diff --git a/1.12.X/404.html b/1.12.X/404.html
index 4664064..921d64f 100644
--- a/1.12.X/404.html
+++ b/1.12.X/404.html
@@ -730,27 +730,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="/latest/deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="/latest/deployment/resources/" class="md-nav__link">
         
@@ -2144,6 +2123,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="/latest/administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/administration/assets/enterprise-activate.png b/1.12.X/administration/assets/enterprise-activate.png
new file mode 100644
index 0000000..92f454f
Binary files /dev/null and b/1.12.X/administration/assets/enterprise-activate.png differ
diff --git a/1.12.X/administration/assets/enterprise-eula.png b/1.12.X/administration/assets/enterprise-eula.png
new file mode 100644
index 0000000..dc4b55b
Binary files /dev/null and b/1.12.X/administration/assets/enterprise-eula.png differ
diff --git a/1.12.X/administration/enterprise/index.html b/1.12.X/administration/enterprise/index.html
index a966352..e690257 100644
--- a/1.12.X/administration/enterprise/index.html
+++ b/1.12.X/administration/enterprise/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2256,6 +2235,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
@@ -2750,9 +2750,9 @@ <h2 id="what-is-openbas-ee">What is OpenBAS EE?</h2>
 <p>The source files in this repository have a header indicating which license they are under. If no such header is provided, this means that the file belongs to the Community Edition under the Apache License, Version 2.0.</p>
 <h2 id="ee-activation">EE Activation</h2>
 <p>Enterprise edition is easy to activate. You need to go the platform settings and click on the Activate button.</p>
-<p><a class="glightbox" href="assets/enterprise-activate.png" data-type="image" data-width="auto" data-height="auto" data-desc-position="bottom"><img alt="OpenBAS activation" src="assets/enterprise-activate.png" /></a></p>
+<p><a class="glightbox" href="../assets/enterprise-activate.png" data-type="image" data-width="auto" data-height="auto" data-desc-position="bottom"><img alt="OpenBAS activation" src="../assets/enterprise-activate.png" /></a></p>
 <p>Then you will need to agree to the Filigran EULA.</p>
-<p><a class="glightbox" href="assets/enterprise-eula.png" data-type="image" data-width="auto" data-height="auto" data-desc-position="bottom"><img alt="OpenBAS EE EULA" src="assets/enterprise-eula.png" /></a></p>
+<p><a class="glightbox" href="../assets/enterprise-eula.png" data-type="image" data-width="auto" data-height="auto" data-desc-position="bottom"><img alt="OpenBAS EE EULA" src="../assets/enterprise-eula.png" /></a></p>
 <p>As a reminder:</p>
 <ul>
 <li>OpenBAS EE is free-to-use for development, testing and research purposes as well as for non-profit organizations.</li>
diff --git a/1.12.X/administration/introduction/index.html b/1.12.X/administration/introduction/index.html
index ab78880..fbd07c5 100644
--- a/1.12.X/administration/introduction/index.html
+++ b/1.12.X/administration/introduction/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2179,6 +2158,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/administration/parameters/index.html b/1.12.X/administration/parameters/index.html
index 9a1b822..46d486c 100644
--- a/1.12.X/administration/parameters/index.html
+++ b/1.12.X/administration/parameters/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2179,6 +2158,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/administration/policies/index.html b/1.12.X/administration/policies/index.html
index ea3f895..0030e01 100644
--- a/1.12.X/administration/policies/index.html
+++ b/1.12.X/administration/policies/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2260,6 +2239,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/deployment/integrations/index.html b/1.12.X/administration/taxonomies/index.html
similarity index 90%
rename from 1.12.X/deployment/integrations/index.html
rename to 1.12.X/administration/taxonomies/index.html
index 3de0211..399cea5 100644
--- a/1.12.X/deployment/integrations/index.html
+++ b/1.12.X/administration/taxonomies/index.html
@@ -12,13 +12,13 @@
         <meta name="author" content="Filigran">
       
       
-        <link rel="canonical" href="https://docs.openbas.io/latest/deployment/integrations/">
+        <link rel="canonical" href="https://docs.openbas.io/latest/administration/taxonomies/">
       
       
-        <link rel="prev" href="../ecosystem/collectors/">
+        <link rel="prev" href="../users/">
       
       
-        <link rel="next" href="../resources/">
+        <link rel="next" href="../../reference/apis/filters/">
       
       
       <link rel="icon" href="../../assets/images/favicon.png">
@@ -26,7 +26,7 @@
     
     
       
-        <title>Integrations - OpenBAS Documentation</title>
+        <title>Taxonomies - OpenBAS Documentation</title>
       
     
     
@@ -99,7 +99,7 @@
     <div data-md-component="skip">
       
         
-        <a href="#integrations" class="md-skip">
+        <a href="#taxonomies" class="md-skip">
           Skip to content
         </a>
       
@@ -270,21 +270,17 @@
         
   
   
-    
-  
   
     
     
       
   
   
-    
-  
   
     
     
-      <li class="md-tabs__item md-tabs__item--active">
-        <a href="../overview/" class="md-tabs__link">
+      <li class="md-tabs__item">
+        <a href="../../deployment/overview/" class="md-tabs__link">
           
   
   Deployment & Setup
@@ -319,11 +315,13 @@
         
   
   
+    
+  
   
     
     
-      <li class="md-tabs__item">
-        <a href="../../administration/introduction/" class="md-tabs__link">
+      <li class="md-tabs__item md-tabs__item--active">
+        <a href="../introduction/" class="md-tabs__link">
           
   
   Administration
@@ -456,28 +454,25 @@
       
   
   
-    
-  
   
   
     
     
     
       
-        
-        
-      
       
     
     
-    <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
+    <li class="md-nav__item md-nav__item--nested">
       
