@@ -9,28 +9,61 @@ This integration works across multiple entities:
99- Reports
1010- Grouping
1111- Incident Response
12+ - Malware
13+ - Campaigns
14+ - Intrusion
1215- Request For Information
1316- Request For Takedown
1417
1518![ simulate button] ( assets/simulate-btn.png )
1619
17- When you click on the simulate button, you’ll have two options :
20+ When you click on the "Simulate" button, a form will appear with the following fields :
1821
19- - Generate a scenario based on technical injects
20- - Generate a scenario based on email injects, using AI to automatically generate email content
22+ | Property | Description |
23+ | ------------------------------------------------------------------| ---------------------------------------------------------------|
24+ | Simulation type | Can be either "Technical" (payloads) or "Simulated" (emails) |
25+ | Interval between injection (in minutes) | The time between each injection execution |
26+ | Number of injects generated by attack <br />pattern and platform | |
27+
28+ ![ simulation simulated] ( assets/octi-form-options.png )
29+ ![ simulation simulated] ( assets/octi-form-simulated.png )
30+
31+ If you choose the "Technical" (payloads) simulation type, you will also need to fill in the following fields:
32+
33+ | Property | Description |
34+ | ------------------------------------------------------------------| --------------------------------------------------------------------|
35+ | Targeted platforms | Supported platforms for executing the TTPs (Windows, Linux, macOS) |
36+ | Targeted architecture | Supported architectures for executing the TTPs (x86_64, arm64) |
37+
38+ ![ simulation technical(payloads)] ( assets/octi-form-technical.png )
39+ ![ simulation technical(payloads)] ( assets/octi-form-tech-arch.png )
40+ ![ simulation technical(payloads)] ( assets/octi-alert-technical.png )
2141
2242It’s essential to understand that a scenario creation for these entities relies on matching TTPs between OpenCTI and
2343OpenBAS. You’ll need to ensure that the TTPs in both platforms are aligned. For instance, if your report contains the
24- TTP T1059.001, a scenario can be created with an inject, provided OpenBAS also includes T1059.001.
44+ TTP T1059.001, a scenario can be created with an inject, provided OpenBAS also includes T1059.001. Otherwise, an
45+ inject with a placeholder will be created instead for this TTP.
46+
47+ If these TTPs are not supported by OpenBAS, you will receive an alert listing the uncovered TTPs.
2548
26- When generating a scenario from OpenCTI, a scenario is created and can be accessed from the scenarios screen. The
49+ ![ ttps not covered obas] ( assets/octi-ttps-no-covered.png )
50+
51+ When generating a scenario from OpenCTI, a scenario is created in OpenBas and can be accessed from the scenarios screen. The
2752scenario name will include a reference to OpenCTI, indicating its origin. This scenario will automatically contain
2853relevant sequences of injects based on the threat context identified in OpenCTI.
2954
55+ ![ Scenario OpenBAS] ( assets/scenario-openbas.png )
56+
57+ ![ Scenario OpenBAS] ( assets/inject-scenario-openbas.png )
58+
59+ ![ Scenario OpenBAS] ( assets/inject-placeholder.png )
60+
3061However, it's important to review and potentially customize the scenario to ensure it meets your organization's specific
3162requirements. Additionally, you'll need to select appropriate [ targets] ( ../targets.md ) for the injects within the
3263scenario.
3364
65+ ![ Scenario OpenBAS] ( assets/inject-ttp.png )
66+
3467Once you've finalized the scenario, you can schedule your simulation as you would do for any other scenarios. The overall
3568results of the simulation will also be available directly within OpenCTI, providing insights into the threat context
3669upon which the scenario is based.
0 commit comments