|
|
|
|
|
|
1
|
# Wazuh Rule Match Summary — SOC Proposal Appendices A / B / C
|
1
|
# Wazuh Rule Match Summary — SOC Proposal Appendices A / B / C
|
|
2
|
|
2
|
|
|
3
|
**Query window:** 2026-03-17 (today only)
|
3
|
**Query window:** 2026-03-17 (today only)
|
|
4
|
-**Total events matched across all SOC custom rules:** 286,931
|
|
|
|
|
|
4
|
+**Total meaningful events (post rule-fix):** 199
|
|
5
|
**Data source:** OpenSearch index `wazuh-alerts-*` (filter: `rule.groups: soc_prod*`)
|
5
|
**Data source:** OpenSearch index `wazuh-alerts-*` (filter: `rule.groups: soc_prod*`)
|
|
6
|
|
6
|
|
|
|
|
7
|
+> **Note — Rule 110354 fix:** Rule 110354 (A4-13 DSRM) was found to be misconfigured — parent SID 60103
|
|
|
|
8
|
+> is "Windows audit success event" (matches ALL `AUDIT_SUCCESS` events), and the rule had no `eventID`
|
|
|
|
9
|
+> constraint. This caused ~313,000 false-positive fires today on events like 4624, 4634, 4688, 4793, etc.
|
|
|
|
10
|
+> Fix applied: added `<field name="win.system.eventID">^4794$</field>`. Rule is now silent (0 events post-fix,
|
|
|
|
11
|
+> confirmed correct). Pre-fix event count is excluded from the summary totals below.
|
|
|
|
12
|
+
|
|
7
|
---
|
13
|
---
|
|
8
|
|
14
|
|
|
9
|
## Appendix A — Threat Detection (FortiGate + Windows/AD)
|
15
|
## Appendix A — Threat Detection (FortiGate + Windows/AD)
|
|
|
|
|
|
|
32
|
| 110319 | A2-09 | FortiGate: internal port scan from private source IP | T1046 | 0 |
|
38
|
| 110319 | A2-09 | FortiGate: internal port scan from private source IP | T1046 | 0 |
|
|
33
|
| 110320 | A2-10 | FortiGate: traffic to known C2/malicious IP allowed | T1071.001 | 0 |
|
39
|
| 110320 | A2-10 | FortiGate: traffic to known C2/malicious IP allowed | T1071.001 | 0 |
|
|
34
|
|
40
|
|
|
|
|
41
|
+> No FortiGate syslog events received today.
|
|
|
|
42
|
+
|
|
35
|
---
|
43
|
---
|
|
36
|
|
44
|
|
|
37
|
### A3 — FortiGate VPN *(file: soc-a3-fortigate-vpn-rules.xml)*
|
45
|
### A3 — FortiGate VPN *(file: soc-a3-fortigate-vpn-rules.xml)*
|
|
|
|
|
|
|
44
|
| 110334 | A3-04 | VPN multiple account failures from single source IP | T1110.003 | 0 |
|
52
|
| 110334 | A3-04 | VPN multiple account failures from single source IP | T1110.003 | 0 |
|
|
45
|
| 110335 | A3-05 | VPN authentication success from outside Thailand | T1078 | 0 |
|
53
|
| 110335 | A3-05 | VPN authentication success from outside Thailand | T1078 | 0 |
|
|
46
|
|
54
|
|
|
47
|
-> **Note:** A3 rules require FortiGate VPN syslogs (`if_group=fortigate`) with `action=ssl-login-*` events. No matching events today — VPN logs are not yet being forwarded to Wazuh.
|
|
|
|
|
|
55
|
+> VPN logs not yet forwarded to Wazuh.
