Phase 1 Demo

Overview

Admin console

Unauthorized device detected

A previously unknown endpoint appeared in ACME Health's tenant environment. Fixture data is shown because the backend API could not be read; the API boundary section below records the reason (the demo endpoint returned 401).

Risk score

82

Control

SOC2-CC7.2

Tenant

ACME Health

Schema

v1

RMM + SIEM lite + compliance

Platform story

RMM

Asset visibility

Endpoint appeared from agent-simulator and was compared with approved inventory.

SIEM lite

Rule trace

A deterministic rule converted a validated event into a critical alert.

Compliance

Auditor ready

Evidence links source event, alert, delivery, and audit chain to SOC2-CC7.2.

Tenant

ACME Health

All records remain tenant-scoped.

Correlation

44444444-...-8444

One trace across event, alert, delivery, evidence, and audit.

Schema

v1

Envelope and payload validated before persistence.

Idempotency

sha256 over tenant / event / rule / adapter

A replayed event yields the same key, so duplicate events do not create duplicate deliveries.
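The two platform-story guarantees above, schema validation before persistence and the sha256 idempotency key, as an added Python example; this is not the demo's own code. The envelope field names, the adapter names `email` and `webhook`, and the length-prefixed encoding of the key components are assumptions; the page states only that the key is sha256 over tenant, event, rule and adapter.

```python
from __future__ import annotations
import hashlib
import json

# Added example, not the demo's own code. A schema-v1 envelope and its payload
# are validated before anything is persisted, and an idempotency key of sha256
# over tenant/event/rule/adapter stops a replayed event from producing a second
# delivery. The required field names and the length-prefix encoding of the key
# components are assumptions; the page names only the four inputs.

REQUIRED_ENVELOPE = {"schema", "tenant", "event_id", "correlation_id", "payload"}
REQUIRED_PAYLOAD = {"device_id", "ip", "collector"}


def validate_envelope(envelope: dict) -> dict:
    """Reject anything that is not a well-formed v1 envelope. Returns it unchanged."""
    missing = REQUIRED_ENVELOPE - envelope.keys()
    if missing:
        raise ValueError(f"envelope missing fields: {sorted(missing)}")
    if envelope["schema"] != "v1":
        raise ValueError(f"unsupported schema {envelope['schema']!r}")
    payload = envelope["payload"]
    if not isinstance(payload, dict):
        raise ValueError("payload must be an object")
    missing = REQUIRED_PAYLOAD - payload.keys()
    if missing:
        raise ValueError(f"payload missing fields: {sorted(missing)}")
    return envelope


def idempotency_key(tenant: str, event_id: str, rule: str, adapter: str) -> str:
    """sha256 over tenant/event/rule/adapter. Each part is length-prefixed so
    ("ab", "c") and ("a", "bc") cannot hash to the same key (an added
    precaution; a separator-joined string is the obvious simpler alternative)."""
    h = hashlib.sha256()
    for part in (tenant, event_id, rule, adapter):
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


class DeliveryStore:
    """In-memory stand-in for the delivery table: at most one attempt per key."""

    def __init__(self) -> None:
        self._attempts: dict[str, dict] = {}

    def deliver(self, envelope: dict, rule: str, adapter: str) -> tuple[str, bool]:
        """Returns (key, created). created is False when the key already exists,
        so a replayed event is recorded as a no-op rather than re-sent."""
        envelope = validate_envelope(envelope)
        key = idempotency_key(envelope["tenant"], envelope["event_id"], rule, adapter)
        if key in self._attempts:
            return key, False
        self._attempts[key] = {
            "correlation_id": envelope["correlation_id"],
            "body": json.dumps(envelope["payload"], sort_keys=True),
            "status": "delivered",
        }
        return key, True

    def count(self) -> int:
        return len(self._attempts)


# Constructed sample envelope (not captured tenant data).
EVENT = {
    "schema": "v1",
    "tenant": "ACME Health",
    "event_id": "evt-0001",
    "correlation_id": "c0ffee00-0000-4000-8000-000000000001",
    "payload": {"device_id": "rogue-laptop", "ip": "10.0.8.55",
                "collector": "agent-simulator"},
}


def run_demo() -> dict:
    """Deliver once, replay the same event, then deliver via a second adapter."""
    store = DeliveryStore()
    k1, first = store.deliver(EVENT, "unknown_device_v1", "email")
    k2, replay = store.deliver(EVENT, "unknown_device_v1", "email")    # same event again
    _, other = store.deliver(EVENT, "unknown_device_v1", "webhook")    # new adapter, new key
    return {"first": first, "replay": replay, "other_adapter": other,
            "same_key": k1 == k2, "deliveries": store.count()}


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the `DeliveryStore` dictionary is a database table with a unique constraint on the key column, so the duplicate check and the insert happen atomically; the in-memory version is only a stand-in for that behaviour.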

Tenant posture

Controlled

1 critical workflow active

warning

Detection latency

42s

Event to alert

success

Audit coverage

100%

All workflow steps recorded

success

Evidence chain

Linked

Event -> alert -> delivery

info

Immediate attention

Latest critical alert

critical

open

Unauthorized device detected

rogue-laptop · ALT-1048

Delivery

delivered

Evidence

EVD-2206

Unauthorized Device Detection

Detection timeline

trace complete

Workflow SLA

3m

discovery to auditor view

Material actions

5

all audit recorded

Delivery

idempotent

attempt persisted

12:01 UTC

Device discovered

agent-simulator

info

New endpoint fingerprint observed in ACME network segment.

Device: rogue-laptop
IP: 10.0.8.55

12:02 UTC

Classified as unmanaged

rule-worker

warning

Device ID not found in approved inventory for tenant ACME.

Rule: unknown_device_v1
Inventory: not approved

12:02 UTC

Risk score assigned

rule-worker

warning

Risk score elevated because ownership and baseline are unknown.

Score: 82
Reason: unmanaged asset

12:02 UTC

Alert generated

alert-service

critical

Critical unauthorized device alert opened for operator review.

Alert: ALT-1048
Severity: critical
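The four timeline steps above, together with the rule-trace and auditor-ready items of the platform story, as an added Python example; this is not the demo's rule-worker or alert-service code. The approved inventory contents, the score weights, the critical threshold, the `delivery-adapter` actor name and the delivery ids are assumptions chosen so that the constructed `rogue-laptop` event reproduces the page's outcome (unmanaged, score 82, critical alert, five audited actions); a second constructed event for an approved device shows the same deterministic rule producing no alert.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added example, not the demo's rule-worker or alert-service code. Discovery is
# recorded, the device is checked against the tenant's approved inventory, a
# risk score is assigned, an alert opens when the score crosses a threshold, and
# an evidence bundle ties event, alert, delivery and audit chain to SOC2-CC7.2
# through one correlation id. Inventory contents, score weights (60 + 12 + 10)
# and the critical threshold (80) are assumptions that reproduce the page's outcome.

CONTROL = "SOC2-CC7.2"
RULE = "unknown_device_v1"
CRITICAL_THRESHOLD = 80  # assumed

# Constructed approved inventory, keyed by tenant (not real data).
APPROVED_INVENTORY = {"ACME Health": {"hr-laptop-01", "fs-01"}}


@dataclass
class Trace:
    """Audit chain: one record per material action, all under one correlation id."""
    correlation_id: str
    steps: list = field(default_factory=list)

    def record(self, actor: str, level: str, summary: str, **details) -> None:
        self.steps.append({"correlation_id": self.correlation_id, "actor": actor,
                           "level": level, "summary": summary, "details": details})


def classify(event: dict, trace: Trace) -> str:
    # Tenant-scoped lookup: a device approved in another tenant is still unknown here.
    approved = event["device_id"] in APPROVED_INVENTORY.get(event["tenant"], set())
    classification = "managed" if approved else "unmanaged"
    trace.record("rule-worker", "info" if approved else "warning",
                 f"Classified as {classification}", rule=RULE,
                 inventory="approved" if approved else "not approved")
    return classification


def risk_score(event: dict, classification: str, trace: Trace) -> int:
    score, reasons = 0, []
    if classification == "unmanaged":
        score += 60
        reasons.append("unmanaged asset")
    if not event.get("owner"):
        score += 12
        reasons.append("ownership unknown")
    if not event.get("baseline"):
        score += 10
        reasons.append("baseline unknown")
    score = min(score, 100)
    trace.record("rule-worker", "warning" if score >= 50 else "info",
                 "Risk score assigned", score=score, reason=", ".join(reasons) or "none")
    return score


def open_alert(event: dict, score: int, trace: Trace, alert_id: str) -> dict | None:
    if score < CRITICAL_THRESHOLD:
        return None  # scored and audited, but no alert for operators
    alert = {"alert_id": alert_id, "severity": "critical", "status": "open",
             "title": "Unauthorized device detected", "device_id": event["device_id"],
             "correlation_id": trace.correlation_id}
    trace.record("alert-service", "critical",
                 "Critical unauthorized device alert opened for operator review",
                 alert=alert_id, severity="critical")
    return alert


def run_pipeline(event: dict, alert_id: str, delivery_id: str) -> dict:
    trace = Trace(event["correlation_id"])
    trace.record(event["collector"], "info", "Device discovered",
                 device=event["device_id"], ip=event["ip"])
    classification = classify(event, trace)
    score = risk_score(event, classification, trace)
    alert = open_alert(event, score, trace, alert_id)
    evidence = None
    if alert:
        trace.record("delivery-adapter", "info", "Alert delivered", delivery=delivery_id)
        # Evidence bundle for the auditor: every artifact, checked to share one id.
        evidence = {"control": CONTROL, "event_id": event["event_id"],
                    "alert_id": alert["alert_id"], "delivery_id": delivery_id,
                    "audit_steps": len(trace.steps),
                    "chain_consistent": all(s["correlation_id"] == trace.correlation_id
                                            for s in trace.steps)}
    return {"classification": classification, "score": score,
            "alert": alert, "evidence": evidence, "trace": trace}


# Constructed events mirroring the timeline (not captured data). ALT-1048 is the
# alert id the page shows; delivery ids and the managed device are made up.
ROGUE_EVENT = {"tenant": "ACME Health", "event_id": "evt-0001",
               "correlation_id": "c0ffee00-0000-4000-8000-000000000001",
               "collector": "agent-simulator", "device_id": "rogue-laptop",
               "ip": "10.0.8.55", "owner": None, "baseline": None}
MANAGED_EVENT = {**ROGUE_EVENT, "event_id": "evt-0002", "device_id": "hr-laptop-01",
                 "owner": "HR", "baseline": "macos-standard"}
```

Calling `run_pipeline(ROGUE_EVENT, "ALT-1048", "DLV-0001")` yields five audit records (discovery, classification, score, alert, delivery) under one correlation id, which is the property the evidence chain on this page depends on; the managed event walks the same code and stops after three records with no alert.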

Affected entity

Asset context

rogue-laptop

device_id: rogue-laptop

unmanaged

Tenant: ACME Health
Observed IP: 10.0.8.55
Fingerprint: fp-rogue-laptop
OS guess: macOS
Classification: unmanaged
Last seen: 12:01 UTC
Collector: agent-simulator
Confidence: 95%
Approved inventory check

No approved inventory record found for this device in the tenant inventory.

Command and quarantine actions are not available in this phase; they require future command-policy API contracts.

API boundary

Data source

Current read mode

fixture fallback

Backend fallback reason: /api/v1/demo/unauthorized-device returned 401 (unauthorized)

The API client retains bearer-token and session authentication support.