fortigate action="ssl-login-success" C1-01 [PROD] VPN login success with geo context — impossible travel candidate soc_prod,c1,impossible_travel,identity, T1078
100260 event_type=c1_impossible_travel C1-01 [PROD] Impossible travel confirmed by soc-integrator correlation soc_prod,c1,impossible_travel,identity, T1078
60106 (?i)admin C2-01 [PROD] Privileged account auth success (4624) soc_prod,c2,credential_abuse,identity, T1078.002
60106 (?i)legacy C2-02 [PROD] Dormant/legacy account auth success (4624) soc_prod,c2,credential_abuse,identity, T1078
60106 ^10$ (?i)svc|service|\$$ C2-03 [PROD] Service account remote interactive logon type 10 (4624) soc_prod,c2,service_account,identity, T1078.003
60113 ^4732$ C2-04 [PROD] Privilege escalation: group membership change (4732) soc_prod,c2,privilege_escalation,identity, T1098.007
60106 ^10$ C3-01/02 [PROD] RDP auth success logon type 10 (lateral movement indicator) soc_prod,c3,lateral_movement,rdp, T1021.001 T1078
60106 ^3$ C3-02 [PROD] SMB network logon type 3 (lateral movement indicator) soc_prod,c3,lateral_movement,smb, T1021.002 T1078
60106 (?i)admin C3-03 [PROD] Admin account auth success — lateral movement candidate (4624) soc_prod,c3,lateral_movement,admin, T1021.001 T1078.002