Triage Queue · CASE-2026-0854
Working as intended: external enrichment must never see customer PII. The block proves the guardrail works; the analyst should add a hash-only IOC instead.
Recommended next steps (advisory)
- Validate the unified timeline and evidence bundle against the policy citations below.
- Confirm employment / asset context (manager, working hours, departing-employee flag).
- If verdict stands, create or update the L2 ticket using the auto-drafted handoff.
- If benign, close with a reason code so the platform can learn from the disposition.
The analyst makes every decision. The platform's only outward action is creating or updating a ticket.
AI Triage (live) · Local · Phi-4 14B
Click Generate to call the model. Streams in real time from the local AI Gateway. Citations like [E1] link to timeline events.
Incident Narrative (live) · Local · Phi-4 14B
Knowledge — retrieved by RAG
embed · BGE-large-en-v1.5
§3.2 Mandatory L2 escalation when a departing employee triggers any NPI-class DLP block within their final 14 working days.
Similar past cases
validated history
- CASE-2025-9112 · Escalated · Departing analyst — NPI to personal Drive · sim 92% · closed 2025-11-14
- CASE-2025-8730 · True Positive · USB copy → mega.nz pattern, Mortgage Ops · sim 87% · closed 2025-09-22
AI Audit Log · 0 entries
No AI calls recorded for this case yet. Triage, narrative, and chat calls will appear here automatically.
SLA Timer
95m remaining
Workflow stage: 1 Triage · 2 Investigation · 3 Resolution
AI external enrichment BLOCKED — IOC contained borrower PII
Medium · New · James Mitchell · Senior Loan Operations Analyst · Mortgage Servicing
EMP-4471 · Mgr: Sarah O'Brien · New York, NY · Hours: 09:30–18:30 EST
Resigned — last working day in 4 days
Risk score: 38 · Low · 7d trend
Collapsed from: DLP ×1 · Proxy ×0 · SIEM ×0
Created: 2026-06-08 10:25 IST
Assignee: unassigned
Correlation graph — why these are one case
The pivots (identity, files, destinations, devices) that link every alert in this case. Click any node to drill into other cases that share it.
Open Correlation Explorer · Identity · File · Destination · Device · 1 cross-case pivot touches this case
Drill-down
Click a node in the graph to see its pivot details and any other cases it links to.
Unified incident timeline
All raw alerts in this case merged in chronological order. Click an item to expand the redacted evidence.
Filter: DLP · Proxy · SIEM
08 Jun 2026
AI triage assist · advisory
AI-drafted summary, FP likelihood and citations. Always advisory — analyst must validate before acting.
Case summary
AI investigator attempted to enrich indicators (personal email, masked loan number) against VirusTotal as part of CASE-2026-0847. Privacy egress guardrail BLOCKED both calls because the IOC string still contained classified PII patterns after partial redaction.
False-positive likelihood
12%
RAG citations
- Privacy Egress Policy v3.1 — §2 No raw PII to external providers
- SOP-PRIV-007 — Indicator hashing — §1 use sha256 IOC
Similar past cases
- CASE-2026-0701 — Same guardrail fired on Account#
Analyst notes (0)
Free-text observations added by analysts during triage. Visible to L2 on escalation.
No notes yet — add your first observation below.
Case audit timeline
Immutable log of every action on this case — analyst, AI, and integrations. Used for compliance review.
2026-06-08 10:25 IST · egress-guard · BLOCKED egress — VirusTotal · Loan# pattern · TKN-LN-9981
2026-06-08 10:30 IST · egress-guard · BLOCKED egress — VirusTotal · Email pattern · TKN-EM-4471
2026-06-08 10:30 IST · ai-triage · Advisory: INVESTIGATE (81%) — Recommend re-running with sha256 IOC only.
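The two blocked egress entries above and the triage advice to re-run with a sha256 IOC describe a privacy egress guardrail; the following is an added illustration of that decision logic, not the platform's own code. The PII patterns, the loan-number format (constructed to also match a masked value such as LN-****-9981) and the sample indicators are assumptions for the example.

```python
import hashlib
import re

# Constructed PII-class patterns standing in for the guardrail's classifier.
# Assumption: the real patterns are not on the page. The loan pattern accepts
# '*' digits on purpose, because a partially masked loan number is exactly
# what the case shows slipping through into an enrichment request.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "loan_number": re.compile(r"\bLN-[0-9*]{4}-[0-9*]{4}\b"),
}


def classify_pii(ioc: str) -> list:
    """Names of PII-class patterns present in an indicator string."""
    return [name for name, rx in PII_PATTERNS.items() if rx.search(ioc)]


def hash_ioc(ioc: str) -> str:
    """Hash-only form of an indicator (sha256 of the normalised string),
    the substitute the triage advice recommends sending instead."""
    return hashlib.sha256(ioc.strip().lower().encode("utf-8")).hexdigest()


def egress_guard(ioc: str, provider: str) -> dict:
    """Decide whether an indicator may leave the perimeter for enrichment.

    Returns the decision, the reason string in the audit-log style used on
    this case page, the value that may actually be sent (None when blocked)
    and the hash-only substitute the analyst can re-run with."""
    hits = classify_pii(ioc)
    if hits:
        return {
            "action": "BLOCKED",
            "provider": provider,
            "reason": " + ".join(f"{h} pattern" for h in hits),
            "send_value": None,          # raw string never leaves the boundary
            "substitute": hash_ioc(ioc),
        }
    return {"action": "ALLOWED", "provider": provider, "reason": None,
            "send_value": ioc, "substitute": None}


if __name__ == "__main__":
    # Constructed sample indicators mirroring the two blocked calls in the log.
    for sample in ("j.mitchell.personal@example.com", "LN-****-9981"):
        print(egress_guard(sample, "VirusTotal"))
```

A plain sha256 of a low-entropy value such as a loan number can be confirmed by guessing; where the provider only needs to match, a keyed hash (HMAC with a key held inside the perimeter) is the safer hash-only form.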
AI output is advisory. QRadar SIEM, Forcepoint DLP, and Forcepoint Proxy remain authoritative source systems. The AI runs on local open-weights inference inside the customer perimeter — no alert content leaves the boundary.