34 lines
1.1 KiB
JSON
34 lines
1.1 KiB
JSON
{
|
|
"id": "KB-PHISH-HEADER-CHECK",
|
|
"memory_type": "knowledge",
|
|
"doc_type": "kb",
|
|
"scenario": "phishing",
|
|
"title": "Phishing Header Validation Checklist",
|
|
"abstract": "Checklist for validating sender identity, domain reputation, and authentication results in suspected phishing emails.",
|
|
"key_points": [
|
|
"Review SPF, DKIM, and DMARC alignment.",
|
|
"Compare display name, envelope sender, and reply-to anomalies.",
|
|
"Check domain age and known-good communication history."
|
|
],
|
|
"investigation_guidance": [
|
|
"Use message trace and header parser.",
|
|
"Compare sender domain with vendor allowlist.",
|
|
"Escalate lookalike domains even when content appears business-relevant."
|
|
],
|
|
"decision_points": [
|
|
"Newly observed domains with failed auth are high-risk.",
|
|
"Benign vendor mail often has consistent historical sending patterns."
|
|
],
|
|
"related_refs": {
|
|
"playbooks": [
|
|
"PB-PHISH-001"
|
|
],
|
|
"cases": []
|
|
},
|
|
"source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/kb/KB-PHISH-HEADER-CHECK.json",
|
|
"tags": [
|
|
"kb",
|
|
"phishing",
|
|
"email-header"
|
|
]
|
|
} |