Einstein Deduction #7
The Case
Three unrelated production systems failed simultaneously at 3:15 AM, causing a major outage. Investigation reveals a bad TLS certificate was pushed to the shared configuration server. Six engineers had some level of access: Layla (DevOps), Faisal (SysAdmin), Grace (Backend), Hugo (Frontend), Kenji (QA), and Noor (Security). Case file EINSTEIN-007.
Who pushed the bad certificate?
Evidence (10)
#1 All three failed systems depend on TLS certificates from configuration server config-01.
#2 A malformed certificate was pushed to config-01 at 3:12 AM via the deployment API.
#3 The deployment API requires a personal API key. The push used Layla's API key.
#4 Faisal has sudo access to config-01's OS, but the change was done via API, not direct filesystem access.
#5 Grace, Hugo, and Kenji have read-only access to config-01.
#6 Noor can audit config-01 logs but cannot push configuration changes.
#7 VPN logs show a connection from Layla's home IP at 3:08 AM — four minutes before the push.
#8 Layla's API key was stored on a team wiki page, but that page's access log shows no views in the past 30 days except by Layla.
#9 Network logs confirm the deployment API call at 3:12 AM originated from Layla's VPN session.
#10 Layla was disciplined the previous week for an unrelated incident and expressed frustration to a colleague.