tum
/
soc


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312
							<group name="soc_mvp_test,">
  <!-- Base marker for all synthetic SOC simulation events -->
  <rule id="100200" level="3">
    <match>soc_mvp_test=true</match>
    <description>SOC MVP synthetic test event detected</description>
    <group>soc_mvp_test,syslog,</group>
  </rule>

  <!-- Proposal-level grouping -->
  <rule id="100210" level="5">
    <if_sid>100200</if_sid>
    <match>usecase_id=A</match>
    <description>Proposal Appendix A simulation event</description>
    <group>soc_mvp_test,proposal_appendix_a,</group>
  </rule>

  <rule id="100220" level="5">
    <if_sid>100200</if_sid>
    <match>usecase_id=B</match>
    <description>Proposal Appendix B simulation event</description>
    <group>soc_mvp_test,proposal_appendix_b,</group>
  </rule>

  <rule id="100230" level="5">
    <if_sid>100200</if_sid>
    <match>usecase_id=C</match>
    <description>Proposal Appendix C simulation event</description>
    <group>soc_mvp_test,proposal_appendix_c,</group>
  </rule>

  <!-- Appendix A1 (Medium) -->
  <rule id="100301" level="8"><if_sid>100210</if_sid><match>usecase_id=A1-01</match><description>A1-01 DNS Network Traffic Communicate to Malicious Domain</description><group>soc_mvp_test,appendix_a,a1,ioc,</group></rule>
  <rule id="100302" level="8"><if_sid>100210</if_sid><match>usecase_id=A1-02</match><description>A1-02 DNS Network Traffic Malicious Domain IOCs Detection</description><group>soc_mvp_test,appendix_a,a1,ioc,</group></rule>

  <!-- Appendix A2 (FortiGate IPS/IDS & Firewall) -->
  <rule id="100311" level="12"><if_sid>100210</if_sid><match>usecase_id=A2-01</match><description>A2-01 Allowed RDP from Public IPs</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
  <rule id="100312" level="12"><if_sid>100210</if_sid><match>usecase_id=A2-02</match><description>A2-02 Firewall Account Admin Password Change</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
  <rule id="100313" level="12"><if_sid>100210</if_sid><match>usecase_id=A2-03</match><description>A2-03 Firewall Account Create Add Admin Account</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
  <rule id="100314" level="12"><if_sid>100210</if_sid><match>usecase_id=A2-04</match><description>A2-04 Firewall Configure Disabled Email Notification</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
  <rule id="100315" level="5"><if_sid>100210</if_sid><match>usecase_id=A2-05</match><description>A2-05 Firewall Configure Download Configure FW</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
  <rule id="100316" level="8"><if_sid>100210</if_sid><match>usecase_id=A2-06</match><description>A2-06 IDS Alert Multiple Critical High</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
  <rule id="100317" level="5"><if_sid>100210</if_sid><match>usecase_id=A2-07</match><description>A2-07 Network Traffic Port Scanning</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
  <rule id="100318" level="8"><if_sid>100210</if_sid><match>usecase_id=A2-08</match><description>A2-08 Network Traffic IOC Detection</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
  <rule id="100319" level="8"><if_sid>100210</if_sid><match>usecase_id=A2-09</match><description>A2-09 Port Scanning from Private IP</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>
  <rule id="100320" level="8"><if_sid>100210</if_sid><match>usecase_id=A2-10</match><description>A2-10 Communicate to Malicious IP</description><group>soc_mvp_test,appendix_a,a2,fortigate,</group></rule>

  <!-- Appendix A3 (FortiGate VPN) -->
  <rule id="100331" level="12"><if_sid>100210</if_sid><match>usecase_id=A3-01</match><description>A3-01 VPN Authentication Success from Guest Account</description><group>soc_mvp_test,appendix_a,a3,vpn,</group></rule>
  <rule id="100332" level="12"><if_sid>100210</if_sid><match>usecase_id=A3-02</match><description>A3-02 VPN Authentication Success from Multiple Country</description><group>soc_mvp_test,appendix_a,a3,vpn,</group></rule>
  <rule id="100333" level="12"><if_sid>100210</if_sid><match>usecase_id=A3-03</match><description>A3-03 VPN Authentication Brute Force Success</description><group>soc_mvp_test,appendix_a,a3,vpn,</group></rule>
  <rule id="100334" level="5"><if_sid>100210</if_sid><match>usecase_id=A3-04</match><description>A3-04 VPN Authentication Multiple Fail Many Accounts from One Source</description><group>soc_mvp_test,appendix_a,a3,vpn,</group></rule>
  <rule id="100335" level="12"><if_sid>100210</if_sid><match>usecase_id=A3-05</match><description>A3-05 VPN Authentication Success from Outside Thailand</description><group>soc_mvp_test,appendix_a,a3,vpn,</group></rule>

