Initial SOC memory POC implementation

2026-04-27 17:13:06 +08:00
parent fc68581198
commit e6b1520bce
89 changed files with 7610 additions and 1 deletions
--- a/evaluation/datasets/normalized_kb/PB-O365-LOGIN-001.json
+++ b/evaluation/datasets/normalized_kb/PB-O365-LOGIN-001.json
@ -0,0 +1,36 @@
+{
+  "id": "PB-O365-LOGIN-001",
+  "memory_type": "knowledge",
+  "doc_type": "playbook",
+  "scenario": "o365_suspicious_login",
+  "title": "O365 Suspicious Login Investigation Playbook",
+  "abstract": "Standard investigation steps for suspicious Entra ID sign-ins, impossible travel, MFA abuse, and follow-on mailbox abuse.",
+  "key_points": [
+    "Confirm user travel and business context.",
+    "Review sign-in logs, device IDs, and user agents.",
+    "Inspect downstream actions such as inbox rules, app consent, and forwarding."
+  ],
+  "investigation_guidance": [
+    "Correlate MFA telemetry with sign-in sequence.",
+    "Check risky sign-ins and risky users views.",
+    "Revoke sessions and reset credentials when compromise is confirmed."
+  ],
+  "decision_points": [
+    "Impossible travel alone is insufficient without corroborating evidence.",
+    "Inbox rule creation after foreign login strongly increases confidence of compromise."
+  ],
+  "related_refs": {
+    "kb": [
+      "KB-O365-IMPOSSIBLE-TRAVEL",
+      "KB-O365-MFA-FATIGUE",
+      "KB-O365-INBOX-RULE-ABUSE"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/playbooks/PB-O365-LOGIN-001.json",
+  "tags": [
+    "playbook",
+    "o365",
+    "login"
+  ]
+}