Security Detection & Threat Intelligence Enhancement Proposal-2.md 18KB
Security Detection & Threat Intelligence Enhancement Proposal
Security Architecture Overview
About Simplico Co., Ltd.
Simplico Co., Ltd. is a technology consulting and system integration company specializing in custom security, data, and automation solutions for enterprise and industrial environments.
We focus on designing and implementing practical, production-ready systems rather than generic or vendor-locked platforms. Our expertise covers security monitoring, SOC/MDR architecture, automation (SOAR), system integration, and long-term operational support.
We also have experience in developing mobile applications, e‑commerce platforms, large‑scale web applications, and factory automation systems.
More information about our company and services is available at: https://simplico.net/
1. Executive Summary
This proposal is prepared for บริษัท ฟู้ดโปรเจ็ค (สยาม) จำกัด (FoodProject) and delivers advanced security detection use cases, continuously updated threat‑intelligence IOC detection, and VPN authentication anomaly monitoring using a modular, open, and extensible security architecture.
The solution avoids monolithic or vendor‑locked SOC platforms and instead uses best‑of‑breed components, each responsible for a specific role: detection, automation, investigation, and escalation.
Key Outcomes
- Improved visibility into malicious network activity and credential misuse
- Faster detection, investigation, and escalation of high‑risk security events
- Reduced operational risk through continuously updated threat intelligence
2. Selected Architecture
This architecture is designed to directly support the detection, automation, investigation, and escalation use cases described in Section 3 by ensuring each security function is handled by a dedicated, purpose-built component.
| Layer | Technology | Purpose |
|---|---|---|
| Detection | Wazuh | Log analysis, correlation, alerting |
| Automation / SOAR | Shuffle | IOC matching, enrichment, response logic |
| Case Management | DFIRTrack | Incident tracking, evidence, investigation timeline |
| Escalation | PagerDuty | On‑call alerting & SLA enforcement |
Why This Architecture
- Open and extensible (no vendor lock‑in)
- Designed for real SOC / MDR workflows
- Clear separation of responsibility
- Easy to maintain and scale
flowchart LR
A["Firewall / DNS / IDS / VPN Logs"] --> B["Wazuh
Detection & Correlation"]
B --> C["Shuffle
Automation & SOAR"]
C --> D["DFIRTrack
Incident Tracking"]
C --> E["PagerDuty
On-call Escalation"]
C -->|"IOC Match / Enrichment"| D
C -->|"SEV-1 / SEV-2"| E
3. Scope of Work
The scope of work is organized into three primary workstreams: (1) creation and tuning of detection rules tailored to the customer environment, (2) implementation of continuously updated threat‑intelligence IOC detection across network traffic, and (3) monitoring of VPN authentication anomalies based on geographic location. Together, these workstreams ensure comprehensive visibility, timely detection, and actionable response to security threats.
3.1 Create & Tune New Detection Rules / Use Cases
Activities
- Review firewall, DNS, IDS/IPS, VPN, and Windows log formats
- Onboard logs into Wazuh with proper parsing and normalization
- Implement the agreed detection use cases (see Appendix A: Use Case List)
- Tune thresholds, severities, and allowlists
- Reduce false positives using real traffic patterns
Output
- Stable, environment-specific detection rules
- Severity-aligned alerts suitable for automation and escalation
3.2 Threat Intelligence IOC Detection (DNS / Firewall / IDS-IPS)
Covered Use Cases
DNS Network Traffic
- Communication to malicious domain or IP
- Malicious domain / IP IOC detection
IDS / IPS Network Traffic
- Communication to malicious domain or IP
- IOC-based detection from IDS / IPS alerts
Technical Implementation
- IOC feed integration (domain & IP)
- Automated, scheduled IOC updates
- IOC matching and enrichment via automation workflows
- Incident creation and evidence tracking
- Escalation for high-severity matches
Outcome
- Continuously updated IOC detection
- Clear evidence trail for audit and investigation
3.3 VPN Authentication Success from Outside Thailand
Detection Logic
- Monitor VPN authentication success events
- Perform GeoIP lookup on source IP
- Detect successful logins originating outside Thailand
Enhancements
- Exception list for approved overseas users
- Risk scoring for admin accounts, first-time country access, and off-hours login
Response
- Incident creation and tracking
- On-call escalation for high-risk events
3.2 Threat Intelligence IOC Detection (DNS / Firewall / IDS‑IPS)
Covered Use Cases
DNS Network Traffic
- Communication to malicious domain or IP
- Malicious domain / IP IOC detection
IDS / IPS Network Traffic
- Communication to malicious domain or IP
- IOC‑based detection from IDS / IPS alerts
Technical Implementation
- IOC feed integration (domain & IP)
- Automated, scheduled IOC updates
- IOC matching and enrichment via automation workflows
- Incident creation and evidence tracking
- Escalation for high‑severity matches
Outcome
- Continuously updated IOC detection
- Clear evidence trail for audit and investigation
3.3 VPN Authentication Success from Outside Thailand
Detection Logic
- Monitor VPN authentication success events
- Perform GeoIP lookup on source IP
- Detect successful logins originating outside Thailand
