update meeting

overall.md

 Updated: March 4, 2026
 
 Legend:
+
 - `[x]` Completed
 - `[~]` Partially completed / in progress
 - `[ ]` Not started
 ### 2.1 Create & Tune New Detection Rules / Use Cases
 
 - [x] Baseline rules/decoders for proposal use cases added
+  
   - Evidence:
     - `wazuh-docker/single-node/config/wazuh_cluster/local_decoder.xml`
     - `wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml`
     - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a2-fortigate-fw-rules.xml`
     - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a3-fortigate-vpn-rules.xml`
     - `wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a4-windows-ad-rules.xml`
+
 - [~] Tuning against real production traffic
+  
   - Status: simulator/UAT-oriented tuning done; production false-positive tuning remains
 
 ### 2.2 IOC Detection (DNS / Firewall / IDS-IPS)
 
 - [x] IOC enrichment/evaluation APIs implemented
+  
   - Evidence: `soc-integrator/app/main.py` (`/ioc/enrich`, `/ioc/evaluate`, `/ioc/history`)
+
 - [x] VirusTotal and AbuseIPDB integrations implemented
+  
   - Evidence: `soc-integrator/app/adapters/virustotal.py`, `soc-integrator/app/adapters/abuseipdb.py`
+
 - [x] IOC trace persistence implemented
+  
   - Evidence: `soc-integrator/app/repositories/mvp_repo.py` (`ioc_trace` methods)
+
 - [~] Scheduled IOC feed lifecycle hardening for production
+  
   - Status: core IOC workflow exists; production feed governance/SLAs still to finalize
 
 ### 2.3 VPN Authentication Success from Outside Thailand
 
 - [x] MVP VPN evaluate flow implemented
+  
   - Evidence: `soc-integrator/app/routes/mvp.py` (`/mvp/vpn/evaluate`), `soc-integrator/app/services/mvp_service.py`
+
 - [x] GeoIP enrichment capability implemented
+  
   - Evidence: `soc-integrator/app/adapters/geoip.py`, `soc-integrator/app/main.py` (`/geoip/{ip}`)
+
 - [~] Production exception list and policy hardening
+  
   - Status: policy framework exists; enterprise exception governance pending
 
 ## 3) End-to-End Workflow & Integration Deliverables (Section 4 / 4.1)
 ## 8.1) Latest Incremental Updates (March 4, 2026)
 
 - [x] Added production-profile simulator mode for proposal scripts
+  
   - Evidence:
     - `scripts/send-wazuh-proposal-required-events.sh` (`--profile=production`)
     - `scripts/send-wazuh-proposal-appendix-b-events.sh` (`--profile=production`)
+
 - [x] Expanded normalization test support in SOC Integrator
+  
   - Evidence:
     - `soc-integrator/app/main.py` (`GET /ingest/wazuh-alert/samples`)
     - `soc-integrator/app/main.py` (`POST /ingest/wazuh-alert` now includes `normalized_event`)
+
 - [x] C1 normalization aligned to production log characteristics
+  
   - Evidence:
     - `soc-integrator/app/services/mvp_service.py` (production-first C1 event typing)
+
 - [~] Production rule validation in Wazuh (`110xxx`) currently constrained by manager runtime instability during lab restarts
+  
   - Status: ingestion works; deterministic decoder/rule verification requires stable manager window.
 
