This project documents the creation of a Security Operations Center (SOC) lab using Splunk Enterprise, Windows Security Event Logs, and Sysmon.
The goal of this lab is to simulate basic SOC analyst activities including:
- Log collection
- Event monitoring
- Threat hunting
- Security investigations
- Detection engineering
- Alert creation
- Dashboard creation
- Windows Security Event analysis
- Sysmon event monitoring
| Component | Details |
|---|---|
| SIEM | Splunk Enterprise 10.4 |
| Endpoint | Windows 11 |
| Data Source | Windows Security Event Logs |
| Additional Telemetry | Sysmon |
| Log Type | WinEventLog:Security |
| Sysmon Sourcetype | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Security Event Logs were ingested into Splunk using Local Event Log monitoring.
Collected Windows Security Events include:
- Successful Logons (4624)
- Failed Logons (4625)
- Privileged Logons (4672)
- User Account Creation (4720)
- Security Auditing Events
Additionally, Sysmon was deployed to provide enhanced endpoint visibility for:
- Process Creation
- Network Connections
- File Creation
- Process Relationships
- Command Line Monitoring
Detects unsuccessful authentication attempts.

```spl
index=* sourcetype="WinEventLog:Security" EventCode=4625
| stats count by Account_Name
| sort -count
```

MITRE ATT&CK: T1110 - Brute Force
Detects accounts generating multiple failed authentication attempts.

```spl
index=* sourcetype="WinEventLog:Security" EventCode=4625
| stats count as FailedAttempts by Account_Name
| where FailedAttempts > 5
```

MITRE ATT&CK: T1110 - Brute Force
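Added Python example, not part of this repository's own code: it reimplements the threshold search above over constructed 4625 records so the logic can be checked offline, and adds a time-window variant that flags a burst of failures rather than a lifetime total. The record layout (`_time`, `Account_Name`) and the helper names are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed 4625 records (not real log data), shaped like the two Splunk
# fields the page's query relies on: _time and Account_Name.
def _t(hour, minute, second=0):
    return datetime(2024, 1, 1, hour, minute, second).isoformat()

SAMPLE_4625 = (
    # bob: 7 failures spread across a day, one every three hours
    [{"_time": _t(h, 0), "Account_Name": "bob"} for h in range(0, 21, 3)]
    # alice: 6 failures inside one minute, the classic brute-force shape
    + [{"_time": _t(10, 0, s), "Account_Name": "alice"} for s in range(0, 60, 10)]
    # carol: two mistyped passwords, nothing to alert on
    + [{"_time": _t(12, m), "Account_Name": "carol"} for m in (1, 2)]
)

def failed_by_account(records, threshold=5):
    """Equivalent of: | stats count as FailedAttempts by Account_Name | where FailedAttempts > threshold"""
    counts = Counter(r["Account_Name"] for r in records)
    return {acct: n for acct, n in counts.items() if n > threshold}

def failed_in_window(records, threshold=5, window=timedelta(minutes=5)):
    """Flag accounts with more than `threshold` failures inside any span of length `window`.
    Sliding window over each account's sorted timestamps."""
    times = defaultdict(list)
    for r in records:
        times[r["Account_Name"]].append(datetime.fromisoformat(r["_time"]))
    flagged = set()
    for acct, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 > threshold:
                flagged.add(acct)
                break
    return flagged

if __name__ == "__main__":
    print("lifetime count > 5:", failed_by_account(SAMPLE_4625))  # bob and alice
    print("burst within 5 min:", failed_in_window(SAMPLE_4625))   # alice only
```

The lifetime count flags bob, whose failures are spread thinly over a day, while the windowed check only flags alice; in Splunk the windowed form corresponds to adding `| bin _time span=5m` before the `stats` and grouping by both `_time` and `Account_Name`.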
Displays successful authentication events by account.

```spl
index=* sourcetype="WinEventLog:Security" EventCode=4624
| stats count by Account_Name
| sort -count
```

MITRE ATT&CK: T1078 - Valid Accounts
Detects creation of new local user accounts.

```spl
index=* EventCode=4720
```

MITRE ATT&CK: T1136 - Create Account
Detects logons receiving elevated privileges.

```spl
index=* EventCode=4672
| stats count by Account_Name
| sort -count
| head 10
```

MITRE ATT&CK: T1078 - Valid Accounts
Displays the most common Windows Security Events.

```spl
index=* sourcetype="WinEventLog:Security"
| stats count by EventCode
| sort -count
| head 10
```
Sysmon was deployed to enhance endpoint visibility and provide advanced process, file, and network monitoring capabilities.
| Component | Details |
|---|---|
| Source | Microsoft-Windows-Sysmon/Operational |
| Sourcetype | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Collection Method | Local Event Log Collection |
| Index | main |
This search extracts Sysmon Event IDs from XML logs and summarizes the most common Sysmon events.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| rex "<EventID>(?<SysmonEventID>\d+)</EventID>"
| stats count by SysmonEventID
| sort SysmonEventID
```
Monitor newly created processes using Sysmon Event ID 1.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| rex "<EventID>(?<SysmonEventID>\d+)</EventID>"
| search SysmonEventID=1
```

MITRE ATT&CK: T1059 - Command and Scripting Interpreter
Detect execution of PowerShell commands.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| search "powershell.exe"
```

MITRE ATT&CK: T1059.001 - PowerShell
Detect execution of cmd.exe.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| search "cmd.exe"
```

MITRE ATT&CK: T1059.003 - Windows Command Shell
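Added Python example, not code from this repository: it applies the same `<EventID>` rex used by the searches above to constructed Sysmon XML events, and contrasts the free-text `search "powershell.exe"` match, which also fires when powershell.exe is only the ParentImage or appears inside another process's command line, with a check on the Image field of Event ID 1 events. The event bodies, paths and helper names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed Sysmon XML events (not captured data); the layout follows the
# Microsoft-Windows-Sysmon/Operational schema, trimmed to the fields used here.
EVENTS = [
    "<Event><System><EventID>1</EventID></System><EventData>"
    "<Data Name='Image'>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>"
    "<Data Name='ParentImage'>C:\\Windows\\explorer.exe</Data>"
    "<Data Name='CommandLine'>powershell.exe -File C:\\scripts\\backup.ps1</Data></EventData></Event>",
    "<Event><System><EventID>1</EventID></System><EventData>"
    "<Data Name='Image'>C:\\Windows\\System32\\cmd.exe</Data>"
    "<Data Name='ParentImage'>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>"
    "<Data Name='CommandLine'>cmd.exe /c dir</Data></EventData></Event>",
    "<Event><System><EventID>3</EventID></System><EventData>"
    "<Data Name='Image'>C:\\Windows\\System32\\svchost.exe</Data>"
    "<Data Name='DestinationIp'>192.0.2.10</Data></EventData></Event>",
    "<Event><System><EventID>11</EventID></System><EventData>"
    "<Data Name='Image'>C:\\Windows\\System32\\notepad.exe</Data>"
    "<Data Name='TargetFilename'>C:\\Users\\lab\\notes.txt</Data></EventData></Event>",
]

# Same pattern as the page's rex: pull the numeric EventID out of the XML.
EVENT_ID_RE = re.compile(r"<EventID>(?P<SysmonEventID>\d+)</EventID>")

def event_id(xml):
    m = EVENT_ID_RE.search(xml)
    return int(m.group("SysmonEventID")) if m else None

def data_field(xml, name):
    """Return the value of one <Data Name='...'> element, or None if absent."""
    m = re.search(r"<Data Name=['\"]%s['\"]>(.*?)</Data>" % re.escape(name), xml)
    return m.group(1) if m else None

def count_by_event_id(events):
    """Equivalent of: | stats count by SysmonEventID"""
    return Counter(event_id(e) for e in events)

def free_text_hits(events, needle):
    """Equivalent of: | search "<needle>" (case-insensitive match anywhere in the raw event)."""
    return sum(1 for e in events if needle.lower() in e.lower())

def image_hits(events, exe):
    """Stricter check: Event ID 1 events whose launched Image is the given executable."""
    return sum(1 for e in events
               if event_id(e) == 1
               and (data_field(e, "Image") or "").lower().endswith("\\" + exe.lower()))
```

On this sample the free-text search counts two powershell.exe hits, but only one event actually launched PowerShell; the second is cmd.exe started by a PowerShell parent, which is a separate signal worth its own detection rather than a duplicate PowerShell alert.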
Monitor outbound network connections using Sysmon Event ID 3.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| rex "<EventID>(?<SysmonEventID>\d+)</EventID>"
| search SysmonEventID=3
```

MITRE ATT&CK: T1049 - System Network Connections Discovery
Detect file creation activity using Sysmon Event ID 11.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| rex "<EventID>(?<SysmonEventID>\d+)</EventID>"
| search SysmonEventID=11
```

MITRE ATT&CK: T1105 - Ingress Tool Transfer
A scheduled Splunk alert was created to detect PowerShell execution events.
- Alert Type: Scheduled
- Schedule: Hourly
- Trigger Condition: Number of Results > 0
- Action: Add to Triggered Alerts
- Severity: Medium
A scheduled Splunk alert was created to detect command prompt execution events.
- Alert Type: Scheduled
- Schedule: Hourly
- Trigger Condition: Number of Results > 0
- Action: Add to Triggered Alerts
A custom Splunk dashboard was created to centralize Windows Security and Sysmon monitoring.
Dashboard panels include:
- Sysmon Event Distribution
- PowerShell Execution Detection
- CMD Execution Detection
- Network Connection Monitoring
- File Creation Monitoring
- Failed Logons Detection
- Successful Logon Monitoring
- User Account Creation Detection
- Install Splunk Enterprise.
- Configure Windows Security Event Log collection.
- Install Sysmon and enable Sysmon event logging.
- Configure Splunk to ingest Sysmon Operational logs.
- Execute the SPL queries provided in this repository.
- Review detections, dashboards, and alerts.
- Generate test activity to validate detections.
Example test activities:
- Failed logons
- PowerShell execution
- CMD execution
- Network connections
- User account creation
The lab can be extended with additional detections, Sigma rules, and attack simulations.
- Splunk Enterprise Administration
- Windows Event Log Analysis
- Sysmon Deployment and Monitoring
- SPL (Search Processing Language)
- Security Monitoring
- Threat Hunting
- Detection Engineering
- Alert Creation
- Dashboard Development
- SIEM Operations
- MITRE ATT&CK Mapping
- Incident Detection
- Create additional Sysmon-based detection rules
- Develop correlation searches across multiple event sources
- Integrate Sigma detection rules into Splunk
- Build advanced SOC dashboards
- Create phishing detection use cases
- Develop brute-force detection playbooks
- Add MITRE ATT&CK coverage matrix
- Simulate adversary behavior using Atomic Red Team
- Implement incident response workflows
- Build risk-based alerting use cases
- Integrate threat intelligence feeds