Project Phases:
Windows Server Log Integration and Analysis
Apache Web Server Log Integration and Analysis
Development of Reports, Alerts, and Dashboards for Windows and Apache Servers
Deployment of Comprehensive Reporting Mechanisms
Installation of Splunk Add-On for Enhanced Monitoring Capabilities
Windows Server Log Activity
Comparing the normal and attack logs side by side makes anomalies stand out. The Windows Security logs (windows_server_logs.csv) capture routine activity on VSI's Windows server before the security event, while the Windows attack logs (windows_server_attack_logs.csv) record the suspicious or abnormal activity observed after it, signaling potential threats.
Windows Normal Log Activity
Windows Incident Log Activity
Windows Alerts
Three alerts were created and evaluated against the Windows attack logs:
The first alert, the Failed Windows Activity Alert, did not trigger on the attack logs even though its threshold had been set to 1-10 events per hour. If that figure was configured as a range, the alert fires only when the hourly count falls inside it and stays silent when a burst pushes the count above 10, so both the threshold and the trigger condition need to be reassessed against the volume actually present in the attack logs.
The second alert, the Successful Logins Alert, correctly flagged a suspicious volume of successful logins above its threshold. This confirms that it detects this class of activity; the threshold should still be tuned as the baseline and the threat picture change.
The third alert, the Deleted Accounts Alert, fired promptly on the abnormal number of account deletions. Continuous monitoring and periodic threshold adjustment keep alerts like this effective as the environment and the threats evolve.
Below is an example of one of the alerts:
Windows Interactive Dashboards
For the "Windows Server Monitoring" dashboard, I created multiple visualizations of the Windows server logs. To focus on the attack period, I changed each panel's data source from "windows_server_logs.csv" to "windows_server_attack_logs.csv", editing the panels individually so the new source was applied to every one. I then saved the dashboard and set the time range to "All Time" so that no events were excluded from the analysis.
Windows Normal Activity Dashboard
Windows Incident Activity Dashboard
Apache Log Activity
Comparing the normal and attack logs side by side makes irregularities easier to spot. The Apache web server logs (apache_logs.txt) record typical, routine activity on VSI's web server before the security event, while the Apache attack logs (apache_attack_logs.txt) record the suspicious or unusual activity observed after it, potentially indicating a security threat.
Apache Normal Log Activity
Apache Incident Log Activity
Apache Alerts
Two alerts were created and evaluated against the Apache attack logs:
The first alert, on abnormal international activity, fired because the number of requests from international sources in the hour(s) met its threshold, detecting a significant volume of such traffic. The result suggests reviewing the threshold so that future detections separate genuine anomalies from routine foreign traffic.
The second alert, on HTTP POST activity, fired because the count of POST requests in the hour(s) exceeded its threshold, identifying an abnormal surge. The threshold should likewise be reassessed to keep future alerts accurate.
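All five alerts above reduce to the same mechanism: filter events, count them per hour, and compare the count with a threshold. The following is an added example in Python (not part of the project, which ran these as Splunk searches) that reproduces the three Windows alerts and the two Apache alerts over constructed sample data. The CSV columns _time, signature and status, the Apache combined-log layout, the prefix-to-country map standing in for Splunk's iplocation, the specific threshold values, and every event in the sample are assumptions made for this demo. It also shows how a range trigger (1-10 per hour) and a greater-than trigger behave on the same burst of failed logons.

```python
"""Hourly-threshold alert logic for the Windows and Apache alerts above (added example).
Column names (_time, signature, status), the Apache log layout, the IP-to-country
map and every event below are constructed for this demo, not project data.
"""
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Apache combined log format: ip ident user [time] "method path proto" status ...
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Stand-in for Splunk's iplocation: constructed prefix -> country map (TEST-NET ranges).
GEO = {"198.51.100.": "United States", "203.0.113.": "Netherlands"}

def parse_windows_csv(text):
    """Parse rows (assumed columns _time,signature,status) and add an 'hour' key."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["_time"], "%Y-%m-%d %H:%M:%S")
        row["hour"] = ts.replace(minute=0, second=0)
        events.append(row)
    return events

def parse_apache(text):
    """Parse access-log lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m["ip"], "method": m["method"], "hour": ts.replace(minute=0, second=0)})
    return events

def country(ip):
    return next((c for prefix, c in GEO.items() if ip.startswith(prefix)), "unknown")

def hourly_counts(events, predicate):
    """Count, per hour, the events matching the alert's search filter."""
    return Counter(e["hour"] for e in events if predicate(e))

def hours_over(counts, threshold):
    """'Greater than' trigger: hours whose count exceeds the threshold."""
    return sorted(h for h, n in counts.items() if n > threshold)

def hours_in_range(counts, low, high):
    """Range trigger: fires only when low <= count <= high, so a burst above high is missed."""
    return sorted(h for h, n in counts.items() if low <= n <= high)

def windows_csv(rows):
    return "_time,signature,status\n" + "\n".join(",".join(r) for r in rows)

def apache_line(ip, hour, minute, method, path):
    return ('%s - - [25/Mar/2020:%02d:%02d:00 +0000] "%s %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
            % (ip, hour, minute, method, path))

# Constructed data: a quiet "normal" day and an "attack" day with hourly bursts.
NORMAL_WINDOWS = windows_csv([
    ("2020-03-25 09:05:00", "An account was successfully logged on", "success"),
    ("2020-03-25 09:40:00", "An account failed to log on", "failure"),
    ("2020-03-25 10:15:00", "An account was successfully logged on", "success"),
])
ATTACK_WINDOWS = windows_csv(
    [("2020-03-26 13:%02d:00" % m, "An account failed to log on", "failure") for m in range(0, 60, 2)]
    + [("2020-03-26 14:%02d:00" % m, "A user account was deleted", "success") for m in range(5)]
)
NORMAL_APACHE = "\n".join([
    apache_line("198.51.100.10", 9, 5, "GET", "/index.html"),
    apache_line("198.51.100.11", 9, 30, "POST", "/login"),
    apache_line("203.0.113.5", 10, 12, "GET", "/about.html"),
])
ATTACK_APACHE = "\n".join(
    apache_line("203.0.113.%d" % (i % 20 + 1), 11, i, "POST", "/wp-login.php") for i in range(60)
)

def run_alerts():
    """Evaluate each alert against the constructed logs; returns {alert: hours that fired}."""
    normal_w, attack_w = parse_windows_csv(NORMAL_WINDOWS), parse_windows_csv(ATTACK_WINDOWS)
    normal_a, attack_a = parse_apache(NORMAL_APACHE), parse_apache(ATTACK_APACHE)
    failed = lambda e: e["status"] == "failure"
    deleted = lambda e: e["signature"] == "A user account was deleted"
    post = lambda e: e["method"] == "POST"
    intl = lambda e: country(e["ip"]) != "United States"
    return {
        # 1-10 per hour configured as a range stays silent on the 30-failure burst
        "failed_range_1_10": hours_in_range(hourly_counts(attack_w, failed), 1, 10),
        "failed_over_10": hours_over(hourly_counts(attack_w, failed), 10),
        "deleted_over_0": hours_over(hourly_counts(attack_w, deleted), 0),
        "deleted_over_0_normal": hours_over(hourly_counts(normal_w, deleted), 0),
        "post_over_20": hours_over(hourly_counts(attack_a, post), 20),
        "post_over_20_normal": hours_over(hourly_counts(normal_a, post), 20),
        "intl_over_20": hours_over(hourly_counts(attack_a, intl), 20),
    }
```

Calling run_alerts() returns, per alert, the hours that would have fired. With this data the 1-10 range trigger returns nothing for an hour containing 30 failed logons while the greater-than-10 trigger returns that hour, which is the kind of mismatch to check first when an alert stays silent on logs known to contain an attack. The normal-day entries come back empty, which is the other half of tuning: a threshold that fires on the attack logs but not on the baseline.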
Below is an example of one of the reports:
Apache Interactive Dashboards
For the "Apache Web Server Monitoring" dashboard, I built several visualizations of web server activity, then switched each panel's data source from "apache_logs.txt" to "apache_attack_logs.txt" to analyze the attack logs. Each panel was edited individually to apply the change, the dashboard was saved, and the time range was set to "All Time" for a complete view of the data.
Apache Normal Dashboard
Apache Incident Dashboard
Splunk add-on Application: GreyNoise
The GreyNoise add-on for Splunk brings GreyNoise IP reputation data into Splunk, so analysts can identify and monitor traffic from IPs with suspicious reputations, create alerts that trigger on such activity, and visualize traffic by IP reputation category in dashboards.
Key Features:
Collects, analyzes, and labels data on IPs that saturate security tools with noise.
Helps analysts spend less time on irrelevant activity and more time on emerging threats.
Provides multiple dashboards for analyzing and visualizing the data.
Includes custom commands and alert actions that can be used alongside Splunk searches.
Loaded and analyzed Windows server logs.
Created reports, alerts, and dashboards for Windows server logs.
Loaded and analyzed Apache server logs.
Created reports, alerts, and dashboards for Apache server logs.
Loaded and analyzed Windows attack logs.
Loaded and analyzed Apache attack logs.
Installed an add-on Splunk application for additional monitoring.
Acquired skills in log analysis, report creation, and alert generation for Windows and Apache logs.
Developed and delivered comprehensive reports.