[Feature Request] Timeline View

[zpriddy]

Request Type

Feature Request

Problem Description

Talking to the team we came up with idea of a Timeline View in a case. This is a critical feature for IR. Originally I was looking at trying to hack my way though using tasks for this, but I thought that this should be a full feature request that would be make The Hive an even more critical tool.

The idea would be to add a new tab to the case view call Timeline
The timeline should show all actions taken on a case such as:

• Task log lines
• Updated descriptions
• Updated severity
• Merged alerts into a case
• Cortex analyzers ran
• Cortex responders ran
• Cortex results (For things line process logs in cortex, we should have an eventTime field - aka the time that the process was ran as well as a discoveryTime field - the time that the logs were retrieved by Cortex)

This view should be sortable by either the Event Time or Discovery Time. And each log line should be expandable to show you the full details of that action.

This would be useful to see a timeline of when things were discovered as well as being able to see the full event timeline as things happened before they were discovered.

I know this is a big ask and should probably be discussed, but it would be awesome to start the discussion around this idea and see what everyone's thoughts are.

[zpriddy]

This does look related to #84 (Didn't see that before but could be worth bringing up again) I also think the timeline should not be something that can be manually changed, but just pulls in data from the rest of the case into one spot.

[zpriddy]

It would be even better to have an export or connector to something like:
https://github.com/google/timesketch