|
|
48
|
|
56
|
|
|
49
|
---
|
57
|
---
|
|
50
|
|
58
|
|
|
|
|
|
|
|
53
|
| Rule ID | Use Case | Description | MITRE | Events |
|
61
|
| Rule ID | Use Case | Description | MITRE | Events |
|
|
54
|
|---------|----------|-------------|-------|--------|
|
62
|
|---------|----------|-------------|-------|--------|
|
|
55
|
| 110341 | A4-01 | Windows: privileged account name auth failure (4625) | T1110.001 | **1** |
|
63
|
| 110341 | A4-01 | Windows: privileged account name auth failure (4625) | T1110.001 | **1** |
|
|
56
|
-| 110342 | A4-02 | Windows: service account auth failure (4625) | T1110.001 | **46** |
|
|
|
|
|
|
64
|
+| 110342 | A4-02 | Windows: service account auth failure (4625) | T1110.001 | **50** |
|
|
57
|
| 110343 | A4-03 | Windows AD: adfind enumeration tool executed (4688) | T1087.002 | 0 |
|
65
|
| 110343 | A4-03 | Windows AD: adfind enumeration tool executed (4688) | T1087.002 | 0 |
|
|
58
|
| 110346 | A4-06 | Windows: remote interactive auth success logon type 10 (4624) | T1021.001, T1078 | 0 |
|
66
|
| 110346 | A4-06 | Windows: remote interactive auth success logon type 10 (4624) | T1021.001, T1078 | 0 |
|
|
59
|
-| 110348 | A4-08 | Windows: NTLM network logon type 3 — pass-the-hash indicator (4624) | T1550.002 | 0 |
|
|
|
|
|
|
67
|
+| 110348 | A4-08 | Windows: NTLM network logon type 3 — pass-the-hash indicator (4624) | T1550.002 | **46** |
|
|
60
|
| 110349 | A4-09 | Windows: guest account auth success (4624) | T1078.001 | 0 |
|
68
|
| 110349 | A4-09 | Windows: guest account auth success (4624) | T1078.001 | 0 |
|
|
61
|
| 110350 | A4-10 | Windows: service account interactive logon type 2 (4624) | T1078.003 | 0 |
|
69
|
| 110350 | A4-10 | Windows: service account interactive logon type 2 (4624) | T1078.003 | 0 |
|
|
62
|
| 110352 | A4-12 | Windows: account added to privileged domain group (4728) | T1098.007 | 0 |
|
70
|
| 110352 | A4-12 | Windows: account added to privileged domain group (4728) | T1098.007 | 0 |
|
|
63
|
| 110353 | A4-11 | Windows: account added to privileged local group (4732) | T1098.007 | 0 |
|
71
|
| 110353 | A4-11 | Windows: account added to privileged local group (4732) | T1098.007 | 0 |
|
|
64
|
-| 110354 | A4-13 | Windows DC: DSRM account password set (4794) | T1098 | **285,769** ⚠️ |
|
|
|
|
65
|
-| 110359 | A4-19 | Windows: authentication failure (4625) | T1110.003 | **55** |
|
|
|
|
|
|
72
|
+| 110354 | A4-13 | Windows DC: DSRM account password set (4794) | T1098 | 0 ✅ fixed |
|
|
|
|
73
|
+| 110359 | A4-19 | Windows: authentication failure (4625) — general | T1110.003 | **71** |
|
|
66
|
| 110361 | A4-21/23 | Windows: new user account created (4720) | T1136 | 0 |
|
74
|
| 110361 | A4-21/23 | Windows: new user account created (4720) | T1136 | 0 |
|
|
67
|
| 110362 | A4-22/24 | Windows: user account re-enabled (4722) | T1078 | 0 |
|
75
|
| 110362 | A4-22/24 | Windows: user account re-enabled (4722) | T1078 | 0 |
|
|
68
|
|
76
|
|
|
69
|
-> ⚠️ **Rule 110354** (DSRM password set / event 4794) accounts for 285,769 of all events today — **99.6% of total volume**. The parent rule is `60103` which fires on Windows Event ID 4794. The extremely high count warrants investigation: confirm whether these are genuine DSRM events or if the parent SID 60103 is matching a broader event set than intended.
|
|
|
|
70
|
-
|
|
|
|
71
|
-> **Note:** A4-04, A4-05, A4-07, A4-14 through A4-18, A4-20 have no production rules implemented.
|
|
|
|
|
|
77
|
+> Rule 110354 now correctly requires `eventID=4794` and is silent (no genuine DSRM events today).
