{
"id": "PB-PHISH-001",
"memory_type": "knowledge",
"doc_type": "playbook",
"scenario": "phishing",
"title": "Phishing Email Investigation Playbook",
"abstract": "Standard investigation steps for suspicious email, credential harvesting, and BEC-like cases.",
"key_points": [
"Validate sender authentication results.",
"Inspect landing URL and attachment behavior.",
"Check whether the user clicked or submitted credentials."
],
"investigation_guidance": [
"Query email telemetry for same sender, subject, or URL.",
"Review mailbox click logs and endpoint browser artifacts.",
"Reset the user's credentials if credential submission is suspected."
],
"decision_points": [
"If sender authentication fails and the user interacted with the message, treat it as likely phishing.",
"If the destination is allowlisted and the communication pattern is expected, investigate the false-positive path."
],
"related_refs": {
"kb": [
"KB-PHISH-HEADER-CHECK",
"KB-CRED-HARVEST-PATTERNS"
],
"cases": []
},
"source_path": "/home/tom/soc_memory_poc/evaluation/datasets/mock_kb/playbooks/PB-PHISH-001.json",
"tags": [
"playbook",
"phishing",
"email"
]
}