Building a Unified Security Operations Centre with Splunk in India: Architecture, Tools, and Best Practices
Building a Security Operations Centre is one of the most consequential decisions an Indian enterprise can make. Done right, a SOC provides continuous visibility into your security posture, rapid incident detection and response, and the compliance evidence that regulators increasingly demand. Done poorly, it becomes an expensive monitoring room that generates alerts nobody investigates and reports nobody reads.
This guide covers the practical aspects of building a SOC in India using Splunk as the technology foundation — including architecture decisions, tool selection, staffing models, compliance alignment, and the managed SOC alternative for organisations that cannot justify a full in-house team.
Why Splunk as the SOC Foundation?
A SOC requires three core technology capabilities: detection (SIEM), response (SOAR), and analytics (UBA/UEBA). Splunk provides all three in an integrated platform:
- Splunk Enterprise Security (ES): The SIEM layer — ingests logs from all security-relevant sources, correlates events, generates risk-based alerts, maps detections to MITRE ATT&CK, and provides compliance dashboards
- Splunk SOAR: The response layer — automates incident response workflows via visual playbooks, orchestrates actions across 300+ security tools, and provides case management for incident tracking
- Splunk UBA: The analytics layer — uses machine learning to baseline normal user and entity behaviour, detects insider threats, compromised accounts, and lateral movement through behavioural anomaly detection
The integration between these three components is the key advantage. An ES correlation search detects suspicious activity, SOAR automatically triages and responds, and UBA surfaces the behavioural anomalies that rule-based detection misses. This is a unified TDIR (Threat Detection, Investigation, and Response) pipeline — not three separate products bolted together.
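As an added example (not the page's or Splunk's own content), a savedsearches.conf stanza shows how one ES correlation search ties the pipeline together: the detection logic, its MITRE ATT&CK annotation, a risk score for risk-based alerting, and the notable event that SOAR picks up for triage. The app name, thresholds, index and field values are assumptions; the risk-action parameter names follow the ES 6.4+ format and can differ in older versions.

```ini
# savedsearches.conf in a custom ES content app (name assumed: SA-soc-content)
[Brute Force Followed By Successful Login - Rule]
# Detection: 20+ failed logons then a success for the same user from the
# same source inside a 10-minute window, read from the accelerated
# Authentication data model (summariesonly=true keeps it fast)
search = | tstats summariesonly=true count from datamodel=Authentication \
    where Authentication.action IN ("failure","success") \
    by Authentication.user Authentication.src Authentication.action _time span=10m \
  | rename Authentication.* as * \
  | eval failures=if(action="failure",count,0), successes=if(action="success",count,0) \
  | stats sum(failures) as failures sum(successes) as successes by user src _time \
  | where failures >= 20 AND successes > 0
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now
enableSched = 1
disabled = 0

# Marks the saved search as an ES correlation search and maps it to ATT&CK
action.correlationsearch.enabled = 1
action.correlationsearch.label = Brute Force Followed By Successful Login
action.correlationsearch.annotations = {"mitre_attack": ["T1110"]}

# Risk-based alerting: score both the user and the source host, so several
# medium-confidence detections on one entity aggregate into a single alert
action.risk = 1
action.risk.param._risk = [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 60}, \
                           {"risk_object_field": "src", "risk_object_type": "system", "risk_score": 40}]
action.risk.param._risk_message = $failures$ failed logons followed by a success for $user$ from $src$

# Notable event for the analyst queue; SOAR ingests notables from here
action.notable = 1
action.notable.param.rule_title = Brute force followed by success: $user$ from $src$
action.notable.param.rule_description = Repeated authentication failures followed by a success; possible password spraying or credential stuffing that worked.
action.notable.param.severity = high
action.notable.param.security_domain = access
action.notable.param.drilldown_name = View authentication events for $user$
action.notable.param.drilldown_search = `authentication` Authentication.user="$user$" Authentication.src="$src$"
```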
SOC Architecture with Splunk
Tier 1: Data Collection
The foundation of any SOC is comprehensive data collection. For an Indian enterprise SOC, the critical data sources include:
- Network perimeter: FortiGate, Palo Alto, Cisco ASA firewall logs; IPS/IDS alerts; VPN authentication logs
- Endpoints: CrowdStrike Falcon, Microsoft Defender, or SentinelOne EDR telemetry; Windows Event Logs; sysmon data
- Identity: Active Directory authentication logs; Azure AD/Entra ID sign-in logs; RADIUS/TACACS+ logs; privileged access management (PAM) logs
- Email: Exchange/O365 message trace logs; email gateway (Proofpoint, Mimecast) logs; phishing report submissions
- Cloud: AWS CloudTrail, Azure Activity Log, GCP Audit Log; cloud workload protection logs; SaaS audit logs (O365, Salesforce)
- Applications: Web server access/error logs; database audit logs; API gateway logs; custom application logs
- Vulnerability: Qualys, Nessus, or OpenVAS scan results; patch management status from WSUS/SCCM/Intune
Splunk Universal Forwarders are deployed on all log sources. Heavy Forwarders aggregate syslog from network devices and perform initial parsing. A Deployment Server centrally manages forwarder configurations and app distribution.
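The collection tier written out as configuration, added here as an example rather than taken from the page or from Splunk's documentation. Hostnames, index names, ports and the certificate path are assumptions; the sourcetypes fgt_log and pan:log are the ones the Fortinet FortiGate and Palo Alto Networks add-ons expect on their raw syslog inputs.

```ini
# --- deploymentclient.conf: the one file installed with each Universal
#     Forwarder; every app below is then pushed by the Deployment Server
[target-broker:deploymentServer]
targetUri = ds.soc.example.internal:8089

# --- inputs.conf (app deployed to Windows endpoints)
[WinEventLog://Security]
disabled = 0
renderXml = true
index = wineventlog
# Drop Windows Filtering Platform "connection allowed" noise at the source
blacklist = 5156

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = endpoint

# --- inputs.conf (Heavy Forwarder aggregating network device syslog)
#     One listener per vendor so the matching add-on parses each feed;
#     TCP rather than UDP so a busy firewall does not silently lose events
[tcp://5514]
sourcetype = fgt_log
index = network
connection_host = ip

[tcp://5515]
sourcetype = pan:log
index = network
connection_host = ip

# --- outputs.conf (all forwarders): send to the indexer cluster over TLS
#     with acknowledgements, so an indexer restart does not lose data
[tcpout]
defaultGroup = soc_indexers

[tcpout:soc_indexers]
server = idx1.soc.example.internal:9997, idx2.soc.example.internal:9997, idx3.soc.example.internal:9997
useACK = true
clientCert = $SPLUNK_HOME/etc/auth/soc_forwarder.pem
sslVerifyServerCert = true
```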
Tier 2: Processing and Storage
Indexer clusters receive, parse, and store data with configurable replication for high availability. For a mid-enterprise SOC ingesting 50-100 GB/day, a typical deployment uses 3-5 indexer nodes. SmartStore offloads warm and cold data to S3-compatible object storage (MinIO on-prem or cloud S3) to reduce local storage costs while maintaining searchability.
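Tier 2 as server.conf and indexes.conf fragments, an added example and not the page's or Splunk's own configuration. The MinIO endpoint, bucket, index names and cache window are assumptions; the two retention values reflect the CERT-In 2022 directions (logs for a rolling 180 days) and PCI DSS Requirement 10 (audit trail history for at least one year).

```ini
# --- server.conf on the cluster manager: 3 copies of every bucket, 2 of
#     them searchable, so one indexer can fail without losing visibility
[clustering]
mode = manager
replication_factor = 3
search_factor = 2
cluster_label = soc_idx_cluster
# pass4SymmKey is set with `splunk edit cluster-config -secret`, not in clear text here

# --- indexes.conf pushed to every indexer from the manager
# SmartStore volume: MinIO on-prem (or any S3 API endpoint). Credentials come
# from the indexer's IAM/instance role or the secrets file, never this stanza.
[volume:remote_store]
storageType = remote
path = s3://soc-smartstore
remote.s3.endpoint = https://minio.soc.example.internal:9000
remote.s3.signature_version = v4
remote.s3.encryption = sse-s3

[default]
# Hot buckets stay on local disk; warm buckets upload to the volume and are
# fetched back by the cache manager only when a search needs them
remotePath = volume:remote_store/$_index_name
repFactor = auto
# CERT-In 2022 directions: logs kept for a rolling 180 days
frozenTimePeriodInSecs = 15552000
# Keep the last 7 days local so Tier-1 triage searches never wait on S3
hotlist_recency_secs = 604800

[network]
homePath = $SPLUNK_DB/network/db
coldPath = $SPLUNK_DB/network/colddb
thawedPath = $SPLUNK_DB/network/thaweddb
maxDataSize = auto_high_volume

[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
coldPath = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
# Authentication evidence for RBI audits and PCI DSS Req. 10: one year
frozenTimePeriodInSecs = 31536000
```

With SmartStore the coldPath is still required by Splunk but holds no data; the per-index frozenTimePeriodInSecs overrides the 180-day default set in [default].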
Tier 3: Analysis and Response
The search head cluster runs Splunk Enterprise Security, SOAR, and UBA. SOC analysts interact primarily with this tier: investigating notable events, running threat hunting queries, managing cases, and monitoring dashboards. SOAR playbooks execute automated response actions through API integrations with security tools.
SOC Staffing Models for Indian Enterprises
Staffing is the most challenging and expensive aspect of SOC operations. These are the three models we see in Indian enterprises:
Model 1: Full In-House SOC
Suitable for: large enterprises (5,000+ employees), banks, critical infrastructure operators.
- SOC Manager: Rs 25-40 LPA
- Tier-2/3 Analysts (2-3): Rs 12-20 LPA each
- Tier-1 Analysts (4-6 for 24x7): Rs 6-10 LPA each
- Splunk Administrator: Rs 15-25 LPA
- Threat Hunter (optional): Rs 18-30 LPA
- Total annual staffing: Rs 1.2-2.5 crore
Model 2: Hybrid SOC (In-House + Managed)
Suitable for: mid-enterprise (500-5,000 employees) with limited security headcount.
- In-house: SOC Lead + 1-2 Tier-2 analysts (business hours)
- Outsourced: 24x7 Tier-1 monitoring, after-hours coverage, and Splunk administration to a managed SOC provider (like Ogma)
- Total annual cost: Rs 60-90 lakhs (in-house staff + managed service contract)
Model 3: Fully Managed SOC
Suitable for: organisations that need SOC capabilities but cannot justify dedicated security staff.
- MSSP provides 24x7 monitoring, Splunk management, alert investigation, incident response, and compliance reporting
- Customer retains ownership of Splunk deployment and data
- Total annual cost: Rs 30-60 lakhs (depending on data volume and SLA requirements)
Compliance Alignment
For Indian regulated entities, the SOC must demonstrate compliance with multiple frameworks:
- RBI Cybersecurity Framework: Continuous monitoring, incident reporting, audit trails, SOC establishment
- SEBI CSCRF: Quarterly VAPT, cyber drills, remediation tracking, incident management
- CERT-In: 6-hour incident reporting, log retention, point of contact designation
- DPDPA 2023: Breach notification, reasonable security safeguards, data protection audit
- PCI DSS: Log monitoring (Req. 10), incident response (Req. 12), vulnerability management (Req. 5/6)
Splunk ES compliance dashboards, combined with SOAR-automated reporting workflows, provide the evidence generation and report production that these frameworks require.
Getting Started
Ogma provides end-to-end SOC design and deployment services using Splunk. Whether you are building a new SOC from scratch, migrating from a legacy SIEM, or augmenting your existing team with managed monitoring — we have the architecture expertise and Splunk certification to deliver.