Boss of the SOC Version 8 - Live from .conf23

We're just a few short weeks away from .conf23, Splunk’s annual user conference, hosted this year in Las Vegas from July 17-20. BOTS version 8 will launch Monday night, the 17th, at 8:00 PM Pacific time onsite at .conf23. Since 2015, the Security Strategist team at Splunk has debuted new versions of our Boss of the SOC (BOTS) competition at .conf. This year is no different! We are proud to present to our customers BOTS .v8 with tales of a new fictional adversary. BOTS8 will encompass all the things that our customers have come to expect and love. We will have our tried-and-true Advanced Persistent Threat scenario, our showcase scenarios around our flagship Security products Splunk Enterprise Security and Splunk SOAR, and some new content surrounding DevSecOps and DevOps. We’ll also keep you on your toes with the traditional steganography questions and some interesting easter eggs across the entire program to keep you looking for those hard-to-find clues.
Our new Web App Attack scenario will take a dive into the world of application development and look at web application attacks against modern application architectures. You’ll have to keep your wits about you as you unpick the CI/CD pipeline and take a deep dive into the application codebase to unravel the secrets of this complex attack.
Speaking of modern application architecture, we’re happy to include our Observability team and product line in BOTS this year. You’ll get to see the world through a whole new lens, investigating an incident in a microservices architecture using code instrumentation in the Splunk Observability Cloud. You’ll use metrics, application traces and real user monitoring to get to the bottom of what’s really happening in this exciting new scenario.
What is Boss of the SOC?
BOTS is a blue-team, jeopardy-style, capture-the-flag-esque (CTF) activity where participants leverage Splunk's Security Suite to answer a variety of questions about the type of real-world incidents that security analysts face regularly. We developed BOTS because we were tired of showing up at security conferences and finding the CTFs to be entirely red team-oriented. There are other blue team CTFs out there — especially the grandfather to them all, SANS NetWars — but few of them attempt to recreate the life of a security analyst facing an adversary at all stages of an attack.
For BOTS, we work very hard to ask questions that require competitors not only to understand Splunk but also to know how to research open-source intelligence (OSINT) and think outside of the “Splunk box.” Are you excited yet?
Should I Play BOTS?

Yes! We've written about who should play before, but it's worth repeating here. If you've gotten this far, you are almost certainly an excellent fit for BOTS.
To hold your own in BOTS, we usually tell folks they need to know a little about Splunk Security Solutions and a little about security. However, all you really need is the desire to learn something new and have fun.
The questions in BOTS range from easy to hard and everything in between. Every question comes with hints to nudge you in the right direction. If you need more help, coaches are onsite and online to assist when the hints run out. Also — don't forget — BOTS is a team sport, so if you bring your crew, you won't be alone.
If all of that isn't enough to convince you that BOTS is a safe, supportive, and fun learning environment, we've now made it super easy to play anonymously if you choose.
How Can I Prepare?
- Take a spin on previous BOTS versions, workshops, and other Splunk security focused content right here.
- Check out our "Hunting With Splunk" blog series. Mastering the topics covered in this series will help you answer questions faster.
- Take advantage of our free training.
Fine Print
There's always something, isn’t there? Registration at .conf23 is required to compete in BOTS.
- Each individual must register at bots.splunk.com.
- Please register with an email address you’ll be able to access on the day of the event.
- You will need a laptop computer equipped with WiFi that runs a supported web browser.
- To participate in BOTS you must be onsite in Las Vegas for .conf23.
- If you’ve been with us in person before, you know the trials and tribulations of WiFi - and the public shaming! Please bring a USB network adapter for your laptop! Hard wires will be provided for the competition.
What Are the Important Links Again?
Registration for .conf23 is available at this link and you can register for BOTS once you receive your confirmation email. For any questions, please reach out to bots@splunk.com.
Follow all the conversations coming out of #splunkconf23!