Initial SOC memory POC implementation

evaluation/datasets/mock_kb/kb/KB-CRED-HARVEST-PATTERNS.json

@@ -0,0 +1,15 @@
+{
+  "doc_id": "KB-CRED-HARVEST-PATTERNS",
+  "doc_type": "kb",
+  "title": "Credential Harvesting Indicators",
+  "scenario": "phishing",
+  "summary": "Common indicators that a phishing case involves credential harvesting rather than simple spam or benign mail.",
+  "applicability": ["mail_suspicious_attachment", "mail_suspicious_link"],
+  "key_points": ["Landing page mimics Microsoft 365 or common SaaS login pages.", "HTML attachment often acts as a redirector rather than containing malware.", "Credential harvest campaigns frequently reuse branding and lures across tenants."],
+  "investigation_guidance": ["Capture full redirect chain.", "Look for post-click login anomalies in identity logs.", "Search for same lure across multiple mailboxes."],
+  "decision_points": ["User click plus sign-in anomaly greatly increases confidence.", "Branding reuse can help link separate phishing cases into one campaign."],
+  "related_entities": {"ttps": ["T1566.002"], "iocs": []},
+  "related_refs": {"playbooks": ["PB-PHISH-001"], "cases": []},
+  "tags": ["kb", "phishing", "credential-harvest"],
+  "updated_at": "2026-04-10T09:25:00+08:00"
+}

evaluation/datasets/mock_kb/kb/KB-O365-IMPOSSIBLE-TRAVEL.json

@@ -0,0 +1,15 @@
+{
+  "doc_id": "KB-O365-IMPOSSIBLE-TRAVEL",
+  "doc_type": "kb",
+  "title": "Interpreting O365 Impossible Travel Alerts",
+  "scenario": "o365_suspicious_login",
+  "summary": "Guidance for validating impossible travel alerts, including VPN, proxy, and approved travel false-positive conditions.",
+  "applicability": ["azuread_impossible_travel"],
+  "key_points": ["Impossible travel must be validated against user travel context.", "VPN egress and cloud proxy routing are common false-positive sources.", "Pair sign-in anomaly with MFA, mailbox, or device anomalies before concluding compromise."],
+  "investigation_guidance": ["Validate source ASN and IP history.", "Check user-approved travel or remote work context.", "Compare device ID and user agent consistency."],
+  "decision_points": ["User denial of travel plus new device strongly increases confidence.", "Approved travel and trusted VPN topology reduce confidence."],
+  "related_entities": {"ttps": ["T1078"], "iocs": []},
+  "related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "cases": []},
+  "tags": ["kb", "o365", "impossible-travel"],
+  "updated_at": "2026-04-10T09:30:00+08:00"
+}

evaluation/datasets/mock_kb/kb/KB-O365-INBOX-RULE-ABUSE.json

@@ -0,0 +1,15 @@
+{
+  "doc_id": "KB-O365-INBOX-RULE-ABUSE",
+  "doc_type": "kb",
+  "title": "Inbox Rule Abuse After Account Compromise",
+  "scenario": "o365_suspicious_login",
+  "summary": "Common mailbox persistence behaviors after O365 account compromise, especially rule creation to hide or forward finance emails.",
+  "applicability": ["azuread_suspicious_inbox_rule_after_login"],
+  "key_points": ["Attackers often hide financial emails using move-to-folder rules.", "Forwarding and delete rules are strong post-compromise indicators.", "Mailbox audit logs should be reviewed immediately after suspicious login confirmation."],
+  "investigation_guidance": ["Enumerate all inbox rules and forwarding settings.", "Check mailbox audit timeline around suspicious sign-in.", "Review OAuth consents if inbox rules are absent but suspicious mail actions continue."],
+  "decision_points": ["Inbox rule creation shortly after suspicious login strongly supports compromise verdict."],
+  "related_entities": {"ttps": ["T1114"], "iocs": []},
+  "related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "cases": []},
+  "tags": ["kb", "o365", "inbox-rule"],
+  "updated_at": "2026-04-10T09:40:00+08:00"
+}

evaluation/datasets/mock_kb/kb/KB-O365-MFA-FATIGUE.json

@@ -0,0 +1,15 @@
+{
+  "doc_id": "KB-O365-MFA-FATIGUE",
+  "doc_type": "kb",
+  "title": "MFA Fatigue Detection Notes",
+  "scenario": "o365_suspicious_login",
+  "summary": "Patterns for identifying MFA fatigue / push bombing during account compromise attempts.",
+  "applicability": ["azuread_impossible_travel", "azuread_suspicious_login"],
+  "key_points": ["Repeated MFA prompts preceding one successful prompt is suspicious.", "User-reported prompt fatigue is strong supporting evidence.", "MFA fatigue is often coupled with credential theft rather than password spray alone."],
+  "investigation_guidance": ["Review MFA event counts and timing.", "Check if the user acknowledged unexpected prompts.", "Look for subsequent session hijacking or mailbox abuse."],
+  "decision_points": ["Prompt flood plus user denial usually warrants immediate containment."],
+  "related_entities": {"ttps": ["T1621"], "iocs": []},
+  "related_refs": {"playbooks": ["PB-O365-LOGIN-001"], "cases": []},
+  "tags": ["kb", "o365", "mfa-fatigue"],
+  "updated_at": "2026-04-10T09:35:00+08:00"
+}

evaluation/datasets/mock_kb/kb/KB-PHISH-HEADER-CHECK.json

@@ -0,0 +1,15 @@
+{
+  "doc_id": "KB-PHISH-HEADER-CHECK",
+  "doc_type": "kb",
+  "title": "Phishing Header Validation Checklist",
+  "scenario": "phishing",
+  "summary": "Checklist for validating sender identity, domain reputation, and authentication results in suspected phishing emails.",
+  "applicability": ["mail_suspicious_attachment", "mail_suspicious_link", "mail_bec_impersonation"],
+  "key_points": ["Review SPF, DKIM, and DMARC alignment.", "Compare display name, envelope sender, and reply-to anomalies.", "Check domain age and known-good communication history."],
+  "investigation_guidance": ["Use message trace and header parser.", "Compare sender domain with vendor allowlist.", "Escalate lookalike domains even when content appears business-relevant."],
+  "decision_points": ["Newly observed domains with failed auth are high-risk.", "Benign vendor mail often has consistent historical sending patterns."],
+  "related_entities": {"ttps": ["T1566.001"], "iocs": []},
+  "related_refs": {"playbooks": ["PB-PHISH-001"], "cases": []},
+  "tags": ["kb", "phishing", "email-header"],
+  "updated_at": "2026-04-10T09:20:00+08:00"
+}