Initial SOC memory POC implementation

2026-04-27 17:13:06 +08:00
parent fc68581198
commit e6b1520bce
89 changed files with 7610 additions and 1 deletions
--- a/docs/hermes-demo-prompts.md
+++ b/docs/hermes-demo-prompts.md
@ -0,0 +1,91 @@
+# Hermes Demo Prompts
+
+## Recommended: Raw Email / Freeform Alert
+
+Use this when you want to show that Hermes does not need a rigid input schema. The `soc-memory-poc` skill should route the content through `triage_email.py`, extract useful fields, retrieve memory, search Obsidian, and return the fixed SOC triage sections.
+
+```text
+Use the soc-memory-poc skill. Triage this email alert and include Memory Retrieval and Obsidian references.
+
+From: billing@vendor-payments.com
+To: alice@corp.example
+Subject: Invoice overdue notice
+Attachment: invoice_review.html
+
+User clicked the link after opening the HTML attachment. DMARC failed. Review at https://vendor-payments-login.com/review from IP 198.51.100.20 on host FIN-LAPTOP-12.
+
+Return exactly these sections:
+研判结果
+关键证据
+关联 Memory Retrieval
+关联 Obsidian 文档
+建议动作
+```
+
+Equivalent direct script check:
+
+```bash
+python /home/tom/.hermes/skills/soc-memory-poc/scripts/triage_email.py --text "From: billing@vendor-payments.com
+To: alice@corp.example
+Subject: Invoice overdue notice
+Attachment: invoice_review.html
+User clicked the link after opening the HTML attachment. DMARC failed. Review at https://vendor-payments-login.com/review from IP 198.51.100.20 on host FIN-LAPTOP-12."
+```
+
+## Structured Phishing Alert
+
+Use this when you want maximum repeatability with explicit fields.
+
+```text
+Use the soc-memory-poc skill. Treat the following as a structured SOC alert and use the preferred Scheme A path.
+
+Scenario: phishing
+Alert type: mail_suspicious_attachment
+User: alice@corp.example
+Host: FIN-LAPTOP-12
+Sender: billing@vendor-payments.com
+Subject: Invoice overdue notice
+Attachment: invoice_review.html
+URL: https://vendor-payments-login.com/review
+IP: 198.51.100.20
+Known facts:
+- DMARC failed
+- User may have clicked the link
+
+Return exactly these sections:
+研判结果
+关键证据
+关联 Memory Retrieval
+关联 Obsidian 文档
+建议动作
+```
+
+## Structured O365 Alert
+
+```text
+Use the soc-memory-poc skill. Treat the following as a structured SOC alert and use the preferred Scheme A path.
+
+Scenario: o365_suspicious_login
+Alert type: azuread_impossible_travel
+User: david@corp.example
+Host: WS-DAVID-01
+IP: 203.0.113.150
+Known facts:
+- Impossible travel observed between Shanghai and Amsterdam within 15 minutes
+- MFA fatigue occurred before final success
+- User denied initiating the overseas login
+- Inbox rule creation was observed after login
+
+Return exactly these sections:
+研判结果
+关键证据
+关联 Memory Retrieval
+关联 Obsidian 文档
+建议动作
+```
+
+## Generate Case Note
+
+```text
+Use the soc-memory-poc skill. Generate an Obsidian case note for /home/tom/soc_memory_poc/evaluation/datasets/normalized_cases/CASE-2026-0003.json with OpenViking enrichment, then tell me the output path and confirm whether the note was written successfully.
+```