1. What is this lab for?
This lab teaches you how to:
- Monitor security logs
- Detect cyberattacks (e.g., brute force)
- Analyze events in a SIEM
- Create automated alerts
- Understand the role of a SOC analyst (L1)
In short:
You learn how to detect cyber threats in real time like a SOC
analyst.
---
2. Learning objectives
By the end of this lab, you will be able to:
- Use Splunk effectively
- Ingest and manage logs (Windows/Linux)
- Search and investigate suspicious activity
- Detect brute force attacks
- Create security alerts
- Build SOC dashboards
---
3. Tools used
Main tool:
- Splunk (SIEM platform)
Log sources:
- Windows Event Logs
- Linux auth.log
- Apache / SSH logs
SOC concepts:
- SIEM (Security Information & Event Management)
- Log analysis
- Alerting
- Correlation rules
---
4. Splunk interface – key tabs
When you open Splunk, you’ll see:
1. Search & Reporting
The core of the SIEM
- Search logs
- Investigate events
- Detect attacks
2. Dashboards
Data visualization
- Attack trends
- Failed login graphs
- User activity
3. Alerts
Automated detection
- Brute force alerts
- Email/SOC notifications
4. Settings
System configuration
- Add data sources
- Manage indexing
5. Apps
Splunk extensions
- Security content
- Enterprise Security (ES)
---
5. Splunk installation (step by step)
Step 1: Download Splunk
- Go to the official website
- Download Splunk Enterprise
Step 2: Install
- Double-click installer
- Click: Next → Next → Install
- Create admin account:
- Username: admin
- Password: ********
Step 3: Launch Splunk
Open your browser:
http://localhost:8000
You will access the Splunk dashboard
---
6. Log ingestion (VERY IMPORTANT)
Step 1: Add Data
- Go to: Settings → Add Data
Step 2: Choose source
- Select “Upload files”
- Or “Monitor”
Step 3: Select logs
Examples:
- Linux auth.log
- Windows Security logs
Step 4: Indexing
- Create index: security
---
7. Detecting a brute force attack (real SOC
case)
Scenario:
An attacker tries multiple SSH passwords
Step 1: Go to Search
Open: Search & Reporting
Step 2: SPL query
```
index=security sourcetype=linux_secure "Failed password"
```
Step 3: Analysis
You will observe:
- Multiple failed logins
- Same IP repeating
- Same user targeted
Brute force indicator:
Too many failed logins in a short time
Step 4: Identify suspicious IP
```
index=security "Failed password"
| stats count by src_ip
| sort -count
```
Result:
- IP with high number of attempts = suspicious
---
8. Creating a SOC alert
Step 1: Save as Alert
In Search:
- Click “Save As → Alert”
Step 2: Configure
- Name: Brute Force SSH Detection
- Condition:
- Number of results > 10
- Time range: 5 minutes
Step 3: Actions
- Send email
- Trigger script
- Create SOC ticket
---
9. Creating a SOC dashboard
Step 1: Dashboards
- Go to “Dashboards”
- Click “Create New Dashboard”
Step 2: Add panels
Panel 1:
- Failed logins over time
Panel 2:
- Top attacking IPs
Panel 3:
- Targeted users
---
10. Final lab outcome
At the end of the lab, you will have:
- Detected a brute force attack
- Identified a malicious IP
- Configured a SOC alert
- Built a monitoring dashboard
- Understood SOC L1 workflow
---
11. Prevention (SOC best practices)
- Block suspicious IPs (firewall)
- Enable MFA
- Limit login attempts
- Continuous SIEM monitoring
- Use tools like Fail2ban (Linux)
---
Conclusion
This Splunk lab simulates a real SOC environment:
- Log collection
- Threat detection
- Investigation
- Response
- Automation
Copyright © All rights reserved.