SCENARIO 10 | Splunk SIEM | MITRE ATT&CK | SOC 2

Identity Threat Detection Pipeline

The SOC had no centralized visibility into identity threats — MFA fatigue attacks went undetected for 4+ hours. Built an Entra ID → Splunk pipeline via Graph API HEC ingestor and deployed four MITRE-mapped detections: MFA fatigue, impossible travel (2,402-mile gap confirmed), after-hours PIM, and legacy auth spikes. Manual detection time reduced from 2–4 hours to zero.

Stack: Splunk Enterprise, SPL, Graph API, Python, HEC, MITRE ATT&CK, SOC 2 CC7.1/CC7.2

Business Problem

IDSentinel Solutions' SOC had no centralized visibility into identity-based threats. Sign-in risk events, MFA failures, legacy auth attempts, and privileged role activations were siloed across five separate Entra ID portal blades — analysts were checking them manually with no correlation, no alerting, and no audit trail proving events were reviewed.

A tabletop exercise surfaced the gap: when a simulated MFA fatigue attack was run against a test account, the analyst on duty did not detect it for over four hours. The push denial events were buried in the Entra sign-in logs with no alert, no dashboard, and no escalation path.

Risk

  • MFA fatigue attacks go undetected — no alerting on push denial volume
  • Impossible travel sign-ins create an undetected account compromise window
  • Privileged role activations at 2am are invisible without SIEM correlation
  • Legacy auth spike post-block-policy has no automated detection or alerting
  • Manual log review creates 2–4 hour detection gaps with no audit trail
  • Non-compliant with SOC 2 CC7.1 (threat monitoring) and CC7.2 (incident detection)

Scope

| Field | Detail |
| --- | --- |
| Affected systems | Microsoft Entra ID sign-in and audit logs → Splunk Enterprise |
| Ingestion method | Python OAuth2 HEC ingestor (primary), Splunk Add-on for Microsoft Security (documented alternative) |
| Detections covered | 4 — MFA fatigue, impossible travel, after-hours PIM, legacy auth spike |
| Detection framework | MITRE ATT&CK — T1621, T1078, T1078.004, T1110.003 |
| Polling interval | 5 minutes |
| Compliance target | SOC 2 Type II — CC7.1, CC7.2 |

Detections Deployed

| Detection | Attack Pattern | Threshold | Severity | MITRE |
| --- | --- | --- | --- | --- |
| D-01: MFA Fatigue | Push denial storm | >5 denials / user / 60min | HIGH | T1621 |
| D-02: Impossible Travel | Two sign-ins 500+ miles apart in 2 hours | 500mi / 120min | HIGH | T1078 |
| D-03: After-Hours PIM | Privileged role activated 10pm–6am | Any activation | MEDIUM | T1078.004 |
| D-04: Legacy Auth Spike | Password spray via SMTP/IMAP/POP3 | >10 attempts / IP / 60min | HIGH | T1110.003 |
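The rolling-window logic behind the D-01 and D-04 thresholds above, as an added Python example (not the page's SPL or the project's own code): one counter serves both detections, using the page's thresholds plus per-key throttling. The event field names, the set of legacy clientAppUsed values and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MFA_DENIAL_CODES = {500121, 500082}      # error codes D-01 filters on (from the page)
# clientAppUsed values treated as legacy auth (assumed list covering the protocols the page names)
LEGACY_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP"}
BASE = datetime(2024, 5, 1, 13, 0)

def make_event(minute, user, ip, error_code=0, app="Browser"):
    """Constructed sign-in record with the few Entra fields the detections use."""
    return {"ts": BASE + timedelta(minutes=minute), "userPrincipalName": user,
            "ipAddress": ip, "errorCode": error_code, "clientAppUsed": app}

SAMPLE = (  # constructed test data, not events from the page
    [make_event(m, "alice@idsentinel.example", "198.51.100.7", 500121) for m in range(0, 21, 3)]  # 7 denials / 18 min
    + [make_event(m, "bob@idsentinel.example", "198.51.100.8", 500121) for m in (5, 40, 70)]     # 3 denials: under threshold
    + [make_event(m, "svc@idsentinel.example", "203.0.113.5", 50126, "IMAP4") for m in range(0, 33, 3)]  # 11 legacy attempts / 30 min
)

def windowed_threshold(events, key, predicate, threshold, window_min=60, throttle_min=60):
    """Rolling-window counter behind both detections: alert when more than
    `threshold` matching events for one key fall inside any window_min span,
    then suppress that key for throttle_min (Splunk's per-field throttling)."""
    window, throttle = timedelta(minutes=window_min), timedelta(minutes=throttle_min)
    recent, last_alert, alerts = defaultdict(deque), {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not predicate(ev):
            continue
        k = key(ev)
        q = recent[k]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:      # drop events older than the window
            q.popleft()
        throttled = k in last_alert and ev["ts"] - last_alert[k] < throttle
        if len(q) > threshold and not throttled:
            last_alert[k] = ev["ts"]
            alerts.append({"key": k, "count": len(q), "ts": ev["ts"]})
    return alerts

def detect_mfa_fatigue(events):
    """D-01: >5 MFA push denials per user in 60 minutes."""
    return windowed_threshold(events, key=lambda e: e["userPrincipalName"],
                              predicate=lambda e: e["errorCode"] in MFA_DENIAL_CODES, threshold=5)

def detect_legacy_auth_spike(events):
    """D-04: >10 legacy-protocol attempts per source IP in 60 minutes."""
    return windowed_threshold(events, key=lambda e: e["ipAddress"],
                              predicate=lambda e: e["clientAppUsed"] in LEGACY_APPS, threshold=10)
```

On the sample data alice's seventh denial is swallowed by the throttle, so the detection fires once per user per hour exactly as the page's alert is configured.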

Solution Design

Two ingestion methods implemented to demonstrate both the enterprise-grade approach and a fully scripted alternative:

METHOD A

Splunk Add-on for Microsoft Security

The official Microsoft add-on was installed and configured with the app registration credentials. This documents the enterprise credential configuration path and leaves it ready for future native Entra sign-in log input support.

METHOD B

Custom Python HEC Ingestor (Primary)

Python script authenticating to Graph API via OAuth2 client credentials, pulling sign-in and audit log events, forwarding to Splunk via HTTP Event Collector. State tracking via last_run.json prevents duplicates. Scheduled via Windows Task Scheduler at 5-minute intervals. This is the primary ingestion method.

Design decision: Reused the existing Scenario 06 app registration — added IdentityRiskEvent.Read.All and RoleManagement.Read.All permissions. Dedicated Splunk index (idsentinel_identity) isolates identity logs. All four detections map to INC-TYPE-001 from Scenario 07 — no new runbook required.

Figure (diagrams/pipeline-architecture.png): End-to-end pipeline architecture diagram

Implementation

Ingestion Pipeline

  • 01

    Ingestion — Method A (Splunk Add-on for Microsoft Security)

    The official Splunk Add-on for Microsoft Security installed and configured with the existing app registration credentials. Documents the enterprise credential configuration path for future native Entra sign-in log input support.

    Figure 01-addon-install: Splunk Add-on for Microsoft Security installed
    Figure 02-addon-credentials: Add-on credentials configured with app registration
  • 02

    Ingestion — Method B (Python HEC Ingestor — Primary)

    HEC token created in Splunk. Python script configured with the token and Graph API credentials — authenticates via OAuth2 client credentials, pulls sign-in and audit logs since the last run, and forwards them to HEC in batch format with timestamps preserved. State tracking via last_run.json prevents duplicates. Scheduled via Windows Task Scheduler at 5-minute intervals. Ingestion verified: sign-in events present in the idsentinel_identity index with real user and application data.

    Figure 05-hec-token: HEC token created in Splunk Enterprise
    Figure 06-hec-script-output: Python HEC ingestor script output
    Figure 07-task-scheduler: Task Scheduler — 5-minute polling configured
    Figure 04-ingestion-verified: Ingestion confirmed — events in idsentinel_identity index
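Added Python example (not the project's ingestor script) of the HEC batch format and last_run.json state handling described in Method B: the Graph $filter built from the watermark, a client-side duplicate guard, and the HEC envelope that preserves the original event time. The sourcetype name and the sample sign-in records are assumptions; the HTTP calls are omitted so the example runs offline.

```python
import json
from datetime import datetime
from pathlib import Path

# Real Graph endpoint the ingestor polls; the HTTP calls are left out so this runs
# offline. Index name is from the page; the sourcetype is an assumption.
GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"
HEC_INDEX, HEC_SOURCETYPE = "idsentinel_identity", "entra:signin"

SAMPLE_SIGNINS = [  # constructed records in Graph signIn shape, not real tenant data
    {"id": "evt-1", "createdDateTime": "2024-05-01T13:05:21Z", "clientAppUsed": "Browser",
     "userPrincipalName": "alice@idsentinel.example", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 500121}},
    {"id": "evt-2", "createdDateTime": "2024-05-01T13:09:02Z", "clientAppUsed": "IMAP4",
     "userPrincipalName": "bob@idsentinel.example", "ipAddress": "203.0.113.5",
     "status": {"errorCode": 0}},
]

def parse_ts(iso):
    """Graph timestamps end in Z; make them tz-aware so epoch conversion is UTC."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def graph_filter(last_run):
    """$filter value so Graph returns only events newer than the watermark."""
    return f"createdDateTime gt {last_run}"

def filter_new(records, last_run):
    """Client-side guard: drop anything at or before the watermark so a retried or
    overlapping poll never forwards the same event twice."""
    cutoff = parse_ts(last_run)
    return [r for r in records if parse_ts(r["createdDateTime"]) > cutoff]

def hec_envelopes(records, index=HEC_INDEX, sourcetype=HEC_SOURCETYPE):
    """One HEC envelope per record. `time` carries createdDateTime as epoch seconds
    so Splunk indexes the event at when it happened, not when it was forwarded."""
    return [{"time": parse_ts(r["createdDateTime"]).timestamp(), "index": index,
             "sourcetype": sourcetype, "event": r} for r in records]

def to_hec_batch(records):
    """Newline-delimited body for one POST to /services/collector/event."""
    return "\n".join(json.dumps(e) for e in hec_envelopes(records))

def newest_watermark(records, last_run):
    """createdDateTime to write to last_run.json as the next poll's start point."""
    return max([r["createdDateTime"] for r in records] + [last_run], key=parse_ts)

def save_last_run(path, watermark):
    """Persist the watermark; the next run loads it and resumes from there."""
    Path(path).write_text(json.dumps({"last_run": watermark}))
```

Comparing watermarks as parsed datetimes rather than raw strings matters because Graph may return timestamps with and without fractional seconds, and a string comparison would order those incorrectly.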

Detection Deployment

  • 03

    D-01 — MFA Fatigue (T1621)

    SPL query filters for sign-ins matching MFA failure error codes (500121, 500082) and aggregates per user over a 60-minute rolling window. Alert fires when a single user exceeds 5 push denials. Throttled to once per user per hour. Alert fired against test data — confirmed in Triggered Alerts with HIGH severity badge.

    Figure 08a-mfa-fatigue-alert: D-01 MFA fatigue alert triggered
    Figure 08b-mfa-fatigue-alert: D-01 MFA fatigue alert results — HIGH severity confirmed
  • 04

    D-02 — Impossible Travel (T1078)

    SPL uses streamstats to compare consecutive successful sign-ins per user, then applies the Haversine formula to calculate great-circle distance. Known corporate VPN egress IPs excluded. Alert fired — New York to Seattle, 2,402 miles apart, 25-minute gap. Result set confirmed locations, IPs, distance, MITRE technique, response SLA, and runbook reference.

    Figure 09a-impossible-travel-alert: D-02 impossible travel alert triggered
    Figure 09b-impossible-travel-alert: D-02 alert results — NY to Seattle, 2,402 miles, 25-min gap confirmed
  • 05

    D-03 — After-Hours PIM (T1078.004)

    SPL filters Entra audit logs for PIM activation events (loggedByService = PIM, result = success), converts UTC to local time, and flags activations between 22:00 and 06:00. UTC offset configurable. Scheduled every 60 minutes. All four alerts confirmed enabled and scheduled.

    Figure 12-identity-threat-alerts: All four detections configured and enabled in Splunk
  • 06

    D-04 — Legacy Auth Spike (T1110.003) + Identity Threat Dashboard

    SPL filters for legacy clientAppUsed values, aggregates by source IP over 60 minutes, alerts when any IP exceeds 10 attempts. Dashboard confirmed 36 legacy auth attempts from 185.220.101.55 (NL) across Exchange ActiveSync, IMAP, SMTP, POP3. Dashboard deployed with live data — 66 sign-ins, 21 MFA denials, 3 PIM activations, and 36 legacy auth attempts visible. SOC achieves full identity threat visibility without a single Entra portal login.

    Figure 13-identity-threat-dashboard: Identity Threat Dashboard — all four detection categories visible
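The D-02 comparison as an added Python example (not the page's SPL): consecutive successful sign-ins per user are paired the way streamstats does, the Haversine formula gives the great-circle distance, and VPN egress ranges are excluded. With city-centre coordinates for New York and Seattle it reproduces the 2,402-mile result. The VPN range, the coordinates and the record fields are assumptions.

```python
from math import asin, cos, radians, sin, sqrt
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

EARTH_RADIUS_MI = 3958.8
MAX_MILES, WINDOW_MIN = 500, 120  # D-02 thresholds from the page
# Corporate VPN egress ranges to exclude (assumed; documentation range, not a real egress)
VPN_EGRESS = [ip_network("192.0.2.0/24")]
CITIES = {"New York": (40.7128, -74.0060), "Seattle": (47.6062, -122.3321)}

def signin(user, minute, ip, city, error_code=0):
    """Constructed sign-in record (city-centre coordinates stand in for IP geolocation)."""
    lat, lon = CITIES[city]
    return {"user": user, "ts": datetime(2024, 5, 1, 13, minute), "ip": ip,
            "city": city, "lat": lat, "lon": lon, "errorCode": error_code}

SAMPLE = [  # constructed test data, not events from the page
    signin("alice@idsentinel.example", 0, "198.51.100.7", "New York"),
    signin("alice@idsentinel.example", 25, "203.0.113.5", "Seattle"),   # 2,402 mi in 25 min
    signin("bob@idsentinel.example", 0, "198.51.100.9", "New York"),
    signin("bob@idsentinel.example", 10, "192.0.2.44", "Seattle"),      # VPN egress: excluded
]

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (the formula the SPL applies)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MI * asin(sqrt(a))

def is_vpn_egress(ip):
    return any(ip_address(ip) in net for net in VPN_EGRESS)

def impossible_travel(signins, max_miles=MAX_MILES, window_min=WINDOW_MIN):
    """Mirror of the SPL: order successful sign-ins per user, compare each with the
    previous one (what streamstats does), and flag pairs more than max_miles apart
    within window_min minutes."""
    alerts, previous = [], {}
    ordered = sorted((s for s in signins if s["errorCode"] == 0 and not is_vpn_egress(s["ip"])),
                     key=lambda s: s["ts"])
    for cur in ordered:
        prev = previous.get(cur["user"])
        if prev is not None:
            miles = haversine_miles(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            gap = (cur["ts"] - prev["ts"]) / timedelta(minutes=1)
            if miles > max_miles and gap <= window_min:
                alerts.append({"user": cur["user"], "from": prev["city"], "to": cur["city"],
                               "miles": round(miles), "gap_min": round(gap)})
        previous[cur["user"]] = cur
    return alerts
```

The exact mileage depends on the coordinates the IP geolocation lookup returns, so a production alert should carry the raw distance alongside the threshold rather than a hard-coded expected value.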

Outcome

  • Entra ID sign-in and audit logs streaming into Splunk via Python HEC ingestor at 5-minute intervals
  • D-01 and D-02 validated end-to-end with synthetic test events — alert fired, result set confirmed
  • D-02 confirmed 2,402-mile gap — Haversine calculation, MITRE attribution, and IR runbook all in result set
  • D-03 and D-04 confirmed via dashboard — events flowing through pipeline
  • Identity Threat Dashboard deployed — full SOC visibility without a single Entra portal login
  • Manual detection time reduced from 2–4 hours to zero — all detection automated and alert-driven

Detection Coverage Summary

| Detection | Schedule | Severity | MITRE | Validated |
| --- | --- | --- | --- | --- |
| D-01 MFA Fatigue | 15min | HIGH | T1621 | ✅ Alert fired |
| D-02 Impossible Travel | 30min | HIGH | T1078 | ✅ 2,402mi confirmed |
| D-03 After-Hours PIM | 60min | MEDIUM | T1078.004 | ✅ Dashboard confirmed |
| D-04 Legacy Auth Spike | 15min | HIGH | T1110.003 | ✅ 36 attempts confirmed |

Files