🔍 Splunk SIEM Lab — Brute Force Detection & Response Dashboard

📌 Project Overview

This project demonstrates how to use Splunk Cloud as a SIEM to ingest Linux authentication logs, detect brute-force attack patterns, and visualize findings on a real-time SOC dashboard.

The objective was to simulate a real-world SOC analyst workflow — from raw log ingestion to detection, investigation, and dashboard reporting.

---

🛠️ Lab Environment

Component	Details
SIEM Platform	Splunk Cloud (Free Trial)
Operating System	Ubuntu Linux
Log Source	/var/log/auth.log
Attack Type	SSH Brute Force
Target User	attackeruser
Source IP	192.168.0.168

---

⚙️ Lab Setup

Auth logs were exported from Ubuntu Linux using:

sudo cat /var/log/auth.log > ~/brute-force-logs.txt

The log file was then uploaded to Splunk Cloud via Settings → Add Data → Upload with source type set to syslog.

---

🔎 Detection Queries (SPL)

Detection 1 — Failed Login Events

index=main sourcetype=syslog "Failed password"

Detection 2 — Failed Logins by Host

index=main sourcetype=syslog "Failed password" | stats count by host

Detection 3 — Attack Timeline

index=main sourcetype=syslog "Failed password" | timechart count

Detection 4 — Full Event Table

index=main sourcetype=syslog "Failed password" | table _time, host, source

---

📊 Investigation Findings

Field	Details
Total Failed Attempts	7
Targeted Host	user-HP-EliteBook-x360-1030-G2
Attack Dates	March 29-30, 2026
Peak Attack Time	12:44 — 12:46 PM (5 attempts in 2 minutes)
Log Source	brute-force-logs.txt

---

🖥️ Dashboard

A Brute Force Detection & Response Dashboard was built in Splunk with 4 panels:

• Failed Login Attempts by Host — Bar chart
• Total Failed Login Attempts — Single value counter (7)
• Attack Timeline — Column chart showing attack burst
• Failed Login Events — Full event table with timestamps

---

📸 Screenshots

Detection Query — Failed Password Events

Failed Logins by Host — Bar Chart

Attack Timeline

Brute Force Detection & Response Dashboard

---

🎯 MITRE ATT&CK Mapping

Tactic	Technique	Description
Credential Access	T1110 — Brute Force	Repeated failed SSH login attempts
Credential Access	T1110.001 — Password Guessing	Multiple password attempts against single account
Discovery	T1078	Valid account targeted during attack

---

🔒 NIST & CIS Controls Mapping

Finding	NIST Control	CIS Control
Brute Force Detected	AC-7 — Unsuccessful Login Attempts	CIS 4.10
Auth Log Monitored	AU-2 — Event Logging	CIS 8.2
Attack Timeline Captured	SI-4 — System Monitoring	CIS 8.11

---

⚠️ Risk Impact

The detected brute-force activity represents a significant authentication threat. If successful, an attacker could gain unauthorized access leading to data compromise, privilege escalation, or lateral movement across the network.

---

🛡️ Recommended Actions

• Implement Fail2Ban to auto-block repeated failed attempts
• Enforce strong password policies and MFA
• Restrict SSH access to trusted IP addresses only
• Set up real-time Splunk alerts for failed login thresholds
• Monitor authentication logs continuously

---

🎯 Skills Demonstrated

• Splunk Cloud SIEM configuration
• Log ingestion and parsing
• SPL (Search Processing Language) queries
• Dashboard creation and visualization
• Threat detection and investigation
• MITRE ATT&CK mapping
• NIST & CIS compliance mapping
• Incident documentation

---

🔗 Related Projects

• SSH Brute Force Detection Lab
• Enterprise SIEM Lab — PAM Brute Force Detection

---

👨‍💻 Author

Alex Ojo Cybersecurity Student | SOC Analyst Trainee