INC17837981654658

P1newai_assisted

Anomalous burst of authentication failures from distributed IP range

Assembled Context — bounded to last 30 minutes
Rolling logs
Recent commits
(none in lookback window)
Similar past incidents
INC17837400865642 · security/P1 · 9999d ago — Anomalous burst of authentication failures from distributed IP range
INC177828583670327 · security/P1 · 61d ago — Anomalous burst of authentication failures from distributed IP range
INC177746467291767 · security/P1 · 69d ago — Anomalous burst of authentication failures from distributed IP range
Diagnosis Agent
ran in parallel
A coordinated credential‑stuffing/brute‑force attack from a distributed botnet exploiting the auth service’s permissive rate‑limit configuration (WAF in monitor mode) caused a flood of failed login attempts, overwhelming authentication and risking account lockout.
  • [auth-service] WARN 4200 failed login attempts in 5 minutes across 340 distinct source IPs
  • [auth-service] WARN failed attempts targeting 12 distinct high-value accounts
  • [waf] INFO rate-limit rule triggered but not blocking (monitor mode)
  • Similar past incidents (INC17837400865642, INC177828583670327, INC177746467291767) were classified as security/P1
Assessed: P1 / security
Self-reported confidence: 93% (audit-only — not used by the gate)
openai/gpt-oss-120b · 2290ms
Severity / Routing Agent
ran in parallel
P1 / security
Routed to: security-operations
The incident describes a credential stuffing or brute-force attack targeting high-value accounts, evidenced by the high volume of failed attempts from distributed IPs and WAF logs. Given the history of similar P1 security incidents and the risk to high-value credentials, this requires immediate mitigation.
Self-reported confidence: 100% (audit-only — not used by the gate)
gemini-flash-lite-latest · 998ms
Scenario Matcher
deterministic, pre-LLM
Anomalous authentication failure burst
Authentication anomalies are always escalated to the security on-call; no automated remediation action is in the bounded catalog for this class.
Match score: 74% · Recommended action: escalate_to_human
Matched tags: security
Confidence Gate

Computed from 4 measurable signals — not the model's self-reported confidence.

Severity match rate100%
x
Runbook coverage74%
x
Data completeness67%
x
Recency32%
x
Computed confidence (v1)76%
Auto-execute threshold: 75%