I built a centralized log analysis workflow to surface signs of intrusion across systems, applications, and network devices. Using the ELK Stack and optional Splunk, I collected, parsed, visualized, and alerted on events that indicate brute force, lateral movement, and data exfiltration.
(How to Perform Log Analysis for Intrusions)
Stand up a reliable log pipeline and dashboarding layer
Ingest system, application, network, and security tool logs
Detect suspicious patterns such as spikes in failed logins or unusual outbound traffic
Document findings with clear evidence and recommended actions
Basic cybersecurity and logging concepts
A workstation with internet access
One analysis platform: ELK Stack or Splunk
ELK Stack or Splunk
Syslog forwarding and file collectors
Field extraction with Grok and date processors
1. Environment setup
Deployed Elasticsearch, Logstash, and Kibana, or installed Splunk as an alternative.
Verified service health, storage paths, and index lifecycle or retention settings.
2. Collection and parsing
Configured Logstash inputs for files and syslog.
Wrote Grok patterns and date parsing to normalize timestamps and fields.
Enabled forwarding from servers, web apps, firewalls, and IDS tools.
3. Visualization
Created Kibana index patterns and built baseline dashboards:
Failed login attempts by source IP address and username over time
Outbound traffic volumes by destination IP address and port
IDS alert trends and top signatures
4. Alerting
Set threshold alerts for high risk behaviors:
5 or more failed logins from the same source IP address within 10 minutes
Outbound transfer above a daily baseline to a non-approved destination
Routed alerts to email or chat for rapid investigation.
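The parsing in step 2 and the first threshold rule in step 4 can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the project itself: it applies a regex equivalent of a Grok pattern to constructed sshd "Failed password" lines, normalizes the syslog timestamp (syslog omits the year, so the year is supplied as an assumption), and runs a sliding window that fires once per source IP address when 5 or more failures land within 10 minutes. The log lines, hostnames and addresses are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (not real data). Syslog
# timestamps carry no year, so YEAR is an assumption supplied at parse time.
YEAR = 2024
SAMPLE_LOG = """\
Mar 12 10:01:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 12 10:02:10 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar 12 10:03:30 web01 sshd[2215]: Failed password for invalid user test from 203.0.113.45 port 51140 ssh2
Mar 12 10:04:00 web01 sshd[2216]: Accepted password for deploy from 198.51.100.7 port 40000 ssh2
Mar 12 10:05:45 web01 sshd[2218]: Failed password for root from 203.0.113.45 port 51150 ssh2
Mar 12 10:08:12 web01 sshd[2220]: Failed password for invalid user oracle from 203.0.113.45 port 51160 ssh2
Mar 12 10:30:00 web01 sshd[2230]: Failed password for root from 198.51.100.7 port 40010 ssh2
Mar 12 11:00:00 web01 sshd[2240]: Failed password for root from 198.51.100.7 port 40020 ssh2
"""

# Regex equivalent of a Grok pattern along the lines of
# %{SYSLOGTIMESTAMP:ts} %{HOSTNAME:host} sshd\[%{POSINT:pid}\]: Failed password for
#   (invalid user )?%{USERNAME:user} from %{IP:src_ip} port %{POSINT:port}
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<port>\d+)"
)


def parse_failed_logins(text, year=YEAR):
    """Extract failed-login events with a normalized datetime, skipping other lines."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "@timestamp": ts,
            "host": m["host"],
            "user": m["user"],
            "src_ip": m["src_ip"],
            "port": int(m["port"]),
        })
    return events


def detect_brute_force(events, threshold=5, window_minutes=10):
    """Sliding window per source IP; one alert per IP the first time the threshold is crossed."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        q = recent[ev["src_ip"]]
        q.append(ev)
        # Drop events older than the window relative to the newest event.
        while q and ev["@timestamp"] - q[0]["@timestamp"] > window:
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in alerted:
            alerted.add(ev["src_ip"])
            alerts.append({
                "src_ip": ev["src_ip"],
                "host": ev["host"],
                "count": len(q),
                "first_seen": q[0]["@timestamp"],
                "last_seen": ev["@timestamp"],
                "users": sorted({e["user"] for e in q}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse_failed_logins(SAMPLE_LOG)):
        print(f"ALERT {alert['src_ip']} -> {alert['host']}: {alert['count']} failures "
              f"between {alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}, "
              f"users tried: {', '.join(alert['users'])}")
```

On the sample above only 203.0.113.45 trips the rule (five failures in just over seven minutes, spread across four usernames); the two failures from 198.51.100.7 half an hour apart stay below threshold. The "users" list in the alert is what an analyst wants for the drill-down in step 5, since many distinct usernames from one address points at a spray rather than a forgotten password.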
5. Investigation
Drilled into spikes to correlate usernames, hosts, and source IP addresses.
Traced unusual egress to destination, protocol, and bytes transferred.
Captured screenshots and raw event samples as evidence.
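The second rule in step 4 (outbound transfer above a daily baseline to a non-approved destination) and the egress tracing in step 5 are shown together below. This is an added example for this page, not the project's own detection content: it reads constructed daily flow summaries, builds a per-host baseline from prior days' transfers to destinations outside an assumed approved list, flags the day under review when it exceeds the baseline by a factor, and then breaks a flagged host's egress down by destination, protocol and port. Hostnames, addresses, byte counts and the approved-destination list are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed daily flow summaries (not real data): bytes sent per day from a
# source host to a destination address, protocol and port.
FLOWS_CSV = """\
date,src_host,dst_ip,proto,dst_port,bytes
2024-03-10,db01,198.51.100.20,tcp,443,52000000
2024-03-10,db01,203.0.113.80,tcp,443,1200000
2024-03-11,db01,198.51.100.20,tcp,443,48000000
2024-03-11,db01,203.0.113.80,tcp,443,900000
2024-03-12,db01,198.51.100.20,tcp,443,50000000
2024-03-12,db01,203.0.113.80,tcp,443,310000000
2024-03-12,db01,203.0.113.99,tcp,22,45000000
2024-03-10,web01,203.0.113.80,tcp,443,3000000
2024-03-11,web01,203.0.113.80,tcp,443,2800000
2024-03-12,web01,203.0.113.80,tcp,443,3100000
"""

# Destinations with a documented business purpose (assumed here: an off-site
# backup service). Traffic to these is excluded from the baseline and the rule.
APPROVED_DESTINATIONS = {"198.51.100.20"}


def load_flows(text):
    """Parse the CSV summaries into dicts with numeric bytes and port fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bytes"] = int(r["bytes"])
        r["dst_port"] = int(r["dst_port"])
    return rows


def daily_unapproved_egress(flows):
    """Return {host: {date: bytes}} counting only non-approved destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["dst_ip"] not in APPROVED_DESTINATIONS:
            totals[f["src_host"]][f["date"]] += f["bytes"]
    return totals


def detect_egress_anomalies(flows, day, factor=3.0):
    """Flag hosts whose non-approved egress on `day` exceeds factor x the mean of prior days."""
    alerts = []
    for host, per_day in daily_unapproved_egress(flows).items():
        prior = [b for d, b in per_day.items() if d < day]  # ISO dates compare lexically
        if not prior:
            continue  # no history yet; a host with no baseline needs separate review
        baseline = mean(prior)
        today = per_day.get(day, 0)
        if today > baseline * factor:
            alerts.append({
                "host": host,
                "date": day,
                "bytes": today,
                "baseline": baseline,
                "ratio": today / baseline,
            })
    return alerts


def trace_egress(flows, host, day):
    """Break a flagged host's non-approved egress on `day` down by destination, largest first."""
    by_dst = defaultdict(int)
    for f in flows:
        if (f["src_host"] == host and f["date"] == day
                and f["dst_ip"] not in APPROVED_DESTINATIONS):
            by_dst[(f["dst_ip"], f["proto"], f["dst_port"])] += f["bytes"]
    return sorted(by_dst.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    flows = load_flows(FLOWS_CSV)
    for a in detect_egress_anomalies(flows, "2024-03-12"):
        print(f"ALERT {a['host']} sent {a['bytes']:,} bytes to non-approved destinations on "
              f"{a['date']} ({a['ratio']:.0f}x the {a['baseline']:,.0f} byte baseline)")
        for (dst, proto, port), n in trace_egress(flows, a["host"], a["date"]):
            print(f"  {dst} {proto}/{port}: {n:,} bytes")
```

With this data db01 is flagged (roughly 355 MB against a baseline of about 1 MB) while web01, whose daily volume barely moves, is not. The trace output gives the destination, protocol and byte count that step 5 calls for, and the fact that the largest transfer goes to an address the host had only ever sent a trickle to is exactly the kind of evidence worth capturing raw for the incident note in step 6.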
6. Reporting
Wrote an incident note with scope, indicators, timeline, and actions.
Preserved evidence and restricted access when the activity appeared to be a genuine intrusion.
Central visibility across hosts and network edges
Faster detection of brute force and suspicious egress
Repeatable dashboards and alerts the team can reuse
Log pipeline engineering and parsing
Detection content design and tuning
Incident documentation and evidence handling