{
"case_id": "CASE-2026-1005",
"title": "Traveling executive triggered impossible travel but activity was legitimate",
"scenario": "o365_suspicious_login",
"alert_type": "azuread_impossible_travel",
"severity": "medium",
"status": "false_positive",
"time_window": {"start": "2026-04-09T09:00:00+08:00", "end": "2026-04-09T09:40:00+08:00"},
"summary": "Executive account triggered impossible travel due to corporate VPN exit node while the user was on an approved overseas trip.",
"alert_source": "Microsoft Entra ID",
"entities": {"users": ["grace@corp.example"], "hosts": ["VIP-LAPTOP-01"], "mailboxes": ["grace@corp.example"]},
"observables": {"ips": ["192.0.2.90", "203.0.113.77"], "domains": [], "urls": [], "hashes": []},
"evidence": ["Approved travel request existed.", "One login originated from corporate VPN exit node.", "Device and user agent were consistent with known user profile."],
"investigation_steps": ["Check travel approval and itinerary.", "Review VPN egress mapping.", "Compare user agent and managed device posture."],
"conclusion": {"verdict": "false_positive", "reason": "Legitimate travel combined with corporate VPN routing produced the impossible travel signal.", "recommended_actions": ["Document travel context and improve analyst checklist."]},
"related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "kb": ["KB-O365-IMPOSSIBLE-TRAVEL"], "cases": []},
"lessons_learned": ["Impossible travel alerts should be checked against approved travel and VPN topology before escalation."],
"tags": ["o365", "login", "false-positive", "travel"]
}