§THE INVESTIGATION REPORT

The Investigation Report is not a paragraph. It's a record.

Read it the way an examiner would — the verdict, the evidence beneath it, the reasoning that connects them, the gaps that bound it, the actions it recommends. Every alert produces one.

  • For the analyst: the verdict and the chain that supports it.
  • For the auditor: the reasoning, traceable end to end.
  • For the SOC manager: the decision and what comes next.

One artifact. Three readings. The shape of a defensible decision.

INVESTIGATION REPORT
PRM-2026-04-2841 · 28 Apr 2026 · 14:07 UTC
Tenant: Northwind Energy · EU-WEST
Verdict: TRUE POSITIVE
Confidence: High · evidence-bound (investigation-grade)

Suspicious PowerShell access to LSASS on a privileged endpoint.

Alert raised by Microsoft Defender for Endpoint · sev. medium · MITRE ATT&CK T1003.001 (LSASS Memory).

Investigation hypotheses · tested

  • Malicious scenario: credential-dumping attempt against LSASS via comsvcs.dll MiniDump, executed under elevated PowerShell on host NW-FIN-W11-204. Supported by evidence.
  • Benign scenario: sanctioned IR or red-team exercise, or an EDR self-test triggering identical signatures. Rejected.
Verdict synthesis

Process tree, parent-child lineage, and command-line entropy on host NW-FIN-W11-204 match the malicious scenario. No sanctioned IR engagement or red-team window covers this activity. Identity context shows the user signed in from an unusual ASN seventeen minutes prior. Evidence is sufficient to conclude.

Recommended containment

Isolate NW-FIN-W11-204 at the network layer; force credential reset for the affected identity; preserve the LSASS dump artifact for forensics (the dump itself holds credential material, so it belongs in a restricted-access evidence store, hashed on collection). Confidence sufficient for automatic action with analyst sign-off.

Tags: MITRE T1003.001 · MITRE T1059.001 · Endpoint · Identity · Credential access

Audit trail
Evidence chain · selected

  • EDR · process tree captured · powershell.exe → rundll32.exe comsvcs.dll, MiniDump
  • IDP · sign-in from ASN 14061 · 17 min prior · unusual
  • BASE · host has no prior LSASS-handle history

Generated by AVA · Investigation Discipline · Defensible by construction
§THREE VERDICTS

Evidence sufficiency determines the verdict.

Most products force every alert into a binary. AVA's third verdict exists because real investigations don't always conclude, and pretending otherwise is how plausible-but-wrong gets shipped.

  • True positive: concluded, evidence-bound.
  • False positive: closed, defensibly; not auto-suppressed.
  • Inconclusive: when evidence is insufficient, AVA says so, and names exactly what's missing. INCONCLUSIVE is a feature, not a fallback.
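The verdict synthesis in the sample report and the three-verdict rule above amount to one evidence-sufficiency check: match the process lineage, rule out a sanctioned window, then corroborate with identity and baseline context, and refuse to conclude when a source is missing. The following is an added example that is not AVA's code and not from the page: it runs that check over constructed EDR, IdP, baseline and exercise-calendar records mirroring the report. Record layouts, field names, the user name, the calendar source and every sample event are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Added example, not AVA's code. The record layouts, the user name, the
# calendar source and every sample record below are constructed.

# rundll32 comsvcs.dll, MiniDump <lsass pid> <out> full; the same export is
# reachable by ordinal (#24), so both spellings are matched.
DUMP_RE = re.compile(r"comsvcs\.dll\s*,\s*(?:#24|MiniDump)\b", re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Verdict:
    verdict: str                                  # TRUE POSITIVE | FALSE POSITIVE | INCONCLUSIVE
    confidence: str                               # high | medium | n/a
    evidence: list = field(default_factory=list)  # the chain that supports the verdict
    missing: list = field(default_factory=list)   # named only when INCONCLUSIVE


def find_dump_attempts(events):
    """EDR leg: rundll32 comsvcs MiniDump spawned by a script host (T1003.001 via T1059.001)."""
    return [e for e in events
            if e["image"].lower() == "rundll32.exe"
            and e["parent_image"].lower() in SCRIPT_HOSTS
            and DUMP_RE.search(e["cmdline"])]


def unusual_signins(signins, user, before, window=timedelta(minutes=30)):
    """IdP leg: sign-ins flagged unusual for this user within `window` before the dump."""
    return [s for s in signins
            if s["user"] == user and s["unusual"]
            and timedelta(0) <= before - parse_ts(s["ts"]) <= window]


def covered_by_window(host, at, windows):
    """Calendar leg: does a sanctioned IR / red-team window for this host cover the timestamp?"""
    return any(w["host"] == host and parse_ts(w["start"]) <= at <= parse_ts(w["end"])
               for w in windows)


def assess(alert, events, signins, baseline, windows):
    """Evidence-sufficiency rule. Pass a source as None to model 'not available'."""
    hits = find_dump_attempts([e for e in events if e["host"] == alert["host"]])
    if not hits:
        return Verdict("INCONCLUSIVE", "n/a", missing=["process tree showing the LSASS access"])
    hit, at = hits[0], parse_ts(hits[0]["ts"])
    ev = [f"EDR · {hit['parent_image']} → {hit['image']} · {hit['cmdline']}"]
    if windows is None:
        return Verdict("INCONCLUSIVE", "n/a", ev, ["IR / red-team calendar for the host"])
    if covered_by_window(alert["host"], at, windows):
        ev.append("CAL · sanctioned exercise window covers this activity")
        return Verdict("FALSE POSITIVE", "high", ev)
    ev.append("CAL · no sanctioned IR engagement or red-team window covers this activity")
    missing, corroborating = [], 0
    if signins is None:
        missing.append(f"IdP sign-in history for {alert['user']}")
    else:
        for s in unusual_signins(signins, alert["user"], at):
            mins = int((at - parse_ts(s["ts"])).total_seconds() // 60)
            ev.append(f"IDP · sign-in from ASN {s['asn']} · {mins} min prior · unusual")
            corroborating += 1
    if baseline is None:
        missing.append("LSASS-handle baseline for the host")
    elif not baseline.get(alert["host"], {}).get("lsass_handle_history", True):
        ev.append("BASE · host has no prior LSASS-handle history")
        corroborating += 1
    if missing:
        return Verdict("INCONCLUSIVE", "n/a", ev, missing)
    return Verdict("TRUE POSITIVE", "high" if corroborating >= 2 else "medium", ev)


# --- constructed sample records mirroring the report above -------------------
ALERT = {"id": "PRM-2026-04-2841", "host": "NW-FIN-W11-204", "user": "nw\\fin-analyst"}
PROCESS_EVENTS = [
    {"host": "NW-FIN-W11-204", "ts": "2026-04-28T14:05:39Z", "image": "powershell.exe",
     "parent_image": "explorer.exe", "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"host": "NW-FIN-W11-204", "ts": "2026-04-28T14:05:41Z", "image": "rundll32.exe",
     "parent_image": "powershell.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\l.dmp full"},
    {"host": "NW-FIN-W11-204", "ts": "2026-04-28T14:06:02Z", "image": "rundll32.exe",   # benign
     "parent_image": "explorer.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]
SIGNINS = [{"user": "nw\\fin-analyst", "ts": "2026-04-28T13:48:41Z", "asn": 14061, "unusual": True}]
BASELINE = {"NW-FIN-W11-204": {"lsass_handle_history": False}}
SANCTIONED_WINDOWS = []   # nothing on the calendar for this host

if __name__ == "__main__":
    r = assess(ALERT, PROCESS_EVENTS, SIGNINS, BASELINE, SANCTIONED_WINDOWS)
    print(r.verdict, r.confidence, *r.evidence, sep="\n  ")
    # Same alert with the IdP feed unavailable: the verdict becomes INCONCLUSIVE
    # and `missing` names the absent source instead of guessing around it.
    print(assess(ALERT, PROCESS_EVENTS, None, BASELINE, SANCTIONED_WINDOWS).missing)
```

The point of the `None` inputs is the third verdict: a missing source is recorded by name in `missing`, never silently treated as "no anomaly", so an analyst reading the output knows exactly what to fetch before the case can close.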

Read the full thinking

§THE OFFER

See AVA investigate your own alerts.

Send us one alert