| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 |
- # Appendix A - production-style sample logs
- # Sources: FortiGate traffic/event/vpn style fields, Windows Security event field shapes, SOC Integrator DNS IOC format
- # A1-01 DNS IOC traffic
- soc_event=dns_ioc event_type=ioc_dns_traffic src_ip=10.26.45.214 query=ioc-2294.malicious.example action=blocked severity=medium
- # A1-02 DNS IOC domain match
- soc_event=dns_ioc event_type=ioc_domain_match src_ip=10.26.45.214 query=bad-c2.example feed=internal_main confidence=high action=alert
- # A2-01 Allowed RDP from public IP
- date=2026-03-09 time=10:01:31 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079291 vd="root" logid="0000000013" type="traffic" subtype="forward" level="warning" srcip=91.190.63.84 srcport=55123 dstip=10.20.55.10 dstport=3389 proto=6 action="accept" policyid=3
- # A2-02 Firewall admin password changed
- date=2026-03-09 time=10:02:04 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079324 vd="root" logid="0100044547" type="event" subtype="system" level="warning" user="admin" action="password-change" ui="https(10.20.55.1)"
- # A2-03 Firewall admin account created
- date=2026-03-09 time=10:02:17 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079337 vd="root" logid="0100044548" type="event" subtype="system" level="warning" user="admin" action="create-admin" target_user="soc-backup-admin"
- # A2-04 Notification disabled via config
- date=2026-03-09 time=10:03:41 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079421 vd="root" logid="0100044551" type="event" subtype="system" level="warning" user="admin" action="config-change" config_path="system.alertemail" config_key="email-notify" config_value=disable
- # A2-05 Config downloaded
- date=2026-03-09 time=10:04:03 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079443 vd="root" logid="0100044552" type="event" subtype="system" level="notice" user="admin" action="download-config" dstip=10.20.50.33
- # A2-06 Multiple critical IPS signatures
- date=2026-03-09 time=10:05:14 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079514 vd="root" logid="0720018432" type="utm" subtype="ips" level="alert" srcip=185.220.101.44 dstip=10.20.55.20 attack="Multiple.Critical.Signatures" action="blocked"
- # A2-07 TCP external scan
- date=2026-03-09 time=10:05:50 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079550 vd="root" logid="0419016384" type="utm" subtype="anomaly" level="warning" srcip=45.148.10.9 dstip=10.20.55.20 attack="TCP.Port.Scan" action="detected"
- # A2-08 IOC IP indicator detected
- date=2026-03-09 time=10:06:23 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079583 vd="root" logid="0720018433" type="utm" subtype="ips" level="warning" srcip=10.20.55.12 dstip=198.51.100.77 ioc_type=ip ioc_value=198.51.100.77 action="blocked"
- # A2-09 Internal scan
- date=2026-03-09 time=10:07:12 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079632 vd="root" logid="0419016385" type="utm" subtype="anomaly" level="warning" srcip=10.20.55.11 dstip=10.20.55.0/24 attack="Internal.Port.Scan" action="detected"
- # A2-10 Traffic to known C2
- date=2026-03-09 time=10:07:59 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079679 vd="root" logid="0000000014" type="traffic" subtype="forward" level="warning" srcip=10.20.55.50 dstip=203.0.113.60 dstport=443 threat_label="known-c2" action="accept"
- # A3-01 VPN guest login success
- date=2026-03-09 time=10:10:11 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079811 vd="root" logid="0101037133" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="guest" srcip=203.0.113.17
- # A3-02 VPN success from different country than prior login
- date=2026-03-09 time=10:10:43 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079843 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="jane.doe" srcip=198.51.100.20 previous_country=TH current_country=DE
- # A3-03 VPN success after failures
- date=2026-03-09 time=10:11:12 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079872 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="ops.admin" srcip=198.51.100.42 failed_attempts_before_success=8
- # A3-04 Multiple account failures from one source
- date=2026-03-09 time=10:11:49 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079909 vd="root" logid="0101037134" type="event" subtype="vpn" tunneltype="ssl" level="notice" action="ssl-login-fail" srcip=198.51.100.42 failed_accounts=alice,bob,charlie
- # A3-05 VPN login from outside expected country
- date=2026-03-09 time=10:12:04 devname="FGT80F-Branch01" devid="FGT80FTK20000001" eventtime=1773079924 vd="root" logid="0101037135" type="event" subtype="vpn" tunneltype="ssl" level="warning" action="ssl-login-success" user="finance.user" srcip=203.0.113.71 expected_country=TH current_country=US
- # A4-01 Windows privileged account auth failure
- {"win":{"system":{"eventID":"4625"},"eventdata":{"targetUserName":"admin01"}}}
- # A4-02 Windows service account auth failure
- {"win":{"system":{"eventID":"4625"},"eventdata":{"targetUserName":"svc_backup$"}}}
- # A4-03 AD enumeration tool execution
- {"win":{"system":{"eventID":"4688"},"eventdata":{"newProcessName":"C:\\Tools\\adfind.exe"}}}
- # A4-06 Remote interactive auth success
- {"win":{"system":{"eventID":"4624"},"eventdata":{"logonType":"10","targetUserName":"helpdesk"}}}
- # A4-08 NTLM network logon (pass-the-hash indicator)
- {"win":{"system":{"eventID":"4624"},"eventdata":{"authenticationPackageName":"NTLM","logonType":"3","targetUserName":"it-admin"}}}
- # A4-09 Guest account auth success
- {"win":{"system":{"eventID":"4624"},"eventdata":{"targetUserName":"guest"}}}
- # A4-10 Service account interactive logon
- {"win":{"system":{"eventID":"4624"},"eventdata":{"logonType":"2","targetUserName":"service_sql"}}}
- # A4-12 Account added to privileged domain group
- {"win":{"system":{"eventID":"4728"},"eventdata":{"targetUserName":"new.user","groupName":"Domain Admins"}}}
- # A4-11 Account added to privileged local group
- {"win":{"system":{"eventID":"4732"},"eventdata":{"targetUserName":"new.user","groupName":"Administrators"}}}
- # A4-13 DSRM password set attempt
- {"win":{"system":{"eventID":"4794"},"eventdata":{"targetUserName":"Administrator"}}}
- # A4-21 Domain/local account created
- {"win":{"system":{"eventID":"4720"},"eventdata":{"targetUserName":"ops.newuser"}}}
- # A4-22 Domain/local account re-enabled
- {"win":{"system":{"eventID":"4722"},"eventdata":{"targetUserName":"legacy.disabled"}}}
|
