Splunk & BOTS - Practical Tools for Your Cyber Lab
Exploring Splunk & Boss of the SOC (BOTS) for hands-on learning
Get your students competition-ready with Splunk. Turn them into Tier 1 analysts using the free Boss of the SOC (BOTS) challenge. The software and training set are available at no cost. Keep reading to learn how.
For community college educators in Washington state looking for hands-on lab exercises, Splunk's Boss of the SOC (BOTS) presents a compelling option. It's a ready-made Capture The Flag (CTF) environment that simulates the tasks of a Security Operations Center (SOC) analyst. While there are many excellent CTF tools available, BOTS v3 is particularly noteworthy because its entire dataset and instructions are publicly available on GitHub, allowing you to deploy it in your own classroom environment.
A competitive event will be held in Boston on September 8th, offering a look at how these skills are tested at a professional level. If travel is not an option, view the keynotes and sessions live online. Register <here>.
What is the BOTS Challenge?
BOTS is a blue-team CTF built around a realistic but entirely fictitious dataset from "Frothly," a made-up brewing company. Learners investigate a massive, static set of simulated logs within the Splunk platform; it is not live traffic.
Splunk, a Cisco company, is a leading platform for searching, monitoring, and analyzing machine data. In a SOC, analysts use it to centralize logs from firewalls, endpoints, servers, and applications to hunt for threats and investigate incidents.
The challenge guides students through the stages of a cyber attack kill chain. Their goal is to use Splunk's Search Processing Language (SPL) to sift through the data, find evidence of the attack, and answer specific questions about the breach, from initial compromise to data exfiltration.
How It Works as a Learning Tool
The provided data is vast and includes:
- Network Data: Proxy, firewall, DNS, and NetFlow logs.
- Endpoint Data: Windows Event Logs, Sysmon, and antivirus detections.
- Other Data: Email and cloud service logs.
Students learn by doing: they form a hypothesis based on a question, craft precise SPL searches to investigate, and correlate events across different data sources to follow the attacker's path. This process builds critical skills in investigative methodology, log analysis, and using Splunk - a core industry tool.
How to Implement BOTS in Your Program
The BOTS v3 GitHub repository provides all the necessary instructions and data to set up your own local instance. To run it, you would need a Splunk environment.
Accessing the software is straightforward for educators. Through the Splunk Academic Alliance program, qualifying nonprofit organizations and educational institutions can receive a renewable one-year, 10GB license for Splunk Enterprise at no cost. This program provides equitable access to the platform, including complimentary eLearning courses and support resources to help you and your students get started.
Furthermore, our Washington State Cybersecurity Center of Excellence supports faculty development by providing stipends for teachers to learn Splunk, often through courses offered by WASTC. This combination of free software and professional development support makes implementing tools like Splunk and BOTS highly accessible.
This could be an excellent project for the upcoming academic year. You and your students can practice at your own pace, building proficiency with the platform and investigative techniques. This preparation could then position your learners to confidently participate in a live BOTS event or other competitions in the future.
BOTS is one of many tools, but its publicly available, enterprise-scale dataset makes it a particularly valuable and practical resource for bridging classroom theory with hands-on analytical experience.
Download BOTS v3 from GitHub: https://github.com/splunk/botsv3
Learn about the Splunk Academic Alliance: https://www.splunk.com/en_us/resources/splunk-academic-alliance.html
Apply for Splunk academic program: https://www.splunk.com/en_us/about-us/splunk-pledge/academic-license-application.html
A YouTuber walks through the BOTS v3 challenge exercises here: < LINK >
