{
  "case_id": "CASE-2026-0002",
  "title": "Payroll notification email flagged but determined benign",
  "scenario": "phishing",
  "alert_type": "mail_suspicious_link",
  "severity": "medium",
  "status": "false_positive",
  "time_window": {"start": "2026-04-03T08:40:00+08:00", "end": "2026-04-03T09:20:00+08:00"},
  "summary": "Payroll update email was flagged due to a shortened URL, but the destination was the approved HR vendor portal.",
  "alert_source": "Secure Email Gateway",
  "entities": {"users": ["bob@corp.example"], "hosts": ["HR-LAPTOP-03"], "mailboxes": ["bob@corp.example"]},
  "observables": {"sender_emails": ["notify@hr-vendor.example"], "domains": ["hr-vendor.example"], "urls": ["https://bit.ly/hr-portal-example"], "ips": [], "hashes": []},
  "evidence": ["Sender domain aligned with SPF and DKIM.", "Destination domain matched approved supplier inventory.", "No credential prompt anomaly observed."],
  "investigation_steps": ["Expand shortened URL.", "Validate vendor domain against allowlist.", "Review prior communication pattern with HR users."],
  "conclusion": {"verdict": "false_positive", "reason": "Trusted vendor communication with expected destination.", "recommended_actions": ["Tune mail rule to reduce noisy alerts for approved HR vendor."]},
  "related_refs": {"playbooks": ["PB-PHISH-001"], "kb": ["KB-PHISH-HEADER-CHECK"], "cases": []},
  "lessons_learned": ["Short URLs alone should not drive phishing conclusion without destination validation."],
  "tags": ["phishing", "email", "false-positive", "vendor"]
}