Initial SOC memory POC implementation

2026-04-27 17:13:06 +08:00
parent fc68581198
commit e6b1520bce
89 changed files with 7610 additions and 1 deletions
--- a/evaluation/datasets/normalized_kb/KB-CRED-HARVEST-PATTERNS.json
+++ b/evaluation/datasets/normalized_kb/KB-CRED-HARVEST-PATTERNS.json
@ -0,0 +1,34 @@
+{
+  "id": "KB-CRED-HARVEST-PATTERNS",
+  "memory_type": "knowledge",
+  "doc_type": "kb",
+  "scenario": "phishing",
+  "title": "Credential Harvesting Indicators",
+  "abstract": "Common indicators that a phishing case involves credential harvesting rather than simple spam or benign mail.",
+  "key_points": [
+    "Landing page mimics Microsoft 365 or common SaaS login pages.",
+    "HTML attachment often acts as a redirector rather than containing malware.",
+    "Credential harvest campaigns frequently reuse branding and lures across tenants."
+  ],
+  "investigation_guidance": [
+    "Capture full redirect chain.",
+    "Look for post-click login anomalies in identity logs.",
+    "Search for same lure across multiple mailboxes."
+  ],
+  "decision_points": [
+    "User click plus sign-in anomaly greatly increases confidence.",
+    "Branding reuse can help link separate phishing cases into one campaign."
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-PHISH-001"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-CRED-HARVEST-PATTERNS.json",
+  "tags": [
+    "kb",
+    "phishing",
+    "credential-harvest"
+  ]
+}
--- a/evaluation/datasets/normalized_kb/KB-O365-IMPOSSIBLE-TRAVEL.json
+++ b/evaluation/datasets/normalized_kb/KB-O365-IMPOSSIBLE-TRAVEL.json
@ -0,0 +1,34 @@
+{
+  "id": "KB-O365-IMPOSSIBLE-TRAVEL",
+  "memory_type": "knowledge",
+  "doc_type": "kb",
+  "scenario": "o365_suspicious_login",
+  "title": "Interpreting O365 Impossible Travel Alerts",
+  "abstract": "Guidance for validating impossible travel alerts, including VPN, proxy, and approved travel false-positive conditions.",
+  "key_points": [
+    "Impossible travel must be validated against user travel context.",
+    "VPN egress and cloud proxy routing are common false-positive sources.",
+    "Pair sign-in anomaly with MFA, mailbox, or device anomalies before concluding compromise."
+  ],
+  "investigation_guidance": [
+    "Validate source ASN and IP history.",
+    "Check user-approved travel or remote work context.",
+    "Compare device ID and user agent consistency."
+  ],
+  "decision_points": [
+    "User denial of travel plus new device strongly increases confidence.",
+    "Approved travel and trusted VPN topology reduce confidence."
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-O365-LOGIN-001"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-O365-IMPOSSIBLE-TRAVEL.json",
+  "tags": [
+    "kb",
+    "o365",
+    "impossible-travel"
+  ]
+}
--- a/evaluation/datasets/normalized_kb/KB-O365-INBOX-RULE-ABUSE.json
+++ b/evaluation/datasets/normalized_kb/KB-O365-INBOX-RULE-ABUSE.json
@ -0,0 +1,33 @@
+{
+  "id": "KB-O365-INBOX-RULE-ABUSE",
+  "memory_type": "knowledge",
+  "doc_type": "kb",
+  "scenario": "o365_suspicious_login",
+  "title": "Inbox Rule Abuse After Account Compromise",
+  "abstract": "Common mailbox persistence behaviors after O365 account compromise, especially rule creation to hide or forward finance emails.",
+  "key_points": [
+    "Attackers often hide financial emails using move-to-folder rules.",
+    "Forwarding and delete rules are strong post-compromise indicators.",
+    "Mailbox audit logs should be reviewed immediately after suspicious login confirmation."
+  ],
+  "investigation_guidance": [
+    "Enumerate all inbox rules and forwarding settings.",
+    "Check mailbox audit timeline around suspicious sign-in.",
+    "Review OAuth consents if inbox rules are absent but suspicious mail actions continue."
+  ],
+  "decision_points": [
+    "Inbox rule creation shortly after suspicious login strongly supports compromise verdict."
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-O365-LOGIN-001"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-O365-INBOX-RULE-ABUSE.json",
+  "tags": [
+    "kb",
+    "o365",
+    "inbox-rule"
+  ]
+}
--- a/evaluation/datasets/normalized_kb/KB-O365-MFA-FATIGUE.json
+++ b/evaluation/datasets/normalized_kb/KB-O365-MFA-FATIGUE.json
@ -0,0 +1,33 @@
+{
+  "id": "KB-O365-MFA-FATIGUE",
+  "memory_type": "knowledge",
+  "doc_type": "kb",
+  "scenario": "o365_suspicious_login",
+  "title": "MFA Fatigue Detection Notes",
+  "abstract": "Patterns for identifying MFA fatigue / push bombing during account compromise attempts.",
+  "key_points": [
+    "Repeated MFA prompts preceding one successful prompt is suspicious.",
+    "User-reported prompt fatigue is strong supporting evidence.",
+    "MFA fatigue is often coupled with credential theft rather than password spray alone."
