Initial SOC memory POC implementation

2026-04-27 17:13:06 +08:00
parent fc68581198
commit e6b1520bce
89 changed files with 7610 additions and 1 deletions
--- a/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1001
+++ b/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1001
@ -0,0 +1,101 @@
+---
+case_id: CASE-2026-1001
+scenario: o365_suspicious_login
+alert_type: azuread_impossible_travel
+severity: high
+verdict: true_positive
+source: soc-memory-poc
+openviking_enriched: true
+---
+
+# CASE-2026-1001 Impossible travel login followed by MFA prompt fatigue
+
+## 基本信息
+
+- Case ID: CASE-2026-1001
+- 标题: Impossible travel login followed by MFA prompt fatigue
+- 告警类型: azuread_impossible_travel
+- 来源系统: SOC Memory POC Mock Dataset
+- 时间范围: 待补充
+- 研判人 / Agent: AI Agent Draft
+- 最终结论: 真报
+- 严重等级: high
+
+## 告警摘要
+
+User account showed impossible travel between Shanghai and Amsterdam, followed by repeated MFA prompts and successful sign-in.
+
+## 关键实体
+
+- 用户: david@corp.example
+- 主机: WS-DAVID-01
+- 邮箱: david@corp.example
+- IP: 203.0.113.150, 198.51.100.61
+- 域名: 无
+- 文件 Hash: 无
+- 其他 IOC: 无
+
+## 关键证据
+
+- Two successful sign-ins from geographically impossible locations within 15 minutes.
+- MFA challenge volume increased abnormally before final success.
+- User confirmed they did not initiate overseas login.
+
+## 研判过程摘要
+
+1. 确认告警场景与核心风险：User account showed impossible travel between Shanghai and Amsterdam, followed by repeated MFA prompts and successful sign-in.
+2. 提取关键证据并交叉验证：Two successful sign-ins from geographically impossible locations within 15 minutes.
+3. 对照关联 playbook / KB 复核告警模式与处置路径。
+4. 基于关键证据与场景模式完成结论判定：真报。
+
+## 结论依据
+
+- 结论为真报。
+- 最关键依据：Two successful sign-ins from geographically impossible locations within 15 minutes.
+- 补充依据：MFA challenge volume increased abnormally before final success.
+
+## 处置建议
+
+- 复核登录来源、MFA 事件和后续邮箱规则或 OAuth 变更。
+- 若存在账号接管迹象，立即执行会话失效和凭据重置。
+
+## 可复用模式
+
+- 命中模式: scenario:o365_suspicious_login, alert_type:azuread_impossible_travel
+- 误报特征: 无
+- 需关注的变体: 相关标签：o365, login, impossible-travel, mfa-fatigue
+
+## 关联知识
+
+- 关联 Playbook: [[PB-O365-LOGIN-001]]
+- 关联 KB: [[KB-O365-IMPOSSIBLE-TRAVEL]], [[KB-O365-MFA-FATIGUE]]
+- 关联历史 Case: [[CASE-2026-1005]], [[CASE-2026-1004]]
+- 关联实体: [[david@corp.example]], [[WS-DAVID-01]]
+
+## 自动关联推荐
+
+### 推荐历史 Case
+
+- [[CASE-2026-1005]] (case score=0.687) This directory contains a single case record documenting a false positive alert triggered by Microsoft 365’s impossible travel detection sys...
+- [[CASE-2026-1004]] (case score=0.636) This directory contains a single incident case file related to a suspicious Microsoft 365 login attempt, identified as CASE-2026-1004. The c...
+
+### 推荐知识条目
+
+- [[KB-O365-IMPOSSIBLE-TRAVEL]] (knowledge score=0.69) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...
+- [[PB-O365-LOGIN-001]] (knowledge score=0.63) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...
+
+## Lessons Learned
+
+- 本案可沉淀为后续同类告警的快速判定参考。
+- 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。
+
+## 标签
+
+- #case
+- #scenario/o365_suspicious_login
+- #alert/azuread_impossible_travel
+- #verdict/true-positive
+- #o365
+- #login
+- #impossible-travel
+- #mfa-fatigue
--- a/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1002
+++ b/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1002
@ -0,0 +1,100 @@
+---
+case_id: CASE-2026-1002
+scenario: o365_suspicious_login
+alert_type: azuread_legacy_auth_attempt
+severity: medium
+verdict: false_positive
+source: soc-memory-poc
+openviking_enriched: true
+---
+
+# CASE-2026-1002 Legacy protocol sign-in from unfamiliar IP blocked by policy
+
+## 基本信息
+
+- Case ID: CASE-2026-1002
+- 标题: Legacy protocol sign-in from unfamiliar IP blocked by policy
+- 告警类型: azuread_legacy_auth_attempt
+- 来源系统: SOC Memory POC Mock Dataset
+- 时间范围: 待补充
+- 研判人 / Agent: AI Agent Draft
+- 最终结论: 误报
+- 严重等级: medium
+
+## 告警摘要
+
+Legacy authentication attempt from a cloud IP was blocked; investigation tied it to an approved migration tool test.
