soc_mvp_test=true SOC MVP synthetic test event detected soc_mvp_test,syslog, 100200 usecase_id=A Proposal Appendix A simulation event soc_mvp_test,proposal_appendix_a, 100200 usecase_id=B Proposal Appendix B simulation event soc_mvp_test,proposal_appendix_b, 100200 usecase_id=C Proposal Appendix C simulation event soc_mvp_test,proposal_appendix_c, 100210usecase_id=A1-01A1-01 DNS Network Traffic Communicate to Malicious Domainsoc_mvp_test,appendix_a,a1,ioc, 100210usecase_id=A1-02A1-02 DNS Network Traffic Malicious Domain IOCs Detectionsoc_mvp_test,appendix_a,a1,ioc, 100210usecase_id=A2-01A2-01 Allowed RDP from Public IPssoc_mvp_test,appendix_a,a2,fortigate, 100210usecase_id=A2-02A2-02 Firewall Account Admin Password Changesoc_mvp_test,appendix_a,a2,fortigate, 100210usecase_id=A2-03A2-03 Firewall Account Create Add Admin Accountsoc_mvp_test,appendix_a,a2,fortigate, 100210usecase_id=A2-04A2-04 Firewall Configure Disabled Email Notificationsoc_mvp_test,appendix_a,a2,fortigate, 100210usecase_id=A2-05A2-05 Firewall Configure Download Configure FWsoc_mvp_test,appendix_a,a2,fortigate, 100210usecase_id=A2-06A2-06 IDS Alert Multiple Critical Highsoc_mvp_test,appendix_a,a2,fortigate, 100210usecase_id=A2-07A2-07 Network Traffic Port Scanningsoc_mvp_test,appendix_a,a2,fortigate, 100210usecase_id=A2-08A2-08 Network Traffic IOC Detectionsoc_mvp_test,appendix_a,a2,fortigate, 100210usecase_id=A2-09A2-09 Port Scanning from Private IPsoc_mvp_test,appendix_a,a2,fortigate, 100210usecase_id=A2-10A2-10 Communicate to Malicious IPsoc_mvp_test,appendix_a,a2,fortigate, 100210usecase_id=A3-01A3-01 VPN Authentication Success from Guest Accountsoc_mvp_test,appendix_a,a3,vpn, 100210usecase_id=A3-02A3-02 VPN Authentication Success from Multiple Countrysoc_mvp_test,appendix_a,a3,vpn, 100210usecase_id=A3-03A3-03 VPN Authentication Brute Force Successsoc_mvp_test,appendix_a,a3,vpn, 100210usecase_id=A3-04A3-04 VPN Authentication Multiple Fail Many Accounts from One Sourcesoc_mvp_test,appendix_a,a3,vpn, 100210usecase_id=A3-05A3-05 VPN Authentication Success from Outside Thailandsoc_mvp_test,appendix_a,a3,vpn, 100210usecase_id=A4-01A4-01 Windows Authentication Multiple Fail from Privileged Accountsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-02A4-02 Windows Authentication Multiple Fail from Service Accountsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-03A4-03 Windows AD Enumeration with Malicious Toolssoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-04A4-04 Windows Authentication Fail from Public IPssoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-05A4-05 Windows File Share Enumeration to Single Destinationsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-06A4-06 Windows Authentication Success from Public IPssoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-07A4-07 Windows Authentication Privileged Account Impersonationsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-08A4-08 Windows Authentication Successful Pass the Hash RDPsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-09A4-09 Windows Authentication Success from Guest Accountsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-10A4-10 Windows Authentication Interactive Logon Success by Service Accountsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-11A4-11 Windows Account Added to Privileged Custom Groupsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-12A4-12 Windows Account Added to Privileged Groupsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-13A4-13 Windows Domain Configure DSRM Password Resetsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-14A4-14 Windows Authentication Multiple Fail One Account from Many Sourcessoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-15A4-15 Windows Authentication Multiple Fail Many Accounts from One Sourcesoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-16A4-16 Windows Authentication Multiple Fail from Guest Accountsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-17A4-17 Windows Authentication Multiple Fail One Account from One Sourcesoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-18A4-18 Windows Authentication Multiple Interactive Logon Deniedsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-19A4-19 Windows Authentication Password Spraysoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-20A4-20 Windows Authentication Attempt from Disabled Accountsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-21A4-21 Windows Domain Account Createdsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-22A4-22 Windows Local Account Re Enabledsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-23A4-23 Windows Local Account Createdsoc_mvp_test,appendix_a,a4,windows, 100210usecase_id=A4-24A4-24 Windows Domain Account Re Enabledsoc_mvp_test,appendix_a,a4,windows, 100220usecase_id=B1-01B1-01 vCenter GUI Login Failed 5 Times and Success 1 Timesoc_mvp_test,appendix_b,b1,vmware, 100220usecase_id=B1-02B1-02 ESXi Enable SSH on Hostssoc_mvp_test,appendix_b,b1,vmware, 100220usecase_id=B1-03B1-03 ESXi SSH Failed 5 Times and Success 1 Timesoc_mvp_test,appendix_b,b1,vmware, 100220usecase_id=B2-01B2-01 Log Monitor Logs Loss