Team: Huntress Managed Identity Threat Detection and Response (ITDR)
Product: Incident Reports
Environment: Huntress.io portal
Summary: The Data Exfiltration Timeline provides a chronological view of the events associated with an Incident Report, helping you understand the sequence of the attack and the actions taken to resolve it.
In this article
Overview
Viewing the Timeline
Reading the Timeline
Summary
Exporting the Timeline
Event Feed
Timeline Events
Incident Lifecycle & Response
Threat Actor Activity
FAQ
Overview
The Data Exfiltration Timeline offers a detailed, chronological view of the events surrounding an Incident Report. This includes the suspicious activities that triggered the report, as well as the specific actions Huntress took to remediate the threat. By reviewing the timeline, you can see the full sequence of the incident—from the initial compromise to the final resolution—helping you confirm the scope of the attack and verify that the threat has been neutralized.
Viewing the Timeline
You can access the timeline directly from any active or resolved Incident Report using the new report format.
No Timeline tab? See the FAQ for more information.
- Log in to the Huntress Platform and go to Incidents.
- Select the View Report option in the Incident row you want to review to open the report page.
- Select the Timeline tab.
Reading the Timeline
The timeline is divided into a high-level Summary Dashboard and a detailed Event Feed.
Summary
The top section provides a snapshot of the incident's impact and resolution status.
- Milestones: Four cards track key moments in the incident lifecycle: Attack Start Time, Microsoft Logs Received (including any ingestion delay), Incident Report Sent, and Incident Report Resolved.
- Attack Overview: Displays the total Duration of the attack, the Compromised identity, and Threat actor actions such as Files Downloaded.
- Huntress Remediations: A breakdown of remediation actions categorized by status (Active, Assisted, and Manual).
- Timeline Status: Located in the top right corner, the Last updated timestamp indicates the most recent data refresh. The timeline continues to populate with new details for approximately one hour after the initial report is sent. After that you will see a Final Update timestamp in the top right corner.
Exporting the Timeline
You can export the Incident Timeline as a PDF directly from the report. This is useful for sharing a formatted summary of the incident with leadership, customers, or for record-keeping.
- Open the Incident Report and navigate to the Timeline tab.
- Select the Export PDF button in the top-right corner of the timeline.
- The PDF will include the full Summary Dashboard and Event Feed as displayed, including all expanded event details.
Note: PDF export is available for all Incident Reports that support the Timeline view. If the Export PDF button is not visible, ensure your incident is using the new report format. See the FAQ for more information.
Event Feed
Below the summary, the event feed lists individual activities in chronological order.
- Sort & View: Use Sort By to toggle between "Newest to Oldest" or "Oldest to Newest". You can also use Collapse All to simplify the view.
- Relative Time: Next to each event header, a label indicates how much time has passed since the start of the attack (e.g., "30 seconds after Initial Access"). This helps you track the velocity of the attack without calculating the difference between timestamps manually.
- Event Details: Click the arrow on any event card to expand it and reveal the specific details of that event.
Timeline Events
The timeline captures a mix of automated signals, Huntress analyst actions, and threat actor behaviors.
Incident Lifecycle & Response
These events track the progress of the incident from signal detection to resolution.
- Signal Event Occurred: Indicates when the malicious activity that caused Huntress to generate the lead signal for the report took place.
- Huntress received event data: The time Huntress first ingested the data associated with the signal.
- Analyst Investigation: Marks when a Huntress analyst claimed the signal and began investigating.
- Huntress started an Incident Report: The time the report was created.
- Identity disabled: Logs when Huntress containment remediations are applied to an account.
- Manual remediation completed: Logs when a partner confirms a manual step, such as rotating credentials.
- Incident Report resolved: The final event marking the resolution of the report.
Threat Actor Activity
These events highlight specific actions taken by the threat actor during the session, which help identify other potential vulnerabilities or data exfiltration risks.
- Email Interactions: Tracks if the attacker accessed, copied, deleted, or moved emails within the victim's mailbox. Specific events include MailItemsAccessed, HardDelete, SoftDelete, and MoveToDeletedItems.
- Email Sending: Records if the attacker used the compromised account to send emails, including SendAs and SendOnBehalf actions.
- Mailbox Manipulation: Shows changes to mailbox or folder permissions, such as Add-MailboxPermission or UpdateCalendarDelegation.
- Inbox Rules: Flags the creation or modification of inbox rules (often used to hide malicious activity) via events like New-InboxRule and Set-InboxRule.
- File Interactions: Logs access, modification, copy, or deletion of files across SharePoint, OneDrive, and Teams. Events include FileAccessed, FileDeleted, FileModified, and FileRenamed.
- File Downloads: Specifically highlights when a threat actor has downloaded files from SharePoint or OneDrive (FileDownloaded).
- File Uploads: Tracks when files are uploaded to SharePoint or OneDrive (FileUploaded).
- Page & Site Interactions: Indicates when a threat actor viewed SharePoint site pages or performed search queries.
- Teams Messaging: Tracks interactions with Teams messages, including reading, sending, deleting, or editing messages (MessageRead, MessageSent, MessageDeleted).
- Copilot Interactions: Flags interactions with Microsoft Copilot (CopilotInteraction).
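The two ideas above that are easiest to get wrong when you reproduce them in your own tooling are the Relative Time label (how far each event sits from Initial Access) and the grouping of raw Microsoft 365 audit operations into the Threat Actor Activity categories. The following Python script is an added example, not Huntress code and not the logic behind the portal timeline: it takes a handful of constructed audit records (the `CreationTime`/`Operation`/`UserId` field names are an assumption modelled on Unified Audit Log exports), orders them, labels each with its offset from the first event, maps the operation names listed in this article to their categories, and summarises the attack the way the Attack Overview card does (duration, compromised identity, files downloaded). The category mapping is this example's own assumption drawn from the bullets above.

```python
"""Build a simple incident timeline from constructed Microsoft 365 audit records.

Added example: the operation names come from the article's Threat Actor
Activity list; the category mapping, record layout and sample data are
assumptions for illustration, not Huntress's implementation.
"""
from collections import Counter
from datetime import datetime, timezone

# Assumed mapping from audit log Operation name to timeline category.
CATEGORIES = {
    "MailItemsAccessed": "Email Interactions",
    "HardDelete": "Email Interactions",
    "SoftDelete": "Email Interactions",
    "MoveToDeletedItems": "Email Interactions",
    "SendAs": "Email Sending",
    "SendOnBehalf": "Email Sending",
    "Add-MailboxPermission": "Mailbox Manipulation",
    "UpdateCalendarDelegation": "Mailbox Manipulation",
    "New-InboxRule": "Inbox Rules",
    "Set-InboxRule": "Inbox Rules",
    "FileAccessed": "File Interactions",
    "FileDeleted": "File Interactions",
    "FileModified": "File Interactions",
    "FileRenamed": "File Interactions",
    "FileDownloaded": "File Downloads",
    "FileUploaded": "File Uploads",
    "MessageRead": "Teams Messaging",
    "MessageSent": "Teams Messaging",
    "MessageDeleted": "Teams Messaging",
    "CopilotInteraction": "Copilot Interactions",
}

# Constructed sample records (not real audit output). The first record uses
# UserLoggedIn, a sign-in operation not listed in the article, to show the
# "Other" fallback; timestamps are assumed to be UTC.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T10:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com"},
    {"CreationTime": "2024-05-01T10:00:30", "Operation": "MailItemsAccessed", "UserId": "alice@example.com"},
    {"CreationTime": "2024-05-01T10:02:00", "Operation": "New-InboxRule", "UserId": "alice@example.com"},
    {"CreationTime": "2024-05-01T10:05:00", "Operation": "FileDownloaded", "UserId": "alice@example.com"},
    {"CreationTime": "2024-05-01T10:05:10", "Operation": "FileDownloaded", "UserId": "alice@example.com"},
    {"CreationTime": "2024-05-01T10:06:00", "Operation": "SendAs", "UserId": "alice@example.com"},
]


def parse_time(value):
    """Parse an ISO-8601 timestamp and treat it as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def relative_label(seconds):
    """Render an offset from the first event, e.g. "30 seconds after Initial Access"."""
    if seconds == 0:
        return "Initial Access"
    minutes, secs = divmod(seconds, 60)
    parts = []
    if minutes:
        parts.append(f"{minutes} minute{'s' if minutes != 1 else ''}")
    if secs or not parts:
        parts.append(f"{secs} second{'s' if secs != 1 else ''}")
    return " ".join(parts) + " after Initial Access"


def build_timeline(records, newest_first=False):
    """Order records, categorise each operation and attach its relative-time label."""
    ordered = sorted(records, key=lambda r: parse_time(r["CreationTime"]))
    start = parse_time(ordered[0]["CreationTime"])
    events = []
    for rec in ordered:
        offset = int((parse_time(rec["CreationTime"]) - start).total_seconds())
        events.append({
            "time": rec["CreationTime"],
            "operation": rec["Operation"],
            "category": CATEGORIES.get(rec["Operation"], "Other"),
            "relative": relative_label(offset),
            "user": rec["UserId"],
        })
    if newest_first:  # mirrors the "Newest to Oldest" sort option
        events.reverse()
    return events


def attack_overview(records):
    """Summarise the session: duration, most active identity, download count, category totals."""
    events = build_timeline(records)
    first, last = parse_time(events[0]["time"]), parse_time(events[-1]["time"])
    identity = Counter(e["user"] for e in events).most_common(1)[0][0]
    return {
        "compromised_identity": identity,
        "duration_seconds": int((last - first).total_seconds()),
        "files_downloaded": sum(1 for e in events if e["operation"] == "FileDownloaded"),
        "category_counts": dict(Counter(e["category"] for e in events)),
    }


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_RECORDS):
        print(f"{e['time']}  {e['relative']:<42} {e['category']:<20} {e['operation']}")
    print(attack_overview(SAMPLE_RECORDS))
```

Running the script prints one line per event in "Oldest to Newest" order followed by the overview dictionary; pass `newest_first=True` to `build_timeline` for the reverse order. When feeding real exports, keep the category table in one place so that an operation the portal groups under Email Interactions is never silently counted as "Other" in your own reports.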
FAQ
Q. Why don't I see a Timeline tab on my Incident Report?
A. The Timeline view is currently available for specific types of incidents, primarily those related to Unwanted Access and Shadow Workflows. If an incident does not have associated timeline data, or is in an older report format, the tab may not appear.
Q. Can I export the Incident Timeline as a PDF?
A. Yes. Any Incident Report with a Timeline tab supports PDF export. Open the report, navigate to the Timeline tab, and select Export PDF in the top-right corner. The exported PDF captures the full timeline — including the Summary Dashboard, all milestones, and the complete Event Feed — in a print-ready format suitable for sharing with stakeholders or storing for compliance purposes.