  <!-- Appendix A4 (Windows/AD) -->
  <rule id="100341" level="8"><if_sid>100210</if_sid><match>usecase_id=A4-01</match><description>A4-01 Windows Authentication Multiple Fail from Privileged Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100342" level="8"><if_sid>100210</if_sid><match>usecase_id=A4-02</match><description>A4-02 Windows Authentication Multiple Fail from Service Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100343" level="8"><if_sid>100210</if_sid><match>usecase_id=A4-03</match><description>A4-03 Windows AD Enumeration with Malicious Tools</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100344" level="8"><if_sid>100210</if_sid><match>usecase_id=A4-04</match><description>A4-04 Windows Authentication Fail from Public IPs</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100345" level="8"><if_sid>100210</if_sid><match>usecase_id=A4-05</match><description>A4-05 Windows File Share Enumeration to Single Destination</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100346" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-06</match><description>A4-06 Windows Authentication Success from Public IPs</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100347" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-07</match><description>A4-07 Windows Authentication Privileged Account Impersonation</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100348" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-08</match><description>A4-08 Windows Authentication Successful Pass the Hash RDP</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100349" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-09</match><description>A4-09 Windows Authentication Success from Guest Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100350" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-10</match><description>A4-10 Windows Authentication Interactive Logon Success by Service Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100351" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-11</match><description>A4-11 Windows Account Added to Privileged Custom Group</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100352" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-12</match><description>A4-12 Windows Account Added to Privileged Group</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100353" level="12"><if_sid>100210</if_sid><match>usecase_id=A4-13</match><description>A4-13 Windows Domain Configure DSRM Password Reset</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100354" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-14</match><description>A4-14 Windows Authentication Multiple Fail One Account from Many Sources</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100355" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-15</match><description>A4-15 Windows Authentication Multiple Fail Many Accounts from One Source</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100356" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-16</match><description>A4-16 Windows Authentication Multiple Fail from Guest Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100357" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-17</match><description>A4-17 Windows Authentication Multiple Fail One Account from One Source</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100358" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-18</match><description>A4-18 Windows Authentication Multiple Interactive Logon Denied</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100359" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-19</match><description>A4-19 Windows Authentication Password Spray</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100360" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-20</match><description>A4-20 Windows Authentication Attempt from Disabled Account</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100361" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-21</match><description>A4-21 Windows Domain Account Created</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100362" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-22</match><description>A4-22 Windows Local Account Re Enabled</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100363" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-23</match><description>A4-23 Windows Local Account Created</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>
  <rule id="100364" level="5"><if_sid>100210</if_sid><match>usecase_id=A4-24</match><description>A4-24 Windows Domain Account Re Enabled</description><group>soc_mvp_test,appendix_a,a4,windows,</group></rule>

  <!-- Appendix B1 (VMware vCenter/ESXi) -->
  <rule id="100401" level="12"><if_sid>100220</if_sid><match>usecase_id=B1-01</match><description>B1-01 vCenter GUI Login Failed 5 Times and Success 1 Time</description><group>soc_mvp_test,appendix_b,b1,vmware,</group></rule>
  <rule id="100402" level="8"><if_sid>100220</if_sid><match>usecase_id=B1-02</match><description>B1-02 ESXi Enable SSH on Hosts</description><group>soc_mvp_test,appendix_b,b1,vmware,</group></rule>
  <rule id="100403" level="12"><if_sid>100220</if_sid><match>usecase_id=B1-03</match><description>B1-03 ESXi SSH Failed 5 Times and Success 1 Time</description><group>soc_mvp_test,appendix_b,b1,vmware,</group></rule>

