SECURITY

Boss of the SOC 2.0 Dataset, Questions and Answers Open-Sourced and Ready for Download

tl;dr: Click here to register and get access to open sourced BOTS 2.0 dataset!

It's hard to believe a year has passed since we released the Boss of the SOC (BOTS) Scoring Server, Questions and Answers, along with the BOTS 1.0 Dataset. During that time, BOTS has continued to grow at a breakneck pace. Last October, we hosted one of the largest single in-person capture the flag (CTF) events ever with over 700 participants joining us in Orlando, Florida to compete in the debut of BOTS 3.0. We also ran the largest-ever cybersecurity challenge in Australia, along with dozens of smaller events around the globe. All this helped drive the program to surpass the 10,000 participant mark overall since its inception.

WHAT Are We Releasing?

BOTS 2.0! During the past year, BOTS 2.0 (debuted at .conf in September 2017) has been our workhorse event, and became so popular that our team had to write a second question set (and then a third) to satisfy demand. BOTS 2.0 marked a dramatic expansion in scope over its predecessor, including five scenarios covering topics like advanced persistent threat, endpoint security, web application security, fraud and insider threat. It was created with the same attention to detail and commitment to realism that made BOTS 1.0 so popular.

Today, as BOTS 3.0 events become the new standard, we make good on our promise to release the BOTS 2.0 dataset along with its original question and answer set.

BOTS 2.0 Dataset

The BOTS 2.0 dataset is hosted on Github and Amazon S3 and comes in one of two forms:

  • The Full BOTSv2 Dataset
    It’s "the whole enchilada." The dataset weighs in at around 16GB and is an exact copy of what was included in Splunk-hosted BOTS events throughout 2018 and early 2019.
  • The BOTSv2 "Attack Only" Dataset
    The "Attack only" dataset is a pared-down version which eliminates the bulk of the "background noise" in return for a much more manageable total size of 3.2GB. In short, it's everything you need, and nothing you don't!

BOSS Scoring App

The scoring app continues to dutifully (if not stylishly) power every BOTS and BOTN event both big and small. As enhancements are made to the scoring app, they're released directly via GitHub. Some notable improvements made in the last year include:

  • Anonymous mode
  • Privacy notice/user agreement enforcement
  • Refined user interface with Dark Mode
  • Performance improvements

BOTS 2.0 Questions and Answers

We're happy to send you a copy of the BOTS 2.0 questions and answers upon request! All you have to do is register here.

What Can I Do with BOTS 2.0?

A whole lot! Over the past year, the BOTS 1.0 dataset has been downloaded hundreds of times and used for training, self-study, research, and of course, to recreate the BOTS CTF experience. Additionally, it has become common practice for security analysts and engineers to test new detection methods against the realistic BOTS dataset.

We'd love to hear how you use the data, so please feel free to tweet @splunk with #BossoftheSOC and share!

Is All This Stuff Really Free?

Yep, pretty much. The dataset, scoring apps and questions are distributed with licenses based on Creative Commons CCO. Of course, you’ll need a Splunk Enterprise instance to run all this on. If you have a Splunk license, great! If not, no worries—everything described in this post can be deployed on the free Splunk Enterprise trial version. The dataset is pre-indexed during packaging to avoid data ingest restrictions; packaging data in this way is unconventional, so please read the instructions carefully.

Those who have experienced a Splunk-run BOTS 2.0 event will recall that it included Splunk Enterprise Security (ES). Splunk ES is not included in the open source release of the BOTS 2.0 dataset and questions, but if you’d like to experience BOTS 2.0 with Splunk Enterprise Security, please reach out to your Splunk account team.

Thanks again for being part of this incredible journey!

Sincerely, 

Dave Herrald Ryan Kovar
Dave Herrald
Posted by

Dave Herrald

Dave is a technical security professional with 20+ years of experience. Dave currently works as Principal Security Strategist for Splunk where he focuses on the Boss of the SOC (BOTS), engaging the security community, training technical teams around the globe, and working directly with Splunk customers. Dave has worked in various roles including strategic security consultant, penetration tester, security engineer, and chief information security officer. Dave holds many security certifications including GIAC Security Expert (GSE) #79.

TAGS

Boss of the SOC 2.0 Dataset, Questions and Answers Open-Sourced and Ready for Download

Show All Tags
Show Less Tags

Join the Discussion