Building Incident Timelines

Practical techniques for combining diverse log sources into coherent incident timelines.

Last updated: February 2026

Purpose and Scope

Real-world incidents span multiple systems, each generating logs in a different format. This playbook covers practical techniques for combining Windows event logs, Linux syslogs, network telemetry, cloud audit trails, and application logs into a single timeline for incident investigation.

Prerequisites

  • SIEM access: Platform aggregating logs from multiple sources
  • Query proficiency: Ability to search and filter logs in your platform
  • Data export capability: Method to extract events for offline analysis
  • Spreadsheet or timeline tool: For manual correlation and annotation

Log Source Characteristics

Windows Event Logs

  • Time format: Typically local time or UTC depending on configuration
  • Key fields: EventID, TimeCreated, Computer, Account, LogonType
  • Challenges: Multiple logs for same event type, verbose output, XML structure

Linux Syslogs

  • Time format: Varies by syslog version; may lack year
  • Key fields: Timestamp, hostname, facility, severity, message
  • Challenges: Unstructured messages require parsing, time zone often local

Zeek/Network Logs

  • Time format: Unix epoch with microsecond precision
  • Key fields: ts, uid, orig_h, resp_h, proto, service
  • Challenges: High volume, multiple log types for same connection

Cloud Audit Logs

  • Time format: Usually ISO 8601 UTC
  • Key fields: eventTime, eventSource, userIdentity, eventName
  • Challenges: Nested JSON structure, different schema per service

Data Collection Workflow

1. Identify Relevant Sources

Based on incident type, prioritize data sources:

  • Phishing: Email logs, proxy logs, endpoint execution logs
  • Lateral movement: Authentication logs, RDP/SMB logs, endpoint process logs
  • Data theft: File access logs, cloud storage logs, network egress data
  • Ransomware: File system changes, process execution, network connections

2. Define Time Window

  • Start with alert timestamp or reported incident time
  • Expand backward to capture initial access
  • Extend forward to capture full scope of activity
  • Be prepared to adjust as you discover earlier or later events

3. Export and Normalize

For each source, extract:

  • Timestamp converted to UTC
  • Source identifier (hostname, IP, service name)
  • Event type or action
  • Subject (user, account, process)
  • Target (file, system, resource)
  • Additional context fields

Building the Combined Timeline

Schema Design

Create a common schema that accommodates all sources:

Timestamp (UTC) | Source Type | Source Host | Event Type | Subject | Target | Details | Raw Event Reference

Normalization Examples

Windows Logon (Event ID 4624):

  • Timestamp: Convert TimeCreated to UTC
  • Source Type: Windows Security
  • Source Host: Computer name from event
  • Event Type: Logon
  • Subject: TargetUserName
  • Target: Workstation name or IP
  • Details: LogonType, LogonProcess, AuthenticationPackage

Zeek HTTP Request:

  • Timestamp: Convert ts epoch to UTC
  • Source Type: Zeek HTTP
  • Source Host: orig_h (client IP)
  • Event Type: HTTP Request
  • Subject: User from proxy enrichment if available
  • Target: host + uri
  • Details: method, user_agent, status_code, resp_mime_types

AWS CloudTrail:

  • Timestamp: eventTime (already UTC)
  • Source Type: AWS CloudTrail
  • Source Host: sourceIPAddress
  • Event Type: eventName
  • Subject: userIdentity (extract ARN or user name)
  • Target: Resource ARN from requestParameters
  • Details: eventSource, awsRegion, errorCode if present
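The three normalization recipes above carried through in code, as an added example that is not part of this playbook: each function takes one constructed sample record (an exported 4624 XML event, a Zeek http.log record with its #fields header, and a CloudTrail JSON record), maps it onto the common schema, and the rows are then sorted by their UTC timestamp. The sample values, the reduced Zeek column set and the `raw_ref` wording are assumptions.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WIN_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"  # samples below are constructed, not real telemetry
WIN_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4624</EventID><TimeCreated SystemTime="2025-03-01T10:15:30.123Z"/><Computer>WS01</Computer>
</System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="LogonType">10</Data>
<Data Name="WorkstationName">JUMP01</Data><Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data></EventData></Event>"""
ZEEK_HTTP = ("#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tuser_agent\tstatus_code\n"
             "1740824160.500000\tCabc123\t10.0.0.5\t203.0.113.9\tGET\tfiles.example\t/a.bin\tcurl/8.0\t200")
CLOUDTRAIL = json.dumps({"eventTime": "2025-03-01T10:17:05Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
    "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"},
    "requestParameters": {"bucketName": "payroll-exports", "key": "q1.csv"}})

def iso_utc(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)  # aware UTC datetime

def norm_windows_logon(xml_text):
    root = ET.fromstring(xml_text)  # exported EVTX XML is namespaced, so every tag needs the prefix
    data = {d.get("Name"): d.text for d in root.iter(WIN_NS + "Data")}
    computer = root.findtext(f"{WIN_NS}System/{WIN_NS}Computer")
    return {"ts": iso_utc(root.find(f"{WIN_NS}System/{WIN_NS}TimeCreated").get("SystemTime")),
            "source_type": "Windows Security", "source_host": computer, "event_type": "Logon",
            "subject": data["TargetUserName"], "target": data.get("WorkstationName"),
            "details": {k: data.get(k) for k in ("LogonType", "LogonProcessName", "AuthenticationPackageName")},
            "raw_ref": f"EventID 4624 on {computer}"}

def norm_zeek_http(tsv_text):
    header, record = tsv_text.splitlines()
    f = dict(zip(header.split("\t")[1:], record.split("\t")))  # drop the "#fields" token
    return {"ts": datetime.fromtimestamp(float(f["ts"]), tz=timezone.utc), "source_type": "Zeek HTTP",
            "source_host": f["id.orig_h"], "event_type": "HTTP Request",
            "subject": None,  # filled from proxy enrichment when available
            "target": f["host"] + f["uri"], "details": {k: f[k] for k in ("method", "user_agent", "status_code")},
            "raw_ref": "http.log uid " + f["uid"]}

def norm_cloudtrail(json_text):
    ev = json.loads(json_text)
    return {"ts": iso_utc(ev["eventTime"]), "source_type": "AWS CloudTrail",
            "source_host": ev["sourceIPAddress"], "event_type": ev["eventName"],
            "subject": ev["userIdentity"].get("arn"),
            "target": ev.get("requestParameters"),  # resource naming differs per service
            "details": {k: ev.get(k) for k in ("eventSource", "awsRegion", "errorCode")},
            "raw_ref": f"CloudTrail eventID {ev.get('eventID')}"}

def build_timeline(rows):
    return sorted(rows, key=lambda r: r["ts"])  # one ordering key: the normalized UTC timestamp
TIMELINE = build_timeline([norm_cloudtrail(CLOUDTRAIL), norm_zeek_http(ZEEK_HTTP), norm_windows_logon(WIN_4624)])
```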

Correlation Techniques

User Pivoting

Track a user across sources:

  • Map username variations (DOMAIN\user, user@domain.com, user)
  • Correlate endpoint logon with VPN connection time
  • Match email recipient with subsequent web activity

Host Pivoting

Track activity on a system:

  • Correlate hostname with IP address from DHCP or DNS
  • Match network connections to endpoint process data
  • Link file creation to subsequent network transfer

IP Address Pivoting

Track external connections:

  • Correlate external IP across proxy, firewall, and DNS logs
  • Link C2 IP to all internal hosts that connected
  • Map attacker IP to authentication attempts

Handling Gaps and Conflicts

Log Gaps

  • Document time periods with missing data
  • Note when logs were overwritten before collection
  • Use inference from surrounding events when appropriate
  • Mark inferred events clearly in the timeline

Time Conflicts

  • When events appear out of logical order, investigate time sync issues
  • Compare against authoritative time sources (domain controllers, NTP servers)
  • Adjust timestamps if systematic drift is identified
  • Document any corrections made
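The Log Gaps and Time Conflicts guidance above, as an added example that is not part of this playbook: a workstation's clock offset is estimated against a domain controller from one activity both recorded, the offset is applied only when it exceeds a tolerance, the original timestamp and the correction are kept in the row itself, and a missing-data period is recorded as an explicitly labelled inferred row. The rows, the five-minute drift and the 30-second tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed rows in the playbook's common schema (not real telemetry). WS01 is assumed to
# run about five minutes fast; DC01 and the Zeek sensor are assumed to be NTP-synced.
ROWS = [
    {"ts": datetime(2025, 3, 1, 10, 21, 30, tzinfo=timezone.utc), "source_type": "Windows Security",
     "source_host": "WS01", "event_type": "Logon", "subject": "jdoe", "details": {}},
    {"ts": datetime(2025, 3, 1, 10, 16, 28, tzinfo=timezone.utc), "source_type": "Windows Security",
     "source_host": "DC01", "event_type": "Authentication", "subject": "jdoe", "details": {}},
    {"ts": datetime(2025, 3, 1, 10, 16, 31, tzinfo=timezone.utc), "source_type": "Zeek Conn",
     "source_host": "10.0.0.5", "event_type": "Connection", "subject": None, "details": {}},
]
DRIFT_TOLERANCE = timedelta(seconds=30)  # assumed: smaller offsets are ordinary latency, not drift

def estimate_offset(rows, host, ref_host, subject):
    """Clock offset of `host` relative to `ref_host`, taken from the earliest event each
    recorded for `subject` (assumed to be the same logon seen from both sides)."""
    host_ts = min(r["ts"] for r in rows if r["source_host"] == host and r["subject"] == subject)
    ref_ts = min(r["ts"] for r in rows if r["source_host"] == ref_host and r["subject"] == subject)
    return host_ts - ref_ts

def apply_correction(rows, host, offset, ref_host):
    """Shift every event from `host` by -offset when the drift is systematic, keeping the
    original timestamp and a note so the correction is documented in the timeline itself."""
    out = []
    for r in rows:
        r = dict(r, details=dict(r["details"]))  # never mutate the exported rows in place
        if r["source_host"] == host and abs(offset) > DRIFT_TOLERANCE:
            r["details"]["original_ts"] = r["ts"].isoformat()
            r["details"]["time_correction"] = f"shifted by {-offset.total_seconds():+.0f}s (systematic drift vs {ref_host})"
            r["ts"] = r["ts"] - offset
        out.append(r)
    return sorted(out, key=lambda x: x["ts"])

def mark_gap(rows, host, start, end, reason):
    """Record a period of missing data as an explicit row, labelled as inferred by the analyst."""
    marker = {"ts": start, "source_type": "Analyst", "source_host": host, "event_type": "LOG GAP (inferred)",
              "subject": None, "details": {"gap_end": end.isoformat(), "reason": reason}}
    return sorted(rows + [marker], key=lambda x: x["ts"])

OFFSET = estimate_offset(ROWS, "WS01", "DC01", "jdoe")
CORRECTED = apply_correction(ROWS, "WS01", OFFSET, "DC01")
TIMELINE = mark_gap(CORRECTED, "WS01", datetime(2025, 3, 1, 9, 50, tzinfo=timezone.utc),
                    datetime(2025, 3, 1, 10, 16, 28, tzinfo=timezone.utc), "Security log overwritten before collection")
```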

SIEM Query Examples

Splunk

index=* (host="compromised-host" OR user="compromised-user" OR dest_ip="c2.evil.com")
| eval norm_time = strftime(_time, "%Y-%m-%dT%H:%M:%S.%3NZ")
| table norm_time, index, source, sourcetype, host, user, action, dest
| sort norm_time

Elastic

GET /logs-*/_search
{
  "query": {
    "bool": {
      "should": [
        { "match": { "host.name": "compromised-host" } },
        { "match": { "user.name": "compromised-user" } }
      ]
    }
  },
  "sort": [{ "@timestamp": "asc" }]
}

Output Formats

Spreadsheet

Best for manual review and annotation:

  • Use conditional formatting to highlight event types
  • Add columns for analyst notes and findings
  • Filter by source type or event category

Timeline Visualization Tools

For complex incidents:

  • Timesketch for collaborative analysis
  • log2timeline/plaso for forensic parsing
  • SIEM dashboards for interactive exploration

Validation

  • Walk through the timeline with a second analyst
  • Verify key events appear in expected order
  • Confirm correlations are accurate across sources
  • Check for logical consistency in attacker actions

Escalation Guidance

Escalate when timeline reveals:

  • Initial access earlier than originally understood
  • Additional compromised systems not in original scope
  • Evidence of data access or exfiltration
  • Ongoing attacker activity

References

  • Elastic Common Schema: elastic.co/guide/en/ecs
  • Splunk Common Information Model
  • OCSF (Open Cybersecurity Schema Framework)
  • Timesketch: timesketch.org
  • SANS FOR508: Advanced Incident Response and Threat Hunting
