ContainmentCountdown
Seeded Splunk-compatible telemetry
Risk identity
ACTIVE

ava.kline@northstar.example

Privileged Finance Admin

Entity
risk-identity-ava-kline
Replay seed
splunk-identity-replay-060
Risk band
Threshold crossed
Containment command
THRESHOLD
84% confidence
Evidence confidence
84%

Threshold 80% crossed

ready
Evidence ticker
Seeded SPL-compatible replay
  • impossible_travel_detected
    +18

    Two successful sessions resolve to locations 4,810 miles apart inside 11 minutes.

    index=identity sourcetype=okta:events
  • mfa_fatigue_pattern
    +12

    Seven push attempts land before one accepted challenge from a new device.

    index=identity sourcetype=duo:auth
  • privileged_app_touch
    +16

    Identity opens payment approval workflow outside normal access window.

    index=finance sourcetype=app:audit

    This event changed the outcome
SPL transcript preview
index=finance sourcetype=app:audit user=ava.kline app=payments action=open | stats count by action
Signal
3 events
Context
confidence 84%
Decision
approval ready
Action
queued
Proof
pending