Initial SOC memory POC implementation

evaluation/datasets/mock_cases/phishing/CASE-2026-0002.json

@@ -0,0 +1,19 @@
+{
+  "case_id": "CASE-2026-0002",
+  "title": "Payroll notification email flagged but determined benign",
+  "scenario": "phishing",
+  "alert_type": "mail_suspicious_link",
+  "severity": "medium",
+  "status": "false_positive",
+  "time_window": {"start": "2026-04-03T08:40:00+08:00", "end": "2026-04-03T09:20:00+08:00"},
+  "summary": "Payroll update email was flagged due to a shortened URL, but the destination was the approved HR vendor portal.",
+  "alert_source": "Secure Email Gateway",
+  "entities": {"users": ["bob@corp.example"], "hosts": ["HR-LAPTOP-03"], "mailboxes": ["bob@corp.example"]},
+  "observables": {"sender_emails": ["notify@hr-vendor.example"], "domains": ["hr-vendor.example"], "urls": ["https://bit.ly/hr-portal-example"], "ips": [], "hashes": []},
+  "evidence": ["Sender domain aligned with SPF and DKIM.", "Destination domain matched approved supplier inventory.", "No credential prompt anomaly observed."],
+  "investigation_steps": ["Expand shortened URL.", "Validate vendor domain against allowlist.", "Review prior communication pattern with HR users."],
+  "conclusion": {"verdict": "false_positive", "reason": "Trusted vendor communication with expected destination.", "recommended_actions": ["Tune mail rule to reduce noisy alerts for approved HR vendor."]},
+  "related_refs": {"playbooks": ["PB-PHISH-001"], "kb": ["KB-PHISH-HEADER-CHECK"], "cases": []},
+  "lessons_learned": ["Short URLs alone should not drive phishing conclusion without destination validation."],
+  "tags": ["phishing", "email", "false-positive", "vendor"]
+}