Calisec Team won Splunk Boss of the SOC (BOTS) Day 2019 (San Jose).

What is Boss of the SOC (BOTS)?

Boss of the SOC is a blue-team jeopardy-style capture-the-flag-esque  (CTF) activity where participants use Splunk—and other tools—to answer a  variety of questions about security incidents that have occurred in a  realistic but fictitious enterprise environment. It's designed to  emulate how real security incidents look in Splunk and the type of  questions analysts have to answer.

Our Preparations

Our team members has spent full week to prepare for this competition. Our preparation includes:

  • Setup Splunk practice environment by using BOTSv1 and BOTSv2 datasets
  • Study all materials that related to BOTS in Splunk .conf (Annual Conference)
  • Study blog posts on splunk.com

Reference Materials

Blog Post

Hunting with Splunk

Microsoft Azure

Recording, Slide, Sample Searches

AWS

Recording, Slide, Sample Searches, Log Description

BOTSv3

Recording, Slide