Home Lab Milestone Reached

I've recently connected my Splunk instance to Gmail. This has pushed my home lab to another level. This opens up a few doors that I've been wanting to walk through and I'm proud of what I've built and continue to build upon.
Now that my Splunk instance sends emails when alerts get triggered, it's that much closer to operating like a real SOC. Prior to this I wasn't aware of when alerts were triggered and had to intentionally look through a growing selection of alerts manually to check if anything fired off. Now I get email notifications that arrive on my phone as well as desktop notifications in the VM.
Not only does this solve the visibility issue, but it adds more issues that I'm looking forward to ironing out. I now have a clear view on the frequency of the alerts firing. So I will be able to further tune them to reduce noise, as some of them go off more frequently than necessary. The benefit of this is understanding how to produce better alerts as well as more hands-on experience tuning them.
What I'm mostly looking forward to is triaging them and especially writing reports on them. Being able to investigate alerts and perform a SOC analysis is an ability that I'm looking forward to honing my skills further with. I wrote a few reports on TryHackMe's SIEM simulator rooms, but I prefer to practice what I learned from Tyler Wall and his SOC Method of investigation.
So now I perform adversary emulation in an Active Directory environment. Universal Forwarders send logs to Splunk to ingest. Any new VM added gets a UF installed and the Splunk Deployment server pushes apps to it as part of a Server Class. Log analysis is performed in Splunk, detections are written in Sigma before being converted to SPL and kept in version control to prevent drift. Terraform automatically adds the converted SPL to the Splunk instance as Saved Searches. Then alerts get fine-tuned for the environment, and now investigations into the results of the alert can take place to produce an analysis report.
That is a high-level summation of what I have built and operate thus far. There are a few details left out, notably my malware analysis environment, but that is because I have been focused on building out everything mentioned above. I love building this stuff and look forward to its growth.
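As an added illustration of the pipeline described above (not the author's own configuration), here is the shape of one Terraform-managed saved search: a scheduled alert with an email action and per-host suppression to cut repeat notifications. Attribute names follow the splunk/splunk provider's splunk_saved_searches resource and should be checked against the installed provider version; the SPL string, resource name and recipient address are constructed placeholders standing in for a Sigma-to-SPL conversion result.

```hcl
# Added example: one converted detection managed as code.
# The SPL and the email address are placeholders, not the author's rules.
resource "splunk_saved_searches" "win_new_local_admin" {
  name = "Sigma - Windows - User Added to Local Administrators"
  # Placeholder SPL standing in for the Sigma backend's output
  search = "index=wineventlog EventCode=4732 TargetUserName=\"Administrators\" | stats count by ComputerName, SubjectUserName, MemberName"

  # Schedule: run every 15 minutes over the previous 15 minutes
  is_scheduled           = true
  cron_schedule          = "*/15 * * * *"
  dispatch_earliest_time = "-15m"
  dispatch_latest_time   = "now"

  # Fire when the search returns any result
  alert_type       = "number of events"
  alert_comparator = "greater than"
  alert_threshold  = "0"
  alert_severity   = 4
  alert_track      = true # keep it in Triggered Alerts for triage

  # Noise tuning: one notification per host per hour, not one per event
  alert_suppress        = true
  alert_suppress_period = "1h"
  alert_suppress_fields = "ComputerName"

  # Email action, the piece that turns the lab into a SOC-style queue
  actions                   = "email"
  action_email_to           = "soc-inbox@example.com" # placeholder
  action_email_subject      = "Splunk Alert: $name$"
  action_email_format       = "table"
  action_email_send_results = true
  action_email_max_results  = 50

  acl {
    owner   = "admin"
    app     = "search"
    sharing = "app"
  }
}
```

Because the resource lives in version control, any hand edit made in the Splunk UI shows up as drift on the next plan and is reverted on apply.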
More to come soon!