🔒 CONFIDENTIAL - INTERNAL USE ONLY
Generated by: GitHub Copilot in Agent mode with Claude Opus 4.6 | Machine: WORKSTATION-001 | Date: 2025-12-14 13:43:16

John Smith 🛡️ | john.smith@contoso.com • Security Analyst

Security Operations • Seattle • 📍 US, CA, AU, GB, BR
● Active • Member
Investigation Date: 2025-12-14
Period: 2025-10-04 to 2025-12-05

📊 Key Metrics

  • 10 Anomalies
  • 27.4K Sign-ins
  • 5 DLP Events
  • 412 Failures

🔐 MFA Status

Windows Hello for Business, Password, Phone, Email, Authenticator

🎯 Risk Assessment

Overall Risk: HIGH
Risk level is calculated based on 6 risk factors and 3 mitigating factors.
Risk Factors (6)
  • 🌍 Geographic anomalies: 3 new countries (BR, HK, IE)
  • 🔓 Device compliance: 277 failures (error code 53000)
  • 📤 DLP violations: 5 events (network share + cloud)
  • 🎭 Anonymous IPs: VPN/proxy usage detected
  • ⚠️ Identity Protection: User at low risk (atRisk)
  • 🔑 Privileged account: SecOps Analyst
Mitigating Factors (3)
  • ✅ MFA active (5 methods including Authenticator)
  • ✅ 98.5% sign-in success rate
  • ✅ Managed/compliant devices available

🎯 Critical Actions

🚨 CRITICAL: 1. Investigate DLP events
5 sensitive file operations detected (network share + chatgpt.com upload)
⚠️ HIGH: 2. Review geographic anomalies
Verify VPN usage for BR, HK, IE sign-ins
⚠️ HIGH: 3. Address device compliance
Fix non-compliant devices (277 failures)

🛡️ Identity Protection

Risk Level: ⚠️ LOW
State: Active Risk
⚠️ 1 Active Risk Detection
📋 Recent Risk Detections
| Date | Type | Level | State | IP | Location |
| --- | --- | --- | --- | --- | --- |
| 2025-11-26 | anonymizedIPAddress | medium | Remediated | 146.70.130.174 | Dublin, Dublin, IE |
| 2025-11-26 | anonymizedIPAddress | low | Remediated | 146.70.130.174 | Dublin, Dublin, IE |
| 2025-11-25 | anomalousToken | low | Active Risk | 146.70.9.214 | Shek Kip Mei, Kowloon, HK |
| 2025-11-24 | anonymizedIPAddress | medium | Remediated | 146.70.9.214 | Shek Kip Mei, Kowloon, HK |
| 2025-11-24 | anonymizedIPAddress | medium | Remediated | 146.70.9.214 | Shek Kip Mei, Kowloon, HK |

💻 Registered Devices 🛡️

| Device Name | OS | Compliant | Last Seen |
| --- | --- | --- | --- |
| CORP-DESKTOP-01 | Windows | ✓ Yes | 2025-12-11 |
| CORP-LAPTOP-02 | Windows | ✗ No | 2025-12-04 |
| CORP-VM-03 | Windows | ✓ Yes | 2025-11-20 |
| CORP-WVD-04 (⚠ STALE) | Windows | ✗ No | 2025-03-21 |
| LAPTOP-ABC123 (⚠ STALE) | Windows | ✗ No | 2023-04-12 |

📍 Top Locations

| Location | Total | Success | Failures |
| --- | --- | --- | --- |
| CA | 21953 | ✓ 21618 | ✗ 335 |
| US | 5998 | ✓ 5881 | ✗ 117 |
| AU | 258 | ✓ 249 | ✗ 9 |

📱 Top Applications

| Application | Total | Success | Failures |
| --- | --- | --- | --- |
| Microsoft 365 Security and Compliance Center | 8351 | ✓ 8336 | ✗ 15 |
| WindowsDefenderATP | 3763 | ✓ 3763 | ✗ 0 |
| Microsoft Threat Protection | 3430 | ✓ 3430 | ✗ 0 |

