# Wazuh Rule Match Summary — SOC Proposal Appendices A / B / C

- Query window: 2026-03-17 (today only)
- Total meaningful events (post rule-fix): 199
- Data source: OpenSearch index `wazuh-alerts-*` (filter: `rule.groups: soc_prod*`)

**Note — Rule 110354 fix:** Rule 110354 (A4-13 DSRM) was found to be misconfigured: its parent SID 60103 is "Windows audit success event" (matches ALL AUDIT_SUCCESS events), and the rule had no eventID constraint. This caused ~313,000 false-positive fires today on events such as 4624, 4634, 4688, 4793, etc. Fix applied: added `<field name="win.system.eventID">^4794$</field>`. The rule is now silent (0 events post-fix, confirmed correct). The pre-fix event count is excluded from the summary totals below.
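The misconfiguration described in the note is a general class: any rule chained with `<if_sid>` to a broad parent such as 60103 and lacking a `win.system.eventID` constraint fires on every audit-success event. The following lint script is an added example (not part of this summary or the SOC rule files); it embeds a constructed copy of rule 110354 in its pre-fix and post-fix shapes plus a hypothetical rule `999999` with an unanchored pattern, and flags both problems. The set of "broad" parent SIDs is an assumption you would extend for your own rule set.

```python
"""Lint Wazuh rule XML for rules chained to a broad parent SID (e.g. 60103,
"Windows audit success event") that lack an anchored win.system.eventID
constraint. Added example; the sample rules below are constructed."""
import xml.etree.ElementTree as ET

# Parent SIDs that match whole classes of events. 60103 is the one named in
# the note; extend this set for your own rule base (assumption).
BROAD_PARENT_SIDS = {"60103"}
EVENT_ID_FIELD = "win.system.eventID"

# Constructed: the shape of rule 110354 before the fix (no eventID field).
PRE_FIX_RULES = """
<group name="soc_prod,windows,">
  <rule id="110354" level="10">
    <if_sid>60103</if_sid>
    <description>Windows DC: DSRM account password set (4794)</description>
    <mitre><id>T1098</id></mitre>
  </rule>
</group>
"""

# Constructed: the corrected form with the constraint quoted in the note.
POST_FIX_RULES = """
<group name="soc_prod,windows,">
  <rule id="110354" level="10">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4794$</field>
    <description>Windows DC: DSRM account password set (4794)</description>
    <mitre><id>T1098</id></mitre>
  </rule>
</group>
"""

# Hypothetical rule: a <field> value is a regex, so an unanchored "4794"
# would also match any longer event ID containing those digits.
UNANCHORED_RULES = """
<group name="soc_prod,windows,">
  <rule id="999999" level="5">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">4794</field>
    <description>Hypothetical rule with an unanchored eventID pattern</description>
  </rule>
</group>
"""


def iter_rules(rule_xml: str):
    """Yield <rule> elements. A Wazuh rules file may hold several top-level
    <group> elements, so it is not a single-root document; wrap it first."""
    root = ET.fromstring("<rules>" + rule_xml + "</rules>")
    return root.iter("rule")


def lint_rules(rule_xml: str) -> list[tuple[str, str]]:
    """Return (rule_id, problem) pairs for rules chained to a broad parent
    without an anchored win.system.eventID constraint."""
    findings = []
    for rule in iter_rules(rule_xml):
        rule_id = rule.get("id", "?")
        # <if_sid> may list several comma-separated parent IDs.
        parents = {
            sid.strip()
            for el in rule.findall("if_sid")
            for sid in (el.text or "").split(",")
            if sid.strip()
        }
        broad = sorted(parents & BROAD_PARENT_SIDS)
        if not broad:
            continue
        event_fields = [f for f in rule.findall("field") if f.get("name") == EVENT_ID_FIELD]
        if not event_fields:
            findings.append((rule_id, f"chained to broad parent {broad} without a {EVENT_ID_FIELD} field"))
            continue
        for field in event_fields:
            pattern = (field.text or "").strip()
            if not (pattern.startswith("^") and pattern.endswith("$")):
                findings.append((rule_id, f"{EVENT_ID_FIELD} pattern {pattern!r} is not anchored with ^ and $"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("pre-fix", PRE_FIX_RULES), ("post-fix", POST_FIX_RULES), ("unanchored", UNANCHORED_RULES)):
        print(label, lint_rules(xml_text) or "OK")
```

Running it against a real rules directory before `wazuh-logtest`/restart catches the 110354 pattern at review time rather than after a day of ~313,000 alerts; the same check is cheap to wire into a pre-commit hook for the rule repository.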


## Appendix A — Threat Detection (FortiGate + Windows/AD)

### A1 — DNS / Firewall IOC (file: soc-a1-ioc-rules.xml)

| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110301 | A1-01 | DNS query to malicious domain (IOC traffic indicator) | T1071.004 | 0 |
| 110302 | A1-02 | DNS IOC domain match from threat intelligence feed | T1568 | 0 |

### A2 — FortiGate IPS/IDS & Firewall (file: soc-a2-fortigate-fw-rules.xml)

| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110311 | A2-01 | FortiGate: RDP (3389) traffic allowed | T1021.001 | 0 |
| 110312 | A2-02 | FortiGate: admin account password changed | T1098 | 0 |
| 110313 | A2-03 | FortiGate: new admin account created | T1136 | 0 |
| 110314 | A2-04 | FortiGate: alerting/notification disabled via config change | T1562 | 0 |
| 110315 | A2-05 | FortiGate: firewall configuration file downloaded | T1005 | 0 |
| 110316 | A2-06 | FortiGate IPS: multiple critical signatures triggered | T1595 | 0 |
| 110317 | A2-07 | FortiGate: TCP port scan from external IP | T1046 | 0 |
| 110318 | A2-08 | FortiGate IPS: IOC-based IP indicator detected | T1071.001 | 0 |
| 110319 | A2-09 | FortiGate: internal port scan from private source IP | T1046 | 0 |
| 110320 | A2-10 | FortiGate: traffic to known C2/malicious IP allowed | T1071.001 | 0 |

No FortiGate syslog events received today.


### A3 — FortiGate VPN (file: soc-a3-fortigate-vpn-rules.xml)

| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110331 | A3-01 | VPN authentication success by guest account | T1078.001 | 0 |
| 110332 | A3-02 | VPN success from different country than last login | T1078 | 0 |
| 110333 | A3-03 | VPN success after multiple prior failures (brute-force indicator) | T1110.001 | 0 |
| 110334 | A3-04 | VPN multiple account failures from single source IP | T1110.003 | 0 |
| 110335 | A3-05 | VPN authentication success from outside Thailand | T1078 | 0 |

VPN logs not yet forwarded to Wazuh.


### A4 — Windows / Active Directory (file: soc-a4-windows-ad-rules.xml)

| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110341 | A4-01 | Windows: privileged account name auth failure (4625) | T1110.001 | 1 |
| 110342 | A4-02 | Windows: service account auth failure (4625) | T1110.001 | 50 |
| 110343 | A4-03 | Windows AD: adfind enumeration tool executed (4688) | T1087.002 | 0 |
| 110346 | A4-06 | Windows: remote interactive auth success logon type 10 (4624) | T1021.001, T1078 | 0 |
| 110348 | A4-08 | Windows: NTLM network logon type 3 — pass-the-hash indicator (4624) | T1550.002 | 46 |
| 110349 | A4-09 | Windows: guest account auth success (4624) | T1078.001 | 0 |
| 110350 | A4-10 | Windows: service account interactive logon type 2 (4624) | T1078.003 | 0 |
| 110352 | A4-12 | Windows: account added to privileged domain group (4728) | T1098.007 | 0 |
| 110353 | A4-11 | Windows: account added to privileged local group (4732) | T1098.007 | 0 |
| 110354 | A4-13 | Windows DC: DSRM account password set (4794) | T1098 | 0 ✅ fixed |
| 110359 | A4-19 | Windows: authentication failure (4625) — general | T1110.003 | 71 |
| 110361 | A4-21/23 | Windows: new user account created (4720) | T1136 | 0 |
| 110362 | A4-22/24 | Windows: user account re-enabled (4722) | T1078 | 0 |

Rule 110354 now correctly requires eventID=4794 and is silent (no genuine DSRM events today). Rule 110348 (NTLM/pass-the-hash) was previously masked by 110354 noise — now visible with 46 events.


## Appendix B — Expanded Monitoring

### B1 — VMware vCenter / ESXi (file: soc-b1-vmware-rules.xml)

| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110401 | B1-01 | vCenter: login failure detected (brute-force indicator) | T1110 | 0 |
| 110402 | B1-02 | ESXi: SSH service enabled on host | T1021.004 | 0 |
| 110403 | B1-03 | ESXi: SSH authentication event detected | T1021.004 | 0 |

VMware logs not yet forwarded to Wazuh.


### B2 — Log Monitoring (file: soc-b2-logmon-rules.xml)

| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110411 | B2-01 | Log Monitor: log ingestion loss detected on monitored stream | T1562.006 | 0 |

### B3 — Windows Sysmon (file: soc-b3-sysmon-rules.xml)

| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110421 | B3-01 | Sysmon: LSASS process access detected (event 10) | T1003.001 | 0 |
| 110422 | B3-02 | Sysmon: SQL keyword in process command line (event 1) | T1190 | 0 |
| 110423 | B3-03 | Sysmon: web script file created (possible webshell, event 11) | T1505.003 | 0 |
| 110424 | B3-04 | Sysmon: msiexec uninstall detected (event 1) | T1562.001 | 0 |
| 110425 | B3-05 | Sysmon: LSASS dump via Task Manager (event 10) | T1003.001 | 0 |
| 110426 | B3-06 | Sysmon: certutil.exe execution detected (event 1) | T1105 | 0 |

Sysmon not deployed on endpoints.


## Appendix C — Advanced Detection (Correlation)

### C1 — Impossible Travel (file: soc-c1-c3-rules.xml)

| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110501 | C1-01 | VPN login success with geo context — impossible travel candidate | T1078 | 0 |
| 110502 | C1-01 | Impossible travel confirmed by soc-integrator correlation | T1078 | 0 |

### C2 — Advanced Credential Abuse & Privilege Misuse (file: soc-c1-c3-rules.xml)

| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110511 | C2-01 | Privileged account auth success (4624) | T1078.002 | 0 |
| 110512 | C2-02 | Dormant/legacy account auth success (4624) | T1078 | 0 |
| 110513 | C2-03 | Service account remote interactive logon type 10 (4624) | T1078.003 | 0 |
| 110514 | C2-04 | Privilege escalation: group membership change (4732) | T1098.007 | 0 |

### C3 — Lateral Movement & Internal Reconnaissance (file: soc-c1-c3-rules.xml)

| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110521 | C3-01/02 | RDP auth success logon type 10 (lateral movement indicator) | T1021.001, T1078 | 0 |
| 110522 | C3-02 | SMB network logon type 3 (lateral movement indicator) | T1021.002, T1078 | 8 |
| 110523 | C3-03 | Admin account auth success — lateral movement candidate (4624) | T1021.001, T1078.002 | 23 |

C3 rules (110522, 110523) were previously masked by 110354 noise — now visible with real event data.


## Summary

| Appendix | Section | Rules Implemented | Rules with Events | Total Events |
|---|---|---|---|---|
| A | A1 — DNS/IOC | 2 | 0 | 0 |
| A | A2 — FortiGate FW/IPS | 10 | 0 | 0 |
| A | A3 — FortiGate VPN | 5 | 0 | 0 |
| A | A4 — Windows/AD | 13 | 4 | 168 |
| B | B1 — VMware | 3 | 0 | 0 |
| B | B2 — Log Monitor | 1 | 0 | 0 |
| B | B3 — Sysmon | 6 | 0 | 0 |
| C | C1 — Impossible Travel | 2 | 0 | 0 |
| C | C2 — Credential Abuse | 4 | 0 | 0 |
| C | C3 — Lateral Movement | 3 | 2 | 31 |
| **Total** | | 49 | 6 | 199 |
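The counts in this summary are per-rule tallies of `wazuh-alerts-*` documents filtered on `rule.groups: soc_prod*`, with rule 110354's pre-fix false positives excluded. The script below is an added example that reproduces that tally offline (it is not the tooling that produced this report): it embeds a handful of constructed alert documents in the `wazuh-alerts-*` shape, applies the same group filter, and drops a rule's alerts from before a per-rule cutoff. `FIX_TIME_110354` is a placeholder, since the summary does not state when the fix was deployed.

```python
"""Tally Wazuh alerts per rule ID with a soc_prod* group filter and a per-rule
"exclude before fix time" cutoff. Added example with constructed alert data."""
import json
from collections import Counter
from datetime import datetime

# Placeholder: the summary does not give the deployment time of the 110354 fix.
FIX_TIME_110354 = "2026-03-17T10:00:00.000+00:00"


def _alert(ts, rule_id, groups, event_id, description):
    """Build one constructed alert document in the wazuh-alerts-* shape."""
    return json.dumps({
        "timestamp": ts,
        "rule": {"id": rule_id, "description": description, "groups": groups},
        "data": {"win": {"system": {"eventID": event_id}}},
    })


# Constructed sample: one JSON document per line, as exported from OpenSearch.
SAMPLE_ALERTS = "\n".join([
    # two pre-fix 110354 false positives on ordinary audit-success events
    _alert("2026-03-17T08:01:00.000+00:00", "110354", ["soc_prod", "windows"], "4624", "Windows DC: DSRM account password set (4794)"),
    _alert("2026-03-17T08:02:00.000+00:00", "110354", ["soc_prod", "windows"], "4634", "Windows DC: DSRM account password set (4794)"),
    _alert("2026-03-17T11:15:00.000+00:00", "110348", ["soc_prod", "windows"], "4624", "Windows: NTLM network logon type 3"),
    _alert("2026-03-17T11:20:00.000+00:00", "110522", ["soc_prod", "correlation"], "4624", "SMB network logon type 3"),
    _alert("2026-03-17T11:30:00.000+00:00", "110359", ["soc_prod", "windows"], "4625", "Windows: authentication failure (4625)"),
    # stock Wazuh rule without a soc_prod group: must be filtered out
    _alert("2026-03-17T11:35:00.000+00:00", "60103", ["windows", "windows_security"], "4624", "Windows audit success event"),
])


def in_soc_groups(alert, prefix="soc_prod"):
    """Per-document equivalent of the OpenSearch filter rule.groups: soc_prod*."""
    return any(g.startswith(prefix) for g in alert.get("rule", {}).get("groups", []))


def count_matches(alert_lines, group_prefix="soc_prod", exclude_before=None):
    """Return a Counter of alerts per rule.id. exclude_before maps a rule ID to
    an ISO-8601 timestamp; that rule's alerts older than the cutoff are skipped."""
    cutoffs = {rid: datetime.fromisoformat(ts) for rid, ts in (exclude_before or {}).items()}
    counts = Counter()
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        if not in_soc_groups(alert, group_prefix):
            continue
        rule_id = alert["rule"]["id"]
        cutoff = cutoffs.get(rule_id)
        if cutoff is not None and datetime.fromisoformat(alert["timestamp"]) < cutoff:
            continue
        counts[rule_id] += 1
    return counts


def summarize(counts):
    """The two totals the Summary table carries: rules with events and total events."""
    return {
        "rules_with_events": sum(1 for c in counts.values() if c),
        "total_events": sum(counts.values()),
    }


if __name__ == "__main__":
    post_fix = count_matches(SAMPLE_ALERTS, exclude_before={"110354": FIX_TIME_110354})
    for rule_id, n in sorted(post_fix.items()):
        print(rule_id, n)
    print(summarize(post_fix))
```

Applying the same cutoff to a real export makes the "pre-fix events excluded" statement reproducible: anyone re-running the tally with the deployment timestamp gets the same 199, and the pre-fix count is recoverable by dropping the `exclude_before` argument.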

### Active rules today (post rule-fix)

| Rule | Description | Events | Note |
|---|---|---|---|
| 110359 | A4-19 Windows auth failure (4625) general | 71 | Normal auth noise |
| 110342 | A4-02 Service account auth failure (4625) | 50 | Service account brute-force pattern |
| 110348 | A4-08 NTLM logon type 3 — pass-the-hash indicator | 46 | Previously masked by 110354 bug |
| 110523 | C3-03 Admin account auth success — lateral movement candidate | 23 | Previously masked by 110354 bug |
| 110522 | C3-02 SMB network logon type 3 | 8 | Previously masked by 110354 bug |
| 110341 | A4-01 Privileged account auth failure | 1 | |
| 110354 | A4-13 DSRM password set (4794) | 0 | ✅ Fixed — was false-positive firing on all AUDIT_SUCCESS |

### Active log sources (today)

| Source | Appendix | Status |
|---|---|---|
| Windows Security Event Log (via Wazuh agent) | A4, C3 | ✅ Active — auth events (4624, 4625) ingesting across multiple agents |
| FortiGate firewall/IPS syslog | A2 | ❌ No events today |
| FortiGate VPN syslog | A3, C1 | ❌ Not forwarding |
| DNS / soc-mvp decoder | A1 | ❌ No events today |
| soc-integrator log-loss events | B2 | ❌ No events today |
| VMware vCenter/ESXi syslog | B1 | ❌ Not forwarding |
| Windows Sysmon (via Wazuh agent) | B3 | ❌ Not deployed |