diff --git a/x-pack/plugins/security_solution/common/ecs/index.ts b/x-pack/plugins/security_solution/common/ecs/index.ts
index ff21ebc5ef973..e31d42b02f80b 100644
--- a/x-pack/plugins/security_solution/common/ecs/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/index.ts
@@ -27,52 +27,28 @@ import { SystemEcs } from './system';
 
 export interface Ecs {
   _id: string;
-
   _index?: string;
-
   auditd?: AuditdEcs;
-
   destination?: DestinationEcs;
-
   dns?: DnsEcs;
-
   endgame?: EndgameEcs;
-
   event?: EventEcs;
-
   geo?: GeoEcs;
-
   host?: HostEcs;
-
   network?: NetworkEcs;
-
   rule?: RuleEcs;
-
   signal?: SignalEcs;
-
   source?: SourceEcs;
-
   suricata?: SuricataEcs;
-
   tls?: TlsEcs;
-
   zeek?: ZeekEcs;
-
   http?: HttpEcs;
-
   url?: UrlEcs;
-
   timestamp?: string;
-
   message?: string[];
-
   user?: UserEcs;
-
   winlog?: WinlogEcs;
-
   process?: ProcessEcs;
-
   file?: File;
-
   system?: SystemEcs;
 }
diff --git a/x-pack/plugins/security_solution/common/search_strategy/common/index.ts b/x-pack/plugins/security_solution/common/search_strategy/common/index.ts
new file mode 100644
index 0000000000000..0576871a2bf81
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/common/index.ts
@@ -0,0 +1,119 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchResponse } from '../../../../../../src/plugins/data/common';
+
+export type Maybe<T> = T | null;
+
+export type SearchHit = IEsSearchResponse<object>['rawResponse']['hits']['hits'][0];
+
+export interface TotalValue {
+  value: number;
+  relation: string;
+}
+
+export interface Inspect {
+  dsl: string[];
+}
+
+export interface PageInfoPaginated {
+  activePage: number;
+  fakeTotalCount: number;
+  showMorePagesIndicator: boolean;
+}
+
+export interface CursorType {
+  value?: Maybe<string>;
+  tiebreaker?: Maybe<string>;
+}
+
+export enum Direction {
+  asc = 'asc',
+  desc = 'desc',
+}
+
+export interface SortField<Field = string> {
+  field: Field;
+  direction: Direction;
+}
+
+export interface TimerangeInput {
+  /** The interval string to use for last bucket. The format is '{value}{unit}'. For example '5m' would return the metrics for the last 5 minutes of the timespan. */
+  interval: string;
+  /** The end of the timerange */
+  to: string;
+  /** The beginning of the timerange */
+  from: string;
+}
+
+export interface PaginationInput {
+  /** The limit parameter allows you to configure the maximum amount of items to be returned */
+  limit: number;
+  /** The cursor parameter defines the next result you want to fetch */
+  cursor?: Maybe<string>;
+  /** The tiebreaker parameter allow to be more precise to fetch the next item */
+  tiebreaker?: Maybe<string>;
+}
+
+export interface PaginationInputPaginated {
+  /** The activePage parameter defines the page of results you want to fetch */
+  activePage: number;
+  /** The cursorStart parameter defines the start of the results to be displayed */
+  cursorStart: number;
+  /** The fakePossibleCount parameter determines the total count in order to show 5 additional pages */
+  fakePossibleCount: number;
+  /** The querySize parameter is the number of items to be returned */
+  querySize: number;
+}
+
+export interface DocValueFields {
+  field: string;
+  format: string;
+}
+
+export interface Explanation {
+  value: number;
+  description: string;
+  details: Explanation[];
+}
+
+export interface TotalValue {
+  value: number;
+  relation: string;
+}
+export interface ShardsResponse {
+  total: number;
+  successful: number;
+  failed: number;
+  skipped: number;
+}
+
+export interface TotalHit {
+  value: number;
+  relation: string;
+}
+
+export interface Hit {
+  _index: string;
+  _type: string;
+  _id: string;
+  _score: number | null;
+}
+
+export interface Hits<T, U> {
+  hits: {
+    total: T;
+    max_score: number | null;
+    hits: U[];
+  };
+}
+
+export interface GenericBuckets {
+  key: string;
+  doc_count: number;
+}
+
+export type StringOrNumber = string | number;
diff --git a/x-pack/plugins/security_solution/common/search_strategy/index.ts b/x-pack/plugins/security_solution/common/search_strategy/index.ts
new file mode 100644
index 0000000000000..cff9f4ca2f029
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/index.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+export * from './common';
+export * from './security_solution';
+export * from './timeline';
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/all/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/all/index.ts
index 91a53066b4f4b..5ddcd8da30efb 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/all/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/all/index.ts
@@ -7,7 +7,8 @@
 import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
 
 import { HostItem, HostsFields } from '../common';
-import { CursorType, Inspect, Maybe, PageInfoPaginated, RequestOptionsPaginated } from '../..';
+import { CursorType, Inspect, Maybe, PageInfoPaginated } from '../../../common';
+import { RequestOptionsPaginated } from '../..';
 
 export interface HostsEdges {
   node: HostItem;
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/authentications/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/authentications/index.ts
index 0071fe3deeb1f..0fb0609b60ba5 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/authentications/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/authentications/index.ts
@@ -13,11 +13,11 @@ import {
   Inspect,
   Maybe,
   PageInfoPaginated,
-  RequestOptionsPaginated,
   StringOrNumber,
   Hit,
   TotalHit,
-} from '../../';
+} from '../../../common';
+import { RequestOptionsPaginated } from '../../';
 
 export interface AuthenticationsStrategyResponse extends IEsSearchResponse {
   edges: AuthenticationsEdges[];
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/common/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/common/index.ts
index d15da4bf07ae7..8ae41a101cee2 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/common/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/common/index.ts
@@ -6,7 +6,7 @@
 
 import { CloudEcs } from '../../../../ecs/cloud';
 import { HostEcs, OsEcs } from '../../../../ecs/host';
-import { Maybe, SearchHit, TotalValue } from '../..';
+import { Maybe, SearchHit, TotalValue } from '../../../common';
 
 export enum HostPolicyResponseActionStatus {
   success = 'success',
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/first_last_seen/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/first_last_seen/index.ts
index cbabe9dd11115..adf70a109bc03 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/first_last_seen/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/first_last_seen/index.ts
@@ -5,7 +5,8 @@
  */
 
 import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
-import { Inspect, Maybe, RequestOptionsPaginated } from '../..';
+import { Inspect, Maybe } from '../../../common';
+import { RequestOptionsPaginated } from '../..';
 import { HostsFields } from '../common';
 
