IDR Integration with Sigma / YARA for standardised log queries

Well that answered my question! :slight_smile:

Thank you.

However, when trying to view a “timeline” in log search when querying “Endpoint Activity”, it’s not a very easy thing to do, especially with all the scrolling.

If you have any good tips on a better way to look at the “Endpoint Activity” logs as a whole to get a decent timeline, please please please share.

It depends on what you would like to visualize, but for instance, if you wanted to see which machines were sending off the most events and of which event type, you could select the Endpoint Activity → Sysmon log and run

groupby("hostname", "event_id") limit(10000) timeslice(1h)

If you were to select Endpoint Activity → Process Start Events, you might want to visualize which processes are running, and on how many unique machines, such as

groupby("process.name") calculate(unique:hostname) limit(10000) timeslice(1h)

David

Thanks David.

I get all that; however, I’m talking more about investigating one host and getting a clear timeline leveraging Sysmon.

I find myself exporting the last 6 hrs of all “Endpoint Activity” for the host in question and importing that CSV into Elastic, where I can easily perform my analysis.

A simple thing like in-line filtering would make a world of difference.

Hope this makes sense.
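Added worked example (not InsightIDR code, and not from David or the original poster): it reproduces locally what David's two queries compute, the per-host/per-event_id count per 1h timeslice and the unique-host count per process name, and then builds the single-host "last 6 hours" timeline with in-line filtering that the post above asks for, from a CSV export. The CSV here is constructed and its column names (timestamp, hostname, event_id, process_name) are assumptions; a real Endpoint Activity export uses its own headers, so adjust parse_rows to match.

```python
"""Local stand-in for the two LEQL aggregations and for a single-host timeline
built from an exported Endpoint Activity CSV. Added example, not InsightIDR code.
Column names in SAMPLE_CSV are hypothetical and will not match a real export."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (hypothetical column names, constructed values).
SAMPLE_CSV = """timestamp,hostname,event_id,process_name
2024-01-01T09:05:00Z,WS01,1,cmd.exe
2024-01-01T09:20:00Z,WS01,1,powershell.exe
2024-01-01T09:40:00Z,WS01,3,powershell.exe
2024-01-01T10:10:00Z,WS01,1,cmd.exe
2024-01-01T09:15:00Z,WS02,1,cmd.exe
2024-01-01T10:30:00Z,WS02,11,explorer.exe
2024-01-01T02:00:00Z,WS01,1,svchost.exe
"""

# Fixed "now" so the 6-hour window in the demo is reproducible (constructed).
REFERENCE_NOW = datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)


def parse_rows(text):
    """Parse the CSV into dicts with a timezone-aware datetime and an int event_id."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({
            "timestamp": ts,
            "hostname": r["hostname"],
            "event_id": int(r["event_id"]),
            "process_name": r["process_name"],
        })
    return rows


def timeslice(ts):
    """Bucket a timestamp into its 1-hour slice (the timeslice(1h) part of the query)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def host_event_counts(rows):
    """groupby("hostname", "event_id") timeslice(1h): event count per (slice, host, event_id)."""
    counts = Counter()
    for r in rows:
        counts[(timeslice(r["timestamp"]), r["hostname"], r["event_id"])] += 1
    return counts


def unique_hosts_per_process(rows):
    """groupby("process.name") calculate(unique:hostname): distinct hosts per process."""
    hosts = defaultdict(set)
    for r in rows:
        hosts[r["process_name"]].add(r["hostname"])
    return {p: len(h) for p, h in hosts.items()}


def filter_rows(rows, **criteria):
    """In-line filtering: keep rows whose fields equal every given key=value pair."""
    return [r for r in rows if all(r.get(k) == v for k, v in criteria.items())]


def host_timeline(rows, hostname, hours=6, now=None):
    """Chronological list of one host's events from the last `hours` hours."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(hours=hours)
    selected = [r for r in filter_rows(rows, hostname=hostname) if r["timestamp"] >= cutoff]
    return sorted(selected, key=lambda r: r["timestamp"])


def render_timeline(rows):
    """One line per event, e.g. '2024-01-01 09:05 event_id=1 cmd.exe'."""
    return [f"{r['timestamp']:%Y-%m-%d %H:%M} event_id={r['event_id']} {r['process_name']}"
            for r in rows]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for (slot, host, eid), n in sorted(host_event_counts(rows).items()):
        print(slot.isoformat(), host, eid, n)
    print(unique_hosts_per_process(rows))
    print("\n".join(render_timeline(host_timeline(rows, "WS01", now=REFERENCE_NOW))))
```

Swapping SAMPLE_CSV for a real export and passing the host in question to host_timeline gives the chronological view without leaving the CSV; filter_rows(rows, hostname="WS01", event_id=1) is the in-line filter step on its own.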

Can you give me an example of what you mean by in-line filtering?

One thing to note: we do have the option to hide unwanted keys in log search by clicking the settings cog to the right and selecting Edit Keys. This can help focus your eyes on the necessary data.

David