L1
L1 Analyst
SOC · New York
Triage QueueCASE-2026-0849
AdvisoryINVESTIGATE71%
AI Gateway ·triage · Llama 3.1 8Broutineembed · BGE-large-en-v1.5view grounding

Ambiguous: paste-site could be debugging snippet or credential leak. Repo access could be approved cross-team work. Recommend RFI to user's manager.

Recommended next steps (advisory)
  • Validate the unified timeline and evidence bundle against the policy citations below.
  • Confirm employment / asset context (manager, working hours, departing-employee flag).
  • If verdict stands, create or update the L2 ticket using the auto-drafted handoff.
  • If benign, close with a reason code so the platform can learn from the disposition.
The analyst makes every decision. The platform's only outward action is creating or updating a ticket.
AI Triage (live)Local · Llama 3.1 8B
Click Generate to call the model. Streams in real time from the local AI Gateway. Citations like [E1] link to timeline events.
Incident Narrative (live)Local · Llama 3.1 8B
Click Generate to call the model. Streams in real time from the local AI Gateway. Citations like [E1] link to timeline events.
Knowledge — retrieved by RAG
embed · BGE-large-en-v1.5
§3.2 Mandatory L2 escalation when a departing employee triggers any NPI-class DLP block within their final 14 working days.
AI Audit Log0 entries
No AI calls recorded for this case yet. Triage, narrative, and chat calls will appear here automatically.
SLA Timer
90m remaining
1
Triage
2
Investigation
3
Resolution
TM

Developer hit paste-site + cross-team repo access

MediumNew
Thomas Müller · Software Engineer II · Platform Engineering
EMP-3380Mgr: Sophie DuboisFrankfurt, DEHours: 10:30–19:30 CET
56
Medium
7d trend
Collapsed from
DLP×0Proxy×1SIEM×1
Created2026-06-08 09:00 IST
Assigneeunassigned

Correlation graph — why these are one caseThe pivots (identity, files, destinations, devices) that link every alert in this case. Click any node to drill into other cases that share it.

Open Correlation Explorer
Identity File Destination Device1 cross-case pivot touch this case
EMP-3380Thomas Müllerfinance-eng/risk-modelspastebin.commega.nz
Click any node to inspect the pivot and other cases that share it.
Drill-down
Click a node in the graph to see its pivot details and any other cases it links to.

Unified incident timelineAll raw alerts in this case merged in chronological order. Click an item to expand the redacted evidence.

DLP Proxy SIEM
08 Jun 2026

AI triage assist · advisoryAI-drafted summary, FP likelihood and citations. Always advisory — analyst must validate before acting.

Case summary

Proxy alert for paste-site usage (pastebin) combined with a QRadar offense for repo access outside the user's team. No DLP content match — needs human judgment.

False-positive likelihood
45%
RAG citations
  • SOP-DEV-008 — Paste-site triage §1 requires content review

Analyst notes (0)Free-text observations added by analysts during triage. Visible to L2 on escalation.

No notes yet — add your first observation below.

Case audit timelineImmutable log of every action on this case — analyst, AI, and integrations. Used for compliance review.

2026-06-08 09:00 ISTai-triageAdvisory: INVESTIGATE (71%)
AI output is advisory. QRadar SIEM, Forcepoint DLP, and Forcepoint Proxy remain authoritative source systems. The AI runs on local open-weights inference inside the customer perimeter — no alert content leaves the boundary.