 export interface HostFirstLastSeenRequestOptions
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/index.ts
index dc81c0a9137f8..9cb43c91adfd9 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/index.ts
@@ -4,6 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
+export * from './authentications';
 export * from './all';
 export * from './common';
 export * from './overview';
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/overview/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/overview/index.ts
index 8d54481f56dbd..7d212a951905a 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/overview/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts/overview/index.ts
@@ -5,9 +5,9 @@
  */
 
 import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
-
+import { Inspect, Maybe, TimerangeInput } from '../../../common';
 import { HostItem, HostsFields } from '../common';
-import { Inspect, Maybe, RequestOptionsPaginated, TimerangeInput } from '../..';
+import { RequestOptionsPaginated } from '../..';
 
 export interface HostOverviewStrategyResponse extends IEsSearchResponse {
   hostOverview: HostItem;
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/index.ts
index d87ce42ab1418..85ffc6aa4c734 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/index.ts
@@ -4,7 +4,7 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { IEsSearchRequest, IEsSearchResponse } from '../../../../../../src/plugins/data/common';
+import { IEsSearchRequest } from '../../../../../../src/plugins/data/common';
 import { ESQuery } from '../../typed_json';
 import {
   HostOverviewStrategyResponse,
@@ -28,116 +28,19 @@ import {
   NetworkTopCountriesStrategyResponse,
   NetworkTopCountriesRequestOptions,
 } from './network';
+import {
+  DocValueFields,
+  TimerangeInput,
+  SortField,
+  PaginationInput,
+  PaginationInputPaginated,
+} from '../common';
 
 export * from './hosts';
 export * from './network';
-export type Maybe<T> = T | null;
 
 export type FactoryQueryTypes = HostsQueries | NetworkQueries;
 
-export type SearchHit = IEsSearchResponse<object>['rawResponse']['hits']['hits'][0];
-
-export interface TotalValue {
-  value: number;
-  relation: string;
-}
-
-export interface Inspect {
-  dsl: string[];
-}
-
-export interface PageInfoPaginated {
-  activePage: number;
-  fakeTotalCount: number;
-  showMorePagesIndicator: boolean;
-}
-
-export interface CursorType {
-  value?: Maybe<string>;
-  tiebreaker?: Maybe<string>;
-}
-
-export enum Direction {
-  asc = 'asc',
-  desc = 'desc',
-}
-
-export interface SortField<Field = string> {
-  field: Field;
-  direction: Direction;
-}
-
-export interface TimerangeInput {
-  /** The interval string to use for last bucket. The format is '{value}{unit}'. For example '5m' would return the metrics for the last 5 minutes of the timespan. */
-  interval: string;
-  /** The end of the timerange */
-  to: string;
-  /** The beginning of the timerange */
-  from: string;
-}
-
-export interface PaginationInput {
-  /** The limit parameter allows you to configure the maximum amount of items to be returned */
-  limit: number;
-  /** The cursor parameter defines the next result you want to fetch */
-  cursor?: Maybe<string>;
-  /** The tiebreaker parameter allow to be more precise to fetch the next item */
-  tiebreaker?: Maybe<string>;
-}
-
-export interface PaginationInputPaginated {
-  /** The activePage parameter defines the page of results you want to fetch */
-  activePage: number;
-  /** The cursorStart parameter defines the start of the results to be displayed */
-  cursorStart: number;
-  /** The fakePossibleCount parameter determines the total count in order to show 5 additional pages */
-  fakePossibleCount: number;
-  /** The querySize parameter is the number of items to be returned */
-  querySize: number;
-}
-
-export interface DocValueFields {
-  field: string;
-  format: string;
-}
-
-export interface Explanation {
-  value: number;
-  description: string;
-  details: Explanation[];
-}
-
-export interface TotalValue {
-  value: number;
-  relation: string;
-}
-export interface ShardsResponse {
-  total: number;
-  successful: number;
-  failed: number;
-  skipped: number;
-}
-
-export interface TotalHit {
-  value: number;
-  relation: string;
-}
-
-export interface Hit {
-  _index: string;
-  _type: string;
-  _id: string;
-  _score: number | null;
-}
-
-export interface Hits<T, U> {
-  hits: {
-    total: T;
-    max_score: number | null;
-    hits: U[];
-  };
-}
-
 export interface RequestBasicOptions extends IEsSearchRequest {
   timerange: TimerangeInput;
   filterQuery: ESQuery | string | undefined;
@@ -189,10 +92,3 @@ export type StrategyRequestType<T extends FactoryQueryTypes> = T extends HostsQu
   : T extends NetworkQueries.topCountries
   ? NetworkTopCountriesRequestOptions
   : never;
-
-export type StringOrNumber = string | number;
-
-export interface GenericBuckets {
-  key: string;
-  doc_count: number;
-}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/http/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/http/index.ts
index c42b3d2ab8db3..ad58442b16994 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/http/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/http/index.ts
@@ -5,14 +5,8 @@
  */
 
 import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
-import {
-  Maybe,
-  CursorType,
-  Inspect,
-  RequestOptionsPaginated,
-  PageInfoPaginated,
-  GenericBuckets,
-} from '../..';
+import { Maybe, CursorType, Inspect, PageInfoPaginated, GenericBuckets } from '../../../common';
+import { RequestOptionsPaginated } from '../..';
 
 export interface NetworkHttpRequestOptions extends RequestOptionsPaginated {
   ip?: string;
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/tls/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/tls/index.ts
index b1d30c3d4f9bf..dffc994fcf4cb 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/tls/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/tls/index.ts
@@ -5,7 +5,8 @@
  */
 
 import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
-import { CursorType, Inspect, Maybe, PageInfoPaginated, RequestOptionsPaginated } from '../..';
+import { CursorType, Inspect, Maybe, PageInfoPaginated } from '../../../common';
+import { RequestOptionsPaginated } from '../..';
 import { FlowTargetSourceDest } from '../common';
 
 export interface TlsBuckets {
diff --git a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/top_countries/index.ts b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/top_countries/index.ts
index 6d514d12519c3..3188a26dd69fd 100644
--- a/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/top_countries/index.ts
+++ b/x-pack/plugins/security_solution/common/search_strategy/security_solution/network/top_countries/index.ts
@@ -6,7 +6,8 @@
 
 import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
 import { GeoEcs } from '../../../../ecs/geo';
-import { CursorType, Inspect, Maybe, PageInfoPaginated, RequestOptionsPaginated } from '../..';
+import { CursorType, Inspect, Maybe, PageInfoPaginated } from '../../../common';
+import { RequestOptionsPaginated } from '../..';
 import { FlowTargetSourceDest } from '../common';
 
