# Appendix C1-C3 - production-style sample logs

# C1-01 candidate impossible travel (FortiGate VPN success with geo context fields)
date=2026-03-09 time=10:31:00 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773081060 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" action="ssl-login-success" user="analyst01" srcip=203.0.113.71 previous_country=TH current_country=US

# C1-01 confirmed impossible travel from SOC Integrator correlation
soc_event=correlation event_type=c1_impossible_travel user="analyst01" src_ip=203.0.113.71 prev_ip=203.0.113.11 prev_country=TH current_country=US distance_km=13890 travel_minutes=18

# C2-01 privileged account authentication success
{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"admin.soc","logonType":"10"}}}

# C2-02 dormant account activation
{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"legacy_user01","logonType":"2"}}}

# C2-03 service account remote interactive logon
{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"svc_dbbackup$","logonType":"10"}}}

# C2-04 privilege escalation via local group change
{"win":{"system":{"eventID":"4732"},"eventdata":{"targetUserName":"john.ops","groupName":"Administrators"}}}

# C3-01 lateral movement indicator (RDP, logon type 10)
{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"helpdesk01","logonType":"10"}}}

# C3-02 lateral movement indicator (SMB, logon type 3)
{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"helpdesk01","logonType":"3"}}}

# C3-03 admin account moving laterally
{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"admin-core","logonType":"3"}}}