Splunk have several "Boss of the SOC" datasets, simulating a security incident - think of it as a Blue Team/SIEM-based CTF. This is my write-up for BOTSv3, at the time of writing the most recent dataset available. It seems that Taedonggang, a North Korean group, have attacked Frothly, a beer maker...

The official BOTSv3 page is here: https://github.com/splunk/botsv3

This post can also be found on my website:

https://www.jamesgibbins.com/cybersecurity/articles/botsv3/

It is also available as a PDF:

BOTSv3.pdf

Info

Initial Recon

Events

`| eventcount index=botsv3` returns 2,030,269 events

A plain search of `index=botsv3` returns 2,798,824 events

Timeline