> For the complete documentation index, see [llms.txt](https://binarylover.gitbook.io/ad-soc-automation-project/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://binarylover.gitbook.io/ad-soc-automation-project/active-directory-siem-and-soar.md).

# Active Directory SIEM & SOAR

<figure><img src="/files/2v9Rhd70qPkIPgEFKAIv" alt=""><figcaption></figcaption></figure>

#### Active Directory Project (SIEM & SOAR)

**Objective**: Build a cloud-based SOC environment to detect brute-force attacks in Active Directory and automate the response (account lockout) using SOAR.

***

**Phase 1: Architecture & Diagramming**

* Goal: Map out the logical flow of data before building.
* Tools: Lucidchart or Draw\.io.
* Workflow: Define how telemetry travels from the Windows Target → Splunk Forwarder → Splunk Server (Ubuntu) → Shuffle (SOAR) → Slack/Active Directory.

**Phase 2: Cloud Infrastructure Setup**

* Platform: Vultr (or preferred cloud provider) I will use GCP.
* Instances to Deploy:
  * Windows Server 2022: To act as the Domain Controller.
  * Windows 10/11: To act as the victim/client workstation.
  * Ubuntu Server: To host the Splunk instance and Shuffle.
* Networking: Configure cloud firewalls to allow RDP for management and specific ports for Splunk data ingestion (typically 9997).

**Phase 3: Active Directory Implementation**

* Server Setup: Install Active Directory Domain Services (AD DS) on the Windows Server.
* Promotion: Promote the server to a Domain Controller (creating a forest, e.g., `mujahid.local`).
* Client Integration: Join the Windows workstation to the new domain.
* User Creation: Create test users to simulate real-world activity and eventual account compromises.

**Phase 4: SIEM Integration & Telemetry (Splunk)**

* Server Side: Install Splunk Enterprise on the Ubuntu machine.
* Endpoint Side: \* Install Sysmon on Windows machines for deep visibility (process creation, network connections).
  * Install the Splunk Universal Forwarder to send logs to the Ubuntu server.
* Detection: Write Search Processing Language (SPL) queries to identify multiple failed login attempts (Event ID 4625).

**Phase 5: SOAR Automation (Shuffle & Slack)**

* Shuffle Workflow:
  * Trigger: When Splunk detects a brute-force attack, it sends a webhook to Shuffle.
  * Enrichment: Shuffle gathers details about the source IP and the targeted username.
  * Communication: Shuffle sends an automated alert to a Slack channel.
* Human-in-the-Loop:
  * The Slack message includes an interactive button: *"Disable User?"*
  * If the analyst clicks "Yes," Shuffle sends an API command back to the Domain Controller via a Shuffle Agent to instantly disable the compromised account.

***

Summary Workflow: `Attack Occurs` → `Sysmon captures event` → `Splunk detects pattern` → `Shuffle receives alert` → `Slack notifies Analyst` → `Analyst clicks button` → `User disabled in AD`.

{% hint style="info" %}

<p align="center"><strong>--------------------- Lets Get Started ---------------------</strong></p>
{% endhint %}