 ## 9) Quick Status Summary

progress-update.md

     C3 --> G
     G --> H[Optional Incident Pipeline<br/>IRIS case + Shuffle + PagerDuty stub]
 ```
+
 - `scripts/send-wazuh-endpoint-agent-test-events.sh`
 - additional simulation scripts under `scripts/` for firewall and endpoint scenarios with continuous mode enabled
 
 
 ### 11) SOC Integrator API Inventory
 
-| Group | Method | Endpoint | Notes |
-|---|---|---|---|
-| Core | GET | `/health` | Service health and target configuration |
-| Core | POST | `/ingest/wazuh-alert` | Normalize inbound Wazuh alert payload |
-| Core | POST | `/action/create-incident` | Create PagerDuty incident |
-| Core | POST | `/action/trigger-shuffle` | Trigger Shuffle workflow execution |
-| Core | POST | `/action/create-iris-case` | Create IRIS case (legacy action endpoint) |
-| IRIS | POST | `/iris/tickets` | Create IRIS ticket/case via soc-integrator |
-| IRIS | GET | `/iris/tickets` | List/query IRIS tickets/cases |
-| IOC | POST | `/ioc/enrich` | IOC enrichment from configured intel sources |
-| IOC | POST | `/ioc/evaluate` | IOC decisioning/verdict |
-| IOC | POST | `/ioc/upload-file` | Upload file to IOC backend (VirusTotal flow) |
-| IOC | GET | `/ioc/analysis/{analysis_id}` | Retrieve IOC analysis status/result |
-| IOC | POST | `/ioc/evaluate-file` | Evaluate file indicator or uploaded sample |
-| IOC | GET | `/ioc/history` | Retrieve stored IOC trace history |
-| Shuffle | GET | `/shuffle/health` | Shuffle service reachability check |
-| Shuffle | GET | `/shuffle/auth-test` | Validate Shuffle API key access |
-| Shuffle | POST | `/shuffle/login` | Login against Shuffle API |
-| Shuffle | POST | `/shuffle/generate-apikey` | Generate Shuffle API key from credentials |
-| Shuffle | GET | `/shuffle/workflows` | List workflows |
-| Shuffle | GET | `/shuffle/workflows/{workflow_id}` | Get workflow detail |
-| Shuffle | POST | `/shuffle/workflows/{workflow_id}/execute` | Execute specific workflow |
-| Shuffle | GET | `/shuffle/apps` | List installed/available Shuffle apps |
-| Shuffle | POST | `/shuffle/proxy` | Generic proxy request to Shuffle API |
-| Wazuh | GET | `/sync/wazuh-version` | Fetch Wazuh version information |
-| Wazuh | GET | `/wazuh/auth-test` | Validate Wazuh API authentication |
-| Wazuh | GET | `/wazuh/manager-info` | Manager information |
-| Wazuh | GET | `/wazuh/agents` | List Wazuh agents |
-| Wazuh | GET | `/wazuh/alerts` | Query recent Wazuh alerts |
-| Wazuh | GET | `/wazuh/manager-logs` | Read manager logs |
-| Wazuh | POST | `/wazuh/sync-to-mvp` | Sync Wazuh alerts into MVP pipeline |
-| Wazuh | GET | `/wazuh/auto-sync/status` | Auto-sync loop status |
-| MVP | POST | `/mvp/incidents/ingest` | Ingest incident into MVP flow |
-| MVP | POST | `/mvp/ioc/evaluate` | Evaluate IOC under MVP policy |
-| MVP | POST | `/mvp/vpn/evaluate` | Evaluate VPN event under MVP policy |
-| MVP | GET | `/mvp/config/policies` | Read MVP policy configuration |
-| MVP | PUT | `/mvp/config/policies` | Update MVP policy configuration |
-| MVP | GET | `/mvp/health/dependencies` | Dependency health snapshot |
+| Group   | Method | Endpoint                                   | Notes                                        |
+| ------- | ------ | ------------------------------------------ | -------------------------------------------- |
+| Core    | GET    | `/health`                                  | Service health and target configuration      |
+| Core    | POST   | `/ingest/wazuh-alert`                      | Normalize inbound Wazuh alert payload        |
+| Core    | POST   | `/action/create-incident`                  | Create PagerDuty incident                    |
+| Core    | POST   | `/action/trigger-shuffle`                  | Trigger Shuffle workflow execution           |
+| Core    | POST   | `/action/create-iris-case`                 | Create IRIS case (legacy action endpoint)    |
+| IRIS    | POST   | `/iris/tickets`                            | Create IRIS ticket/case via soc-integrator   |
+| IRIS    | GET    | `/iris/tickets`                            | List/query IRIS tickets/cases                |
+| IOC     | POST   | `/ioc/enrich`                              | IOC enrichment from configured intel sources |
+| IOC     | POST   | `/ioc/evaluate`                            | IOC decisioning/verdict                      |