  <!-- Appendix B2 (Log monitoring) -->
  <rule id="100411" level="5"><if_sid>100220</if_sid><match>usecase_id=B2-01</match><description>B2-01 Log Monitor Logs Loss Detection</description><group>soc_mvp_test,appendix_b,b2,logmonitor,</group></rule>

  <!-- Appendix B3 (Windows Sysmon) -->
  <rule id="100421" level="12"><if_sid>100220</if_sid><match>usecase_id=B3-01</match><description>B3-01 Sysmon LSASS Dumping</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
  <rule id="100422" level="12"><if_sid>100220</if_sid><match>usecase_id=B3-02</match><description>B3-02 Sysmon SQL Injection</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
  <rule id="100423" level="12"><if_sid>100220</if_sid><match>usecase_id=B3-03</match><description>B3-03 Sysmon Webshell</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
  <rule id="100424" level="12"><if_sid>100220</if_sid><match>usecase_id=B3-04</match><description>B3-04 Sysmon Uninstall</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
  <rule id="100425" level="12"><if_sid>100220</if_sid><match>usecase_id=B3-05</match><description>B3-05 Sysmon LSASS Dumping by Task Manager</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>
  <rule id="100426" level="8"><if_sid>100220</if_sid><match>usecase_id=B3-06</match><description>B3-06 Sysmon CertUtil Download</description><group>soc_mvp_test,appendix_b,b3,sysmon,</group></rule>

  <!-- Appendix C1 (Impossible travel) -->
  <rule id="100501" level="12"><if_sid>100230</if_sid><match>usecase_id=C1-01</match><description>C1-01 Impossible Travel Detection</description><group>soc_mvp_test,appendix_c,c1,identity,</group></rule>

  <!-- Appendix C2 (Credential abuse & privilege misuse) -->
  <rule id="100511" level="12"><if_sid>100230</if_sid><match>usecase_id=C2-01</match><description>C2-01 Privileged Account Usage Outside Business Hours</description><group>soc_mvp_test,appendix_c,c2,identity,</group></rule>
  <rule id="100512" level="8"><if_sid>100230</if_sid><match>usecase_id=C2-02</match><description>C2-02 Dormant Account Activation</description><group>soc_mvp_test,appendix_c,c2,identity,</group></rule>
  <rule id="100513" level="12"><if_sid>100230</if_sid><match>usecase_id=C2-03</match><description>C2-03 Service Account Interactive Logon</description><group>soc_mvp_test,appendix_c,c2,identity,</group></rule>
  <rule id="100514" level="12"><if_sid>100230</if_sid><match>usecase_id=C2-04</match><description>C2-04 Rapid Privilege Escalation Followed by Sensitive Access</description><group>soc_mvp_test,appendix_c,c2,identity,</group></rule>

  <!-- Appendix C3 (Lateral movement & internal recon) -->
  <rule id="100521" level="12"><if_sid>100230</if_sid><match>usecase_id=C3-01</match><description>C3-01 Multiple Authentication Success Across Hosts</description><group>soc_mvp_test,appendix_c,c3,lateral_movement,</group></rule>
  <rule id="100522" level="12"><if_sid>100230</if_sid><match>usecase_id=C3-02</match><description>C3-02 SMB/RDP Lateral Burst Pattern</description><group>soc_mvp_test,appendix_c,c3,lateral_movement,</group></rule>
  <rule id="100523" level="12"><if_sid>100230</if_sid><match>usecase_id=C3-03</match><description>C3-03 Admin Account Accessing Many Servers Rapidly</description><group>soc_mvp_test,appendix_c,c3,lateral_movement,</group></rule>
  <rule id="100524" level="8"><if_sid>100230</if_sid><match>usecase_id=C3-04</match><description>C3-04 Internal Scanning / Enumeration Behavior</description><group>soc_mvp_test,appendix_c,c3,recon,</group></rule>
  <!-- ========================= -->
  <!-- Production profile rules -->
  <!-- ========================= -->
  <!--
    Production profile (second profile):
    - Does not depend on simulation marker fields (soc_mvp_test/usecase_id)
    - Uses source-like patterns that can appear in real logs
    - Rule IDs are separated from simulation profile in 110xxx range
  -->

