// THREAT DETECTION AND DATA PRIVACY TERM
Timeline
A timeline is a chronological record of all events related to a security incident. Investigators create it to understand the sequence of actions taken by an attacker and to piece together the full story of the breach.
TECHNICAL DEFINITION
In cybersecurity incident response (IR) and digital forensics (DFIR), a timeline is a chronological sequence of events constructed from digital artifacts, logs, and evidence to reconstruct the attack lifecycle. This analytical tool is critical for root cause analysis (RCA) and understanding the scope of a security incident.
BACKGROUND
The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed for a variety of standards published by the National Institute of Standards and Technology.
READ MORE ON WIKIPEDIASYNONYMS & ALIASES
- chronology of events
- attack timeline
- incident chronology
- sequence of events
- forensic timeline
- event reconstruction
- SoE
USAGE NOTE
The timeline is a living document during an investigation, constantly updated as new forensic evidence is discovered and correlated.
DEVELOPERS
Organizations developing technology related to Timeline.
A market leader in Security Information and Event Management (SIEM). The Splunk platform ingests and correlates time-stamped machine data from across an enterprise, allowing security analysts to build detailed timelines of events to investigate incidents and hunt for threats.
Provider of the Cortex XDR platform, which automatically stitches together endpoint, network, and cloud data to create a comprehensive incident timeline. This visualization helps analysts understand the root cause and progression of a complex attack chain.
A leading provider of Endpoint Detection and Response (EDR) solutions. The CrowdStrike Falcon platform provides detailed process timelines and attack visualizations, enabling security teams to see the exact chronological sequence of events during a security breach on an endpoint.
A global leader in digital forensics software. Their flagship product, Magnet AXIOM, is designed to recover and analyze digital evidence from various sources and consolidate artifacts into a unified timeline view, helping investigators chronologically reconstruct events.
The company behind the Elastic Stack. Their Elastic Security solution provides SIEM and endpoint security, featuring a dedicated 'Timeline' tool that allows analysts to drag-and-drop events, create investigation notes, and visualize attack sequences over time.
A research and education organization that develops and maintains the SIFT (SANS Investigative Forensic Toolkit) Workstation. SIFT includes powerful open-source tools like Plaso/log2timeline, specifically designed to create a 'super timeline' from hundreds of digital artifacts for in-depth forensic analysis.
Develops Microsoft Sentinel, a cloud-native SIEM, and Microsoft Defender for Endpoint. These tools provide powerful investigation graphs and event timelines that correlate activities across an organization's digital estate to reconstruct the full scope of an attack.
A non-profit organization known for the ATT&CK framework. While not a product vendor, MITRE develops foundational technology and standards used by security tools to map events on a timeline to specific adversary behaviors, providing crucial context to an attack's progression.