#splunk #splunk_bots #splunk_botsv1 #splunk_botsv2 #splunk_botsv3 #splunk_installation

## What is Splunk BOTS?

Splunk BOTS (Boss Of The SOC) is a (former) CTF (Capture The Flag) competition created and organized by Splunk. The main objective of this competition was to set up a fairly realistic environment containing lots of logs. Competitors had to run SPL (Splunk Processing Language) queries (among other things) against the environment to find the answers to the questions.

## Where to find the BOTS datasets?

Today, if you want to improve your Splunk skills and challenge yourself, you can find the three datasets here:

- [splunk/botsv1 (github.com)](https://github.com/splunk/botsv1)
- [splunk/botsv2: Splunk Boss of the SOC version 2 dataset. (github.com)](https://github.com/splunk/botsv2)
- [splunk/botsv3: Splunk Boss of the SOC version 3 dataset. (github.com)](https://github.com/splunk/botsv3)

## Installation

Prerequisite:

- A server with Splunk installed

### Step 1 - Download dataset

The first thing to do is to download the BOTS version you want to install:

- [splunk/botsv1 (github.com)](https://github.com/splunk/botsv1)
- [splunk/botsv2: Splunk Boss of the SOC version 2 dataset. (github.com)](https://github.com/splunk/botsv2)
- [splunk/botsv3: Splunk Boss of the SOC version 3 dataset. (github.com)](https://github.com/splunk/botsv3)

![[Screenshot 2024-06-03 191202.png]]

### Step 2 - Connect to Splunk (SSH)

This will depend on your installation. If Splunk is installed in a virtual machine (VirtualBox or VMware), you can simply create a shared folder and place the dataset there. The second solution (my favorite) is to use [FileZilla - The free FTP solution (filezilla-project.org)](https://filezilla-project.org/) to connect to the machine and place the archive on it.

![[Screenshot 2024-06-03 191749 1.png]]

- **Host**: The IP address of your Splunk server
- **Username**: The username used to connect to the machine
- **Password**: The user's password
- **Port**: 22

### Step 3 - Final step

Once the archive has been transferred to our Splunk server, we'll decompress it. To do this, log on to the machine's console and type:

```bash
sudo tar -xvf /home/user/botsv2_data_set.tgz -C /opt/splunk/etc/apps
```

> Note that the `/home/user/` and `/opt/splunk/etc/apps` folders may be different in your environment.

When the archive has been successfully decompressed into the folder (this may take some time), restart Splunk:

```bash
sudo /opt/splunk/bin/splunk restart
```

Et voilà, it's installed! You can now consult the index and see that BOTS has been installed:

![[Pasted image 20240603212903.png]]

## Training

I wouldn't want to put my own content in the spotlight, but I've recently created a web page to train you with BOTS v1, v2 and v3. It's available at the following address: [SecuriTricks - Splunk Bots](https://securitricks.com/splunkbots)

On this platform you can:

- Select the Splunk BOTS version
- Select a question
- Test your answers
- Select hints and the answer if you can't find the answer to the question

Have fun!
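As an added example (not part of the original note or of Splunk's own tooling), the Step 3 procedure wrapped in a small shell function that checks the archive before extracting it and only calls the Splunk binary if it is present. The function name `install_bots` and its arguments are assumptions; the paths are passed in rather than hard-coded.

```bash
#!/bin/sh
# install_bots ARCHIVE APPS_DIR [SPLUNK_BIN]
# Hypothetical helper: extract a BOTS dataset archive into the Splunk apps
# directory (Step 3) with sanity checks, then restart Splunk if available.
install_bots() {
    archive="$1"
    apps_dir="$2"
    splunk_bin="${3:-/opt/splunk/bin/splunk}"   # assumed default install path

    # Refuse to continue if the archive is missing or is not a readable tarball.
    [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }
    tar -tzf "$archive" >/dev/null 2>&1 \
        || { echo "not a valid .tgz archive: $archive" >&2; return 1; }

    # The dataset is packaged as Splunk app folders; list the top-level
    # directories so the operator sees what will land in the apps directory.
    apps=$(tar -tzf "$archive" | cut -d/ -f1 | sort -u)
    echo "apps in archive:"
    echo "$apps"

    [ -d "$apps_dir" ] || { echo "apps dir not found: $apps_dir" >&2; return 1; }
    tar -xzf "$archive" -C "$apps_dir" || return 1
    echo "extracted into $apps_dir"

    # Restart Splunk only when the binary exists (skipped on a plain test host).
    if [ -x "$splunk_bin" ]; then
        "$splunk_bin" restart
    else
        echo "splunk binary not found at $splunk_bin, restart it manually" >&2
    fi
    return 0
}
```

Run it as `sudo sh -c '. ./install_bots.sh; install_bots /home/user/botsv2_data_set.tgz /opt/splunk/etc/apps'`, adjusting the paths to your environment as the note above says.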