--- case_id: CASE-2026-1005 scenario: o365_suspicious_login alert_type: azuread_impossible_travel severity: medium verdict: false_positive source: soc-memory-poc openviking_enriched: true --- # CASE-2026-1005 Traveling executive triggered impossible travel but activity was legitimate ## 基本信息 - Case ID: CASE-2026-1005 - 标题: Traveling executive triggered impossible travel but activity was legitimate - 告警类型: azuread_impossible_travel - 来源系统: SOC Memory POC Mock Dataset - 时间范围: 待补充 - 研判人 / Agent: AI Agent Draft - 最终结论: 误报 - 严重等级: medium ## 告警摘要 Executive account triggered impossible travel due to corporate VPN exit node while the user was on an approved overseas trip. ## 关键实体 - 用户: grace@corp.example - 主机: VIP-LAPTOP-01 - 邮箱: grace@corp.example - IP: 192.0.2.90, 203.0.113.77 - 域名: 无 - 文件 Hash: 无 - 其他 IOC: 无 ## 关键证据 - Approved travel request existed. - One login originated from corporate VPN exit node. - Device and user agent were consistent with known user profile. ## 研判过程摘要 1. 确认告警场景与核心风险:Executive account triggered impossible travel due to corporate VPN exit node while the user was on an approved overseas trip. 2. 提取关键证据并交叉验证:Approved travel request existed. 3. 对照关联 playbook / KB 复核告警模式与处置路径。 4. 基于关键证据与场景模式完成结论判定:误报。 ## 结论依据 - 结论为误报。 - 最关键依据:Approved travel request existed. - 补充依据:One login originated from corporate VPN exit node. ## 处置建议 - 记录误报原因,并更新检测例外或抑制条件。 ## 可复用模式 - 命中模式: scenario:o365_suspicious_login, alert_type:azuread_impossible_travel - 误报特征: 本案最终确认为误报,可用于补充抑制条件。 - 需关注的变体: 相关标签:o365, login, false-positive, travel ## 关联知识 - 关联 Playbook: [[PB-O365-LOGIN-001]] - 关联 KB: [[KB-O365-IMPOSSIBLE-TRAVEL]] - 关联历史 Case: [[CASE-2026-1001]], [[CASE-2026-1004]] - 关联实体: [[grace@corp.example]], [[VIP-LAPTOP-01]] ## 自动关联推荐 ### 推荐历史 Case - [[CASE-2026-1001]] (case score=0.684) This directory contains a structured security incident case report related to a high-severity event in an Office 365 environment, identified... - [[CASE-2026-1004]] (case score=0.63) This directory contains a single incident case file related to a suspicious Microsoft 365 login attempt, identified as CASE-2026-1004. The c... ### 推荐知识条目 - [[KB-O365-IMPOSSIBLE-TRAVEL]] (knowledge score=0.703) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events... - [[PB-O365-LOGIN-001]] (knowledge score=0.626) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M... ## Lessons Learned - 本案可沉淀为后续同类告警的快速判定参考。 - 若后续出现相同 lure、同类登录模式或相同关键证据,应优先联想本案与关联知识。 ## 标签 - #case - #scenario/o365_suspicious_login - #alert/azuread_impossible_travel - #verdict/false-positive - #o365 - #login - #false-positive - #travel