         
         
-        <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" checked>
+          
+        
+        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
         
           
-          <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="">
+          <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
             
   
   <span class="md-ellipsis">
@@ -488,7 +483,7 @@
             <span class="md-nav__icon md-icon"></span>
           </label>
         
-        <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="true">
+        <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
           <label class="md-nav__title" for="__nav_2">
             <span class="md-nav__icon md-icon"></span>
             Deployment & Setup
@@ -542,7 +537,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../overview/" class="md-nav__link">
+      <a href="../../deployment/overview/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -563,7 +558,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../installation/" class="md-nav__link">
+      <a href="../../deployment/installation/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -584,7 +579,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../configuration/" class="md-nav__link">
+      <a href="../../deployment/configuration/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -605,7 +600,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../authentication/" class="md-nav__link">
+      <a href="../../deployment/authentication/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -626,7 +621,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../upgrade/" class="md-nav__link">
+      <a href="../../deployment/upgrade/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -652,8 +647,6 @@
                 
   
   
-    
-  
   
   
     
@@ -663,11 +656,13 @@
       
     
     
-    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
+    <li class="md-nav__item md-nav__item--nested">
       
         
         
-        <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2_2" checked>
+          
+        
+        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_2" >
         
           
           <label class="md-nav__link" for="__nav_2_2" id="__nav_2_2_label" tabindex="0">
@@ -681,7 +676,7 @@
             <span class="md-nav__icon md-icon"></span>
           </label>
         
-        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="true">
+        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="false">
           <label class="md-nav__title" for="__nav_2_2">
             <span class="md-nav__icon md-icon"></span>
             Ecosystem
@@ -695,7 +690,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../ecosystem/executors/" class="md-nav__link">
+      <a href="../../deployment/ecosystem/executors/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -716,7 +711,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../ecosystem/injectors/" class="md-nav__link">
+      <a href="../../deployment/ecosystem/injectors/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -737,7 +732,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../ecosystem/collectors/" class="md-nav__link">
+      <a href="../../deployment/ecosystem/collectors/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -755,41 +750,10 @@
                 
   
   
-    
-  
-  
-  
-    <li class="md-nav__item md-nav__item--active">
-      
-      <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
-      
-      
-        
-      
-      
-      <a href="./" class="md-nav__link md-nav__link--active">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-      
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
   
   
     <li class="md-nav__item">
-      <a href="../resources/" class="md-nav__link">
+      <a href="../../deployment/resources/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -858,7 +822,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../clustering/" class="md-nav__link">
+      <a href="../../deployment/clustering/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -879,7 +843,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../troubleshooting/" class="md-nav__link">
+      <a href="../../deployment/troubleshooting/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -1952,25 +1916,28 @@
       
   
   
+    
+  
   
   
     
     
     
       
+        
+        
+      
       
     
     
-    <li class="md-nav__item md-nav__item--nested">
+    <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested">
       
         
         
-          
-        
-        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4" >
+        <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
         
           
-          <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
+          <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="">
             
   
   <span class="md-ellipsis">
@@ -1981,7 +1948,7 @@
             <span class="md-nav__icon md-icon"></span>
           </label>
         
-        <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
+        <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
           <label class="md-nav__title" for="__nav_4">
             <span class="md-nav__icon md-icon"></span>
             Administration
@@ -1995,7 +1962,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../administration/introduction/" class="md-nav__link">
+      <a href="../introduction/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -2016,7 +1983,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../administration/enterprise/" class="md-nav__link">
+      <a href="../enterprise/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -2034,6 +2001,8 @@
                 
   
   
+    
+  
   
   
     
@@ -2043,13 +2012,11 @@
       
     
     
-    <li class="md-nav__item md-nav__item--nested">
+    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
       
         
         
-          
-        
-        <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4_3" >
+        <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3" checked>
         
           
           <label class="md-nav__link" for="__nav_4_3" id="__nav_4_3_label" tabindex="0">
@@ -2063,7 +2030,7 @@
             <span class="md-nav__icon md-icon"></span>
           </label>
         
-        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_3_label" aria-expanded="false">
+        <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_3_label" aria-expanded="true">
           <label class="md-nav__title" for="__nav_4_3">
             <span class="md-nav__icon md-icon"></span>
             Platform settings
@@ -2077,7 +2044,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../administration/parameters/" class="md-nav__link">
+      <a href="../parameters/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -2138,7 +2105,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../administration/policies/" class="md-nav__link">
+      <a href="../policies/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -2159,7 +2126,7 @@
   
   
     <li class="md-nav__item">
-      <a href="../../administration/users/" class="md-nav__link">
+      <a href="../users/" class="md-nav__link">
         
   
   <span class="md-ellipsis">
@@ -2181,6 +2148,94 @@
 
               
             
+              
+                
+  
+  
+    
+  
+  
+  
+    <li class="md-nav__item md-nav__item--active">
+      
+      <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
+      
+      
+        
+      
+      
+        <label class="md-nav__link md-nav__link--active" for="__toc">
+          
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <a href="./" class="md-nav__link md-nav__link--active">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+      
+        
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+    
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#tags" class="md-nav__link">
+    <span class="md-ellipsis">
+      Tags
+    </span>
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#kill-chain-phases" class="md-nav__link">
+    <span class="md-ellipsis">
+      Kill chain phases
+    </span>
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#attack-patterns" class="md-nav__link">
+    <span class="md-ellipsis">
+      Attack Patterns
+    </span>
+  </a>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+      
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
@@ -2574,6 +2629,41 @@
     
   
   
