36 lines
1.2 KiB
JSON
36 lines
1.2 KiB
JSON
{
|
|
"id": "PB-O365-LOGIN-001",
|
|
"memory_type": "knowledge",
|
|
"doc_type": "playbook",
|
|
"scenario": "o365_suspicious_login",
|
|
"title": "O365 Suspicious Login Investigation Playbook",
|
|
"abstract": "Standard investigation steps for suspicious Entra ID sign-ins, impossible travel, MFA abuse, and follow-on mailbox abuse.",
|
|
"key_points": [
|
|
"Confirm user travel and business context.",
|
|
"Review sign-in logs, device IDs, and user agents.",
|
|
"Inspect downstream actions such as inbox rules, app consent, and forwarding."
|
|
],
|
|
"investigation_guidance": [
|
|
"Correlate MFA telemetry with sign-in sequence.",
|
|
"Check risky sign-ins and risky users views.",
|
|
"Revoke sessions and reset credentials when compromise is confirmed."
|
|
],
|
|
"decision_points": [
|
|
"Impossible travel alone is insufficient without corroborating evidence.",
|
|
"Inbox rule creation after foreign login strongly increases confidence of compromise."
|
|
],
|
|
"related_refs": {
|
|
"kb": [
|
|
"KB-O365-IMPOSSIBLE-TRAVEL",
|
|
"KB-O365-MFA-FATIGUE",
|
|
"KB-O365-INBOX-RULE-ABUSE"
|
|
],
|
|
"cases": []
|
|
},
|
|
"source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/playbooks/PB-O365-LOGIN-001.json",
|
|
"tags": [
|
|
"playbook",
|
|
"o365",
|
|
"login"
|
|
]
|
|
} |