3.4 KiB
3.4 KiB
case_id, scenario, alert_type, severity, verdict, source, openviking_enriched
| case_id | scenario | alert_type | severity | verdict | source | openviking_enriched |
|---|---|---|---|---|---|---|
| CASE-2026-1003 | o365_suspicious_login | azuread_suspicious_inbox_rule_after_login | high | true_positive | soc-memory-poc | true |
CASE-2026-1003 Suspicious inbox rule creation after successful foreign login
基本信息
- Case ID: CASE-2026-1003
- 标题: Suspicious inbox rule creation after successful foreign login
- 告警类型: azuread_suspicious_inbox_rule_after_login
- 来源系统: SOC Memory POC Mock Dataset
- 时间范围: 待补充
- 研判人 / Agent: AI Agent Draft
- 最终结论: 真报
- 严重等级: high
告警摘要
An overseas sign-in to Microsoft 365 was followed by inbox rule creation to hide finance-related emails.
关键实体
- 用户: emma@corp.example
- 主机: WS-EMMA-07
- 邮箱: emma@corp.example
- IP: 198.51.100.98
- 域名: 无
- 文件 Hash: 无
- 其他 IOC: 无
关键证据
- Successful sign-in from untrusted ASN.
- Inbox rule moved wire transfer emails to RSS Feeds folder.
- Mailbox audit showed rule creation minutes after login.
研判过程摘要
- 确认告警场景与核心风险:An overseas sign-in to Microsoft 365 was followed by inbox rule creation to hide finance-related emails.
- 提取关键证据并交叉验证:Successful sign-in from untrusted ASN.
- 对照关联 playbook / KB 复核告警模式与处置路径。
- 基于关键证据与场景模式完成结论判定:真报。
结论依据
- 结论为真报。
- 最关键依据:Successful sign-in from untrusted ASN.
- 补充依据:Inbox rule moved wire transfer emails to RSS Feeds folder.
处置建议
- 复核登录来源、MFA 事件和后续邮箱规则或 OAuth 变更。
- 若存在账号接管迹象,立即执行会话失效和凭据重置。
可复用模式
- 命中模式: scenario:o365_suspicious_login, alert_type:azuread_suspicious_inbox_rule_after_login
- 误报特征: 无
- 需关注的变体: 相关标签:o365, login, inbox-rule, account-compromise
关联知识
- 关联 Playbook: PB-O365-LOGIN-001
- 关联 KB: KB-O365-INBOX-RULE-ABUSE, KB-O365-IMPOSSIBLE-TRAVEL
- 关联历史 Case: CASE-2026-1005, CASE-2026-1001
- 关联实体: emma@corp.example, WS-EMMA-07
自动关联推荐
推荐历史 Case
- CASE-2026-1005 (case score=0.667) This directory contains a single case record documenting a false positive alert triggered by Microsoft 365’s impossible travel detection sys...
- CASE-2026-1001 (case score=0.666) This document is a structured case report detailing a high-severity security incident involving suspicious login activity in an Office 365 e...
推荐知识条目
- PB-O365-LOGIN-001 (knowledge score=0.653) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...
- KB-O365-IMPOSSIBLE-TRAVEL (knowledge score=0.645) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...
Lessons Learned
- 本案可沉淀为后续同类告警的快速判定参考。
- 若后续出现相同 lure、同类登录模式或相同关键证据,应优先联想本案与关联知识。
标签
- #case
- #scenario/o365_suspicious_login
- #alert/azuread_suspicious_inbox_rule_after_login
- #verdict/true-positive
- #o365
- #login
- #inbox-rule
- #account-compromise