BOTES : Boss of the Elastic SOC

Last updated 5 years ago

ECS and SIEM module release

The release of Elastic Common Schema (ECS) at the beginning of the year and the release of SIEM module with Elastic v7.2 is the perfect occasion to gain skills in SIEM Infrastrucure and Security Analytics, for free.

But without security events it's hard to fully exploit and try new Elastic features. This is where BOTS Datasets come into play. It's possible to quickly setup an Elastic Stack and ingest data as many time as desired to run different tests or to practice security analysis.

For example, this make easy to test enrichments scripts with data obtain though Shodan, Onyphe, or others Threat Intelligence sources.

For more information on ECS and SIEM module, check the following links :

Elastic SIEM module :

Elastic Common Schema :

From BOTS to BOTES

Before any investigation with Kibana and the SIEM module, BOTS Dataset need to be sanitized and even better, transformed following the Elastic Common Schema.

For this purpose, JSON files the from BOTS Dataset v1 will be used (BOTS Dataset v2 is only available in Splunk Pre-Index format). See section for BOTS v1 download links.

To move from BOTS to BOTES some actions are required :

For each sourcetype, list fields from JSON files.
Clean Splunk specific, duplicated and bad parsed fields.
Match original fields with ECS fields.
Generate ECS Schemas Fieldset, Elastic Index Mapping and Logstash configuration files from CSVs (Created during cleaning phase) with BOTES & ECS scripts.
Prepare Logstash and ingest the brand new clean BOTES JSON files.

This documentation contains details on how these actions were carried out and how to use BOTES Datasets (Logstash configuration files install, Elasticsearch Index mapping load, etc.).

Datasets information

BOTS/BOTES Dataset contains 31M of lines.

BOTES Download

Ready to be used BOTES Datasets (JSON formatted) can be downloaded here :

Last updated 5 years ago