F029 · Suspicious · validator: blocked
Admin-share access to internal host 172.16.5.26
Lateral movement via admin share to 172.16.5.26
Analyst narrative
candidate cand-0010: admin_share_access signals across event logs and network IOCs targeting 172.16.5.26. fact_ids=event_log_fact-0026891, event_log_fact-0026905
Claims asserted
connection 172.16.5.26
Proof chain · 0 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Source tools
extract_network_iocs · parse_event_logs