Hands-on cybersecurity lab focused on analyzing HTTP traffic using Splunk and Zeek-style JSON logs to detect errors, anomalies, and suspicious web activity.

GauravGhandat-23/HTTP-Log-Analysis-using-Splunk

🌐 HTTP Log Analysis using Splunk

A hands-on SIEM project for analyzing HTTP traffic, detecting anomalies, and identifying suspicious web activity using Splunk.


🎯 Objective

This project aims to:

  • Ingest and analyze HTTP logs using Splunk
  • Detect client-side (4xx) and server-side (5xx) HTTP errors
  • Identify suspicious User-Agents and URI access attempts
  • Detect large file transfers that may indicate data exfiltration
  • Gain practical experience using Splunk SPL (Search Processing Language)

🧰 Tools & Technologies

  • SIEM Tool: Splunk Enterprise
  • Log Format: Zeek-style HTTP logs (JSON)
  • Index: http_lab
  • Sourcetype: json or zeek:http

🖥️ Lab Setup

✅ Prerequisites

  • Splunk installed and accessible via Splunk Web
  • HTTP log file in JSON format (http_logs.json)

📥 Data Ingestion Steps

  1. Open Splunk Web
  2. Navigate to Settings → Add Data
  3. Select Upload
  4. Upload the file http_logs.json. The file should hold one JSON object per line (the layout Zeek's JSON writer produces) so that each request is indexed as its own event; a single top-level JSON array is not split into events by default.
  5. Configure the following:
    • Source type: json (Splunk's built-in _json) or create a custom zeek:http
    • Index: http_lab (recommended)
  6. Complete the upload and confirm that data is indexed by searching the http_lab index and checking that fields such as id.orig_h, uri and status_code were extracted

🔍 Lab Tasks & SPL Queries

🔹 Task 1: Find the Top 10 Endpoints (Client IPs) Generating Web Traffic

index=http_lab
| stats count by "id.orig_h"
| sort -count
| head 10

Purpose: Identifies the most active client IPs generating HTTP traffic. In Zeek's connection tuple, id.orig_h is the originator (client) address and id.resp_h the responder (server), so this ranks clients; grouping by uri instead ranks the most requested paths. The field name is quoted because it contains a dot.


🔹 Task 2: Count the Number of Server Errors (HTTP 5xx)

index=http_lab status_code>=500 status_code<600
| stats count as server_errors

Purpose: Detects backend or server-side application errors. A burst of 5xx responses to a single client is also worth a look, because fuzzing and injection attempts often surface as unhandled exceptions. Requests for which Zeek saw no response carry no status_code and are not counted.


🔹 Task 3: Identify Suspicious / Scripted User-Agents

index=http_lab 
user_agent IN ("sqlmap/1.5.1", "curl/7.68.0", "python-requests/2.25.1", "botnet-checker/1.0")
| stats count by user_agent

Purpose: Identifies automated tools often used for scanning, exploitation, or bot activity. The IN list requires an exact match, so only these four version strings are caught; a wildcard on the tool name prefix (for example sqlmap*) covers every version. A client that sets a browser-like User-Agent evades this check entirely, so treat a match as a lead rather than proof.


🔹 Task 4: Detect Large File Transfers (> 500 KB)

index=http_lab resp_body_len>500000
| table ts "id.orig_h" "id.resp_h" uri resp_body_len
| sort -resp_body_len

Purpose: Helps identify abnormal data transfers that may indicate data leakage or exfiltration. resp_body_len is the size of the body the server sent back to the client, so this query catches large downloads from the monitored server; data a client pushes out to an external host shows up in request_body_len instead, and both fields deserve a threshold. 500 KB is a starting point to tune against the normal size distribution of the site's responses.


🔹 Task 5: Detect Suspicious URI Access Attempts

index=http_lab 
uri IN ("/admin","/shell.php","/etc/passwd")
| stats count by uri, "id.orig_h"

Purpose: Detects attempts to access sensitive files, admin panels, or web shells. The IN clause needs an exact match, so /admin/ or a traversal string such as /../../etc/passwd is missed; a wildcard on the sensitive substring (for example *etc/passwd*) catches those variants. Pair each hit with status_code: a 200 on /shell.php is far more urgent than a 404.
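
To check the lab's detection logic offline before writing it as SPL, here is an added Python example (not part of the original project) that runs the five tasks over a handful of constructed Zeek-style HTTP events in the one-object-per-line JSON layout the ingestion steps assume. The field names (ts, id.orig_h, id.resp_h, uri, user_agent, status_code, request_body_len, resp_body_len) follow Zeek's http.log; the sample events, including one deliberately truncated line, the thresholds and the pattern lists are constructed for illustration. Tasks 3 to 5 are generalized here: User-Agents are matched on the tool prefix rather than an exact version string, transfers are checked in both directions, and sensitive paths are matched as substrings so that traversal variants are caught.

```python
"""Added example (not part of the original lab): the five lab detections
re-implemented in plain Python over constructed Zeek-style HTTP events."""
import json
from collections import Counter

# Constructed Zeek http.log-style events, one JSON object per line (NDJSON).
# The last line is deliberately truncated to show how malformed input is handled.
SAMPLE_NDJSON = """\
{"ts":1700000000.1,"id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"192.168.1.10","id.resp_p":80,"method":"GET","host":"shop.example","uri":"/","user_agent":"Mozilla/5.0","status_code":200,"request_body_len":0,"resp_body_len":5120}
{"ts":1700000001.2,"id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"192.168.1.10","id.resp_p":80,"method":"GET","host":"shop.example","uri":"/products","user_agent":"Mozilla/5.0","status_code":500,"request_body_len":0,"resp_body_len":120}
{"ts":1700000002.3,"id.orig_h":"10.0.0.7","id.orig_p":40000,"id.resp_h":"192.168.1.10","id.resp_p":80,"method":"GET","host":"shop.example","uri":"/admin","user_agent":"sqlmap/1.7.2","status_code":403,"request_body_len":0,"resp_body_len":300}
{"ts":1700000003.4,"id.orig_h":"10.0.0.7","id.orig_p":40001,"id.resp_h":"192.168.1.10","id.resp_p":80,"method":"GET","host":"shop.example","uri":"/..%2f..%2fetc/passwd","user_agent":"python-requests/2.31.0","status_code":404,"request_body_len":0,"resp_body_len":200}
{"ts":1700000004.5,"id.orig_h":"10.0.0.9","id.orig_p":42000,"id.resp_h":"192.168.1.10","id.resp_p":80,"method":"GET","host":"shop.example","uri":"/backup/db.sql","user_agent":"curl/8.4.0","status_code":200,"request_body_len":0,"resp_body_len":2500000}
{"ts":1700000005.6,"id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"203.0.113.50","id.resp_p":443,"method":"POST","host":"paste.example","uri":"/upload","user_agent":"Mozilla/5.0","status_code":502,"request_body_len":900000,"resp_body_len":80}
{"ts":1700000006.7,"id.orig_h":"10.0.0.9"
"""


def parse_ndjson(text):
    """Parse one JSON object per non-empty line; skip malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not stop the whole analysis
    return events


def top_clients(events, n=10):
    """Task 1: stats count by id.orig_h, sorted descending, top n."""
    return Counter(e["id.orig_h"] for e in events).most_common(n)


def server_error_count(events):
    """Task 2: number of responses with 500 <= status_code < 600."""
    return sum(1 for e in events if 500 <= int(e.get("status_code", 0)) < 600)


# Tool-name prefixes (hypothetical list): a prefix match catches every version string.
SCRIPTED_UA_PREFIXES = ("sqlmap/", "curl/", "python-requests/", "botnet-checker/")


def scripted_user_agents(events):
    """Task 3, generalized: count User-Agents that start with a known tool prefix."""
    return Counter(e["user_agent"] for e in events
                   if e.get("user_agent", "").startswith(SCRIPTED_UA_PREFIXES))


def large_transfers(events, threshold=500_000):
    """Task 4, both directions: resp_body_len is what the server sent back (download),
    request_body_len is what the client pushed up (upload). Largest first."""
    def moved(e):
        return max(e.get("resp_body_len", 0), e.get("request_body_len", 0))
    hits = [e for e in events if moved(e) > threshold]
    return sorted(hits, key=moved, reverse=True)


# Sensitive path fragments (hypothetical list); substring match catches traversal variants.
SENSITIVE_URI_PATTERNS = ("/admin", "shell.php", "etc/passwd")


def suspicious_uri_access(events):
    """Task 5, generalized: count (pattern, client) pairs whose uri contains a pattern."""
    counts = Counter()
    for e in events:
        uri = e.get("uri", "")
        for pat in SENSITIVE_URI_PATTERNS:
            if pat in uri:
                counts[(pat, e["id.orig_h"])] += 1
    return counts


if __name__ == "__main__":
    evs = parse_ndjson(SAMPLE_NDJSON)
    print("top clients:", top_clients(evs))
    print("server errors:", server_error_count(evs))
    print("scripted UAs:", dict(scripted_user_agents(evs)))
    print("large transfers:", [(e["id.orig_h"], e["uri"]) for e in large_transfers(evs)])
    print("suspicious URIs:", dict(suspicious_uri_access(evs)))
```

Each function mirrors one SPL query, so a result that differs from what Splunk returns on the same file points at a field-extraction or sourcetype problem rather than at the detection idea itself.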


🚨 Security Insights

Using this lab, you can:

  • Detect malicious web reconnaissance activity
  • Identify vulnerability scanners and scripted clients by their User-Agent
  • Monitor abnormal HTTP behavior
  • Spot potential data exfiltration attempts
  • Build detection logic used in real SOC environments

📊 Future Enhancements

  • Create Splunk alerts for:

    • Repeated HTTP 5xx errors
    • Large file transfers
    • Suspicious User-Agents
  • Build dashboards for:

    • HTTP status trends
    • Top URIs and IPs
  • Integrate threat intelligence feeds
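
The first alert in the list, repeated HTTP 5xx errors, needs a rate condition rather than a plain count. The added Python example below (not part of the original project) evaluates "at least N server errors from one client within any W-second span" as a sliding window, and puts the fixed-bucket count that Splunk's bin command produces next to it, so the reader can see a burst straddling a 5-minute boundary that the fixed buckets under-count. The events are constructed (timestamp, client, status) tuples; the window length and threshold are assumptions to tune per site.

```python
"""Added example (not part of the original lab): the 'repeated HTTP 5xx errors'
alert condition evaluated as a sliding window, compared with fixed 5-minute buckets."""
from collections import defaultdict, deque

# Constructed events: (epoch seconds, id.orig_h, status_code), deliberately unsorted.
# 10.0.0.5 produces three 5xx within 70 seconds, straddling the fixed bucket edge at 1700000400.
SAMPLE_EVENTS = [
    (1700000380.0, "10.0.0.5", 502),
    (1700000100.0, "10.0.0.7", 200),
    (1700000350.0, "10.0.0.5", 500),
    (1700000420.0, "10.0.0.5", 503),
    (1700000900.0, "10.0.0.5", 500),
    (1700000120.0, "10.0.0.7", 500),
    (1700000125.0, "10.0.0.7", 404),
]


def repeated_5xx_alerts(events, window_s=300, threshold=3):
    """Return (client, window_start, window_end, count) for each client whose
    5xx responses reach `threshold` inside some `window_s`-second span.
    Only the first qualifying window per client is reported, so a long burst
    raises one alert instead of one per event."""
    by_client = defaultdict(list)
    for ts, client, status in events:
        if 500 <= status < 600:
            by_client[client].append(ts)
    alerts = []
    for client, stamps in by_client.items():
        stamps.sort()
        window = deque()
        for ts in stamps:
            window.append(ts)
            # evict errors older than window_s relative to the newest one
            while ts - window[0] > window_s:
                window.popleft()
            if len(window) >= threshold:
                alerts.append((client, window[0], ts, len(window)))
                break
    return sorted(alerts)


def fixed_bucket_counts(events, span_s=300):
    """Equivalent of binning _time into fixed spans and counting 5xx per client per bucket."""
    counts = defaultdict(int)
    for ts, client, status in events:
        if 500 <= status < 600:
            bucket_start = int(ts // span_s) * span_s
            counts[(client, bucket_start)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("sliding-window alerts:", repeated_5xx_alerts(SAMPLE_EVENTS))
    print("fixed-bucket counts:", fixed_bucket_counts(SAMPLE_EVENTS))
```

With this data the sliding window fires once for 10.0.0.5, while no fixed bucket ever reaches three, which is the case to keep in mind when a scheduled search runs over aligned time spans: either accept the gap, overlap the search window with the schedule, or use a windowed statistic instead of a plain bin.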


🧠 Learning Outcomes

By completing this project, you have:

  • Learned how to ingest and analyze HTTP logs in Splunk
  • Gained hands-on experience with SPL queries
  • Improved skills in web traffic monitoring and threat detection
  • Strengthened SIEM and SOC analyst fundamentals

⭐ Conclusion

This project demonstrates how Splunk can be used to analyze HTTP traffic and detect security anomalies using log data. It is ideal for students and professionals pursuing careers in Cybersecurity, SOC Analysis, and Blue Team Operations.


🚀 A strong portfolio project for cybersecurity and SIEM-focused roles.