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#tags" class="md-nav__link">
+    <span class="md-ellipsis">
+      Tags
+    </span>
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#kill-chain-phases" class="md-nav__link">
+    <span class="md-ellipsis">
+      Kill chain phases
+    </span>
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#attack-patterns" class="md-nav__link">
+    <span class="md-ellipsis">
+      Attack Patterns
+    </span>
+  </a>
+  
+</li>
+      
+    </ul>
+  
 </nav>
                   </div>
                 </div>
@@ -2587,7 +2677,7 @@
                   
 
   
-    <a href="https://github.com/OpenBAS-Platform/docs/blob/main/docs/deployment/integrations.md" title="Edit this page" class="md-content__button md-icon">
+    <a href="https://github.com/OpenBAS-Platform/docs/blob/main/docs/administration/taxonomies.md" title="Edit this page" class="md-content__button md-icon">
       
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4zm10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1z"/></svg>
     </a>
@@ -2596,18 +2686,41 @@
     
       
     
-    <a href="https://github.com/OpenBAS-Platform/docs/raw/main/docs/deployment/integrations.md" title="View source of this page" class="md-content__button md-icon">
+    <a href="https://github.com/OpenBAS-Platform/docs/raw/main/docs/administration/taxonomies.md" title="View source of this page" class="md-content__button md-icon">
       
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg>
     </a>
   
 
 
-<h1 id="integrations">Integrations</h1>
-<div class="admonition tip">
-<p class="admonition-title">Under construction</p>
-<p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the <a href="https://community.filigran.io">Filigran Community on Slack</a> or submit your pull request on the <a href="https://github.com/OpenBAS-Platform/docs">Github doc repository</a>.</p>
-</div>
+<h1 id="taxonomies">Taxonomies</h1>
+<p>Taxonomies in OpenBAS refer to the structured classification systems that help in organizing and categorizing platform
+data. They are essential to the platform, enabling users to systematically tag and retrieve information based on predefined categories and terms.
+predefined categories and terms.</p>
+<h2 id="tags">Tags</h2>
+<p>Tags in OpenBAS serve as a powerful tool for organizing, categorizing, and prioritizing data.</p>
+<p>Tags can be used to tag assets or teams with specific categories, making it easier to filter and search through large
+datasets.</p>
+<h2 id="kill-chain-phases">Kill chain phases</h2>
+<p>Kill chain phases are used in OpenBAS to structure and analyze the data related to cyber threats and attacks. They
+describe the stages of an attack from the perspective of the attacker and provide a framework for identifying, analysing
+and responding to threats.</p>
+<p>OpenBAS supports the following kill chain models:</p>
+<ul>
+<li><strong>MITRE ATT&amp;CK Framework (Entreprise, PRE, Mobile and ICS)</strong></li>
+</ul>
+<p>You can add, edit, or delete kill chain phases in the settings page, and assign them to attack patterns in the platform.
+Additionally, you can filter data by kill chains phases, visualize relationships between kill chain phases and
+injects, simulations or scenarios.</p>
+<h2 id="attack-patterns">Attack Patterns</h2>
+<p>Attack patterns are structured representations of the tactics, techniques, and procedures (TTPs) used by adversaries to
+compromise systems. In OpenBAS, attack patterns help analyze and classify threats, providing a standardized approach to
+identifying and mitigating cyber risks.</p>
+<p>OpenBAS supports the following attack pattern models:</p>
+<ul>
+<li><strong>MITRE ATT&amp;CK Framework (Enterprise, PRE, Mobile, and ICS)</strong></li>
+</ul>
+<p>You can add, edit, or delete attack patterns in the settings page and assign them to payloads or injectors.</p>
 
 
 
@@ -2630,7 +2743,7 @@ <h1 id="integrations">Integrations</h1>
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2024-05-01T18:56:20+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2024-05-01</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2025-02-21T09:15:15+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2025-02-21</span>
   </span>
 
     
@@ -2640,7 +2753,7 @@ <h1 id="integrations">Integrations</h1>
     <span class="md-icon" title="Created">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M14.47 15.08 11 13V7h1.5v5.25l3.08 1.83c-.41.28-.79.62-1.11 1m-1.39 4.84c-.36.05-.71.08-1.08.08-4.42 0-8-3.58-8-8s3.58-8 8-8 8 3.58 8 8c0 .37-.03.72-.08 1.08.69.1 1.33.32 1.92.64.1-.56.16-1.13.16-1.72 0-5.5-4.5-10-10-10S2 6.5 2 12s4.47 10 10 10c.59 0 1.16-.06 1.72-.16-.32-.59-.54-1.23-.64-1.92M18 15v3h-3v2h3v3h2v-3h3v-2h-3v-3z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2023-10-15T12:33:08+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2023-10-15</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2025-02-21T09:15:15+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2025-02-21</span>
   </span>
 
     
@@ -2658,14 +2771,14 @@ <h1 id="integrations">Integrations</h1>
     
     <nav>
       
-        <a href="https://github.com/Lhorus6" class="md-author" title="@Lhorus6">
+        <a href="https://github.com/RomuDeuxfois" class="md-author" title="@RomuDeuxfois">
           
-          <img src="https://avatars.githubusercontent.com/u/70956706?v=4&size=72" alt="Lhorus6">
+          <img src="https://avatars.githubusercontent.com/u/53513584?v=4&size=72" alt="RomuDeuxfois">
         </a>
       
-        <a href="https://github.com/SamuelHassine" class="md-author" title="@SamuelHassine">
+        <a href="https://github.com/web-flow" class="md-author" title="@web-flow">
           
-          <img src="https://avatars.githubusercontent.com/u/1334279?v=4&size=72" alt="SamuelHassine">
+          <img src="https://avatars.githubusercontent.com/u/19864447?v=4&size=72" alt="web-flow">
         </a>
       
       
@@ -2699,7 +2812,7 @@ <h1 id="integrations">Integrations</h1>
       <nav class="md-footer__inner md-grid" aria-label="Footer" >
         
