ContainmentCountdown
Open missionRun the containment countdownReview decisionInspect SPL transcript and approval policyOpen dossierVerify the proof artifact
Seeded Splunk-compatible telemetry
Decision chamber

Threshold crossed. Human approval required.

Evidence changed the outcome; containment stays gated until an operator records the decision.

Approval record
Identity
ava.kline@northstar.example
Policy
Confidence 98% crossed threshold 80%
Status
Approval enabled
SPL transcript
index=identity sourcetype=okta:events user=ava.kline action=success | stats values(src_ip) by userindex=identity sourcetype=duo:auth user=ava.kline result IN (denied,success) | transaction user maxspan=10mindex=finance sourcetype=app:audit user=ava.kline app=payments action=open | stats count by actionindex=dlp sourcetype=gateway:events user=ava.kline filetype=zip dest_category=unknown | table _time dest bytes
Dossier preview
DEMO-001Signal, context, decision, action, and proof are ready for export.
Threshold crossed eventApproval-ready transcriptOpen the proof dossier