| case_id | scenario | alert_type | severity | verdict | source | openviking_enriched |
|---|---|---|---|---|---|---|
| CASE-2026-1001 | o365_suspicious_login | azuread_impossible_travel | high | true_positive | soc-memory-poc | true |
CASE-2026-1001 Impossible travel login followed by MFA prompt fatigue
Basic information
- Case ID: CASE-2026-1001
- Title: Impossible travel login followed by MFA prompt fatigue
- Alert type: azuread_impossible_travel
- Source system: SOC Memory POC Mock Dataset
- Time range: to be filled in
- Analyst / Agent: AI Agent Draft
- Final verdict: true positive
- Severity: high
Alert summary
User account showed impossible travel between Shanghai and Amsterdam, followed by repeated MFA prompts and successful sign-in.
Key entities
- User: david@corp.example
- Host: WS-DAVID-01
- Mailbox: david@corp.example
- IP: 203.0.113.150, 198.51.100.61
- Domain: none
- File hash: none
- Other IOCs: none
Key evidence
- Two successful sign-ins from geographically impossible locations within 15 minutes.
- MFA challenge volume increased abnormally before final success.
- User confirmed they did not initiate overseas login.
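The two signals this case hinges on (successive sign-ins whose implied travel speed is implausible, and a burst of MFA challenges before the final success), re-created as detection logic over constructed sign-in events. This is an added example, not part of the case record or the SOC Memory POC dataset; the coordinates, thresholds and sample events are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt
# Constructed (lat, lon) for the two cities in the case (assumption; a real pipeline
# would take location from the IdP sign-in log or an IP geolocation source).
GEO = {"Shanghai": (31.23, 121.47), "Amsterdam": (52.37, 4.90)}
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than an airliner means impossible
MFA_BURST_THRESHOLD = 5      # assumption: this many prompts in the window is abnormal
MFA_WINDOW = timedelta(minutes=30)
SignIn = namedtuple("SignIn", "ts user ip city result")  # result: success|mfa_challenge

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events):
    """(km, minutes, km/h) for the first consecutive success pair needing an
    implausible speed; None when every transition is plausible."""
    succ = sorted((e for e in events if e.result == "success"), key=lambda e: e.ts)
    for prev, cur in zip(succ, succ[1:]):
        if prev.city == cur.city:
            continue
        km = haversine_km(GEO[prev.city], GEO[cur.city])
        hours = (cur.ts - prev.ts).total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")  # same timestamp: impossible
        if kmh > MAX_PLAUSIBLE_KMH:
            return km, hours * 60, kmh
    return None

def mfa_prompts_before_last_success(events):
    """MFA challenges inside MFA_WINDOW before the final successful sign-in."""
    last = max((e.ts for e in events if e.result == "success"), default=None)
    if last is None:
        return 0
    return sum(e.result == "mfa_challenge" and last - MFA_WINDOW <= e.ts <= last
               for e in events)

def triage(events):
    """Combine both signals the way the case's key-evidence section does."""
    travel, prompts = impossible_travel(events), mfa_prompts_before_last_success(events)
    return {"impossible_travel": travel, "mfa_prompts_before_success": prompts,
            "escalate": travel is not None and prompts >= MFA_BURST_THRESHOLD}

# Constructed sample mirroring the case: Shanghai success, six MFA prompts, Amsterdam success at +15 min.
T0, USER, AMS = datetime(2026, 1, 10, 9, 0), "david@corp.example", "198.51.100.61"
SAMPLE = [SignIn(T0, USER, "203.0.113.150", "Shanghai", "success")]
SAMPLE += [SignIn(T0 + timedelta(minutes=2 + i), USER, AMS, "Amsterdam", "mfa_challenge")
           for i in range(6)]
SAMPLE.append(SignIn(T0 + timedelta(minutes=15), USER, AMS, "Amsterdam", "success"))
```

`triage(SAMPLE)` flags both signals for this case; a single-city history or a sparse MFA history leaves `escalate` False, which is the false-positive shape the linked KB entries deal with.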
Triage process summary
- Confirm the alert scenario and core risk: User account showed impossible travel between Shanghai and Amsterdam, followed by repeated MFA prompts and successful sign-in.
- Extract key evidence and cross-validate: Two successful sign-ins from geographically impossible locations within 15 minutes.
- Review the alert pattern and response path against the linked playbook / KB.
- Reach a verdict based on the key evidence and scenario pattern: true positive.
Basis for verdict
- Verdict: true positive.
- Primary basis: Two successful sign-ins from geographically impossible locations within 15 minutes.
- Supporting basis: MFA challenge volume increased abnormally before final success.
Response recommendations
- Review the sign-in sources, the MFA events, and any subsequent mailbox rule or OAuth changes.
- If there are signs of account takeover, immediately revoke sessions and reset credentials.
Reusable patterns
- Matched pattern: scenario:o365_suspicious_login, alert_type:azuread_impossible_travel
- False-positive indicators: none
- Variants to watch: related tags: o365, login, impossible-travel, mfa-fatigue
Linked knowledge
- Linked playbook: PB-O365-LOGIN-001
- Linked KB: KB-O365-IMPOSSIBLE-TRAVEL, KB-O365-MFA-FATIGUE
- Linked historical cases: CASE-2026-1005, CASE-2026-1004
- Linked entities: david@corp.example, WS-DAVID-01
Automatic link recommendations
Recommended historical cases
- CASE-2026-1005 (case score=0.687) This directory contains a single case record documenting a false positive alert triggered by Microsoft 365’s impossible travel detection sys...
- CASE-2026-1004 (case score=0.636) This directory contains a single incident case file related to a suspicious Microsoft 365 login attempt, identified as CASE-2026-1004. The c...
Recommended knowledge entries
- KB-O365-IMPOSSIBLE-TRAVEL (knowledge score=0.69) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...
- PB-O365-LOGIN-001 (knowledge score=0.63) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...
Lessons Learned
- This case can be retained as a quick-reference for triaging similar alerts in future.
- If the same lure, a similar sign-in pattern, or the same key evidence appears again, consult this case and its linked knowledge first.
Tags
- #case
- #scenario/o365_suspicious_login
- #alert/azuread_impossible_travel
- #verdict/true-positive
- #o365
- #login
- #impossible-travel
- #mfa-fatigue