           
-          <a href="../ecosystem/collectors/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Collectors">
+          <a href="../users/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Users and RBAC">
             <div class="md-footer__button md-icon">
               
               <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
@@ -2709,20 +2822,20 @@ <h1 id="integrations">Integrations</h1>
                 Previous
               </span>
               <div class="md-ellipsis">
-                Collectors
+                Users and RBAC
               </div>
             </div>
           </a>
         
         
           
-          <a href="../resources/" class="md-footer__link md-footer__link--next" aria-label="Next: Other resources">
+          <a href="../../reference/apis/filters/" class="md-footer__link md-footer__link--next" aria-label="Next: Filters">
             <div class="md-footer__title">
               <span class="md-footer__direction">
                 Next
               </span>
               <div class="md-ellipsis">
-                Other resources
+                Filters
               </div>
             </div>
             <div class="md-footer__button md-icon">
diff --git a/1.12.X/administration/users/index.html b/1.12.X/administration/users/index.html
index 61c7837..f0e124c 100644
--- a/1.12.X/administration/users/index.html
+++ b/1.12.X/administration/users/index.html
@@ -18,7 +18,7 @@
         <link rel="prev" href="../policies/">
       
       
-        <link rel="next" href="../../reference/apis/filters/">
+        <link rel="next" href="../taxonomies/">
       
       
       <link rel="icon" href="../../assets/images/favicon.png">
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2179,6 +2158,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
@@ -2732,13 +2732,13 @@ <h1 id="users">Users</h1>
         
         
           
-          <a href="../../reference/apis/filters/" class="md-footer__link md-footer__link--next" aria-label="Next: Filters">
+          <a href="../taxonomies/" class="md-footer__link md-footer__link--next" aria-label="Next: Taxonomies">
             <div class="md-footer__title">
               <span class="md-footer__direction">
                 Next
               </span>
               <div class="md-ellipsis">
-                Filters
+                Taxonomies
               </div>
             </div>
             <div class="md-footer__button md-icon">
diff --git a/1.12.X/deployment/authentication/index.html b/1.12.X/deployment/authentication/index.html
index 0b29225..3ff148a 100644
--- a/1.12.X/deployment/authentication/index.html
+++ b/1.12.X/deployment/authentication/index.html
@@ -896,27 +896,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../resources/" class="md-nav__link">
         
@@ -2310,6 +2289,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/deployment/clustering/index.html b/1.12.X/deployment/clustering/index.html
index df05428..25c107f 100644
--- a/1.12.X/deployment/clustering/index.html
+++ b/1.12.X/deployment/clustering/index.html
@@ -757,27 +757,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../resources/" class="md-nav__link">
         
@@ -2181,6 +2160,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/deployment/configuration/index.html b/1.12.X/deployment/configuration/index.html
index 1d02287..3e9e991 100644
--- a/1.12.X/deployment/configuration/index.html
+++ b/1.12.X/deployment/configuration/index.html
@@ -980,27 +980,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../resources/" class="md-nav__link">
         
@@ -2394,6 +2373,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/deployment/ecosystem/collectors/index.html b/1.12.X/deployment/ecosystem/collectors/index.html
index 20f175b..7b14f35 100644
--- a/1.12.X/deployment/ecosystem/collectors/index.html
+++ b/1.12.X/deployment/ecosystem/collectors/index.html
@@ -18,7 +18,7 @@
         <link rel="prev" href="../injectors/">
       
       
-        <link rel="next" href="../../integrations/">
+        <link rel="next" href="../../resources/">
       
       
       <link rel="icon" href="../../../assets/images/favicon.png">
@@ -887,27 +887,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../resources/" class="md-nav__link">
         
@@ -2301,6 +2280,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
@@ -3005,13 +3005,13 @@ <h2 id="collectors-status">Collectors status</h2>
         
         
           
-          <a href="../../integrations/" class="md-footer__link md-footer__link--next" aria-label="Next: Integrations">
+          <a href="../../resources/" class="md-footer__link md-footer__link--next" aria-label="Next: Other resources">
             <div class="md-footer__title">
               <span class="md-footer__direction">
                 Next
               </span>
               <div class="md-ellipsis">
-                Integrations
+                Other resources
               </div>
             </div>
             <div class="md-footer__button md-icon">
diff --git a/1.12.X/deployment/ecosystem/executors/index.html b/1.12.X/deployment/ecosystem/executors/index.html
index dd5a586..656bb24 100644
--- a/1.12.X/deployment/ecosystem/executors/index.html
+++ b/1.12.X/deployment/ecosystem/executors/index.html
@@ -989,27 +989,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../resources/" class="md-nav__link">
         
@@ -2403,6 +2382,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
@@ -3300,7 +3300,7 @@ <h3 id="deploy-caldera">Deploy Caldera</h3>
 add a <a href="https://github.com/OpenBAS-Platform/caldera/blob/filigran/docker/docker-compose.yml">Caldera service</a>:</p>
 <div class="highlight"><pre><span></span><code><span id="__span-4-1"><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a>services:
 </span><span id="__span-4-2"><a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a>  caldera:
-</span><span id="__span-4-3"><a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a>    image: openbas/caldera-server:5.0.0
+</span><span id="__span-4-3"><a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a>    image: openbas/caldera-server:5.1.0
 </span><span id="__span-4-4"><a id="__codelineno-4-4" name="__codelineno-4-4" href="#__codelineno-4-4"></a>    restart: always
 </span><span id="__span-4-5"><a id="__codelineno-4-5" name="__codelineno-4-5" href="#__codelineno-4-5"></a>    ports:
 </span><span id="__span-4-6"><a id="__codelineno-4-6" name="__codelineno-4-6" href="#__codelineno-4-6"></a>      - &quot;8888:8888&quot;
@@ -3411,7 +3411,7 @@ <h4 id="checks_2">Checks</h4>
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2025-01-18T07:04:21+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2025-01-18</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2025-02-26T19:37:15+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2025-02-26</span>
   </span>
 
