
Trying to detect internal NMAP scans in SIEM homelab, not working.

joe2
New Member

Hello,

I have set up a home lab with Splunk. I have Splunk Enterprise on my admin Windows VM where I make all the changes, and a second Windows VM that is the "Victim". Then I have an attack machine that is Kali Linux. All machines are on the same network; I can ping each machine each way.

The idea is to simulate real-world SOC experience. I have the Splunk forwarder installed on the victim machine. I am forwarding all Windows logs (System, Security, Application, and Setup). I have run multiple NMAP scans on the victim machine.

I have forwarded the logs to an index called "wineventlog", and my machine is called "Victim".

I have used the Splunk guide on detecting port scanning and it yields no results. I have also used Security Essentials "internal horizontal scan", and it gives an error.

I've also checked and I am getting logs sent; I can see them in the index.

I have no idea why none of my searches are working. I don't know where to begin. Am I not getting the right data forwarded to Splunk? Am I not searching right? Or have I missed a step?

Please note I have absolutely no experience with Splunk. I'm from an IT background so I'm not too useless, but I'm absolutely lost when it comes to Splunk.

Any help or suggestions are much, much appreciated and needed. I am totally lost. Apologies if I have not provided enough information; I can provide more if needed. Pictures included in post.

 

 

0 Karma

VatsalJagani
SplunkTrust

@joe2 - I would like to clarify a few points, and I think you will get the idea of how you can do something like that:

  • Your query-1 is not working because it seems you are using the old query; the macro from the old query does not exist anymore, it seems.
  • For your query-2, again you are looking for source=firewall* data, and Windows data doesn't contain that sourcetype; that's why you are seeing no results.

 

Summary:

 

I hope this helps!!! Kindly upvote if it does!!!

0 Karma
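The reason both searches come back empty is that they expect network-connection data, and the four channels being forwarded (System, Security, Application, Setup) do not carry per-connection records by default. The following search is an added example written for this thread; it is not from the original posts, from the Splunk port-scanning guide, or from Security Essentials. It relies on Windows Filtering Platform connection auditing, which writes Security Event ID 5156 (connection permitted) and 5157 (connection blocked by the firewall) once the "Audit Filtering Platform Connection" subcategory is enabled on the victim (for example with `auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable`). The index `wineventlog` and host `Victim` come from the question; the field names `Source_Address`, `Destination_Address`, `Destination_Port` and `Direction` are assumed to be what the Splunk Add-on for Windows extracts from these events, so check them in the field sidebar on a sample 5156/5157 event and adjust if they differ.

```spl
index=wineventlog host=Victim EventCode IN (5156, 5157) Direction=Inbound
| bin _time span=1m
| stats dc(Destination_Port) AS ports_hit values(Destination_Port) AS ports count AS events BY _time Source_Address Destination_Address
| where ports_hit > 20
| sort - ports_hit
```

The search buckets inbound connection events into one-minute windows, counts how many distinct destination ports each source address touched on the victim in that window, and keeps only sources that hit more than 20 ports, which a default nmap scan (1000 ports) exceeds by a wide margin; tune the threshold and window to the lab. Closed ports show up as 5157 blocks when the Windows firewall is on, so both event codes are needed to see the full scan. Note that 5156 in particular is very high-volume on a busy host, so scope it to the lab hosts as above before leaving it running. A horizontal-scan variant would swap `dc(Destination_Port)` for `dc(Destination_Address)`, but with a single forwarded victim there is only one destination to count, so the vertical form is the one that will fire in this setup.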