Initial SOC memory POC implementation
This commit is contained in:
@ -0,0 +1,101 @@
|
||||
---
|
||||
case_id: CASE-2026-0001
|
||||
scenario: phishing
|
||||
alert_type: mail_suspicious_attachment
|
||||
severity: high
|
||||
verdict: true_positive
|
||||
source: soc-memory-poc
|
||||
openviking_enriched: true
|
||||
---
|
||||
|
||||
# CASE-2026-0001 Finance user received invoice-themed phishing email
|
||||
|
||||
## 基本信息
|
||||
|
||||
- Case ID: CASE-2026-0001
|
||||
- 标题: Finance user received invoice-themed phishing email
|
||||
- 告警类型: mail_suspicious_attachment
|
||||
- 来源系统: SOC Memory POC Mock Dataset
|
||||
- 时间范围: 待补充
|
||||
- 研判人 / Agent: AI Agent Draft
|
||||
- 最终结论: 真报
|
||||
- 严重等级: high
|
||||
|
||||
## 告警摘要
|
||||
|
||||
Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.
|
||||
|
||||
## 关键实体
|
||||
|
||||
- 用户: alice@corp.example
|
||||
- 主机: FIN-LAPTOP-12
|
||||
- 邮箱: alice@corp.example
|
||||
- IP: 198.51.100.20
|
||||
- 域名: vendor-payments.com, vendor-payments-login.com
|
||||
- 文件 Hash: sha256:phish0001
|
||||
- 其他 IOC: https://vendor-payments-login.com/review, billing@vendor-payments.com
|
||||
|
||||
## 关键证据
|
||||
|
||||
- Sender domain was newly observed and failed DMARC.
|
||||
- Attachment redirected to a fake Microsoft 365 login page.
|
||||
- User clicked the link before mail quarantine completed.
|
||||
|
||||
## 研判过程摘要
|
||||
|
||||
1. 确认告警场景与核心风险:Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.
|
||||
2. 提取关键证据并交叉验证:Sender domain was newly observed and failed DMARC.
|
||||
3. 对照关联 playbook / KB 复核告警模式与处置路径。
|
||||
4. 基于关键证据与场景模式完成结论判定:真报。
|
||||
|
||||
## 结论依据
|
||||
|
||||
- 结论为真报。
|
||||
- 最关键依据:Sender domain was newly observed and failed DMARC.
|
||||
- 补充依据:Attachment redirected to a fake Microsoft 365 login page.
|
||||
|
||||
## 处置建议
|
||||
|
||||
- 隔离相同主题、发件人或 URL 的邮件样本。
|
||||
- 核查用户是否点击或提交凭据,并按需执行凭据重置。
|
||||
|
||||
## 可复用模式
|
||||
|
||||
- 命中模式: scenario:phishing, alert_type:mail_suspicious_attachment
|
||||
- 误报特征: 无
|
||||
- 需关注的变体: 相关标签:phishing, email, credential-harvest, finance
|
||||
|
||||
## 关联知识
|
||||
|
||||
- 关联 Playbook: [[PB-PHISH-001]]
|
||||
- 关联 KB: [[KB-PHISH-HEADER-CHECK]], [[KB-CRED-HARVEST-PATTERNS]]
|
||||
- 关联历史 Case: [[CASE-2026-0004]], [[CASE-2026-0002]]
|
||||
- 关联实体: [[alice@corp.example]], [[FIN-LAPTOP-12]]
|
||||
|
||||
## 自动关联推荐
|
||||
|
||||
### 推荐历史 Case
|
||||
|
||||
- [[CASE-2026-0004]] (case score=0.662) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...
|
||||
- [[CASE-2026-0002]] (case score=0.631) This directory contains a single case record detailing the investigation of a suspicious payroll notification email flagged due to a shorten...
