Interactive Demo
Experience IRFlow Timeline's core analysis workflow on a realistic 50-event attack scenario — directly in your browser.
IRFlow Timeline — interactive_demo.csv
IRFlowLIVE DEMO
🔍
Try:
50 / 50 events
03:10▲ BURST: 03:10–03:12 (12 events)03:27
2025-02-14 03:10:01Security.evtx4624WS-PC01Logon Type 3 - user: jsmith@corp.local
2025-02-14 03:10:15Sysmon.evtx1WS-PC01outlook.exe spawned WINWORD.EXE
2025-02-14 03:10:22Sysmon.evtx11WS-PC01FileCreate: C:\Users\jsmith\Q4-Report.docm
2025-02-14 03:10:30Sysmon.evtx1WS-PC01WINWORD.EXE spawned cmd.exe /c macro
2025-02-14 03:10:45Security.evtx4624WS-PC01Logon Type 10 - RDP from 10.0.1.50 (WorkstationName: KALI)
2025-02-14 03:11:02Sysmon.evtx1WS-PC01cmd.exe spawned powershell.exe -enc base64blob
2025-02-14 03:11:18Sysmon.evtx1WS-PC01powershell.exe -ep bypass -nop IEX(download)
2025-02-14 03:11:33Sysmon.evtx3WS-PC01powershell.exe → 185.220.101.42:443 (C2 beacon)
2025-02-14 03:11:45Sysmon.evtx7WS-PC01ImageLoad: amsi.dll in powershell.exe (bypass attempt)
2025-02-14 03:11:58Hayabusa0WS-PC01ALERT: Suspicious PowerShell execution detected
2025-02-14 03:12:10Sysmon.evtx1WS-PC01powershell.exe spawned rundll32.exe
2025-02-14 03:12:22Sysmon.evtx11WS-PC01FileCreate: C:\Windows\Temp\stager.ps1
2025-02-14 03:13:01Sysmon.evtx1WS-PC01powershell.exe spawned whoami.exe /all
2025-02-14 03:13:12Sysmon.evtx1WS-PC01net.exe group "Domain Admins" /domain
2025-02-14 03:13:25Sysmon.evtx1WS-PC01nltest.exe /dclist:corp.local
2025-02-14 03:13:38Sysmon.evtx1WS-PC01systeminfo.exe → output piped to file
2025-02-14 03:13:50Sysmon.evtx1WS-PC01ipconfig.exe /all
2025-02-14 03:14:02Sysmon.evtx1WS-PC01arp.exe -a (network mapping)
2025-02-14 03:15:01Sysmon.evtx1WS-PC01mimikatz.exe sekurlsa::logonpasswords
2025-02-14 03:15:15Sysmon.evtx10WS-PC01LSASS.exe accessed by mimikatz.exe (0x1010)
2025-02-14 03:15:28Security.evtx4648WS-PC01Explicit credentials used: admin@corp.local
2025-02-14 03:15:40Sysmon.evtx1WS-PC01procdump.exe -ma lsass.exe lsass.dmp
2025-02-14 03:15:55Sysmon.evtx11WS-PC01FileCreate: C:\Windows\Temp\lsass.dmp
2025-02-14 03:16:08Sysmon.evtx1WS-PC01secretsdump.py → NTDS.dit extraction
2025-02-14 03:16:20Hayabusa0WS-PC01ALERT: Credential dumping tool detected
2025-02-14 03:18:01Sysmon.evtx1WS-PC01PsExec.exe \\DC01 -s cmd.exe
2025-02-14 03:18:15Security.evtx4624DC01Logon Type 3 - pass-the-hash from WS-PC01
2025-02-14 03:18:30Sysmon.evtx1DC01PSEXESVC.exe spawned cmd.exe on DC01
2025-02-14 03:18:45Security.evtx4624SRV-DB01Logon Type 10 - RDP from DC01
2025-02-14 03:19:00Sysmon.evtx3WS-PC01SMB connection → SRV-FILE02:445
2025-02-14 03:19:15Sysmon.evtx1WS-PC01wmic.exe /node:SRV-WEB01 process call create
2025-02-14 03:19:30Security.evtx4624SRV-WEB01Logon Type 3 from WS-PC01 (wmic)
2025-02-14 03:19:45Sysmon.evtx1DC01winrm.cmd → Invoke-Command on SRV-FILE02
2025-02-14 03:20:00Sysmon.evtx18SRV-DB01PipeConnected: \\pipe\atsvc (schtasks)
2025-02-14 03:20:15Hayabusa0DC01ALERT: Lateral movement detected - 4 hops
2025-02-14 03:22:01Sysmon.evtx13DC01Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost_update
2025-02-14 03:22:15Sysmon.evtx1DC01sc.exe create UpdateSvc binPath= C:\Windows\Temp\svc.exe
2025-02-14 03:22:30Sysmon.evtx1SRV-DB01schtasks.exe /create /tn Updater /sc ONLOGON
2025-02-14 03:22:45Security.evtx4698DC01Scheduled task created: \Microsoft\WindowsUpdate
2025-02-14 03:23:00Sysmon.evtx11DC01FileCreate: C:\Windows\System32\malware.dll
2025-02-14 03:25:01Sysmon.evtx1DC01vssadmin.exe delete shadows /all /quiet
2025-02-14 03:25:15Sysmon.evtx1DC01bcdedit.exe /set {default} recoveryenabled no
2025-02-14 03:25:30Sysmon.evtx1SRV-DB01cipher.exe /w:C:\ (anti-forensics)
2025-02-14 03:25:45Sysmon.evtx11SRV-FILE02FileCreate: README-RECOVER.txt (ransom note)
2025-02-14 03:26:00Sysmon.evtx1SRV-FILE02encrypt.exe processing *.docx *.xlsx *.pdf
2025-02-14 03:26:15Sysmon.evtx3SRV-FILE02encrypt.exe → 45.33.32.156:8443 (exfil)
2025-02-14 03:26:30Security.evtx1102DC01Security event log cleared
2025-02-14 03:26:45Sysmon.evtx1DC01wevtutil.exe cl System
2025-02-14 03:27:00Hayabusa0DC01ALERT: Mass log clearing detected
