Investigate events in Timeline


Investigate events in Timelineedit

Use Timeline as your workspace for investigations and threat hunting. You can add alerts from multiple indices to a Timeline to facilitate advanced investigations.

You can drag or send fields of interest to a Timeline to create the desired query. For example, you can add fields from tables and histograms on the Overview, Alerts, Hosts, and Network pages, as well as from other Timelines. Alternatively, you can add a query directly in Timeline by expanding the query builder and clicking + Add field.

example Timeline with several events

In addition to Timelines, you can create and attach Timeline templates to detection rules. Timeline templates allow you to define the source event fields used when you investigate alerts in Timeline. You can select whether the fields use predefined values or values retrieved from the alert. For more information, refer to About Timeline templates.

Create new or open existing Timelineedit

To make a new Timeline, choose one of the following:

  • Go to Timelines, then click Create new Timeline.
  • Go to the Timeline bar (which is at the bottom of most pages), click the Click the add new button button, then click Create new Timeline template.
  • From an open Timeline or Timeline template, click NewNew Timeline.

To open an existing Timeline, choose one of the following:

  • Go to the Timelines page, then click a Timeline’s title.
  • Go to the Timeline bar, click the Click the add new button button, then click Open Timeline.
  • From an open Timeline or Timeline template, click Open, then select a Timeline.

To avoid losing your changes, save the Timeline before moving to a different Elastic Security app page. If you change an existing Timeline, you can use the Save as new timeline toggle to make a new copy of the Timeline without overwriting the original one.

Click the star icon (Click the favorite icon) to favorite your Timeline and quickly find it later.

View and refine Timeline resultsedit

You can select whether Timeline displays detection alerts and other raw events, or just alerts. By default, Timeline displays both raw events and alerts. To hide raw events and display alerts only, click Data view to the left of the KQL query bar, then select Show only detection alerts.

Inspect an event or alertedit

To further inspect an event or detection alert, click the View details button. A flyout with event or alert details appears.

Configure Timeline event context and displayedit

Many types of events automatically appear in preconfigured views that provide relevant contextual information, called Event Renderers. You can display and turn them on or off with the Settings menu in the upper left corner of the results pane:

example timeline with the event renderer highlighted

The example above displays the Flow event renderer, which highlights the movement of data between its source and destination. If you see a particular part of the rendered event that interests you, you can drag it up to the drop zone below the query bar for further investigation.

You can also modify a Timeline’s display in other ways:

  • Add, remove, reorder, or resize columns
  • Create runtime fields and display them in the Timeline
  • View the Timeline in full screen mode
  • Add or delete notes on individual events
  • Add or delete investigation notes on the entire Timeline
  • Pin interesting events to the Timeline

Use the Timeline query builderedit

Expand the query builder by clicking the query builder button (Click the query builder button) to the right of the KQL query bar. Drop in fields to build a query that filters Timeline results. The fields' relative placement specifies their logical relationships: horizontally adjacent filters use AND, while vertically adjacent filters use OR.

Collapse the query builder to provide more space for Timeline results by clicking the query builder button (Click the query builder button).

Edit existing filtersedit

Click a filter to access additional operations such as Add filter, Clear all, Load saved query, and more:

timeline ui filter options

Here are examples of various types of filters:

Field with value

Filters for events with the specified field value:

timeline filter value
Field exists

Filters for events containing the specified field:

timeline field exists
Exclude results

Filters for events that do not contain the specified field value (field with value filter) or the specified field (field exists filter):

timeline filter exclude
Temporarily disable

The filter is not used in the query until it is enabled again:

timeline disable filter
Filter for field present
Converts a field with value filter to a field exists filter.

When you convert a Timeline template to a Timeline, some fields may be disabled. For more information, refer to Timeline template legend.

Attach Timeline to a caseedit

To attach a Timeline to a new or existing case, open it, click Attach to case in the upper right corner, then select either Attach to new case or Attach to existing case.

