
Installing Boss of the SOC (BOTS) Investigation Workshop

therevenant
New Member

Despite the number of links:
https://www.splunk.com/blog/2018/05/25/boss-of-the-soc-bots-investigation-workshop-for-splunk.html

One first installs the app:

https://splunkbase.splunk.com/app/3985/

You are then directed to Copy/Move the entire extracted BOTS directory into the $SPLUNK_HOME/etc/apps directory.

How can I find the exact path for my own environment? This directory does not appear to exist.

and secondly the dataset:

http://explore.splunk.com/BOTS_1_0_datasets

For which you must register. It will take you to a GitHub link. Then what?


mstephenson716
Explorer

I believe that by default, if you didn't customize your installation, the home paths are:

Windows
C:\Program Files\Splunk

e.g., C:\Program Files\Splunk\etc\apps

Linux
/opt/splunk

e.g., /opt/splunk/etc/apps

So if I'm understanding correctly, you would put that app in one of these directories.

Where the BOTS1.0 data set is concerned you would install the prerequisite apps, download the data that you want to explore, either the attack only or the full data set. I would recommend, like they do, using the app pre-indexed data set. Also extract this app and place it in the apps folder, and restart Splunk.

You should then be able to find the data in the Search app by searching:

index=botsv1 earliest=0

**edited to answer both questions.

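As an added example that is not part of either post above, the following POSIX shell functions locate `$SPLUNK_HOME` the way the answer describes (environment variable, then the `splunk` binary on `PATH`, then the `/opt/splunk` default) and copy an extracted app directory into `etc/apps`, checking that it looks like a Splunk app. The app directory name `bots_workshop` used in the comments is an assumed placeholder, not the real name of the Splunkbase package.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk. Finds the Splunk
# home directory and installs an extracted app directory into etc/apps.

# Print $SPLUNK_HOME on stdout, or return 1 if it cannot be determined.
find_splunk_home() {
  # 1. An explicit SPLUNK_HOME that actually contains bin/splunk wins.
  if [ -n "$SPLUNK_HOME" ] && [ -x "$SPLUNK_HOME/bin/splunk" ]; then
    printf '%s\n' "$SPLUNK_HOME"
    return 0
  fi
  # 2. The splunk binary on PATH lives in $SPLUNK_HOME/bin.
  bin=$(command -v splunk 2>/dev/null)
  if [ -n "$bin" ]; then
    printf '%s\n' "$(cd "$(dirname "$bin")/.." && pwd)"
    return 0
  fi
  # 3. Default Linux install location mentioned in the answer.
  if [ -x /opt/splunk/bin/splunk ]; then
    printf '%s\n' /opt/splunk
    return 0
  fi
  echo "Splunk home not found; set SPLUNK_HOME explicitly" >&2
  return 1
}

# Copy an extracted app directory (e.g. ./bots_workshop, assumed name) into
# $SPLUNK_HOME/etc/apps and print the destination path. Warns if the copied
# directory lacks default/app.conf, which every Splunk app normally has.
install_app_dir() {
  src=$1
  [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
  home=$(find_splunk_home) || return 1
  [ -d "$home/etc/apps" ] || { echo "missing $home/etc/apps" >&2; return 1; }
  dest="$home/etc/apps/$(basename "$src")"
  cp -R "$src" "$dest" || return 1
  [ -f "$dest/default/app.conf" ] || \
    echo "warning: $dest has no default/app.conf" >&2
  printf '%s\n' "$dest"
}
```

After the copy, restart Splunk with `"$SPLUNK_HOME/bin/splunk" restart` so the app and its pre-indexed data are loaded before you try `index=botsv1 earliest=0`.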