---
case_id: CASE-2026-1002
scenario: o365_suspicious_login
alert_type: azuread_legacy_auth_attempt
severity: medium
verdict: false_positive
source: soc-memory-poc
openviking_enriched: true
---

# CASE-2026-1002 Legacy protocol sign-in from unfamiliar IP blocked by policy

## Basic information

- Case ID: CASE-2026-1002
- Title: Legacy protocol sign-in from unfamiliar IP blocked by policy
- Alert type: azuread_legacy_auth_attempt
- Source system: SOC Memory POC Mock Dataset
- Time range: to be added
- Analyst / Agent: AI Agent Draft
- Final verdict: false positive
- Severity: medium

## Alert summary

Legacy authentication attempt from a cloud IP was blocked; investigation tied it to an approved migration tool test.

## Key entities

- User: svc-migration@corp.example
- Host: none
- Mailbox: svc-migration@corp.example
- IP: 192.0.2.24
- Domain: none
- File hash: none
- Other IOCs: none

## Key evidence

- The account is a known migration service account.
- Source IP matched approved cloud migration vendor range.
- No successful sign-in occurred due to policy block.

## Triage process summary

1. Confirm the alert scenario and core risk: a legacy authentication attempt from a cloud IP was blocked; investigation tied it to an approved migration tool test.
2. Extract key evidence and cross-validate it: the account is a known migration service account, the source IP falls inside the approved vendor range, and no successful sign-in occurred.
3. Review the alert pattern and handling path against the linked playbook / KB entries.
4. Reach a verdict from the key evidence and scenario pattern: false positive.

## Basis for the verdict

- Verdict: false positive.
- Primary basis: the account is a known migration service account.
- Supporting basis: the source IP matched the approved cloud migration vendor range.

## Recommended actions

- Record the false-positive reason and update the detection exception or suppression conditions.
- Scope any suppression to the three conditions observed here together (this service account, the approved vendor range, and a policy-blocked outcome); a successful legacy sign-in, or an attempt from outside the vendor range, should still alert.

## Reusable pattern

- Matched pattern: scenario:o365_suspicious_login, alert_type:azuread_legacy_auth_attempt
- False-positive characteristics: this case was confirmed as a false positive and can be used to refine suppression conditions.
- Variants to watch: related tags: o365, login, false-positive, legacy-auth

## Linked knowledge

- Linked playbook: [[PB-O365-LOGIN-001]]
- Linked KB: [[KB-O365-LEGACY-AUTH]], [[KB-O365-IMPOSSIBLE-TRAVEL]]
- Linked historical cases: [[CASE-2026-1001]], [[CASE-2026-1004]]
- Linked entities: [[svc-migration@corp.example]]

## Automatic association recommendations

### Recommended historical cases

- [[CASE-2026-1001]] (case score=0.651) This directory contains a structured security incident case report related to a high-severity event in an Office 365 environment, identified...
- [[CASE-2026-1004]] (case score=0.634) This directory contains a single incident case file related to a suspicious Microsoft 365 login attempt, identified as CASE-2026-1004. The c...

### Recommended knowledge entries

- [[KB-O365-IMPOSSIBLE-TRAVEL]] (knowledge score=0.626) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...
- [[PB-O365-LOGIN-001]] (knowledge score=0.61) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...

## Lessons Learned

- This case can serve as a quick-reference precedent for later alerts of the same type.
- If the same lure, the same sign-in pattern, or the same key evidence appears again, consult this case and its linked knowledge first.

## Tags

- #case
- #scenario/o365_suspicious_login
- #alert/azuread_legacy_auth_attempt
- #verdict/false-positive
- #o365
- #login
- #false-positive
- #legacy-auth
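The recommended action in this case is to record the false-positive reason and update the suppression conditions. The following is an added example, not part of the original case file and not Microsoft tooling, showing how narrowly that suppression should be scoped: a legacy-auth alert is suppressed only when the account is the known migration service account, the source IP sits inside the approved vendor range, and the attempt was blocked, so a successful legacy sign-in or an attempt from outside the range still alerts. Record fields follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, clientAppUsed, status.errorCode, conditionalAccessStatus); the vendor range 192.0.2.0/27 and every sample record are constructed assumptions for this example.

```python
"""Suppression check for policy-blocked legacy-auth attempts from an approved vendor.

Added example, not part of the original case file or of any product. Record
fields follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress,
clientAppUsed, status.errorCode, conditionalAccessStatus); the sample records
are constructed for this example and are not real tenant data.
"""
import ipaddress

# clientAppUsed values that indicate legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
    "MAPI Over HTTP", "Exchange Web Services", "Other clients",
}

# Allow-list from CASE-2026-1002. The account is the one in the case; the
# vendor range is a hypothetical value standing in for the approved
# migration vendor's published range (192.0.2.24 falls inside it).
APPROVED_MIGRATION_ACCOUNTS = {"svc-migration@corp.example"}
APPROVED_VENDOR_RANGES = [ipaddress.ip_network("192.0.2.0/27")]


def is_legacy_auth(record):
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def in_approved_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_VENDOR_RANGES)


def was_blocked(record):
    """True when no session resulted: Conditional Access failed or the token request errored."""
    ca_failed = record.get("conditionalAccessStatus") == "failure"
    errored = record.get("status", {}).get("errorCode", 0) != 0
    return ca_failed or errored


def triage(record):
    """Return 'ignore', 'suppress' or 'alert' for one sign-in record.

    Suppress only when ALL three conditions from the case hold at once:
    known migration account, approved vendor range, and a blocked outcome.
    Any one condition alone is not enough.
    """
    if not is_legacy_auth(record):
        return "ignore"
    if (record.get("userPrincipalName") in APPROVED_MIGRATION_ACCOUNTS
            and in_approved_range(record["ipAddress"])
            and was_blocked(record)):
        return "suppress"
    return "alert"


def triage_all(records):
    return [triage(r) for r in records]


# Constructed sample records (not real tenant data). 53003 is the
# "blocked by Conditional Access" error code; 0 means success.
SAMPLE_SIGNINS = [
    # The CASE-2026-1002 event: blocked IMAP attempt from the approved vendor range.
    {"userPrincipalName": "svc-migration@corp.example", "ipAddress": "192.0.2.24",
     "clientAppUsed": "IMAP4", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}},
    # Same account and range, but the legacy sign-in SUCCEEDED: policy did not block it.
    {"userPrincipalName": "svc-migration@corp.example", "ipAddress": "192.0.2.24",
     "clientAppUsed": "IMAP4", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}},
    # Same account, blocked, but from outside the approved vendor range.
    {"userPrincipalName": "svc-migration@corp.example", "ipAddress": "203.0.113.5",
     "clientAppUsed": "IMAP4", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}},
    # A different user attempting legacy auth from inside the vendor range.
    {"userPrincipalName": "alice@corp.example", "ipAddress": "192.0.2.30",
     "clientAppUsed": "Exchange ActiveSync", "conditionalAccessStatus": "failure",
     "status": {"errorCode": 53003}},
    # Ordinary modern-auth browser sign-in: out of scope for this rule.
    {"userPrincipalName": "alice@corp.example", "ipAddress": "198.51.100.7",
     "clientAppUsed": "Browser", "conditionalAccessStatus": "success",
     "status": {"errorCode": 0}},
]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_SIGNINS, triage_all(SAMPLE_SIGNINS)):
        print(f"{verdict:8s} {rec['userPrincipalName']} {rec['ipAddress']} {rec['clientAppUsed']}")
```

Only the first record, which mirrors this case, is suppressed. The second record is the one to watch for: the same account from the same range, but the legacy sign-in succeeded, which means the blocking policy no longer covers it and the alert must fire rather than inherit this case's false-positive verdict.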