20 lines
1.5 KiB
JSON
20 lines
1.5 KiB
JSON
{
|
|
"case_id": "CASE-2026-0002",
|
|
"title": "Payroll notification email flagged but determined benign",
|
|
"scenario": "phishing",
|
|
"alert_type": "mail_suspicious_link",
|
|
"severity": "medium",
|
|
"status": "false_positive",
|
|
"time_window": {"start": "2026-04-03T08:40:00+08:00", "end": "2026-04-03T09:20:00+08:00"},
|
|
"summary": "Payroll update email was flagged due to a shortened URL, but the destination was the approved HR vendor portal.",
|
|
"alert_source": "Secure Email Gateway",
|
|
"entities": {"users": ["bob@corp.example"], "hosts": ["HR-LAPTOP-03"], "mailboxes": ["bob@corp.example"]},
|
|
"observables": {"sender_emails": ["notify@hr-vendor.example"], "domains": ["hr-vendor.example"], "urls": ["https://bit.ly/hr-portal-example"], "ips": [], "hashes": []},
|
|
"evidence": ["Sender domain aligned with SPF and DKIM.", "Destination domain matched approved supplier inventory.", "No credential prompt anomaly observed."],
|
|
"investigation_steps": ["Expand shortened URL.", "Validate vendor domain against allowlist.", "Review prior communication pattern with HR users."],
|
|
"conclusion": {"verdict": "false_positive", "reason": "Trusted vendor communication with expected destination.", "recommended_actions": ["Tune mail rule to reduce noisy alerts for approved HR vendor."]},
|
|
"related_refs": {"playbooks": ["PB-PHISH-001"], "kb": ["KB-PHISH-HEADER-CHECK"], "cases": []},
|
|
"lessons_learned": ["Short URLs alone should not drive phishing conclusion without destination validation."],
|
|
"tags": ["phishing", "email", "false-positive", "vendor"]
|
|
}
|