attack_range VS botsv3

My advice… Don’t rush. Study the material and get a good understanding of the fundamentals. Each certification builds on the previous ones. If Splunk is a path you want to pursue, build those fundamentals. Put in the reps in a lab. Download BOTS, attack range data sets. Take a look at Splunk & Machine Learning YouTube channel. His videos are fantastic and he maintains a GitHub repo so you can use the datasets to practice what you learned on the video.

Somewhat related, but if you’re using splunk, you could use Splunk Attack Range which simulates attacks.

hey I think you are looking at a older repo for the local attack_range, we have not maintained this .. the current Splunk Attack Range lives here: https://github.com/splunk/attack_range/

Since you mention your in-depth ELK workflow, have you tried DetectionLab or Splunk's Attack Range? If you just want a fully working AD domain set up with various hosts, you can spin up the Red Team Attack Lab and then hook in your own logging stuff after it's built.

This is a project I've contributed to at work. It's designed to launch & configure a lab environment for security researchers, but that's not too important. It has a python CLI that takes a configuration file. That config file determines what bits of Terraform and ansible are executed. The Terraform builds instances in AWS (or Azure) and all the associated bits, and then calls the ansible playbook to provision that type of host.

Attack range: https://github.com/splunk/attack_range

have a look at Splunk's Attack Range project, which automates Caldera and Atomic Red Team for these kinds of purposes. i think this might help you as you gauge visibility, rulesets, etc ... https://github.com/splunk/attack_range

I haven't had much time to work on a BoTSv3 (Boss of the SOC Version 3) guide yet, but the GitHub guide for it should do the trick. I prefer video guides, but the README on GitHub is decent. At a high-level, you will need to install Splunk, install the needed apps+add-on, and finally install the dataset. Here is the GitHub repo for the dataset: https://github.com/splunk/botsv3

Once you have splunk installed and running, you can start ingesting data from your environment, such as your firewall or other machines/services you're working with. There are lots of supported add-ons and guides online to help you with ingesting data. If you don't have data to ingest but still want to play around with performing investigations in Splunk, I would check out Boss of the SOC. It contains a large data set as well as necessary add-ons and apps for you to start playing around. Here is a link to the GitHub repo: https://github.com/splunk/botsv3

And if you really have nothing you can download a BOTS dataset https://github.com/splunk/botsv3

Also, bots (Boss of the SOC) Here is v3

Look through the BOTS datasets. See if you can configure threat hunting reports/dashboards on your SIEM platforms based off of SIGMA rules or Att&ck Technique hypothesis. Follow Florian Roth, samir bousseaden, the Rodriguez brothers and olaf hartong on Twitter, watch all their talks and go through their various github projects.

You can start with Boss of The SOC BOTS. There are 3 datasets and walkthroughs, you just need to install the free community version of Splunk on any hypervisor. The advantage is that it’s free.