Correlation ExplorerBrowse pivots — shared identities, files, destinations, and devices — that link multiple cases across the dataset. Use this to spot coordinated activity or repeat behavior the per-case view can't show.
Cross-case pivots derived from every case's correlation graph. Click a row to inspect the cluster.
Total pivotsPivot nodes that appear in 2+ cases.
3
Identity linksSame user (EMP-ID) across multiple cases.
1
File linksSame document or fingerprint across cases.
1
Destination linksSame external endpoint touched by multiple cases.
1
Cases in clustersDistinct cases that share at least one pivot.
6
Sources
Min cases2+
Shared pivots (3)Each row is a node that appears in 2 or more cases. Sources column shows which QRadar SIEM / Forcepoint DLP / Forcepoint Proxy systems observed it.
| Pivot | Type | Cases | Sources | Sev | Last activity |
|---|---|---|---|---|---|
James Mitchell (EMP-4471) | Identity | 3 | DLPProxySIEM | Critical | 2026-06-08 13:22 IST |
mega.nz | Destination | 3 | Proxy | Critical | 2026-06-08 13:22 IST |
Servicing_Portfolio_Q2 | File | 2 | DLPSIEM | Critical | 2026-06-08 13:22 IST |
Cluster detailPivot node in the center with each linked case orbiting it. Open any case to inspect its full correlation graph and evidence.
Pivot
James Mitchell (EMP-4471)
Same identity appears across multiple cases — possible coordinated insider activity or repeat behavior.
Linked cases (3)
- OpenCASE-2026-0847CriticalBulk borrower-NPI egress by departing Loan Operations AnalystJames Mitchell · EMP-4471 · risk 94
- OpenCASE-2026-0854MediumAI external enrichment BLOCKED — IOC contained borrower PIIJames Mitchell · EMP-4471 · risk 38
- OpenCASE-2026-0855LowDetokenization request DENIED — L1 attempted Reveal on SSNJames Mitchell · EMP-4471 · risk 22
Correlations are computed from the cases' shared graph nodes. AI output is advisory — analysts must validate before acting.