Can Elastic SIEM have a Group By feature in the Timelines?


When it comes to Elastic Stack, it has great functionalities for specific detection triggered by well-tuned rules, but security analysts struggle when it comes to generic checks, like if I have a phishing-related public IP that hosts malware and I want to see the list of source.ip that started a communication towards this IP: neither in the timeline nor in the Discovery panel can I see the unique number of source.ip, since I should scroll down pages and I might miss something. Even the unique values in the left panel of the Discovery page won't be enough.

My question is, is there a way to do this apart from creating an aggregation (more queries and time-consuming)? Would such a feature be in future releases? Why isn't it present in the SIEM app up till now?

Thank you

Hi @hilo21, thanks for your post and for your interest in the SIEM app!

We've actually got a whole slew of threat hunting enhancements arriving in 7.8, and one in particular should address your use case: Show top fields.

The author does a great job detailing those features in the above link, so I definitely recommend checking that out! However, specific to your example of viewing unique source.ips communicating with a malware host, within the SIEM app you'll be able to:

  1. Build a timeline with destination.ip: <malware_host>
  2. Hover source.ip (either in a row renderer or the column header)
  3. Click "Show top source.ip" from the context menu

This will then generate a histogram of the top source.ip values within that timeline, like so:

We hope this feature will help you and others to be even more effective in your threat hunting. Please do keep the feature requests coming, both here and on GitHub!

(Edit: fixed "threat hunting enhancements" link above)


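For anyone on a release before 7.8, the same "group by source.ip" can be done with the aggregation the question mentions. The Python below is an added example, not code from the thread or from the SIEM app: it builds the Elasticsearch request body (a terms aggregation on the ECS field source.ip, filtered on the malware host's destination.ip), flattens the bucket response, and computes the same top-N over constructed sample events so the result can be cross-checked offline; the IPs, field layout and function names are assumptions.

```python
import json
from collections import Counter

# Constructed placeholder for the malware-hosting IP (documentation range, not a real indicator).
MALWARE_HOST = "198.51.100.23"


def top_source_ips_query(destination_ip, size=10, since="now-24h"):
    """Elasticsearch request body: filter events sent to the malware host, then bucket
    them with a terms aggregation on the ECS field source.ip (an ip field, so it is
    aggregatable without fielddata). size=0 skips the hits; only the buckets matter."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"destination.ip": destination_ip}},
            {"range": {"@timestamp": {"gte": since}}},
        ]}},
        "aggs": {"top_source_ips": {"terms": {"field": "source.ip", "size": size}}},
    }


def buckets_from_response(response):
    """Flatten the aggregation response into (source.ip, doc_count) pairs, most frequent first."""
    buckets = response["aggregations"]["top_source_ips"]["buckets"]
    return [(b["key"], b["doc_count"]) for b in buckets]


def top_source_ips_local(events, destination_ip, size=10):
    """Same 'group by source.ip' computed over in-memory ECS-style events (e.g. a CSV
    export from Discover), so the aggregation result can be cross-checked offline."""
    counts = Counter(
        e["source"]["ip"]
        for e in events
        if e.get("destination", {}).get("ip") == destination_ip and "source" in e
    )
    return counts.most_common(size)


# Constructed sample events in ECS layout; the last one targets a different host and must be excluded.
SAMPLE_EVENTS = [
    {"@timestamp": "2020-05-01T10:00:00Z", "source": {"ip": "10.0.0.5"}, "destination": {"ip": MALWARE_HOST}},
    {"@timestamp": "2020-05-01T10:01:00Z", "source": {"ip": "10.0.0.9"}, "destination": {"ip": MALWARE_HOST}},
    {"@timestamp": "2020-05-01T10:02:00Z", "source": {"ip": "10.0.0.5"}, "destination": {"ip": MALWARE_HOST}},
    {"@timestamp": "2020-05-01T10:03:00Z", "source": {"ip": "10.0.0.7"}, "destination": {"ip": MALWARE_HOST}},
    {"@timestamp": "2020-05-01T10:04:00Z", "source": {"ip": "10.0.0.5"}, "destination": {"ip": MALWARE_HOST}},
    {"@timestamp": "2020-05-01T10:05:00Z", "source": {"ip": "10.0.0.9"}, "destination": {"ip": MALWARE_HOST}},
    {"@timestamp": "2020-05-01T10:06:00Z", "source": {"ip": "10.0.0.9"}, "destination": {"ip": "203.0.113.4"}},
]

if __name__ == "__main__":
    print(json.dumps(top_source_ips_query(MALWARE_HOST), indent=2))
    print(top_source_ips_local(SAMPLE_EVENTS, MALWARE_HOST))
```

The request body can be sent as-is to the `_search` endpoint of the index pattern the timeline queries; the bucket list is the same data the 7.8 "Show top source.ip" histogram renders.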

Thanks @RylandHerrick for the great reply!!

Looks like this link isn't working:

Hey @ebeahan , good catch! I've updated my reply with the fix. Thanks!

@RylandHerrick Thank you very much

