{"id":13454059,"url":"https://github.com/splunk/botsv3","last_synced_at":"2025-10-11T09:57:06.899Z","repository":{"id":66165956,"uuid":"240321774","full_name":"splunk/botsv3","owner":"splunk","description":"Splunk Boss of the SOC version 3 dataset.","archived":false,"fork":false,"pushed_at":"2020-06-18T13:56:56.000Z","size":13,"stargazers_count":322,"open_issues_count":0,"forks_count":50,"subscribers_count":30,"default_branch":"master","last_synced_at":"2025-03-24T05:38:04.518Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/splunk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-02-13T17:35:55.000Z","updated_at":"2025-03-17T15:21:04.000Z","dependencies_parsed_at":null,"dependency_job_id":"4ecbfbbb-8b29-4def-9722-cc9fea551162","html_url":"https://github.com/splunk/botsv3","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/splunk/botsv3","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fbotsv3","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fbotsv3/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fbotsv3/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/splunk%2Fbotsv3/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/splunk","download_url":"https://codeload.github.com/splunk/botsv3/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/ho
sts/GitHub/repositories/splunk%2Fbotsv3/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279006748,"owners_count":26084185,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-11T02:00:06.511Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T08:00:50.612Z","updated_at":"2025-10-11T09:57:06.879Z","avatar_url":"https://github.com/splunk.png","language":null,"readme":"# Boss of the SOC (BOTS) Dataset Version 3\nA sample security dataset and CTF platform for information security professionals, researchers, students, and enthusiasts. This page hosts information regarding the version 3 *dataset*. If you would like access to the scoreboard software, please visit [the CTF Scoreboard Github repository](https://github.com/splunk/SA-ctf_scoreboard). If you are looking for the BOTS version 2 dataset, it can be found [here](https://github.com/splunk/botsv2). If you are looking for the BOTS version 1 dataset, it can be found [here](https://github.com/splunk/botsv1).\n\n## Download\n\n| Dataset          | Description | Size | Format | MD5 |\n| ---------------- | ----------- | ---- | ------ | --- |\n| [BOTS V3 Dataset](https://botsdataset.s3.amazonaws.com/botsv3/botsv3_data_set.tgz) |  BOTSv3 dataset. | 320.1MB | Pre-indexed Splunk | d7ccca99a01cff070dff3c139cdc10eb |\n\n\n## Installation\n1. 
Download the dataset file indicated above and check the MD5 hash to ensure integrity.\n2. Install Splunk Enterprise and the apps/add-ons listed in the *Required Software* section below. It is important to match the specific version of each app and add-on.\n3. Unzip/untar the downloaded file into $SPLUNK_HOME/etc/apps\n4. Restart Splunk\n5. The BOTS v3 data will be available by searching:\n```\nindex=botsv3 earliest=0\n```\n6. Note that because the data is distributed in a pre-indexed format, there are no volume-based licensing limits to be concerned with.\n\n## Data Sourcetypes included\n* access_combined\n* alternatives\n* amazon-ssm-agent\n* amazon-ssm-agent-too_small\n* apache_error\n* aws:cloudtrail\n* aws:cloudwatch\n* aws:cloudwatch:guardduty\n* aws:cloudwatchlogs\n* aws:cloudwatchlogs:vpcflow\n* aws:config:rule\n* aws:description\n* aws:elb:accesslogs\n* aws:rds:audit\n* aws:rds:error\n* aws:s3:accesslogs\n* bandwidth\n* bash_history\n* bootstrap\n* cisco:asa\n* cloud-init\n* cloud-init-output\n* code42:api\n* code42:computer\n* code42:org\n* code42:security\n* code42:user\n* config_file\n* cpu\n* cron-too_small\n* df\n* dmesg\n* dpkg\n* error-too_small\n* errors\n* errors-too_small\n* ess_content_importer\n* hardware\n* history-2\n* interfaces\n* iostat\n* lastlog\n* linux_audit\n* linux_secure\n* localhost-5\n* lsof\n* maillog-too_small\n* ms:aad:audit\n* ms:aad:signin\n* ms:o365:management\n* ms:o365:reporting:messagetrace\n* netstat\n* o365:management:activity\n* openports\n* osquery:info\n* osquery:results\n* osquery:warning\n* out-3\n* package\n* perfmonmk:process\n* protocol\n* ps\n* script:getendpointinfo\n* script:installedapps\n* script:listeningports\n* stream:arp\n* stream:dhcp\n* stream:dns\n* stream:http\n* stream:icmp\n* stream:igmp\n* stream:ip\n* stream:mysql\n* stream:smb\n* stream:smtp\n* stream:tcp\n* stream:udp\n* symantec:ep:agent:file\n* symantec:ep:agt_system:file\n* symantec:ep:behavior:file\n* symantec:ep:packet:file\n* 
symantec:ep:risk:file\n* symantec:ep:scm_system:file\n* symantec:ep:security:file\n* symantec:ep:traffic:file\n* syslog\n* time\n* top\n* unix:listeningports\n* unix:service\n* unix:sshdconfig\n* unix:update\n* unix:uptime\n* unix:useraccounts\n* unix:version\n* userswithloginprivs\n* vmstat\n* who\n* wineventlog\n* winhostmon\n* xmlwineventlog:microsoft-windows-sysmon/operational\n* yum-too_small\n\n\n## Required Software\nThe dataset requires the following software which is distributed and licensed separately\nand should be installed before using the dataset. The versions listed are\nthose that were used to create the dataset. Different versions of the software\nmay or may not work properly. If you are new to Splunk, follow [these instructions](http://docs.splunk.com/Documentation/Splunk/latest/Installation/Whatsinthismanual) to install the free Splunk Enterprise trial and [these instructions](https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall) to install apps and add-ons.\n\n\n|\tApp / Add-on\t|\tVersion\t|\tDownload\n| ----------- | ------- | -------- |\n| Splunk Enterprise                               | 7.1.7 | http://www.splunk.com\n|\tAws_guardduty\t                                  |\t1.0.4\t|\thttps://splunkbase.splunk.com/app/3790/\n|\tCiscoNVM\t                                      |\t1.0.346\t|\thttps://splunkbase.splunk.com/app/2992/\n|\tCode42 App For Splunk\t                          |\t3.0.6\t|\thttps://splunkbase.splunk.com/app/3736/\n|\tCode42ForSplunk Technology Add-On\t              |\t3.0.4\t|\thttps://splunkbase.splunk.com/app/3746/\n|\tSplunk Add-on for Cisco ASA\t                    |\t3.3.0\t|\thttps://splunkbase.splunk.com/app/1620/\n|\tSplunk Add-on for Microsoft Cloud Services\t    |\t2.1.0\t|\thttps://splunkbase.splunk.com/app/3110/\n|\tSplunk Add-on for Microsoft Office 365\t        |\t1.0.0\t|\thttps://splunkbase.splunk.com/app/4055/\n|\tSplunk Add-on for Microsoft Windows\t            
|\t4.8.4\t|\thttps://splunkbase.splunk.com/app/742/\n|\tSplunk Add-on for Symantec Endpoint Protection\t|\t2.3.0\t|\thttps://splunkbase.splunk.com/app/2772/\n|\tSplunk Add-on for Tenable\t                      |\t5.1.3\t|\thttps://splunkbase.splunk.com/app/1710/\n|\tSplunk Add-on for Unix and Linux\t              |\t5.2.4\t|\thttps://splunkbase.splunk.com/app/833/\n|\tSplunk Common Information Model\t                |\t4.11.0\t|\thttps://splunkbase.splunk.com/app/1621/\n|\tSplunk Security Essentials\t                    |\t2.2.0\t|\thttps://splunkbase.splunk.com/app/3435/\n|\tSplunk Stream Add-on\t                          |\t7.1.2\t|\thttps://splunkbase.splunk.com/app/1809/\n|\tTA-VirusTotalActions\t                          |\t0.2.0\t|\thttps://splunkbase.splunk.com/app/3446/\n|\tURL Toolbox\t                                    |\t1.6\t  |\thttps://splunkbase.splunk.com/app/2734/\n|\tDecryptCommands\t                                |\t2\t|\thttps://splunkbase.splunk.com/app/2655/\n|\tMicrosoft Azure Active Directory Reporting Add-on for Splunk\t|\t1.0.1\t|\thttps://splunkbase.splunk.com/app/3757/\n|\tMicrosoft Cloud App for Splunk\t                |\t1.0.1\t|\thttps://splunkbase.splunk.com/app/3786/\n|\tMicrosoft Office 365 Reporting Add-on for Splunk  |\t1.0.1\t|\thttps://splunkbase.splunk.com/app/3720/\n|\tMicrosoft Sysmon Add-on\t                        |\t8.0.0\t|\thttps://splunkbase.splunk.com/app/1914/\n|\tOSquery App for Splunk\t                        |\t0.6.0\t|\thttps://splunkbase.splunk.com/app/3902/\n|\tSplunk Add-on for AWS\t                          |\t4.5.0\t|\thttps://splunkbase.splunk.com/app/1876/\n|\tES Content Updates\t                            |\t1.0.25\t|\thttps://splunkbase.splunk.com/app/3449/\n|\tSA-cim_vladiator\t                              |\t1.2\t|\thttps://splunkbase.splunk.com/app/2968/\n\n\n## Warning\n**Please be advised that this dataset may contain profanity, slang, vulgar expressions, and/or generally offensive terminology. 
Please use with discretion.**\n\nThis dataset contains evidence captured during actual computer security incidents, or from realistic lab recreations of security incidents. As such, the dataset **may** contain profanity, slang, vulgar expressions, and/or generally offensive terminology. The authors believe that the educational benefits of preserving the realism of the dataset outweigh the risk of offending some users. If the possibility of encountering this type of offensive material is a concern to you or to any audience with whom you plan to share the dataset, please stop now and do not continue.\n\n## Authors\nWritten in 2018 by Ryan Kovar, David Herrald, James Brodsky, John Stoner, Jim Apger, David Veuve, Lily Lee, and Matt Valites\n\n## Copyright and License\nTo the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed\nwithout any warranty. You should have received a copy of the CC0 Public Domain Dedication along with this software. If not, see http://creativecommons.org/publicdomain/zero/1.0/.\n\n","funding_links":[],"categories":["Threat Detection and Hunting","Other Lists","CTFs"],"sub_categories":["Dataset","Training","📚 Training","API"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fbotsv3","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsplunk%2Fbotsv3","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsplunk%2Fbotsv3/lists"}
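The Installation steps in the README above (download, check the MD5, untar into `$SPLUNK_HOME/etc/apps`, restart, search `index=botsv3 earliest=0`) are easy to get wrong in one way that matters: extracting an archive whose hash did not match. The script below is an added example, not part of the splunk/botsv3 repository, that scripts those steps so that the tarball is only unpacked after its MD5 matches the value published in the download table. The URL and the digest `d7ccca99a01cff070dff3c139cdc10eb` come from the README; the function names, the `/opt/splunk` default for `SPLUNK_HOME`, the `md5sum`/`md5` fallback, and the `stats count by sourcetype` search are assumptions of this example.

```shell
#!/bin/sh
# Added example for installing the BOTSv3 dataset safely; not code from the
# splunk/botsv3 repository. Assumes a POSIX sh, tar with gzip support, and
# either md5sum (Linux) or md5 (macOS).

# Values taken from the README's download table.
DATASET_URL="https://botsdataset.s3.amazonaws.com/botsv3/botsv3_data_set.tgz"
EXPECTED_MD5="d7ccca99a01cff070dff3c139cdc10eb"

# md5_of FILE: print the hex MD5 digest of FILE, whichever tool is available.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    md5 -q "$1"
  fi
}

# verify_md5 FILE EXPECTED: return 0 when the digest matches, 1 otherwise.
verify_md5() {
  actual=$(md5_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "MD5 mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# download_dataset DEST: fetch the tarball (network required; not run by default).
download_dataset() {
  curl -fsSL -o "$1" "$DATASET_URL"
}

# install_dataset TARBALL [SPLUNK_HOME] [EXPECTED_MD5]:
# refuse to extract anything unless the digest matches, then unpack the
# pre-indexed app into $SPLUNK_HOME/etc/apps as the README instructs.
install_dataset() {
  tarball=$1
  splunk_home=${2:-${SPLUNK_HOME:-/opt/splunk}}   # /opt/splunk is an assumed default
  expected=${3:-$EXPECTED_MD5}
  verify_md5 "$tarball" "$expected" || return 1
  [ -d "$splunk_home/etc/apps" ] || {
    echo "no apps directory at $splunk_home/etc/apps" >&2
    return 1
  }
  tar -xzf "$tarball" -C "$splunk_home/etc/apps" || return 1
  echo "Extracted $tarball into $splunk_home/etc/apps"
}

# restart_and_check [SPLUNK_HOME]: restart Splunk and confirm the index is
# populated. Only meaningful on a host with Splunk installed; the search
# prompts for credentials. The sourcetype breakdown is an assumed query.
restart_and_check() {
  splunk_home=${1:-${SPLUNK_HOME:-/opt/splunk}}
  bin="$splunk_home/bin/splunk"
  [ -x "$bin" ] || { echo "splunk binary not found at $bin" >&2; return 1; }
  "$bin" restart || return 1
  "$bin" search 'index=botsv3 earliest=0 | stats count by sourcetype'
}

# Typical use (network and a Splunk install required):
#   download_dataset /tmp/botsv3_data_set.tgz
#   install_dataset /tmp/botsv3_data_set.tgz /opt/splunk
#   restart_and_check /opt/splunk
```

`install_dataset` checks the digest before `tar` touches `etc/apps`, so a truncated or corrupted download is rejected instead of leaving a half-installed app behind. MD5 is adequate for detecting accidental corruption, but it is not collision resistant, so treat a match as an integrity check rather than a strong proof of authenticity.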