Home Esplora Aiuto
Accedi
tum
/
soc
Segui 1
Vota 0
Forka 0
Codice Problemi 0 Pull Requests 0 Commit 48 Rilasci 0 Wiki
Sfoglia il codice sorgente

project progress

Tum 1 giorno fa
parent
e5811a2fc9
commit
89670823d5
1 ha cambiato i file con 191 aggiunte e 0 eliminazioni
Visualizzazione separata Mostra Diff Stats
  1. 191 0
      docs/project-progress.md

+ 191 - 0
docs/project-progress.md
Vedi File 

@@ -0,0 +1,191 @@
1 
+# Project Progress Summary
2 
+**Reference:** Security Detection & Threat Intelligence Enhancement Proposal (Revised)
3 
+**Customer:** บริษัท ฟู้ดโปรเจ็ค (สยาม) จำกัด (FoodProject)
4 
+**Updated:** 2026-03-25
5 
+
6 
+---
7 
+
8 
+## Legend
9 
+- ✅ Complete
10 
+- 🔶 Partial / In Progress
11 
+- ❌ Not Started
12 
+
13 
+---
14 
+
15 
+## 1. Architecture & Platform
16 
+
17 
+| Component | Status | Notes |
18 
+|-----------|--------|-------|
19 
+| Detection (Wazuh) | ✅ | Deployed, 55+ rules across A1–A4, B1–B3, C1–C3 |
20 
+| Automation / SOAR (Shuffle) | ✅ | Deployed, API-integrated, workflow execution via soc-integrator |
21 
+| Case Management (IRIS) | ✅ | Deployed (replaced proposal's DFIRTrack); API key stabilized |
22 
+| Escalation stub (PagerDuty) | ✅ | Stub implemented; production PagerDuty pending |
23 
+| Orchestration layer (soc-integrator) | ✅ | FastAPI service running, all major routes implemented |
24 
+
25 
+> Note: Proposal specified DFIRTrack; implementation uses IRIS Web (dfir-iris) — equivalent functionality.
26 
+
27 
+---
28 
+
29 
+## 2. Detection Rules (Appendix A — Initial Scope)
30 
+
31 
+### A1 · DNS / Firewall IOC (2 rules)
32 
+| ID | Use Case | Status |
33 
+|----|----------|--------|
34 
+| A1-01 | DNS query to malicious domain (FortiGate DNS log) | ✅ |
35 
+| A1-02 | DNS IOC domain match from threat intelligence feed | ✅ |
36 
+
37 
+### A2 · FortiGate IPS / Firewall (10 rules)
38 
+| ID | Use Case | Status |
39 
+|----|----------|--------|
40 
+| A2-01 | RDP (3389) allowed through firewall | ✅ |
41 
+| A2-02 | Admin account password changed | ✅ |
42 
+| A2-03 | New admin account created | ✅ |
43 
+| A2-04 | Alerting / notification disabled | ✅ |
44 
+| A2-05 | Firewall config file downloaded | ✅ |
45 
+| A2-06 | Multiple critical/high IDS alerts | ✅ |
46 
+| A2-07 | Port scan from public IP | ✅ |
47 
+| A2-08 | IOC traffic match (FW netflow) | ✅ |
48 
+| A2-09 | Port scan from private IP | ✅ |
49 
+| A2-10 | Communication to malicious IP | ✅ |
50 
+
51 
+> Fix applied (2026-03): OR-trap bug in A2/A3 multi-match replaced with single `<regex>` lookaheads.
