Splunk Cost Fallacy — “Getting Started” Resources
Maybe the real BOTS Content hyperlinks are the friends we made along the way.
I have been searching for the absolute simplest Splunk tutorials. The question has already been asked on Reddit here, and the top comment points to Splunk's free training courses and to Boss of the SOC.
In the past, I remember they would just point people to the Search Tutorial.
Spelunking The Splunk Resources
BOTS (Boss of the SOC) is a competitive cybersecurity Splunk exercise that apparently debuted at their 2016 conference. It’s a blue team exercise that you can play directly on their site, but I did not personally have any success with it. It seems that all of their links are dead, and I have half a mind to write them about it.
Take, for instance, their “Web Site Defacement” exercise. Looks really cool. Amazingly they have a link you can use to actually log into Splunk with their credentials (as opposed to having to install/setup Splunk yourself), and then they have a bunch of links that show where a malicious hacker has compromised you.
Unfortunately, a bunch of these links just don't exist anymore. The exercise instructs the user to go here for the sourcetype summary, which is a dead link, and provides instructions here, another dead link. They may be aware of this. It is possible that they figured it was more logical to let the links expire, since users would move on to version 3.
Version 3 is on GitHub, but I think you have to email them to actually receive the questions and answers.
Simpler Splunk Resources
So far, I think their YouTube introductory tutorial looks just fine.
You can install a free version of Splunk, then go here in the search tutorial. You can access some zip files for ButterCupGames, then launch Splunk and play with the data. It’s nice to see that the Search Tutorial has not changed much since I last looked at it.
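Once the tutorial data is loaded, the "play with the data" step is where the blue-team value is. Here is an added example search, not from this post or from Splunk's Search Tutorial, that turns the tutorial's SSH log into a simple brute-force detection. It assumes the tutorial dataset's `secure` sourcetype and its "Failed password for [invalid user] NAME from IP" line format; the `user` and `src_ip` field names are extracted by the `rex` below and are my own naming, and the threshold of 20 failures per five minutes is an arbitrary starting point, not a tuned value.

```spl
sourcetype=secure "Failed password"
| rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| bin _time span=5m
| stats count AS failures dc(user) AS distinct_users BY src_ip, _time
| where failures >= 20
| sort - failures
```

The `rex` handles both the "invalid user" and valid-user variants of the message, `bin` buckets events into five-minute windows, and `stats ... BY src_ip, _time` counts failures per source per window; `dc(user)` separates one account being hammered from a username spray. Run it in Verbose mode first without the `where` clause to see the full distribution before picking a threshold, since the tutorial data is synthetic and the right cutoff on a real host will differ.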
Another option is TryHackMe. I really like this site and how it mimics cybersecurity scenarios by actually giving you boxes to use and boxes to hack, but it limits your usage to an hour. In other rooms, I remember thinking about how there are websites that let you do CTF exercises, except those are open 24/7. This seems analogous to me: TryHackMe looks great, but the Splunk search tutorials and the free product are available 24/7.
Closing Thoughts
The motivation for this is to review Splunk documentation. I would like to see if I can contribute something meaningful to their documents at some point.
One thing I found, though, is that their SIEM does not look like a free product. I may want to take a detour into some CTF exercises to gain cybersecurity confidence before returning to this.