     
@@ -3439,6 +3439,11 @@ <h4 id="checks_2">Checks</h4>
     
     <nav>
       
+        <a href="https://github.com/Dimfacion" class="md-author" title="@Dimfacion">
+          
+          <img src="https://avatars.githubusercontent.com/u/10406250?v=4&size=72" alt="Dimfacion">
+        </a>
+      
         <a href="https://github.com/SamuelHassine" class="md-author" title="@SamuelHassine">
           
           <img src="https://avatars.githubusercontent.com/u/1334279?v=4&size=72" alt="SamuelHassine">
diff --git a/1.12.X/deployment/ecosystem/injectors/index.html b/1.12.X/deployment/ecosystem/injectors/index.html
index 58b9186..0836b99 100644
--- a/1.12.X/deployment/ecosystem/injectors/index.html
+++ b/1.12.X/deployment/ecosystem/injectors/index.html
@@ -905,27 +905,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../resources/" class="md-nav__link">
         
@@ -2319,6 +2298,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/deployment/installation/index.html b/1.12.X/deployment/installation/index.html
index f883dd7..cf50b74 100644
--- a/1.12.X/deployment/installation/index.html
+++ b/1.12.X/deployment/installation/index.html
@@ -1100,27 +1100,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../resources/" class="md-nav__link">
         
@@ -2514,6 +2493,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/deployment/overview/index.html b/1.12.X/deployment/overview/index.html
index 431b031..62c3de0 100644
--- a/1.12.X/deployment/overview/index.html
+++ b/1.12.X/deployment/overview/index.html
@@ -881,27 +881,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../resources/" class="md-nav__link">
         
@@ -2295,6 +2274,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/deployment/resources/index.html b/1.12.X/deployment/resources/index.html
index 1b5d876..1cbc03d 100644
--- a/1.12.X/deployment/resources/index.html
+++ b/1.12.X/deployment/resources/index.html
@@ -15,7 +15,7 @@
         <link rel="canonical" href="https://docs.openbas.io/latest/deployment/resources/">
       
       
-        <link rel="prev" href="../integrations/">
+        <link rel="prev" href="../ecosystem/collectors/">
       
       
         <link rel="next" href="../clustering/">
@@ -755,27 +755,6 @@
                 
   
   
-  
-  
-    <li class="md-nav__item">
-      <a href="../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
     
   
   
@@ -2181,6 +2160,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
@@ -2699,7 +2699,7 @@ <h1 id="resources">Resources</h1>
       <nav class="md-footer__inner md-grid" aria-label="Footer" >
         
           
-          <a href="../integrations/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Integrations">
+          <a href="../ecosystem/collectors/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Collectors">
             <div class="md-footer__button md-icon">
               
               <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
@@ -2709,7 +2709,7 @@ <h1 id="resources">Resources</h1>
                 Previous
               </span>
               <div class="md-ellipsis">
-                Integrations
+                Collectors
               </div>
             </div>
           </a>
diff --git a/1.12.X/deployment/troubleshooting/index.html b/1.12.X/deployment/troubleshooting/index.html
index 869456d..7d488f2 100644
--- a/1.12.X/deployment/troubleshooting/index.html
+++ b/1.12.X/deployment/troubleshooting/index.html
@@ -757,27 +757,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../resources/" class="md-nav__link">
         
@@ -2181,6 +2160,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/deployment/upgrade/index.html b/1.12.X/deployment/upgrade/index.html
index 7f680cc..e71af97 100644
--- a/1.12.X/deployment/upgrade/index.html
+++ b/1.12.X/deployment/upgrade/index.html
@@ -839,27 +839,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../resources/" class="md-nav__link">
         
@@ -2253,6 +2232,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/development/api-usage/index.html b/1.12.X/development/api-usage/index.html
index ed02699..52a790b 100644
--- a/1.12.X/development/api-usage/index.html
+++ b/1.12.X/development/api-usage/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2166,6 +2145,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/development/assets/injectors-view.png b/1.12.X/development/assets/injectors-view.png
new file mode 100644
index 0000000..8082594
Binary files /dev/null and b/1.12.X/development/assets/injectors-view.png differ
diff --git a/1.12.X/development/build_from_source/index.html b/1.12.X/development/build_from_source/index.html
index f331548..276dab7 100644
--- a/1.12.X/development/build_from_source/index.html
+++ b/1.12.X/development/build_from_source/index.html
@@ -754,27 +754,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2168,6 +2147,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/development/collectors/index.html b/1.12.X/development/collectors/index.html
index 196a4ab..74e15a0 100644
--- a/1.12.X/development/collectors/index.html
+++ b/1.12.X/development/collectors/index.html
@@ -754,27 +754,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2168,6 +2147,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/development/environment_ubuntu/index.html b/1.12.X/development/environment_ubuntu/index.html
index c6afddd..439b38d 100644
--- a/1.12.X/development/environment_ubuntu/index.html
+++ b/1.12.X/development/environment_ubuntu/index.html
@@ -754,27 +754,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2168,6 +2147,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/development/environment_windows/index.html b/1.12.X/development/environment_windows/index.html
index 3a799ce..01f1dcd 100644
--- a/1.12.X/development/environment_windows/index.html
+++ b/1.12.X/development/environment_windows/index.html
@@ -754,27 +754,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2168,6 +2147,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/development/injectors/index.html b/1.12.X/development/injectors/index.html
index 72adf0a..aa70bfc 100644
--- a/1.12.X/development/injectors/index.html
+++ b/1.12.X/development/injectors/index.html
@@ -754,27 +754,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2168,6 +2147,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
@@ -2511,6 +2511,17 @@
         
