Homelab Learning: Building a Security Operations Center with Splunk

Evyn Hedgpeth
Jul 10, 2023


Hi, all. This is the sixth part in an ongoing series walking through the steps required to build my isolated homelab with a corporate environment, attack network, security operations center, and remote access VPN.

For greater context, take a look at my previous posts:

  1. Homelab Learning: General Overview
  2. Homelab Learning: Configuring Proxmox VE
  3. Homelab Learning: Configuring pfSense
  4. Homelab Learning: Building a Corporate Environment
  5. Homelab Learning: Building a Kali Attack Network

Let’s get started on this installment!

We’ll be working on this subnet today.

After performing various attacks on the corporate environment, it is important to review and analyze logs from the exploited network to determine whether any of my red team techniques are observable. With that knowledge, I can implement compensating firewall controls or deploy an Intrusion Prevention System (IPS) to block the attacks. To collect these logs, I installed Splunk Enterprise in an Ubuntu VM on my SOC network. Splunk Enterprise plays the indexer and search head role here: it receives data from forwarders, indexes it, and lets me search and analyze it efficiently.

After spinning up an Ubuntu VM, I downloaded Splunk Enterprise, installed it, and configured it to receive data from forwarders (conventionally on TCP port 9997). I’ve attached a link in the references below showing how to do this.

Once the Splunk receiver was set up, I installed a universal forwarder on the systems I want to collect logs from. In my case, because I am collecting logs from an Active Directory domain, I only needed to install the universal forwarder on my Windows Server 2019 VM, the domain controller. Its Security log captures domain authentication (Kerberos and NTLM logons, account and group changes), which is where most of my red team activity against the domain shows up; events that stay local to a workstation, such as process creation or logons with local accounts, would only become visible with forwarders on those hosts as well. I’ve attached a tutorial on how to set this up in the references below.
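As an added example that is not part of the original post, the script below wires the two halves together: it opens the receiving port and creates an index on the Ubuntu Splunk Enterprise VM, generates the `inputs.conf` and `outputs.conf` the universal forwarder on the domain controller needs, and runs two searches to confirm data is arriving and to look for a first red team technique (password spraying from the Kali network) in the forwarded Security log. The indexer address 10.0.30.10, the port 9997, the index name `wineventlog` and the `/opt/splunk` install path are assumptions for illustration; none of them appear in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): connect the SOC Splunk Enterprise
# receiver to the universal forwarder on the Windows Server 2019 DC.
# Assumed values: Splunk under /opt/splunk, the Ubuntu VM at 10.0.30.10 on the
# SOC subnet, receiving on TCP 9997, Windows logs landing in an index named
# "wineventlog". Override them with environment variables for your lab.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
INDEXER_IP="${INDEXER_IP:-10.0.30.10}"
RECV_PORT="${RECV_PORT:-9997}"
INDEX_NAME="${INDEX_NAME:-wineventlog}"

# Indexer side (run on the Ubuntu VM). Creates the index and opens the
# receiving port; the splunk CLI prompts for the admin credentials.
configure_indexer() {
    "$SPLUNK_HOME/bin/splunk" add index "$INDEX_NAME"
    "$SPLUNK_HOME/bin/splunk" enable listen "$RECV_PORT"
}

# Forwarder side. Writes the two .conf files the universal forwarder reads.
# Copy them to %ProgramFiles%\SplunkUniversalForwarder\etc\system\local on the
# DC and restart the SplunkForwarder service. $1 is the output directory.
write_forwarder_conf() {
    local dir="$1"
    mkdir -p "$dir"
    cat > "$dir/outputs.conf" <<EOF
[tcpout]
defaultGroup = soc_indexer

[tcpout:soc_indexer]
server = ${INDEXER_IP}:${RECV_PORT}
EOF
    cat > "$dir/inputs.conf" <<EOF
# Security holds logons (4624/4625), Kerberos (4768/4769/4771) and account
# changes (4720/4728); System holds service installs (7045).
[WinEventLog://Security]
disabled = 0
index = ${INDEX_NAME}

[WinEventLog://System]
disabled = 0
index = ${INDEX_NAME}

[WinEventLog://Application]
disabled = 0
index = ${INDEX_NAME}
EOF
}

# Health check and first detection (run on the Ubuntu VM). The first search
# lists forwarders that have connected to the receiving port; the second flags
# password spraying: many failed logons (4625) from one source address against
# many accounts. Account_Name on a 4625 is multivalued (subject and target), so
# dc() slightly overcounts; it is still a usable signal.
check_pipeline() {
    "$SPLUNK_HOME/bin/splunk" search \
        'index=_internal sourcetype=splunkd group=tcpin_connections | stats latest(_time) AS last_seen BY hostname' \
        -maxout 20
    "$SPLUNK_HOME/bin/splunk" search \
        "index=${INDEX_NAME} EventCode=4625 | stats count AS failures dc(Account_Name) AS accounts BY Source_Network_Address | where failures > 20" \
        -maxout 20
}

# Usage: source this file, then call configure_indexer on the Ubuntu VM,
# write_forwarder_conf ./uf_local to generate the DC's files, and
# check_pipeline once the forwarder has restarted.
```

The `[tcpout]` stanza is the only thing the forwarder needs to find the indexer, and the `[WinEventLog://...]` stanzas are what make the DC's logs leave the box; if `check_pipeline` shows the DC's hostname in the first search but the second search returns nothing during a spray from Kali, the forwarder is connected but the Security input is not enabled or the index name does not match.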

In an actual enterprise environment, this would be a bit light, and I have seen others go for a Security Onion install, which bundles network monitoring (Suricata and Zeek) with a SIEM, for more comprehensive coverage. Due to hardware limitations, I had to keep this network simple (KISS!) for now. Again, it is important to emphasize that we are building the foundation of a cybersecurity homelab. Over time, your lab will grow along with your knowledge and expertise.

In the next installment in this series, we’ll have a brief rundown of my setup for an optional Python development subnet.

References:
