GitHub: SamuelCyberSec/splunk-linux-ssh-threat-hunting
# Linux SSH Brute-Force Detection and Threat Hunting using Splunk SIEM
## Project Overview
This project demonstrates how Splunk SIEM can be used to detect, investigate, and report Linux SSH brute-force activity using authentication log data.
The lab focuses on identifying failed SSH login attempts, extracting attacker source IP addresses, analyzing targeted usernames, reviewing attack timelines, and developing detection logic for brute-force behavior.
This project simulates a realistic Security Operations Center (SOC) investigation workflow and demonstrates practical SIEM, threat hunting, and detection engineering skills.
## Scenario
A Linux server exposed to the internet experiences repeated SSH authentication failures. Security logs reveal sustained failed password attempts from multiple external IP addresses.
The objective is to investigate the activity using Splunk SIEM and determine:
- Whether brute-force behavior exists
- Which usernames are being targeted
- Which source IP addresses are responsible
- Whether suspicious authentication patterns emerge
- How detections and alerts can be developed
## Objectives
- Ingest Linux authentication logs into Splunk
- Detect failed SSH login attempts
- Extract source IP addresses and targeted usernames
- Identify high-volume attacker IPs
- Analyze attack activity over time
- Develop brute-force detection logic
- Create SIEM dashboards
- Produce an incident investigation report
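The objectives above (parse failed SSH logins, extract source IP and username, find high-volume sources, bucket activity over time, and apply a brute-force threshold) are shown below as a stand-alone worked example. This is added illustration, not code from this repository: it works on constructed `sshd` log lines embedded in the script (documentation-range IPs, a hypothetical host `lab-srv`), and it implements the same logic that a Splunk search would express with `stats count by src_ip` and `timechart`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines for the example (not real data). Syslog
# timestamps carry no year, so the parser assumes the lab year given here.
LAB_YEAR = 2024

SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 lab-srv sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 10 02:14:03 lab-srv sshd[1203]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Mar 10 02:14:05 lab-srv sshd[1205]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 10 02:14:06 lab-srv sshd[1207]: Failed password for invalid user oracle from 203.0.113.45 port 51241 ssh2
Mar 10 02:14:08 lab-srv sshd[1209]: Failed password for root from 203.0.113.45 port 51244 ssh2
Mar 10 02:14:10 lab-srv sshd[1211]: Failed password for invalid user test from 203.0.113.45 port 51247 ssh2
Mar 10 02:20:31 lab-srv sshd[1300]: Failed password for ubuntu from 198.51.100.7 port 40001 ssh2
Mar 10 02:21:00 lab-srv sshd[1302]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Mar 10 02:45:12 lab-srv sshd[1350]: Failed password for ubuntu from 198.51.100.7 port 40010 ssh2
Mar 10 02:46:40 lab-srv sshd[1352]: Failed password for root from 198.51.100.7 port 40012 ssh2
"""

# Matches the OpenSSH "Failed password" message; the optional "invalid user"
# prefix appears when the username does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_logins(log_text, year=LAB_YEAR):
    """Return (timestamp, username, src_ip) for every failed-password event."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd lines are not failures
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("src_ip")))
    return events


def failures_by_source(events):
    """Failure count per source IP plus the distinct usernames each one tried."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for _, user, ip in events:
        counts[ip] += 1
        users[ip].add(user)
    return dict(counts), {ip: sorted(u) for ip, u in users.items()}


def timeline(events, bucket=timedelta(minutes=15)):
    """Bucket failures into fixed intervals (the Splunk timechart view)."""
    buckets = defaultdict(int)
    for ts, _, _ in events:
        epoch = datetime(ts.year, 1, 1)
        slot = epoch + ((ts - epoch) // bucket) * bucket
        buckets[slot] += 1
    return dict(sorted(buckets.items()))


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP whose failures reach `threshold` inside any sliding `window`.

    A source that trickles a few failures per hour stays below this rule on
    purpose; catching low-and-slow activity needs a separate, longer-window rule.
    """
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start, first, last = 0, 0, None, None
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            n = end - start + 1
            if n > best:
                best, first, last = n, times[start], t
        if best >= threshold:
            alerts[ip] = {"count": best, "first_seen": first, "last_seen": last}
    return alerts


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_AUTH_LOG)
    counts, users = failures_by_source(evts)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} failures={n:3} users={users[ip]}")
    for slot, n in timeline(evts).items():
        print(f"{slot:%H:%M}  {n}")
    for ip, a in detect_bruteforce(evts).items():
        print(f"ALERT brute-force from {ip}: {a['count']} failures "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

In the sample, one source fires the rule (six failures against four usernames in ten seconds) while the second source, with three failures spread over half an hour, does not; the distinct-username list is what distinguishes a spray across accounts from repeated attempts on one account, and is worth carrying into the dashboard alongside the raw count.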
## Tools Used
- Splunk Cloud
- Linux authentication logs
- SPL (Search Processing Language)
- GitHub
- Windows 11
## Skills Demonstrated
- SIEM investigation
- Threat hunting
- Log analysis
- Detection engineering
- SSH brute-force detection
- IOC identification
- Security monitoring
- Incident reporting
## Project Status
**Phase 1:** Project Architecture and Setup (In Progress)
## Planned Repository Structure
```
data-ingestion/
splunk-queries/
screenshots/
detections/
incident-report/
```