Security

April 18, 2019

2 Minute Read

Boss of the SOC 2.0 Dataset, Questions and Answers Open-Sourced and Ready for Download

By Splunk

tl;dr: Click here to register and get access to open sourced BOTS 2.0 dataset!

It's hard to believe a year has passed since we released the Boss of the SOC (BOTS) Scoring Server, Questions and Answers, along with the BOTS 1.0 Dataset. During that time, BOTS has continued to grow at a breakneck pace. Last October, we hosted one of the largest single in-person capture the flag (CTF) events ever with over 700 participants joining us in Orlando, Florida to compete in the debut of BOTS 3.0. We also ran the largest-ever cybersecurity challenge in Australia, along with dozens of smaller events around the globe. All this helped drive the program to surpass the 10,000 participant mark overall since its inception.

WHAT Are We Releasing?

BOTS 2.0! During the past year, BOTS 2.0 (debuted at .conf in September 2017) has been our workhorse event, and became so popular that our team had to write a second question set (and then a third) to satisfy demand. BOTS 2.0 marked a dramatic expansion in scope over its predecessor, including five scenarios covering topics like advanced persistent threat, endpoint security, web application security, fraud and insider threat. It was created with the same attention to detail and commitment to realism that made BOTS 1.0 so popular.

Today, as BOTS 3.0 events become the new standard, we make good on our promise to release the BOTS 2.0 dataset along with its original question and answer set.

BOTS 2.0 Dataset

The BOTS 2.0 dataset is hosted on Github and Amazon S3 and comes in one of two forms:

The Full BOTSv2 Dataset
It’s "the whole enchilada." The dataset weighs in at around 16GB and is an exact copy of what was included in Splunk-hosted BOTS events throughout 2018 and early 2019.
The BOTSv2 "Attack Only" Dataset
The "Attack only" dataset is a pared-down version which eliminates the bulk of the "background noise" in return for a much more manageable total size of 3.2GB. In short, it's everything you need, and nothing you don't!

BOSS Scoring App

The scoring app continues to dutifully (if not stylishly) power every BOTS and BOTN event both big and small. As enhancements are made to the scoring app, they're released directly via GitHub. Some notable improvements made in the last year include:

Anonymous mode
Privacy notice/user agreement enforcement
Refined user interface with Dark Mode
Performance improvements

BOTS 2.0 Questions and Answers

We're happy to send you a copy of the BOTS 2.0 questions and answers upon request! All you have to do is register here.

What Can I Do with BOTS 2.0?

A whole lot! Over the past year, the BOTS 1.0 dataset has been downloaded hundreds of times and used for training, self-study, research, and of course, to recreate the BOTS CTF experience. Additionally, it has become common practice for security analysts and engineers to test new detection methods against the realistic BOTS dataset.

We'd love to hear how you use the data, so please feel free to tweet @splunk with #BossoftheSOC and share!

Is All This Stuff Really Free?

Yep, pretty much. The dataset, scoring apps and questions are distributed with licenses based on Creative Commons CCO. Of course, you’ll need a Splunk Enterprise instance to run all this on. If you have a Splunk license, great! If not, no worries—everything described in this post can be deployed on the free Splunk Enterprise trial version. The dataset is pre-indexed during packaging to avoid data ingest restrictions; packaging data in this way is unconventional, so please read the instructions carefully.

Those who have experienced a Splunk-run BOTS 2.0 event will recall that it included Splunk Enterprise Security (ES). Splunk ES is not included in the open source release of the BOTS 2.0 dataset and questions, but if you’d like to experience BOTS 2.0 with Splunk Enterprise Security, please reach out to your Splunk account team.

Thanks again for being part of this incredible journey!

Sincerely,


Dave Herrald	Ryan Kovar

----------------------------------------------------
Thanks!
Dave Herrald

Making Sense of the New SEC Cybersecurity Rules and What They Could Mean for Your Company

The United States Securities and Exchange Commission’s (SEC) July 26 approval of new cybersecurity 'incident' disclosure rules is top of mind for every public company, and understanding what it means and how companies will be held accountable is crucial.

Security 3 Min Read

Staff Picks for Splunk Security Reading January 2021

These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series!

Security 6 Min Read

Level Up Your Security Data Journey and MITRE ATT&CK Benchmarking with Splunk Security Essentials

Announcing the release of Splunk Security Essentials version 3.8.0, which adds maturity journey and benchmarking.

About Splunk

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.

Learn more about Splunk