Handout C: Security Alert Log
CHIMERA INTERACTIVE - SECURITY OPERATIONS CENTER
These alerts were generated over the past 72 hours. The SOC analyst marked several as "low priority" because the privacy team's urgent DSAR workload was consuming attention.
| Timestamp (UTC) | Severity | Source | Destination | Data Volume | Status |
|---|---|---|---|---|---|
| 2026-02-04 02:14 | LOW | accounts-prod-west | 185.234.72.19:443 | 12.4 MB | Dismissed |
| 2026-02-04 06:47 | LOW | accounts-prod-west | 185.234.72.19:443 | 8.7 MB | Dismissed |
| 2026-02-04 14:22 | LOW | analytics-prod | 185.234.72.19:443 | 24.1 MB | Dismissed |
| 2026-02-05 01:33 | MEDIUM | accounts-prod-west | 185.234.72.19:443 | 156.8 MB | Under Review |
| 2026-02-05 03:18 | MEDIUM | gamedata-prod | 185.234.72.19:443 | 89.3 MB | Under Review |
| 2026-02-05 11:45 | LOW | payment-api-v2 | 185.234.72.19:443 | 4.2 MB | Dismissed |
| 2026-02-06 00:12 | HIGH | accounts-prod-west | 185.234.72.19:443 | 412.6 MB | OPEN |
| 2026-02-06 04:28 | HIGH | analytics-prod | 91.198.44.88:8443 | 267.3 MB | OPEN |
| 2026-02-06 08:55 | CRITICAL | Multiple Sources | 185.234.72.19:443 | 1.2 GB | OPEN |
Summary
| Field | Value |
|---|---|
| Total Outbound to 185.234.72.19: | 2.17 GB over 72 hours |
| IP Geolocation: | Moldova (bulletproof hosting) |
| Affected Systems: | accounts-prod, analytics-prod, gamedata-prod, payment-api |
| First Alert: | Feb 4, 02:14 UTC (DISMISSED) |
| Time to Escalation: | 54+ hours |
IM NOTES: Key observations for players to discover:
- Same destination IP (185.234.72.19) across multiple source systems: coordinated exfiltration
- Exfiltration started Feb 4, BEFORE the DSAR spike was noticed (Feb 5); the DSARs are distraction/cover
- Early alerts were DISMISSED because SOC was told "focus on the DSAR emergency"
- Source systems match exactly what was revealed in DSAR Response Section 5 (the infrastructure map)
- Second IP (91.198.44.88) appeared Feb 6; attacker may be rotating infrastructure
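The fan-in pattern the notes describe is invisible when alerts are triaged one at a time; the aggregation below is an added example (not part of the handout or any Chimera tooling) that replays the nine alerts above and surfaces it: distinct sources per destination IP, cumulative volume including what was dismissed, and the gap between the first alert and the CRITICAL one. It assumes decimal units (1 GB = 1000 MB) and treats the "Multiple Sources" row as one more distinct source label.

```python
from collections import defaultdict
from datetime import datetime

# Constructed from the handout's alert table (timestamps in UTC); not a live SIEM feed.
ALERT_LOG = """\
2026-02-04 02:14|LOW|accounts-prod-west|185.234.72.19:443|12.4 MB|Dismissed
2026-02-04 06:47|LOW|accounts-prod-west|185.234.72.19:443|8.7 MB|Dismissed
2026-02-04 14:22|LOW|analytics-prod|185.234.72.19:443|24.1 MB|Dismissed
2026-02-05 01:33|MEDIUM|accounts-prod-west|185.234.72.19:443|156.8 MB|Under Review
2026-02-05 03:18|MEDIUM|gamedata-prod|185.234.72.19:443|89.3 MB|Under Review
2026-02-05 11:45|LOW|payment-api-v2|185.234.72.19:443|4.2 MB|Dismissed
2026-02-06 00:12|HIGH|accounts-prod-west|185.234.72.19:443|412.6 MB|OPEN
2026-02-06 04:28|HIGH|analytics-prod|91.198.44.88:8443|267.3 MB|OPEN
2026-02-06 08:55|CRITICAL|Multiple Sources|185.234.72.19:443|1.2 GB|OPEN
"""

def to_mb(volume):
    """'1.2 GB' -> 1200.0, '12.4 MB' -> 12.4 (decimal units, as the handout rounds)."""
    number, unit = volume.split()
    return float(number) * {"MB": 1, "GB": 1000}[unit]

def parse_alerts(text):
    rows = []
    for line in text.strip().splitlines():
        ts, sev, src, dst, vol, status = line.split("|")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "severity": sev, "source": src,
                     "dest": dst.rsplit(":", 1)[0], "mb": to_mb(vol), "status": status})
    return rows

def by_destination(rows):
    """Per destination IP: distinct internal sources, total MB, and MB already dismissed."""
    agg = defaultdict(lambda: {"sources": set(), "total_mb": 0.0, "dismissed_mb": 0.0})
    for r in rows:
        a = agg[r["dest"]]
        a["sources"].add(r["source"])
        a["total_mb"] += r["mb"]
        if r["status"] == "Dismissed":
            a["dismissed_mb"] += r["mb"]
    return dict(agg)

def coordinated_destinations(rows, min_sources=2):
    """Destinations reached by several distinct systems: the fan-in that per-alert
    triage misses, since each LOW alert looks harmless in isolation."""
    return sorted(d for d, a in by_destination(rows).items() if len(a["sources"]) >= min_sources)

def hours_to_escalation(rows, severity="CRITICAL"):
    """Hours between the earliest alert and the first alert at the given severity."""
    first = min(r["ts"] for r in rows)
    escalated = min(r["ts"] for r in rows if r["severity"] == severity)
    return (escalated - first).total_seconds() / 3600
```

Run against the table, 185.234.72.19 is the only destination with more than one source, roughly 49 MB of traffic to it had already been dismissed before the first MEDIUM alert, and the first-alert-to-CRITICAL gap is a little under 55 hours.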