Defensive Log Monitoring & Detection Engineering

A defensive security project focused on monitoring Windows and Apache logs using Splunk, building baseline-driven alerts and dashboards, and analyzing attack activity through log correlation and behavioral deviation.

Category
Security Project
Stack
Splunk, SPL, Windows Security Logs, Apache Logs, Linux, Security Onion, Snort, UFW
Date
Dec 12, 2024

The Challenge

Modern attacks often blend into normal system and network activity, making detection difficult when relying solely on static thresholds or isolated alerts.

The goal of this project was to design a defensive monitoring workflow that could distinguish malicious behavior from normal operational noise using log-based analysis.

The solution needed to support baseline establishment, alert tuning, and analyst-friendly visualization across both host and web server telemetry.

My Approach

I approached this project from a SOC and detection engineering perspective rather than a purely academic exercise.

Instead of focusing on individual events, I emphasized baseline behavior and behavioral deviation to identify suspicious activity.

Dashboards, alerts, and reports were designed to mirror how real-world security teams monitor, investigate, and validate potential incidents.

Build Process

Ingested and analyzed Windows Security event logs to monitor authentication events (successful and failed logons, Event IDs 4624 and 4625), privilege use (special privileges assigned at logon, Event ID 4672), and account changes (account creation and deletion, Event IDs 4720 and 4726)

Parsed Apache web server logs to track HTTP methods, response codes, URI access patterns, and traffic volume

Built baseline reports to establish normal behavior for users, hosts, and web traffic

Developed SPL-based alerts for failed login anomalies, privilege escalation attempts, account deletion events, and HTTP POST spikes

Created analyst-focused dashboards to visualize alerts, trends, and attack indicators

Compared baseline activity against attack-period telemetry to identify deviations and escalation patterns

Documented findings and conclusions based on multi-source log correlation
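The steps above map naturally onto Splunk saved searches. The `savedsearches.conf` fragment below is an added example, not the project's own configuration: it shows one baseline report and the four alert types listed above, each written so the threshold is derived from the trailing week rather than fixed by hand. It assumes an index named `lab`, Windows events ingested as sourcetype `WinEventLog:Security` with the field names the Splunk Add-on for Microsoft Windows extracts (`user`, `src_user`, `src_ip`), Apache logs as sourcetype `access_combined` with Splunk's built-in extractions (`clientip`, `method`, `uri_path`), and the multipliers and floors (3x, 5x, 10, 50) are illustrative starting points to tune against your own baseline.

```ini
# savedsearches.conf (added example, not from the project; index "lab",
# sourcetypes and field names are assumptions stated in the lead-in)

# Baseline report feeding the dashboard: hourly 4625 volume per host over
# the trailing week. Used to eyeball normal failure rates before setting
# alert multipliers.
[Baseline - Hourly Failed Logons by Host]
description = Hourly failed-logon (4625) counts per host, trailing 7 days
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -7d@h
dispatch.latest_time = @h
search = index=lab sourcetype=WinEventLog:Security EventCode=4625 \
  | timechart span=1h count by host

# Failed-login anomaly: last 60 minutes of 4625 per account versus that
# account's average hourly rate over the preceding 167 hours (7d minus the
# current hour). The floor of 10 keeps a normally quiet account from
# alerting on one or two typos.
[Auth - Failed Logon Deviation From Baseline]
description = Account whose failed logons in the last hour exceed 3x its weekly hourly average (min 10)
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
search = index=lab sourcetype=WinEventLog:Security EventCode=4625 \
  | eval period=if(_time >= relative_time(now(), "-60m"), "current", "baseline") \
  | stats count(eval(period=="baseline")) AS base_total, \
          count(eval(period=="current")) AS cur, \
          dc(eval(if(period=="current", src_ip, null()))) AS cur_sources BY user \
  | eval base_hourly=round(base_total/167, 2) \
  | where cur >= 10 AND cur > 3*base_hourly
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
alert.suppress = 1
alert.suppress.fields = user
alert.suppress.period = 1h

# Privilege escalation: 4672 fires on every privileged logon, so the signal
# is not the event but an account that has never received it before in the
# trailing week. Built-in SYSTEM and machine accounts (name ending in $)
# are excluded because they dominate the volume.
[Priv - First-Time Special Privilege Assignment]
description = Account receiving special privileges (4672) for the first time in 7 days
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
search = index=lab sourcetype=WinEventLog:Security EventCode=4672 \
    user!="SYSTEM" NOT user="*$" \
  | stats earliest(_time) AS first_seen, count AS privileged_logons BY host, user \
  | where first_seen >= relative_time(now(), "-15m") \
  | convert ctime(first_seen)
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4

# Account deletion: low volume, so every event is surfaced with the subject
# (who deleted) and target (what was deleted). Window is aligned to the
# minute so consecutive runs neither overlap nor leave a gap.
[Acct - Account Deleted]
description = Any user account deletion (4726)
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
search = index=lab sourcetype=WinEventLog:Security EventCode=4726 \
  | table _time, host, src_user, user
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 5

# HTTP POST spike: POSTs in the last 5 minutes versus the average 5-minute
# POST count over the preceding 2015 five-minute bins (7d minus the current
# bin). Distinct source count and posted paths are carried along so the
# analyst can tell one noisy client from a distributed burst at a glance.
[Web - HTTP POST Spike vs Baseline]
description = POST volume in the last 5 minutes exceeds 5x the weekly 5-minute average (min 50)
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -7d@m
dispatch.latest_time = now
search = index=lab sourcetype=access_combined method=POST \
  | eval period=if(_time >= relative_time(now(), "-5m"), "current", "baseline") \
  | stats count(eval(period=="baseline")) AS base_total, \
          count(eval(period=="current")) AS cur, \
          dc(eval(if(period=="current", clientip, null()))) AS cur_sources, \
          values(eval(if(period=="current", uri_path, null()))) AS cur_paths \
  | eval base_per_5m=round(base_total/2015, 2) \
  | where cur >= 50 AND cur > 5*base_per_5m
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 3
```

Two caveats a practitioner would want. First, the baseline searches re-scan seven days of raw events on every run; that is fine for a lab, but in production the weekly averages belong in a summary index or a lookup refreshed once an hour, with the alert searches reading only the current window. Second, the "first seen in 7 days" logic for 4672 is only as good as the retention window: after an outage or a fresh deployment every admin looks new for a week, so the alert should be validated against the baseline report before it is trusted.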

Security Focus

This project emphasized detection accuracy, improving the signal-to-noise ratio of alerts, and analyst usability.

Alerts were designed around behavioral patterns rather than single indicators of compromise.

Windows and Apache telemetry were correlated to provide layered visibility into attack activity.

The workflow reinforces real-world defensive practices such as baseline-driven monitoring, alert validation, and incident triage.
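The correlation described in this section can be expressed as a single Splunk search that pivots on source IP across both sourcetypes. The `savedsearches.conf` stanza below is an added example, not the project's own configuration: it reports every source address that both sent HTTP POSTs to the Apache server and generated Windows 4625 failures in the same hour, a pattern that neither log shows on its own. It assumes an index named `lab`, Apache logs as sourcetype `access_combined` with Splunk's built-in `clientip`, `method` and `uri_path` extractions, and Windows events as sourcetype `WinEventLog:Security` with the `user` and `src_ip` fields the Splunk Add-on for Microsoft Windows extracts.

```ini
# savedsearches.conf (added example, not from the project; index "lab",
# sourcetypes and field names are assumptions stated in the lead-in)

# Layered visibility: one search over both sourcetypes, normalised on a
# common "src" field, then counted per source so the two telemetry streams
# land on the same row.
[Corr - Web POST Source Also Failing Windows Logons]
description = Source IPs that POST to the web server and fail Windows logons in the same hour
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -60m
dispatch.latest_time = now
search = index=lab ((sourcetype=access_combined method=POST) OR (sourcetype=WinEventLog:Security EventCode=4625)) \
  | eval src=coalesce(clientip, src_ip) \
  | where isnotnull(src) AND src!="-" AND src!="127.0.0.1" AND src!="::1" \
  | stats count(eval(sourcetype=="access_combined")) AS web_posts, \
          count(eval(EventCode=="4625")) AS failed_logons, \
          dc(eval(if(EventCode=="4625", user, null()))) AS accounts_tried, \
          values(eval(if(sourcetype=="access_combined", uri_path, null()))) AS posted_paths, \
          min(_time) AS first_seen, max(_time) AS last_seen BY src \
  | where web_posts > 0 AND failed_logons > 0 \
  | convert ctime(first_seen) ctime(last_seen) \
  | sort - failed_logons
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 5
```

Local and console logons carry `-` or a loopback address in the Windows source field, which is why those values are dropped before the join; without that filter the host's own activity pairs with every web client. The `accounts_tried` column is the triage hint: one account with many failures reads as a targeted guess, many accounts with few failures each reads as a spray.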

Results

Successfully identified anomalous authentication, privilege escalation, and web traffic patterns during simulated attack periods.

Demonstrated how baseline comparison improves detection fidelity and reduces false positives.

Delivered clear dashboards and alerts suitable for SOC-style monitoring and investigation.

Produced documented analysis artifacts that mirror real-world incident reporting and detection engineering workflows.

Want to dig into the code?

This project is fully documented on GitHub, including notes, commits, and future ideas.