Attack Timeline

The Attack Timeline feature analyzes the events and flows that are associated with an offense in IBM QRadar and creates milestones that represent important changes or new occurrences as the attack progresses.

The feature provides a chronological view of the significant events in an attack, helping security analysts understand the full progression of an offense. It automatically identifies and displays critical milestones, which reduces the time that analysts spend on manual correlation and investigation.

Key capabilities

The Attack Timeline feature offers the following capabilities:

Timeline view
Displays a clear, visual sequence of the attack progression so that analysts can map the full course of the attack in less time than a manual correlation workflow requires.
Milestone detection
Automatically flags key events and flows as critical milestones by using six analytic fields: Source IP, Destination IP, Username, Rule, Log Source, and Flow Source. This marking identifies the pivotal moments of each attack for focused investigation.
Deep correlation
Links related events and flows to show the depth of the attack, correlating hundreds of raw data points down to the milestones of each offense.
Progressive loading
Milestones load in batches (100 initially, then 50 at a time) for optimal performance, so analysts can start investigating immediately while more data loads in the background.
Advanced filtering
Multi-criteria filtering with real-time statistics quickly narrows the scope of an investigation across multiple attributes.
Bookmark management
Saves critical milestones so that you can return to them quickly for reference and reporting.
Flexible search
Global search across all milestone data, plus category-specific filtering, for precise investigation.
Copy functionality
Exports milestone information for documentation and incident reporting.
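The milestone logic outlined under Milestone detection, Progressive loading, and Advanced filtering, shown as an added Python example that is not QRadar's own code: it walks an offense's records in time order, marks a record as a milestone the first time any of the six tracked fields carries a value not seen earlier in that offense, serves the milestones in batches of 100 and then 50, and applies a multi-criteria filter. The record layout, field names, rule names, and the four sample records are constructed for this illustration.

```python
# Added example: milestone detection, progressive loading and multi-criteria
# filtering as the Attack Timeline description outlines them. This is an
# illustration written for this page, not QRadar's own implementation; the
# record layout, field names and sample events below are constructed.
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# The six analytic fields the feature tracks.
TRACKED_FIELDS = ("source_ip", "destination_ip", "username",
                  "rule", "log_source", "flow_source")


@dataclass
class Milestone:
    timestamp: str
    record: Dict[str, str]
    new_fields: Tuple[str, ...]   # tracked fields whose value first appeared here
    bookmarked: bool = False


def detect_milestones(records: List[Dict[str, str]]) -> List[Milestone]:
    """Walk the offense's records in chronological order and emit a
    Milestone whenever a tracked field carries a value not seen earlier
    in the offense. Records that only repeat known values are skipped,
    which is how hundreds of raw events collapse into a few milestones."""
    seen = {f: set() for f in TRACKED_FIELDS}
    milestones = []
    # Assumption: ISO 8601 timestamps in UTC, which sort correctly as strings.
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        new_fields = []
        for f in TRACKED_FIELDS:
            value = rec.get(f)
            if value is not None and value not in seen[f]:
                seen[f].add(value)
                new_fields.append(f)
        if new_fields:
            milestones.append(Milestone(rec["timestamp"], rec, tuple(new_fields)))
    return milestones


def batches(milestones: List[Milestone], first: int = 100,
            then: int = 50) -> Iterator[List[Milestone]]:
    """Progressive loading: the first batch is larger so investigation can
    start immediately; later, smaller batches load behind it."""
    if milestones[:first]:
        yield milestones[:first]
    for start in range(first, len(milestones), then):
        yield milestones[start:start + then]


def filter_milestones(milestones: List[Milestone],
                      **criteria) -> List[Milestone]:
    """Multi-criteria filter: each keyword names a tracked field and gives
    the set of accepted values; a milestone passes only if it matches all."""
    return [m for m in milestones
            if all(m.record.get(f) in allowed for f, allowed in criteria.items())]


# Constructed sample: four records from one offense (not real data).
SAMPLE_RECORDS = [
    {"timestamp": "2024-01-01T10:00:00Z", "source_ip": "10.0.0.5",
     "destination_ip": "10.0.0.20", "username": "alice",
     "rule": "Multiple Login Failures", "log_source": "LinuxServer @ host1"},
    # Repeats every known value, so it is not a milestone.
    {"timestamp": "2024-01-01T10:00:30Z", "source_ip": "10.0.0.5",
     "destination_ip": "10.0.0.20", "username": "alice",
     "rule": "Multiple Login Failures", "log_source": "LinuxServer @ host1"},
    # New username and new rule: the account switch is a milestone.
    {"timestamp": "2024-01-01T10:05:00Z", "source_ip": "10.0.0.5",
     "destination_ip": "10.0.0.20", "username": "root",
     "rule": "Successful Login After Failures", "log_source": "LinuxServer @ host1"},
    # A flow with a new source, destination, rule and flow source.
    {"timestamp": "2024-01-01T10:07:00Z", "source_ip": "10.0.0.20",
     "destination_ip": "10.0.0.30", "rule": "Lateral Movement",
     "flow_source": "QFlow01"},
]


if __name__ == "__main__":
    for m in detect_milestones(SAMPLE_RECORDS):
        # The red circle marks the fields that appear for the first time here.
        marks = ", ".join(f"● {f}={m.record[f]}" for f in m.new_fields)
        print(m.timestamp, marks)
```

Run stand-alone, the script prints three milestones for the four sample records: the second record repeats values already seen and is dropped, which is the behaviour that keeps the timeline short even when an offense contains hundreds of events.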

User interface components

The Attack Timeline interface includes the following components:

Header section
Contains the offense ID, the milestone count, and a refresh icon. The refresh icon regenerates the entire timeline with the latest data.
Bookmark icon
Toggles between showing all milestones and showing only bookmarked milestones.
Toggle icon
Shows or hides the filter panel.
Filter panel
Filters milestones by the selected categories. You can select multiple checkboxes from different categories to combine filters. Click the show more link to see more values for a category. The clear all link removes all active filters.
Milestone cards
Display milestones in chronological order. Each card includes:
  • A red circle (●) that marks the first appearance of a tracked field value
  • A bookmark icon that is empty when the milestone is not bookmarked and filled when it is
  • A copy icon that copies the visible milestone information
  • A white border when the milestone is selected
More details section
Displays all available attributes for the selected milestone, including Source IP, Destination IP, Username, Hostname, Log Source, Flow Source, Rule Name, URL, File Name, File Hash, Category, Source MAC, Destination MAC, and any other available attributes.

System requirements

The Attack Timeline feature requires the following:

  • QRadar 7.6.0 or later
  • One of the following browsers:
    • Mozilla Firefox (latest version)
    • Google Chrome (latest version)
    • Microsoft Edge (latest version)

User permissions

To use the Attack Timeline feature, you need specific permissions, depending on the action that you want to perform.

Generating milestones

You must have at least one of these capabilities:
  • Full administrative access
  • SaaS administrative access
  • Security Event Manager access

You must also have valid event or flow access:
  • Events access if the offense contains events
  • Flows access if the offense contains flows
  • Both Events and Flows access if the offense contains both events and flows

You must have access to the offense based on:
  • Security Profile assignment
  • Domain or Tenant association

Viewing milestones

You must have at least one of these capabilities:
  • Full administrative access
  • SaaS administrative access
  • Security Event Manager access

You can view only:
  • Milestones from your security profile
  • Milestones for offenses that you have permission to view