# Project Progress Summary

**Reference:** Security Detection & Threat Intelligence Enhancement Proposal (Revised)
**Customer:** บริษัท ฟู้ดโปรเจ็ค (สยาม) จำกัด (FoodProject)
**Updated:** 2026-03-25

---

## Legend

- ✅ Complete
- 🔶 Partial / In Progress
- ❌ Not Started

---

## 1. Architecture & Platform

| Component | Status | Notes |
|-----------|--------|-------|
| Detection (Wazuh) | ✅ | Deployed, 55+ rules across A1–A4, B1–B3, C1–C3 |
| Automation / SOAR (Shuffle) | ✅ | Deployed, API-integrated, workflow execution via soc-integrator |
| Case Management (IRIS) | ✅ | Deployed (replaced proposal's DFIRTrack); API key stabilized |
| Escalation stub (PagerDuty) | ✅ | Stub implemented; production PagerDuty pending |
| Orchestration layer (soc-integrator) | ✅ | FastAPI service running, all major routes implemented |

> Note: Proposal specified DFIRTrack; implementation uses IRIS Web (dfir-iris) — equivalent functionality.

---

## 2. Detection Rules (Appendix A — Initial Scope)

### A1 · DNS / Firewall IOC (2 rules)

| ID | Use Case | Status |
|----|----------|--------|
| A1-01 | DNS query to malicious domain (FortiGate DNS log) | ✅ |
| A1-02 | DNS IOC domain match from threat intelligence feed | ✅ |

### A2 · FortiGate IPS / Firewall (10 rules)

| ID | Use Case | Status |
|----|----------|--------|
| A2-01 | RDP (3389) allowed through firewall | ✅ |
| A2-02 | Admin account password changed | ✅ |
| A2-03 | New admin account created | ✅ |
| A2-04 | Alerting / notification disabled | ✅ |
| A2-05 | Firewall config file downloaded | ✅ |
| A2-06 | Multiple critical/high IDS alerts | ✅ |
| A2-07 | Port scan from public IP | ✅ |
| A2-08 | IOC traffic match (FW netflow) | ✅ |
| A2-09 | Port scan from private IP | ✅ |
| A2-10 | Communication to malicious IP | ✅ |

> Fix applied (2026-03): OR-trap bug in A2/A3 multi-match replaced with single `` lookaheads.

### A3 · FortiGate VPN (5 rules)

| ID | Use Case | Status |
|----|----------|--------|
| A3-01 | VPN success from guest account | ✅ |
| A3-02 | VPN success from different country than last login | ✅ |
| A3-03 | VPN success after multiple prior failures (brute-force) | ✅ |
| A3-04 | VPN multiple auth failures (many accounts, 1 source) | ✅ |
| A3-05 | VPN tunnel connected from outside Thailand | ✅ |

### A4 · Windows / Active Directory (16 rules)

| ID | Use Cases | Status |
|----|-----------|--------|
| A4-01–A4-19 | Privileged/service/guest account failures and successes, Pass-the-Hash, account enumeration, group membership changes, DSRM reset, password spray, interactive logon by service accounts | ✅ All 16 implemented |

---

## 3. Detection Rules (Appendix B — Optional Add-On)

### B1 · VMware vCenter / ESXi (3 rules)

| ID | Use Case | Status |
|----|----------|--------|
| B1-01 | vCenter login failure (brute-force indicator) | ✅ |
| B1-02 | ESXi SSH enabled on host | ✅ |
| B1-03 | ESXi SSH authentication events | ✅ |

### B2 · Log Monitoring (1 rule)

| ID | Use Case | Status |
|----|----------|--------|
| B2-01 | Log ingestion loss detected | ✅ |

### B3 · Windows Sysmon (6 rules)

| ID | Use Case | Status |
|----|----------|--------|
| B3-01 | LSASS process access (event 10) | ✅ |
| B3-02 | SQL keyword in process command line | ✅ |
| B3-03 | Webshell file creation (event 11) | ✅ |
| B3-04 | msiexec uninstall | ✅ |
| B3-05 | LSASS dump via Task Manager | ✅ |
| B3-06 | CertUtil download (event 1) | ✅ |

---

## 4. Future Enhancements (Appendix C)

| ID | Use Case | Status |
|----|----------|--------|
| C1-01 | Impossible Travel Detection (VPN/AD/Cloud) | ✅ Implemented in soc-integrator |
| C2-01 | Privileged account off-hours usage | ✅ |
| C2-02 | Dormant account activation | ✅ |
| C2-03 | Service account interactive logon | ✅ |
| C2-04 | Rapid privilege escalation → sensitive access | ✅ |
| C3-01 | Multi-host auth success (lateral movement) | ✅ |
| C3-02 | SMB/RDP access burst by source IP | ✅ |
| C3-04 | Internal scanning / enumeration burst | ✅ |
| C4 | Ransomware early warning indicators | ❌ Not started |
| C5 | Endpoint & server behavior anomalies | ❌ Not started |
| C6 | Cloud / SaaS security monitoring | ❌ Not started |
| C7 | SOC & operational maturity monitoring | ❌ Not started |