Enhancements
- Exception list for approved overseas users
- Risk scoring for admin accounts, first‑time country access, and off‑hours login
Response
- Incident creation and tracking
- On‑call escalation for high‑risk events
4. End‑to‑End Workflow
- Firewall / DNS / IDS / VPN logs are collected
- Detection rules evaluate events
- Automation workflows enrich and classify alerts
- Incidents are tracked with evidence and timeline
- High‑severity events trigger on‑call escalation
4.1 Integration Deliverables
The implementation includes full integration with the automation and case management layers to ensure alerts are actionable and traceable:
- Integration with Shuffle for automated enrichment, IOC matching, and response workflows
- Integration with DFIRTrack for incident creation, evidence collection, and investigation timeline management
5. Deliverables
- Custom detection rules and tuning
- IOC detection workflows (DNS and IDS / IPS)
- Automated IOC update pipeline
- VPN geo‑anomaly detection
- Incident templates and investigation workflow
- Escalation logic
- Documentation and handover
6. Timeline
The timeline below includes all activities required for full integration across detection, automation, case management, and escalation layers, including Shuffle and DFIRTrack.
| Phase | Duration |
|---|---|
| Log onboarding & review | 1 week |
| Rule creation & tuning | 1–2 weeks |
| IOC pipeline & detection | 1–2 weeks |
| VPN geo-anomaly use case | 3–5 days |
| Integration & end-to-end testing (Shuffle / DFIRTrack / PagerDuty) | 1 week |
Total estimated duration: 5–6 weeks
7. Pricing
Payment Terms
- 50% of the total project value is payable upon project commencement.
- The remaining 50% is payable upon project completion and acceptance, as defined in this proposal.
Project completion and acceptance are defined by the successful implementation of the agreed detection use cases, verified end-to-end workflows, and delivery of documentation as outlined in the Scope of Work and Deliverables sections.
Project completion and acceptance are defined by the successful implementation of the agreed detection use cases, verified end-to-end workflows, and delivery of documentation as outlined in the Scope of Work and Deliverables sections.
One‑Time Implementation
| Item | Cost (THB) |
|---|---|
| Security use‑case implementation | 320,000 |
Note: The above price includes full integration with the automation, case management, and escalation layers (Shuffle, DFIRTrack, and PagerDuty), including workflow configuration, API integration, and end‑to‑end testing.
VAT Disclaimer: All prices stated in this proposal are exclusive of 7% Value Added Tax (VAT), which will be charged separately in accordance with Thai tax regulations. |
Short Free Tuning Period
As part of this engagement, a short free tuning period is included after initial deployment to ensure detection rules and thresholds are well aligned with the production environment.
- Duration: 30 calendar days after go-live
- Delivery mode: Online / remote support only
- Scope: fine-tuning of existing rules, threshold adjustments, and false-positive reduction
- Excludes: new use-case development, new log sources, on-site support, or major logic changes
This tuning period helps stabilize the system and maximize detection quality without additional cost.
Complimentary Security Consultation
In addition to the implementation, a complimentary security consultation is included to support knowledge transfer and strategic alignment.
- Duration: 30 calendar days (remote only)
- Scope: architecture review, use-case clarification, and operational guidance
- Purpose: help internal teams better understand the system and plan future improvements
This consultation is advisory in nature and does not include additional implementation or configuration work.
Optional Ongoing Support
| Service | Cost (THB / month) |
|---|---|
| IOC feed maintenance & updates | 20,000 – 40,000 |
| Rule tuning & false‑positive reduction | Included |
8. Assumptions, Exclusions & Out-of-Scope
Assumptions
- Log sources are accessible and stable
- Required access is provided during implementation
- Log formats do not change significantly during the project timeline
Exclusions
- 24/7 SOC monitoring
- Incident response execution or forensic investigation
- Advanced UEBA or machine-learning analytics
Out-of-Scope (Unless Quoted Separately)
The following items are not included in this proposal and will require a separate quotation if requested:
- Major changes to log formats, vendors, or network architecture after project kickoff
- Onboarding of additional log sources beyond firewall, DNS, IDS/IPS, and VPN
- Development of custom dashboards beyond standard operational views
- Unlimited rule changes or ongoing rule development beyond the initial tuning period
- Integration with additional third-party systems not listed in this proposal
- Emergency or after-hours support outside agreed working hours
- Compliance certification, audit execution, or regulatory reporting
9. Value to Customer
- Practical, actionable security detection
- Continuously updated threat intelligence
- Reduced alert noise
- Clear investigation and audit trail
- Scalable foundation for future MDR services
10. Closing
This implementation provides enterprise-grade detection and response capability using open, well-architected components—without vendor lock-in or unnecessary complexity.
