anderman352/SOC-Splunk-Project
# SOC Splunk Project

This project is a hands-on Security Operations Center (SOC) lab built with Splunk to simulate real-world blue team monitoring and detection. It demonstrates SIEM setup, Sysmon-based log collection, SOC detections, automation scripts, and dashboards.

## 📌 Features

- Splunk Enterprise SIEM running on a Linux VM
- Windows VM with Sysmon installed and event forwarding via Splunk Universal Forwarder
- Full SwiftOnSecurity Sysmon config for rich telemetry (process, network, registry events)
- Automation scripts to ensure the Splunk Forwarder remains active
- Pre-built Splunk detection queries for:
  - Brute-force login attempts
  - Suspicious PowerShell usage
  - Privilege escalation events
  - Outbound network connections
- Ready-to-import Splunk dashboards for monitoring and triage

## 🛠️ Lab Setup

### Splunk Server (Linux VM)

1. Install Splunk Enterprise
2. Enable receiving on port 9997

### Windows VM

1. Install Splunk Universal Forwarder
2. Configure `outputs.conf` and `inputs.conf` to send Sysmon and Security logs to the Splunk server
3. Install Sysmon with the SwiftOnSecurity Sysmon config

### Automation

Deploy a scheduled task that runs `/automation/Restart-SplunkForwarder.ps1` so the forwarder is restarted automatically if it stops, keeping log collection resilient.
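As an added illustration of step 2 on the Windows VM (not the project's own configuration files), the two forwarder files could look like this; `SPLUNK_SERVER_IP` is a placeholder for the Linux VM's address, and the `wineventlog` index name is an assumption that must match an index created on the Splunk server:

```ini
# File: C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
# Sends all collected events to the Splunk server's receiving port (9997).
# SPLUNK_SERVER_IP is a placeholder; replace it with the Linux VM address.
[tcpout]
defaultGroup = soc_indexers

[tcpout:soc_indexers]
server = SPLUNK_SERVER_IP:9997

# File: C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
# Collects the Sysmon operational channel and the Windows Security log.
# renderXml keeps the full event payload so Sysmon fields (Image, CommandLine,
# DestinationIp, TargetObject) are available to the detection queries.
# The index name "wineventlog" is an assumption; create it on the server first.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = 1
index = wineventlog

[WinEventLog://Security]
disabled = 0
renderXml = 1
index = wineventlog
```

Restart the SplunkForwarder service after saving both files, then confirm the host appears under the `wineventlog` index on the server before relying on the detections.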
