Splunk CTF Lab

Overview

This lab provides hands-on practice with Splunk and its Search Processing Language (SPL). It is designed for users who already understand the fundamentals of Splunk but want to deepen their skills by generating logs, analyzing them, and simulating real-world SOC investigations.

Participants act as SOC analysts, using SPL to uncover hidden flags, identify attacker behaviors, and analyze intrusion logs. Two options are available for generating data (a realistic VM-based attack environment or a simplified static dataset).

By the end of this lab, you will be comfortable:

  • Investigating security incidents using real or simulated logs

  • Writing targeted SPL queries

  • Understanding common attacker patterns

  • Identifying flags hidden across different log fields

  • Building saved alerts


Lab Structure

You are provided access to a Splunk server where logs will be ingested from either virtual machines (Option 1) or imported datasets (Option 2).

Splunk Server: 192.168.1.112
Splunk UI: https://192.168.1.112:8000
Credentials:

  • user: splunklab

  • pass: splunk123

Virtual Machine Setup (Option 1)

Machine               Purpose                        IP              Credentials
Splunk Server         Indexes logs & provides UI     192.168.1.112   splunk-server / splunk123
Web Server (Ubuntu)   Generates logs via attacks     192.168.1.113   client / soc123
Attacker (Kali)       Performs attacks               192.168.1.115   kali / kali123

Web logs are forwarded from Ubuntu to Splunk using the Universal Forwarder.

Dataset Import Setup (Option 2)

Only the Splunk server is required. Intrusion logs are imported manually into Splunk.


Option 1 - Simulated Attack Environment with Virtual Machines

Overview

This option provides a realistic SOC experience using a 3-VM attack environment. Participants use SPL to investigate attacks carried out by a Kali attacker against an Ubuntu web server.

What You Need

  • Kali Linux VM (attacker)

  • Ubuntu Web Server with Splunk Universal Forwarder

  • Splunk Enterprise Server

What Happens

  1. Kali launches attacks (brute force, scans, SQL injection, etc.).

  2. Ubuntu Web Server logs the activity.

  3. Logs are forwarded to Splunk.

  4. You investigate to find hidden CTF flags and answer questions.

Dataset Details

  • Data should be indexed under: index=web_log


CTF Challenge Questions (Option 1)

Easy Challenges


1) URI Flag

Many flags were placed in a query parameter and requested from the webserver by the attacker. However, only one is legit. Find it.

Hint Look for `update.flag` in the URI field.
Query
index=web_log uri="*update.flag*" OR uri="*flag*"
Answer update.flag{TOTALLY_LEGIT_URI}

2) User-Agent Flag

Many flags were also hidden in the UserAgent field. Find the one that is the most suspicious.

Query
index=web_log useragent="*flag*"
Answer update.flag{SUSPICIOUS_USERAGENT}

Medium Challenges


3) Brute Force / Credential Stuffing

Find the attacker IP with the most failed login attempts as well as the total count of failed attempts. Format the flag in the following format: flag{8.8.8.8_#####}.

Hint Login and sign in attempts have a URI of “/login” and “/signin” respectively.
Query
index=web_log (uri="/login" OR uri="/signin")
| stats count by clientip
Answer flag{192.168.1.115_76693}

4) Nikto Scan Detection

A Nikto scan was run against the server. Find the unique evidence (a specific vulnerability it found) and list it. Format the flag in the following format: flag{VULNERABILITY.txt}.

Query
index=web_log uri="*Nikto*" | stats count by uri
Answer flag{rfiinc.txt}

5) Hidden Referer Flag

While running an attack, the attacker left evidence of the CVE (Common Vulnerabilities and Exposures) identifier of the vulnerability they were attempting to exploit. The identifier is seeded in the Referer header. Find it. Format the flag in the following format: flag{CVE-1234-5678}.

Query
index=web_log referer="*CVE*"
Answer flag{CVE-2014-6278}

6) Web Scanner Identification

Identify the four scanning tools used against the server based on User-Agent strings. Furthermore, identify how many times each was used and list them in order from most used to least used. Format the flag in the following format: flag{tool1_tool2_tool3_tool4}.

Note:
Nikto was run 108 times but does not appear under User-Agent.

Query
index=web_log 
| search useragent=* 
| stats count by useragent 
| sort - count
Answer flag{Hydra_Nikto_Nmap_SQLMap}

Hard Challenges


7) Encoded Flag (Hex/URL Encoding)

The attacker tried to hide a flag by URL encoding or hex-encoding it. Find the encoded hex string and decode the flag.

Note:
An external tool is necessary to decode the hex string.

Hint %75%70%64....
Query
index=web_log uri="*%75%*"
Answer update.flag{URL_ENCODED}

8) Create a Saved Alert

Create a Splunk saved search that triggers when any update.flag string appears in any of uri, host, useragent, or referer. Include the time, clientip, uri, useragent, and referer. On the attacker VM, try to trigger the alert and then rerun the search to see if a new event appears.

Query
index=web_log (uri="*update.flag*" OR host="*update.flag*" OR useragent="*update.flag*" OR referer="*update.flag*")
| table _time clientip uri useragent referer
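As an added illustration (not part of the lab or its dataset), the following Python script re-implements the logic behind challenges 3, 7 and 8 outside Splunk: it parses a handful of constructed Apache combined-format access-log lines (the same format the Universal Forwarder ships from the Ubuntu web server), counts login/signin requests per client IP the way `stats count by clientip` does, percent-decodes and hex-decodes a URI (the "external tool" step of challenge 7), and reproduces the challenge 8 alert rows, with the option of decoding each field first so that an encoded update.flag string is not missed. The log lines, IPs and flag values are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample events in Apache "combined" format (clientip, _time, uri,
# status, referer, useragent). These are made-up lines, not lab data.
SAMPLE_LOG = """\
192.168.1.115 - - [10/Jan/2025:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Hydra)"
192.168.1.115 - - [10/Jan/2025:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Hydra)"
192.168.1.115 - - [10/Jan/2025:10:00:03 +0000] "POST /signin HTTP/1.1" 401 512 "-" "Mozilla/5.0 (Hydra)"
10.0.0.7 - - [10/Jan/2025:10:01:00 +0000] "POST /login HTTP/1.1" 302 0 "http://192.168.1.113/" "Mozilla/5.0"
192.168.1.115 - - [10/Jan/2025:10:02:00 +0000] "GET /?q=update.flag{SAMPLE_URI} HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.168.1.115 - - [10/Jan/2025:10:02:01 +0000] "GET /?q=%75%70%64%61%74%65%2E%66%6C%61%67%7B%53%41%4D%50%4C%45%7D HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.168.1.115 - - [10/Jan/2025:10:02:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "update.flag{SAMPLE_UA}"
192.168.1.115 - - [10/Jan/2025:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.test/update.flag{SAMPLE_REF}" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Field names mirror what Splunk's access_combined sourcetype extracts.
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<_time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<version>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)

ALERT_FIELDS = ("uri", "useragent", "referer")


def parse_access_log(lines):
    """Turn raw combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_logins_by_ip(events):
    """Equivalent of: (uri="/login" OR uri="/signin") | stats count by clientip | sort -count.
    Like the lab query this counts requests, not HTTP status; filter on e["status"]
    (e.g. 401/403) if you want only rejected attempts."""
    counts = Counter(e["clientip"] for e in events if e["uri"] in ("/login", "/signin"))
    return counts.most_common()


def decode_uri(uri):
    """Percent-decode a URI such as /?q=%75%70%64... (challenge 7)."""
    return unquote(uri)


def decode_hex(text):
    """Decode a raw hex string (e.g. 7570646174652e...) to text; None if it is not valid hex/UTF-8."""
    try:
        return bytes.fromhex(text).decode("utf-8")
    except ValueError:
        return None


def flag_alert_rows(events, decode=False):
    """Rows of (_time, clientip, uri, useragent, referer) for events with update.flag in
    uri, useragent or referer (the challenge 8 search). With decode=True each field is
    percent-decoded first, which also catches the encoded variant the literal match misses."""
    rows = []
    for e in events:
        fields = {f: (unquote(e[f]) if decode else e[f]) for f in ALERT_FIELDS}
        if any("update.flag" in v for v in fields.values()):
            rows.append((e["_time"], e["clientip"], fields["uri"], fields["useragent"], fields["referer"]))
    return rows


WEB_EVENTS = parse_access_log(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    ip, count = failed_logins_by_ip(WEB_EVENTS)[0]
    print(f"flag{{{ip}_{count}}}")
    print(decode_uri(WEB_EVENTS[5]["uri"]))
    for row in flag_alert_rows(WEB_EVENTS, decode=True):
        print(row)
```

The literal `"*update.flag*"` match in the saved search behaves like `flag_alert_rows(events)`; running the alert over decoded fields (`decode=True`, or `eval` with `urldecode()` in SPL) is what turns the challenge 7 evasion into an alert hit as well.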

Option 2 - Importing a Pre-Existing Dataset (Cisco Secure Firewall Threat Defense Intrusion Events)

Overview

This option uses a static dataset imported into Splunk. It is easier to set up but less dynamic than Option 1.

What You Need

  • Splunk Server 192.168.1.112

  • Cisco Secure Firewall Threat Defense Intrusion Event Logs.

Dataset Details

  • The dataset will be located in the home directory:

    /home/splunk-server/intrusion_events.log

  • Import the data using Splunk Web and the “Add Data” option located on the home page.

  • Name the data: Sample_Data_Test

  • Data should be indexed under: index=main  sourcetype=Sample_Data_Test


CTF Challenge Questions (Option 2)

Basic Exploration — Easy


1) Total Intrusion Events

How many total intrusion events were recorded?

Query
index=main sourcetype=Sample_Data_Test | stats count
Answer 447

2) List All Fields

Query
index=main sourcetype=Sample_Data_Test | fieldsummary  
Answer 85 Total Fields.

3) Most Common Protocol

What protocol is most commonly used in intrusion events?

Query
index=main sourcetype=Sample_Data_Test
| stats count by Protocol
| sort -count
Answer TCP

Counting & Classifying Intrusions — Medium


4) Top Intrusion Rule & Total Rules

What is the top intrusion rule, and how many different intrusion rules are there?

Query
index=main sourcetype=Sample_Data_Test 
| stats count by IntrusionRuleMessage 
| sort - count
Answer `FILE-EXECUTABLE Portable Executable binary file magic detected` and 8 Different Intrusion Rules.

5) Top Classification & Total Classifications

What is the top classification, and how many different classifications are there?

Query
index=main sourcetype=Sample_Data_Test 
| stats count by Classification 
| sort -count
Answer `Potential Corporate Policy Violation` and 5 different Classifications.

6) Level 5 Impact Events

How many Level 5 Impact Intrusion Event Categories do we have?

Query
index=main sourcetype=Sample_Data_Test Impact>4 
| stats count by IntrusionRuleMessage Impact 
| sort -Impact
Answer 5.

Network Source / Destination — Medium


7) Attackers from Germany

What are the IPs of the external attackers from Germany?

Query
index=main sourcetype=Sample_Data_Test InitiatorCountry = Germany
| stats count by InitiatorIP InitiatorCountry
Answer 192.168.1.100 and 3.124.41.193

8) Most Targeted Internal IP

What is the most targeted internal IP?

Query
index=main sourcetype=Sample_Data_Test 
| stats count by ResponderIP | sort -count
Answer 172.16.3.110

9) Most Active Attacker IP

What external/attacker IP had the highest number of intrusion attempts?

Query
index=main sourcetype=Sample_Data_Test 
| stats count by InitiatorIP | sort -count
Answer 146.75.78.172

10) Port 4444 — Target Ports

Attackers are starting a connection and sending initial requests through port 4444. What are the two different corresponding ports that are receiving and responding to this connection?

Query
index=main sourcetype=Sample_Data_Test InitiatorPort=4444
| stats count by InitiatorPort, ResponderPort | sort -count
Answer Ports: 58090 and 8342

Suspicious Activity Detection — Hard


11) Most Common Attack Pattern

What is the most common attack pattern (Signature ID and Classification), and from which country is it being launched?

Query
index=main sourcetype=Sample_Data_Test
| stats count by InitiatorCountry, SignatureID, Classification 
| sort -count
Answer SignatureID: 15306

Classification: Potential_Corporate_Policy_Violation

Country: United_States


12) Web App Triggering Most Alerts

Which web application triggered the most intrusion alerts?

Query
index=main sourcetype=Sample_Data_Test | stats count by WebApplication | sort -count
Answer Microsoft_Update

13) Hidden .txt File

Look for the event containing a hidden .txt file. The file name is hidden in one of the HTTP-related fields.

Query
index=main sourcetype=Sample_Data_Test HTTP_URI="*.txt"
Answer FLAG{The_SOC_IS_AWESOME}

14) Flag Hidden in Hostname

Try filtering to find the flag hidden in the hostname.

Query
index=main sourcetype=Sample_Data_Test HTTP_Hostname="*flag*"
Answer flag{SplunkHunters_HTTP_Challenge_2025}

15) Attacker with Most Unique Classifications

Which initiator/attacker IP is associated with the most unique classifications?

Query
index=main sourcetype=Sample_Data_Test 
| stats dc(Classification) as unique_classes by InitiatorIP 
| sort -unique_classes
Answer 23.48.99.12
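As an added example (not part of the lab and not its dataset), the Python below re-implements the SPL building blocks used across the Option 2 challenges: `stats count by` over one or more fields with `sort -count` (challenges 3 to 12), `dc()` by a field (challenge 15) and a search-time filter such as `Impact>4` or `InitiatorPort=4444` (challenges 6 and 10). It runs over constructed intrusion events written as key=value pairs; the field names follow the page, but the key=value layout, IPs, signature IDs, rule messages and counts are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed intrusion events as key=value pairs (assumed layout; Splunk
# extracts such pairs at search time). Made-up data, not the lab dataset.
SAMPLE_EVENTS = """\
InitiatorIP=203.0.113.5 InitiatorCountry=Germany InitiatorPort=4444 ResponderIP=10.10.0.20 ResponderPort=58090 Protocol=TCP SignatureID=1001 Classification="Potential Corporate Policy Violation" IntrusionRuleMessage="FILE-EXECUTABLE PE magic detected" Impact=3
InitiatorIP=203.0.113.5 InitiatorCountry=Germany InitiatorPort=4444 ResponderIP=10.10.0.20 ResponderPort=8342 Protocol=TCP SignatureID=1002 Classification="Potential Corporate Policy Violation" IntrusionRuleMessage="FILE-EXECUTABLE PE magic detected" Impact=3
InitiatorIP=203.0.113.9 InitiatorCountry="United States" InitiatorPort=51000 ResponderIP=10.10.0.20 ResponderPort=443 Protocol=TCP SignatureID=2002 Classification="Attempted Administrator Privilege Gain" IntrusionRuleMessage="SERVER-OTHER admin bypass attempt" Impact=5
InitiatorIP=203.0.113.9 InitiatorCountry="United States" InitiatorPort=51001 ResponderIP=10.10.0.20 ResponderPort=80 Protocol=TCP SignatureID=2003 Classification="Web Application Attack" IntrusionRuleMessage="SERVER-WEBAPP directory traversal attempt" Impact=5
InitiatorIP=203.0.113.9 InitiatorCountry="United States" InitiatorPort=51002 ResponderIP=10.10.0.30 ResponderPort=53 Protocol=UDP SignatureID=2004 Classification="Misc Activity" IntrusionRuleMessage="PROTOCOL-DNS unusual query" Impact=1
InitiatorIP=198.51.100.4 InitiatorCountry="United States" InitiatorPort=40000 ResponderIP=10.10.0.20 ResponderPort=443 Protocol=TCP SignatureID=2002 Classification="Attempted Administrator Privilege Gain" IntrusionRuleMessage="SERVER-OTHER admin bypass attempt" Impact=4
"""

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line):
    """Extract key=value pairs from one event line, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def filter_events(events, predicate):
    """Search-time filter, e.g. lambda e: int(e["Impact"]) > 4 for `Impact>4`."""
    return [e for e in events if predicate(e)]


def stats_count_by(events, *fields):
    """Equivalent of `| stats count by f1 f2 ... | sort -count`.
    Returns [(values_tuple, count), ...], highest count first; ties sorted by value."""
    counts = Counter(tuple(e.get(f, "") for f in fields) for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def stats_dc_by(events, dc_field, by_field):
    """Equivalent of `| stats dc(dc_field) as n by by_field | sort -n`."""
    seen = defaultdict(set)
    for e in events:
        seen[e.get(by_field, "")].add(e.get(dc_field, ""))
    return sorted(((k, len(v)) for k, v in seen.items()), key=lambda kv: (-kv[1], kv[0]))


INTRUSION_EVENTS = [parse_kv_line(l) for l in SAMPLE_EVENTS.splitlines() if l.strip()]

if __name__ == "__main__":
    # Challenge 3 style: most common protocol
    print(stats_count_by(INTRUSION_EVENTS, "Protocol"))
    # Challenge 6 style: Impact > 4, counted by rule message and impact
    high = filter_events(INTRUSION_EVENTS, lambda e: int(e["Impact"]) > 4)
    print(stats_count_by(high, "IntrusionRuleMessage", "Impact"))
    # Challenge 10 style: responder ports answering to initiator port 4444
    p4444 = filter_events(INTRUSION_EVENTS, lambda e: e["InitiatorPort"] == "4444")
    print(stats_count_by(p4444, "InitiatorPort", "ResponderPort"))
    # Challenge 11 style: most common (country, signature, classification) triple
    print(stats_count_by(INTRUSION_EVENTS, "InitiatorCountry", "SignatureID", "Classification")[0])
    # Challenge 15 style: initiator with the most distinct classifications
    print(stats_dc_by(INTRUSION_EVENTS, "Classification", "InitiatorIP")[0])
```

Note that `Impact` is compared numerically only after `int()`; the parsed values are strings, which is the same reason `Impact>4` in SPL relies on Splunk treating the field as a number.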

Conclusion

You now have hands-on experience with:

  • SPL fundamentals

  • Investigating attacker patterns

  • Identifying encoded/hidden data

  • Working with web, firewall, and intrusion logs

  • Building Splunk alerts

  • Performing SOC-style investigations

Feel free to expand the lab, create your own datasets, or build new challenges!


Author & Credits

This Splunk CTF Lab was created and maintained by Roman Arreguin. If you found this lab helpful or would like to collaborate on future SOC, Splunk, or cybersecurity projects, feel free to reach out!