Use Timeline as your workspace for investigations and threat hunting. You can add alerts from multiple indices to a Timeline to facilitate advanced investigations.
You can drag or send fields of interest to a Timeline to create the desired query. For example, you can add fields from tables and histograms on the Overview, Alerts, Hosts, and Network pages, as well as from other Timelines. Alternatively, you can add a query directly in Timeline by clicking + Add field.
Timelines are responsive, and they persist as you move through the Elastic Security app collecting data. Auto-saving ensures that the results of your investigation are available for later review. To record and share your findings with others, attach your Timeline to a case.
Untitled Timelines are saved as drafts. To attach a Timeline to a case, you must give it a title.
In addition to Timelines, you can create and attach Timeline templates to detection rules. Timeline templates allow you to define the source event fields used when you investigate alerts in Timeline. You can select whether the fields use predefined values or values retrieved from the alert. For more information, refer to About Timeline templates.
View and refine Timeline resultsedit
You can select whether Timeline displays detection alerts and other raw events, or just alerts. By default, Timeline displays both raw events and alerts. To hide raw events and display alerts only, click Data view to the right of the date and time picker, then select Show only detection alerts.
Inspect an event or alertedit
To further inspect an event or detection alert, click the View details button. A flyout with event or alert details appears.
Configure Timeline event context and displayedit
Many types of events automatically appear in preconfigured views that provide relevant contextual information, called Event Renderers. You can display and turn them on or off with the Settings menu in the upper left corner of the results pane:
The example above displays the Flow event renderer, which highlights the movement of data between its source and destination. If you see a particular part of the rendered event that interests you, you can drag it up to the drop zone below the query bar for further investigation.
You can also modify a Timeline’s display in other ways:
- Add, remove, reorder, or resize columns
- Create runtime fields and display them in the Timeline
- View the Timeline in full screen mode
- Add or delete notes on individual events
- Add or delete investigation notes on the entire Timeline
- Pin interesting events to the Timeline
Narrow or expand your KQL queryedit
By placing fields within the drop zone, you turn them into query filters.
Their relative placement specifies their logical relationships: horizontally adjacent filters use
while vertically adjacent filters use
Edit existing filtersedit
Click a filter to access additional operations such as Add filter, Clear all, Load saved query, and more:
Here are examples of various types of filters:
- Field with value
Filters for events with the specified field value:
- Field exists
Filters for events containing the specified field:
- Exclude results
Filters for events that do not contain the specified field value (
field with valuefilter) or the specified field (
- Temporarily disable
The filter is not used in the query until it is enabled again:
- Filter for field present
field with valuefilter to a
Attach Timeline to a caseedit
To attach a Timeline to a new or existing case, open it, click Attach to case in the upper right corner, then select either Attach to new case or Attach to existing case.
To learn more about cases, refer to Cases.
Manage existing Timelinesedit
You can view, duplicate, export, delete, and create templates from existing Timelines:
- Go to Timelines.
Click the All actions menu in the desired row, then select an action:
- Create template from timeline (refer to About Timeline templates)
- Duplicate timeline
- Export selected (refer to Export and import Timelines)
- Delete selected
- Create query rule from timeline (only available if the Timeline contains a KQL query)
- Create EQL rule from timeline (only available if the Timeline contains an EQL query)
To perform an action on multiple Timelines, first select the Timelines, then select an action from the Bulk actions menu.
Export and import Timelinesedit
You can export and import Timelines, which enables you to share Timelines from one
Kibana space or instance to another. Exported Timelines are saved as
To export Timelines:
- Go to Timelines.
- Either click the All actions menu in the relevant row and select Export selected, or select multiple Timelines and then click Bulk actions → Export selected.
To import Timelines:
Click Import, then select or drag and drop the relevant
Multiple Timeline objects are delimited with newlines.
Filter Timeline results with EQLedit
Use the Correlation tab to investigate Timeline results with EQL queries.
When forming EQL queries, you can write a basic query to return a list of events and alerts. Or, you can create sequences of EQL queries to view matched, ordered events across multiple event categories. Sequence queries are useful for identifying and predicting related events. They can also provide a more complete picture of potential adversary behavior in your environment, which you can use to create or update rules and detection alerts.
The following image shows what matched ordered events look like in the Timeline table. Events that belong to the same sequence are matched together in groups and shaded red or blue. Matched events are also ordered from oldest to newest in each sequence.
From the Correlation tab, you can also do the following:
- Specify the date and time range that you want to investigate.
- Reorder the columns and choose which fields to display.
- Choose a data view and whether to show detection alerts only.
Use ES|QL to investigate eventsedit
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The Elasticsearch Query Language (ES|QL) provides a powerful way to filter, transform, and analyze event data stored in Elasticsearch. ES|QL queries use "pipes" to manipulate and transform data in a step-by-step fashion. This approach allows you to compose a series of operations, where the output of one operation becomes the input for the next, enabling complex data transformations and analysis.
You can use ES|QL in Timeline by opening the ES|QL tab. From there, you can:
Explore your events using the default query, or create a custom one. The default query searches documents within the Security alert index (
.alerts-security.alerts-default) and indices specified in the Security data view, then returns 10 events from the defined time range.
- Click the help icon () on the far right side of the query editor to open the in-product reference documentation for all ES|QL commands and functions.
- Visualize query results using Discover functionality.
Additional ES|QL resourcesedit
To get started using ES|QL, read the tutorial for using ES|QL in Kibana. Much of the functionality available in Kibana is also available in Timeline.
To find examples of using ES|QL for threat hunting, check out our blog.