---

## 5. IOC Pipeline

| Capability | Status | Notes |
|------------|--------|-------|
| IOC feed ingestion (VirusTotal) | ✅ | `adapters/virustotal.py` |
| IOC feed ingestion (AbuseIPDB) | ✅ | `adapters/abuseipdb.py` |
| IOC CDB list management | ✅ | Wazuh CDB lists: malicious-ip, malicious-domains, malware-hashes |
| Automated IOC list refresh | ✅ | `_ioc_refresh_loop()` in soc-integrator; `/ioc-lists/refresh` API |
| IOC match via Wazuh CDB rules | ✅ | `soc-ioc-cdb-rules.xml` (3 rules) |
| IOC enrichment API | ✅ | `/ioc/enrich`, `/ioc/evaluate`, `/ioc/history` |
| IOC file upload & batch analysis | ✅ | `/ioc/upload`, `/ioc/evaluate-file` |
| IOC trace persistence (Postgres) | ✅ | `ioc_trace` table in mvp_repo |

---

## 6. Integration & Workflow

| Integration | Status | Notes |
|-------------|--------|-------|
| Wazuh → soc-integrator ingest | ✅ | `/ingest/wazuh-alert`, `/wazuh/sync-to-mvp` |
| Wazuh → IRIS alert sync (with severity filter) | ✅ | Auto-sync loop; configurable severity threshold |
| soc-integrator → IRIS case/ticket creation | ✅ | `/iris/tickets`, `/iris/cases` |
| soc-integrator → Shuffle workflow execution | ✅ | `/shuffle/workflows/{id}/execute` |
| soc-integrator → PagerDuty escalation | ✅ (stub) | `/action/create-incident`; real PD integration pending |
| GeoIP enrichment | ✅ | `adapters/geoip.py`, `/geoip/{ip}` API |
| Log loss monitoring | ✅ | `/monitor/log-loss/check`, auto-monitoring loop |

---

## 7. UI & Dashboards

| Feature | Status | Notes |
|---------|--------|-------|
| IRIS KPI dashboard (alerts tab) | ✅ | `/kpi-dashboard` with pagination, sorting, filters |
| IRIS KPI dashboard (cases tab) | ✅ | Clickable rows → `/case?cid=` |
| SOC Integrator web UI | ✅ | Monitoring, sim controls, GeoIP, IOC tab |
| Wazuh dashboard import automation | ✅ | `scripts/import-wazuh-dashboard.sh` |
| ICT/UTC dual clock in IRIS navbar | ✅ | `ict-clock.js` widget, shows Asia/Bangkok alongside UTC |

---

## 8. Operations & Reliability

| Item | Status | Notes |
|------|--------|-------|
| Timezone (ICT/UTC+7) on all services | ✅ | Set across Wazuh, IRIS, Shuffle, soc-integrator, PagerDuty stub |
| IRIS admin API key — static (no rotation) | ✅ | `IRIS_ADM_API_KEY` set in `iris-web/.env`; documented in runbook |
| soc-integrator `.env` in sync | ✅ | `IRIS_API_KEY` matches DB value |
| Git: runtime IOC lists untracked | ✅ | Added to `.gitignore`; removed from git index |
| Ops runbook for IRIS API key | ✅ | `docs/ops-runbook-iris-api-key.md` |
| Wazuh decoder/rule documentation | ✅ | `docs/wazuh-decoders-rules.md` |

---

## 9. Remaining / In Progress

| Item | Priority | Notes |
|------|----------|-------|
| Production false-positive tuning on real traffic | High | Lab tuning done; production thresholds need real log baseline |
| PagerDuty stub → production PagerDuty | High | Requires production PD account and API key |
| Exception governance for VPN geo-anomaly | Medium | Policy framework exists; enterprise allowlist not finalized |
| C4–C7 use cases | Low | Future scope; not in original contract |
| Frontend CDN dependency hardening | Low | Some IRIS UI pages still reference external CDN scripts |

---

## 10. Summary

| Area | Coverage |
|------|----------|
| Appendix A (initial scope — 33 use cases) | **100%** rules implemented |
| Appendix B (optional add-on — 10 use cases) | **100%** rules implemented |
| Appendix C (future — 8 use cases shown) | **C1–C3 (8 sub-use-cases): done; C4–C7: pending** |
| Core integrations (Wazuh/IRIS/Shuffle/PD) | **Fully integrated** (PD as stub) |
| IOC pipeline | **Fully implemented** |
| Production hardening | **Pending** (tuning, governance, PD) |

> All deliverables from the initial contract scope (Sections 3–5 and Appendix A) are implemented and testable. Appendix B optional use cases are also implemented ahead of schedule. The primary remaining work is production hardening, real-traffic tuning, and PagerDuty go-live.