SPL202: Ingesting the BoTSv3 Data (15 pts)

What you need:

Getting a Splunk Account

In a Web browser, go to https://www.splunk.com/

If you don't have an account, click the head at the top right and create one.

Downloading Apps

First download the files for each of these apps from the Splunkbase links below. Each app is a separate .tgz file, such as "aws-guardduty_219.tgz".

AWS GuardDuty (Restart required)
Cisco Endpoint Security Analytics (CESA) -- USE FIRST ONE
Code42 for Splunk (Legacy) (Restart required, Set up later)
TA for Code42 App For Splunk (Restart required)
Splunk Add-on for Cisco ASA
Splunk Add-on for Microsoft Cloud Services
Splunk Add-on for Microsoft Office 365
Splunk Add-on for Microsoft Windows
Splunk Add-on for Symantec Endpoint Protection
Splunk Add-on for Tenable Unavailable -- SKIP
Splunk Add-on for Unix and Linux (Set up later)
Splunk Common Information Model
Splunk Stream Add-on
VirusTotal Workflow Actions for Splunk
URL Toolbox
DecryptCommands
Microsoft Azure Active Directory Reporting Add-on for Splunk
Microsoft 365 App for Splunk
Splunk Add-on for Microsoft Office 365 Reporting Web Service
Splunk Add-On for Microsoft Sysmon
osquery App for Splunk
Splunk Add-on for Amazon Web Services (AWS)
Splunk ES Content Update
SA-cim_vladiator

Installing Apps

On the Splunk home page, at the top left, in the Apps section click Manage, as shown below.

On the Apps page, at the top right, click the "Install app from file" button.

Click the "Choose File" button. Navigate to the .tgz file you downloaded and double-click it.

Click the Upload button.

Repeat these actions for each app on the list above.

Installing the botsv3 Data

In an SSH shell on your Red Hat server, execute these commands to download and install the data from "Boss of the SOC v3", a training product from Splunk.

sudo wget -P /opt/ https://botsdataset.s3.amazonaws.com/botsv3/botsv3_data_set.tgz
sudo tar zxvf /opt/botsv3_data_set.tgz -C /opt/splunk/etc/apps/
sudo chown -R splunk /opt/splunk
sudo reboot
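The tar command above runs as root and writes wherever the archive's member names point, so a .tgz whose members are absolute paths or contain ".." would land outside /opt/splunk/etc/apps. The script below is an added example (not part of the lab page or of Splunk's own tooling) that lists an archive's members, refuses it if any member is unsafe, and otherwise extracts it with the same "-C" destination the lab uses. It assumes a POSIX sh with tar and gzip on the path; the demo archive it builds and the botsv3 layout inside it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original lab): check the member paths of a
# downloaded .tgz before extracting it as root under /opt/splunk/etc/apps.
# A member named "/etc/passwd" or "../../etc/cron.d/x" would be written
# outside the apps directory by "tar -C". Assumes POSIX sh, tar and gzip.

# member_path_ok NAME: 0 if NAME is relative and has no ".." path component.
member_path_ok() {
    case "$1" in
        /*)                  return 1 ;;   # absolute path
        ..|../*|*/..|*/../*) return 1 ;;   # parent-directory traversal
        *)                   return 0 ;;
    esac
}

# check_member_list: reads one member name per line on stdin, reports every
# unsafe one on stderr, and returns 0 only if all of them are safe.
check_member_list() {
    rc=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! member_path_ok "$name"; then
            echo "rejected member: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# safe_extract ARCHIVE DEST: list the archive, refuse it if any member is
# unsafe, otherwise extract into DEST the way the lab's tar command does.
safe_extract() {
    archive=$1
    dest=$2
    members=$(tar -tzf "$archive") || { echo "cannot read $archive" >&2; return 2; }
    if printf '%s\n' "$members" | check_member_list; then
        tar -xzf "$archive" -C "$dest"
    else
        echo "refusing to extract $archive into $dest" >&2
        return 1
    fi
}

# demo: build a harmless constructed archive in a temp dir, run it through
# safe_extract, then show a constructed bad member list being rejected.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/botsv3_data_set/default" "$work/apps"
    echo '[botsv3]' > "$work/src/botsv3_data_set/default/indexes.conf"
    tar -czf "$work/good.tgz" -C "$work/src" botsv3_data_set
    safe_extract "$work/good.tgz" "$work/apps" && echo "extracted OK"
    printf 'botsv3_data_set/x\n../../etc/cron.d/job\n' | check_member_list \
        || echo "bad list rejected as expected"
    rm -rf "$work"
}
```

To use it on the real download, source the script and run `safe_extract /opt/botsv3_data_set.tgz /opt/splunk/etc/apps/` under sudo in place of the bare tar line; `demo` exercises both the accept and reject paths without touching /opt. The check is deliberately a string test on the member list rather than a tar option, so it behaves the same with GNU tar and bsdtar.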
When the server restarts, open the Splunk Web page.

At the top left, click "Search & Reporting".

Perform this search:

index="botsv3" earliest=0
It will slowly find more and more events, as the server processes the data.

Wait until you see the same number of events shown in the image below.

SPL 202.1: Most Common Sourcetype (15 pts)

Perform this search:

index="botsv3" earliest=0 sourcetype=* | stats count by sourcetype

When the search finishes, at the top right of the results, click the count header to sort by count, with the largest count on top.

The flag is covered by a green box in the image below.

Sources

Boss of the SOC (BOTS) Dataset Version 3

Posted 9-25-23
Date-changing cron job information removed 9-28-23