+
+## 关键实体
+
+- 用户: svc-migration@corp.example
+- 主机: 无
+- 邮箱: svc-migration@corp.example
+- IP: 192.0.2.24
+- 域名: 无
+- 文件 Hash: 无
+- 其他 IOC: 无
+
+## 关键证据
+
+- The account is a known migration service account.
+- Source IP matched approved cloud migration vendor range.
+- No successful sign-in occurred due to policy block.
+
+## 研判过程摘要
+
+1. 确认告警场景与核心风险：Legacy authentication attempt from a cloud IP was blocked; investigation tied it to an approved migration tool test.
+2. 提取关键证据并交叉验证：The account is a known migration service account.
+3. 对照关联 playbook / KB 复核告警模式与处置路径。
+4. 基于关键证据与场景模式完成结论判定：误报。
+
+## 结论依据
+
+- 结论为误报。
+- 最关键依据：The account is a known migration service account.
+- 补充依据：Source IP matched approved cloud migration vendor range.
+
+## 处置建议
+
+- 记录误报原因，并更新检测例外或抑制条件。
+
+## 可复用模式
+
+- 命中模式: scenario:o365_suspicious_login, alert_type:azuread_legacy_auth_attempt
+- 误报特征: 本案最终确认为误报，可用于补充抑制条件。
+- 需关注的变体: 相关标签：o365, login, false-positive, legacy-auth
+
+## 关联知识
+
+- 关联 Playbook: [[PB-O365-LOGIN-001]]
+- 关联 KB: [[KB-O365-LEGACY-AUTH]], [[KB-O365-IMPOSSIBLE-TRAVEL]]
+- 关联历史 Case: [[CASE-2026-1001]], [[CASE-2026-1004]]
+- 关联实体: [[svc-migration@corp.example]]
+
+## 自动关联推荐
+
+### 推荐历史 Case
+
+- [[CASE-2026-1001]] (case score=0.651) This directory contains a structured security incident case report related to a high-severity event in an Office 365 environment, identified...
+- [[CASE-2026-1004]] (case score=0.634) This directory contains a single incident case file related to a suspicious Microsoft 365 login attempt, identified as CASE-2026-1004. The c...
+
+### 推荐知识条目
+
+- [[KB-O365-IMPOSSIBLE-TRAVEL]] (knowledge score=0.626) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...
+- [[PB-O365-LOGIN-001]] (knowledge score=0.61) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...
+
+## Lessons Learned
+
+- 本案可沉淀为后续同类告警的快速判定参考。
+- 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。
+
+## 标签
+
+- #case
+- #scenario/o365_suspicious_login
+- #alert/azuread_legacy_auth_attempt
+- #verdict/false-positive
+- #o365
+- #login
+- #false-positive
+- #legacy-auth
--- a/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1003
+++ b/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1003
@ -0,0 +1,101 @@
+---
+case_id: CASE-2026-1003
+scenario: o365_suspicious_login
+alert_type: azuread_suspicious_inbox_rule_after_login
+severity: high
+verdict: true_positive
+source: soc-memory-poc
+openviking_enriched: true
+---
+
+# CASE-2026-1003 Suspicious inbox rule creation after successful foreign login
+
+## 基本信息
+
+- Case ID: CASE-2026-1003
+- 标题: Suspicious inbox rule creation after successful foreign login
+- 告警类型: azuread_suspicious_inbox_rule_after_login
+- 来源系统: SOC Memory POC Mock Dataset
+- 时间范围: 待补充
+- 研判人 / Agent: AI Agent Draft
+- 最终结论: 真报
+- 严重等级: high
+
+## 告警摘要
+
+An overseas sign-in to Microsoft 365 was followed by inbox rule creation to hide finance-related emails.
+
+## 关键实体
+
+- 用户: emma@corp.example
+- 主机: WS-EMMA-07
+- 邮箱: emma@corp.example
+- IP: 198.51.100.98
+- 域名: 无
+- 文件 Hash: 无
+- 其他 IOC: 无
+
+## 关键证据
+
+- Successful sign-in from untrusted ASN.
+- Inbox rule moved wire transfer emails to RSS Feeds folder.
+- Mailbox audit showed rule creation minutes after login.
+
+## 研判过程摘要
+
+1. 确认告警场景与核心风险：An overseas sign-in to Microsoft 365 was followed by inbox rule creation to hide finance-related emails.
+2. 提取关键证据并交叉验证：Successful sign-in from untrusted ASN.
