Prepare your instance for Capture The Flag
Introduction

The Cortex XSOAR 8 Capture the Flag challenges (CTFs) provide a fun and engaging way for your audience or teams to learn about Cortex XSOAR. Each CTF can be completed in 1 hour and can easily be incorporated into an event for SOC practitioners.
Install the CTF content packs

The XSOAR CTF consists of two content packs:
- Capture The Flag - 01
- Capture The Flag - 02

Install "Capture The Flag - 01" first and "Capture The Flag - 02" second, in that order.
- Navigate to Cortex XSOAR Marketplace.
- Search for "Capture The Flag - 01" and click Install.
- After "Capture The Flag - 01" is installed, search for "Capture The Flag - 02" and click Install.

Once both packs are installed, a green checkmark appears next to each CTF pack.
Prepare your CTF playbook

After you install the CTF 1 and CTF 2 content packs from Marketplace, you must run the "Prepare your CTF" playbook. The playbook walks you through configuring the integration instances that the CTF requires and checks the system for any missing items.
Install and configure VirusTotal and Unit 42 ATOMs Feed

Unit 42 ATOMs Feed provides access to published IOCs that contain known malicious indicators. VirusTotal (API v3) analyzes suspicious hashes, URLs, domains, and IP addresses. Both integrations are required for the CTF: they enrich indicators and feed useful information to Threat Intel Management (TIM).
- Go to Playbooks and search for "Prepare your CTF".
- Click View to open the playbook.
- Click Run. The playbook first checks whether the VirusTotal and Unit 42 ATOMs Feed integrations are installed. If either is missing, follow the playbook's instructions to install it from Marketplace.
- After installing VirusTotal and Unit 42 ATOMs Feed, configure an instance of each integration: click Settings & Info > Settings > Instances.
- Search for VirusTotal and add an instance. Create your own VirusTotal account and retrieve the API key from there (see the Help in the integration settings).
- Search for Unit 42 ATOMs Feed and add an instance. Create your own Unit 42 ATOMs Feed account and retrieve the API key from there (see the Help in the integration settings).

Treat both API keys as secrets: use keys issued for the event rather than a personal key, store them only in the instance configuration, and revoke them once the event is over.
Configure the XDR-CTF and OHMYVT_CTF integrations

The XDR - IR CTF and OHMYVT_CTF integrations are installed with the CTF content packs, but no instances of them exist yet. You must configure an instance of each.
- Go to Playbooks, open the "Prepare your CTF" playbook and rerun it (click Stop, then Run). If the previous steps were configured correctly, the playbook now checks for an XDR - IR CTF instance and for an instance of the custom integration named "OHMYVT_CTF".
- Go to Settings & Info > Settings > Instances. Search for XDR - IR CTF, click + Add instance, leave all the default settings and click Save & Exit.
- Search for OHMYVT_CTF, click + Add instance, leave all the default settings and click Save & Exit.
Verify the RDP brute force incident

You can now analyze and investigate various aspects of an RDP brute-force incident ingested from Cortex XDR. The CTF integrations create this incident for you automatically. In the following steps, you verify that the incident exists in the database and that all the indicators from that incident have been extracted successfully.
- After configuring XDR - IR CTF and OHMYVT_CTF, go back to Playbooks, open the "Prepare your CTF" playbook and rerun it by clicking Stop and then Run. The playbook now stops at the step "Ensure the following", which asks you to check:
  - [ ] The incident was created successfully. Wait until the BruteForce incident stops on the manual task that classifies the incident.
  - [ ] The indicators were extracted properly.
- Click Incidents and search for the incident name: "XDR Incident 413 - 'Possible external RDP Brute-Force' generated by XDR Analytics detected on host dc1env12apc05 involving user env12\administrator".
- Open the incident, click the Investigation tab and confirm that the indicators (such as the host, the user and the attacking IP) have been extracted properly.
- Go back to Playbooks, open the "Prepare your CTF" playbook and click Mark Completed on the "Ensure the following" step. If you need to rerun the playbook, click Stop and then Run.
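If you are preparing several instances for an event, the two manual checks above (incident present, indicators extracted) can be scripted. The following is an added example, not part of the CTF content packs or of this guide. It assumes, without confirmation from this page, the XSOAR 8 public API base path /xsoar/public/v1 with the API key in the Authorization header and the key ID in x-xdr-auth-id, a POST /incidents/search endpoint returning {"total": N, "data": [...]}, a POST /indicators/search endpoint accepting an investigationIDs query and returning {"total": N, "iocObjects": [...]}, incident status code 2 meaning closed, and that the CTF expects IP, Host and Account indicators. Check each against your tenant's API reference before relying on it. When no tenant is configured via the XSOAR_URL, XSOAR_API_KEY and XSOAR_AUTH_ID environment variables, it runs against constructed sample responses.

```python
"""Readiness check for the CTF incident: incident exists and indicators extracted.
Added example; endpoints, headers, response shapes and status codes are assumptions."""
import json
import os
import urllib.request

# Incident name taken from the guide (the backslash is literal in the name).
INCIDENT_NAME = (
    "XDR Incident 413 - 'Possible external RDP Brute-Force' generated by "
    "XDR Analytics detected on host dc1env12apc05 involving user "
    "env12\\administrator"
)
REQUIRED_TYPES = ("IP", "Host", "Account")  # assumption: what the CTF extracts
STATUS_CLOSED = 2                           # assumption: XSOAR closed-incident status


def build_incident_query(host: str, size: int = 20) -> dict:
    """Search on the host name; the full title contains quotes and a backslash
    that are awkward to escape, so the exact name is matched client-side."""
    return {"filter": {"query": f"name:*{host}*", "page": 0, "size": size}}


def find_incident(search_response: dict, name: str):
    """Return the incident whose name matches exactly, or None."""
    for inc in search_response.get("data", []):
        if inc.get("name") == name:
            return inc
    return None


def indicators_by_type(indicator_response: dict) -> dict:
    """Group extracted indicator values by indicator type."""
    grouped: dict = {}
    for ioc in indicator_response.get("iocObjects", []):
        grouped.setdefault(ioc.get("indicator_type", "Unknown"), []).append(ioc.get("value"))
    return grouped


def readiness_report(search_response: dict, indicator_response: dict,
                     name: str = INCIDENT_NAME, required=REQUIRED_TYPES) -> dict:
    """Combine both checks of the 'Ensure the following' step into one verdict."""
    incident = find_incident(search_response, name)
    if incident is None:
        return {"incident_found": False, "ready": False,
                "missing_types": list(required), "indicators": {}}
    grouped = indicators_by_type(indicator_response)
    missing = [t for t in required if not grouped.get(t)]
    still_open = incident.get("status") != STATUS_CLOSED  # must be waiting on the manual task
    return {"incident_found": True, "incident_id": incident.get("id"),
            "still_open": still_open, "indicators": grouped,
            "missing_types": missing, "ready": still_open and not missing}


def xsoar_post(base_url: str, path: str, body: dict) -> dict:
    """Authenticated POST against the assumed XSOAR 8 public API."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/xsoar/public/v1{path}",
        data=json.dumps(body).encode(),
        headers={"Authorization": os.environ["XSOAR_API_KEY"],
                 "x-xdr-auth-id": os.environ["XSOAR_AUTH_ID"],
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses (not real tenant data) shaped like the assumed API output.
SAMPLE_SEARCH = {"total": 1, "data": [
    {"id": "413", "name": INCIDENT_NAME, "status": 1, "type": "Cortex XDR Incident"}]}
SAMPLE_INDICATORS = {"total": 3, "iocObjects": [
    {"indicator_type": "IP", "value": "203.0.113.77", "score": 3},
    {"indicator_type": "Host", "value": "dc1env12apc05", "score": 0},
    {"indicator_type": "Account", "value": "env12\\administrator", "score": 0}]}


def main() -> dict:
    base = os.environ.get("XSOAR_URL")
    if base:
        search = xsoar_post(base, "/incidents/search", build_incident_query("dc1env12apc05"))
        inc = find_incident(search, INCIDENT_NAME)
        iocs = xsoar_post(base, "/indicators/search",
                          {"query": f"investigationIDs:{inc['id']}", "page": 0, "size": 100}) if inc else {}
    else:
        search, iocs = SAMPLE_SEARCH, SAMPLE_INDICATORS
    report = readiness_report(search, iocs)
    print(json.dumps(report, indent=2))
    return report


if __name__ == "__main__":
    main()
```

Run it once per instance after the playbook reaches "Ensure the following"; a report with "ready": true corresponds to both checkboxes being satisfied, and "missing_types" tells you which extraction failed if not.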
Final validation

When the validation is complete and the malicious IP is tagged, the playbook stops at the step "You are all set!". Your instance is now ready for the CTF.