{
"id": "CASE-2026-1003",
"memory_type": "case",
"scenario": "o365_suspicious_login",
"title": "Suspicious inbox rule creation after successful foreign login",
"abstract": "An overseas sign-in to Microsoft 365 was followed by inbox rule creation to hide finance-related emails.",
"verdict": "true_positive",
"severity": "high",
"entities": {
"users": [
"emma@corp.example"
],
"hosts": [
"WS-EMMA-07"
],
"mailboxes": [
"emma@corp.example"
]
},
"observables": {
"ips": [
"198.51.100.98"
],
"domains": [],
"urls": [],
"hashes": []
},
"evidence": [
"Successful sign-in from untrusted ASN.",
"Inbox rule moved wire-transfer emails to the RSS Feeds folder.",
"Mailbox audit log showed the rule was created minutes after the login."
],
"patterns": [
"verdict:true_positive",
"scenario:o365_suspicious_login",
"alert_type:azuread_suspicious_inbox_rule_after_login"
],
"related_refs": {
"playbooks": [
"PB-O365-LOGIN-001"
],
"kb": [
"KB-O365-INBOX-RULE-ABUSE",
"KB-O365-IMPOSSIBLE-TRAVEL"
],
"cases": []
},
"source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_cases/o365_suspicious_login/CASE-2026-1003.json",
"tags": [
"o365",
"login",
"inbox-rule",
"account-compromise"
]
}