+3. 对照关联 playbook / KB 复核告警模式与处置路径。
+4. 基于关键证据与场景模式完成结论判定：真报。
+
+## 结论依据
+
+- 结论为真报。
+- 最关键依据：Successful sign-in from untrusted ASN.
+- 补充依据：Inbox rule moved wire transfer emails to RSS Feeds folder.
+
+## 处置建议
+
+- 复核登录来源、MFA 事件和后续邮箱规则或 OAuth 变更。
+- 若存在账号接管迹象，立即执行会话失效和凭据重置。
+
+## 可复用模式
+
+- 命中模式: scenario:o365_suspicious_login, alert_type:azuread_suspicious_inbox_rule_after_login
+- 误报特征: 无
+- 需关注的变体: 相关标签：o365, login, inbox-rule, account-compromise
+
+## 关联知识
+
+- 关联 Playbook: [[PB-O365-LOGIN-001]]
+- 关联 KB: [[KB-O365-INBOX-RULE-ABUSE]], [[KB-O365-IMPOSSIBLE-TRAVEL]]
+- 关联历史 Case: [[CASE-2026-1005]], [[CASE-2026-1001]]
+- 关联实体: [[emma@corp.example]], [[WS-EMMA-07]]
+
+## 自动关联推荐
+
+### 推荐历史 Case
+
+- [[CASE-2026-1005]] (case score=0.667) This directory contains a single case record documenting a false positive alert triggered by Microsoft 365’s impossible travel detection sys...
+- [[CASE-2026-1001]] (case score=0.666) This document is a structured case report detailing a high-severity security incident involving suspicious login activity in an Office 365 e...
+
+### 推荐知识条目
+
+- [[PB-O365-LOGIN-001]] (knowledge score=0.653) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...
+- [[KB-O365-IMPOSSIBLE-TRAVEL]] (knowledge score=0.645) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...
+
+## Lessons Learned
+
+- 本案可沉淀为后续同类告警的快速判定参考。
+- 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。
+
+## 标签
+
+- #case
+- #scenario/o365_suspicious_login
+- #alert/azuread_suspicious_inbox_rule_after_login
+- #verdict/true-positive
+- #o365
+- #login
+- #inbox-rule
+- #account-compromise
--- a/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1004
+++ b/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1004
@ -0,0 +1,101 @@
+---
+case_id: CASE-2026-1004
+scenario: o365_suspicious_login
+alert_type: azuread_password_spray_attempt
+severity: medium
+verdict: uncertain
+source: soc-memory-poc
+openviking_enriched: true
+---
+
+# CASE-2026-1004 Multiple failed logins from residential proxy but no successful access
+
+## 基本信息
+
+- Case ID: CASE-2026-1004
+- 标题: Multiple failed logins from residential proxy but no successful access
+- 告警类型: azuread_password_spray_attempt
+- 来源系统: SOC Memory POC Mock Dataset
+- 时间范围: 待补充
+- 研判人 / Agent: AI Agent Draft
+- 最终结论: uncertain
+- 严重等级: medium
+
+## 告警摘要
+
+Repeated failed Microsoft 365 sign-in attempts targeted one user from a residential proxy network, with no successful authentication observed.
+
+## 关键实体
+
+- 用户: frank@corp.example
+- 主机: 无
+- 邮箱: frank@corp.example
+- IP: 203.0.113.201
+- 域名: 无
+- 文件 Hash: 无
+- 其他 IOC: 无
+
+## 关键证据
+
+- High-volume failed attempts over a short period.
+- Source IP attributed to a residential proxy provider.
+- No matching successful sign-in or MFA event found.
+
+## 研判过程摘要
+
+1. 确认告警场景与核心风险：Repeated failed Microsoft 365 sign-in attempts targeted one user from a residential proxy network, with no successful authentication observed.
+2. 提取关键证据并交叉验证：High-volume failed attempts over a short period.
+3. 对照关联 playbook / KB 复核告警模式与处置路径。
+4. 基于关键证据与场景模式完成结论判定：uncertain。
+
+## 结论依据
+
+- 结论为uncertain。
+- 最关键依据：High-volume failed attempts over a short period.
+- 补充依据：Source IP attributed to a residential proxy provider.
+
+## 处置建议
+
+- 复核登录来源、MFA 事件和后续邮箱规则或 OAuth 变更。
+- 若存在账号接管迹象，立即执行会话失效和凭据重置。
+
+## 可复用模式
+
+- 命中模式: scenario:o365_suspicious_login, alert_type:azuread_password_spray_attempt
+- 误报特征: 无
+- 需关注的变体: 相关标签：o365, login, password-spray, pending
+
+## 关联知识
+
+- 关联 Playbook: [[PB-O365-LOGIN-001]]
+- 关联 KB: [[KB-O365-IMPOSSIBLE-TRAVEL]]
+- 关联历史 Case: [[CASE-2026-1001]], [[CASE-2026-1003]]
+- 关联实体: [[frank@corp.example]]
+
+## 自动关联推荐
+
+### 推荐历史 Case
+
+- [[CASE-2026-1001]] (case score=0.665) This directory contains a structured security incident case report related to a high-severity event in an Office 365 environment, identified...
