Security Detection & Threat Intelligence Enhancement Proposal-revise.md 24KB
Security Detection & Threat Intelligence Enhancement Proposal
Security Architecture Overview
About Simplico Co., Ltd.
Simplico Co., Ltd. is a technology consulting and system integration company specializing in custom security, data, and automation solutions for enterprise and industrial environments.
We focus on designing and implementing practical, production-ready systems rather than generic or vendor-locked platforms. Our expertise covers security monitoring, SOC/MDR architecture, automation (SOAR), system integration, and long-term operational support.
We also have experience in developing mobile applications, e‑commerce platforms, large‑scale web applications, and factory automation systems.
More information about our company and services is available at: https://simplico.net/
1. Executive Summary
This proposal is prepared for บริษัท ฟู้ดโปรเจ็ค (สยาม) จำกัด (FoodProject) and delivers advanced security detection use cases, continuously updated threat‑intelligence IOC detection, and VPN authentication anomaly monitoring using a modular, open, and extensible security architecture.
The solution avoids monolithic or vendor‑locked SOC platforms and instead uses best‑of‑breed components, each responsible for a specific role: detection, automation, investigation, and escalation.
Key Outcomes
- Improved visibility into malicious network activity and credential misuse
- Faster detection, investigation, and escalation of high‑risk security events
- Reduced operational risk through continuously updated threat intelligence
2. Selected Architecture
This architecture is designed to directly support the detection, automation, investigation, and escalation use cases described in Section 3 by ensuring each security function is handled by a dedicated, purpose-built component.
| Layer | Technology | Purpose |
|---|---|---|
| Detection | Wazuh | Log analysis, correlation, alerting |
| Automation / SOAR | Shuffle | IOC matching, enrichment, response logic |
| Case Management | DFIRTrack | Incident tracking, evidence, investigation timeline |
| Escalation | PagerDuty | On‑call alerting & SLA enforcement |
Why This Architecture
- Open and extensible (no vendor lock‑in)
- Designed for real SOC / MDR workflows
- Clear separation of responsibility
- Easy to maintain and scale
flowchart LR
A["Firewall / DNS / IDS / VPN Logs"] --> B["Wazuh
Detection & Correlation"]
B --> C["Shuffle
Automation & SOAR"]
C --> D["DFIRTrack
Incident Tracking"]
C --> E["PagerDuty
On-call Escalation"]
C -->|"IOC Match / Enrichment"| D
C -->|"SEV-1 / SEV-2"| E
3. Scope of Work
The scope of work is organized into three primary workstreams: (1) creation and tuning of detection rules tailored to the customer environment, (2) implementation of continuously updated threat‑intelligence IOC detection across network traffic, and (3) monitoring of VPN authentication anomalies based on geographic location. Together, these workstreams ensure comprehensive visibility, timely detection, and actionable response to security threats.
3.1 Create & Tune New Detection Rules / Use Cases
Activities
- Review firewall, DNS, IDS/IPS, VPN, and Windows log formats
- Onboard logs into Wazuh with proper parsing and normalization
- Implement the agreed detection use cases (see Appendix A: Use Case List)
- Tune thresholds, severities, and allowlists
- Reduce false positives using real traffic patterns
Output
- Stable, environment-specific detection rules
- Severity-aligned alerts suitable for automation and escalation
3.2 Threat Intelligence IOC Detection (DNS / Firewall / IDS-IPS)
Covered Use Cases
DNS Network Traffic
- Communication to malicious domain or IP
- Malicious domain / IP IOC detection
IDS / IPS Network Traffic
- Communication to malicious domain or IP
- IOC-based detection from IDS / IPS alerts
Technical Implementation
- IOC feed integration (domain & IP)
- Automated, scheduled IOC updates
- IOC matching and enrichment via automation workflows
- Incident creation and evidence tracking
- Escalation for high-severity matches
Outcome
- Continuously updated IOC detection
- Clear evidence trail for audit and investigation
3.3 VPN Authentication Success from Outside Thailand
Detection Logic
- Monitor VPN authentication success events
- Perform GeoIP lookup on source IP
- Detect successful logins originating outside Thailand
Enhancements
- Exception list for approved overseas users
- Risk scoring for admin accounts, first-time country access, and off-hours login
Response
- Incident creation and tracking
- On-call escalation for high-risk events
3.2 Threat Intelligence IOC Detection (DNS / Firewall / IDS‑IPS)
Covered Use Cases
DN5S Network Traffic
- Communication to malicious domain or IP
- Malicious domain / IP IOC detection
IDS / IPS Network Traffic
- Communication to malicious domain or IP
- IOC‑based detection from IDS / IPS alerts
Technical Implementation
- IOC feed integration (domain & IP)
- Automated, scheduled IOC updates
- IOC matching and enrichment via automation workflows
- Incident creation and evidence tracking
- Escalation for high‑severity matches
Outcome
- Continuously updated IOC detection
- Clear evidence trail for audit and investigation
3.3 VPN Authentication Success from Outside Thailand
Detection Logic
- Monitor VPN authentication success events
- Perform GeoIP lookup on source IP
- Detect successful logins originating outside Thailand
