Cortex Xsoar CTF Instructor Guide

Uploaded by Duy Thanh

CORTEX XSOAR CAPTURE THE FLAG INSTRUCTOR GUIDE

Dec 2021
TABLE OF CONTENTS
ABOUT THE CTF TRAINING 2
TARGET AUDIENCE 2
CTF EVENT DETAILS 2
CTF PRESENTER CHECKLIST 2
REQUEST A NEW CTF GAME INSTANCE 3
CTF GAME SETUP 6
ABOUT THE CTF GAME 6
LOG INTO THE CTF GAME ENGINE 6
GAME CONFIGURATION 7
CORTEX XSOAR DEMO ENVIRONMENT 9
CTF GAME INTRODUCTION 10
PREPARE THE PLAYERS 14
ASSIGN TEAM NUMBERS 14
LOG INTO THE CTF GAME ENGINE 14
CORTEX XSOAR ENVIRONMENT 15
BEGIN GAME 16
ENDING THE GAME 18
ANSWER KEY 19

©2020 Palo Alto Networks


Confidential. Do Not Distribute.
1
ABOUT THE CTF TRAINING
The Palo Alto Networks Capture the Flag (CTF) is an enablement tool that introduces the
different features and capabilities of a solution with a hands-on competitive twist. The CTF
environment consists of a series of challenges that vary in difficulty and require participants to
exercise different skill sets to solve. Once a challenge is solved, the participant receives a “flag”,
which results in points being awarded. The winning team or player is the one that solves the most
challenges and therefore scores highest.

CTF events provide a fun way to learn a new technology. This guide is designed to provide you
with the information needed to host your own CTF event.

TARGET AUDIENCE
Partner engineers and customers.

CTF EVENT DETAILS


AGENDA:
1. Introduction to Cortex XSOAR presentation and UI demo - 30 mins
2. Capture the Flag game introduction - 10 mins
3. Break - 10 mins
4. Player access and log in - 5 mins
5. Begin the game - 30 mins
6. Closing with Q&A - 10 mins

CTF PRESENTER CHECKLIST


❏ Request the CTF game engine instance in advance.
❏ The CTF game will be provisioned within minutes of submitting the request and
will be available to use for 48 hours.
❏ Access the Cortex XSOAR environment.
❏ Review the Cortex XSOAR presentation.
❏ Add the unique XSOAR CTF game engine link into the presentation deck.
❏ Prepare for Cortex XSOAR UI demo.
❏ Prepare for the CTF game engine introduction.
❏ Select music to play during the CTF game.
❏ Select prizes for the winner(s).

REQUEST A NEW CTF GAME INSTANCE
1. Browse to:

https://www.paloaltonetworks.com/partners/nextwave-partner-portal/help-me-learn/demo-systems/cortex-xsoar-ctf

2. This will take you to a request form that must be completed. Click Start to proceed.

3. Enter the passcode GoPaloAltoNetworks and click OK.

4. Enter your first name and click OK or hit enter on your keyboard.

5. Enter your last name and click OK or hit enter on your keyboard.

6. Accurately enter your corporate email address. Please double-check for any typos or errors
entered into the email address field.

7. Enter your Company’s name.

8. Please select your Theatre or Region and then click OK or hit enter on your keyboard.

9. Select the option that best describes how you will use this CTF environment.

10. Enter the number of participants you are expecting to attend.

11. Once the last question is answered, you will reach a confirmation page that the lab environment
is being provisioned.

12. Two separate emails will be sent to the email address submitted in the form. This may take a few
minutes.

13. A confirmation email will be sent from [email protected] with the subject Palo
Alto Networks Lab Request.
a. Please contact [email protected] if the emails are not received.

14. Two CTF game access emails will be sent from [email protected] with the subjects
PANW Lab Environment: Capture the Flag: XSOAR CTF and PANW Lab Environment: Capture
the Flag: XSOAR Demo.

15. The unique game instance will be available to you for 48 hours. If a longer duration is required,
please schedule a 5-day instance by emailing [email protected]. We do not
have the ability to extend existing instances.

CTF GAME SETUP


ABOUT THE CTF GAME
Logging in as an ADMIN will allow you to make adjustments to the game before beginning. The
default game time is 30 minutes, but this can be adjusted to suit your training event.
The game consists of 27 questions, with a maximum possible score of 5,000 points. All
questions have associated hints available to guide the player. Players who use a hint will be
penalized points.

LOG INTO THE CTF GAME ENGINE


1. Browse to the CTF Page link provided in the game access email.

2. Click PLAY.

3. Click LOGIN.

4. Select ADMIN for the team name and then enter the password that was provided in the
game access email.

5. Click Login.

GAME CONFIGURATION
Check the game configuration before the event.

1. Make sure the team LOGIN feature and TEAM SECTION are both set to ON.
This enables the dropdown menu of pre-configured team names that the attendees use to log in.

2. Make sure the GAME SCORING and REFRESH GAMEBOARD are both set to ON.
This enables the scoreboard to track points. The scoreboard will automatically refresh
to accurately display the ranks throughout the game.

3. Make sure the game TIME is set to ON. The GAME DURATION is set to 30 minutes but
can be adjusted to better fit your event schedule. A 30- or 45-minute game time is
recommended.

CORTEX XSOAR DEMO ENVIRONMENT
1. Using an incognito browser, navigate to the URL in the XSOAR Demo email you
received to ensure it is operational.
This XSOAR environment login link will be used by the players as well.

CTF GAME INTRODUCTION
1. In this Capture the Flag training event, you will be capturing countries by answering a
series of quiz questions pertaining to the Cortex XSOAR environment. To win the game,
you will need to capture every available country as quickly as possible. If the time runs
out, the team with the most points will win.

2. You will first start on the gameboard after logging in.

3. You can mouse over each country to see how many points it’s worth. The higher the
points, the more difficult the question will be.

4. To view the question, click on the country.

5. The answer value is not case sensitive; however, the syntax must be entered accurately, as
there is only one correct answer per quiz question.

6. In a separate incognito window or tab, use the Cortex XSOAR environment to find the
answers. It’s highly recommended to copy and paste answers from the XSOAR interface.

7. Hints can be used; however, they cost points, so use them wisely.

8. The countries you capture will have a yellow triangle. Red triangles will appear for
countries captured by your opponents. You will still receive points for countries that
have already been captured by others.

9. The Scoreboard will show the full ranking of each team.

PREPARE THE PLAYERS
ASSIGN TEAM NUMBERS
1. Assign each player or team of players a Team number. Their password will be dictated by
their team number in the following format:

a. Username: Team#
b. Password: paloalto#

For example: Team2’s password is paloalto2

LOG INTO THE CTF GAME ENGINE


1. Each player will need to navigate to the unique game URL provided in the game access
email.

2. From the CTF game engine front page, click PLAY.

3. Click LOGIN to proceed.

4. Using the TEAM NAME dropdown, the players will need to select their assigned team
number and enter in the corresponding password.

5. Confirm all players have successfully logged in.

CORTEX XSOAR ENVIRONMENT


1. Share the unique URL for the XSOAR environment that you received in the email with
the players. In the CTF presentation deck, there’s a dedicated Player Access slide already
included.

2. Have participants open the link using an incognito window to reach the XSOAR UI.

3. The XSOAR instance is pre-populated with 30 user accounts. You will need to assign a
username to each player, and each player will log in using a separate account. All
accounts use the same password.
User account names are as follows:

Username: demouser1, demouser2, demouser3, ..., demouser30

Password: Password1!

4. IMPORTANT: SHARE THIS TIP WITH THE PLAYERS:

To view the data necessary for the CTF game, you must set the date range to ‘All Times’ when
viewing tables in XSOAR.
All security events, incidents, and logs occurred in the past, so they may not be visible in the
default table view in XSOAR (the default filter shows only events from the last 7 days).

BEGIN GAME
1. Once all of the players are logged into both the CTF game engine and the Cortex XSOAR
engine, click BEGIN GAME to start.

2. As an ADMIN you have the ability to pause the game or end it early.

3. Click GAMEBOARD to see the game in progress.

4. During the game, have the GAME CLOCK up. The players will also have the game clock
on their screen.

5. Switch between the GAMEBOARD view and the SCOREBOARD to show the leader ranks.

ENDING THE GAME
Once the game is finished and the winner(s) are determined, the players will have questions for
you. Please use the Answer Key below as a cheat sheet to help demonstrate where to find
answers to questions that stumped players.

For more information and resources on Cortex XSOAR, please visit the Palo Alto Networks
Partner Portal website.

ANSWER KEY
Assigns, assigns, everywhere assigns
Q: Incidents in XSOAR can be assigned to users automatically. Who is the incident #19 (Fwd:
CONSIDER MY PLIGHT! - Case info) assigned to?
A: raystantz
Screenshot:

Phish out of water


Q: XSOAR will automatically categorize new incidents based on their content. How many incidents have
been categorized as "phishing"?
A: 2
Screenshot:

High water mark

Q: XSOAR will automatically assign a severity level to incidents as they are processed. How many
incidents have been assigned a high severity?
A: 5
Screenshot:

On a role
Q: XSOAR has built-in role-based access control. What role is assigned to Peter Venkman?
A: Analyst
Screenshot:

Dashboard confessional
Q: XSOAR dashboards can be customized to display the data that is most relevant to users. On the
"Incidents" dashboard, how many "Cortex XDR Incidents" are there?
A: 3
Screenshot:

User Friendly
Q: XSOAR dashboards can be customized to display the data that is most relevant to users. On the
"Incidents" dashboard, a widget displays "Incidents Assigned by User". Which user has the most
incidents assigned to them?
A: egonspengler
Screenshot:

Child's play

Q: XSOAR uses playbooks to automate a series of actions taken on a given incident. What playbook has
been assigned to incident #41 "Dumping lsass.exe memory for credential extraction"?
A: Cortex XDR Incident Handling Demo
Screenshot:

Incident Proposal
Q: In XSOAR's settings, playbooks can be automatically assigned based on the type of incident in
XSOAR. Which playbook is associated with the incident type "Brute Force"?
A: Brute Force Investigation - Generic
Screenshot:

You can't fight in here. This is the War Room!
Q: When working an incident, the War Room is a space for investigation and collaboration between
analysts. In incident #47 (Impossible Traveler Risk), analyst Ray Stantz queried information on the IP
address 176.10.104.240, and XSOAR automatically returned threat intelligence data. Per the Autofocus
results, what is the top "public tag name" associated with this IP address?
A: Commodity.CoinMiner
Screenshot:

Tag, you're it.
Q: Similar to Slack or other IRC-like communication platforms, analysts can tag other analysts with their
@username in the war room to get assistance with an investigation. A user has tagged their coworker in
the war room of Incident #1 (ONE WEIRD TRICK TO GET FREE E_BOOK!). What is the tagged
coworker's username?
A: dblankenship
Screenshot:

Self evidence
Q: When investigating an incident, users can tag important findings as evidence. One such item was
tagged in Incident #1 (ONE WEIRD TRICK TO GET FREE E_BOOK!) by user raystantz. What was the
SHA256 hash of this file?
A: 3ebf0d265d717a0d7e90c17cde10ede9ae96eb4d7fbfca39a87b0e9a9e77489b
Screenshot:

One small step for a man
Q: XSOAR uses playbooks to automate a series of actions taken on a given incident. Playbook steps
can be automatic, or can require human interaction as necessary. The work plan for Incident #41
(Dumping lsass.exe memory for credential extraction) is paused on a step requiring an analyst to perform
an action. What is the step called?
A: Ask analyst which accounts to disable
Screenshot:

Silver Linings Playbook
Q: XSOAR comes with hundreds of playbooks out of the box so users can quickly start automating
common tasks and responses. In the playbook "Phishing Investigation - Generic", what is the last task
before the playbook is completed?
A: Close Investigation
Screenshot:

Three Letter Acronyms
Q: XSOAR can set and track SLA time to ensure incidents are handled in a timely fashion. Incident #19
(Fwd: CONSIDER MY PLIGHT!) has passed its SLA timer. When did this expire?
A: July 25, 2020
Screenshot:

Signs point to yes
Q: XSOAR can automatically check if indicators in incidents are malicious. In incident #19 (FWD:
CONSIDER MY PLIGHT!) a malicious domain was identified. What is the domain name?
A: textspeier.de
Screenshot:

Doctor Who
Q: XSOAR uses playbooks to automate a series of actions taken on a given incident. Playbook steps can
be automatic, or can require human interaction as necessary. The work plan for Incident #47 (Impossible
Traveller Risk) is paused on a step requiring an analyst to make a decision. What is the step called?
A: Should We Block The External IP Address?

Screenshot:

Miles to go before I sleep


Q: XSOAR can monitor user login locations to identify "Impossible Travellers", 2 consecutive logins from
vastly different geolocations. In Incident #47 (Impossible Traveller Risk), how many miles apart are the
user's geolocations?
A: 4154.08
Screenshot:
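The "Impossible Traveller" question above rests on one detection idea: two consecutive logins by the same user whose great-circle separation could not have been covered in the time between them. The guide does not say how XSOAR computes its distance, so the following is an added illustration and not XSOAR's own logic. It uses the haversine formula with an assumed mean Earth radius, an assumed 600 mph plausibility threshold, and constructed sample logins (the demouser names are borrowed from the guide; the coordinates and timestamps are invented for the example):

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_MILES = 3958.8  # assumed mean Earth radius; not a value from the guide
MAX_PLAUSIBLE_MPH = 600.0    # assumed threshold, roughly airliner cruising speed; tune per policy


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def check_pair(prev_login, next_login, max_mph=MAX_PLAUSIBLE_MPH):
    """Compare two consecutive logins and report distance, elapsed hours, implied speed and verdict."""
    miles = haversine_miles(prev_login["lat"], prev_login["lon"],
                            next_login["lat"], next_login["lon"])
    hours = (next_login["time"] - prev_login["time"]).total_seconds() / 3600.0
    if hours <= 0:
        # Identical timestamps: any non-zero distance is physically impossible.
        mph = math.inf if miles > 0 else 0.0
    else:
        mph = miles / hours
    return {"miles": round(miles, 2), "hours": hours, "mph": mph, "impossible": mph > max_mph}


def scan_logins(logins, max_mph=MAX_PLAUSIBLE_MPH):
    """Group logins by user, order them in time, and return the pairs that imply impossible travel."""
    by_user = {}
    for login in sorted(logins, key=lambda entry: entry["time"]):
        by_user.setdefault(login["user"], []).append(login)
    findings = []
    for user, seq in by_user.items():
        for prev_login, next_login in zip(seq, seq[1:]):
            result = check_pair(prev_login, next_login, max_mph)
            if result["impossible"]:
                findings.append((user, result))
    return findings


# Constructed sample logins; not data from the demo environment.
LOGINS = [
    # demouser1: San Francisco, then London one hour later -> impossible
    {"user": "demouser1", "time": datetime(2020, 7, 20, 9, 0, tzinfo=timezone.utc),
     "lat": 37.7749, "lon": -122.4194},
    {"user": "demouser1", "time": datetime(2020, 7, 20, 10, 0, tzinfo=timezone.utc),
     "lat": 51.5074, "lon": -0.1278},
    # demouser2: San Francisco, then Los Angeles ten hours later -> plausible
    {"user": "demouser2", "time": datetime(2020, 7, 20, 8, 0, tzinfo=timezone.utc),
     "lat": 37.7749, "lon": -122.4194},
    {"user": "demouser2", "time": datetime(2020, 7, 20, 18, 0, tzinfo=timezone.utc),
     "lat": 34.0522, "lon": -118.2437},
]

if __name__ == "__main__":
    for user, result in scan_logins(LOGINS):
        print(f"{user}: {result['miles']} miles in {result['hours']:.1f} h "
              f"(~{result['mph']:.0f} mph) -> impossible travel")
```

The verdict depends on GeoIP accuracy, and VPN or cloud egress points routinely place a user thousands of miles from their desk, so a finding like this is an alert for an analyst to confirm (as the incident's paused "Should We Block The External IP Address?" step in the guide does), not an automatic block.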

Have IP will travel
Q: In incident #47 (Impossible Traveller Risk) XSOAR automatically identified a malicious IP address a
user was logging in from. What is that IP address?
A: 176.10.104.240
Screenshot:

Stake your reputation
Q: XSOAR can handle Threat Intelligence Management, aggregating multiple intel feeds into one location
so analysts can easily search and manage indicators' reputations. What is the reputation of the domain
www.kloshpro.com?
A: Bad
Screenshot:

You are not prepared


Q: In Incident #52 (Blacklisted hash detected in use) the analyst assigned to the incident has marked a
file in evidence. What is the filename?
A: World of Warcraft Launcher.exe
Screenshot:

Integration hunt
Q: XSOAR is ready to integrate with over 400 products out of the box. This instance is integrated with a
product from Tenable. What is that product's name?
A: Nessus
Screenshot:

Seems legit
Q: In incident #19 (Fwd: CONSIDER MY PLIGHT!) a phishing email is soliciting money from its target via
Western Union. The attacker has specified a "Money Transfer Control Number" with which to conduct
the transfer. What is that number?
A: 446-010-9854
Screenshot:

XDR investigation 1 - evidence
Q: DBot is XSOAR's built-in AI assistant. In incident #41 "Dumping lsass.exe memory for credential
extraction" DBot has automatically tagged a user in evidence as a result of the work plan. What is the
affected user's username?
A: Victim
Screenshot:

XDR investigation 2 - File Artifacts
Q: In incident #41 "Dumping lsass.exe memory for credential extraction", XSOAR had identified an
executable as malware. What is the executable's name?
A: mimikatz.exe
Screenshot:

There are some who call me... Tim
Q: XSOAR can handle Threat Intelligence Management, aggregating multiple intel feeds into one location
and will prioritize them by reliability. This indicator IP address "1.186.40.2" has been identified by 2
intelligence feeds. Of the configured feeds, which one is the least reliable?
A: Blocklist_de_Feed_Instance_1 (Blocklist_de Feed)
Screenshot:

PDF PDQ
Q: XSOAR can rasterize attachments to suspected phishing emails so analysts can view them safely. In
the PDF attached to Incident #1 (ONE WEIRD TRICK TO GET FREE E_BOOK), the target is directed to
download an ebook. What is the title of the book?
A: the call of the wild special edition by jack london
Screenshot:

Junk mail
Q: XSOAR will capture screenshots of links in suspected phishing emails so analysts can view them
safely. One of the phishing incidents in XSOAR was sent from an anonymous email service. What is the
name of the email service?
A: guerrillamail.com
Screenshot:

Command Line
Q: XSOAR integrations allow it to interact with other products' APIs out of the box. This instance of
XSOAR is integrated with Virustotal. What is the first command associated with this integration?
A: domain
Screenshot:
