Log Analysis for Network Anomalies Detection in Splunk

The rapid expansion of technology has resulted in a substantial rise in data generated by online applications, platforms, and digital services. This stream of information brings both advantages and challenges, specifically in the fields of data analysis and cybersecurity. This thesis focuses on using Splunk Enterprise and Splunk Infosec software and tools to further enhance network anomaly detection and security event analysis. Its primary objective is to develop a simple application that can be deployed within any Splunk infrastructure which allows to gain a general insights into network security as well as effective investigation of possible security threats. Splunk Enterprise is a powerful and versatile tool known for its capabilities in data analysis, visualization, and monitoring. It provides a platform for ingesting, searching, and analyzing diverse datasets from different sources, including log messages, network traffic data, and security event logs. Additionally, Splunk Infosec provides specialized features and configurations specifically for security applications, offering dashboards, alerts, and visualizations designed to assist security monitoring and incident response. To properly set up the infrastructure for ingesting, parsing, and normalizing relevant network data, this research explores into the essential tools offered by Splunk. This includes advanced analytics, real-time monitoring and alerting, and interactive visualization tools. By integrating various data sources and implementing risk-based alerting mechanisms, the aim is to establish a security monitoring solution capable of identifying patterns and behaviors suggestive of security breaches. The methodology adopted involves implementing and testing different detection techniques, including the detection of network scanning activities and command and control attacks. By simulating attack scenarios throughout an event generator tool and analyzing the effectiveness of the queries and algorithms implemented, the thesis aim to evaluate the performance and reliability of the proposed security monitoring solution. The customization and configuration options available within Splunk can also optimize the detection capabilities and enhance the usability of the solution in different environment and systems, depending on the size of the monitored infrastructure.