Triage Queue · CASE-2026-0847
Advisory: ESCALATE (92%)

All three source systems independently observed exfiltration-shaped behavior on the same identity within 72 hours, with a file-fingerprint pivot from blocked USB to personal cloud. Destinations are exclusively personal/external. Employment is terminating. Confidence is high; FP likelihood is low.


Bulk borrower-NPI egress by departing Loan Operations Analyst

Tool severity: High · AI severity: Critical (Δ) · Status: In Triage
James Mitchell · Senior Loan Operations Analyst · Mortgage Servicing
EMP-4471 · Mgr: Sarah O'Brien · New York, NY · Hours: 09:30–18:30 EST
Resigned — last working day in 4 days
94 · Critical · 7d trend
Collapsed from: DLP ×6 · Proxy ×4 · SIEM ×4
Created: 2026-06-08 10:30 IST
Assignee: unassigned
  • MITRE T1078 · Valid Accounts
  • MITRE T1530 · Data from Cloud Storage
  • MITRE T1052 · Exfiltration / Physical Medium
  • MITRE T1567.002 · Exfil to Cloud Storage
  • MITRE T1537 · Transfer to Cloud Account
  • MITRE T1048 · Exfil / Alternative Protocol
  • MITRE T1213 · Data from Info Repositories

Correlation graph — why these are one case
The pivots (identity, files, destinations, devices) that link every alert in this case.

Pivot types: Identity · File · Destination · Device (3 cross-case pivots touch this case)
  • Identity: EMP-4471 (James Mitchell)
  • Files: Servicing_Portfolio_Q2, Account_Plans_Top50, Onboarding sheet (email)
  • Device: USB SanDisk ****A91C
  • Destinations: mega.nz, Personal Google Drive, james.personal@gmail.com
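As an added example (not part of this case view or the product's own code), the collapse rule recorded in the audit timeline, shared identity plus a file-fingerprint pivot inside a 72-hour burst, written in Python over constructed alerts; the alert fields, fingerprint values and source labels are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    source: str       # DLP, PROXY or QRADAR (the three authoritative systems)
    ts: datetime
    identity: str     # employee id
    fingerprint: str  # content hash of the file involved, "" if none
    summary: str


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample alerts (illustrative, not the case's raw evidence). Each
# carries the pivots the case view lists: identity, file fingerprint, destination.
SAMPLE = [
    Alert("QRADAR", T("2026-06-06T02:10"), "EMP-4471", "", "off-hours VPN, first-seen residential IP"),
    Alert("DLP", T("2026-06-07T19:05"), "EMP-4471", "fp-7a1c", "USB copy blocked: Servicing_Portfolio_Q2"),
    Alert("PROXY", T("2026-06-07T20:40"), "EMP-4471", "fp-7a1c", "upload to personal Google Drive"),
    Alert("PROXY", T("2026-06-08T01:15"), "EMP-4471", "fp-93e0", "740 MB to mega.nz"),
    Alert("DLP", T("2026-06-08T09:50"), "EMP-4471", "", "NPI email to personal account quarantined"),
    Alert("DLP", T("2026-06-07T11:00"), "EMP-0001", "fp-c2d4", "USB copy blocked (unrelated user)"),
]


def correlate(alerts, window=timedelta(hours=72)):
    """Collapse alerts into cases: same identity, all within `window` of the case's first alert."""
    cases = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for case in cases:
            if case[0].identity == a.identity and a.ts - case[0].ts <= window:
                case.append(a)
                break
        else:
            cases.append([a])
    return cases


def fingerprint_pivots(case):
    """Fingerprints observed by more than one source system inside the case (the 'one case' proof)."""
    seen = defaultdict(set)
    for a in case:
        if a.fingerprint:
            seen[a.fingerprint].add(a.source)
    return {fp for fp, srcs in seen.items() if len(srcs) > 1}


def advisory(case):
    """Advisory verdict only: escalate when all three systems agree and a cross-system file pivot exists."""
    sources = {a.source for a in case}
    return "ESCALATE" if len(sources) == 3 and fingerprint_pivots(case) else "REVIEW"
```

The unrelated EMP-0001 alert stays its own case, and the mega.nz upload is kept in the case by identity and time even though its fingerprint is seen by only one system.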

Unified incident timeline
All raw alerts in this case merged in chronological order, with redacted evidence per item.

Sources: DLP · Proxy · SIEM. Events span 06 Jun 2026 to 08 Jun 2026.

AI triage assist · advisory
AI-drafted summary, kill-chain, FP likelihood and citations. Always advisory: the analyst must validate before acting.

Case summary

Departing Sr. Loan Operations Analyst (EMP-4471, last working day in 4 days) shows a 72-hour pattern consistent with intentional borrower-NPI exfiltration across endpoint, web, and email. The pivot is a single file (Servicing_Portfolio_Q2) blocked on USB, then successfully uploaded to personal Google Drive within 2 hours — corroborated by 740 MB to mega.nz, a quarantined NPI email to a personal account, and a 9,200-record servicing-portfolio export.

MITRE kill-chain
  1. Initial Access: off-hours VPN from first-seen residential IP (T1078).
  2. Collection: 287-file bulk read of borrower repository; 9,200-row servicing export.
  3. Staging: Servicing_Portfolio_Q2 prepared on endpoint; USB copy attempted.
  4. Exfiltration: personal Google Drive (fingerprint match), mega.nz 740 MB, quarantined email to personal Gmail.
False-positive likelihood: 6%
RAG citations
  • SOP-IR-014 — Insider Threat / Departing Employee Triage §3.2 mandatory escalation
  • Altisource GLBA Safeguards Policy §5 NPI handling on personal devices
  • Forcepoint DLP Policy NPI-SSN-Block rev 2026.04
Similar past cases
  • CASE-2025-9112 · Departing analyst — NPI to personal Drive (Escalated)
  • CASE-2025-8730 · USB copy → mega.nz pattern, Mortgage Ops

Analyst notes (0)
Free-text observations added by analysts during triage. Visible to L2 on escalation.


Case audit timeline
Immutable log of every action on this case — analyst, AI, and integrations. Used for compliance review.

2026-06-08 10:30 IST · ingest · Alerts ingested: 14 alerts (DLP 6, PROXY 4, QRADAR 4)
2026-06-08 10:30 IST · redactor · PII redaction applied: SSN, loan numbers masked
2026-06-08 10:30 IST · enricher · Identity + HR context enriched
2026-06-08 10:30 IST · ai-triage · Correlated 14 → 1 case: shared identity + fingerprint + 72h burst
2026-06-08 10:30 IST · ai-triage · Advisory: ESCALATE (92%)
AI output is advisory. QRadar SIEM, Forcepoint DLP, and Forcepoint Proxy remain authoritative source systems. Sensitive values (SSN, account/loan numbers) are redacted before AI processing.