Splunk BOTS 4.0: A New Hope

TL;DR BOTS at .conf19 on Monday, October 21st IS GONNA BE COOL! CLOUD! ENDPOINT! CLOUD! ICS/SCADA!

At .conf18, Boss of the SOC (BOTS) got supersized! Over 725 people played simultaneously for over four hours, investigating two separate incidents faced by Frothly’s quirky security professional, Alice Bluebird. This year at .conf19, in the best of Splunk traditions, BOTS will be BIGGER, BOLDER and EVEN MOAR MOAR AWESOME, with exciting new datasets and BOTS education opportunities.

Don’t miss out! Once you’re registered for .conf19, sign up for BOTS in Las Vegas and mark October 21st on your calendars.

So What is “BOTS”?

Boss of the SOC (otherwise known as BOTS) is a hands-on, self-paced, blue-team exercise which uses Splunk to defeat threats. It’s a jeopardy-style, capture-the-flag-esque (CTF) activity where participants answer a variety of questions about security incidents that have occurred in a realistic but fictitious enterprise environment. It's designed to emulate how real security incidents look in Splunk and the type of questions analysts have to answer.

We first developed Boss of the SOC because we were tired of showing up at security conferences and finding the CTFs to be entirely red-team oriented. There are other Blue Team CTFs out there—including the grandfather to them all, SANS DFIR NetWars—but few (or none) of them attempt to recreate the life of a security analyst facing down an adversary at all stages of an attack. BOTS, however, is designed not only for the seasoned Splunk security professional, but also for customers who want to try a new activity in a stress-free environment.

For those who wish to participate but not compete, there will be tables specifically set up to facilitate mentoring and coaching.

For BOTS, we work very hard to ask questions that not only require contestants to know Splunk, but also know how to research open source intelligence (OSINT) and think outside of the “Splunk” box.

Dataset

Every year the BOTS team tries to create data that is new, exciting, and educational for participants. This year is no different. We spent 2019 attending hundreds of hours of security conferences and have brought some of the most interesting adversary techniques that have ever been seen to the BOTS 4.0 dataset. Not only will contestants have the normal Windows endpoint, server, and cloud data, but we will also be challenging you with a brand new ICS/SCADA scenario. That’s right. Frothly is buying a brewery. :-) Similar to last year, you will have access to all of Splunk’s security products like Splunk User Behavior Analytics, Splunk Enterprise Security, and Splunk Phantom. In fact, this year we plan to greatly extend the Phantom integration, so get ready to play with...umm...playbooks and fix some Python!

Education

As with previous years, we know that it can be scary to see new datasets that you’ve never been exposed to. With that in mind, we will be releasing blogs, webinars, videos, and more to help you level up to meet these new challenges. Follow @splunk on Twitter, and subscribe to Splunk Blogs for updates and webinar announcements. For extra points, follow @meansec, @daveherrald, and @stonerpsu on Twitter for “special” announcements. To be clear, these blogs will be VERY relevant to BOTS 4.0 at .conf19, so we highly recommend reading them. And of course, don’t forget our handy dandy blog series, “Hunting with Splunk: The Basics,” which was inspired by the questions customers have asked at BOTS events all over the world!

Finally, you can try out or practice these new techniques using our cloud-hosted “Security Datasets Project,” which has the BOTSv1 dataset and more. If you’d rather set up a home lab and really dig into BOTS data, try out our open-sourced BOTSv1 and BOTSv2 datasets and the CTF scoring server app.

Okay. Should I Play BOTS?

Probably! Seriously, if you’re reading this blog and you've gotten this far, you’re almost certainly a great fit for BOTS. To hold your own, we usually tell folks they need to know a little about Splunk and a little about security. However, all you really need is the desire to learn something new and the desire to have a lot of fun. If you are a newbie, don't worry: we are setting up a special table just for you! Finally, BOTS is a team sport, so be sure to bring along your crew to join you in the fun!

Fine, you convinced me! How do I register?

It’s pretty easy. If you’ve already registered for .conf19, then look in your email for a note on how to sign up for BOTS. It is critical that each member of your team register for BOTS individually. Your individual registration will not reserve space for your teammates!

As mentioned above, BOTS is best experienced as a team, but you can fly solo too. Each individual should specify a team name while signing up for BOTS. It's important to coordinate with your teammates so that you all enter the exact same (case-sensitive) team name. The maximum team size is four participants, and this limit is strictly enforced. If you don’t know anyone, we’ll provide a place on the Splunk Community Slack where you can find others to join forces with!

Welp, after all that, I hope we’ve managed to convince you. If you have any questions feel free to email bots[@]splunk[.]com. We’re very excited to host you for the 4th annual Boss of the SOC competition at .conf19 in Las Vegas, NV and can’t wait to see you there!
