[doc] Update opencti generating scenario doc

OpenBAS-Platform · Dec 13, 2024 · 22961be · 22961be
1 parent c5661f8
commit 22961be
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 4 deletions.
diff --git a/docs/usage/scenario/assets/octi-alert-technical.png b/docs/usage/scenario/assets/octi-alert-technical.png
diff --git a/docs/usage/scenario/assets/octi-form-options.png b/docs/usage/scenario/assets/octi-form-options.png
diff --git a/docs/usage/scenario/assets/octi-form-simulated.png b/docs/usage/scenario/assets/octi-form-simulated.png
diff --git a/docs/usage/scenario/assets/octi-form-tech-arch.png b/docs/usage/scenario/assets/octi-form-tech-arch.png
diff --git a/docs/usage/scenario/assets/octi-form-technical.png b/docs/usage/scenario/assets/octi-form-technical.png
diff --git a/docs/usage/scenario/assets/octi-ttp-not-covered.png b/docs/usage/scenario/assets/octi-ttp-not-covered.png
diff --git a/docs/usage/scenario/opencti_scenario.md b/docs/usage/scenario/opencti_scenario.md
@@ -10,22 +10,43 @@ This integration works across multiple entities:
 - Grouping
 - Incident Response
 - Malware
-- Campaings
+- Campaigns
 - Intrusion
 - Request For Information
 - Request For Takedown
 
 ![simulate button](assets/simulate-btn.png)
 
-When you click on the simulate button, you’ll have two options:
+When you click the "Simulate" button, a form will appear with the following fields:
 
-- Generate a scenario based on technical injects
-- Generate a scenario based on email injects, using AI to automatically generate email content
+| Property                                                         | Description                                                   |
+|------------------------------------------------------------------|---------------------------------------------------------------|
+| Simulation type                                                  | Can be either "Technical" (payloads) or "Simulated" (emails)  |
+| Interval between injection (in minutes)                          | The time between each injection execution                         |
+| Number of injects generated by attack <br/>pattern and platform  |                                                               |
+
+![simulation simulated](assets/octi-form-options.png)
+![simulation simulated](assets/octi-form-simulated.png)
+
+If you choose the "Technical" (payloads) simulation type, you will also need to fill in the following fields:
+
+| Property                                                         | Description                                                        |
+|------------------------------------------------------------------|--------------------------------------------------------------------|
+| Targeted platforms                                               | Supported platforms for executing the TTPs (Windows, Linux, macOS) |
+| Targeted architecture                                            | Supported architectures for executing the TTPs (x86_64, arm64)     |
+
+![simulation technical(payloads)](assets/octi-form-technical.png)
+![simulation technical(payloads)](assets/octi-form-tech-arch.png)
+![simulation technical(payloads)](assets/octi-alert-technical.png)
 
 It’s essential to understand that a scenario creation for these entities relies on matching TTPs between OpenCTI and
 OpenBAS. You’ll need to ensure that the TTPs in both platforms are aligned. For instance, if your report contains the
 TTP T1059.001, a scenario can be created with an inject, provided OpenBAS also includes T1059.001.
 
+If these TTPs are not supported by OpenBAS, you will receive an alert listing the uncovered TTPs.
+
+![ttps not covered obas](assets/octi-ttp-not-covered.png)
+
 When generating a scenario from OpenCTI, a scenario is created and can be accessed from the scenarios screen. The
 scenario name will include a reference to OpenCTI, indicating its origin. This scenario will automatically contain
 relevant sequences of injects based on the threat context identified in OpenCTI.