rule update

progress-update.md

@@ -713,20 +713,29 @@ Project: FoodProject SOC Platform (Wazuh + Shuffle + IRIS-web + SOC Integrator)
 ### 8) Rule Match Evidence (Live Data, 2026-03-14 → 2026-03-17)
 
 - Queried all SOC custom rules against OpenSearch `wazuh-alerts-*` and generated `summary_rule_match.md`
-- Total events matched today (2026-03-17): **286,931** across 49 implemented rules
+- Total meaningful events today (2026-03-17, post rule-fix): **199** across 49 implemented rules
 
-Active rules with events (2026-03-17):
+**Rule 110354 bug found and fixed:**
+- Root cause: parent SID 60103 is "Windows audit success event" — matches ALL `AUDIT_SUCCESS` events, not just 4794
+- Rule had no `eventID` constraint → was firing ~313,000 times/day on events like 4624, 4634, 4688, 4793
+- Fix: added `<field name="win.system.eventID">^4794$</field>` to rule 110354 in `soc-a4-windows-ad-rules.xml`
+- Rule is now silent (0 events post-fix); fix applied directly in running container and in source file
+
+Active rules with events today (2026-03-17, post-fix):
 
 | Rule | Description | Events |
 |------|-------------|--------|
-| 110341 | A4-01 Windows privileged account auth failure | 1 |
-| 110342 | A4-02 Windows service account auth failure | 46 |
-| 110354 | A4-13 Windows DC DSRM password set (4794) | 285,769 ⚠️ |
-| 110359 | A4-19 Windows authentication failure (4625) | 55 |
-
-- ⚠️ Rule 110354 (DSRM / event 4794 via parent 60103) accounts for 99.6% of event volume — under investigation to confirm parent SID scope
-- A1, A2, B2, C1 rules that fired on earlier dates (Mar 14–16) had 0 events today — likely simulator runs that have since stopped
-- Log sources not yet forwarding: FortiGate syslog (A1/A2), FortiGate VPN (A3), VMware (B1), Sysmon/endpoints (B3), Windows 4624 auth success (C2/C3)
+| 110359 | A4-19 Windows auth failure (4625) general | 71 |
+| 110342 | A4-02 Service account auth failure (4625) | 50 |
+| 110348 | A4-08 NTLM logon type 3 — pass-the-hash indicator | 46 |
+| 110523 | C3-03 Admin account auth success — lateral movement candidate | 23 |
+| 110522 | C3-02 SMB network logon type 3 | 8 |
+| 110341 | A4-01 Privileged account auth failure | 1 |
+| 110354 | A4-13 DSRM password set (4794) | 0 ✅ fixed |
+
+- Rules 110348, 110522, 110523 were previously masked by the 110354 false-positive flood — now visible with correct counts
+- A1, A2, B2, C1 rules had 0 events today (A1/A2/C1 events from Mar 14–16 were likely simulator runs)
+- Log sources not yet forwarding: FortiGate syslog (A1/A2), FortiGate VPN (A3), VMware (B1), Sysmon/endpoints (B3)
 
 ### 9) Tooling and Documentation Updates
 

summary_rule_match.md

@@ -1,9 +1,15 @@
 # Wazuh Rule Match Summary — SOC Proposal Appendices A / B / C
 
 **Query window:** 2026-03-17 (today only)
-**Total events matched across all SOC custom rules:** 286,931
+**Total meaningful events (post rule-fix):** 199
 **Data source:** OpenSearch index `wazuh-alerts-*` (filter: `rule.groups: soc_prod*`)
 
+> **Note — Rule 110354 fix:** Rule 110354 (A4-13 DSRM) was found to be misconfigured — parent SID 60103
+> is "Windows audit success event" (matches ALL `AUDIT_SUCCESS` events), and the rule had no `eventID`
+> constraint. This caused ~313,000 false-positive fires today on events like 4624, 4634, 4688, 4793, etc.
+> Fix applied: added `<field name="win.system.eventID">^4794$</field>`. Rule is now silent (0 events post-fix,
+> confirmed correct). Pre-fix event count is excluded from the summary totals below.
+
 ---
 
 ## Appendix A — Threat Detection (FortiGate + Windows/AD)
@@ -32,6 +38,8 @@
 | 110319 | A2-09 | FortiGate: internal port scan from private source IP | T1046 | 0 |
 | 110320 | A2-10 | FortiGate: traffic to known C2/malicious IP allowed | T1071.001 | 0 |
 
