SIEM • Telemetry • Threat Hunting
Detection Engineering Pipeline
Splunk Enterprise • Sysmon • PowerShell • SPL
Created a full-stack detection pipeline to surface malicious behavior within the lab using high-fidelity endpoint and network logs.
Architecture & Components
Core components
- Splunk Enterprise (SIEM)
- Sysmon (Telemetry)
- Atomic Red Team (Simulation)
- SPL (Query Language)
Project Visuals

Challenges & Engineering Decisions
Log Volume & Noise
Problem
Standard Sysmon logging was creating too many events for the Splunk free license tier.
Solution
Refined the filter rules in the sysmon-config.xml file so that benign, high-volume events were dropped at the source, before being forwarded to Splunk.
Outcome
- Stabilized log ingestion rates
- Improved search performance and clarity
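The following is an added example, not the project's own sysmon-config.xml or any code from the project: it parses a constructed Sysmon config fragment and replays constructed sample events through Sysmon's documented include/exclude semantics, so a filter change can be checked for its volume reduction offline before it is deployed. The specific exclusions (Splunk's own processes and the WMI provider host) and the schema version are assumptions chosen for illustration; the rule syntax and conditions ("is", "contains", "begin with", "end with", "image") are Sysmon's.

```python
"""Offline model of Sysmon include/exclude filtering (added example).

Parses a constructed config fragment and replays constructed events through
Sysmon's documented onmatch semantics to estimate how much volume a filter
drops before it is ever forwarded to Splunk. Only the listed conditions are
modelled; event types the config does not mention are reported as None.
"""
import xml.etree.ElementTree as ET

# Constructed config fragment (assumption: Splunk's own processes and WMI
# provider host churn are the noise being tuned out; syntax is Sysmon's).
SYSMON_CONFIG = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="image">splunkd.exe</Image>
        <Image condition="end with">\\splunk-winevtlog.exe</Image>
        <CommandLine condition="begin with">C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured</CommandLine>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">\\powershell.exe</Image>
        <DestinationPort condition="is">4444</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def _matches(condition, rule_value, event_value):
    """Sysmon comparisons are case-insensitive; 'image' accepts a bare file name."""
    r, v = rule_value.strip().lower(), str(event_value).lower()
    if condition == "is":
        return v == r
    if condition == "is not":
        return v != r
    if condition == "contains":
        return r in v
    if condition == "begin with":
        return v.startswith(r)
    if condition == "end with":
        return v.endswith(r)
    if condition == "image":
        return v == r or v.rsplit("\\", 1)[-1] == r
    raise ValueError(f"condition not modelled: {condition}")


def load_filters(xml_text):
    """Map event type -> list of (onmatch, [(field, condition, value), ...])."""
    filters = {}
    for node in ET.fromstring(xml_text).find("EventFiltering"):
        # Filters may sit directly under EventFiltering or inside a RuleGroup.
        for block in (list(node) if node.tag == "RuleGroup" else [node]):
            rules = [(r.tag, r.get("condition", "is"), r.text or "") for r in block]
            filters.setdefault(block.tag, []).append((block.get("onmatch"), rules))
    return filters


def is_logged(filters, event):
    """An exclude hit drops the event, an include block without a hit drops it,
    otherwise it is logged. Rules inside one block are OR'd together.
    Returns None for event types the config does not mention (not modelled)."""
    blocks = filters.get(event["EventType"])
    if blocks is None:
        return None
    for onmatch, rules in blocks:
        hit = any(f in event and _matches(c, val, event[f]) for f, c, val in rules)
        if onmatch == "exclude" and hit:
            return False
        if onmatch == "include" and not hit:
            return False
    return True


def summarize(filters, events):
    """Count surviving events as a rough volume-reduction estimate."""
    decisions = [is_logged(filters, e) for e in events]
    kept = sum(1 for d in decisions if d is True)
    dropped = sum(1 for d in decisions if d is False)
    total = kept + dropped
    return {"kept": kept, "dropped": dropped,
            "reduction_pct": round(100.0 * dropped / total, 1) if total else 0.0}


# Constructed sample events in the shape of Sysmon fields, not captured logs.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Splunk\bin\splunkd.exe",
     "CommandLine": r'"C:\Program Files\Splunk\bin\splunkd.exe" service'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"EventType": "NetworkConnect",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationPort": 443},
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Splunk\bin\splunkd.exe",
     "DestinationPort": 9997},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationPort": 4444},
]

if __name__ == "__main__":
    print(summarize(load_filters(SYSMON_CONFIG), SAMPLE_EVENTS))
```

The two blocks show both filtering modes: the ProcessCreate block is an exclude (log everything except the named noise), the NetworkConnect block is an include (log nothing except what is named). Replaying a day's worth of exported events through `summarize` before pushing a new config gives a concrete estimate of the ingestion saving, which is the number that matters against a daily license quota.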
Reflection
Detection engineering is a balancing act between visibility and performance, and this project helped me learn how to tune telemetry for useful signal rather than raw volume.