SIEM SOC Dashboard (Splunk)
Built SOC-style dashboards to quickly identify authentication anomalies and brute-force patterns, with a simple triage flow and validation steps.
Objective
Create dashboards that help an analyst spot suspicious login behavior fast, reduce noise, and support consistent triage decisions.
Environment
Splunk with authentication-style logs. Events include failed logins, user identifiers, source IP, timestamps, and outcome fields.
Detection or Task Logic
Focused on patterns commonly used for credential attacks: repeated failures from a single source, high failure counts for a user, and abnormal timing. Grouped and summarized by user and source to surface the highest-risk clusters first.
Investigation or Execution
Validated suspicious clusters by checking whether the activity was consistent with user mistakes versus automated attempts. Confirmed frequency, spread (one user vs many users), and whether the pattern persisted over time.
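The grouping and validation logic described above, as an added Python example that is not part of the original project: it groups constructed failed-login events by source, applies a sliding time window, and separates a single-user brute-force burst from a many-user spray while leaving scattered mistakes unflagged. The thresholds, window size and sample events are assumptions and would be tuned against the observed baseline.

```python
# Added example: brute-force / password-spray triage over constructed auth
# events. Mirrors the "group by user and source" dashboard logic (roughly
# `| search outcome=failure | stats count dc(user) by src_ip` in SPL) and adds
# a sliding time window so bursts stand out from scattered user mistakes.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed: failures must fall within this span
MIN_FAILURES = 5                # assumed threshold, tune against the baseline
SPRAY_MIN_USERS = 3             # assumed: distinct users that mark a spray
# Constructed sample events: (timestamp, user, src_ip, outcome)
EVENTS = (
    # one user, six failures in 15 seconds from one source -> brute force
    [(f"2024-05-01T08:00:{s:02d}", "alice", "10.0.0.5", "failure")
     for s in range(0, 18, 3)]
    # five users, one failure each in 40 seconds from one source -> spray
    + [(f"2024-05-01T09:00:{s:02d}", u, "198.51.100.7", "failure")
       for s, u in zip(range(0, 50, 10), ["bob", "carol", "dave", "erin", "frank"])]
    # two failures 20 minutes apart, then a success -> likely a user mistake
    + [("2024-05-01T10:00:00", "bob", "192.0.2.9", "failure"),
       ("2024-05-01T10:20:00", "bob", "192.0.2.9", "failure"),
       ("2024-05-01T10:40:00", "bob", "192.0.2.9", "success")]
)

def failures_by_source(events):
    """Group failed logins by source IP as time-sorted (timestamp, user) pairs."""
    groups = defaultdict(list)
    for ts, user, src, outcome in events:
        if outcome == "failure":
            groups[src].append((datetime.fromisoformat(ts), user))
    return {src: sorted(fails) for src, fails in groups.items()}

def classify_source(fails):
    """Return 'brute_force', 'spray' or None for one source's sorted failures."""
    for i, (t0, _) in enumerate(fails):
        users_in_window = [u for t, u in fails[i:] if t - t0 <= WINDOW]
        if len(users_in_window) < MIN_FAILURES:
            continue  # not enough failures in any window starting here
        return "spray" if len(set(users_in_window)) >= SPRAY_MIN_USERS else "brute_force"
    return None

def triage(events):
    """One row per flagged source, highest failure count first (dashboard order)."""
    rows = []
    for src, fails in failures_by_source(events).items():
        verdict = classify_source(fails)
        if verdict:
            rows.append({"src_ip": src, "verdict": verdict, "failures": len(fails),
                         "users": len({u for _, u in fails})})
    return sorted(rows, key=lambda r: r["failures"], reverse=True)
```

The spread check (one user versus many) is what separates the two verdicts; the unflagged 192.0.2.9 cluster shows the "consistent with user mistakes" outcome of the validation step.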
Outcome
Produced dashboards that highlight high-risk authentication behavior in a single view, making it easier to prioritize and document investigations.
Improvements
Add baselining per user and per subnet, enrich with GeoIP and reputation, and create alert rules with tuned thresholds based on observed normal behavior.