Boss of the SOC v3 Dataset Released!

The tradition continues! We are happy to announce that the Boss of the SOC (BOTS) v3 dataset has been released under an open-source license and is available for download. The BOTSv3.0 questions, answers, and hints are available too! Just send an email to bots@splunk.com, and we'll provide the download link.

The BOTSv1 and BOTSv2 datasets remain available as well. You can read all about these past releases here and here.

Over the last year, BOTS has continued to grow. Since its inception, the program has now helped over 20,000 participants learn about the fundamentals of blue-team security and how to use Splunk security products to protect their organizations. Notable events over the last year include:

What Are We Releasing?

BOTS 3.0! During the past year, BOTS 3.0, which debuted at .conf18, has been our workhorse event. BOTS 3.0 includes a Tools and Training scenario to help less experienced folks gain a foothold and to help everyone get familiar with the environment. The dataset also includes a cloud scenario that illustrates security issues that organizations commonly encounter when moving workloads to Amazon AWS and Microsoft Azure. And of course, BOTS would not be BOTS without a challenging APT scenario for participants to investigate.

Today, as BOTS 4.0 events become the new standard, we make good on our promise to release the BOTS 3.0 dataset along with a companion question and answer set.

BOSS Scoring App

The scoring app continues to dutifully (if not stylishly) power every BOTS and BOTN event, both big and small. As enhancements are made to the scoring app, they're released directly via GitHub. Some notable improvements made in the last year include:

BOTS 3.0 Questions and Answers

As mentioned above, we're happy to send you a copy of the BOTS 3.0 questions and answers upon request! All you have to do is email us at bots@splunk.com.

What Can I Do with BOTS 3.0?

A whole lot! Over the past years, the BOTS 1.0 and 2.0 datasets have been downloaded hundreds of times and used for training, self-study, research, and of course, to recreate the BOTS CTF experience. Additionally, it has become common practice for security analysts and engineers to test new detection methods against the realistic BOTS datasets.

We'd love to hear how you use the data, so please feel free to tweet @splunk with #BossoftheSOC and share!

Is All This Stuff Really Free?

Yep, pretty much. The dataset, scoring apps, and questions are distributed with licenses based on Creative Commons CC0. Of course, you'll need a Splunk Enterprise instance to run all this on. If you have a Splunk license, great! If not, no worries — everything described in this post can be deployed on the free Splunk Enterprise trial version. The dataset is pre-indexed during packaging to avoid data ingest restrictions; packaging data in this way is unconventional, so please read the instructions carefully.

Those who have experienced a Splunk-run BOTS 3.0 event will recall that it included Splunk Enterprise Security (ES), Splunk User Behavior Analytics (UBA), and Splunk Phantom. Splunk ES, UBA, and Phantom are not included in this open-source release of the BOTS 3.0 dataset and questions, but if you'd like to experience BOTS 3.0 with these Splunk Premium products included, please reach out to your Splunk account team.

Thanks again for being part of this incredible journey!

Special Thanks

Special thanks to fellow Splunkers Tim Frazier, Lily Lee, and Ian Forrest for their help in preparing the BOTSv3 dataset and companion materials for release!

Sincerely,

Dave Herrald and Ryan Kovar

