diff --git a/docs/usage/scenario/assets/inject-placeholder.png b/docs/usage/scenario/assets/inject-placeholder.png new file mode 100644 index 00000000..9791b2c9 Binary files /dev/null and b/docs/usage/scenario/assets/inject-placeholder.png differ diff --git a/docs/usage/scenario/assets/inject-scenario-openbas.png b/docs/usage/scenario/assets/inject-scenario-openbas.png new file mode 100644 index 00000000..94827c5d Binary files /dev/null and b/docs/usage/scenario/assets/inject-scenario-openbas.png differ diff --git a/docs/usage/scenario/assets/inject-ttp.png b/docs/usage/scenario/assets/inject-ttp.png new file mode 100644 index 00000000..a37e08c6 Binary files /dev/null and b/docs/usage/scenario/assets/inject-ttp.png differ diff --git a/docs/usage/scenario/assets/octi-alert-technical.png b/docs/usage/scenario/assets/octi-alert-technical.png new file mode 100644 index 00000000..9ac75ead Binary files /dev/null and b/docs/usage/scenario/assets/octi-alert-technical.png differ diff --git a/docs/usage/scenario/assets/octi-form-options.png b/docs/usage/scenario/assets/octi-form-options.png new file mode 100644 index 00000000..b7118ff3 Binary files /dev/null and b/docs/usage/scenario/assets/octi-form-options.png differ diff --git a/docs/usage/scenario/assets/octi-form-simulated.png b/docs/usage/scenario/assets/octi-form-simulated.png new file mode 100644 index 00000000..2bf06c24 Binary files /dev/null and b/docs/usage/scenario/assets/octi-form-simulated.png differ diff --git a/docs/usage/scenario/assets/octi-form-tech-arch.png b/docs/usage/scenario/assets/octi-form-tech-arch.png new file mode 100644 index 00000000..023be6d6 Binary files /dev/null and b/docs/usage/scenario/assets/octi-form-tech-arch.png differ diff --git a/docs/usage/scenario/assets/octi-form-technical.png b/docs/usage/scenario/assets/octi-form-technical.png new file mode 100644 index 00000000..cdd1b0f2 Binary files /dev/null and b/docs/usage/scenario/assets/octi-form-technical.png differ 
diff --git a/docs/usage/scenario/assets/octi-ttps-no-covered.png b/docs/usage/scenario/assets/octi-ttps-no-covered.png new file mode 100644 index 00000000..183a5ac3 Binary files /dev/null and b/docs/usage/scenario/assets/octi-ttps-no-covered.png differ diff --git a/docs/usage/scenario/assets/scenario-openbas.png b/docs/usage/scenario/assets/scenario-openbas.png new file mode 100644 index 00000000..1e9c33bc Binary files /dev/null and b/docs/usage/scenario/assets/scenario-openbas.png differ diff --git a/docs/usage/scenario/opencti_scenario.md b/docs/usage/scenario/opencti_scenario.md index 51953a4f..bbe5ffa7 100644 --- a/docs/usage/scenario/opencti_scenario.md +++ b/docs/usage/scenario/opencti_scenario.md @@ -9,28 +9,61 @@ This integration works across multiple entities: - Reports - Grouping - Incident Response +- Malware +- Campaigns +- Intrusion - Request For Information - Request For Takedown ![simulate button](assets/simulate-btn.png) -When you click on the simulate button, you’ll have two options: +When you click on the "Simulate" button, a form will appear with the following fields: -- Generate a scenario based on technical injects -- Generate a scenario based on email injects, using AI to automatically generate email content +| Property | Description | +|------------------------------------------------------------------|---------------------------------------------------------------| +| Simulation type | Can be either "Technical" (payloads) or "Simulated" (emails) | +| Interval between injection (in minutes) | The time between each injection execution | +| Number of injects generated by attack
pattern and platform | | + +![simulation simulated](assets/octi-form-options.png) +![simulation simulated](assets/octi-form-simulated.png) + +If you choose the "Technical" (payloads) simulation type, you will also need to fill in the following fields: + +| Property | Description | +|------------------------------------------------------------------|--------------------------------------------------------------------| +| Targeted platforms | Supported platforms for executing the TTPs (Windows, Linux, macOS) | +| Targeted architecture | Supported architectures for executing the TTPs (x86_64, arm64) | + +![simulation technical(payloads)](assets/octi-form-technical.png) +![simulation technical(payloads)](assets/octi-form-tech-arch.png) +![simulation technical(payloads)](assets/octi-alert-technical.png) It’s essential to understand that a scenario creation for these entities relies on matching TTPs between OpenCTI and OpenBAS. You’ll need to ensure that the TTPs in both platforms are aligned. For instance, if your report contains the -TTP T1059.001, a scenario can be created with an inject, provided OpenBAS also includes T1059.001. +TTP T1059.001, a scenario can be created with an inject, provided OpenBAS also includes T1059.001. Otherwise, an +inject with a placeholder will be created instead for this TTP. + +If these TTPs are not supported by OpenBAS, you will receive an alert listing the uncovered TTPs. -When generating a scenario from OpenCTI, a scenario is created and can be accessed from the scenarios screen. The +![ttps not covered obas](assets/octi-ttps-no-covered.png) + +When generating a scenario from OpenCTI, a scenario is created in OpenBas and can be accessed from the scenarios screen. The scenario name will include a reference to OpenCTI, indicating its origin. This scenario will automatically contain relevant sequences of injects based on the threat context identified in OpenCTI. 
+![Scenario OpenBAS](assets/scenario-openbas.png) + +![Scenario OpenBAS](assets/inject-scenario-openbas.png) + +![Scenario OpenBAS](assets/inject-placeholder.png) + However, it's important to review and potentially customize the scenario to ensure it meets your organization's specific requirements. Additionally, you'll need to select appropriate [targets](../targets.md) for the injects within the scenario. +![Scenario OpenBAS](assets/inject-ttp.png) + Once you've finalized the scenario, you can schedule your simulation as you would do for any other scenarios. The overall results of the simulation will also be available directly within OpenCTI, providing insights into the threat context upon which the scenario is based.
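Review bot: the third row of the form-fields table ("Number of injects generated by attack pattern and platform") has an empty Description cell, so the reader cannot tell whether this value is a per-pattern cap or a total; fill it in, for example `| Number of injects generated by attack pattern and platform | Maximum number of injects created for each attack pattern / platform pair |` if that is the actual behaviour. Smaller points in the same hunk: "Intrusion" in the entity list looks truncated (the OpenCTI entity is "Intrusion Set"); "OpenBas" in "a scenario is created in OpenBas" should match the "OpenBAS" spelling used everywhere else; "Interval between injection (in minutes)" reads better as "Interval between injections (in minutes)"; and the image alt texts are reused ("simulation simulated" for both octi-form-options.png and octi-form-simulated.png, "Scenario OpenBAS" for scenario-openbas.png, inject-scenario-openbas.png, inject-placeholder.png and inject-ttp.png), so give each one a description of what the screenshot shows (the form options, the placeholder inject, the inject's TTP, and so on) to keep the docs accessible and searchable.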