  <rule id="110200" level="3">
    <description>SOC MVP production profile enabled</description>
    <group>soc_mvp_prod,baseline,</group>
  </rule>

  <!-- Appendix A1: DNS / Firewall IOC -->
  <rule id="110301" level="8">
    <decoded_as>soc-dns-ioc</decoded_as>
    <match>event_type=ioc_dns_traffic</match>
    <match>malicious.example</match>
    <description>A1 production: DNS query to malicious domain indicator</description>
    <group>soc_mvp_prod,appendix_a,a1,ioc,dns,</group>
  </rule>
  <rule id="110302" level="8">
    <decoded_as>soc-dns-ioc</decoded_as>
    <match>event_type=ioc_domain_match</match>
    <description>A1 production: DNS IOC domain match event</description>
    <group>soc_mvp_prod,appendix_a,a1,ioc,dns,</group>
  </rule>

  <!-- Appendix A2: FortiGate IPS/IDS & Firewall -->
  <rule id="110311" level="12">
    <match>vendor=fortinet</match>
    <match>dstport=3389</match>
    <match>action="accept"</match>
    <description>A2 production: FortiGate allowed RDP traffic detected</description>
    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
  </rule>
  <rule id="110312" level="12">
    <match>vendor=fortinet</match>
    <match>action="password-change"</match>
    <description>A2 production: FortiGate admin password change</description>
    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
  </rule>
  <rule id="110313" level="12">
    <match>vendor=fortinet</match>
    <match>action="create-admin"</match>
    <description>A2 production: FortiGate admin account creation</description>
    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
  </rule>
  <rule id="110314" level="12">
    <match>vendor=fortinet</match>
    <match>action="disable-email-notification"</match>
    <description>A2 production: FortiGate email notification disabled</description>
    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
  </rule>
  <rule id="110315" level="5">
    <match>vendor=fortinet</match>
    <match>action="download-config"</match>
    <description>A2 production: FortiGate configuration download</description>
    <group>soc_mvp_prod,appendix_a,a2,fortigate,</group>
  </rule>
  <rule id="110316" level="8">
    <match>vendor=fortinet</match>
    <match>subtype="ips"</match>
    <match>severity="critical"</match>
    <description>A2 production: FortiGate critical IPS alert</description>
    <group>soc_mvp_prod,appendix_a,a2,fortigate,ips,</group>
  </rule>
  <rule id="110317" level="5">
    <match>vendor=fortinet</match>
    <match>event_type=port_scan</match>
    <description>A2 production: FortiGate port scanning indicator</description>
    <group>soc_mvp_prod,appendix_a,a2,fortigate,recon,</group>
  </rule>
  <rule id="110318" level="8">
    <match>vendor=fortinet</match>
    <match>event_type=ioc_detection</match>
    <description>A2 production: FortiGate IOC detection event</description>
    <group>soc_mvp_prod,appendix_a,a2,fortigate,ioc,</group>
  </rule>
  <rule id="110320" level="8">
    <match>vendor=fortinet</match>
    <match>event_type=malicious_ip_communication</match>
    <description>A2 production: Communication to malicious IP detected</description>
    <group>soc_mvp_prod,appendix_a,a2,fortigate,ioc,</group>
  </rule>

  <!-- Appendix A3: FortiGate VPN -->
  <rule id="110331" level="12">
    <match>subtype="vpn"</match>
    <match>success=true</match>
    <match>guest</match>
    <description>A3 production: VPN success by guest account</description>
    <group>soc_mvp_prod,appendix_a,a3,vpn,</group>
  </rule>
  <rule id="110333" level="12">
    <match>subtype="vpn"</match>
    <match>event_type=vpn_bruteforce_success</match>
    <description>A3 production: VPN brute-force success indicator</description>
    <group>soc_mvp_prod,appendix_a,a3,vpn,</group>
  </rule>
  <rule id="110335" level="12">
    <match>subtype="vpn"</match>
    <match>success=true</match>
    <match>country=</match>
    <description>A3 production: VPN success with country context (geo-anomaly candidate)</description>
    <group>soc_mvp_prod,appendix_a,a3,vpn,geo,</group>
  </rule>

