final_decision.json
{
  "incident_id": "INC-SOC-9917",
  "executive_summary": "Critical security incident detected involving compromised finance service credentials and lateral movement across jump hosts. Evidence indicates active intrusion with potential access to sensitive financial systems.",
  "severity": "critical",
  "suspected_root_cause": "Compromised service principal credentials enabling unauthorized access and lateral movement",
  "impacted_assets": [
    "svc-fin-admin",
    "jump-us-east-2",
    "jump-us-east-3",
    "ad-dc-02",
    "finance-admin-portal",
    "iam-federation-prod"
  ],
  "confidence": 0.95,
  "recommended_actions": [
    {
      "action": "Disable compromised service principal",
      "owner": "Identity Engineering",
      "priority": "P1",
      "rationale": "Immediate containment of compromised credentials"
    },
    {
      "action": "Isolate affected jump hosts from the network",
      "owner": "Infrastructure Security",
      "priority": "P1",
      "rationale": "Prevent further lateral movement"
    },
    {
      "action": "Invalidate active sessions and tokens",
      "owner": "Identity Engineering",
      "priority": "P1",
      "rationale": "Terminate active attacker sessions"
    },
    {
      "action": "Force credential rotation",
      "owner": "Identity Engineering",
      "priority": "P1",
      "rationale": "Ensure compromised credentials are no longer valid"
    },
    {
      "action": "Escalate to SOC incident response and identity engineering",
      "owner": "Incident Commander",
      "priority": "P1",
      "rationale": "Engage specialized response teams"
    }
  ],
  "escalation_team": "SOC Incident Response and Identity Engineering",
  "change_risk": "low",
  "machine_json_valid": true
}