The behavior timeline displays instances where behavior models were triggered. When creating a behavior model, there is a checkbox to indicate whether an event should appear on the behavior timeline when triggered by the rule.
The chart at the top of the page indicates the total RiskScore at any time over the search window.
The facet on the left side can be used to filter events. There are five fields associated with a behavior rule that can be used for search filters: key, key type, behavior rule, behavior, and risks.
Clicking on the search icon redirects you to the events page and conducts a search using the name of the behavior alert and the alert's key as the search parameters.
The first value in the header is the name of the behavior model that triggered the alert. Beside this is the behavior type. In the middle of the header, the key is displayed, followed by the score associated with the alert. Below this are the risks that were triggered, in addition to their descriptions and values.
Click on the alert to expand it. This allows you to view all the associated fields and their corresponding values. Clicking the blue icon in the corner of the table opens the JSON data associated with the event.
Click the "Actions" button to open a menu with options for configuring different actions for this alert. Actions allow a user to set up a method of notification when certain alerts or behaviors are triggered. Clicking one of these options will redirect you to a configuration page for the indicated action option.