Simulations

List of attack simulations
Attack simulations performed for this campaign. This table gives an overview of every event executed, together with its main technical characteristics.



Campaign simulation selection (section 1)

A campaign may consist of multiple simulations (the first one is a calibration simulation, the others are control tests).
The panel at the top left allows you to select the simulation of the campaign displayed. By default, only the calibration simulation is available. If the campaign is calibrated, the control test simulations performed are also displayed.
The status of the selected simulation is displayed, together with the start date/time and the number of events for which detection has not yet been qualified.
Hint: Use the Mark my campaign as calibrated button to change the campaign status and freeze the results of its first simulation. You can then run control tests that replay all the events of this campaign to assess how their detection is progressing.

Simulation events list

Events list (section 2)

The table presents all the events executed for the campaign with the following information:
  • Execution status
  • Event number and name
  • Date and time of execution
  • Severity (red = high, yellow = low)
  • Availability of IOC, Sigma rule, comments or evidence associated with the event
  • Event type (network, windows, linux or macos)
  • MITRE ATT&CK tactic associated with the event
  • Event execution source
  • Event targets
  • Event detection status
  • Event detection
  • Reaction following the event
  • Time to Detect (TTD)
  • Time to React (TTR)

You can choose which columns to display using the button located at the top right.

Hint: The area at the bottom of the screen indicates the total number of events and allows you to choose how many events are displayed per screen.


Selecting and filtering

To make working with the simulation events list easier, several features are available:
  • Choice of event display order: by date or event ID
  • Application of filters: event start time, severity, type, comments, proofs, Sigma rule, IOC, MITRE ATT&CK Tactic, detection status, detection source, reaction
  • Search field


Campaign data export

All data related to the campaign can be exported:
  • A .csv file containing all the technical information of the events
  • A zip archive containing all the evidence added to the events


Qualify events status

The events list lets you quickly set the detection status of each event. The default status is Unqualified. Three other statuses are possible: Undetected, Logged and Alerted.

The number of unqualified events is displayed at the top left, under the name of the simulation. Qualifying every event gives complete results and therefore a better evaluation of the effectiveness of the defensive measures. The detection status is the criterion with the most impact on the score calculation.
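The following script is an added example, not part of the product documentation, that shows what a defender typically does with the .csv export described above: tally the detection statuses, flag events that are still Unqualified, compute mean Time to Detect and Time to React over the detected events, and compare a calibration export with a control test export to see whether detection has progressed. The page does not document the column names of the export, so the layout used here (event_id, severity, detection_status, ttd_seconds, ttr_seconds, ...) and both sample exports are constructed assumptions; the score formula is also not documented and is deliberately not reproduced.

```python
"""Summarise and compare campaign CSV exports (added example; column layout assumed)."""
import csv
import io
from collections import Counter
from statistics import mean

# Statuses named on the page, ordered from least to most detection.
STATUSES = ("Unqualified", "Undetected", "Logged", "Alerted")
RANK = {s: i for i, s in enumerate(STATUSES)}

# Constructed calibration export; column names are assumed, not the product's own.
CALIBRATION_CSV = """event_id,name,severity,type,tactic,detection_status,ttd_seconds,ttr_seconds
1,Network scan,low,network,Discovery,Logged,120,
2,Credential dump,high,windows,Credential Access,Alerted,45,300
3,Scheduled task persistence,high,windows,Persistence,Undetected,,
4,SSH brute force,low,linux,Credential Access,Unqualified,,
5,Lateral movement,high,windows,Lateral Movement,Alerted,600,900
"""

# Constructed control test export replaying the same events after tuning.
CONTROL_CSV = """event_id,name,severity,type,tactic,detection_status,ttd_seconds,ttr_seconds
1,Network scan,low,network,Discovery,Logged,110,
2,Credential dump,high,windows,Credential Access,Alerted,40,240
3,Scheduled task persistence,high,windows,Persistence,Alerted,90,500
4,SSH brute force,low,linux,Credential Access,Logged,300,
5,Lateral movement,high,windows,Lateral Movement,Logged,700,
"""


def parse_export(text):
    """Parse one export; reject unknown statuses, turn empty TTD/TTR into None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        status = row["detection_status"]
        if status not in STATUSES:
            raise ValueError(f"unknown detection status {status!r} on event {row['event_id']}")
        row["ttd_seconds"] = int(row["ttd_seconds"]) if row["ttd_seconds"] else None
        row["ttr_seconds"] = int(row["ttr_seconds"]) if row["ttr_seconds"] else None
        rows.append(row)
    return rows


def summarise(rows):
    """Counts per status, detection rate among qualified events, mean TTD/TTR."""
    counts = Counter(r["detection_status"] for r in rows)
    qualified = [r for r in rows if r["detection_status"] != "Unqualified"]
    detected = [r for r in qualified if r["detection_status"] in ("Logged", "Alerted")]
    ttd = [r["ttd_seconds"] for r in detected if r["ttd_seconds"] is not None]
    ttr = [r["ttr_seconds"] for r in detected if r["ttr_seconds"] is not None]
    return {
        "total": len(rows),
        "counts": dict(counts),
        "unqualified": counts["Unqualified"],
        # Only qualified events are meaningful; Unqualified ones are excluded.
        "detection_rate": len(detected) / len(qualified) if qualified else None,
        "mean_ttd": mean(ttd) if ttd else None,
        "mean_ttr": mean(ttr) if ttr else None,
        # High-severity events with no detection at all deserve first attention.
        "high_undetected": [r["event_id"] for r in rows
                            if r["severity"] == "high" and r["detection_status"] == "Undetected"],
    }


def compare(baseline_rows, control_rows):
    """Per-event status change between a calibration run and a control test."""
    base = {r["event_id"]: r["detection_status"] for r in baseline_rows}
    improved, regressed = [], []
    for r in control_rows:
        before = base.get(r["event_id"])
        if before is None:
            continue  # event not present in the calibration run
        delta = RANK[r["detection_status"]] - RANK[before]
        if delta > 0:
            improved.append(r["event_id"])
        elif delta < 0:
            regressed.append(r["event_id"])
    return {"improved": improved, "regressed": regressed}


if __name__ == "__main__":
    calib = parse_export(CALIBRATION_CSV)
    control = parse_export(CONTROL_CSV)
    print("calibration:", summarise(calib))
    print("control test:", summarise(control))
    print("progress:", compare(calib, control))
```

The comparison ranks statuses in the order the page lists them, so an event moving from Undetected to Alerted counts as improved and one moving from Alerted to Logged counts as regressed; in a real campaign you would run this against the exports of the calibration simulation and of each control test.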

Hint: Refer to the following section for an explanation of the possible event statuses.

Kill Switch: The kill switch protocol lets you stop the campaign. Note that once the kill switch protocol is activated, the campaign is blocked and all its actions are stopped.