Enhancements
- Exception list for approved overseas users
- Risk scoring for admin accounts, first‑time country access, and off‑hours login
Response
- Incident creation and tracking
- On‑call escalation for high‑risk events
4. End‑to‑End Workflow
- Firewall / DNS / IDS / VPN logs are collected
- Detection rules evaluate events
- Automation workflows enrich and classify alerts
- Incidents are tracked with evidence and timeline
- High‑severity events trigger on‑call escalation
4.1 Integration Deliverables
The implementation includes full integration with the automation and case management layers to ensure alerts are actionable and traceable:
- Integration with Shuffle for automated enrichment, IOC matching, and response workflows
- Integration with DFIRTrack for incident creation, evidence collection, and investigation timeline management
5. Deliverables
- Custom detection rules and tuning
- IOC detection workflows (DNS and IDS / IPS)
- Automated IOC update pipeline
- VPN geo‑anomaly detection
- Incident templates and investigation workflow
- Escalation logic
- Documentation and handover
6. Timeline
The timeline below includes all activities required for full integration across detection, automation, case management, and escalation layers, including Shuffle and DFIRTrack.
| Phase | Duration |
|---|---|
| Log onboarding & review | 1 week |
| Rule creation & tuning | 1–2 weeks |
| IOC pipeline & detection | 1–2 weeks |
| VPN geo-anomaly use case | 3–5 days |
| Integration & end-to-end testing (Shuffle / DFIRTrack / PagerDuty) | 1 week |
Total estimated duration: 5–6 weeks
7. Pricing
Payment Terms
- 50% of the total project value is payable upon project commencement.
- The remaining 50% is payable upon project completion and acceptance, as defined in this proposal.
Project completion and acceptance are defined by the successful implementation of the agreed detection use cases, verified end-to-end workflows, and delivery of documentation as outlined in the Scope of Work and Deliverables sections.
Project completion and acceptance are defined by the successful implementation of the agreed detection use cases, verified end-to-end workflows, and delivery of documentation as outlined in the Scope of Work and Deliverables sections.
One‑Time Implementation
| Item | Cost (THB) |
|---|---|
| Security use‑case implementation | 320,000 |
Note: The above price includes full integration with the automation, case management, and escalation layers (Shuffle, DFIRTrack, and PagerDuty), including workflow configuration, API integration, and end‑to‑end testing.
VAT Disclaimer: All prices stated in this proposal are exclusive of 7% Value Added Tax (VAT), which will be charged separately in accordance with Thai tax regulations. |
Short Free Tuning Period
As part of this engagement, a short free tuning period is included after initial deployment to ensure detection rules and thresholds are well aligned with the production environment.
- Duration: 30 calendar days after go-live
- Delivery mode: Online / remote support only
- Scope: fine-tuning of existing rules, threshold adjustments, and false-positive reduction
- Excludes: new use-case development, new log sources, on-site support, or major logic changes
This tuning period helps stabilize the system and maximize detection quality without additional cost.
Complimentary Security Consultation
In addition to the implementation, a complimentary security consultation is included to support knowledge transfer and strategic alignment.
- Duration: 30 calendar days (remote only)
- Scope: architecture review, use-case clarification, and operational guidance
- Purpose: help internal teams better understand the system and plan future improvements
This consultation is advisory in nature and does not include additional implementation or configuration work.
Optional Ongoing Support
| Service | Cost (THB / month) |
|---|---|
| IOC feed maintenance & updates | 20,000 – 40,000 |
| Rule tuning & false‑positive reduction | Included |
8. Assumptions, Exclusions & Out-of-Scope
Assumptions
- Log sources are accessible and stable
- Required access is provided during implementation
- Log formats do not change significantly during the project timeline
Exclusions
- 24/7 SOC monitoring
- Incident response execution or forensic investigation
- Advanced UEBA or machine-learning analytics
Out-of-Scope (Unless Quoted Separately)
The following items are not included in this proposal and will require a separate quotation if requested:
- Major changes to log formats, vendors, or network architecture after project kickoff
- Onboarding of additional log sources beyond firewall, DNS, IDS/IPS, and VPN
- Development of custom dashboards beyond standard operational views
- Unlimited rule changes or ongoing rule development beyond the initial tuning period
- Integration with additional third-party systems not listed in this proposal
- Emergency or after-hours support outside agreed working hours
- Compliance certification, audit execution, or regulatory reporting
9. Value to Customer
- Practical, actionable security detection
- Continuously updated threat intelligence
- Reduced alert noise
- Clear investigation and audit trail
- Scalable foundation for future MDR services
10. Closing
This implementation provides enterprise-grade detection and response capability using open, well-architected components—without vendor lock-in or unnecessary complexity.