+- [[CASE-2026-1003]] (case score=0.627) This directory contains a structured incident case report focused on a confirmed Microsoft 365 account compromise involving suspicious login...
+
+### 推荐知识条目
+
+- [[PB-O365-LOGIN-001]] (knowledge score=0.614) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...
+- [[KB-O365-IMPOSSIBLE-TRAVEL]] (knowledge score=0.609) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...
+
+## Lessons Learned
+
+- 本案可沉淀为后续同类告警的快速判定参考。
+- 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。
+
+## 标签
+
+- #case
+- #scenario/o365_suspicious_login
+- #alert/azuread_password_spray_attempt
+- #verdict/uncertain
+- #o365
+- #login
+- #password-spray
+- #pending
--- a/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1005
+++ b/obsidian-vault/02_Cases/o365_suspicious_login/CASE-2026-1005
@ -0,0 +1,100 @@
+---
+case_id: CASE-2026-1005
+scenario: o365_suspicious_login
+alert_type: azuread_impossible_travel
+severity: medium
+verdict: false_positive
+source: soc-memory-poc
+openviking_enriched: true
+---
+
+# CASE-2026-1005 Traveling executive triggered impossible travel but activity was legitimate
+
+## 基本信息
+
+- Case ID: CASE-2026-1005
+- 标题: Traveling executive triggered impossible travel but activity was legitimate
+- 告警类型: azuread_impossible_travel
+- 来源系统: SOC Memory POC Mock Dataset
+- 时间范围: 待补充
+- 研判人 / Agent: AI Agent Draft
+- 最终结论: 误报
+- 严重等级: medium
+
+## 告警摘要
+
+Executive account triggered impossible travel due to corporate VPN exit node while the user was on an approved overseas trip.
+
+## 关键实体
+
+- 用户: grace@corp.example
+- 主机: VIP-LAPTOP-01
+- 邮箱: grace@corp.example
+- IP: 192.0.2.90, 203.0.113.77
+- 域名: 无
+- 文件 Hash: 无
+- 其他 IOC: 无
+
+## 关键证据
+
+- Approved travel request existed.
+- One login originated from corporate VPN exit node.
+- Device and user agent were consistent with known user profile.
+
+## 研判过程摘要
+
+1. 确认告警场景与核心风险：Executive account triggered impossible travel due to corporate VPN exit node while the user was on an approved overseas trip.
+2. 提取关键证据并交叉验证：Approved travel request existed.
+3. 对照关联 playbook / KB 复核告警模式与处置路径。
+4. 基于关键证据与场景模式完成结论判定：误报。
+
+## 结论依据
+
+- 结论为误报。
+- 最关键依据：Approved travel request existed.
+- 补充依据：One login originated from corporate VPN exit node.
+
+## 处置建议
+
+- 记录误报原因，并更新检测例外或抑制条件。
+
+## 可复用模式
+
+- 命中模式: scenario:o365_suspicious_login, alert_type:azuread_impossible_travel
+- 误报特征: 本案最终确认为误报，可用于补充抑制条件。
+- 需关注的变体: 相关标签：o365, login, false-positive, travel
+
+## 关联知识
+
+- 关联 Playbook: [[PB-O365-LOGIN-001]]
+- 关联 KB: [[KB-O365-IMPOSSIBLE-TRAVEL]]
+- 关联历史 Case: [[CASE-2026-1001]], [[CASE-2026-1004]]
+- 关联实体: [[grace@corp.example]], [[VIP-LAPTOP-01]]
+
+## 自动关联推荐
+
+### 推荐历史 Case
+
+- [[CASE-2026-1001]] (case score=0.684) This directory contains a structured security incident case report related to a high-severity event in an Office 365 environment, identified...
+- [[CASE-2026-1004]] (case score=0.63) This directory contains a single incident case file related to a suspicious Microsoft 365 login attempt, identified as CASE-2026-1004. The c...
+
+### 推荐知识条目
+
+- [[KB-O365-IMPOSSIBLE-TRAVEL]] (knowledge score=0.703) This directory contains a knowledge base artifact focused on analyzing and validating Microsoft 365 impossible travel alerts—security events...
+- [[PB-O365-LOGIN-001]] (knowledge score=0.626) This directory contains a security playbook focused on detecting and responding to suspicious Microsoft Entra ID sign-in activities within M...
