Splunk have several "Boss of the SOC" datasets, simulating a security incident - think of it as a Blue Team/SIEM-based CTF. This is my write-up for BOTSv3, at the time of writing the most recent dataset available. It seems that Taedonggang, a North Korean group, have attacked Frothly, a beer maker...

The official BOTSv3 page is here: https://github.com/splunk/botsv3

This post can also be found on my website:

https://www.jamesgibbins.com/cybersecurity/articles/botsv3/

Or available as a PDF:

BOTSv3.pdf

Info

• I used the downloadable BOTS VM from CyberDefenders - https://cyberdefenders.org/labs/8. Much easier than installing it all manually!
• As the dataset only includes the BOTSv3 data, all searches have index=botsv3 omitted.
• Answers are not hidden. I think the process is more important than finding the correct answer, in this case.
• After completing the questions and this writeup, I went back to do some more discovery. These are found in the Bonus sections of related questions.

Initial Recon

Events

| eventcount index=botsv3: 2,030,269 events

index=botsv3: 2,798,824 events

Timeline