{ "id": "KB-O365-IMPOSSIBLE-TRAVEL", "memory_type": "knowledge", "doc_type": "kb", "scenario": "o365_suspicious_login", "title": "Interpreting O365 Impossible Travel Alerts", "abstract": "Guidance for validating impossible travel alerts, including VPN, proxy, and approved travel false-positive conditions.", "key_points": [ "Impossible travel must be validated against user travel context.", "VPN egress and cloud proxy routing are common false-positive sources.", "Pair the sign-in anomaly with MFA, mailbox, or device anomalies before concluding compromise." ], "investigation_guidance": [ "Validate source ASN and IP history.", "Check the user's approved-travel or remote-work context.", "Compare device ID and user-agent consistency." ], "decision_points": [ "User denial of travel plus a new device strongly increases confidence.", "Approved travel and trusted VPN topology reduce confidence." ], "related_refs": { "playbooks": [ "PB-O365-LOGIN-001" ], "cases": [] }, "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-O365-IMPOSSIBLE-TRAVEL.json", "tags": [ "kb", "o365", "impossible-travel" ] }