Creating A Splunk Alert [SOC Automation with AI Implementation]

Goal: To create a Splunk alert that the n8n hook can catch it.

Alert Setup:

I will be setting up an alert to catch failed login attempts on my Windows VM. This will help catch any brute force attempts. To do this I need to make a rule that detects Events with an ID of 4625. One way to artificially create alerts for the sake of testing is by using RDP and purposely failing to connect. To do this I had to make sure the RDP port (3389) was open for my host machine to attempt to connect.








Attempting to connect using this rule was not working. I was using RDP to attempt to connect using "localhost:3389" but I believe this was making the computer try to RDP to itself. To fix this I am changing the rule so the host port is now "3390".









After changing the Host Port, RDP started working correctly (localhost:3390) and I was now able to continue with triggering the Events.















After creating the events, I navigated back to the web UI for Splunk and made sure I installed "Splunk Addon for Microsoft Windows". Then afterwards all that was left was to filter to check for the events to have be captured (I did this by filtering out the event log with "index=caser-project EventCode=4625 | stats count by _time,ComputerName,user,src_ip").











To create the alert, I click on "save as" on the top right and save it as "Brute-Force". I then changed it to "Run on Cron Schedule" and changed the Cron Expression to "* * * * *" so that it runs every minute for testing purposes. 
















Under Triger Actions, I added a triggered alert, as well as a Webhook. For the Webhook URL I will be using the n8n Webhook to catch the alert.










To get the URL I had to log into the n8n Web UI, "start from scratch", "add first step", and then searched for "Webhook". Then on the window that popped up, I changed the HTTP Method to "POST" and copied the POST URL. I then pasted the URL and saved the new Splunk Alert.

















































The last thing to do is to make sure that n8n can hook in the alert. For this I simply went back to the n8n server and selected "Listen for Test Event". Then after a short while, it received the test output, notifying me that the system is working properly.













Summary and Reflection:
Everything is starting to come together now and I didn't really feel like there were too many issues with this part. Setting up the RDP was probably what took the longest because for a short while I wasn't sure why it wasn't letting me connect to the VM until it occurred to me that I hadn't port forwarded the proper port for it to be listening on. I thought about changing it to a Bridged network, but I don't want it to appear on my home network since this is going to be a testing environment. This was a very fun way to get back into things after my 2 week vacation. I will be finishing this project up very soon and then I can get to implementing other components like active directory.

Comments

Post a Comment

Popular posts from this blog

About Me

A Quick Introduction: Hello, my name is Erick and I'm an aspiring SOC Analyst who's trying to turn close to two decades of tech experience and passion into a career. I've been the tech guy among my friends and family for almost two decades and have experience troubleshooting and solving hardware, software, and network related computer problems. I've built PCs, hosted game servers, and troubleshoot computer problems both in person and over the phone. Over the years, I've not only learned to solve technical problems quickly, but also how to explain them to both technical and non technical users. What was originally a hobby of mine turned into a deep and growing interest in cybersecurity and IT operations. In pursuit of becoming a SOC Analyst, I have earned my CompTIA Security+ Certificate in September of 2025, strengthening my foundational knowledge in network defense, threat detection, and incident response. Technical Background: Troubleshooting and System Setup: I h...
Read more

VM Setup [SOC Automation with AI Implementation]

Image
Project Overview: Build an automated workflow using n8n. Splunk will ingest logs, create an alert and send it to n8n where ChatGPT can process the alert and output the information on to slack. Required Files: VM Environment Software: Oracle VirtualBox (https://www.virtualbox.org/) OS ISOs: Kali Linux ISO (https://www.kali.org/get-kali/#kali-virtual-machines) Ubuntu Server ISO (https://ubuntu.com/download/server) Windows 10 ISO (https://www.microsoft.com/en-us/software-download/windows10) VM Setup: Before I can begin automating anything, I must first set up the Virtual Machine environments that will be used to run the n8n Server, the Splunk Server, the Ubuntu Client, and the Windows Client. I generally prefer to allocate enough resources so as to give the VMs more headroom to allow them to deal with more stress. Windows Client: For the installation of the Windows Client, I set the Base Memory to 4GB, the core count to 2, and the Disk Size to 50GB. The installation if fairly straight for...
Read more

Implementing Slack and Putting it all together [SOC Automation with AI Implementation]

Image
  Goal:  To fully integrate ChatGPT using n8n and piece everything together. Workflow Setup: First it's important to disable the Splunk alert for now because we are done with the current test. Then on the n8n server, going back to canvas, we can pin the output so that we don't need to keep triggering the workflow. Before continuing, I created an API Platform account on openai.com. I clicked on "start building" to set it up, naming my organization "Caser" and the API key name "Caser-SOC-Project", and then generated an API key. Once I had this copied it was time to go back and start setting up the workflow. This is where I encountered my first major issue. I went on vacation and during that time I wasn't able to work on the project. This led to my session being timed out, and when I logged back in I was no longer able to pin the webhook trigger event. I spent some time looking to see if there was a way to simply revert it or to see if there was a...
Read more