Initial SOC memory POC implementation
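--- /dev/null
+++ b/evaluation/datasets/mock_kb/kb/KB-CRED-HARVEST-PATTERNS.json
@@ -0,0 +1,15 @@
+{
+"doc_id": "KB-CRED-HARVEST-PATTERNS",
+"doc_type": "kb",
+"title": "Credential Harvesting Indicators",
+"scenario": "phishing",
+"summary": "Common indicators that a phishing case involves credential harvesting rather than simple spam or benign mail.",
+"applicability": ["mail_suspicious_attachment", "mail_suspicious_link"],
+"key_points": ["Landing page mimics Microsoft 365 or common SaaS login pages.", "HTML attachment often acts as a redirector rather than containing malware.", "Credential harvest campaigns frequently reuse branding and lures across tenants."],
+"investigation_guidance": ["Capture full redirect chain.", "Look for post-click login anomalies in identity logs.", "Search for same lure across multiple mailboxes."],
+"decision_points": ["User click plus sign-in anomaly greatly increases confidence.", "Branding reuse can help link separate phishing cases into one campaign."],
+"related_entities": {"ttps": ["T1566.002"], "iocs": []},
+"related_refs": {"playbooks": ["PB-PHISH-001"], "cases": []},
+"tags": ["kb", "phishing", "credential-harvest"],
+"updated_at": "2026-04-10T09:25:00+08:00"
+}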
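Review bot: The `related_refs` object has a different key set depending on document type — this file and the other KB entries (KB-O365-IMPOSSIBLE-TRAVEL, KB-O365-INBOX-RULE-ABUSE, KB-O365-MFA-FATIGUE, KB-PHISH-HEADER-CHECK) carry `"playbooks"`, while PB-O365-LOGIN-001 and PB-PHISH-001 carry `"kb"` — so code that walks cross-references cannot rely on one shape. If retrieval keys on a fixed set, emitting all three lists in every record, e.g. `"related_refs": {"kb": [], "playbooks": ["PB-PHISH-001"], "cases": []}`, keeps the fixtures self-describing; if the per-type key set is intended, a short schema for these records would make that explicit. Separately, `applicability` includes `mail_suspicious_attachment` and a key point describes HTML attachments acting as redirectors, yet `ttps` lists only T1566.002; adding T1566.001, which KB-PHISH-HEADER-CHECK already uses, would cover the attachment vector this entry claims to apply to.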
@ -0,0 +1,15 @@
|
||||
{
|
||||
"doc_id": "KB-O365-IMPOSSIBLE-TRAVEL",
|
||||
"doc_type": "kb",
|
||||
"title": "Interpreting O365 Impossible Travel Alerts",
|
||||
"scenario": "o365_suspicious_login",
|
||||
"summary": "Guidance for validating impossible travel alerts, including VPN, proxy, and approved travel false-positive conditions.",
|
||||
"applicability": ["azuread_impossible_travel"],
|
||||
"key_points": ["Impossible travel must be validated against user travel context.", "VPN egress and cloud proxy routing are common false-positive sources.", "Pair sign-in anomaly with MFA, mailbox, or device anomalies before concluding compromise."],
|
||||
"investigation_guidance": ["Validate source ASN and IP history.", "Check user-approved travel or remote work context.", "Compare device ID and user agent consistency."],
|
||||
"decision_points": ["User denial of travel plus new device strongly increases confidence.", "Approved travel and trusted VPN topology reduce confidence."],
|
||||
"related_entities": {"ttps": ["T1078"], "iocs": []},
|
||||
"related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "cases": []},
|
||||
"tags": ["kb", "o365", "impossible-travel"],
|
||||
"updated_at": "2026-04-10T09:30:00+08:00"
|
||||
}
|
||||
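--- /dev/null
+++ b/evaluation/datasets/mock_kb/kb/KB-O365-INBOX-RULE-ABUSE.json
@@ -0,0 +1,15 @@
+{
+"doc_id": "KB-O365-INBOX-RULE-ABUSE",
+"doc_type": "kb",
+"title": "Inbox Rule Abuse After Account Compromise",
+"scenario": "o365_suspicious_login",
+"summary": "Common mailbox persistence behaviors after O365 account compromise, especially rule creation to hide or forward finance emails.",
+"applicability": ["azuread_suspicious_inbox_rule_after_login"],
+"key_points": ["Attackers often hide financial emails using move-to-folder rules.", "Forwarding and delete rules are strong post-compromise indicators.", "Mailbox audit logs should be reviewed immediately after suspicious login confirmation."],
+"investigation_guidance": ["Enumerate all inbox rules and forwarding settings.", "Check mailbox audit timeline around suspicious sign-in.", "Review OAuth consents if inbox rules are absent but suspicious mail actions continue."],
+"decision_points": ["Inbox rule creation shortly after suspicious login strongly supports compromise verdict."],
+"related_entities": {"ttps": ["T1114"], "iocs": []},
+"related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "cases": []},
+"tags": ["kb", "o365", "inbox-rule"],
+"updated_at": "2026-04-10T09:40:00+08:00"
+}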
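Review bot: The technique label at `"ttps": ["T1114"]` is coarser than the content it tags: the key points describe move-to-folder, forwarding and delete rules, which ATT&CK breaks out as T1114.003 (Email Forwarding Rule) and T1564.008 (Email Hiding Rules) rather than the parent Email Collection technique. If the evaluation scores TTP attribution against these fixtures, the parent-level ID makes the scoring lenient for exactly the behaviour this entry exists to teach; `"ttps": ["T1114.003", "T1564.008"]` is the tighter label. How the fixture is consumed is not visible in this commit, so treat the scoring concern as an inference.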
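--- /dev/null
+++ b/evaluation/datasets/mock_kb/kb/KB-O365-MFA-FATIGUE.json
@@ -0,0 +1,15 @@
+{
+"doc_id": "KB-O365-MFA-FATIGUE",
+"doc_type": "kb",
+"title": "MFA Fatigue Detection Notes",
+"scenario": "o365_suspicious_login",
+"summary": "Patterns for identifying MFA fatigue / push bombing during account compromise attempts.",
+"applicability": ["azuread_impossible_travel", "azuread_suspicious_login"],
+"key_points": ["Repeated MFA prompts preceding one successful prompt is suspicious.", "User-reported prompt fatigue is strong supporting evidence.", "MFA fatigue is often coupled with credential theft rather than password spray alone."],
+"investigation_guidance": ["Review MFA event counts and timing.", "Check if the user acknowledged unexpected prompts.", "Look for subsequent session hijacking or mailbox abuse."],
+"decision_points": ["Prompt flood plus user denial usually warrants immediate containment."],
+"related_entities": {"ttps": ["T1621"], "iocs": []},
+"related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "cases": []},
+"tags": ["kb", "o365", "mfa-fatigue"],
+"updated_at": "2026-04-10T09:35:00+08:00"
+}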
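Review bot: `applicability` lists `azuread_suspicious_login`, an alert type that appears nowhere else in the commit — PB-O365-LOGIN-001, which this entry points to, enumerates `azuread_impossible_travel`, `azuread_legacy_auth_attempt`, `azuread_suspicious_inbox_rule_after_login` and `azuread_password_spray_attempt`. If retrieval matches on alert type, a name drift like this is never reported and the entry is silently unreachable for that alert. Either align the identifier with the taxonomy the playbooks use or add a load-time check that every `applicability` value is a known alert type; the same check could confirm that every `related_refs` id resolves to a document in the fixture, which today holds only by inspection.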
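--- /dev/null
+++ b/evaluation/datasets/mock_kb/kb/KB-PHISH-HEADER-CHECK.json
@@ -0,0 +1,15 @@
+{
+"doc_id": "KB-PHISH-HEADER-CHECK",
+"doc_type": "kb",
+"title": "Phishing Header Validation Checklist",
+"scenario": "phishing",
+"summary": "Checklist for validating sender identity, domain reputation, and authentication results in suspected phishing emails.",
+"applicability": ["mail_suspicious_attachment", "mail_suspicious_link", "mail_bec_impersonation"],
+"key_points": ["Review SPF, DKIM, and DMARC alignment.", "Compare display name, envelope sender, and reply-to anomalies.", "Check domain age and known-good communication history."],
+"investigation_guidance": ["Use message trace and header parser.", "Compare sender domain with vendor allowlist.", "Escalate lookalike domains even when content appears business-relevant."],
+"decision_points": ["Newly observed domains with failed auth are high-risk.", "Benign vendor mail often has consistent historical sending patterns."],
+"related_entities": {"ttps": ["T1566.001"], "iocs": []},
+"related_refs": {"playbooks": ["PB-PHISH-001"], "cases": []},
+"tags": ["kb", "phishing", "email-header"],
+"updated_at": "2026-04-10T09:20:00+08:00"
+}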
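--- /dev/null
+++ b/evaluation/datasets/mock_kb/playbooks/PB-O365-LOGIN-001.json
@@ -0,0 +1,15 @@
+{
+"doc_id": "PB-O365-LOGIN-001",
+"doc_type": "playbook",
+"title": "O365 Suspicious Login Investigation Playbook",
+"scenario": "o365_suspicious_login",
+"summary": "Standard investigation steps for suspicious Entra ID sign-ins, impossible travel, MFA abuse, and follow-on mailbox abuse.",
+"applicability": ["azuread_impossible_travel", "azuread_legacy_auth_attempt", "azuread_suspicious_inbox_rule_after_login", "azuread_password_spray_attempt"],
+"key_points": ["Confirm user travel and business context.", "Review sign-in logs, device IDs, and user agents.", "Inspect downstream actions such as inbox rules, app consent, and forwarding."],
+"investigation_guidance": ["Correlate MFA telemetry with sign-in sequence.", "Check risky sign-ins and risky users views.", "Revoke sessions and reset credentials when compromise is confirmed."],
+"decision_points": ["Impossible travel alone is insufficient without corroborating evidence.", "Inbox rule creation after foreign login strongly increases confidence of compromise."],
+"related_entities": {"ttps": ["T1078"], "iocs": []},
+"related_refs": {"kb": ["KB-O365-IMPOSSIBLE-TRAVEL", "KB-O365-MFA-FATIGUE", "KB-O365-INBOX-RULE-ABUSE"], "cases": []},
+"tags": ["playbook", "o365", "login"],
+"updated_at": "2026-04-10T09:10:00+08:00"
+}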
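Review bot: `investigation_guidance` ends with a containment action, `"Revoke sessions and reset credentials when compromise is confirmed."`, while the other items in the list are read-only investigation steps; PB-PHISH-001 does the same with `"Reset credentials if submission is suspected."`. If the system under evaluation is graded on proposing containment separately from investigation, folding both into one list blurs that signal, and a dedicated field such as `"containment_guidance": [...]` would keep the distinction explicit — whether the loader tolerates an extra key is not visible here. `applicability` also names `azuread_legacy_auth_attempt` and `azuread_password_spray_attempt`, but no key point and no related KB entry in this commit covers either, so the playbook will be retrieved for those alerts with nothing specific to offer.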
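--- /dev/null
+++ b/evaluation/datasets/mock_kb/playbooks/PB-PHISH-001.json
@@ -0,0 +1,15 @@
+{
+"doc_id": "PB-PHISH-001",
+"doc_type": "playbook",
+"title": "Phishing Email Investigation Playbook",
+"scenario": "phishing",
+"summary": "Standard investigation steps for suspicious email, credential harvesting, and BEC-like cases.",
+"applicability": ["mail_suspicious_attachment", "mail_suspicious_link", "mail_bec_impersonation"],
+"key_points": ["Validate sender authentication results.", "Inspect landing URL and attachment behavior.", "Check whether the user clicked or submitted credentials."],
+"investigation_guidance": ["Query email telemetry for same sender, subject, or URL.", "Review mailbox click logs and endpoint browser artifacts.", "Reset credentials if submission is suspected."],
+"decision_points": ["If sender auth fails and user interaction exists, treat as likely phishing.", "If destination is allowlisted and communication pattern is expected, investigate false positive path."],
+"related_entities": {"ttps": ["T1566"], "iocs": []},
+"related_refs": {"kb": ["KB-PHISH-HEADER-CHECK", "KB-CRED-HARVEST-PATTERNS"], "cases": []},
+"tags": ["playbook", "phishing", "email"],
+"updated_at": "2026-04-10T09:00:00+08:00"
+}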