|
||||
|
||||
### 推荐知识条目
|
||||
|
||||
- [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.656) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
|
||||
- [[PB-PHISH-001]] (knowledge score=0.639) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
|
||||
|
||||
## Lessons Learned
|
||||
|
||||
- 本案可沉淀为后续同类告警的快速判定参考。
|
||||
- 若后续出现相同 lure、同类登录模式或相同关键证据,应优先联想本案与关联知识。
|
||||
|
||||
## 标签
|
||||
|
||||
- #case
|
||||
- #scenario/phishing
|
||||
- #alert/mail_suspicious_attachment
|
||||
- #verdict/true-positive
|
||||
- #phishing
|
||||
- #email
|
||||
- #credential-harvest
|
||||
- #finance
|
||||
@ -0,0 +1,100 @@
|
||||
---
|
||||
case_id: CASE-2026-0002
|
||||
scenario: phishing
|
||||
alert_type: mail_suspicious_link
|
||||
severity: medium
|
||||
verdict: false_positive
|
||||
source: soc-memory-poc
|
||||
openviking_enriched: true
|
||||
---
|
||||
|
||||
# CASE-2026-0002 Payroll notification email flagged but determined benign
|
||||
|
||||
## 基本信息
|
||||
|
||||
- Case ID: CASE-2026-0002
|
||||
- 标题: Payroll notification email flagged but determined benign
|
||||
- 告警类型: mail_suspicious_link
|
||||
- 来源系统: SOC Memory POC Mock Dataset
|
||||
- 时间范围: 待补充
|
||||
- 研判人 / Agent: AI Agent Draft
|
||||
- 最终结论: 误报
|
||||
- 严重等级: medium
|
||||
|
||||
## 告警摘要
|
||||
|
||||
Payroll update email was flagged due to a shortened URL, but the destination was the approved HR vendor portal.
|
||||
|
||||
## 关键实体
|
||||
|
||||
- 用户: bob@corp.example
|
||||
- 主机: HR-LAPTOP-03
|
||||
- 邮箱: bob@corp.example
|
||||
- IP: 无
|
||||
- 域名: hr-vendor.example
|
||||
- 文件 Hash: 无
|
||||
- 其他 IOC: https://bit.ly/hr-portal-example, notify@hr-vendor.example
|
||||
|
||||
## 关键证据
|
||||
|
||||
- Sender domain aligned with SPF and DKIM.
|
||||
- Destination domain matched approved supplier inventory.
|
||||
- No credential prompt anomaly observed.
|
||||
|
||||
## 研判过程摘要
|
||||
|
||||
1. 确认告警场景与核心风险:Payroll update email was flagged due to a shortened URL, but the destination was the approved HR vendor portal.
|
||||
2. 提取关键证据并交叉验证:Sender domain aligned with SPF and DKIM.
|
||||
3. 对照关联 playbook / KB 复核告警模式与处置路径。
|
||||
4. 基于关键证据与场景模式完成结论判定:误报。
|
||||
|
||||
## 结论依据
|
||||
|
||||
- 结论为误报。
|
||||
- 最关键依据:Sender domain aligned with SPF and DKIM.
|
||||
- 补充依据:Destination domain matched approved supplier inventory.
|
||||
|
||||
## 处置建议
|
||||
|
||||
- 记录误报原因,并更新检测例外或抑制条件。
|
||||
|
||||
## 可复用模式
|
||||
|
||||
- 命中模式: scenario:phishing, alert_type:mail_suspicious_link
|
||||
- 误报特征: 本案最终确认为误报,可用于补充抑制条件。
|
||||
- 需关注的变体: 相关标签:phishing, email, false-positive, vendor
|
||||
|
||||
## 关联知识
|
||||
|
||||
- 关联 Playbook: [[PB-PHISH-001]]
|
||||
- 关联 KB: [[KB-PHISH-HEADER-CHECK]], [[KB-CRED-HARVEST-PATTERNS]]
|
||||
- 关联历史 Case: [[CASE-2026-0004]], [[CASE-2026-0001]]
|
||||
- 关联实体: [[bob@corp.example]], [[HR-LAPTOP-03]]
|
||||
|
||||
## 自动关联推荐
|
||||
|
||||
### 推荐历史 Case
|
||||
|
||||
- [[CASE-2026-0004]] (case score=0.549) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...
|
||||
- [[CASE-2026-0001]] (case score=0.532) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic...