+| IOC     | POST   | `/ioc/upload-file`                         | Upload file to IOC backend (VirusTotal flow) |
+| IOC     | GET    | `/ioc/analysis/{analysis_id}`              | Retrieve IOC analysis status/result          |
+| IOC     | POST   | `/ioc/evaluate-file`                       | Evaluate file indicator or uploaded sample   |
+| IOC     | GET    | `/ioc/history`                             | Retrieve stored IOC trace history            |
+| Shuffle | GET    | `/shuffle/health`                          | Shuffle service reachability check           |
+| Shuffle | GET    | `/shuffle/auth-test`                       | Validate Shuffle API key access              |
+| Shuffle | POST   | `/shuffle/login`                           | Login against Shuffle API                    |
+| Shuffle | POST   | `/shuffle/generate-apikey`                 | Generate Shuffle API key from credentials    |
+| Shuffle | GET    | `/shuffle/workflows`                       | List workflows                               |
+| Shuffle | GET    | `/shuffle/workflows/{workflow_id}`         | Get workflow detail                          |
+| Shuffle | POST   | `/shuffle/workflows/{workflow_id}/execute` | Execute specific workflow                    |
+| Shuffle | GET    | `/shuffle/apps`                            | List installed/available Shuffle apps        |
+| Shuffle | POST   | `/shuffle/proxy`                           | Generic proxy request to Shuffle API         |
+| Wazuh   | GET    | `/sync/wazuh-version`                      | Fetch Wazuh version information              |
+| Wazuh   | GET    | `/wazuh/auth-test`                         | Validate Wazuh API authentication            |
+| Wazuh   | GET    | `/wazuh/manager-info`                      | Manager information                          |
+| Wazuh   | GET    | `/wazuh/agents`                            | List Wazuh agents                            |
+| Wazuh   | GET    | `/wazuh/alerts`                            | Query recent Wazuh alerts                    |
+| Wazuh   | GET    | `/wazuh/manager-logs`                      | Read manager logs                            |
+| Wazuh   | POST   | `/wazuh/sync-to-mvp`                       | Sync Wazuh alerts into MVP pipeline          |
+| Wazuh   | GET    | `/wazuh/auto-sync/status`                  | Auto-sync loop status                        |
+| MVP     | POST   | `/mvp/incidents/ingest`                    | Ingest incident into MVP flow                |
+| MVP     | POST   | `/mvp/ioc/evaluate`                        | Evaluate IOC under MVP policy                |
+| MVP     | POST   | `/mvp/vpn/evaluate`                        | Evaluate VPN event under MVP policy          |
+| MVP     | GET    | `/mvp/config/policies`                     | Read MVP policy configuration                |
+| MVP     | PUT    | `/mvp/config/policies`                     | Update MVP policy configuration              |
+| MVP     | GET    | `/mvp/health/dependencies`                 | Dependency health snapshot                   |
 
 Additional FastAPI-generated endpoints:
 
 
 ### Appendix C Production Data Onboarding Checklist
 
-| Source | Log Path / Channel | Must-Have Fields | Use Cases | Verification Query (Wazuh/Indexer) |
-|---|---|---|---|---|
-| VPN Gateway (FortiGate/SSL-VPN) | Syslog export from firewall/VPN device | `timestamp`, `user`, `src_ip`, `action/result`, `event_id` (if mapped), `country` (optional) | C1, C2 | `full_log:*vpn* AND full_log:*user=*` |
-| Active Directory / Windows DC | Windows Security Event Log (agent/forwarder) | `event_id`, `timestamp`, `user/account`, `src_ip` (where present), `logon_type`, `success/failure` | C1, C2, C3 | `rule.id:* AND (data.win.system.eventID:4624 OR full_log:*event_id=4624*)` |
-| Cloud IdP (Entra/Okta/Google) | API export / SIEM connector -> syslog/json | `user`, `src_ip`, `event_time`, `outcome`, `geo.country` (if available), `app/service` | C1, C2 | `full_log:*source=*idp* OR full_log:*okta* OR full_log:*entra*` |
-| Windows Endpoints/Servers | Wazuh agent + Sysmon/Security logs | `event_id`, `user`, `src_ip`, `dst_host`, `dst_port`, `process/action` | C2, C3 | `full_log:*source=windows* AND rule.id:*` |
-| Linux Servers | auth.log / secure / sudo / sshd | `timestamp`, `user`, `src_ip`, `action`, `success` | C2, C3 | `full_log:*sshd* OR full_log:*sudo*` |
