AI assistant · glass-box
Copilot
Conversational investigation across alerts, entities, and historical incidents. Every step visible, every tool queried, every conclusion cited.
Is INC-2026-0418 a real intrusion?
Walk me through your reasoning on INC-2026-0418 and show every tool you queried.
investigation plan · 5 steps
- [1] Decode the PowerShell payload and classify the loader family.
- [2] Check the upstream email for phishing indicators.
- [3] Score the C2 IP across all configured threat-intel sources.
- [4] Profile svc_backup's authentication baseline.
- [5] Search the lake for staging or exfil from WIN-FIN-0142.
tool calls · 14 · runtime 9.2s
- sentinel.search · SecurityEvent | where Host == 'WIN-FIN-0142' | take 200 · 112 rows · ok
- crowdstrike.process_tree · host=WIN-FIN-0142 since=15m · 1 tree · ok
- virustotal.file_lookup · sha256: a3f9…c21e · 12/89 malicious · ok
- greynoise.ip · 185.220.101.42 · malicious · tor · ok
- abuseipdb.report · 185.220.101.42 · conf 96 · 412 reports · ok
- proofpoint.email_search · to=m.kowalski@corp.io since=4h · 1 match · ok
- okta.user_auth_log · user=svc_backup window=90d · 0 RDP · ok
- sentinel.search · lateral movement DC-EU-01 · 3 rows · ok
- sentinel.search · S3 GetObject volume baseline · deferred · skipped
verdict
True positive · confidence 0.94. The Outlook → cmd → encoded PowerShell chain [2] decodes to a Cobalt Strike beacon [1], beaconing to a Tor exit IP confirmed malicious by 2 independent sources [3]. svc_backup's RDP to DC-EU-01 is a 90-day first [4]. No exfil observed yet [5]; contain now.
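The two checks behind plan steps [3] and [4] above, written out as an added example (not the product's own code): a first-seen baseline over a user's authentication history, and a threat-intel score that only calls an indicator confirmed when at least two distinct sources agree. The auth events, the feed results and the hostnames in it are constructed to mirror the investigation card, not real telemetry, and the function names are this example's own.

```python
"""Added example, not the vendor's code: the checks behind plan steps [3]
(score a C2 IP across threat-intel sources) and [4] (profile a user's
authentication baseline), run offline over constructed records so every
conclusion carries the evidence it rests on."""
from datetime import datetime, timedelta

# Constructed auth events: (UTC timestamp, user, protocol, source host, target host).
# Hypothetical data shaped like a SIEM/IdP export; not real telemetry.
AUTH_EVENTS = [
    ("2026-01-20T02:10:00", "svc_backup", "smb", "WIN-BKP-01", "FS-EU-02"),
    ("2026-02-14T02:10:00", "svc_backup", "smb", "WIN-BKP-01", "FS-EU-02"),
    ("2026-03-30T02:12:00", "svc_backup", "smb", "WIN-BKP-01", "FS-EU-03"),
    ("2026-04-02T09:05:00", "m.kowalski", "rdp", "WIN-FIN-0142", "APP-EU-07"),
    ("2026-04-18T03:41:00", "svc_backup", "rdp", "WIN-FIN-0142", "DC-EU-01"),
]

# Constructed threat-intel lookups for one IP: (source, verdict, detail).
# An "unknown" answer is neither a hit nor a clean bill; it is simply not counted.
TI_RESULTS = [
    ("greynoise.ip", "malicious", "tor"),
    ("abuseipdb.report", "malicious", "conf 96 / 412 reports"),
    ("internal.allowlist", "unknown", "no entry"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def auth_baseline(events, user, proto, target, at, window_days=90):
    """Count how often `user` reached `target` over `proto` in the window
    ending at `at`, excluding the event at `at` itself. A count of zero
    means the observed event is a first within the baseline window."""
    at = parse_ts(at)
    start = at - timedelta(days=window_days)
    prior = [e for e in events
             if e[1] == user and e[2] == proto and e[4] == target
             and start <= parse_ts(e[0]) < at]
    return {
        "user": user, "proto": proto, "target": target,
        "window_days": window_days, "prior_count": len(prior),
        "first_in_window": len(prior) == 0,
        "evidence": [e[0] for e in prior],   # timestamps the count rests on
    }


def score_ip(results, min_independent=2):
    """Confirm an indicator only when at least `min_independent` distinct
    sources call it malicious; a single feed is a lead, not a conviction."""
    hits = {src: detail for src, verdict, detail in results if verdict == "malicious"}
    return {
        "malicious_sources": sorted(hits),
        "confirmed": len(hits) >= min_independent,
        "evidence": hits,
    }


def cite(step, finding):
    """Render a finding as a one-line claim carrying its plan-step citation."""
    if "first_in_window" in finding:
        what = ("first in %d days" % finding["window_days"]
                if finding["first_in_window"]
                else "%d prior in %d days" % (finding["prior_count"], finding["window_days"]))
        return "%s %s -> %s: %s [%d]" % (
            finding["user"], finding["proto"].upper(), finding["target"], what, step)
    status = "confirmed" if finding["confirmed"] else "unconfirmed"
    return "IP %s malicious by %d source(s): %s [%d]" % (
        status, len(finding["malicious_sources"]),
        ", ".join(finding["malicious_sources"]), step)


if __name__ == "__main__":
    rdp = auth_baseline(AUTH_EVENTS, "svc_backup", "rdp", "DC-EU-01", "2026-04-18T03:41:00")
    print(cite(4, rdp))
    print(cite(3, score_ip(TI_RESULTS)))
```

The baseline deliberately excludes the triggering event from its own window and keeps the matching timestamps, so a reviewer can see which prior logons produced a "not a first" result. Lowering `window_days` narrows the baseline and can turn a routine logon into a first, which is why the window is part of the cited finding.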