# F5 to Active Directory Attack Path SIEM
A local SIEM-style detection engineering lab for a simulated F5 BIG-IP to Linux, Confluence and Active Directory attack path, using synthetic telemetry, alert logic, investigation views and SIEM-ready rules.

This project explores how a SOC could investigate a realistic edge-to-identity intrusion path without using exploit code or real credentials. The scenario follows an exposed F5 BIG-IP appliance, privileged SSH activity toward a Linux host, internal discovery, suspicious Confluence behavior and authentication activity that creates Active Directory risk.

The lab generates synthetic telemetry for assets, trust relationships, Linux authentication, process execution, file access, network connections and Windows authentication. A local detection runner processes those events and produces alerts that follow the attack chain from initial exposure to identity risk.

The SIEM interface turns the data into an investigation workspace: overview metrics, event search, alert triage, timeline reconstruction, detection library, case notes, risk mapping and report generation. It is designed to show both the analyst workflow and the reasoning behind each alert.

Detection content is written in several practical formats: Python for the local rule engine, KQL for Microsoft Sentinel-style hunting, Sigma for portable detection logic and Splunk SPL for SIEM searches. The goal is to make the project useful for SOC analysis, detection engineering and risk communication at the same time.
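As an added example that is not part of the project's own code, the following Python sketch shows the shape of a local rule engine like the one described above: staged rules evaluated over synthetic events, with the hits linked into an attack chain keyed on the host the edge session landed on. Every event field, hostname, asset list and rule name below is an assumption made for the example.

```python
"""Minimal attack-path rule engine (added example, not the project's code).
Evaluates ordered stage rules over constructed telemetry and links the hits
into a chain keyed on the host that the edge session landed on."""
from typing import Callable

EDGE_ASSETS = {"f5-edge-01"}                    # assumed asset inventory
DISCOVERY_BINS = ("nmap", "arp", "ldapsearch")  # assumed discovery tooling list

# Constructed synthetic events in time order; field names are assumptions.
EVENTS = [
    {"ts": 1, "type": "linux_auth", "src": "f5-edge-01", "host": "lnx-app-01", "user": "root", "result": "success"},
    {"ts": 2, "type": "process", "host": "lnx-app-01", "user": "root", "cmd": "nmap -sn 10.0.0.0/24"},
    {"ts": 3, "type": "net_conn", "host": "lnx-app-01", "dst": "confluence-01", "dport": 8090},
    {"ts": 4, "type": "win_auth", "host": "dc-01", "src": "lnx-app-01", "user": "svc_confluence", "logon_type": 3},
    {"ts": 5, "type": "linux_auth", "src": "jump-01", "host": "lnx-db-02", "user": "admin", "result": "success"},
]

# (stage, rule name, predicate). Stage order reflects the edge-to-identity path.
RULES: list[tuple[str, str, Callable[[dict], bool]]] = [
    ("initial_access", "Root SSH from edge appliance",
     lambda e: e["type"] == "linux_auth" and e["src"] in EDGE_ASSETS
               and e["user"] == "root" and e["result"] == "success"),
    ("discovery", "Discovery tooling executed",
     lambda e: e["type"] == "process" and e["cmd"].split()[0] in DISCOVERY_BINS),
    ("lateral_movement", "Connection to Confluence from server",
     lambda e: e["type"] == "net_conn" and e["dst"].startswith("confluence") and e["dport"] == 8090),
    ("identity_risk", "Service account network logon from Linux host",
     lambda e: e["type"] == "win_auth" and e["logon_type"] == 3 and e["user"].startswith("svc_")),
]

def run_rules(events: list[dict]) -> list[dict]:
    """Return one alert per (event, rule) match, keeping event order."""
    return [{"ts": e["ts"], "stage": stage, "rule": name, "host": e["host"], "src": e.get("src")}
            for e in events for stage, name, pred in RULES if pred(e)]

def attack_chain(alerts: list[dict]) -> list[str]:
    """Link alerts stage by stage on the pivot host the edge session landed on.
    Stages must appear in path order and later in time; identity-stage alerts
    link through their source host. The chain stops at the first missing stage."""
    chain, pivot = [], None
    for _stage, name, _pred in RULES:
        hit = next((a for a in alerts if a["rule"] == name
                    and (pivot is None or pivot in (a["host"], a["src"]))
                    and (not chain or a["ts"] > chain[-1]["ts"])), None)
        if hit is None:
            break  # path broken at this stage; report what links so far
        chain.append(hit)
        pivot = pivot or hit["host"]
    return [a["rule"] for a in chain]
```

The unrelated admin login at ts 5 produces no alert, and dropping the edge-appliance event leaves individual alerts but no chain, which is the distinction between a single rule hit and a correlated attack path.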
# Outcomes
# Images