Timeline Analysis
The process of reconstructing a chronological sequence of events during a security investigation to understand the full attack chain.
Definition
Timeline analysis aggregates timestamped artifacts — log entries, file system metadata, registry changes, authentication events, network flows — into a unified chronological view. This allows investigators to establish when an attacker first gained access, how they moved through the environment, and what actions they took over time.
Why It Matters
Attackers rarely compromise a target in a single step. Understanding the sequence and timing of events is essential for establishing scope, identifying patient zero, detecting lateral movement, and confirming whether an incident is contained. Timelines also form the backbone of incident reports and legal documentation.
How It Works
Investigators collect artifacts from all relevant sources — endpoint logs, SIEM data, email headers, cloud audit logs — and normalize timestamps to a common timezone. Artifacts are merged into a single timeline, then reviewed to identify attacker activity patterns, correlate events across systems, and distinguish malicious actions from legitimate noise.
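As an added illustration (not part of this page or the platform's own tooling), the script below merges three constructed artifact sets with different native timestamp formats into one UTC-ordered timeline; the sample lines and the assumed workstation time zone are inventions for the example.

```python
# Added example: normalize constructed artifacts from three sources into one
# UTC timeline. Assumes each host clock is accurate; measured clock skew would
# have to be corrected per source before merging.
from datetime import datetime, timezone, timedelta
import json, re

# Constructed sample artifacts, each in its source's native format.
CLOUD_AUDIT = [  # ISO-8601 with explicit UTC designator
    '{"time":"2024-03-04T08:15:02Z","event":"InboxRuleCreated","user":"alice"}',
    '{"time":"2024-03-04T07:58:41Z","event":"UserLoggedIn","user":"alice","ip":"203.0.113.7"}',
]
SYSLOG = [  # RFC 3339 with a numeric offset (mail gateway in UTC+2)
    "2024-03-04T10:20:05+02:00 mailgw postfix/smtp: relayed message to external-mailbox.example",
]
WIN_EVT = [  # Windows event text: local time, no zone information at all
    "03/04/2024 03:05:30 AM  Security  4624  alice  Logon Type: 10",
]
WIN_LOCAL_TZ = timezone(timedelta(hours=-5))  # assumption: workstation configured for UTC-5

def parse_cloud(line):
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
    return ts, "cloud", f'{rec["event"]} user={rec["user"]}'

def parse_syslog(line):
    stamp, _, msg = line.partition(" ")
    return datetime.fromisoformat(stamp), "syslog", msg

def parse_winevt(line):
    m = re.match(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)\s+(.*)", line)
    naive = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
    # Naive local time: attach the assumed zone so it can be compared with the rest.
    return naive.replace(tzinfo=WIN_LOCAL_TZ), "winevt", m.group(2)

def build_timeline(sources):
    """sources: list of (parser, lines). Returns (utc_time, source, message) sorted by time."""
    events = []
    for parser, lines in sources:
        for line in lines:
            ts, src, msg = parser(line)
            events.append((ts.astimezone(timezone.utc), src, msg))
    events.sort(key=lambda e: e[0])  # stable sort keeps source order on exact ties
    return events

if __name__ == "__main__":
    sources = [(parse_cloud, CLOUD_AUDIT), (parse_syslog, SYSLOG), (parse_winevt, WIN_EVT)]
    for ts, src, msg in build_timeline(sources):
        print(ts.strftime("%Y-%m-%dT%H:%M:%SZ"), f"[{src}]", msg)
```

Read in raw form the Windows logon looks earliest and the mail relay latest; only after normalization does the endpoint logon land between the cloud sign-in and the inbox rule creation, which is the ordering an investigator needs to see.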
DFIR Platform
BEC Investigation API
The BEC Investigation API includes a timeline reconstruction endpoint that maps the full attack sequence from initial compromise to exfiltration, correlating sign-in events, inbox rule creation, and mail flow anomalies. https://platform.dfir-lab.ch/docs/bec/timeline