Guide: Build your own blueteam lab

Hi guys,

I intend this piece to keep improving as I add tools and software to build the ultimate test/dev lab. For now this guide will focus on Splunk as the tool used for log collection and analysis (as it's what I have the most experience with), but I plan to add more options in the future. The environment will be Windows based, with an Active Directory domain controller, a Windows 10 host and a Linux box. There will be tools to help with investigations, and tools to help simulate malicious behaviour.

There is some presumed knowledge for this setup. First, I expect anyone completing this to be familiar with building the virtual machines required to stand up the software and tools being used. Additionally, I'll presume knowledge of basic tools such as PuTTY, RDP etc.

With that, choose a chapter and get stuck in!


  1. Splunk
    1.1. Installing Splunk (Single Instance)
    1.2. Installing Splunk (Distributed Environment)
    1.3. Configuring Splunk
  2. Windows & Active Directory
    2.1. Installing Active Directory
  3. Unix

1. Splunk

Splunk is arguably one of the best tools ever made (seriously). From big data, security, machine learning, monitoring and alerting to visualisations, script execution and user behaviour analytics, these are just some of the use cases Splunk can fulfil.
This section of the guide will get you through standing up Splunk, either on a single machine or in a distributed environment. Whichever deployment type you choose, you'll end up with the same system. However, the distributed setup has some extra steps for configuring apps and data ingestion, and gives a deeper understanding of Splunk infrastructure.

We will be installing Splunk on Ubuntu Server. You can install Splunk on Windows, but this is not always the best use of resources.

1.1. Installing Splunk (Single Instance)

1.2. Installing Splunk (Distributed Environment)

Note that this deployment requires a decent amount of hardware.