LEGO, Raspberry Pi, and Splunk: Automating security, one block at a time

At the recent Splunk Gov Summit, we created a unique and engaging insider threat demonstration using a fully interactive LEGO office - complete with moving parts, lights, and real facial recognition and swipe card systems. The goal was to showcase how Splunk can integrate both cyber and physical security systems, even in creative environments like this.

While some of the setup was built on Raspberry Pi (including the facial recognition system using OpenCV), the core Splunk environment - along with Splunk SOAR - was hosted in the cloud. This combination allowed us to demonstrate that Splunk doesn’t have to rely solely on enterprise-level systems to deliver powerful insights.

Here’s how the demo worked: RFID swipe card logs were sent to Splunk, capturing details such as time, door, card ID, and the name on the card. Simultaneously, the facial recognition system would scan the person using the card. If the swipe and the face didn’t match, Splunk’s Enterprise Security would flag the event.

Once flagged, Splunk SOAR took action, automatically locking both the swipe card and the Active Directory account associated with it. The Raspberry Pi also lit up a red LED in our LEGO office to show that the account had been locked and security was on the way. This real-time response demonstrated how Splunk can automate threat detection and responses across both digital and physical security layers.
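The swipe-versus-face check described above can be sketched as a small correlation over two event streams. This is an added example, not code from the demo; the event field names, the sample records, and the 10-second pairing window are assumptions, and the "unverified" verdict for a swipe with no face scan is an addition beyond what the demo describes.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events; field names and values are assumptions, not the demo's schema.
SAMPLE_LOG = """\
{"source": "rfid", "time": "2024-01-01T09:00:00", "door": "lobby", "card_id": "C-1001", "name": "Alice Brick"}
{"source": "face", "time": "2024-01-01T09:00:02", "door": "lobby", "name": "Alice Brick"}
{"source": "rfid", "time": "2024-01-01T09:05:00", "door": "server-room", "card_id": "C-1002", "name": "Bob Stud"}
{"source": "face", "time": "2024-01-01T09:05:01", "door": "server-room", "name": "Alice Brick"}
{"source": "rfid", "time": "2024-01-01T09:10:00", "door": "lobby", "card_id": "C-1003", "name": "Carol Plate"}
{"source": "face", "time": "2024-01-01T09:12:00", "door": "lobby", "name": "Carol Plate"}
"""

WINDOW = timedelta(seconds=10)  # assumed max gap between a swipe and its face scan


def parse_events(text):
    """Parse JSON-lines events and convert the time field to datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["time"] = datetime.fromisoformat(event["time"])
            events.append(event)
    return events


def correlate(events, window=WINDOW):
    """Pair each swipe with the nearest face scan at the same door and classify it."""
    faces = [e for e in events if e["source"] == "face"]
    results = []
    for swipe in (e for e in events if e["source"] == "rfid"):
        nearby = [f for f in faces if f["door"] == swipe["door"]
                  and abs(f["time"] - swipe["time"]) <= window]
        if not nearby:
            verdict, seen = "unverified", None  # no face scan to compare against
        else:
            face = min(nearby, key=lambda f: abs(f["time"] - swipe["time"]))
            seen = face["name"]
            verdict = "match" if seen == swipe["name"] else "mismatch"
        results.append({"card_id": swipe["card_id"], "door": swipe["door"],
                        "card_name": swipe["name"], "face_name": seen, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in correlate(parse_events(SAMPLE_LOG)):
        print(r)
```

A "mismatch" result carries the card ID and door, which is the information an automated response such as the card and account lock described above would need.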

This demo illustrated that Splunk can work seamlessly with various systems, from small-scale Raspberry Pi setups to full cloud-hosted solutions, making it a flexible tool for any security operation.

Curious about how Splunk can be used to strengthen your organisation’s security? Reach out, and let’s discuss how we can make it happen for you!



Legal Disclaimer:

The information provided in this post regarding Splunk is based on Hyperion 3's own experiences and research. It reflects our opinions and is not officially endorsed by or affiliated with Splunk. This content is intended for informational purposes only and does not constitute official Splunk best practices or recommendations. For official guidance, please refer to Splunk’s documentation or consult with a Splunk representative.
