Last 24 hours · Jul 07, 2026 00:09 – Jul 08, 2026 00:09 UTC Demonstration Mode (synthetic data) Generated: 2026-07-08 00:09:10 UTC

Key Metrics

Traffic (GB)
847.30
Sources
1,284
12847Alerts
2081Threats
5716648Findings
Events/Min
5,787
SIGMA Alerts
23
Event Type Count Sources Destinations
flow 2,847,392 1,284 18,472
dns 1,523,847 892 142
tls 948,271 743 12,384
alert 12,847 234 1,892
http 384,291 521 8,743

Insight

AI-generated security assessment using claude-haiku-4-5-20251001 — refreshed every report cycle.

Insight anthropic / claude-haiku-4-5-20251001

Security Posture

Elevated — The network shows active threat indicators requiring investigation. Rockfish observed 4,821 behavioral detections across 847 assets in the last 24 hours, with 23 elevated to pre-intrusion alerts. The OCCAM engine's 81.9% suppression rate indicates a well-tuned baseline, but the 8 elevated alerts in the datacenter segment and 3 in the DMZ warrant immediate attention. Total IDS alert volume (12,847) is within normal range for the 1,284 monitored hosts, with 847.3 GB of traffic processed.

Key Findings

  • SIGMA Pre-Intrusion: 10.0.12.45 (datacenter) triggered 3 C2 alerts with surprisal up to 8.73 bits — the highest anomaly score observed this period. Viterbi path shows Benign→Reconnaissance→Staging→LateralMovement progression.
  • Lateral Movement: 10.0.3.118 (corporate) shows lateral spread pattern with 7.21-bit surprisal across 64 detection windows. Cross-segment traffic increasing.
  • Data Exfiltration: 10.0.12.201 (datacenter) flagged for exfiltration behavior with 6.84-bit surprisal. 52 detection windows with sustained anomaly scores above 0.68.
  • IDS Alerts: 47 critical-severity alerts across 12 source hosts — 1,247 trojan-class signatures firing, consistent with the SIGMA C2 detections.
  • DNS: DGA candidate domains detected alongside DNS tunneling indicators — potential malware communication channels.
  • TLS: 97.2% TLS 1.2+ compliance. Remaining 2.8% legacy TLS from IoT segment.

Threat Indicators

  • 10.0.12.45 — Persistent C2 beaconing, 3 pre-intrusion alerts in 24h, Occam predictor confidence 84.7%. Highest priority for containment.
  • 10.0.3.118 — Active lateral movement across corporate segment, 5 elevated detections. May be pivoting from initial compromise on 10.0.12.45.
  • 10.0.12.201 — Exfiltration pattern with 4 pre-intrusion alerts. Data leaving datacenter to external destinations at elevated rates.
  • 172.16.0.89 — DMZ host conducting reconnaissance, 2 elevated alerts. Potential perimeter breach or compromised web server.
  • 192.168.1.44 — IoT device with C2 indicators, 1 elevated alert. Likely botnet enrollment — isolate and reimage.

Recommendations

1. Contain 10.0.12.45 immediately — 3 C2 alerts with 8.73-bit surprisal and progressive attack path indicate active compromise. Isolate and begin forensics.

2. Investigate lateral movement from 10.0.3.118 — 5 elevated detections suggest attacker pivoting through corporate segment. Check for credential reuse.

3. Block exfiltration from 10.0.12.201 — monitor outbound data flows from this datacenter host; apply egress filtering pending investigation.

4. Quarantine IoT device 192.168.1.44 — C2 indicators on IoT are high-confidence; segment or remove from network.

5. Remediate legacy TLS endpoints — 2.8% of sessions still on TLS 1.0/1.1, concentrated in IoT segment. Upgrade firmware or isolate behind TLS-terminating proxy.