Cybersecurity
Active Directory Project

Using a SIEM tool provided me with a valuable hands-on experience. Inspired by MyDFIR's YouTube video series, I set up a project involving Active Directory and Splunk, integrating automation with Shuffle and Slack. I learned to create a playbook for identifying and responding to cyber attacks.

[Image: network diagram of the project, created in draw.io]

I created a network diagram using draw.io to visualize the project setup. This diagram served as a reference to ensure objectives were implemented (e.g., send an alert if an account has been disabled).

Using a cloud platform called Vultr, I was able to provision Windows Server and Ubuntu Server virtual machines to set up Active Directory and Splunk. I learned to configure firewall settings and set up a VPC (virtual private cloud) to ensure only authorized users can access the machines.

Active Directory was installed on one of the Windows Servers to act as a central database (domain controller) for users, groups, devices, and login credentials. A related group of such entities is called a domain.

Splunk is a SIEM tool which collects and aggregates logs from multiple sources (e.g., computers) and creates alerts for security events. I installed Splunk on the Ubuntu Server, and installed Splunk Universal Forwarders on the Domain Controller and Test Machine to forward telemetry data to the Ubuntu Server.

Shuffle is a SOAR automation solution which can be used to automate security playbooks and integrate with various services like Slack and Active Directory.

Slack is an instant messaging application. In this project, Slack is used to generate alerts to inform the SOC analyst about any potential security threats.

[Image: Shuffle workflow for the Successful Unauthorized Login alert]

Here is the Shuffle workflow I created for this project, featuring an alert called Successful Unauthorized Login. A Splunk alert prompts Slack to notify the SOC Analyst, who assesses the situation. If malicious, the account is automatically disabled; otherwise, no action is taken. The SOC Analyst is then informed of the account's status.
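As an added example (not code from the original project), here is a small Python model of the playbook described above: a constructed set of Windows logon events stands in for the data forwarded to Splunk, the trusted network range is an assumed placeholder, and the Slack and Active Directory actions are injected callables so the logic runs offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

TRUSTED_NETWORK = ipaddress.ip_network("10.0.0.0/24")  # assumed placeholder VPC range

# Constructed events shaped like Windows Security ID 4624 (successful logon)
# and 4625 (failed logon), as a Universal Forwarder would ship them to Splunk.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "user": "jdoe", "src_ip": "10.0.0.15"},
    {"EventCode": 4624, "user": "jdoe", "src_ip": "203.0.113.44"},
    {"EventCode": 4625, "user": "admin", "src_ip": "203.0.113.44"},
    {"EventCode": 4624, "user": "svc_backup", "src_ip": "10.0.0.7"},
]

def successful_unauthorized_logins(events, trusted=TRUSTED_NETWORK):
    """Mirror of the Splunk alert: successful logons from outside the trusted net."""
    return [e for e in events if e["EventCode"] == 4624
            and ipaddress.ip_address(e["src_ip"]) not in trusted]

@dataclass
class Playbook:
    """Shuffle-style flow: Slack alert -> analyst verdict -> disable if malicious
    -> Slack status. The callables stand in for the Slack and AD app actions."""
    notify: Callable[[str], None]
    disable_account: Callable[[str], None]
    ask_analyst: Callable[[dict], str]   # returns "malicious" or "benign"

    def handle(self, event):
        user, src = event["user"], event["src_ip"]
        self.notify(f"ALERT: successful logon for {user} from {src}")
        verdict = self.ask_analyst(event)
        if verdict == "malicious":
            self.disable_account(user)      # the only path that touches AD
            status = "disabled"
        else:
            status = "left enabled"
        self.notify(f"STATUS: account {user} {status} ({verdict})")
        return status

def run_demo(verdicts=None):
    """Run the playbook over the constructed events with scripted verdicts."""
    verdicts = {"jdoe": "malicious"} if verdicts is None else verdicts
    messages, disabled = [], []
    pb = Playbook(notify=messages.append, disable_account=disabled.append,
                  ask_analyst=lambda e: verdicts.get(e["user"], "benign"))
    for ev in successful_unauthorized_logins(SAMPLE_EVENTS):
        pb.handle(ev)
    return {"messages": messages, "disabled": disabled}
```

Only the logon from outside the trusted range raises an alert, and the account is disabled only when the analyst's verdict is "malicious"; a benign verdict leaves the account untouched and reports that status back.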

Putting It All Together

Exploring Splunk and automating the security response process with Shuffle provided me with valuable hands-on experience in cybersecurity. Although I'm not an expert with these tools, I found this project intriguing and worth delving into more deeply. I believe that Splunk queries can be highly effective, and when configured correctly, automation for responding to security incidents can streamline the tasks of security analysts.