Using Attack Timeline
Use the Attack Timeline feature to investigate offenses by viewing chronological milestones, filtering events, and bookmarking important findings.
Before you begin
You must have access to the Offenses tab in IBM QRadar.
About this task
The Attack Timeline provides a chronological view of offense milestones. You can browse, filter, and bookmark milestones to investigate security incidents effectively.
Procedure
- Open the Attack Timeline.
  - Click Offenses in the QRadar application.
  - Click an offense to view its details.
  - In the toolbar, click the Attack Timeline button, which is located just before the Offense Summary.
  The system initiates milestone generation. Initial milestones appear while more milestones load progressively.
  First-time generation might take longer for large offenses. You can start investigating as soon as the first batch of milestones appears.
  Previously generated milestones load immediately on subsequent opens.
  Use the refresh icon to regenerate milestones from scratch.
- Browse the timeline by using one of the following methods:
  - Use your mouse wheel or trackpad to scroll left or right through the timeline.
  - Drag the scrollbar at the end of the timeline.
  - Click any milestone card to view its details in the More Details section.
  Milestones display in chronological order. When you scroll toward the end of visible milestones, the system automatically loads the next 50 milestones for seamless continuation.
- Filter milestones by using one or more of the following methods:
  - To use global search, click in the global search box and type a search term such as an IP address, username, or hostname.
    The timeline filters automatically as you type, and the milestone count updates to show matches. Clear the search box to remove the filter.
  - To use category filters, expand the wanted filter category and select the checkboxes for values to include.
    The timeline updates immediately, and the milestone count shows the filtered total.
  - To combine filters, select values from multiple categories.
    All selected filters must match (AND logic). Within a category, any value can match (OR logic). Filter statistics update to show available options.
  - To clear filters, click Clear All to remove all filters or clear individual boxes to remove specific filters.
    The timeline reloads with all milestones.
- Optional: To refresh milestones, click the refresh icon in the header.
  Milestones regenerate from scratch.
- Optional: Bookmark milestones for quick reference.
  - To add a bookmark, locate the milestone and click the bookmark icon on the milestone card or in the More Details panel.
    The icon changes to a filled state, and a notification confirms "Bookmark added".
  - To view bookmarked milestones, click the Show Bookmark link in the filter panel.
    The timeline displays only bookmarked milestones, and the milestone count updates (for example, "Showing 5 of 150 milestones"). The link changes to Hide Bookmark.
  - To return to the full view, click Hide Bookmark.
    The timeline shows all milestones, and the milestone count returns to the total.
  - To remove a bookmark, click the filled bookmark icon on the milestone card.
    The icon changes to an empty state, and a notification confirms "Bookmark removed". If you are in the bookmarked view, the milestone disappears from the timeline.
  Bookmarks are stored in the browser's local storage. They persist across browser sessions and are organized by offense ID. Bookmarks are not shared between users or browsers. They remain until you manually delete them or clear browser data.
- Optional: Use the menu for quick actions.
  - Right-click any attribute in a milestone card.
    A menu appears with the following actions:
    - Filter by value: Applies a filter for the clicked attribute, adds it to existing filters, and updates the timeline immediately. This is useful for investigating related milestones.
    - Copy value: Copies only the specific attribute value.
    - Bookmark milestone: Toggles the bookmark state, the same as clicking the bookmark icon. This is convenient when you are already right-clicking for other actions.
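The combined-filter behavior from the filter step (AND across categories, OR within a category, with the milestone count and filter statistics updating), modeled as an added example that is not IBM's code. The milestone records and field names (`source_ip`, `username`, `category`) are constructed for illustration, and excluding a milestone that lacks a selected attribute is an assumption.

```python
from collections import Counter

# Constructed sample milestones; field names are hypothetical, not QRadar's schema.
MILESTONES = [
    {"id": 1, "source_ip": "10.0.0.5", "username": "alice", "category": "Authentication"},
    {"id": 2, "source_ip": "10.0.0.5", "username": "bob", "category": "Malware"},
    {"id": 3, "source_ip": "10.0.0.9", "username": "alice", "category": "Malware"},
    {"id": 4, "source_ip": "10.0.0.7", "category": "Exfiltration"},  # no username attribute
]


def filter_milestones(milestones, selected):
    """Keep milestones that match every category with selections (AND);
    within one category, any selected value is enough (OR)."""
    active = {cat: set(vals) for cat, vals in selected.items() if vals}
    return [
        m for m in milestones
        # A milestone without the attribute cannot match (assumption).
        if all(m.get(cat) in vals for cat, vals in active.items())
    ]


def filter_statistics(milestones, categories):
    """Count the values still available per category in a filtered set."""
    return {
        cat: Counter(m[cat] for m in milestones if cat in m)
        for cat in categories
    }


def count_label(shown, total):
    """Build the milestone count text in the format the page quotes."""
    return f"Showing {len(shown)} of {len(total)} milestones"


if __name__ == "__main__":
    # Two values in one category widen the match; a second category narrows it.
    selection = {"source_ip": {"10.0.0.5", "10.0.0.9"}, "username": {"alice"}}
    shown = filter_milestones(MILESTONES, selection)
    print(count_label(shown, MILESTONES))
    print(filter_statistics(shown, ["source_ip", "username", "category"]))
```

Selecting a value in any category hides milestones that carry no value for that attribute, so clear the filters before concluding that an entity has no related activity.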