
Trying to detect internal NMAP scans in SIEM homelab, not working.

joe2
New Member

Hello,

I have set up a home lab with Splunk. I have Splunk Enterprise on my admin Windows VM, where I make all the changes, and a second Windows VM that is the "Victim". Then I have an attack machine that is Kali Linux. All machines are on the same network; I can ping each machine from every other one.

The idea is to simulate real-world SOC experience. I have the Splunk forwarder installed on the victim machine. I am forwarding all Windows logs (System, Security, Application, and Setup). I have run multiple NMAP scans against the victim machine.

I have forwarded the logs to an index called "wineventlog", and my machine is called "Victim".

I have used the Splunk guide on detecting port scanning and it yields no results. I have also used Security Essentials' "internal horizontal scan", and it gives an error.

I've also checked and I am getting logs sent; I can see them in the index.

I have no idea why none of my searches are working. I don't know where to begin: am I not getting the right data forwarded to Splunk? Am I not searching right? Or have I missed a step?

Please note I have absolutely no experience with Splunk. I'm from an IT background, so I'm not too useless, but I'm absolutely lost when it comes to Splunk.

Any help or suggestions are much, much appreciated and needed. I am totally lost. Apologies if I have not provided enough information; I can provide more if needed. Pictures included in post.



VatsalJagani
SplunkTrust

@joe2- I would like to clarify a few points, and I think you will get the idea of how you can do something like that:

  • Your query-1 is not working because it seems you are using the old query; the macro from that old query no longer exists.
  • For your query-2, you are looking for source=firewall* data, and Windows data does not contain that sourcetype, which is why you are seeing no results.

 

Summary:

 

I hope this helps!!! Kindly upvote if it does!!!

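The answer's point is that the search has to be aimed at data that actually contains per-connection records, and the four default Windows channels (System, Security, Application, Setup) do not produce those on their own: the Security log only writes a record per connection (Event ID 5156 "permitted", 5157 "blocked") when the "Filtering Platform Connection" audit subcategory is enabled on the victim, and Sysmon Event ID 3 is the other common source. Once such events reach the index, an Nmap scan is visible as one source address touching many distinct destination ports on one host within a short window. The example below is added by the editor and is not part of this thread or of any Splunk add-on; it implements that detection logic in Python over constructed event bodies laid out like 5156/5157 messages, with the corresponding SPL sketched in a comment. The event layout and the SPL field names are assumptions about how the data looks once parsed.

```python
import re
from collections import defaultdict

# Added example, not from the thread.  Enable the audit on the victim first
# (elevated prompt), otherwise no 5156/5157 events exist to search:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
#
# SPL equivalent of detect_port_scans() below (field names are assumptions):
#   index=wineventlog EventCode IN (5156, 5157) Direction=Inbound
#   | bin _time span=1m
#   | stats dc(dest_port) AS distinct_ports BY _time src_ip dest_ip
#   | where distinct_ports >= 15

_FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*)?$")


def parse_wfp_event(body):
    """Turn a 5156/5157 message body into a dict of its 'Name: value' fields.
    Section headers such as 'Network Information:' carry no value and are skipped."""
    fields = {}
    for line in body.splitlines():
        m = _FIELD.match(line)
        if m and m.group(2) is not None:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def detect_port_scans(events, window_s=60, min_ports=15):
    """Flag sources that hit >= min_ports distinct destination ports on one
    host inside a single window_s-second bucket.  events is an iterable of
    (epoch_seconds, EventCode, message_body).  Only inbound connections
    count; the victim's own outbound traffic must not look like a scan."""
    buckets = defaultdict(set)
    for ts, code, body in events:
        if code not in (5156, 5157):
            continue
        f = parse_wfp_event(body)
        if f.get("Direction") != "Inbound":
            continue
        key = (f["Source Address"], f["Destination Address"], ts - ts % window_s)
        buckets[key].add(int(f["Destination Port"]))
    hits = [
        {"src_ip": s, "dest_ip": d, "window_start": w, "distinct_ports": len(ports)}
        for (s, d, w), ports in buckets.items()
        if len(ports) >= min_ports
    ]
    hits.sort(key=lambda h: (-h["distinct_ports"], h["src_ip"]))
    return hits


def _wfp_message(direction, src, sport, dst, dport, permitted):
    """Constructed message body in the shape of Event ID 5156/5157."""
    verb = "permitted" if permitted else "blocked"
    return (f"The Windows Filtering Platform has {verb} a connection.\n\n"
            "Network Information:\n"
            f"\tDirection:\t\t{direction}\n"
            f"\tSource Address:\t\t{src}\n"
            f"\tSource Port:\t\t{sport}\n"
            f"\tDestination Address:\t{dst}\n"
            f"\tDestination Port:\t\t{dport}\n"
            "\tProtocol:\t\t6\n")


# Constructed sample data (values made up for this example).
SAMPLE_EVENTS = []
# Scanner at .103 probes ports 20..39 on the victim within ten seconds; most are blocked.
for i in range(20):
    SAMPLE_EVENTS.append((1700000000 + i // 2, 5156 if i % 3 == 0 else 5157,
                          _wfp_message("Inbound", "192.168.56.103", 40000 + i,
                                       "192.168.56.102", 20 + i, i % 3 == 0)))
# An admin host touching two ports, in different minute buckets: not a scan.
SAMPLE_EVENTS.append((1700000003, 5156, _wfp_message("Inbound", "192.168.56.101", 51000,
                                                      "192.168.56.102", 445, True)))
SAMPLE_EVENTS.append((1700000040, 5156, _wfp_message("Inbound", "192.168.56.101", 51001,
                                                      "192.168.56.102", 3389, True)))
# The victim's own outbound connections to many ports are ignored by the direction filter.
for p in range(443, 470):
    SAMPLE_EVENTS.append((1700000010, 5156, _wfp_message("Outbound", "192.168.56.102", 52000 + p,
                                                          "10.0.0.5", p, True)))

if __name__ == "__main__":
    for hit in detect_port_scans(SAMPLE_EVENTS):
        print(hit)
```

The threshold and window are the knobs to tune against your own baseline: a default `nmap` run hits a thousand ports in seconds, so 15 distinct ports per minute per source/destination pair catches it while a workstation talking to a file server on two or three ports does not.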