nishant-kumarr/PowerWatch_with_Splunk
⚡ PowerWatch with Splunk

🧠 Overview

PowerWatch with Splunk is a security analytics project that uses Splunk to detect malicious PowerShell activity and anomalous application behavior in a Windows environment. It demonstrates end-to-end detection engineering: building a detection lab, generating attack telemetry, writing SPL detections, and creating dashboards for real-time threat hunting.

PowerWatch was designed to showcase detection engineering skills and endpoint monitoring.

It includes:

  • Custom SPL queries crafted for detecting obfuscated and encoded PowerShell execution.
  • Behavioral analysis of parent-child process anomalies indicating lateral movement or execution abuse.
  • Anomaly detection on application logs to surface deviations from known baselines.

🧪 Lab Setup

A dedicated detection lab was built to simulate an enterprise endpoint environment:

  • Windows 10 VM configured as the monitored endpoint
  • Splunk Universal Forwarder sending event logs to Splunk Enterprise
  • Custom ingestion of WinEventLog sources for:
    • Microsoft-Windows-PowerShell/Operational
    • Windows PowerShell
    • Application, System, and Security channels
  • PowerShell scripts executed to simulate real-world attack patterns (obfuscated commands, encoded payloads, hidden windows)
  • Synthetic malicious telemetry intentionally generated for testing and validation

⚙️ This was a controlled home-lab, fully isolated and safe for testing.


🕵️ Detection Engineering

🔹 Suspicious PowerShell Command Detection

  • Detects execution of encoded commands (-EncodedCommand)
  • Flags hidden execution (-WindowStyle Hidden)
  • Identifies process spawning anomalies (Start-Process spawning powershell.exe)
  • Extracts command-line content using rex for investigation
  • Provides sequence views of pipeline execution

🔹 Application Behavior Anomaly Detection

  • Detects rare or unusual process execution sequences
  • Flags applications launched by unexpected parent processes
  • Surfaces suspicious spikes or noise from WinEventLog:Application
  • Uses statistical anomaly detection SPL on application baselines
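Added example, not code from the project: a small Python model of the logic the two detection sections above describe, run over constructed process-creation events. It mirrors the rex-style command-line extraction, decodes the base64/UTF-16LE payload of -EncodedCommand, flags -WindowStyle Hidden (including the abbreviated switches PowerShell accepts), and flags powershell.exe spawned by another powershell.exe. The field names ParentImage/CommandLine and the sample events are assumptions constructed for this example.

```python
import base64
import re

# Regexes standing in for the rex extraction the README describes: pull the
# CommandLine and ParentImage fields out of a key="value" style event line.
CMDLINE_RE = re.compile(r'CommandLine="(?P<cmd>[^"]*)"')
PARENT_RE = re.compile(r'ParentImage="(?P<parent>[^"]*)"')
# PowerShell accepts abbreviated switches, so the short forms are matched too.
ENCODED_RE = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+(?P<b64>[A-Za-z0-9+/=]{8,})', re.I)
HIDDEN_RE = re.compile(r'-(?:windowstyle|win|w)\s+hidden', re.I)

def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; return "" if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyse_event(line: str) -> dict:
    """Return the extracted command line plus the detection flags it trips."""
    m = CMDLINE_RE.search(line)
    cmd = m.group("cmd") if m else ""
    p = PARENT_RE.search(line)
    parent = p.group("parent").lower() if p else ""
    flags = []
    decoded = ""
    enc = ENCODED_RE.search(cmd)
    if enc:
        flags.append("encoded_command")
        decoded = decode_encoded_command(enc.group("b64"))
    if HIDDEN_RE.search(cmd):
        flags.append("hidden_window")
    # Parent-child anomaly: powershell.exe launched by another powershell.exe.
    if parent.endswith("powershell.exe") and "powershell" in cmd.lower():
        flags.append("powershell_spawned_by_powershell")
    return {"command_line": cmd, "parent": parent, "flags": flags, "decoded": decoded}

def suspicious_events(lines: list) -> list:
    """Keep only events that trip at least one flag (what a dashboard panel would show)."""
    return [r for r in (analyse_event(ln) for ln in lines) if r["flags"]]

# Constructed sample events in 4688/Sysmon style (not telemetry from the project).
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
ENCODED_GET_DATE = base64.b64encode("Get-Date".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    f'ParentImage="C:\\Windows\\explorer.exe" CommandLine="powershell.exe -NoProfile -W Hidden -enc {ENCODED_GET_DATE}"',
    f'ParentImage="{PS_EXE}" CommandLine="powershell.exe -NoExit -Command Get-Process"',
    'ParentImage="C:\\Windows\\explorer.exe" CommandLine="powershell.exe -Command Get-ChildItem"',
]
```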

📊 Dashboards

Two fully functional, production-ready Splunk dashboards:

  1. PowerShell Command Anomaly Dashboard
    • Timeline of suspicious executions
    • Command-line extraction panels
    • Heatmap of hosts vs. execution frequency
  2. Application Anomaly Dashboard
    • Shows unusual application usage patterns
    • Parent-child relationship analysis
    • Statistical deviation indicators

✅ Each detection was validated by generating real malicious-like telemetry and verifying its visibility on the dashboards.


📸 Screenshots

See the /screenshots folder.


📌 Features & Highlights

  • Built custom SPL detections from scratch
  • Local home-lab with Windows VM and Splunk forwarder
  • Generated real security events to validate detections
  • Clean, production-grade dashboards for SOC use
  • Documented methodology

🧩 Tech Stack

  • Splunk Enterprise & Universal Forwarder
  • Windows Event Log (WinEventLog) ingestion
  • Windows 10 Virtual Machine
  • PowerShell (for attack simulation)
  • SPL (Search Processing Language)

📁 Repository Structure

PowerWatch-with-Splunk/
│
├── README.md               # Project overview
├── Documentation.md        # Step-by-step build and detections
├── /screenshots            # Evidence of working dashboards
│   ├── Screenshot0.png
│   ├── Screenshot1.png
│   ├── Screenshot2.png
│   ├── Screenshot3.png
│   ├── Screenshot4.png
│   └── Screenshot5.png

Thank You

About

Suspicious PowerShell Command and Application Detection in Splunk