ContainmentCountdown
Seeded Splunk-compatible telemetry
Dossier DEMO-001 CONTAINED
VERIFIED

ava.kline@northstar.example

Final state: CONTAINED in replay mode. Verification uses deterministic Splunk-compatible replay.

Evidence chain
  • impossible_travel_detected · 10:04:12 · +18 confidence
  • mfa_fatigue_pattern · 10:04:27 · +12 confidence
  • privileged_app_touch · 10:04:49 · +16 confidence
  • sensitive_export_started · 10:05:06 · +14 confidence
  • admin_policy_changed · 10:05:23 · +11 confidence
Threshold policy
Threshold: 80%
Final confidence: 98%
Crossing event: privileged_app_touch
Approval record
Approver: demo operator
Decision: approved
Policy: Confidence 98% crossed threshold 80%
Execution log
  1. Action queued by approval record.
  2. Deterministic containment endpoint accepted entity id.
  3. Identity state changed from ACTIVE to CONTAINED.
Replay verification result
PASSED
index=identity user=ava.kline action=containment | stats latest(status) as status by user
Verified against deterministic Splunk-compatible replay, not a live Splunk index.
status=CONTAINED verified_by=spl_replay
Export artifact
Ready for export

This proof artifact contains the evidence chain, SPL transcript, approval record, execution log, and replay verification result.
