L1 Analyst · SOC · New York
Case CASE-2026-0853 (Triage Queue)
Advisory verdict: CLOSE (84%)
AI Gateway · triage: Gemma 3 12B (routine) · embed: BGE-large-en-v1.5

No data movement, no sensitive systems touched.

Recommended next steps (advisory)
  • Validate the unified timeline and evidence bundle against the policy citations below.
  • Confirm employment / asset context (manager, working hours, departing-employee flag).
  • If verdict stands, create or update the L2 ticket using the auto-drafted handoff.
  • If benign, close with a reason code so the platform can learn from the disposition.
The analyst makes every decision. The platform's only outward action is creating or updating a ticket.
AI Triage (live) and Incident Narrative (live): generated on demand by the local Gemma 3 12B model and streamed in real time from the local AI Gateway. Citations like [E1] link to timeline events.
Knowledge retrieved by RAG (embed: BGE-large-en-v1.5)
Step 1 — Confirm the destination category is 'File Sharing (personal)' in Forcepoint Proxy; block at category level if not already enforced for the user's group.
Check before applying: this retrieved step targets the 'File Sharing (personal)' category, while the alert in this case is to a crypto news destination (coindesk.com). Confirm the proxy's actual category for the destination before following a playbook step retrieved for a different category.
Similar past cases (validated history)
  • CASE-2026-0512 (True Positive): Engineer pasted client config to pastebin. Similarity 82%, closed 2026-03-04.
AI Audit Log (0 entries): no AI calls recorded for this case yet. Triage, narrative, and chat calls are appended here automatically.
SLA timer: 480 min remaining · Stage 1 of 3 (Triage → Investigation → Resolution)

Servicing agent — proxy alert to crypto site (off-hours browsing)

Severity: Low · Status: New
Michael Johnson · Servicing Agent · Mortgage Servicing
EMP-7732 · Manager: Sarah O'Brien · Chicago, IL · Hours: 09:30–18:30 CST
Score: 22 (Low) · 7d trend
Collapsed from: DLP×0 · Proxy×1 · SIEM×0
Created: 2026-06-08 06:30 IST
Assignee: unassigned
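Validating the "off-hours" label means converting the platform's IST timestamp into the user's own zone and comparing against their working hours, not reading wall-clock strings side by side. The following is an added example, not platform code. It assumes the proxy event time equals the case-creation stamp shown above (the page does not show the event time separately), resolves the user's zone as America/Chicago (the header says Chicago, IL and labels the hours CST, but Chicago observes CDT in June, so the IANA zone is used when the tz database is available, with a fixed -06:00 fallback), and reports the weekday as an extra signal that the page's hours policy does not itself define.

```python
from datetime import datetime, time, timedelta, timezone, tzinfo

try:
    from zoneinfo import ZoneInfo  # IANA zone database, Python 3.9+
except ImportError:  # very old interpreters
    ZoneInfo = None

# Fixed-offset zones used as fallbacks. IST has no DST, so +05:30 is exact;
# -06:00 "CST" is only correct for Chicago outside daylight-saving time.
IST = timezone(timedelta(hours=5, minutes=30), "IST")
CST_FIXED = timezone(timedelta(hours=-6), "CST")

# Working hours from the case header (09:30-18:30 in the user's local zone).
WORK_START = time(9, 30)
WORK_END = time(18, 30)


def resolve_zone(iana_name: str, fallback: tzinfo) -> tzinfo:
    """Prefer the DST-aware IANA zone; fall back to a fixed offset if tzdata is absent."""
    if ZoneInfo is not None:
        try:
            return ZoneInfo(iana_name)
        except Exception:  # ZoneInfoNotFoundError or no tz database on the host
            pass
    return fallback


def parse_platform_ts(text: str, platform_tz: tzinfo = IST) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM' stamp as the platform renders it (labelled IST)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=platform_tz)


def off_hours_check(event: datetime, user_tz: tzinfo,
                    work_start: time = WORK_START, work_end: time = WORK_END) -> dict:
    """Re-express the event in the user's zone and test it against their working hours."""
    local = event.astimezone(user_tz)
    in_window = work_start <= local.time() <= work_end
    return {
        "user_local": local.strftime("%Y-%m-%d %H:%M %Z"),
        "weekday": local.strftime("%A"),
        "off_hours": not in_window,
        # Weekend is an additional signal; the page's policy only defines hours.
        "weekend": local.weekday() >= 5,
    }


if __name__ == "__main__":
    created = parse_platform_ts("2026-06-08 06:30")       # "Created" stamp from the case header
    chicago = resolve_zone("America/Chicago", CST_FIXED)   # assumption: user's zone from "Chicago, IL"
    print(off_hours_check(created, chicago))
```

With the IANA zone the stamp resolves to Sunday 2026-06-07 20:00 CDT (19:00 with the fixed-offset fallback); either way it falls outside 09:30–18:30, and the weekday is worth recording because the AI summary above describes the browsing as "during break".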

Correlation graph — why these are one case: the pivots (identity, files, destinations, devices) that link every alert in this case. Each node can be drilled into to see other cases that share it.
Pivot types: Identity, File, Destination, Device. 1 cross-case pivot touches this case.
Nodes: EMP-7732 · Michael Johnson · coindesk.com · Servicing_Portfolio_Q2
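How alerts collapse into one case and how a shared node becomes a cross-case pivot, as an added example rather than the platform's own correlation code. It assumes two things the page does not state: only identity and device pivots merge alerts into a case, and only within a 24-hour window; file and destination pivots are reported as links to other cases instead of merging them. The sample alerts are constructed: the page's single proxy alert (device name LT-7732 and the Servicing_Portfolio_Q2 file field are invented; the page only lists that file as a node of the case) plus three invented DLP/SIEM alerts that exercise the window and the cross-case link.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterator, List, Optional, Set, Tuple

Pivot = Tuple[str, str]  # (kind, value), e.g. ("identity", "EMP-7732")

# Assumptions, not stated on the page: which pivots merge alerts and over what window.
MERGE_PIVOTS = {"identity", "device"}
MERGE_WINDOW = timedelta(hours=24)
SOURCES = ("DLP", "Proxy", "SIEM")


@dataclass(frozen=True)
class Alert:
    id: str
    source: str                    # one of SOURCES
    ts: datetime                   # UTC
    identity: str
    device: Optional[str] = None
    destination: Optional[str] = None
    file: Optional[str] = None

    def pivots(self) -> Iterator[Pivot]:
        for kind in ("identity", "device", "destination", "file"):
            value = getattr(self, kind)
            if value:
                yield (kind, value)


@dataclass
class Case:
    id: str
    alerts: List[Alert]            # chronological
    counts: Dict[str, int]         # the "Collapsed from DLP×n Proxy×n SIEM×n" line
    pivots: FrozenSet[Pivot]       # graph nodes for this case


class UnionFind:
    """Disjoint sets over alert indexes; merging two alerts merges their cases."""

    def __init__(self, n: int) -> None:
        self.parent = list(range(n))

    def find(self, i: int) -> int:
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a: int, b: int) -> None:
        self.parent[self.find(a)] = self.find(b)


def correlate(alerts: List[Alert]) -> List[Case]:
    """Collapse alerts sharing a merge pivot within MERGE_WINDOW into cases."""
    order = sorted(range(len(alerts)), key=lambda i: alerts[i].ts)
    uf = UnionFind(len(alerts))
    seen: Dict[Pivot, List[int]] = defaultdict(list)  # pivot -> earlier alert indexes
    for i in order:
        for pivot in alerts[i].pivots():
            if pivot[0] not in MERGE_PIVOTS:
                continue
            for j in seen[pivot]:
                if alerts[i].ts - alerts[j].ts <= MERGE_WINDOW:
                    uf.union(i, j)
            seen[pivot].append(i)
    groups: Dict[int, List[Alert]] = defaultdict(list)
    for i in order:  # chronological, so each group's list is already ordered
        groups[uf.find(i)].append(alerts[i])
    cases = []
    for n, members in enumerate(sorted(groups.values(), key=lambda g: g[0].ts), start=1):
        counts = {s: sum(a.source == s for a in members) for s in SOURCES}
        pivots = frozenset(p for a in members for p in a.pivots())
        cases.append(Case(f"CASE-{n:04d}", members, counts, pivots))
    return cases


def cross_case_pivots(cases: List[Case]) -> Dict[Pivot, Set[str]]:
    """Pivots owned by more than one case: the 'drill into other cases' links."""
    owners: Dict[Pivot, Set[str]] = defaultdict(set)
    for case in cases:
        for pivot in case.pivots:
            owners[pivot].add(case.id)
    return {p: ids for p, ids in owners.items() if len(ids) > 1}


# Constructed sample: the page's proxy alert plus three invented alerts.
SAMPLE_ALERTS = [
    Alert("PRX-1", "Proxy", datetime(2026, 6, 8, 1, 0), "EMP-7732", device="LT-7732",
          destination="coindesk.com", file="Servicing_Portfolio_Q2"),
    Alert("SIEM-1", "SIEM", datetime(2026, 6, 8, 3, 0), "EMP-7732", device="LT-7732"),   # same user, 2h later
    Alert("DLP-1", "DLP", datetime(2026, 6, 9, 12, 0), "EMP-9104", device="LT-9104",
          file="Servicing_Portfolio_Q2"),                                               # shares only the file
    Alert("SIEM-2", "SIEM", datetime(2026, 6, 12, 1, 0), "EMP-7732", device="LT-7732"),  # same user, outside window
]

if __name__ == "__main__":
    for case in correlate(SAMPLE_ALERTS):
        print(case.id, [a.id for a in case.alerts], case.counts)
    for pivot, ids in cross_case_pivots(correlate(SAMPLE_ALERTS)).items():
        print("cross-case pivot", pivot, sorted(ids))
```

Merging is transitive, so a user who trips one alert a day would chain every day into a single case under this rule; a real implementation needs a cap on case age or size, and the choice of which pivot kinds merge (here identity and device) versus which only link (file and destination) decides whether a shared file like Servicing_Portfolio_Q2 pulls another user's DLP alert into this case or merely shows as the "1 cross-case pivot".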

Unified incident timeline: all raw alerts in this case merged in chronological order; each item expands to the redacted evidence. Filters: DLP · Proxy · SIEM.
08 Jun 2026

AI triage assist (advisory): AI-drafted summary, FP likelihood and citations. Always advisory; the analyst must validate before acting.
Case summary: Single proxy alert — crypto news site during break. Acceptable-use policy minor.
False-positive likelihood: 90%
RAG citations:
  • AUP-001 — Acceptable Use §4 minor browsing

Analyst notes (0): free-text observations added by analysts during triage, visible to L2 on escalation. No notes yet.

Case audit timeline: immutable log of every action on this case (analyst, AI, and integrations), used for compliance review.

AI output is advisory. QRadar SIEM, Forcepoint DLP, and Forcepoint Proxy remain authoritative source systems. The AI runs on local open-weights inference inside the customer perimeter — no alert content leaves the boundary.