elasticmachine
commented
1 year ago Pinging @elastic/security-solution (Team: SecuritySolution)
Open rylnd opened 1 year ago
elasticmachine
commented
1 year ago Pinging @elastic/security-solution (Team: SecuritySolution)
Summary
When leveraging a detection rule with a timestamp override, there are some missing features related to threat hunting. This issue describes the (proposed) relationship between an alert's time fields and timeline's time-filtering functionality.
Proposed Feature
As a Threat Hunter In order to investigate an alert with an overridden time field I want timeline to respect my chosen time field when finding alerts and related events
Currently, timeline assumes
@timestampis the correct time field, and builds an appropriate range filter ([@timestamp - 65m, @timestamp]). While this works in cases where the original event's timestamp is within that window, manual changes are required to update the range if the "@timestamp/override drift" is greater than that 65m. Ideally, timeline should be able to leverage knowledge of the override (and potentially the "Do not use @timestamp as a fallback timestamp field" option) to create a streamlined threat hunting experience.