Initial SOC memory POC implementation

2026-04-27 17:13:06 +08:00
parent fc68581198
commit e6b1520bce
89 changed files with 7610 additions and 1 deletions
--- a/evaluation/datasets/mock_cases/phishing/CASE-2026-0001.json
+++ b/evaluation/datasets/mock_cases/phishing/CASE-2026-0001.json
@ -0,0 +1,19 @@
+{
+  "case_id": "CASE-2026-0001",
+  "title": "Finance user received invoice-themed phishing email",
+  "scenario": "phishing",
+  "alert_type": "mail_suspicious_attachment",
+  "severity": "high",
+  "status": "confirmed",
+  "time_window": {"start": "2026-04-01T09:10:00+08:00", "end": "2026-04-01T11:30:00+08:00"},
+  "summary": "Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.",
+  "alert_source": "Secure Email Gateway",
+  "entities": {"users": ["alice@corp.example"], "hosts": ["FIN-LAPTOP-12"], "mailboxes": ["alice@corp.example"]},
+  "observables": {"sender_emails": ["billing@vendor-payments.com"], "domains": ["vendor-payments.com", "vendor-payments-login.com"], "urls": ["https://vendor-payments-login.com/review"], "ips": ["198.51.100.20"], "hashes": ["sha256:phish0001"]},
+  "evidence": ["Sender domain was newly observed and failed DMARC.", "Attachment redirected to a fake Microsoft 365 login page.", "User clicked the link before mail quarantine completed."],
+  "investigation_steps": ["Validate sender authentication results.", "Detonate HTML attachment in sandbox.", "Check mailbox click telemetry and account sign-in logs."],
+  "conclusion": {"verdict": "true_positive", "reason": "Aligned phishing indicators and confirmed click behavior.", "recommended_actions": ["Reset impacted account password.", "Block sender domain and landing URL.", "Hunt for similar emails in tenant."]},
+  "related_refs": {"playbooks": ["PB-PHISH-001"], "kb": ["KB-PHISH-HEADER-CHECK", "KB-CRED-HARVEST-PATTERNS"], "cases": []},
+  "lessons_learned": ["Invoice lure remains effective against finance users."],
+  "tags": ["phishing", "email", "credential-harvest", "finance"]
+}
--- a/evaluation/datasets/mock_cases/phishing/CASE-2026-0002.json
+++ b/evaluation/datasets/mock_cases/phishing/CASE-2026-0002.json
@ -0,0 +1,19 @@
+{
+  "case_id": "CASE-2026-0002",
+  "title": "Payroll notification email flagged but determined benign",
+  "scenario": "phishing",
+  "alert_type": "mail_suspicious_link",
+  "severity": "medium",
+  "status": "false_positive",
+  "time_window": {"start": "2026-04-03T08:40:00+08:00", "end": "2026-04-03T09:20:00+08:00"},
+  "summary": "Payroll update email was flagged due to a shortened URL, but the destination was the approved HR vendor portal.",
+  "alert_source": "Secure Email Gateway",
+  "entities": {"users": ["bob@corp.example"], "hosts": ["HR-LAPTOP-03"], "mailboxes": ["bob@corp.example"]},
+  "observables": {"sender_emails": ["notify@hr-vendor.example"], "domains": ["hr-vendor.example"], "urls": ["https://bit.ly/hr-portal-example"], "ips": [], "hashes": []},
+  "evidence": ["Sender domain aligned with SPF and DKIM.", "Destination domain matched approved supplier inventory.", "No credential prompt anomaly observed."],
+  "investigation_steps": ["Expand shortened URL.", "Validate vendor domain against allowlist.", "Review prior communication pattern with HR users."],
+  "conclusion": {"verdict": "false_positive", "reason": "Trusted vendor communication with expected destination.", "recommended_actions": ["Tune mail rule to reduce noisy alerts for approved HR vendor."]},
+  "related_refs": {"playbooks": ["PB-PHISH-001"], "kb": ["KB-PHISH-HEADER-CHECK"], "cases": []},
+  "lessons_learned": ["Short URLs alone should not drive phishing conclusion without destination validation."],
