What is the best way to simulate Attacks in Splunk?


Hi All,

I would like to know what is the best way to simulate attacks within my organisation. 

I cannot use VirtualBox due to a licensing issue, but I do have VMware.

All the tutorials online show how to use the attack range on VirtualBox but not on VMware.

Any help is much appreciated as this is vital to test our detections.

Thanks all



This is complicated. You must understand what your detections are looking for. After you understand, look for the corresponding CVE or TTP to compare with the detection, and use an isolated lab environment to monitor and test the detection. This can be dangerous because the CVE or TTP may be real.



Thank you for your comment.

I fully understand the detection I am trying to test, as it is based off the MITRE ATT&CK TTPs.

I will be using Atomic Red to choose which TTPs I will be testing, and the attack_range from GitHub.

I can then forward the logs to our own Splunk instance to view them. The issue we have is with the licenses.

Do I need a VirtualBox commercial license to run these tests, as it will be used in a commercial environment? I am presuming yes, as it seems obvious, but I am not 100% sure. If this is the case, what is the best alternative solution?





Thank you for your response.

So by simulating attacks I mean testing my detections, i.e. testing the SPL rules I have in Splunk to detect anomalies in the logs.

What I have been looking at so far is the Splunk attack_range from GitHub, along with Atomic Red, to test certain MITRE ATT&CK TTPs.

It will have to be a test environment that is totally on prem, as we don't have cloud access.

The tutorials I am referring to are the ones I have seen on YouTube where you install VirtualBox on Ubuntu and then test labs are automatically set up and destroyed for each TTP you are testing.

Yes, I thought it would be easy enough to change from VirtualBox to VMware, but I can't find one video.

I do have a vSphere where this can be run from, as multiple people from our team need to have access to this lab.

Please let me know what you would suggest as the best way to set this up.




Can you elaborate on what you mean by "simulate attacks"?

And what are those tutorials which you are referring to?

Usually it's quite easy/doable to change VirtualBox to VMware or something else which offers the same capabilities.

r. Ismo
