65 lines
1.5 KiB
JSON
65 lines
1.5 KiB
JSON
{
|
|
"id": "CASE-2026-0001",
|
|
"memory_type": "case",
|
|
"scenario": "phishing",
|
|
"title": "Finance user received invoice-themed phishing email",
|
|
"abstract": "Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.",
|
|
"verdict": "true_positive",
|
|
"severity": "high",
|
|
"entities": {
|
|
"users": [
|
|
"alice@corp.example"
|
|
],
|
|
"hosts": [
|
|
"FIN-LAPTOP-12"
|
|
],
|
|
"mailboxes": [
|
|
"alice@corp.example"
|
|
]
|
|
},
|
|
"observables": {
|
|
"sender_emails": [
|
|
"billing@vendor-payments.com"
|
|
],
|
|
"domains": [
|
|
"vendor-payments.com",
|
|
"vendor-payments-login.com"
|
|
],
|
|
"urls": [
|
|
"https://vendor-payments-login.com/review"
|
|
],
|
|
"ips": [
|
|
"198.51.100.20"
|
|
],
|
|
"hashes": [
|
|
"sha256:phish0001"
|
|
]
|
|
},
|
|
"evidence": [
|
|
"Sender domain was newly observed and failed DMARC.",
|
|
"Attachment redirected to a fake Microsoft 365 login page.",
|
|
"User clicked the link before mail quarantine completed."
|
|
],
|
|
"patterns": [
|
|
"verdict:true_positive",
|
|
"scenario:phishing",
|
|
"alert_type:mail_suspicious_attachment"
|
|
],
|
|
"related_refs": {
|
|
"playbooks": [
|
|
"PB-PHISH-001"
|
|
],
|
|
"kb": [
|
|
"KB-PHISH-HEADER-CHECK",
|
|
"KB-CRED-HARVEST-PATTERNS"
|
|
],
|
|
"cases": []
|
|
},
|
|
"source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_cases/phishing/CASE-2026-0001.json",
|
|
"tags": [
|
|
"phishing",
|
|
"email",
|
|
"credential-harvest",
|
|
"finance"
|
|
]
|
|
} |