Illustrative investigation / Synthetic data · no customer data shown
Case VL-0147
Unusual sign-in followed by privileged access
- OPENED
- 02:14:07 UTC
- OUTCOME
- SYNTHETIC HUMAN REVIEW COMPLETEEV-03 · EV-06
Evidence trail / 6 sources
Facts keep their source, time, and freshness.
Every observation stays attributable. Conflicting evidence remains visible instead of being flattened into a confident-looking answer.
Identity provider
Successful sign-in from a network not seen for this identity in the previous 30 days.
- OBSERVED
- 02:14:07 UTC
- FRESHNESS
- 12 s at collection
Endpoint posture
Managed device, current controls, and a valid certificate associated with the identity.
- OBSERVED
- 02:13:42 UTC
- FRESHNESS
- 37 s at collection
Cloud activity
A privileged role was assumed four minutes after the sign-in.
- OBSERVED
- 02:18:11 UTC
- FRESHNESS
- 9 s at collection
Identity history
A prior session appears geographically incompatible; corporate egress could explain the mismatch.
- OBSERVED
- 02:18:15 UTC
- FRESHNESS
- 30 d window
Network reputation
No confirmed malicious reputation. Hosting and VPN classifications disagree.
- OBSERVED
- 02:18:20 UTC
- FRESHNESS
- 18 min old
Synthetic responder note
The simulated account owner denies initiating the sign-in or requesting the privileged role.
- OBSERVED
- 02:26:40 UTC
- FRESHNESS
- Recorded at review
Analysis ledger / six explicit states
Reasoning stays inspectable.
Known facts, inference, conflicting evidence, unknowns, policy, and recommendation remain separate so a responder can inspect where each conclusion came from.
- JD-01KNOWN
The sign-in used a managed device.
Device identity and posture reduce—but do not remove—the risk of credential misuse.
EV-01 · EV-02
- JD-02INFERENCE
Device trust lowers risk; it does not clear the sequence.
The managed endpoint makes a stolen-device scenario less likely, while the rapid privilege change still requires explanation.
EV-02 · EV-03
- JD-03CONFLICT
The location signal has two plausible explanations.
Identity history suggests an incompatible location, while network classification could indicate corporate egress or a VPN.
EV-04 · EV-05
- JD-04UNKNOWN
Business intent is unknown before human verification.
The evidence shows what happened, but not whether the account owner expected the privileged role change.
EV-03 · EV-04 · EV-05
- JD-05POLICY
Privilege change requires human confirmation.
The illustrative policy boundary blocks a close recommendation when privileged access follows an unresolved identity conflict.
EV-03 · EV-04
HUMAN AUTHORITY BOUNDARY - JD-06RECOMMENDATION
Escalate with the evidence trail attached.
Ask the responder to verify the user and the business reason for the privilege change before disposition.
EV-01 · EV-02 · EV-03 · EV-04 · EV-05
Policy constraint
Automation pauses here.Privileged access plus unresolved identity conflict requires a human decision before any response action. EV-03 · EV-04
Fully synthetic outcome / human-reviewed
Authority comes before action.
This product-state demonstration records a human decision, then shows the bounded actions the orchestration model would take. No live system was contacted.
Recorded outcome
SYNTHETIC HUMAN REVIEW COMPLETEIn this illustrative walkthrough, a human reviewer confirms the activity was unauthorized. The action sequence that follows is simulated; no live system was contacted.
EV-03 · EV-06
- DS-01HUMAN DECISION
RECORDED
Confirm unauthorized activity and approve containment.
The simulated reviewer accepts the account owner denial, resolves the open business-intent question, and authorizes the bounded response.
- DS-02AUTOMATED ACTION
SIMULATED · NOT EXECUTED
Revoke active sessions and remove the privileged role.
The product model records the post-approval containment requests it would send. This walkthrough did not connect to or change a live environment.
- DS-03AUTOMATED ACTION
SIMULATED · NOT EXECUTED
Attach the disposition and evidence trail to the case record.
The modeled writeback preserves the human decision, cited evidence, policy version, and correction path as one reviewable record.
Demonstration boundary: the human-reviewed outcome, action requests, and writeback above are entirely synthetic. They illustrate the intended control model, not a live capability, customer result, or deployment.
Investigation memory / synthetic closed record
The decision remains reviewable.
Memory is not silent model training. It preserves the human decision, modeled actions, owner, policy version, citations, supersession rule, and correction path.
- RECORD STATUS
- Synthetic closed record · human-reviewedThe closed state belongs only to this illustrative walkthrough.
- OWNER
- Synthetic responder · decision recordedHuman authority remains explicit and attributable.
- HUMAN DECISION
- Unauthorized activity confirmedSupported by EV-03 and the synthetic verification record EV-06.
- AUTOMATED ACTION
- Containment + case writeback · simulated onlySupported by EV-03 and EV-06; the walkthrough records intended actions and executes nothing.
- POLICY VERSION
- ID-ACCESS / 0.4The policy version stays attached to the decision.
- EVIDENCE CITATIONS
- EV-01 · EV-02 · EV-03 · EV-04 · EV-05 · EV-06Every cited observation resolves to a source and collection time.
- SUPERSESSION
- Expires when evidence or policy changesA future record should not silently reuse stale judgment.
- CORRECTION PATH
- Analyst revises outcome + records reasonCorrections remain part of the audit trail.