 export enum NetworkTopTablesFields {
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/details/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/details/index.ts
new file mode 100644
index 0000000000000..e5e1c41f4731a
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/details/index.ts
@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../src/plugins/data/common';
+import { Inspect, Maybe } from '../../common';
+import { TimelineRequestOptionsPaginated } from '..';
+
+export interface DetailItem {
+  field: string;
+  values?: Maybe<string[]>;
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  originalValue?: Maybe<any>;
+}
+
+export interface TimelineDetailsStrategyResponse extends IEsSearchResponse {
+  data?: Maybe<DetailItem[]>;
+  inspect?: Maybe<Inspect>;
+}
+
+export interface TimelineDetailsRequestOptions extends Partial<TimelineRequestOptionsPaginated> {
+  defaultIndex: string[];
+  executeQuery: boolean;
+  indexName: string;
+  eventId: string;
+}
diff --git a/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts b/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
new file mode 100644
index 0000000000000..a7bf61c102cd4
--- /dev/null
+++ b/x-pack/plugins/security_solution/common/search_strategy/timeline/index.ts
@@ -0,0 +1,70 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchRequest } from '../../../../../../src/plugins/data/common';
+import { ESQuery } from '../../typed_json';
+import { Ecs } from '../../ecs';
+import {
+  CursorType,
+  Maybe,
+  TimerangeInput,
+  DocValueFields,
+  PaginationInput,
+  PaginationInputPaginated,
+  SortField,
+} from '../common';
+import { TimelineDetailsRequestOptions, TimelineDetailsStrategyResponse } from './details';
+
+export * from './details';
+
+export enum TimelineQueries {
+  details = 'details',
+}
+
+export type TimelineFactoryQueryTypes = TimelineQueries;
+
+export interface TimelineEdges {
+  node: TimelineItem;
+  cursor: CursorType;
+}
+
+export interface TimelineItem {
+  _id: string;
+  _index?: Maybe<string>;
+  data: TimelineNonEcsData[];
+  ecs: Ecs;
+}
+
+export interface TimelineNonEcsData {
+  field: string;
+  value?: Maybe<string[] | string>;
+}
+
+export interface TimelineRequestBasicOptions extends IEsSearchRequest {
+  timerange: TimerangeInput;
+  filterQuery: ESQuery | string | undefined;
+  defaultIndex: string[];
+  docValueFields?: DocValueFields[];
+  factoryQueryType?: TimelineFactoryQueryTypes;
+}
+
+export interface TimelineRequestOptions extends TimelineRequestBasicOptions {
+  pagination: PaginationInput;
+  sortField?: SortField;
+}
+
+export interface TimelineRequestOptionsPaginated extends TimelineRequestBasicOptions {
+  pagination: PaginationInputPaginated;
+  sortField?: SortField;
+}
+
+export type TimelineStrategyResponseType<
+  T extends TimelineFactoryQueryTypes
+> = T extends TimelineQueries.details ? TimelineDetailsStrategyResponse : never;
+
+export type TimelineStrategyRequestType<
+  T extends TimelineFactoryQueryTypes
+> = T extends TimelineQueries.details ? TimelineDetailsRequestOptions : never;
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
index 1cc50b7d951a2..8068d51a80153 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx
@@ -9,7 +9,7 @@ import React, { useMemo } from 'react';
 import styled from 'styled-components';
 
 import { BrowserFields } from '../../containers/source';
-import { DetailItem } from '../../../graphql/types';
+import { DetailItem } from '../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../timelines/store/timeline/model';
 import { OnUpdateColumns } from '../../../timelines/components/timeline/events';
 import { EventFieldsBrowser } from './event_fields_browser';
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx
index 00a4e581320bb..9737a09c89f49 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/event_fields_browser.tsx
@@ -10,7 +10,7 @@ import React, { useMemo } from 'react';
 
 import { ColumnHeaderOptions } from '../../../timelines/store/timeline/model';
 import { BrowserFields, getAllFieldsByName } from '../../containers/source';
-import { DetailItem } from '../../../graphql/types';
+import { DetailItem } from '../../../../common/search_strategy/timeline';
 import { OnUpdateColumns } from '../../../timelines/components/timeline/events';
 
 import { getColumns } from './columns';
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx
index 0bb0532eee7be..f4028c988acb8 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/stateful_event_details.tsx
@@ -7,7 +7,7 @@
 import React, { useCallback, useState } from 'react';
 
 import { BrowserFields } from '../../containers/source';
-import { DetailItem } from '../../../graphql/types';
+import { DetailItem } from '../../../../common/search_strategy/timeline';
 import { ColumnHeaderOptions } from '../../../timelines/store/timeline/model';
 import { OnUpdateColumns } from '../../../timelines/components/timeline/events';
 
diff --git a/x-pack/plugins/security_solution/public/hosts/containers/authentications/index.tsx b/x-pack/plugins/security_solution/public/hosts/containers/authentications/index.tsx
index 19294fc5e4780..79d83404f8c4a 100644
--- a/x-pack/plugins/security_solution/public/hosts/containers/authentications/index.tsx
+++ b/x-pack/plugins/security_solution/public/hosts/containers/authentications/index.tsx
@@ -18,12 +18,10 @@ import {
   HostPolicyResponseActionStatus,
   HostsQueries,
   PageInfoPaginated,
-} from '../../../../common/search_strategy/security_solution';
-import {
   AuthenticationsRequestOptions,
   AuthenticationsStrategyResponse,
   AuthenticationsEdges,
-} from '../../../../common/search_strategy/security_solution/hosts/authentications';
+} from '../../../../common/search_strategy';
 import { ESTermQuery } from '../../../../common/typed_json';
 
 import { inputsModel, State } from '../../../common/store';
diff --git a/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx b/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx
index 74748e5399b78..958d62dfe9b6a 100644
--- a/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx
+++ b/x-pack/plugins/security_solution/public/hosts/containers/hosts/index.tsx
@@ -22,7 +22,7 @@ import {
   HostsQueries,
   HostsRequestOptions,
   HostsStrategyResponse,
-} from '../../../../common/search_strategy/security_solution';
+} from '../../../../common/search_strategy';
 import { ESTermQuery } from '../../../../common/typed_json';
 
 import * as i18n from './translations';
diff --git a/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/index.tsx b/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/index.tsx
index dfd93caf25394..114bca9f59d9c 100644
--- a/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/index.tsx
+++ b/x-pack/plugins/security_solution/public/network/components/network_top_countries_table/index.tsx
@@ -17,7 +17,7 @@ import {
   NetworkTopCountriesEdges,
   NetworkTopTablesFields,
   SortField,
-} from '../../../../common/search_strategy/security_solution';
+} from '../../../../common/search_strategy';
 import { State } from '../../../common/store';
 
