Time-travel Incident Replay

Wind the clock back and watch an attack unfold frame by frame. Replay reconstructs the chronological sequence of real events and alerts, so you can scrub through exactly how an intrusion progressed — by XDR incident, by agent, or across any time window.

Topic: Forensics · Incident reconstruction
Scope by: Incident · Agent · Time window
Data: Real ingested events & alerts only
API: /replay

What it does

Replay is a forensic scrubber. It pulls the real events and alerts in scope, orders them on a single timeline, and turns them into a sequence of frames. Each frame carries cumulative counters — cum_events and cum_alerts — so as you scrub forward you watch the attack's footprint grow, step by step, exactly as it happened.

  • Chronological — events and alerts are interleaved on one timeline by timestamp.
  • Cumulative — every frame knows how many events and alerts have occurred up to that point.
  • Real data only — Replay operates on actually ingested telemetry; nothing is synthesized.

Frames

Each frame is a point on the timeline. It records when it happened, whether it is an event or an alert, its severity and title, and the running totals at that moment.

a single frame
{
  "ts": 1718900000,
  "ts_iso": "2026-06-20T14:13:20Z",
  "kind": "alert",
  "severity": 14,
  "title": "Canary token triggered",
  "detail": "NEXUS-CANARY-001 ...",
  "cum_events": 47,
  "cum_alerts": 3
}
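The ordering and counting described above, as an added example that is not part of the product's code: it takes constructed event and alert records for one endpoint, interleaves them by timestamp, applies an optional time window and frame limit (the same scope the CLI flags expose), and emits frames in the shape shown. The input record layout, the inclusive window bounds and the tie-break between an event and an alert that share a timestamp are assumptions; the docs do not specify them.

```python
"""Added example, not nexus code: reconstruct Replay-style frames from raw telemetry."""
from datetime import datetime, timezone

# Constructed sample telemetry for one endpoint. Record fields follow the frame
# shown in the docs (ts, severity, title, detail); the ingest schema itself is
# an assumption, not the product's.
EVENTS = [
    {"ts": 1718899900, "severity": 3, "title": "Process start", "detail": "powershell.exe"},
    {"ts": 1718899960, "severity": 5, "title": "Outbound connection", "detail": "203.0.113.10:443"},
    {"ts": 1718900030, "severity": 4, "title": "File write", "detail": "C:\\Users\\Public\\tool.exe"},
]
ALERTS = [
    {"ts": 1718899960, "severity": 9, "title": "Suspicious PowerShell", "detail": "encoded command"},
    {"ts": 1718900000, "severity": 14, "title": "Canary token triggered", "detail": "NEXUS-CANARY-001 ..."},
]


def iso(ts: int) -> str:
    """Epoch seconds -> the ts_iso form used in frames (UTC, second precision)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_frames(events, alerts, from_ts=None, to_ts=None, limit=None):
    """Interleave events and alerts by timestamp and attach running totals.

    from_ts/to_ts bound the window (inclusive, an assumption); limit caps the
    frame count after ordering, so a capped replay is still a correct prefix.
    """
    tagged = [("event", r) for r in events] + [("alert", r) for r in alerts]
    tagged = [t for t in tagged
              if (from_ts is None or t[1]["ts"] >= from_ts)
              and (to_ts is None or t[1]["ts"] <= to_ts)]
    # Assumption: when an event and an alert share a timestamp, the event
    # comes first; the docs do not specify a tie-break.
    tagged.sort(key=lambda t: (t[1]["ts"], 0 if t[0] == "event" else 1))

    frames, cum_events, cum_alerts = [], 0, 0
    for kind, rec in tagged:
        if kind == "event":
            cum_events += 1
        else:
            cum_alerts += 1
        frames.append({
            "ts": rec["ts"], "ts_iso": iso(rec["ts"]), "kind": kind,
            "severity": rec["severity"], "title": rec["title"], "detail": rec["detail"],
            "cum_events": cum_events, "cum_alerts": cum_alerts,
        })
        if limit is not None and len(frames) >= limit:
            break
    return frames


if __name__ == "__main__":
    for f in build_frames(EVENTS, ALERTS):
        print(f"{f['ts_iso']} {f['kind']:5} sev={f['severity']:2} "
              f"ev={f['cum_events']} al={f['cum_alerts']} {f['title']}")
```

Because the limit is applied after ordering, a capped replay never drops a frame from the middle of the timeline; the counters in the last frame returned are exactly the footprint at that moment, which is what makes scrubbing a truncated window trustworthy.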

How to use it

1. Replay an agent's timeline
Reconstruct everything that happened on a single endpoint.
bash
nexus-cli replay --agent <agent_id>

2. Replay an XDR incident
Scope the scrubber to one correlated incident to see exactly how its kill-chain assembled.
bash
nexus-cli replay --incident <incident_id>

3. Replay a time window
Bound the replay to an epoch range and cap how many frames you pull back.
bash
nexus-cli replay --from <epoch> --to <epoch> --limit 2000

REST API

endpoint
GET /replay?agent_id=&from=&to=&incident=&limit=

The response carries the resolved scope, the totals, the raw lists, and the ordered frames:

response shape
{
  "ok": true,
  "scope": { "agent_id": "...", "incident": "...", "from": 0, "to": 0 },
  "frame_count": 50,
  "events": [ ... ],
  "alerts": [ ... ],
  "frames": [
    {
      "ts": 1718900000,
      "ts_iso": "2026-06-20T14:13:20Z",
      "kind": "event",
      "severity": 5,
      "title": "...",
      "detail": "...",
      "cum_events": 1,
      "cum_alerts": 0
    }
  ]
}
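An added example, not part of the product's client or API code: it builds a /replay query path from the documented parameter names, then checks a constructed response in the shape above for the invariants the docs imply (frames in time order, counters that advance by exactly one per frame according to kind, frame_count matching the frame list, final totals matching the raw lists when no limit truncated the replay) and locates the first frame where alerts catch up with events. The response contents, the agent id and the tampered copy are constructed sample data.

```python
"""Added example, not nexus code: build a /replay query and sanity-check its response."""
import copy
from urllib.parse import urlencode


def replay_query(agent_id=None, incident=None, from_ts=None, to_ts=None, limit=None):
    """Query path for GET /replay using the documented parameter names,
    omitting any that are unset."""
    params = {"agent_id": agent_id, "incident": incident,
              "from": from_ts, "to": to_ts, "limit": limit}
    return "/replay?" + urlencode({k: v for k, v in params.items() if v is not None})


def _frame(ts, kind, cum_events, cum_alerts, severity=5, title="..."):
    """Constructed frame in the documented shape (ts_iso/detail left as placeholders)."""
    return {"ts": ts, "ts_iso": "...", "kind": kind, "severity": severity, "title": title,
            "detail": "...", "cum_events": cum_events, "cum_alerts": cum_alerts}


# Constructed response: three events and three alerts on one endpoint,
# already interleaved into six frames with running totals.
SAMPLE_RESPONSE = {
    "ok": True,
    "scope": {"agent_id": "agent-0001", "incident": "", "from": 0, "to": 0},
    "frame_count": 6,
    "events": [{"ts": 1718899900}, {"ts": 1718899960}, {"ts": 1718900030}],
    "alerts": [{"ts": 1718899960}, {"ts": 1718900000}, {"ts": 1718900060}],
    "frames": [
        _frame(1718899900, "event", 1, 0),
        _frame(1718899960, "event", 2, 0),
        _frame(1718899960, "alert", 2, 1, severity=9),
        _frame(1718900000, "alert", 2, 2, severity=14, title="Canary token triggered"),
        _frame(1718900030, "event", 3, 2),
        _frame(1718900060, "alert", 3, 3, severity=11),
    ],
}


def check_replay(resp):
    """Return a list of invariant violations; an empty list means the replay is consistent."""
    problems = []
    if not resp.get("ok"):
        problems.append("response not ok")
    frames = resp.get("frames", [])
    if resp.get("frame_count") != len(frames):
        problems.append(f"frame_count {resp.get('frame_count')} != {len(frames)} frames")
    prev_ts, ev, al = None, 0, 0
    for i, f in enumerate(frames):
        if prev_ts is not None and f["ts"] < prev_ts:
            problems.append(f"frame {i}: timestamp runs backwards")
        prev_ts = f["ts"]
        if f["kind"] == "event":
            ev += 1
        elif f["kind"] == "alert":
            al += 1
        else:
            problems.append(f"frame {i}: unknown kind {f['kind']!r}")
            continue
        # Each frame must report exactly the totals implied by the kinds seen so far.
        if (f["cum_events"], f["cum_alerts"]) != (ev, al):
            problems.append(f"frame {i}: counters {(f['cum_events'], f['cum_alerts'])}, "
                            f"expected {(ev, al)}")
    # Only when no limit truncated the replay must the final totals equal the raw lists.
    events, alerts = resp.get("events", []), resp.get("alerts", [])
    if frames and len(frames) == len(events) + len(alerts):
        if (frames[-1]["cum_events"], frames[-1]["cum_alerts"]) != (len(events), len(alerts)):
            problems.append("final totals do not match the raw event/alert lists")
    return problems


def noisy_turn(frames, ratio=1.0):
    """Index of the first frame where cum_alerts reaches ratio * cum_events, else None.
    This is the 'moment the attack turned noisy' that the tips suggest watching for."""
    for i, f in enumerate(frames):
        if f["cum_events"] and f["cum_alerts"] >= ratio * f["cum_events"]:
            return i
    return None


def tampered_copy(resp):
    """Same response with the last frame's alert counter bumped, to show a detected inconsistency."""
    bad = copy.deepcopy(resp)
    bad["frames"][-1]["cum_alerts"] += 1
    return bad
```

Fetch the path that replay_query returns against your own instance with whatever HTTP client you use, pass the decoded JSON to check_replay, and treat anything other than an empty list as a reason to distrust the timeline before you start triaging from it.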

How it fits the pipeline

Replay sits downstream of detection and correlation. Once XDR fuses alerts into an incident, scope a replay to that incident and walk it frame by frame — turning a static incident record into a playable forensic timeline for triage and post-incident review.

Tips

  • Start from an XDR incident to keep the timeline tight, then widen to --agent if you need surrounding context.
  • Use --limit on broad time windows so a busy endpoint doesn't return an unwieldy frame set.
  • Watch cum_alerts climb relative to cum_events to spot the moment an attack turned noisy.

Press play on the incident. Logs tell you what happened; Replay shows you the order it happened in. Scrub the timeline and the kill-chain reveals itself — from first foothold to the alert that finally fired.