Scenarios are the core of BAS testing. They define what to test, how to test it safely, and what detections to expect.
```clojure
{:scenario/id "unique-id-001"
 :scenario/name "Human-readable name"
 :scenario/description "Detailed description of what this scenario validates"
 :scenario/risk-level :low ;; :low, :medium, :high
 :scenario/category "Category name"

 ;; Execution phases
 :scenario/phases
 [{:phase/id "phase-1"
   :phase/name "Phase Name"
   :phase/actions
   [{:action/type :action-type-here
     :action/target "what to test"
     :action/description "What this action does"
     :action/parameters {...}}]}]

 ;; Expected detections
 :scenario/expected-detections
 [{:detection/rule "Rule name"
   :detection/source "SIEM/EDR/etc"
   :detection/min-confidence 0.8
   :detection/description "What should be detected"}]

 ;; Optional
 :scenario/preconditions [...]
 :scenario/success-criteria [...]
 :scenario/timeout-minutes 30}
```

The `:validate_telemetry` action validates that specific telemetry is being collected:
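As an added example (not code from the project itself), the following clojure.spec definitions encode the template above so that a malformed scenario is rejected before it is stored or executed: the risk level must be one of the three listed keywords, every phase needs at least one action, every expected detection needs a rule, a source and a confidence threshold in [0, 1], and the timeout, when present, must be a positive integer. The namespace name, the `::action`/`::phase`/`::detection` spec names and the requirement that every action carry an `:action/target` are assumptions made here, not the orchestrator's real schema.

```clojure
;; Added example, not the project's own code: structural validation of a
;; scenario map with clojure.spec before it is stored or executed. Which keys
;; are required and the spec names below are assumptions; the executor's real
;; schema (orchestrator/src/.../executor.clj) is not shown on this page.
(ns bas.scenario-spec
  (:require [clojure.spec.alpha :as s]))

(s/def :scenario/id (s/and string? not-empty))
(s/def :scenario/name (s/and string? not-empty))
(s/def :scenario/description string?)
(s/def :scenario/risk-level #{:low :medium :high})   ; the three levels the template allows
(s/def :scenario/category string?)
(s/def :scenario/timeout-minutes pos-int?)           ; zero or negative would never stop a run
(s/def :scenario/preconditions vector?)
(s/def :scenario/success-criteria vector?)

;; Actions: a type is mandatory; the target may be a keyword (:dns-logs) or a string.
(s/def :action/type keyword?)
(s/def :action/target (s/or :keyword keyword? :string string?))
(s/def :action/description string?)
(s/def :action/parameters map?)
(s/def ::action (s/keys :req [:action/type :action/target]
                        :opt [:action/description :action/parameters]))

(s/def :phase/id (s/and string? not-empty))
(s/def :phase/name string?)
(s/def :phase/actions (s/coll-of ::action :kind vector? :min-count 1))
(s/def ::phase (s/keys :req [:phase/id :phase/actions] :opt [:phase/name]))
(s/def :scenario/phases (s/coll-of ::phase :kind vector? :min-count 1))

;; Expected detections: the confidence threshold is a probability, so it must lie in [0, 1].
(s/def :detection/rule (s/and string? not-empty))
(s/def :detection/source (s/and string? not-empty))
(s/def :detection/min-confidence (s/and number? #(<= 0 % 1)))
(s/def :detection/description string?)
(s/def ::detection (s/keys :req [:detection/rule :detection/source :detection/min-confidence]
                           :opt [:detection/description]))
(s/def :scenario/expected-detections (s/coll-of ::detection :kind vector? :min-count 1))

(s/def ::scenario
  (s/keys :req [:scenario/id :scenario/name :scenario/description :scenario/risk-level
                :scenario/category :scenario/phases :scenario/expected-detections]
          :opt [:scenario/preconditions :scenario/success-criteria :scenario/timeout-minutes]))

(defn validate-scenario
  "Returns nil when the scenario is well-formed, otherwise the list of spec problems
   (each carries :in, the path into the offending value, and :pred, the failed test)."
  [scenario]
  (when-not (s/valid? ::scenario scenario)
    (::s/problems (s/explain-data ::scenario scenario))))

;; The RDP example scenario from this page, used as the well-formed input.
(def rdp-scenario
  {:scenario/id "rdp-bruteforce-sim-001"
   :scenario/name "RDP Brute Force Simulation (Benign)"
   :scenario/description "Simulates failed RDP login attempts to validate IDS/IPS detection"
   :scenario/risk-level :low
   :scenario/category "Authentication Testing"
   :scenario/phases
   [{:phase/id "simulate"
     :phase/name "Simulate Failed Logins"
     :phase/actions
     [{:action/type :simulate_auth_events
       :action/target :rdp-service
       :action/description "Generate failed RDP login attempts"
       :action/parameters {:protocol "RDP" :attempts 10 :interval_seconds 5
                           :source_ip "10.0.1.50" :target_ip "10.0.1.100"
                           :username "testuser"}}]}]
   :scenario/expected-detections
   [{:detection/rule "Multiple Failed RDP Logins"
     :detection/source "IDS"
     :detection/min-confidence 0.9
     :detection/description "IDS should detect brute force pattern"}
    {:detection/rule "Anomalous Authentication Activity"
     :detection/source "SIEM"
     :detection/min-confidence 0.7}]
   :scenario/timeout-minutes 10})

(println "valid example:" (validate-scenario rdp-scenario))
(println "bad risk level:"
         (map :in (validate-scenario (assoc rdp-scenario :scenario/risk-level :critical))))
(println "bad confidence:"
         (map :in (validate-scenario
                   (assoc-in rdp-scenario
                             [:scenario/expected-detections 0 :detection/min-confidence] 1.5))))
```

`validate-scenario` returns nil for the RDP example and a list of problems otherwise; each problem's `:in` is the path into the offending value, for instance `[:scenario/risk-level]` when the level is set to `:critical`. Running this check in CI on everything under `playbooks/` catches a typo such as `:risk-level` instead of `:scenario/risk-level` before it reaches the executor.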
```clojure
{:action/type :validate_telemetry
 :action/target :dns-logs
 :action/assertions
 [{:field :timestamp :required true}
  {:field :query :required true}
  {:field :response :required true}]}
```

The `:simulate_auth_events` action generates benign authentication events that follow a given pattern (attempt count, interval, source addresses, time of day), so detection logic is exercised without any real attack traffic:
```clojure
{:action/type :simulate_auth_events
 :action/target :test-account
 :action/parameters
 {:attempts 5
  :interval_seconds 30
  :source_ips ["10.0.1.100"]
  :time_of_day "02:00"}}
```

The `:check_hardening` action validates security hardening configurations against expected values:
```clojure
{:action/type :check_hardening
 :action/target :endpoint-config
 :action/checks
 [{:name "PowerShell logging enabled"
   :expected true}]}
```

When writing scenarios:

- Always use `:scenario/risk-level :low` for initial testing
- Never include actual exploits - only simulate patterns
- Validate allowlist - all targets must be in scope
- Set realistic timeouts - prevent runaway executions
- Document expected detections - what SHOULD be detected
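To show how an executor consumes the action maps above, here is an added example (not the project's `executor.clj`): a multimethod dispatching on `:action/type` that evaluates `:validate_telemetry` assertions against a batch of log records and `:check_hardening` checks against an endpoint configuration map, and reports any other type, including `:simulate_auth_events` (which needs a live target), as unsupported rather than silently skipping it. The context map keys `:records` and `:config`, the sample DNS records and the configuration map are constructed for the example.

```clojure
;; Added example, not the project's executor: a multimethod over :action/type that
;; evaluates the two action types that can be checked offline. The context map
;; (:records for telemetry, :config for the endpoint) and the sample data below
;; are assumptions constructed for this example.
(ns bas.actions)

(defmulti run-action
  "Runs one action against a context map; returns {:status :pass | :fail | :unsupported ...}."
  (fn [action _ctx] (:action/type action)))

;; :validate_telemetry: every collected record must carry each field that the
;; action marks :required true; a missing or nil field is reported per record.
(defmethod run-action :validate_telemetry
  [{:keys [action/assertions]} {:keys [records]}]
  (let [required (map :field (filter :required assertions))
        missing  (for [[i rec] (map-indexed vector records)
                       f required
                       :when (nil? (get rec f))]
                   {:record i :field f})]
    {:status  (if (and (seq records) (empty? missing)) :pass :fail)
     :records (count records)
     :missing (vec missing)}))

;; :check_hardening: compare each named check against the observed configuration.
;; An empty check list cannot pass, so a half-written action does not look green.
(defmethod run-action :check_hardening
  [{:keys [action/checks]} {:keys [config]}]
  (let [results (for [{:keys [name expected]} checks
                      :let [actual (get config name ::absent)]]
                  {:name name :expected expected :actual actual :ok (= expected actual)})]
    {:status (if (and (seq results) (every? :ok results)) :pass :fail)
     :checks (vec results)}))

;; Anything else (including :simulate_auth_events, which needs a live target) is
;; reported explicitly, so a typo in :action/type cannot turn into a "passing" phase.
(defmethod run-action :default
  [action _ctx]
  {:status :unsupported :type (:action/type action)})

(defn run-phase
  "Runs every action of a phase and tags each result with the action type."
  [phase ctx]
  (mapv #(assoc (run-action % ctx) :action (:action/type %)) (:phase/actions phase)))

;; Constructed sample inputs: two DNS records (the second lacks :response) and
;; an endpoint configuration keyed by check name.
(def dns-records
  [{:timestamp "2024-05-01T02:00:01Z" :query "example.internal" :response "10.0.1.20"}
   {:timestamp "2024-05-01T02:00:02Z" :query "api.example.internal"}])

(def endpoint-config {"PowerShell logging enabled" true})

(def sample-phase
  {:phase/id "telemetry"
   :phase/actions
   [{:action/type :validate_telemetry
     :action/target :dns-logs
     :action/assertions [{:field :timestamp :required true}
                         {:field :query :required true}
                         {:field :response :required true}]}
    {:action/type :check_hardening
     :action/target :endpoint-config
     :action/checks [{:name "PowerShell logging enabled" :expected true}]}
    {:action/type :simulate_auth_events
     :action/target :test-account
     :action/parameters {:attempts 5 :interval_seconds 30}}]})

(doseq [result (run-phase sample-phase {:records dns-records :config endpoint-config})]
  (println result))
```

Against the constructed DNS records the telemetry action fails with `:missing [{:record 1 :field :response}]`, the hardening check passes, and the simulation action is reported as `:unsupported`. Keeping the per-record detail in the result is what makes a failed telemetry assertion actionable: the detection team can see which collector dropped which field, not just that a phase went red.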
A complete scenario, simulating a benign RDP brute-force pattern against a lab host:

```clojure
{:scenario/id "rdp-bruteforce-sim-001"
 :scenario/name "RDP Brute Force Simulation (Benign)"
 :scenario/description "Simulates failed RDP login attempts to validate IDS/IPS detection"
 :scenario/risk-level :low
 :scenario/category "Authentication Testing"
 :scenario/phases
 [{:phase/id "simulate"
   :phase/name "Simulate Failed Logins"
   :phase/actions
   [{:action/type :simulate_auth_events
     :action/target :rdp-service
     :action/description "Generate failed RDP login attempts"
     :action/parameters
     {:protocol "RDP"
      :attempts 10
      :interval_seconds 5
      :source_ip "10.0.1.50"
      :target_ip "10.0.1.100"
      :username "testuser"}}]}]
 :scenario/expected-detections
 [{:detection/rule "Multiple Failed RDP Logins"
   :detection/source "IDS"
   :detection/min-confidence 0.9
   :detection/description "IDS should detect brute force pattern"}
  {:detection/rule "Anomalous Authentication Activity"
   :detection/source "SIEM"
   :detection/min-confidence 0.7}]
 :scenario/timeout-minutes 10}
```

Save the scenario as an EDN file in the `playbooks/` directory:
```clojure
;; File: playbooks/my-scenario.edn
{:scenario/id "my-scenario-001"
 ...}
```

Then insert it via a migration or the API:
```sql
INSERT INTO scenarios (id, name, description, risk_level, category, phases, expected_detections)
VALUES ('my-scenario-001', 'My Scenario', '...', 'low', 'Custom', '{...}'::jsonb, '{...}'::jsonb);
```

Note that `phases` and `expected_detections` are `jsonb` columns, so the EDN vectors have to be serialized as JSON before insertion; keyword values such as `:low` become plain strings, as `risk_level` shows.

To run it:

- Create an Exercise referencing your scenario
- Set allowlist to lab environment only
- Provide proof of authorization
- Approve and execute
- Review results and detections
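The allowlist and authorization steps above can be enforced mechanically before anything is approved. The following is an added example (not the orchestrator's own gate) of a preflight check that blocks an exercise when no proof of authorization is attached, the scenario is not `:scenario/risk-level :low`, no positive timeout is set, or any IP-valued action parameter falls outside the lab allowlist. The exercise map shape (`:scenario`, `:allowlist`, `:authorization`) and the convention that IP parameters are keys ending in `ip` or `ips` (as `:source_ip`, `:target_ip` and `:source_ips` do on this page) are assumptions.

```clojure
;; Added example, not the orchestrator's own gate: a preflight check run before
;; an Exercise is approved. The exercise map shape and the rule that IP-valued
;; parameters are keys ending in "ip" or "ips" are assumptions for this example.
(ns bas.preflight
  (:require [clojure.string :as str]))

(defn ipv4->long
  "Parses a dotted-quad IPv4 address into its 32-bit value, or nil if malformed."
  [s]
  (let [parts (str/split (str s) #"\.")]
    (when (and (= 4 (count parts)) (every? #(re-matches #"\d{1,3}" %) parts))
      (let [octets (map #(Long/parseLong %) parts)]
        (when (every? #(<= 0 % 255) octets)
          (reduce #(+ (* %1 256) %2) 0 octets))))))

(defn in-cidr?
  "True when ip lies inside cidr (e.g. \"10.0.1.0/24\"); false for anything malformed."
  [ip cidr]
  (let [[net bits] (str/split cidr #"/" 2)
        bits  (when (and bits (re-matches #"\d{1,2}" bits)) (Long/parseLong bits))
        ip-n  (ipv4->long ip)
        net-n (ipv4->long net)]
    (boolean
     (when (and ip-n net-n bits (<= 0 bits 32))
       (let [mask (bit-and 0xFFFFFFFF (bit-shift-left -1 (- 32 bits)))]
         (= (bit-and ip-n mask) (bit-and net-n mask)))))))

(defn ip-parameters
  "Every IP-valued action parameter across all phases (scalar or list values)."
  [scenario]
  (for [phase  (:scenario/phases scenario)
        action (:phase/actions phase)
        [k v]  (:action/parameters action)
        :when  (re-find #"ips?$" (name k))
        ip     (if (coll? v) v [v])]
    {:phase (:phase/id phase) :action (:action/type action) :param k :ip ip}))

(defn preflight
  "Returns a vector of blocking problems; an empty vector means the exercise may be approved.
   An empty allowlist places every target out of scope, which is the safe default."
  [{:keys [scenario allowlist authorization]}]
  (let [risk         (:scenario/risk-level scenario)
        timeout      (:scenario/timeout-minutes scenario)
        out-of-scope (remove (fn [{:keys [ip]}] (some #(in-cidr? ip %) allowlist))
                             (ip-parameters scenario))]
    (cond-> []
      (str/blank? authorization) (conj "no proof of authorization attached")
      (not= :low risk)           (conj (str "risk level " risk " is not :low"))
      (not (pos-int? timeout))   (conj "no positive :scenario/timeout-minutes set")
      (seq out-of-scope)         (into (map #(str "target " (:ip %) " (" (:param %)
                                                  ") is outside the allowlist")
                                            out-of-scope)))))

;; The RDP example scenario from this page, reduced to the keys preflight reads.
(def rdp-scenario
  {:scenario/id "rdp-bruteforce-sim-001"
   :scenario/risk-level :low
   :scenario/timeout-minutes 10
   :scenario/phases
   [{:phase/id "simulate"
     :phase/actions
     [{:action/type :simulate_auth_events
       :action/target :rdp-service
       :action/parameters {:protocol "RDP" :attempts 10 :interval_seconds 5
                           :source_ip "10.0.1.50" :target_ip "10.0.1.100"
                           :username "testuser"}}]}]})

;; Lab allowlist covers both addresses and an authorization record is attached.
(println (preflight {:scenario rdp-scenario :allowlist ["10.0.1.0/24"]
                     :authorization "signed authorization memo on file (constructed)"}))
;; Wrong subnet and no authorization attached.
(println (preflight {:scenario rdp-scenario :allowlist ["10.0.2.0/24"] :authorization nil}))
```

With the RDP example scenario and an allowlist of `10.0.1.0/24`, `preflight` returns an empty vector; switch the allowlist to `10.0.2.0/24` and drop the authorization, and it reports the missing proof plus both `10.0.1.50` and `10.0.1.100` as outside the allowlist. The check is deliberately IPv4-only; a hostname in an action parameter would have to be resolved and checked against the allowlist before approval rather than waved through.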
Tips:

- Start simple, add complexity gradually
- Test in isolated lab first
- Document expected vs actual detections
- Iterate based on results
- Share successful scenarios with team
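Comparing expected and actual detections is easier to do from the scenario's own `:scenario/expected-detections` than by hand. The following is an added example (not the project's reporting code) that matches each expected detection against the alerts observed during the run by rule name and source, distinguishes rules that fired at or above their `:detection/min-confidence` from those that fired too weakly or not at all, and also lists alerts nobody expected. The observed alert shape `{:rule :source :confidence}` and the sample alerts are constructed for the example.

```clojure
;; Added example, not the project's reporting code: compare the scenario's expected
;; detections with the alerts observed during a run. The observed alert shape
;; {:rule :source :confidence} and the sample alerts are constructed for this example.
(ns bas.coverage
  (:require [clojure.string :as str]))

(defn- same-rule?
  "An alert matches an expected detection when rule and source agree (source case-insensitively)."
  [expected alert]
  (and (= (:detection/rule expected) (:rule alert))
       (= (str/lower-case (str (:detection/source expected)))
          (str/lower-case (str (:source alert))))))

(defn detection-coverage
  "One result per expected detection: :detected when the rule fired at or above
   :detection/min-confidence, :low-confidence when it fired below it, :missed otherwise."
  [expected-detections alerts]
  (vec
   (for [exp expected-detections
         :let [hits      (filter #(same-rule? exp %) alerts)
               best      (when (seq hits) (apply max (map :confidence hits)))
               threshold (:detection/min-confidence exp)]]
     {:rule (:detection/rule exp)
      :source (:detection/source exp)
      :min-confidence threshold
      :observed-confidence best
      :status (cond (nil? best)         :missed
                    (< best threshold)  :low-confidence
                    :else               :detected)})))

(defn unexpected-alerts
  "Alerts that fired but match no expected detection: document these too, they are
   either a gap in the scenario's expectations or noise the detection team should tune."
  [expected-detections alerts]
  (vec (remove (fn [a] (some #(same-rule? % a) expected-detections)) alerts)))

(defn summary
  "Counts per status plus the fraction of expected detections that met their threshold."
  [results]
  (let [counts (frequencies (map :status results))]
    (assoc counts :coverage (if (seq results)
                              (/ (double (:detected counts 0)) (count results))
                              0.0))))

;; Expected detections from the RDP example scenario on this page.
(def expected
  [{:detection/rule "Multiple Failed RDP Logins" :detection/source "IDS"
    :detection/min-confidence 0.9}
   {:detection/rule "Anomalous Authentication Activity" :detection/source "SIEM"
    :detection/min-confidence 0.7}])

;; Constructed sample alerts, not real IDS/SIEM/EDR output.
(def observed
  [{:rule "Multiple Failed RDP Logins" :source "IDS" :confidence 0.95}
   {:rule "Anomalous Authentication Activity" :source "siem" :confidence 0.55}
   {:rule "New Scheduled Task" :source "EDR" :confidence 0.8}])

(let [results (detection-coverage expected observed)]
  (doseq [r results] (println r))
  (println "unexpected:" (unexpected-alerts expected observed))
  (println "summary:" (summary results)))
```

For the RDP scenario's two expected detections and the constructed alerts, the IDS rule is `:detected`, the SIEM rule is `:low-confidence` (0.55 observed against a 0.7 threshold), the EDR alert is listed as unexpected, and `summary` reports a coverage of 0.5. A `:low-confidence` result is worth recording separately from a miss: the rule exists and saw the activity, so the fix is usually a threshold or enrichment change rather than a new detection.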
For reference:

- Check existing scenarios in `migrations/002-seed-data.sql`
- Review the orchestrator executor: `orchestrator/src/.../executor.clj`
- Ask the Purple Team Lead for guidance