 import { Criteria, ItemsPerRow, PaginatedTable } from '../../../common/components/paginated_table';
diff --git a/x-pack/plugins/security_solution/public/network/containers/network_http/index.tsx b/x-pack/plugins/security_solution/public/network/containers/network_http/index.tsx
index 857d7fe0229b2..d3e8067d1802e 100644
--- a/x-pack/plugins/security_solution/public/network/containers/network_http/index.tsx
+++ b/x-pack/plugins/security_solution/public/network/containers/network_http/index.tsx
@@ -22,7 +22,7 @@ import {
   NetworkHttpRequestOptions,
   NetworkHttpStrategyResponse,
   SortField,
-} from '../../../../common/search_strategy/security_solution';
+} from '../../../../common/search_strategy';
 import { AbortError } from '../../../../../../../src/plugins/data/common';
 import * as i18n from './translations';
 import { InspectResponse } from '../../../types';
diff --git a/x-pack/plugins/security_solution/public/network/containers/network_top_countries/index.tsx b/x-pack/plugins/security_solution/public/network/containers/network_top_countries/index.tsx
index 0b07991725f87..6bed779d49638 100644
--- a/x-pack/plugins/security_solution/public/network/containers/network_top_countries/index.tsx
+++ b/x-pack/plugins/security_solution/public/network/containers/network_top_countries/index.tsx
@@ -14,7 +14,6 @@ import { DEFAULT_INDEX_KEY } from '../../../../common/constants';
 import { inputsModel, State } from '../../../common/store';
 import { useKibana } from '../../../common/lib/kibana';
 import { createFilter } from '../../../common/containers/helpers';
-import { PageInfoPaginated } from '../../../../common/search_strategy/security_solution';
 import { generateTablePaginationOptions } from '../../../common/components/paginated_table/helpers';
 import { networkModel, networkSelectors } from '../../store';
 import {
@@ -23,7 +22,8 @@ import {
   NetworkTopCountriesEdges,
   NetworkTopCountriesRequestOptions,
   NetworkTopCountriesStrategyResponse,
-} from '../../../../common/search_strategy/security_solution/network';
+  PageInfoPaginated,
+} from '../../../../common/search_strategy';
 import { AbortError } from '../../../../../../../src/plugins/data/common';
 import { getInspectResponse } from '../../../helpers';
 import { InspectResponse } from '../../../types';
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx
index c91fc473708e2..9691327f2c988 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/body/events/stateful_event.tsx
@@ -11,8 +11,9 @@ import VisibilitySensor from 'react-visibility-sensor';
 
 import { TimelineId } from '../../../../../../common/types/timeline';
 import { BrowserFields, DocValueFields } from '../../../../../common/containers/source';
-import { TimelineDetailsQuery } from '../../../../containers/details';
-import { TimelineItem, DetailItem, TimelineNonEcsData } from '../../../../../graphql/types';
+import { useTimelineDetails } from '../../../../containers/details';
+import { TimelineItem, TimelineNonEcsData } from '../../../../../graphql/types';
+import { DetailItem } from '../../../../../../common/search_strategy/timeline';
 import { Note } from '../../../../../common/lib/note';
 import { ColumnHeaderOptions, TimelineModel } from '../../../../../timelines/store/timeline/model';
 import { AddNoteToEvent, UpdateNote } from '../../../notes/helpers';
@@ -137,6 +138,12 @@ const StatefulEventComponent: React.FC<Props> = ({
     (state) => state.timeline.timelineById[TimelineId.active]
   );
   const divElement = useRef<HTMLDivElement | null>(null);
+  const [loading, detailsData] = useTimelineDetails({
+    docValueFields,
+    indexName: event._index!,
+    eventId: event._id,
+    executeQuery: !!expanded[event._id],
+  });
 
   const onToggleShowNotes = useCallback(() => {
     const eventId = event._id;
@@ -174,94 +181,84 @@ const StatefulEventComponent: React.FC<Props> = ({
       {({ isVisible }) => {
         if (isVisible || disableSensorVisibility) {
           return (
-            <TimelineDetailsQuery
-              docValueFields={docValueFields}
-              sourceId="default"
-              indexName={event._index!}
-              eventId={event._id}
-              executeQuery={!!expanded[event._id]}
+            <EventsTrGroup
+              className={STATEFUL_EVENT_CSS_CLASS_NAME}
+              data-test-subj="event"
+              eventType={getEventType(event.ecs)}
+              showLeftBorder={!isEventViewer}
+              ref={divElement}
             >
-              {({ detailsData, loading }) => (
-                <EventsTrGroup
-                  className={STATEFUL_EVENT_CSS_CLASS_NAME}
-                  data-test-subj="event"
-                  eventType={getEventType(event.ecs)}
-                  showLeftBorder={!isEventViewer}
-                  ref={divElement}
+              <EventColumnView
+                id={event._id}
+                actionsColumnWidth={actionsColumnWidth}
+                associateNote={associateNote}
+                columnHeaders={columnHeaders}
+                columnRenderers={columnRenderers}
+                data={event.data}
+                ecsData={event.ecs}
+                expanded={!!expanded[event._id]}
+                eventIdToNoteIds={eventIdToNoteIds}
+                getNotesByIds={getNotesByIds}
+                isEventPinned={isEventPinned}
+                isEventViewer={isEventViewer}
+                loading={loading}
+                loadingEventIds={loadingEventIds}
+                onColumnResized={onColumnResized}
+                onEventToggled={onToggleExpanded}
+                onPinEvent={onPinEvent}
+                onRowSelected={onRowSelected}
+                onUnPinEvent={onUnPinEvent}
+                refetch={refetch}
+                selectedEventIds={selectedEventIds}
+                showCheckboxes={showCheckboxes}
+                showNotes={!!showNotes[event._id]}
+                timelineId={timelineId}
+                toggleShowNotes={onToggleShowNotes}
+                updateNote={updateNote}
+              />
+
+              <EventsTrSupplementContainerWrapper>
+                <EventsTrSupplement
+                  className="siemEventsTable__trSupplement--notes"
+                  data-test-subj="event-notes-flex-item"
                 >
-                  <EventColumnView
-                    id={event._id}
-                    actionsColumnWidth={actionsColumnWidth}
+                  <NoteCards
                     associateNote={associateNote}
-                    columnHeaders={columnHeaders}
-                    columnRenderers={columnRenderers}
-                    data={event.data}
-                    ecsData={event.ecs}
-                    expanded={!!expanded[event._id]}
-                    eventIdToNoteIds={eventIdToNoteIds}
+                    data-test-subj="note-cards"
+                    getNewNoteId={getNewNoteId}
                     getNotesByIds={getNotesByIds}
-                    isEventPinned={isEventPinned}
-                    isEventViewer={isEventViewer}
-                    loading={loading}
-                    loadingEventIds={loadingEventIds}
-                    onColumnResized={onColumnResized}
-                    onEventToggled={onToggleExpanded}
-                    onPinEvent={onPinEvent}
-                    onRowSelected={onRowSelected}
-                    onUnPinEvent={onUnPinEvent}
-                    refetch={refetch}
-                    selectedEventIds={selectedEventIds}
-                    showCheckboxes={showCheckboxes}
-                    showNotes={!!showNotes[event._id]}
-                    timelineId={timelineId}
-                    toggleShowNotes={onToggleShowNotes}
+                    noteIds={eventIdToNoteIds[event._id] || emptyNotes}
+                    showAddNote={!!showNotes[event._id]}
+                    status={timelineStatus}
+                    toggleShowAddNote={onToggleShowNotes}
                     updateNote={updateNote}
                   />
+                </EventsTrSupplement>
 
