memory-gateway/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1002 - Legacy protocol sign-in from unfamiliar IP blocked by policy.md

case_id, scenario, alert_type, severity, verdict, source, openviking_enriched

case_id	scenario	alert_type	severity	verdict	source	openviking_enriched
CASE-2026-1002	o365_suspicious_login	azuread_legacy_auth_attempt	medium	false_positive	soc-memory-poc	true

CASE-2026-1002 Legacy protocol sign-in from unfamiliar IP blocked by policy

基本信息

• Case ID: CASE-2026-1002
• 标题: Legacy protocol sign-in from unfamiliar IP blocked by policy
• 告警类型: azuread_legacy_auth_attempt
• 来源系统: SOC Memory POC Mock Dataset
• 时间范围: 待补充
• 研判人 / Agent: AI Agent Draft
• 最终结论: 误报
• 严重等级: medium

告警摘要

Legacy authentication attempt from a cloud IP was blocked; investigation tied it to an approved migration tool test.

关键实体

• 用户: svc-migration@corp.example
• 主机: 无
• 邮箱: svc-migration@corp.example
• IP: 192.0.2.24
• 域名: 无
• 文件 Hash: 无
• 其他 IOC: 无

关键证据

• The account is a known migration service account.
• Source IP matched approved cloud migration vendor range.
• No successful sign-in occurred due to policy block.

研判过程摘要

1. 确认告警场景与核心风险：Legacy authentication attempt from a cloud IP was blocked; investigation tied it to an approved migration tool test.
2. 提取关键证据并交叉验证：The account is a known migration service account.
3. 对照关联 playbook / KB 复核告警模式与处置路径。
4. 基于关键证据与场景模式完成结论判定：误报。

结论依据

• 结论为误报。
• 最关键依据：The account is a known migration service account.
• 补充依据：Source IP matched approved cloud migration vendor range.

处置建议

• 记录误报原因，并更新检测例外或抑制条件。

可复用模式

• 命中模式: scenario:o365_suspicious_login, alert_type:azuread_legacy_auth_attempt
• 误报特征: 本案最终确认为误报，可用于补充抑制条件。
• 需关注的变体: 相关标签：o365, login, false-positive, legacy-auth

关联知识

• 关联 Playbook: PB-O365-LOGIN-001
• 关联 KB: KB-O365-LEGACY-AUTH, KB-O365-IMPOSSIBLE-TRAVEL
• 关联历史 Case: CASE-2026-1001, CASE-2026-1004
• 关联实体: svc-migration@corp.example

自动关联推荐

推荐历史 Case

• CASE-2026-1001 (case score=0.651) This directory contains a structured security incident case report related to a high-severity event in an Office 365 environment, identified...
• CASE-2026-1004 (case score=0.634) This directory contains a single incident case file related to a suspicious Microsoft 365 login attempt, identified as CASE-2026-1004. The c...

推荐知识条目

• KB-O365-IMPOSSIBLE-TRAVEL (knowledge score=0.626) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...
• PB-O365-LOGIN-001 (knowledge score=0.61) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...

Lessons Learned

• 本案可沉淀为后续同类告警的快速判定参考。
• 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。

标签

• #case
• #scenario/o365_suspicious_login
• #alert/azuread_legacy_auth_attempt
• #verdict/false-positive
• #o365
• #login
• #false-positive
• #legacy-auth