{
  "sample_notice": "Synthetic demo-only incident evidence package. No real incident data, IP addresses, hostnames or customer identifiers.",
  "schema_version": "certisigma.sample.incident-pack.v1",
  "id": "sample-incident-evidence-package",
  "title": "Incident evidence package sample",
  "created_at": "2026-05-20T08:50:00Z",
  "positioning": "Supports an evidential timeline only. This sample does not prove breach, exfiltration or attacker identity.",
  "timeline": [
    {
      "id": "event-log-export",
      "label": "Synthetic SIEM export manifest",
      "observed_at": "2026-05-20T06:15:00Z",
      "hash_hex": "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8",
      "evidence_level": "T1"
    },
    {
      "id": "forensic-note",
      "label": "Analyst note digest",
      "observed_at": "2026-05-20T06:45:00Z",
      "hash_hex": "a7f5f35426b927411fc9231b56382173f28ca5a6b40c6a7f2f5800fdf20a2c99",
      "evidence_level": "T0"
    },
    {
      "id": "remediation-record",
      "label": "Remediation ticket export digest",
      "observed_at": "2026-05-20T07:30:00Z",
      "hash_hex": "27ecd0a598e76f87a2f7aa847b05faaa272eaab41d9cb144594caf793a760e2f",
      "evidence_level": "T1"
    }
  ],
  "review_questions": [
    "Which evidence was collected and when?",
    "Which systems produced the source exports?",
    "Which links require analyst interpretation?"
  ],
  "explicit_limits": [
    "No proof of exfiltration.",
    "No attribution claim.",
    "No replacement for incident response procedures or chain-of-custody records."
  ]
}