Appendix A: Use Case List (Initial Implementation Scope)
The following use cases will be implemented and tuned as part of the initial project scope. Final severity and thresholds will be confirmed during log review and tuning.
A1. DNS / Firewall (IOC)
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| DNS | Firewall/DNS logs | DNS Network Traffic – Communicate to Malicious Domain | Medium |
| DNS | Firewall/DNS logs | DNS Network Traffic – Malicious Domain IOCs Detection | Medium |
A2. FortiGate IPS/IDS & Firewall
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| IPS | FortiGate | IPS&IDS Network Traffic – Allowed RDP from Public IPs | High |
| IPS | FortiGate | IPS&IDS Firewall Account – Admin Password Change | High |
| IPS | FortiGate | IPS&IDS Firewall Account – Create/Add Admin Account | High |
| IPS | FortiGate | IPS&IDS Firewall Configure – Disabled Email Notification | High |
| IPS | FortiGate | IPS&IDS Firewall Configure – Download Configure FW | Low |
| IPS | FortiGate | IPS&IDS IDS Alert – Multiple Critical/High | Medium |
| IPS | FortiGate | IPS&IDS Network Traffic – Port Scanning | Low |
| IPS | FortiGate | IPS&IDS Network Traffic – IOC Detection | Medium |
| IPS | FortiGate | IPS&IDS Network Traffic – Port Scanning from Private IP | Medium |
| IPS | FortiGate | IPS&IDS Network Traffic – Communicate to Malicious IP | Medium |
A3. FortiGate VPN
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| VPN | FortiGate | VPN – Authentication Success from Guest Account | High |
| VPN | FortiGate | VPN – Authentication Success from Multiple Country | High |
| VPN | FortiGate | VPN – Authentication Brute Force Success | High |
| VPN | FortiGate | VPN – Authentication Multiple Fail (Many Accounts from 1 Source) | Low |
| VPN | FortiGate | VPN – Authentication Success from Outside Thailand | High |
A4. Windows / Active Directory
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail from Privileged Account | Medium |
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail from Service Account | Medium |
| Windows | Windows AD Logs | Windows AD – Enumeration with Malicious Tools | Medium |
| Windows | Windows Security Logs | Windows Authentication – Fail from Public IPs | Medium |
| Windows | Windows Security Logs | Windows File Share – Enumeration to Single Destination | Medium |
| Windows | Windows Security Logs | Windows Authentication – Success from Public IPs | High |
| Windows | Windows Security Logs | Windows Authentication – Privileged Account Impersonation | High |
| Windows | Windows Security Logs | Windows Authentication – Successful Pass the Hash RDP | High |
| Windows | Windows Security Logs | Windows Authentication – Success from Guest Account | High |
| Windows | Windows Security Logs | Windows Authentication – Interactive Logon Success by Service Account | High |
| Windows | Windows Security Logs | Windows Account – Added to Privileged Custom Group | High |
| Windows | Windows Security Logs | Windows Account – Added to Privileged Group | High |
| Windows | Windows Domain Configure | Windows Domain Configure – DSRM Password Reset | High |
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail (1 Account from Many Sources) | Low |
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail (Many Accounts from 1 Source) | Low |
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail from Guest Account | Low |
| Windows | Windows Security Logs | Windows Authentication – Multiple Fail (1 Account from 1 Source) | Low |
| Windows | Windows Security Logs | Windows Authentication – Multiple Interactive Logon Denied | Low |
| Windows | Windows Security Logs | Windows Authentication – Password Spray | Low |
| Windows | Windows Security Logs | Windows Authentication – Attempt from Disabled Account | Low |
| Windows | Windows Security Logs | Windows Domain Account – Created | Low |
| Windows | Windows Security Logs | Windows Local Account – Re-Enabled | Low |
| Windows | Windows Security Logs | Windows Local Account – Created | Low |
| Windows | Windows Security Logs | Windows Domain Account – Re-Enabled | Low |
Appendix B: Additional Use Cases (Optional / Add-On Scope)
The following use cases require additional log sources or integrations and are not included in the initial implementation scope. They can be implemented as an optional add-on or Phase 2 enhancement.