  <!-- Appendix A4: Windows / Active Directory -->
  <rule id="110341" level="8">
    <match>source=windows</match>
    <match>event_id=4625</match>
    <match>is_admin=true</match>
    <description>A4 production: Privileged account authentication failures</description>
    <group>soc_mvp_prod,appendix_a,a4,windows,auth_fail,</group>
  </rule>
  <rule id="110342" level="8">
    <match>source=windows</match>
    <match>event_id=4625</match>
    <match>is_service=true</match>
    <description>A4 production: Service account authentication failures</description>
    <group>soc_mvp_prod,appendix_a,a4,windows,auth_fail,</group>
  </rule>
  <rule id="110346" level="12">
    <match>source=windows</match>
    <match>event_id=4624</match>
    <match>src_ip=</match>
    <description>A4 production: Windows successful authentication with source IP context</description>
    <group>soc_mvp_prod,appendix_a,a4,windows,auth_success,</group>
  </rule>
  <rule id="110352" level="12">
    <match>source=windows</match>
    <match>event_id=4728</match>
    <match>target_group=</match>
    <description>A4 production: Account added to privileged group (domain scope)</description>
    <group>soc_mvp_prod,appendix_a,a4,windows,privilege,</group>
  </rule>
  <rule id="110353" level="12">
    <match>source=windows</match>
    <match>event_id=4732</match>
    <match>target_group=</match>
    <description>A4 production: Account added to privileged group (local scope)</description>
    <group>soc_mvp_prod,appendix_a,a4,windows,privilege,</group>
  </rule>

  <!-- Appendix B1: VMware -->
  <rule id="110401" level="12">
    <decoded_as>soc-vmware-auth</decoded_as>
    <match>event_type=vmware_</match>
    <match>_fail_success</match>
    <description>B1 production: vCenter login burst pattern</description>
    <group>soc_mvp_prod,appendix_b,b1,vmware,</group>
  </rule>
  <rule id="110402" level="8">
    <decoded_as>soc-vmware-auth</decoded_as>
    <match>event_type=vmware_esxi_enable_ssh</match>
    <description>B1 production: ESXi SSH enabled</description>
    <group>soc_mvp_prod,appendix_b,b1,vmware,</group>
  </rule>

  <!-- Appendix B2: Log monitoring -->
  <rule id="110411" level="5">
    <decoded_as>soc-log-monitor</decoded_as>
    <match>event_type=log_loss_detection</match>
    <match>missing_stream=</match>
    <description>B2 production: Log loss detection signal</description>
    <group>soc_mvp_prod,appendix_b,b2,logmonitor,</group>
  </rule>

  <!-- Appendix B3: Sysmon -->
  <rule id="110421" level="12">
    <decoded_as>soc-windows-sysmon</decoded_as>
    <match>target_process=lsass.exe</match>
    <description>B3 production: LSASS dump behavior</description>
    <group>soc_mvp_prod,appendix_b,b3,sysmon,credential_access,</group>
  </rule>
  <rule id="110426" level="8">
    <decoded_as>soc-windows-sysmon</decoded_as>
    <match>process=certutil.exe</match>
    <description>B3 production: CertUtil download pattern</description>
    <group>soc_mvp_prod,appendix_b,b3,sysmon,</group>
  </rule>

  <!-- Appendix C1-C3: future enhancement (production-prep heuristics) -->
  <rule id="110501" level="12">
    <match>event_type=c1_impossible_travel</match>
    <description>C1 production: Impossible travel correlated event</description>
    <group>soc_mvp_prod,appendix_c,c1,identity,</group>
  </rule>
  <rule id="110511" level="12">
    <match>event_type=c2_credential_abuse</match>
    <description>C2 production: Credential abuse correlated event</description>
    <group>soc_mvp_prod,appendix_c,c2,identity,</group>
  </rule>
  <rule id="110521" level="12">
    <match>event_type=c3_lateral_movement</match>
    <description>C3 production: Lateral movement correlated event</description>
    <group>soc_mvp_prod,appendix_c,c3,lateral_movement,</group>
  </rule>
</group>