+
+## Lessons Learned
+
+- 本案可沉淀为后续同类告警的快速判定参考。
+- 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。
+
+## 标签
+
+- #case
+- #scenario/o365_suspicious_login
+- #alert/azuread_impossible_travel
+- #verdict/false-positive
+- #o365
+- #login
+- #false-positive
+- #travel
--- a/obsidian-vault/02_Cases/phishing/CASE-2026-0001
+++ b/obsidian-vault/02_Cases/phishing/CASE-2026-0001
@ -0,0 +1,101 @@
+---
+case_id: CASE-2026-0001
+scenario: phishing
+alert_type: mail_suspicious_attachment
+severity: high
+verdict: true_positive
+source: soc-memory-poc
+openviking_enriched: true
+---
+
+# CASE-2026-0001 Finance user received invoice-themed phishing email
+
+## 基本信息
+
+- Case ID: CASE-2026-0001
+- 标题: Finance user received invoice-themed phishing email
+- 告警类型: mail_suspicious_attachment
+- 来源系统: SOC Memory POC Mock Dataset
+- 时间范围: 待补充
+- 研判人 / Agent: AI Agent Draft
+- 最终结论: 真报
+- 严重等级: high
+
+## 告警摘要
+
+Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.
+
+## 关键实体
+
+- 用户: alice@corp.example
+- 主机: FIN-LAPTOP-12
+- 邮箱: alice@corp.example
+- IP: 198.51.100.20
+- 域名: vendor-payments.com, vendor-payments-login.com
+- 文件 Hash: sha256:phish0001
+- 其他 IOC: https://vendor-payments-login.com/review, billing@vendor-payments.com
+
+## 关键证据
+
+- Sender domain was newly observed and failed DMARC.
+- Attachment redirected to a fake Microsoft 365 login page.
+- User clicked the link before mail quarantine completed.
+
+## 研判过程摘要
+
+1. 确认告警场景与核心风险：Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.
+2. 提取关键证据并交叉验证：Sender domain was newly observed and failed DMARC.
+3. 对照关联 playbook / KB 复核告警模式与处置路径。
+4. 基于关键证据与场景模式完成结论判定：真报。
+
+## 结论依据
+
+- 结论为真报。
+- 最关键依据：Sender domain was newly observed and failed DMARC.
+- 补充依据：Attachment redirected to a fake Microsoft 365 login page.
+
+## 处置建议
+
+- 隔离相同主题、发件人或 URL 的邮件样本。
+- 核查用户是否点击或提交凭据，并按需执行凭据重置。
+
+## 可复用模式
+
+- 命中模式: scenario:phishing, alert_type:mail_suspicious_attachment
+- 误报特征: 无
+- 需关注的变体: 相关标签：phishing, email, credential-harvest, finance
+
+## 关联知识
+
+- 关联 Playbook: [[PB-PHISH-001]]
+- 关联 KB: [[KB-PHISH-HEADER-CHECK]], [[KB-CRED-HARVEST-PATTERNS]]
+- 关联历史 Case: [[CASE-2026-0004]], [[CASE-2026-0002]]
+- 关联实体: [[alice@corp.example]], [[FIN-LAPTOP-12]]
+
+## 自动关联推荐
+
+### 推荐历史 Case
+
+- [[CASE-2026-0004]] (case score=0.662) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...
+- [[CASE-2026-0002]] (case score=0.631) This directory contains a single case record detailing the investigation of a suspicious payroll notification email flagged due to a shorten...
+
+### 推荐知识条目
+
+- [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.656) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
+- [[PB-PHISH-001]] (knowledge score=0.639) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
+
+## Lessons Learned
+
+- 本案可沉淀为后续同类告警的快速判定参考。
+- 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。
+
+## 标签
+
+- #case
+- #scenario/phishing
+- #alert/mail_suspicious_attachment
+- #verdict/true-positive
+- #phishing
+- #email
+- #credential-harvest
+- #finance
--- a/obsidian-vault/02_Cases/phishing/CASE-2026-0002
+++ b/obsidian-vault/02_Cases/phishing/CASE-2026-0002
@ -0,0 +1,100 @@
+---
+case_id: CASE-2026-0002
+scenario: phishing
+alert_type: mail_suspicious_link
+severity: medium
+verdict: false_positive
+source: soc-memory-poc
+openviking_enriched: true
+---
+
+# CASE-2026-0002 Payroll notification email flagged but determined benign
+
+## 基本信息
+
+- Case ID: CASE-2026-0002
+- 标题: Payroll notification email flagged but determined benign
+- 告警类型: mail_suspicious_link
+- 来源系统: SOC Memory POC Mock Dataset
+- 时间范围: 待补充
+- 研判人 / Agent: AI Agent Draft
+- 最终结论: 误报
+- 严重等级: medium
+
+## 告警摘要
+
+Payroll update email was flagged due to a shortened URL, but the destination was the approved HR vendor portal.