B1. VMware vCenter / ESXi
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| VMware | vCenter / ESXi | vCenter GUI – Login Failed 5 Times and Success 1 Time | High |
| VMware | vCenter / ESXi | ESXi – Enable SSH on Hosts | Medium |
| VMware | vCenter / ESXi | ESXi – SSH Failed 5 Times and Success 1 Time | High |
B2. Log Monitoring
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| SIEM | LogMonitor | Log Monitor – Logs Loss Detection | Low |
B3. Windows Sysmon
| Category | Source | Use Case | Target Severity |
|---|---|---|---|
| Sysmon | Windows | Sysmon – LSASS Dumping | High |
| Sysmon | Windows | Sysmon – SQL Injection | High |
| Sysmon | Windows | Sysmon – Webshell | High |
| Sysmon | Windows | Sysmon – Uninstall | High |
| Sysmon | Windows | Sysmon – LSASS Dumping by Task Manager | High |
| Sysmon | Windows | Sysmon – CertUtil Download | Medium |
Notes
- IOC-based detections require an IOC feed and update schedule. IOC matching and enrichment will be implemented via the automation layer.
- Geo-based VPN detections require GeoIP enrichment and an exception list for approved overseas users.
Appendix C: Future Enhancement Use Cases (Post-Implementation)
The following use cases are not included in the current project scope. They are provided to illustrate additional high-value security capabilities that can be implemented in future phases after the initial deployment is stabilized.
C1. Impossible Travel Detection (VPN / AD / Cloud)
Description
Impossible Travel detects potential credential compromise by identifying authentication events where the same user account logs in from geographically distant locations within a time window that is physically impossible for normal human travel.
How It Works
- Correlate authentication events for the same user across VPN, Active Directory, and cloud services
- Enrich source IP addresses with GeoIP location data
- Calculate distance and time between consecutive login events
- Trigger an alert when the required travel speed exceeds realistic human limits
Typical Scenarios
- VPN login from Thailand followed shortly by a VPN or cloud login from another country
- Active Directory login from an internal office network followed by an external or overseas login
- Cloud or SaaS login from two distant regions within a short time window
Risk & Value
- Strong indicator of stolen or shared credentials
- High signal with low false-positive rate when properly tuned
- Effective for detecting attacks that bypass malware-based controls
Response Examples
- Create an incident record for investigation
- Enrich with user role, account type, and asset criticality
- Optional actions such as password reset, MFA enforcement, or account lockout
**Implementation Notes
- Known VPN exit IPs and office locations are allowlisted to reduce false positives
- Service and automation accounts are excluded by default
- Time windows and thresholds are tuned based on operational patterns
C2. Advanced Credential Abuse & Privilege Misuse
Example Use Cases
- Privileged account usage outside business hours
- Dormant accounts becoming active unexpectedly
- Service accounts used for interactive logon
- Rapid privilege escalation followed by sensitive access
Value
- Detects early-stage attacker activity
- High audit and compliance relevance
- Low operational noise when tuned correctly
C3. Lateral Movement & Internal Reconnaissance
Example Use Cases
- Multiple authentication successes across different hosts in a short time
- SMB or RDP access patterns indicating lateral movement
- Admin account accessing many servers rapidly
- Internal scanning or enumeration behavior
Value
- Identifies attacker movement after initial compromise
- Difficult to detect without correlation
- Strong indicator of real intrusion activity
C4. Ransomware Early Warning Indicators
Example Use Cases
- Mass file rename or encryption behavior
- Shadow copy deletion
- Backup or recovery service stopped unexpectedly
- High-risk process execution prior to file access
Value
- Detects ransomware before full impact
- High business risk reduction
- Strong executive-level interest
C5. Endpoint & Server Behavior Anomalies
Example Use Cases
- Unusual process execution on critical servers
- Command-line anomaly detection
- Creation of scheduled tasks or persistence mechanisms
- Unexpected software installation
Value
- Complements EDR detections
- Detects living-off-the-land techniques
- Useful for threat hunting and incident investigation
C6. Cloud & SaaS Security Monitoring (If Applicable)
Example Use Cases
- Cloud administrator role changes
- API key misuse or abnormal API usage
- Suspicious SaaS login behavior
- Large or unusual data download activity
Value
- Extends visibility beyond on-prem systems
- Important for hybrid and cloud environments
- Often required by security audits
C7. SOC & Operational Maturity Monitoring
Example Use Cases
- Alert fatigue and recurring alert patterns
- Incidents exceeding SLA targets
- Detection coverage gaps
- Log ingestion health and drift detection
Value
- Improves SOC efficiency and effectiveness
- Provides management-level insight
- Supports continuous security improvement