diff --git a/docs/cases/images/indicator-in-timeline.png b/docs/cases/images/indicator-in-timeline.png index ce3e7a0028..6aa344c50c 100644 Binary files a/docs/cases/images/indicator-in-timeline.png and b/docs/cases/images/indicator-in-timeline.png differ diff --git a/docs/cases/images/indicator-query-timeline.png b/docs/cases/images/indicator-query-timeline.png index d794041327..41b688872b 100644 Binary files a/docs/cases/images/indicator-query-timeline.png and b/docs/cases/images/indicator-query-timeline.png differ diff --git a/docs/cases/indicators-of-compromise.asciidoc b/docs/cases/indicators-of-compromise.asciidoc index 850571477c..c7d25f852c 100644 --- a/docs/cases/indicators-of-compromise.asciidoc +++ b/docs/cases/indicators-of-compromise.asciidoc @@ -92,14 +92,14 @@ When you add an indicator to Timeline, a new Timeline opens with an auto-generat The following image shows a file hash indictor being investigated in Timeline. The indicator field-value pair is: -`threat.indicator.file.hash.sha256 : c207213257a63589b1e1bd2f459b47becd000c1af8ea7983dd9541aff145c3ba` +`threat.indicator.file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a` [role="screenshot"] image::images/indicator-in-timeline.png[Shows the results of an indicator being investigated in Timeline] The auto-generated query contains the indicator field-value pair (mentioned previously) and the auto-mapped source event field-value pair, which is: -`file.hash.sha256 : c207213257a63589b1e1bd2f459b47becd000c1af8ea7983dd9541aff145c3ba` +`file.hash.sha256 : 116dd9071887611c19c24aedde270285a4cf97157b846e6343407cf3bcec115a` The query results show an alert with a matching `file.hash.sha256` field value, which may indicate suspicious or malicious activity in the environment.
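Review bot: The unchanged context line at the top of the `@@ -92,14 +92,14 @@` hunk in `docs/cases/indicators-of-compromise.asciidoc` still reads "a file hash indictor being investigated in Timeline"; since this change already touches the paragraph, correct "indictor" to "indicator" here. The two changed lines (`threat.indicator.file.hash.sha256` and `file.hash.sha256`) carry the same new SHA-256 value, so they agree with each other. The replaced `indicator-in-timeline.png` and `indicator-query-timeline.png` are binary, though, so the diff does not show whether the screenshots display that value; please confirm they match the text. Because the hash is repeated verbatim in two places, consider defining it once as an AsciiDoc attribute and referencing it in both lines so a future screenshot refresh cannot leave them out of sync.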