Initial SOC memory POC implementation

evaluation/datasets/mock_kb/playbooks/PB-PHISH-001.json

@@ -0,0 +1,15 @@
+{
+  "doc_id": "PB-PHISH-001",
+  "doc_type": "playbook",
+  "title": "Phishing Email Investigation Playbook",
+  "scenario": "phishing",
+  "summary": "Standard investigation steps for suspicious email, credential harvesting, and BEC-like cases.",
+  "applicability": ["mail_suspicious_attachment", "mail_suspicious_link", "mail_bec_impersonation"],
+  "key_points": ["Validate sender authentication results.", "Inspect landing URL and attachment behavior.", "Check whether the user clicked or submitted credentials."],
+  "investigation_guidance": ["Query email telemetry for same sender, subject, or URL.", "Review mailbox click logs and endpoint browser artifacts.", "Reset credentials if submission is suspected."],
+  "decision_points": ["If sender auth fails and user interaction exists, treat as likely phishing.", "If destination is allowlisted and communication pattern is expected, investigate false positive path."],
+  "related_entities": {"ttps": ["T1566"], "iocs": []},
+  "related_refs": {"kb": ["KB-PHISH-HEADER-CHECK", "KB-CRED-HARVEST-PATTERNS"], "cases": []},
+  "tags": ["playbook", "phishing", "email"],
+  "updated_at": "2026-04-10T09:00:00+08:00"
+}