|
|
|
|
78
|
+> Rule 110348 (NTLM/pass-the-hash) was previously masked by 110354 noise — now visible with 46 events.
|
|
72
|
|
79
|
|
|
73
|
---
|
80
|
---
|
|
74
|
|
81
|
|
|
|
|
|
|
|
82
|
| 110402 | B1-02 | ESXi: SSH service enabled on host | T1021.004 | 0 |
|
89
|
| 110402 | B1-02 | ESXi: SSH service enabled on host | T1021.004 | 0 |
|
|
83
|
| 110403 | B1-03 | ESXi: SSH authentication event detected | T1021.004 | 0 |
|
90
|
| 110403 | B1-03 | ESXi: SSH authentication event detected | T1021.004 | 0 |
|
|
84
|
|
91
|
|
|
85
|
-> **Note:** B1 rules require VMware syslog (`if_group=vmware`). No matching events — VMware logs are not yet forwarded.
|
|
|
|
|
|
92
|
+> VMware logs not yet forwarded to Wazuh.
|
|
86
|
|
93
|
|
|
87
|
---
|
94
|
---
|
|
88
|
|
95
|
|
|
|
|
|
|
|
105
|
| 110425 | B3-05 | Sysmon: LSASS dump via Task Manager (event 10) | T1003.001 | 0 |
|
112
|
| 110425 | B3-05 | Sysmon: LSASS dump via Task Manager (event 10) | T1003.001 | 0 |
|
|
106
|
| 110426 | B3-06 | Sysmon: certutil.exe execution detected (event 1) | T1105 | 0 |
|
113
|
| 110426 | B3-06 | Sysmon: certutil.exe execution detected (event 1) | T1105 | 0 |
|
|
107
|
|
114
|
|
|
108
|
-> **Note:** B3 rules require Windows Sysmon agent deployed on endpoints. No matching events today.
|
|
|
|
|
|
115
|
+> Sysmon not deployed on endpoints.
|
|
109
|
|
116
|
|
|
110
|
---
|
117
|
---
|
|
111
|
|
118
|
|
|
|
|
|
|
|
136
|
| Rule ID | Use Case | Description | MITRE | Events |
|
143
|
| Rule ID | Use Case | Description | MITRE | Events |
|
|
137
|
|---------|----------|-------------|-------|--------|
|
144
|
|---------|----------|-------------|-------|--------|
|
|
138
|
| 110521 | C3-01/02 | RDP auth success logon type 10 (lateral movement indicator) | T1021.001, T1078 | 0 |
|
145
|
| 110521 | C3-01/02 | RDP auth success logon type 10 (lateral movement indicator) | T1021.001, T1078 | 0 |
|
|
139
|
-| 110522 | C3-02 | SMB network logon type 3 (lateral movement indicator) | T1021.002, T1078 | 0 |
|
|
|
|
140
|
-| 110523 | C3-03 | Admin account auth success — lateral movement candidate (4624) | T1021.001, T1078.002 | 0 |
|
|
|
|
|
|
146
|
+| 110522 | C3-02 | SMB network logon type 3 (lateral movement indicator) | T1021.002, T1078 | **8** |
|
|
|
|
147
|
+| 110523 | C3-03 | Admin account auth success — lateral movement candidate (4624) | T1021.001, T1078.002 | **23** |
|
|
|
|
148
|
+
|
|
|
|
149
|
+> C3 rules (110522, 110523) were previously masked by 110354 noise — now visible with real event data.
|
|
141
|
|
150
|
|
|
142
|
---
|
151
|
---
|
|
143
|
|
152
|
|
|
|
|
|
|
|
148
|
| A | A1 — DNS/IOC | 2 | 0 | 0 |
|
157
|
| A | A1 — DNS/IOC | 2 | 0 | 0 |
|
|
149
|
| A | A2 — FortiGate FW/IPS | 10 | 0 | 0 |
|
158
|
| A | A2 — FortiGate FW/IPS | 10 | 0 | 0 |
|
|
150
|
| A | A3 — FortiGate VPN | 5 | 0 | 0 |
|
159
|
| A | A3 — FortiGate VPN | 5 | 0 | 0 |
|
|
151
|
-| A | A4 — Windows/AD | 13 | 3 | 285,816 |
|
|
|
|
|
|
160
|
+| A | A4 — Windows/AD | 13 | 4 | 168 |
|
|
152
|
| B | B1 — VMware | 3 | 0 | 0 |
|
161
|
| B | B1 — VMware | 3 | 0 | 0 |
|
|
153
|
| B | B2 — Log Monitor | 1 | 0 | 0 |
|
162
|
| B | B2 — Log Monitor | 1 | 0 | 0 |
|
|
154
|
| B | B3 — Sysmon | 6 | 0 | 0 |
|
163
|
| B | B3 — Sysmon | 6 | 0 | 0 |
|
|
155
|
| C | C1 — Impossible Travel | 2 | 0 | 0 |
|
164
|
| C | C1 — Impossible Travel | 2 | 0 | 0 |
|
|
156
|
| C | C2 — Credential Abuse | 4 | 0 | 0 |
|
165
|
| C | C2 — Credential Abuse | 4 | 0 | 0 |
|
|
157
|
-| C | C3 — Lateral Movement | 3 | 0 | 0 |
|
|
|
|
158
|
-| **Total** | | **49** | **3** | **286,931** |
|
|
|
|
|
|
166
|
+| C | C3 — Lateral Movement | 3 | 2 | 31 |
|
|
|
|
167
|
+| **Total** | | **49** | **6** | **199** |
|
|
|
|
168
|
+
|
|
|
|
169
|
+### Active rules today (post rule-fix)
|
|
|
|
170
|
+
|
|
|
|
171
|
+| Rule | Description | Events | Note |
|
|
|
|
172
|
+|------|-------------|--------|------|
|
|
|
|
173
|
+| 110359 | A4-19 Windows auth failure (4625) general | 71 | Normal auth noise |
|
|
|
|
174
|
+| 110342 | A4-02 Service account auth failure (4625) | 50 | Service account brute-force pattern |
|
|
|
|
175
|
+| 110348 | A4-08 NTLM logon type 3 — pass-the-hash indicator | 46 | Previously masked by 110354 bug |
|
|
|
|
176
|
+| 110523 | C3-03 Admin account auth success — lateral movement candidate | 23 | Previously masked by 110354 bug |
|
|
|
|
177
|
+| 110522 | C3-02 SMB network logon type 3 | 8 | Previously masked by 110354 bug |
|
|
|
|
178
|
+| 110341 | A4-01 Privileged account auth failure | 1 | |
|
|
|
|
179
|
+| 110354 | A4-13 DSRM password set (4794) | 0 ✅ | Fixed — was false-positive firing on all AUDIT_SUCCESS |
|
|
159
|
|
180
|
|
|
160
|
### Active log sources (today)
|
181
|
### Active log sources (today)
|
|
161
|
|
182
|
|
|
162
|
| Source | Appendix | Status |
|
183
|
| Source | Appendix | Status |
|
|
163
|
|--------|----------|--------|
|
184
|
|--------|----------|--------|
|
|
164
|
-| Windows Security Event Log (via Wazuh agent) | A4 | ✅ Active — auth failures (4625) and DSRM events (4794) ingesting |
|
|
|
|
165
|
-| FortiGate firewall syslog | A2 | ❌ No events today (A1/A2 events were on earlier dates) |
|
|
|
|
|
|
185
|
+| Windows Security Event Log (via Wazuh agent) | A4, C3 | ✅ Active — auth events (4624, 4625) ingesting across multiple agents |
|
|
|
|
186
|
+| FortiGate firewall/IPS syslog | A2 | ❌ No events today |
|
|
166
|
| FortiGate VPN syslog | A3, C1 | ❌ Not forwarding |
|
187
|
| FortiGate VPN syslog | A3, C1 | ❌ Not forwarding |
|
|
167
|
| DNS / soc-mvp decoder | A1 | ❌ No events today |
|
188
|
| DNS / soc-mvp decoder | A1 | ❌ No events today |
|
|
168
|
| soc-integrator log-loss events | B2 | ❌ No events today |
|
189
|
| soc-integrator log-loss events | B2 | ❌ No events today |
|
