Objective: The goal was to gain hands-on experience in Splunk administration, data onboarding, distributed architecture, and security event correlation—directly aligned with the Splunk Enterprise Certified Admin certification domains.
Environment:
Hosted Splunk Search Head in AWS, ingesting logs from hybrid sources:
- AWS CloudTrail (via Splunk AWS Add-on and S3 buckets)
- Azure Linux VMs (using Azure Event Hub and Splunk HTTP Event Collector)
- On-Premises Windows Security Events (via Universal Forwarders and Splunk Windows TA)
Project Activities:
- Configured Splunk Forwarders on Azure Linux VMs to send /var/log data (syslog, auth.log) to AWS-hosted Splunk, ensuring parity with Sentinel for cross-SIEM validation.
- Implemented Splunk AWS Add-on to ingest CloudTrail logs, filtering low-value API calls (e.g., List, Describe) using ingest actions to optimize storage and search performance.
- Deployed Splunk Universal Forwarders on on-prem Windows servers, filtering Security Event IDs (e.g., 4625 failed logins, 4688 process creation) to prioritize high-risk alerts.
- Built custom parsing rules for Azure Linux VM logs (syslog sourcetype) to normalize fields like user, source_ip, and action for correlation with Windows and AWS data.
- Designed dashboards to visualize cross-environment threats, including:
  * Unusual AWS API calls (e.g., AssumeRole from unfamiliar IPs)
  * Privilege escalation patterns in Windows Event Logs
  * Failed SSH/RDP attempts on Azure VMs
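As an added illustration of the Windows Event ID filtering and the syslog field normalization described above (example configuration written for this write-up, not the project's own files): the `whitelist` stanza keeps only 4625/4688 at the Universal Forwarder, and the search-time extraction maps sshd auth.log lines onto the `user`, `source_ip` and `action` fields. The stanza labels, the regex and the `ssh_result`/`success`/`failure` values are assumptions; only `syslog`, the three field names and the two Event IDs come from the write-up.

```ini
# --- inputs.conf on each on-prem Windows Universal Forwarder (added example) ---
# Only forward the two high-risk Security Event IDs named in the write-up;
# everything else is dropped at the source, reducing licence and index volume.
[WinEventLog://Security]
disabled = 0
whitelist = 4625,4688
renderXml = false

# --- props.conf on the AWS-hosted Search Head (added example, search-time) ---
# Sample auth.log lines this extraction is written for (constructed):
#   sshd[1234]: Failed password for invalid user bob from 203.0.113.5 port 4242 ssh2
#   sshd[1235]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2
[syslog]
# Named capture groups become the fields user and source_ip; ssh_result is an
# assumed helper field holding the raw "Accepted"/"Failed" verb.
EXTRACT-sshd_auth = sshd\[\d+\]:\s+(?<ssh_result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?(?<user>\S+)\s+from\s+(?<source_ip>\d{1,3}(?:\.\d{1,3}){3})
# Normalise the verb to the same action vocabulary used for the Windows 4625
# events, so a single correlation search can group Linux and Windows failures.
EVAL-action = case(ssh_result=="Accepted", "success", ssh_result=="Failed", "failure", true(), null())
```

Because `EXTRACT-` and `EVAL-` are search-time settings, they take effect on existing indexed data once the props.conf is deployed to the search head; the inputs.conf change only affects events forwarded after the UF restarts.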
Key Skills Practised:
- Centralized log management and security monitoring using Splunk Enterprise, with Search Head hosted in AWS.
- Data onboarding and parsing from AWS CloudTrail, Azure Linux VMs, and on-premises Windows Active Directory servers using Splunk Forwarders and Add-ons.
- Development of custom alerts, dashboards, and correlation searches for cross-platform threat detection and incident response.