Initial SOC memory POC implementation

evaluation/datasets/mock_cases/o365_suspicious_login/CASE-2026-1002.json

@@ -0,0 +1,19 @@
+{
+  "case_id": "CASE-2026-1002",
+  "title": "Legacy protocol sign-in from unfamiliar IP blocked by policy",
+  "scenario": "o365_suspicious_login",
+  "alert_type": "azuread_legacy_auth_attempt",
+  "severity": "medium",
+  "status": "false_positive",
+  "time_window": {"start": "2026-04-04T07:50:00+08:00", "end": "2026-04-04T08:10:00+08:00"},
+  "summary": "Legacy authentication attempt from a cloud IP was blocked; investigation tied it to an approved migration tool test.",
+  "alert_source": "Microsoft Entra ID",
+  "entities": {"users": ["svc-migration@corp.example"], "hosts": [], "mailboxes": ["svc-migration@corp.example"]},
+  "observables": {"ips": ["192.0.2.24"], "domains": [], "urls": [], "hashes": []},
+  "evidence": ["The account is a known migration service account.", "Source IP matched approved cloud migration vendor range.", "No successful sign-in occurred due to policy block."],
+  "investigation_steps": ["Review service account inventory.", "Check change ticket for migration activity.", "Validate source IP against vendor allowlist."],
+  "conclusion": {"verdict": "false_positive", "reason": "Expected migration tool behavior with policy block and approved change window.", "recommended_actions": ["Tune alert suppression for approved migration windows."]},
+  "related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "kb": ["KB-O365-LEGACY-AUTH"], "cases": []},
+  "lessons_learned": ["Service account context is essential before escalating legacy auth alerts."],
+  "tags": ["o365", "login", "false-positive", "legacy-auth"]
+}