Boss of the SOC Scoring Server, Questions and Answers, and Dataset! Open-Sourced and Ready for Download

Since we first ran Boss of the SOC at .conf2016, customers have asked if it was possible for customers to run BOTS themselves at their own site. We are proud to announce that we have released (almost) everything to do with BOTS to the world!

WHAT Are We Releasing?

Well... BOTS. Literally the entire Boss of the SOC (BOTS) from 2016. That includes the actual BOTS v1.0 dataset in various forms (Splunk index, json, and csv), the BOTS v1.0 questions and answers, and finally, the BOT(S|N) scoring app! Using this dataset, questions, answers and scoring app, partners and customers can run their own blue-team CTF competitions for fun, training or even research. Since we are still running BOTS 2.0 (BOTS 2017) events around the world, we are holding onto those for now (but don't worry...once BOTS 3.0 starts, we will release most of the 2.0 content to the world).

BOTS 1.0 Dataset

The BOTS 1.0 dataset records two attacks perpetrated by a fictitious hacktivist group called po1s0n1vy targeting Wayne Corp of Batman mythology. There are many comic book references in the data, from heroes and villains to “Batman’s” street addresses. Not only does the dataset contain many different types of data—everything from Sysmon to Suricata—but it also includes file hashes that can be found on Virustotal.com and domains/IPs to hunt for in OSINT tools like PassiveTotal and Robtex!

We published two indexes for you to choose from depending on your goals:

BOT(S|N) Scoring App

The scoring app has been one of the most popular parts of the Boss of the SOC (or NOC) competition! It was something that many folks (mainly Ryan) said couldn't be done in Splunk! Dave decided to prove him wrong and show off some lesser-known features of Splunk in the process. The resulting scoring app offers the following major features:

  1. User/Team management
  2. Scoring management
  3. Question/Answer management
  4. Hint management
  5. Comprehensive scoreboards, dashboards, and analytics

You can use the scoring app to run a BOTS (or BOTN) or to create your very own CTFs.

BOTS v1 Questions and Answers

We will release the questions and answers for BOTS 1.0 upon request!

WHAT Can I Do with All This BOTS Stuff?

It’s more of a question of what you can’t do. Data scientists at Microsoft recommend using the Boss of the SOC data to determine metrics on adversary actions and more. Others are using the bulk data to test their searches and refine their detection methods. One great use case is running/testing Sigma rules converted to Splunk searches. They find badness and are generally fantastic! Friends like Michael Haag have been using the dataset to test their Sysmon Splunk app. Finally—and the most obvious—is training.

Feel free to stand up this data in your environment and create your own CTF from it!

But I Want to Play with it NOW!

If you would like to get a sneak peek of what the Boss of the SOC v1.0 data looks like, check out the "Splunk Security Dataset Project." This project is a Splunk hosted instance of the BOTS v1.0 dataset (along with an ever-growing collection of OTHER datasets). Once you register, you are given access to not only the hosted dataset but a curated experience with a workshop of each dataset inside. You can try out BOTS without downloading a single bit of data!

We would love to hear how you use the data, so please feel free to tweet @splunk with #BossoftheSOC and share!

Ryan Kovar
Dave Herrald
