progress

progress-update.md

 ### 8) Rule Match Evidence (Live Data, 2026-03-14 → 2026-03-17)
 
 - Queried all SOC custom rules against OpenSearch `wazuh-alerts-*` and generated `summary_rule_match.md`
-- Total events matched: **252,262** across 49 implemented rules
+- Total events matched today (2026-03-17): **286,931** across 49 implemented rules
 
-Active rules with events:
+Active rules with events (2026-03-17):
 
 | Rule | Description | Events |
 |------|-------------|--------|
-| 110301 | A1-01 DNS query to malicious domain | 32 |
-| 110302 | A1-02 DNS IOC domain match | 32 |
-| 110312 | A2-02 FortiGate admin password changed | 32 |
-| 110313 | A2-03 FortiGate new admin account created | 32 |
-| 110315 | A2-05 FortiGate config file downloaded | 32 |
-| 110320 | A2-10 FortiGate traffic to known C2 | 32 |
 | 110341 | A4-01 Windows privileged account auth failure | 1 |
-| 110342 | A4-02 Windows service account auth failure | 38 |
-| 110354 | A4-13 Windows DC DSRM password set (4794) | 251,833 ⚠️ |
-| 110359 | A4-19 Windows authentication failure (4625) | 54 |
-| 110411 | B2-01 Log Monitor log loss detected | 16 |
-| 110501 | C1-01 VPN login geo context candidate | 97 |
-| 110502 | C1-01 Impossible travel confirmed | 31 |
-
-- ⚠️ Rule 110354 (DSRM / event 4794 via parent 60105) accounts for 99.8% of event volume — under investigation to confirm parent SID scope
-- Log sources not yet forwarding: FortiGate VPN (A3), VMware (B1), Sysmon/endpoints (B3), Windows 4624 auth success (C2/C3)
+| 110342 | A4-02 Windows service account auth failure | 46 |
+| 110354 | A4-13 Windows DC DSRM password set (4794) | 285,769 ⚠️ |
+| 110359 | A4-19 Windows authentication failure (4625) | 55 |
+
+- ⚠️ Rule 110354 (DSRM / event 4794 via parent 60103) accounts for 99.6% of event volume — under investigation to confirm parent SID scope
+- A1, A2, B2, C1 rules that fired on earlier dates (Mar 14–16) had 0 events today — likely simulator runs that have since stopped
+- Log sources not yet forwarding: FortiGate syslog (A1/A2), FortiGate VPN (A3), VMware (B1), Sysmon/endpoints (B3), Windows 4624 auth success (C2/C3)
 
 ### 9) Tooling and Documentation Updates
 

summary_rule_match.md

 # Wazuh Rule Match Summary — SOC Proposal Appendices A / B / C
 
-**Query window:** 2026-03-14 → 2026-03-17
-**Total events matched across all SOC custom rules:** 252,262
+**Query window:** 2026-03-17 (today only)
+**Total events matched across all SOC custom rules:** 286,931
 **Data source:** OpenSearch index `wazuh-alerts-*` (filter: `rule.groups: soc_prod*`)
 
 ---
 
 | Rule ID | Use Case | Description | MITRE | Events |
 |---------|----------|-------------|-------|--------|
-| 110301 | A1-01 | DNS query to malicious domain (IOC traffic indicator) | T1071.004 | **32** |
-| 110302 | A1-02 | DNS IOC domain match from threat intelligence feed | T1568 | **32** |
+| 110301 | A1-01 | DNS query to malicious domain (IOC traffic indicator) | T1071.004 | 0 |
+| 110302 | A1-02 | DNS IOC domain match from threat intelligence feed | T1568 | 0 |
 
 ---
 
 | Rule ID | Use Case | Description | MITRE | Events |
 |---------|----------|-------------|-------|--------|
 | 110311 | A2-01 | FortiGate: RDP (3389) traffic allowed | T1021.001 | 0 |
-| 110312 | A2-02 | FortiGate: admin account password changed | T1098 | **32** |
-| 110313 | A2-03 | FortiGate: new admin account created | T1136 | **32** |
+| 110312 | A2-02 | FortiGate: admin account password changed | T1098 | 0 |
+| 110313 | A2-03 | FortiGate: new admin account created | T1136 | 0 |
 | 110314 | A2-04 | FortiGate: alerting/notification disabled via config change | T1562 | 0 |
-| 110315 | A2-05 | FortiGate: firewall configuration file downloaded | T1005 | **32** |
+| 110315 | A2-05 | FortiGate: firewall configuration file downloaded | T1005 | 0 |
 | 110316 | A2-06 | FortiGate IPS: multiple critical signatures triggered | T1595 | 0 |
 | 110317 | A2-07 | FortiGate: TCP port scan from external IP | T1046 | 0 |
 | 110318 | A2-08 | FortiGate IPS: IOC-based IP indicator detected | T1071.001 | 0 |
 | 110319 | A2-09 | FortiGate: internal port scan from private source IP | T1046 | 0 |
-| 110320 | A2-10 | FortiGate: traffic to known C2/malicious IP allowed | T1071.001 | **32** |
+| 110320 | A2-10 | FortiGate: traffic to known C2/malicious IP allowed | T1071.001 | 0 |
 