+
+## 关键实体
+
+- 用户: bob@corp.example
+- 主机: HR-LAPTOP-03
+- 邮箱: bob@corp.example
+- IP: 无
+- 域名: hr-vendor.example
+- 文件 Hash: 无
+- 其他 IOC: https://bit.ly/hr-portal-example, notify@hr-vendor.example
+
+## 关键证据
+
+- Sender domain aligned with SPF and DKIM.
+- Destination domain matched approved supplier inventory.
+- No credential prompt anomaly observed.
+
+## 研判过程摘要
+
+1. 确认告警场景与核心风险：Payroll update email was flagged due to a shortened URL, but the destination was the approved HR vendor portal.
+2. 提取关键证据并交叉验证：Sender domain aligned with SPF and DKIM.
+3. 对照关联 playbook / KB 复核告警模式与处置路径。
+4. 基于关键证据与场景模式完成结论判定：误报。
+
+## 结论依据
+
+- 结论为误报。
+- 最关键依据：Sender domain aligned with SPF and DKIM.
+- 补充依据：Destination domain matched approved supplier inventory.
+
+## 处置建议
+
+- 记录误报原因，并更新检测例外或抑制条件。
+
+## 可复用模式
+
+- 命中模式: scenario:phishing, alert_type:mail_suspicious_link
+- 误报特征: 本案最终确认为误报，可用于补充抑制条件。
+- 需关注的变体: 相关标签：phishing, email, false-positive, vendor
+
+## 关联知识
+
+- 关联 Playbook: [[PB-PHISH-001]]
+- 关联 KB: [[KB-PHISH-HEADER-CHECK]], [[KB-CRED-HARVEST-PATTERNS]]
+- 关联历史 Case: [[CASE-2026-0004]], [[CASE-2026-0001]]
+- 关联实体: [[bob@corp.example]], [[HR-LAPTOP-03]]
+
+## 自动关联推荐
+
+### 推荐历史 Case
+
+- [[CASE-2026-0004]] (case score=0.549) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...
+- [[CASE-2026-0001]] (case score=0.532) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic...
+
+### 推荐知识条目
+
+- [[PB-PHISH-001]] (knowledge score=0.514) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
+- [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.494) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
+
+## Lessons Learned
+
+- 本案可沉淀为后续同类告警的快速判定参考。
+- 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。
+
+## 标签
+
+- #case
+- #scenario/phishing
+- #alert/mail_suspicious_link
+- #verdict/false-positive
+- #phishing
+- #email
+- #false-positive
+- #vendor
--- a/obsidian-vault/02_Cases/phishing/CASE-2026-0003
+++ b/obsidian-vault/02_Cases/phishing/CASE-2026-0003
@ -0,0 +1,101 @@
+---
+case_id: CASE-2026-0003
+scenario: phishing
+alert_type: mail_bec_impersonation
+severity: high
+verdict: true_positive
+source: soc-memory-poc
+openviking_enriched: true
+---
+
+# CASE-2026-0003 Executive impersonation email requested urgent wire transfer
+
+## 基本信息
+
+- Case ID: CASE-2026-0003
+- 标题: Executive impersonation email requested urgent wire transfer
+- 告警类型: mail_bec_impersonation
+- 来源系统: SOC Memory POC Mock Dataset
+- 时间范围: 待补充
+- 研判人 / Agent: AI Agent Draft
+- 最终结论: 真报
+- 严重等级: high
+
+## 告警摘要
+
+An executive impersonation email targeted finance staff with an urgent wire transfer request from a lookalike domain.
+
+## 关键实体
+
+- 用户: carol@corp.example
+- 主机: FIN-LAPTOP-08
+- 邮箱: carol@corp.example
+- IP: 203.0.113.45
+- 域名: c0rp-example.com
+- 文件 Hash: 无
+- 其他 IOC: ceo@c0rp-example.com
+
+## 关键证据
+
+- Lookalike domain used numeric substitution.
+- Language pressure matched prior BEC pattern.
+- No historical communication from sender domain.
+
+## 研判过程摘要
+
+1. 确认告警场景与核心风险：An executive impersonation email targeted finance staff with an urgent wire transfer request from a lookalike domain.
+2. 提取关键证据并交叉验证：Lookalike domain used numeric substitution.
+3. 对照关联 playbook / KB 复核告警模式与处置路径。
+4. 基于关键证据与场景模式完成结论判定：真报。
+
+## 结论依据
+
+- 结论为真报。
+- 最关键依据：Lookalike domain used numeric substitution.
+- 补充依据：Language pressure matched prior BEC pattern.
