Initial SOC memory POC implementation

evaluation/datasets/normalized_cases/CASE-2026-1001.json

@@ -0,0 +1,56 @@
+{
+  "id": "CASE-2026-1001",
+  "memory_type": "case",
+  "scenario": "o365_suspicious_login",
+  "title": "Impossible travel login followed by MFA prompt fatigue",
+  "abstract": "User account showed impossible travel between Shanghai and Amsterdam, followed by repeated MFA prompts and successful sign-in.",
+  "verdict": "true_positive",
+  "severity": "high",
+  "entities": {
+    "users": [
+      "david@corp.example"
+    ],
+    "hosts": [
+      "WS-DAVID-01"
+    ],
+    "mailboxes": [
+      "david@corp.example"
+    ]
+  },
+  "observables": {
+    "ips": [
+      "203.0.113.150",
+      "198.51.100.61"
+    ],
+    "domains": [],
+    "urls": [],
+    "hashes": []
+  },
+  "evidence": [
+    "Two successful sign-ins from geographically impossible locations within 15 minutes.",
+    "MFA challenge volume increased abnormally before final success.",
+    "User confirmed they did not initiate overseas login."
+  ],
+  "patterns": [
+    "verdict:true_positive",
+    "scenario:o365_suspicious_login",
+    "alert_type:azuread_impossible_travel"
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-O365-LOGIN-001"
+    ],
+    "kb": [
+      "KB-O365-IMPOSSIBLE-TRAVEL",
+      "KB-O365-MFA-FATIGUE"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_cases/o365_suspicious_login/CASE-2026-1001.json",
+  "tags": [
+    "o365",
+    "login",
+    "impossible-travel",
+    "mfa-fatigue"
+  ]
+}