Time Agent
Most breaches don’t happen instantly. They evolve quietly — over weeks or months.
Validate compliance and audit trails
Time Agent is iLink Digital’s advanced retro-hunting and forensic investigation agent for Microsoft Sentinel, designed to help security teams analyze the past, uncover hidden threats, and strengthen future defenses through a single natural-language interface.
Time Agent is your forensic intelligence agent, powered by Microsoft Sentinel, designed to uncover what was missed. It empowers security teams to retroactively hunt indicators of compromise, reconstruct activity timelines, detect long-running behavioral anomalies, and retrieve audit-ready evidence — all through a natural language interface.
Time Agent autonomously analyzes historical Sentinel data, correlates signals across identity, endpoint, network, and alert sources, and surfaces meaningful patterns that would otherwise require complex manual investigation. It also strengthens detection by validating analytics rules against past data and enabling controlled automation of response workflows.
The result is a more complete security posture — where past activity is continuously leveraged to improve detection accuracy, accelerate investigations, and reduce manual effort across the SOC.

Everything Your SOC Needs. Nothing It Doesn't.
Six forensic intelligence modules, unified under a single conversational interface. No KQL. No manual pivoting. No dead ends.
Retroactive IOC Hunting
Feed Time Machine any indicator — IP, domain, URL, file hash, username — and it executes time-bounded KQL queries across months or years of Sentinel data lake records to surface first/last-seen timestamps and all affected entities.
Behavioral Anomaly Detection
Aggregates authentication, network, endpoint, and alert signals over extended windows to compute UEBA-style behavior scores for users and hosts — catching low-and-slow attacks that evade traditional threshold alerting.
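The behavior-scoring idea described above, written out as a KQL query you can run directly in a Sentinel workspace. This is an added example, not Time Agent's own logic: it assumes the standard SigninLogs table (with ResultType "0" meaning success), a 90-day baseline window, a 7-day recent window, and a z-score style deviation measure; the score threshold of 3 is an arbitrary starting point, not a tuned value.

```kql
// Added example (not Time Agent's code). Per-user baseline of daily sign-in failures
// and distinct source IPs over 90 days, compared with the most recent 7 days.
// Assumptions: SigninLogs is connected; ResultType "0" == successful sign-in.
let baselineDays = 90d;
let recentDays = 7d;
let baseline = SigninLogs
    | where TimeGenerated between (ago(baselineDays + recentDays) .. ago(recentDays))
    | summarize DailyFailures = countif(ResultType != "0"), DistinctIPs = dcount(IPAddress)
        by UserPrincipalName, Day = bin(TimeGenerated, 1d)
    | summarize MeanFail = avg(DailyFailures), SdFail = stdev(DailyFailures),
                MeanIPs = avg(DistinctIPs), SdIPs = stdev(DistinctIPs)
        by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(recentDays)
| summarize DailyFailures = countif(ResultType != "0"), DistinctIPs = dcount(IPAddress)
    by UserPrincipalName, Day = bin(TimeGenerated, 1d)
| summarize RecentFail = avg(DailyFailures), RecentIPs = avg(DistinctIPs) by UserPrincipalName
| join kind=inner baseline on UserPrincipalName
// Floor the standard deviation at 1.0 so quiet accounts with a near-zero baseline
// do not produce huge scores from a single extra failure.
| extend ZFail = (RecentFail - MeanFail) / max_of(SdFail, 1.0),
         ZIPs  = (RecentIPs - MeanIPs) / max_of(SdIPs, 1.0)
| extend BehaviorScore = round(ZFail + ZIPs, 2)
| where BehaviorScore > 3   // arbitrary starting threshold; tune per tenant
| project UserPrincipalName, RecentFail, MeanFail, RecentIPs, MeanIPs, BehaviorScore
| order by BehaviorScore desc
```

Two caveats when reading the output: the baseline only includes days on which the user signed in at all, so a rarely-used account has an optimistic mean; and a user who appears only in the recent window has no baseline row and is dropped by the inner join, which is exactly the kind of new-principal case a separate "first seen" check should cover.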
Forensic Timeline Reconstruction
Merges telemetry from auth, endpoint, network, and alert tables into a clean chronological narrative. Automatically identifies inflection points: initial access, privilege escalation, lateral movement, exfiltration.
Compliance & Audit Retrieval
Builds time-bounded KQL queries for admin and audit tables, summarizing by actor, operation, and target resource. Verifies log retention against compliance policy requirements — audit-ready in minutes.
Analytics Rule Lifecycle
Identifies detection coverage gaps, proposes new or tuned rules with full KQL, entity mappings, and MITRE tactics, backtests them over historical data, then deploys with analyst approval — closing gaps before the next attack.
Automation Rule Provisioning
Creates or updates Sentinel automation rules — playbook triggers, severity tagging, investigation task assignment — after explicit analyst approval. Reduces MTTR without removing human oversight from the loop.
Architecture
Five Steps from Question to Forensic Clarity

USE CASES
Real Investigations. Natural Language.
Just describe what you need. Time Machine handles the KQL, the correlation, and the evidence trail.
Threat Hunter
"Hunt for IP 198.51.100.42 across the last 6 months." Surfaces every touchpoint of a suspicious IP across firewall logs, sign-in events, and endpoint telemetry — with first-seen/last-seen timestamps and affected entity summaries.
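A time-bounded IOC hunt of the kind described in the Retroactive IOC Hunting module and in the Threat Hunter prompt above, as an added KQL example rather than a query produced by Time Agent. It assumes the standard Sentinel tables SigninLogs, CommonSecurityLog and DeviceNetworkEvents are connected, and reuses the page's own documentation IP 198.51.100.42 as the indicator.

```kql
// Added example (not Time Agent's code). First-seen / last-seen for one IP indicator
// across identity, firewall and endpoint telemetry over the last 6 months.
// Assumptions: the three tables below are connected and retained for the window.
let ioc = "198.51.100.42";
let lookback = 180d;           // "last 6 months"
let start = ago(lookback);
union isfuzzy=true
    (SigninLogs
        | where TimeGenerated >= start
        | where IPAddress == ioc
        | project TimeGenerated, SourceTable = "SigninLogs",
                  Entity = UserPrincipalName, Detail = strcat("ResultType=", ResultType)),
    (CommonSecurityLog
        | where TimeGenerated >= start
        | where SourceIP == ioc or DestinationIP == ioc
        | project TimeGenerated, SourceTable = "CommonSecurityLog",
                  Entity = DeviceName, Detail = strcat(DeviceVendor, " ", DeviceAction)),
    (DeviceNetworkEvents
        | where TimeGenerated >= start
        | where RemoteIP == ioc
        | project TimeGenerated, SourceTable = "DeviceNetworkEvents",
                  Entity = DeviceName, Detail = InitiatingProcessFileName)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Events = count(), SampleDetail = take_any(Detail)
    by SourceTable, Entity
| extend DwellDays = datetime_diff("day", LastSeen, FirstSeen)
| order by FirstSeen asc
```

`isfuzzy=true` keeps the query running when one of the tables is not present in the workspace. An empty result is only meaningful if each table's retention actually covers the whole window; check the oldest available record (`summarize min(TimeGenerated)`) per table before treating "no hits" as "never seen".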
Incident Investigator
"Investigate incident ID 92630 and search the last 1 year of related activity." Locates the incident record, extracts key entities (hosts, users, IPs, hashes), correlates related alerts by shared indicators, and delivers a full enriched narrative — hours of manual work in seconds.
Forensic Analyst
"Build a forensic timeline for user jsmith@contoso.com from January to March 2025." Reconstructs every auth, process, network, and alert event into a clean chronological narrative with attack phase annotations — ready for incident response documentation or legal hold.
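The timeline reconstruction described in the Forensic Timeline Reconstruction module and in the Forensic Analyst prompt above, as an added KQL example that is not Time Agent's own query. It assumes SigninLogs, DeviceProcessEvents, DeviceNetworkEvents and SecurityAlert are connected, that endpoint tables record the account as the local part of the UPN, and it derives the attack-phase label from the Tactics column of matched alerts; the 24-hour gap marker used to flag possible inflection points is a simple heuristic of this example.

```kql
// Added example (not Time Agent's code). Merge auth, process, network and alert events
// for one user into a single chronological narrative for January to March 2025.
// Assumptions: the four tables below are connected; endpoint tables use the account
// name "jsmith" for the UPN jsmith@contoso.com; alert Tactics supply the phase label.
let user = "jsmith@contoso.com";
let start = datetime(2025-01-01);
let finish = datetime(2025-04-01);                 // exclusive upper bound
let account = tostring(split(user, "@")[0]);      // "jsmith"
union isfuzzy=true
    (SigninLogs
        | where TimeGenerated >= start and TimeGenerated < finish
        | where UserPrincipalName =~ user
        | project TimeGenerated, Source = "Auth", Phase = "Authentication", Host = "",
                  Summary = strcat("Sign-in from ", IPAddress, " result=", ResultType)),
    (DeviceProcessEvents
        | where TimeGenerated >= start and TimeGenerated < finish
        | where AccountName =~ account
        | project TimeGenerated, Source = "Endpoint", Phase = "Process", Host = DeviceName,
                  Summary = strcat(InitiatingProcessFileName, " -> ", FileName)),
    (DeviceNetworkEvents
        | where TimeGenerated >= start and TimeGenerated < finish
        | where InitiatingProcessAccountName =~ account
        | project TimeGenerated, Source = "Network", Phase = "Network", Host = DeviceName,
                  Summary = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", RemotePort)),
    (SecurityAlert
        | where TimeGenerated >= start and TimeGenerated < finish
        | where CompromisedEntity =~ user or Entities has user
        | project TimeGenerated, Source = "Alert", Phase = coalesce(Tactics, "Alert"), Host = "",
                  Summary = strcat(AlertSeverity, ": ", AlertName))
| order by TimeGenerated asc
| serialize
// Flag alerts and long quiet periods as candidate inflection points for the narrative.
| extend GapHours = datetime_diff("hour", TimeGenerated, prev(TimeGenerated))
| extend Marker = iff(Source == "Alert" or GapHours > 24, "*", "")
| project TimeGenerated, Marker, Source, Phase, Host, Summary
```

The output is one row per event in time order, which is the form an incident report or legal-hold export needs; the Marker column is only a reading aid and does not replace analyst judgement about where a phase actually begins.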
Compliance Officer
"Show all admin role assignment changes in 2024 for our compliance audit." Queries audit and activity logs, summarizes by actor and operation, and verifies log retention against compliance policy requirements — giving auditors exactly what they need.
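The audit retrieval described in the Compliance & Audit Retrieval module and in the Compliance Officer prompt above, as an added KQL example rather than Time Agent's own query. It assumes the Microsoft Entra ID AuditLogs table is connected, that role membership changes carry a "Role.DisplayName" entry in the target's modifiedProperties, and it approximates the retention check by comparing the oldest queryable record with the start of the audit window.

```kql
// Added example (not Time Agent's code). Admin role assignment changes for calendar
// year 2024, summarised by actor, operation, role and outcome, plus a retention check.
// Assumptions: AuditLogs is connected; role changes expose "Role.DisplayName" in
// TargetResources[0].modifiedProperties (newValue on add, oldValue on remove).
let start = datetime(2024-01-01);
let finish = datetime(2025-01-01);                 // exclusive upper bound
// Retention check: if the oldest record still queryable is newer than the window
// start, the result set is incomplete and that gap must be reported to the auditor.
let oldestRecord = toscalar(AuditLogs | summarize min(TimeGenerated));
AuditLogs
| where TimeGenerated >= start and TimeGenerated < finish
| where Category == "RoleManagement"
| where OperationName has "member to role"           // add / remove member to role
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                          tostring(InitiatedBy.app.displayName))
| extend TargetUser = tostring(TargetResources[0].userPrincipalName),
         Props = TargetResources[0].modifiedProperties
| mv-expand Prop = Props
| where tostring(Prop.displayName) == "Role.DisplayName"  // records without it are excluded
| extend Role = trim('"', coalesce(tostring(Prop.newValue), tostring(Prop.oldValue)))
| summarize Changes = count(), FirstChange = min(TimeGenerated), LastChange = max(TimeGenerated),
            Targets = make_set(TargetUser, 50)
    by Actor, OperationName, Role, Result
| extend RetentionCoversWindow = oldestRecord <= start
| order by Changes desc
```

Keeping the Result column in the grouping matters for an audit: failed assignment attempts are evidence in their own right, and collapsing them into successes hides them. The RetentionCoversWindow flag is a query-time approximation; the authoritative retention setting lives on the workspace table configuration, not in the data.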
Detection Engineer
"Are there coverage gaps in our analytics rules for lateral movement tactics?" Maps deployed rules against MITRE ATT&CK, identifies uncovered techniques, proposes new rules with backtested performance data, and deploys them post-approval.
SOC Lead
"Create an automation rule to tag high-severity incidents and assign them to the SOC queue." Provisions automation rules with playbook triggers and task assignments in Sentinel — reducing MTTR while keeping analysts fully in control of every action.
Technology Integrations
Time Machine runs entirely within your Microsoft security stack. No third-party data egress. No external dependencies.