Splunk Boss of the SOC (BOTS) Competition Write Up

CyberQueenMeg
2 min read · Dec 30, 2024


Back in November, I competed in Splunk’s Boss of the SOC (BOTS) Southwest region competition with some of my colleagues at Grand Canyon University, and we won 2nd place against teams from all across Arizona, New Mexico, and Texas.

BOTS is the defensive security equivalent of offensive security Capture the Flag (CTF) competitions. We had four hours to complete as many challenges and gain as many points as possible. All activities took place in the Splunk ecosystem. Splunk (now owned by Cisco Systems) is a security platform that offers log collection and management; an advanced SIEM (Security Information & Event Management) platform that enables analysts to look at network events and identify incidents; an advanced SOAR (Security Orchestration, Automation & Response) platform that allows analysts to set up playbooks to streamline the incident response process; and much more.

I focused my efforts on solving problems using Splunk’s SOAR solution. These problems gave me sets of related incidents to solve utilizing the automation features in Splunk’s SOAR platform. I cannot get into the specific problems because this version of BOTS is still active, but the incidents I had to resolve using playbooks in the SOAR platform were mostly related to phishing emails.

I also solved some problems related to an incident on a cloud website as well as problems requiring me to create and execute queries in the SIEM to find logs and extract data.

I learned a lot during this process about Splunk, practical SIEM and SOAR applications, teamwork, and more! Check out the responses about my experience that I submitted to the Splunk team below!

Special thanks to my teammates (Dylan, Crofton, & Alex), Mike Manrod & Ajay Joshi for encouraging our participation, Chris Perkins and the rest of the Splunk Team, and Grand Canyon University’s Cyber Center of Excellence for this opportunity!


Written by CyberQueenMeg

GCU ‘25. DFIR Intern @ Cisco, Cybersecurity/tech nerd, musician (violin, piano, & guitar), Christian, and bug bounty hunter.
