tum
/
soc


			
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667
							<!--
  SOC Proposal Rules — Appendix A3: FortiGate VPN
  Simulation profile rule IDs : 100331-100335
  Production profile rule IDs : 110331-110335

  Severity mapping:
    High → level 12
    Low  → level 5
-->
<group name="soc_mvp,appendix_a,a3,vpn,fortigate,">

  <!-- ── Simulation profile ── -->


  <!-- ── Production profile (if_group=fortigate) ── -->

  <rule id="110331" level="12">
    <if_group>fortigate</if_group>
    <match>action="ssl-login-success"</match>
    <match>user="guest"</match>
    <description>A3-01 [PROD] VPN authentication success by guest account</description>
    <group>soc_prod,a3,vpn_guest,</group>
    <mitre><id>T1078.001</id></mitre>
  </rule>

  <rule id="110332" level="12">
    <if_group>fortigate</if_group>
    <match>action="ssl-login-success"</match>
    <match>previous_country=</match>
    <description>A3-02 [PROD] VPN success from different country than last login</description>
    <group>soc_prod,a3,vpn_geo,</group>
    <mitre><id>T1078</id></mitre>
  </rule>

  <rule id="110333" level="12">
    <if_group>fortigate</if_group>
    <match>action="ssl-login-success"</match>
    <match>failed_attempts_before_success=</match>
    <description>A3-03 [PROD] VPN success after multiple prior failures (brute-force indicator)</description>
    <group>soc_prod,a3,vpn_bruteforce,</group>
    <mitre><id>T1110.001</id></mitre>
  </rule>

  <rule id="110334" level="5">
    <if_group>fortigate</if_group>
    <match>action="ssl-login-fail"</match>
    <match>failed_accounts=</match>
    <description>A3-04 [PROD] VPN multiple account failures from single source IP</description>
    <group>soc_prod,a3,vpn_bruteforce,</group>
    <mitre><id>T1110.003</id></mitre>
  </rule>

  <rule id="110335" level="12">
    <if_group>fortigate</if_group>
    <match>action="ssl-login-success"</match>
    <match>expected_country=TH</match>
    <description>A3-05 [PROD] VPN authentication success from outside Thailand</description>
    <group>soc_prod,a3,vpn_geo,</group>
    <mitre><id>T1078</id></mitre>
  </rule>

</group>