{ "id": "PB-PHISH-001", "memory_type": "knowledge", "doc_type": "playbook", "scenario": "phishing", "title": "Phishing Email Investigation Playbook", "abstract": "Standard investigation steps for suspicious email, credential harvesting, and BEC-like cases.", "key_points": [ "Validate sender authentication results.", "Inspect landing URL and attachment behavior.", "Check whether the user clicked or submitted credentials." ], "investigation_guidance": [ "Query email telemetry for the same sender, subject, or URL.", "Review mailbox click logs and endpoint browser artifacts.", "Reset credentials if credential submission is suspected." ], "decision_points": [ "If sender authentication fails and user interaction exists, treat as likely phishing.", "If the destination is allowlisted and the communication pattern is expected, investigate the false-positive path." ], "related_refs": { "kb": [ "KB-PHISH-HEADER-CHECK", "KB-CRED-HARVEST-PATTERNS" ], "cases": [] }, "source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/playbooks/PB-PHISH-001.json", "tags": [ "playbook", "phishing", "email" ] }