Timeline analysis
Reconstruct the intrusion; feed new detections.
A pile of evidence is not an investigation until it is ordered in time. Timeline analysis reconstructs the sequence of an intrusion from many sources, turning artifacts into a narrative you can act on — and into detections that catch the same sequence next time.
Building the super timeline
Timeline analysis merges timestamped events from every available source — audit logs, authentication records, process execution, file changes, network flows — into one chronological view, often called a super timeline. Where a single log answers "what happened here?", the timeline answers "what happened, in what order, across the whole environment?", revealing the attacker’s path: the initial foothold, when they escalated, what they touched, where they moved, and what they took. Correlating across sources also fills gaps — an action invisible in one log may be clear in another at the same moment. This end-to-end reconstruction is what lets you scope an incident fully rather than chase fragments.
# Merge events from all sources on time, for the compromised principal:## 14:02 CloudTrail ConsoleLogin (no MFA) from new ASN ← initial access# 14:05 CloudTrail CreateAccessKey for self ← persistence# 14:09 K8s audit exec into payments pod ← execution# 14:11 runtime secret read: prod-db credentials ← credential access# 14:18 flow logs egress to unknown host, 240 MB ← exfiltration# ⇒ one timeline: access → persist → execute → steal creds → exfiltrate.
From timeline to detection
The reconstructed timeline is the richest possible input to detection engineering. Each step is a technique — a login without MFA, a new access key, an exec into a production pod, a secret read, an anomalous egress — that you should now detect automatically and, ideally, correlate into a single high-confidence incident the way this investigation did manually. The post-incident review asks, for every step: would we have detected this in real time, and if not, why? Those answers become new detections, new telemetry, and tuning. This is the loop that makes each incident improve future coverage — the reason detection and DFIR are one discipline, not two.