Splunk Attack Range Local Notes

(In progress maybe)

Started to have a play with Splunk’s local implementation of Attack Range.

By default, some of the VMs are disabled – you can tweak the settings and enable them in attack_range_local.conf.

If you want to enable Phantom, you’ll need to register at my.phantom.us and wait for them to approve your account (ugh), and then add your account details to the attack_range_local.conf file.

I guess my laptop wasn’t grunty enough, as the default 4 CPU/4GB RAM kept timing out installing the Phantom software once the CentOS VM was built. It worked giving it 8 CPU/8GB, but this made my laptop crawl, so I ended up editing the default async 600 timeout in ansible/roles/phantom/tasks/install_phantom.yml to 1200, and it eventually got there without affecting the other VMs being built. Winner!