16 lines
1.1 KiB
JSON
16 lines
1.1 KiB
JSON
{
|
|
"doc_id": "PB-PHISH-001",
|
|
"doc_type": "playbook",
|
|
"title": "Phishing Email Investigation Playbook",
|
|
"scenario": "phishing",
|
|
"summary": "Standard investigation steps for suspicious email, credential harvesting, and BEC-like cases.",
|
|
"applicability": ["mail_suspicious_attachment", "mail_suspicious_link", "mail_bec_impersonation"],
|
|
"key_points": ["Validate sender authentication results.", "Inspect landing URL and attachment behavior.", "Check whether the user clicked or submitted credentials."],
|
|
"investigation_guidance": ["Query email telemetry for same sender, subject, or URL.", "Review mailbox click logs and endpoint browser artifacts.", "Reset credentials if submission is suspected."],
|
|
"decision_points": ["If sender auth fails and user interaction exists, treat as likely phishing.", "If destination is allowlisted and communication pattern is expected, investigate false positive path."],
|
|
"related_entities": {"ttps": ["T1566"], "iocs": []},
|
|
"related_refs": {"kb": ["KB-PHISH-HEADER-CHECK", "KB-CRED-HARVEST-PATTERNS"], "cases": []},
|
|
"tags": ["playbook", "phishing", "email"],
|
|
"updated_at": "2026-04-10T09:00:00+08:00"
|
|
}
|