Emilee Clements

Entry-Level IT & Cybersecurity Professional

Personal Portfolio

Security Monitoring Environment (Splunk, SIEM) Project

Objective
Design and implement a custom security monitoring environment for a fictional organization using Splunk. The goal was to track Windows server activity through reports, alerts, and dashboards to detect suspicious behavior and provide actionable insights for protecting critical systems.

Tools & Technologies
Splunk, Docker container, Windows Server logs, SPL (Search Processing Language), reports, alerts, dashboards, baseline analysis, anomaly detection, event correlation, email notifications, log management and monitoring utilities, Splunk add-on application (e.g., Whois XML IP Geolocation API)

Implementation Process
Data Ingestion & Initial Analysis – Loaded Windows server logs into Splunk and performed an initial review to identify key fields and establish a baseline of normal activity.

Tools/Skills: Splunk, Windows Server logs, SPL (Search Processing Language), Docker, time-range analysis, log field identification

  • Uploaded provided Windows server logs into Splunk using the “Add Data → Upload” workflow.
  • Set source type and host name for proper log identification.
  • Verified data ingestion by checking for successful file upload messages and ensuring logs were searchable.
  • Analyzed key fields including signature_id, signature, user, status, and severity.
  • Established baseline metrics for normal activity to identify anomalies during simulated attacks.

Reports Creation – Developed reports to summarize Windows server activity, allowing quick detection of unusual patterns and events.

Tools/Skills: Splunk reports, SPL, tables, aggregations, filtering, data visualization

  • Created a report mapping Windows activity signatures to their corresponding signature_id.
  • Developed a severity report showing counts and percentages of different severity levels.
  • Built a success/failure report to monitor Windows activity status over time.
  • Removed duplicate values in reports to ensure accurate aggregation.
  • Took screenshots of reports for documentation and review.

Report output examples:

Alerts & Notifications – Configured alerts to notify the SOC team of suspicious activity based on thresholds derived from baseline analysis.

Tools/Skills: Splunk alerts, SPL, thresholds, email notifications, anomaly detection, SOC monitoring

  • Determined baseline and threshold for failed Windows login attempts and created a corresponding alert.
  • Configured alerts for suspicious volumes of successful logins and deleted accounts.
  • Alerts were designed to send email notifications to the SOC team when thresholds were exceeded.
  • Used signature_id for consistency across Windows updates, ensuring alerts remained accurate.
  • Tested alert configurations theoretically against attack logs to verify effectiveness.
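The baseline-and-threshold logic behind the failed-login alert, together with the deduplicated signature map and the severity count/percentage report from the previous step, as an added Python example that is not part of the original project (which built these in SPL inside Splunk). The events are constructed, and the threshold formula (baseline mean plus three standard deviations of hourly failures) is an assumption, since the page does not state how the threshold was derived.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample events (not from the project's logs). Fields mirror the
# ones the page names (signature_id, signature, user, status, severity) and
# "hour" stands in for Splunk's _time bucket. 4625/4624 are the Windows
# failed/successful logon event IDs.
def _event(hour, sig_id, sig, user, status, severity):
    return {"hour": hour, "signature_id": sig_id, "signature": sig,
            "user": user, "status": status, "severity": severity}

FAILED, SUCCESS = "An account failed to log on", "An account was successfully logged on"
# Baseline window: a few failures per hour (varying so the stddev is non-zero).
BASELINE = [_event(h, 4625, FAILED, "alice", "failure", "high")
            for h in range(8) for _ in range(h % 3 + 1)]
BASELINE += [_event(h, 4624, SUCCESS, "bob", "success", "informational") for h in range(8)]
# Attack window: same traffic plus a burst of failures from one user at hour 2.
ATTACK = BASELINE + [_event(2, 4625, FAILED, "mallory", "failure", "high") for _ in range(12)]

def signature_map(events):
    """signature_id -> signature text, deduplicated (like `dedup signature_id`)."""
    return {e["signature_id"]: e["signature"] for e in events}

def severity_report(events):
    """Count and percentage per severity (like `stats count by severity` + eval)."""
    counts = Counter(e["severity"] for e in events)
    total = sum(counts.values())
    return {sev: (n, round(100 * n / total, 1)) for sev, n in counts.items()}

def hourly_failures(events):
    """Failed logons per hour, keyed on signature_id so a renamed signature
    text after a Windows update does not silently break the count."""
    return Counter(e["hour"] for e in events if e["signature_id"] == 4625)

def failed_login_threshold(baseline, k=3):
    """Alert threshold: baseline mean + k standard deviations of hourly failures."""
    counts = list(hourly_failures(baseline).values())
    return mean(counts) + k * pstdev(counts)

def failed_login_alerts(events, threshold):
    """Hours whose failed-logon count exceeds the threshold, with users involved."""
    alerts = []
    for hour, n in sorted(hourly_failures(events).items()):
        if n > threshold:
            users = {e["user"] for e in events
                     if e["hour"] == hour and e["signature_id"] == 4625}
            alerts.append({"hour": hour, "count": n, "users": sorted(users)})
    return alerts
```

Running `failed_login_alerts(ATTACK, failed_login_threshold(BASELINE))` flags only hour 2, which is the point at which a Splunk alert would send its email to the SOC team.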

Dashboards & Visualizations – Built dashboards to visualize Windows server activity trends and identify suspicious users or events in real time.

Tools/Skills: Splunk dashboards, visualizations (line charts, bar/pie charts, gauges), SPL, panel customization, time-range filters

  • Designed line charts tracking different signature and user values over time.
  • Created bar, pie, and custom visualizations for counts of signatures and users.
  • Developed a single-value panel (e.g., radial gauge) to highlight critical metrics.
  • Configured dashboard with time-range filters for flexible analysis.
  • Labeled and organized panels for clarity, enabling efficient SOC monitoring.
  • Reviewed dashboard outputs against attack logs to assess detection capability.

Visualization examples:

Dashboard examples:

Results – Successfully implemented a Windows server monitoring solution in Splunk, creating actionable reports, alerts, and dashboards to detect and visualize suspicious activity.

  • Successfully ingested and analyzed Windows server logs in Splunk.
  • Developed reports summarizing signatures, severity levels, and success/failure activity.
  • Configured alerts for failed logins, successful logins, and deleted accounts, with thresholds set based on baseline activity.
  • Built dashboards with line charts, bar/pie charts, and single-value panels to visualize user and signature activity over time.
  • Detected suspicious activity in the attack logs, including spikes in high-severity events, excessive logins by specific users, and abnormal signature counts.

Key Takeaways
  • Strengthened proficiency with Splunk for log ingestion, searching, and monitoring.
  • Gained hands-on experience creating custom reports and dashboards for Windows server activity.
  • Learned how to define and apply baseline metrics to identify anomalies in server activity.
  • Developed skills in configuring alerts with thresholds and notifications for real-time SOC monitoring.
  • Practiced interpreting log data to detect suspicious behavior and correlate events to potential attacks.
  • Enhanced understanding of Windows server security events, including login failures, account deletions, and signature analysis.
  • Built experience with visualizing data effectively to support operational decision-making in a security monitoring context.