🔐 SSH Log Analysis using Splunk

---

📌 Project Overview

This project demonstrates SSH authentication log analysis using Splunk SIEM to detect malicious activity such as brute-force attacks, unauthorized access attempts, and suspicious SSH behavior.

It simulates real-world SOC analyst workflows, including log ingestion, SPL queries, dashboards, and alerting.

---

🎯 Objectives

The project aims to detect and analyze:

• ✅ Successful SSH logins (source and destination analysis)
• ❌ Failed login attempts (password guessing & spraying)
• 🚨 Multiple failed authentication attempts (brute-force indicators)
• 🔍 Connections without authentication (SSH probing or scanning)

---

🧪 Lab Setup & Prerequisites

Prerequisites

• Splunk Enterprise / Splunk Free
• Basic understanding of SPL

Dataset

• ssh_log.json (JSON-formatted SSH authentication logs)

---

⚙️ Environment Setup

1. Log in to Splunk Web

2. Navigate to:

   Apps → Search & Reporting
   

   

3. Click:

   Add Data → Upload
   

   

4. Upload ssh_log.json

5. Configure:

   • Source type: _json
   • Index: ssh_logs

6. Click Start Searching

---

🧩 Step-by-Step Implementation

---

🔹 Task 1: Log Ingestion & Parsing

Extracted Fields

• event_type
• auth_success
• auth_attempts
• id.orig_h (Source IP)
• id.resp_h (Destination Host)

Validation Query

index=ssh_logs
| stats count by event_type

✔ Confirms successful ingestion and parsing.

---

🔹 Task 2: Failed Login Analysis

SPL Query

index=ssh_logs event_type="Failed SSH Login"
| stats count by id.orig_h
| sort - count
| head 10

Visualization

• 📊 Bar Chart
• Failed login attempts per source IP

📌 Purpose: Identify suspicious IPs attempting credential abuse.

---

🔹 Task 3: Brute-Force Detection

Multiple Failed Attempts Query

index=ssh_logs event_type="Multiple Failed Authentication Attempts"
| stats count by id.orig_h, id.resp_h
| where count > 5

🚨 Alert Configuration

• Trigger: > 5 failed attempts
• Time Window: 10 minutes
• Alert Type: Scheduled / Real-Time
• Action: SOC notification or email

📌 Purpose: Early detection of brute-force attacks.

---

🔹 Task 4: Successful SSH Login Tracking

SPL Query

index=ssh_logs event_type="Successful SSH Login"
| stats count by id.orig_h, id.resp_h

Security Correlation

• Compare IPs with prior failed attempts
• Detect possible compromised credentials

📊 Dashboard Panel:

• Top source IPs with successful SSH access

---

🔹 Task 5: Unauthenticated SSH Connections

Detection Query

index=ssh_logs event_type="Connection Without Authentication"
| stats count by id.orig_h

Time-Based Monitoring

index=ssh_logs event_type="Connection Without Authentication"
| timechart count by id.orig_h

📌 Purpose: Detect reconnaissance, SSH probing, or port scanning.

---

📊 Dashboards Implemented

• 🔐 SSH Successful Login Monitoring
• ❌ Failed Authentication Attempts
• 🚨 Brute-Force Detection
• 🔍 Unauthenticated SSH Connection Trends

---

🚨 Alerts Implemented

Alert Name	Condition	Time Window
Brute Force Detection	>5 failed attempts	10 minutes

---

🧠 Skills Demonstrated

• Splunk SIEM
• SPL Query Writing
• Log Parsing & Analysis
• Brute-force Detection
• Security Monitoring
• SOC Operations

---

✅ Project Outcomes

✔ Real-world SOC use cases implemented ✔ Actionable dashboards & alerts created ✔ Improved threat detection capability ✔ Portfolio-ready cybersecurity project

---

🚀 Portfolio Value

This project is ideal for showcasing:

• SOC Analyst readiness
• SIEM hands-on experience
• Log-based threat detection skills

---

💡 Want to enhance this further?

I can help you add:

• 📸 Dashboard screenshots
• 🧾 Resume bullet points
• 🛡️ Incident response mapping (MITRE ATT&CK)
• 🧩 Splunk alert screenshots
• 🏆 GitHub profile optimization

Just tell me 👍