PT1.10 Secondary SIEM — Splunk Free

4-8 hours · Module 1 · Free
What you already know

You may or may not have used Splunk before. If you have, this sub gets you through the install quickly. If Splunk is new, every step is shown. If you'd prefer Elastic as your secondary SIEM, skip this sub and go to PT1.11 instead — you only need one.

Operational Objective
The course shows detection queries in three SIEM platforms: Sentinel KQL, Defender XDR KQL, and your secondary SIEM (Splunk SPL or Elastic KQL). This sub installs Splunk Free on the Linux VM, installs the Universal Forwarder on the Windows endpoint, configures it to send Sysmon and Security events, and verifies events arrive in Splunk. By the end, you'll have three SIEMs receiving endpoint telemetry from the same source.
Deliverable: A working Splunk Free instance receiving Sysmon and Security events from the Windows endpoint.
Estimated completion: 45–60 minutes

Step 1: Download Splunk Enterprise (Free licence)

A fresh Splunk Enterprise install runs on a 60-day Enterprise trial licence that allows 500 MB/day of ingestion. When the trial expires, switch the instance to the Free licence group (Settings > Licensing): the 500 MB/day limit stays, which is more than enough for lab use, but Free mode disables user authentication (Splunk Web stops asking for a password, so never expose port 8000 beyond the lab network) and scheduled alerting.

  1. Go to splunk.com/en_us/download/splunk-enterprise.html
  2. You'll need to create a free Splunk account if you don't have one
  3. After signing in, select the Linux .deb package
  4. Copy the wget command provided (it includes an authentication token)

On PT-LINUX01:

# Download Splunk (paste the wget command from the download page)
# Example (your URL and token will differ):
wget -O /tmp/splunk.deb "https://download.splunk.com/products/splunk/releases/9.3.1/linux/splunk-9.3.1-amd64.deb"

# Verify the download
ls -lh /tmp/splunk.deb
# Should be approximately 500–600 MB

If wget fails (wrong URL, expired token), go back to the download page and copy the command again — the token is temporary.

Step 2: Install Splunk

# Install the .deb package
sudo dpkg -i /tmp/splunk.deb

# Start Splunk for the first time: accept the licence and set the admin password
sudo /opt/splunk/bin/splunk start --accept-license --answer-yes \
    --seed-passwd "SplunkLab2026!"

Expected output (abbreviated):

Splunk> All batted up.

Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking appserver port [8000]: open
        ...
The Splunk web interface is at http://pt-linux01:8000

That first start ran as root, so everything under /opt/splunk is now root-owned. If Splunk is to run as labadmin at boot, hand the tree to that user before registering the boot-start service; otherwise the boot-time start fails because splunkd cannot write its own logs and indexes:

# Stop Splunk, give /opt/splunk to labadmin, register boot-start as labadmin, start again as that user
sudo /opt/splunk/bin/splunk stop
sudo chown -R labadmin:labadmin /opt/splunk
sudo /opt/splunk/bin/splunk enable boot-start -user labadmin
sudo -u labadmin /opt/splunk/bin/splunk start

Verification: open a browser on your host machine and navigate to http://10.0.0.20:8000. Log in with admin / SplunkLab2026!. You should see the Splunk home page.

Troubleshooting:

  • Can't reach port 8000 — check the Linux VM's firewall: sudo ufw status. If UFW is active, allow Splunk Web now and, while you are there, the forwarder receiving port you enable in Step 3: sudo ufw allow 8000/tcp and sudo ufw allow 9997/tcp
  • "Splunk is not running" — start it: sudo /opt/splunk/bin/splunk start
  • Low memory warnings — Splunk recommends 4 GB RAM but runs on 2 GB for lab use. If you see performance issues, close other VMs while running Splunk.

Step 3: Enable a receiving port

The Universal Forwarder on the Windows endpoint sends data to Splunk over TCP using Splunk's own forwarder-to-indexer protocol; 9997 is the conventional port. Enable a receiving port:

sudo /opt/splunk/bin/splunk enable listen 9997 -auth admin:SplunkLab2026!
Listening for Splunk data on TCP port 9997.

Verify:

sudo /opt/splunk/bin/splunk display listen -auth admin:SplunkLab2026!
Listening for data on TCP port 9997.

Two caveats:

  • If UFW is active on the VM, open this port as well (sudo ufw allow 9997/tcp); otherwise the forwarder's connection attempts are dropped and nothing arrives, with no error on the Splunk side.
  • This input is cleartext by default. That is acceptable on the isolated lab network, but a production receiver should use the TLS-enabled variant (a splunktcp-ssl stanza in inputs.conf) so endpoint telemetry cannot be read or spoofed in transit.

Step 4: Install the Universal Forwarder on the Windows endpoint

The Universal Forwarder (UF) is a lightweight agent that reads Windows event logs and sends them to Splunk.

On PT-WIN-ENDPOINT:

  1. Download the Universal Forwarder from splunk.com/en_us/download/universal-forwarder.html
  2. Select the Windows 64-bit MSI
  3. Save the MSI to C:\Tools\

Install via PowerShell:

# Install the Universal Forwarder silently from an elevated PowerShell prompt
# (adjust the MSI filename to the one you actually downloaded).
# RECEIVING_INDEXER tells it where to send data.
# SPLUNKUSERNAME / SPLUNKPASSWORD set the forwarder's own local admin account (for its
# management port), not the indexer's admin; "changeme" just meets Splunk's 8-character
# minimum and is a lab-only value.
# The service installs as Local System by default, which is what lets it read the Security log.
Start-Process msiexec.exe -ArgumentList @(
    "/i", "C:\Tools\splunkforwarder-9.3.1-x64.msi",
    "RECEIVING_INDEXER=10.0.0.20:9997",
    "AGREETOLICENSE=yes",
    "SPLUNKUSERNAME=admin",
    "SPLUNKPASSWORD=changeme",
    "/quiet"
) -Wait

# Verify the service is installed and running
Get-Service SplunkForwarder | Select-Object Status, Name, StartType
Status  Name              StartType
------  ----              ---------
Running SplunkForwarder   Automatic

Troubleshooting:

  • Service not found — the MSI may not have installed. Check C:\Program Files\SplunkUniversalForwarder\ exists. If not, run the MSI installer manually (double-click) and follow the GUI wizard.
  • Service stopped — start it: Start-Service SplunkForwarder

Step 5: Configure inputs — Sysmon and Security logs

Tell the forwarder which event logs to send. On a Universal Forwarder the inputs live in inputs.conf: the stanza name is the channel, and renderXml chooses between the XML rendering (used for Sysmon, the form the Sysmon add-ons expect) and the classic text rendering (used for Security, whose rendered Message text Splunk extracts into fields such as Account_Name and Logon_Type). Splunk's CLI add monitor command is for files and directories, not Windows event log channels, so the configuration is written directly.

From an elevated PowerShell prompt:

# Write both stanzas to the forwarder's local config.
# etc\system\local has the highest precedence, so these override anything the MSI
# wizard may have created under etc\apps\SplunkUniversalForwarder\local.
$inputs = "C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf"

@"
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
renderXml = true
index = main
sourcetype = XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

[WinEventLog://Security]
disabled = 0
renderXml = false
index = main
sourcetype = WinEventLog:Security
"@ | Add-Content -Path $inputs -Encoding ascii

# Restart the forwarder to load the new inputs
Restart-Service SplunkForwarder

# Confirm the stanzas are in the merged config the forwarder actually uses, and which file each came from
& "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" btool inputs list --debug | Select-String "WinEventLog"

No -auth is needed here: you are editing a file the service reads at start-up, not calling the forwarder's management port. If btool shows a second copy of a stanza coming from etc\apps\SplunkUniversalForwarder\local\inputs.conf, the MSI wizard had already enabled that log; the etc\system\local copy wins, so the duplicate is harmless. Proceed to verification.

Step 6: Verify events arrive in Splunk

Wait 2–3 minutes for events to start flowing. Open Splunk web (http://10.0.0.20:8000) and go to Search & Reporting.

Run this search:

index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| head 10
| table _time, Computer, EventCode, Message

You should see Sysmon events from PT-WIN-ENDPOINT. If rows come back but the Computer, EventCode and Message columns are empty, delivery works and field extraction does not: the XML rendering carries no rendered Message text, and names such as EventCode, Computer and TargetImage only exist once a Sysmon add-on (for example the Splunk Add-on for Sysmon from Splunkbase) is installed on the Splunk instance and the sourcetype it expects matches the one set on the forwarder. Confirm raw delivery with | table _time, host, _raw and sort out the add-on before Step 7, whose query depends on those fields. If the search returns no results at all:

  1. Check the forwarder is running: Get-Service SplunkForwarder on the endpoint
  2. Check network connectivity: Test-NetConnection 10.0.0.20 -Port 9997 on the endpoint — should return TcpTestSucceeded: True
  3. Check the receiving port: on the Linux VM, sudo /opt/splunk/bin/splunk display listen should show port 9997
  4. Check forwarder logs: Get-Content "C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log" -Tail 20 — look for connection errors
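The four checks above, folded into one script you run on PT-WIN-ENDPOINT from an elevated PowerShell prompt. This is an added example, not part of the course page: it assumes the default forwarder install path, the indexer at 10.0.0.20:9997, the two WinEventLog stanzas from Step 5, and that a successful connection shows up in splunkd.log as a TcpOutputProc line containing "Connected to idx=" (the pattern current forwarders log; treat it as an assumption if your version differs). It also adds a check the list above lacks: that the source channels actually contain events, since an empty channel looks identical to a broken pipeline from the Splunk side.

```powershell
# Added example (not course code): end-to-end forwarder health check for PT-WIN-ENDPOINT.
# Assumptions: default UF path, indexer 10.0.0.20:9997, Step 5 stanzas, "Connected to idx=" log text.

$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$Indexer    = '10.0.0.20'
$Port       = 9997
$Inputs     = @('WinEventLog://Microsoft-Windows-Sysmon/Operational', 'WinEventLog://Security')

$results = [ordered]@{}

# 1. Is the service up?
$svc = Get-Service -Name SplunkForwarder -ErrorAction SilentlyContinue
$results['SplunkForwarder service running'] = [bool]($svc -and $svc.Status -eq 'Running')

# 2. Can the endpoint reach the receiving port? (rules out UFW / VM network problems)
$tnc = Test-NetConnection -ComputerName $Indexer -Port $Port -WarningAction SilentlyContinue
$results["TCP ${Indexer}:${Port} reachable"] = [bool]$tnc.TcpTestSucceeded

# 3. Are both inputs present in the merged config the forwarder actually loads?
$btool = & "$SplunkHome\bin\splunk.exe" btool inputs list 2>$null
foreach ($stanza in $Inputs) {
    $results["Input [$stanza] configured"] = ($btool -contains "[$stanza]")
}

# 4. Do the source channels exist and hold events? Nothing to forward looks like nothing forwarded.
foreach ($channel in 'Microsoft-Windows-Sysmon/Operational', 'Security') {
    $cfg = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    $results["Channel $channel exists and has events"] = [bool]($cfg -and $cfg.RecordCount -gt 0)
}

# 5. What does the forwarder itself say? TcpOutputProc is the component that talks to the indexer.
$outputLines = Get-Content "$SplunkHome\var\log\splunk\splunkd.log" -Tail 500 -ErrorAction SilentlyContinue |
               Select-String -Pattern 'TcpOutputProc' | Select-Object -Last 5
$results['Forwarder logged a connection to the indexer'] =
    [bool]($outputLines | Where-Object { $_.Line -match 'Connected to idx=' })

# Report: one PASS/FAIL per check, then the raw TcpOutputProc lines for context
foreach ($entry in $results.GetEnumerator()) {
    $status = if ($entry.Value) { 'PASS' } else { 'FAIL' }
    '{0} {1}' -f $status, $entry.Key
}
''
'Last TcpOutputProc lines:'
$outputLines | ForEach-Object { $_.Line }
```

Read the FAIL lines top to bottom: a service or TCP failure explains everything below it, a missing stanza means Step 5 did not take effect, and an empty channel means the endpoint has simply not generated that kind of event yet (log on or start a process and re-run).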

Now verify Security events:

index=main sourcetype="WinEventLog:Security" EventCode=4624
| head 5
| table _time, Computer, Account_Name, Logon_Type

Step 7: Run a detection query

Here's the SPL equivalent of the LSASS access detection from PT0.1. It relies on the TargetImage, SourceImage and GrantedAccess fields, which exist only once a Sysmon add-on is installed (see Step 6):

index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    EventCode=10 TargetImage="*\\lsass.exe"
| where NOT match(SourceImage, "(?i)^C:\\\\Windows\\\\System32\\\\")
| where NOT match(SourceImage, "(?i)^C:\\\\Program Files\\\\Windows Defender\\\\")
| table _time, Computer, SourceImage, TargetImage, GrantedAccess, SourceUser
| sort - _time

Two details worth knowing before you trust it. First, the doubled backslashes are SPL string escaping: each \\\\ typed in the search bar reaches the regex engine as \\, one literal backslash, and the (?i) is there because match() is case-sensitive. Second, both exclusions are directory prefixes, so anything launched from under C:\Windows\System32\ never appears, including a dumping tool dropped into a user-writable subdirectory there. When you tune this in Module 7, prefer excluding exact image paths you have baselined, and look at GrantedAccess: masks that include 0x10 (PROCESS_VM_READ) are what credential-dumping tools need, and 0x1010, 0x1410 and 0x1FFFFF are the classic values.

This query runs against the same Sysmon events that Sentinel queries via KQL. Same telemetry source, different query language, same detection logic. When you fire credential dumping techniques in Module 7, you'll check this query alongside the KQL versions.
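To see what the exclusions above actually keep and drop, here is the same logic re-implemented in PowerShell and run over four constructed Sysmon Event ID 10 records. This is an added example, not code from the course: the hosts, users and paths in the sample XML are made up, the field names follow Sysmon's EventData so they line up with the SPL, and Test-StrictRule (exact-path allow-list plus an access-mask test) is an editorial comparison, not something the course prescribes.

```powershell
# Added example (not course code): the Step 7 SPL logic over constructed Sysmon ProcessAccess records.

# Constructed Sysmon Event ID 10 records, trimmed to the fields the rule reads.
$SampleEvents = @(
    '<Event><System><EventID>10</EventID><Computer>PT-WIN-ENDPOINT</Computer></System><EventData><Data Name="SourceImage">C:\Users\labuser\Downloads\procdump64.exe</Data><Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data><Data Name="GrantedAccess">0x1FFFFF</Data><Data Name="SourceUser">PT-WIN-ENDPOINT\labuser</Data></EventData></Event>',
    '<Event><System><EventID>10</EventID><Computer>PT-WIN-ENDPOINT</Computer></System><EventData><Data Name="SourceImage">C:\Program Files\Windows Defender\MsMpEng.exe</Data><Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data><Data Name="GrantedAccess">0x1000</Data><Data Name="SourceUser">NT AUTHORITY\SYSTEM</Data></EventData></Event>',
    '<Event><System><EventID>10</EventID><Computer>PT-WIN-ENDPOINT</Computer></System><EventData><Data Name="SourceImage">C:\Windows\System32\csrss.exe</Data><Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data><Data Name="GrantedAccess">0x1FFFFF</Data><Data Name="SourceUser">NT AUTHORITY\SYSTEM</Data></EventData></Event>',
    '<Event><System><EventID>10</EventID><Computer>PT-WIN-ENDPOINT</Computer></System><EventData><Data Name="SourceImage">C:\Windows\System32\spool\drivers\color\dump.exe</Data><Data Name="TargetImage">C:\Windows\system32\lsass.exe</Data><Data Name="GrantedAccess">0x1010</Data><Data Name="SourceUser">PT-WIN-ENDPOINT\labuser</Data></EventData></Event>'
)

function ConvertFrom-SysmonEvent {
    # Flatten one Sysmon XML record into an object whose property names match the SPL field names.
    param([string]$Xml)
    $doc = [xml]$Xml
    $fields = [ordered]@{
        EventCode = [int]$doc.Event.System.EventID
        Computer  = $doc.Event.System.Computer
    }
    foreach ($d in $doc.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$fields
}

function Test-PageRule {
    # The Step 7 SPL, clause for clause. PowerShell's -notmatch is case-insensitive already,
    # which is the behaviour (?i) gives you in SPL.
    param($e)
    $e.EventCode -eq 10 -and
    $e.TargetImage -like '*\lsass.exe' -and
    $e.SourceImage -notmatch '^C:\\Windows\\System32\\' -and
    $e.SourceImage -notmatch '^C:\\Program Files\\Windows Defender\\'
}

# Editorial variant: exact image allow-list (constructed baseline, tune to your own environment)
# plus an access-mask test. PROCESS_VM_READ is 0x10; without it a handle cannot read lsass memory.
$KnownLsassReaders = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Program Files\Windows Defender\MsMpEng.exe'
)
function Test-StrictRule {
    param($e)
    $access = [int]$e.GrantedAccess      # Sysmon writes the mask as hex text, e.g. 0x1010
    $e.EventCode -eq 10 -and
    $e.TargetImage -like '*\lsass.exe' -and
    ($access -band 0x10) -ne 0 -and
    $KnownLsassReaders -notcontains $e.SourceImage
}

$events = $SampleEvents | ForEach-Object { ConvertFrom-SysmonEvent $_ }
$events |
    Select-Object SourceImage, GrantedAccess,
        @{ n = 'PageRule';   e = { Test-PageRule $_ } },
        @{ n = 'StrictRule'; e = { Test-StrictRule $_ } } |
    Format-Table -AutoSize
```

The first record (procdump from Downloads, full access) fires under both rules, and the Defender engine and csrss.exe are dropped by both, as they should be. The fourth record is the point: a tool dropped into C:\Windows\System32\spool\drivers\color\ (a directory standard users can write to) opening lsass with 0x1010 is invisible to the page rule because of the System32 prefix exclusion, and is caught by the exact-path allow-list. Note that Test-StrictRule also drops MsMpEng's 0x1000 handle on the access mask alone, before the allow-list is consulted.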

Verification checklist

☐ Splunk Enterprise installed on PT-LINUX01
☐ Splunk web accessible at http://10.0.0.20:8000
☐ Receiving port 9997 enabled
☐ Universal Forwarder installed on PT-WIN-ENDPOINT
☐ SplunkForwarder service running on endpoint
☐ Sysmon events configured as forwarder input
☐ Security events configured as forwarder input
☐ Endpoint can reach Linux VM on port 9997
☐ Sysmon events visible in Splunk search
☐ Security events visible in Splunk search
☐ SPL detection query (LSASS access) runs without error
Next
PT1.11 — Secondary SIEM: Elastic. If you chose Splunk, skip to PT1.12. If you chose Elastic, this sub installs the Elastic Stack and configures Winlogbeat for Sysmon ingestion.

You've built the lab and understand the validation gap.

Module 0 showed you why detection rules fail silently — vendor schema changes, attacker tool evolution, environment divergence, tuning drift. Module 1 gave you a working four-environment, three-SIEM purple-team lab. From here, you walk the kill chain technique by technique.

  • 61 ATT&CK techniques across 12 tactic modules — Initial Access through Impact, each walked end-to-end with attack commands, annotated telemetry, and multi-SIEM detection rules
  • Every detection in four formats — Sigma rule (canonical), Sentinel KQL, Defender XDR Advanced Hunting KQL, and Splunk SPL or Elastic. Tabbed side-by-side in every technique sub
  • Module 14 Capstone — CHAIN-HARVEST — full purple-team exercise on an AiTM credential-phishing chain. Multi-stage attack, detection results across all three SIEMs, coverage gaps, tuning recommendations
  • Programme template — coverage matrix, MTTD per technique, FP rates, detection quality scores, remediation backlog. Populated as you work, presentable to leadership by Module 14
  • Public Sigma rule repo — every detection rule in a GitHub repository. Alumni contribute via PR. The artefacts outlive the course