|
||||
|
||||
### 推荐知识条目
|
||||
|
||||
- [[PB-PHISH-001]] (knowledge score=0.514) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
|
||||
- [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.494) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
|
||||
|
||||
## Lessons Learned
|
||||
|
||||
- 本案可沉淀为后续同类告警的快速判定参考。
|
||||
- 若后续出现相同 lure、同类登录模式或相同关键证据,应优先联想本案与关联知识。
|
||||
|
||||
## 标签
|
||||
|
||||
- #case
|
||||
- #scenario/phishing
|
||||
- #alert/mail_suspicious_link
|
||||
- #verdict/false-positive
|
||||
- #phishing
|
||||
- #email
|
||||
- #false-positive
|
||||
- #vendor
|
||||
@ -0,0 +1,101 @@
|
||||
---
|
||||
case_id: CASE-2026-0003
|
||||
scenario: phishing
|
||||
alert_type: mail_bec_impersonation
|
||||
severity: high
|
||||
verdict: true_positive
|
||||
source: soc-memory-poc
|
||||
openviking_enriched: true
|
||||
---
|
||||
|
||||
# CASE-2026-0003 Executive impersonation email requested urgent wire transfer
|
||||
|
||||
## 基本信息
|
||||
|
||||
- Case ID: CASE-2026-0003
|
||||
- 标题: Executive impersonation email requested urgent wire transfer
|
||||
- 告警类型: mail_bec_impersonation
|
||||
- 来源系统: SOC Memory POC Mock Dataset
|
||||
- 时间范围: 待补充
|
||||
- 研判人 / Agent: AI Agent Draft
|
||||
- 最终结论: 真报
|
||||
- 严重等级: high
|
||||
|
||||
## 告警摘要
|
||||
|
||||
An executive impersonation email targeted finance staff with an urgent wire transfer request from a lookalike domain.
|
||||
|
||||
## 关键实体
|
||||
|
||||
- 用户: carol@corp.example
|
||||
- 主机: FIN-LAPTOP-08
|
||||
- 邮箱: carol@corp.example
|
||||
- IP: 203.0.113.45
|
||||
- 域名: c0rp-example.com
|
||||
- 文件 Hash: 无
|
||||
- 其他 IOC: ceo@c0rp-example.com
|
||||
|
||||
## 关键证据
|
||||
|
||||
- Lookalike domain used numeric substitution.
|
||||
- Language pressure matched prior BEC pattern.
|
||||
- No historical communication from sender domain.
|
||||
|
||||
## 研判过程摘要
|
||||
|
||||
1. 确认告警场景与核心风险:An executive impersonation email targeted finance staff with an urgent wire transfer request from a lookalike domain.
|
||||
2. 提取关键证据并交叉验证:Lookalike domain used numeric substitution.
|
||||
3. 对照关联 playbook / KB 复核告警模式与处置路径。
|
||||
4. 基于关键证据与场景模式完成结论判定:真报。
|
||||
|
||||
## 结论依据
|
||||
|
||||
- 结论为真报。
|
||||
- 最关键依据:Lookalike domain used numeric substitution.
|
||||
- 补充依据:Language pressure matched prior BEC pattern.
|
||||
|
||||
## 处置建议
|
||||
|
||||
- 隔离相同主题、发件人或 URL 的邮件样本。
|
||||
- 核查用户是否点击或提交凭据,并按需执行凭据重置。
|
||||
|
||||
## 可复用模式
|
||||
|
||||
- 命中模式: scenario:phishing, alert_type:mail_bec_impersonation
|
||||
- 误报特征: 无
|
||||
- 需关注的变体: 相关标签:phishing, bec, executive-impersonation
|
||||
|
||||
## 关联知识
|
||||
|
||||
- 关联 Playbook: [[PB-PHISH-001]]
|
||||
- 关联 KB: [[KB-CRED-HARVEST-PATTERNS]], [[KB-PHISH-HEADER-CHECK]]
|
||||
- 关联历史 Case: [[CASE-2026-0001]], [[CASE-2026-0004]]
|
||||
- 关联实体: [[carol@corp.example]], [[FIN-LAPTOP-08]]
|
||||
|
||||
## 自动关联推荐
|
||||
|
||||
### 推荐历史 Case
|
||||
|
||||
- [[CASE-2026-0001]] (case score=0.572) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic...
|
||||
- [[CASE-2026-0004]] (case score=0.566) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...
|
||||
|
||||
### 推荐知识条目
|
||||
|
||||
- [[PB-PHISH-001]] (knowledge score=0.538) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
|
||||
- [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.522) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
|
||||
- [[KB-PHISH-HEADER-CHECK]] (knowledge score=0.512) This directory contains a structured knowledge base document focused on validating phishing emails through detailed analysis of email header...
