{ "id": "CASE-2026-0002", "memory_type": "case", "scenario": "phishing", "title": "Payroll notification email flagged but determined benign", "abstract": "A payroll update email was flagged because it contained a shortened URL, but the link's destination was the approved HR vendor portal.", "verdict": "false_positive", "severity": "medium", "entities": { "users": [ "bob@corp.example" ], "hosts": [ "HR-LAPTOP-03" ], "mailboxes": [ "bob@corp.example" ] }, "observables": { "sender_emails": [ "notify@hr-vendor.example" ], "domains": [ "hr-vendor.example" ], "urls": [ "https://bit.ly/hr-portal-example" ], "ips": [], "hashes": [] }, "evidence": [ "SPF and DKIM results aligned with the sender domain.", "The shortened URL's destination domain matched the approved supplier inventory.", "No anomalous credential prompt was observed." ], "patterns": [ "verdict:false_positive", "scenario:phishing", "alert_type:mail_suspicious_link" ], "related_refs": { "playbooks": [ "PB-PHISH-001" ], "kb": [ "KB-PHISH-HEADER-CHECK" ], "cases": [] }, "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_cases/phishing/CASE-2026-0002.json", "tags": [ "phishing", "email", "false-positive", "vendor" ] }