Initial SOC memory POC implementation

evaluation/datasets/normalized_kb/KB-O365-IMPOSSIBLE-TRAVEL.json

@@ -0,0 +1,34 @@
+{
+  "id": "KB-O365-IMPOSSIBLE-TRAVEL",
+  "memory_type": "knowledge",
+  "doc_type": "kb",
+  "scenario": "o365_suspicious_login",
+  "title": "Interpreting O365 Impossible Travel Alerts",
+  "abstract": "Guidance for validating impossible travel alerts, including VPN, proxy, and approved travel false-positive conditions.",
+  "key_points": [
+    "Impossible travel must be validated against user travel context.",
+    "VPN egress and cloud proxy routing are common false-positive sources.",
+    "Pair sign-in anomaly with MFA, mailbox, or device anomalies before concluding compromise."
+  ],
+  "investigation_guidance": [
+    "Validate source ASN and IP history.",
+    "Check user-approved travel or remote work context.",
+    "Compare device ID and user agent consistency."
+  ],
+  "decision_points": [
+    "User denial of travel plus new device strongly increases confidence.",
+    "Approved travel and trusted VPN topology reduce confidence."
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-O365-LOGIN-001"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-O365-IMPOSSIBLE-TRAVEL.json",
+  "tags": [
+    "kb",
+    "o365",
+    "impossible-travel"
+  ]
+}