+> No FortiGate syslog events received today.
+
 ---
 
 ### A3 — FortiGate VPN  *(file: soc-a3-fortigate-vpn-rules.xml)*
@@ -44,7 +52,7 @@
 | 110334 | A3-04 | VPN multiple account failures from single source IP | T1110.003 | 0 |
 | 110335 | A3-05 | VPN authentication success from outside Thailand | T1078 | 0 |
 
-> **Note:** A3 rules require FortiGate VPN syslogs (`if_group=fortigate`) with `action=ssl-login-*` events. No matching events today — VPN logs are not yet being forwarded to Wazuh.
+> VPN logs not yet forwarded to Wazuh.
 
 ---
 
@@ -53,22 +61,21 @@
 | Rule ID | Use Case | Description | MITRE | Events |
 |---------|----------|-------------|-------|--------|
 | 110341 | A4-01 | Windows: privileged account name auth failure (4625) | T1110.001 | **1** |
-| 110342 | A4-02 | Windows: service account auth failure (4625) | T1110.001 | **46** |
+| 110342 | A4-02 | Windows: service account auth failure (4625) | T1110.001 | **50** |
 | 110343 | A4-03 | Windows AD: adfind enumeration tool executed (4688) | T1087.002 | 0 |
 | 110346 | A4-06 | Windows: remote interactive auth success logon type 10 (4624) | T1021.001, T1078 | 0 |
-| 110348 | A4-08 | Windows: NTLM network logon type 3 — pass-the-hash indicator (4624) | T1550.002 | 0 |
+| 110348 | A4-08 | Windows: NTLM network logon type 3 — pass-the-hash indicator (4624) | T1550.002 | **46** |
 | 110349 | A4-09 | Windows: guest account auth success (4624) | T1078.001 | 0 |
 | 110350 | A4-10 | Windows: service account interactive logon type 2 (4624) | T1078.003 | 0 |
 | 110352 | A4-12 | Windows: account added to privileged domain group (4728) | T1098.007 | 0 |
 | 110353 | A4-11 | Windows: account added to privileged local group (4732) | T1098.007 | 0 |
-| 110354 | A4-13 | Windows DC: DSRM account password set (4794) | T1098 | **285,769** ⚠️ |
-| 110359 | A4-19 | Windows: authentication failure (4625) | T1110.003 | **55** |
+| 110354 | A4-13 | Windows DC: DSRM account password set (4794) | T1098 | 0 ✅ fixed |
+| 110359 | A4-19 | Windows: authentication failure (4625) — general | T1110.003 | **71** |
 | 110361 | A4-21/23 | Windows: new user account created (4720) | T1136 | 0 |
 | 110362 | A4-22/24 | Windows: user account re-enabled (4722) | T1078 | 0 |
 
-> ⚠️ **Rule 110354** (DSRM password set / event 4794) accounts for 285,769 of all events today — **99.6% of total volume**. The parent rule is `60103` which fires on Windows Event ID 4794. The extremely high count warrants investigation: confirm whether these are genuine DSRM events or if the parent SID 60103 is matching a broader event set than intended.
-
-> **Note:** A4-04, A4-05, A4-07, A4-14 through A4-18, A4-20 have no production rules implemented.
+> Rule 110354 now correctly requires `eventID=4794` and is silent (no genuine DSRM events today).
+> Rule 110348 (NTLM/pass-the-hash) was previously masked by 110354 noise — now visible with 46 events.
 
 ---
 
@@ -82,7 +89,7 @@
 | 110402 | B1-02 | ESXi: SSH service enabled on host | T1021.004 | 0 |
 | 110403 | B1-03 | ESXi: SSH authentication event detected | T1021.004 | 0 |
 
-> **Note:** B1 rules require VMware syslog (`if_group=vmware`). No matching events — VMware logs are not yet forwarded.
+> VMware logs not yet forwarded to Wazuh.
 
 ---
 
@@ -105,7 +112,7 @@
 | 110425 | B3-05 | Sysmon: LSASS dump via Task Manager (event 10) | T1003.001 | 0 |
 | 110426 | B3-06 | Sysmon: certutil.exe execution detected (event 1) | T1105 | 0 |
 
-> **Note:** B3 rules require Windows Sysmon agent deployed on endpoints. No matching events today.
+> Sysmon not deployed on endpoints.
 
