This project turns a small, public macOS system.log sample into a complete
Splunk endpoint monitoring pack. It deliberately uses non-sensitive, plain-text data so you can
demonstrate the core SIEM workflow (ingest → parse → enrich → visualize → alert) without touching
production systems or personal logs. The result is a dashboard and an alert that tell a
clear story about endpoint behavior, while showcasing practical Splunk skills employers expect.
A detailed, step-by-step guide with copy-paste SPL and screenshot captions is included here: PROJECT WALKTHROUGH.
| Phase | Description |
|---|---|
| Data Onboarding | Created index `macos`. Uploaded `Mac_2k.log`. Defined sourcetype `macos_system_log_loghub`, one event per line, with the explicit time format `%b %d %H:%M:%S`. |
| Parsing (Regex) | Extracted `hostname`, `process`, optional `pid`, and `message` from raw events. Saved as a Field Extraction at the sourcetype level. |
| Enrichment | Added a Calculated Field `category` via `eval case(...)` to bucket events into Network / Hardware / Browser / Auth / Other. |
| Visualization | Built a four-panel Classic dashboard: Activity by Category, Noisiest Processes (Top 10), Network Link/Channel Events, Recent High-Signal Events. |
| Alerting | Implemented a single, low-impact weekly alert: Network Instability. Saved, but it can be left disabled by default to avoid background search load. |
| Verification | Validated results in Activity → Triggered Alerts and confirmed the field objects under Settings → Fields. |
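The Parsing, Enrichment and Alerting phases above, reproduced outside Splunk as an added example (not part of this repository's Splunk configuration): the regex extracts the same four fields, a keyword table stands in for the `category` Calculated Field, and the alert counts link-down / channel-change messages per host in fixed 10-minute buckets. The sample lines, the keyword lists and the year 2017 are constructed assumptions, not values from `Mac_2k.log`.

```python
import re
from collections import Counter
from datetime import datetime
# Regex mirroring the page's field extraction: hostname, process, optional [pid], message.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
                     r"(?P<process>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")
# Keyword buckets standing in for the eval case(...) Calculated Field. The page names only
# the five categories, so the keywords below are assumptions; first match wins, else Other.
CATEGORY_RULES = [
    ("Network", ("airport", "awdl", "wifi", "en0", "channel")),
    ("Hardware", ("kernel", "thermal", "usb", "thunderbolt")),
    ("Browser", ("safari", "chrome", "webkit")),
    ("Auth", ("authd", "login", "sudo", "password")),
]
# Constructed sample in Mac_2k.log's layout (not lines taken from the dataset).
SAMPLE_LOG = """\
Jul  1 09:00:55 demo-mbp kernel[0]: AirPort Link Down on en0. Reason 8 (Disassociated because station leaving).
Jul  1 09:02:10 demo-air kernel[0]: AirPort Link Down on en0. Reason 1 (Unspecified).
Jul  1 09:03:12 demo-mbp kernel[0]: en0: Roamed or switched channel, reason 8, originalChannel 11, newChannel 44
Jul  1 09:05:40 demo-mbp kernel[0]: AirPort Link Down on en0. Reason 8 (Disassociated because station leaving).
Jul  1 09:06:50 demo-air kernel[0]: AirPort Link Down on en0. Reason 1 (Unspecified).
Jul  1 09:08:15 demo-mbp com.apple.CDScheduler[43]: Thermal pressure state: 1
Jul  1 09:09:30 demo-mbp Safari[512]: WebKit cache cleared
Jul  1 09:11:01 demo-mbp authd[33]: Succeeded authorizing right 'system.login.console'
Jul  1 09:12:44 demo-mbp sharingd: Scanning for peers
"""

def categorize(process, message):
    """Enrichment: first matching rule wins, otherwise Other (like case(..., true(), "Other"))."""
    text = f"{process} {message}".lower()
    return next((n for n, kws in CATEGORY_RULES if any(k in text for k in kws)), "Other")

def parse_line(line, year=2017):
    """Parse one line into fields plus category; None if no match. %b %d has no year, so one is assumed."""
    if not (m := LINE_RE.match(line)):
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.strptime(f"{year} {ev.pop('ts')}", "%Y %b %d %H:%M:%S")
    ev["category"] = categorize(ev["process"], ev["message"])
    return ev

def network_instability(events, threshold=3, span_min=10):
    """Alert: link-down / channel-change count per host in fixed 10m buckets (bin + stats); keep >= threshold."""
    counts = Counter()
    for ev in events:
        if "AirPort Link Down" in ev["message"] or "Roamed or switched channel" in ev["message"]:
            t = ev["_time"]
            counts[(ev["hostname"], t.replace(minute=t.minute // span_min * span_min, second=0))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}
```

On the sample, `demo-mbp` reaches three events in the 09:00 bucket and fires, while `demo-air` stops at two and does not, which is the threshold behaviour the weekly alert relies on.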
This repository uses a small, public sample. Findings illustrate the workflow rather than conditions in a live environment.
| Observation | What the Dashboard Shows | Notes |
|---|---|---|
| Network activity dominates | Spikes in Activity by Category and Network Link/Channel Events | Frequent AWDL / AirPort link / channel-change messages in the sample. |
| A few processes are very noisy | Noisiest Processes (Top 10) | kernel and a handful of Apple processes contribute most events. |
| High-signal events cluster | Recent High-Signal Events (Last 25) | Filtering out “Other” surfaces events worth triage first. |
| Recommendation | Purpose / Benefit |
|---|---|
| Forward live logs with Splunk Universal Forwarder | Real-time visibility instead of static samples. |
| Normalize via sourcetype-level extractions | Consistent fields across hosts for better dashboards/alerts. |
| Add lookups (process → owner/role/technique) | Richer panels and faster investigations. |
| Tune thresholds & throttles on alerts | Reduce noise; align to your environment’s baseline. |
| Separate indexes by platform/app | Cleaner retention and faster searches at scale. |
| Artifact | Name | Purpose |
|---|---|---|
| Index | `macos` | Stores the dataset for this project. |
| Sourcetype | `macos_system_log_loghub` | Normalizes event format and timestamps. |
| Field Extraction | `macos_system_log_loghub_base_fields` | Regex extraction of `hostname`, `process`, `pid`, `message`. |
| Calculated Field | `category` | `eval case(...)` → Network / Hardware / Browser / Auth / Other. |
| Dashboard (Classic) | macOS Endpoint Log Analysis | Four focused panels for triage and trends. |
| Alert (weekly) | Network Instability (≥3 in 10m per host) | Detects repeated Wi-Fi instability. Severity: Medium. Action: Triggered Alerts. |
**Activity by Category**

```spl
index=macos sourcetype=macos_system_log_loghub
| timechart span=30m count by category
```

**Noisiest Processes (Top 10)**

```spl
index=macos sourcetype=macos_system_log_loghub
| stats count by process category
| sort - count
| head 10
```

**Network Link/Channel Events**

```spl
index=macos sourcetype=macos_system_log_loghub
| eval event_type=case(
    like(message,"%AirPort Link Down%"), "Wi-Fi Link Down",
    like(message,"%Roamed or switched channel%"), "Channel Change",
    like(message,"%AWDL%"), "AWDL")
| search event_type=*
| timechart span=30m count by event_type
```

**Recent High-Signal Events (Last 25)**

```spl
index=macos sourcetype=macos_system_log_loghub
| search category!="Other"
| table _time hostname process pid category message
| sort - _time
| head 25
```
