[{"id":"ioc-001","source":"Open-source feed (LAB)","discovered_at":"2026-05-02T07:18:00Z","confidence_score":90,"severity":"high","affected_asset":"perimeter / SOC","type":"domain","evidence":"keensafe-secure-login.com (phishing landing)","recommended_action":"Block in proxy + DNS sinkhole; alert mail gateway.","mitre_mapping":["T1566.002"],"compliance_mapping":[]},{"id":"ioc-002","source":"AbuseIPDB-like (LAB)","discovered_at":"2026-05-02T07:05:00Z","confidence_score":88,"severity":"high","affected_asset":"perimeter","type":"ipv4","evidence":"198.51.100.42 — phishing kit C2","recommended_action":"Block at edge; add to deny list.","mitre_mapping":["T1071.001"],"compliance_mapping":[]},{"id":"ioc-003","source":"VirusTotal-like (LAB)","discovered_at":"2026-04-29T22:00:00Z","confidence_score":92,"severity":"high","affected_asset":"endpoint","type":"sha256","evidence":"f1e2d3c4b5a6978899aabbccddeeff00112233445566778899aabbccddeeff00 (FAKE) — banker payload","recommended_action":"EDR detection rule; block hash.","mitre_mapping":["T1204.002"],"compliance_mapping":[]},{"id":"ioc-004","source":"MISP-like (LAB)","discovered_at":"2026-04-28T14:50:00Z","confidence_score":80,"severity":"medium","affected_asset":"perimeter","type":"domain","evidence":"keensaffeglobalbank.com","recommended_action":"DNS sinkhole.","mitre_mapping":["T1583.001"],"compliance_mapping":[]},{"id":"ioc-005","source":"Open-source feed (LAB)","discovered_at":"2026-04-25T09:14:00Z","confidence_score":70,"severity":"medium","affected_asset":"perimeter","type":"ipv4","evidence":"203.0.113.66 — scanner / brute-force source","recommended_action":"Rate-limit at edge; add to fail2ban-equivalent.","mitre_mapping":["T1110.001"],"compliance_mapping":[]}]