I would love to know if it is possible to add a timeline template to a detection rule, and use the fields in the template to see logs that are not part of the alert.
For example, I have a rule that alerts registry changes of specific paths, and for further investigation I want to see logs about the user logging in to the server (which are not part of the alert). I want to use the Timeline Template because I can set the user name as a variable, and I hope to see logs with this user name to cross the information I need to investigate this event. So far I was able to filter only the fields of the alert, or all the logs possible outside the alert which is not helping me.
My main goal is to see all the logs I need to investigate an event all in the same place, and so far Timeline Template seems like the best feature for it (assuming that what I ask for is possible).
Is there anyone here who maybe knows if this is possible?
Hi, yes the workflow described is possible. A timeline template with a user variable can be added to a rule (make sure the timeline template has the "logs-*" pattern selected in the data view).
Then when clicking on "Investigate in timeline" action of an alert, the timeline should open with the selected timeline template and you should be able to see logs data for the given user.
Is this what you need?
Hi @Sergi_Massaneda_Dona , thank you very much for your answer!
I figured that this is the way to go and tried it. The problem is, when I set the 'logs-*' pattern in the template, I see all logs (not filtered by the user name of the alert).
(See number of logs in query)
When I select the "Show only detection alerts" option, I see the logs that generated the alert, but not the second part of the query which is not part of the alert (there was one time that I did see another log which is not part of the alert, but it was not filtered by the user name and host name of the alert, which I find a little weird).
Maybe my filtering is not correct? Maybe there is a different problem?
Thank you for your time!
Hi @RoeeKent ,
Your filtering seems fine. Let's follow the steps:
First, create the Timeline template, and add the filters (I only added one user filter):
Select the "Security Default Data View" in the Data view selector, the "Show only detection alerts" should be unchecked, and when expanding the advanced options the logs-* should be present along with the alerts index pattern:
And save it, disregarding the results displayed at this point.
Then go to the rule and make sure the template is assigned to the Rule:
Once this is done, the alerts generated by this rule will use this template when clicking the "Investigate in timeline" button:
A new "Untitled timeline" will open and apply the template previously created, setting the alert values to the filters:
You should see alerts and logs filtered by the correct value.
Does this work for you?
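Added example, not code from this thread or from Elastic: the two pieces of the workflow above, the create-rule payload that assigns a saved timeline template (the real `timeline_id`/`timeline_title` fields of the detection rules API) and the substitution that "Investigate in timeline" performs on the template's filter using the alert's own field values. The `{field}` placeholder syntax, the template id and the registry path are assumptions or constructed samples.

```python
import re
from typing import Any, Dict

# Filter saved in the timeline template. The {field} placeholder syntax is an
# assumption; the surrounding KQL over ECS fields is ordinary timeline KQL.
TEMPLATE_KQL = 'user.name: "{user.name}" and host.name: "{host.name}"'
PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.@-]+)\}")

def rule_body_with_template(timeline_id: str, timeline_title: str) -> Dict[str, Any]:
    """Create-rule payload for POST /api/detection_engine/rules that assigns a
    saved timeline template via timeline_id/timeline_title. The registry path is
    a constructed sample; index includes logs-* so the template can reach logs."""
    return {
        "name": "Registry change under watched path (example)",
        "description": "Constructed example rule carrying a timeline template.",
        "type": "query",
        "language": "kuery",
        "index": ["logs-*"],
        "query": 'event.category:"registry" and registry.path:"HKLM\\\\SOFTWARE\\\\Example\\\\*"',
        "severity": "medium",
        "risk_score": 47,
        "timeline_id": timeline_id,
        "timeline_title": timeline_title,
    }

def get_field(doc: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted ECS path such as user.name inside a nested document."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def render_template(kql: str, alert: Dict[str, Any]) -> str:
    """Fill each {field} placeholder with the alert's value, which is what the
    'Investigate in timeline' action does once the template is assigned to the
    rule. A field the alert lacks raises rather than leaving a literal
    placeholder in the query."""
    def sub(m: re.Match) -> str:
        value = get_field(alert, m.group(1))
        if value is None:
            raise KeyError(f"alert has no value for template field {m.group(1)}")
        return str(value).replace('"', '\\"')
    return PLACEHOLDER.sub(sub, kql)

# Constructed alert document with the two fields the template references.
SAMPLE_ALERT = {"user": {"name": "jdoe"}, "host": {"name": "srv-01"}}
RENDERED = render_template(TEMPLATE_KQL, SAMPLE_ALERT)  # -> user.name: "jdoe" and host.name: "srv-01"
```

Opening the template directly from an alert, without it being assigned to the rule, leaves the placeholders unfilled, which is the all-logs result described earlier in the thread.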
Hi @Sergi_Massaneda_Dona ,
It worked! Thank you very much!
The missing piece was to assign the template to a rule (so far I did not assign it, so I opened it every time from the alert itself and the filters were not applied).
Thank you so much for your help!