       
       
+        <label class="md-nav__link md-nav__link--active" for="__toc">
+          
+  
+  <span class="md-ellipsis">
+    Injectors
+  </span>
+  
+
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
       <a href="./" class="md-nav__link md-nav__link--active">
         
   
@@ -2521,6 +2532,76 @@
 
       </a>
       
+        
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+    
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#introduction" class="md-nav__link">
+    <span class="md-ellipsis">
+      Introduction
+    </span>
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#implementing-the-injector" class="md-nav__link">
+    <span class="md-ellipsis">
+      Implementing the Injector
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Implementing the Injector">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#1-define-one-or-more-contracts" class="md-nav__link">
+    <span class="md-ellipsis">
+      1. Define one or more contracts
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#2-define-the-internal-logic" class="md-nav__link">
+    <span class="md-ellipsis">
+      2. Define the internal logic
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#use-it" class="md-nav__link">
+    <span class="md-ellipsis">
+      Use it
+    </span>
+  </a>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+      
     </li>
   
 
@@ -2574,6 +2655,65 @@
     
   
   
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#introduction" class="md-nav__link">
+    <span class="md-ellipsis">
+      Introduction
+    </span>
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#implementing-the-injector" class="md-nav__link">
+    <span class="md-ellipsis">
+      Implementing the Injector
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Implementing the Injector">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#1-define-one-or-more-contracts" class="md-nav__link">
+    <span class="md-ellipsis">
+      1. Define one or more contracts
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#2-define-the-internal-logic" class="md-nav__link">
+    <span class="md-ellipsis">
+      2. Define the internal logic
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#use-it" class="md-nav__link">
+    <span class="md-ellipsis">
+      Use it
+    </span>
+  </a>
+  
+</li>
+      
+    </ul>
+  
 </nav>
                   </div>
                 </div>
@@ -2604,10 +2744,40 @@
 
 
 <h1 id="injector-development">Injector development</h1>
-<div class="admonition tip">
-<p class="admonition-title">Under construction</p>
-<p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the <a href="https://community.filigran.io">Filigran Community on Slack</a> or submit your pull request on the <a href="https://github.com/OpenBAS-Platform/docs">Github doc repository</a>.</p>
+<div class="admonition question">
+<p class="admonition-title">What are injectors?</p>
+<p>For a functional overview of the role of Injectors within the OpenBAS ecosystem, please refer to <a href="../../usage/injectors/">the User Guide section on Injectors</a>.</p>
+</div>
+<h3 id="introduction">Introduction</h3>
+<p>This guide explains how to implement an <strong>OpenBAS injector</strong>, to extend the platform's capabilities by adding new type
+of injects.</p>
+<div class="admonition note">
+<p class="admonition-title">Note</p>
+<p>The following is based on the Filigran-maintained <a href="https://github.com/OpenBAS-Platform/injectors/tree/main/http-query">HTTP Injector</a>
+and only highlights the larger picture of the steps to create an injector from scratch. Please refer to the HTTP injector's
+codebase for an example of the implementation of a functional injector.</p>
 </div>
+<h3 id="implementing-the-injector">Implementing the Injector</h3>
+<h4 id="1-define-one-or-more-contracts">1. Define one or more contracts</h4>
+<p>The contract is the list of parameters and corresponding fields that will constitute the data that the injector will
+handle as part of its core logic. It describes how OpenBAS will parse and display the input form in the GUI for defining
+new injects to be executed by the injector. It is also the data structure that the injector handles
+internally to access the parameter values.</p>
+<div class="admonition note">
+<p class="admonition-title">🐍 Python-based injectors</p>
+<p>For injectors created with the Python language, Filigran maintains the <a href="https://pypi.org/project/pyobas/"><code>pyobas</code> library</a>
+which provides a wealth of utility classes to compose a functional contract.</p>
+<p>Note however that injectors are typically independent processes communicating with OpenBAS via a network transport, 
+and may be implemented in any language.</p>
+</div>
+<h4 id="2-define-the-internal-logic">2. Define the internal logic</h4>
+<p>The next step is to implement the internal logic based on the parameters defined in the contract.
+When the inject executes an inject based on its contract, it will retrieve the parameters provided by the end user and
+use them within its internal logic to perform the necessary actions.</p>
+<h3 id="use-it">Use it</h3>
+<p>Now, the new injector may be launched as a new process, and it should register with OpenBAS. It will then be listed
+in <strong><em>Integrations &gt; Injectors</em></strong> and its inject contracts should be available for creating new injects.</p>
+<p><a class="glightbox" href="../assets/collectors-view.png" data-type="image" data-width="auto" data-height="auto" data-desc-position="bottom"><img alt="Injectors view in OpenBAS" src="../assets/collectors-view.png" /></a></p>
 
 
 
@@ -2630,7 +2800,7 @@ <h1 id="injector-development">Injector development</h1>
     <span class="md-icon" title="Last update">
       <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
     </span>
-    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2024-05-01T18:56:20+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2024-05-01</span>
+    <span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-timeago"><span class="timeago" datetime="2025-02-25T11:32:17+00:00" locale="en"></span></span><span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_date">2025-02-25</span>
   </span>
 
     
@@ -2658,6 +2828,16 @@ <h1 id="injector-development">Injector development</h1>
     
     <nav>
       
+        <a href="https://github.com/RomuDeuxfois" class="md-author" title="@RomuDeuxfois">
+          
+          <img src="https://avatars.githubusercontent.com/u/53513584?v=4&size=72" alt="RomuDeuxfois">
+        </a>
+      
+        <a href="https://github.com/web-flow" class="md-author" title="@web-flow">
+          
+          <img src="https://avatars.githubusercontent.com/u/19864447?v=4&size=72" alt="web-flow">
+        </a>
+      
         <a href="https://github.com/Lhorus6" class="md-author" title="@Lhorus6">
           
