The security incident was triggered by a role revocation action by user 'owen.shaw' against user 'fiona.park' (ctx://meridian/splunk-events/evt_4c04931e9b298bb6).
Investigated in 3.9s · 12 artifacts read · 3 entities traversed
Impact
Severity: high
Events in chain: 3
Window: 5m 0s from 20:10:46
Entities affected: 2 (I·0 · B·0 · C·2)
Actions: 2 (1 high / crit)
Root cause hypothesis
agent-meridian-reasoner
The security incident was triggered by a role revocation action by user 'owen.shaw' against user 'fiona.park' (ctx://meridian/splunk-events/evt_4c04931e9b298bb6). This revocation was immediately preceded in the causal chain by two distinct 'restricted_access' warnings (ctx://meridian/splunk-events/evt_cff1fcce8ed0239d and ctx://meridian/splunk-events/evt_89b5eeff43c10060) involving the same actor 'owen.shaw', suggesting a corrective action following an access control enforcement failure or misconfiguration.
Causal chain · 3 events
ordered by UTC timestamp
20:10:46 UTC
audit:access on iam-svc-01: {"level":"WARN","action":"restricted_access","actor":"owen.shaw","resou…
ctx://meridian/splunk-events/evt_cff1fcce8ed0239d
20:11:09 UTC
audit:access on iam-svc-01: {"level":"WARN","action":"restricted_access","actor":"owen.shaw","resou…
ctx://meridian/splunk-events/evt_89b5eeff43c10060
20:15:46 UTC
iam:role-change on iam-svc-01: {"level":"WARN","action":"role_revoke","actor":"owen.shaw","target":…
01 · high · Investigate the nature and target of the 'restricted_access' warnings for 'owen.shaw' (ctx://meridian/splunk-events/evt_cff1fcce8ed0239d, ctx://meridian/splunk-events/evt_89b5eeff43c10060) to determine if the subsequent 'role_revoke' (ctx://meridian/splunk-events/evt_4c04931e9b298bb6) was an intended, authorized administrative action.
02 · medium · Ensure the 'role_revoke' event (ctx://meridian/splunk-events/evt_4c04931e9b298bb6) is properly documented and reported to satisfy the compliance requirements (SOC 2 Incident Reporting, PCI DSS Requirement 10) identified in the blast radius.