52 
+
53 
+### A3 · FortiGate VPN (5 rules)
54 
+| ID | Use Case | Status |
55 
+|----|----------|--------|
56 
+| A3-01 | VPN success from guest account | ✅ |
57 
+| A3-02 | VPN success from different country than last login | ✅ |
58 
+| A3-03 | VPN success after multiple prior failures (brute-force) | ✅ |
59 
+| A3-04 | VPN multiple auth failures (many accounts, 1 source) | ✅ |
60 
+| A3-05 | VPN tunnel connected from outside Thailand | ✅ |
61 
+
62 
+### A4 · Windows / Active Directory (16 rules)
63 
+| ID | Use Cases | Status |
64 
+|----|-----------|--------|
65 
+| A4-01–A4-19 | Privileged/service/guest account failures and successes, Pass-the-Hash, account enumeration, group membership changes, DSRM reset, password spray, interactive logon by service accounts | ✅ All 16 implemented |
66 
+
67 
+---
68 
+
69 
+## 3. Detection Rules (Appendix B — Optional Add-On)
70 
+
71 
+### B1 · VMware vCenter / ESXi (3 rules)
72 
+| ID | Use Case | Status |
73 
+|----|----------|--------|
74 
+| B1-01 | vCenter login failure (brute-force indicator) | ✅ |
75 
+| B1-02 | ESXi SSH enabled on host | ✅ |
76 
+| B1-03 | ESXi SSH authentication events | ✅ |
77 
+
78 
+### B2 · Log Monitoring (1 rule)
79 
+| ID | Use Case | Status |
80 
+|----|----------|--------|
81 
+| B2-01 | Log ingestion loss detected | ✅ |
82 
+
83 
+### B3 · Windows Sysmon (6 rules)
84 
+| ID | Use Case | Status |
85 
+|----|----------|--------|
86 
+| B3-01 | LSASS process access (event 10) | ✅ |
87 
+| B3-02 | SQL keyword in process command line | ✅ |
88 
+| B3-03 | Webshell file creation (event 11) | ✅ |
89 
+| B3-04 | msiexec uninstall | ✅ |
90 
+| B3-05 | LSASS dump via Task Manager | ✅ |
91 
+| B3-06 | CertUtil download (event 1) | ✅ |
92 
+
93 
+---
94 
+
95 
+## 4. Future Enhancements (Appendix C)
96 
+
97 
+| ID | Use Case | Status |
98 
+|----|----------|--------|
99 
+| C1-01 | Impossible Travel Detection (VPN/AD/Cloud) | ✅ Implemented in soc-integrator |
100 
+| C2-01 | Privileged account off-hours usage | ✅ |
101 
+| C2-02 | Dormant account activation | ✅ |
102 
+| C2-03 | Service account interactive logon | ✅ |
103 
+| C2-04 | Rapid privilege escalation → sensitive access | ✅ |
104 
+| C3-01 | Multi-host auth success (lateral movement) | ✅ |
105 
+| C3-02 | SMB/RDP access burst by source IP | ✅ |
106 
+| C3-04 | Internal scanning / enumeration burst | ✅ |
107 
+| C4 | Ransomware early warning indicators | ❌ Not started |
108 
+| C5 | Endpoint & server behavior anomalies | ❌ Not started |
109 
+| C6 | Cloud / SaaS security monitoring | ❌ Not started |
110 
+| C7 | SOC & operational maturity monitoring | ❌ Not started |
111 
+
112 
+---
113 
+
114 
+## 5. IOC Pipeline
115 
+
116 
+| Capability | Status | Notes |
117 
+|------------|--------|-------|
118 
+| IOC feed ingestion (VirusTotal) | ✅ | `adapters/virustotal.py` |
119 
+| IOC feed ingestion (AbuseIPDB) | ✅ | `adapters/abuseipdb.py` |
120 
+| IOC CDB list management | ✅ | Wazuh CDB lists: malicious-ip, malicious-domains, malware-hashes |
121 
+| Automated IOC list refresh | ✅ | `_ioc_refresh_loop()` in soc-integrator; `/ioc-lists/refresh` API |
122 
+| IOC match via Wazuh CDB rules | ✅ | `soc-ioc-cdb-rules.xml` (3 rules) |
123 
+| IOC enrichment API | ✅ | `/ioc/enrich`, `/ioc/evaluate`, `/ioc/history` |
124 
+| IOC file upload & batch analysis | ✅ | `/ioc/upload`, `/ioc/evaluate-file` |
125 
+| IOC trace persistence (Postgres) | ✅ | `ioc_trace` table in mvp_repo |
126 
+
127 
+---
128 
+
129 
+## 6. Integration & Workflow
130 
+
131 
