Initial SOC memory POC implementation

2026-04-27 17:13:06 +08:00
parent fc68581198
commit e6b1520bce
89 changed files with 7610 additions and 1 deletions
--- a/evaluation/datasets/mock_cases/o365_suspicious_login/CASE-2026-1005.json
+++ b/evaluation/datasets/mock_cases/o365_suspicious_login/CASE-2026-1005.json
@ -0,0 +1,19 @@
+{
+  "case_id": "CASE-2026-1005",
+  "title": "Traveling executive triggered impossible travel but activity was legitimate",
+  "scenario": "o365_suspicious_login",
+  "alert_type": "azuread_impossible_travel",
+  "severity": "medium",
+  "status": "false_positive",
+  "time_window": {"start": "2026-04-09T09:00:00+08:00", "end": "2026-04-09T09:40:00+08:00"},
+  "summary": "Executive account triggered impossible travel due to corporate VPN exit node while the user was on an approved overseas trip.",
+  "alert_source": "Microsoft Entra ID",
+  "entities": {"users": ["grace@corp.example"], "hosts": ["VIP-LAPTOP-01"], "mailboxes": ["grace@corp.example"]},
+  "observables": {"ips": ["192.0.2.90", "203.0.113.77"], "domains": [], "urls": [], "hashes": []},
+  "evidence": ["Approved travel request existed.", "One login originated from corporate VPN exit node.", "Device and user agent were consistent with known user profile."],
+  "investigation_steps": ["Check travel approval and itinerary.", "Review VPN egress mapping.", "Compare user agent and managed device posture."],
+  "conclusion": {"verdict": "false_positive", "reason": "Legitimate travel combined with VPN routing caused impossible travel signal.", "recommended_actions": ["Document travel context and improve analyst checklist."]},
+  "related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "kb": ["KB-O365-IMPOSSIBLE-TRAVEL"], "cases": []},
+  "lessons_learned": ["Impossible travel should consider approved travel and VPN topology before escalation."],
+  "tags": ["o365", "login", "false-positive", "travel"]
+}