This is a real Sentinel report against a synthetic target. Severity, evidence, and remediation steps are written in the same plain language an IT generalist can follow on a Friday afternoon.
The Outlook installation on the target accepts crafted ms-exchange links that exfiltrate the user's NTLM hash to an attacker-controlled SMB server. Active exploitation has been reported in the wild, and public exploit code is available.
Evidence. The target responded to a probe with the vulnerable Outlook header pattern and the version string Outlook/16.0.17328.
Remediation. Apply the February 2024 Microsoft cumulative update. Block outbound SMB at the firewall as a defensive control. Audit recent NTLM authentication events in the Windows security log to confirm no credentials have already been captured.
The HTTPS certificate served by mail.demo.example.ch expired on 2026-03-12. Browsers warn users that the connection is not secure. Most modern email clients refuse to connect.
Evidence. openssl s_client returned a notAfter date of 12 March 2026 GMT.
Remediation. Renew the certificate via the existing ACME workflow or vendor portal. If the site no longer needs HTTPS, retire the DNS record. Set a calendar alert thirty days before the next expiry.
The host accepts password authentication on SSH. Automated brute-force attempts are guaranteed to follow.
Evidence. The SSH server lists password among its accepted authentication methods, and the daemon accepts password attempts.
Remediation. Set PasswordAuthentication no in /etc/ssh/sshd_config. Distribute SSH keys to operators who still log in. Restart the daemon. Confirm with a test login that key-based authentication works before logging out of the last password session.
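One way to confirm the SSH remediation actually took effect, as an added example that is not part of the Sentinel report: a Python check of which PasswordAuthentication value sshd will honour, given sshd's first-value-wins rule, Include expansion and Match blocks. It assumes the config files are handed in as a dict of path to contents; the sample files below are constructed.

```python
# Added check: which PasswordAuthentication value sshd will actually honour.
# sshd keeps the FIRST value it reads for a keyword (later lines are ignored),
# keywords are case-insensitive, Include (OpenSSH 8.2+) is expanded in place,
# and lines inside a Match block are conditional, so they never set the
# global value. Files are passed as a dict {path: contents} to run offline.
import fnmatch
import re

def _first_value(files, path, keyword):
    """Return (value, file, lineno) for the first global occurrence, or None."""
    in_match = False
    for lineno, raw in enumerate(files.get(path, "").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":            # everything up to the next Match is conditional
            in_match = True
            continue
        if in_match:
            continue
        if key == "include":          # globs expand in sorted order, as glob(3) does
            for pattern in arg.split():
                for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    hit = _first_value(files, inc, keyword)
                    if hit:
                        return hit
            continue
        if key == keyword:
            return arg.lower(), path, lineno
    return None

def effective_password_auth(files, entry="/etc/ssh/sshd_config"):
    """Value sshd will use plus its source; sshd's default is yes when unset."""
    return _first_value(files, entry, "passwordauthentication") or ("yes", None, None)

# Constructed sample modelled on the common drop-in layout: the main file says
# "no", but an earlier Include pulls in a drop-in saying "yes", and that wins.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\nPort 22\n"
                            "PasswordAuthentication no\nMatch User backup\n"
                            "    PasswordAuthentication yes\n",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}
# The same layout after the drop-in is removed: the main file's "no" now applies.
FIXED_FILES = {k: v for k, v in SAMPLE_FILES.items() if "sshd_config.d" not in k}
if __name__ == "__main__":
    print(effective_password_auth(SAMPLE_FILES), effective_password_auth(FIXED_FILES))
```

Run it against the real files by reading /etc/ssh/sshd_config and every file under /etc/ssh/sshd_config.d/ into the dict; a result of yes with a drop-in path is the case the test login in the remediation step is meant to catch.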
A real Sentinel report continues with each finding, including informational items and a closing summary of actionable next steps.