Step 3 · Agentic triage

Agentic Triage

The assistant assembles a provisional picture — what we know, what we are assuming, and what is still unknown — then names the affected identities, assets, services, and the evidence that must survive containment.

AI assessment

Deterministic mock · no API key

Generating assessment…

Correlating signals across identity, endpoint and mailbox telemetry.

Recommended tier

Targeted Containment (Option B)

—

Watch items

Resolve: Whether the payment gateway has actually been accessed or only is reachable.
Resolve: Whether lateral movement to FIN-FS-01 resulted in data staging or exfiltration.
Resolve: Whether the batch service account (svc-finbatch) has been reused.
Preserve 4 volatile evidence items before any containment action.

Known facts

Anomalous, encoded PowerShell executed on FIN-EP-204 under P. Martin's session.
Identity provider shows failed logins from an unusual geography, then one success.
A new mailbox rule auto-forwards payment-related threads to an external address.
An SMB session opened from FIN-EP-204 to the shared finance file server (FIN-FS-01).
P. Martin holds privileged access to payroll and payment-initiation systems.

Assumptions

The PowerShell activity is attacker-driven rather than sanctioned admin tooling.
The forwarding rule was created by the threat actor, not the user.
Credentials for P. Martin should be treated as compromised until proven otherwise.

Unknowns

Whether the payment gateway has actually been accessed or only is reachable.
Whether lateral movement to FIN-FS-01 resulted in data staging or exfiltration.
Whether the batch service account (svc-finbatch) has been reused.
The full scope of mailbox data already forwarded externally.

Affected identities

P. MartinSenior Payroll Administrator

Suspicious PowerShell spawned under this session; failed logins from new geo.

Payroll writePayment initiationFinance file server

Critical

svc-finbatchFinance batch service accountNo MFA

Non-interactive account; potential target for privilege reuse.

Scheduled payroll jobsFile server read/write

High

J. LoweFinance Manager (delegate)

Delegate on the affected mailbox; forwarding rule references this inbox.

Payment approvalMailbox delegate access

Medium

Affected assets

FIN-EP-204endpoint

Origin of anomalous PowerShell; encoded command + outbound beacon attempt.

Critical

FIN-FS-01server

Shared finance file server; SMB session from FIN-EP-204 in last 20 min.

High

M365 Mailbox (P. Martin)saas

New inbox rule auto-forwarding payment threads to external address.

High

Identity Provideridentity-provider

Failed logins from unusual geography, then one success for P. Martin.

High

Payment Gatewaysaas

No confirmed access yet; reachable from the compromised identity.

Critical

Affected business services

Payroll Processing

Owner: Head of Payroll

Run completes by 18:00; salaries settle next business day

Critical

Outbound Payments

Owner: Treasury

Same-day payment cutoff 15:00

High

Finance Reporting

Owner: Controller

Month-end close in progress

Medium

Evidence to preserve before containment

Sequencing matters — capture volatile evidence first

Volatile memory capture — FIN-EP-204EndpointPreserve first

Capture before isolation/power actions; holds in-memory payload + injected handles.

High volatility

PowerShell + Script Block logsEndpoint / SIEMPreserve first

Decoded command line and module-load history; export before any reimage.

Medium volatility

Mailbox audit + forwarding rule historyM365Preserve first

Snapshot rules and audit log before disabling the rule, to retain attribution.

Medium volatility

Identity sign-in + risk detectionsIdentity Provider

Retained centrally; export at convenience for the timeline.

Low volatility

File server SMB session + access logsFIN-FS-01Preserve first

Confirms or refutes lateral movement; preserve before session teardown.

Medium volatility