-| East-West Firewall | Internal traffic logs (allow/deny/flow) | `src_ip`, `dst_ip/dst_host`, `dst_port`, `action`, `timestamp` | C3 | `full_log:*src_ip=* AND full_log:*dst_port=*` |
-| IDS/NDR | IDS alerts / network detection logs | `src_ip`, `dst_ip/dst_host`, `dst_port`, `signature/category`, `timestamp` | C3 | `full_log:*scan* OR full_log:*lateral* OR full_log:*enumeration*` |
+| Source                          | Log Path / Channel                           | Must-Have Fields                                                                                   | Use Cases  | Verification Query (Wazuh/Indexer)                                         |
+| ------------------------------- | -------------------------------------------- | -------------------------------------------------------------------------------------------------- | ---------- | -------------------------------------------------------------------------- |
+| VPN Gateway (FortiGate/SSL-VPN) | Syslog export from firewall/VPN device       | `timestamp`, `user`, `src_ip`, `action/result`, `event_id` (if mapped), `country` (optional)       | C1, C2     | `full_log:*vpn* AND full_log:*user=*`                                      |
+| Active Directory / Windows DC   | Windows Security Event Log (agent/forwarder) | `event_id`, `timestamp`, `user/account`, `src_ip` (where present), `logon_type`, `success/failure` | C1, C2, C3 | `rule.id:* AND (data.win.system.eventID:4624 OR full_log:*event_id=4624*)` |
+| Cloud IdP (Entra/Okta/Google)   | API export / SIEM connector -> syslog/json   | `user`, `src_ip`, `event_time`, `outcome`, `geo.country` (if available), `app/service`             | C1, C2     | `full_log:*source=*idp* OR full_log:*okta* OR full_log:*entra*`            |
+| Windows Endpoints/Servers       | Wazuh agent + Sysmon/Security logs           | `event_id`, `user`, `src_ip`, `dst_host`, `dst_port`, `process/action`                             | C2, C3     | `full_log:*source=windows* AND rule.id:*`                                  |
+| Linux Servers                   | auth.log / secure / sudo / sshd              | `timestamp`, `user`, `src_ip`, `action`, `success`                                                 | C2, C3     | `full_log:*sshd* OR full_log:*sudo*`                                       |
+| East-West Firewall              | Internal traffic logs (allow/deny/flow)      | `src_ip`, `dst_ip/dst_host`, `dst_port`, `action`, `timestamp`                                     | C3         | `full_log:*src_ip=* AND full_log:*dst_port=*`                              |
+| IDS/NDR                         | IDS alerts / network detection logs          | `src_ip`, `dst_ip/dst_host`, `dst_port`, `signature/category`, `timestamp`                         | C3         | `full_log:*scan* OR full_log:*lateral* OR full_log:*enumeration*`          |
 
 #### Acceptance Checklist (Per Source)
 
 ### Major Progress Areas
 
 1. SOC Integrator Expansion
-
 - Added full admin UI stack:
   - `soc-integrator/app/ui/index.html`
   - `soc-integrator/app/ui/assets/app.js`
   - `soc-integrator/app/repositories/mvp_repo.py`
 - Added GeoIP adapter integration:
   - `soc-integrator/app/adapters/geoip.py`
-
 2. Wazuh Simulation and Dashboard Delivery
-
 - Added Appendix-specific event generators:
   - `scripts/send-wazuh-proposal-appendix-b-events.sh`
   - `scripts/send-wazuh-proposal-appendix-c-events.sh`
 ### Wazuh Custom Rules Added (Current Active Set)
 
 Active custom rules are currently defined in:
+
 - `wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml`
 
 Rule groups/ranges implemented:
+
 - Base and appendix classifiers:
   - `100200`: base marker for synthetic SOC events (`soc_mvp_test=true`)
   - `100210`: Appendix A classifier
   - `C3` Lateral movement/internal recon: `100521-100524`
 
 Operational note:
-- Split rule files under `wazuh_cluster/rules/soc-*.xml` exist as staging artifacts in this workspace; active detection content is loaded from `local_rules.xml`.
 
+- Split rule files under `wazuh_cluster/rules/soc-*.xml` exist as staging artifacts in this workspace; active detection content is loaded from `local_rules.xml`.
 3. Operations and Runtime Hardening
-
 - Updated orchestration and runtime configuration:
   - `run-combined-stack.sh`
   - `compose-overrides/soc-integrator.yml`

scripts/README.md

