Catcher

Overview

Demo data mode: synthetic Catcher cases and notification events are being displayed.

Case Detail

INC-20260511-0008

Invoice INV-44821 for April services

Triage

Verdict
benign
Severity
low
Risk
8.5%
Confidence
high
Action
close_as_benign
Status
analysis_completed
  • SPF/DKIM/DMARC passed
  • Known vendor domain
  • No suspicious URLs

AI Summary

The message appears consistent with a legitimate invoice flow. Authentication passed and no suspicious URLs were extracted.

Advisory
yes
Status
ok
Classification
benign
Model
demo-llm
Generated
2026-05-11T12:18:42Z
Action
close_as_benign
  • Known vendor pattern
  • SPF/DKIM/DMARC passed
  • No suspicious URLs

Manual Triage Summary

Closed as benign after vendor/domain validation and invoice number confirmation with Finance.

Disposition
benign_confirmed
Updated by
soc-analyst@example.test
Updated
2026-05-11T12:19:10Z
Created
2026-05-11T12:19:00Z
  • Vendor domain is allowlisted
  • Invoice number matches expected Finance workflow

Action Broker

Governed action state shown for analyst review before mutation approval.

Action path
securityfabric.action-broker -> catcher.case/close
Approval tier
auto_approved
Execution mode
mutation
Dispatch status
completed
Blocked reason
-
Result
case_closed

Dry-run vs mutation mode is controlled by mutation and policy approval tier.

Closure evidence: closure_event_id: CLS-20260511-0008, notification_event_id: 102

Callback request/action IDs: tenant-dev/CORR-INC-20260511-0008/ABR-20260511-0008

Callback publish/ingest: published / ingested

Message

From
Contoso Billing <billing@contoso.example>
Sender domain
contoso.example
Reporter
maria.sales@example.test
Reply-To
billing@contoso.example
Return-Path
billing-bounces@contoso.example
Message ID
<m365-report-0008@example.test>

Signals

SPF
pass
DKIM
pass
DMARC
pass
Clickable URLs
0
Shorteners
0
Attachments
1
Attachment reputation
clean
Stego reviews
0
QR decoded
0
Containers
0
Lure theme
invoice_or_payment
Platforms
-
Objectives
-
URL enrichment
off
Domain enrichment
off
Redirects
0
Final mismatch
0
Browser forms
0/0
Threat intel
off
Intel matches
-

URL Enrichment

Status
off
Attempted
0
Redirected
0
Max hops
0
Shorteners expanded
0
Blocked/errors
0/0

No URL trace items are available.

Evidence gaps: url_enrichment_off, domain_enrichment_off, threat_intel_off

Browser Metadata

Items
0
Password / OTP
0/0
CAPTCHA/checks
0
Brand mismatch
0
Browser final mismatch
0
Blocked/errors
0/0

No browser metadata items are available.

Domain Infrastructure

Status
off
Domains
0
DNS / TLS
0/0
New domains
0
Recent certs
0
Blocked/errors
0/0

No domain infrastructure items are available.

Attachment Coverage

QR URLs
none
PDF QR URLs
none
PDF QR scan
available or not needed
OCR login page
not detected
Disk image / LNK
0
Unsupported containers
0

Threat Intel

Status
off
Matches
-
Malicious
-
Suspicious
-
Sources
-

No SecurityFabric threat-intel hits are attached to this case.

Pipeline

Tenant
tenant-dev
Evidence ID
EVID-20260511-0008
Queue job
43
Run ID
20260511_121001_0000_EVID-20260511-0008
Closed by
soc-analyst@example.test
Close reason
Legitimate vendor invoice from allowlisted sender.
Closure note
Legitimate vendor invoice from allowlisted sender.

Artifacts

report_ui_json
runs/tenant-dev/20260511_121001_0000_EVID-20260511-0008/artifacts/report_ui.json
evidence_json
runs/tenant-dev/20260511_121001_0000_EVID-20260511-0008/artifacts/evidence.json

Comments

No analyst comments yet.

    Notifications

    1. incident_closed2026-05-11T12:19:31Z

      delivered to maria.sales@example.test (202)

    Edit Manual Summary

    Add Comment

    Close Case