| Week | Ticket ID | Severity | Description | Status |
|---|---|---|---|---|
| W1 | 17498988 | MED | Add member to role in PIM completed (permanent) | closed |
| W1 | 17458858 | MED | Suspicious External Teams Chat Created | closed |
| W1 | 17448750 | MED | Cloud Microsoft Mass Phishing Emails Delivered | closed |
| W1 | 17448867 | MED | ScreenConnect Activity Detected | closed |
| W1 | 17445905 | MED | File Malware Detected | closed |
| W2 | 17558673 | — | Technical support assistance | pending → closed W3 |
| W4 | 17629013 | — | Quarterly Service Review Follow-up | pending |
| Week | User | Failures |
|---|---|---|
| W1 | kevin.bassalleck | 3,458 |
| W2 | brian.terrell | 2,691 |
| W3 | brian.terrell | 3,391 |
| W4 | kirlos.mansour | 3,442 |
| User | W1 | W2 | W3 | W4 | W5 |
|---|---|---|---|---|---|
| tesh@nexussolar.net (guest) | 147 | 93 | 81 | 156 | 167 |
| long.nguyen | 105 | 22 | 101 | 65 | 61 |
| karl.lukes | 89 | 32 | — | — | — |
| kirlos.mansour | — | 48 | 106 | 47 | 92 |
| jordan.fredrickson | 66 | — | 28 | — | 15 |
| Host / User | Signal |
|---|---|
| Kevin MBP 2023 (kevin.bassalleck) | Fails Sophos prerequisites 2×/day, 4 weeks — all high-sev rows |
| EMARTINS-W11PM | 10× "Lockdown" exploit prevented in claude.exe (W4) |
| MMONTANO-W11PMAP2 | 8× Generic ML PUA detections (W1) |
| KMANSOUR-W11PM2 | Top failed-login host W3 + high-sev incident |
| DRICE-W10PM3 | USB spike: 22 events W3 (EDR) |
| ALEWIS-W11PM | Chronic "system time changed" events (noise, but chronic) |
| JCONNALLY-W11PM | Sophos ServiceNotRunning W2 & W4 |
| Metric | W1 | W2 | W3 | W4 |
|---|---|---|---|---|
| Exchange mailbox changes (mostly system) | 87 | 48 | 42 | 51 |
| Anonymous SharePoint links | 15 | 11 | 15 | 29 |
| Auth-group assignments | 14 | 18 | 14 | 35 |
| Group users removed | 6 | 55 | 7 | 11 |
| New e-mail forwarding rules | 0 | 0 | 0 | 0 |
| M365 DLP triggers | 0 | 0 | 0 | 0 |
| User | W1 | W2 | W3 | W4 | Via |
|---|---|---|---|---|---|
| alejandro.ruiz | 194 | 66 | 71 | 10 | codex.exe / VS Code |
| justin.ramsey | recurring, browser | chrome | |||
| david.adams, dylan.fortney, travis.ross… | 8–12 distinct users/week | browser | |||
| User | Risk | Detail |
|---|---|---|
| david@affordable-solar.com | HIGH 8 | Sep 2025 breach — plaintext/decryptable password |
| jim.kacerguis | MED 4 | Jun 2026 breach — no passwords exposed |
| nick.babic | MED 4 | |
| ryan.centerwall | MED 4 | |
| whitney.bushnell | MED 4 |
| Host | Exposure |
|---|---|
| 138.199.112.180 | 18 open ports incl. telnet/23 & SMB/445 |
| 138.199.112.183 | 19 open ports |
| affordable-solar.com | 11 public subdomains (vpn1/vpn2, ftp, dev…) |
| gridworks.com | 11 public subdomains |