Roadmap

This page outlines the planned direction for IRFlow Timeline. Priorities may shift based on community feedback and real-world investigation needs. Have a feature request? Open an issue on GitHub.

In Progress

Enhanced Detection Rules

Expand the detection rules library beyond the current ones
Community-contributed rule packs with shared rule repositories

Planned

Cross-Platform Support

Windows and Linux builds to make IRFlow Timeline available beyond macOS
Platform-specific packaging (MSI/EXE for Windows, AppImage/deb for Linux)

Sigma Rule Integration

Import and match Sigma detection rules against event log timelines
Map Sigma rule hits to MITRE ATT&CK techniques alongside existing detections
Support for custom Sigma rule collections

Timeline Diffing

Compare two timelines or sessions side by side
Highlight events present in one timeline but not the other
Useful for comparing baseline vs. compromised host activity

Collaborative Sessions

Share .tle session files with annotations via a link
Real-time collaborative analysis for team-based investigations

Under Consideration

AI-Assisted Analysis

LLM-powered summarization of tagged findings for report drafting
Natural language queries against timeline data ("show me all lateral movement after 3 AM")
Anomaly detection suggestions based on statistical patterns

Plugin System

Extensible architecture for community-developed analysis modules
Custom parsers for proprietary log formats

Cloud Evidence Formats

Native parsing of Azure AD sign-in logs, AWS CloudTrail, GCP audit logs
Unified authentication timeline across on-prem and cloud environments

Network Traffic Integration

Zeek/Bro log ingestion for network-level correlation
Merge network and host timelines for full-stack visibility

Recently Completed

See the Changelog for detailed release notes on everything shipped so far. Highlights from recent releases:

Auto-Update — In-app update notifications with download progress, one-click install, and automatic startup checks
NTFS Analysis Tools — Raw $MFT and $J (USN Journal) import with six analysis tools: Ransomware Analysis (with PDF export), Timestomping Detection, File Activity Heatmap, ADS Analyzer, USN Journal Analysis with UsnJrnl Rewind path reconstruction (11 categories), and Resident Data Extraction for recovering deleted threat actor artifacts
VirusTotal Integration — API key configuration, single and bulk IOC lookups, persistent SQLite cache with configurable TTL, rate limiting, color-coded verdict badges, and auto-tagging
Analyst Profiles — Suppressions and baselines for Process Inspector false-positive management with save/load persistence
v1.0.5 — Cell context menu (Cmd+Click filter in/out), multi-row tagging, Tags hover submenu, Plaso import fix, .timeline format support, V8 heap limit for main process
v1.0.4 — Stacking 3→1 query, CSV O(n²)→O(n) parsing, Plaso single-pass sampling, sample-based empty column detection, MFT buffer overflow protection, VT retry cancellation
v1.0.3 — Lateral Movement attack pattern detection, RDP session grouping, menu bar redesign, row checkbox selection, Find Duplicates, Persistence Analyzer custom rules
v1.0.2 — 342 detection rules library, import queue system, IOC matching expansion (17+ types), Process Tree overhaul, Lateral Movement expansion with RDP correlation
v1.0.0 — Persistence Analyzer (30+ techniques), lateral movement outlier detection, background indexing pipeline, phase-tuned SQLite performance

Roadmap ​

In Progress ​

Enhanced Detection Rules ​

Planned ​

Cross-Platform Support ​

Sigma Rule Integration ​

Timeline Diffing ​

Collaborative Sessions ​

Under Consideration ​

AI-Assisted Analysis ​

Plugin System ​

Cloud Evidence Formats ​

Network Traffic Integration ​

Recently Completed ​