Demo data mode: synthetic Catcher cases and notification events are being displayed.
Case Detail
INC-20260511-0008
Invoice INV-44821 for April services
Triage
- Verdict
- benign
- Severity
- low
- Risk
- 8.5%
- Confidence
- high
- Action
- close_as_benign
- Status
- analysis_completed
- SPF/DKIM/DMARC passed
- Known vendor domain
- No suspicious URLs
AI Summary
The message appears consistent with a legitimate invoice flow. Authentication passed and no suspicious URLs were extracted.
- Advisory
- yes
- Status
- ok
- Classification
- benign
- Model
- demo-llm
- Generated
- 2026-05-11T12:18:42Z
- Action
- close_as_benign
- Known vendor pattern
- SPF/DKIM/DMARC passed
- No suspicious URLs
Manual Triage Summary
Closed as benign after vendor/domain validation and invoice number confirmation with Finance.
- Disposition
- benign_confirmed
- Updated by
- soc-analyst@example.test
- Updated
- 2026-05-11T12:19:10Z
- Created
- 2026-05-11T12:19:00Z
- Vendor domain is allowlisted
- Invoice number matches expected Finance workflow
Action Broker
Governed action state shown for analyst review before mutation approval.
- Action path
- securityfabric.action-broker -> catcher.case/close
- Approval tier
- auto_approved
- Execution mode
- mutation
- Dispatch status
- completed
- Blocked reason
- -
- Result
- case_closed
Dry-run vs mutation mode is controlled by mutation and policy approval tier.
Closure evidence: closure_event_id: CLS-20260511-0008, notification_event_id: 102
Callback request/action IDs: tenant-dev/CORR-INC-20260511-0008/ABR-20260511-0008
Callback publish/ingest: published / ingested
Message
- From
- Contoso Billing <billing@contoso.example>
- Sender domain
- contoso.example
- Reporter
- maria.sales@example.test
- Reply-To
- billing@contoso.example
- Return-Path
- billing-bounces@contoso.example
- Message ID
- <m365-report-0008@example.test>
Signals
- SPF
- pass
- DKIM
- pass
- DMARC
- pass
- Clickable URLs
- 0
- Shorteners
- 0
- Attachments
- 1
- Attachment reputation
- clean
- Stego reviews
- 0
- QR decoded
- 0
- Containers
- 0
- Lure theme
- invoice_or_payment
- Platforms
- -
- Objectives
- -
- URL enrichment
- off
- Domain enrichment
- off
- Redirects
- 0
- Final mismatch
- 0
- Browser forms
- 0/0
- Threat intel
- off
- Intel matches
- -
URL Enrichment
- Status
- off
- Attempted
- 0
- Redirected
- 0
- Max hops
- 0
- Shorteners expanded
- 0
- Blocked/errors
- 0/0
No URL trace items are available.
Evidence gaps: url_enrichment_off, domain_enrichment_off, threat_intel_off
Browser Metadata
- Items
- 0
- Password / OTP
- 0/0
- CAPTCHA/checks
- 0
- Brand mismatch
- 0
- Browser final mismatch
- 0
- Blocked/errors
- 0/0
No browser metadata items are available.
Domain Infrastructure
- Status
- off
- Domains
- 0
- DNS / TLS
- 0/0
- New domains
- 0
- Recent certs
- 0
- Blocked/errors
- 0/0
No domain infrastructure items are available.
Attachment Coverage
- QR URLs
- none
- PDF QR URLs
- none
- PDF QR scan
- available or not needed
- OCR login page
- not detected
- Disk image / LNK
- 0
- Unsupported containers
- 0
Threat Intel
- Status
- off
- Matches
- -
- Malicious
- -
- Suspicious
- -
- Sources
- -
No SecurityFabric threat-intel hits are attached to this case.
Pipeline
- Tenant
- tenant-dev
- Evidence ID
- EVID-20260511-0008
- Queue job
- 43
- Run ID
- 20260511_121001_0000_EVID-20260511-0008
- Closed by
- soc-analyst@example.test
- Close reason
- Legitimate vendor invoice from allowlisted sender.
- Closure note
- Legitimate vendor invoice from allowlisted sender.
Artifacts
- report_ui_json
- runs/tenant-dev/20260511_121001_0000_EVID-20260511-0008/artifacts/report_ui.json
- evidence_json
- runs/tenant-dev/20260511_121001_0000_EVID-20260511-0008/artifacts/evidence.json
Comments
No analyst comments yet.
Notifications
- incident_closed2026-05-11T12:19:31Z
delivered to maria.sales@example.test (202)