{ "id": "CASE-2026-1001", "memory_type": "case", "scenario": "o365_suspicious_login", "title": "Impossible travel login followed by MFA prompt fatigue", "abstract": "User account showed impossible travel between Shanghai and Amsterdam, followed by repeated MFA prompts and a successful sign-in.", "verdict": "true_positive", "severity": "high", "entities": { "users": [ "david@corp.example" ], "hosts": [ "WS-DAVID-01" ], "mailboxes": [ "david@corp.example" ] }, "observables": { "ips": [ "203.0.113.150", "198.51.100.61" ], "domains": [], "urls": [], "hashes": [] }, "evidence": [ "Two successful sign-ins within 15 minutes from locations too far apart to travel between in that time.", "MFA challenge volume increased abnormally before the final successful sign-in.", "User confirmed they did not initiate the overseas login." ], "patterns": [ "verdict:true_positive", "scenario:o365_suspicious_login", "alert_type:azuread_impossible_travel" ], "related_refs": { "playbooks": [ "PB-O365-LOGIN-001" ], "kb": [ "KB-O365-IMPOSSIBLE-TRAVEL", "KB-O365-MFA-FATIGUE" ], "cases": [] }, "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_cases/o365_suspicious_login/CASE-2026-1001.json", "tags": [ "o365", "login", "impossible-travel", "mfa-fatigue" ] }