Update: This was my first SOC investigation project. For a more advanced investigation of the BOTSv3 dataset with full framework mappings (MITRE ATT&CK, NIST CSF, CIS Controls v8) and comprehensive query documentation, see Splunk-SIEM-Lab-v2
This project demonstrates an end-to-end security investigation within a self-hosted SIEM environment. I deployed Splunk Enterprise on an Ubuntu 24.04 LTS server to ingest, analyze, and visualize a simulated Advanced Persistent Threat (APT) attack from the Boss of the SOC (BOTS) v3 dataset.
To simulate an enterprise SOC environment, I provisioned a Splunk SIEM on Ubuntu and manually ingested over 300,000 events from the BOTS v3 dataset to practice real-world threat hunting.
- SIEM Deployment: Installed Splunk Enterprise via the command line on Ubuntu 24.04.
- Data Lifecycle: Ingested 300,000+ events from the BOTS v3 dataset, configuring indexes and sourcetypes for forensic accuracy.
[Screenshots: System Build, Data Ingestion (images not included in this copy)]
Using Search Processing Language (SPL), I performed a multi-stage hunt to isolate the threat actor.
By looking at the HTTP traffic, I identified 192.168.3.130 as the main suspect because it had an unusually high volume of POST requests.
Analysis of HTTP status codes ("201 Created") confirmed that the attacker successfully uploaded or created resources on the target web server.
I analyzed the raw logs to get the full story behind the attack and see the actual commands the attacker sent.
- Target Endpoint: The attacker targeted the WordPress administrative backend ("/wp-admin/admin-ajax.php").
- Payload Analysis: Analyzing the "form_data" field revealed attempts to exploit specific plugins ("tptn_tracker", "bloom") and unauthorized requests for security tokens ("gdbcRetrieveToken").
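The three hunt stages above (rank sources by POST volume, confirm "201 Created" responses, decode "form_data" sent to admin-ajax.php), reimplemented as an added Python example that is not part of the original lab. The events are constructed key=value lines whose field names are borrowed from Splunk's stream:http fields, and the SPL fragments in the comments are assumed equivalents rather than queries taken from the project.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample events (not real BOTSv3 records) flattened to key=value form.
# Field names mirror Splunk stream:http: src_ip, http_method, status, uri_path, form_data.
SAMPLE_EVENTS = [
    'src_ip=192.168.3.130 http_method=POST status=201 uri_path=/wp-admin/admin-ajax.php form_data="action=tptn_tracker&top_ten_blog_id=1"',
    'src_ip=192.168.3.130 http_method=POST status=200 uri_path=/wp-admin/admin-ajax.php form_data="action=bloom_subscribe&list_id=2"',
    'src_ip=192.168.3.130 http_method=POST status=403 uri_path=/wp-admin/admin-ajax.php form_data="action=gdbcRetrieveToken"',
    'src_ip=10.0.1.25 http_method=GET status=200 uri_path=/index.php form_data=""',
    'src_ip=10.0.1.25 http_method=POST status=200 uri_path=/wp-login.php form_data="log=alice&pwd=example"',
]

# key=value pairs; quoted values may contain spaces and '&', unquoted ones stop at whitespace
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def post_volume_by_src(events):
    """Stage 1: rank sources by POST volume (assumed SPL: http_method=POST | stats count by src_ip)."""
    return Counter(e["src_ip"] for e in events if e.get("http_method") == "POST")

def created_resources(events, src_ip):
    """Stage 2: POSTs from the suspect that the server answered with 201 Created."""
    return [e for e in events
            if e.get("src_ip") == src_ip and e.get("http_method") == "POST" and e.get("status") == "201"]

def ajax_actions(events, src_ip):
    """Stage 3: decode form_data sent to admin-ajax.php and pull the WordPress 'action' value."""
    actions = []
    for e in events:
        if e.get("src_ip") != src_ip or e.get("uri_path") != "/wp-admin/admin-ajax.php":
            continue
        # parse_qs handles URL-encoded bodies; a POST without an action is flagged explicitly
        actions.append(parse_qs(e.get("form_data", "")).get("action", ["<none>"])[0])
    return actions

def run_hunt(lines):
    """Chain the three stages: the top POST source becomes the suspect for stages 2 and 3."""
    events = [parse_event(line) for line in lines]
    suspect, post_count = post_volume_by_src(events).most_common(1)[0]
    return {"suspect": suspect, "post_count": post_count,
            "created": len(created_resources(events, suspect)),
            "actions": ajax_actions(events, suspect)}

if __name__ == "__main__":
    print(run_hunt(SAMPLE_EVENTS))
```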
The final step was putting everything into a Security Incident Dashboard. It tracks the attack timeline by showing:
- Attack Velocity: The attack pattern over time.
- Exploitation Payloads: Chronological record of malicious commands for forensic evidence.
- SIEM Administration: Linux (Ubuntu) CLI, Splunk Installation, Index Management.
- Threat Hunting: Advanced SPL (stats, timechart, aggregation, filtering).
- Web Forensics: HTTP Method analysis, Payload decoding, URI path mapping.
- Data Visualization: Dashboard engineering and executive reporting.