Introducing New XSOAR Capture the Flags!

Dec 14, 2023
5 minutes


Does the game of capture the flag bring back childhood memories?

Well, we have infused the fun element of the game into our capture the flag (CTF) content packs which take you on an interactive “treasure hunt” in Cortex XSOAR.

How Are Capture the Flags Used in Cybersecurity?

CTF challenges are cybersecurity competitions where participants tackle hands-on tasks, solving security-related puzzles and navigating through simulated scenarios to capture "flags." These flags represent sensitive information, and these exercises allow participants to showcase their prowess in areas like penetration testing, cryptography, and incident response.

CTFs can bridge the gap between theory and practice. Participants not only learn about cybersecurity concepts but also apply that knowledge to solve intricate problems. This approach cultivates problem-solving skills, critical thinking, and adaptability – crucial attributes in the ever-evolving field of cybersecurity.

Introducing the XSOAR CTF Playbooks

In these CTFs, participants explore Cortex XSOAR the way security analysts do when they investigate and respond to an incident.

Since XSOAR delivers SecOps automation through its playbooks, which are automated sequences orchestrating security processes, we built these CTFs using playbooks. As participants navigate through the CTFs and tasks that mirror the complexity of real-world incident investigations, they will understand the underlying structure and components associated with building automated workflows. The modular and extensible nature of XSOAR playbooks empowers users to tailor challenges to specific learning objectives.

Preparing for the XSOAR CTF Challenge

Each CTF content pack comes with a playbook guiding you through setting up the CTF for your participants. This playbook ensures that your environment has all the requirements enabled to run your CTF.

Our CTF contains two different challenges:

  • The first CTF challenge walks participants through XSOAR 8, the SaaS version.
    XSOAR 8, released in Jan 2023 and now used by many customers, is built on the new unified Cortex architecture and is a fully cloud-native SOAR solution. The CTF tasks guide the user through the system, introducing them to the key features of XSOAR.
  • The second CTF challenge allows participants to wear an analyst’s hat and investigate an incident using XSOAR.
    Our mission with this CTF is to acquaint analysts with using XSOAR to respond to incidents, including identifying the type of malicious indicator detected in the incident, the related indicators associated with the same campaign, the severity of the attack, etc.

Fig 1: One of the gifs in the CTFs


Using the CTF Content Packs

First, you need to download the Capture The Flag 01 pack. In this pack, you will find a playbook that assists you in preparing and setting up your environment. The playbook is named “Prepare your CTF”.

Fig 2: Prepare your CTF playbook


You may run it as an incident or directly from the Playbook debugger section.

Fig 3: Running the Prepare your CTF playbook


The playbook will guide you through the setup tasks, including the integrations and other settings required. In the example shown below, two missing integrations need to be enabled. You need to navigate to the Integrations tab in XSOAR to configure them.

Fig 4: Missing integrations


The end goal is to run this playbook without any stops or errors until you reach the final task, which informs you that you are set.

Fig 5: Successful playbook run


Starting the CTF

To start interacting with the CTF, run the first CTF playbook by creating a new incident with the following playbook: “CTF 1 - Get to know XSOAR 8”.

As a part of the game, participants will be required to search for clues (or flags) throughout XSOAR (such as in integration settings, reports, or playbooks). They will answer a series of questions related to their quest and the playbooks will prompt them with the correct answers.

Fig 6: Sample task in CTF with prompts


If a participant gets stuck on a specific task, they can use the hint option to get a quick hint about the flag. If their answer is incorrect, they can re-run the task and check their answer as many times as they like. Since this is a competition, however, a timer determines who is the fastest at retrieving all the clues or flags.

Scoring Progress

The pack allows you to run this game for multiple users on the same tenant while providing a dashboard where you can see their progress.

Fig 7: Scoreboard using XSOAR’s incident dashboard


Using this dashboard, you can track who finished the CTF and sort the results by completion time to determine the winner of the game. Note: an SLA timer starts when an incident is triggered, and that timer is what the completion time is measured against.

Interested in trying it for yourself? Join us for a free CTF event and pit your skills against your peers while learning how a SOAR solution automates the incident response process.
