Triage Queue
Correlated cases, sorted by SLA urgency.
Actionable alerts today: Total raw alerts across all three source tools that the platform considered actionable today, before correlation.
27
DLP 11 · SIEM 8 · Proxy 8
Grouped cases today: Cases produced after correlation. The ratio shows how much noise the platform absorbs vs. analysts seeing every raw alert.
9
from 27 raw alerts
Redaction failures: Times the redactor could not mask a sensitive value before the AI saw it. Target = 0. Any non-zero is an incident.
0
Enrichment blocked: External enrichment calls blocked by the privacy egress guardrail (IOC still contained PII or circuit-breaker OPEN).
5
Open Cases: Correlated cases not yet closed. Equals SIEM + DLP + Proxy open cases below.
9
SIEM Cases: Open cases whose primary source is QRadar SIEM.
3
DLP Cases: Open cases whose primary source is Forcepoint DLP.
5
Proxy Cases: Open cases whose primary source is Forcepoint Proxy.
1
Awaiting Validation: Subset of Open Cases waiting for an L1 analyst to accept, override, or escalate.
9
SLA at Risk: Subset of Open Cases with less than 15 minutes left on their triage SLA.
1
AI p95 Latency: 95th-percentile time for the local LLM to produce an advisory. Health indicator only.
1.8s
Effort Saved: Estimated analyst-hours saved by correlation vs. triaging every raw alert individually.
73%
Alert volume & case throughput — Apr 27 → Jun 1 (6w): Raw alerts ingested per source vs. correlated cases the AI produced. The gap shows how much noise correlation absorbs.
Alert sources (today): Where today's raw alerts came from before correlation. SIEM / DLP / Proxy.
Severity mix (cases): Distribution of open cases by AI-assigned severity. Critical/High should be triaged first.
SLA aging: How long open cases have been waiting. Bars on the right are breaching or near breach.
Top departments: Business units generating the most cases today. Useful for spotting hotspots.
DLP cases by sensitive data type: Distribution of cases by the kind of regulated data implicated (multi-tag — case can appear under several types).
Repeat users — by DLP volume: Users generating the most DLP traffic across persisted cases. Persistent top entries often indicate insider-threat patterns or a missing business workflow.
Cases (9): Each row is one correlated case — multiple raw alerts grouped by shared user, file, or session. Sorted by AI risk score.
| Risk | Case | Entity | Sources | Alerts | Dominant policy | Sensitive data | Severity | Confidence | Status | SLA | Assignee | Advisory | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 94 | CASE-2026-0847 Bulk borrower-NPI egress by departing Loan Operations Analyst | James Mitchell EMP-4471 · Mortgage Servicing | DLP×6, Proxy×4, SIEM×4 | 14 | NPI-SSN-Block | SSN · redacted, Loan # · redacted, +1 | Critical | 92% | In Triage | 11m | M. Kim (L1) | ESCALATE 92% | Open |
| 79 | CASE-2026-0850 Finance user — failed-logins-then-success + unusual download | Maria Rossi EMP-1108 · Finance | DLP×1, Proxy×1, SIEM×2 | 4 | — | — | High | 74% | New | 25m | M. Kim (L1) | ESCALATE 74% | Open |
| 56 | CASE-2026-0849 Developer hit paste-site + cross-team repo access | Thomas Müller EMP-3380 · Platform Engineering | Proxy×1, SIEM×1 | 2 | — | — | Medium | 71% | New | 90m | P. Garcia (L1) | INVESTIGATE 71% | Open |
| 38 | CASE-2026-0854 AI external enrichment BLOCKED — IOC contained borrower PII | James Mitchell EMP-4471 · Mortgage Servicing | DLP×1 | 1 | Egress-PII-Block | Loan # · redacted, Email · redacted | Medium | 81% | New | 95m | — | INVESTIGATE 81% | Open |
| 41 | CASE-2026-0852 Contractor email to personal — small spreadsheet (no NPI) | Lucas Fernandez EMP-9921 · Analytics | DLP×1 | 1 | Email-Internal-Confidential | — | Medium | 64% | Pending Info | 120m | P. Garcia (L1) | INVESTIGATE 64% | Open |
| 22 | CASE-2026-0855 Detokenization request DENIED — L1 attempted Reveal on SSN | James Mitchell EMP-4471 · Mortgage Servicing | DLP×1 | 1 | RBAC-Reveal-Deny | SSN · redacted | Low | 90% | Pending Info | 180m | A. Reeves (L1) | INVESTIGATE 90% | Open |
| 18 | CASE-2026-0848 Marketing user emailed brochure to personal address | Emma Wilson EMP-2210 · Marketing | DLP×1 | 1 | Email-Outbound-Personal | — | Low | 88% | New | 240m | S. Ito (L1) | CLOSE 88% | Open |
| 32 | CASE-2026-0851 HR user — large download from L&D portal | David Park EMP-5520 · HR | Proxy×1, SIEM×1 | 2 | — | — | Low | 80% | New | 360m | S. Ito (L1) | CLOSE 80% | Open |
| 22 | CASE-2026-0853 Servicing agent — proxy alert to crypto site (off-hours browsing) | Michael Johnson EMP-7732 · Mortgage Servicing | Proxy×1 | 1 | — | — | Low | 84% | New | 480m | R. Andersen (L2) | CLOSE 84% | Open |