This repo contains hands-on blue team projects focused on building detections, analyzing Windows logs, and simulating adversary techniques using Splunk, Sigma, and MITRE ATT&CK.
| Detection Name | Tool | Log Type | MITRE Technique |
|---|---|---|---|
| Suspicious PowerShell Use | Splunk | WinEventLog:Security | T1059.001 |
| Multiple Failed Logins (4625) | Splunk | Security.evtx | T1110.001 |
| Encoded PowerShell Command | Sigma | Sysmon + EVTX | T1059, T1140 |
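As an added illustration of the detection logic the table describes (example code, not part of this repo), the script below runs two of those detections over constructed Windows-style events: a threshold on EventID 4625 per source address (T1110.001) with an allowlist for known noisy sources, and a check for an encoded PowerShell command line that decodes the base64/UTF-16LE argument for the analyst (T1059.001 / T1140). The event field names, the 5-in-60-seconds threshold, the sample addresses and the harmless encoded payload are all assumptions made for the example.

```python
"""Added example (not repo code): two toy detections over constructed events."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 10, 0, 0)


def _failed_logins(ip, user, start, count, step_seconds):
    """Build `count` constructed EventID 4625 records from one source, `step_seconds` apart."""
    return [
        {"time": (start + timedelta(seconds=step_seconds * k)).isoformat(),
         "EventID": 4625, "TargetUserName": user, "IpAddress": ip}
        for k in range(count)
    ]


# Constructed sample data, not real logs. PowerShell's -EncodedCommand takes
# base64 of UTF-16LE text, so the harmless payload is built the same way here.
ENCODED_PAYLOAD = base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode()

SAMPLE_EVENTS = (
    _failed_logins("203.0.113.7", "administrator", T0, 6, 10)                   # 6 failures in 50 s
    + _failed_logins("10.0.0.5", "alice", T0 + timedelta(minutes=2), 2, 30)     # a user mistyping
    + _failed_logins("10.0.0.200", "svc_scan", T0 + timedelta(minutes=5), 7, 5)  # assumed vuln scanner
    + [
        {"time": (T0 + timedelta(minutes=6)).isoformat(), "EventID": 4624,
         "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
        {"time": (T0 + timedelta(minutes=7)).isoformat(), "EventID": 4688,
         "CommandLine": f"powershell.exe -NoP -W Hidden -enc {ENCODED_PAYLOAD}"},
        {"time": (T0 + timedelta(minutes=8)).isoformat(), "EventID": 4688,
         "CommandLine": "powershell.exe -Command Get-Process"},
    ]
)


def detect_failed_logins(events, threshold=5, window=timedelta(seconds=60), allowlist=frozenset()):
    """Return {ip: max_count} for sources with >= `threshold` 4625 events inside any `window`.

    `allowlist` is the false-positive tuning knob: sources such as an authorised
    scanner are dropped before counting rather than after alerting.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4625 and ev["IpAddress"] not in allowlist:
            by_ip[ev["IpAddress"]].append(datetime.fromisoformat(ev["time"]))

    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        j = 0  # left edge of the sliding window
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            count = i - j + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


# Accepts the common prefixes PowerShell allows for -EncodedCommand (-e, -ec, -en, -enc)
# followed by a base64 token long enough to be a real payload.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def detect_encoded_powershell(events):
    """Return one finding per process-creation event that launches PowerShell with an encoded command."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if "powershell" not in cmd.lower():
            continue
        m = ENCODED_RE.search(cmd)
        if not m:
            continue
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = None  # still worth an alert: an undecodable blob is itself unusual
        findings.append({"time": ev["time"], "technique": "T1059.001, T1140",
                         "command_line": cmd, "decoded": decoded})
    return findings


if __name__ == "__main__":
    print("brute force:", detect_failed_logins(SAMPLE_EVENTS, allowlist=frozenset({"10.0.0.200"})))
    for f in detect_encoded_powershell(SAMPLE_EVENTS):
        print("encoded powershell:", f["time"], "->", f["decoded"])
```

Running it without the allowlist also flags the scanner source, which is the kind of result that pushes a rule from "fires" to "tuned": the same logic, the same window, but a documented exclusion for a source the SOC already knows about.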
- detections/ → SPL and Sigma rules
- logs/ → Sample .evtx logs from public data sets
- dashboards/ → Exported JSON dashboards from Splunk
- screenshots/ → Visuals from successful detections
- playbooks/ → Markdown guides for detection and validation
- Splunk Enterprise (Free)
- Sigma (with sigmac converter)
- MITRE ATT&CK Navigator
- EVTX Sample Logs (from public GitHub repos)
- How to detect real-world TTPs from public log data
- How to convert threat intel into detections
- How to tune false positives and write meaningful alerts
#splunk #mitre-att&ck #blueteam #detection #soc #evtx #sigma #windows-logs #cybersecurity