Phase Two: SIEM Fundamentals

Building SIEM Literacy: Log Ingestion to Baseline Understanding

Before detecting threats (Phase 4) or simulating attacks (Phase 3), I needed to verify my security monitoring infrastructure works and understand what "normal" looks like in enterprise logs. After installing Splunk + Sysmon and ensuring events are being forwarded, I set my sights on learning basic SPL queries, building my first dashboard, and reducing event noise where possible.

✓ STATUS: COMPLETE
💻 Phase Two GitHub (Diagnostics, Splunk Dashboard XML)
📝 Phase Two Medium (Technical Writeups)

My First Splunk Dashboard

Core Learning Areas

🔍
Diagnostics & Validation
Foundation

Systematic Pipeline Verification

Before trusting SIEM data for security analysis, verify every layer works: endpoint logging β†’ forwarder collection β†’ network transmission β†’ SIEM indexing.
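To make those four layers concrete, here is an added endpoint-side check, written for this page and not taken from the project's own diagnostic scripts. It assumes the Splunk Universal Forwarder at its default install path, an indexer at a placeholder address 192.0.2.10 on the default receiving port 9997, and the Sysmon service under its default name. The fourth layer (SIEM indexing) cannot be confirmed from the endpoint, so the script only records the search to run on the indexer.

```powershell
# Added example: layer-by-layer check of the log pipeline on a Windows endpoint
# running Sysmon and the Splunk Universal Forwarder. Not the page's own script.
# Indexer address/port, forwarder install path and splunkd.log location are
# assumptions; change them to match your lab.
$IndexerHost   = '192.0.2.10'   # assumed indexer IP (documentation range), replace
$IndexerPort   = 9997           # Splunk's default receiving port, assumed unchanged
$ForwarderRoot = 'C:\Program Files\SplunkUniversalForwarder'   # assumed default path
$SysmonLog     = 'Microsoft-Windows-Sysmon/Operational'

function Test-LogPipeline {
    [CmdletBinding()]
    param(
        [int]$LookbackMinutes = 15   # how fresh a Sysmon event must be to count as "logging"
    )
    $r = [ordered]@{}

    # Layer 1: endpoint logging. The Sysmon service (Sysmon or Sysmon64 by default)
    # must be running AND its channel must contain recent events.
    $sysmonSvc = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue | Select-Object -First 1
    $r['SysmonServiceRunning'] = [bool]($sysmonSvc -and $sysmonSvc.Status -eq 'Running')

    $since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    $recent = Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; StartTime = $since } `
                           -MaxEvents 1 -ErrorAction SilentlyContinue
    $r['SysmonEventsRecent'] = [bool]$recent

    # Layer 2: forwarder collection. The Universal Forwarder runs as SplunkForwarder.
    $fwdSvc = Get-Service -Name 'SplunkForwarder' -ErrorAction SilentlyContinue
    $r['ForwarderServiceRunning'] = [bool]($fwdSvc -and $fwdSvc.Status -eq 'Running')

    # Layer 3: network transmission. Can this host open a TCP session to the
    # indexer's receiving port at all?
    $tnc = Test-NetConnection -ComputerName $IndexerHost -Port $IndexerPort -WarningAction SilentlyContinue
    $r['IndexerPortReachable'] = [bool]$tnc.TcpTestSucceeded

    # And has the forwarder itself reported the connection? splunkd.log records
    # "Connected to idx=<host>:<port>" when an output group comes up.
    $splunkdLog = Join-Path $ForwarderRoot 'var\log\splunk\splunkd.log'
    $r['ForwarderLoggedConnect'] = $false
    if (Test-Path $splunkdLog) {
        $pattern = 'Connected to idx=' + [regex]::Escape("${IndexerHost}:${IndexerPort}")
        $hit = Get-Content $splunkdLog -Tail 2000 | Select-String -Pattern $pattern | Select-Object -Last 1
        $r['ForwarderLoggedConnect'] = [bool]$hit
    }

    # Layer 4 (SIEM indexing) is confirmed on the indexer, not here. Run there:
    #   index=* host=<this host> earliest=-15m | stats count by sourcetype
    $r['AllEndpointLayersPass'] = -not ($r.Values -contains $false)
    [pscustomobject]$r
}

Test-LogPipeline | Format-List
```

Read the output top-down: the first layer that reports False is where the break is, and every layer below it will usually be False as well, so there is no point tuning a search on the indexer until the endpoint-side checks all pass.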

📊
Windows Event Analysis
Core Skill

Security Event ID Literacy

Understanding Windows Security, System, Application, and Sysmon logs: what events matter for threat detection and why.

🔎
Exploratory Queries
SPL Practice

Progressive SPL Development

Building Splunk query proficiency starting from the search GUI: click into an event's details, add field filters from them, and learn to read what changes in the result set before writing SPL by hand.

🎯
MITRE ATT&CK Mapping
Framework

Threat-Informed Defense

Connecting Phase 1 vulnerabilities to MITRE ATT&CK techniques and identifying which Windows and Sysmon events would detect each technique.

📈
Monitoring Dashboards
Visibility

Visual Security Monitoring

Simple dashboard providing real-time visibility into log ingestion health, authentication activity, and system behavior.

📚
Reference
Knowledge Base

Compiled Learning Resources

Completed Splunk free online training and referenced Microsoft's Windows Event appendix.

Technical Documentation

My First Splunk Dashboard

Visual security monitoring for lab environment

📈

Diagnostic Scripts

Verification on Windows and Linux for event forwarding

💻

Splunk Basics: Homelab "SOC In A Box"

Validation scripts and baseline analysis

📝

Splunk Homelab Noise Reduction — Part 1

Understanding the difference between benign and useful events

📝

Windows + Sysmon Event ID Chaining

How event correlation translates into potential indicators of compromise

📝

Splunk Homelab Noise Reduction — Part 2

Filtering Sysmon's Process Creation event

📝
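As an added example covering the two writeups above (Event ID chaining and filtering Sysmon's process creation event), the script below is not code from the original page or its repository. The event records in it are constructed to mirror the field names Sysmon Event ID 1 and 3 and Security 4624 actually emit, not captured from a live host, and the allowlist of benign parent/child pairs is an illustrative assumption that a real baseline would replace.

```powershell
# Added example: Sysmon Event ID 1 noise reduction followed by chaining
# 4624 -> Sysmon 1 -> Sysmon 3. Not the page's own code; sample data is constructed.

# Parent -> child pairs that dominated a quiet host's Event ID 1 volume.
# Assumed allowlist for illustration; derive yours from baseline counts and keep
# it narrow: full-path pairs, never a bare image name.
$BenignProcessPairs = @(
    @{ Parent = 'C:\Windows\System32\svchost.exe'; Image = 'C:\Windows\System32\wbem\WmiPrvSE.exe' },
    @{ Parent = 'C:\Windows\System32\svchost.exe'; Image = 'C:\Windows\System32\taskhostw.exe' },
    @{ Parent = 'C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe';
       Image  = 'C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe' }
)

# Constructed sample: one RDP logon, a shell spawned under that session that
# launches PowerShell, an outbound connection from PowerShell, and service noise.
$SampleEvents = @(
    [pscustomobject]@{ Log='Security'; EventId=4624; Time='10:00:01'; LogonType=10; TargetUserName='jsmith'; TargetLogonId='0x5A3F21'; IpAddress='10.0.0.55' },
    [pscustomobject]@{ Log='Sysmon';   EventId=1;    Time='10:00:05'; Image='C:\Windows\System32\wbem\WmiPrvSE.exe'; ParentImage='C:\Windows\System32\svchost.exe'; LogonId='0x3e7'; ProcessGuid='{A1}' },
    [pscustomobject]@{ Log='Sysmon';   EventId=1;    Time='10:00:09'; Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\explorer.exe'; LogonId='0x5a3f21'; ProcessGuid='{B2}' },
    [pscustomobject]@{ Log='Sysmon';   EventId=1;    Time='10:00:12'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Windows\System32\cmd.exe'; LogonId='0x5a3f21'; ProcessGuid='{C3}' },
    [pscustomobject]@{ Log='Sysmon';   EventId=3;    Time='10:00:15'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ProcessGuid='{C3}'; DestinationIp='203.0.113.7'; DestinationPort=4444 },
    [pscustomobject]@{ Log='Sysmon';   EventId=1;    Time='10:01:00'; Image='C:\Windows\System32\taskhostw.exe'; ParentImage='C:\Windows\System32\svchost.exe'; LogonId='0x3e7'; ProcessGuid='{D4}' }
)

# Noise reduction: drop Event ID 1 records whose exact parent/child pair is on
# the allowlist. Every other record, including event types not explicitly
# handled, passes through untouched.
function Select-InterestingEvents([object[]]$Events) {
    @($Events | Where-Object {
        $ev = $_
        if ($ev.Log -ne 'Sysmon' -or $ev.EventId -ne 1) { $true }
        else {
            $match = $BenignProcessPairs | Where-Object { $_.Image -eq $ev.Image -and $_.Parent -eq $ev.ParentImage }
            ($match | Measure-Object).Count -eq 0
        }
    })
}

# Chaining: a network or RDP logon (4624, LogonType 3 or 10) is tied to the
# processes created in that session by LogonId, and each process to its outbound
# connections by ProcessGuid. LogonId is hex in both logs but the case differs,
# so compare numerically rather than as strings.
function Find-LogonProcessChains([object[]]$Events) {
    $logons = $Events | Where-Object { $_.Log -eq 'Security' -and $_.EventId -eq 4624 -and $_.LogonType -in 3,10 }
    $chains = foreach ($logon in $logons) {
        $sessionId = [Convert]::ToInt64($logon.TargetLogonId, 16)
        $procs = $Events | Where-Object {
            $_.Log -eq 'Sysmon' -and $_.EventId -eq 1 -and [Convert]::ToInt64($_.LogonId, 16) -eq $sessionId
        }
        foreach ($p in $procs) {
            $net = $Events | Where-Object { $_.Log -eq 'Sysmon' -and $_.EventId -eq 3 -and $_.ProcessGuid -eq $p.ProcessGuid }
            [pscustomobject]@{
                User        = $logon.TargetUserName
                LogonType   = $logon.LogonType
                SourceIp    = $logon.IpAddress
                Image       = $p.Image
                ParentImage = $p.ParentImage
                Destination = @($net | ForEach-Object { "$($_.DestinationIp):$($_.DestinationPort)" }) -join ','
            }
        }
    }
    @($chains)
}

$filtered = Select-InterestingEvents $SampleEvents
"{0} of {1} events survive the allowlist" -f $filtered.Count, $SampleEvents.Count
Find-LogonProcessChains $filtered | Format-Table -AutoSize
```

On the constructed sample the allowlist removes the two svchost children, and the chain output shows the RDP logon for jsmith from 10.0.0.55 leading to cmd.exe and then powershell.exe with an outbound connection to 203.0.113.7:4444. None of those three events is alarming in isolation; joined on LogonId and ProcessGuid they are the indicator. In SPL the same join is what a `stats` over both sourcetypes keyed on LogonId expresses.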

Project Timeline

Phase 1: Vulnerable Foundation (Complete)
Phase 2: SIEM Fundamentals (Complete)
Phase 3: Red Team Ops (Planned)
Phase 4: Detection Engineering (Planned)
Phase 5: Purple Team Ops (Planned)