{
"case_id": "CASE-2026-1002",
"title": "Legacy protocol sign-in from unfamiliar IP blocked by policy",
"scenario": "o365_suspicious_login",
"alert_type": "azuread_legacy_auth_attempt",
"severity": "medium",
"status": "false_positive",
"time_window": {"start": "2026-04-04T07:50:00+08:00", "end": "2026-04-04T08:10:00+08:00"},
"summary": "Legacy authentication attempt from a cloud IP was blocked; investigation tied it to an approved migration tool test.",
"alert_source": "Microsoft Entra ID",
"entities": {"users": ["svc-migration@corp.example"], "hosts": [], "mailboxes": ["svc-migration@corp.example"]},
"observables": {"ips": ["192.0.2.24"], "domains": [], "urls": [], "hashes": []},
"evidence": ["The account is a known migration service account.", "Source IP fell within the approved cloud migration vendor's IP range.", "No successful sign-in occurred because the policy blocked the attempt."],
"investigation_steps": ["Review service account inventory.", "Check change ticket for migration activity.", "Validate source IP against vendor allowlist."],
"conclusion": {"verdict": "false_positive", "reason": "Expected migration tool behavior with policy block and approved change window.", "recommended_actions": ["Tune alert suppression for approved migration windows."]},
"related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "kb": ["KB-O365-LEGACY-AUTH"], "cases": []},
"lessons_learned": ["Service account context is essential before escalating legacy auth alerts."],
"tags": ["o365", "login", "false-positive", "legacy-auth"]
}