-                  <EventsTrSupplementContainerWrapper>
-                    <EventsTrSupplement
-                      className="siemEventsTable__trSupplement--notes"
-                      data-test-subj="event-notes-flex-item"
-                    >
-                      <NoteCards
-                        associateNote={associateNote}
-                        data-test-subj="note-cards"
-                        getNewNoteId={getNewNoteId}
-                        getNotesByIds={getNotesByIds}
-                        noteIds={eventIdToNoteIds[event._id] || emptyNotes}
-                        showAddNote={!!showNotes[event._id]}
-                        status={timelineStatus}
-                        toggleShowAddNote={onToggleShowNotes}
-                        updateNote={updateNote}
-                      />
-                    </EventsTrSupplement>
-
-                    {getRowRenderer(event.ecs, rowRenderers).renderRow({
-                      browserFields,
-                      data: event.ecs,
-                      timelineId,
-                    })}
+                {getRowRenderer(event.ecs, rowRenderers).renderRow({
+                  browserFields,
+                  data: event.ecs,
+                  timelineId,
+                })}
 
-                    <EventsTrSupplement
-                      className="siemEventsTable__trSupplement--attributes"
-                      data-test-subj="event-details"
-                    >
-                      <ExpandableEvent
-                        browserFields={browserFields}
-                        columnHeaders={columnHeaders}
-                        event={detailsData || emptyDetails}
-                        forceExpand={!!expanded[event._id] && !loading}
-                        id={event._id}
-                        onEventToggled={onToggleExpanded}
-                        onUpdateColumns={onUpdateColumns}
-                        timelineId={timelineId}
-                        toggleColumn={toggleColumn}
-                      />
-                    </EventsTrSupplement>
-                  </EventsTrSupplementContainerWrapper>
-                </EventsTrGroup>
-              )}
-            </TimelineDetailsQuery>
+                <EventsTrSupplement
+                  className="siemEventsTable__trSupplement--attributes"
+                  data-test-subj="event-details"
+                >
+                  <ExpandableEvent
+                    browserFields={browserFields}
+                    columnHeaders={columnHeaders}
+                    event={detailsData || emptyDetails}
+                    forceExpand={!!expanded[event._id] && !loading}
+                    id={event._id}
+                    onEventToggled={onToggleExpanded}
+                    onUpdateColumns={onUpdateColumns}
+                    timelineId={timelineId}
+                    toggleColumn={toggleColumn}
+                  />
+                </EventsTrSupplement>
+              </EventsTrSupplementContainerWrapper>
+            </EventsTrGroup>
           );
         } else {
           // Height place holder for visibility detection as well as re-rendering sections.
diff --git a/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx b/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx
index 269cd14b5973c..49f17db242f75 100644
--- a/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/components/timeline/expandable_event/index.tsx
@@ -4,12 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import React from 'react';
+import React, { useCallback } from 'react';
 import styled from 'styled-components';
 
 import { BrowserFields } from '../../../../common/containers/source';
 import { ColumnHeaderOptions } from '../../../../timelines/store/timeline/model';
-import { DetailItem } from '../../../../graphql/types';
+import { DetailItem } from '../../../../../common/search_strategy/timeline';
 import { StatefulEventDetails } from '../../../../common/components/event_details/stateful_event_details';
 import { LazyAccordion } from '../../lazy_accordion';
 import { OnUpdateColumns } from '../events';
@@ -51,27 +51,43 @@ export const ExpandableEvent = React.memo<Props>(
     toggleColumn,
     onEventToggled,
     onUpdateColumns,
-  }) => (
-    <ExpandableDetails hideExpandButton={true}>
-      <LazyAccordion
-        id={`timeline-${timelineId}-row-${id}`}
-        renderExpandedContent={() => (
-          <StatefulEventDetails
-            browserFields={browserFields}
-            columnHeaders={columnHeaders}
-            data={event}
-            id={id}
-            onEventToggled={onEventToggled}
-            onUpdateColumns={onUpdateColumns}
-            timelineId={timelineId}
-            toggleColumn={toggleColumn}
-          />
-        )}
-        forceExpand={forceExpand}
-        paddingSize="none"
-      />
-    </ExpandableDetails>
-  )
+  }) => {
+    const handleRenderExpandedContent = useCallback(
+      () => (
+        <StatefulEventDetails
+          browserFields={browserFields}
+          columnHeaders={columnHeaders}
+          data={event}
+          id={id}
+          onEventToggled={onEventToggled}
+          onUpdateColumns={onUpdateColumns}
+          timelineId={timelineId}
+          toggleColumn={toggleColumn}
+        />
+      ),
+      [
+        browserFields,
+        columnHeaders,
+        event,
+        id,
+        onEventToggled,
+        onUpdateColumns,
+        timelineId,
+        toggleColumn,
+      ]
+    );
+
+    return (
+      <ExpandableDetails hideExpandButton={true}>
+        <LazyAccordion
+          id={`timeline-${timelineId}-row-${id}`}
+          renderExpandedContent={handleRenderExpandedContent}
+          forceExpand={forceExpand}
+          paddingSize="none"
+        />
+      </ExpandableDetails>
+    );
+  }
 );
 
