Timeline View of Search Results
Note
License Requirement for Timeline View
Currently, the Timeline view of search results can only be accessed if you have one of the New-Scale licenses. For more information see New-Scale Security Operations Portfolio Licenses.
The Timeline view of search results brings the investigational timeline experience into the Search application. It provides analysts and threat hunters with a starting point for investigating risky or anomalous events while also leveraging the granular filtering capabilities of the Search application.
When you run a search, the results are displayed by default in the List view. To access the Timeline view, click the Timeline View icon just above the navigation header for the search results.
Note
The Timeline view is available only for a search with a time range of seven days or less. You can switch easily from the Timeline view to the List or Table views by clicking their respective icons (List View or Table View).
The benefits of using the Timeline view include the following:
Abnormal behavior is easy to spot.
Detections, which represent risky or anomalous behavior, are linked directly to the events that triggered them.
Search filtering capabilities can be leveraged to filter the timeline to a granular level.
Timelines can be built for any attribute or combination of attributes, from any perspective that's of interest. You can focus on a user activity, on specific IP addresses, on an IOC, on a rule, or any other entity.
The Timeline view is designed to simplify the task of finding risky or anomalous behaviors (detections) and the events they are associated with. The view is visually organized so that events are listed on the left side of each row while the associated detections (if any) are listed on the right side of the row. You can efficiently scan the results to see where normal and abnormal activity has taken place. You can choose to toggle the view to display only events where detections are associated, or you can view the display with all events showing so that you can view detections in the context of the normal events around them.
Note
Keep in mind that Search results display a repository of ingested events, but cannot guarantee the order in which those events are ingested. Sometimes a duplicate Analytics detection may be created because an associated event is ingested after the initial detection was created. The second Analytics detection is an updated one that accounts for the late-arriving event, and it has the same ID as the first Analytics detection. Both detections will be included in the Search results. For a view of detections that update when late events are ingested, see the Threat Center application.
You can interact with results in the Timeline view in a number of ways. The sections below provide more detail about each of the following portions of the Timeline view page:
Toolbar Options
Events in the Timeline
Detections in the Timeline
Toolbar Options
When search results first display in the Timeline view, the toolbar above the results contains two rows. The top row contains the Summary button on the left and the view selector icons on the right. The second row of the toolbar displays page-specific options. To preserve viewing space as you scroll through the results, the toolbar collapses to one row. If you want to switch into a different view of the results, you'll need to return to the top of the page to redisplay the expanded version of the toolbar where the view selector icons are available.
On the toolbar, the following options are available:
Summary – Click to open a new panel on the left showing a list of all parsed fields in the search results, and a count of unique values for each field. By default, these results are calculated for the first 500 results. When opened, the Summary panel is pinned to the left side of the search results page. To close it, click the Summary button again. For more information about the options available on the Summary panel, see Field Summary.
View Selector Icons – Click on a view selector icon to switch into a different view of the search results data. Options include the Timeline view, the List view, and the Table view.
Aggregation View – Click the Aggregation View icon to view a high-level summary of the search results. For more information about adding aggregation to your search results, see Aggregated Search Results.
Collapse all – Click to collapse any event rows you have expanded. This option is only visible if at least one event row has been expanded.
Show detections only – Click this toggle to further collapse the list of event results so that only events with associated detections are showing. Hidden results rows will be designated only by the number of rows hidden. You can toggle this view on and off.
Rows per view – Click the drop-down menu to select the number of rows you want to view per page.
Tip
In the Timeline view, similar events are aggregated for display in groups. As a result, one row in the results data can represent more than a single event. Keep this in mind when configuring the Rows per View number. It does not align with how many events are represented per page, and in fact, there can be many more events per page than the number of rows. For more information about how events are grouped, see the Events in the Timeline section below.
Pagination arrows – Click the pagination arrows to scroll backwards and forwards through the pages of event results.
Events in the Timeline
Timeline events are listed chronologically, with the most recent events at the top. Events that match your search query are listed on the left side of each row in the Timeline view. Each event has a natural language title that provides a simple description of the event. In cases where no event title is available, or not enough fields were parsed, the event title defaults to the subject of the event. Each event title also includes an icon that indicates the event type.
To reduce scrolling while looking for detections, events that are similar are aggregated into groups. Event groups are indicated by a <n>X designation to the left of the event title. You can click an event group to expand and view the individual events.
Events are grouped automatically according to the following logic:
The events have identical titles.
The events occur within the same minute, even if they are non-consecutive.
Non-consecutive events can only be grouped together if any intervening events are not associated with a detection event. If an intervening event has a detection, the events with the same title are split into separate groups in order to preserve the order of events before and after the detection.
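To make the grouping rules above concrete, here is an added Python model, written for this page and not Exabeam's own code, that builds Timeline rows from a constructed set of events and also implements the Show detections only toggle described under Toolbar Options. It assumes that "same minute" means the same calendar minute, that an event carrying a detection is displayed on its own row, and that the event titles and timestamps are constructed samples rather than real log data.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Added example: a model of the Timeline view's row-grouping rules, written for
# this page; it is not Exabeam's own code. Assumptions are marked below.


@dataclass
class Event:
    ts: datetime
    title: str
    has_detection: bool = False


@dataclass
class Row:
    """One row of the Timeline view: one or more events sharing a title."""
    title: str
    events: list = field(default_factory=list)  # newest first

    @property
    def count(self):
        return len(self.events)

    def has_detection(self):
        return any(e.has_detection for e in self.events)

    def label(self):
        # A group of n > 1 events is shown with an "<n>X" prefix.
        return f"{self.count}X {self.title}" if self.count > 1 else self.title


def group_timeline(events):
    """Build Timeline rows, newest first, applying the grouping logic:
    identical title, same calendar minute (assumption: minute truncation),
    and no detection-bearing event in between."""
    rows = []
    open_groups = {}  # (title, minute) -> Row still accepting events
    for ev in sorted(events, key=lambda e: e.ts, reverse=True):
        if ev.has_detection:
            # Assumption: an event that triggered a detection is shown on its
            # own row. It also closes every open group, so older events with
            # the same title start a fresh group below it, preserving order.
            rows.append(Row(ev.title, [ev]))
            open_groups.clear()
            continue
        key = (ev.title, ev.ts.replace(second=0, microsecond=0))
        row = open_groups.get(key)
        if row is None:
            row = Row(ev.title)
            rows.append(row)
            open_groups[key] = row
        row.events.append(ev)  # non-consecutive events join an open group
    return rows


def detections_only(rows):
    """The 'Show detections only' toggle: keep rows with a detection and
    replace each run of hidden rows with a count of what was hidden."""
    out, hidden = [], 0
    for row in rows:
        if row.has_detection():
            if hidden:
                out.append(f"{hidden} rows hidden")
                hidden = 0
            out.append(row.label())
        else:
            hidden += 1
    if hidden:
        out.append(f"{hidden} rows hidden")
    return out


def _t(hh, mm, ss):
    return datetime(2024, 5, 1, hh, mm, ss)


# Constructed sample events (not real log data), listed oldest first to show
# that the grouping does not depend on ingestion order.
SAMPLE_EVENTS = [
    Event(_t(10, 14, 59), "User jdoe logged on"),
    Event(_t(10, 15, 10), "User jdoe logged on"),
    Event(_t(10, 15, 20), "Failed logon for admin", has_detection=True),
    Event(_t(10, 15, 30), "User jdoe logged on"),
    Event(_t(10, 15, 40), "Failed logon for admin"),
    Event(_t(10, 15, 45), "User jdoe logged on"),
    Event(_t(10, 15, 50), "User jdoe logged on"),
]

if __name__ == "__main__":
    rows = group_timeline(SAMPLE_EVENTS)
    for row in rows:
        print(row.label(), "| detection" if row.has_detection() else "")
    print(detections_only(rows))
```

Running the block shows the three "User jdoe logged on" events at 10:15:50, 10:15:45 and 10:15:30 collapsing into one 3X row even though a non-detection "Failed logon for admin" event sits between them, while the detection at 10:15:20 forces the 10:15:10 logon into a separate row, and the 10:14:59 logon falls into another minute and so another row.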
On each event row, you can click the down arrow to the left to expand the event and view the information that has been parsed from the event log. If the row represents multiple events, expanding it will display each event in an indented list, along with the parsed information for each event.
You can interact with each event in the following ways:
Click on any parsed field to display possible options for the field (options may vary depending on the query):
Use the AND, AND NOT, or OR operators to add the field to your query.
Click Copy to copy the value of the field to the clipboard.
Click Visualize Field to pivot immediately to the Dashboard application, which opens in the visualization editor view with the information from your search query preconfigured.
If the title of an event includes any dynamic fields, you can click on these dynamic fields for additional options, as with the parsed fields (such as adding it to the query, copying it, or visualizing it).
View Event Details – To view detailed information about the event, including the raw log message and a list of parsed fields for the event, do one of the following to open an Event Details panel:
Click the options menu icon on the right of the event row and select Event Details.
Expand the event row and click the Event Details link.
View Rule Details – If the event is associated with one or more detection events (displayed on the right of the same row), you can view Rule Details about the rules that triggered the detection in one of the following ways:
Click the options menu icon on the right of the event row and select Rules Details.
Expand the event and click the Event Details link. When the Event Details panel opens, click on the Rules tab.
Expand the detection event and click the Rule Details link.
Click the Copy Link icon to copy the link to that event.
Click the Copy Raw Log icon to copy the raw log data.
Detections in the Timeline
When an event is evaluated as risky or anomalous, according to conditions configured in correlation or analytics rules, a detection event is generated. In the Timeline view, if an event in the search results has triggered a detection, the detection event is displayed on the right-hand side of the same event row. This visual representation makes it easy to see the connection between detections and their associated events.
Each detection is displayed with an icon that shows the type of detection event, a natural language title that describes the detected behavior, a list of the rules associated with the detection, and a risk score that indicates the total number of points of risk those rules represent.
When you click to expand the detection, you can also see a list of the Rule Tags and Rule Use Cases that are associated with the rules that triggered the detection. Tags are labels or keywords created and added to rules, alerts, or use cases to categorize them. You can define tags in other Exabeam applications, such as Correlation Rules, Advanced Analytics, Threat Center, or when creating Use Cases.
You can interact with the expanded detection event in the following ways:
Click the Copy Link icon to copy the link to that event.
Click the Copy Raw Log icon to copy the raw log data.
To view Rule Details information, do one of the following:
Click the options menu icon on the right of the event row and select Rules Details.
In the expanded detection event, click the Rule Details link.