Hands-on blue-team investigations from real-world Splunk BOTS (Boss of the SOC) attack simulations.
Step-by-step threat hunting, SPL breakdowns, detection logic, and analyst methodology.
- About BOTS
- What This Repository Contains
- Methodology Used
- Repository Structure
- Example SPL Query
- Skills Demonstrated
- Prerequisites
- Progress
- Contributing
- Connect With Me
- Why This Repository Exists
## About BOTS

Boss of the SOC (BOTS) is a blue-team CTF-style challenge created by Splunk.
It simulates realistic enterprise attack scenarios where analysts must investigate logs using:
- Splunk Enterprise
- Splunk Enterprise Security (ES)
- SPL (Search Processing Language)
Participants analyze datasets, detect attacker behavior, pivot on indicators, and answer forensic-style questions — just like a real SOC analyst.
## What This Repository Contains

For each BOTS challenge, I document:
- 🔍 Full investigation workflow
- 🧠 SPL queries used
- 📊 Evidence correlation & analysis
- 🛡 Detection logic explanation
- 🏁 Final answers with reasoning
- 📝 Lessons learned & defensive insights
This repository is structured as a SOC analyst notebook, not just final answers.
## Methodology Used

Each investigation follows a structured blue-team process:
- Understand the objective and scope
- Identify relevant indexes and sourcetypes
- Narrow timeframe based on suspected activity
- Pivot on indicators (IP, username, hash, process, domain, etc.)
- Build & refine SPL queries
- Validate findings with supporting evidence
- Document detection logic and response considerations
This mirrors real-world practice in:
- Threat Hunting
- Incident Investigation
- Detection Engineering
- Log Correlation
## Repository Structure

```text
.
└── Getting Started with Splunk for Security/
    └── botsv1_getting_started.md
```
Each folder represents a course or BOTS module.
Each markdown file contains:
- Challenge overview
- Step-by-step analysis
- SPL queries
- Evidence findings
- Final answers with explanation
## Example SPL Query

```spl
index=botsv1 sourcetype=wineventlog EventCode=4624
| stats count by Account_Name
| sort -count
```
Example use case: Detecting authentication patterns and identifying suspicious login behavior.
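Building on the query above, here is an added example that is not part of the repository's write-ups: it pairs failed logons (EventCode 4625) with successful ones (EventCode 4624) per account and keeps only accounts that eventually succeeded after many failures, the classic brute-force-then-success pattern. It assumes the default Windows event log field extractions (`Source_Network_Address`, `Logon_Type`, and a multivalue `Account_Name` whose last value is the target account) and an assumed threshold of 10 failures that should be tuned against the dataset.

```spl
index=botsv1 sourcetype=wineventlog (EventCode=4624 OR EventCode=4625)
| eval user=mvindex(Account_Name, -1)
| where NOT like(user, "%$") AND user!="ANONYMOUS LOGON"
| eval outcome=if(EventCode=4624, "success", "failure")
| stats count(eval(outcome="failure")) AS failures
        count(eval(outcome="success")) AS successes
        dc(Source_Network_Address) AS distinct_sources
        values(Logon_Type) AS logon_types
        min(_time) AS first_seen
        max(_time) AS last_seen
    BY user
| where failures >= 10 AND successes >= 1
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -failures
```

The `mvindex` step matters because 4624/4625 events carry two `Account_Name` values (the subject and the target), and the `like` filter drops computer accounts ending in `$` so service noise does not dominate the results.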
## Skills Demonstrated

- Threat Hunting
- Blue Team Analysis
- SOC Investigation Workflow
- Detection Engineering
- Log Correlation
- Incident Response Methodology
- SPL Optimization
- Analytical Documentation
## Prerequisites

To follow along, you should have:
- Access to BOTS datasets
- Basic familiarity with SPL
- A working Splunk environment (Enterprise or ES)
- Fundamental understanding of SOC investigations
This repository focuses on analysis and methodology — not Splunk installation setup.
## Progress

- ✅ Getting Started with Splunk for Security
- ⬜ Additional BOTS Challenges (In Progress)
Repository will be updated as new challenges are completed.
## Contributing

If you have:
- Alternative SPL approaches
- Improved detection logic
- Optimization suggestions
- Additional pivot strategies
Feel free to open an issue or submit a pull request.
Collaboration improves detection thinking.
## Connect With Me

If you're also working on BOTS or interested in blue-team investigations, feel free to connect.
## Why This Repository Exists

This project serves as:
- A documented blue-team learning journey
- A practical demonstration of SOC investigation skills
- A public portfolio of detection engineering methodology
- A reference for other analysts working through BOTS
