{ "id": "KB-O365-MFA-FATIGUE", "memory_type": "knowledge", "doc_type": "kb", "scenario": "o365_suspicious_login", "title": "MFA Fatigue Detection Notes", "abstract": "Patterns for identifying MFA fatigue / push bombing during account compromise attempts.", "key_points": [ "Repeated MFA prompts preceding one successful prompt are suspicious.", "User-reported prompt fatigue is strong supporting evidence.", "MFA fatigue is often coupled with credential theft rather than password spray alone." ], "investigation_guidance": [ "Review MFA event counts and timing.", "Check if the user acknowledged unexpected prompts.", "Look for subsequent session hijacking or mailbox abuse." ], "decision_points": [ "Prompt flood plus user denial usually warrants immediate containment." ], "related_refs": { "playbooks": [ "PB-O365-LOGIN-001" ], "cases": [] }, "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-O365-MFA-FATIGUE.json", "tags": [ "kb", "o365", "mfa-fatigue" ] }