Initial SOC memory POC implementation

evaluation/datasets/normalized_cases/CASE-2026-0001.json

@@ -0,0 +1,65 @@
+{
+  "id": "CASE-2026-0001",
+  "memory_type": "case",
+  "scenario": "phishing",
+  "title": "Finance user received invoice-themed phishing email",
+  "abstract": "Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.",
+  "verdict": "true_positive",
+  "severity": "high",
+  "entities": {
+    "users": [
+      "alice@corp.example"
+    ],
+    "hosts": [
+      "FIN-LAPTOP-12"
+    ],
+    "mailboxes": [
+      "alice@corp.example"
+    ]
+  },
+  "observables": {
+    "sender_emails": [
+      "billing@vendor-payments.com"
+    ],
+    "domains": [
+      "vendor-payments.com",
+      "vendor-payments-login.com"
+    ],
+    "urls": [
+      "https://vendor-payments-login.com/review"
+    ],
+    "ips": [
+      "198.51.100.20"
+    ],
+    "hashes": [
+      "sha256:phish0001"
+    ]
+  },
+  "evidence": [
+    "Sender domain was newly observed and failed DMARC.",
+    "Attachment redirected to a fake Microsoft 365 login page.",
+    "User clicked the link before mail quarantine completed."
+  ],
+  "patterns": [
+    "verdict:true_positive",
+    "scenario:phishing",
+    "alert_type:mail_suspicious_attachment"
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-PHISH-001"
+    ],
+    "kb": [
+      "KB-PHISH-HEADER-CHECK",
+      "KB-CRED-HARVEST-PATTERNS"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_cases/phishing/CASE-2026-0001.json",
+  "tags": [
+    "phishing",
+    "email",
+    "credential-harvest",
+    "finance"
+  ]
+}