Suspicious activity on SRV-DC-01 — need urgent review
TKT-0001
Urgent
Open
Incident Response
- Created By
- l.johnson
- Created
- 2026-06-21 13:57
- Last Updated
- 2026-06-23 06:47
- Assigned Analyst
- Emma Richardson
- Category
- Incident Response
- Messages
- 9
Conversation
l.johnson
Customer
2026-06-21 13:57
We've noticed some concerning activity and would like the SOC team to investigate urgently.
Subject: Suspicious activity on SRV-DC-01 — need urgent review
Please provide an initial assessment as soon as possible. Our IT team is standing by to assist with any containment actions needed.
Subject: Suspicious activity on SRV-DC-01 — need urgent review
Please provide an initial assessment as soon as possible. Our IT team is standing by to assist with any containment actions needed.
Emma Richardson
SOC Analyst
2026-06-21 14:31
I've updated the DLP policy as requested. The HR shared drive is now excluded from the external transfer monitoring rule, but internal audit logging remains active.
l.johnson
Customer
2026-06-21 18:30
We've applied the patch on our end. Can you run a verification scan?
Emma Richardson
SOC Analyst
2026-06-21 21:15
Good news — our analysis confirms this is a true positive. We've implemented the containment measures and will send a full incident summary within 24 hours.
l.johnson
Customer
2026-06-21 23:42
Thanks. Could you also check if any other accounts were affected?
Emma Richardson
SOC Analyst
2026-06-22 02:16
The alert you referenced (ALR-00023) was generated by our DecoyPulse honeypot system. This has zero false positive rate — the activity is genuine and warrants investigation.
l.johnson
Customer
2026-06-22 03:53
That's reassuring. Can we schedule a call to discuss the remediation steps?
Emma Richardson
SOC Analyst
2026-06-22 06:14
I've checked with our threat intelligence team. The dark web finding is from a third-party breach, not a direct compromise. We recommend enforcing a password reset for the affected account.
l.johnson
Customer
2026-06-22 09:46
We've applied the patch on our end. Can you run a verification scan?