Digital incident timeline analysis is a complex and time-consuming task. It demands highly skilled professionals with deep domain knowledge, who must invest significant time, sometimes weeks, to unravel difficult cases. Investigators must reconstruct event timelines, from initial access to exploitation and lateral movement, by sifting through hundreds of millions of log records from hundreds of different and potentially unfamiliar log types. Log-normalization and collaborative analysis tools like Plaso and Timesketch offer valuable assistance, yet the cost in time and expertise remains substantial.

In this talk, we present the first AI-powered agent capable of autonomously performing digital forensic analysis on the large and varied log volumes typically encountered in real-world incidents. Furthermore, we demonstrate the agent's proficiency in threat hunting, that is, identifying and explaining evidence of system compromise without needing predefined attack signatures. We evaluate our technique on a dataset of 100 diverse, real-world compromised systems. The agent achieves high recall and precision in finding and contextualizing individual log records pertaining to the overall attack chain. This performance is driven by a core combining sophisticated prompting techniques and reinforcement learning.

By: Alex Kantchelian, Staff Software Engineer, Google; Maarten van Dantzig, Senior Security Engineer, Google; Diana Kramer, Senior Security Engineer, Google

Presentation materials available at: https://ift.tt/C3Z5sHB
source https://www.youtube.com/watch?v=9EA7kz4bGvQ