memory-gateway/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1005 - Traveling executive triggered impossible travel but activity was legitimate.md


---
case_id: CASE-2026-1005
scenario: o365_suspicious_login
alert_type: azuread_impossible_travel
severity: medium
verdict: false_positive
source: soc-memory-poc
openviking_enriched: true
---

CASE-2026-1005 Traveling executive triggered impossible travel but activity was legitimate

Basic Information

  • Case ID: CASE-2026-1005
  • Title: Traveling executive triggered impossible travel but activity was legitimate
  • Alert type: azuread_impossible_travel
  • Source system: SOC Memory POC Mock Dataset
  • Time range: to be completed
  • Analyst / Agent: AI Agent Draft
  • Final verdict: false positive
  • Severity: medium

Alert Summary

Executive account triggered impossible travel due to corporate VPN exit node while the user was on an approved overseas trip.

Key Entities

Key Evidence

  • Approved travel request existed.
  • One login originated from corporate VPN exit node.
  • Device and user agent were consistent with known user profile.

Triage Process Summary

  1. Confirm the alert scenario and core risk: Executive account triggered impossible travel due to corporate VPN exit node while the user was on an approved overseas trip.
  2. Extract the key evidence and cross-check it: Approved travel request existed.
  3. Review the alert pattern and handling path against the associated playbook / KB.
  4. Reach a verdict from the key evidence and scenario pattern: false positive.

Basis for Verdict

  • Verdict: false positive.
  • Primary basis: Approved travel request existed.
  • Supporting basis: One login originated from corporate VPN exit node.

Handling Recommendations

  • Record the reason for the false positive and update detection exceptions or suppression conditions.
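The triage steps above and the suppression recommendation can be turned into a small, repeatable check. The following is an added example, not code from the SOC Memory POC or the case file: it evaluates a constructed impossible-travel alert against the three pieces of evidence this case relied on (approved travel window, corporate VPN egress IP, known device and user agent) and, on a false-positive verdict, emits a narrow, time-bounded suppression rule. The IP ranges, user, device ids, timestamps and the verdict labels `escalate` / `needs_review` are all assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# --- Analyst context (constructed placeholders; none of these values come from the case file) ---
CORP_VPN_EGRESS = [ip_network("198.51.100.0/24")]     # corporate VPN exit nodes (assumed range)
APPROVED_TRAVEL = {                                    # user -> [(start_day, end_day, countries)]
    "exec@example.com": [("2026-03-08", "2026-03-14", {"SG"})],
}
KNOWN_PROFILE = {                                      # user -> known device ids and user-agent prefix
    "exec@example.com": {"devices": {"dev-1"}, "ua_prefix": "Mozilla/5.0 (Windows NT 10.0"},
}

# --- Constructed impossible-travel alert: the two sign-ins the detection paired ---
ALERT = {
    "alert_type": "azuread_impossible_travel",
    "user": "exec@example.com",
    "sign_ins": [
        {"ts": "2026-03-10T07:55:00Z", "ip": "203.0.113.25", "country": "SG",
         "device_id": "dev-1", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
        {"ts": "2026-03-10T08:20:00Z", "ip": "198.51.100.7", "country": "DE",
         "device_id": "dev-1", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    ],
}


def is_corp_vpn(ip: str) -> bool:
    """Evidence 2: does the sign-in IP belong to a corporate VPN exit node?"""
    return any(ip_address(ip) in net for net in CORP_VPN_EGRESS)


def matching_travel(user: str, ts_iso: str, country: str):
    """Evidence 1: return the approved travel window covering this sign-in, or None."""
    day = ts_iso[:10]  # compare on calendar day; windows are stored as YYYY-MM-DD
    for start, end, countries in APPROVED_TRAVEL.get(user, []):
        if start <= day <= end and country in countries:
            return (start, end, countries)
    return None


def profile_matches(user: str, sign_in: dict) -> bool:
    """Evidence 3: device id and user agent consistent with the known user profile."""
    prof = KNOWN_PROFILE.get(user)
    return bool(prof) and sign_in["device_id"] in prof["devices"] \
        and sign_in["user_agent"].startswith(prof["ua_prefix"])


def suppression_rule(alert: dict, travel_window) -> dict:
    """Narrow, time-bounded exception to record alongside the false-positive verdict."""
    return {
        "alert_type": alert["alert_type"],
        "user": alert["user"],
        "conditions": ["at least one sign-in IP in CORP_VPN_EGRESS",
                       "all sign-ins from a device in KNOWN_PROFILE"],
        "expires": travel_window[1],  # the exception must not outlive the approved trip
    }


def triage(alert: dict) -> dict:
    """Walk the case's triage steps and return verdict, evidence, and any suppression rule."""
    user, legs = alert["user"], alert["sign_ins"]
    evidence = []
    vpn_legs = [s for s in legs if is_corp_vpn(s["ip"])]
    real_legs = [s for s in legs if not is_corp_vpn(s["ip"])]
    if vpn_legs:
        evidence.append(f"{len(vpn_legs)} sign-in(s) via corporate VPN exit node; "
                        "their geolocation is the VPN egress, not the user")
    windows = [matching_travel(user, s["ts"], s["country"]) for s in real_legs]
    travel_ok = bool(real_legs) and all(windows)
    if travel_ok:
        evidence.append(f"approved travel request covers {[s['country'] for s in real_legs]}")
    profile_ok = all(profile_matches(user, s) for s in legs)
    evidence.append("device id and user agent match known user profile" if profile_ok
                    else "device id or user agent does NOT match known profile")

    if vpn_legs and travel_ok and profile_ok:
        verdict, suppression = "false_positive", suppression_rule(alert, windows[0])
    elif not profile_ok:
        verdict, suppression = "escalate", None      # unfamiliar device: possible account compromise
    else:
        verdict, suppression = "needs_review", None  # evidence incomplete; analyst decides
    return {"verdict": verdict, "evidence": evidence, "suppression": suppression}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(ALERT), indent=2))
```

The suppression rule is deliberately scoped to one user, one alert type, a corporate-VPN leg and a known device, and it expires with the travel window; a blanket exception for VPN egress addresses would also hide a genuine compromise that happened to route through the VPN.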

Reusable Patterns

  • Matched pattern: scenario:o365_suspicious_login, alert_type:azuread_impossible_travel
  • False-positive characteristics: this case was confirmed as a false positive and can be used to extend suppression conditions.
  • Variants to watch: related tags o365, login, false-positive, travel

Related Knowledge

Automatic Association Recommendations

Recommended Historical Cases

  • CASE-2026-1001 (case score=0.684) This directory contains a structured security incident case report related to a high-severity event in an Office 365 environment, identified...
  • CASE-2026-1004 (case score=0.63) This directory contains a single incident case file related to a suspicious Microsoft 365 login attempt, identified as CASE-2026-1004. The c...

Recommended Knowledge Entries

  • KB-O365-IMPOSSIBLE-TRAVEL (knowledge score=0.703) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...
  • PB-O365-LOGIN-001 (knowledge score=0.626) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...

Lessons Learned

  • This case can be retained as a quick reference for deciding similar alerts in the future.
  • If the same lure, a similar login pattern, or the same key evidence appears again, recall this case and its associated knowledge first.

Tags

  • #case
  • #scenario/o365_suspicious_login
  • #alert/azuread_impossible_travel
  • #verdict/false-positive
  • #o365
  • #login
  • #false-positive
  • #travel