🌐 User Sign-in IP Intelligence

146.70.9.214 [🚨 THREAT] [⚠️ RISKY] [ANOMALY]
Risk: High
Location: Shek Kip Mei, HK
Sign-ins: ✓ 11 ✗ 1
First Seen: 2025-11-24
Last Seen: 2025-11-24
Type: 🌐 ISP | 🔒 VPN
Recent Auth: 🎫 Token
🔍 Details
Organization: AS9009 M247 Europe SRL
ASN: AS9009
IP Type: 🌐 ISP | 🔒 VPN | ⚠️ THREAT DETECTED
Threat Match: Sentinel: Threat Intel IOC Test Match

146.70.130.174 [⚠️ RISKY] [ANOMALY]
Risk: Medium
Location: Dublin, IE
Sign-ins: ✓ 11 ✗ 1
First Seen: 2025-11-26
Last Seen: 2025-11-26
Type: 🌐 ISP | 🔒 VPN
Recent Auth: 🔒 MFA
🔍 Details
Organization: AS9009 M247 Europe SRL
ASN: AS9009
IP Type: 🌐 ISP | 🔒 VPN | ⚠️ THREAT DETECTED
Threat Match: AbuseIPDB: Medium Risk (52/100, 27 reports)

149.22.81.146 [⚠️ RISKY]
Risk: Medium
Location: Vancouver, CA
Sign-ins: ✓ 5 ✗ 7
Detected: 2025-11-18
Last Seen: 2025-11-18
Type: 🌐 ISP | 🔒 VPN
Recent Auth: ❌ Failed
🔍 Details
Organization: AS212238 Datacamp Limited
ASN: AS212238
IP Type: 🌐 ISP | 🔒 VPN | ⚠️ THREAT DETECTED
Threat Match: AbuseIPDB: Medium Risk (32/100, 13 reports)

193.19.205.125 [ANOMALY]
Risk: Medium
Location: Sao Paulo, BR
Sign-ins: ✓ 9 ✗ 3
First Seen: 2025-11-23
Last Seen: 2025-11-23
Type: 🌐 ISP | 🔒 VPN
Recent Auth: ❌ Failed
🔍 Details
Organization: AS203020 HostRoyale Technologies Pvt Ltd
ASN: AS203020
IP Type: 🌐 ISP | 🔒 VPN | ✓ Clean
Threat Match: AbuseIPDB: Low Risk (19/100, 4 reports)

🚨 Recent Security Incidents 🛡️

| Time | Severity | ID | 🔔 | Title | Status | Owner |
| --- | --- | --- | --- | --- | --- | --- |
| Dec 03 14:59 | Low | 2288 | 1 | Privileged User Logon from new ASN involving one user | Closed | analyst1@contoso.com |
| Nov 29 14:59 | High | 2281 | 1 | Privileged User Logon from new ASN involving one user | Closed | john.smith@contoso.com |
| Nov 29 16:01 | High | 2283 | 1 | Rare RDP Connections | Closed | john.smith@contoso.com |
| Nov 29 16:34 | High | 2284 | 1 | RDP Nesting | Closed | analyst2@contoso.com |

📈 Common Office 365 Activity

  • 292 Emails Accessed
  • 229 Teams Messages
  • 192 Teams Card Actions
  • 150 Emails Sent
  • 71 SharePoint Access

📤 Recent DLP Events

| Time | Operation | File | Target | IP Address |
| --- | --- | --- | --- | --- |
| Nov 26 18:19 | Network Share | 1-MB-Test-2.docx | \\10.0.0.50\Share\Temp\sample-data.pdf | 198.51.100.10 |
| Nov 26 18:19 | Network Share | 1-MB-Test-2.docx | \\10.0.0.50\Share\Temp\1-MB-Test-2.docx | 198.51.100.10 |
| Nov 26 18:19 | Network Share | sample-data.csv | \\10.0.0.50\Share\Temp\sample-data.csv | 198.51.100.10 |
| Nov 26 18:19 | Network Share | sample-data.pdf | \\10.0.0.50\Share\Temp\sample-data.pdf | 198.51.100.10 |
| Nov 26 18:03 | Cloud Upload | 1-MB-Test.docx | chatgpt.com | 198.51.100.10 |

