tum
/
soc


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142
							<!--
  SOC Proposal Rules — Appendix C1-C3
  C1: Impossible Travel
  C2: Advanced Credential Abuse & Privilege Misuse
  C3: Lateral Movement & Internal Reconnaissance

  Simulation profile rule IDs : 100501, 100511-100514, 100521-100524
  Production profile rule IDs : 110501, 110502, 110511-110514, 110521-110524

  C1 prod: if_sid=81622 (VPN tunnel-up / user connected) or if_sid=100260 (soc-integrator)
           Environment uses IPsec site-to-site VPN (no SSL-VPN observed in archives 2026-03-20)
           if_group=fortigate was broken in Wazuh 4.x → fixed to if_sid
  C2/C3 prod: specific built-in Wazuh SIDs to avoid N×M explosion:
    60106 → event 4624 (auth success / logon)
    60113 → events 4728/4732 (group membership change)
-->
<group name="soc_mvp,appendix_c,">

  <!-- ================================================================
       C1: Impossible Travel Detection
       ================================================================ -->


  <!-- C1-01 VPN candidate: fires on every VPN tunnel-up (IPsec) or SSL-VPN success
       Parent: 81622 (Fortigate: VPN user connected / action=tunnel-up)
       The srccountry field is present in real VPN events; soc-integrator handles
       geo correlation and emits c1_impossible_travel to trigger rule 110502.
       Fix 2026-03-19: if_group=fortigate broken → if_sid=81622;
                       action="ssl-login-success" → IPsec tunnel-up via 81622 -->
  <rule id="110501" level="12">
    <if_sid>81622</if_sid>
    <description>C1-01 [PROD] VPN tunnel connected — impossible travel geo candidate</description>
    <group>soc_prod,c1,impossible_travel,identity,</group>
    <mitre><id>T1078</id></mitre>
  </rule>

  <rule id="110502" level="15">
    <if_sid>100260</if_sid>
    <match>event_type=c1_impossible_travel</match>
    <description>C1-01 [PROD] Impossible travel confirmed by soc-integrator correlation</description>
    <group>soc_prod,c1,impossible_travel,identity,</group>
    <mitre><id>T1078</id></mitre>
  </rule>


  <!-- ================================================================
       C2: Advanced Credential Abuse & Privilege Misuse
       ================================================================ -->


  <!-- C2 production rules
       Parent: 60106 (event 4624 - logon success) for auth rules
               60113 (events 4728/4732 - group membership) for privilege rules -->

  <rule id="110511" level="12">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">(?i)admin</field>
    <description>C2-01 [PROD] Privileged account auth success (4624)</description>
    <group>soc_prod,c2,credential_abuse,identity,</group>
    <mitre><id>T1078.002</id></mitre>
  </rule>

  <rule id="110512" level="8">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">(?i)legacy</field>
    <description>C2-02 [PROD] Dormant/legacy account auth success (4624)</description>
    <group>soc_prod,c2,credential_abuse,identity,</group>
    <mitre><id>T1078</id></mitre>
  </rule>

  <rule id="110513" level="12">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.logonType">^10$</field>
    <field name="win.eventdata.targetUserName" type="pcre2">(?i)svc|service|\$$</field>
    <description>C2-03 [PROD] Service account remote interactive logon type 10 (4624)</description>
    <group>soc_prod,c2,service_account,identity,</group>
    <mitre><id>T1078.003</id></mitre>
  </rule>

  <rule id="110514" level="12">
    <if_sid>60113</if_sid>
    <field name="win.system.eventID">^4732$</field>
    <description>C2-04 [PROD] Privilege escalation: group membership change (4732)</description>
    <group>soc_prod,c2,privilege_escalation,identity,</group>
    <mitre><id>T1098.007</id></mitre>
  </rule>


  <!-- ================================================================
       C3: Lateral Movement & Internal Reconnaissance
       ================================================================ -->


  <!-- C3 production rules
       Parent: 60106 (event 4624 - logon success) -->

  <rule id="110521" level="12">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.logonType">^10$</field>
    <description>C3-01/02 [PROD] RDP auth success logon type 10 (lateral movement indicator)</description>
    <group>soc_prod,c3,lateral_movement,rdp,</group>
    <mitre><id>T1021.001</id></mitre>
    <mitre><id>T1078</id></mitre>
  </rule>

  <rule id="110522" level="12">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.logonType">^3$</field>
    <description>C3-02 [PROD] SMB network logon type 3 (lateral movement indicator)</description>
    <group>soc_prod,c3,lateral_movement,smb,</group>
    <mitre><id>T1021.002</id></mitre>
    <mitre><id>T1078</id></mitre>
  </rule>

  <rule id="110523" level="15">
    <if_sid>60106</if_sid>
    <field name="win.eventdata.targetUserName" type="pcre2">(?i)admin</field>
    <description>C3-03 [PROD] Admin account auth success — lateral movement candidate (4624)</description>
    <group>soc_prod,c3,lateral_movement,admin,</group>
    <mitre><id>T1021.001</id></mitre>
    <mitre><id>T1078.002</id></mitre>
  </rule>

  <!-- C3-04 PROD: WFP event 5156 has no specific built-in Wazuh parent SID.
       Skip prod rule to avoid N×M explosion from using a generic windows parent. -->


</group>