Open to SOC Analyst Roles
// soc_analyst_portfolio.init()

Manmath Swami

SOC Analyst  |  Security Monitoring & Threat Detection
B.Sc. Computer Science  |  Blue Team Operations  |  Founder @ SoulMatrix

Hands-on experience in security monitoring, log analysis, SIEM operations, and threat detection. I build labs, write detections, and investigate real attack patterns — not just theory.

SOC L1  |  SOC L2  |  Threat Hunter  |  Security Engineer
00 // impact_metrics

By The Numbers

5000+
Security Events Analyzed
100+
SPL Queries Executed
20+
Threat Scenarios Investigated
3+
Security Labs Built
50+
Hours of Security Monitoring
7
Hands-On Security Projects
01 // about_me

Who I Am

I am a Bachelor of Computer Science graduate with hands-on experience in Security Monitoring, Log Analysis, Threat Detection, Incident Investigation, and SIEM technologies.

I have built and configured cybersecurity labs, analyzed Windows Security Logs, investigated authentication events, and worked with Splunk for security monitoring and incident detection.

I operate with a defender's mindset — I think in terms of attacker techniques, detection gaps, and incident timelines. My approach is always practical, lab-driven, and documentation-focused.

Beyond technical skills, I am the Founder of SoulMatrix, a cybersecurity startup with a vision to bring AI-powered security solutions to market.

Hands-on SOC lab builder and threat investigator
Blue team focused — detection, monitoring, and response
Practical Splunk SPL and Windows Event Log experience
Founder of SoulMatrix — cybersecurity startup

// career_roadmap

Active Directory Security
MITRE ATT&CK Framework
Incident Response
Cloud Security

// education

Bachelor of Computer Science
Cybersecurity Self-Study & Practice
Hands-on Lab Practice
02 // core_skills

Technical Skills

// soc & blue team operations

Security Monitoring · Log Analysis · Threat Detection · Incident Investigation · Incident Response Basics · SIEM Fundamentals · Threat Hunting Basics · Security Reporting · Brute Force Detection · Password Spray Detection · RDP Activity Monitoring · Authentication Monitoring · Account Activity Analysis · Security Event Correlation · Blue Team Operations · SOC Fundamentals

// windows event log expertise

Windows Event Log Analysis · Event ID 4624 — Successful Login · Event ID 4625 — Failed Login · Event ID 4672 — Special Privileges · Logon Type 2 (Interactive) · Logon Type 3 (Network) · Logon Type 10 (RDP) · User Activity Monitoring · Security Event Correlation

// network & security fundamentals

TCP/IP · OSI Model · LAN / WAN / PAN · Firewall Concepts · IDS / IPS · Switching / Ethernet · Network Security · Defensive Security · Vulnerability Assessment Basics · Risk Assessment Basics · Security Documentation
03 // tools_&_technologies

Tools I Work With

Splunk Enterprise (Active)
Splunk Forwarder (Active)
Windows Sec Logs (Active)
VirtualBox (Active)
Burp Suite (Active)
Wireshark (Active)
Nmap (Active)
Kali Linux (Active)
Sysmon (Learning)
Velociraptor (Learning)

Active = Currently Using · Learning = Actively Learning
04 // projects_&_labs

Hands-On Work

Splunk Brute Force Detection Lab

SIEM

Built a Splunk-based lab to monitor Windows Security Logs, detect brute force attacks, investigate suspicious login activity, and create SPL-based detections for authentication anomalies.

Splunk · SPL · Event Logs · Threat Detection
→ view on github

Windows Event Log Investigation

Log Analysis

Performed detailed analysis of Windows Security Events — successful logins, failed logins, RDP access, and privilege escalation events — to identify suspicious activity and document findings.

Event Log Analysis · Incident Investigation · Windows Security
→ view on github

Home SOC Lab

SOC Ops

Created a personal SOC lab using Windows systems, Splunk, and security monitoring tools to simulate real-world monitoring and incident detection workflows end-to-end.

SOC Operations · SIEM · Detection Engineering
→ view on github

Vulnerability Assessment Project

VA

Conducted vulnerability assessments and documented findings, risk ratings, affected assets, and remediation recommendations in a structured professional report.

Vulnerability Assessment · Risk Analysis · Reporting
→ view on github

Network Security Fundamentals Lab

Networking

Studied and practiced TCP/IP, OSI Model, MAC Addressing, Ethernet Communication, Switching, and Security Monitoring across a virtualized lab environment.

Networking · Network Security · Traffic Analysis
→ view on github

AI-Powered Threat Hunting Dashboard

AI + SOC

Building an AI-powered threat hunting dashboard that automates detection of suspicious patterns across security logs, correlates events intelligently, and presents actionable threat intelligence to SOC analysts in real time.

AI/ML · Threat Hunting · SIEM · Log Correlation
⟳ In Development

Dark Web Exposure Monitor

Threat Intel

Developing a dark web exposure monitoring system that scans for leaked credentials, sensitive data, and organizational exposure — providing early warning alerts and structured risk reports.

Threat Intelligence · OSINT · Dark Web · Risk Reporting
⟳ In Development
05 // soc_case_studies

Incident Investigations

Case #001 — RDP Brute Force Attack Investigation

HIGH SEVERITY

// scenario

  • 15 failed login attempts in under 2 minutes
  • All attempts from same source IP address
  • Logon Type 10 (RDP) observed across all events
  • Successful login detected after repeated failures
  • Event IDs 4625 (failed) and 4624 (success) correlated

// investigation process

  • Queried Splunk for Event ID 4625 with source IP filter
  • Correlated failed attempts with Event ID 4624 timeline
  • Identified Logon Type 10 confirming RDP vector
  • Checked Event ID 4672 for privilege escalation post-login
  • Documented full attack timeline and findings

// findings

Attacker conducted automated RDP brute force from a single IP. After 15 failed attempts, a successful authentication was achieved, indicating weak credentials. Post-login privilege escalation events (4672) were detected, suggesting elevated access was gained. Incident classified as confirmed unauthorized access.

// recommendations

  • Implement account lockout policy after 5 failed attempts
  • Restrict RDP access to VPN and trusted IPs only
  • Enable Multi-Factor Authentication (MFA) for all RDP sessions
  • Alert on Logon Type 10 events from external IPs
  • Review and rotate credentials for the compromised account

Case #002 — Password Spray Attack Detection

MEDIUM SEVERITY

// scenario

  • Single failed login attempt across multiple accounts
  • Same source IP targeting different usernames
  • Event ID 4625 events spread across a 30-minute window
  • Low failure count per account — evading lockout
  • Pattern consistent with password spray technique

// investigation process

  • SPL query grouped 4625 events by source IP and username
  • Identified single IP with failures against 10+ accounts
  • Checked time distribution to confirm spray pattern
  • Reviewed successful logins from same IP post-spray
  • Cross-referenced with user account activity baseline

// findings

A password spray attack was identified from a single IP targeting multiple accounts with minimal attempts per account to avoid lockout detection. No successful authentications were confirmed — early detection. Classified as attempted unauthorized access — contained.

// recommendations

  • Create SPL alert for single IP hitting 5+ different accounts
  • Implement geo-based login anomaly detection
  • Enforce MFA across all user accounts
  • Block identified attacker IP at firewall level
06 // detection_library

SPL Detection Rules

Brute Force Detection

Event ID 4625
Detect 10+ failed logins from the same IP within 5 minutes (the 5-minute bucket and the >= 10 threshold make the query match its description):
index=windows EventCode=4625
| bin _time span=5m
| stats count by _time, Source_Network_Address, Account_Name
| where count >= 10
| sort - count
| rename Source_Network_Address as "Attacker IP"
| table _time, "Attacker IP", Account_Name, count

Password Spray Detection

Multi-Account
Detect a single IP failing against multiple accounts:
index=windows EventCode=4625
| stats dc(Account_Name) as unique_accounts, count by Source_Network_Address
| where unique_accounts > 5
| sort - unique_accounts
| table Source_Network_Address, unique_accounts, count

RDP Activity Monitoring

Logon Type 10
Monitor all RDP authentication events:
index=windows EventCode=4624 Logon_Type=10
| stats count by Account_Name, Source_Network_Address, _time
| sort - _time
| table _time, Account_Name, Source_Network_Address, count

Failed Then Successful Login

Correlation
Detect the brute force success pattern (repeated failures and at least one success from the same source):
index=windows EventCode IN (4624, 4625)
| eval status=if(EventCode==4624, "success", "failed")
| stats count(eval(status="failed")) as fails, count(eval(status="success")) as success by Source_Network_Address
| where fails > 5 AND success > 0
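As an added example (not code from this portfolio or its repositories), the three detections above and the two case-study patterns implemented in Python over constructed 4624/4625 events, so the logic can be checked offline against known input. It goes slightly beyond the SPL: the brute force check enforces a sliding 5-minute window, and the failed-then-success check requires the success to come after the failures. Field names mirror the Splunk fields used above; every event value is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not lab data): (timestamp, EventCode, Logon_Type, Account_Name, Source_Network_Address)
EVENTS = [
    # Case #001 shape: 15 RDP failures from one IP in about a minute, then a success
    *[(f"2024-01-01T10:00:{s:02d}", 4625, 10, "jsmith", "203.0.113.5") for s in range(0, 60, 4)],
    ("2024-01-01T10:01:30", 4624, 10, "jsmith", "203.0.113.5"),
    # Case #002 shape: one failure each against six accounts, spread over 30 minutes
    *[(f"2024-01-01T11:{m:02d}:00", 4625, 3, f"user{m}", "198.51.100.7") for m in range(0, 30, 5)],
    # Benign noise: one mistyped password followed by a normal interactive logon
    ("2024-01-01T12:00:00", 4625, 2, "admin", "10.0.0.8"),
    ("2024-01-01T12:00:10", 4624, 2, "admin", "10.0.0.8"),
]


def brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """(ip, account) pairs with >= threshold failures inside any sliding window."""
    times = defaultdict(list)
    for t, code, _, acct, ip in events:
        if code == 4625:
            times[(ip, acct)].append(datetime.fromisoformat(t))
    hits = {}
    for key, ts in times.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:   # drop failures older than the window
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[key] = max(hi - lo + 1, hits.get(key, 0))
    return hits


def password_spray(events, min_accounts=5):
    """Source IPs whose failures touch >= min_accounts distinct accounts."""
    accts = defaultdict(set)
    for _, code, _, acct, ip in events:
        if code == 4625:
            accts[ip].add(acct)
    return {ip: len(a) for ip, a in accts.items() if len(a) >= min_accounts}


def failed_then_success(events, min_fails=5):
    """IPs where a 4624 arrives only after >= min_fails 4625s (order-aware)."""
    fails, hits = defaultdict(int), {}
    for t, code, ltype, acct, ip in sorted(events, key=lambda e: e[0]):  # ISO timestamps sort chronologically
        if code == 4625:
            fails[ip] += 1
        elif code == 4624 and fails[ip] >= min_fails:
            hits[ip] = (acct, ltype, fails[ip])
    return hits
```

Running the three functions over EVENTS flags only the brute force source for the first two patterns and the spray source for the third; the single admin typo stays below every threshold.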
07 // mitre_att&ck_mapping

MITRE ATT&CK Coverage

Technique | ATT&CK ID | Tactic | Detection Method | Status
Brute Force | T1110 | Credential Access | Event ID 4625 — Failed logins threshold | ✓ Detected
Password Spraying | T1110.003 | Credential Access | Multi-account failure from single IP | ✓ Detected
Remote Services (RDP) | T1021.001 | Lateral Movement | Logon Type 10 — Event ID 4624 | ✓ Detected
Valid Accounts | T1078 | Defense Evasion | Successful login after multiple failures | ✓ Detected
Privilege Escalation | T1068 | Privilege Escalation | Event ID 4672 — Special Privileges | ✓ Detected
Network Service Discovery | T1046 | Discovery | Unusual network scanning patterns | ⟳ Learning
08 // splunk_dashboards

Splunk Dashboards

Failed Login Spikes

Failed Login Dashboard

4625 events over time — brute force visualization

Auth Events Timeline

Authentication Monitor

Successful vs failed login correlation

Source IP Heatmap

Brute Force Detection

IP-based attack source map and alerts

RDP Activity View

Investigation Dashboard

Full incident timeline — failure to resolution

09 // startup_venture

SoulMatrix

Founder — SoulMatrix

Cybersecurity Startup · AI-Powered Security Solutions

Building AI-powered cybersecurity solutions for small and medium businesses. SoulMatrix focuses on making enterprise-grade security monitoring and threat detection accessible and affordable — with smart automation at its core.

Security Monitoring
Threat Detection
Vulnerability Assessment
AI Security Assistant
Security Reporting

// active_ai_projects

⟳ IN DEVELOPMENT
RAV
AI-Powered Autonomous Security System

An advanced AI security system designed to autonomously monitor, detect, and respond to cyber threats in real time. RAV combines machine learning with SOC workflows to deliver intelligent threat analysis, automated incident handling, and proactive defense capabilities.

AI/ML Threat Detection Auto Response Security Ops Real-Time Analysis
⟳ IN DEVELOPMENT
NYREX
AI Personal Assistant · Dual Version

An intelligent AI personal assistant that understands context, assists with tasks, and adapts to user needs. NYREX comes in two powerful versions — one for everyday users and one built for enterprise-grade business use.

NYREX Personal

Smart personal assistant for everyday users — tasks, reminders, intelligent conversations, and productivity support.

NYREX Enterprise

Advanced version for companies — workflow automation, data insights, team integrations, and business-grade AI features.

AI Assistant NLP Automation Enterprise
10 // github_showcase

Open Source Work

SPL Queries

splunk-detection-rules

Collection of SPL detection queries for brute force, password spray, RDP monitoring, and authentication anomaly detection.

Incident Reports

soc-investigation-reports

Documented incident investigation reports from hands-on lab environments — RDP brute force, password spray, and privilege escalation cases.

Lab Documentation

home-soc-lab-setup

Step-by-step documentation of building a personal SOC lab — Splunk configuration, forwarder setup, log collection, and monitoring workflows.

Security Notes

windows-event-log-notes

Windows Event Log reference notes — Event IDs, Logon Types, authentication analysis techniques, and investigation checklists.

11 // hands_on_experience

Practical Experience

// windows_event_log_experience

Event ID 4624 — Successful login analysis
Event ID 4625 — Failed login and brute force detection
Event ID 4672 — Special privileges assigned
Logon Type 2 (Interactive) investigation
Logon Type 3 (Network) access monitoring
Logon Type 10 (RDP) activity monitoring
Authentication event correlation and analysis
User activity monitoring and reporting

// splunk_experience

Splunk installation and configuration
Universal Forwarder deployment
Log collection and ingestion pipeline
Search Processing Language (SPL) queries
Dashboard creation and usage
Brute force detection with SPL
Authentication monitoring and alerting
Security investigations and incident analysis

// tool_experience

Burp Suite

Used for web application security testing — intercepting HTTP/S traffic, identifying vulnerabilities like XSS and injection flaws, and testing authentication mechanisms.

Wireshark

Performed packet-level network analysis — capturing live traffic, analyzing TCP/IP sessions, identifying suspicious communication patterns, and troubleshooting network issues.

Nmap

Conducted network reconnaissance — port scanning, service version detection, OS fingerprinting, and identifying open attack surfaces on target systems.

Kali Linux

Primary OS for security lab work — running penetration testing tools, configuring attack simulations, and practicing offensive techniques to better understand defensive gaps.

Splunk Enterprise

End-to-end SIEM experience — ingesting Windows security logs, writing SPL detection queries, building dashboards, and running security investigations.

VirtualBox

Built and managed isolated lab environments — running Windows VMs for attack simulations, Splunk servers for log collection, and multi-machine SOC lab setups.

12 // contact

Let's Connect

Open to SOC Analyst roles, cybersecurity internships, and blue team collaborations. Feel free to reach out.
