The Telemetry Forge

Welcome. This is a hands-on cybersecurity and observability blog focused on forging raw security telemetry into actionable detections, threat hunting insights, and modern SOC engineering workflows.

Posts are written for security architects and engineers who want depth – not overviews. Every build documented here was done in a real lab against real data.

Building an Edge AI Inference Pipeline for Security Operations: Architecture and Concepts (Part 1 of 4)

Most security teams have the same problem: data volume is growing faster than analyst capacity, and signature-based detection alone is not catching the sophisticated, low-and-slow attacks that matter most. Machine learning promises to help, but production ML in a SOC is genuinely hard to operationalize. The gap between a data science notebook and a running inference pipeline that feeds your SIEM is wider than most blog posts acknowledge. This series documents the end-to-end build of a working edge AI inference pipeline in a real security lab – not a cloud demo, not a toy dataset. The hardware is four NVIDIA Jetson Nano 4GB Developer Kit nodes. The SIEM is Splunk Enterprise 10.0 with Enterprise Security. The ML toolkit is Splunk’s own Deep Learning Toolkit (DSDL). The detection targets are real security data sources: Zeek connection logs, Splunk Stream DNS telemetry, and Windows Security event logs. ...

May 7, 2026 · 7 min · Ted Skinner

Building the DSDL-Native Inference Container on Jetson Nano (Part 2 of 4)

Introduction: In Part 1, you learned why an edge AI inference pipeline is a compelling approach for security operations, and you understood the key constraints imposed by the Jetson Nano 4GB hardware and DSDL 5.2.3’s actual behavior. In this post, you will build the inference container – every file, every command, and every decision explained. The build covers four areas: the Dockerfile and its critical dependencies, the DSDL-native Flask application that implements the correct wire protocol, TLS certificate generation using a lab CA, and the distribution workflow for deploying the finished image to all four nodes. ...

May 7, 2026 · 11 min · Ted Skinner

Wiring the Pipeline: DSDL Configuration, HEC, and Splunk Integration (Part 3 of 4)

Introduction: In Part 2, you built four HTTPS inference containers running on Jetson Nano hardware. They are healthy, serving the DSDL-native protocol, and waiting for requests. In this post, you will wire everything together: Splunk DSDL installed on the search head, HEC configured on the indexer cluster, and the exact configuration files that make DSDL’s fit and apply commands route correctly to your containers. This is the most configuration-dense part of the series. It is also where most implementations break down – not because the concepts are complex, but because DSDL 5.2.3 has several undocumented behaviors that only become visible when you read its Python source code. This post documents those behaviors explicitly so you do not have to discover them through trial and error. ...

May 7, 2026 · 9 min · Ted Skinner

Real Security Data: Training and Deploying Anomaly Detection Models (Part 4 of 4)

Introduction: The first three parts of this series built the infrastructure. This final post uses it. You now have four Jetson Nano inference containers running HTTPS, DSDL wired to Splunk, and HEC delivering scored events back to your indexers. In this post, you will train three Isolation Forest models on real security data and build the ES correlation rules that turn AI-scored anomalies into actionable notable events. The three detection use cases are chosen for complementary coverage across the kill chain. Zeek connection log anomaly detection catches behavioral outliers in network traffic – the kinds of connections that do not match your environment’s normal patterns. DNS anomaly detection catches tunneling, command-and-control beaconing, and DGA callbacks that generate no network flow anomalies because they hide inside legitimate DNS traffic. Windows authentication anomaly detection catches credential abuse, brute force, and lateral movement patterns that look like legitimate events when examined individually but are anomalous in aggregate. ...

May 7, 2026 · 10 min · Ted Skinner