Great walk through. It makes a big difference to explain what you are doing with thought process AND with the commands breakdowns.
Super helpful, some really great tips for how to make better use of fieldsummary. Thanks very much for taking the time to make this!
Thank you for sharing! It was a perfect BOTS review. Look forward to more walkthroughs when you have time.
Thank you for putting so much time into the video. It was an excellent walk-through and I picked up several tips that I can use at my work and Splunk BOTS/Splunk BOO events.
It's very useful. Thank you so much! Waiting for next EP!
Excellent video! Very good approach to analyse data in splunk. Took a lot of notes!
Definitely interested, please do the next batch
this is very good content, hopefully you do other BOTS as well.
Thanks for your sharing!
Are you still around? Would love another Splunk searching video since I learned alot on this one
I made a bunch of "Shorts" for work, but have not gotten around to doing more videos yet. My plan in the future is to someday do TH-cam shorts for Splunk stuff. It should serve as better reference material than a 90 minute video like this, which takes forever to edit 😵💫
Do you have a video on how to set up the whole botsv3? I had issues with the add-ons.
Great video !!
Hey, thanks for the great video, but was there one for setup? I have the dataset in, but for the apps that aren't archived I'd like to make sure I get them in, and how do you make it look like the actual challenge?
I worked off the docs on the Github page here. The guide is really good, but the apps are not archived like you say.
github.com/splunk/botsv3
There were version dependencies expected in the docs that I also did not meet, and so my installation wasn't really perfect. I ended up uploading the questions and answers into a lookup and querying that, instead of using the scoring app, because I was not able to get the apps to play nice.
The focus of this video is primarily on analysis instead of setup, since there are other setup videos on TH-cam but I did not find any other videos on BOTS analysis :( If you are looking to explore the BOTS v3 dataset and answer those questions from an analyst perspective vice an admin perspective, having access to the Q&A CSVs inside of Splunk should do the job. If you are looking for a more immersive BOTS experience that more accurately represents what an in-person BOTS experience is like, I recommend their online BOTS experience here:
bots.splunk.com/
It is behind an auth wall, so you will need to login to Splunk. And also it is the BOTS v1 dataset instead of v3, but it would avoid you having to do any substantial setup.
@cwo1010 Thanks, I really appreciate all the great info. I got up and running with the CyberDefenders VM after all was said and done and it's been pretty good; they have v1, 2 and 3.
It's 2022, and I laboured high and low to figure out why "process_cpu_used_percent" wasn't working 38.00. I had to change it to "%_Processor_Time", which seems to yield the same results.
Awesome walkthrough! You use regex like it's a second language too. Any tips on how to get better at using it? I'm new to threat hunting and I've been trying to incorporate it more in my searches.
regexpal.com is a good resource for testing your regex. The best way I have found to get better at regex is to solve real world problems using regex. As the saying goes, "necessity is the mother of invention" and when you NEED regex to work to solve a problem, often times you'll improve your regex as you go.
In the context of Splunking, I would recommend using the "rex" command to extract out new values in your searches. Even if those values are unnecessary, the act of using regex to extract from your data will improve your regex ability. If those extractions should fail, they should be harmless if they were only "extra".
As for building regex, I find a catch-all strategy of "Not delimiters" works well in most situations as a universal tool. For example: "Match an alphanumeric string" versus "Match NOT [comma,single-quote,double-quote,whitespace]". This can be done like: "(\w+[^\,\'\"\s]*)". Similarly, "word boundaries" are great for that too (\b).
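The "not delimiters" catch-all and the word-boundary tip from the reply above, as an added example that is not part of the original comment thread. It uses Python's re module as a stand-in for Splunk's PCRE-based rex command (Splunk spells named groups (?<name>...), Python (?P<name>...)), and the events are constructed samples, not BOTSv3 data.

```python
import re

# Constructed key=value events (not from the BOTSv3 dataset), in the style rex is
# usually pointed at. Values contain '.', '-', '@' and quotes, which trip up \w+.
SAMPLE_EVENTS = [
    "user=john.doe@corp.example src=10.0.0.5 host=web-01.example.com action=login",
    "user='svc-backup' src=192.168.1.20,host=\"db-02.example.com\" action=logout",
    "user=admin src=10.0.0.9 host=dc01 action=login_failed",
]

FIELDS = ("user", "src", "host")


def naive_pattern(field):
    """'Match an alphanumeric string': \\w+ stops at the first '.', '-' or '@' and
    cannot even start on a quoted value."""
    return re.compile(rf"{field}=(?P<{field}>\w+)")


def not_delims_pattern(field):
    """'Match NOT delimiters': the page's (\\w+[^\\,\\'\\"\\s]*) after an optional
    opening quote, so the value runs until a comma, quote or whitespace."""
    return re.compile(rf"{field}=[\'\"]?(?P<{field}>\w+[^\,\'\"\s]*)")


def rex(event, pattern_for, fields=FIELDS):
    """Mimic `| rex field=_raw "..."` once per field; unmatched fields are absent,
    which is the 'harmless if they were only extra' behaviour the reply describes."""
    out = {}
    for field in fields:
        m = pattern_for(field).search(event)
        if m:
            out[field] = m.group(field)
    return out


def extract_naive(event):
    return rex(event, naive_pattern)


def extract(event):
    return rex(event, not_delims_pattern)


# Word boundaries: \blogin\b matches action=login but not action=login_failed,
# because '_' is a word character and so no boundary follows "login" there.
WHOLE_WORD_LOGIN = re.compile(r"\blogin\b")


def is_login_event(event):
    return bool(WHOLE_WORD_LOGIN.search(event))
```

Run extract() and extract_naive() side by side on SAMPLE_EVENTS to see the naive pattern truncate "john.doe@corp.example" to "john" and miss the quoted values entirely.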
@cwo1010 Nice! Thanks for the advice!
Is there a walkthrough for 2-200?
How would I set this up to run in a linux VM?
Hello, thank you for this instructive video ;)
I have the same problem as you, I can't submit questions in my ctf_scoreboard.
Do you have an idea of what's the problem? I also got a "404 Not Found" page :/
Thanks a lot!
How do you get the questions and answers?
According to www.splunk.com/en_us/blog/security/botsv3-dataset-released.html
"""
The BOTSv3.0 questions, answers, and hints are available too! Just send an email to bots[@]splunk.com, and we'll provide the download link.
"""
Please do the CyberDefenders QRadar walkthrough.
Thank you. I want to run this Splunk setup in a VM. Please, can you upload the VM from this video?
Spin up a Linux VM, install Splunk, then follow the directions on BOTS; it took me about 2 hours total to install all of it.
@c1ph3rpunk You don't need to install Splunk.
@davidbeiler6364 How come?
@c1ph3rpunk Do you have any good resources for how to do this? I am new to all of this but trying to set up and install it in a Linux VM.
@daniellej.300 The last time I did it I just followed the BOTS instructions: github.com/splunk/botsv3
Any Saxion students?