 ```
 
 Optional flag:
+
 - `--forever` (ignore `count` and run continuously until Ctrl+C)
 
 Scenarios:
+
 - `ioc_dns`
 - `ioc_ips`
 - `vpn_outside_th`
 ```
 
 Environment overrides:
+
 - `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
 - `WAZUH_SYSLOG_PORT` (default `514`)
 - `WAZUH_TEST_SRC_IP`
 - `WAZUH_TEST_USER`
 
 Transport notes:
+
 - Uses `nc` if available.
 - Falls back to Bash UDP redirection (`/dev/udp/host/port`) when `nc` is unavailable.
 
 ```
 
 Optional flag:
+
 - `--forever` (ignore `count` and run continuously until Ctrl+C)
 
 Scenarios:
+
 - `asa_acl_deny`
 - `asa_vpn_auth_fail`
 - `ios_login_fail`
 ```
 
 Environment overrides:
+
 - `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
 - `WAZUH_SYSLOG_PORT` (default `514`)
 - `CISCO_DEVICE_HOST`
 ```
 
 Optional flag:
+
 - `--forever` (ignore `count` and run continuously until Ctrl+C)
 
 Models:
+
 - `501E`
 - `80F`
 - `60F`
 ```
 
 Environment overrides:
+
 - `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
 - `WAZUH_SYSLOG_PORT` (default `514`)
 - `FGT_SRC_IP`
 ```
 
 Profiles:
+
 - `normal` (mostly allowed traffic, occasional admin/vpn/webfilter)
 - `incident` (higher IPS/webfilter/vpn anomalies)
 - `mixed` (balanced baseline + anomalies)
 
 Models:
+
 - `501E`
 - `80F`
 - `60F`
 ```
 
 Environment overrides:
+
 - `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
 - `WAZUH_SYSLOG_PORT` (default `514`)
 - `SIM_MAX_EVENTS` (default `0`, which means run forever)
 ```
 
 Optional flag:
+
 - `--forever` (ignore `count` and run continuously until Ctrl+C)
 
 Selectors:
+
 - `all` (all Appendix A use cases)
 - `a1`, `a2`, `a3`, `a4` (by section)
 - specific use case id, e.g. `A2-01`, `A3-05`, `A4-24`
 ```
 
 Environment overrides:
+
 - `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
 - `WAZUH_SYSLOG_PORT` (default `514`)
 - `EVENT_DELAY` (default `0.05`)
 ```
 
 Optional flag:
+
 - `--forever` (ignore `count` and run continuously until Ctrl+C)
 
 Selectors:
+
 - `all` (all Appendix B use cases)
 - `b1`, `b2`, `b3` (by section)
 - specific use case id, e.g. `B1-01`, `B2-01`, `B3-06`
 ```
 
 Environment overrides:
+
 - `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
 - `WAZUH_SYSLOG_PORT` (default `514`)
 - `EVENT_DELAY` (default `0.05`)
 ```
 
 Optional flag:
+
 - `--forever` (ignore `count` and run continuously until Ctrl+C)
 
 Selectors:
+
 - `all` (all Appendix C use cases)
 - `c1`, `c2`, `c3` (by section)
 - specific use case id, e.g. `C1-01`, `C2-03`, `C3-04`
 ```
 
 Environment overrides:
+
 - `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
 - `WAZUH_SYSLOG_PORT` (default `514`)
 - `EVENT_DELAY` (default `0.05`)
 ```
 
 Optional flag:
+
 - `--forever` (ignore `count` and run continuously until Ctrl+C)
 
 Platforms:
+
 - `windows`
 - `mac`
 - `linux`
 - `all`
 
 Scenarios:
+
 - `auth`
 - `process`
 - `persistence`
 ```
 
 Environment overrides:
+
 - `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
 - `WAZUH_SYSLOG_PORT` (default `514`)
 - `DRY_RUN` (default `0`)
 ```
 
 This creates:
+
 - `MVP - IOC Enrichment and Case Routing`
 - `MVP - VPN Geo Anomaly Triage`
 
 Dashboard saved objects are stored in `scripts/events/*.ndjson`.
 
 - `scripts/events/wazuh-fortigate-sim-dashboard.ndjson`
+  
   - Title: `SOC FortiGate Simulation Overview`
   - Purpose: FortiGate simulation visibility (events over time, top devices, top event types, severity).
   - Typical data source: `scripts/send-wazuh-fortigate-test-events.sh`
 
 - `scripts/events/wazuh-client-agents-dashboard.ndjson`
+  
   - Title: `SOC Client Agent Simulation Overview`
   - Purpose: Endpoint simulation visibility for Windows/macOS/Linux agent logs.
   - Typical data source: `scripts/send-wazuh-endpoint-agent-test-events.sh`
 
 - `scripts/events/wazuh-proposal-required-dashboard.ndjson`
+  
   - Title: `SOC Proposal Required Logs Overview`
   - Purpose: Appendix A required-scope logs (A1-A4).
   - Typical data source: `scripts/send-wazuh-proposal-required-events.sh`
 
 - `scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson`
+  
   - Title: `SOC Proposal Appendix A+B Overview`
   - Purpose: Combined Appendix A and B overview, including use-case table.
   - Typical data sources:
     - `scripts/send-wazuh-proposal-appendix-b-events.sh`
 
 - `scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson`
+  
   - Title: `SOC Proposal Appendix C Overview`
   - Purpose: Appendix C MVP scope visibility (currently C1-C3 coverage).
   - Typical data source: `scripts/send-wazuh-proposal-appendix-c-events.sh`
 
 - `scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson`
+  
   - Title: `SOC Proposal Custom Rules Overview`
   - Purpose: Monitor custom proposal rules (e.g., 1003xx/1004xx families), severity, and top descriptions.
   - Typical data source: Any simulation script that triggers proposal custom rules.