+  "tags": ["phishing", "email", "false-positive", "vendor"]
+}
--- a/evaluation/datasets/mock_cases/phishing/CASE-2026-0003.json
+++ b/evaluation/datasets/mock_cases/phishing/CASE-2026-0003.json
@ -0,0 +1,19 @@
+{
+  "case_id": "CASE-2026-0003",
+  "title": "Executive impersonation email requested urgent wire transfer",
+  "scenario": "phishing",
+  "alert_type": "mail_bec_impersonation",
+  "severity": "high",
+  "status": "confirmed",
+  "time_window": {"start": "2026-04-05T13:15:00+08:00", "end": "2026-04-05T15:00:00+08:00"},
+  "summary": "An executive impersonation email targeted finance staff with an urgent wire transfer request from a lookalike domain.",
+  "alert_source": "Secure Email Gateway",
+  "entities": {"users": ["carol@corp.example"], "hosts": ["FIN-LAPTOP-08"], "mailboxes": ["carol@corp.example"]},
+  "observables": {"sender_emails": ["ceo@c0rp-example.com"], "domains": ["c0rp-example.com"], "urls": [], "ips": ["203.0.113.45"], "hashes": []},
+  "evidence": ["Lookalike domain used numeric substitution.", "Language pressure matched prior BEC pattern.", "No historical communication from sender domain."],
+  "investigation_steps": ["Compare sender domain with corporate domain.", "Review historical communication graph.", "Confirm with executive assistant out of band."],
+  "conclusion": {"verdict": "true_positive", "reason": "Strong BEC indicators and confirmed spoofed sender identity.", "recommended_actions": ["Block sender domain.", "Notify finance team and update awareness content."]},
+  "related_refs": {"playbooks": ["PB-PHISH-001"], "kb": ["KB-CRED-HARVEST-PATTERNS"], "cases": []},
+  "lessons_learned": ["Lookalike domains need strong entity normalization in retrieval and detection logic."],
+  "tags": ["phishing", "bec", "executive-impersonation"]
+}
--- a/evaluation/datasets/mock_cases/phishing/CASE-2026-0004.json
+++ b/evaluation/datasets/mock_cases/phishing/CASE-2026-0004.json
@ -0,0 +1,19 @@
+{
+  "case_id": "CASE-2026-0004",
+  "title": "Shared mailbox received OneDrive lure with HTML attachment",
+  "scenario": "phishing",
+  "alert_type": "mail_suspicious_attachment",
+  "severity": "medium",
+  "status": "confirmed",
+  "time_window": {"start": "2026-04-07T10:00:00+08:00", "end": "2026-04-07T12:05:00+08:00"},
+  "summary": "Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection.",
+  "alert_source": "Secure Email Gateway",
+  "entities": {"users": ["shared-finance@corp.example"], "hosts": [], "mailboxes": ["shared-finance@corp.example"]},
+  "observables": {"sender_emails": ["noreply@sharepoint-notify.com"], "domains": ["sharepoint-notify.com"], "urls": ["https://onedrive-review-login.example"], "ips": ["198.51.100.87"], "hashes": ["sha256:phish0004"]},
+  "evidence": ["Attachment rendered a fake Microsoft sign-in page.", "Landing page hosted outside Microsoft IP space.", "Mail body reused branding from previous phishing campaign."],
+  "investigation_steps": ["Render attachment safely.", "Review URL hosting provider reputation.", "Search tenant for same subject and sender."],
+  "conclusion": {"verdict": "true_positive", "reason": "Credential harvesting lure with campaign reuse indicators.", "recommended_actions": ["Block sender and URL.", "Search and purge duplicate emails."]},
+  "related_refs": {"playbooks": ["PB-PHISH-001"], "kb": ["KB-CRED-HARVEST-PATTERNS"], "cases": ["CASE-2026-0001"]},
+  "lessons_learned": ["Campaign reuse makes historical phishing similarity especially valuable."],
+  "tags": ["phishing", "email", "onedrive-lure"]
+}