
In this guide, I will walk you through how I built my SOC L3 home lab from scratch using Splunk and created 15 enterprise-grade detection dashboards mapped to MITRE ATT&CK.

This is not theoretical learning. Each dashboard represents a real-world attack technique used by adversaries and detected using Windows Security Logs (EventCode 4688 and others).

1. INTRODUCTION

The goal of this lab was to:
– Understand attacker behavior
– Build detection engineering skills
– Create executive-level dashboards
– Prepare for SOC L3 roles in enterprise environments

By the end of this guide, you will be able to replicate the same setup step by step.

2. LAB SETUP (KEEP SIMPLE)

Lab Components:

– SIEM: Splunk Enterprise
– Data Source: Windows Event Logs (WinEventLog:Security)
– Dataset: Botsv3
– Key Event Codes Used:
  – 4688 (Process Creation)
  – 4657 (Registry Changes)
  – 4663 (File Access)

This lab focuses primarily on EventCode 4688, which captures process execution and is the backbone of most SOC detections.

3. CORE CONCEPTS

Before building detections, it is important to understand the key concepts:

1. Parent Process:
The process that started another process.

2. Child Process:
The newly created process.

3. Command Line:
The exact command used to execute the process. This is where most malicious behavior is visible. Note that EventCode 4688 only includes the command line when the audit policy setting “Include command line in process creation events” is enabled; without it, the command-line field is empty and the detections below have nothing to analyze.

4. Why EventCode 4688?
It logs process creation and is the most important log for detecting attacker behavior.

5. MITRE ATT&CK Mapping:
Each detection is mapped to a known attack technique used by real adversaries.

⚙️ 4. HOW TO BUILD ONE DASHBOARD (STEP-BY-STEP TEMPLATE)

Step 1: Open Splunk Search & Reporting

Step 2: Run the SPL query

Step 3: Verify results in the Statistics tab

Step 4: Click “Save As” → “Dashboard Panel”

Step 5: Choose:
– Dashboard Type: Dashboard Studio
– Layout: Grid

Step 6: Add Panel Details:
– Panel Title (MITRE formatted)
– Description (attack explanation)

Step 7: Choose Visualization:
– Statistics Table (clean + executive-friendly)

Step 8: Save to Dashboard

Step 9: Export to PDF (optional for reporting)

5. EXPLAIN ONE DETECTION

Detection #1 — Rundll32 Abuse (MITRE T1218.011)

What it detects:
This dashboard identifies suspicious use of rundll32.exe, a legitimate Windows binary often abused by attackers to execute malicious code.

Why attackers use it:
Rundll32 loads a DLL and calls one of its exported functions, so a signed, trusted Windows binary ends up running attacker-controlled code. That makes it a common LOLBIN (Living Off The Land Binary) used to evade detection.

SPL Logic:
– Detect process creation (EventCode 4688)
– Filter rundll32 execution
– Analyze command-line arguments

MITRE Mapping:
T1218.011 — Signed Binary Proxy Execution

SOC Value:
This detection helps identify fileless malware and defense evasion techniques.
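The three SPL steps above (EventCode 4688, filter rundll32, analyze the command line), re-implemented in Python as an added example so the command-line rules can be tested on sample events before being written as a Splunk query; this is not the original dashboard's SPL. The field names follow the Splunk Windows add-on (New_Process_Name, Process_Command_Line, Creator_Process_Name), the sample events are constructed rather than taken from BOTSv3, and the `ev` helper and the rule patterns are my own assumptions.

```python
import re

# Each rule is (reason, regex on the lower-cased command line); first match wins. The patterns are
# illustrative assumptions, not the page's query: tune them against your own rundll32 baseline.
RULES = [
    ("inline script in arguments", re.compile(r"javascript:|vbscript:")),
    ("non-DLL file passed as module", re.compile(r'\.(txt|dat|log|tmp|png|jpg|gif)(?=[\s,"]|$)')),
    ("module loaded from user-writable path", re.compile(r"\\(users|programdata|temp|appdata|downloads|public)\\")),
    ("remote or script payload", re.compile(r"https?://|\.(ps1|bat|js)\b")),
    ("no module argument", re.compile(r'^"?[^"\s]*rundll32(\.exe)?"?\s*$')),
]

def classify_rundll32(event):
    """Apply the dashboard's three steps to one event: EventCode 4688 -> rundll32 -> command line."""
    # In SPL the first two steps are the base search: EventCode=4688 New_Process_Name="*\\rundll32.exe"
    if event.get("EventCode") != 4688:
        return None
    if not str(event.get("New_Process_Name", "")).lower().endswith("\\rundll32.exe"):
        return None
    cmd = str(event.get("Process_Command_Line", "")).lower()  # empty if command-line auditing is off
    for reason, pattern in RULES:
        if pattern.search(cmd):
            return {"technique": "T1218.011", "tactic": "Defense Evasion", "reason": reason,
                    "host": event["ComputerName"], "user": event["Account_Name"],
                    "parent": event["Creator_Process_Name"], "command_line": event["Process_Command_Line"]}
    return None  # ordinary rundll32 use, e.g. a shell32.dll control-panel applet

def run_detection(events):
    """One finding per suspicious rundll32 event: the rows the Statistics Table panel would show."""
    return [f for f in map(classify_rundll32, events) if f is not None]

def ev(host, user, parent, proc, cmd, code=4688):  # constructed 4688 record, Splunk Windows TA field names
    return {"EventCode": code, "ComputerName": host, "Account_Name": user,
            "Creator_Process_Name": parent, "New_Process_Name": proc, "Process_Command_Line": cmd}

# Constructed sample events (not BOTSv3 data): benign applet, inline script, user-writable DLL, no module.
SAMPLE_4688 = [
    ev("WS01", "alice", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
       r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ev("WS01", "alice", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
       r'rundll32.exe javascript:"constructed-sample-script"'),
    ev("WS02", "bob", r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\rundll32.exe",
       r"rundll32.exe C:\Users\bob\AppData\Local\Temp\update.dll,Start"),
    ev("WS03", "carol", r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\rundll32.exe",
       r'"C:\Windows\System32\rundll32.exe"'),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_4688):
        print(f"[{hit['technique']}] {hit['host']} {hit['user']} parent={hit['parent']} :: {hit['reason']}")
```

The benign shell32.dll applet produces no row, so the parent process (here an Office binary for the no-module case) is what an analyst would pivot on next.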

📊 6. MY 15 DETECTIONS LIST

List of Implemented Detections:

1. T1218.011 – Rundll32 Execution
2. T1059.001 – PowerShell Abuse
3. T1053.005 – Scheduled Task Creation
4. T1047 – WMI Execution
5. T1055 – Process Injection
6. T1218.005 – Mshta Abuse
7. T1059.003 – Command Shell Execution
8. T1547.001 – Run Key Persistence
9. T1218.010 – Regsvr32 Abuse
10. T1047 – WMI Remote Execution
11. T1547.001 – Startup Folder Persistence
12. T1562.001 – Disable Security Tools
13. T1021 – Lateral Movement
14. T1566 – Phishing Initial Access
15. T1070 – Log Clearing / Defense Evasion

📊 7. DASHBOARD DESIGN EXPLANATION

All dashboards follow a consistent structure:

– Naming Format:
“SOC L3 – Windows Attack Technique Detections — MITRE TXXXX”

– Visualization:
Statistics Table for clarity and readability

– Layout:
Grid-based layout using Dashboard Studio

– Goal:
Make dashboards understandable for both technical analysts and executives

8. FINAL SECTION

Conclusion:

Building these 15 detection dashboards helped me understand how real attackers operate and how SOC L3 analysts detect threats in enterprise environments.

This lab is not just about writing SPL queries, but about:
– Thinking like an attacker
– Detecting behavior instead of signatures
– Mapping detections to MITRE ATT&CK
– Presenting findings in a professional and structured way

This project reflects practical, real-world SOC L3 skills.
