Advanced Threat Detection with Active Directory and SIEM

Dr. Swapna S

2025 · DOI: 10.22214/ijraset.2025.68478
International Journal for Research in Applied Science and Engineering Technology · 0 Citations

TLDR

A scalable, intelligence-driven security model that combines automation, system administration, and cybersecurity best practices to safeguard enterprise environments is demonstrated, which leverages machine learning-based detection for proactive cyber defense.

Abstract

As cyber threats become more sophisticated, traditional security mechanisms relying solely on Active Directory (AD) for authentication and authorization lack real-time threat detection and response capabilities. This project enhances security by integrating AD with Splunk, a Security Information and Event Management (SIEM) solution, within a virtualized environment where Microsoft Server 2022 hosts AD services and a Domain Controller, while Splunk provides centralized security monitoring. PowerShell scripting automates user management and event log monitoring, improving administrative efficiency. To evaluate system effectiveness, a simulated password-cracking attack from a Linux machine (IP: 192.168.10.250) targets the AD server, with Splunk monitoring security logs for real-time anomaly detection, automated threat alerts, and advanced analytics to identify unauthorized access attempts, privilege escalation, and insider threats. The network setup includes grydsecurity, featuring an Active Directory Server (192.168.10.7), a Splunk Server (192.168.10.10), and a DHCP-connected client PC, with RDP restricted on client machines to prevent remote attacks but accessible on the server for administrative purposes. By integrating AD with Splunk SIEM, this system strengthens IT infrastructure security, enhances incident response, ensures compliance with regulatory frameworks such as HIPAA and GDPR, and leverages machine learning-based detection for proactive cyber defense. This project demonstrates a scalable, intelligence-driven security model that combines automation, system administration, and cybersecurity best practices to safeguard enterprise environments.
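The abstract describes Splunk flagging the simulated password-cracking attack from 192.168.10.250 by watching AD security logs. The following Python script is an added illustration, not code from the paper, of the kind of correlation rule a SIEM evaluates for that purpose: it parses failed-logon (event ID 4625) and successful-logon (4624) records, raises a brute-force alert when one source address accumulates a burst of failures inside a sliding window, a password-spray alert when those failures span many distinct accounts, and a follow-up alert when a success arrives from an address that was just flagged. The field names (EventCode, Account_Name, Source_Network_Address) are assumed to match those Splunk's Windows add-on exposes; the log lines, the thresholds and the 10.0.0.99 address are constructed sample data.

```python
"""Brute-force / password-spray detection over Windows Security logon events.

Added example (not the paper's code). The records in SAMPLE_LOG are constructed;
field names follow the Splunk Windows add-on convention, which is an assumption.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: one legitimate typo from a client, a burst of failures
# followed by a success from the attacker address named in the paper, and a
# spray across several accounts from a constructed address.
SAMPLE_LOG = """\
time=2025-03-01T10:00:00 EventCode=4625 Account_Name=jdoe Source_Network_Address=192.168.10.20
time=2025-03-01T10:00:05 EventCode=4624 Account_Name=jdoe Source_Network_Address=192.168.10.20
time=2025-03-01T10:01:00 EventCode=4625 Account_Name=administrator Source_Network_Address=192.168.10.250
time=2025-03-01T10:01:10 EventCode=4625 Account_Name=administrator Source_Network_Address=192.168.10.250
time=2025-03-01T10:01:20 EventCode=4625 Account_Name=administrator Source_Network_Address=192.168.10.250
time=2025-03-01T10:01:30 EventCode=4625 Account_Name=administrator Source_Network_Address=192.168.10.250
time=2025-03-01T10:01:40 EventCode=4625 Account_Name=administrator Source_Network_Address=192.168.10.250
time=2025-03-01T10:01:50 EventCode=4625 Account_Name=administrator Source_Network_Address=192.168.10.250
time=2025-03-01T10:02:00 EventCode=4624 Account_Name=administrator Source_Network_Address=192.168.10.250
time=2025-03-01T10:30:00 EventCode=4625 Account_Name=alice Source_Network_Address=10.0.0.99
time=2025-03-01T10:30:01 EventCode=4625 Account_Name=bob Source_Network_Address=10.0.0.99
time=2025-03-01T10:30:02 EventCode=4625 Account_Name=carol Source_Network_Address=10.0.0.99
time=2025-03-01T10:30:03 EventCode=4625 Account_Name=dave Source_Network_Address=10.0.0.99
"""


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_id: int   # 4625 = failed logon, 4624 = successful logon
    account: str
    src_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one 'key=value' record into a LogonEvent."""
    fields = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(
        time=datetime.fromisoformat(fields["time"]),
        event_id=int(fields["EventCode"]),
        account=fields["Account_Name"],
        src_ip=fields["Source_Network_Address"],
    )


def detect(lines, fail_threshold=5, spray_accounts=4, window=timedelta(minutes=2)):
    """Return a list of alert dicts, at most one per (source IP, alert type).

    brute_force:            >= fail_threshold failures from one IP inside `window`
    password_spray:         failures inside `window` touch >= spray_accounts accounts
    success_after_failures: a 4624 from an IP already flagged, while failures
                            are still inside its window
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.time)
    recent = defaultdict(deque)   # src_ip -> deque of (time, account) for failures
    raised = set()                # (src_ip, alert type) already reported
    alerts = []

    def raise_once(kind, ev, **extra):
        key = (ev.src_ip, kind)
        if key not in raised:
            raised.add(key)
            alerts.append({"type": kind, "src_ip": ev.src_ip, "time": ev.time, **extra})

    for ev in events:
        dq = recent[ev.src_ip]
        # Slide the window: drop failures older than `window` relative to this event.
        while dq and ev.time - dq[0][0] > window:
            dq.popleft()
        if ev.event_id == 4625:
            dq.append((ev.time, ev.account))
            if len(dq) >= fail_threshold:
                raise_once("brute_force", ev, count=len(dq))
            accounts = {acct for _, acct in dq}
            if len(accounts) >= spray_accounts:
                raise_once("password_spray", ev, accounts=sorted(accounts))
        elif ev.event_id == 4624:
            flagged = (ev.src_ip, "brute_force") in raised or (ev.src_ip, "password_spray") in raised
            if flagged and dq:
                raise_once("success_after_failures", ev, account=ev.account)
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The single failure from 192.168.10.20 produces nothing, which is the point of a threshold inside a time window: a mistyped password is not an incident. Sliding the window per event, rather than bucketing by fixed minutes, avoids missing a burst that straddles a bucket boundary, and suppressing repeat alerts per source and type keeps a long-running attack from flooding the analyst queue.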