Initial SOC memory POC implementation

evaluation/datasets/mock_kb/playbooks/PB-O365-LOGIN-001.json

@@ -0,0 +1,15 @@
+{
+  "doc_id": "PB-O365-LOGIN-001",
+  "doc_type": "playbook",
+  "title": "O365 Suspicious Login Investigation Playbook",
+  "scenario": "o365_suspicious_login",
+  "summary": "Standard investigation steps for suspicious Entra ID sign-ins, impossible travel, MFA abuse, and follow-on mailbox abuse.",
+  "applicability": ["azuread_impossible_travel", "azuread_legacy_auth_attempt", "azuread_suspicious_inbox_rule_after_login", "azuread_password_spray_attempt"],
+  "key_points": ["Confirm user travel and business context.", "Review sign-in logs, device IDs, and user agents.", "Inspect downstream actions such as inbox rules, app consent, and forwarding."],
+  "investigation_guidance": ["Correlate MFA telemetry with sign-in sequence.", "Check risky sign-ins and risky users views.", "Revoke sessions and reset credentials when compromise is confirmed."],
+  "decision_points": ["Impossible travel alone is insufficient without corroborating evidence.", "Inbox rule creation after foreign login strongly increases confidence of compromise."],
+  "related_entities": {"ttps": ["T1078"], "iocs": []},
+  "related_refs": {"kb": ["KB-O365-IMPOSSIBLE-TRAVEL", "KB-O365-MFA-FATIGUE", "KB-O365-INBOX-RULE-ABUSE"], "cases": []},
+  "tags": ["playbook", "o365", "login"],
+  "updated_at": "2026-04-10T09:10:00+08:00"
+}