Timeline Template see fields other then the fields in the alert

RoeeKent · February 7, 2024, 12:46pm

Hi everyone!
I would love to know if it is possible to add a timeline template to a detection rule, and use the fields in the template to see logs that are not part of the alert.

For example, I have a rule that alerts registry changes of specific paths, and for further investigation I want to see logs about the user logging in to the server (which are not part of the alert). I want to use the Timeline Template because I can set the user name as a variable, and I hope to see logs with this user name to cross the information I need to investigate this event. So far I was able to filter only the fields of the alert, or all the logs possible outside the alert which is not helping me.

My main goal is to see all the logs I need to investigate an event all in the same place, and so far Timeline Template seems like the best feature for it (assuming that what I ask for is possible).

Is there anyone here that maybe know if this is possible?

Sergi_Massaneda_Dona · February 7, 2024, 5:31pm

Hi, yes the workflow described is possible. A timeline template with a user variable can be added to a rule (make sure the timeline template has the "logs-*" pattern selected in the data view).

Then when clicking on "Investigate in timeline" action of an alert, the timeline should open with the selected timeline template and you should be able to see logs data for the given user.

Is this what you need?

cc @Michael_Olorunnisola

RoeeKent · February 8, 2024, 8:19am

Hi @Sergi_Massaneda_Dona , thank you very much for your answer!

I figured that this is the way to go and tried it. the problem is, when I set the 'logs-*' pattern in the template, I see all logs (not filtered by the user name of the alert).

(See number of logs in query)

When I select the "Show only detection alerts" option, I see the logs that generated the alert, but not the second part of the query which is not part of the alert (there was one time that I did see other log which is not part of the alert, but it was not filtered by the user name and host name of the alert, which I find a little weird)

Maybe my filtering is not correct? Maybe there is a different problem?
Thank you for tour time!

Sergi_Massaneda_Dona · February 8, 2024, 11:22am

Hi @RoeeKent ,

Your filtering seems fine. Let's follow the steps:

First, create the Timeline template, and add the filters (I only added one user filter):

Select the "Security Default Data View" in the Data view selector, the "Show only detection alerts" should be unchecked, and when expanding the advanced options the logs-* should be present along with the alerts index pattern:

And save it, disregarding the results displayed at this point.
Then go to the rule and make sure the template is assigned to the Rule:

Once this is done, the alerts generated by this rule will use this template when clicking the "Investigate in timeline" button:

A new "Untitled timeline" will open and apply the template previously created, setting the alert values to the filters:

You should see alerts and logs filtered by the correct value.

Does this work for you?

RoeeKent · February 8, 2024, 12:23pm

Hi @Sergi_Massaneda_Dona ,
it worked! Thank you very much!

The missing piece was to assign the template to a rule (so far I did not assign it, so I opened it every time from the alert itself and the filters were not applied).

Thank you so much for your help!

system · March 7, 2024, 12:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.