Initial SOC memory POC implementation

2026-04-27 17:13:06 +08:00
parent fc68581198
commit e6b1520bce
89 changed files with 7610 additions and 1 deletions
--- a/evaluation/datasets/mock_cases/o365_suspicious_login/CASE-2026-1003.json
+++ b/evaluation/datasets/mock_cases/o365_suspicious_login/CASE-2026-1003.json
@ -0,0 +1,19 @@
+{
+  "case_id": "CASE-2026-1003",
+  "title": "Suspicious inbox rule creation after successful foreign login",
+  "scenario": "o365_suspicious_login",
+  "alert_type": "azuread_suspicious_inbox_rule_after_login",
+  "severity": "high",
+  "status": "confirmed",
+  "time_window": {"start": "2026-04-06T19:20:00+08:00", "end": "2026-04-06T20:45:00+08:00"},
+  "summary": "An overseas sign-in to Microsoft 365 was followed by inbox rule creation to hide finance-related emails.",
+  "alert_source": "Microsoft Defender for Cloud Apps",
+  "entities": {"users": ["emma@corp.example"], "hosts": ["WS-EMMA-07"], "mailboxes": ["emma@corp.example"]},
+  "observables": {"ips": ["198.51.100.98"], "domains": [], "urls": [], "hashes": []},
+  "evidence": ["Successful sign-in from untrusted ASN.", "Inbox rule moved wire transfer emails to RSS Feeds folder.", "Mailbox audit showed rule creation minutes after login."],
+  "investigation_steps": ["Review mailbox audit logs.", "Export suspicious inbox rules.", "Check for OAuth app consent and forwarding settings."],
+  "conclusion": {"verdict": "true_positive", "reason": "Account compromise indicators plus malicious inbox rule persistence.", "recommended_actions": ["Remove malicious rules.", "Reset account and revoke refresh tokens."]},
+  "related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "kb": ["KB-O365-INBOX-RULE-ABUSE", "KB-O365-IMPOSSIBLE-TRAVEL"], "cases": []},
+  "lessons_learned": ["Mailbox rule inspection should be default for suspicious O365 login cases."],
+  "tags": ["o365", "login", "inbox-rule", "account-compromise"]
+}