PattonJL/splunk-siem-fundamentals
Windows Security Event Analysis Lab

This project demonstrates the collection, processing, ingestion, and analysis of Windows Security Event Logs in Splunk. It simulates a SOC-style investigation workflow and produces detections and findings from real endpoint telemetry: events generated on the lab's Windows VM rather than synthetic log data.

Objectives

  • Collect Windows Security events from a monitored endpoint
  • Normalize and ingest log data into Splunk
  • Analyze authentication, privilege, and group activity
  • Build repeatable detections and document security findings

Lab Environment

  • Windows 10 virtual machine (endpoint under analysis)
  • Splunk Enterprise (SIEM)
  • PowerShell for data processing
  • VirtualBox for virtualization

Data Collection

Windows Security logs were exported from the endpoint in EVTX format and transferred to the analysis system.


Data Processing

The EVTX log file was converted to JSON before ingestion into Splunk, one JSON object per line. This normalizes the data into a format that is line-oriented (one event per line), easy to parse, and picked up by Splunk's built-in JSON field extraction (the _json sourcetype, or any sourcetype with KV_MODE = json). This approach mirrors common incident response and forensic workflows where raw event logs are transformed into analysis-friendly formats.
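The collection and processing steps above, as one added PowerShell example. This is not the repository's own script: the paths C:\Lab\Security.evtx and C:\Lab\security.json are assumed, and the export must run elevated on the Windows 10 endpoint. The output is NDJSON, one flattened event per line, with the EventData fields keeping the names Windows gives them (TargetUserName, IpAddress, LogonType, SubjectUserName), so later SPL can reference them directly.

```powershell
# Added example (not the repository's own script). Assumed: the lab paths below and
# that this runs elevated on the Windows 10 endpoint, which exporting the Security
# channel requires. Output is NDJSON: one flattened event per line, ready for Splunk.
$EvtxPath = 'C:\Lab\Security.evtx'
$JsonPath = 'C:\Lab\security.json'

# 1. Export the live Security channel to a standalone .evtx (/ow:true overwrites a stale copy).
wevtutil epl Security $EvtxPath /ow:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil export failed with exit code $LASTEXITCODE" }

# Hash the export before it leaves the endpoint so the copy on the analysis system can be verified.
(Get-FileHash -Path $EvtxPath -Algorithm SHA256).Hash | Set-Content -Path "$EvtxPath.sha256"

# 2. Flatten each record. Get-WinEvent exposes only Message and an unnamed Properties
#    array; the named EventData fields (TargetUserName, LogonType, IpAddress, ...) are in
#    the event XML, so they are read from there and keep Windows' own field names.
function ConvertTo-FlatEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $flat = [ordered]@{
        TimeCreated = $Record.TimeCreated.ToUniversalTime().ToString('o')   # ISO 8601, UTC
        EventID     = $Record.Id
        RecordId    = $Record.RecordId
        Computer    = $xml.Event.System.Computer
    }
    # Some events carry UserData instead of EventData; only flatten when EventData exists.
    if ($xml.Event.EventData) {
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $flat[$d.Name] = $d.'#text' }
        }
    }
    return $flat
}

$writer = [System.IO.StreamWriter]::new($JsonPath, $false, [System.Text.UTF8Encoding]::new($false))
$count = 0
try {
    # Stream record by record: a Security log can hold hundreds of thousands of events.
    Get-WinEvent -Path $EvtxPath -Oldest | ForEach-Object {
        $writer.WriteLine((ConvertTo-FlatEvent $_ | ConvertTo-Json -Compress))
        $count++
    }
} finally {
    $writer.Close()
}
"Wrote $count events to $JsonPath"
```

The timestamp is written in ISO 8601 UTC so Splunk's timestamp extraction assigns each event its original time rather than the ingestion time. Copying the .sha256 file alongside the export and re-running Get-FileHash on the analysis system confirms the log was not altered in transit, which matters if the findings are ever used outside the lab.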


Ingestion

The processed log data was ingested into Splunk using a dedicated index (security_lab) and a custom host value representing the monitored endpoint.
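One way to perform this ingestion from the command line, added here as an example and not the lab's own ingestion step (the lab may have used the Add Data wizard instead). It assumes PowerShell 7, an HTTP Event Collector enabled on the Splunk host with a token in the SPLUNK_HEC_TOKEN environment variable, the hostname splunk.lab.local, the host value WIN10-LAB for the monitored endpoint, and the NDJSON file produced by the processing step.

```powershell
# Added example, not the repository's own ingestion step. Assumed: PowerShell 7 (for
# -SkipCertificateCheck against the lab's self-signed HEC certificate), an HEC token in
# $env:SPLUNK_HEC_TOKEN, the hostname splunk.lab.local and the host value WIN10-LAB.
$HecUri    = 'https://splunk.lab.local:8088/services/collector/event'
$HecToken  = $env:SPLUNK_HEC_TOKEN   # never hard-code the token in a script that gets committed
$Index     = 'security_lab'          # dedicated lab index from the README
$HostName  = 'WIN10-LAB'             # custom host value representing the monitored endpoint
$JsonPath  = 'C:\Lab\security.json'
$BatchSize = 500

$headers = @{ Authorization = "Splunk $HecToken" }

function ConvertTo-Epoch($t) {
    # ConvertFrom-Json may already have turned the ISO 8601 string into a [datetime].
    $dto = if ($t -is [datetime]) { [DateTimeOffset]$t } else { [DateTimeOffset]::Parse($t) }
    return $dto.ToUnixTimeSeconds()
}

function Send-Batch {
    param([string[]]$Lines)
    # HEC accepts several JSON objects concatenated in one body. Each carries its own
    # time/host/index so Splunk indexes the event's real timestamp, not the upload time.
    $body = foreach ($line in $Lines) {
        $ev = $line | ConvertFrom-Json
        @{
            time       = ConvertTo-Epoch $ev.TimeCreated
            host       = $HostName
            index      = $Index
            sourcetype = '_json'                 # built-in sourcetype: JSON fields extracted at search time
            source     = 'WinEventLog:Security'
            event      = $ev
        } | ConvertTo-Json -Compress -Depth 5
    }
    $resp = Invoke-RestMethod -Method Post -Uri $HecUri -Headers $headers `
                -ContentType 'application/json' -Body ($body -join "`n") -SkipCertificateCheck
    if ($resp.code -ne 0) { throw "HEC rejected batch: $($resp.text)" }
}

$batch = [System.Collections.Generic.List[string]]::new()
$sent = 0
foreach ($line in [System.IO.File]::ReadLines($JsonPath)) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    $batch.Add($line)
    if ($batch.Count -ge $BatchSize) { Send-Batch $batch; $sent += $batch.Count; $batch.Clear() }
}
if ($batch.Count -gt 0) { Send-Batch $batch; $sent += $batch.Count }
"Sent $sent events to index $Index as host $HostName"
```

After the upload, a quick check in Splunk such as index=security_lab host=WIN10-LAB | stats count by EventID should report the same total as the script printed, and the EventID counts should match the event-count screenshots taken from the endpoint; a mismatch usually means events were rejected (bad timestamp, oversized batch) or indexed under the wrong host.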


Analysis Outputs

  • notes/findings.md — Security findings and interpretations based on observed log patterns
  • notes/detections.md — SPL-based detections and explanations for what they identify and why they matter
  • queries/ — Screenshots of detection queries and results
  • screenshots/ — Supporting screenshots (event counts, raw examples, data processing steps)

Detection Summary (SOC-style)

  • Repeated Event ID 4625 failed logons consistent with brute-force or password guessing activity
  • Event ID 4624 successful authentication following multiple failures (potential compromise indicator)
  • Event ID 4720 creation of a new local user account (possible persistence mechanism)
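The three detections in the summary, implemented as an added PowerShell example over constructed sample events in the same NDJSON shape the processing step produces. This is not the SPL from notes/detections.md; an equivalent SPL query is given in the comment above each function. The field names are the ones Windows emits in EventData, and the threshold of 5 failed logons within 10 minutes is an assumption to be tuned per environment.

```powershell
# Added example, not the SPL from notes/detections.md. Assumed: Windows EventData field
# names (TargetUserName, IpAddress, LogonType, SubjectUserName) and a threshold of
# 5 failures in 10 minutes. The sample events below are constructed for this example.
$Sample = @'
{"TimeCreated":"2024-03-01T09:00:00Z","EventID":4625,"TargetUserName":"jsmith","IpAddress":"10.0.0.5","LogonType":"3","Status":"0xc000006d","SubStatus":"0xc000006a"}
{"TimeCreated":"2024-03-01T09:00:30Z","EventID":4625,"TargetUserName":"jsmith","IpAddress":"10.0.0.5","LogonType":"3","Status":"0xc000006d","SubStatus":"0xc000006a"}
{"TimeCreated":"2024-03-01T09:01:00Z","EventID":4625,"TargetUserName":"admin","IpAddress":"10.0.0.9","LogonType":"3","Status":"0xc000006d","SubStatus":"0xc000006a"}
{"TimeCreated":"2024-03-01T09:01:00Z","EventID":4625,"TargetUserName":"jsmith","IpAddress":"10.0.0.5","LogonType":"3","Status":"0xc000006d","SubStatus":"0xc000006a"}
{"TimeCreated":"2024-03-01T09:01:30Z","EventID":4625,"TargetUserName":"jsmith","IpAddress":"10.0.0.5","LogonType":"3","Status":"0xc000006d","SubStatus":"0xc000006a"}
{"TimeCreated":"2024-03-01T09:02:00Z","EventID":4625,"TargetUserName":"jsmith","IpAddress":"10.0.0.5","LogonType":"3","Status":"0xc000006d","SubStatus":"0xc000006a"}
{"TimeCreated":"2024-03-01T09:02:30Z","EventID":4625,"TargetUserName":"jsmith","IpAddress":"10.0.0.5","LogonType":"3","Status":"0xc000006d","SubStatus":"0xc000006a"}
{"TimeCreated":"2024-03-01T09:03:00Z","EventID":4624,"TargetUserName":"jsmith","IpAddress":"10.0.0.5","LogonType":"3"}
{"TimeCreated":"2024-03-01T09:04:00Z","EventID":4624,"TargetUserName":"alice","IpAddress":"10.0.0.7","LogonType":"3"}
{"TimeCreated":"2024-03-01T09:05:00Z","EventID":4720,"SubjectUserName":"jsmith","TargetUserName":"svc_backup","TargetSid":"S-1-5-21-1111-2222-3333-1005"}
'@
# Six failures for jsmith from 10.0.0.5, then a success for the same account from the
# same source, then that account creates a new user. The lone admin failure and alice's
# logon are benign noise that must not alert.

function ConvertTo-Time($t) {
    # ConvertFrom-Json may already have turned the ISO 8601 string into a [datetime].
    if ($t -is [datetime]) { [DateTimeOffset]$t } else { [DateTimeOffset]::Parse($t) }
}
$Events = $Sample -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $e = $_ | ConvertFrom-Json
    $e | Add-Member -NotePropertyName Time -NotePropertyValue (ConvertTo-Time $e.TimeCreated) -PassThru
} | Sort-Object Time

# SPL: index=security_lab EventID=4625
#      | stats count, min(_time) AS first, max(_time) AS last BY IpAddress, TargetUserName
#      | where count >= 5 AND last - first <= 600
function Find-BruteForce {
    param($Events, [int]$Threshold = 5, [TimeSpan]$Window = [TimeSpan]::FromMinutes(10))
    $Events | Where-Object { $_.EventID -eq 4625 } | Group-Object IpAddress, TargetUserName | ForEach-Object {
        $fails = @($_.Group | Sort-Object Time)
        # Sliding window: alert once if any $Threshold consecutive failures fall inside $Window.
        for ($i = 0; $i + $Threshold - 1 -lt $fails.Count; $i++) {
            if (($fails[$i + $Threshold - 1].Time - $fails[$i].Time) -le $Window) {
                [pscustomobject]@{ Detection = 'Repeated 4625'; IpAddress = $fails[0].IpAddress
                                   TargetUserName = $fails[0].TargetUserName; Failures = $fails.Count
                                   First = $fails[0].Time; Last = $fails[-1].Time }
                break
            }
        }
    }
}

# SPL: index=security_lab EventID IN (4624, 4625) | sort 0 _time
#      | streamstats count(eval(EventID=4625)) AS prior_failures time_window=10m BY TargetUserName, IpAddress
#      | where EventID=4624 AND prior_failures >= 5
function Find-SuccessAfterFailures {
    param($Events, [int]$Threshold = 5, [TimeSpan]$Window = [TimeSpan]::FromMinutes(10))
    $fails = @($Events | Where-Object { $_.EventID -eq 4625 })
    foreach ($ok in @($Events | Where-Object { $_.EventID -eq 4624 })) {
        # Only failures for the same account from the same source inside the window count.
        $prior = @($fails | Where-Object {
            $_.TargetUserName -eq $ok.TargetUserName -and $_.IpAddress -eq $ok.IpAddress -and
            $_.Time -le $ok.Time -and ($ok.Time - $_.Time) -le $Window })
        if ($prior.Count -ge $Threshold) {
            [pscustomobject]@{ Detection = '4624 after failures'; IpAddress = $ok.IpAddress
                               TargetUserName = $ok.TargetUserName; LogonType = $ok.LogonType
                               PriorFailures = $prior.Count; Time = $ok.Time }
        }
    }
}

# SPL: index=security_lab EventID=4720 | table _time, SubjectUserName, TargetUserName, TargetSid
function Find-NewAccount {
    param($Events, [string[]]$SuspectAccounts = @())
    $Events | Where-Object { $_.EventID -eq 4720 } | ForEach-Object {
        [pscustomobject]@{ Detection = '4720 account created'; CreatedBy = $_.SubjectUserName
                           NewAccount = $_.TargetUserName; TargetSid = $_.TargetSid; Time = $_.Time
                           # Escalate when the creator is an account that just logged on after a failure burst.
                           Escalate = $SuspectAccounts -contains $_.SubjectUserName }
    }
}

$burst   = @(Find-BruteForce $Events)                                                   # 1 hit: jsmith from 10.0.0.5
$success = @(Find-SuccessAfterFailures $Events)                                         # 1 hit: jsmith, 6 prior failures
$created = @(Find-NewAccount $Events -SuspectAccounts $success.TargetUserName)          # 1 hit: svc_backup, Escalate = True
$burst   | Format-Table -AutoSize
$success | Format-Table -AutoSize
$created | Format-Table -AutoSize
```

Two fields are worth carrying into the findings when tuning these. The 4625 SubStatus separates password guessing from spraying: 0xC000006A is a valid account with the wrong password, 0xC0000064 is an account that does not exist. The 4624 LogonType says how the success happened: 3 (network) or 10 (RDP) from the same source as the failures is far more suspicious than a 7 (workstation unlock) from the console, which a stats-only query will happily count as well.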

Key Skills Demonstrated

  • Windows Security Event interpretation
  • Log normalization and transformation
  • Splunk SPL detection development
  • Security event correlation and analysis
  • Documentation and reporting

Disclaimer

This project uses lab-generated data for educational and portfolio purposes only.

About

SOC-style SIEM lab using Splunk to ingest and detect Windows security events.