🔒 Recent Sign-in Failures

| Error | Description | Count | Applications | Locations |
| --- | --- | --- | --- | --- |
| 53000 | Conditional Access policy requires a compliant device, and the device is not compliant. Have the ... | 277 | Visual Studio Code, Microsoft Edge | CA, US |
| 65002 | Other | 79 | Visual Studio Code, Enterprise Dashboard Project, Windows Search | US, CA |
| 700003 | Other | 23 | Microsoft 365 Copilot extension, Azure Portal, Office365 Shell WCSS-Client | CA, US |
| 700084 | The refresh token was issued to a single page app (SPA), and therefore has a fixed, limited lifet... | 17 | Office365 Shell WCSS-Client, Security Copilot Portal, Microsoft Docs | CA, US |
| 50074 | Strong Authentication is required. | 16 | Azure Portal, Visual Studio Code, Microsoft Sentinel CLI | CA, US |

📋 Recent Azure AD Audit Log Activity

| Category | Count | Result | Operations |
| --- | --- | --- | --- |
| ApplicationManagement | 38 | success | 🔐 Add delegated permission grant, 🔐 Remove delegated permission grant, 🔐 Consent to application, Add service principal, Update service principal, Update application, 🔐 Create application – Certificates and secrets management, Add application, 🔐 Add app role assignment to service principal, 🔐 Remove app role assignment from service principal |
| GroupManagement | 30 | success | Features_GetFeaturesAsync, Settings_GetSettingsAsync, Group_GetDynamicGroupProperties, GroupsODataV4_Get, Add group, Add member to group |
| ApplicationManagement | 11 | failure | Add application |
| Authentication | 11 | success | Validate user authentication |
| Policy | 9 | success | 🔐 Update policy, 🔐 Update conditional access policy |

💡 Recommendations

Critical (Immediate)

  • 1. Investigate DLP events: 5 sensitive file operations detected (network share + chatgpt.com upload)

High Priority (24 hours)

  • 2. Review geographic anomalies: Verify VPN usage for BR, HK, IE sign-ins
  • 3. Address device compliance: Fix non-compliant devices (277 failures)
  • 4. Investigate risky sign-ins: 2 at-risk sign-ins from 1 IP

Monitoring (14 days)

  • Monitor for additional DLP events
  • Track VPN/proxy usage patterns
  • Monitor threat intelligence feeds for new indicators
  • Watch for sign-ins during unusual hours

📅 Investigation Timeline

2025-12-03
  • 08:00 PST 🚨 Sign-in Anomaly (NewInteractiveIP): 198.51.100.20 from Vancouver, CA [ANOMALY]
  • 06:59 PST 🛡️ Security Incident: Privileged User Logon from new ASN involving one user (Status: Closed | Severity: Low)

2025-12-02
  • 14:00 PST 🚨 Sign-in Anomaly (NewInteractiveIP): 198.51.100.60 from Santa Clara, US [ANOMALY]
  • 09:00 PST 🚨 Sign-in Anomaly (NewNonInteractiveIP): 203.0.113.60 from San Jose, US [ANOMALY]
  • 09:00 PST 🚨 Sign-in Anomaly (NewInteractiveIP): 203.0.113.60 from San Jose, US [ANOMALY]

2025-11-29
  • 08:34 PST 🛡️ Security Incident: RDP Nesting (Status: Closed | Severity: High)
  • 08:01 PST 🛡️ Security Incident: Rare RDP Connections (Status: Closed | Severity: High)
  • 06:59 PST 🛡️ Security Incident: Privileged User Logon from new ASN involving one user (Status: Closed | Severity: High)

