
OBSERVA

Incident Journal

Unexpected 2FA prompts for finance account

Potential account compromise indicator. Requires verification through identity provider and finance workflow review.

Severity: high
Status: triage
Opened: 6/20/2024, 9:24:00 AM

DNS resolver anomaly on remote endpoint

Endpoint resolver differed from managed baseline; no compromise claim made.

Severity: medium
Status: contained
Opened: 6/19/2024, 3:10:00 PM

Timeline Builder

6/20/2024, 9:24:00 AM / account / evidence high
User reported push prompt they did not initiate.
Incident: Unexpected 2FA prompts for finance account

6/20/2024, 9:31:00 AM / screenshot / evidence medium
Screenshot captured and attached to case notes.
Incident: Unexpected 2FA prompts for finance account

6/20/2024, 9:48:00 AM / log / evidence medium
Sign-in logs requested from identity owner.
Incident: Unexpected 2FA prompts for finance account

6/19/2024, 3:10:00 PM / network / evidence high
Resolver screenshot captured before remediation.
Incident: DNS resolver anomaly on remote endpoint

6/19/2024, 3:36:00 PM / device / evidence medium
VPN and proxy profile inventory completed.
Incident: DNS resolver anomaly on remote endpoint

Evidence Checklist

Account Compromise Checklist

Suspicious Login Checklist

Phishing Event Checklist

Device Anomaly Checklist

Recommended Escalation

Escalate to forensic review when privileged accounts, high-risk users, unknown device management, financial workflows, or spyware concerns are involved. Preserve evidence before remediation whenever it is safe to do so.