In this guide, we’ll dive into building a Security Information and Event Management (SIEM) setup with Splunk in a home lab environment—a valuable hands-on experience for anyone looking to sharpen their cybersecurity skills. Picture this: catching potential threats, analysing log data in real time, and observing simulated attacks as they unfold. By the end of this walkthrough, you’ll have a fully functioning SIEM lab that forwards logs from two Windows hosts to a centralized Splunk server for analysis and monitoring. For detailed logging on each Windows machine, we’ll use Sysmon, with the Splunk Universal Forwarder handling log forwarding to the Splunk server. To see our detection capabilities in action, we’ll simulate attack scenarios using Atomic Red Team and also employ a Kali Linux machine to perform a brute-force attempt on a domain user account, testing our ability to catch unauthorised access attempts. This setup allows us to capture and analyse a variety of real-world attack patterns, all monitored through Splunk.

While these two Windows machines act as a domain controller and a domain user, we’ll keep the focus on the SIEM setup and won’t cover the Active Directory setup for now. Ready to get started? Let’s jump into the setup and bring your security lab to life.

Diagram 1


Installing Ubuntu Server 24.04.01 LTS on Hyper-V

To kick off our SIEM setup, we’ll start by creating a virtual Ubuntu Server 24.04.01 LTS on Hyper-V. This will be the core machine running Splunk, where all our logs will be collected, stored, and analyzed. If you've worked with Hyper-V before, these steps should feel familiar, but we'll go through each in a clear, straightforward way to make sure no detail is missed.

  1. Open Hyper-V Manager on your host machine. From the Actions panel, select New > Virtual Machine to launch the New Virtual Machine Wizard.

Hyper-V Manager is Microsoft's primary administrative tool for creating and managing virtual machines, providing a graphical interface to control virtualization settings and resources on Windows systems.

  2. Name Your VM – Give it a clear, descriptive name, like "Splunk-Server". Choose a location for saving the VM files if you want to keep things organized.

Naming your VM assigns it a unique, identifiable label that distinguishes it from your other VMs and indicates its purpose.

  3. Choose Generation – Select Generation 1 to ensure broad compatibility with Ubuntu Server.

In Hyper-V, the generation is the virtual hardware version of the machine. It determines which firmware, devices and guest operating systems the VM supports, and it cannot be changed after the VM is created.

  4. Assign Memory – Set at least 2GB of memory (2048 MB), but if your machine allows, consider allocating more for smoother operation.

Assigning memory allocates a fixed amount of RAM to the virtual machine, which determines how much working memory the guest operating system and Splunk will have available.
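The same four wizard steps can be scripted with Microsoft's Hyper-V PowerShell module, which is handy when you rebuild the lab. The script below is an added example, not part of the original guide: the VM name, generation and memory come from the steps above, while the storage path and the virtual disk size are assumptions (disk, network and installation media are later wizard pages not covered by these steps).

```powershell
# Added example: the New Virtual Machine Wizard steps above, as Hyper-V PowerShell.
# Requires the Hyper-V PowerShell module and an elevated (Administrator) session.
# The VM path and the disk size are assumptions, not values from the guide.
$vmName  = 'Splunk-Server'                     # step 2: descriptive name
$vmPath  = 'D:\Hyper-V'                        # assumed location for the VM files
$memory  = 2GB                                 # step 4: 2048 MB minimum
$vhdPath = Join-Path $vmPath "$vmName\$vmName.vhdx"
$vhdSize = 60GB                                # assumed size; disk sizing is a later wizard page

# Hyper-V allows duplicate VM names, so refuse to create a second 'Splunk-Server'
# rather than ending up with two VMs that are hard to tell apart later.
if (Get-VM -Name $vmName -ErrorAction SilentlyContinue) {
    throw "A VM named '$vmName' already exists."
}

# Step 3: Generation 1 (BIOS firmware), as the guide selects.
New-VM -Name $vmName `
       -Generation 1 `
       -MemoryStartupBytes $memory `
       -Path $vmPath `
       -NewVHDPath $vhdPath `
       -NewVHDSizeBytes $vhdSize | Out-Null

# Keep memory fixed at 2 GB; raise StartupBytes (or enable dynamic memory) if the host has headroom.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $false -StartupBytes $memory

# Verify the result matches the wizard choices before moving on to the OS install.
Get-VM -Name $vmName |
    Select-Object Name, Generation, State, @{ n = 'MemoryMB'; e = { $_.MemoryStartup / 1MB } }
```

Run it from an elevated PowerShell prompt on the Hyper-V host. The VM is left switched off and without a virtual switch or ISO attached, so the remaining wizard pages (network, installation media) still have to be completed, either in Hyper-V Manager or with the corresponding Connect-VMNetworkAdapter and Set-VMDvdDrive cmdlets.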