Interactive Demo — Simulated data only.
SOC365 Dashboard
Acme Legal Services Ltd

Shadow IT Discovery

Medium Resolved
ALR-00368 · 2026-04-06T21:36:53Z

Description

Attack Surface Scanner discovered unauthorised SaaS application (file sharing) used by 'a.wilson'. 14GB of company data synced to unapproved cloud storage.

Alert Metadata

Alert ID: ALR-00368
Timestamp: 2026-04-06T21:36:53Z
Severity: Medium
Status: Resolved
Detection Source: Attack Surface Scanner
Assigned Analyst: Marcus Webb

Endpoint Information

Hostname: SRV-WEB-01
User Account: a.wilson
Source IP: 45.155.148.228
Destination IP: 10.0.37.109
Origin Country: Netherlands (NL)

MITRE ATT&CK Mapping

Tactic: Exfiltration
Technique: T1567
Reference: attack.mitre.org/techniques/T1567

Investigation Timeline

21:36:53 Event ingested by SOC365 Engine
21:36:58 EmilyAI triage started — correlation enrichment
21:37:07 EmilyAI confidence: 86% — escalated to human analyst
21:37:09 Alert assigned to analyst: Marcus Webb
21:39:00 Investigation started — querying SIEM and threat intelligence
21:41:58 Containment action taken — endpoint isolated
21:48:28 Alert resolved — remediation complete

Related Alerts

ID | Time | Alert | Severity | Status | Host
ALR-00307 | 53m ago | Lateral Movement Detected | Medium | Escalated | SRV-WEB-01
ALR-00305 | 1h ago | Unauthorised USB Device | Low | Escalated | SRV-WEB-01
ALR-00465 | 8h ago | Shadow IT Discovery | Medium | Escalated | SRV-SQL-01
ALR-00078 | 11h ago | Failed MFA Challenge | Low | Resolved | SRV-WEB-01
ALR-00106 | 12h ago | Pass-the-Hash Detected | High | Open | SRV-WEB-01