Initial SOC memory POC implementation

evaluation/datasets/normalized_kb/PB-PHISH-001.json

@@ -0,0 +1,35 @@
+{
+  "id": "PB-PHISH-001",
+  "memory_type": "knowledge",
+  "doc_type": "playbook",
+  "scenario": "phishing",
+  "title": "Phishing Email Investigation Playbook",
+  "abstract": "Standard investigation steps for suspicious email, credential harvesting, and BEC-like cases.",
+  "key_points": [
+    "Validate sender authentication results.",
+    "Inspect landing URL and attachment behavior.",
+    "Check whether the user clicked or submitted credentials."
+  ],
+  "investigation_guidance": [
+    "Query email telemetry for same sender, subject, or URL.",
+    "Review mailbox click logs and endpoint browser artifacts.",
+    "Reset credentials if submission is suspected."
+  ],
+  "decision_points": [
+    "If sender auth fails and user interaction exists, treat as likely phishing.",
+    "If destination is allowlisted and communication pattern is expected, investigate false positive path."
+  ],
+  "related_refs": {
+    "kb": [
+      "KB-PHISH-HEADER-CHECK",
+      "KB-CRED-HARVEST-PATTERNS"
+    ],
+    "cases": []
+  },
+  "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/playbooks/PB-PHISH-001.json",
+  "tags": [
+    "playbook",
+    "phishing",
+    "email"
+  ]
+}