SOC Automation with Splunk

End-to-end detection engineering lab covering brute-force credential attack identification, SPL-based alert logic, structured triage methodology, and repeatable SOC response workflow design.

Objective

Turn authentication noise into analyst-ready signal.

Identify anomalous authentication patterns, reduce alert fatigue through threshold tuning, and convert raw event data into a structured, repeatable analyst response workflow.

1. Data Ingestion

Ingested and normalized Windows Security Event Logs (Event ID 4625, "An account failed to log on") in Splunk Enterprise, extracting source IP, target account, and timestamp fields for structured analysis.

2. Detection Logic

Developed SPL queries to correlate failed logon volume by source IP, user account, and time window to surface brute-force indicators.

3. Triage and Validation

Reviewed correlated event data, applied threshold tuning to reduce false positive rates, and documented analyst decision points.

4. Response Framework

Defined structured analyst actions, escalation criteria, and reusable case notes for repeatable SOC incident handling.
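The following is an added worked example, not the lab's own SPL or code: steps 2 through 4 (per-source correlation of failed logons in a time window, threshold tuning, and the analyst action mapping) implemented in Python over constructed Event ID 4625 records. The field names _time, src_ip and user are an assumption about the fields extracted in step 1, the SPL in the docstring is an illustrative equivalent rather than the lab's query, and the action text is illustrative. It goes slightly beyond the page by also flagging one source failing against many distinct accounts (password spraying), which the same per-IP correlation catches through a distinct-account count that a raw failure threshold would miss.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _make_events():
    """Constructed sample 4625 events (not real logs). Field names are an
    assumption modelled on the Splunk Windows field extractions."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    events = []
    # 25 failures against one account from one IP inside 4 minutes: brute force
    for i in range(25):
        events.append({"_time": base + timedelta(seconds=10 * i),
                       "src_ip": "203.0.113.10", "user": "svc_backup"})
    # one failure each against 12 different accounts from one IP: password spray
    for i in range(12):
        events.append({"_time": base + timedelta(seconds=20 * i),
                       "src_ip": "198.51.100.7", "user": f"user{i:02d}"})
    # 3 failures spread over 14 minutes from a workstation: typo noise
    for i in range(3):
        events.append({"_time": base + timedelta(minutes=7 * i),
                       "src_ip": "10.0.0.5", "user": "jdoe"})
    return events


SAMPLE_EVENTS = _make_events()


def detect_bruteforce(events, window=timedelta(minutes=5),
                      fail_threshold=20, spray_accounts=10):
    """Correlate failed logons per source IP over a sliding time window.

    Illustrative (assumed, not the lab's) fixed-bucket SPL equivalent:
        index=wineventlog EventCode=4625
        | bin _time span=5m
        | stats count dc(user) AS accounts values(user) AS users BY src_ip _time
        | where count >= 20 OR accounts >= 10
    A sliding window is used here so a burst straddling a bucket boundary
    is not split into two sub-threshold halves. One alert per source IP:
    the window with the most failures.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for src_ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["_time"])
        best, j = None, 0
        for i, start in enumerate(evs):
            # advance j to the first event outside [start, start + window]
            while j < len(evs) and evs[j]["_time"] - start["_time"] <= window:
                j += 1
            span = evs[i:j]
            users = {e["user"] for e in span}
            if len(users) >= spray_accounts:
                kind = "password_spray"
            elif len(span) >= fail_threshold:
                kind = "brute_force"
            else:
                continue
            cand = {"src_ip": src_ip, "window_start": start["_time"],
                    "failures": len(span), "accounts": sorted(users), "kind": kind}
            if best is None or cand["failures"] > best["failures"]:
                best = cand
        if best is not None:
            alerts.append(best)
    return alerts


def alerts_by_threshold(events, thresholds):
    """Threshold tuning aid: alert count per candidate failure threshold, to
    pick a value that drops typo noise without losing the real bursts."""
    return {t: len(detect_bruteforce(events, fail_threshold=t)) for t in thresholds}


# Illustrative analyst actions per alert kind (assumed, not the lab's playbook).
ACTIONS = {
    "brute_force": "block src_ip at the perimeter; check the targeted account "
                   "for lockout and for any 4624 success after the burst",
    "password_spray": "escalate to IR; block src_ip; review all targeted "
                      "accounts for a single success and force credential reset",
}


def triage(alert, escalate_failures=50):
    """Attach severity, escalation decision and action to an alert."""
    high = alert["kind"] == "password_spray" or alert["failures"] >= escalate_failures
    severity = "high" if high else "medium"
    return {**alert, "severity": severity, "escalate": high,
            "action": ACTIONS[alert["kind"]]}


if __name__ == "__main__":
    print("alerts per threshold:", alerts_by_threshold(SAMPLE_EVENTS, (1, 5, 30)))
    for a in detect_bruteforce(SAMPLE_EVENTS):
        t = triage(a)
        print(f"{t['src_ip']} {t['kind']} failures={t['failures']} "
              f"accounts={len(t['accounts'])} severity={t['severity']} "
              f"escalate={t['escalate']}")
```

Running it with the default thresholds yields two alerts (the brute-force source and the spray source) and none for the workstation, while the threshold sweep shows the trade-off the lab's tuning step is about: a threshold of 1 also fires on the typo noise, and a threshold of 30 loses the 25-failure brute-force burst, leaving only the spray that the distinct-account rule catches.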