|
||||
|
||||
## Lessons Learned
|
||||
|
||||
- 本案可沉淀为后续同类告警的快速判定参考。
|
||||
- 若后续出现相同 lure、同类登录模式或相同关键证据,应优先联想本案与关联知识。
|
||||
|
||||
## 标签
|
||||
|
||||
- #case
|
||||
- #scenario/phishing
|
||||
- #alert/mail_bec_impersonation
|
||||
- #verdict/true-positive
|
||||
- #phishing
|
||||
- #bec
|
||||
- #executive-impersonation
|
||||
@ -0,0 +1,100 @@
|
||||
---
|
||||
case_id: CASE-2026-0004
|
||||
scenario: phishing
|
||||
alert_type: mail_suspicious_attachment
|
||||
severity: medium
|
||||
verdict: true_positive
|
||||
source: soc-memory-poc
|
||||
openviking_enriched: true
|
||||
---
|
||||
|
||||
# CASE-2026-0004 Shared mailbox received OneDrive lure with HTML attachment
|
||||
|
||||
## 基本信息
|
||||
|
||||
- Case ID: CASE-2026-0004
|
||||
- 标题: Shared mailbox received OneDrive lure with HTML attachment
|
||||
- 告警类型: mail_suspicious_attachment
|
||||
- 来源系统: SOC Memory POC Mock Dataset
|
||||
- 时间范围: 待补充
|
||||
- 研判人 / Agent: AI Agent Draft
|
||||
- 最终结论: 真报
|
||||
- 严重等级: medium
|
||||
|
||||
## 告警摘要
|
||||
|
||||
Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection.
|
||||
|
||||
## 关键实体
|
||||
|
||||
- 用户: shared-finance@corp.example
|
||||
- 主机: 无
|
||||
- 邮箱: shared-finance@corp.example
|
||||
- IP: 198.51.100.87
|
||||
- 域名: sharepoint-notify.com
|
||||
- 文件 Hash: sha256:phish0004
|
||||
- 其他 IOC: https://onedrive-review-login.example, noreply@sharepoint-notify.com
|
||||
|
||||
## 关键证据
|
||||
|
||||
- Attachment rendered a fake Microsoft sign-in page.
|
||||
- Landing page hosted outside Microsoft IP space.
|
||||
- Mail body reused branding from previous phishing campaign.
|
||||
|
||||
## 研判过程摘要
|
||||
|
||||
1. 确认告警场景与核心风险:Shared finance mailbox received a fake OneDrive notification with an HTML attachment that led to credential collection.
|
||||
2. 提取关键证据并交叉验证:Attachment rendered a fake Microsoft sign-in page.
|
||||
3. 对照关联 playbook / KB 复核告警模式与处置路径。
|
||||
4. 基于关键证据与场景模式完成结论判定:真报。
|
||||
|
||||
## 结论依据
|
||||
|
||||
- 结论为真报。
|
||||
- 最关键依据:Attachment rendered a fake Microsoft sign-in page.
|
||||
- 补充依据:Landing page hosted outside Microsoft IP space.
|
||||
|
||||
## 处置建议
|
||||
|
||||
- 隔离相同主题、发件人或 URL 的邮件样本。
|
||||
- 核查用户是否点击或提交凭据,并按需执行凭据重置。
|
||||
|
||||
## 可复用模式
|
||||
|
||||
- 命中模式: scenario:phishing, alert_type:mail_suspicious_attachment
|
||||
- 误报特征: 无
|
||||
- 需关注的变体: 相关标签:phishing, email, onedrive-lure
|
||||
|
||||
## 关联知识
|
||||
|
||||
- 关联 Playbook: [[PB-PHISH-001]]
|
||||
- 关联 KB: [[KB-CRED-HARVEST-PATTERNS]]
|
||||
- 关联历史 Case: [[CASE-2026-0001]], [[CASE-2026-0003]]
|
||||
- 关联实体: [[shared-finance@corp.example]]
|
||||
|
||||
## 自动关联推荐
|
||||
|
||||
### 推荐历史 Case
|
||||
|
||||
- [[CASE-2026-0001]] (case score=0.675) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic...
|
||||
- [[CASE-2026-0003]] (case score=0.606) This directory contains a structured incident report for a high-severity phishing attack involving executive impersonation, classified under...
|
||||
|
||||
### 推荐知识条目
|
||||
|
||||
- [[KB-CRED-HARVEST-PATTERNS]] (knowledge score=0.652) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
|
||||
- [[PB-PHISH-001]] (knowledge score=0.608) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
|
||||
|
||||
## Lessons Learned
|
||||
|
||||
- 本案可沉淀为后续同类告警的快速判定参考。
|
||||
- 若后续出现相同 lure、同类登录模式或相同关键证据,应优先联想本案与关联知识。
|
||||
|
||||
## 标签
|
||||
|
||||
- #case
|
||||
- #scenario/phishing
|
||||
- #alert/mail_suspicious_attachment
|
||||
- #verdict/true-positive
|
||||
- #phishing
|
||||
- #email
|
||||
- #onedrive-lure
|
||||
Reference in New Issue
Block a user