 ExpandableEvent.displayName = 'ExpandableEvent';
diff --git a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
index a07420dead29b..35f8c7ae90e6e 100644
--- a/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
+++ b/x-pack/plugins/security_solution/public/timelines/containers/details/index.tsx
@@ -4,71 +4,129 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { getOr } from 'lodash/fp';
+import { noop } from 'lodash/fp';
 import memoizeOne from 'memoize-one';
-import React from 'react';
-import { Query } from 'react-apollo';
+import { useCallback, useEffect, useRef, useState } from 'react';
+import deepEqual from 'fast-deep-equal';
 
+import { inputsModel } from '../../../common/store';
 import { DEFAULT_INDEX_KEY } from '../../../../common/constants';
-import { DetailItem, GetTimelineDetailsQuery } from '../../../graphql/types';
-import { useUiSetting } from '../../../common/lib/kibana';
-
-import { timelineDetailsQuery } from './index.gql_query';
-import { DocValueFields } from '../../../common/containers/source';
-
+import { useKibana } from '../../../common/lib/kibana';
+import {
+  DocValueFields,
+  DetailItem,
+  TimelineQueries,
+  TimelineDetailsRequestOptions,
+  TimelineDetailsStrategyResponse,
+} from '../../../../common/search_strategy';
 export interface EventsArgs {
   detailsData: DetailItem[] | null;
   loading: boolean;
 }
 
 export interface TimelineDetailsProps {
-  children?: (args: EventsArgs) => React.ReactElement;
   docValueFields: DocValueFields[];
   indexName: string;
   eventId: string;
   executeQuery: boolean;
-  sourceId: string;
 }
 
 const getDetailsEvent = memoizeOne(
   (variables: string, detail: DetailItem[]): DetailItem[] => detail
 );
 
-const TimelineDetailsQueryComponent: React.FC<TimelineDetailsProps> = ({
-  children,
+export const useTimelineDetails = ({
   docValueFields,
   indexName,
   eventId,
   executeQuery,
-  sourceId,
-}) => {
-  const variables: GetTimelineDetailsQuery.Variables = {
+}: TimelineDetailsProps): [boolean, EventsArgs['detailsData']] => {
+  const { data, notifications, uiSettings } = useKibana().services;
+  const refetch = useRef<inputsModel.Refetch>(noop);
+  const abortCtrl = useRef(new AbortController());
+  const defaultIndex = uiSettings.get<string[]>(DEFAULT_INDEX_KEY);
+  const [loading, setLoading] = useState(false);
+  const [timelineDetailsRequest, setTimelineDetailsRequest] = useState<
+    TimelineDetailsRequestOptions
+  >({
+    defaultIndex,
     docValueFields,
-    sourceId,
+    executeQuery,
     indexName,
     eventId,
-    defaultIndex: useUiSetting<string[]>(DEFAULT_INDEX_KEY),
-  };
-  return executeQuery ? (
-    <Query<GetTimelineDetailsQuery.Query, GetTimelineDetailsQuery.Variables>
-      query={timelineDetailsQuery}
-      fetchPolicy="network-only"
-      notifyOnNetworkStatusChange
-      variables={variables}
-    >
-      {({ data, loading, refetch }) =>
-        children!({
-          loading,
-          detailsData: getDetailsEvent(
-            JSON.stringify(variables),
-            getOr([], 'source.TimelineDetails.data', data)
-          ),
-        })
-      }
-    </Query>
-  ) : (
-    children!({ loading: false, detailsData: null })
+    factoryQueryType: TimelineQueries.details,
+  });
+
+  const [timelineDetailsResponse, setTimelineDetailsResponse] = useState<EventsArgs['detailsData']>(
+    null
   );
-};
 
-export const TimelineDetailsQuery = React.memo(TimelineDetailsQueryComponent);
+  const timelineDetailsSearch = useCallback(
+    (request: TimelineDetailsRequestOptions) => {
+      let didCancel = false;
+      const asyncSearch = async () => {
+        abortCtrl.current = new AbortController();
+        setLoading(true);
+
+        const searchSubscription$ = data.search
+          .search<TimelineDetailsRequestOptions, TimelineDetailsStrategyResponse>(request, {
+            strategy: 'securitySolutionTimelineSearchStrategy',
+            abortSignal: abortCtrl.current.signal,
+          })
+          .subscribe({
+            next: (response) => {
+              if (!response.isPartial && !response.isRunning) {
+                if (!didCancel) {
+                  setLoading(false);
+                  setTimelineDetailsResponse(
+                    getDetailsEvent(JSON.stringify(timelineDetailsRequest), response.data || [])
+                  );
+                }
+                searchSubscription$.unsubscribe();
+              } else if (response.isPartial && !response.isRunning) {
+                if (!didCancel) {
+                  setLoading(false);
+                }
+                // TODO: Make response error status clearer
+                notifications.toasts.addWarning('An error has occurred');
+                searchSubscription$.unsubscribe();
+              }
+            },
+            error: () => {
+              notifications.toasts.addDanger('Failed to run search');
+            },
+          });
+      };
+      abortCtrl.current.abort();
+      asyncSearch();
+      refetch.current = asyncSearch;
+      return () => {
+        didCancel = true;
+        abortCtrl.current.abort();
+      };
+    },
+    [data.search, notifications.toasts, timelineDetailsRequest]
+  );
+
+  useEffect(() => {
+    setTimelineDetailsRequest((prevRequest) => {
+      const myRequest = {
+        ...prevRequest,
+        defaultIndex,
+        docValueFields,
+        indexName,
+        eventId,
+      };
+      if (!deepEqual(prevRequest, myRequest)) {
+        return myRequest;
+      }
+      return prevRequest;
+    });
+  }, [defaultIndex, docValueFields, eventId, indexName]);
+
+  useEffect(() => {
+    if (executeQuery) timelineDetailsSearch(timelineDetailsRequest);
+  }, [executeQuery, timelineDetailsRequest, timelineDetailsSearch]);
+
+  return [loading, timelineDetailsResponse];
+};
diff --git a/x-pack/plugins/security_solution/public/types.ts b/x-pack/plugins/security_solution/public/types.ts
index 4fdacb2621abd..62069484dd8bd 100644
--- a/x-pack/plugins/security_solution/public/types.ts
+++ b/x-pack/plugins/security_solution/public/types.ts
@@ -22,7 +22,7 @@ import {
 import { SecurityPluginSetup } from '../../security/public';
 import { AppFrontendLibs } from './common/lib/lib';
 import { ResolverPluginSetup } from './resolver/types';
-import { Inspect } from '../common/search_strategy/security_solution';
+import { Inspect } from '../common/search_strategy';
 
