AI assistant · glass-box

Copilot

Conversational investigation across alerts, entities, and historical incidents. Every step visible, every tool queried, every conclusion cited.

Is INC-2026-0418 a real intrusion?

Claude 4.5 Sonnet · 14 tools
Walk me through your reasoning on INC-2026-0418 and show every tool you queried.
investigation plan · 5 steps
  1. [1] Decode the PowerShell payload and classify the loader family.
  2. [2] Check the upstream email for phishing indicators.
  3. [3] Score the C2 IP across all configured threat-intel sources.
  4. [4] Profile svc_backup's authentication baseline.
  5. [5] Search the lake for staging or exfil from WIN-FIN-0142.
tool calls · 14runtime 9.2s
  • sentinel.searchSecurityEvent | where Host == 'WIN-FIN-0142' | take 200112 rowsok
  • crowdstrike.process_treehost=WIN-FIN-0142 since=15m1 treeok
  • virustotal.file_lookupsha256: a3f9…c21e12/89 maliciousok
  • greynoise.ip185.220.101.42malicious · torok
  • abuseipdb.report185.220.101.42conf 96 · 412 reportsok
  • proofpoint.email_searchto=m.kowalski@corp.io since=4h1 matchok
  • okta.user_auth_loguser=svc_backup window=90d0 RDPok
  • sentinel.searchlateral movement DC-EU-013 rowsok
  • sentinel.searchS3 GetObject volume baselinedeferredskipped
verdict

True positive · confidence 0.94. The Outlook → cmd → encoded PowerShell chain [1] decodes to a Cobalt Strike beacon [2], beaconing to a Tor exit IP confirmed malicious by 2 independent sources [3]. svc_backup's RDP to DC-EU-01 is a 90-day first [4]. No exfil yet [5] — contain now.