This project simulates a small-scale Security Operations Center (SOC) using Splunk, Sysmon, Splunk Universal Forwarder, and Atomic Red Team. The lab demonstrates real-world threat detection, alerting, and correlation of attacker behavior mapped to the MITRE ATT&CK framework.
In this lab, a Windows 10 virtual machine served as the victim, and the attacker behavior was simulated directly on it, while an Ubuntu Server VM hosted Splunk Enterprise as the SIEM that ingests the logs and runs the detections. Windows Security and Sysmon events were forwarded with Splunk Universal Forwarder; Sysmon (SwiftOnSecurity configuration) provided the deep process, registry, and network telemetry. Atomic Red Team was used to safely simulate adversary techniques such as:
- Brute force login attempts
- Suspicious PowerShell execution
- Registry-based persistence
Multiple Splunk reports, a dashboard, alerts, and correlation searches were implemented to detect these behaviors in real time.
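As an added example (not a file from this repository), the two Universal Forwarder configuration files that make the architecture above work: `inputs.conf` names the Security channel and the Sysmon operational channel to collect, and `outputs.conf` points the forwarder at the Ubuntu SIEM. The channel names are the real Windows channel names; the index names and the 192.168.56.10 address (a VirtualBox host-only network) are assumptions.

```ini
; Added example. Place under
; C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
; Index names are assumptions and must already exist on the Splunk server,
; otherwise the events are dropped at ingest.
[WinEventLog://Security]
disabled = 0
renderXml = true
index = wineventlog

; Sysmon writes to its own operational channel, not to Security or System.
; Forgetting this stanza is the usual reason "no Sysmon events in Splunk".
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = sysmon

; Added example. Place under
; C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
; 192.168.56.10 is an assumed host-only address for the Ubuntu Splunk VM.
[tcpout]
defaultGroup = splunk_indexer

[tcpout:splunk_indexer]
server = 192.168.56.10:9997
```

On the Ubuntu server, enable receiving with `splunk enable listen 9997`, create the `wineventlog` and `sysmon` indexes, and install the Splunk Add-on for Microsoft Windows and the Splunk Add-on for Sysmon so that fields such as `EventCode`, `Image`, and `TargetObject` are extracted. With `renderXml = true` the sourcetypes become `XmlWinEventLog:Security` and `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`. After restarting the forwarder, `index=sysmon EventCode=1 | head 5` is a quick check that process-creation telemetry is arriving.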
- Splunk Enterprise
- Splunk Universal Forwarder
- Sysmon (SwiftOnSecurity config)
- Atomic Red Team (Invoke-AtomicRedTeam)
- Windows 10 VM (Victim Machine)
- Ubuntu Server 22.04 VM (SIEM Server)
- VirtualBox
| Use Case | Technique ID | Technique Name |
|---|---|---|
| Suspicious PowerShell Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Brute Force Login Attempts | T1110.001 | Brute Force: Password Guessing |
| Registry Key Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Brute Force Followed by Successful Login | T1110 + T1078 | Brute Force, then Valid Accounts (successful logon after repeated failures) |
| PowerShell Followed by Registry Persistence | T1059.001 + T1547.001 | PowerShell, then Registry Run Keys (multi-stage persistence) |
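The fourth row of the table as a Splunk search, added here as an example rather than copied from the lab's saved reports. It correlates Windows Security logon failures (4625) with a later success (4624) for the same account on the same host. It assumes the Security events land in an index named `wineventlog` and that the Splunk Add-on for Microsoft Windows has normalized the account into the `user` field; the threshold of five failures within five minutes is an assumed tuning value.

```spl
index=wineventlog sourcetype="XmlWinEventLog:Security" EventCode IN (4624, 4625) NOT user="*$"
| eval outcome=if(EventCode=4625, "failure", "success")
| sort 0 _time
| streamstats time_window=5m count(eval(outcome="failure")) AS recent_failures by host, user
| where outcome="success" AND recent_failures>=5
| table _time host user src_ip recent_failures
```

`sort 0 _time` puts the events in ascending order so that `streamstats` counts only the failures that precede each event within the five-minute window; the `where` clause then keeps the successful logon that closes the burst. `NOT user="*$"` drops machine accounts, which log constant 4624 noise. The single-stage T1110.001 alert is the same search without the success condition: `| stats count(eval(outcome="failure")) AS failures by host, user | where failures>=5`. To run it as an alert, schedule it every five minutes over `earliest=-10m` so that a burst straddling two runs is still seen.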
- Real-time dashboards with visual panels
- Alerts triggered by detection logic
- Correlation rules for multi-stage attack detection
- Reports saved for correlation use cases
- Set up VMs with VirtualBox: Windows 10 (Victim machine) and Ubuntu Server (Splunk)
- Install Splunk Enterprise on Ubuntu Server
- Install Splunk Universal Forwarder + Sysmon on Windows 10 VM
- Ingest logs into Splunk, verify via search
- Simulate attacks using Atomic Red Team on Windows
- Visualize detections in dashboards
- Set alerts for real-time detection
- Run correlation SPL queries and save as reports
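The PowerShell-then-persistence correlation from the last step, as an added example that is not one of the lab's own saved reports. It uses Sysmon Event ID 1 (process create) for the PowerShell launch and Event ID 13 (registry value set) for the write to a `CurrentVersion\Run` key, which the SwiftOnSecurity configuration logs. The `sysmon` index name and the ten-minute window are assumptions; the field names are those extracted by the Splunk Add-on for Sysmon.

```spl
index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    ((EventCode=1 Image="*\\powershell.exe") OR (EventCode=13 TargetObject="*\\CurrentVersion\\Run*"))
| eval stage=case(EventCode=1, "powershell_start", EventCode=13, "run_key_write")
| sort 0 _time
| streamstats time_window=10m count(eval(stage="powershell_start")) AS recent_ps by host
| where stage="run_key_write" AND recent_ps>0
| table _time host User Image TargetObject Details recent_ps
```

The `TargetObject` pattern deliberately also matches `RunOnce` and similar keys. In the Event ID 13 row, `Image` is the process that wrote the value (powershell.exe when the script writes the key itself, reg.exe when it shells out) and `Details` is the command that will run at logon, so both belong in the report. A tighter variant joins the two stages on `ProcessGuid` instead of a time window, at the cost of missing persistence written by a child process. Save the search with Save As > Report for the correlation use case, and schedule the same search as an alert over `earliest=-15m` every ten minutes.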
- Configured log forwarding & Sysmon for visibility
- Simulated MITRE ATT&CK-mapped attacks using Atomic Red Team
- Developed a dashboard, alerts, and multi-event correlation SPL reports
- Strengthened SIEM analysis and detection engineering skills
You can find screenshots of the dashboard panels, alerts, reports, and test results in the /screenshots/ folder.