summary rule

summary_rule_match.md

@@ -0,0 +1,174 @@
+# Wazuh Rule Match Summary — SOC Proposal Appendices A / B / C
+
+**Query window:** 2026-03-14 → 2026-03-17
+**Total events matched across all SOC custom rules:** 252,262
+**Data source:** OpenSearch index `wazuh-alerts-*` (filter: `rule.groups: soc_prod*`)
+
+---
+
+## Appendix A — Threat Detection (FortiGate + Windows/AD)
+
+### A1 — DNS / Firewall IOC  *(file: soc-a1-ioc-rules.xml)*
+
+| Rule ID | Use Case | Description | MITRE | Events |
+|---------|----------|-------------|-------|--------|
+| 110301 | A1-01 | DNS query to malicious domain (IOC traffic indicator) | T1071.004 | **32** |
+| 110302 | A1-02 | DNS IOC domain match from threat intelligence feed | T1568 | **32** |
+
+---
+
+### A2 — FortiGate IPS/IDS & Firewall  *(file: soc-a2-fortigate-fw-rules.xml)*
+
+| Rule ID | Use Case | Description | MITRE | Events |
+|---------|----------|-------------|-------|--------|
+| 110311 | A2-01 | FortiGate: RDP (3389) traffic allowed | T1021.001 | 0 |
+| 110312 | A2-02 | FortiGate: admin account password changed | T1098 | **32** |
+| 110313 | A2-03 | FortiGate: new admin account created | T1136 | **32** |
+| 110314 | A2-04 | FortiGate: alerting/notification disabled via config change | T1562 | 0 |
+| 110315 | A2-05 | FortiGate: firewall configuration file downloaded | T1005 | **32** |
+| 110316 | A2-06 | FortiGate IPS: multiple critical signatures triggered | T1595 | 0 |
+| 110317 | A2-07 | FortiGate: TCP port scan from external IP | T1046 | 0 |
+| 110318 | A2-08 | FortiGate IPS: IOC-based IP indicator detected | T1071.001 | 0 |
+| 110319 | A2-09 | FortiGate: internal port scan from private source IP | T1046 | 0 |
+| 110320 | A2-10 | FortiGate: traffic to known C2/malicious IP allowed | T1071.001 | **32** |
+
+---
+
+### A3 — FortiGate VPN  *(file: soc-a3-fortigate-vpn-rules.xml)*
+
+| Rule ID | Use Case | Description | MITRE | Events |
+|---------|----------|-------------|-------|--------|
+| 110331 | A3-01 | VPN authentication success by guest account | T1078.001 | 0 |
+| 110332 | A3-02 | VPN success from different country than last login | T1078 | 0 |
+| 110333 | A3-03 | VPN success after multiple prior failures (brute-force indicator) | T1110.001 | 0 |
+| 110334 | A3-04 | VPN multiple account failures from single source IP | T1110.003 | 0 |
+| 110335 | A3-05 | VPN authentication success from outside Thailand | T1078 | 0 |
+
+> **Note:** A3 rules require FortiGate VPN syslogs (`if_group=fortigate`) with `action=ssl-login-*` events. No matching events in the query window suggests VPN logs are not yet being forwarded to Wazuh.
+
+---
+
+### A4 — Windows / Active Directory  *(file: soc-a4-windows-ad-rules.xml)*
+
+| Rule ID | Use Case | Description | MITRE | Events |
+|---------|----------|-------------|-------|--------|
+| 110341 | A4-01 | Windows: privileged account name auth failure (4625) | T1110.001 | **1** |
+| 110342 | A4-02 | Windows: service account auth failure (4625) | T1110.001 | **38** |
+| 110343 | A4-03 | Windows AD: adfind enumeration tool executed (4688) | T1087.002 | 0 |
+| 110346 | A4-06 | Windows: remote interactive auth success logon type 10 (4624) | T1021.001, T1078 | 0 |
+| 110348 | A4-08 | Windows: NTLM network logon type 3 — pass-the-hash indicator (4624) | T1550.002 | 0 |
+| 110349 | A4-09 | Windows: guest account auth success (4624) | T1078.001 | 0 |
+| 110350 | A4-10 | Windows: service account interactive logon type 2 (4624) | T1078.003 | 0 |
+| 110352 | A4-12 | Windows: account added to privileged domain group (4728) | T1098.007 | 0 |
+| 110353 | A4-11 | Windows: account added to privileged local group (4732) | T1098.007 | 0 |
+| 110354 | A4-13 | Windows DC: DSRM account password set (4794) | T1098 | **251,833** ⚠️ |
+| 110359 | A4-19 | Windows: authentication failure (4625) | T1110.003 | **54** |
+| 110361 | A4-21/23 | Windows: new user account created (4720) | T1136 | 0 |
+| 110362 | A4-22/24 | Windows: user account re-enabled (4722) | T1078 | 0 |
+
+> ⚠️ **Rule 110354** (DSRM password set / event 4794) accounts for 251,833 of all matched events — **99.8% of total volume**. The parent rule `60103` fires on Windows Event ID 4794. The extremely high count over 3 days warrants investigation: confirm whether these are genuine events or if the parent SID 60103 matches a broader event set than intended.
+
+> **Note:** A4-04, A4-05, A4-07, A4-14 through A4-18, A4-20 have no production rules implemented.
