Investigate security events
When Elastic Security's detection engine creates an alert, you need to understand what happened: the threat's scope, root cause, and impact. Elastic Security provides a range of tools for this purpose, from an interactive event workspace and forensic visualizers to live host interrogation and collaborative case management.
Together, these tools let you move from a single alert to a complete picture of an incident without leaving Kibana. You can correlate events across data sources in Timeline, trace process execution chains with the visual event analyzer, inspect running hosts with Osquery, and document findings in cases and notes. AI chat can help you interpret alerts, generate queries, and suggest next steps throughout your investigations.
| Your goal | Start here |
|---|---|
| Investigate an alert or hunt for threats | Timeline |
| Trace a process to its root cause | Visual event analyzer |
| Review a Linux session for suspicious activity | Session View |
| Audit live host state during an incident | Osquery → Run live queries from alerts |
| Correlate alerts with known threat intelligence | Indicators of compromise |
| Track and coordinate an incident across your team | Cases |
| Identify coordinated attacks across many alerts | Attack discovery |
| Use AI to accelerate your investigation | AI chat |
Investigation typically progresses from initial triage to documented resolution:
- Triage the alert. The detection engine generates an alert. You open it to review the alert details, severity, and affected entities. Attack discovery can help you prioritize by identifying coordinated attacks that span multiple alerts.
- Explore context in Timeline. Add the alert to a Timeline and query related events using KQL, EQL, or ES|QL. Correlate data across hosts, users, and network activity to understand the broader event sequence.
- Dive into forensic detail. Use the visual event analyzer to inspect the process tree that led to the alert, or use Session View to review full Linux sessions, including terminal output and user activity.
- Interrogate the live environment. Run Osquery against affected hosts to check running processes, open ports, installed software, and other OS-level context that helps confirm or rule out compromise.
- Cross-reference threat intelligence. Check indicators of compromise to learn whether observed artifacts (IPs, domains, file hashes) match known threats.
- Document and collaborate. Attach your findings to notes on alerts and events, and organize everything in a case. Cases integrate with external ticketing systems like Jira and ServiceNow for cross-team coordination.
Chatting with AI can accelerate any stage of this workflow by helping you interpret alert data, generate queries, and suggest next steps.
Timeline is the central workspace for investigations and threat hunting. You can add alerts from multiple indices, drag fields from tables and histograms across the Elastic Security app, and build complex queries using KQL, EQL, or ES|QL. Use the Correlation tab to write EQL sequence queries that reveal ordered attack patterns across event categories, or use the ES|QL tab for flexible, pipe-based data exploration.
You can also create Timeline templates and attach them to detection rules so alerts automatically open with the right filters.
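As an added illustration (not from the original page or Elastic's own docs) of the kind of EQL sequence query the Correlation tab is built for, the query below joins two event categories on the same host and process: an Office application spawning a child process, followed within two minutes by that child opening a connection to a non-private address. Field names follow ECS as shipped by Elastic Agent and Elastic Defend; the exact `event.type` values and the maxspan window are assumptions to tune for your environment.

```eql
// Added example: ordered two-stage pattern across the process and network categories.
// Stage 1: a child process is started by a common document-handling application.
// Stage 2: the same child (matched on process.entity_id) starts an outbound
//          connection to an address outside RFC 1918 ranges.
// Both stages must occur on the same host (host.id) within 2 minutes.
sequence by host.id with maxspan=2m
  [process where event.type == "start" and
     process.parent.name in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")]
  by process.entity_id
  [network where event.type == "start" and
     not cidrMatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
  by process.entity_id
```

Run it from the Correlation tab to see both matched events grouped as one sequence row, then pivot on `process.entity_id` in the visual event analyzer to walk the rest of the process tree.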
Attack discovery uses large language models to analyze alerts in your environment and identify threats spanning multiple alerts. Each discovery describes relationships among alerts, maps them to the MITRE ATT&CK matrix, identifies involved users and hosts, and suggests which threat actor might be responsible. Use Attack discovery to reduce alert fatigue, prioritize the incidents that matter most, and shorten your mean time to respond.
The visual event analyzer displays a graphical, process-based timeline of events that preceded an alert and events that followed it. Each node represents a process, and you can expand the tree to examine child processes, associated alerts, and related events. This is particularly useful for understanding lateral movement, privilege escalation, and multi-stage attacks.
Session View presents Linux process data in a terminal-inspired, tree-like display organized by parentage and execution time. It shows interactive and non-interactive processes, user information (including privilege escalation), process and network alerts in context, and captured terminal output.
Osquery lets you query operating systems like a database using SQL. Run live queries against one or more hosts to inspect processes, files, network connections, installed packages, and hundreds of other OS-level attributes. You can also schedule query packs to capture changes over time, save queries to build a reusable library, and run live queries directly from alerts or investigation guides to streamline triage.
The Indicators page collects data from your enabled threat intelligence feeds and provides a centralized view of indicators of compromise (IoCs). Use it to search, filter, and examine indicator details, then cross-reference them with your investigation data. Indicators integrate with indicator match rules in the detection engine to automatically surface alerts when known threats appear in your environment.
Cases let you track incidents, attach alerts and events, document findings, and collaborate with your SOC team in one place. You can link Timelines to preserve investigation context, attach threat intelligence indicators, and view metrics that summarize alert scope and response times. Cases integrate with Jira, ServiceNow, and IBM Resilient so you can escalate and track incidents across your security workflow.
Notes let you attach written findings to individual alerts, events, and Timelines. Use notes to document what you've observed, coordinate with other analysts, and build a record of investigative reasoning that persists alongside your data. You can manage all notes from the Notes page, where you can search, filter, and review notes across your investigations.
Several other Elastic Security features complement these investigation tools:
- AI chat helps you interpret alerts, generate queries, and get contextual guidance throughout your investigation.
- Entity analytics provides risk scores and behavioral anomaly detection for hosts, users, and services, giving you additional context when evaluating the significance of an alert.
- ES|QL for security describes how to use the Elasticsearch Query Language across the Elastic Security app, including in Timeline.