Visualize Events Over Time in Time Chart

Track event frequency in 5-minute intervals using time chart visualization

This is a query example for the Events over time widget in the Summary Dashboard dashboard of the crowdstrike/siem-connector package.

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3["Expression"] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result
logscale
metadata.eventType!=ReconNotificationSummary*
| metadata.customerIDString = *
| timechart(span=5m, metadata.eventType)

Introduction

This widget creates a time chart visualization showing the distribution of events across 5-minute time intervals, excluding reconnaissance notifications.

In this widget, the timeChart() function is used to generate data for a time chart visualization, grouping events into 5-minute buckets to show their temporal distribution.

Example incoming data might look like this:

@timestamp#repo#type@id@ingesttimestamp@rawstring@timestamp.nanos@timezoneevent.ComputerNameevent.DetectDescriptionevent.DetectNameevent.LocalIPevent.Objectiveevent.SensorIdevent.SeverityNameevent.Tacticevent.Techniqueevent.UserNamemetadata.customerIDStringmetadata.eventCreationTimemetadata.eventType
2026-01-12T10:22:45auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_300_17682133652026-01-12T10:22:45{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365060", "customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"SeverityName":"Medium", "DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-WEB01","UserName":"adamsb","SensorId":"b2c3d4e5f6g7h8i9j0k1","LocalIP":"192.168.2.143","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-WEB01Detected suspicious PowerShell command execution with encoded argumentsSuspicious PowerShell Command Line192.168.2.143Command and Controlb2c3d4e5f6g7h8i9j0k1MediumExecutionT1059.001 - PowerShelladamsba1b2c3d4e5f6g7h8i9j01768213365060DetectionSummaryEvent
2026-01-12T10:22:45auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_301_17682133652026-01-12T10:22:46{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365928", "customerIDString":"c3d4e5f6g7h8i9j0k1l2" }, "event":{"SeverityName":"Low", "DetectName":"Suspicious Registry Modification","ComputerName":"PROD-APP02","UserName":"andersonk","SensorId":"d4e5f6g7h8i9j0k1l2m3","LocalIP":"192.168.0.87","Tactic":"Credential Access","Technique":"T1003.001 - LSASS Memory","DetectDescription":"Detected potential credential dumping from LSASS memory","Objective":"Credential Theft"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-APP02Detected potential credential dumping from LSASS memorySuspicious Registry Modification192.168.0.87Credential Theftd4e5f6g7h8i9j0k1l2m3LowCredential AccessT1003.001 - LSASS Memoryandersonkc3d4e5f6g7h8i9j0k1l21768213365928DetectionSummaryEvent
2026-01-12T10:22:46auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_302_17682133662026-01-12T10:22:47{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213366748", "customerIDString":"e5f6g7h8i9j0k1l2m3n4" }, "event":{"SeverityName":"High", "DetectName":"Credential Dumping via Mimikatz","ComputerName":"PROD-DB01","UserName":"bakerm","SensorId":"f6g7h8i9j0k1l2m3n4o5","LocalIP":"192.168.3.211","Tactic":"Lateral Movement","Technique":"T1021.002 - SMB/Windows Admin Shares","DetectDescription":"Detected suspicious access to administrative shares","Objective":"Internal Reconnaissance"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-DB01Detected suspicious access to administrative sharesCredential Dumping via Mimikatz192.168.3.211Internal Reconnaissancef6g7h8i9j0k1l2m3n4o5HighLateral MovementT1021.002 - SMB/Windows Admin Sharesbakerme5f6g7h8i9j0k1l2m3n41768213366748DetectionSummaryEvent
2026-01-12T10:22:47auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_303_17682133672026-01-12T10:22:48{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213367566", "customerIDString":"g7h8i9j0k1l2m3n4o5p6" }, "event":{"SeverityName":"Critical", "DetectName":"Suspicious Service Creation","ComputerName":"PROD-FILE01","UserName":"blackj","SensorId":"h8i9j0k1l2m3n4o5p6q7","LocalIP":"192.168.1.54","Tactic":"Defense Evasion","Technique":"T1078.002 - Domain Accounts","DetectDescription":"Detected authentication using potentially compromised domain account","Objective":"Privilege Escalation"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-FILE01Detected authentication using potentially compromised domain accountSuspicious Service Creation192.168.1.54Privilege Escalationh8i9j0k1l2m3n4o5p6q7CriticalDefense EvasionT1078.002 - Domain Accountsblackjg7h8i9j0k1l2m3n4o5p61768213367566DetectionSummaryEvent
2026-01-12T10:22:48auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_304_17682133682026-01-12T10:22:49{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213368386", "customerIDString":"i9j0k1l2m3n4o5p6q7r8" }, "event":{"SeverityName":"Medium", "DetectName":"Lateral Movement via WMI","ComputerName":"PROD-SQL01","UserName":"brownr","SensorId":"j0k1l2m3n4o5p6q7r8s9","LocalIP":"192.168.4.198","Tactic":"Persistence","Technique":"T1053.005 - Scheduled Task","DetectDescription":"Detected suspicious scheduled task creation for persistence","Objective":"Persistence Establishment"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-SQL01Detected suspicious scheduled task creation for persistenceLateral Movement via WMI192.168.4.198Persistence Establishmentj0k1l2m3n4o5p6q7r8s9MediumPersistenceT1053.005 - Scheduled Taskbrownri9j0k1l2m3n4o5p6q7r81768213368386DetectionSummaryEvent

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3["Expression"] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    metadata.eventType!=ReconNotificationSummary*

    Filters out events where metadata.eventType matches ReconNotificationSummary.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3["Expression"] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | metadata.customerIDString = *

    Further filters to include only events that have a metadata.customerIDString field.

  4. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3["Expression"] result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 3 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | timechart(span=5m, metadata.eventType)

    Creates a time chart by organizing events into 5-minute intervals using span=5m, grouping by metadata.eventType to show event frequency over time.

  5. Event Result set.

Summary and Results

The widget creates a time chart visualizing event frequency distribution across time intervals.

This widget is useful to identify temporal patterns in event occurrence and detect unusual spikes or gaps in event activity.

Sample output from the incoming example data:

_bucket_countmetadata.eventType
17682123000000DetectionSummaryEvent
17682126000000DetectionSummaryEvent
17682129000000DetectionSummaryEvent
1768213200000100DetectionSummaryEvent
17682120000000DetectionSummaryEvent

The output data is visualized in a time chart where event counts are plotted against 5-minute time buckets, showing the temporal distribution of events. Each time bucket (_bucket) shows the count of events for that specific 5-minute interval.

Example of a Events over Time widget