Initial SOC memory POC implementation

evaluation/datasets/normalized_kb/KB-PHISH-HEADER-CHECK.json

@@ -0,0 +1,34 @@
+{
+  "id": "KB-PHISH-HEADER-CHECK",
+  "memory_type": "knowledge",
+  "doc_type": "kb",
+  "scenario": "phishing",
+  "title": "Phishing Header Validation Checklist",
+  "abstract": "Checklist for validating sender identity, domain reputation, and authentication results in suspected phishing emails.",
+  "key_points": [
+    "Review SPF, DKIM, and DMARC alignment.",
+    "Compare display name, envelope sender, and reply-to anomalies.",
+    "Check domain age and known-good communication history."
+  ],
+  "investigation_guidance": [
+    "Use message trace and header parser.",
+    "Compare sender domain with vendor allowlist.",
+    "Escalate lookalike domains even when content appears business-relevant."
+  ],
+  "decision_points": [
+    "Newly observed domains with failed auth are high-risk.",
+    "Benign vendor mail often has consistent historical sending patterns."
+  ],
+  "related_refs": {
+    "playbooks": [
+      "PB-PHISH-001"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-PHISH-HEADER-CHECK.json",
+  "tags": [
+    "kb",
+    "phishing",
+    "email-header"
+  ]
+}