+
+## 处置建议
+
+- 隔离相同主题、发件人或 URL 的邮件样本。
+- 核查用户是否点击或提交凭据，并按需执行凭据重置。
+
+## 可复用模式
+
+- 命中模式: scenario:phishing, alert_type:mail_bec_impersonation
+- 误报特征: 无
+- 需关注的变体: 相关标签：phishing, bec, executive-impersonation
+
+## 关联知识
+
+- 关联 Playbook: [[PB-PHISH-001]]
+- 关联 KB: [[KB-CRED-HARVEST-PATTERNS]], [[KB-PHISH-HEADER-CHECK]]
+- 关联历史 Case: [[CASE-2026-0001]], [[CASE-2026-0004]]
+- 关联实体: [[carol@corp.example]], [[FIN-LAPTOP-08]]
+
+## 自动关联推荐
+
+### 推荐历史 Case
+
+- [[CASE-2026-0001]] (case score=0.572) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic...
+- [[CASE-2026-0004]] (case score=0.566) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...
+
+### 推荐知识条目
+
+- [[PB-PHISH-001]] (knowledge score=0.538) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
+- [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.522) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
+- [[KB-PHISH-HEADER-CHECK]] (knowledge score=0.512) This directory contains a structured knowledge base document focused on validating phishing emails through detailed analysis of email header...
+
+## Lessons Learned
+
+- 本案可沉淀为后续同类告警的快速判定参考。
+- 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。
+
+## 标签
+
+- #case
+- #scenario/phishing
+- #alert/mail_bec_impersonation
+- #verdict/true-positive
+- #phishing
+- #bec
+- #executive-impersonation
--- a/obsidian-vault/02_Cases/phishing/CASE-2026-0004
+++ b/obsidian-vault/02_Cases/phishing/CASE-2026-0004
@ -0,0 +1,100 @@
+---
+case_id: CASE-2026-0004
+scenario: phishing
+alert_type: mail_suspicious_attachment
+severity: medium
+verdict: true_positive
+source: soc-memory-poc
+openviking_enriched: true
+---
+
+# CASE-2026-0004 Shared mailbox received OneDrive lure with HTML attachment
+
+## 基本信息
+
+- Case ID: CASE-2026-0004
+- 标题: Shared mailbox received OneDrive lure with HTML attachment
+- 告警类型: mail_suspicious_attachment
+- 来源系统: SOC Memory POC Mock Dataset
+- 时间范围: 待补充
+- 研判人 / Agent: AI Agent Draft
+- 最终结论: 真报
+- 严重等级: medium
+
+## 告警摘要
+
+Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection.
+
+## 关键实体
+
+- 用户: shared-finance@corp.example
+- 主机: 无
+- 邮箱: shared-finance@corp.example
+- IP: 198.51.100.87
+- 域名: sharepoint-notify.com
+- 文件 Hash: sha256:phish0004
+- 其他 IOC: https://onedrive-review-login.example, noreply@sharepoint-notify.com
+
+## 关键证据
+
+- Attachment rendered a fake Microsoft sign-in page.
+- Landing page hosted outside Microsoft IP space.
+- Mail body reused branding from previous phishing campaign.
+
+## 研判过程摘要
+
+1. 确认告警场景与核心风险：Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection.
+2. 提取关键证据并交叉验证：Attachment rendered a fake Microsoft sign-in page.
+3. 对照关联 playbook / KB 复核告警模式与处置路径。
+4. 基于关键证据与场景模式完成结论判定：真报。
+
+## 结论依据
+
+- 结论为真报。
+- 最关键依据：Attachment rendered a fake Microsoft sign-in page.
+- 补充依据：Landing page hosted outside Microsoft IP space.
+
+## 处置建议
+
+- 隔离相同主题、发件人或 URL 的邮件样本。
+- 核查用户是否点击或提交凭据，并按需执行凭据重置。
+
+## 可复用模式
+
+- 命中模式: scenario:phishing, alert_type:mail_suspicious_attachment
+- 误报特征: 无
+- 需关注的变体: 相关标签：phishing, email, onedrive-lure
+
+## 关联知识
+
+- 关联 Playbook: [[PB-PHISH-001]]
+- 关联 KB: [[KB-CRED-HARVEST-PATTERNS]]
+- 关联历史 Case: [[CASE-2026-0001]], [[CASE-2026-0003]]
+- 关联实体: [[shared-finance@corp.example]]
+
+## 自动关联推荐
+
+### 推荐历史 Case
+
+- [[CASE-2026-0001]] (case score=0.675) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic...
+- [[CASE-2026-0003]] (case score=0.606) This directory contains a structured incident report for a high-severity phishing attack involving executive impersonation, classified under...
