diff --git a/docs/usage/assets/atomic_testing_detection_remediation_human.png b/docs/usage/assets/atomic_testing_detection_remediation_human.png new file mode 100644 index 00000000..ff73b894 Binary files /dev/null and b/docs/usage/assets/atomic_testing_detection_remediation_human.png differ diff --git a/docs/usage/assets/atomic_testing_detection_remediation_no_present.png b/docs/usage/assets/atomic_testing_detection_remediation_no_present.png index feae1360..7c455f7b 100644 Binary files a/docs/usage/assets/atomic_testing_detection_remediation_no_present.png and b/docs/usage/assets/atomic_testing_detection_remediation_no_present.png differ diff --git a/docs/usage/assets/atomic_testing_detection_remediation_no_present_use_ariane_not_available.png b/docs/usage/assets/atomic_testing_detection_remediation_no_present_use_ariane_not_available.png new file mode 100644 index 00000000..20fc112a Binary files /dev/null and b/docs/usage/assets/atomic_testing_detection_remediation_no_present_use_ariane_not_available.png differ diff --git a/docs/usage/assets/atomic_testing_detection_remediation_outdated.png b/docs/usage/assets/atomic_testing_detection_remediation_outdated.png new file mode 100644 index 00000000..295e286e Binary files /dev/null and b/docs/usage/assets/atomic_testing_detection_remediation_outdated.png differ diff --git a/docs/usage/assets/atomic_testing_detection_remediation_use_ariane.png b/docs/usage/assets/atomic_testing_detection_remediation_use_ariane.png new file mode 100644 index 00000000..54838f86 Binary files /dev/null and b/docs/usage/assets/atomic_testing_detection_remediation_use_ariane.png differ diff --git a/docs/usage/atomic.md b/docs/usage/atomic.md index 89174192..d74a0777 100644 --- a/docs/usage/atomic.md +++ b/docs/usage/atomic.md 
@@ -11,22 +11,7 @@ The presented list allows you to easily see global scores of all your recent ato ![Example of Atomic testing](assets/atomic_list.png) ## Search the list - -You can search the list using the name or one the filters. Here are the available filters for this list. - -![Atomic testing filters list](assets/atomic_list_filter_attributes.png) - -Once you choose the attribute you want to apply a filter on, you can choose the operator. - -![Atomic testing filters operators](assets/atomic_list_filter_operator.png) - -Then you have the list of values for the attributes you choose. - -![Atomic testing filters attributes values](assets/atomic_list_filter_elements.png) - -Here is the list once you apply the filter. - -![Atomic testing filters values](assets/atomic_list_filter_result.png) +- [Injects: Search and Filters](inject-result-list.md/#executed-injects-search-and-filters) ## Create an Atomic testing 
@@ -62,48 +47,8 @@ Details of an Atomic testing is composed of three parts: ![Atomic testing Overview with Results](assets/atomic_details_overview.png) ![Atomic testing Overview with Results](assets/atomic_details_tooltip.png) -### Overview - -The first screen displayed when you click on a specific Atomic testing from the list is a breakdown of your security -posture against this test. - -As for Simulation and Scenario, Results are broken down into: - -- Prevention: the ability of your security posture to prevent the inject -- Detection: the ability of your security posture to detect the inject -- Human response: the ability of your security teams to react as intented facing the inject -- Vulnerability: the ability of your security posture to detect common vulnerabilities and exposures (CVEs) - -At the top, big metrics summarize how all targets performed. On the left, a list of targets lets you quickly check -results for each one. When you select a target, the right side shows a timeline of the test and its results, including -execution logs. - -![Atomic testing Overview with Results](assets/atomic_testing_overview.png) -![Atomic testing Overview with Results](assets/atomic_testing_overview_expectations.png) - -### Findings - -The Findings screen displays what was detected during the inject, based on the output parser in the payload. You can -filter findings by name, type, creation date, target, value, or tag. - -![Atomic testing Overview with Results](assets/atomic_testing_findings.png) - -### Execution details - -This screen shows the full trace of the inject’s execution, including logs and status information. - -![Execution trace of a successfull atomic testing](assets/atomic_testing_execution_details.png) - -### Payload info - -This screen is available for technical injects only. You can see the details of the payload related to the test. 
- -![Payload info of atomic testing](assets/atomic_testing_payload_info.png) - -### Remediations (EE) - -This screen is available for technical injects only. It displays remediation content related to the executed payload, -specifically focused on detection logic. You will see one Remediation tab per collector available in the platform. - -![Detection Remediations-no-present](assets/atomic_testing_detection_remediation_no_present.png) -![Detection Remediations](assets/atomic_testing_detection_remediation.png) +- [Overview](inject-result.md/#overview) +- [Findings](inject-result.md/#findings) +- [Inject execution details](inject-result.md/#execution-details) +- [Payload info](inject-result.md/#payload-info) +- [Remediation](inject-result.md/#remediations-ee) \ No newline at end of file diff --git a/docs/usage/inject-result-list.md b/docs/usage/inject-result-list.md new file mode 100644 index 00000000..5ca3d099 --- /dev/null +++ b/docs/usage/inject-result-list.md @@ -0,0 +1,17 @@ +## Executed Injects: Search and Filters + +You can search the list using the name or using one of the filters. Here are the available filters for this list. + +![Atomic testing filters list](assets/atomic_list_filter_attributes.png) + +Once you choose the attribute you want to apply a filter on, you can choose the operator. + +![Atomic testing filters operators](assets/atomic_list_filter_operator.png) + +Then you have the list of values for the attributes you choose. + +![Atomic testing filters attributes values](assets/atomic_list_filter_elements.png) + +Here is the list once you apply the filter. + +![Atomic testing filters values](assets/atomic_list_filter_result.png) \ No newline at end of file diff --git a/docs/usage/inject-result.md b/docs/usage/inject-result.md new file mode 100644 index 00000000..b5453e21 --- /dev/null +++ b/docs/usage/inject-result.md 
@@ -0,0 +1,65 @@ +# Inject result + +### Overview + +The first screen displayed when you click on a specific inject executed (Atomic testing or Simulation) is a breakdown of your security +posture against this test. + +Results are broken down into: + +- Prevention: the ability of your security posture to prevent the inject +- Detection: the ability of your security posture to detect the inject +- Human response: the ability of your security teams to react as intented facing the inject +- Vulnerability: the ability of your security posture to detect common vulnerabilities and exposures (CVEs) + +At the top, big metrics summarize how all targets performed. On the left, a list of targets lets you quickly check +results for each one. When you select a target, the right side shows a timeline of the test and its results, including +execution logs. + +![Atomic testing Overview with Results](assets/atomic_testing_overview.png) +![Atomic testing Overview with Results](assets/atomic_testing_overview_expectations.png) + +### Findings + +The Findings screen displays what was detected during the inject, based on the output parser in the payload. You can +filter findings by name, type, creation date, target, value, or tag. + +![Atomic testing Overview with Results](assets/atomic_testing_findings.png) + +### Execution details + +This screen shows the full trace of the inject’s execution, including logs and status information. + +![Execution trace of a successfull atomic testing](assets/atomic_testing_execution_details.png) + +### Payload info + +This screen is available for technical injects only. You can see the details of the payload related to the test. + +![Payload info of atomic testing](assets/atomic_testing_payload_info.png) + +### Remediations (EE) + +This screen is available for technical injects only. It displays remediation content related to the executed payload, +specifically focused on detection logic. 
You will see one Remediation tab per collector available in the platform. + +Ariane can generate AI‑based rules from an executed inject with the following: + +- Payload types: Command, DnsResolution +- Collectors: Splunk, CrowdStrike + +Remediation statuses: +- No remediation: + ![Detection Remediations-no-present](assets/atomic_testing_detection_remediation_no_present.png) + +- No remediation and Ariane not available: + ![Detection Remediations-no-present-ariane-not-available](assets/atomic_testing_detection_remediation_no_present_use_ariane_not_available.png) + +- Remediation written by a human: + ![Detection Remediations-human](assets/atomic_testing_detection_remediation_human.png) + +- Remediation generate with Ariane + ![Detection Remediations-ariane](assets/atomic_testing_detection_remediation_use_ariane.png) + +- Remediation outdated + ![Detection Remediations-outdated](assets/atomic_testing_detection_remediation_outdated.png) diff --git a/docs/usage/payloads/payloads.md b/docs/usage/payloads/payloads.md index 3c01dda7..269fe2bb 100644 --- a/docs/usage/payloads/payloads.md +++ b/docs/usage/payloads/payloads.md 
@@ -73,10 +73,37 @@ To create a new payload, follow these steps: ![Payload output parser view](assets/payload-output-parser-view.png) 5. In the **Remediation** tab (optional and EE): - This section allows payload creators to manually define detection rules to identify payloads that were not + This section allows payload creators to define detection rules to identify payloads that were not blocked or detected by existing security systems (such as EDRs, SIEMs, etc.). A dedicated Remediation tab is available for each collector integrated into the platform. - ![Payload remediation view](assets/payload-detection-remediation-view.png) + + 5.1 Use Ariane, allows payload creators to generate rules using AI, for payload of type Command or DnsResolution and for the collector Splunk or Crowdstrike + +![Payload remediation view](assets/payload-detection-remediation-view.png) + +### Status of detection remediation rules + +| Status | Description | +|----------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| +| Rules written by Human | The rules has been writen by an human | +| Rules generated by AI | The rules has been generated by AI | +| Payload changed since rule was edited | The payload has been edited since last AI rules generation **[(relevant fields)](#Fields-used-for-AI-rules-generation)** | + +### Fields used for AI rules generation + +| Fields | Tab | +|--------------------------------------|----------| +| Name | General | +| Description | General | +| Attack patterns | General | +| Type | Commands | +| Architecture | Commands | +| Platforms | Commands | +| Attack command - Executors (Command) | Commands | +| Attack command - Content (Command) | Commands | +| Arguments | Commands | +| Hostname (DnsResolution) | Commands | + Once completed, your new payload will appear in the payload list. 
diff --git a/mkdocs.yml b/mkdocs.yml index 28c40dfb..d8f74cec 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -138,6 +138,8 @@ nav: - Injects: - Overview: usage/inject-overview.md - Inject types: usage/inject-types.md + - Search and Filter: usage/inject-result-list.md + - Inject result: usage/inject-result.md - Targets: usage/targets.md - Expectations: usage/expectations.md - Findings: usage/findings.md
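Review bot: In the `atomic.md` "Search the list" hunk the new link target carries a stray slash before the fragment, `inject-result-list.md/#executed-injects-search-and-filters`; MkDocs resolves relative links to `.md` files, so the form is `inject-result-list.md#executed-injects-search-and-filters`. With the slash the path points at a directory and the fragment is lost on `use_directory_urls: false` builds and in link validation. The section also now consists of a heading followed by a single bullet; a short lead sentence ("Filtering works the same as for executed injects, see ...") would read better than a bare list item.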
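Review bot: The same `.md/#anchor` slash problem appears in all five links of the `atomic.md` details hunk (`inject-result.md/#overview` through `inject-result.md/#remediations-ee`); drop the slash in each. The hunk's context line still reads "Details of an Atomic testing is composed of three parts:" while the new list has five entries, so the lead sentence should be updated to match. The removed line `![Detection Remediations](assets/atomic_testing_detection_remediation.png)` is not re-added anywhere in this diff and the asset is not deleted, so `atomic_testing_detection_remediation.png` becomes an orphan; either reference it in `inject-result.md` or remove it. Also restore the trailing newline flagged by `\ No newline at end of file`.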
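Review bot: The new `inject-result-list.md` opens with a level-2 heading (`## Executed Injects: Search and Filters`) and has no `#` title, so MkDocs falls back to the nav label for the page title and search index entry; start the page with a `#` heading as `inject-result.md` does. The four image alt texts still say "Atomic testing filters ..." although the page is now shared by all executed injects; adjust the alt text (and ideally the asset names) to the new scope. The file also ends without a trailing newline.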
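Review bot: Several typos in the new `inject-result.md`: "react as intented" should be "intended", "successfull atomic testing" should be "successful", and "Remediation generate with Ariane" should be "generated". "when you click on a specific inject executed (Atomic testing or Simulation)" reads better as "a specific executed inject". The heading levels jump from `# Inject result` straight to `### Overview`, skipping `##`; the sub-headings should be `##` (or the anchors in `atomic.md` checked against whatever level is kept). In the status list the last two bullets ("Remediation generate with Ariane", "Remediation outdated") lack the trailing colon the first three use, and "Remediation outdated" gives no hint of what makes a remediation outdated; `payloads.md` in this same change defines it as the payload having changed since the rules were generated, so link to that section. Spelling of the collector differs between files: "CrowdStrike" here, "Crowdstrike" in `payloads.md`.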
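Review bot: In the `payloads.md` hunk the link `**[(relevant fields)](#Fields-used-for-AI-rules-generation)**` uses a mixed-case fragment; MkDocs slugifies headings to lowercase (`#fields-used-for-ai-rules-generation`) and fragments are case-sensitive, so this link will not land on the table. The `![Payload remediation view](...)` image was moved out of the step-5 indentation and "5.1 Use Ariane, allows payload creators to generate rules ..." is not a nested list item, so both render as plain paragraphs between steps; indent them under step 5 (and rephrase 5.1 as "Use Ariane: lets payload creators generate rules with AI, for payloads of type Command or DnsResolution and for the Splunk or CrowdStrike collectors"). The two new `###` sections are inserted between step 5 and the closing sentence "Once completed, your new payload will appear in the payload list.", which splits the procedure; move that sentence up after step 5 or the tables below it. Table grammar: "The rules has been writen by an human" should be "The rules have been written by a human", "The rules has been generated by AI" should be "have been generated by AI". The status name "Payload changed since rule was edited" speaks of the rule being edited while its description speaks of the payload being edited since the last AI generation; align the name with the description and with the "Remediation outdated" label used in `inject-result.md`.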
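Review bot: In the `mkdocs.yml` hunk the nav label `Search and Filter` does not match the page heading "Executed Injects: Search and Filters" (singular vs plural); since that page has no `#` title the nav label becomes its displayed title, so pick one wording, for example `Search and Filters`, and use it in both places.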