{ "case_id": "CASE-2026-1005", "title": "Traveling executive triggered impossible travel but activity was legitimate", "scenario": "o365_suspicious_login", "alert_type": "azuread_impossible_travel", "severity": "medium", "status": "false_positive", "time_window": {"start": "2026-04-09T09:00:00+08:00", "end": "2026-04-09T09:40:00+08:00"}, "summary": "Executive account triggered impossible travel due to a corporate VPN exit node while the user was on an approved overseas trip.", "alert_source": "Microsoft Entra ID", "entities": {"users": ["grace@corp.example"], "hosts": ["VIP-LAPTOP-01"], "mailboxes": ["grace@corp.example"]}, "observables": {"ips": ["192.0.2.90", "203.0.113.77"], "domains": [], "urls": [], "hashes": []}, "evidence": ["Approved travel request existed.", "One login originated from a corporate VPN exit node.", "Device and user agent were consistent with the known user profile."], "investigation_steps": ["Check travel approval and itinerary.", "Review VPN egress mapping.", "Compare user agent and managed device posture."], "conclusion": {"verdict": "false_positive", "reason": "Legitimate travel combined with VPN routing caused the impossible travel signal.", "recommended_actions": ["Document travel context and improve the analyst checklist."]}, "related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "kb": ["KB-O365-IMPOSSIBLE-TRAVEL"], "cases": []}, "lessons_learned": ["Impossible travel triage should consider approved travel and VPN topology before escalation."], "tags": ["o365", "login", "false-positive", "travel"] }