35-Day Break, WHY? Should I need to STOP?
Muhammad Bilal Akhtar
What Happened in the Last 35 Days?
Before diving into this Splunk project, I had a 35-day gap in my learning journey. The first 8 days were spent celebrating Eid-ul-Azha with family, followed by a trip to another city to attend my cousin’s wedding, which lasted about 10 days. After returning home, I focused on revising previous cybersecurity topics to refresh my memory. Then came a 10-day break dedicated to completing urgent college assignments. Finally, over the past 3 days, I’ve fully resumed my learning and have been focusing intensely on Splunk and practical SOC skills — which led to this project!
Why I Started Learning Splunk
As an aspiring SOC (Security Operations Center) Analyst, I knew that log analysis and real-time monitoring are core responsibilities. That's why I decided to dive deep into Splunk — one of the most widely-used SIEM (Security Information and Event Management) tools in the industry.
My goal was simple:
✅ Learn how to ingest logs
✅ Detect attacks like brute-force login attempts
✅ Build a dashboard to visualize real threats
Understanding Splunk: Core Concepts
Before jumping into detection, I made sure I understood some key Splunk theory:
| Concept | Description |
| Index | Storage location for events |
| Sourcetype | Tells Splunk how to interpret data |
| Search Processing Language (SPL) | The language used to query logs |
| Events | Single record or log line |
| Fields | Extracted pieces of info like IP, UserName, EventId |
Data Source: Windows Security Logs
For this project, I worked with Windows Event Logs, especially:
EventId=4625— Failed login attemptsThese logs simulate brute-force attacks, which are common and critical to detect in any organization.
I exported the logs from my own system and also tested with sample datasets in .csv format for more flexibility.
Step-by-Step: Building the Brute-Force Detection Dashboard
Data Ingestion
I uploaded win_security_logs.csv into Splunk using:
Index:
brute_froceSourcetype: Custom manual setting
File contained simulated failed login attempts
Field Identification
While analyzing the logs, I found:
UserNameexisted as a clear fieldEventId=4625was the primary code for failed loginsIPAddresswasn’t extracted by default, but I usedrexto pull it from raw logs.
splCopyEdit| rex field=_raw "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
SPL Queries I Used
Failed Logins by User
splCopyEditindex="brute_froce" EventId=4625
| stats count by UserName
| sort - count
Brute-Force Detection (users with > 3 attempts)
splCopyEditindex="brute_froce" EventId=4625
| stats count by UserName
| where count > 3
Top Source IPs (if extracted)
splCopyEditindex="brute_froce" EventId=4625
| rex field=_raw "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| stats count by src_ip
Creating the Dashboard
I created a custom dashboard titled:
Brute-force Detection Dashboard
It includes the following panels:
| Panel Name | Type |
| Top Failed Login Users | Bar Chart |
| Users with >3 failures | Table |
| Top Attacker IPs | Pie Chart |
| Login Failures Over Time | Line Chart |
Pro Features I Added
✅ Alert Rule:
If any user has more than 5 failed login attempts, the alert gets triggered.
✅ Header Panel:
Explains what the dashboard does and how it helps in detecting brute-force behavior.
What I Learned
Hands-on log ingestion & parsing
SPL commands and regex extraction
Building interactive dashboards for Blue Team
Thinking like a SOC Analyst and not just a Splunk user
Follow me on LinkedIn: Bilal
Subscribe to my newsletter
Read articles from Muhammad Bilal Akhtar directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by