Reference: Security Detection & Threat Intelligence Enhancement Proposal (Revised) Customer: บริษัท ฟู้ดโปรเจ็ค (สยาม) จำกัด (FoodProject) Updated: 2026-03-25
| Component | Status | Notes |
|---|---|---|
| Detection (Wazuh) | ✅ | Deployed, 55+ rules across A1–A4, B1–B3, C1–C3 |
| Automation / SOAR (Shuffle) | ✅ | Deployed, API-integrated, workflow execution via soc-integrator |
| Case Management (IRIS) | ✅ | Deployed (replaced proposal's DFIRTrack); API key stabilized |
| Escalation stub (PagerDuty) | ✅ | Stub implemented; production PagerDuty pending |
| Orchestration layer (soc-integrator) | ✅ | FastAPI service running, all major routes implemented |
Note: Proposal specified DFIRTrack; implementation uses IRIS Web (dfir-iris) — equivalent functionality.
| ID | Use Case | Status |
|---|---|---|
| A1-01 | DNS query to malicious domain (FortiGate DNS log) | ✅ |
| A1-02 | DNS IOC domain match from threat intelligence feed | ✅ |
| ID | Use Case | Status |
|---|---|---|
| A2-01 | RDP (3389) allowed through firewall | ✅ |
| A2-02 | Admin account password changed | ✅ |
| A2-03 | New admin account created | ✅ |
| A2-04 | Alerting / notification disabled | ✅ |
| A2-05 | Firewall config file downloaded | ✅ |
| A2-06 | Multiple critical/high IDS alerts | ✅ |
| A2-07 | Port scan from public IP | ✅ |
| A2-08 | IOC traffic match (FW netflow) | ✅ |
| A2-09 | Port scan from private IP | ✅ |
| A2-10 | Communication to malicious IP | ✅ |
Fix applied (2026-03): the OR-trap bug in the A2/A3 multi-match rules (conditions that were meant to be ANDed were effectively ORed, so a rule fired when only one condition held) was fixed by replacing the multiple match conditions with a single `<regex>` that uses lookaheads, so every condition must match.
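To make the OR-trap and its fix concrete, the following is an added example (not the project's own rules) that runs both pattern styles over constructed FortiGate-style traffic lines modelled on A2-01 (RDP allowed through the firewall). The field names and log lines are illustrative.

```python
import re

# Constructed FortiGate-style traffic log lines (not from the customer's environment).
LOGS = [
    "date=2026-03-25 srcip=203.0.113.5 dstip=10.0.0.20 dstport=3389 action=accept",  # RDP allowed
    "date=2026-03-25 srcip=203.0.113.5 dstip=10.0.0.20 dstport=443 action=accept",   # HTTPS allowed
    "date=2026-03-25 srcip=203.0.113.5 dstip=10.0.0.20 dstport=3389 action=deny",    # RDP blocked
    "date=2026-03-25 action=accept srcip=203.0.113.5 dstip=10.0.0.20 dstport=3389",  # fields reordered
]

# OR-trap: '|' binds looser than concatenation, so this reads as
# "dstport=3389" OR "action=accept" and fires on every accepted session.
OR_TRAP = re.compile(r"dstport=3389|action=accept")

# Fix: two anchored lookaheads. Each (?=.*X) asserts that X occurs somewhere in the
# line without consuming input, so both conditions must hold, in any field order.
LOOKAHEAD = re.compile(r"^(?=.*\bdstport=3389\b)(?=.*\baction=accept\b)")


def matches(pattern, lines):
    """True/False per line for the given compiled pattern."""
    return [pattern.search(line) is not None for line in lines]


if __name__ == "__main__":
    for name, pat in (("OR-trap", OR_TRAP), ("lookahead", LOOKAHEAD)):
        print(name, matches(pat, LOGS))
```

Only the first and fourth lines are true RDP-allowed events, and only the lookahead pattern isolates them. Two caveats for Wazuh: the default OS_Regex engine has no lookahead support, so the lookahead form needs the PCRE2 regex type (`type="pcre2"`); and where the decoder already extracts `dstport` and `action`, two `<field>` conditions on the decoded values are simpler and cheaper than a lookahead regex over the raw log, because Wazuh ANDs multiple `<field>` elements.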
| ID | Use Case | Status |
|---|---|---|
| A3-01 | VPN success from guest account | ✅ |
| A3-02 | VPN success from different country than last login | ✅ |
| A3-03 | VPN success after multiple prior failures (brute-force) | ✅ |
| A3-04 | VPN multiple auth failures (many accounts, 1 source) | ✅ |
| A3-05 | VPN tunnel connected from outside Thailand | ✅ |
| ID | Use Cases | Status |
|---|---|---|
| A4-01–A4-19 | Privileged/service/guest account failures and successes, Pass-the-Hash, account enumeration, group membership changes, DSRM reset, password spray, interactive logon by service accounts | ✅ All 16 implemented |
| ID | Use Case | Status |
|---|---|---|
| B1-01 | vCenter login failure (brute-force indicator) | ✅ |
| B1-02 | ESXi SSH enabled on host | ✅ |
| B1-03 | ESXi SSH authentication events | ✅ |
| ID | Use Case | Status |
|---|---|---|
| B2-01 | Log ingestion loss detected | ✅ |
| ID | Use Case | Status |
|---|---|---|
| B3-01 | LSASS process access (Sysmon event 10, ProcessAccess) | ✅ |
| B3-02 | SQL keyword in process command line | ✅ |
| B3-03 | Webshell file creation (Sysmon event 11, FileCreate) | ✅ |
| B3-04 | msiexec uninstall | ✅ |
| B3-05 | LSASS dump via Task Manager | ✅ |
| B3-06 | CertUtil download (Sysmon event 1, ProcessCreate) | ✅ |
| ID | Use Case | Status |
|---|---|---|
| C1-01 | Impossible Travel Detection (VPN/AD/Cloud) | ✅ Implemented in soc-integrator |
| C2-01 | Privileged account off-hours usage | ✅ |
| C2-02 | Dormant account activation | ✅ |
| C2-03 | Service account interactive logon | ✅ |
| C2-04 | Rapid privilege escalation → sensitive access | ✅ |
| C3-01 | Multi-host auth success (lateral movement) | ✅ |
| C3-02 | SMB/RDP access burst by source IP | ✅ |
| C3-04 | Internal scanning / enumeration burst | ✅ |
| C4 | Ransomware early warning indicators | ❌ Not started |
| C5 | Endpoint & server behavior anomalies | ❌ Not started |
| C6 | Cloud / SaaS security monitoring | ❌ Not started |
| C7 | SOC & operational maturity monitoring | ❌ Not started |
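C1-01 (impossible travel) and A3-02 (VPN success from a different country than the last login) both reduce to comparing the geolocation of consecutive logins by one user. The block below is an added example of that logic, not the soc-integrator's own implementation: the GeoIP table, login events and thresholds are constructed for illustration, and the table stands in for whatever `adapters/geoip.py` returns.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime   # timezone-aware; VPN/AD/cloud sources must be normalised to UTC before comparison
    src_ip: str


# Constructed GeoIP table standing in for a MaxMind-style lookup (hypothetical; not adapters/geoip.py).
GEOIP = {
    "203.0.113.10": ("TH", 13.7563, 100.5018),  # Bangkok
    "198.51.100.7": ("DE", 52.5200, 13.4050),   # Berlin
    "192.0.2.44": ("TH", 18.7883, 98.9853),     # Chiang Mai
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points given in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=500.0):
    """Flag consecutive logins by the same user whose implied speed exceeds max_speed_kmh.

    min_distance_km suppresses GeoIP jitter (two IPs geolocated a few km apart are not travel).
    Logins whose source IP has no geolocation are skipped rather than treated as travel.
    """
    alerts = []
    last_seen = {}  # user -> (Login, (country, lat, lon))
    for ev in sorted(logins, key=lambda e: e.ts):
        geo = GEOIP.get(ev.src_ip)
        if geo is None:
            continue
        prev = last_seen.get(ev.user)
        if prev is not None:
            prev_ev, (prev_cc, prev_lat, prev_lon) = prev
            dist = haversine_km(prev_lat, prev_lon, geo[1], geo[2])
            hours = (ev.ts - prev_ev.ts).total_seconds() / 3600.0
            if dist >= min_distance_km:
                # Same timestamp with a large distance is treated as infinite speed.
                speed = float("inf") if hours <= 0 else dist / hours
                if speed > max_speed_kmh:
                    alerts.append({
                        "user": ev.user,
                        "from_country": prev_cc, "to_country": geo[0],
                        "from_ip": prev_ev.src_ip, "to_ip": ev.src_ip,
                        "distance_km": round(dist, 1),
                        "elapsed_hours": round(hours, 2),
                        "speed_kmh": round(speed, 1),
                    })
        last_seen[ev.user] = (ev, geo)
    return alerts


def _utc(h, m):
    return datetime(2026, 3, 25, h, m, tzinfo=timezone.utc)


# Constructed login events (not real customer data).
SAMPLE_LOGINS = [
    Login("alice", _utc(8, 0), "203.0.113.10"),   # Bangkok
    Login("alice", _utc(9, 0), "198.51.100.7"),   # Berlin one hour later: ~8600 km/h, impossible
    Login("bob", _utc(8, 0), "203.0.113.10"),     # Bangkok
    Login("bob", _utc(11, 0), "192.0.2.44"),      # Chiang Mai three hours later: ~190 km/h, plausible
    Login("carol", _utc(9, 30), "203.0.113.10"),  # Bangkok
    Login("carol", _utc(9, 50), "192.0.2.44"),    # Chiang Mai 20 minutes later: ~1750 km/h, impossible
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

The 900 km/h ceiling is roughly airliner ground speed; `carol` shows why a country-change check alone (A3-02) is not enough, since both of her logins are from Thailand. The exception governance item listed under remaining work (known VPN egress points, approved travel) belongs as an allowlist evaluated before this function, not as a loosened speed threshold.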
| Capability | Status | Notes |
|---|---|---|
| IOC feed ingestion (VirusTotal) | ✅ | adapters/virustotal.py |
| IOC feed ingestion (AbuseIPDB) | ✅ | adapters/abuseipdb.py |
| IOC CDB list management | ✅ | Wazuh CDB lists: malicious-ip, malicious-domains, malware-hashes |
| Automated IOC list refresh | ✅ | _ioc_refresh_loop() in soc-integrator; /ioc-lists/refresh API |
| IOC match via Wazuh CDB rules | ✅ | soc-ioc-cdb-rules.xml (3 rules) |
| IOC enrichment API | ✅ | /ioc/enrich, /ioc/evaluate, /ioc/history |
| IOC file upload & batch analysis | ✅ | /ioc/upload, /ioc/evaluate-file |
| IOC trace persistence (Postgres) | ✅ | ioc_trace table in mvp_repo |
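The feed-to-CDB step (VirusTotal/AbuseIPDB results becoming the `malicious-ip` Wazuh CDB list) is where a careless refresh does the most damage: one RFC 1918 address in the list makes the CDB rule fire on internal traffic. The block below is an added example of that step, not the soc-integrator's `_ioc_refresh_loop()`; the `IocHit` record is an assumed normalised form of the adapters' output, and the hits are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from pathlib import Path


@dataclass(frozen=True)
class IocHit:
    ip: str
    source: str       # e.g. "abuseipdb" / "virustotal"; assumed normalised form of the adapters' output
    confidence: int   # 0-100, assumed normalised across feeds


# Never list these: a CDB hit on the customer's own address space would alert on all internal traffic.
# The RFC 5737 documentation ranges used in the sample (192.0.2/24, 203.0.113/24) are deliberately
# not excluded here; in production also reject any address for which `not ip.is_global`.
NON_ROUTABLE = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def is_listable(ip_text):
    """True for a syntactically valid, routable IPv4 address."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    if not isinstance(ip, IPv4Address):
        return False  # IPv6 keys contain the CDB key/value separator ':' and are out of scope here
    return not any(ip in net for net in NON_ROUTABLE)


def build_cdb_entries(hits, min_confidence=90):
    """Return sorted 'key:value' lines for a Wazuh CDB list: one line per IP, highest-confidence hit wins."""
    best = {}
    for h in hits:
        if h.confidence < min_confidence or not is_listable(h.ip):
            continue
        if h.ip not in best or h.confidence > best[h.ip].confidence:
            best[h.ip] = h
    ordered = sorted(best.items(), key=lambda kv: int(ip_address(kv[0])))
    return [f"{ip}:{h.source},conf={h.confidence}" for ip, h in ordered]


def write_cdb_list(path, entries):
    """Write via a temp file and rename, so a reader never sees a half-written list."""
    target = Path(path)
    tmp = target.with_name(target.name + ".tmp")
    tmp.write_text("".join(e + "\n" for e in entries), encoding="ascii")
    tmp.replace(target)
    return len(entries)


# Constructed feed results (not real IOC data).
SAMPLE_HITS = [
    IocHit("203.0.113.5", "abuseipdb", 100),
    IocHit("203.0.113.5", "virustotal", 90),   # duplicate IP, lower confidence: merged away
    IocHit("192.0.2.44", "abuseipdb", 95),
    IocHit("198.51.100.7", "abuseipdb", 40),   # below threshold
    IocHit("10.0.0.5", "abuseipdb", 100),      # RFC 1918: must never be listed
    IocHit("2001:db8::1", "virustotal", 100),  # IPv6: skipped in this example
    IocHit("not-an-ip", "virustotal", 100),    # malformed feed record
]

if __name__ == "__main__":
    for line in build_cdb_entries(SAMPLE_HITS):
        print(line)
```

The output is the plain-text `key:value` form Wazuh expects for a list registered under `<ruleset><list>` in ossec.conf; the manager compiles it into the binary .cdb form it actually searches, so a refresh only takes effect once that compile has run. A rule then tests a decoded address with `<list field="dstip" lookup="address_match_key">etc/lists/malicious-ip</list>`; the project's own `soc-ioc-cdb-rules.xml` is not reproduced here, so its rule IDs and fields are not shown.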
| Integration | Status | Notes |
|---|---|---|
| Wazuh → soc-integrator ingest | ✅ | /ingest/wazuh-alert, /wazuh/sync-to-mvp |
| Wazuh → IRIS alert sync (with severity filter) | ✅ | Auto-sync loop; configurable severity threshold |
| soc-integrator → IRIS case/ticket creation | ✅ | /iris/tickets, /iris/cases |
| soc-integrator → Shuffle workflow execution | ✅ | /shuffle/workflows/{id}/execute |
| soc-integrator → PagerDuty escalation | ✅ (stub) | /action/create-incident; real PD integration pending |
| GeoIP enrichment | ✅ | adapters/geoip.py, /geoip/{ip} API |
| Log loss monitoring | ✅ | /monitor/log-loss/check, auto-monitoring loop |
| Feature | Status | Notes |
|---|---|---|
| IRIS KPI dashboard (alerts tab) | ✅ | /kpi-dashboard with pagination, sorting, filters |
| IRIS KPI dashboard (cases tab) | ✅ | Clickable rows → /case?cid=<id> |
| SOC Integrator web UI | ✅ | Monitoring, sim controls, GeoIP, IOC tab |
| Wazuh dashboard import automation | ✅ | scripts/import-wazuh-dashboard.sh |
| ICT/UTC dual clock in IRIS navbar | ✅ | ict-clock.js widget, shows Asia/Bangkok alongside UTC |
| Item | Status | Notes |
|---|---|---|
| Timezone (ICT/UTC+7) on all services | ✅ | Set across Wazuh, IRIS, Shuffle, soc-integrator, PagerDuty stub |
| IRIS admin API key (static, no rotation) | ✅ | IRIS_ADM_API_KEY set in iris-web/.env; documented in runbook |
| soc-integrator .env in sync | ✅ | IRIS_API_KEY matches DB value |
| Git: runtime IOC lists untracked | ✅ | Added to .gitignore; removed from git index |
| Ops runbook for IRIS API key | ✅ | docs/ops-runbook-iris-api-key.md |
| Wazuh decoder/rule documentation | ✅ | docs/wazuh-decoders-rules.md |
| Item | Priority | Notes |
|---|---|---|
| Production false-positive tuning on real traffic | High | Lab tuning done; production thresholds need real log baseline |
| PagerDuty stub → production PagerDuty | High | Requires production PD account and API key |
| Exception governance for VPN geo-anomaly | Medium | Policy framework exists; enterprise allowlist not finalized |
| C4–C7 use cases | Low | Future scope; not in original contract |
| Frontend CDN dependency hardening | Low | Some IRIS UI pages still reference external CDN scripts |
| Area | Coverage |
|---|---|
| Appendix A (initial scope — 33 use cases) | 100% rules implemented |
| Appendix B (optional add-on — 10 use cases) | 100% rules implemented |
| Appendix C (future — 8 use cases shown) | C1–C3 (8 sub-use-cases): done; C4–C7: pending |
| Core integrations (Wazuh/IRIS/Shuffle/PD) | Fully integrated (PD as stub) |
| IOC pipeline | Fully implemented |
| Production hardening | Pending (tuning, governance, PD) |
All deliverables from the initial contract scope (Sections 3–5 and Appendix A) are implemented and testable. Appendix B optional use cases are also implemented ahead of schedule. The primary remaining work is production hardening, real-traffic tuning, and PagerDuty go-live.