           <img src="https://avatars.githubusercontent.com/u/70956706?v=4&size=72" alt="Lhorus6">
diff --git a/1.12.X/development/platform/index.html b/1.12.X/development/platform/index.html
index 618ddbb..f1f806f 100644
--- a/1.12.X/development/platform/index.html
+++ b/1.12.X/development/platform/index.html
@@ -754,27 +754,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2168,6 +2147,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/index.html b/1.12.X/index.html
index b4f4b0e..48a726a 100644
--- a/1.12.X/index.html
+++ b/1.12.X/index.html
@@ -828,27 +828,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="deployment/resources/" class="md-nav__link">
         
@@ -2242,6 +2221,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/reference/apis/filters/index.html b/1.12.X/reference/apis/filters/index.html
index 34b452a..acb3541 100644
--- a/1.12.X/reference/apis/filters/index.html
+++ b/1.12.X/reference/apis/filters/index.html
@@ -15,7 +15,7 @@
         <link rel="canonical" href="https://docs.openbas.io/latest/reference/apis/filters/">
       
       
-        <link rel="prev" href="../../../administration/users/">
+        <link rel="prev" href="../../../administration/taxonomies/">
       
       
         <link rel="next" href="../../../development/environment_ubuntu/">
@@ -754,27 +754,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../../deployment/resources/" class="md-nav__link">
         
@@ -2168,6 +2147,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
@@ -2998,7 +2998,7 @@ <h4 id="operators">Operators</h4>
       <nav class="md-footer__inner md-grid" aria-label="Footer" >
         
           
-          <a href="../../../administration/users/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Users and RBAC">
+          <a href="../../../administration/taxonomies/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Taxonomies">
             <div class="md-footer__button md-icon">
               