 export interface SetupPlugins {
   home?: HomePublicPluginSetup;
diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts
index 38120bf42fbba..24cf1f8746d89 100644
--- a/x-pack/plugins/security_solution/server/plugin.ts
+++ b/x-pack/plugins/security_solution/server/plugin.ts
@@ -61,6 +61,7 @@ import { initUsageCollectors } from './usage';
 import { AppRequestContext } from './types';
 import { registerTrustedAppsRoutes } from './endpoint/routes/trusted_apps';
 import { securitySolutionSearchStrategyProvider } from './search_strategy/security_solution';
+import { securitySolutionTimelineSearchStrategyProvider } from './search_strategy/timeline';
 
 export interface SetupPlugins {
   alerts: AlertingSetup;
@@ -271,10 +272,17 @@ export class Plugin implements IPlugin<PluginSetup, PluginStart, SetupPlugins, S
 
     core.getStartServices().then(([_, depsStart]) => {
       const securitySolutionSearchStrategy = securitySolutionSearchStrategyProvider(depsStart.data);
+      const securitySolutionTimelineSearchStrategy = securitySolutionTimelineSearchStrategyProvider(
+        depsStart.data
+      );
       plugins.data.search.registerSearchStrategy(
         'securitySolutionSearchStrategy',
         securitySolutionSearchStrategy
       );
+      plugins.data.search.registerSearchStrategy(
+        'securitySolutionTimelineSearchStrategy',
+        securitySolutionTimelineSearchStrategy
+      );
     });
 
     return {};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts
index ea1b896452c4e..93390c314a637 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/all/query.all_hosts.dsl.ts
@@ -11,7 +11,7 @@ import {
   HostsRequestOptions,
   SortField,
   HostsFields,
-} from '../../../../../../common/search_strategy/security_solution';
+} from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
 import { assertUnreachable } from '../../../../../../common/utility_types';
 
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/helpers.ts
index 722445a7275a1..c6b68bd1c0762 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/helpers.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/helpers.ts
@@ -6,13 +6,11 @@
 import { get, getOr } from 'lodash/fp';
 import { set } from '@elastic/safer-lodash-set/fp';
 import { mergeFieldsWithHit } from '../../../../../utils/build_query';
+import { toArray } from '../../../../helpers/to_array';
 import {
   AuthenticationsEdges,
   AuthenticationHit,
   AuthenticationBucket,
-} from '../../../../../../common/search_strategy/security_solution/hosts/authentications';
-import { toArray } from '../../../../helpers/to_array';
-import {
   FactoryQueryTypes,
   StrategyResponseType,
 } from '../../../../../../common/search_strategy/security_solution';
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx
index d07c239dfab86..200818c40dec5 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/authentications/index.tsx
@@ -9,13 +9,13 @@ import { getOr } from 'lodash/fp';
 import { IEsSearchResponse } from '../../../../../../../../../src/plugins/data/common';
 
 import { DEFAULT_MAX_TABLE_QUERY_SIZE } from '../../../../../../common/constants';
-import { HostsQueries } from '../../../../../../common/search_strategy/security_solution';
 import {
+  HostsQueries,
   AuthenticationsEdges,
   AuthenticationsRequestOptions,
   AuthenticationsStrategyResponse,
   AuthenticationHit,
-} from '../../../../../../common/search_strategy/security_solution/hosts/authentications';
+} from '../../../../../../common/search_strategy/security_solution/hosts';
 
 import { inspectStringifyObject } from '../../../../../utils/build_query';
 import { SecuritySolutionFactory } from '../../types';
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/index.ts
index ddd2a458b3b8c..6585abde60281 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/hosts/index.ts
@@ -4,8 +4,10 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { FactoryQueryTypes } from '../../../../../common/search_strategy/security_solution';
-import { HostsQueries } from '../../../../../common/search_strategy/security_solution/hosts';
+import {
+  FactoryQueryTypes,
+  HostsQueries,
+} from '../../../../../common/search_strategy/security_solution';
 
 import { SecuritySolutionFactory } from '../types';
 import { allHosts } from './all';
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/query.http_network.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/query.http_network.dsl.ts
index 31d695d6a0591..feffe7f70afd9 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/query.http_network.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/http/query.http_network.dsl.ts
@@ -6,10 +6,7 @@
 
 import { createQueryFilterClauses } from '../../../../../utils/build_query';
 
-import {
-  NetworkHttpRequestOptions,
-  SortField,
-} from '../../../../../../common/search_strategy/security_solution';
+import { NetworkHttpRequestOptions, SortField } from '../../../../../../common/search_strategy';
 
 const getCountAgg = () => ({
   http_count: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/index.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/index.ts
index 93e5f113197da..9e73312bdb8e1 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/index.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/index.ts
@@ -4,8 +4,10 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { FactoryQueryTypes } from '../../../../../common/search_strategy/security_solution';
-import { NetworkQueries } from '../../../../../common/search_strategy/security_solution/network';
+import {
+  FactoryQueryTypes,
+  NetworkQueries,
+} from '../../../../../common/search_strategy/security_solution';
 
 import { SecuritySolutionFactory } from '../types';
 import { networkHttp } from './http';
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/query.tls_network.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/query.tls_network.dsl.ts
index eb4e25c29e3a1..6e5ba0674a0e7 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/query.tls_network.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/tls/query.tls_network.dsl.ts
@@ -12,7 +12,7 @@ import {
   SortField,
   Direction,
   TlsFields,
-} from '../../../../../../common/search_strategy/security_solution';
+} from '../../../../../../common/search_strategy';
 
 const getAggs = (querySize: number, sort: SortField<TlsFields>) => ({
   count: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/query.top_countries_network.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/query.top_countries_network.dsl.ts
index 88007b3329a90..4f4b347e4db02 100644
--- a/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/query.top_countries_network.dsl.ts
+++ b/x-pack/plugins/security_solution/server/search_strategy/security_solution/factory/network/top_countries/query.top_countries_network.dsl.ts
@@ -12,7 +12,7 @@ import {
   NetworkTopTablesFields,
   NetworkTopCountriesRequestOptions,
   SortField,
-} from '../../../../../../common/search_strategy/security_solution';
+} from '../../../../../../common/search_strategy';
 
