On July 25th 2019 over 600 active competitors across Australia and New Zealand participated in the annual Splunk Boss of the SOC event to put their Splunk incident response skills to the test.
Amongst a mix of teams comprised of Splunk clients and integration partners, Intalock finished 2nd in QLD and 6th overall – narrowly missing out on 1st and 5th (not that I’m bitter!). It was genuinely a team effort and something we’re all proud of.
Should you participate next time? Yes! Don’t be scared if you’ve never run a search in Splunk – almost everything we did started with Google-style searches like ‘dave malware’ or checking for SIEM alerts in Enterprise Security. If you’re a stats ninja there are plenty of chances to show off as the questions get harder – and more valuable.
Also don’t be put off if your day job isn’t in security. The scenarios crafted by the guys at Splunk are pretty easy to understand and you’ll almost certainly end up answering more questions than you expect. Even if you’re an analyst you may walk away with a few ideas about new ways to hunt.
So what did we do to prepare? Not as much as hoped – but real life has a habit of getting in the way. That said, we did:
- Stood up BotS v1 and v2 servers for the team to play with;
- Ran a couple of pizza-fuelled practice sessions;
- Read and re-read the excellent Hunting with Splunk series;
- Bookmarked our favourite OSINT sites and handy tools;
- Agreed a strategy – which was largely thrown away when the competition started.
Get involved in the next one! It’s great practice for Splunking under pressure, a neat introduction to Splunk for security and a fun team experience. Also, there are free t-shirts – it’s Splunk after all.