Back in November I had the chance to attend the Splunk .conf conference here in DC. One of the big after hours events of the conference is the Boss of the SOC (BOTS) competition that puts teams against each other to try and analyze a set of data to identify a variety of indicators of compromise from an incident. Fast forward a bit and Cyber National Mission Force (CNMF) decided to work with Splunk to host its own edition of BOTS. I had a chance to participate in the CNMF BOTS and had a great time. While it doesn’t relate exactly to what I do on a daily basis as part of a Cyber Protection Team (CPT) it does give competitors a great chance to learn new tricks with using Splunk.
So why am I writing this? After the CNMF competition I was talking to my Splunk rep about trying to get a copy of the game engine that they use to host the game. It’s really just a Splunk app that runs on a normal version of Splunk. My thought was two-fold. One, it was a great training aid for my guys, and two I wanted to use it for this years upcoming Army Cyber Skills Challenge. After a little bit of talking, Splunk decided to release the app as an open-source project. On top of that, they have also released the data set and questions from their first version of the game. If you are interested in trying out the app, you can go to the Splunk github page and download the various projects.
- https://github.com/splunk/SA-ctf_scoreboard contains the BOTS front end app
- https://github.com/splunk/SA-ctf_scoreboard_admin contains an admin app to setup the BOTS front end
- https://github.com/splunk/botsv1 contains the data set for the first version of BOTS.
Unfortunately the data set doesn’t contain the questions and answers themselves but you can email bots <at> splunk.com and they will be happy to send you a link to download the questions and answers. Happy hunting.