{ "id": "PB-O365-LOGIN-001", "memory_type": "knowledge", "doc_type": "playbook", "scenario": "o365_suspicious_login", "title": "O365 Suspicious Login Investigation Playbook", "abstract": "Standard investigation steps for suspicious Entra ID sign-ins, impossible travel, MFA abuse, and follow-on mailbox abuse.", "key_points": [ "Confirm the user's travel and business context.", "Review sign-in logs, device IDs, and user agents.", "Inspect downstream actions such as inbox rules, app consent, and forwarding." ], "investigation_guidance": [ "Correlate MFA telemetry with the sign-in sequence.", "Check the risky sign-ins and risky users views.", "Revoke sessions and reset credentials when compromise is confirmed." ], "decision_points": [ "Impossible travel alone is insufficient; corroborating evidence is required.", "Inbox rule creation after a foreign login strongly increases confidence of compromise." ], "related_refs": { "kb": [ "KB-O365-IMPOSSIBLE-TRAVEL", "KB-O365-MFA-FATIGUE", "KB-O365-INBOX-RULE-ABUSE" ], "cases": [] }, "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/playbooks/PB-O365-LOGIN-001.json", "tags": [ "playbook", "o365", "login" ] }