+
+---
+
+## Appendix B — Expanded Monitoring
+
+### B1 — VMware vCenter / ESXi  *(file: soc-b1-vmware-rules.xml)*
+
+| Rule ID | Use Case | Description | MITRE | Events |
+|---------|----------|-------------|-------|--------|
+| 110401 | B1-01 | vCenter: login failure detected (brute-force indicator) | T1110 | 0 |
+| 110402 | B1-02 | ESXi: SSH service enabled on host | T1021.004 | 0 |
+| 110403 | B1-03 | ESXi: SSH authentication event detected | T1021.004 | 0 |
+
+> **Note:** B1 rules require VMware syslog (`if_group=vmware`). No matching events suggests VMware logs are not yet forwarded.
+
+---
+
+### B2 — Log Monitoring  *(file: soc-b2-logmon-rules.xml)*
+
+| Rule ID | Use Case | Description | MITRE | Events |
+|---------|----------|-------------|-------|--------|
+| 110411 | B2-01 | Log Monitor: log ingestion loss detected on monitored stream | T1562.006 | **16** |
+
+---
+
+### B3 — Windows Sysmon  *(file: soc-b3-sysmon-rules.xml)*
+
+| Rule ID | Use Case | Description | MITRE | Events |
+|---------|----------|-------------|-------|--------|
+| 110421 | B3-01 | Sysmon: LSASS process access detected (event 10) | T1003.001 | 0 |
+| 110422 | B3-02 | Sysmon: SQL keyword in process command line (event 1) | T1190 | 0 |
+| 110423 | B3-03 | Sysmon: web script file created (possible webshell, event 11) | T1505.003 | 0 |
+| 110424 | B3-04 | Sysmon: msiexec uninstall detected (event 1) | T1562.001 | 0 |
+| 110425 | B3-05 | Sysmon: LSASS dump via Task Manager (event 10) | T1003.001 | 0 |
+| 110426 | B3-06 | Sysmon: certutil.exe execution detected (event 1) | T1105 | 0 |
+
+> **Note:** B3 rules require Windows Sysmon agent installed on endpoints and event forwarding via Wazuh agent. No matching events suggests Sysmon is not yet deployed.
+
+---
+
+## Appendix C — Advanced Detection (Correlation)
+
+### C1 — Impossible Travel  *(file: soc-c1-c3-rules.xml)*
+
+| Rule ID | Use Case | Description | MITRE | Events |
+|---------|----------|-------------|-------|--------|
+| 110501 | C1-01 | VPN login success with geo context — impossible travel candidate | T1078 | **97** |
+| 110502 | C1-01 | Impossible travel confirmed by soc-integrator correlation | T1078 | **31** |
+
+> Rule 110501 collects VPN login candidates; 110502 fires when soc-integrator confirms the impossible travel pattern. 31 confirmed impossible travel events were generated over the window.
+
+---
+
+### C2 — Advanced Credential Abuse & Privilege Misuse  *(file: soc-c1-c3-rules.xml)*
+
+| Rule ID | Use Case | Description | MITRE | Events |
+|---------|----------|-------------|-------|--------|
+| 110511 | C2-01 | Privileged account auth success (4624) | T1078.002 | 0 |
+| 110512 | C2-02 | Dormant/legacy account auth success (4624) | T1078 | 0 |
+| 110513 | C2-03 | Service account remote interactive logon type 10 (4624) | T1078.003 | 0 |
+| 110514 | C2-04 | Privilege escalation: group membership change (4732) | T1098.007 | 0 |
+
+---
+
+### C3 — Lateral Movement & Internal Reconnaissance  *(file: soc-c1-c3-rules.xml)*
+
+| Rule ID | Use Case | Description | MITRE | Events |
+|---------|----------|-------------|-------|--------|
+| 110521 | C3-01/02 | RDP auth success logon type 10 (lateral movement indicator) | T1021.001, T1078 | 0 |
+| 110522 | C3-02 | SMB network logon type 3 (lateral movement indicator) | T1021.002, T1078 | 0 |
+| 110523 | C3-03 | Admin account auth success — lateral movement candidate (4624) | T1021.001, T1078.002 | 0 |
+
+> **Note:** C3-04 (WFP event 5156) has no production rule implemented — skipped to avoid rule-tree explosion from a generic Windows parent.
+
+---
+
+## Summary
+
+| Appendix | Section | Rules Implemented | Rules with Events | Total Events |
+|----------|---------|:-----------------:|:-----------------:|:------------:|
+| A | A1 — DNS/IOC | 2 | 2 | 64 |
+| A | A2 — FortiGate FW/IPS | 10 | 4 | 128 |
+| A | A3 — FortiGate VPN | 5 | 0 | 0 |
+| A | A4 — Windows/AD | 13 | 4 | 251,926 |
+| B | B1 — VMware | 3 | 0 | 0 |
+| B | B2 — Log Monitor | 1 | 1 | 16 |
+| B | B3 — Sysmon | 6 | 0 | 0 |
+| C | C1 — Impossible Travel | 2 | 2 | 128 |
+| C | C2 — Credential Abuse | 4 | 0 | 0 |
+| C | C3 — Lateral Movement | 3 | 0 | 0 |
+| **Total** | | **49** | **13** | **252,262** |
+
+### Active log sources
+
+| Source | Appendix | Status |
+|--------|----------|--------|
+| DNS / soc-mvp decoder | A1 | ✅ Receiving events |
+| FortiGate firewall syslog | A2 | ✅ Receiving events |
+| FortiGate VPN syslog | A3, C1 | ⚠️ C1 active; A3 no events (VPN action types not seen) |
+| Windows Security Event Log (via Wazuh agent) | A4, C2, C3 | ✅ Partial — auth failures and DSRM events seen |
+| VMware vCenter/ESXi syslog | B1 | ❌ Not forwarding |
+| soc-integrator log-loss events | B2 | ✅ Receiving events |
+| Windows Sysmon (via Wazuh agent) | B3 | ❌ Not deployed |