This repository hosts personal, comprehensive walkthrough solutions for Splunk's Boss of the SOC (BOTS) CTF-style labs.
It will eventually be updated to cover all BOTS events.
- Splunk BOTSv1 (completed) ✅
- Splunk BOTSv2 (completed) ✅
- Splunk BOTSv3 (completed) ✅
- If you find yourself stuck for an extended period of time, try walking away, sleeping on it, and coming back with fresh eyes. There were instances where I would return to a previous question and have a new perspective on how to logically approach the solution.
- There is no shame in needing help and using other people's walkthroughs to reverse engineer a solution. The most important thing is that you genuinely understand the solution and could implement it yourself if you came across a similar problem next time. You can learn a lot by working backwards.
- There is no single SPL query solution. There are several ways to arrive at the correct answer, so experiment with different approaches and ask yourself "how else could I have found the answer?". Being able to come up with multiple approaches from different perspectives is a sign that you genuinely understand the material.
- It's okay to use the provided hints, which often suggest a sourcetype or a specific type of activity to query. Unless you're already familiar with the sourcetypes and log data, a big part of the Splunk BOTS experience is exploring and learning what the different sourcetypes are and what the fields they contain mean. Before you can find the solution, you need to absorb and understand the context of the question and the environment.
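As an added example (not part of this repository's walkthroughs), the searches below show the two habits above in SPL: inventorying an index's sourcetypes and fields before touching a question, and answering the same question from more than one data source so the results can be cross-checked. The index name `botsv1`, the sourcetypes `stream:http` and `suricata`, and the field names `src_ip`, `dest_ip` and `alert.signature` are assumptions that follow the dataset's usual naming; confirm them with the `fieldsummary` search before relying on them. Run each search separately in the search bar.

```spl
| tstats count WHERE index=botsv1 BY sourcetype ```Step 1: inventory the index. tstats reads indexed fields only, so this is fast even on a large dataset```
| sort - count

| metadata type=sourcetypes index=botsv1 ```Same inventory with the first and last event time per sourcetype, useful for scoping the time picker```
| table sourcetype totalCount firstTime lastTime
| convert ctime(firstTime) ctime(lastTime)

index=botsv1 sourcetype="stream:http" ```Step 2: learn the fields of one sourcetype before querying it. Sourcetype name is assumed; use one from Step 1```
| fieldsummary maxvals=5 ```count, distinct_count and sample values tell you which fields are worth pivoting on```
| table field count distinct_count values
| sort - count

index=botsv1 sourcetype="stream:http" ```Approach A: which client talks to which server most, from the wire data. Field names assumed```
| stats count AS requests BY src_ip dest_ip
| sort - requests
| head 5

index=botsv1 sourcetype=suricata event_type=alert ```Approach B: the same question from the IDS point of view. alert.signature is the Suricata EVE field name```
| stats count AS alerts dc(alert.signature) AS distinct_signatures BY src_ip dest_ip
| sort - alerts
| head 5

index=botsv1 (sourcetype="stream:http" OR sourcetype=suricata) ```Approach C: one search over both sources. A client that tops both columns is a much stronger answer than one that tops only one```
| chart count OVER src_ip BY sourcetype
| addtotals fieldname=total
| sort - total
| head 5
```

If approaches A and B disagree, that is not a failure; it is the point of the exercise. Look at the raw events behind each count and work out why one source saw something the other did not, and you will understand the environment far better than a single lucky query would have taught you.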