This project is a complete Splunk-based anomaly detection solution that identifies suspicious behaviors using structured log data, lookup files, dashboards, and alerts.
- Detect failed login surges by IP
- Detect logins from new, unknown devices
- Flag logins at unusual times
- Visual dashboards for real-time monitoring
- Reusable lookup tables for behavioral baselining
- Alert rules for automated responses
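The failed-login surge detection above, written out as an added SPL example (not one of the queries shipped in `/queries`). It assumes `dummydata.csv` has been indexed with fields `user`, `src_ip` and `status`, and that failures are recorded as `status="failure"`; the 5-minute window and the threshold of 10 attempts are assumed values to tune against your own baseline:

```spl
index=main source="dummydata.csv" status="failure"
| bin _time span=5m
| stats count AS failed_attempts, dc(user) AS distinct_users, values(user) AS users BY _time, src_ip
| where failed_attempts >= 10
| sort - failed_attempts
```

`bin` buckets events into fixed 5-minute windows so the count is a rate rather than an all-time total; `dc(user)` separates a single account being hammered (one user, many failures) from password spraying across many accounts, which usually deserves a different alert severity.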
```text
LOG_ANOMALY_DETECTOR/
├── alerts/        # Alert configuration guides
├── dashboards/    # Splunk XML dashboards
├── datasets/      # Sample datasets and lookup tables
├── docs/          # (Optional) Architecture diagrams or documentation
├── queries/       # SPL detection queries
├── .gitignore     # Git exclusions
├── LICENSE        # Project license (MIT recommended)
└── README.md      # Project overview and guide
```
| Filename | Description |
|---|---|
| dummydata.csv | Simulated user logins, statuses, and messages |
| known_user_ips.csv | Lookup of known user/IP pairs for device tracking |
| train.csv | Training or behavioral baseline data |
| sales_data.xlsx | Transactional data for fraud analysis |
| addtotalsData.csv | Aggregated log behavior data |
| homeworkdataset.csv | Sample dataset for exercises |
| World_Airports.csv | IP geolocation enrichment via airport/country mapping |
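How the `known_user_ips.csv` lookup drives the new-device detection, as an added SPL example rather than a query from the project. It assumes the lookup file was uploaded via Settings > Lookups with columns `user` and `ip`, and that login events carry `user`, `src_ip` and `status`:

```spl
index=main source="dummydata.csv" status="success"
| lookup known_user_ips.csv user AS user, ip AS src_ip OUTPUT ip AS known_ip
| where isnull(known_ip)
| stats earliest(_time) AS first_seen, count AS logins BY user, src_ip
| convert ctime(first_seen)
| sort - logins
```

The `lookup` matches on both `user` and `ip`, so an address that is known for one user still counts as new for another; `known_ip` is only populated on a match, and `isnull(known_ip)` keeps the unmatched pairs. Once a flagged pair has been reviewed and accepted, `| outputlookup append=true known_user_ips.csv` on a search that returns just `user` and `ip` adds it to the baseline so it is not raised again.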
- Upload Datasets
  - Go to Settings > Add Data in Splunk
  - Upload datasets from the `/datasets` folder
- Run Detection Queries
  - Copy `.spl` files from `/queries` into Splunk Search
  - Run and analyze results
- Set Up Alerts
  - Follow steps in `/alerts/*.md` to configure real-time alerts
- Import Dashboards
  - Go to Dashboards > Create New > Import XML
  - Paste content from `dashboards/anomaly_overview.xml`
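The unusual-time login check from the feature list, shown as an added SPL example that is not part of `/queries`. It assumes the same `user`, `src_ip` and `status` fields; the off-hours window (before 06:00 or after 22:00) and the 5% share threshold are assumed values:

```spl
index=main source="dummydata.csv" status="success"
| eval hour=tonumber(strftime(_time, "%H"))
| eventstats count AS user_total BY user
| stats count AS logins_in_hour, max(user_total) AS user_total BY user, hour
| eval share=round(logins_in_hour / user_total, 3)
| where (hour < 6 OR hour > 22) AND share < 0.05
| sort user, hour
```

A fixed off-hours window alone flags night-shift users every day, so the query also computes each user's share of logins per hour with `eventstats` and only raises hours that are both outside the window and rare for that user. Run it over a representative period (the `train.csv` baseline or several weeks of data) before scheduling it as an alert; on a short sample every hour looks rare. `strftime` uses the search head's time zone, so check that it matches the zone the users work in.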
- Splunk Enterprise (or Splunk Cloud)
- Search & Reporting App (default in Splunk)
- Lookups enabled
Majaro Hassan
Cybersecurity Enthusiast | Certified Information Security Consultant (CISC) | SOC & SIEM Analyst
This project is licensed under the MIT License - see the LICENSE file for details.