P-01 · SOC Automation · Threat Detection

AI-Driven SOC Automation Pipeline

Splunk n8n Claude Sonnet 4.6 VirusTotal AbuseIPDB Slack SOAR MITRE ATT&CK Sysmon

Project Overview

Modern SOC teams face an overwhelming volume of daily security alerts, making manual triage slow, inconsistent, and prone to analyst fatigue. This project addresses that challenge by building a fully autonomous SOC triage pipeline that detects security events, enriches them with live threat intelligence, and uses Claude Sonnet 4.6 as an AI Senior SOC Analyst to produce structured, MITRE ATT&CK-mapped incident reports — all without human intervention.

The pipeline ingests Windows Security and Sysmon event logs from a Windows 10 VM into a Splunk Enterprise server running on Ubuntu. Four custom SPL detection rules fire webhook alerts into n8n, which acts as the SOAR layer — routing each alert type through the appropriate enrichment path (AbuseIPDB for IP reputation, VirusTotal for file hash analysis) before forwarding the enriched context to Claude. The final triage report is delivered to a dedicated Slack channel, formatted as a structured incident ticket with verdict, MITRE ATT&CK mappings, and remediation steps.

Pipeline Architecture

Detection Rules (Splunk SPL)

Four custom SPL detection rules cover the most common Windows attack patterns. Each rule appends an alert_type field used by n8n to route the alert through the correct enrichment and triage path.

RULE 01 Brute Force Detection EventCode 4625

Triggers when the same source IP produces more than 5 failed logons against the same account on the same host inside a fixed 5-minute bucket, the pattern of a targeted brute force. Because the count is grouped by account, a password spray (one source, one or two attempts per account across many accounts) stays under the threshold; catching that needs a variant that groups by Source_Network_Address alone.

brute_force.spl SPL
index="moazzz-project" EventCode=4625
| bin _time span=5m
| stats count by _time, host, Account_Name, Source_Network_Address
| rename host AS workstation, Account_Name AS user,
         Source_Network_Address AS attacker_ip
| where count > 5
| eval alert_type="brute_force"

RULE 02 Suspicious Process Execution Sysmon EID 1

Detects process execution from user-writable, high-risk directories (Public, Temp, Downloads), the usual staging locations for droppers and for attacker tooling that has just been downloaded or dropped, as in the Mimikatz test below.

suspicious_process.spl SPL
index="moazzz-project"
  source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  EventCode=1
  (Image="*\\Users\\Public\\*"
    OR Image="*\\AppData\\Local\\Temp\\*"
    OR Image="*\\Downloads\\*")
| rename host AS workstation, Image AS process_path,
         CommandLine AS full_command, ParentImage AS parent_process,
         Hashes AS hash, User AS user
| table _time, workstation, user, process_path,
        full_command, parent_process, hash
| eval alert_type="suspicious_process"

RULE 03 Scheduled Task Creation EventCode 4698

Flags new scheduled task creation — a common persistence mechanism used by attackers to maintain access across reboots (MITRE ATT&CK T1053.005).

scheduled_task.spl SPL
index="moazzz-project" EventCode=4698
| xmlkv Message
| rename host AS workstation, Account_Name AS user,
         Task_Name AS task_name, Command AS run_command,
         Arguments AS run_args
| table _time, workstation, user, task_name, run_command, run_args
| eval alert_type="scheduled_task"

RULE 04 Log Clearing EventCode 1102 / 104

Detects event log clearing: EventCode 1102 (the Security audit log was cleared) and EventCode 104 (the Eventlog service's record that another log, such as System, was cleared). Either is a strong indicator of post-compromise cleanup intended to destroy forensic evidence (MITRE ATT&CK T1070.001).

log_clearing.spl SPL
index="moazzz-project"
  (EventCode=1102 OR EventCode=104)
| rename host AS workstation, Account_Name AS user
| table _time, workstation, user, Message
| eval alert_type="log_clearing"
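The brute-force rule's logic as an added JavaScript example (not code from the project): it reproduces Splunk's fixed 5-minute bin buckets and the count > 5 threshold over constructed EventCode 4625 events, then goes one step beyond the page's rule with a sliding-window variant (roughly what streamstats time_window=5m would give) to show which bursts the fixed bins miss. Field names mirror the SPL; the events, host name and IPs are constructed.

```javascript
// Added example, not the project's code: the brute-force rule re-implemented in JavaScript
// so it can be run against constructed Windows 4625 events.
// Mirrors: bin _time span=5m | stats count by _time, host, Account_Name, Source_Network_Address | where count > 5

const SPAN_SECONDS = 300;  // bin _time span=5m
const THRESHOLD = 5;       // where count > 5 (strictly more than five failures)

// Splunk's bin floors each _time to the start of its fixed 5-minute bucket.
function bucketStart(epoch, span = SPAN_SECONDS) {
  return Math.floor(epoch / span) * span;
}

// host / user / source triple that the stats clause groups on
function groupKey(e) {
  return [e.host, e.Account_Name, e.Source_Network_Address].join('|');
}

// Fixed-window detection, exactly as the SPL rule behaves.
function bruteForceAlerts(events, { span = SPAN_SECONDS, threshold = THRESHOLD } = {}) {
  const counts = new Map();
  for (const e of events) {
    if (e.EventCode !== 4625) continue;             // index=... EventCode=4625
    const key = bucketStart(e._time, span) + '|' + groupKey(e);
    counts.set(key, (counts.get(key) || 0) + 1);    // stats count by _time, host, user, src
  }
  const alerts = [];
  for (const [key, count] of counts) {
    if (count <= threshold) continue;               // where count > 5
    const [bucket, workstation, user, attacker_ip] = key.split('|');
    alerts.push({ _time: Number(bucket), workstation, user, attacker_ip, count, alert_type: 'brute_force' });
  }
  return alerts;
}

// Sliding-window variant: counts failures in any 5-minute window ending at each event,
// so a burst that straddles a fixed bucket boundary still fires.
function slidingWindowAlerts(events, { span = SPAN_SECONDS, threshold = THRESHOLD } = {}) {
  const byKey = new Map();
  for (const e of events) {
    if (e.EventCode !== 4625) continue;
    const k = groupKey(e);
    if (!byKey.has(k)) byKey.set(k, []);
    byKey.get(k).push(e._time);
  }
  const alerts = [];
  for (const [k, times] of byKey) {
    times.sort((a, b) => a - b);
    let i = 0;
    for (let j = 0; j < times.length; j++) {
      while (times[j] - times[i] >= span) i++;      // drop failures older than the window
      if (j - i + 1 > threshold) {
        const [workstation, user, attacker_ip] = k.split('|');
        alerts.push({ _time: times[j], workstation, user, attacker_ip, count: j - i + 1, alert_type: 'brute_force' });
        break;                                      // one alert per host/user/source
      }
    }
  }
  return alerts;
}

// Constructed sample events (not real logs). T0 sits exactly on a 5-minute boundary: 1700000100 / 300 = 5666667.
const T0 = 1700000100;
function failedLogon(offset, ip, user = 'admin') {
  return { _time: T0 + offset, EventCode: 4625, host: 'WIN10-VM', Account_Name: user, Source_Network_Address: ip };
}
const sampleEvents = [
  ...[5, 20, 45, 90, 130, 200].map(s => failedLogon(s, '10.0.0.5')),       // 6 in one bucket: fires
  ...[10, 40, 70].map(s => failedLogon(s, '10.0.0.9')),                    // 3: below threshold
  ...[250, 270, 290, 310, 330, 350].map(s => failedLogon(s, '10.0.0.7')),  // 3 + 3 across the boundary: fixed bins miss it
];

console.log('fixed bins:', bruteForceAlerts(sampleEvents));
console.log('sliding   :', slidingWindowAlerts(sampleEvents));
```

Run with node: the fixed-bin version reports only 10.0.0.5, while the sliding window also reports 10.0.0.7, whose six failures fall three either side of the T0+300 boundary. That gap is inherent to bin and is worth knowing when tuning the rule's span and threshold.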

n8n SOAR Workflow

n8n acts as the orchestration layer between Splunk and Claude. A Switch node reads the alert_type field from the Splunk webhook payload and routes execution through the appropriate enrichment path before reaching the AI triage stage.

01 · INGEST
Webhook Receiver
Splunk sends a POST request to the n8n webhook on alert trigger. All alert fields arrive nested under body.result.* — all downstream node references must account for this structure.
02 · ROUTE
Switch Node
Routes on $json.body.result.alert_type to one of four paths: brute_force → AbuseIPDB, suspicious_process → VirusTotal, scheduled_task and log_clearing → directly to Claude.
03 · ENRICH
Threat Intelligence Enrichment
AbuseIPDB queries /api/v2/check with the attacker_ip field for IP reputation scoring. VirusTotal queries /api/v3/files/{hash} with the SHA256 pulled out of Sysmon's concatenated Hashes string (SHA1=...,MD5=...,SHA256=...,IMPHASH=...) via the expression below. The expression assumes SHA256 is enabled in Sysmon's HashAlgorithms configuration; if it is not, find() returns undefined and the node errors out.

{{ $json.body.result.hash.split(',').find(h => h.startsWith('SHA256=')).split('=')[1] }}
04 · TRIAGE
Claude Sonnet 4.6 — AI SOC Analyst
Alert context is always read from $('Webhook').item.json.body.result.* so the original Splunk fields stay available whichever enrichment path was taken. Claude is prompted as a Senior SOC Analyst and returns four sections: Executive Verdict, Detection Analysis, MITRE ATT&CK Mapping, and Remediation Steps. The prompt mandates a Critical verdict whenever the enrichment results (AbuseIPDB confidence score, VirusTotal detections) indicate malicious activity.
05 · DELIVER
Slack Output
The Slack node posts the report to #alerts under a *NEW SOC TRIAGE REPORT* header. Claude's text is read from $json.content[0].text: the Anthropic Messages API returns content as an array of content blocks, each with a type and (for text blocks) a text field, not as a flat string.
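The n8n stages above as an added JavaScript example, not the project's workflow: a constructed Splunk webhook payload in the body.result shape, the Switch-node routing, the SHA256 extraction hardened to return null when Sysmon did not log SHA256, the enrichment request each path would make (built but never sent; the API keys are placeholders), a guard that enforces the Critical escalation from the enrichment results in code rather than only in the prompt, and extraction of Claude's text from the Messages API content array. The escalation thresholds (AbuseIPDB confidence 75, five or more VirusTotal malicious verdicts) are assumptions for illustration; the page does not state the project's values.

```javascript
// Added example, not the project's n8n workflow. Everything runs offline on constructed data.

// Constructed payload in the shape Splunk's webhook alert action posts; n8n exposes it as $json.body.
const samplePayload = {
  body: {
    search_name: 'Suspicious Process Execution',
    result: {
      _time: '2024-01-01T12:00:00.000+00:00',
      workstation: 'WIN10-VM',
      user: 'WIN10-VM\\analyst',
      process_path: 'C:\\Users\\analyst\\Downloads\\mimikatz.exe',
      full_command: '"C:\\Users\\analyst\\Downloads\\mimikatz.exe"',
      parent_process: 'C:\\Windows\\explorer.exe',
      // Sysmon's concatenated Hashes string; digests are placeholder characters, not real hashes.
      hash: 'SHA1=' + 'a'.repeat(40) + ',MD5=' + 'b'.repeat(32) + ',SHA256=' + 'c'.repeat(64) + ',IMPHASH=' + 'd'.repeat(32),
      alert_type: 'suspicious_process',
    },
  },
};

// Same idea as the inline expression on the page, but returns null instead of throwing when SHA256
// is absent (Sysmon only records the algorithms listed under <HashAlgorithms> in its config).
function extractSha256(hashes) {
  if (typeof hashes !== 'string') return null;
  const entry = hashes.split(',').map(h => h.trim()).find(h => h.toUpperCase().startsWith('SHA256='));
  if (!entry) return null;
  const value = entry.slice('SHA256='.length).toLowerCase();
  return /^[0-9a-f]{64}$/.test(value) ? value : null;
}

// Switch node: pick the enrichment path from alert_type and build the request (nothing is sent here).
// Header names are the real ones for each API; the key values are placeholders.
function planEnrichment(payload) {
  const r = payload.body.result;
  switch (r.alert_type) {
    case 'brute_force':
      return {
        route: 'abuseipdb',
        url: 'https://api.abuseipdb.com/api/v2/check?ipAddress=' + encodeURIComponent(r.attacker_ip) + '&maxAgeInDays=90',
        headers: { Key: '<ABUSEIPDB_API_KEY>', Accept: 'application/json' },
      };
    case 'suspicious_process': {
      const sha256 = extractSha256(r.hash);
      if (!sha256) return { route: 'claude', note: 'no SHA256 in Hashes; VirusTotal skipped' };
      return { route: 'virustotal', url: 'https://www.virustotal.com/api/v3/files/' + sha256, headers: { 'x-apikey': '<VT_API_KEY>' } };
    }
    case 'scheduled_task':
    case 'log_clearing':
      return { route: 'claude' };
    default:
      throw new Error('unknown alert_type: ' + String(r.alert_type));
  }
}

// Mandatory Critical escalation enforced in code. Thresholds are assumptions for this example;
// the response paths are the real ones (AbuseIPDB data.abuseConfidenceScore,
// VirusTotal data.attributes.last_analysis_stats.malicious).
const ABUSE_CONFIDENCE_CRITICAL = 75;
const VT_MALICIOUS_CRITICAL = 5;
function mustEscalate(enrichment) {
  const abuse = enrichment.abuseipdb?.data?.abuseConfidenceScore ?? 0;
  const vtMalicious = enrichment.virustotal?.data?.attributes?.last_analysis_stats?.malicious ?? 0;
  return abuse >= ABUSE_CONFIDENCE_CRITICAL || vtMalicious >= VT_MALICIOUS_CRITICAL;
}

// The Messages API returns content as an array of blocks. Join every text block instead of
// trusting content[0] to be the only one.
function claudeText(response) {
  if (!Array.isArray(response.content)) throw new Error('unexpected Messages API response shape');
  return response.content.filter(b => b.type === 'text').map(b => b.text).join('\n').trim();
}

function slackMessage(response) {
  return '*NEW SOC TRIAGE REPORT*\n' + claudeText(response);
}

// Constructed Messages API response and VirusTotal result for the usage below.
const sampleClaudeResponse = {
  type: 'message', role: 'assistant', stop_reason: 'end_turn',
  content: [{ type: 'text', text: 'Executive Verdict: CRITICAL ...' }],
};
const sampleVtResult = { data: { attributes: { last_analysis_stats: { malicious: 62, undetected: 10 } } } };

console.log(planEnrichment(samplePayload));
console.log('escalate:', mustEscalate({ virustotal: sampleVtResult }));
console.log(slackMessage(sampleClaudeResponse));
```

Each function maps to one n8n node: planEnrichment is the Switch plus the HTTP Request node's URL and header fields, mustEscalate is a Code or IF node placed between enrichment and the Claude call, and claudeText replaces the bare $json.content[0].text expression in the Slack node.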

Pipeline Test — Mimikatz.exe

A live test was conducted by executing mimikatz.exe from the Downloads folder on the Windows 10 VM, triggering the Suspicious Process Execution detection rule. Below are the Splunk alert and the resulting Claude triage report delivered to Slack.

// Figure: Splunk alert, Suspicious Process Execution (mimikatz.exe · Downloads)
// Figure: Claude Sonnet 4.6 triage report, Slack #alerts output

Technologies Used

Splunk Enterprise Splunk Universal Forwarder SPL Sysmon n8n Claude Sonnet 4.6 Anthropic API VirusTotal API AbuseIPDB API Slack API MITRE ATT&CK VirtualBox Ubuntu Server Windows 10