Player guide — Operation Quiet Harbor
Welcome to Operation Quiet Harbor, a Security Incident Response (SIR)
Capture-the-Flag. A simulated intrusion has been pushed into your own ServiceNow
instance. Your job: triage the incidents, pull out the indicators, and submit them
as flags to score on the live leaderboard.
Every answer is unique to you — flags are derived per player, so they can't be shared.
What you need
- A free ServiceNow Personal Developer Instance (PDI) with Security Incident
Response activated.
- The scoreboard URL and an enrollment token from your instructor.
- About 20 minutes of setup — do this as homework, before the event.
1. Get your instance ready (homework)
- Sign in at https://developer.servicenow.com and request a PDI.
PDIs are reclaimed after ~10 idle days — sign in every few days to keep yours alive.
- In your PDI, open the Application Manager (filter navigator → All Available
Applications), find Security Incident Response, and click Install.
(Threat Intelligence installs alongside it.)
2. Register on the scoreboard
Open the scoreboard URL from your instructor and create an account. The email
you register with is your handle — you'll reuse the exact same value in step 4, so
choose it now and keep it consistent.
3. Install the CTF app
- On the scoreboard, open Get started → Download the update set (an XML file).
- In your PDI: All → Retrieved Update Sets → Import Update Set from XML → choose
the file → Upload.
- Open the loaded update set → Preview Update Set → then Commit Update Set.
4. Connect your range
In your PDI, open System Properties (search All for these names) and set:
| Property | Value |
| --- | --- |
| x_snc_ctf_range.handle | the same email you registered on the scoreboard with |
| x_snc_ctf_range.range_url | the range URL from your instructor (it ends in /range) |
| x_snc_ctf_range.enroll_token | the enrollment token from your instructor |
Then open CTF Range → Set up my CTF range. Your security incidents are created
right in your SIR queue. (Re-run it any time — it won't create duplicates.)
5. Play
Open your Security Incident list (All → Security Incident → Incidents). You'll
find five linked incidents — a phishing email that becomes malware, lateral movement,
data exfiltration, and a campaign-correlation review.
For each challenge on the scoreboard, find the answer in your incidents and submit it.
Indicators live in:
- Observables (related list / Threat Intelligence) — IPs, domains, file hashes, URLs.
- Work notes — process trees, detection sources, callback (C2) domains, entry
points, business impact, containment actions, stolen accounts, data volumes.
- Affected CIs — hostnames, the CI owner (Assigned to), and how many were hit.
- Incident fields — priority, category, assignment group.
- The attachment on the phishing incident.
Answers are case-insensitive where it makes sense (hashes, names, hostnames) and
exact for the planted tokens and numeric counts.
Two flags you have to earn
Two answers stay hidden until you do the work:
- Stage 2 — Detonation Verdict: open the malware incident and click Run Sandbox
Detonation. A new work note appears with the verdict token.
- Stage 4 — Containment Receipt: close the containment task (set it to Closed
Complete) first, then click Get Containment Receipt to reveal the token.
Tips
- Use the same handle everywhere — if your scoreboard email and the handle
property differ, your flags won't match and submissions will fail.
- Stuck on a challenge? Most have a hint that tells you where to look.
- Start with the low-point challenges in each category to learn the queue, then chase
the correlation and gated flags for the big points.
- Triage like it's real — because the queue is.