34 lines
1.2 KiB
JSON
34 lines
1.2 KiB
JSON
{
|
|
"id": "KB-O365-IMPOSSIBLE-TRAVEL",
|
|
"memory_type": "knowledge",
|
|
"doc_type": "kb",
|
|
"scenario": "o365_suspicious_login",
|
|
"title": "Interpreting O365 Impossible Travel Alerts",
|
|
"abstract": "Guidance for validating impossible travel alerts, including VPN, proxy, and approved travel false-positive conditions.",
|
|
"key_points": [
|
|
"Impossible travel must be validated against user travel context.",
|
|
"VPN egress and cloud proxy routing are common false-positive sources.",
|
|
"Pair sign-in anomaly with MFA, mailbox, or device anomalies before concluding compromise."
|
|
],
|
|
"investigation_guidance": [
|
|
"Validate source ASN and IP history.",
|
|
"Check user-approved travel or remote work context.",
|
|
"Compare device ID and user agent consistency."
|
|
],
|
|
"decision_points": [
|
|
"User denial of travel plus new device strongly increases confidence.",
|
|
"Approved travel and trusted VPN topology reduce confidence."
|
|
],
|
|
"related_refs": {
|
|
"playbooks": [
|
|
"PB-O365-LOGIN-001"
|
|
],
|
|
"cases": []
|
|
},
|
|
"source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-O365-IMPOSSIBLE-TRAVEL.json",
|
|
"tags": [
|
|
"kb",
|
|
"o365",
|
|
"impossible-travel"
|
|
]
|
|
} |