+
+### 推荐知识条目
+
+- [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.652) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
+- [[PB-PHISH-001]] (knowledge score=0.608) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
+
+## Lessons Learned
+
+- 本案可沉淀为后续同类告警的快速判定参考。
+- 若后续出现相同 lure、同类登录模式或相同关键证据，应优先联想本案与关联知识。
+
+## 标签
+
+- #case
+- #scenario/phishing
+- #alert/mail_suspicious_attachment
+- #verdict/true-positive
+- #phishing
+- #email
+- #onedrive-lure
--- a/obsidian-vault/05_Templates/case-note-template.md
+++ b/obsidian-vault/05_Templates/case-note-template.md
@ -0,0 +1,76 @@
+# Case Note Template
+
+## 基本信息
+
+- Case ID:
+- 标题:
+- 告警类型:
+- 来源系统:
+- 时间范围:
+- 研判人 / Agent:
+- 最终结论:
+- 严重等级:
+
+## 告警摘要
+
+一句话概述这次 case 的核心问题。
+
+## 关键实体
+
+- 用户:
+- 主机:
+- 邮箱:
+- IP:
+- 域名:
+- 文件 Hash:
+- 其他 IOC:
+
+## 关键证据
+
+- 证据 1:
+- 证据 2:
+- 证据 3:
+
+## 研判过程摘要
+
+只保留对后续复用有价值的关键步骤，不记录所有原始过程。
+
+1. 
+2. 
+3. 
+
+## 结论依据
+
+- 为什么判定为真报 / 误报 / 可疑待定
+- 哪些信号最关键
+
+## 处置建议
+
+- 
+- 
+
+## 可复用模式
+
+- 命中模式:
+- 误报特征:
+- 需关注的变体:
+
+## 关联知识
+
+- 关联 Playbook:
+- 关联 KB:
+- 关联历史 Case:
+- 关联实体:
+
+## Lessons Learned
+
+- 本案新增了什么可复用经验
+- 哪些规则、知识或流程应更新
+
+## 标签
+
+- `#case`
+- `#alert/...`
+- `#verdict/true-positive`
+- `#verdict/false-positive`
+- `#ttp/...`
--- a/obsidian-vault/05_Templates/playbook-template.md
+++ b/obsidian-vault/05_Templates/playbook-template.md
@ -0,0 +1,59 @@
+# Playbook Template
+
+## 基本信息
+
+- 名称:
+- 适用告警类型:
+- 场景:
+- 最近更新时间:
+- 负责人:
+
+## 场景描述
+
+这个 playbook 解决什么问题，适用于哪些前置条件。
+
+## 输入信号
+
+- 必要信号:
+- 可选信号:
+- 常见数据源:
+
+## 调查步骤
+
+1. 
+2. 
+3. 
+
+## 关键判断点
+
+- 什么情况下倾向真报
+- 什么情况下倾向误报
+- 哪些证据最关键
+
+## 常见误报模式
+
+- 
+- 
+
+## 常见真报模式
+
+- 
+- 
+
+## 升级 / 处置建议
+
+- 
+- 
+
+## 关联内容
+
+- 相关 Case:
+- 相关 KB:
+- 相关 IOC:
+- 相关 TTP:
+
+## 标签
+
+- `#playbook`
+- `#alert/...`
+- `#ttp/...`
--- a/obsidian-vault/05_Templates/report-summary-template.md
+++ b/obsidian-vault/05_Templates/report-summary-template.md
@ -0,0 +1,52 @@
+# Report Summary Template
+
+## 基本信息
+
+- 标题:
+- 来源:
+- 日期:
+- 作者 / 团队:
+- 类型:
+
+## 核心摘要
+
+用 3 到 5 句话总结对 SOC 研判最有帮助的内容。
+
+## 关键发现
+
+- 发现 1:
+- 发现 2:
+- 发现 3:
+
+## 关键实体
+
+- 攻击者:
+- 工具:
+- 域名 / IP:
+- Hash:
+- 邮件主题 / 发件特征:
+
+## 对 SOC 的实际价值
+
+- 对哪些告警类型有帮助
+- 对哪些 playbook 需要更新
+- 对哪些规则或研判路径有启发
+
+## 可沉淀记忆
+
+- 哪些内容适合作为 Knowledge Memory
+- 哪些内容适合作为 Case Pattern
+
+## 关联内容
+
+- 关联 KB:
+- 关联 Playbook:
+- 关联 Case:
+- 关联 TTP:
+
+## 标签
+
+- `#report`
+- `#intel`
+- `#ttp/...`
+- `#campaign/...`
--- a/obsidian-vault/README.md
+++ b/obsidian-vault/README.md
@ -0,0 +1,15 @@
+# Obsidian Vault
+
+这个目录用于保存 Obsidian Vault 的推荐骨架。
+
+原则：
+
+- 只存高价值、可人工维护的沉淀
+- 不存全量原始资料
+- 不把 ticket 原文、报告全文直接塞进 Vault
+
+建议优先建设：
+
+- `01_Knowledge/`
+- `02_Cases/`
+- `05_Templates/`