tum
/
soc


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879
							# Appendix A - production-style sample logs
# Sources: FortiGate traffic/event/vpn style fields, Windows Security event field shapes, SOC Integrator DNS IOC format

# A1-01 DNS IOC traffic
soc_event=dns_ioc event_type=ioc_dns_traffic src_ip=10.26.45.214 query=ioc-2294.malicious.example action=blocked severity=medium

# A1-02 DNS IOC domain match
soc_event=dns_ioc event_type=ioc_domain_match src_ip=10.26.45.214 query=bad-c2.example feed=internal_main confidence=high action=alert

# A2-01 Allowed RDP from public IP
date=2026-03-09 time=10:01:31 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079291 vd="root" logid="0000000013" type="traffic" subtype="forward" level="warning" srcip=91.190.63.84 srcport=55123 dstip=10.20.55.10 dstport=3389 proto=6 action="accept" policyid=3

# A2-02 Firewall admin password changed
date=2026-03-09 time=10:02:04 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079324 vd="root" logid="0100044547" type="event" subtype="system" level="warning" user="admin" action="password-change" ui="https(10.20.55.1)"

# A2-03 Firewall admin account created
date=2026-03-09 time=10:02:17 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079337 vd="root" logid="0100044548" type="event" subtype="system" level="warning" user="admin" action="create-admin" target_user="soc-backup-admin"

# A2-04 Notification disabled via config
date=2026-03-09 time=10:03:41 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079421 vd="root" logid="0100044551" type="event" subtype="system" level="warning" user="admin" action="config-change" config_path="system.alertemail" config_key="email-notify" config_value=disable

# A2-05 Config downloaded
date=2026-03-09 time=10:04:03 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079443 vd="root" logid="0100044552" type="event" subtype="system" level="notice" user="admin" action="download-config" dstip=10.20.50.33

# A2-06 Multiple critical IPS signatures
date=2026-03-09 time=10:05:14 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079514 vd="root" logid="0720018432" type="utm" subtype="ips" level="alert" srcip=185.220.101.44 dstip=10.20.55.20 attack="Multiple.Critical.Signatures" action="blocked"

# A2-07 TCP external scan
date=2026-03-09 time=10:05:50 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079550 vd="root" logid="0419016384" type="utm" subtype="anomaly" level="warning" srcip=45.148.10.9 dstip=10.20.55.20 attack="TCP.Port.Scan" action="detected"

# A2-08 IOC IP indicator detected
date=2026-03-09 time=10:06:23 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079583 vd="root" logid="0720018433" type="utm" subtype="ips" level="warning" srcip=10.20.55.12 dstip=198.51.100.77 ioc_type=ip ioc_value=198.51.100.77 action="blocked"

# A2-09 Internal scan
date=2026-03-09 time=10:07:12 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079632 vd="root" logid="0419016385" type="utm" subtype="anomaly" level="warning" srcip=10.20.55.11 dstip=10.20.55.0/24 attack="Internal.Port.Scan" action="detected"

# A2-10 Traffic to known C2
date=2026-03-09 time=10:07:59 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079679 vd="root" logid="0000000014" type="traffic" subtype="forward" level="warning" srcip=10.20.55.50 dstip=203.0.113.60 dstport=443 threat_label="known-c2" action="accept"

# A3-01 VPN guest login success
date=2026-03-09 time=10:10:11 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079811 vd="root" logid="0101037133" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="guest" srcip=203.0.113.17

# A3-02 VPN success from different country than prior login
date=2026-03-09 time=10:10:43 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079843 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="jane.doe" srcip=198.51.100.20 previous_country=TH current_country=DE

# A3-03 VPN success after failures
date=2026-03-09 time=10:11:12 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079872 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="ops.admin" srcip=198.51.100.42 failed_attempts_before_success=8

# A3-04 Multiple account failures from one source
date=2026-03-09 time=10:11:49 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079909 vd="root" logid="0101037134" type="event" subtype="vpn" tunneltype="ssl" level="notice" action="ssl-login-fail" srcip=198.51.100.42 failed_accounts=alice,bob,charlie

# A3-05 VPN login from outside expected country
date=2026-03-09 time=10:12:04 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079924 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="finance.user" srcip=203.0.113.71 expected_country=TH current_country=US

# A4-01 Windows privileged account auth failure
{"win":{"system":{"eventID":"4625"},"eventdata":{"targetUserName":"admin01"}}}
# A4-02 Windows service account auth failure
{"win":{"system":{"eventID":"4625"},"eventdata":{"targetUserName":"svc_backup$"}}}
# A4-03 AD enumeration tool execution
{"win":{"system":{"eventID":"4688"},"eventdata":{"newProcessName":"C:\\Tools\\adfind.exe"}}}
# A4-06 Remote interactive auth success
{"win":{"system":{"eventID":"4624"},"eventdata":{"logonType":"10","targetUserName":"helpdesk"}}}
# A4-08 NTLM network logon (pass-the-hash indicator)
{"win":{"system":{"eventID":"4624"},"eventdata":{"authenticationPackageName":"NTLM","logonType":"3","targetUserName":"it-admin"}}}
# A4-09 Guest account auth success
{"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"guest"}}}
# A4-10 Service account interactive logon
{"win":{"system":{"eventID":"4624"},"eventdata":{"logonType":"2","targetUserName":"service_sql"}}}
# A4-12 Account added to privileged domain group
{"win":{"system":{"eventID":"4728"},"eventdata":{"targetUserName":"new.user","groupName":"Domain Admins"}}}
# A4-11 Account added to privileged local group
{"win":{"system":{"eventID":"4732"},"eventdata":{"targetUserName":"new.user","groupName":"Administrators"}}}
# A4-13 DSRM password set attempt
{"win":{"system":{"eventID":"4794"},"eventdata":{"targetUserName":"Administrator"}}}
# A4-21 Domain/local account created
{"win":{"system":{"eventID":"4720"},"eventdata":{"targetUserName":"ops.newuser"}}}
# A4-22 Domain/local account re-enabled
{"win":{"system":{"eventID":"4722"},"eventdata":{"targetUserName":"legacy.disabled"}}}