- # Appendix C1-C3 - production-style sample logs. Values are illustrative: the IP addresses are RFC 5737 documentation space (203.0.113.0/24), and the Windows events are trimmed to the fields the C2/C3 rules key on (eventID, targetUserName, logonType); real 4624/4732 events also carry further fields (e.g. IpAddress, WorkstationName, SubjectUserName) that a production rule should correlate on.
- # C1-01 candidate impossible travel (FortiGate SSL-VPN login success with geo context fields). Note: previous_country/current_country are not native FortiGate log keys; they appear to be added by geo enrichment upstream of correlation - confirm the parser populates them before a rule depends on them.
- date=2026-03-09 time=10:31:00 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773081060 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" action="ssl-login-success" user="analyst01" srcip=203.0.113.71 previous_country=TH current_country=US
- # C1-01 confirmed impossible travel from SOC Integrator correlation: 13890 km in 18 minutes is roughly 46,000 km/h, far above any plausible velocity threshold. Caveat: src_ip and prev_ip both sit in the 203.0.113.0/24 documentation range, so a live geo-IP lookup would not return TH/US - the country values here are illustrative.
- soc_event=correlation event_type=c1_impossible_travel user="analyst01" src_ip=203.0.113.71 prev_ip=203.0.113.11 prev_country=TH current_country=US distance_km=13890 travel_minutes=18
- # C2-01 privileged account auth success (4624, logon type 10 = RemoteInteractive/RDP)
- {"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"admin.soc","logonType":"10"}}}
- # C2-02 dormant account activation (4624, logon type 2 = Interactive). Dormancy cannot be read from this event alone; the rule needs the account's last-logon baseline from prior events or the directory.
- {"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"legacy_user01","logonType":"2"}}}
- # C2-03 service account remote interactive logon (4624, logon type 10). Note the trailing "$": in Active Directory that suffix denotes a computer or group Managed Service Account, and rules that drop "$" accounts as noise would miss this event - match on the account name pattern rather than applying the suffix filter.
- {"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"svc_dbbackup$","logonType":"10"}}}
- # C2-04 privilege escalation via local group change (4732 - member added to a security-enabled local group). Field mapping caveat: in the native 4732 schema the group name is carried in TargetUserName and the added principal in MemberName/MemberSid; this sample uses a normalised targetUserName/groupName pair, so confirm the parser's mapping before writing the rule.
- {"win":{"system":{"eventID":"4732"},"eventdata":{"targetUserName":"john.ops","groupName":"Administrators"}}}
- # C3-01 lateral movement indicator (4624, logon type 10 = RemoteInteractive/RDP). A type-10 logon on its own is only a candidate; correlate with the source IpAddress/WorkstationName and the user's usual hosts to avoid flagging routine admin RDP.
- {"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"helpdesk01","logonType":"10"}}}
- # C3-02 lateral movement indicator (4624, logon type 3 = Network). Type 3 covers any network logon (SMB share access, RPC, etc.), not only SMB, so the rule should not label it SMB without port or service context.
- {"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"helpdesk01","logonType":"3"}}}
- # C3-03 admin account moving laterally (4624, logon type 3 from an admin account). Pair with C3-02 over a short time window and distinct target hosts; a single type-3 logon by an admin account is routine on its own.
- {"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"admin-core","logonType":"3"}}}