 ---
 
@@ -136,8 +143,10 @@
 | Rule ID | Use Case | Description | MITRE | Events |
 |---------|----------|-------------|-------|--------|
 | 110521 | C3-01/02 | RDP auth success logon type 10 (lateral movement indicator) | T1021.001, T1078 | 0 |
-| 110522 | C3-02 | SMB network logon type 3 (lateral movement indicator) | T1021.002, T1078 | 0 |
-| 110523 | C3-03 | Admin account auth success — lateral movement candidate (4624) | T1021.001, T1078.002 | 0 |
+| 110522 | C3-02 | SMB network logon type 3 (lateral movement indicator) | T1021.002, T1078 | **8** |
+| 110523 | C3-03 | Admin account auth success — lateral movement candidate (4624) | T1021.001, T1078.002 | **23** |
+
+> C3 rules (110522, 110523) were previously masked by 110354 noise — now visible with real event data.
 
 ---
 
@@ -148,21 +157,33 @@
 | A | A1 — DNS/IOC | 2 | 0 | 0 |
 | A | A2 — FortiGate FW/IPS | 10 | 0 | 0 |
 | A | A3 — FortiGate VPN | 5 | 0 | 0 |
-| A | A4 — Windows/AD | 13 | 3 | 285,816 |
+| A | A4 — Windows/AD | 13 | 4 | 168 |
 | B | B1 — VMware | 3 | 0 | 0 |
 | B | B2 — Log Monitor | 1 | 0 | 0 |
 | B | B3 — Sysmon | 6 | 0 | 0 |
 | C | C1 — Impossible Travel | 2 | 0 | 0 |
 | C | C2 — Credential Abuse | 4 | 0 | 0 |
-| C | C3 — Lateral Movement | 3 | 0 | 0 |
-| **Total** | | **49** | **3** | **286,931** |
+| C | C3 — Lateral Movement | 3 | 2 | 31 |
+| **Total** | | **49** | **6** | **199** |
+
+### Active rules today (post rule-fix)
+
+| Rule | Description | Events | Note |
+|------|-------------|--------|------|
+| 110359 | A4-19 Windows auth failure (4625) general | 71 | Normal auth noise |
+| 110342 | A4-02 Service account auth failure (4625) | 50 | Service account brute-force pattern |
+| 110348 | A4-08 NTLM logon type 3 — pass-the-hash indicator | 46 | Previously masked by 110354 bug |
+| 110523 | C3-03 Admin account auth success — lateral movement candidate | 23 | Previously masked by 110354 bug |
+| 110522 | C3-02 SMB network logon type 3 | 8 | Previously masked by 110354 bug |
+| 110341 | A4-01 Privileged account auth failure | 1 | |
+| 110354 | A4-13 DSRM password set (4794) | 0 ✅ | Fixed — was false-positive firing on all AUDIT_SUCCESS |
 
 ### Active log sources (today)
 
 | Source | Appendix | Status |
 |--------|----------|--------|
-| Windows Security Event Log (via Wazuh agent) | A4 | ✅ Active — auth failures (4625) and DSRM events (4794) ingesting |
-| FortiGate firewall syslog | A2 | ❌ No events today (A1/A2 events were on earlier dates) |
+| Windows Security Event Log (via Wazuh agent) | A4, C3 | ✅ Active — auth events (4624, 4625) ingesting across multiple agents |
+| FortiGate firewall/IPS syslog | A2 | ❌ No events today |
 | FortiGate VPN syslog | A3, C1 | ❌ Not forwarding |
 | DNS / soc-mvp decoder | A1 | ❌ No events today |
 | soc-integrator log-loss events | B2 | ❌ No events today |

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a4-windows-ad-rules.xml

@@ -136,9 +136,10 @@
   </rule>
 
   <!-- A4-13: DSRM password set (event 4794)
-       Parent: 60103 -->
+       Parent: 60103 (Windows audit success event — must constrain to eventID 4794) -->
   <rule id="110354" level="12">
     <if_sid>60103</if_sid>
+    <field name="win.system.eventID">^4794$</field>
     <description>A4-13 [PROD] Windows DC: DSRM account password set (4794)</description>
     <group>soc_prod,a4,persistence,</group>
     <mitre><id>T1098</id></mitre>