# Wazuh Rule Match Summary — SOC Proposal Appendices A / B / C

**Query window:** 2026-03-17 (today only)

**Total meaningful events (post rule-fix):** 199

**Data source:** OpenSearch index `wazuh-alerts-*` (filter: `rule.groups: soc_prod*`)

> **Note — Rule 110354 fix:** Rule 110354 (A4-13 DSRM) was found to be misconfigured — its parent SID 60103
> is "Windows audit success event" (matches ALL `AUDIT_SUCCESS` events), and the rule had no `eventID`
> constraint. This caused ~313,000 false-positive fires today on events such as 4624, 4634, 4688, 4793, etc.
> Fix applied: added an `eventID` constraint of `^4794$`. The rule is now silent (0 events post-fix,
> confirmed correct). The pre-fix event count is excluded from the summary totals below.

---

## Appendix A — Threat Detection (FortiGate + Windows/AD)

### A1 — DNS / Firewall IOC *(file: soc-a1-ioc-rules.xml)*

| Rule ID | Use Case | Description | MITRE | Events |
|---------|----------|-------------|-------|--------|
| 110301 | A1-01 | DNS query to malicious domain (IOC traffic indicator) | T1071.004 | 0 |
| 110302 | A1-02 | DNS IOC domain match from threat intelligence feed | T1568 | 0 |

---

### A2 — FortiGate IPS/IDS & Firewall *(file: soc-a2-fortigate-fw-rules.xml)*

| Rule ID | Use Case | Description | MITRE | Events |
|---------|----------|-------------|-------|--------|
| 110311 | A2-01 | FortiGate: RDP (3389) traffic allowed | T1021.001 | 0 |
| 110312 | A2-02 | FortiGate: admin account password changed | T1098 | 0 |
| 110313 | A2-03 | FortiGate: new admin account created | T1136 | 0 |
| 110314 | A2-04 | FortiGate: alerting/notification disabled via config change | T1562 | 0 |
| 110315 | A2-05 | FortiGate: firewall configuration file downloaded | T1005 | 0 |
| 110316 | A2-06 | FortiGate IPS: multiple critical signatures triggered | T1595 | 0 |
| 110317 | A2-07 | FortiGate: TCP port scan from external IP | T1046 | 0 |
| 110318 | A2-08 | FortiGate IPS: IOC-based IP indicator detected | T1071.001 | 0 |
| 110319 | A2-09 | FortiGate: internal port scan from private source IP | T1046 | 0 |
| 110320 | A2-10 | FortiGate: traffic to known C2/malicious IP allowed | T1071.001 | 0 |

> No FortiGate syslog events received today.

---

### A3 — FortiGate VPN *(file: soc-a3-fortigate-vpn-rules.xml)*

| Rule ID | Use Case | Description | MITRE | Events |
|---------|----------|-------------|-------|--------|
| 110331 | A3-01 | VPN authentication success by guest account | T1078.001 | 0 |
| 110332 | A3-02 | VPN success from different country than last login | T1078 | 0 |
| 110333 | A3-03 | VPN success after multiple prior failures (brute-force indicator) | T1110.001 | 0 |
| 110334 | A3-04 | VPN multiple account failures from single source IP | T1110.003 | 0 |
| 110335 | A3-05 | VPN authentication success from outside Thailand | T1078 | 0 |

> VPN logs not yet forwarded to Wazuh.

---

### A4 — Windows / Active Directory *(file: soc-a4-windows-ad-rules.xml)*

| Rule ID | Use Case | Description | MITRE | Events |
|---------|----------|-------------|-------|--------|
| 110341 | A4-01 | Windows: privileged account name auth failure (4625) | T1110.001 | **1** |
| 110342 | A4-02 | Windows: service account auth failure (4625) | T1110.001 | **50** |
| 110343 | A4-03 | Windows AD: adfind enumeration tool executed (4688) | T1087.002 | 0 |
| 110346 | A4-06 | Windows: remote interactive auth success logon type 10 (4624) | T1021.001, T1078 | 0 |
| 110348 | A4-08 | Windows: NTLM network logon type 3 — pass-the-hash indicator (4624) | T1550.002 | **46** |
| 110349 | A4-09 | Windows: guest account auth success (4624) | T1078.001 | 0 |
| 110350 | A4-10 | Windows: service account interactive logon type 2 (4624) | T1078.003 | 0 |
| 110352 | A4-12 | Windows: account added to privileged domain group (4728) | T1098.007 | 0 |
| 110353 | A4-11 | Windows: account added to privileged local group (4732) | T1098.007 | 0 |
| 110354 | A4-13 | Windows DC: DSRM account password set (4794) | T1098 | 0 ✅ fixed |
| 110359 | A4-19 | Windows: authentication failure (4625) — general | T1110.003 | **71** |
| 110361 | A4-21/23 | Windows: new user account created (4720) | T1136 | 0 |
| 110362 | A4-22/24 | Windows: user account re-enabled (4722) | T1078 | 0 |

> Rule 110354 now correctly requires `eventID=4794` and is silent (no genuine DSRM events today).
> Rule 110348 (NTLM/pass-the-hash) was previously masked by 110354 noise — now visible with 46 events.

---

## Appendix B — Expanded Monitoring

### B1 — VMware vCenter / ESXi *(file: soc-b1-vmware-rules.xml)*

| Rule ID | Use Case | Description | MITRE | Events |
|---------|----------|-------------|-------|--------|
| 110401 | B1-01 | vCenter: login failure detected (brute-force indicator) | T1110 | 0 |
| 110402 | B1-02 | ESXi: SSH service enabled on host | T1021.004 | 0 |
| 110403 | B1-03 | ESXi: SSH authentication event detected | T1021.004 | 0 |

> VMware logs not yet forwarded to Wazuh.

---

### B2 — Log Monitoring *(file: soc-b2-logmon-rules.xml)*

| Rule ID | Use Case | Description | MITRE | Events |
|---------|----------|-------------|-------|--------|
| 110411 | B2-01 | Log Monitor: log ingestion loss detected on monitored stream | T1562.006 | 0 |

---

### B3 — Windows Sysmon *(file: soc-b3-sysmon-rules.xml)*

| Rule ID | Use Case | Description | MITRE | Events |
|---------|----------|-------------|-------|--------|
| 110421 | B3-01 | Sysmon: LSASS process access detected (event 10) | T1003.001 | 0 |
| 110422 | B3-02 | Sysmon: SQL keyword in process command line (event 1) | T1190 | 0 |
| 110423 | B3-03 | Sysmon: web script file created (possible webshell, event 11) | T1505.003 | 0 |
| 110424 | B3-04 | Sysmon: msiexec uninstall detected (event 1) | T1562.001 | 0 |
| 110425 | B3-05 | Sysmon: LSASS dump via Task Manager (event 10) | T1003.001 | 0 |
| 110426 | B3-06 | Sysmon: certutil.exe execution detected (event 1) | T1105 | 0 |

> Sysmon not deployed on endpoints.
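The 110354 defect described in the note above (a child rule chaining off the broad parent 60103 with no `eventID` constraint, so every parent match became an alert) is the kind of mistake that is cheap to catch before a rule file is deployed. The Python linter below is an added example for this summary and is not part of the SOC rule files or of Wazuh itself: it parses Wazuh rule XML, flags any rule whose `<if_sid>` points at a broad Windows parent but which carries no `eventID` `<field>`, and replays a constructed sample of decoded event IDs through the pre-fix and post-fix forms of the rule to show how the alert count changes. The rule bodies, the rule `level`, the treatment of 60104 as a second broad parent, and the sample event IDs are assumptions constructed for the example; only 60103 and the `^4794$` constraint come from the note.

```python
import re
import xml.etree.ElementTree as ET

# Parent rule IDs that match a whole event class rather than one event ID.
# 60103 is Wazuh's "Windows audit success event" parent named in the note
# above; 60104 is assumed here to be the equally broad audit-failure parent.
BROAD_WINDOWS_PARENTS = {"60103", "60104"}

# Constructed rule bodies mirroring the described 110354 defect and its fix.
# They are NOT the contents of soc-a4-windows-ad-rules.xml; level="12" is assumed.
BEFORE_FIX = """
<group name="soc_prod,windows,">
  <rule id="110354" level="12">
    <if_sid>60103</if_sid>
    <description>Windows DC: DSRM account password set (4794)</description>
    <mitre><id>T1098</id></mitre>
  </rule>
</group>
"""

AFTER_FIX = """
<group name="soc_prod,windows,">
  <rule id="110354" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4794$</field>
    <description>Windows DC: DSRM account password set (4794)</description>
    <mitre><id>T1098</id></mitre>
  </rule>
</group>
"""

# Constructed sample of decoded eventIDs already accepted by parent 60103,
# drawn from the event types the note lists as false-positive sources.
SAMPLE_EVENT_IDS = ["4624", "4634", "4688", "4793", "4794", "4624"]


def _parse_rules(rules_xml: str) -> ET.Element:
    """Wazuh rule files may hold several top-level <group> elements, so wrap
    the text in a synthetic root before handing it to ElementTree."""
    return ET.fromstring(f"<rules>{rules_xml}</rules>")


def _event_id_patterns(rule: ET.Element) -> list[str]:
    """Regexes the rule applies to the decoded eventID field (empty if none)."""
    return [
        (f.text or "").strip()
        for f in rule.findall("field")
        if (f.get("name") or "").endswith("eventID")
    ]


def find_unconstrained_rules(rules_xml: str) -> list[dict]:
    """Return rules that chain off a broad Windows parent via <if_sid> but
    never narrow on eventID: every parent match would become an alert."""
    findings = []
    for rule in _parse_rules(rules_xml).iter("rule"):
        parents = {
            sid.strip()
            for el in rule.findall("if_sid")
            for sid in (el.text or "").split(",")
        }
        broad = parents & BROAD_WINDOWS_PARENTS
        if broad and not _event_id_patterns(rule):
            findings.append({
                "id": rule.get("id"),
                "parents": sorted(broad),
                "description": rule.findtext("description", default="").strip(),
            })
    return findings


def fired_event_ids(rules_xml: str, event_ids: list[str]) -> list[str]:
    """Simulate the first rule in rules_xml against eventIDs that its parent
    already matched, returning the IDs it would alert on. A rule with no
    eventID constraint inherits the parent's full match set."""
    rule = next(iter(_parse_rules(rules_xml).iter("rule")))
    patterns = [re.compile(p) for p in _event_id_patterns(rule)]
    if not patterns:
        return list(event_ids)
    return [eid for eid in event_ids if all(p.search(eid) for p in patterns)]


if __name__ == "__main__":
    for label, body in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, "unconstrained:", find_unconstrained_rules(body))
        print(label, "fires on:", fired_event_ids(body, SAMPLE_EVENT_IDS))
```

Run against the sample, the pre-fix body is reported by `find_unconstrained_rules` and fires on all six event IDs, while the post-fix body passes the lint and fires only on `4794`. Pointing `find_unconstrained_rules` at a whole custom rules directory as a pre-deployment check would have surfaced this rule before it produced the ~313,000 false positives.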
---

## Appendix C — Advanced Detection (Correlation)

### C1 — Impossible Travel *(file: soc-c1-c3-rules.xml)*

| Rule ID | Use Case | Description | MITRE | Events |
|---------|----------|-------------|-------|--------|
| 110501 | C1-01 | VPN login success with geo context — impossible travel candidate | T1078 | 0 |
| 110502 | C1-01 | Impossible travel confirmed by soc-integrator correlation | T1078 | 0 |

---

### C2 — Advanced Credential Abuse & Privilege Misuse *(file: soc-c1-c3-rules.xml)*

| Rule ID | Use Case | Description | MITRE | Events |
|---------|----------|-------------|-------|--------|
| 110511 | C2-01 | Privileged account auth success (4624) | T1078.002 | 0 |
| 110512 | C2-02 | Dormant/legacy account auth success (4624) | T1078 | 0 |
| 110513 | C2-03 | Service account remote interactive logon type 10 (4624) | T1078.003 | 0 |
| 110514 | C2-04 | Privilege escalation: group membership change (4732) | T1098.007 | 0 |

---

### C3 — Lateral Movement & Internal Reconnaissance *(file: soc-c1-c3-rules.xml)*

| Rule ID | Use Case | Description | MITRE | Events |
|---------|----------|-------------|-------|--------|
| 110521 | C3-01/02 | RDP auth success logon type 10 (lateral movement indicator) | T1021.001, T1078 | 0 |
| 110522 | C3-02 | SMB network logon type 3 (lateral movement indicator) | T1021.002, T1078 | **8** |
| 110523 | C3-03 | Admin account auth success — lateral movement candidate (4624) | T1021.001, T1078.002 | **23** |

> C3 rules (110522, 110523) were previously masked by 110354 noise — now visible with real event data.
---

## Summary

| Appendix | Section | Rules Implemented | Rules with Events | Total Events |
|----------|---------|:-----------------:|:-----------------:|:------------:|
| A | A1 — DNS/IOC | 2 | 0 | 0 |
| A | A2 — FortiGate FW/IPS | 10 | 0 | 0 |
| A | A3 — FortiGate VPN | 5 | 0 | 0 |
| A | A4 — Windows/AD | 13 | 4 | 168 |
| B | B1 — VMware | 3 | 0 | 0 |
| B | B2 — Log Monitor | 1 | 0 | 0 |
| B | B3 — Sysmon | 6 | 0 | 0 |
| C | C1 — Impossible Travel | 2 | 0 | 0 |
| C | C2 — Credential Abuse | 4 | 0 | 0 |
| C | C3 — Lateral Movement | 3 | 2 | 31 |
| **Total** | | **49** | **6** | **199** |

### Active rules today (post rule-fix)

| Rule | Description | Events | Note |
|------|-------------|--------|------|
| 110359 | A4-19 Windows auth failure (4625) general | 71 | Normal auth noise |
| 110342 | A4-02 Service account auth failure (4625) | 50 | Service account brute-force pattern |
| 110348 | A4-08 NTLM logon type 3 — pass-the-hash indicator | 46 | Previously masked by 110354 bug |
| 110523 | C3-03 Admin account auth success — lateral movement candidate | 23 | Previously masked by 110354 bug |
| 110522 | C3-02 SMB network logon type 3 | 8 | Previously masked by 110354 bug |
| 110341 | A4-01 Privileged account auth failure | 1 | |
| 110354 | A4-13 DSRM password set (4794) | 0 ✅ | Fixed — was false-positive firing on all AUDIT_SUCCESS |

### Active log sources (today)

| Source | Appendix | Status |
|--------|----------|--------|
| Windows Security Event Log (via Wazuh agent) | A4, C3 | ✅ Active — auth events (4624, 4625) ingesting across multiple agents |
| FortiGate firewall/IPS syslog | A2 | ❌ No events today |
| FortiGate VPN syslog | A3, C1 | ❌ Not forwarding |
| DNS / soc-mvp decoder | A1 | ❌ No events today |
| soc-integrator log-loss events | B2 | ❌ No events today |
| VMware vCenter/ESXi syslog | B1 | ❌ Not forwarding |
| Windows Sysmon (via Wazuh agent) | B3 | ❌ Not deployed |