A practical, hands-on SOC detection engineering project.
Covers log engineering, SIEM ingestion, detection logic, alert triage, and incident reporting.
- Overview
- Lab Architecture
- Day-by-Day Progress
- Repository Structure
- Skills Demonstrated
- Next Steps
- How to Use This Repo
- License
This project simulates an end-to-end SOC workflow:
- Windows audit policy + Sysmon baseline
- Splunk SIEM onboarding
- Detection engineering using SPL
- Alert triage with evidence collection
- Full SOC investigation report
- A polished, recruiter-ready portfolio project
It demonstrates real-world blue team and detection engineering capability.
flowchart LR
subgraph Endpoint["Windows Endpoint"]
A1["Windows Security Logs"]
A2["Sysmon Telemetry"]
end
subgraph Forwarding["Event Forwarding Layer"]
B["Forwarder"]
end
subgraph Splunk["Splunk SIEM"]
C1["Inputs - WinEventLog and Sysmon"]
C2["Indexing Layer (main index)"]
C3["Detection Rules - SPL"]
C4["Alert Triggering - Correlation"]
end
subgraph SOC["SOC Workflow"]
D1["Triage - Enrichment and Verdict"]
D2["Final SOC Report"]
end
A1 --> B
A2 --> B
B --> C1
C1 --> C2
C1 --> C3
C3 --> C4
C4 --> D1
D1 --> D2
- Enabled Windows Audit Policy
- Installed Sysmon with hardened config
- Verified 4624/4625 + Sysmon logs
Docs: day01-log-setup.md
Evidence: evidence/day01/
- Installed Splunk
- Ingested WinEventLog + Sysmon
- Verified indexing + sourcetypes
Docs: day02-siem-setup.md
Evidence: evidence/day02/
- Queried 7 days of authentication events
- Exported Sysmon Event ID 1
- Stored CSV datasets
Docs: day03-ingest.md
Evidence: evidence/day03/
- Excessive failed logons SPL
- Success-after-failure detection
- LOLBins behavior analysis
Docs: day04-detections.md
Evidence: evidence/day04/
- Triggered authentication anomaly
- Performed enrichment
- Correlated 4625 + Sysmon
- Determined false positive
- ATT&CK: T1110
Docs: day05-triage.md
Evidence: evidence/day05/
- Executive summary
- Findings
- Recommendations
- Evidence documentation
Docs: day06-report.md
Evidence: evidence/day06/
- Final README
- Mermaid + PNG diagrams
- Repo cleanup
Evidence: evidence/day07/
.
βββ README.md # Full lab overview and instructions
βββ LICENSE # MIT license
β
βββ day01-log-setup.md # Day 1 β Audit Policy + Sysmon
βββ day02-siem-setup.md # Day 2 β Splunk onboarding
βββ day03-ingest.md # Day 3 β Dataset exports
βββ day04-detections.md # Day 4 β Detection engineering
βββ day05-triage.md # Day 5 β Alert triage
βββ day06-report.md # Day 6 β SOC investigation report
β
βββ evidence/
βββ day01/ # Baseline configuration evidence
βββ day02/ # SIEM screenshots + inputs
βββ day03/ # CSV dataset exports
βββ day04/ # Detection evidence
βββ day05/ # Triage screenshots + raw events
βββ day06/ # Report visuals (optional)
βββ day07/ # Architecture PNG
- Windows Audit Policy tuning
- Sysmon configuration
- Event ID mapping
- Data ingestion pipelines
- Sourcetype validation
- SPL correlation + detections
- Authentication anomaly logic
- Success-after-failure correlation
- LOLBins detection logic
- Triage workflow
- Event enrichment
- ATT&CK mapping
- False positive analysis
- Executive summary creation
- Findings + recommendations
- Evidence-based conclusions
- Add lateral movement detections
- Add persistence detections
- Expand Sysmon telemetry
- Build Splunk dashboards
- Add Purple Team simulation
Use this project as:
- A SOC portfolio showcase
- A Splunk detection engineering lab
- A triage workflow reference
- A template for blue team documentation
MIT License β see LICENSE.