3.5 KiB
3.5 KiB
case_id, scenario, alert_type, severity, verdict, source, openviking_enriched
| case_id | scenario | alert_type | severity | verdict | source | openviking_enriched |
|---|---|---|---|---|---|---|
| CASE-2026-0001 | phishing | mail_suspicious_attachment | high | true_positive | soc-memory-poc | true |
CASE-2026-0001 Finance user received invoice-themed phishing email
基本信息
- Case ID: CASE-2026-0001
- 标题: Finance user received invoice-themed phishing email
- 告警类型: mail_suspicious_attachment
- 来源系统: SOC Memory POC Mock Dataset
- 时间范围: 待补充
- 研判人 / Agent: AI Agent Draft
- 最终结论: 真报
- 严重等级: high
告警摘要
Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.
关键实体
- 用户: alice@corp.example
- 主机: FIN-LAPTOP-12
- 邮箱: alice@corp.example
- IP: 198.51.100.20
- 域名: vendor-payments.com, vendor-payments-login.com
- 文件 Hash: sha256:phish0001
- 其他 IOC: https://vendor-payments-login.com/review, billing@vendor-payments.com
关键证据
- Sender domain was newly observed and failed DMARC.
- Attachment redirected to a fake Microsoft 365 login page.
- User clicked the link before mail quarantine completed.
研判过程摘要
- 确认告警场景与核心风险:Finance user received an invoice-themed phishing email containing a malicious HTML attachment that redirected to a credential harvesting page.
- 提取关键证据并交叉验证:Sender domain was newly observed and failed DMARC.
- 对照关联 playbook / KB 复核告警模式与处置路径。
- 基于关键证据与场景模式完成结论判定:真报。
结论依据
- 结论为真报。
- 最关键依据:Sender domain was newly observed and failed DMARC.
- 补充依据:Attachment redirected to a fake Microsoft 365 login page.
处置建议
- 隔离相同主题、发件人或 URL 的邮件样本。
- 核查用户是否点击或提交凭据,并按需执行凭据重置。
可复用模式
- 命中模式: scenario:phishing, alert_type:mail_suspicious_attachment
- 误报特征: 无
- 需关注的变体: 相关标签:phishing, email, credential-harvest, finance
关联知识
- 关联 Playbook: PB-PHISH-001
- 关联 KB: KB-PHISH-HEADER-CHECK, KB-CRED-HARVEST-PATTERNS
- 关联历史 Case: CASE-2026-0004, CASE-2026-0002
- 关联实体: alice@corp.example, FIN-LAPTOP-12
自动关联推荐
推荐历史 Case
- CASE-2026-0004 (case score=0.662) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...
- CASE-2026-0002 (case score=0.631) This directory contains a single case record detailing the investigation of a suspicious payroll notification email flagged due to a shorten...
推荐知识条目
- KB-CRED-HARVEST-PATTERNS (knowledge score=0.656) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
- PB-PHISH-001 (knowledge score=0.639) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
Lessons Learned
- 本案可沉淀为后续同类告警的快速判定参考。
- 若后续出现相同 lure、同类登录模式或相同关键证据,应优先联想本案与关联知识。
标签
- #case
- #scenario/phishing
- #alert/mail_suspicious_attachment
- #verdict/true-positive
- #phishing
- #credential-harvest
- #finance