Splunk Detection Engineering Labs

What you need before starting

The lab environment runs four virtual machines on your local machine. Make sure you have everything below installed and enough resources available.

📦

VirtualBox 7.0+

virtualbox.org/wiki/Downloads — free, all platforms
📦

Vagrant 2.3+

developer.hashicorp.com/vagrant/downloads
🐍

Python 3 + git + curl + jq + openssl

Usually pre-installed on Linux / macOS
🧠

16 GB RAM

Minimum 12 GB — 4 VMs run concurrently (attacker + 2 victims + Splunk)
💾

60 GB free disk space

VM images + Splunk data + snapshots
🖥️

Linux or macOS host

Windows: use WSL2 with VirtualBox installed on the Windows host

Quick-install missing dependencies on Ubuntu / Debian:

bash

sudo apt-get update && sudo apt-get install -y curl jq git python3 openssl

On macOS (Homebrew):

bash

brew install curl jq git python3 openssl

Download the lab bundle and run kickstart

No git required. Download everything directly from this portal.

Option A — One-liner (recommended):

Open a terminal and paste this command. It downloads and runs the kickstart script, which then downloads the full lab bundle automatically.

bash — paste in a terminal

detecting server URL…

Option B — Manual download:

Download the full lab bundle: ⬇ labs-bundle.tar.gz
Download the kickstart script: ⬇ kickstart.sh
Extract the bundle, then run kickstart:
bash
```
detecting server URL…
```

What the kickstart script does:

Checks OS, VirtualBox, Vagrant, Python3, disk & RAM
Downloads labs-bundle.tar.gz and extracts to ~/detection-labs/
Runs vagrant up in infra/vagrant/ (~3 GB, 10–20 min)
Polls Splunk REST API until it responds
Generates a TLS cert and opens the portal at https://localhost:8443/web/

Useful overrides:

bash

SKIP_VAGRANT=1 LABS_SERVER=https://server:8443 bash kickstart.sh
PORTAL_PORT=9443 LABS_SERVER=https://server:8443 bash kickstart.sh

Accessing the environment

After kickstart finishes, use these addresses. All traffic stays on a private network (192.168.56.0/24) — nothing is exposed to your LAN.

Lab Portal https://localhost:8443/web/ Splunk Web https://192.168.56.13:8000 Splunk API https://192.168.56.13:8089 Splunk creds admin / changeme ← lab only, never reuse Attacker VM 192.168.56.10 (Kali) Victim Linux 192.168.56.11 (Ubuntu 22.04) Victim Windows 192.168.56.12 (Windows Server 2022) Windows RDP 127.0.0.1:13389 (vagrant / vagrant)

SSH into VMs from the infra/vagrant/ directory:

bash — from infra/vagrant/

cd infra/vagrant
vagrant ssh attacker
vagrant ssh victim-linux
vagrant ssh victim-windows

Trust the self-signed portal certificate (optional, removes browser warning):

Ubuntu/Debian macOS Kali

bash

sudo cp web/.certs/cert.pem /usr/local/share/ca-certificates/lab-portal.crt
sudo update-ca-certificates

bash

sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain web/.certs/cert.pem

bash

sudo cp web/.certs/cert.pem /usr/local/share/ca-certificates/lab-portal.crt
sudo update-ca-certificates

How to work through a lab

1

Pick a lab in the sidebar Read the Student Handout tab — it explains the technique, what log data to expect, and the detection goal.

2

Run the attack script on the attacker VM The Attack Script tab shows the exact command. SSH into the attacker VM and run it — the script logs every step to stdout.

3

Open Splunk and search Navigate to https://192.168.56.13:8000. Paste the SPL from the Detection SPL tab and set the time range to "Last 15 minutes".

4

Tune and improve the detection Check the Instructor Notes tab for the full solution SPL, false-positive guidance, and MITRE context.

5

Auto-verify and mark complete Run bash tools/verify_lab.sh NN-slug for automated end-to-end verification. When the detection fires, click Mark Complete.

6

Reset between labs Run bash tools/reset_lab.sh to restore all VMs to the clean baseline snapshot before starting the next lab.

bash — verify all labs at once

bash tools/verify_lab.sh --all

Select a lab to begin

Quick Start — Lab Environment Setup

What you need before starting

Download the lab bundle and run kickstart

Accessing the environment

How to work through a lab