{
"case_id": "CASE-2026-1001",
"title": "Impossible travel login followed by MFA prompt fatigue",
"scenario": "o365_suspicious_login",
"alert_type": "azuread_impossible_travel",
"severity": "high",
"status": "confirmed",
"time_window": {"start": "2026-04-02T22:10:00+08:00", "end": "2026-04-02T23:30:00+08:00"},
"summary": "User account showed impossible travel between Shanghai and Amsterdam, followed by repeated MFA prompts and successful sign-in.",
"alert_source": "Microsoft Entra ID",
"entities": {"users": ["david@corp.example"], "hosts": ["WS-DAVID-01"], "mailboxes": ["david@corp.example"]},
"observables": {"ips": ["203.0.113.150", "198.51.100.61"], "domains": [], "urls": [], "hashes": []},
"evidence": ["Two successful sign-ins (Shanghai, then Amsterdam) within 15 minutes, a distance that cannot be travelled in that time.", "An abnormal burst of MFA challenges preceded the final approved sign-in, consistent with a prompt-fatigue pattern.", "User confirmed they did not initiate the overseas login."],
"investigation_steps": ["Review Entra ID sign-in logs for both source IPs, comparing device IDs and user agents between the two sign-ins.", "Reconstruct the MFA event sequence (challenges sent, denied, approved) and confirm which IP the final approval was tied to.", "Validate the user's travel status with their manager and rule out corporate VPN or proxy egress as a benign explanation for the location change."],
"conclusion": {"verdict": "true_positive", "reason": "Impossible travel corroborated by user denial and an MFA prompt-fatigue pattern ending in an approved sign-in.", "recommended_actions": ["Revoke all active sessions and refresh tokens, then reset credentials; remove any MFA methods or devices registered during the incident window.", "Review mailbox inbox rules and forwarding settings, and audit OAuth app consents granted by the account, for attacker persistence."]},
"related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "kb": ["KB-O365-IMPOSSIBLE-TRAVEL", "KB-O365-MFA-FATIGUE"], "cases": []},
"lessons_learned": ["Impossible-travel alerts should not be acted on alone: corroborate them with user confirmation and MFA telemetry (challenge counts and the deny/approve sequence), since VPN or proxy egress produces the same geolocation pattern without compromise."],
"tags": ["o365", "login", "impossible-travel", "mfa-fatigue"]
}