20 lines
1.6 KiB
JSON
20 lines
1.6 KiB
JSON
{
|
|
"case_id": "CASE-2026-1004",
|
|
"title": "Multiple failed logins from residential proxy but no successful access",
|
|
"scenario": "o365_suspicious_login",
|
|
"alert_type": "azuread_password_spray_attempt",
|
|
"severity": "medium",
|
|
"status": "pending",
|
|
"time_window": {"start": "2026-04-08T02:00:00+08:00", "end": "2026-04-08T03:10:00+08:00"},
|
|
"summary": "Repeated failed Microsoft 365 sign-in attempts targeted one user from a residential proxy network, with no successful authentication observed.",
|
|
"alert_source": "Microsoft Entra ID",
|
|
"entities": {"users": ["frank@corp.example"], "hosts": [], "mailboxes": ["frank@corp.example"]},
|
|
"observables": {"ips": ["203.0.113.201"], "domains": [], "urls": [], "hashes": []},
|
|
"evidence": ["High-volume failed attempts over a short period.", "Source IP attributed to a residential proxy provider.", "No matching successful sign-in or MFA event found."],
|
|
"investigation_steps": ["Check password spray pattern across tenant.", "Confirm user recent password reset history.", "Review conditional access outcomes."],
|
|
"conclusion": {"verdict": "uncertain", "reason": "Suspicious authentication pattern but no confirmed access or downstream activity.", "recommended_actions": ["Monitor account closely.", "Consider temporary sign-in risk remediation."]},
|
|
"related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "kb": ["KB-O365-IMPOSSIBLE-TRAVEL"], "cases": []},
|
|
"lessons_learned": ["Pending cases should still capture reusable spray indicators without overcommitting verdict."],
|
|
"tags": ["o365", "login", "password-spray", "pending"]
|
|
}
|