Project Title: Splunk-Based SIEM Lab for Log Ingestion and Event Analysis
Description: Developed a security monitoring lab environment using Vultr virtual machines to simulate an enterprise SOC setup and analyze Windows event data for potential security incidents.
Infrastructure Setup:
- Deployed three virtual machines: a Windows target endpoint, a Windows Active Directory (AD) server, and an Ubuntu-based Splunk Enterprise server.
- Configured network connectivity between the machines, with firewall rules restricting inbound access to the specific IPs that needed it (forwarders to the Splunk server, administrator to the hosts).
Active Directory Configuration:
- Installed and configured Windows AD services, created a test user, and joined the Windows target to the AD domain.
Splunk Deployment & Log Forwarding:
- Installed Splunk Enterprise on the Ubuntu server over a remote session opened from PowerShell.
- Installed Splunk Universal Forwarders on both Windows machines to forward their Security and System event logs to the Splunk server.
- Configured the inputs.conf file and created a custom index (mydfir) to ingest the Windows event logs.
Event Log Analysis:
- Queried and monitored key Windows Event IDs (e.g., 4624 – Successful Logon, 4625 – Failed Logon) to identify authentication activity and potential unauthorized logon attempts.
- Verified successful ingestion and visualization of logs on Splunk dashboards.
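As an added example (not the project's own files), the Splunk configuration described in the Splunk Deployment & Log Forwarding bullets above, spelled out as .conf stanzas, together with a savedsearches.conf alert for the 4625 failed-logon monitoring described under Event Log Analysis: the Universal Forwarder's inputs.conf and outputs.conf on the two Windows hosts, and the receiving port, indexes.conf and alert on the Ubuntu server. The index name mydfir is from the project; the server address 10.0.0.10, the receiving port 9997 (Splunk's conventional default) and the alert threshold of 10 failures in 15 minutes are assumptions for illustration.

```ini
# --- Windows target and AD server: $SPLUNK_HOME\etc\system\local\inputs.conf ---
# Universal Forwarder inputs for the Security and System channels.
# Every event is tagged with the custom index created on the server.
[WinEventLog://Security]
index = mydfir
disabled = 0
renderXml = false
start_from = oldest
current_only = 0
# Optional noise reduction: keep only logon-related EventCodes.
# Left commented so the full Security log is retained for forensics.
# whitelist = 4624,4625,4634,4648,4672,4720,4732

[WinEventLog://System]
index = mydfir
disabled = 0

# --- Windows target and AD server: $SPLUNK_HOME\etc\system\local\outputs.conf ---
# Where the forwarder sends events. 10.0.0.10 is an assumed lab address;
# 9997 is Splunk's conventional receiving port and must be allowed by the
# firewall rules, inbound from the two forwarders only.
[tcpout]
defaultGroup = splunk_server

[tcpout:splunk_server]
server = 10.0.0.10:9997

# --- Ubuntu Splunk server: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Open the receiving port the forwarders above point at.
[splunktcp://9997]
disabled = 0

# --- Ubuntu Splunk server: $SPLUNK_HOME/etc/system/local/indexes.conf ---
# The custom index named in the project; paths follow Splunk's standard layout.
[mydfir]
homePath   = $SPLUNK_DB/mydfir/db
coldPath   = $SPLUNK_DB/mydfir/colddb
thawedPath = $SPLUNK_DB/mydfir/thaweddb

# --- Ubuntu Splunk server: $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf ---
# Scheduled alert for the failed-logon monitoring: groups 4625 events by
# source address and reporting host, and fires when one source exceeds the
# (assumed) threshold of 10 failures within the 15-minute window.
[mydfir - failed logon burst]
search = index=mydfir source="WinEventLog:Security" EventCode=4625 \
  | stats count AS failures, values(Account_Name) AS accounts, \
          values(Workstation_Name) AS workstations, latest(_time) AS last_seen \
    BY Source_Network_Address, host \
  | where failures >= 10 \
  | eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1
```

Restart the forwarder service after editing the files, then confirm ingestion on the server with `index=mydfir | stats count by host, source` before trusting the alert. Two caveats when reading the results: event 4625 is written on the machine where the logon was attempted, so a failed domain-account logon at the target endpoint appears in that endpoint's Security log while the AD server records the corresponding Kerberos pre-authentication failure as event 4771; and Account_Name on 4625 is a multivalue field (subject and target account), which is why the search lists the values rather than counting distinct names.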
Outcome: Built a self-contained SOC simulation capable of detecting and visualizing Windows logon events, demonstrating the ability to configure, forward, and analyze event logs within Splunk.
Tools & Technologies: Splunk Enterprise, Splunk Universal Forwarder, Windows Server (AD), Ubuntu Server, PowerShell, Vultr Cloud, Firewall Configuration, Windows Event Viewer.