Fluency MSSP · Case Investigation · Acme Corp (acme)
john.smith@acme.example · Risk 11,600 (>8000 band)
Cluster username_john.smith@acme.example_20260529 · 29 May 2026, 16:34–22:28 UTC (~6h) · status NEW · incident: true · 4 behavior rules / 11 cluster hits
Risk score: 11,600 (>8000 band) · Behavior rules fired: 4 · Underlying events: 767 · SSN DLP matches: 2 · Activity window: ~6h
Executive summary
User john.smith triggered an Exchange DLP policy for US SSN content for the first time in 30 days (ML_NEW_USER) while moving a large volume of files through SharePoint/OneDrive — 207 uploads, 205 downloads, full OneDrive syncs — which also raised a bandwidth anomaly. Eighty-two mailbox accesses and a single SharePoint site-collection admin grant occurred in the same window. Sign-ins came over consumer ISPs (T-Mobile, Comcast) from two US cities. The behavioural shape is consistent with data staging/egress, but it is equally consistent with ordinary OneDrive sync by a remote employee. Net read: lean benign, but not closeable until external-sharing, the admin grant, and the two-geo login are checked.
Fluency AI Assistant — findings already on the case
The case arrived with an AI triage comment (validation: true, actionable: true). It assessed a first-time SSN DLP trigger with multiple SharePoint/OneDrive uploads and accesses, and flagged three anomalies: first-seen SSN DLP for this user in 30 days, multiple file uploads, multiple file accesses. It found no contradiction between the alert and the events but noted that missing IP/location context limits investigation; no mitigation was applied. It left five open questions — user intent, whether the activity fits the user's job, any external exposure, DLP follow-up/education, and possible account compromise. The analysis below extends that AI triage with the full record composition, an ATT&CK mapping, the detection gaps, and the quantified two-sided verdict it did not provide.
MITRE ATT&CK mapping (inferred from signatures & activity)
Tactic chain: TA0043 Reconnaissance — · TA0001 Initial Access T1078.004 · TA0004 Privilege Escalation T1098.003 · TA0009 Collection T1530 · T1114 · T1213 · TA0010 Exfiltration T1567.002 · TA0040 Impact —

Tactic | Technique | Driver (signal / activity) | Basis
Initial Access | T1078.004 Cloud Accounts | O365_AzureAD_UserLoggedIn over T-Mobile + Comcast, 2 cities, Chrome/Win10 | signature + activity
Priv. Escalation | T1098.003 Additional Cloud Roles | SiteCollectionAdminAdded (1), a SharePoint site-collection admin grant in-window | activity
Collection | T1530 Data from Cloud Storage · T1114 Email Collection · T1213 Data from Information Repositories | 205 downloads + full OneDrive syncs, 82 MailItemsAccessed, repeated SharePoint FileAccessed | signature + activity
Exfiltration | T1567.002 Exfiltration to Cloud Storage | 207 uploads to OneDrive/SharePoint with a bandwidth anomaly | signature + activity

Note: the Exchange DLP hit carried no IP / city / country (__undefined), so no sign-in context attaches to the DLP event itself.
What we did alert on

Behavior rule | Sub-score | Risk flags | What it caught
O365_DLP_Policy_SSN | 4,400 | ALERT_POLICY, ML_NEW_USER | Exchange DLP match on possible US SSN; first-seen for this user in 30 days
O365_SharePoint_OneDrive_FileUploaded_Multiple | 1,000 | ALERT_POLICY, BANDWIDTH_ANOMALY | Burst of uploads to OneDrive/SharePoint (207 in-window)
O365_SharePoint_FileAccessed_Multiple | 200 | FILE_DOWNLOAD, ALERT_POLICY | Repeated file access/download over ~5.5h (205 downloads)
O365_AzureAD_UserLoggedIn | 0 | — | Sign-in context only (ISP / city / device); contributes no score
What we could have alerted on (detection gaps)
SharePoint admin grant — SiteCollectionAdminAdded fired in-window but isn't its own detection. An admin grant during a DLP/bulk-move event is a priority escalation signal.
External / anonymous sharing — no rule checks AnonymousLinkCreated / external-recipient. Its absence is the strongest benign signal; surfacing it either way would resolve exfil concern fast.
Bulk-download / byte-volume threshold — 205 downloads + full syncs only rolled into the generic FileAccessed rule; the bandwidth anomaly fired but no MB figure is surfaced.
Mail forwarding / external send on the DLP hit — 82 MailItemsAccessed beside an Exchange SSN match; no rule correlated whether SSN data was emailed out.
Risky sign-in / impossible travel — Metro A (TX) ↔ Metro B (MD) in one 6h window; an Azure AD impossible-travel correlation would separate compromise from a dual-homed mobile worker.
DLP IP/geo enrichment — the DLP event's IP/city/country were __undefined; the Fluency AI triage flagged this exact blind spot.
Verdict — issue vs. benign
True positive ~35% · Benign / false positive ~65%
Likely a real issue
~35%
SSN DLP genuinely fired — sensitive data is confirmed present, not hypothetical.
First-seen behavior (ML_NEW_USER) — a deviation from this user's 30-day baseline.
Bandwidth anomaly + 207 uploads / 205 downloads + full syncs — the shape of staging/egress.
SiteCollectionAdminAdded in-window — a privilege change expected in takeover or insider staging.
Two metros / two consumer ISPs in one window — consistent with a shared or compromised credential.
Asymmetric risk: because the data is SSNs, even a low probability warrants confirmation.
Likely benign
~65%
All operations are normal O365 productivity; the upload/download/FileSyncUploadedFull mix is the textbook signature of a OneDrive client syncing.
No external/anonymous sharing, no foreign geo, no anonymizer, no malware — US-only over ordinary home/mobile ISPs.
Named employee; construction firms routinely handle subcontractor SSNs / certified payroll, making SSN DLP a high-FP detector.
ML_NEW_USER only means "first hit in 30 days" — a weak signal.
Two-city pattern is readily explained by T-Mobile mobile (poor IPv6 geo) + Comcast home; same browser/OS.
Fluency AI triage: "no contradictions, but lacking context" — unresolved, not malicious.
Recommended next steps
Check external exposure — query the window for external/anonymous sharing and external mail recipients on john.smith's SharePoint/Exchange activity. None = strongly benign.
Investigate the SiteCollectionAdminAdded — who was granted admin on which site, and by whom.
Resolve the two-geo login — confirm whether Metro A and Metro B sign-ins are concurrent (impossible travel) or sequential mobile/home use.
Evidence is preserved in scenario scn-n5gkgzkuueww4 for detection testing against the gaps above.
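The detection gaps listed above and the first three next steps, worked as correlation code. This is an added example, not Fluency code and not part of the case record: it runs over a constructed set of Office 365 Unified Audit Log (UAL) style records for john.smith's window. Field names (Operation, Workload, UserId, ClientIP, CreationTime, SiteUrl, TargetUserOrGroupName, TargetUserOrGroupType, Parameters) follow the UAL schema; the record values, the IP-to-geo table standing in for the enrichment the DLP event lacked, the Metro A/B coordinates, the internal-domain set and the thresholds are all assumptions. The guest share and the forwarding rule in the sample are synthetic positives included to show what a hit looks like; the real case recorded neither.

```python
# Added example (not Fluency's code): checks for the detection gaps on this case,
# run over constructed Office 365 Unified Audit Log (UAL) style records.
import math
from datetime import datetime, timedelta

USER = "john.smith@acme.example"
INTERNAL_DOMAINS = {"acme.example"}  # assumption: the tenant's own domains
# Constructed IP -> (ISP, metro, lat, lon) table standing in for geo enrichment; values made up.
GEO = {"10.1.1.10": ("T-Mobile", "Metro A (TX)", 32.8, -96.8),
       "10.2.2.20": ("Comcast", "Metro B (MD)", 39.3, -76.6)}

def rec(hhmm, op, workload, **extra):
    """One UAL-shaped record for the constructed sample (29 May 2026, UTC)."""
    return {"CreationTime": f"2026-05-29T{hhmm}:00", "Operation": op,
            "Workload": workload, "UserId": USER, **extra}

# Constructed sample. The guest share and the forwarding rule are synthetic positives
# included to show what a hit looks like; the real case recorded neither.
SAMPLE = [
    rec("16:34", "UserLoggedIn", "AzureActiveDirectory", ClientIP="10.1.1.10"),
    rec("16:40", "DlpRuleMatch", "Exchange", ClientIP=""),  # DLP hit with no IP, as on the case
    rec("16:52", "SiteCollectionAdminAdded", "SharePoint",
        SiteUrl="https://acme.example/sites/payroll", TargetUserOrGroupName=USER),
    rec("17:40", "UserLoggedIn", "AzureActiveDirectory", ClientIP="10.2.2.20"),
    rec("18:05", "SharingSet", "SharePoint", TargetUserOrGroupType="Member",
        TargetUserOrGroupName="jane.doe@acme.example"),      # internal share: not a hit
    rec("18:06", "SharingSet", "SharePoint", TargetUserOrGroupType="Guest",
        TargetUserOrGroupName="cpa@partner.example"),        # external share: hit
    rec("21:00", "New-InboxRule", "Exchange",
        Parameters=[{"Name": "ForwardTo", "Value": "js.personal@mail.example"}]),
    rec("22:10", "UserLoggedIn", "AzureActiveDirectory", ClientIP="10.2.2.20"),
] + [rec(f"{17 + i // 60:02d}:{i % 60:02d}", "FileDownloaded", "OneDrive", ClientIP="10.2.2.20",
         ObjectId=f"https://acme.example/personal/js/Documents/f{i}.xlsx") for i in range(205)]

def ts(r):
    return datetime.fromisoformat(r["CreationTime"])

def admin_grants_near_dlp(records, window=timedelta(hours=6)):
    """Gap 1 / step 2: SiteCollectionAdminAdded within `window` of a DLP match."""
    dlp = [ts(r) for r in records if r["Operation"] == "DlpRuleMatch"]
    return [r for r in records if r["Operation"] == "SiteCollectionAdminAdded"
            and any(abs(ts(r) - t) <= window for t in dlp)]

def external_shares(records):
    """Gap 2 / step 1: anonymous links, or shares granted to a principal outside the tenant."""
    hits = []
    for r in records:
        target = r.get("TargetUserOrGroupName", "")
        domain = target.rsplit("@", 1)[-1].lower() if "@" in target else ""
        if r["Operation"] == "AnonymousLinkCreated" or (
                r["Operation"] in {"SharingSet", "SharingInvitationCreated"}
                and (r.get("TargetUserOrGroupType") == "Guest"
                     or (domain and domain not in INTERNAL_DOMAINS))):
            hits.append(r)
    return hits

def bulk_downloads(records, threshold=100):
    """Gap 3: users whose download + full-sync count in the window reaches `threshold`."""
    counts = {}
    for r in records:
        if r["Operation"] in {"FileDownloaded", "FileSyncDownloadedFull"}:
            counts[r["UserId"]] = counts.get(r["UserId"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}

def forwarding_rules(records):
    """Gap 4: inbox rules / mailbox settings that forward or redirect mail outside the tenant."""
    hits = []
    for r in records:
        if r["Operation"] in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
            for p in r.get("Parameters", []):
                if p["Name"] in {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                                 "ForwardingSmtpAddress"}:
                    if p["Value"].rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                        hits.append((r["Operation"], p["Value"]))
    return hits

def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def impossible_travel(records, geo=GEO, max_kmh=900):
    """Gap 5 / step 3: consecutive sign-ins whose implied speed exceeds `max_kmh`.
    Home and mobile ISPs used hours apart stay under the bar; two metros within an hour do not."""
    logins = sorted((r for r in records if r["Operation"] == "UserLoggedIn"
                     and r.get("ClientIP") in geo), key=ts)
    flagged = []
    for prev, cur in zip(logins, logins[1:]):
        a, b = geo[prev["ClientIP"]], geo[cur["ClientIP"]]
        km = haversine_km(a[2:], b[2:])
        hours = max((ts(cur) - ts(prev)).total_seconds() / 3600, 1 / 60)  # floor at one minute
        if km / hours > max_kmh:
            flagged.append((prev["CreationTime"], a[1], cur["CreationTime"], b[1], round(km / hours)))
    return flagged

if __name__ == "__main__":
    for check in (admin_grants_near_dlp, external_shares, bulk_downloads, forwarding_rules, impossible_travel):
        print(check.__name__, check(SAMPLE))
```

The impossible-travel check is the one that separates the two readings of the sign-in pattern: with the sample's Metro A sign-in at 16:34 and Metro B at 17:40 the implied speed is far above any airline, so it fires; the same two metros six hours apart would not, which is the dual-homed mobile/home pattern the benign reading assumes. The geo table is the piece the DLP event was missing (__undefined IP / city / country), so in production it would come from the sign-in enrichment rather than a literal.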