Overview
A fraud investigator is reviewing a compromised account. The account holder claims they were abroad when the fraudulent transactions occurred, but something in the activity log does not add up. Walking through the profile's event timeline, the investigator sees a login from a domestic IP address at 02:47, a password change at 02:49, and a series of transfers beginning at 02:51. Three events, two minutes apart, at an unusual hour. That sequence tells a story that no single data point could tell alone.
The Profile Timeline Events module captures and organises every event associated with an entity profile in chronological order, running continuous pattern detection to surface sequences, anomalies, and correlations that merit investigator attention. It handles high event volumes without compromising query performance, and it links related events across multiple profiles to support cross-entity investigation work.
Open Standards
- GraphQL (June 2018 specification): The entire profile timeline and event API surface is exposed through a typed GraphQL schema, with queries for chronological retrieval and mutations for event creation, correlation, and export.
- ISO 8601 / RFC 3339: All event timestamps, timeline start and end positions, and export data use ISO 8601 date-time format (UTC) throughout the event and timeline models, ensuring unambiguous chronological ordering across time zones.
- JSON (RFC 8259): Event records, pattern detection results, correlation metadata, and timeline exports are serialised and exchanged as JSON, the primary interchange format for all timeline data at rest and in transit.
- ArcSight Common Event Format (CEF): Audit trail events generated by the timeline module are exportable in CEF format for ingestion into SIEM platforms, using the standard CEF header and severity mapping (0 to 10 scale).
- NENA i3 (NG911 i3 Standard): The audit action vocabulary used to record timeline state-change events includes NENA i3-defined action identifiers (call ingress, ADR query/response, SIPREC, routing decisions), keeping the event log admissible and compatible with NG911 compliance queries.
- EDXL (Emergency Data Exchange Language): EDXL Transfer of Emergency Personnel (TEP) and Hospital AVailability Exchange (HAVE) event types are part of the timeline audit vocabulary, enabling interoperability with emergency management systems that consume EDXL messages.
- JSON Web Token / RS256 (RFC 7519): Access to all timeline queries and mutations is gated on JWT bearer tokens verified against a JWKS endpoint using RS256, enforcing authorisation at the API layer.
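The CEF export described above, shown as an added example rather than the module's own exporter: it builds the pipe-delimited header, applies the two escaping rules (backslash and pipe in the header; backslash and equals sign in the extension), and carries the timestamp as the standard `rt` extension in epoch milliseconds. The vendor and product strings, the numeric mapping of the module's severity names onto the 0 to 10 scale, the extension keys chosen, and the sample event are all assumptions made for this illustration.

```python
"""Render a profile-timeline audit event as an ArcSight CEF line (added example).

Constructed for this page: the vendor/product strings, the mapping of the
module's severity names onto CEF's 0-10 scale, and the event record layout
are assumptions, not the module's own definitions.
"""
from datetime import datetime, timezone

# Assumed mapping of the page's severity levels (debug through critical)
# onto CEF's 0-10 severity scale.
SEVERITY_TO_CEF = {"debug": 0, "info": 2, "low": 3, "medium": 5, "high": 8, "critical": 10}

CEF_VERSION = 0


def escape_header(value: str) -> str:
    """Escape a CEF header field: backslash and pipe are the reserved characters."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """Escape a CEF extension value: backslash and '=' are reserved; fold newlines."""
    return (value.replace("\\", "\\\\")
                 .replace("=", "\\=")
                 .replace("\r", "\\r")
                 .replace("\n", "\\n"))


def epoch_millis(iso_utc: str) -> int:
    """Fixed-format UTC ISO 8601 timestamp (trailing 'Z') to epoch milliseconds for 'rt'."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def to_cef(event: dict, vendor: str = "ExampleVendor",
           product: str = "ProfileTimeline", version: str = "1.0") -> str:
    """Build one CEF line: seven header fields joined by '|', then key=value extensions."""
    severity = SEVERITY_TO_CEF[event["severity"]]
    header = "|".join([
        f"CEF:{CEF_VERSION}",
        escape_header(vendor),
        escape_header(product),
        escape_header(version),
        escape_header(event["event_type"]),   # Device Event Class ID
        escape_header(event["name"]),         # human-readable event name
        str(severity),
    ])
    extensions = [
        ("rt", str(epoch_millis(event["timestamp"]))),
        ("suser", event["profile_id"]),
        ("src", event["source_ip"]),
        ("cat", event["category"]),
        ("cs1Label", "eventId"),
        ("cs1", event["event_id"]),
        ("msg", event["message"]),
    ]
    ext = " ".join(f"{key}={escape_extension(value)}" for key, value in extensions)
    return header + "|" + ext


# Constructed audit event; the name contains a '|' and the message an '=' so
# both escaping rules are exercised.
SAMPLE_AUDIT_EVENT = {
    "event_id": "evt-0001",
    "timestamp": "2026-04-14T02:49:10Z",
    "profile_id": "prof-42",
    "category": "security",
    "event_type": "password_change",
    "name": "Password changed (web|mobile)",
    "severity": "high",
    "source_ip": "203.0.113.7",
    "message": "self-service reset; reason=user_request",
}

if __name__ == "__main__":
    print(to_cef(SAMPLE_AUDIT_EVENT))
```

A SIEM parser splits the header on unescaped pipes, so an unescaped `|` inside an event name shifts every later field and corrupts the severity; the escaping functions are the part of this export worth unit-testing in a real implementation.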
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14
Key Features
- High-Volume Event Capture: Efficient event ingestion handles large volumes of events per profile with batch processing, validation, enrichment, and configurable buffering to ensure reliable capture of all profile-related activities across the platform.
- Chronological Timeline Views: Multiple timeline perspectives, with configurable time periods and grouping strategies (hourly, daily, weekly, monthly, by category, and by severity), provide flexible chronological navigation of profile activity history.
- Pattern Detection: Automated behavioural analysis identifies recurring activity patterns, anomalies, burst activity, sequences, correlations, trends, dormancy periods, and geographic anomalies with confidence scoring and actionable recommendations for each detected pattern.
- Event Correlation: Related events are linked through correlation identifiers and parent-child hierarchies, enabling investigators to trace activity chains, understand causal relationships between events, and reconstruct complete sequences of related actions.
- Activity Heatmaps: Visual heatmap representations of activity patterns across time dimensions reveal peak activity periods, unusual timing patterns, and behavioural rhythms at hourly, daily, and weekly resolution for anomaly identification.
- Comprehensive Event Categorisation: Events are classified across categories covering authentication, profile management, security, transactions, investigations, alerts, risk management, compliance, integrations, and system activities, with severity levels from debug through critical for prioritised review.
- Privacy and Retention Controls: Configurable privacy levels control event visibility, while retention policies with automatic archival and deletion manage the event lifecycle according to organisational and regulatory requirements.
- Timeline Search and Filtering: Full-text search across event data combined with multi-dimensional filtering by event type, category, severity, actor, tags, time range, and privacy level enables precise discovery of specific activities within large event histories.
- Export Capabilities: Timeline data exports in JSON, CSV, PDF, and interactive HTML timeline formats support investigation documentation, compliance reporting, and external sharing of profile activity histories.
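The sequence detection and confidence scoring described under Pattern Detection, applied to the login, password change and transfer sequence from the Overview, as an added example that is not the module's own detector. It also shows why the ISO 8601 / RFC 3339 handling matters: events are normalised to UTC before sorting, so a transfer recorded with a local offset still lands in the right place. The sample events, the sequence rule, the 15-minute window, the quiet-hours range and the scoring weights are all constructed assumptions.

```python
"""Sequence-pattern detection over a chronological profile timeline (added example).

Not the module's own detector: the sample events, the login -> password change
-> transfer rule, the 15-minute window, the quiet-hours range and the scoring
weights are all constructed assumptions for this illustration.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 / RFC 3339 timestamp ('Z' or numeric offset) into aware UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("naive timestamp rejected (no offset): " + value)
    return dt.astimezone(timezone.utc)


def sort_chronologically(events: list) -> list:
    """Order events by UTC instant, so mixed offsets cannot scramble the timeline."""
    return sorted(events, key=lambda e: parse_ts(e["timestamp"]))


# Assumed sequence rule and parameters.
SEQUENCE = ("login", "password_change", "transfer")
WINDOW = timedelta(minutes=15)        # the whole sequence must fall inside this span
FAST_TRANSFER = timedelta(minutes=5)  # a first transfer this soon after login adds weight
QUIET_HOURS = range(0, 6)             # 00:00-05:59 UTC treated as an unusual hour


def detect_sequences(events: list) -> list:
    """Find login -> password_change -> transfer chains per profile and score them."""
    ordered = sort_chronologically(events)
    findings = []
    for i, start in enumerate(ordered):
        if start["type"] != SEQUENCE[0]:
            continue
        t0 = parse_ts(start["timestamp"])
        matched, step = [start], 1
        for ev in ordered[i + 1:]:
            if parse_ts(ev["timestamp"]) - t0 > WINDOW:
                break                      # sorted input: nothing later can qualify
            if ev["profile_id"] != start["profile_id"]:
                continue
            if step < len(SEQUENCE) and ev["type"] == SEQUENCE[step]:
                matched.append(ev)
                step += 1
            elif step == len(SEQUENCE) and ev["type"] == SEQUENCE[-1]:
                matched.append(ev)         # further transfers extend the chain
        if step < len(SEQUENCE):
            continue                       # sequence incomplete inside the window
        first_transfer = parse_ts(matched[len(SEQUENCE) - 1]["timestamp"])
        score = 50                         # base weight: full sequence present
        if first_transfer - t0 <= FAST_TRANSFER:
            score += 20
        if t0.hour in QUIET_HOURS:
            score += 20
        score += min(10, 5 * (len(matched) - len(SEQUENCE)))  # extra transfers
        findings.append({
            "pattern": "credential_change_then_transfer",
            "profile_id": start["profile_id"],
            "event_ids": [e["id"] for e in matched],
            "confidence": score / 100,
            "recommendation": "hold pending transfers and require step-up verification",
        })
    return findings


# Constructed sample, deliberately out of order and with one local-offset
# timestamp (04:51 at +02:00 is 02:51 UTC). e0 is an earlier benign login.
SAMPLE_EVENTS = [
    {"id": "e3", "profile_id": "p1", "type": "transfer", "timestamp": "2026-04-14T04:51:00+02:00"},
    {"id": "e1", "profile_id": "p1", "type": "login", "timestamp": "2026-04-14T02:47:00Z"},
    {"id": "e4", "profile_id": "p1", "type": "transfer", "timestamp": "2026-04-14T02:53:30Z"},
    {"id": "e2", "profile_id": "p1", "type": "password_change", "timestamp": "2026-04-14T02:49:00Z"},
    {"id": "e0", "profile_id": "p1", "type": "login", "timestamp": "2026-04-10T09:15:00Z"},
]

if __name__ == "__main__":
    for finding in detect_sequences(SAMPLE_EVENTS):
        print(finding)
```

The detector rejects naive timestamps outright rather than guessing an offset; a single unzoned event in a feed is enough to misorder a chain and either hide a sequence or manufacture one, so ingestion validation should fail closed on them.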
Use Cases
- Investigation Activity Reconstruction: Investigators review chronological timelines to reconstruct the sequence of events surrounding suspicious activities, tracing actions from initial triggers through investigation outcomes with full context.
- Behavioural Anomaly Detection: Pattern detection identifies unusual changes in activity patterns such as unexpected login locations, abnormal transaction timing, sudden activity bursts, or prolonged dormancy periods that may indicate compromised accounts or suspicious behaviour.
- Compliance Audit Trail: Complete event histories with actor information, timestamps, and contextual metadata provide auditable records of all profile-related activities for regulatory examinations and internal compliance reviews.
- Security Incident Analysis: Security teams trace the timeline of security-related events, including suspicious logins, access denials, permission changes, and API key activities, to investigate potential security incidents and determine the scope of impact.
- Operational Monitoring: Activity heatmaps and trend analysis reveal operational patterns, peak usage periods, and system health indicators that support capacity planning and service optimisation decisions.
- Cross-Profile Event Correlation: Correlation identifiers link related events across multiple profiles, enabling investigators to discover coordinated activities, shared sessions, and connected actions spanning multiple entities.
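The correlation-identifier and parent-child reconstruction described under Event Correlation and Cross-Profile Event Correlation, as an added example that is not the module's own code. Given a correlation id (here a shared session), it collects the matching events across every profile, rebuilds the parent-child tree, and flattens it into an ordered chain, treating events whose parent is outside the correlation set as roots and cutting any parent cycle. The event records, the field names `correlation_id` and `parent_id`, and the scenario are constructed assumptions; timestamps are assumed to be fixed-format UTC ISO 8601 strings so that string order is chronological order.

```python
"""Reconstruct a cross-profile activity chain from correlation ids and
parent-child links (added example).

Not the module's own implementation: the event records, the field names
correlation_id / parent_id, and the session-sharing scenario are constructed
assumptions for this illustration.
"""
from collections import defaultdict


def reconstruct_chain(events: list, correlation_id: str):
    """Return (chain, profiles) for one correlation id.

    chain: (depth, event_id, profile_id, event_type) tuples in pre-order, with
    siblings in chronological order. profiles: sorted ids of every profile the
    chain touches. Events whose parent is missing from the correlation set are
    treated as roots; a visited set cuts any parent cycle. Timestamps are
    assumed to be fixed-format UTC ISO 8601 strings, so lexicographic order is
    chronological order.
    """
    scoped = [e for e in events if e["correlation_id"] == correlation_id]
    by_id = {e["id"]: e for e in scoped}
    children = defaultdict(list)
    roots = []
    for e in scoped:
        if e["parent_id"] in by_id:
            children[e["parent_id"]].append(e)
        else:
            roots.append(e)   # no parent, or parent outside this correlation set
    for siblings in children.values():
        siblings.sort(key=lambda e: e["timestamp"])
    roots.sort(key=lambda e: e["timestamp"])

    chain, visited = [], set()

    def walk(e, depth):
        if e["id"] in visited:
            return
        visited.add(e["id"])
        chain.append((depth, e["id"], e["profile_id"], e["type"]))
        for child in children[e["id"]]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    for e in sorted(scoped, key=lambda e: e["timestamp"]):
        walk(e, 0)   # anything still unvisited sits in a parent cycle; surface it as a root
    profiles = sorted({e["profile_id"] for e in scoped})
    return chain, profiles


def render_chain(chain) -> str:
    """Indented text view of a chain, one event per line."""
    return "\n".join(f"{'  ' * depth}{etype} [{eid}] on {pid}"
                     for depth, eid, pid, etype in chain)


# Constructed sample: one session (sess-9f) used against two profiles; o1's
# parent id is unknown, and x1 belongs to an unrelated session.
SAMPLE_EVENTS = [
    {"id": "s1", "profile_id": "p1", "type": "session_start", "timestamp": "2026-04-14T02:40:00Z",
     "correlation_id": "sess-9f", "parent_id": None},
    {"id": "l1", "profile_id": "p1", "type": "login", "timestamp": "2026-04-14T02:47:00Z",
     "correlation_id": "sess-9f", "parent_id": "s1"},
    {"id": "l2", "profile_id": "p2", "type": "login", "timestamp": "2026-04-14T03:02:00Z",
     "correlation_id": "sess-9f", "parent_id": "s1"},
    {"id": "t1", "profile_id": "p1", "type": "transfer", "timestamp": "2026-04-14T02:51:00Z",
     "correlation_id": "sess-9f", "parent_id": "l1"},
    {"id": "t2", "profile_id": "p2", "type": "transfer", "timestamp": "2026-04-14T03:05:00Z",
     "correlation_id": "sess-9f", "parent_id": "l2"},
    {"id": "o1", "profile_id": "p2", "type": "alert", "timestamp": "2026-04-14T03:06:00Z",
     "correlation_id": "sess-9f", "parent_id": "missing"},
    {"id": "x1", "profile_id": "p3", "type": "login", "timestamp": "2026-04-14T03:10:00Z",
     "correlation_id": "sess-aa", "parent_id": None},
]

if __name__ == "__main__":
    chain, profiles = reconstruct_chain(SAMPLE_EVENTS, "sess-9f")
    print(render_chain(chain))
    print("profiles involved:", profiles)
```

Dangling parent links (an event whose parent was never captured, or was archived under a retention policy) are common in real timelines, which is why the walk surfaces them as separate roots instead of dropping them; silently losing `o1` would hide the alert from the investigator's chain.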
Integration
The Profile Timeline Events module integrates with the platform's profile management, investigation management, security monitoring, and compliance systems. Events are captured from all platform activities and external integrations, pattern detection results feed into alert and risk scoring systems, and timeline data connects to investigation workspaces for evidence gathering and activity reconstruction. Export capabilities integrate with reporting and document management systems for regulatory submissions.