Inspiration

Identity-based attacks like brute-force and credential stuffing are among the most common causes of security breaches today. Many small organizations lack the real-time visibility and detection tools needed to identify these attacks as they happen. We wanted to create a simple yet powerful monitoring system using Splunk that visualizes suspicious login activity and helps detect early signs of compromise.

What it does

SplunkSec is a real-time identity monitoring dashboard built in Splunk Enterprise. It analyzes Windows Security logs to detect abnormal authentication patterns, such as multiple failed logins or unusual success sequences, and automatically visualizes them in one centralized dashboard.

Key panels show:

- Active incidents with severity levels
- Failed logins over time
- Specific logs for each failed login
- Alerts categorized by type
- Login success vs failure ratios

How we built it

- Collected Windows Security log (Event Viewer) data and forwarded it to Splunk Enterprise.
- Used SPL (Search Processing Language) to filter, correlate, and categorize events such as EventCode=4625 (failed logins).
- Built real-time dashboards with panels for incidents, event counts, and trends.
- Tuned alerts for repeated failures and created severity classifications (High, Medium).
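The correlation rule behind the incident and alert panels, written out in plain Python as an added example rather than the project's own SPL: repeated EventCode 4625 failures per account and source IP inside a sliding window are classified Medium or High, and a 4624 success from a source that already crossed a threshold is flagged as an unusual success sequence. The window length, thresholds, field names and sample events are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events carrying the Windows Security log fields the dashboard
# keys on (EventCode 4625 = failed logon, 4624 = successful logon); not real data.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00", "EventCode": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"_time": "2024-05-01T10:00:20", "EventCode": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"_time": "2024-05-01T10:00:40", "EventCode": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"_time": "2024-05-01T10:01:00", "EventCode": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"_time": "2024-05-01T10:01:20", "EventCode": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"_time": "2024-05-01T10:01:30", "EventCode": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"_time": "2024-05-01T10:05:00", "EventCode": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    {"_time": "2024-05-01T10:05:30", "EventCode": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    {"_time": "2024-05-01T10:06:00", "EventCode": 4625, "TargetUserName": "bob", "IpAddress": "10.0.0.9"},
    {"_time": "2024-05-01T11:00:00", "EventCode": 4624, "TargetUserName": "carol", "IpAddress": "10.0.0.7"},
]

# Assumed tuning (not the project's values): the 4625 count per (account, source IP)
# inside a sliding window decides the severity.
WINDOW = timedelta(minutes=5)
MEDIUM_THRESHOLD = 3
HIGH_THRESHOLD = 5

def detect_incidents(events, window=WINDOW, medium=MEDIUM_THRESHOLD, high=HIGH_THRESHOLD):
    """Return {(user, ip): severity} where the peak 4625 count in any window reaches a threshold."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["EventCode"] == 4625:
            failures[(ev["TargetUserName"], ev["IpAddress"])].append(datetime.fromisoformat(ev["_time"]))
    incidents = {}
    for key, times in failures.items():
        peak = start = 0
        for end in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= high:
            incidents[key] = "High"
        elif peak >= medium:
            incidents[key] = "Medium"
    return incidents

def successes_after_incident(events, incidents):
    """The 'unusual success sequence': a 4624 from an account/source that already crossed a failure threshold."""
    return [(ev["TargetUserName"], ev["IpAddress"]) for ev in events
            if ev["EventCode"] == 4624 and (ev["TargetUserName"], ev["IpAddress"]) in incidents]
```

In Splunk the same grouping is what a `stats count by TargetUserName, IpAddress` over a short time span feeds into the alert threshold; the Python version makes the window and threshold logic explicit so they can be tuned before being ported to SPL.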
Challenges we ran into

- Configuring data forwarding between Windows and Splunk took time due to authentication issues.
- Getting predictive analytics and visualizations to populate correctly required testing SPL queries.
- Ensuring the dashboard updated in real time while keeping queries optimized.

Accomplishments that we're proud of

- Successfully built a fully working Splunk security dashboard from raw Windows event logs.
- Detected and visualized multiple simulated brute-force and suspicious login attempts.

What we learned

We learned a lot, as we basically all had to learn Splunk configuration from the ground up, as well as how to search in SPL.

What's next for SplunkSec

- Expand data sources to include logs from other software like MS Office.
- Integrate automated email notifications for alerts.
- Build a web-based visualization interface to make it more accessible.
- Geolocation-based alerts based on IP data.
- More types of alerts, such as for account lockouts.
Built With
- splunk
- windows-event-viewer
