3.3 KiB
3.3 KiB
case_id, scenario, alert_type, severity, verdict, source, openviking_enriched
| case_id | scenario | alert_type | severity | verdict | source | openviking_enriched |
|---|---|---|---|---|---|---|
| CASE-2026-0002 | phishing | mail_suspicious_link | medium | false_positive | soc-memory-poc | true |
CASE-2026-0002 Payroll notification email flagged but determined benign
基本信息
- Case ID: CASE-2026-0002
- 标题: Payroll notification email flagged but determined benign
- 告警类型: mail_suspicious_link
- 来源系统: SOC Memory POC Mock Dataset
- 时间范围: 待补充
- 研判人 / Agent: AI Agent Draft
- 最终结论: 误报
- 严重等级: medium
告警摘要
Payroll update email was flagged due to a shortened URL, but the destination was the approved HR vendor portal.
关键实体
- 用户: bob@corp.example
- 主机: HR-LAPTOP-03
- 邮箱: bob@corp.example
- IP: 无
- 域名: hr-vendor.example
- 文件 Hash: 无
- 其他 IOC: https://bit.ly/hr-portal-example, notify@hr-vendor.example
关键证据
- Sender domain aligned with SPF and DKIM.
- Destination domain matched approved supplier inventory.
- No credential prompt anomaly observed.
研判过程摘要
- 确认告警场景与核心风险:Payroll update email was flagged due to a shortened URL, but the destination was the approved HR vendor portal.
- 提取关键证据并交叉验证:Sender domain aligned with SPF and DKIM.
- 对照关联 playbook / KB 复核告警模式与处置路径。
- 基于关键证据与场景模式完成结论判定:误报。
结论依据
- 结论为误报。
- 最关键依据:Sender domain aligned with SPF and DKIM.
- 补充依据:Destination domain matched approved supplier inventory.
处置建议
- 记录误报原因,并更新检测例外或抑制条件。
可复用模式
- 命中模式: scenario:phishing, alert_type:mail_suspicious_link
- 误报特征: 本案最终确认为误报,可用于补充抑制条件。
- 需关注的变体: 相关标签:phishing, email, false-positive, vendor
关联知识
- 关联 Playbook: PB-PHISH-001
- 关联 KB: KB-PHISH-HEADER-CHECK, KB-CRED-HARVEST-PATTERNS
- 关联历史 Case: CASE-2026-0004, CASE-2026-0001
- 关联实体: bob@corp.example, HR-LAPTOP-03
自动关联推荐
推荐历史 Case
- CASE-2026-0004 (case score=0.549) This directory contains a structured incident case report related to a phishing attack targeting a shared mailbox via a spoofed OneDrive not...
- CASE-2026-0001 (case score=0.532) This directory contains a structured case report detailing a high-severity phishing incident targeting a finance user via a malicious invoic...
推荐知识条目
- PB-PHISH-001 (knowledge score=0.514) This directory contains a phishing email investigation playbook designed to standardize incident response procedures for suspicious emails, ...
- KB-CRED-HARVEST-PATTERNS (knowledge score=0.494) This directory contains a structured knowledge base artifact focused on identifying and investigating credential harvesting campaigns, parti...
Lessons Learned
- 本案可沉淀为后续同类告警的快速判定参考。
- 若后续出现相同 lure、同类登录模式或相同关键证据,应优先联想本案与关联知识。
标签
- #case
- #scenario/phishing
- #alert/mail_suspicious_link
- #verdict/false-positive
- #phishing
- #false-positive
- #vendor