Initial SOC memory POC implementation

evaluation/datasets/normalized_kb/KB-CRED-HARVEST-PATTERNS.json

@@ -0,0 +1,34 @@
+{
+  "id": "KB-CRED-HARVEST-PATTERNS",
+  "memory_type": "knowledge",
+  "doc_type": "kb",
+  "scenario": "phishing",
+  "title": "Credential Harvesting Indicators",
+  "abstract": "Common indicators that a phishing case involves credential harvesting rather than simple spam or benign mail.",
+  "key_points": [
+    "Landing page mimics Microsoft 365 or common SaaS login pages.",
+    "HTML attachment often acts as a redirector rather than containing malware.",
+    "Credential harvest campaigns frequently reuse branding and lures across tenants."
+  ],
+  "investigation_guidance": [
+    "Capture full redirect chain.",
+    "Look for post-click login anomalies in identity logs.",
+    "Search for same lure across multiple mailboxes."
+  ],
+  "decision_points": [
+    "User click plus sign-in anomaly greatly increases confidence.",
+    "Branding reuse can help link separate phishing cases into one campaign."
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-PHISH-001"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-CRED-HARVEST-PATTERNS.json",
+  "tags": [
+    "kb",
+    "phishing",
+    "credential-harvest"
+  ]
+}