Attack Timeline
The Attack Timeline feature analyzes the events and flows that are associated with an offense in IBM QRadar and creates milestones that represent important changes or new occurrences during the progression of the attack.
The Attack Timeline feature provides a chronological view of the significant events in an attack, helping security analysts understand the full progression of an offense. The feature automatically identifies and displays critical milestones, reducing the time needed for manual correlation and investigation.
Key capabilities
The Attack Timeline feature offers the following capabilities:
- Timeline view: Displays a clear, visual sequence of the attack progression, allowing analysts to map the full journey in less time than manual correlation workflows require.
- Milestone detection: Automatically flags key events and flows as critical milestones using six analytic fields: Source IP, Destination IP, Username, Rule, Log Source, and Flow Source. This marking identifies the pivotal moments in each attack for focused investigation.
- Deep correlation: Links related events and flows to show the depth of an attack, correlating hundreds of raw data points into a much smaller set of milestones per offense.
- Progressive loading: Milestones load in batches (100 initially, then 50 at a time) for optimal performance, allowing analysts to start an investigation immediately while more data loads in the background.
- Advanced filtering: Multi-criteria filtering with real-time statistics enables rapid narrowing of the investigation scope across multiple attributes.
- Bookmark management: Save and quickly access critical milestones for reference and reporting.
- Flexible search: Global search across all milestone data, plus category-specific filtering for precise investigation.
- Copy functionality: Export milestone information for documentation and incident reporting.
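As an added illustration (not QRadar's own code or detection logic), the following Python models the two mechanisms listed above: a record becomes a milestone when it introduces a value not previously seen in one of the six analytic fields, and the resulting list is served in the 100-then-50 batches of progressive loading. The field names, rule names and sample records are constructed for this example.

```python
from itertools import islice

# The six analytic fields the page names. Treating the first appearance of a
# new value in any of them as a milestone is this example's own simplification,
# not QRadar's actual detection logic.
ANALYTIC_FIELDS = ("source_ip", "destination_ip", "username",
                   "rule", "log_source", "flow_source")

def detect_milestones(records):
    """Return the records (events or flows) that introduce a value not seen
    before in an analytic field, in time order, tagged with the fields that
    were new. Repeated activity produces no milestone."""
    seen = {field: set() for field in ANALYTIC_FIELDS}
    milestones = []
    for rec in sorted(records, key=lambda r: r["time"]):
        new_fields = []
        for field in ANALYTIC_FIELDS:
            value = rec.get(field)  # flows lack username/rule, events lack flow_source
            if value is not None and value not in seen[field]:
                seen[field].add(value)
                new_fields.append(field)
        if new_fields:
            milestones.append({**rec, "new_in": new_fields})
    return milestones

def batches(milestones, first=100, then=50):
    """Yield milestones in the progressive-loading sizes the page describes:
    one initial batch, then smaller batches until the list is exhausted."""
    it = iter(milestones)
    size = first
    while chunk := list(islice(it, size)):
        yield chunk
        size = then

# Constructed sample offense: repeated failed logons, a success, then a new flow.
SAMPLE_RECORDS = [
    {"time": 1, "source_ip": "10.0.0.5", "destination_ip": "10.0.0.20",
     "username": "alice", "rule": "Login Failure", "log_source": "AD-DC1"},
    {"time": 2, "source_ip": "10.0.0.5", "destination_ip": "10.0.0.20",
     "username": "alice", "rule": "Login Failure", "log_source": "AD-DC1"},
    {"time": 3, "source_ip": "10.0.0.5", "destination_ip": "10.0.0.20",
     "username": "alice", "rule": "Login Success After Failures",
     "log_source": "AD-DC1"},
    {"time": 4, "source_ip": "10.0.0.20", "destination_ip": "10.0.0.31",
     "flow_source": "NetFlow-Core"},
    {"time": 5, "source_ip": "10.0.0.20", "destination_ip": "10.0.0.31",
     "flow_source": "NetFlow-Core"},
]
```

Running `detect_milestones(SAMPLE_RECORDS)` keeps only records 1, 3 and 4: the repeats at times 2 and 5 add nothing new to any field, which is the reduction from raw data points to milestones that the deep-correlation item describes.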
User interface components
The Attack Timeline interface includes the following components:
| Component | Description |
|---|---|
| Header section | Contains the offense ID, milestone count, and refresh icon. The refresh icon regenerates the entire timeline with the latest data. |
| Bookmark icon | Toggles between showing all milestones or only bookmarked ones. |
| Toggle icon | Shows or hides the filter panel. |
| Filter panel | Filters milestones based on selected categories. You can select multiple checkboxes from different categories to filter the milestones. Click the show more link to see more values for a particular category. The clear all link clears all active filters. |
| Milestone cards | Display milestones in chronological order. Each card includes: |
| More details section | Displays all available attributes for the selected milestone, including Source IP, Destination IP, Username, Hostname, Log Source, Flow Source, Rule Name, URL, File Name, File Hash, Category, Source MAC, Destination MAC, and any other available attributes. |
System requirements
The Attack Timeline feature requires the following:
- QRadar 7.6.0 or later
- One of the following browsers:
  - Mozilla Firefox (latest version)
  - Google Chrome (latest version)
  - Microsoft Edge (latest version)
User permissions
To use the Attack Timeline feature, you need specific permissions based on the action you want to perform.
- Generating milestones: You must have at least one of these capabilities:
  - Full administrative access
  - SaaS administrative access
  - Security Event Manager access
  - Events access if the offense contains events
  - Flows access if the offense contains flows
  - Both Events and Flows access if the offense contains both events and flows
  - Security Profile assignment
  - Domain or Tenant association
- Viewing milestones: You must have at least one of these capabilities:
  - Full administrative access
  - SaaS administrative access
  - Security Event Manager access
  - Milestones from your security profile
  - Milestones for offenses you have permission to view