https://community.splunk.com/t5/Splunk-Search/Installing-Boss-of-the-SOC-BOTS-Investigation-Workshop/m-p/390734#M173864 <P>I believe that by default the home paths, if you didn't customize your installation are:</P> <P><STRONG>Windows</STRONG> <BR /> C:\Program Files\Splunk</P> <P>e.g., C:\Program Files\Splunk\etc\apps</P> <P><STRONG>Linux</STRONG><BR /> /opt/splunk</P> <P>e.g., /opt/splunk/etc/apps </P> <P>So if I'm, understanding correctly, you would put that app in one of these directories. </P> <P>Where the BOTS1.0 data set is concerned you would install the prerequisite apps, download the data that you want to explore, either the attack only or the full data set. I would recommend, like they do, using the app pre-indexed data set. Also extract this app and place it in the apps folder, and restart Splunk. </P> <P>You should then be able to find the data in the Search app by searching: </P> <P>index=botsv1 earliest=0 </P> <P>**edited to answer both questions. </P> Wed, 09 Oct 2019 14:40:53 GMT mstephenson716 2019-10-09T14:40:53Z https://community.splunk.com/t5/Splunk-Search/Installing-Boss-of-the-SOC-BOTS-Investigation-Workshop/m-p/390733#M173863 <P>Despite the number of links:<BR /> <A href="https://www.splunk.com/blog/2018/05/25/boss-of-the-soc-bots-investigation-workshop-for-splunk.html">https://www.splunk.com/blog/2018/05/25/boss-of-the-soc-bots-investigation-workshop-for-splunk.html</A></P> <P>One first installs the app:</P> <P><A href="https://splunkbase.splunk.com/app/3985/">https://splunkbase.splunk.com/app/3985/</A></P> <P>You are then directed to Copy/Move the entire extracted BOTS directory into the $SPLUNK_HOME/etc/apps directory.</P> <P>How can I find the exact path for my own environment? This directory does not appear to exist.</P> <P>and secondly the dataset:</P> <P><A href="http://explore.splunk.com/BOTS_1_0_datasets">http://explore.splunk.com/BOTS_1_0_datasets</A></P> <P>For which you must register. It will take you to a GitHub link. Then what?</P> Mon, 31 Dec 2018 23:05:07 GMT https://community.splunk.com/t5/Splunk-Search/Installing-Boss-of-the-SOC-BOTS-Investigation-Workshop/m-p/390733#M173863 therevenant 2018-12-31T23:05:07Z https://community.splunk.com/t5/Splunk-Search/Installing-Boss-of-the-SOC-BOTS-Investigation-Workshop/m-p/390734#M173864 <P>I believe that by default the home paths, if you didn't customize your installation are:</P> <P><STRONG>Windows</STRONG> <BR /> C:\Program Files\Splunk</P> <P>e.g., C:\Program Files\Splunk\etc\apps</P> <P><STRONG>Linux</STRONG><BR /> /opt/splunk</P> <P>e.g., /opt/splunk/etc/apps </P> <P>So if I'm, understanding correctly, you would put that app in one of these directories. </P> <P>Where the BOTS1.0 data set is concerned you would install the prerequisite apps, download the data that you want to explore, either the attack only or the full data set. I would recommend, like they do, using the app pre-indexed data set. Also extract this app and place it in the apps folder, and restart Splunk. </P> <P>You should then be able to find the data in the Search app by searching: </P> <P>index=botsv1 earliest=0 </P> <P>**edited to answer both questions. </P> Wed, 09 Oct 2019 14:40:53 GMT https://community.splunk.com/t5/Splunk-Search/Installing-Boss-of-the-SOC-BOTS-Investigation-Workshop/m-p/390734#M173864 mstephenson716 2019-10-09T14:40:53Z