16 lines
1.1 KiB
JSON
16 lines
1.1 KiB
JSON
{
|
|
"doc_id": "KB-O365-IMPOSSIBLE-TRAVEL",
|
|
"doc_type": "kb",
|
|
"title": "Interpreting O365 Impossible Travel Alerts",
|
|
"scenario": "o365_suspicious_login",
|
|
"summary": "Guidance for validating impossible travel alerts, including VPN, proxy, and approved travel false-positive conditions.",
|
|
"applicability": ["azuread_impossible_travel"],
|
|
"key_points": ["Impossible travel must be validated against user travel context.", "VPN egress and cloud proxy routing are common false-positive sources.", "Pair sign-in anomaly with MFA, mailbox, or device anomalies before concluding compromise."],
|
|
"investigation_guidance": ["Validate source ASN and IP history.", "Check user-approved travel or remote work context.", "Compare device ID and user agent consistency."],
|
|
"decision_points": ["User denial of travel plus new device strongly increases confidence.", "Approved travel and trusted VPN topology reduce confidence."],
|
|
"related_entities": {"ttps": ["T1078"], "iocs": []},
|
|
"related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "cases": []},
|
|
"tags": ["kb", "o365", "impossible-travel"],
|
|
"updated_at": "2026-04-10T09:30:00+08:00"
|
|
}
|