 ---
 
 | 110334 | A3-04 | VPN multiple account failures from single source IP | T1110.003 | 0 |
 | 110335 | A3-05 | VPN authentication success from outside Thailand | T1078 | 0 |
 
-> **Note:** A3 rules require FortiGate VPN syslogs (`if_group=fortigate`) with `action=ssl-login-*` events. No matching events in the query window suggests VPN logs are not yet being forwarded to Wazuh.
+> **Note:** A3 rules require FortiGate VPN syslogs (`if_group=fortigate`) with `action=ssl-login-*` events. No matching events today — VPN logs are not yet being forwarded to Wazuh.
 
 ---
 
 | Rule ID | Use Case | Description | MITRE | Events |
 |---------|----------|-------------|-------|--------|
 | 110341 | A4-01 | Windows: privileged account name auth failure (4625) | T1110.001 | **1** |
-| 110342 | A4-02 | Windows: service account auth failure (4625) | T1110.001 | **38** |
+| 110342 | A4-02 | Windows: service account auth failure (4625) | T1110.001 | **46** |
 | 110343 | A4-03 | Windows AD: adfind enumeration tool executed (4688) | T1087.002 | 0 |
 | 110346 | A4-06 | Windows: remote interactive auth success logon type 10 (4624) | T1021.001, T1078 | 0 |
 | 110348 | A4-08 | Windows: NTLM network logon type 3 — pass-the-hash indicator (4624) | T1550.002 | 0 |
 | 110350 | A4-10 | Windows: service account interactive logon type 2 (4624) | T1078.003 | 0 |
 | 110352 | A4-12 | Windows: account added to privileged domain group (4728) | T1098.007 | 0 |
 | 110353 | A4-11 | Windows: account added to privileged local group (4732) | T1098.007 | 0 |
-| 110354 | A4-13 | Windows DC: DSRM account password set (4794) | T1098 | **251,833** ⚠️ |
-| 110359 | A4-19 | Windows: authentication failure (4625) | T1110.003 | **54** |
+| 110354 | A4-13 | Windows DC: DSRM account password set (4794) | T1098 | **285,769** ⚠️ |
+| 110359 | A4-19 | Windows: authentication failure (4625) | T1110.003 | **55** |
 | 110361 | A4-21/23 | Windows: new user account created (4720) | T1136 | 0 |
 | 110362 | A4-22/24 | Windows: user account re-enabled (4722) | T1078 | 0 |
 
-> ⚠️ **Rule 110354** (DSRM password set / event 4794) accounts for 251,833 of all matched events — **99.8% of total volume**. The parent rule `60103` fires on Windows Event ID 4794. The extremely high count over 3 days warrants investigation: confirm whether these are genuine events or if the parent SID 60103 matches a broader event set than intended.
+> ⚠️ **Rule 110354** (DSRM password set / event 4794) accounts for 285,769 of all events today — **99.6% of total volume**. The parent rule is `60103` which fires on Windows Event ID 4794. The extremely high count warrants investigation: confirm whether these are genuine DSRM events or if the parent SID 60103 is matching a broader event set than intended.
 
 > **Note:** A4-04, A4-05, A4-07, A4-14 through A4-18, A4-20 have no production rules implemented.
 
 | 110402 | B1-02 | ESXi: SSH service enabled on host | T1021.004 | 0 |
 | 110403 | B1-03 | ESXi: SSH authentication event detected | T1021.004 | 0 |
 
-> **Note:** B1 rules require VMware syslog (`if_group=vmware`). No matching events suggests VMware logs are not yet forwarded.
+> **Note:** B1 rules require VMware syslog (`if_group=vmware`). No matching events — VMware logs are not yet forwarded.
 