+  ],
+  "investigation_guidance": [
+    "Review MFA event counts and timing.",
+    "Check if the user acknowledged unexpected prompts.",
+    "Look for subsequent session hijacking or mailbox abuse."
+  ],
+  "decision_points": [
+    "Prompt flood plus user denial usually warrants immediate containment."
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-O365-LOGIN-001"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-O365-MFA-FATIGUE.json",
+  "tags": [
+    "kb",
+    "o365",
+    "mfa-fatigue"
+  ]
+}
--- a/evaluation/datasets/normalized_kb/KB-PHISH-HEADER-CHECK.json
+++ b/evaluation/datasets/normalized_kb/KB-PHISH-HEADER-CHECK.json
@ -0,0 +1,34 @@
+{
+  "id": "KB-PHISH-HEADER-CHECK",
+  "memory_type": "knowledge",
+  "doc_type": "kb",
+  "scenario": "phishing",
+  "title": "Phishing Header Validation Checklist",
+  "abstract": "Checklist for validating sender identity, domain reputation, and authentication results in suspected phishing emails.",
+  "key_points": [
+    "Review SPF, DKIM, and DMARC alignment.",
+    "Compare display name, envelope sender, and reply-to anomalies.",
+    "Check domain age and known-good communication history."
+  ],
+  "investigation_guidance": [
+    "Use message trace and header parser.",
+    "Compare sender domain with vendor allowlist.",
+    "Escalate lookalike domains even when content appears business-relevant."
+  ],
+  "decision_points": [
+    "Newly observed domains with failed auth are high-risk.",
+    "Benign vendor mail often has consistent historical sending patterns."
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-PHISH-001"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-PHISH-HEADER-CHECK.json",
+  "tags": [
+    "kb",
+    "phishing",
+    "email-header"
+  ]
+}
--- a/evaluation/datasets/normalized_kb/PB-O365-LOGIN-001.json
+++ b/evaluation/datasets/normalized_kb/PB-O365-LOGIN-001.json
@ -0,0 +1,36 @@
+{
+  "id": "PB-O365-LOGIN-001",
+  "memory_type": "knowledge",
+  "doc_type": "playbook",
+  "scenario": "o365_suspicious_login",
+  "title": "O365 Suspicious Login Investigation Playbook",
+  "abstract": "Standard investigation steps for suspicious Entra ID sign-ins, impossible travel, MFA abuse, and follow-on mailbox abuse.",
+  "key_points": [
+    "Confirm user travel and business context.",
+    "Review sign-in logs, device IDs, and user agents.",
+    "Inspect downstream actions such as inbox rules, app consent, and forwarding."
+  ],
+  "investigation_guidance": [
+    "Correlate MFA telemetry with sign-in sequence.",
+    "Check risky sign-ins and risky users views.",
+    "Revoke sessions and reset credentials when compromise is confirmed."
+  ],
+  "decision_points": [
+    "Impossible travel alone is insufficient without corroborating evidence.",
+    "Inbox rule creation after foreign login strongly increases confidence of compromise."
+  ],
+  "related_refs": {
+    "kb": [
+      "KB-O365-IMPOSSIBLE-TRAVEL",
+      "KB-O365-MFA-FATIGUE",
+      "KB-O365-INBOX-RULE-ABUSE"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/playbooks/PB-O365-LOGIN-001.json",
+  "tags": [
+    "playbook",
+    "o365",
+    "login"
+  ]
+}
--- a/evaluation/datasets/normalized_kb/PB-PHISH-001.json
+++ b/evaluation/datasets/normalized_kb/PB-PHISH-001.json
@ -0,0 +1,35 @@
+{
+  "id": "PB-PHISH-001",
+  "memory_type": "knowledge",
+  "doc_type": "playbook",
+  "scenario": "phishing",
+  "title": "Phishing Email Investigation Playbook",
+  "abstract": "Standard investigation steps for suspicious email, credential harvesting, and BEC-like cases.",
+  "key_points": [
+    "Validate sender authentication results.",
+    "Inspect landing URL and attachment behavior.",
+    "Check whether the user clicked or submitted credentials."
+  ],
+  "investigation_guidance": [
+    "Query email telemetry for same sender, subject, or URL.",
+    "Review mailbox click logs and endpoint browser artifacts.",
+    "Reset credentials if submission is suspected."
+  ],
+  "decision_points": [
+    "If sender auth fails and user interaction exists, treat as likely phishing.",
+    "If destination is allowlisted and communication pattern is expected, investigate false positive path."
+  ],
+  "related_refs": {
+    "kb": [
+      "KB-PHISH-HEADER-CHECK",
+      "KB-CRED-HARVEST-PATTERNS"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/playbooks/PB-PHISH-001.json",
+  "tags": [
+    "playbook",
+    "phishing",
+    "email"
+  ]
+}