Boss of the SOC 3.0 at .conf18
TL;DR BOTS at .conf18 on Monday, October 1st IS GONNA BE COOL! CLOUD! ENDPOINT! CLOUD! LINUX! Register here.

At .conf2017, Boss of the SOC (BOTS) went big! Over 350 people played simultaneously for over four hours, investigating five separate incidents faced by Frothly’s quirky security professional, Alice Bluebird. After a hard-fought battle, Martin Müller and Henry Grow from team Consist emerged victorious (but not before great fun was had by all). This year at .conf18, in the best of Splunk traditions, BOTS will be BIGGER, BOLDER and EVEN MOAR AWESOME, with exciting new datasets and BOTS education opportunities.

Don’t miss out! Once you’re registered for .conf18, sign up for BOTS in Orlando and mark October 1st on your calendars.

So What Is “BOTS”?

Boss of the SOC (otherwise known as BOTS) is a hands-on, self-paced, blue-team exercise which uses Splunk to defeat threats. It’s a jeopardy-style, capture-the-flag-esque (CTF) activity where participants answer a variety of questions about security incidents that have occurred in a realistic but fictitious enterprise environment. It's designed to emulate how real security incidents look in Splunk and the type of questions analysts have to answer.

We first developed Boss of the SOC because we were tired of showing up at security conferences and finding the CTFs to be entirely red-team oriented. There are other Blue Team CTFs out there—including the grandfather to them all, SANS DFIR NetWars—but few (or none) of them attempt to recreate the life of a security analyst facing down an adversary at all stages of an attack. BOTS, however, is designed not only for the seasoned Splunk security professional, but also for customers who want to try a new activity in a stress-free environment.

For those who wish to participate but not compete, there will be tables specifically set up to facilitate mentoring and coaching.

In the Boss of the SOC CTF, we work very hard to ask questions that not only require contestants to know Splunk, but also know how to research open source intelligence (OSINT) and think outside of the “Splunk” box.

You talked and we listened. Over the last several months of running local BOTS events for 3,000+ security professionals, our feedback was filled with many insistent requests: CLOUD, CLOUD, CLOUD, *NIX, and finally, CLOUD. So, we figured...why not?!?

At .conf18, Boss of the SOC contestants will help Alice investigate three major incidents on AWS, Microsoft Cloud (Azure and Office365) and workstations/servers that include Linux and Windows. Don’t worry, BOTS 3.0 will still have all the wire-data* and Windows event logs you’re used to, but like the rest of the world, Frothly has moved most** of their infrastructure to the cloud. To make things easier and to help you find the bad guys faster, not only will you have access to Splunk Enterprise Security, we’re also introducing Splunk User Behavior Analytics and our newest addition to the Splunk product family, Phantom!
Cloud is still new to most security professionals (heck, it's new to almost everyone on the Splunk BOTS admin team!). As such, in the months before .conf18, we’re going to be releasing blogs and webinars to help level-up the Splunk security community to meet these new challenges. Follow @splunk on Twitter and subscribe to Splunk Blogs for updates and webinar announcements. These blogs will be VERY relevant to BOTS 3.0, so we highly recommend reading them if you’re not familiar with AWS and Microsoft Cloud Services.

On top of the educational webinars and blogs we'll drop before .conf18, we’re also planning a new category of BOTS participants! If you’d like to play but don’t want your name up on the board (as in work through the data and questions, but not be scored), you’re more than welcome to register and participate in the fun! We’ll have dedicated tables/area for people who wish to audit BOTS. Each table will have a Splunker present to help make the BOTS experience even more awesome.

And of course, don’t forget our handy dandy blog series, “Hunting with Splunk: the Basics,” which was inspired by the questions customers have asked at BOTS events all over the world!

Finally, you can try out or practice these new techniques using our cloud-hosted “Security Datasets Project” that has the BOTSv1 dataset and more. If you’d rather set up a home lab and really dig into BOTS data, try out our BOTSv1 open sourced dataset and CTF scoring server app.

Okay. Should I Play BOTS?

Probably! Seriously, if you’re reading this blog and you've gotten this far, you’re almost certainly a great fit for BOTS. To hold your own, we usually tell folks they need to know a little about Splunk and a little about security. However, all you really need is the desire to learn something new and the desire to have a lot of fun. Don’t forget, this year we’re introducing the BOTS newbie category, so there’s no need to compete—you can just play and learn with a table coach! Finally, BOTS is a team sport, so be sure to bring along your crew to join you in the fun!

Fine, you convinced me! How do I register?

It’s pretty easy. If you’ve already registered for .conf18, then go here to sign up for BOTS. Each team can be 1-4 people, so if you want to play on the same team as someone else, just make sure they put in the identical string. As mentioned above, BOTS is usually best played with a team, but you can register solo too. If you don’t know anyone, we’re also more than happy to play matchmaker and group you with a team!

Welp, after all that, I hope we’ve managed to convince you. If you have any questions feel free to email bots@splunk.com. We’re very excited to host you for the 3rd annual Boss of the SOC competition at .conf18 in Orlando, FL, and can’t wait to see you there! (And maybe you can win a cool trophy like Martin and Henry. ☺)

(First place trophies from .conf2017 in Martin and Henry’s office at https://www.consist.de/!)

* Don’t worry. We heard you on this too. We will be greatly reducing the number of wire-data/STREAM questions.

** Does anyone ever move EVERYTHING over to the cloud? Of course not. ☺

Follow all the conversations coming out of #splunkconf18!

Posted by Ryan Kovar

NY. AZ. Navy. SOCA. KBMG. DARPA. Splunk.