Signal — Incident INC-20460419-0473

Subject employee

Daniel Reyes

Senior Financial Analyst · Finance · FP&A

emp_00418 · dreyes@northwind.corp

Manager

S. Alvarez

Tenure

4y 2m

Location

Seattle · remote

Device

MBP · managed

Clearance

Tier 2 · Finance

Last login

2m ago · VPN

Risk score Elevated · 78th pctl

74/100

baseline 33 · peer avg 28 ▲ +41 · 24h

Behavioral context last 90d

Prior DLP events: 3
Prior incidents (any): 0
First offense of this class: No
Pattern: recurring · escalating
Peer-group deviation: +3.2σ
Training completed: 2045-11-14
Policy acknowledged: Yes · v4.2

Share activity · 24hpeak 14:30

0006121824

After-hours shares

vs peer 1.4 avg

External recipients

8 new

in last 14d

Sensitive files touched

+22% MoM

USB volume

0 B

blocked by policy

Related incidents 3 · 90d

MEDINC-20460412-0128 7d MEDINC-20460403-0091 16d LOWINC-20460219-0051 59d

Sensitivity

RESTRICTED · tier 3

Records exposed

14,208 rows

External recipients

1 · personal gmail

Blast radius

contained · no fwd

Q2-Pricing-Forecast.xlsx

sharepoint://finance/fp&a/forecasting/2046/Q2/ · 4.1 MB · modified 11:42 PDT

RESTRICTED PII · 3 types financial

Rows · cols

14,208 × 42

Customer records

11,642

Revenue figures

Q2 + FY forecast

Classifier match

98.6% conf

Sensitivity

PUBINTCONFRESTRSEC

Data types · PII·email · PII·name · financial·forecast · pricing·strategy Owner · S. Alvarez

Activity timeline

Activity timeline · incident ±2h window

12:08:41PDT · 2h 37m ago

VPN session established from Seattle · res ISP

ip 73.82.114.201dev MBP-DR-14auth sso+mfa

auth.session

13:42:19PDT · 1h 03m ago

Accessed SharePoint path /finance/fp&a/forecasting/2046/Q2/

session 9a1f…e814 files listed2 opened

sharepoint.list

14:11:02PDT · 34m ago

Downloaded Q2-Pricing-Forecast.xlsx to local device

4.1 MBclassification RESTRICTEDpolicy allow · audit

file.download

14:19:47PDT · 26m ago

Renamed file to q2-forecast-personal.xlsx

local fs~/Downloads/removes classification tag

file.rename

14:32:07PDT · 13m ago

Outbound email attempted · attachment blocked by DLP

to daniel.reyes.84@gmail.comsubj "weekend numbers"attach 1 · 4.1 MBpolicy DLP-R-019 · external-share-restricted

INCIDENT

14:32:09PDT · 13m ago

User acknowledged policy prompt and retried with 2nd attempt via shared link

onedrive.share · anonymous-linkblocked by policyelapsed 2s after 1st block

INTENT ↑

14:33:54PDT · 11m ago

Opened browser tab · support article "how to share a file outside company"

intranet.northwind/help/s/2146s dwell

browser.visit

14:35:12PDT · 10m ago

Auto-quarantine q2-forecast-personal.xlsx on managed device

crowdstrike.mdmfile hash sha256:6f3c…a1user notified

endpoint.quarantine

14:38:20PDT · 7m ago

User opened Slack DM to manager S. Alvarez — draft not sent

typing 42sdeleted draft

slack.draft

14:42:11PDT · 3m ago

Incident triaged and assigned to M. Kwon by auto-router

priority HIGHsla 4hplaybook PB-DATA-019

incident.triage

showing 10 of 1,240 events in window

Intent classification

model v2.8

confidence · deliberate

Likely deliberate exfiltration

Retry after block, rename to strip classification, and external personal address raise intent probability. Not yet conclusive.

68% deliberate → recommends notify manager + escalate to insider threat

Signals contributing to score

Retried after DLP block (+2s)

▲ +28

Renamed file to strip classification tag

▲ +21

Recipient is personal email of same user

▲ +14

Opened help article after block

▼ −9

No prior exfil pattern on this device

▼ −6

↳ Because intent is classified likely deliberate · 68%, response is weighted toward containment.

Response actions ← triggered by intent score

Playbook PB-DATA-019 ↗

4 actions available 2 recommended · 1 permanent

Notify manager REC Reversible

Send automated incident summary + evidence packet to S. Alvarez with 24h response required.

channel · email+slack · template MGR-03

→

Assign targeted training Reversible

Data-handling · external-share module. Completion required within 7 days or access auto-restricts.

module DLP-201 · 18 min · tracked

→

Restrict access Reversible

Revoke external-share scope and downgrade SharePoint clearance to Tier 1 pending review.

scope · finance.share.external · downgrade · audit-logged

→

Escalate to Insider Threat REC Permanent · Legal hold

Open IR case with IT-Sec insider-threat team; preserves device, inbox and endpoint telemetry for forensics.

team · it-sec.insider · case auto-created · legal-hold

Cannot be reversed without IT-Sec approval. Excluded from "Run all recommended" — requires explicit confirmation.

→

Policy hit

View rule ↗

rule DLP-R-019

name external-share-restricted

match classification IN (RESTRICTED,SECRET) AND recipient.domain NOT IN allow_list

action BLOCK + INCIDENT

owner sec.policy@northwind

External share of Q2-Pricing-Forecast.xlsx to personal email

Activity timeline · incident ±2h window