A cloud-hosted Active Directory environment simulating real-world RDP brute force attacks, detected by Splunk SIEM, and automated through a Shuffle SOAR playbook that notifies the SOC analyst via Slack and requests a user disable decision via email.
Lab 6 of the SOC Home Lab Series — builds on Lab 1 (NSM) | Lab 2 (pfSense IPS) | Lab 3 (Windows Hardening) | Lab 4 (Linux Hardening) | Lab 5 (SOC Automation)
Active Directory is present in 90% of enterprise networks. This lab proves I can:
- Build and manage a real AD domain environment
- Detect unauthorized RDP logons using Splunk
- Automate analyst response decisions through a SOAR playbook
- Correlate Event ID 4624/4625 to identify credential-based attacks
Attacker Machine
↓ [Successful unauthorized RDP authentication]
Test Machine (TEST-MACHINE.venky.local)
↓ [Windows Security logs — Event ID 4624]
Domain Controller (venky-ADDC01.venky.local)
↓ [Telemetry forwarded via Splunk Universal Forwarder]
Splunk SIEM (Ubuntu Server)
↓ [Alert: Unauthorized-Successful-Login-RDP triggered]
Shuffle SOAR
↓ [Send alert to Slack #alerts channel]
↓ [Email SOC analyst — "Would you like to disable the user?"]
SOC Analyst
↓ [YES → Disable domain account]
↓ [NO → Do nothing]
| VM | OS | IP | Role |
|---|---|---|---|
| VENKY-ADDC01 | Windows Server 2025 | 139.84.154.69 | Domain Controller |
| TEST-MACHINE | Windows Server 2025 | 139.84.152.244 | Target Endpoint |
| VENKY-SPLUNK | Ubuntu 24.04 LTS | 139.84.147.40 | Splunk SIEM |
All hosted on Vultr Cloud — Bangalore, India (APAC)
| Setting | Value |
|---|---|
| Domain Name | venky.local |
| Domain Controller | venky-ADDC01.venky.local |
| Domain Mode | Windows 2025 Domain |
| NetBIOS Name | VENKY |
Domain user John Doe (JDoe@venky.local) created as a standard domain user — simulating a real enterprise employee account targeted in the attack.
- Computer Name: TEST-MACHINE
- Full Name: TEST-MACHINE.venky.local
- Domain: venky.local
- RDP: Enabled — allowing remote login simulation
Splunk Enterprise deployed on Ubuntu 24.04. Splunk Universal Forwarder installed on both Windows machines to ship Windows Security event logs in real time.
index="ad-project" | stats count by host
| Host | Events | % |
|---|---|---|
| venky-ADDC01 | 5,971 | 71.47% |
| TEST-MACHINE | 2,384 | 28.53% |
8,355 total events ingested — confirming both DC and endpoint telemetry flowing correctly.
An external attacker successfully authenticated to TEST-MACHINE via RDP from a public IP address .
Key fields from Splunk:
| Field | Value |
|---|---|
| EventCode | 4624 (Successful Logon) |
| Logon_Type | 7 (Unlock/Remote Interactive) |
| ComputerName | TEST-MACHINE.venky.local |
| Source_Network_Address | 139.84.154.69 |
| User | Administrator |
| Keywords | Audit Success |
index="ad-project" EventCode=4624
(Logon_Type=7 OR Logon_Type=10)
Source_Network_Address=*
Source_Network_Address!=127.*
Source_Network_Address!=10.*
Source_Network_Address!=192.168.*
| table _time, ComputerName, user, Source_Network_Address, Logon_Type
Alert "Unauthorized-Successful-Login-RDP" fired twice confirming the detection is working:
- 2026-07-06 20:59:00 IST
- 2026-07-06 20:58:00 IST
Playbook: Successful Unauthorized Login Response
Splunk Alert (Webhook)
↓
Alert Notification → Slack #alerts channel
↓
User Action → Email SOC Analyst
"Would you like to disable the user?"
↓
[YES] → Disable Domain Account
[NO] → Do Nothing
Shuffle automatically posted to #alerts channel in the AD-Project Slack workspace:
Alert: Unauthorized-Successful-Login-RDP
Time: 1783403329.308
User: Administrator
Source IP: 170.64.213.125
Shuffle sent an automated email to the SOC analyst asking:
"Would you like to disable the user?"
- If TRUE → Click link to disable domain account
- If FALSE → Click link to do nothing
This simulates a real interactive SOAR playbook where the analyst has final decision authority before automated action is taken.
| Stage | Tool | Result |
|---|---|---|
| AD domain built | Windows Server 2025 | ✅ venky.local domain live |
| Users created | Active Directory | ✅ John Doe domain user |
| Machine joined domain | TEST-MACHINE | ✅ TEST-MACHINE.venky.local |
| Logs flowing to Splunk | Universal Forwarder | ✅ 8,355 events ingested |
| RDP attack detected | Splunk — Event ID 4624 | ✅ Alert fired |
| Slack notification | Shuffle → Slack | ✅ Message in #alerts |
| Analyst decision email | Shuffle User Action | ✅ YES/NO disable user |
ad-splunk-lab/
├── README.md
├── splunk-queries/
│ └── detection-queries.spl # All Splunk SPL queries used
├── docs/
│ └── setup-notes.md # Infrastructure setup notes
└── screenshots/
├── 01-architecture.png
├── 02-vultr-instances.png
├── 03-ad-domain.png
├── 04-users-in-ad.png
├── 05-domain-joined.png
├── 06-splunk-dashboard.png
├── 07-splunk-events.png
├── 08-event-4624.png
├── 09-splunk-alert-triggered.png
├── 10-shuffle-workflow.png
├── 11-slack-alert.png
└── 12-email-user-action.png
- Active Directory domain deployment on cloud (Vultr)
- Windows Server 2025 domain controller configuration
- Domain user and OU management
- Domain join of Windows endpoints
- Splunk Enterprise deployment on Ubuntu
- Splunk Universal Forwarder configuration
- Windows Security event log ingestion
- SPL query writing for RDP attack detection
- Event ID correlation (4624, 4625 — logon events)
- Splunk scheduled alert configuration
- Shuffle SOAR playbook design
- Slack integration for real-time SOC notifications
- Interactive analyst decision workflow (User Action node)
- Cloud infrastructure management (Vultr)
| Event ID | Description | Relevance |
|---|---|---|
| 4624 | Successful account logon | Detects unauthorized RDP access |
| 4625 | Failed account logon | Detects brute force attempts |
| 4720 | User account created | Detects persistence via new accounts |
| 4732 | User added to security group | Detects privilege escalation |
| 4768 | Kerberos ticket requested | Detects Kerberoasting |
- Splunk Documentation
- Shuffle SOAR
- Microsoft Event ID 4624
- MITRE ATT&CK T1078 — Valid Accounts
- MyDFIR AD Project
| Lab | Project | Status |
|---|---|---|
| Lab 1 | NSM Stack — TShark + Zeek + Suricata IDS | ✅ Complete |
| Lab 2 | pfSense Firewall + Suricata IPS | ✅ Complete |
| Lab 3 | Windows 10 Endpoint Hardening | ✅ Complete |
| Lab 4 | Linux Server Hardening | ✅ Complete |
| Lab 5 | SOC Automation — Wazuh + Shuffle + TheHive | ✅ Complete |
| Lab 6 | Active Directory + Splunk (this repo) | ✅ Complete |











