Quick Start

Get up and running with your first timeline analysis in under a minute.

Open a File

There are three ways to open a file:

Menu: File > Open (Cmd+O)
Drag and drop: Drag a file onto the application window
Double-click: Double-click a supported file in Finder

IRFlow Timeline will automatically detect the file format and begin streaming the import.

Import Progress

During import you will see:

A progress bar showing rows imported
Automatic delimiter detection for CSV/TSV files
Sheet selection dialog for multi-sheet Excel files
Column discovery for EVTX files

Large Files

Files over 1GB may take a minute to import. The streaming architecture processes data in 128MB chunks with adaptive batch sizes (up to 100,000 rows per batch), so the UI remains responsive throughout. After import, column indexes and full-text search indexes build in the background — you can start working immediately.

Navigate the Grid

Once imported, your data appears in a virtual-scrolling grid:

Scroll through millions of rows smoothly — only ~5,000 rows are loaded at a time
Sort by clicking any column header (click again to toggle ASC/DESC)
Resize columns by dragging the column header borders
Pin columns by Cmd+Click on a header and selecting Pin Left
Select rows by clicking; hold Shift for range selection

Search Your Data

Use the search bar at the top (Cmd+F):

Type your search term
Select a search mode from the dropdown:
- Mixed — Combines full-text and substring search (default)
- FTS — Full-text search (word-level matching)
- LIKE — Substring match
- Fuzzy — Tolerates typos
- Regex — Regular expression patterns

Results update as you type (debounced at 500ms).

Filter by Column

Click the filter icon on any column header to:

Text filter: Type to match values in that column
Checkbox filter: Select/deselect specific unique values
Date range: For timestamp columns, pick a start and end date

Bookmark Important Rows

Click the star icon on any row to bookmark it. Bookmarked rows are preserved across sessions and included in exported reports.

Toggle Cmd+B to show only bookmarked rows.

Add Tags

Cmd+Click a row and select Add Tag to annotate it. Tags are color-coded and can be used for filtering and reporting. Common tags include:

Suspicious
Lateral Movement
Exfiltration
Persistence
C2

View the Histogram

Click the histogram toggle button in the toolbar to open the timeline visualization:

See event distribution across days, hours, or minutes
Click and drag to brush-select a time range — the grid filters automatically
Color-coded by artifact source when using merged timelines

Next Steps

Learn about all search modes and filters
Set up color rules for visual pattern matching
Explore the Process Inspector for Sysmon analysis
Track lateral movement with the Lateral Movement Tracker
Configure KAPE integration for auto-detection

Quick Start ​

Open a File ​

Import Progress ​

Navigate the Grid ​

Search Your Data ​

Filter by Column ​

Bookmark Important Rows ​

Add Tags ​

View the Histogram ​

Next Steps ​