L1 Analyst · SOC · New York

Reports

SLA performance, AI accuracy indicators, and evidence of human validation.

SLA met (7d): Share of cases triaged within their SLA window over the last 7 days.
96% (Target: 95%)
AI accept rate: How often analysts accept the AI's recommended verdict without changes.
88% (Trending up)
Analyst override: How often analysts override the AI. 5–20% is healthy — too low means rubber-stamping, too high means low AI quality.
12% (Healthy band)
FP rate: Reduction in false-positive workload after correlation, vs. triaging every raw alert individually.
-31% (vs. raw triage)
L1 effort saved (7d): Triage time saved by AI-assisted summarisation and correlation, compared with manual L1 triage of every raw alert.
73% (≈ 184 analyst-hours)
Avg. triage time: Median time from case creation to L1 disposition.
4m 12s (Manual baseline: 16m)
L3 escalations (7d): Cases escalated past L2 to L3 Insider Threat / IR specialists.
7 (2 insider-threat)
Redaction coverage: Share of evidence with sensitive fields (SSN, account/loan #, email) tokenised before AI processing.
100% (NPI fields)
QRadar EPS (24h avg): Events-per-second ingest from QRadar SIEM. Stays well below the licensed cap; bursts are absorbed by the Redis stream buffer.
48.2k (Peak 71k · cap 90k)

False positives vs true positives (7d): Daily mix of confirmed-benign vs confirmed-malicious dispositions. Lower FP bars = better signal.

[Chart: Daily dispositions, stacked, last 7 days. Series: False positives, True positives.]

Analyst accept vs override (weekly): Weekly trend of analyst agreement with AI advisories. Watch for sudden jumps in override rate — may signal model drift.

[Chart: Agreement trend, last 4 weeks. Accept 88%, Override 12%.]

Top DLP departments: Business units generating the most DLP-driven cases. Helps target awareness training and policy tuning.

[Chart: Hotspots, cases per business unit.]

Evidence of human validation: Audit-ready proof that every case had a human in the loop. AI never closes a case on its own.

Cases dispositioned by analyst (7d): 412 / 412 (100%)
AI-only closures: 0 (policy)
L2 acceptance of L1 handoffs: 94%
Audit completeness: 100% — every action logged
Redaction coverage (NPI fields): 100% (SSN, account/loan numbers)
AI output is advisory. QRadar SIEM, Forcepoint DLP, and Forcepoint Proxy remain authoritative source systems. Every disposition reflects an analyst decision.

Top policies triggered (7d): Forcepoint DLP / Proxy policies that fired most often — useful for tuning thresholds and reducing alert noise.

Policy                       Source  Count  FP rate  Change
NPI-SSN-Block                DLP     1,842  8%       +12%
NPI-Loan#-Block              DLP     1,204  11%      +4%
Egress-PII-Block             DLP     612    6%       -2%
Personal-Cloud-Upload        PROXY   388    22%      +19%
Unsanctioned-AI-Upload       PROXY   244    14%      +31%
Email-Internal-Confidential  DLP     197    9%       -5%

L3 escalations (7d): Cases handed off past L2 to L3 Insider Threat / Incident Response. These are the cases that warranted specialist attention.

CASE-2026-0847 · Bulk borrower-NPI egress by departing analyst · Insider Threat · SLA met · Confirmed TP
CASE-2026-0812 · Off-hours USB mass-write + DLP burst · Insider Threat · SLA met · Confirmed TP
CASE-2026-0798 · Lateral movement after credential reuse · Incident Response · SLA met · Confirmed TP
CASE-2026-0776 · Privileged user — anomalous repo access · Insider Threat · SLA at risk · Under review
CASE-2026-0754 · Vendor account — unusual data pull · Incident Response · SLA met · Closed — benign
CASE-2026-0741 · Exec phishing landing + token theft · Incident Response · SLA met · Confirmed TP
CASE-2026-0729 · Repeat copy-paste of customer PII · Insider Threat · SLA met · Policy training

Redaction & detokenization audit (7d): Proof that sensitive fields are tokenised before the AI sees them, and that only authorised roles can reveal the raw value.

Fields tokenised before AI processing: 84,212 / 84,212 (100%)
Reveal requests — granted (L3 / Manager): 38
Reveal requests — denied by RBAC: 14 (L1/L2)
Detokenization attempts blocked: 9
External enrichment blocked by privacy guardrail: 6
Token vault audit completeness: 100% — every access logged
Sensitive values (SSN, account/loan #, email PII) are tokenised at ingest. Reveal is gated by RBAC and every event is logged for compliance review.
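The tokenise-at-ingest, RBAC-gated-reveal, log-every-access pattern this panel reports on, as an added illustration rather than code from the platform itself: sensitive fields are replaced with opaque tokens before text leaves the vault boundary, only L3/Manager may detokenise, and every reveal attempt is recorded whether granted or denied. The loan-number format, the role names as plain strings and the sample event text are assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Field patterns tokenised before any AI processing (simplified; LN- loan format is assumed).
PATTERNS = {
    "SSN":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "LOAN":  re.compile(r"\bLN-\d{8}\b"),
}
# Roles permitted to detokenise; L1/L2 are denied by design.
REVEAL_ROLES = {"L3", "Manager"}

@dataclass
class TokenVault:
    vault: dict = field(default_factory=dict)   # token -> raw value, never leaves this object
    audit: list = field(default_factory=list)   # one entry per reveal attempt, granted or not

    def tokenise(self, text: str) -> str:
        """Replace each sensitive field with an opaque token; the raw value stays in the vault."""
        for kind, pat in PATTERNS.items():
            def _sub(m, kind=kind):
                tok = f"<{kind}:{secrets.token_hex(4)}>"
                self.vault[tok] = m.group(0)
                return tok
            text = pat.sub(_sub, text)
        return text

    def reveal(self, token: str, role: str, case_id: str) -> Optional[str]:
        """RBAC-gated detokenisation; the decision is logged before any value is returned."""
        granted = role in REVEAL_ROLES and token in self.vault
        self.audit.append({"case": case_id, "role": role, "token": token,
                           "result": "granted" if granted else "denied"})
        return self.vault[token] if granted else None

def audit_summary(vault: TokenVault) -> dict:
    """Counters in the shape of the dashboard's reveal-request rows."""
    return {"granted": sum(e["result"] == "granted" for e in vault.audit),
            "denied":  sum(e["result"] == "denied" for e in vault.audit)}

# Constructed DLP event text, not taken from any real system.
SAMPLE = "Borrower 123-45-6789 (jdoe@example.com) loan LN-00123456 emailed externally"

def demo():
    v = TokenVault()
    redacted = v.tokenise(SAMPLE)                  # what the AI is allowed to see
    toks = re.findall(r"<[A-Z]+:[0-9a-f]{8}>", redacted)
    v.reveal(toks[0], "L1", "CASE-X")              # denied by RBAC, still logged
    v.reveal(toks[0], "L3", "CASE-X")              # granted, logged
    return redacted, toks, audit_summary(v), v
```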

QRadar ingest health (24h): Throughput from the authoritative SIEM. Stays well below the licensed EPS cap; bursts are absorbed by the Redis stream buffer.

EPS — 24h average: 48,200
EPS — peak: 71,400
EPS — licensed cap: 90,000
Offenses ingested: 412
Offenses promoted to cases: 38 (9.2%)
Buffer headroom: 22% — healthy
QRadar remains the authoritative SIEM. This platform consumes offenses from QRadar and never writes back — telemetry stays inside QRadar for retention and audit.