2025-02-14 03:27:15Hayabusa0SRV-FILE02ALERT: Ransomware behavior - 847 files encrypted
PROCESS INSPECTORSYSMON EID 1
explorer.exe:1204
\u251C\u2500outlook.exe:2108
│ \u251C\u2500WINWORD.EXE:3456
│ │ \u251C\u2500cmd.exe:5528T1059.003
│ │ │ \u251C\u2500powershell.exe:6744T1059.001
│ │ │ │ \u251C\u2500whoami.exe:7012
│ │ │ │ \u251C\u2500net.exe:7180T1087.002
│ │ │ │ \u251C\u2500mimikatz.exe:7344T1003.001CREDENTIAL DUMP
│ │ │ │ \u251C\u2500PsExec.exe:7520T1570LATERAL TOOL
│ │ │ │ \u251C\u2500procdump.exe:7688T1003.001LSASS DUMP
LATERAL MOVEMENT TRACKEROUTLIER DETECTED
6HOSTS
6CONNECTIONS
4CHAIN DEPTH
1OUTLIERS
⚠
CRITICAL Outlier Host Detected — Possible Threat Actor Workstation
Hostname KALI matches Kali Linux default naming pattern. This machine initiated the RDP session to WS-PC01 and is likely the attacker's workstation. IRFlow flags these automatically using hostname pattern matching.
ATTACK CHAINKALI→WS-PC01→DC01→SRV-DB01
OUTLIER PATTERNS
KALIPARROTDESKTOP-XXXXXWIN-XXXXXHACKERATTACKER
● In-Browser Demo50 rowstext search
50 sample events
What You're Seeing
The 50 events above tell the story of a complete attack chain across 7 phases:
| Phase | Events | What Happened |
|---|---|---|
| Initial Access | 1–5 | Phishing email → malicious .docm opened via Outlook |
| Execution | 6–12 | Encoded PowerShell, C2 beacon to 185.220.101.42 |
| Discovery | 13–18 | whoami, net group, nltest, systeminfo enumeration |
| Credential Access | 19–25 | mimikatz, LSASS dump, secretsdump, procdump |
| Lateral Movement | 26–35 | PsExec to DC01, RDP to SRV-DB01, WMIC, WinRM |
| Persistence | 36–40 | Registry Run key, service install, scheduled tasks |
| Impact | 41–50 | Shadow delete, ransomware encryption, log clearing |
Timeline Histogram
The histogram above the grid buckets events by minute (03:10–03:27). It updates live as you search — try "mimikatz" to see activity spike at 03:15, or "DC01" to watch it shift to the 03:18+ lateral movement window. The burst label dynamically identifies the densest 3-minute window.
Process Inspector
The process tree below the grid reconstructs the attack chain from Sysmon Event ID 1 (process creation). Each node shows the parent-child relationship, with MITRE ATT&CK technique IDs (blue badges) and threat labels (red badges) on suspicious processes. The tree tells the classic phishing-to-ransomware story: explorer.exe → outlook.exe → WINWORD.EXE → cmd.exe → powershell.exe → mimikatz/PsExec/procdump.
Search Modes
| Mode | How It Works | Example |
|---|---|---|
| Text | Case-insensitive substring match across all columns | mimikatz, 4624, DC01 |
| Regex | Full regular expression with new RegExp(pattern, 'i') | \d+\.\d+ matches IP addresses, PsExec|wmic matches either |
| Fuzzy | Bigram similarity — tolerates typos and partial matches | mimkatz still finds mimikatz, powrshell finds powershell |
Lateral Movement Tracker
Below the grid you'll see a network graph showing how the attacker moved between machines. The key insight: IRFlow immediately identifies the threat actor's machine by hostname pattern matching.
In this scenario, the attacker connected via RDP from a machine named KALI — the default Kali Linux hostname. IRFlow's two-tier outlier detection automatically flags this:
- Tier 1 (Red): Known attacker OS defaults —
KALI,PARROT,HACKER,ATTACKER - Tier 2 (Orange): Suspicious patterns —
DESKTOP-XXXXXXX,WIN-XXXXXXXX,VPS,WINVM
Click any node in the graph to highlight its connections.
Tips
- Click column headers to sort ascending, click again for descending, third click to reset
- Click any row to expand full details (especially useful on mobile)
- Press Escape to clear the search field
- The histogram updates reactively as you search — watch the burst detection shift
- The sparkline in the results bar updates live to show event density as you filter
- Click graph nodes to highlight connections in the lateral movement tracker
Ready for the Real Thing?
The full app handles 30–50 GB+ forensic timelines with 847,000+ rows, SQLite-backed virtual scrolling, process trees, lateral movement graphs, and 342 detection rules.