Play Now with BOTS Partner Experiences: Corelight

In December 2019, a small team met at the Splunk office in Boulder to figure out how we could provide a 24x7x365 experience for Boss of the SOC (BOTS). As we started brainstorming, this broadened to include workshops to provide an opportunity to learn in addition to a place to play.

So we had a good idea and a plan… But something was missing… You see, while we incorporate a number of data sets into these gamified and learning experiences, like operating system logs, wire data and the like, we know that we don’t come close to covering every solution an organization might field.

Well, we now have a way to expose you, our reader, to more data sets and this is with the help of some of our wonderful technology partners!

With the official launch of, we are pleased to announce what we are calling Partner Experiences. These Partner Experiences are capture the flag (CTF) on-demand challenges, built by a Splunk technology partner, running in Splunk, hosted on the BOTS platform and are available at no cost, as in free! We are proud to announce that our first partner experience has been provided by Corelight!

Corelight provides security teams with network evidence so they can close investigations quickly, even when incidents go back years. Corelight is built on Zeek, an open-source, global standard technology. Zeek provides rich, structured, security-relevant data to your entire SOC, making everyone from Tier 1 analysts to seasoned threat hunters far more effective. Corelight has also integrated Suricata and a Smart PCAP feature into their sensors which can be deployed in physical, virtual, cloud, and software form factors.

Users that are unfamiliar with Corelight can find a brief introductory module under Learn on You will also find not one, but two Play Now scenarios that utilize Zeek and Suricata to identify suspicious traffic and malware. Inside of the events, you can see HTTP, DNS, SSL and X.509.'re not very familiar with Zeek, Suricata or Corelight? Luckily there are hints for each question!

In total, there are over 40 questions across the scenarios that will take between 1.5 to 3 hours to answer them all. I know, now you are concerned that you don’t have enough time. No worries, you can play and come back later and play again, after all it’s on demand! 

We hope you take the opportunity to check out the Corelight Partner Experience on and try your hand at their challenges. The team did a great job and highlighted some very cool capabilities that Corelight can bring to your blue team.

BTW, did you know that everything on the BOTS Platform is free? As in free! Go check it out, and learn and play now with Splunk and all the goodness already on the site!

John Stoner

Posted by


Show All Tags
Show Less Tags