Detectionsoc_mvp_test,appendix_b,b2,logmonitor, 100220usecase_id=B3-01B3-01 Sysmon LSASS Dumpingsoc_mvp_test,appendix_b,b3,sysmon, 100220usecase_id=B3-02B3-02 Sysmon SQL Injectionsoc_mvp_test,appendix_b,b3,sysmon, 100220usecase_id=B3-03B3-03 Sysmon Webshellsoc_mvp_test,appendix_b,b3,sysmon, 100220usecase_id=B3-04B3-04 Sysmon Uninstallsoc_mvp_test,appendix_b,b3,sysmon, 100220usecase_id=B3-05B3-05 Sysmon LSASS Dumping by Task Managersoc_mvp_test,appendix_b,b3,sysmon, 100220usecase_id=B3-06B3-06 Sysmon CertUtil Downloadsoc_mvp_test,appendix_b,b3,sysmon, 100230usecase_id=C1-01C1-01 Impossible Travel Detectionsoc_mvp_test,appendix_c,c1,identity, 100230usecase_id=C2-01C2-01 Privileged Account Usage Outside Business Hourssoc_mvp_test,appendix_c,c2,identity, 100230usecase_id=C2-02C2-02 Dormant Account Activationsoc_mvp_test,appendix_c,c2,identity, 100230usecase_id=C2-03C2-03 Service Account Interactive Logonsoc_mvp_test,appendix_c,c2,identity, 100230usecase_id=C2-04C2-04 Rapid Privilege Escalation Followed by Sensitive Accesssoc_mvp_test,appendix_c,c2,identity, 100230usecase_id=C3-01C3-01 Multiple Authentication Success Across Hostssoc_mvp_test,appendix_c,c3,lateral_movement, 100230usecase_id=C3-02C3-02 SMB/RDP Lateral Burst Patternsoc_mvp_test,appendix_c,c3,lateral_movement, 100230usecase_id=C3-03C3-03 Admin Account Accessing Many Servers Rapidlysoc_mvp_test,appendix_c,c3,lateral_movement, 100230usecase_id=C3-04C3-04 Internal Scanning / Enumeration Behaviorsoc_mvp_test,appendix_c,c3,recon, SOC MVP production profile enabled soc_mvp_prod,baseline, soc-dns-ioc event_type=ioc_dns_traffic malicious.example A1 production: DNS query to malicious domain indicator soc_mvp_prod,appendix_a,a1,ioc,dns, soc-dns-ioc event_type=ioc_domain_match A1 production: DNS IOC domain match event soc_mvp_prod,appendix_a,a1,ioc,dns, vendor=fortinet dstport=3389 action="accept" A2 production: FortiGate allowed RDP traffic detected soc_mvp_prod,appendix_a,a2,fortigate, vendor=fortinet action="password-change" A2 production: FortiGate admin password change soc_mvp_prod,appendix_a,a2,fortigate, vendor=fortinet action="create-admin" A2 production: FortiGate admin account creation soc_mvp_prod,appendix_a,a2,fortigate, vendor=fortinet action="disable-email-notification" A2 production: FortiGate email notification disabled soc_mvp_prod,appendix_a,a2,fortigate, vendor=fortinet action="download-config" A2 production: FortiGate configuration download soc_mvp_prod,appendix_a,a2,fortigate, vendor=fortinet subtype="ips" severity="critical" A2 production: FortiGate critical IPS alert soc_mvp_prod,appendix_a,a2,fortigate,ips, vendor=fortinet event_type=port_scan A2 production: FortiGate port scanning indicator soc_mvp_prod,appendix_a,a2,fortigate,recon, vendor=fortinet event_type=ioc_detection A2 production: FortiGate IOC detection event soc_mvp_prod,appendix_a,a2,fortigate,ioc, vendor=fortinet event_type=malicious_ip_communication A2 production: Communication to malicious IP detected soc_mvp_prod,appendix_a,a2,fortigate,ioc, subtype="vpn" success=true guest A3 production: VPN success by guest account soc_mvp_prod,appendix_a,a3,vpn, subtype="vpn" event_type=vpn_bruteforce_success A3 production: VPN brute-force success indicator soc_mvp_prod,appendix_a,a3,vpn, subtype="vpn" success=true country= A3 production: VPN success with country context (geo-anomaly candidate) soc_mvp_prod,appendix_a,a3,vpn,geo, source=windows event_id=4625 is_admin=true A4 production: Privileged account authentication failures soc_mvp_prod,appendix_a,a4,windows,auth_fail, source=windows event_id=4625 is_service=true A4 production: Service account authentication failures soc_mvp_prod,appendix_a,a4,windows,auth_fail, source=windows event_id=4624 src_ip= A4 production: Windows successful authentication with source IP context soc_mvp_prod,appendix_a,a4,windows,auth_success, source=windows event_id=4728 target_group= A4 production: Account added to privileged group (domain scope) soc_mvp_prod,appendix_a,a4,windows,privilege, source=windows event_id=4732 target_group= A4 production: Account added to privileged group (local scope) soc_mvp_prod,appendix_a,a4,windows,privilege, soc-vmware-auth event_type=vmware_ _fail_success B1 production: vCenter login burst pattern soc_mvp_prod,appendix_b,b1,vmware, soc-vmware-auth event_type=vmware_esxi_enable_ssh B1 production: ESXi SSH enabled soc_mvp_prod,appendix_b,b1,vmware, soc-log-monitor event_type=log_loss_detection missing_stream= B2 production: Log loss detection signal soc_mvp_prod,appendix_b,b2,logmonitor, soc-windows-sysmon target_process=lsass.exe B3 production: LSASS dump behavior soc_mvp_prod,appendix_b,b3,sysmon,credential_access, soc-windows-sysmon process=certutil.exe B3 production: CertUtil download pattern soc_mvp_prod,appendix_b,b3,sysmon, event_type=c1_impossible_travel C1 production: Impossible travel correlated event soc_mvp_prod,appendix_c,c1,identity, event_type=c2_credential_abuse C2 production: Credential abuse correlated event soc_mvp_prod,appendix_c,c2,identity, event_type=c3_lateral_movement C3 production: Lateral movement correlated event soc_mvp_prod,appendix_c,c3,lateral_movement,