Arctic Wolf Security Dashboard · Affordable Solar / Gridworks

Reporting period: 08 Jun – 13 Jul 2026 (5 weeks · W5 partial) · MOCKUP — data parsed from weekly AW reports
Weeks W1–W5 run Mon–Mon from Jun 8 (W5 partial). Select a domain tab below — charts marked ⊞ detail open row-level data on click. · Zip Extractor ↗
Coverage Score
95%
stable all 4 weeks
Observations (W4)
29.8 M
▼ 38% over 4 weeks — ask CST
Ticketed Incidents
1
1 in W1 · none since
Investigations
5
2 · 0 · 1 · 2 by week
Failed Logins (W4)
30.0 K
▼ 31% vs W3 peak
Identity Protection Alerts
15
10 · 0 · 4 · 1 — one guest acct
External Vulns (Jul)
2 Low
0 critical/high network vulns

⚠ Needs Attention

Service Health
Identity & Access
Endpoint
Data Movement
Network & Shadow IT
External Attack Surface

Observations Ingested Security Review — trending down 38%

Investigations vs Ticketed Incidents⊞ detail

Ticket Activity Appendix B, Security Review

WeekTicket IDSeverityDescriptionStatus
W117498988MEDAdd member to role in PIM completed (permanent)closed
W117458858MEDSuspicious External Teams Chat Createdclosed
W117448750MEDCloud Microsoft Mass Phishing Emails Deliveredclosed
W117448867MEDScreenConnect Activity Detectedclosed
W117445905MEDFile Malware Detectedclosed
W217558673Technical support assistancepending → closed W3
W417629013Quarterly Service Review Follow-uppending
Full month: 8 tickets W1 (all closed), 4 W2, 4 W3, 1 W4 open.

M365 Logins — Success vs Failed

kirlos.mansour — Failed Logins Azure report, rising weekly

Top Login-Failure Users by Week

WeekUserFailures
W1kevin.bassalleck3,458
W2brian.terrell2,691
W3brian.terrell3,391
W4kirlos.mansour3,442
Persistent spray against shared mailboxes (info@, sales@, no-reply@) from Russia/China via legacy Authenticated SMTP — blocked; disable basic auth to eliminate.

Anonymous-VPN Activity⊞ detail CSV export — capped at 500 rows/week · W5 = Jul 6–13

UserW1W2W3W4W5
tesh@nexussolar.net (guest)1479381156167
long.nguyen105221016561
karl.lukes8932
kirlos.mansour481064792
jordan.fredrickson662815
W5 (Jul 6–13): only the anonymous_vpn CSV has arrived so far — other W5 report types pending from AW. tesh@nexussolar.net at its highest weekly count yet.

Identity Protection Alerts⊞ detail all attributable to tesh@nexussolar.net

Sophos Events by Priority⊞ detail

Sophos Rule-Type Trends DLP & runtime detections rising

EDR: Failed Logins & USB Events⊞ detail Sat–Sat weeks; 3 weeks available

Endpoint Watch List

Host / UserSignal
Kevin MBP 2023 (kevin.bassalleck)Fails Sophos prerequisites 2×/day, 4 weeks — all high-sev rows
EMARTINS-W11PM10× "Lockdown" exploit prevented in claude.exe (W4)
MMONTANO-W11PMAP28× Generic ML PUA detections (W1)
KMANSOUR-W11PM2Top failed-login host W3 + high-sev incident
DRICE-W10PM3USB spike: 22 events W3 (EDR)
ALEWIS-W11PMChronic "system time changed" events (noise, but chronic)
JCONNALLY-W11PMSophos ServiceNotRunning W2 & W4
Agent check-ins fell 35.9 M → 25.7 M (−28%). Russia (Moskva) check-ins present all 3 EDR weeks (5, 1, 1).

SharePoint Anonymous Links Created⊞ detail W4 spike

Sophos DLP Events (auto-allowed)⊞ partial unblocked data egress

Collaboration & Mailbox Changes

MetricW1W2W3W4
Exchange mailbox changes (mostly system)87484251
Anonymous SharePoint links15111529
Auth-group assignments14181435
Group users removed655711
New e-mail forwarding rules0000
M365 DLP triggers0000

Generative-AI Traffic (log rows)⊞ detail declining; ~95% ChatGPT/OpenAI

Top AI Users rows/week; process shows how

UserW1W2W3W4Via
alejandro.ruiz194667110codex.exe / VS Code
justin.ramseyrecurring, browserchrome
david.adams, dylan.fortney, travis.ross…8–12 distinct users/weekbrowser
Tools seen: ChatGPT/OpenAI (dominant), Gemini (3 rows total). Zero DNS hits for Claude, Copilot, Perplexity, DeepSeek, Grok.

Network Traffic Snapshot Security Review W1

Top country: US — 84.9 GB / 657 K flows / 19 devices Top outbound: https 55.4 GB Inbound: tcp 21.9 GB Interesting countries: no data all month AD lockouts / admin-group adds: none all month

Vulnerabilities⊞ detail Jul 2026 scan

Dashboard "High 1 / Medium 1" are dark-web ATO findings; actual network vulns = 2 Low (ICMP timestamp disclosure).

Account Takeover Risks dark-web breaches

UserRiskDetail
david@affordable-solar.comHIGH 8Sep 2025 breach — plaintext/decryptable password
jim.kacerguisMED 4Jun 2026 breach — no passwords exposed
nick.babicMED 4
ryan.centerwallMED 4
whitney.bushnellMED 4

Exposed Services

HostExposure
138.199.112.18018 open ports incl. telnet/23 & SMB/445
138.199.112.18319 open ports
affordable-solar.com11 public subdomains (vpn1/vpn2, ftp, dev…)
gridworks.com11 public subdomains
Scan scope: 138.199.112.180/30, 50.188.162.57–61, affordable-solar.com, gridworks.com. Monthly cadence — next data point Aug 2026.