2025-11-28
  • 17:03 PST 🛡️ Security Incident: Defense evasion incident on one endpoint (Status: Closed | Severity: High)
  • 12:09 PST 🛡️ Security Incident: Authentications of Privileged Accounts Outside of Expected Controls involving one user (Status: Closed | Severity: Medium)

2025-11-26
  • 12:59 PST 🛡️ Security Incident: File containing PII / PCI / PHI detected in the cloud (built-in DLP engine) involving one user (Status: Closed | Severity: Medium)
  • 10:21 PST 🛡️ Security Incident: DLP policy (Endpoint DLP) matched for document (sample-data.pdf) in a device (Status: Closed | Severity: Medium)
  • 10:19 PST 📁 DLP Events (4 files): FileCopiedToNetworkShare - 1-MB-Test-2.docx PRIMARY, 1-MB-Test-2.docx PRIMARY, sample-data.csv PRIMARY... | Device IP: 198.51.100.10
  • 10:03 PST 📁 DLP Event: FileUploadedToCloud - 1-MB-Test.docx PRIMARY | Device IP: 198.51.100.10

2025-11-25
  • 17:00 PST 🚨 Sign-in Anomaly (NewNonInteractiveIP): 146.70.130.174 from Dublin, IE [⚠️ RISKY] [ANOMALY]
  • 17:00 PST 🚨 Sign-in Anomaly (NewInteractiveIP): 146.70.130.174 from Dublin, IE [⚠️ RISKY] [ANOMALY]
  • 16:27 PST ⚠️ Identity Protection (anonymizedIPAddress): Dublin, IE (146.70.130.174) - remediated [⚠️ RISKY] [ANOMALY]
  • 16:27 PST ⚠️ Identity Protection (anonymizedIPAddress): Dublin, IE (146.70.130.174) - remediated [⚠️ RISKY] [ANOMALY]
  • 12:10 PST 🛡️ Security Incident: Authentications of Privileged Accounts Outside of Expected Controls involving one user (Status: Closed | Severity: Medium)

2025-11-24
  • 23:24 PST ⚠️ Identity Protection (anomalousToken): Shek Kip Mei, HK (146.70.9.214) - atRisk [🚨 THREAT] [⚠️ RISKY] [ANOMALY]
  • 14:00 PST 🚨 Sign-in Anomaly (NewInteractiveIP): 146.70.9.214 from Shek Kip Mei, HK [🚨 THREAT] [⚠️ RISKY] [ANOMALY]
  • 14:00 PST 🚨 Sign-in Anomaly (NewNonInteractiveIP): 146.70.9.214 from Shek Kip Mei, HK [🚨 THREAT] [⚠️ RISKY] [ANOMALY]
  • 13:20 PST ⚠️ Identity Protection (anonymizedIPAddress): Shek Kip Mei, HK (146.70.9.214) - remediated [🚨 THREAT] [⚠️ RISKY] [ANOMALY]
  • 13:20 PST ⚠️ Identity Protection (anonymizedIPAddress): Shek Kip Mei, HK (146.70.9.214) - remediated [🚨 THREAT] [⚠️ RISKY] [ANOMALY]

2025-11-23
  • 08:30 PST 🚨 Sign-in Anomaly (NewNonInteractiveIP): 198.51.100.40 from Vancouver, CA [ANOMALY]
  • 08:30 PST 🚨 Sign-in Anomaly (NewNonInteractiveIP): 193.19.205.125 from Sao Paulo, BR [ANOMALY]

2025-11-22
  • 11:21 PST 🛡️ Security Incident: Device Code Authentication Flow Detected involving one user (Status: Closed | Severity: High)

2025-11-18
  • 15:00 PST 🔐 Risky Sign-in (Azure Portal): Vancouver, CA (149.22.81.146) - atRisk [⚠️ RISKY]
  • 15:00 PST 🔐 Risky Sign-in (Azure Portal): Vancouver, CA (149.22.81.146) - atRisk [⚠️ RISKY]