Having fun while learning about and pivoting into the world of DFIR.
by ogmini
First and foremost, the June 2025 Public CTF from The DFIR Report was a very enlightening experience. It really highlighted a need to gain a deeper understanding of how to efficiently query Splunk or other SIEMs. I came into this with 0 prep and no experience beyond the theoretical and some classwork. The CTF centered around using your chosen SIEM, which in my case was Splunk, to investigate a cybersecurity incident. The DFIR Report classifies all their material as TLP:RED, so I will only be speaking in generalities. I highly encourage anyone even remotely interested to try their Labs/CTFs. I had been on the fence about paying for their labs because it actually seemed too cheap. I was worried that it would provide no value or learning. If this CTF was any indication of the quality of their other labs, the value is immense.
For this CTF they had a mix of Easy/Medium/Hard challenges, and all of them had hints available. I had to make extensive use of them. I really have minimal experience in using Splunk/SIEMs. Specifically, I knew what I wanted to check/look for, but I had very little clue how to write an efficient query to find the information hidden amongst the data. The few previous Splunk exercises I had done had too small of a dataset or so few hosts that it was rather trivial to find information. I was able to answer 78% of the Easy challenges and 30% of the Medium challenges, and I didn't even attempt the Hard ones. I came 111th out of 158. If I hadn't wasted points on hints for two challenges I was unable to finish, I would have cracked the top 100. Honestly, I'm pretty proud of how well I did considering 0 prep and only being able to spend 2 hours out of the allotted 4 hours. As I mentioned in my previous post, I won a free entry for this CTF, and this was shoehorned into my schedule. When I do another in the future, I will be much better prepared.
In short, if you want to practice and improve your skills using SIEMs on very real data, you can't go wrong with the labs from The DFIR Report.
tags: CTF - Challenges