{ "case_id": "CASE-2026-1002", "title": "Legacy protocol sign-in from unfamiliar IP blocked by policy", "scenario": "o365_suspicious_login", "alert_type": "azuread_legacy_auth_attempt", "severity": "medium", "status": "false_positive", "time_window": {"start": "2026-04-04T07:50:00+08:00", "end": "2026-04-04T08:10:00+08:00"}, "summary": "A legacy (basic) authentication attempt from a cloud IP against a migration service account was blocked by policy before any session was issued; the investigation tied the attempt to an approved migration tool test under a change ticket.", "alert_source": "Microsoft Entra ID", "entities": {"users": ["svc-migration@corp.example"], "hosts": [], "mailboxes": ["svc-migration@corp.example"]}, "observables": {"ips": ["192.0.2.24"], "domains": [], "urls": [], "hashes": []}, "evidence": ["The account is a known migration service account listed in the service account inventory.", "Source IP matched the approved cloud migration vendor range. Note: a range match is weaker corroboration than the change ticket, since cloud ranges can be shared; it is treated as supporting evidence, not proof of the client.", "No successful sign-in occurred: the policy block rejected the attempt before authentication completed, so no token or session was issued."], "investigation_steps": ["Review the service account inventory to confirm the account's owner and intended use.", "Check the change ticket for migration activity and confirm the attempt timestamp falls inside the approved change window.", "Validate the source IP against the vendor allowlist.", "Confirm there were no successful sign-ins for the account, or from the same IP, elsewhere in the window."], "conclusion": {"verdict": "false_positive", "reason": "Expected migration tool behavior: the attempt used legacy authentication, was blocked by policy, came from the approved vendor range, and fell inside an approved change window.", "recommended_actions": ["Tune alert suppression for approved migration windows, scoped to this service account, the approved vendor IP range, and blocked attempts only; successful legacy sign-ins must continue to alert.", "Ask the migration tool owner to configure the tool for modern authentication where it supports it, so the tool stops generating legacy auth attempts that the policy is meant to reject."]}, "related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "kb": ["KB-O365-LEGACY-AUTH"], "cases": []}, "lessons_learned": ["Service account context (inventory, owner, change ticket) is essential before escalating legacy auth alerts.", "A blocked attempt is still a signal: if the same account were to sign in successfully over a legacy protocol, the blocked-attempt outcome in this case would not apply and the alert should be escalated."], "tags": ["o365", "login", "false-positive", "legacy-auth"] }