Trying to detect internal NMAP scans in SIEM homel...

joe2 · ‎02-06-2025

Hello,

I have set up a home lab with splunk. I have splunk enterprise on my admin Windows vm where i make all the changes, and a second Windows vm that is the "Victim". Then i have an attack machine that is kali linux. all machines are on the same network, i can ping each machine each way.

The idea is to simulate real world SOC experience. I have splunk forwarder installed on the victim machine. I am forwarding all windows logs (Sytem, security, application, and setup). I have ran multiple NMAP scans on the victim machine.

I have forward the logs to an Index called "wineventlog". and my machine is called "Victim".

I have used the splunk guide on detecting port scanning and it yields no results, i have also use security essentials "internal horizontal scan". and it gives an error.

Ive also checked and i am getting logs sent, i can see them in the index.

I have no idea why none of my searches are not working. I dont know where to begin, am i not getting the right data forwarded to splunk? am i not searching right? or have i missed a step?

Please note i have absolutely no experience with splunk. Im from an IT background so im not too useless but im absolutely lost when it comes to splunk.

Any helps or suggestions is much much much appreciated and needed. I am totally lost. Apologies if i have not provided enough information, can provide more if needed. Pictures included in post.

VatsalJagani

@joe2- I would like to clarify few points and I think you will get the idea on how you can do something like that:

Your query-1 is not working, because it seems you are using the old query, that macro from old query does not exist anymore it seems.
- The new query is based on firewall data.
- Here - https://research.splunk.com/network/1ff9eb9a-7d72-4993-a55e-59a839e607f1/
- But because this is dependent on firewall traffic data, it only works when you have firewall between those two machines. It could be traditional firewall or AWS firewall or anything.
For your query-2, again you are looking for source=firewall* data. And windows data contain contain that sourcetype that's why you are seeing no results.

Summary:

If you have the traffic monitoring device in-between those two machines, use the traffic logs to detect it.
- https://research.splunk.com/network/1ff9eb9a-7d72-4993-a55e-59a839e607f1/
- https://research.splunk.com/network/3141a041-4f57-4277-9faa-9305ca1f8e5b/
But you don't then the only option is to have something on the Windows Victim device that logs all traffic to the machine, and use that traffic logs to build the query.

I hope this helps!!! Kindly upvote if it does!!!

Trying to detect internal NMAP scans in SIEM homelab, not working.

configuration

installation

search

troubleshooting

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability