Initial SOC memory POC implementation

2026-04-27 17:13:06 +08:00
parent fc68581198
commit e6b1520bce
89 changed files with 7610 additions and 1 deletions
--- a/evaluation/datasets/normalized_cases/CASE-2026-1003.json
+++ b/evaluation/datasets/normalized_cases/CASE-2026-1003.json
@ -0,0 +1,55 @@
+{
+  "id": "CASE-2026-1003",
+  "memory_type": "case",
+  "scenario": "o365_suspicious_login",
+  "title": "Suspicious inbox rule creation after successful foreign login",
+  "abstract": "An overseas sign-in to Microsoft 365 was followed by inbox rule creation to hide finance-related emails.",
+  "verdict": "true_positive",
+  "severity": "high",
+  "entities": {
+    "users": [
+      "emma@corp.example"
+    ],
+    "hosts": [
+      "WS-EMMA-07"
+    ],
+    "mailboxes": [
+      "emma@corp.example"
+    ]
+  },
+  "observables": {
+    "ips": [
+      "198.51.100.98"
+    ],
+    "domains": [],
+    "urls": [],
+    "hashes": []
+  },
+  "evidence": [
+    "Successful sign-in from untrusted ASN.",
+    "Inbox rule moved wire transfer emails to RSS Feeds folder.",
+    "Mailbox audit showed rule creation minutes after login."
+  ],
+  "patterns": [
+    "verdict:true_positive",
+    "scenario:o365_suspicious_login",
+    "alert_type:azuread_suspicious_inbox_rule_after_login"
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-O365-LOGIN-001"
+    ],
+    "kb": [
+      "KB-O365-INBOX-RULE-ABUSE",
+      "KB-O365-IMPOSSIBLE-TRAVEL"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_cases/o365_suspicious_login/CASE-2026-1003.json",
+  "tags": [
+    "o365",
+    "login",
+    "inbox-rule",
+    "account-compromise"
+  ]
+}