Hello~ I'm having an issue where I use a timeline template in the investigate in timeline feature of a rule in elastic security. When we create the rule, we override the timestamp to event.ingested. Our logs has a lag during ingestion where the event.ingested is behind the original timestamp by 10mins or so. When I click on the "investigate in timeline" the timeline template filters the results by the event.ingested. When it does this, it does not pick up the actual event because the event timestamp is 10 mins in the past. is there a way to tell the timeline template to use @timestamp when filtering the events instead of event.ingested?
Hi @elk_jh, welcome!
When I click on the "investigate in timeline" the timeline template filters the results by the event.ingested.
Just to clarify: is the problem that the timeline builds a filter based on the alert's @timestamp
field, when you'd like it to be based upon its event.ingested
instead? Or is it that the filter is correct to find the alerts under investigation, but not the original events, and so you'd like the filter to be something like { gte: min(@timestamp, event.ingested), lte: max(@timestamp, event.ingested) }
?
Regardless, I think you're correct that there's some missing timeline functionality here; I've opened [Security Solution][Threat Hunting] Timeline support for @timestamp overrides · Issue #157447 · elastic/kibana · GitHub to track that work for the appropriate team.
In the meantime, if you could provide some sample data and/or a simple example I think that will help ensure that we're all working toward the same goal. Thanks!
Hello @RylandHerrick ,
Thanks for you reply.
Yes, the problem I'm having is that the timeline feature's time filter uses a different timestamp from the rule triggered the alert.
For example, I have this rule with a timestamp override as event.ingested.
so when I click on the Investigate in timeline button, the event is not shown as the event timestamp is actually 10 mins before the event.ingested, I need to adjust the time slider to see the relevant event, like this:
I think the timeline filter is using the event.ingested timestamp from the rule, but filtering the actual events by theevents triggered timestamp.
I saw the github issue you have opened and I think you described my problem perfectly. Thank you!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.