handy-be/SPLUNK-NETWORK-THREAT-HUNTING
# Splunk Enterprise: Network Security Threat Hunting Lab
## Project Overview
This project demonstrates how to use **Splunk Enterprise** to ingest, parse, and analyze raw network traffic logs to identify and investigate malicious activities. By isolating the dataset into a dedicated security index, I simulated a real-world Security Operations Center (SOC) environment to hunt for automated attacks, isolate malicious actors, and document attacker tooling.
## 🛠️ Skills & Technologies Demonstrated
* **SIEM Management:** Data ingestion, index creation, and data isolation inside Splunk Enterprise.
* **Splunk Processing Language (SPL):** Writing transforming search commands (`stats`, `top`, `sort`) to aggregate raw logs into actionable intelligence.
* **Threat Hunting & Incident Analysis:** Identifying specific cyber attack vectors (BotAttacks, PortScans) and malicious user agents.
* **Security Visualization:** Creating dashboards, pie charts, and bar graphs to present technical data to stakeholders.
## 🔍 The Investigation: Core SPL Queries
### 1. The Threat Landscape (Intrusions vs. Normal Traffic)
To get a high-level view of our network's current threat level, I aggregated all incoming traffic by its scan classification.
```
index="network_security" | stats count by Scan_Type
```
### 2. Identifying Bad Actors (Top Attacking IPs)
Once malicious traffic was confirmed, I filtered the logs specifically for confirmed intrusions (`Intrusion=1`) to identify the top 5 most aggressive external IP addresses hitting the firewall.
```
index="network_security" Intrusion=1 | top limit=5 Source_IP
```
### 3. Malicious Tooling Detection (User-Agent Analysis)
To understand how the attackers were operating, I analyzed the HTTP User-Agents attached to confirmed intrusions to discover what automated frameworks were hitting our perimeter.
```
index="network_security" Intrusion=1 | stats count by User_Agent | sort - count
```
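The three queries above reduce to simple aggregations over the fields `Scan_Type`, `Intrusion`, `Source_IP` and `User_Agent`. The following Python is an added illustration (not part of this project or of Splunk) that reproduces what each SPL pipeline computes over a small constructed sample of the `network_security` index, so the logic can be checked offline before it is run against real data.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of the network_security index (not the project's real data).
# Field names match the SPL queries; IPs are documentation ranges.
SAMPLE_LOGS = """\
Source_IP,Scan_Type,Intrusion,User_Agent
203.0.113.5,PortScan,1,masscan/1.0
203.0.113.5,PortScan,1,masscan/1.0
198.51.100.7,BotAttack,1,python-requests/2.31
198.51.100.7,BotAttack,1,python-requests/2.31
198.51.100.7,BotAttack,1,python-requests/2.31
192.0.2.10,Normal,0,Mozilla/5.0
192.0.2.11,Normal,0,Mozilla/5.0
203.0.113.9,BotAttack,1,python-requests/2.31
"""


def load_events(text=SAMPLE_LOGS):
    """Parse the CSV sample into a list of field->value dicts (one per event)."""
    return list(csv.DictReader(StringIO(text)))


# index="network_security" | stats count by Scan_Type
def count_by_scan_type(events):
    return dict(Counter(e["Scan_Type"] for e in events))


# index="network_security" Intrusion=1 | top limit=5 Source_IP
def top_attacking_ips(events, limit=5):
    intrusions = [e for e in events if e["Intrusion"] == "1"]
    counts = Counter(e["Source_IP"] for e in intrusions)
    total = len(intrusions)
    # `top` reports count and percent of the matching events, ordered by count
    return [(ip, n, round(100 * n / total, 2)) for ip, n in counts.most_common(limit)]


# index="network_security" Intrusion=1 | stats count by User_Agent | sort - count
def user_agents_by_intrusions(events):
    counts = Counter(e["User_Agent"] for e in events if e["Intrusion"] == "1")
    return counts.most_common()


if __name__ == "__main__":
    evts = load_events()
    print("Scan types:", count_by_scan_type(evts))
    print("Top attacking IPs:", top_attacking_ips(evts))
    print("User-Agents on intrusions:", user_agents_by_intrusions(evts))
```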
## 📊 Visualizations & Data Artifacts
### Attack Type Distribution
### Top Attacking IP Addresses
### Raw Ingested Log Data
## 🏁 Conclusion
By leveraging Splunk to parse through complex network telemetry, I was successfully able to isolate noise from actual malicious signal, profile active adversaries, and identify the automated scanning tools they used. This project highlights the core fundamentals of proactive threat hunting and SIEM data administration.