Wazuh Rule Match Summary — SOC Proposal Appendices A / B / C
Query window: 2026-03-17 (today only)
Total events matched across all SOC custom rules: 286,931
Data source: OpenSearch index wazuh-alerts-* (filter: rule.groups: soc_prod*)
Appendix A — Threat Detection (FortiGate + Windows/AD)
A1 — DNS / Firewall IOC (file: soc-a1-ioc-rules.xml)
| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110301 | A1-01 | DNS query to malicious domain (IOC traffic indicator) | T1071.004 | 0 |
| 110302 | A1-02 | DNS IOC domain match from threat intelligence feed | T1568 | 0 |
A2 — FortiGate IPS/IDS & Firewall (file: soc-a2-fortigate-fw-rules.xml)
| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110311 | A2-01 | FortiGate: RDP (3389) traffic allowed | T1021.001 | 0 |
| 110312 | A2-02 | FortiGate: admin account password changed | T1098 | 0 |
| 110313 | A2-03 | FortiGate: new admin account created | T1136 | 0 |
| 110314 | A2-04 | FortiGate: alerting/notification disabled via config change | T1562 | 0 |
| 110315 | A2-05 | FortiGate: firewall configuration file downloaded | T1005 | 0 |
| 110316 | A2-06 | FortiGate IPS: multiple critical signatures triggered | T1595 | 0 |
| 110317 | A2-07 | FortiGate: TCP port scan from external IP | T1046 | 0 |
| 110318 | A2-08 | FortiGate IPS: IOC-based IP indicator detected | T1071.001 | 0 |
| 110319 | A2-09 | FortiGate: internal port scan from private source IP | T1046 | 0 |
| 110320 | A2-10 | FortiGate: traffic to known C2/malicious IP allowed | T1071.001 | 0 |
A3 — FortiGate VPN (file: soc-a3-fortigate-vpn-rules.xml)
| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110331 | A3-01 | VPN authentication success by guest account | T1078.001 | 0 |
| 110332 | A3-02 | VPN success from different country than last login | T1078 | 0 |
| 110333 | A3-03 | VPN success after multiple prior failures (brute-force indicator) | T1110.001 | 0 |
| 110334 | A3-04 | VPN multiple account failures from single source IP | T1110.003 | 0 |
| 110335 | A3-05 | VPN authentication success from outside Thailand | T1078 | 0 |
Note: A3 rules require FortiGate VPN syslogs (if_group=fortigate) with action=ssl-login-* events. No matching events today — VPN logs are not yet being forwarded to Wazuh.
A4 — Windows / Active Directory (file: soc-a4-windows-ad-rules.xml)
| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110341 | A4-01 | Windows: privileged account name auth failure (4625) | T1110.001 | 1 |
| 110342 | A4-02 | Windows: service account auth failure (4625) | T1110.001 | 46 |
| 110343 | A4-03 | Windows AD: adfind enumeration tool executed (4688) | T1087.002 | 0 |
| 110346 | A4-06 | Windows: remote interactive auth success logon type 10 (4624) | T1021.001, T1078 | 0 |
| 110348 | A4-08 | Windows: NTLM network logon type 3 — pass-the-hash indicator (4624) | T1550.002 | 0 |
| 110349 | A4-09 | Windows: guest account auth success (4624) | T1078.001 | 0 |
| 110350 | A4-10 | Windows: service account interactive logon type 2 (4624) | T1078.003 | 0 |
| 110352 | A4-12 | Windows: account added to privileged domain group (4728) | T1098.007 | 0 |
| 110353 | A4-11 | Windows: account added to privileged local group (4732) | T1098.007 | 0 |
| 110354 | A4-13 | Windows DC: DSRM account password set (4794) | T1098 | 285,769 ⚠️ |
| 110359 | A4-19 | Windows: authentication failure (4625) | T1110.003 | 55 |
| 110361 | A4-21/23 | Windows: new user account created (4720) | T1136 | 0 |
| 110362 | A4-22/24 | Windows: user account re-enabled (4722) | T1078 | 0 |
⚠️ Rule 110354 (DSRM password set / event 4794) accounts for 285,769 of all events today — 99.6% of total volume. Its parent rule is 60103, which fires on Windows Event ID 4794. The extremely high count warrants investigation: confirm whether these are genuine DSRM events or whether the parent SID 60103 is matching a broader event set than intended.
Note: A4-04, A4-05, A4-07, A4-14 through A4-18, A4-20 have no production rules implemented.
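A triage helper for the rule 110354 volume check above, added here as an example and not part of the report or the SOC rule set. It builds the OpenSearch aggregation that breaks one day's alerts for a rule down by Windows event ID and reporting agent, then reduces the response to the two questions in the note; `rule.id`, `timestamp`, `data.win.system.eventID` and `agent.name` are standard Wazuh alert fields, and the sample response is constructed.

```python
import json

INDEX = "wazuh-alerts-*"  # data source named in the report

def build_query(rule_id: str, day: str, size: int = 10) -> dict:
    """Zero-hit aggregation: alerts for one rule on one day, bucketed by
    Windows event ID, each bucket sub-divided by reporting agent."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"rule.id": rule_id}},
            {"range": {"timestamp": {"gte": day, "lt": f"{day}||+1d",
                                     "format": "yyyy-MM-dd"}}},
        ]}},
        "aggs": {"by_event_id": {
            "terms": {"field": "data.win.system.eventID", "size": size},
            "aggs": {"by_agent": {"terms": {"field": "agent.name", "size": size}}},
        }},
    }

def summarize(response: dict, expected_event_id: str = "4794") -> dict:
    """Answer the note's two questions: does the rule match event IDs other
    than the expected one, and which agents account for the volume."""
    buckets = response["aggregations"]["by_event_id"]["buckets"]
    counts = {b["key"]: b["doc_count"] for b in buckets}
    agents = {b["key"]: [(a["key"], a["doc_count"]) for a in b["by_agent"]["buckets"]]
              for b in buckets}
    unexpected = {k: v for k, v in counts.items() if k != expected_event_id}
    verdict = (f"parent rule matches event IDs other than {expected_event_id}"
               if unexpected else
               f"all matches are event {expected_event_id}; review agent concentration")
    return {"counts": counts, "agents": agents, "unexpected": unexpected, "verdict": verdict}

# Constructed sample response illustrating the over-broad parent match case (not real data).
SAMPLE_RESPONSE = {"aggregations": {"by_event_id": {"buckets": [
    {"key": "4794", "doc_count": 12,
     "by_agent": {"buckets": [{"key": "DC01", "doc_count": 12}]}},
    {"key": "4719", "doc_count": 285757,
     "by_agent": {"buckets": [{"key": "DC01", "doc_count": 285757}]}},
]}}}

if __name__ == "__main__":
    # Send the printed body with your usual client, e.g.
    # curl -u USER -H 'Content-Type: application/json' "https://HOST:9200/wazuh-alerts-*/_search" -d @body.json
    print(json.dumps(build_query("110354", "2026-03-17"), indent=2))
    print(summarize(SAMPLE_RESPONSE)["verdict"])
```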
Appendix B — Expanded Monitoring
B1 — VMware vCenter / ESXi (file: soc-b1-vmware-rules.xml)
| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110401 | B1-01 | vCenter: login failure detected (brute-force indicator) | T1110 | 0 |
| 110402 | B1-02 | ESXi: SSH service enabled on host | T1021.004 | 0 |
| 110403 | B1-03 | ESXi: SSH authentication event detected | T1021.004 | 0 |
Note: B1 rules require VMware syslog (if_group=vmware). No matching events — VMware logs are not yet forwarded.
B2 — Log Monitoring (file: soc-b2-logmon-rules.xml)
| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110411 | B2-01 | Log Monitor: log ingestion loss detected on monitored stream | T1562.006 | 0 |
B3 — Windows Sysmon (file: soc-b3-sysmon-rules.xml)
| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110421 | B3-01 | Sysmon: LSASS process access detected (event 10) | T1003.001 | 0 |
| 110422 | B3-02 | Sysmon: SQL keyword in process command line (event 1) | T1190 | 0 |
| 110423 | B3-03 | Sysmon: web script file created (possible webshell, event 11) | T1505.003 | 0 |
| 110424 | B3-04 | Sysmon: msiexec uninstall detected (event 1) | T1562.001 | 0 |
| 110425 | B3-05 | Sysmon: LSASS dump via Task Manager (event 10) | T1003.001 | 0 |
| 110426 | B3-06 | Sysmon: certutil.exe execution detected (event 1) | T1105 | 0 |
Note: B3 rules require Windows Sysmon agent deployed on endpoints. No matching events today.
Appendix C — Advanced Detection (Correlation)
C1 — Impossible Travel (file: soc-c1-c3-rules.xml)
| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110501 | C1-01 | VPN login success with geo context — impossible travel candidate | T1078 | 0 |
| 110502 | C1-01 | Impossible travel confirmed by soc-integrator correlation | T1078 | 0 |
C2 — Advanced Credential Abuse & Privilege Misuse (file: soc-c1-c3-rules.xml)
| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110511 | C2-01 | Privileged account auth success (4624) | T1078.002 | 0 |
| 110512 | C2-02 | Dormant/legacy account auth success (4624) | T1078 | 0 |
| 110513 | C2-03 | Service account remote interactive logon type 10 (4624) | T1078.003 | 0 |
| 110514 | C2-04 | Privilege escalation: group membership change (4732) | T1098.007 | 0 |
C3 — Lateral Movement & Internal Reconnaissance (file: soc-c1-c3-rules.xml)
| Rule ID | Use Case | Description | MITRE | Events |
|---|---|---|---|---|
| 110521 | C3-01/02 | RDP auth success logon type 10 (lateral movement indicator) | T1021.001, T1078 | 0 |
| 110522 | C3-02 | SMB network logon type 3 (lateral movement indicator) | T1021.002, T1078 | 0 |
| 110523 | C3-03 | Admin account auth success — lateral movement candidate (4624) | T1021.001, T1078.002 | 0 |
Summary
| Appendix | Section | Rules Implemented | Rules with Events | Total Events |
|---|---|---|---|---|
| A | A1 — DNS/IOC | 2 | 0 | 0 |
| A | A2 — FortiGate FW/IPS | 10 | 0 | 0 |
| A | A3 — FortiGate VPN | 5 | 0 | 0 |
| A | A4 — Windows/AD | 13 | 3 | 285,816 |
| B | B1 — VMware | 3 | 0 | 0 |
| B | B2 — Log Monitor | 1 | 0 | 0 |
| B | B3 — Sysmon | 6 | 0 | 0 |
| C | C1 — Impossible Travel | 2 | 0 | 0 |
| C | C2 — Credential Abuse | 4 | 0 | 0 |
| C | C3 — Lateral Movement | 3 | 0 | 0 |
| Total | | 49 | 3 | 286,931 |
Active log sources (today)
| Source | Appendix | Status |
|---|---|---|
| Windows Security Event Log (via Wazuh agent) | A4 | ✅ Active — auth failures (4625) and DSRM events (4794) ingesting |
| FortiGate firewall syslog | A2 | ❌ No events today (A1/A2 events were on earlier dates) |
| FortiGate VPN syslog | A3, C1 | ❌ Not forwarding |
| DNS / soc-mvp decoder | A1 | ❌ No events today |
| soc-integrator log-loss events | B2 | ❌ No events today |
| VMware vCenter/ESXi syslog | B1 | ❌ Not forwarding |
| Windows Sysmon (via Wazuh agent) | B3 | ❌ Not deployed |