Activity Feed

All incident events across active sessions

INC-0039 ai 1:15:31 PM

12 accounts show success-after-failure pattern consistent with credential stuffing from HaveIBeenPwned corpus.

INC-0042 human 1:10:31 PM

Confirmed phishing email received at 08:42 UTC. Attachment analysis in progress.

INC-0039 system 1:07:31 PM

Auth failure spike detected: 4,200 failures in 30 min — 8x baseline

INC-0042 ai 12:55:31 PM

Anomalous AWS ListBuckets call from ci-deploy role — 12 minutes after credential exfil. Recommend immediate credential rotation.

INC-0042 system 12:50:31 PM

Alert escalated to SEV-1 by detection rules

INC-0042 system 12:44:31 PM

EDR alert: LSASS dump detected on eng-mbp-msilva.local

INC-0040 system 11:55:31 AM

Incident resolved. Postmortem scheduled.

INC-0041 human 11:25:31 AM

All sessions terminated. Two API tokens identified as attacker-created — pending deletion.

INC-0041 ai 10:55:31 AM

Session token reuse pattern confirmed. New device fingerprint, no MFA challenge logged. Recommend immediate session termination.

INC-0041 system 10:27:31 AM

Impossible travel alert: Paris (09:14 UTC) → Lagos (18:22 UTC) — same account, 9h apart

INC-0040 human 8:55:31 AM

Legal review complete. Customer notifications sent. DPA filed.

INC-0040 ai 4:55:31 AM

7 external IPs accessed 43 objects during the 43-minute exposure window. Estimated 1,400 records. GDPR Article 33 likely triggered (72h notification window).

INC-0040 human 3:37:31 AM

Public access block re-enabled. Bucket secured.

INC-0040 system 2:54:31 AM

S3 public access alert: incidentconnect-customer-exports bucket made public