So I just left the North American Boss of the SOC event and overall it was an amazing experience. I was challenged, I learned a few things and I got cookies.
I just wanted to toss some of my thoughts on a blog before I called it a day.
For those unfamiliar Boss of the SOC (BOTS) is a premier Blue Team security event put on and designed by Splunk centered around their product showcase. It's half Splunk showcase and half threat hunting skills.
Here is how they pitch it
You’ve heard of Boss of the SOC (BOTS) and now it’s time to test your skills against the top Splunk security experts from cities across North America! Even if you are new to Splunk or security, this event has something to offer. BOTS is the best place to see where you stand, understand how you can improve, and learn how to investigate real-world incidents in a safe, fun, and competitive environment.
And who knows, you might even have what it takes to become the next Boss of the SOC!
Already attended a BOTS event? This is a brand-new question set based off Boss of the SOC version 3 dataset. Even if you attended .conf18 or a BOTS event since then, this will be a new experience!
Not sure if BOTS is right for you?
Check out this blog to learn everything you need to know about BOTS.
Prerequisites:
Basic experience with Splunk.
Need to brush up before the event? See our tips below
Basic security investigation knowledge.
Need to brush up before the event?
See our tips belowA laptop computer equipped with WIFI and running a supported web browser
Need to brush up on your Splunk or security skills?
Check out our Hunting With Splunk blog series
Take advantage of Free Splunk Fundamentals 1 Training
Practice your Splunk hunting with prior versions of BOTS
Stand up your own BOTS environment and practice
Registration
Registration is required for all team members and is free, space is limited, no walk-insPlease register with an email that you can access on the day of eventContestants are encouraged to register in teams of up to four for the best experience
More questions?
Contact us at BOTS@splunk.com
The Good - Real World Commands: BOTS allows to apply your analytic skills to PRACTICAL problems. Instead of memorizing trivial commands, BOTS gamifies the commands and problems. This really lets their use cases sink in.
Real world use cases: BOTS team bases their challenges off real world problems they have run into. Where no single off the shelf security security solution has all the answers. The Bad - Team building: What happens when 6 for 6 of you coworkers don't show? Well you're on you own! Too bad for me, but the life of a Splunk admin is alas - a lonely one.
The Cloud: You had better have a VERY solid understanding of OS provisioning and AWS Cloud services fort his version of the BOTS. While the prerequisites were pitched as basics, I'd say it's more intermediate to advanced in the latest version of the BOTS data set.
What I'd change? Splunk is moving to their SOAR model. Which I have nothing against, but it made the challenges of BOTS VERY diverse. Going from Splunk Core, Splunk SIEM, Splunk Phantom and Splunk UBA solutions. It's just too much for one day. I'd like to see them focus on more. Perhaps toggle options to turn and off technology sets that might not be applicable to everyone.
More fundamental questions more "100" series. I felt like the learning curve was pretty heavy.
Random thoughts - I'd like to see as part of a custom training solution for Splunk ES customers as custom BOTS event based around the types of data and problems that customer is going to deal with.
