Time Machine

Travel back in time to inspect your infrastructure graph at any point in history, compare snapshots, and perform forensic analysis.

Overview

The Time Machine feature captures point-in-time snapshots of your knowledge graph at every discovery run. You can travel back to any point in history, view the infrastructure as it existed, compare snapshots side by side, and trace exactly when and how resources changed.

Forensic power
Time Machine is invaluable for incident forensics. When an incident occurs at 14:30, you can inspect the graph at 14:00 to see precisely what changed before the incident.

Snapshot timeline

Each discovery run creates a full snapshot of the graph for that scope. The timeline view lets you:

  • Browse snapshots -- scroll through the timeline of snapshots
  • Jump to date -- select a specific date and time to view
  • Playback mode -- animate through snapshots to see infrastructure evolution
  • Snapshot metadata -- see what changed between snapshots (resource count, type distribution)

Point-in-time queries

All Knowledge Tree queries support an optional timestamp parameter that executes the query against the graph as it existed at that point in time:

# Query the graph as of a specific date
GET /api/v1/resources?scope=production&as_of=2025-05-15T00:00:00Z

# Cypher query against historical state
POST /api/v1/graph/query
{
  "cypher": "MATCH (r:Resource) WHERE r.type = 'aws_ec2_instance' RETURN r",
  "as_of": "2025-05-15T00:00:00Z"
}

Diff comparison

Side-by-side comparison of any two snapshots shows exactly what changed:

Diff type              Description
Resources added        New resources that appeared between snapshots
Resources removed      Resources that were deleted between snapshots
Properties changed     Resources whose attributes were modified
Relationships changed  New or removed connections between resources

# Diff between two snapshots
GET /api/v1/timemachine/diff?from=2025-05-14T00:00:00Z&to=2025-05-15T00:00:00Z

{
  "from": "2025-05-14T00:00:00Z",
  "to": "2025-05-15T00:00:00Z",
  "summary": {
    "resources_added": 3,
    "resources_removed": 1,
    "properties_changed": 7,
    "relationships_added": 5,
    "relationships_removed": 2
  }
}

Forensic analysis

Time Machine is designed for post-incident forensic analysis:

  • Change attribution -- identify exactly when a security group rule was added
  • Cascade tracing -- follow a change chain from a modified resource through its dependents
  • Drift timeline -- visualize how a resource drifted from its baseline over time
  • Compliance history -- show compliance status at any point for audit purposes
  • Export evidence -- export snapshots and diffs as audit evidence
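
Added example (not part of the product's documentation or code): change attribution done as a bisection over the diff endpoint above, halving the window before an incident until the interval containing the change is at most a minute wide. It assumes the endpoint accepts arbitrary from/to timestamps and returns the summary object shown earlier; the host name, the function names and the stand-in fake_summary data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

DIFF_PATH = "/api/v1/timemachine/diff"  # endpoint documented on this page

def iso(ts):
    """Format an aware datetime like the page's examples (UTC, 'Z' suffix)."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def diff_url(base, start, end):
    """Build the diff request URL; `base` is a hypothetical host, not from the page."""
    return base + DIFF_PATH + "?" + urlencode({"from": iso(start), "to": iso(end)})

def narrow_change(fetch_summary, start, end, key, resolution=timedelta(minutes=1)):
    """Bisect (start, end] until the window reporting `key` > 0 is <= resolution wide.

    fetch_summary(start, end) returns the "summary" object of a diff response.
    Returns (start, end), or None when the whole window shows no such change.
    A diff is a net comparison: a change made and reverted inside one window
    does not show up in it.
    """
    if resolution < timedelta(seconds=1):
        raise ValueError("resolution must be at least one second")
    if fetch_summary(start, end).get(key, 0) == 0:
        return None
    while end - start > resolution:
        mid = start + timedelta(seconds=int((end - start).total_seconds()) // 2)
        if fetch_summary(start, mid).get(key, 0) > 0:
            end = mid      # a change is visible in the first half
        else:
            start = mid    # otherwise it must be in the second half
    return start, end

# Constructed stand-in for the API: one property change lands at 14:17:20 UTC.
CHANGE_AT = datetime(2025, 5, 15, 14, 17, 20, tzinfo=timezone.utc)

def fake_summary(start, end):
    hit = 1 if start < CHANGE_AT <= end else 0
    return {"resources_added": 0, "resources_removed": 0, "properties_changed": hit,
            "relationships_added": 0, "relationships_removed": 0}

if __name__ == "__main__":
    t0 = datetime(2025, 5, 15, 14, 0, tzinfo=timezone.utc)   # last known-good view
    t1 = datetime(2025, 5, 15, 14, 30, tzinfo=timezone.utc)  # incident time
    lo, hi = narrow_change(fake_summary, t0, t1, "properties_changed")
    print("change between", iso(lo), "and", iso(hi))
    print("confirm with:", diff_url("https://knowledge-tree.example", lo, hi))
```

Against a real deployment, replace fake_summary with a function that requests diff_url(...) and returns the response's "summary" field; the achievable resolution is bounded by how often discovery runs create snapshots.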

Storage considerations
Snapshots are retained based on the data retention policy. For long-term forensic storage, configure retention to match your compliance requirements (typically 1-7 years for regulated industries).