Timeline View of Search Results
The Timeline view of search results brings the investigational timeline experience into the Search application. It provides analysts and threat hunters with a starting point for investigating risky or anomalous events while also leveraging the granular filtering capabilities of the Search application.
When you run a search, the results are displayed by default in the List view. To access the Timeline view, click the Timeline View icon just above the navigation header for the search results.
Note
The Timeline view is available only for a search with a time range of seven days or less. You can switch easily from the Timeline view to the List or Table view by clicking the List View or Table View icon.
The benefits of using the Timeline view include the following:
Abnormal behavior is easy to spot.
Detections, which represent risky or anomalous behavior, are linked directly to the events that triggered them. If a single detection is triggered by multiple events, the detection is displayed only on the latest chronological event.
Search filtering capabilities can be leveraged to filter the timeline to a granular level.
Timelines can be built for any attribute or combination of attributes, from any perspective that is of interest. You can focus on a user's activity, on specific IP addresses, on an IOC, on a rule, or on any other entity.
The Timeline view is designed to simplify the task of finding risky or anomalous behaviors (detections) and the events they are associated with. The view is visually organized so that events are listed on the left side of each row while the associated detections (if any) are listed on the right side of the row. You can efficiently scan the results to see where normal and abnormal activity has taken place. You can toggle the view to display only events that have associated detections, or show all events so that you can see each detection in the context of the normal activity around it.
You can interact with results in the Timeline view in a number of ways. The sections below provide more detail about the three portions of the Timeline view page: the toolbar options, the events in the timeline, and the detections in the timeline.
Toolbar Options
When search results first display in the Timeline view, the toolbar above the results contains two rows. The top row contains the Summary button on the left and the view selector icons on the right. The second row of the toolbar displays page-specific options. To preserve viewing space as you scroll through the results, the toolbar collapses to one row. If you want to switch into a different view of the results, you'll need to return to the top of the page to redisplay the expanded version of the toolbar where the view selector icons are available.
On the toolbar, the following options are available:
Summary – Click to open a new panel on the left showing a list of all parsed fields in the search results, and a count of unique values for each field. By default, these counts are calculated over the first 500 results. When opened, the Summary panel is pinned to the top of the left side of the search results page. To close it, click the Summary button again. For more information about the options available on the Summary panel, see Field Summary.
View Selector Icons – Click on a view selector icon to switch into a different view of the search results data. Options include the Timeline view, List view, and Table view icons.
Aggregation View – Click the Aggregation View icon to view a high-level summary of the search results. For more information about adding aggregation to your search results, see Aggregated Search Results.
Collapse all – Click to collapse any event rows you have expanded. This option is only visible if at least one event row has been expanded.
Show detections only – Click this toggle to further collapse the list of event results so that only events with associated detections are showing. Hidden results rows will be designated only by the number of rows hidden. You can toggle this view on and off.
Show sites – Click the toggle to show or hide site tags on each event row in the results list. When the toggle is in the on position, any site names you have configured in your system are displayed above the relevant event row. For more information about site names, see Define a Unique Site Name in the New-Scale Security Operations Platform Guide.
Rows per view – Click the drop-down menu to select the number of rows you want to view per page.
Tip
In the Timeline view, similar events are aggregated for display in groups. As a result, one row in the results data can represent more than a single event. Keep this in mind when configuring the Rows per view number: it sets the number of rows per page, not the number of events, and a page can contain many more events than rows. For more information about how events are grouped, see the Events in the Timeline section below.
Pagination arrows – Click the pagination arrows to scroll backwards and forwards through the pages of event results.
Events in the Timeline
Timeline events are listed chronologically, with the most recent or the oldest events at the top, depending on the sort order you ran your query with. Events that match your search query are listed on the left side of each row in the Timeline view. Each event has a natural language title that provides a simple description of the event. In cases where no event title is available, or not enough fields were parsed, the event title defaults to the subject of the event. Each event title also includes an icon that indicates the event type.
To reduce scrolling while looking for detections, events that are similar are aggregated into groups. Event groups are indicated by an <n>X designation to the left of the event title, where <n> is the number of events in the group. You can click an event group to expand it and view the individual events.
Events are grouped automatically according to the following logic:
The events have identical titles.
The events occur within the same minute, even if they are non-consecutive.
Non-consecutive events can only be grouped together if any intervening events are not associated with a detection event. If an intervening event has a detection, the events with the same title are split into separate groups in order to preserve the order of events before and after the detection.
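To make the grouping rules concrete, here is an added Python illustration (not the Search application's own code) that applies them to a constructed set of events. It assumes that "same minute" means the same calendar minute and that an event carrying a detection is always shown on its own row; it also mimics the Show detections only toggle from the toolbar, which hides rows without detections and reports how many rows were hidden.

```python
"""Illustration of the timeline grouping rules described above.

Constructed sample data and an assumed row model; this is not the Search
application's own code. Rules applied:
  1. events merge only when their titles are identical;
  2. only within the same calendar minute (assumed meaning of "same minute");
  3. non-consecutive events may still merge, unless an event in between
     carries a detection, which closes every open group so that the order
     around the detection is preserved. An event that carries a detection
     is shown on its own row (assumption).
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    title: str                       # natural-language event title
    detection: Optional[str] = None  # triggered rule name, if any


@dataclass
class Row:
    title: str
    events: List[Event] = field(default_factory=list)

    @property
    def label(self) -> str:
        """Row title as displayed: an <n>X prefix when the row holds a group."""
        n = len(self.events)
        return f"{n}X {self.title}" if n > 1 else self.title

    @property
    def detection(self) -> Optional[str]:
        return next((e.detection for e in self.events if e.detection), None)


def group_timeline(events: List[Event]) -> List[Row]:
    """Merge events, walked in chronological order, into display rows."""
    rows: List[Row] = []
    # Open groups still accepting events, keyed by (title, minute bucket).
    open_rows: Dict[Tuple[str, datetime], Row] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.detection is not None:
            # A detection splits the timeline: nothing before it may merge
            # with anything after it, and the event gets its own row.
            open_rows.clear()
            rows.append(Row(ev.title, [ev]))
            continue
        key = (ev.title, ev.ts.replace(second=0, microsecond=0))
        row = open_rows.get(key)
        if row is None:
            row = Row(ev.title)
            rows.append(row)
            open_rows[key] = row
        row.events.append(ev)
    return rows


def detections_only(rows: List[Row]) -> List[str]:
    """Mimic the 'Show detections only' toggle: rows without a detection are
    collapsed into a placeholder stating how many rows are hidden."""
    shown: List[str] = []
    hidden = 0
    for row in rows:
        if row.detection is None:
            hidden += 1
            continue
        if hidden:
            shown.append(f"{hidden} rows hidden")
            hidden = 0
        shown.append(f"{row.label} -> {row.detection}")
    if hidden:
        shown.append(f"{hidden} rows hidden")
    return shown


def _t(hms: str) -> datetime:
    return datetime(2024, 1, 1, *(int(p) for p in hms.split(":")))


# Constructed sample: one user's activity over two minutes.
SAMPLE_EVENTS = [
    Event(_t("10:00:05"), "alice logged on to host-1"),
    Event(_t("10:00:12"), "alice logged on to host-1"),
    Event(_t("10:00:20"), "alice read file report.pdf"),
    Event(_t("10:00:31"), "alice logged on to host-1"),  # non-consecutive, still merges
    Event(_t("10:00:44"), "alice logged on to host-1", detection="First logon to host"),
    Event(_t("10:00:50"), "alice logged on to host-1"),  # after the detection: new group
    Event(_t("10:01:02"), "alice logged on to host-1"),  # next minute: new group
]

if __name__ == "__main__":
    rows = group_timeline(SAMPLE_EVENTS)
    for row in rows:
        print(f"{row.label:32} | {row.detection or ''}")
    print(detections_only(rows))
```

Running the sample produces five rows: the three logons before the detection collapse into one 3X row even though a file read sits between them, the detection event stands alone, and the logons after it start fresh groups (the last one because it falls in the next minute). Reversing the returned list gives the newest-first ordering used when the query is sorted that way.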
On every event row, you can click the down arrow to the left to expand the event and view the information that has been parsed from the event log. If the row represents multiple events, expanding it displays each event in an indented list, along with the parsed information for each event. In the case of grouped events, the individual events are numbered for easy identification, especially when viewing them on the Event tab of the Details panel.
You can interact with each event in the following ways:
Click on any parsed field to display possible options for the field (options may vary depending on the query):
Use the AND, AND NOT, or OR operators to add the field to your query.
Click Copy to copy the value of the field to the clipboard.
Click Visualize Field to pivot immediately to the Dashboard application, which opens in the visualization editor view with the information from your search query preconfigured.
If the title of an event includes any dynamic fields, you can click on these dynamic fields for additional options, as with the parsed fields (such as adding it to the query, copying it, or visualizing it).
View Event Details – To view detailed information about the event, including the raw log message and a list of parsed fields for the event, do one of the following to open a Details panel with the Event tab displayed:
Click the options menu icon on the right of the event row and select Event Details. If the event row includes multiple events, the details for each event are displayed on numbered tabs in the Details panel.
Expand the event row and click the Event Details link. If the event row includes multiple events, click the Event Details link for a specific event and the Details panel opens to display the numbered tab for that event.
View Data Insights – If the event includes users or devices that have been parsed, you can view Data Insights about those entities by doing one of the following:
Click the options menu icon on the right of the event row and select Data Insights.
Expand the event row and click the Event Details link. When the Details panel opens, click on the Data Insights tab.
View Detection Details – If an event is associated with one or more detection events (displayed on the right of the same row), you can view a Detection tab, with details about the rules that triggered the detection, in one of the following ways. Note that if an event includes multiple detections, the details for each detection are displayed on numbered tabs in the Details panel.
Click the options menu icon on the right of the event row and select Detection Details.
Expand the event row and click the Event Details link. When the Details panel opens, click on the Detection tab.
Click on the detection side of the row to expand the detection box and click the Detection Details link.
Click the Copy Link icon to copy the link to that event.
Click the Copy Raw Log icon to copy the raw log data.
Detections in the Timeline
When an event is evaluated as risky or anomalous, according to conditions configured in correlation or analytics rules, a detection event is generated. In the Timeline view, if an event in the search results has triggered a detection, the detection event is displayed on the right-hand side of the same event row. This visual representation makes it easy to see the connection between detections and their associated events.
In each event row that includes a detection, a list of the triggered rules is displayed. Note that in the case of an event that triggers multiple detections, the individual detections are numbered for easy identification, especially when viewing them in the Detection tabs.
Note
If more than one event triggers the same detection, the detection is displayed only on the latest chronological event.
Each detection is displayed with a Detection title that includes an icon that shows the type of detection event, a number (if there are multiple detections associated with the same event), and the number of rules triggered. The title is followed by a list of the first five rules associated with the detection. In the top right corner of the detection box is a risk score, from 0 to 100, that indicates the level of risk those rules represent.
When you click to expand the detection box, the following options become available:
Detection Details – Click to open the Details panel with the Detection tab displayed. The tab includes information relevant to the detection, including endpoints, use cases, MITRE ATT&CK® tactics and techniques, triggered rules, the raw log, and parsed fields. If multiple detections are associated with a single event, click the Detection Details link for a specific detection and the Details panel opens to display the numbered tab for that detection.
Copy Link – Click to copy the link to that detection event.
Copy Raw Log – Click to copy the raw log data.