 const getCountAgg = (flowTarget: FlowTargetSourceDest) => ({
   top_countries_count: {
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/helpers.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/helpers.ts
new file mode 100644
index 0000000000000..b772dec773dce
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/helpers.ts
@@ -0,0 +1,55 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { get, isEmpty, isNumber, isObject, isString } from 'lodash/fp';
+
+import { DetailItem } from '../../../../../common/search_strategy/timeline';
+import { baseCategoryFields } from '../../../../utils/beat_schema/8.0.0';
+
+export const getFieldCategory = (field: string): string => {
+  const fieldCategory = field.split('.')[0];
+  if (!isEmpty(fieldCategory) && baseCategoryFields.includes(fieldCategory)) {
+    return 'base';
+  }
+  return fieldCategory;
+};
+
+export const getDataFromHits = (
+  sources: EventSource,
+  category?: string,
+  path?: string
+): DetailItem[] =>
+  Object.keys(sources).reduce<DetailItem[]>((accumulator, source) => {
+    const item: EventSource = get(source, sources);
+    if (Array.isArray(item) || isString(item) || isNumber(item)) {
+      const field = path ? `${path}.${source}` : source;
+      const fieldCategory = getFieldCategory(field);
+
+      return [
+        ...accumulator,
+        {
+          category: fieldCategory,
+          field,
+          values: Array.isArray(item)
+            ? item.map((value) => {
+                if (isObject(value)) {
+                  return JSON.stringify(value);
+                }
+
+                return value;
+              })
+            : [item],
+          originalValue: item,
+        } as DetailItem,
+      ];
+    } else if (isObject(item)) {
+      return [
+        ...accumulator,
+        ...getDataFromHits(item, category || source, path ? `${path}.${source}` : source),
+      ];
+    }
+    return accumulator;
+  }, []);
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/index.ts
new file mode 100644
index 0000000000000..e1fabe2b4d586
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/index.ts
@@ -0,0 +1,44 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { getOr, merge } from 'lodash/fp';
+
+import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
+import {
+  TimelineQueries,
+  TimelineDetailsStrategyResponse,
+  TimelineDetailsRequestOptions,
+} from '../../../../../common/search_strategy/timeline';
+import { inspectStringifyObject } from '../../../../utils/build_query';
+import { SecuritySolutionTimelineFactory } from '../types';
+import { buildTimelineDetailsQuery } from './query.timeline_details.dsl';
+import { getDataFromHits } from './helpers';
+
+export const timelineDetails: SecuritySolutionTimelineFactory<TimelineQueries.details> = {
+  buildDsl: (options: TimelineDetailsRequestOptions) => {
+    const { indexName, eventId, docValueFields = [] } = options;
+    return buildTimelineDetailsQuery(indexName, eventId, docValueFields);
+  },
+  parse: async (
+    options: TimelineDetailsRequestOptions,
+    response: IEsSearchResponse<unknown>
+  ): Promise<TimelineDetailsStrategyResponse> => {
+    const { indexName, eventId, docValueFields = [] } = options;
+    const sourceData = getOr({}, 'hits.hits.0._source', response.rawResponse);
+    const hitsData = getOr({}, 'hits.hits.0', response.rawResponse);
+    delete hitsData._source;
+    const inspect = {
+      dsl: [inspectStringifyObject(buildTimelineDetailsQuery(indexName, eventId, docValueFields))],
+    };
+    const data = getDataFromHits(merge(sourceData, hitsData));
+
+    return {
+      ...response,
+      data,
+      inspect,
+    };
+  },
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/query.timeline_details.dsl.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/query.timeline_details.dsl.ts
new file mode 100644
index 0000000000000..4f003c1c27ef2
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/details/query.timeline_details.dsl.ts
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { DocValueFields } from '../../../../../common/search_strategy';
+
+export const buildTimelineDetailsQuery = (
+  indexName: string,
+  id: string,
+  docValueFields: DocValueFields[]
+) => ({
+  allowNoIndices: true,
+  index: indexName,
+  ignoreUnavailable: true,
+  body: {
+    docvalue_fields: docValueFields,
+    query: {
+      terms: {
+        _id: [id],
+      },
+    },
+  },
+  size: 1,
+});
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts
new file mode 100644
index 0000000000000..aa4cdaeedb131
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/index.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import {
+  TimelineFactoryQueryTypes,
+  TimelineQueries,
+} from '../../../../common/search_strategy/timeline';
+
+import { timelineDetails } from './details';
+import { SecuritySolutionTimelineFactory } from './types';
+
+export const securitySolutionTimelineFactory: Record<
+  TimelineFactoryQueryTypes,
+  SecuritySolutionTimelineFactory<TimelineFactoryQueryTypes>
+> = {
+  [TimelineQueries.details]: timelineDetails,
+};
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/types.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/types.ts
new file mode 100644
index 0000000000000..55eddf64b68ff
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/factory/types.ts
@@ -0,0 +1,20 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { IEsSearchResponse } from '../../../../../../../src/plugins/data/common';
+import {
+  TimelineFactoryQueryTypes,
+  TimelineStrategyRequestType,
+  TimelineStrategyResponseType,
+} from '../../../../common/search_strategy/timeline';
+
+export interface SecuritySolutionTimelineFactory<T extends TimelineFactoryQueryTypes> {
+  buildDsl: (options: TimelineStrategyRequestType<T>) => unknown;
+  parse: (
+    options: TimelineStrategyRequestType<T>,
+    response: IEsSearchResponse
+  ) => Promise<TimelineStrategyResponseType<T>>;
+}
diff --git a/x-pack/plugins/security_solution/server/search_strategy/timeline/index.ts b/x-pack/plugins/security_solution/server/search_strategy/timeline/index.ts
new file mode 100644
index 0000000000000..6d8505211123b
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/search_strategy/timeline/index.ts
@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { ISearchStrategy, PluginStart } from '../../../../../../src/plugins/data/server';
+import {
+  TimelineFactoryQueryTypes,
+  TimelineStrategyResponseType,
+  TimelineStrategyRequestType,
+} from '../../../common/search_strategy/timeline';
+import { securitySolutionTimelineFactory } from './factory';
+import { SecuritySolutionTimelineFactory } from './factory/types';
+
+export const securitySolutionTimelineSearchStrategyProvider = <T extends TimelineFactoryQueryTypes>(
+  data: PluginStart
+): ISearchStrategy<TimelineStrategyRequestType<T>, TimelineStrategyResponseType<T>> => {
+  const es = data.search.getSearchStrategy('es');
+
+  return {
+    search: async (context, request, options) => {
+      if (request.factoryQueryType == null) {
+        throw new Error('factoryQueryType is required');
+      }
+      const queryFactory: SecuritySolutionTimelineFactory<T> =
+        securitySolutionTimelineFactory[request.factoryQueryType];
+      const dsl = queryFactory.buildDsl(request);
+      const esSearchRes = await es.search(context, { ...request, params: dsl }, options);
+      return queryFactory.parse(request, esSearchRes);
+    },
+    cancel: async (context, id) => {
+      if (es.cancel) {
+        es.cancel(context, id);
+      }
+    },
+  };
+};