Building a Custom SIEM: Threat Detection with Splunk
Project Overview
I was tasked with building a custom security monitoring environment using Splunk for Virtual Space Industries (VSI). VSI, a company specializing in virtual-reality programs, suspected potential cyberattacks from their competitor, JobeCorp. My objective was to monitor VSI’s systems, detect threats, and respond to simulated attacks.
A full presentation which was shared with senior management is available at the end of this post.
Building the Defensive Solution
I developed a defensive solution using Splunk tools, created baselines from past logs, and set up alerts, reports, and dashboards. I also added the Website Monitoring App for Splunk. This app provides real-time visibility into the health and performance of web services. It monitors metrics like response times, HTTP errors, and unusual traffic patterns and then integrates those insights into VSI’s SIEM for proactive threat detection.
Log Analysis
I uploaded historical Windows and Apache logs into Splunk. I analysed the logs to create baselines and then designed custom alerts, reports, and dashboards for VSI.
Reports Created
Report Name | Description |
---|---|
Signature ID Overview | Lists unique Windows activity signatures for quick identification. |
Severity Levels Overview | Displays count/percentage of each severity level to assess security posture. |
Success vs. Failure Analysis | Compares success/failure rates of activities to detect anomalies. |
HTTP Methods Activity Overview | Shows HTTP request types used on VSI’s web server. |
Top Referring Domains Analysis | Identifies top domains sending traffic to VSI. |
HTTP Response Codes Summary | Highlights response code trends to detect anomalies. |
Alerts Created
Alert Name | Description | Baseline | Threshold |
---|---|---|---|
Failed Windows Activity | Triggers when failed login attempts exceed threshold. This alert helps detect potential brute-force attacks, allowing the SOC to respond quickly to suspicious activities and enhance VSI’s security. | 6 | 9 |
Deleted User | Detects excessive user account deletions. A threshold of 20 signifies a notable increase in account deletions, which may indicate malicious activity or policy violations. | 13 | 20 |
Successful Logins | Identifies unusual spikes in successful logins. A threshold of 20 indicates a significant increase in logins, suggesting potential security risks like brute-force attacks. | 13 | 20 |
Non-U.S. Traffic | Detects unusual international activity spikes. A threshold of 130 is important for identifying spikes in international traffic, which could suggest potential security threats or unauthorised access attempts. Monitoring this alert enables the SOC to respond promptly to any suspicious activity. | 120 | 130 |
HTTP POST Volume | Identifies potential web application attacks. A threshold of 10 is critical for detecting potential security incidents, such as data exfiltration or web application attacks. By monitoring this alert, the SOC can quickly investigate any spikes in POST activity. | 7 | 10 |
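As an added example (not part of the original project, whose alerts were scheduled Splunk searches), the baseline-and-threshold logic of the alert table above expressed in Python: events are bucketed per hour and an alert fires when a bucket's count exceeds the table's threshold. The event schema (`source`, `type`, `status`, `method`, `country`) and the sample events are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Thresholds copied from the alert table (events per hour); an alert fires
# when the hourly count exceeds the threshold.
THRESHOLDS = {
    "failed_windows_activity": 9,
    "deleted_user": 20,
    "successful_logins": 20,
    "non_us_traffic": 130,
    "http_post_volume": 10,
}

def classify(source, fields):
    """Map one event to the alert counters it contributes to (constructed schema)."""
    keys = []
    if source == "windows":
        if fields.get("status") == "failure":
            keys.append("failed_windows_activity")
        elif fields.get("type") == "logon" and fields.get("status") == "success":
            keys.append("successful_logins")
        if fields.get("type") == "user_deleted":
            keys.append("deleted_user")
    elif source == "apache":
        if fields.get("country") != "US":
            keys.append("non_us_traffic")
        if fields.get("method") == "POST":
            keys.append("http_post_volume")
    return keys

def hourly_counts(events):
    """Bucket events by hour (like Splunk's span=1h) and count per alert key."""
    counts = defaultdict(Counter)
    for ts, source, fields in events:
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        for key in classify(source, fields):
            counts[hour][key] += 1
    return counts

def evaluate_alerts(events, thresholds=THRESHOLDS):
    """Return (hour, alert, count) for every bucket that exceeds its threshold."""
    fired = []
    for hour, c in sorted(hourly_counts(events).items()):
        for alert, limit in thresholds.items():
            if c[alert] > limit:
                fired.append((hour, alert, c[alert]))
    return fired

def sample_events():
    """Constructed sample, not VSI data: a noisy 09:00 hour and a quiet 10:00 hour."""
    ev = [(f"2024-03-25T09:{m:02d}:00", "windows", {"type": "logon", "status": "failure"}) for m in range(12)]
    ev += [(f"2024-03-25T09:{m:02d}:00", "apache", {"method": "POST", "country": "US"}) for m in range(11)]
    ev += [(f"2024-03-25T10:{m:02d}:00", "windows", {"type": "logon", "status": "failure"}) for m in range(5)]
    ev += [(f"2024-03-25T10:{m:02d}:00", "windows", {"type": "logon", "status": "success"}) for m in range(3)]
    ev += [(f"2024-03-25T10:{m:02d}:00", "apache", {"method": "GET", "country": "UA"}) for m in range(4)]
    return ev
```

Running `evaluate_alerts(sample_events())` fires only the two 09:00 alerts; the 10:00 counts sit within the baselines and stay silent, which is the behaviour the thresholds are meant to produce.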
Attack Analysis
VSI recently suffered multiple cyberattacks, likely from adversary JobeCorp, disrupting several systems. Fortunately, newly implemented monitoring solutions helped identify the targeted systems — Windows and Apache servers.
Management provided additional logs covering the attack period. My task was to analyze these “attack logs”. This analysis will assess the effectiveness of my security solution and inform future mitigation strategies.
Attack Summary: Report Findings and Alert Analysis
Report Name | Findings | Alert Triggered | Threshold Review |
---|---|---|---|
Failed Windows Activity | Peak of 25 failed activities, 6 related to password resets | Yes | No changes needed |
Successful Logins | 1,970 successful logins between 01:00 - 03:00, peak at 09:00 - 11:00 | Yes | No changes needed |
Deleted Accounts | No significant outliers detected | No | N/A |
HTTP Methods Activity | GET surged to 729, POST spiked to 1,296 | Yes | No changes needed |
HTTP Response Codes | 404 errors increased by 190%, 200 responses dropped by 58% | No | N/A |
International Activity | 937 requests from Ukraine, exceeding threshold | Yes | No changes needed |
Summary and Future Mitigations
Overall Findings from the Attack
Activity | Conclusion |
---|---|
Windows - User A | Multiple failed login attempts, possible brute force attack |
Windows - User K | Unusual access times, potential unauthorized access |
Windows - Login Anomalies | Spikes in login attempts during peak hours |
Apache - HTTP Methods | POST requests surged to 1,296; GET requests rose to 729; HEAD increased to 8 (possible reconnaissance) |
Apache - International Activity | 937 requests from Ukraine (Kiev: 440, Kharkiv: 432), indicating targeted attack |
Recommended Future Mitigations
- Account Lockout Policies: Lock accounts after multiple failed login attempts, especially for User A.
- Enhanced Monitoring: Use real-time monitoring for unusual patterns, focusing on User K.
- Rate Limiting: Set thresholds to control excessive requests from single sources.
- Web Application Firewall (WAF): Deploy to filter malicious requests and protect sensitive URIs.
Full Presentation
For a detailed breakdown of the findings, reports, alerts, and Splunk dashboards, view the full VSI Security Monitoring Environment Presentation here: