Timeline
Definition
A timeline is a structured record of events arranged in the order they occurred during a security investigation. Analysts build timelines to understand how an incident unfolded from beginning to end. Each entry shows what happened, when it happened, and where the activity took place. Timelines help connect individual events into a clear picture of attacker actions, their path through the environment, and the impact on systems or data.

Data for a timeline usually comes from logs such as authentication events, network traffic, file changes, and process execution. Analysts review each event’s timestamp and then organize the sequence to answer key questions:

* How did the attacker first gain access?
* Which systems and accounts were involved?
* When did privilege escalate or malware deploy?
* What happened last before detection or containment?

Timelines support multiple parts of incident response. They help investigators validate theories, measure how long an attacker has been active, and identify missed warning signs. They are also used to communicate findings to leadership and guide recovery actions. A well-built timeline allows defenders to understand the full scope of an intrusion and prevent similar attacks in the future.
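The merge step described above, as an added example that is not part of the original glossary entry: three log sources that record time in different formats are normalized to UTC before sorting, because ordering on raw local timestamps would misplace events. All hosts, users, events and timestamps are constructed sample data, and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample events (not from a real incident). Each source records
# time differently, which is the main pitfall when merging logs.
SOURCES = {
    "auth": [  # ISO 8601 with a local UTC-5 offset
        ("2024-03-05T09:14:02-05:00", "vpn01", "login success user=jdoe"),
        ("2024-03-05T09:41:10-05:00", "fs01", "jdoe added to local Administrators"),
    ],
    "process": [  # already UTC, "Z" suffix
        ("2024-03-05T14:20:37Z", "ws17", "powershell.exe started by jdoe"),
        ("2024-03-05T15:02:55Z", "fs01", "unknown binary svc_upd.exe executed"),
    ],
    "network": [  # Unix epoch seconds
        (1709648700, "ws17", "SMB session to fs01"),
        (1709654400, "fs01", "host isolated (containment)"),
    ],
}

def to_utc(ts):
    """Normalize an epoch number or ISO 8601 string to an aware UTC datetime."""
    if isinstance(ts, (int, float)):
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        # A timestamp without a zone cannot be ordered against other sources.
        raise ValueError(f"no timezone on timestamp: {ts!r}")
    return dt.astimezone(timezone.utc)

def build_timeline(sources):
    """Merge {source: [(ts, host, what), ...]} into one UTC-ordered list."""
    rows = [
        {"when": to_utc(ts), "where": host, "what": what, "source": name}
        for name, events in sources.items()
        for ts, host, what in events
    ]
    return sorted(rows, key=lambda r: r["when"])

def active_duration(timeline):
    """Time between the first and last recorded event."""
    return timeline[-1]["when"] - timeline[0]["when"]

if __name__ == "__main__":
    timeline = build_timeline(SOURCES)
    for r in timeline:
        print(f'{r["when"]:%Y-%m-%d %H:%M:%SZ}  {r["where"]:<6} {r["source"]:<8} {r["what"]}')
    print("first to last event:", active_duration(timeline))
```

Each row keeps its source name so an entry can be traced back to the original log when a theory needs validating.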