CoursesDetection engineeringCloud DFIR & forensics

Timeline analysis

Reconstruct the intrusion; feed new detections.

Advanced30 min · lesson 12 of 15

A pile of evidence is not an investigation until it is ordered in time. Timeline analysis reconstructs the sequence of an intrusion from many sources, turning artifacts into a narrative you can act on — and into detections that catch the same sequence next time.

Building the super timeline

Timeline analysis merges timestamped events from every available source — audit logs, authentication records, process execution, file changes, network flows — into one chronological view, often called a super timeline. Where a single log answers "what happened here?", the timeline answers "what happened, in what order, across the whole environment?", revealing the attacker’s path: the initial foothold, when they escalated, what they touched, where they moved, and what they took. Correlating across sources also fills gaps — an action invisible in one log may be clear in another at the same moment. This end-to-end reconstruction is what lets you scope an incident fully rather than chase fragments.

correlate sources into one narrative
# Merge events from all sources on time, for the compromised principal:
#
# 14:02 CloudTrail ConsoleLogin (no MFA) from new ASN ← initial access
# 14:05 CloudTrail CreateAccessKey for self ← persistence
# 14:09 K8s audit exec into payments pod ← execution
# 14:11 runtime secret read: prod-db credentials ← credential access
# 14:18 flow logs egress to unknown host, 240 MB ← exfiltration
# ⇒ one timeline: access → persist → execute → steal creds → exfiltrate.

From timeline to detection

The reconstructed timeline is the richest possible input to detection engineering. Each step is a technique — a login without MFA, a new access key, an exec into a production pod, a secret read, an anomalous egress — that you should now detect automatically and, ideally, correlate into a single high-confidence incident the way this investigation did manually. The post-incident review asks, for every step: would we have detected this in real time, and if not, why? Those answers become new detections, new telemetry, and tuning. This is the loop that makes each incident improve future coverage — the reason detection and DFIR are one discipline, not two.

Timeline closes the loop
reconstruct
merge sources on time
the super timeline
scope the full intrusion
access → impact
improve
per step: could we detect it?
find the gaps
new detections + telemetry
catch it next time
The timeline turns fragments into a narrative and every step into a detection question. Incidents become coverage — detection and DFIR are one loop.
An incident without a detection retro wastes the lesson
Closing an incident without asking "which steps could we not detect, and why?" throws away its most valuable output. Feed every reconstructed timeline back into detection engineering — each undetected step is a gap to close, or the same intrusion will succeed again unseen.