To learn more about cases, refer to Cases.

Manage existing Timelinesedit

You can view, duplicate, export, delete, and create templates from existing Timelines:

  1. Go to Timelines.
  2. Click the All actions menu in the desired row, then select an action:

    • Create template from timeline (refer to About Timeline templates)
    • Duplicate timeline
    • Export selected (refer to Export and import Timelines)
    • Delete selected
    • Create query rule from timeline (only available if the Timeline contains a KQL query)
    • Create EQL rule from timeline (only available if the Timeline contains an EQL query)

To perform an action on multiple Timelines, first select the Timelines, then select an action from the Bulk actions menu.

Export and import Timelinesedit

You can export and import Timelines, which enables you to share Timelines from one Kibana space or instance to another. Exported Timelines are saved as .ndjson files.

To export Timelines:

  • Go to Timelines.
  • Either click the All actions menu in the relevant row and select Export selected, or select multiple Timelines and then click Bulk actionsExport selected.

To import Timelines:

  • Click Import, then select or drag and drop the relevant .ndjson file.

    Multiple Timeline objects are delimited with newlines.

Filter Timeline results with EQLedit

Use the Correlation tab to investigate Timeline results with EQL queries.

When forming EQL queries, you can write a basic query to return a list of events and alerts. Or, you can create sequences of EQL queries to view matched, ordered events across multiple event categories. Sequence queries are useful for identifying and predicting related events. They can also provide a more complete picture of potential adversary behavior in your environment, which you can use to create or update rules and detection alerts.

The following image shows what matched ordered events look like in the Timeline table. Events that belong to the same sequence are matched together in groups and shaded red or blue. Matched events are also ordered from oldest to newest in each sequence.

a Timeline’s correlation tab

From the Correlation tab, you can also do the following:

  • Specify the date and time range that you want to investigate.
  • Reorder the columns and choose which fields to display.
  • Choose a data view and whether to show detection alerts only.

Use ES|QL to investigate eventsedit

ES|QL is enabled by default in Kibana. It can be disabled using the enableESQL setting from the Advanced Settings. This will hide the ES|QL user interface from various applications. However, users will be able to access existing ES|QL artifacts like saved searches and visualizations.

The Elasticsearch Query Language (ES|QL) provides a powerful way to filter, transform, and analyze event data stored in Elasticsearch. ES|QL queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis.

You can use ES|QL in Timeline by opening the ES|QL tab. From there, you can:

  • Write an ES|QL query to explore your events. For example, start with the following query, then iterate on it to tailor your results:

    FROM .alerts-security.alerts-default,apm-*-transaction*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,traces-apm*,winlogbeat-*,-*elastic-cloud-logs-*
    | LIMIT 10
    | KEEP @timestamp, message, event.category, event.action,, source.ip, destination.ip,

    This query does the following:

    • It starts by querying documents within the Security alert index (.alerts-security.alerts-default) and indices specified in the Security data view.
    • Then, the query limits the output to the top 10 results.
    • Finally, it keeps the default Timeline fields (@timestamp, message, event.category, event.action,, source.ip, destination.ip, and in the output.

      When querying indices that tend to be large (for example, logs-*), performance can be impacted by the number of fields returned in the output. To optimize performance, we recommend using the KEEP command to specify fields that you want returned. For example, add the clause KEEP @timestamp, to the end of your query to specify that you only want the @timestamp and fields returned.

An error message displays when the query bar is empty.

  • Click the help icon (Click the ES|QL reference button) on the far right side of the query editor to open the in-product reference documentation for all ES|QL commands and functions.
  • Visualize query results using Discover functionality.
a Timeline’s ES|QL tab

Additional ES|QL resourcesedit

To get started using ES|QL, read the tutorial for using ES|QL in Kibana. Much of the functionality available in Kibana is also available in Timeline.

To find examples of using ES|QL for threat hunting, check out our blog.