+| Integration | Status | Notes |
132 
+|-------------|--------|-------|
133 
+| Wazuh → soc-integrator ingest | ✅ | `/ingest/wazuh-alert`, `/wazuh/sync-to-mvp` |
134 
+| Wazuh → IRIS alert sync (with severity filter) | ✅ | Auto-sync loop; configurable severity threshold |
135 
+| soc-integrator → IRIS case/ticket creation | ✅ | `/iris/tickets`, `/iris/cases` |
136 
+| soc-integrator → Shuffle workflow execution | ✅ | `/shuffle/workflows/{id}/execute` |
137 
+| soc-integrator → PagerDuty escalation | ✅ (stub) | `/action/create-incident`; real PD integration pending |
138 
+| GeoIP enrichment | ✅ | `adapters/geoip.py`, `/geoip/{ip}` API |
139 
+| Log loss monitoring | ✅ | `/monitor/log-loss/check`, auto-monitoring loop |
140 
+
141 
+---
142 
+
143 
+## 7. UI & Dashboards
144 
+
145 
+| Feature | Status | Notes |
146 
+|---------|--------|-------|
147 
+| IRIS KPI dashboard (alerts tab) | ✅ | `/kpi-dashboard` with pagination, sorting, filters |
148 
+| IRIS KPI dashboard (cases tab) | ✅ | Clickable rows → `/case?cid=<id>` |
149 
+| SOC Integrator web UI | ✅ | Monitoring, sim controls, GeoIP, IOC tab |
150 
+| Wazuh dashboard import automation | ✅ | `scripts/import-wazuh-dashboard.sh` |
151 
+| ICT/UTC dual clock in IRIS navbar | ✅ | `ict-clock.js` widget, shows Asia/Bangkok alongside UTC |
152 
+
153 
+---
154 
+
155 
+## 8. Operations & Reliability
156 
+
157 
+| Item | Status | Notes |
158 
+|------|--------|-------|
159 
+| Timezone (ICT/UTC+7) on all services | ✅ | Set across Wazuh, IRIS, Shuffle, soc-integrator, PagerDuty stub |
160 
+| IRIS admin API key — static (no rotation) | ✅ | `IRIS_ADM_API_KEY` set in `iris-web/.env`; documented in runbook |
161 
+| soc-integrator `.env` in sync | ✅ | `IRIS_API_KEY` matches DB value |
162 
+| Git: runtime IOC lists untracked | ✅ | Added to `.gitignore`; removed from git index |
163 
+| Ops runbook for IRIS API key | ✅ | `docs/ops-runbook-iris-api-key.md` |
164 
+| Wazuh decoder/rule documentation | ✅ | `docs/wazuh-decoders-rules.md` |
165 
+
166 
+---
167 
+
168 
+## 9. Remaining / In Progress
169 
+
170 
+| Item | Priority | Notes |
171 
+|------|----------|-------|
172 
+| Production false-positive tuning on real traffic | High | Lab tuning done; production thresholds need real log baseline |
173 
+| PagerDuty stub → production PagerDuty | High | Requires production PD account and API key |
174 
+| Exception governance for VPN geo-anomaly | Medium | Policy framework exists; enterprise allowlist not finalized |
175 
+| C4–C7 use cases | Low | Future scope; not in original contract |
176 
+| Frontend CDN dependency hardening | Low | Some IRIS UI pages still reference external CDN scripts |
177 
+
178 
+---
179 
+
180 
+## 10. Summary
181 
+
182 
+| Area | Coverage |
183 
+|------|----------|
184 
+| Appendix A (initial scope — 33 use cases) | **100%** rules implemented |
185 
+| Appendix B (optional add-on — 10 use cases) | **100%** rules implemented |
186 
+| Appendix C (future — 8 use cases shown) | **C1–C3 (8 sub-use-cases): done; C4–C7: pending** |
187 
+| Core integrations (Wazuh/IRIS/Shuffle/PD) | **Fully integrated** (PD as stub) |
188 
+| IOC pipeline | **Fully implemented** |
189 
+| Production hardening | **Pending** (tuning, governance, PD) |
190 
+
191 
+> All deliverables from the initial contract scope (Sections 3–5 and Appendix A) are implemented and testable. Appendix B optional use cases are also implemented ahead of schedule. The primary remaining work is production hardening, real-traffic tuning, and PagerDuty go-live.