Appendix A: Use Case List (Initial Implementation Scope)
The following use cases will be implemented and tuned as part of the initial project scope. Final severity and thresholds will be confirmed during log review and tuning.
A1. DNS / Firewall (IOC)
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| DNS | Firewall/DNS logs | DNS Network Traffic – Communicate to Malicious Domain | Medium |
| DNS | Firewall/DNS logs | DNS Network Traffic – Malicious Domain IOCs Detection | Medium |
A2. FortiGate IPS/IDS & Firewall
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| IPS | FortiGate | IPS&IDS Network Traffic – Allowed RDP from Public IPs | High |
| IPS | FortiGate | IPS&IDS Firewall Account – Admin Password Change | High |
| IPS | FortiGate | IPS&IDS Firewall Account – Create/Add Admin Account | High |
| IPS | FortiGate | IPS&IDS Firewall Configure – Disabled Email Notification | High |
| IPS | FortiGate | IPS&IDS Firewall Configure – Download Configure FW | Low |
| IPS | FortiGate | IPS&IDS IDS Alert – Multiple Critical/High | Medium |
| IPS | FortiGate | IPS&IDS Network Traffic – Port Scanning | Low |
| IPS | FortiGate | IPS&IDS Network Traffic – IOC Detection | Medium |
| IPS | FortiGate | IPS&IDS Network Traffic – Port Scanning from Private IP | Medium |
| IPS | FortiGate | IPS&IDS Network Traffic – Communicate to Malicious IP | Medium |
A3. FortiGate VPN
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| VPN | FortiGate | VPN – Authentication Success from Guest Account | High |
| VPN | FortiGate | VPN – Authentication Success from Multiple Country | High |
| VPN | FortiGate | VPN – Authentication Brute Force Success | High |
| VPN | FortiGate | VPN – Authentication Multiple Fail (Many Accounts from 1 Source) | Low |
| VPN | FortiGate | VPN – Authentication Success from Outside Thailand | High |
A4. Windows / Active Directory
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail from Privileged Account | Medium |
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail from Service Account | Medium |
| Windows | Windows AD Logs | Windows AD – Enumeration with Malicious Tools | Medium |
| Windows | Windows Security Logs | Windows Authentication – Fail from Public IPs | Medium |
| Windows | Windows Security Logs | Windows File Share – Enumeration to Single Destination | Medium |
| Windows | Windows Security Logs | Windows Authentication – Success from Public IPs | High |
| Windows | Windows Security Logs | Windows Authentication – Privileged Account Impersonation | High |
| Windows | Windows Security Logs | Windows Authentication – Successful Pass the Hash RDP | High |
| Windows | Windows Security Logs | Windows Authentication – Success from Guest Account | High |
| Windows | Windows Security Logs | Windows Authentication – Interactive Logon Success by Service Account | High |
| Windows | Windows Security Logs | Windows Account – Added to Privileged Custom Group | High |
| Windows | Windows Security Logs | Windows Account – Added to Privileged Group | High |
| Windows | Windows Domain Configure | Windows Domain Configure – DSRM Password Reset | High |
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail (1 Account from Many Sources) | Low |
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail (Many Accounts from 1 Source) | Low |
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail from Guest Account | Low |
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail (1 Account from 1 Source) | Low |
| Windows | Windows Security Logs | Windows Authentication – Multiple Interactive Logon Denied | Low |
| Windows | Windows Security Logs | Windows Authentication – Password Spray | Low |
| Windows | Windows Security Logs | Windows Authentication – Attempt from Disabled Account | Low |
| Windows | Windows Security Logs | Windows Domain Account – Created | Low |
| Windows | Windows Security Logs | Windows Local Account – Re-Enabled | Low |
| Windows | Windows Security Logs | Windows Local Account – Created | Low |
| Windows | Windows Security Logs | Windows Domain Account – Re-Enabled | Low |
Notes
- IOC-based detections require an IOC feed and update schedule. IOC matching and enrichment will be implemented via the automation layer.
- Geo-based VPN detections require GeoIP enrichment and an exception list for approved overseas users.