 ---
 
 
 | Rule ID | Use Case | Description | MITRE | Events |
 |---------|----------|-------------|-------|--------|
-| 110411 | B2-01 | Log Monitor: log ingestion loss detected on monitored stream | T1562.006 | **16** |
+| 110411 | B2-01 | Log Monitor: log ingestion loss detected on monitored stream | T1562.006 | 0 |
 
 ---
 
 | 110425 | B3-05 | Sysmon: LSASS dump via Task Manager (event 10) | T1003.001 | 0 |
 | 110426 | B3-06 | Sysmon: certutil.exe execution detected (event 1) | T1105 | 0 |
 
-> **Note:** B3 rules require Windows Sysmon agent installed on endpoints and event forwarding via Wazuh agent. No matching events suggests Sysmon is not yet deployed.
+> **Note:** B3 rules require Windows Sysmon agent deployed on endpoints. No matching events today.
 
 ---
 
 
 | Rule ID | Use Case | Description | MITRE | Events |
 |---------|----------|-------------|-------|--------|
-| 110501 | C1-01 | VPN login success with geo context — impossible travel candidate | T1078 | **97** |
-| 110502 | C1-01 | Impossible travel confirmed by soc-integrator correlation | T1078 | **31** |
-
-> Rule 110501 collects VPN login candidates; 110502 fires when soc-integrator confirms the impossible travel pattern. 31 confirmed impossible travel events were generated over the window.
+| 110501 | C1-01 | VPN login success with geo context — impossible travel candidate | T1078 | 0 |
+| 110502 | C1-01 | Impossible travel confirmed by soc-integrator correlation | T1078 | 0 |
 
 ---
 
 | 110522 | C3-02 | SMB network logon type 3 (lateral movement indicator) | T1021.002, T1078 | 0 |
 | 110523 | C3-03 | Admin account auth success — lateral movement candidate (4624) | T1021.001, T1078.002 | 0 |
 
-> **Note:** C3-04 (WFP event 5156) has no production rule implemented — skipped to avoid rule-tree explosion from a generic Windows parent.
-
 ---
 
 ## Summary
 
 | Appendix | Section | Rules Implemented | Rules with Events | Total Events |
 |----------|---------|:-----------------:|:-----------------:|:------------:|
-| A | A1 — DNS/IOC | 2 | 2 | 64 |
-| A | A2 — FortiGate FW/IPS | 10 | 4 | 128 |
+| A | A1 — DNS/IOC | 2 | 0 | 0 |
+| A | A2 — FortiGate FW/IPS | 10 | 0 | 0 |
 | A | A3 — FortiGate VPN | 5 | 0 | 0 |
-| A | A4 — Windows/AD | 13 | 4 | 251,926 |
+| A | A4 — Windows/AD | 13 | 3 | 285,816 |
 | B | B1 — VMware | 3 | 0 | 0 |
-| B | B2 — Log Monitor | 1 | 1 | 16 |
+| B | B2 — Log Monitor | 1 | 0 | 0 |
 | B | B3 — Sysmon | 6 | 0 | 0 |
-| C | C1 — Impossible Travel | 2 | 2 | 128 |
+| C | C1 — Impossible Travel | 2 | 0 | 0 |
 | C | C2 — Credential Abuse | 4 | 0 | 0 |
 | C | C3 — Lateral Movement | 3 | 0 | 0 |
-| **Total** | | **49** | **13** | **252,262** |
+| **Total** | | **49** | **3** | **286,931** |
 
-### Active log sources
+### Active log sources (today)
 
 | Source | Appendix | Status |
 |--------|----------|--------|
-| DNS / soc-mvp decoder | A1 | ✅ Receiving events |
-| FortiGate firewall syslog | A2 | ✅ Receiving events |
-| FortiGate VPN syslog | A3, C1 | ⚠️ C1 active; A3 no events (VPN action types not seen) |
-| Windows Security Event Log (via Wazuh agent) | A4, C2, C3 | ✅ Partial — auth failures and DSRM events seen |
+| Windows Security Event Log (via Wazuh agent) | A4 | ✅ Active — auth failures (4625) and DSRM events (4794) ingesting |
+| FortiGate firewall syslog | A2 | ❌ No events today (A1/A2 events were on earlier dates) |
+| FortiGate VPN syslog | A3, C1 | ❌ Not forwarding |
+| DNS / soc-mvp decoder | A1 | ❌ No events today |
+| soc-integrator log-loss events | B2 | ❌ No events today |
 | VMware vCenter/ESXi syslog | B1 | ❌ Not forwarding |
-| soc-integrator log-loss events | B2 | ✅ Receiving events |
 | Windows Sysmon (via Wazuh agent) | B3 | ❌ Not deployed |