├── LICENSE
└── README.md

/LICENSE:
--------------------------------------------------------------------------------
CC0 1.0 Universal

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator and
subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the
purpose of contributing to a commons of creative, cultural and scientific
works ("Commons") that the public can reliably and without fear of later
claims of infringement build upon, modify, incorporate in other works, reuse
and redistribute as freely as possible in any form whatsoever and for any
purposes, including without limitation commercial purposes. These owners may
contribute to the Commons to promote the ideal of a free culture and the
further production of creative, cultural and scientific works, or to gain
reputation or greater distribution for their Work in part through the use and
efforts of others.

For these and/or other purposes and motivations, and without any expectation
of additional consideration or compensation, the person associating CC0 with a
Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
and publicly distribute the Work under its terms, with knowledge of his or her
Copyright and Related Rights in the Work and the meaning and intended legal
effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not limited
to, the following:

i. the right to reproduce, adapt, distribute, perform, display, communicate,
and translate a Work;

ii. moral rights retained by the original author(s) and/or performer(s);

iii. publicity and privacy rights pertaining to a person's image or likeness
depicted in a Work;

iv. rights protecting against unfair competition in regards to a Work,
subject to the limitations in paragraph 4(a), below;

v. rights protecting the extraction, dissemination, use and reuse of data in
a Work;

vi. database rights (such as those arising under Directive 96/9/EC of the
European Parliament and of the Council of 11 March 1996 on the legal
protection of databases, and under any national implementation thereof,
including any amended or successor version of such directive); and

vii. other similar, equivalent or corresponding rights throughout the world
based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of,
applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
and Related Rights and associated claims and causes of action, whether now
known or unknown (including existing as well as future claims and causes of
action), in the Work (i) in all territories worldwide, (ii) for the maximum
duration provided by applicable law or treaty (including future time
extensions), (iii) in any current or future medium and for any number of
copies, and (iv) for any purpose whatsoever, including without limitation
commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
the Waiver for the benefit of each member of the public at large and to the
detriment of Affirmer's heirs and successors, fully intending that such Waiver
shall not be subject to revocation, rescission, cancellation, termination, or
any other legal or equitable action to disrupt the quiet enjoyment of the Work
by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be
judged legally invalid or ineffective under applicable law, then the Waiver
shall be preserved to the maximum extent permitted taking into account
Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
is so judged Affirmer hereby grants to each affected person a royalty-free,
non transferable, non sublicensable, non exclusive, irrevocable and
unconditional license to exercise Affirmer's Copyright and Related Rights in
the Work (i) in all territories worldwide, (ii) for the maximum duration
provided by applicable law or treaty (including future time extensions), (iii)
in any current or future medium and for any number of copies, and (iv) for any
purpose whatsoever, including without limitation commercial, advertising or
promotional purposes (the "License"). The License shall be deemed effective as
of the date CC0 was applied by Affirmer to the Work. Should any part of the
License for any reason be judged legally invalid or ineffective under
applicable law, such partial invalidity or ineffectiveness shall not
invalidate the remainder of the License, and in such case Affirmer hereby
affirms that he or she will not (i) exercise any of his or her remaining
Copyright and Related Rights in the Work or (ii) assert any associated claims
and causes of action with respect to the Work, in either case contrary to
Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

a. No trademark or patent rights held by Affirmer are waived, abandoned,
surrendered, licensed or otherwise affected by this document.

b. Affirmer offers the Work as-is and makes no representations or warranties
of any kind concerning the Work, express, implied, statutory or otherwise,
including without limitation warranties of title, merchantability, fitness
for a particular purpose, non infringement, or the absence of latent or
other defects, accuracy, or the present or absence of errors, whether or not
discoverable, all to the greatest extent permissible under applicable law.

c. Affirmer disclaims responsibility for clearing rights of other persons
that may apply to the Work or any use thereof, including without limitation
any person's Copyright and Related Rights in the Work. Further, Affirmer
disclaims responsibility for obtaining any necessary consents, permissions
or other rights required for any use of the Work.

d. Affirmer understands and acknowledges that Creative Commons is not a
party to this document and has no duty or obligation with respect to this
CC0 or use of the Work.

For more information, please see

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Boss of the SOC (BOTS) Dataset Version 2
A sample security dataset and CTF platform for information security professionals, researchers, students, and enthusiasts. This page hosts information regarding the version 2 *dataset*. If you would like access to the scoreboard software, please visit [the CTF Scoreboard Github repository](https://github.com/splunk/SA-ctf_scoreboard). If you are looking for the BOTS version 1 dataset, it can be found [here](https://github.com/splunk/botsv1).

## Download

| Dataset | Description | Size | Format | MD5 |
| ---------------- | ----------- | ---- | ------ | --- |
| [BOTS V2 Dataset](https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set.tgz) | Full BOTSv2 dataset. | 16.4GB | Pre-indexed Splunk | fd2673726c96e97a39fc03119d6686c6 |
| [BOTS V2 Dataset (Attack Only)](https://s3.amazonaws.com/botsdataset/botsv2/botsv2_data_set_attack_only.tgz) | BOTSv2 "attack-only" dataset. This dataset contains minimal non-attack-related (aka "clean") data. It's everything you need and nothing you don't! | 3.2GB | Pre-indexed Splunk | 6ea8f15cc4ccf6186db7a31415c09c58 |

Note: Choose *either* the full dataset *or* the attack-only dataset. You cannot install them both simultaneously. The BOTS V2 Dataset is a superset of the BOTS V2 Attack Only Dataset.

## Installation
1. Download the dataset file indicated above and check the MD5 hash to ensure integrity.
2. Install Splunk Enterprise and the apps/add-ons listed in the *Required Software* section below. It is important to match the specific version of each app and add-on.
3. Unzip/untar the downloaded file into $SPLUNK_HOME/etc/apps
4. Restart Splunk
5. The BOTS v2 data will be available by searching:

```
index=botsv2 earliest=0
```
6. Note that because the data is distributed in a pre-indexed format, there are no volume-based licensing limits to be concerned with.
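The following script ties installation steps 1 and 3 together: it checks a downloaded archive against the MD5 published in the Download table and unpacks it into `$SPLUNK_HOME/etc/apps` only when the hash matches. It is an example added to this page, not a script from the botsv2 repository; the function names (`md5_of`, `verify_md5`, `install_dataset`), the fallback from `md5sum` to `md5` and `openssl`, and the default `SPLUNK_HOME` of `/opt/splunk` are the example's own assumptions. The two expected hashes are copied from the table above. A matching MD5 tells you the download was not corrupted or truncated; it is not a defence against a deliberately substituted archive, since MD5 is not collision resistant and the hash is published over the same channel as the file.

```shell
#!/bin/sh
# Verify a BOTSv2 archive against its published MD5, then unpack it into
# $SPLUNK_HOME/etc/apps. Added example, not part of the botsv2 repository.
set -eu

# Expected hashes, copied from the README's Download table.
BOTSV2_FULL_MD5="fd2673726c96e97a39fc03119d6686c6"
BOTSV2_ATTACK_ONLY_MD5="6ea8f15cc4ccf6186db7a31415c09c58"

# Print the MD5 of a file using whichever tool the host provides
# (GNU md5sum, BSD/macOS md5, or openssl as a last resort).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Return 0 when the file's MD5 equals the expected value, 1 otherwise.
verify_md5() {
    actual="$(md5_of "$1")"
    [ "$actual" = "$2" ]
}

# install_dataset ARCHIVE EXPECTED_MD5 [SPLUNK_HOME]
# Refuses to unpack an archive whose hash does not match (step 1), then
# untars it into $SPLUNK_HOME/etc/apps (step 3). The /opt/splunk default
# is an assumption of this example; set SPLUNK_HOME for your install.
install_dataset() {
    archive="$1"
    expected="$2"
    splunk_home="${3:-${SPLUNK_HOME:-/opt/splunk}}"
    if ! verify_md5 "$archive" "$expected"; then
        echo "MD5 mismatch for $archive; refusing to install" >&2
        return 1
    fi
    mkdir -p "$splunk_home/etc/apps"
    tar -xzf "$archive" -C "$splunk_home/etc/apps"
    echo "installed $archive into $splunk_home/etc/apps"
    echo "restart Splunk, then search: index=botsv2 earliest=0"
}

# Usage for the full dataset (commented out so the file can be sourced):
# install_dataset botsv2_data_set.tgz "$BOTSV2_FULL_MD5"
# For the attack-only dataset:
# install_dataset botsv2_data_set_attack_only.tgz "$BOTSV2_ATTACK_ONLY_MD5"
```

Run it with `SPLUNK_HOME` exported (or pass the path as the third argument) after downloading one of the two archives; because the README says the full and attack-only datasets cannot coexist, install only one of them.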

## Data Sourcetypes included
* access_combined
* activedirectory
* apache:error
* apache_error
* auditd
* bandwidth
* collectd
* cpu
* csp-violation
* df
* ess_content_importer
* hardware
* interfaces
* iostat
* lastlog
* linux:selinuxconfig
* linux_audit
* linux_secure
* ms:o365:management
* msad:nt6:health
* msad:nt6:siteinfo
* mysql:connection:stats
* mysql:database
* mysql:errorlog
* mysql:instance:stats
* mysql:server:stats
* mysql:status
* mysql:table_io_waits_summary_by_index_usage
* mysql:tablestatus
* mysql:transaction:details
* mysql:transaction:stats
* mysql:user
* mysql:variables
* mysqld-8
* netstat
* openports
* osquery_info
* osquery_results
* osquery_warning
* package
* pan:system
* pan:threat
* pan:traffic
* perfmon:cpu
* perfmon:logicaldisk
* perfmon:memory
* perfmon:network
* perfmon:network_interface
* perfmon:ntds
* perfmon:physicaldisk
* perfmon:process
* perfmon:processor
* perfmon:system
* powershell:scriptexecutionsummary
* protocol
* ps
* script:installedapps
* script:listeningports
* stream:arp
* stream:dhcp
* stream:dns
* stream:ftp
* stream:http
* stream:icmp
* stream:ip
* stream:irc
* stream:ldap
* stream:mysql
* stream:smb
* stream:smtp
* stream:tcp
* stream:udp
* suricata
* symantec:ep:agent:file
* symantec:ep:agt_system:file
* symantec:ep:behavior:file
* symantec:ep:packet:file
* symantec:ep:scan:file
* symantec:ep:scm_system:file
* symantec:ep:security:file
* symantec:ep:traffic:file
* syslog
* time
* top
* unix:listeningports
* unix:service
* unix:update
* unix:uptime
* unix:useraccounts
* unix:version
* userswithloginprivs
* vmstat
* web_ping
* weblogic_access_combined
* weblogic_stdout
* who
* windowsupdatelog
* wineventlog:application
* wineventlog:directory-service
* wineventlog:security
* wineventlog:system
* winhostmon
* winregistry
* xmlwineventlog:microsoft-windows-sysmon/operational

## Required Software
The dataset requires the following software which is distributed and licensed separately
and should be installed before using the dataset. The versions listed are
those that were used to create the dataset. Different versions of the software
may or may not work properly. If you are new to Splunk, follow [these instructions](http://docs.splunk.com/Documentation/Splunk/latest/Installation/Whatsinthismanual) to install the free Splunk Enterprise trial and [these instructions](https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall) to install apps and add-ons.

| App / Add-on | Version | Download |
| ----------- | ------- | -------- |
| Splunk Enterprise | 7.2.1 | http://www.splunk.com |
| SA-Investigator | 1.3.1 | https://splunkbase.splunk.com/app/3749/ |
| Base64 | 1.1 | https://splunkbase.splunk.com/app/1922/ |
| URL Toolbox | 1.6 | https://splunkbase.splunk.com/app/2734/ |
| Splunk Security Essentials | 2.3.0 | https://splunkbase.splunk.com/app/3435/ |
| JellyFisher | 0.1.0 | https://splunkbase.splunk.com/app/3626/ |
| Splunk Common Information Model | 4.12.0 | https://splunkbase.splunk.com/app/1621/ |
| Splunk Add-on for Apache | 1.0.0 | https://splunkbase.splunk.com/app/3186/ |
| Splunk Add-on for Microsoft Cloud Services | 2.0.3 | https://splunkbase.splunk.com/app/3110/ |
| Palo Alto Networks Add-on for Splunk | 3.8.2 | https://splunkbase.splunk.com/app/2757/ |
| Splunk Add-on for Symantec Endpoint Protection | 2.3.0 | https://splunkbase.splunk.com/app/2772/ |
| TA-Suricata | 2.3.3 | https://splunkbase.splunk.com/app/2760/ |
| Microsoft Sysmon Add-on | 6.0.4 | https://splunkbase.splunk.com/app/1914/ |
| Collectd App for Splunk Enterprise | 1.1 | https://splunkbase.splunk.com/app/2875/ |
| OSquery | 1 | https://splunkbase.splunk.com/app/3278/ |
| SSL Certificate Checker | 3.2 | https://splunkbase.splunk.com/app/3172/ |
| Website Monitoring | 2.5 | https://splunkbase.splunk.com/app/1493/ |
| Splunk Add-on for Microsoft IIS | 1.0.0 | https://splunkbase.splunk.com/app/3185/ |
| Splunk Add-on for Unix and Linux | 6.0.0 | https://splunkbase.splunk.com/app/833/ |
| Splunk Stream Add-on | 7.1.1 | https://splunkbase.splunk.com/app/1809/ |
| Splunk Add-on for Microsoft Windows | 5.0.1 | https://splunkbase.splunk.com/app/742/ |


## Warning
**Please be advised that this dataset may contain profanity, slang, vulgar expressions, and/or generally offensive terminology. Please use with discretion.**

This dataset contains evidence captured during actual computer security incidents, or from realistic lab recreations of security incidents. As such, the dataset **may** contain profanity, slang, vulgar expressions, and/or generally offensive terminology. The authors believe that the educational benefits of preserving the realism of the dataset outweigh the risk of offending some users. If the possibility of encountering this type of offensive material is a concern to you or to any audience with whom you plan to share the dataset, please stop now and do not continue.

## Authors
Written in 2017 by Ryan Kovar, David Herrald, James Brodsky, John Stoner, Jim Apger, and David Veuve

## Copyright and License
To the extent possible under law, the author(s) have dedicated
all copyright and related and neighboring rights to this software
to the public domain worldwide. This software is distributed
without any warranty. You should have received a copy of the CC0
Public Domain Dedication along with this software. If not, see
http://creativecommons.org/publicdomain/zero/1.0/.
--------------------------------------------------------------------------------