               <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
@@ -3008,7 +3008,7 @@ <h4 id="operators">Operators</h4>
                 Previous
               </span>
               <div class="md-ellipsis">
-                Users and RBAC
+                Taxonomies
               </div>
             </div>
           </a>
diff --git a/1.12.X/search/search_index.json b/1.12.X/search/search_index.json
index fc473d4..bdadb52 100644
--- a/1.12.X/search/search_index.json
+++ b/1.12.X/search/search_index.json
@@ -1 +1 @@
-{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"OpenBAS Documentation Space","text":"<p>Welcome to the OpenBAS Documentation space. Here you will be able to find all documents, meeting notes and presentations about the platform.</p> <p>Release notes</p> <p>Please, be sure to also take a look at the OpenBAS releases notes, they may contain important information about releases and deployments.</p>"},{"location":"#introduction","title":"Introduction","text":"<p>OpenBAS is an open source platform allowing organizations to plan, schedule and conduct crisis exercises as well as adversary and breach simulations. OpenBAS is an ISO 22398 compliant product and has been designed as a modern web application including a RESTFul API and an UX oriented frontend.</p>"},{"location":"#getting-started","title":"Getting started","text":"<ul> <li> <p> Deployment &amp; Setup</p> <p>Learn how to deploy and configure the platform as well as launch connectors to get the first data in OpenBAS.</p> <p> Deploy now</p> </li> <li> <p> User Guide</p> <p>Understand how to use the platform, create exercises and campaigns, use  media pressure simulation and integrate with other tools. </p> <p> Explore</p> </li> <li> <p> Administration</p> <p>Know how to administrate OpenBAS, create users and groups using RBAC / segregation, customize the overall experience.</p> <p> Customize</p> </li> </ul> <p>Need more help?</p> <p>We are doing our best to keep this documentation complete, accurate and up to date. </p> <p>If you still have questions or you find something which is not sufficiently explained, join the Filigran Community on Slack.</p>"},{"location":"#blog-posts","title":"Blog posts","text":"<ul> <li> <p> Resources and content</p> <p>Discover tutorials, best practices and deep dives on OpenBAS features on our Filigran blog.</p> <p> Read now</p> </li> </ul>"},{"location":"#additional-resources","title":"Additional resources","text":"<p>Below, you will find external resources which may be useful along your OpenCTI journey.</p> <p> OpenBAS Ecosystem List of available injectors and collectors to expand platform usage.</p> <p> Training Courses Training courses for analysts and administrators in the Filigran training center.</p> <p> Video materials Set of video illustrating the implementation of use cases and platform capabilities.</p> <p></p>"},{"location":"administration/enterprise/","title":"Enterprise edition","text":"<p>Filigran</p> <p>Filigran is providing an Enterprise Edition of the platform, whether on-premise or in the SaaS.</p>"},{"location":"administration/enterprise/#what-is-openbas-ee","title":"What is OpenBAS EE?","text":"<p>OpenBAS Enterprise Edition is based on the open core concept. This means that the source code of OCTI EE remains open source and included in the main GitHub repository of the platform but is published under a specific license. As specified in the GitHub license file:</p> <ul> <li>The OpenBAS Community Edition is licensed under the Apache License, Version 2.0 (the \u201cApache License\u201d).</li> <li>The OpenBAS Enterprise Edition is licensed under the OpenBAS Enterprise Edition License (the \u201cEnterprise Edition Licensee\u201d).</li> </ul> <p>The source files in this repository have a header indicating which license they are under. If no such header is provided, this means that the file belongs to the Community Edition under the Apache License, Version 2.0.</p>"},{"location":"administration/enterprise/#ee-activation","title":"EE Activation","text":"<p>Enterprise edition is easy to activate. You need to go the platform settings and click on the Activate button.</p> <p></p> <p>Then you will need to agree to the Filigran EULA.</p> <p></p> <p>As a reminder:</p> <ul> <li>OpenBAS EE is free-to-use for development, testing and research purposes as well as for non-profit organizations.</li> <li>OpenBAS EE is included for all Filigran SaaS customers without additional fee.</li> <li>For all other usages, OpenBAS EE is reserved to organizations that have signed a Filigran Enterprise agreement.</li> </ul>"},{"location":"administration/enterprise/#available-features","title":"Available features","text":""},{"location":"administration/enterprise/#generative-ai","title":"Generative AI","text":"<p>Be able to use AI for content generation including emails, media pressure articles etc.</p>"},{"location":"administration/enterprise/#more-to-come","title":"More to come","text":"<p>More features will be available in OpenBAS in the future. Features like:</p> <ul> <li>Security posture automatic evaluation.</li> <li>Premium mitigations and recommendation for configuration changes.</li> </ul>"},{"location":"administration/introduction/","title":"Introduction","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"administration/parameters/","title":"Parameters","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"administration/policies/","title":"Policies","text":""},{"location":"administration/policies/#overview","title":"Overview","text":"<p>The Policies configuration page, located under Settings &gt; Security &gt; Policies, is designed to manage and customize various security-related settings.  This page currently includes the configuration of login messages, with plans to expand its capabilities in the future.  </p>"},{"location":"administration/policies/#current-features","title":"Current Features","text":"<p>Login Messages  Administrators can create and manage messages that are displayed to users upon login. This feature is useful for providing important information or updates directly to users when they access the platform.   There are three types of messages:   * Platform Login Message: Displayed above the login form to communicate vital information or announcements.   * Platform Consent Message: Displayed to users during the login process. It appears as a notification that blocks access to the login form until users actively give their consent by checking an approval box. This ensures that users acknowledge and agree to certain terms or conditions before proceeding with logging in.   * Platform Consent Confirm Text: A message accompanying the consent box, providing clarity on the consent confirmation process.</p> <p>These messages can be customized to fit the organization's specific needs and requirements, ensuring that critical information is communicated effectively to users.</p>"},{"location":"administration/policies/#accessing-the-policies-configuration-page","title":"Accessing the Policies Configuration Page","text":"<p>To access the Policies configuration page, navigate to:</p> <pre><code>Settings / Security / Policies\n</code></pre>"},{"location":"administration/policies/#how-to-configure-login-messages","title":"How to Configure Login Messages","text":"<ol> <li>Navigate to the Policies Configuration Page: Go to \"Settings &gt; Security &gt; Policies\".</li> <li>Login Messages Section: Locate the section for login messages.  </li> <li>Enter Message Details: Provide the content for the login message.  </li> <li>Save Changes: Save your changes to apply the new or updated message.  </li> </ol>"},{"location":"administration/policies/#best-practices","title":"Best Practices","text":"<ul> <li>Regular Updates: Regularly update login messages to keep users informed of any critical updates or changes.</li> <li>Clear Communication: Ensure that messages are clear and concise to avoid confusion.</li> </ul>"},{"location":"administration/users/","title":"Users","text":"<p>You can manage users in <code>Settings &gt; Security &gt; Users</code>. If you are using Single Sign-On (SSO), user accounts in OpenBAS are automatically created upon login.</p> <p></p> <p>To create a user, just click on the <code>+</code> button :</p> <p> </p> <p>To update a user, click on the ellipsis menu (\u22ee) : </p> <p></p> <p>Here, you can modify parameters such as the organization, phone number, password, and even your GPG public key : </p> <p> </p> <p>To delete a user : </p> <p></p>"},{"location":"deployment/authentication/","title":"Authentication","text":""},{"location":"deployment/authentication/#introduction","title":"Introduction","text":"<p>Welcome to the authentication documentation for OpenBAS. This documentation provides details on setting up and utilizing the authentication system, which supports multiple authentication methods to cater to different user needs and security requirements.</p>"},{"location":"deployment/authentication/#supported-authentication-methods","title":"Supported authentication methods","text":""},{"location":"deployment/authentication/#local-users","title":"Local users","text":"<p>OpenBAS use this strategy as the default, but it's not the one we recommend for security reasons.</p> <ul> <li><code>OPENBAS.AUTH-LOCAL-ENABLE</code>: Set this to <code>true</code> to enable username/password authentication.</li> </ul> <p>Production deployment</p> <p>Please use the LDAP/Auth0/OpenID/SAML strategy for production deployment.</p>"},{"location":"deployment/authentication/#openid","title":"OpenID","text":"<p>This method allows to use the OpenID Connect Protocol to handle the authentication.</p> <ul> <li><code>OPENBAS.AUTH-OPENID-ENABLE</code>: Set this to <code>true</code> to enable OAuth (OpenID) authentication.</li> </ul> <p>Example for Auth0:</p> <pre><code>SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_{registrationId}_ISSUER-URI=https://auth.auth0.io\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT-NAME=Login with auth0\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT-ID=\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT-SECRET=\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_REDIRECT-URI=${openbas.base-url}/login/oauth2/code/{registrationId}\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_SCOPE=openid,profile,email\n</code></pre> <p>Example for GitHub (or others pre-handled oauth2 providers):</p> <pre><code>SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT_NAME=Login with Github\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT_ID=\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT_SECRET=\n</code></pre> <p>Tips</p> <p>{registrationId} is an arbitrary identifier you choose.</p>"},{"location":"deployment/authentication/#saml2","title":"SAML2","text":"<p>This strategy can be used to authenticate your user with your company SAML.</p> <ul> <li><code>OPENBAS.AUTH-SAML2-ENABLE</code>: Set this to <code>true</code> to enable SAML2 authentication. </li> </ul> <p>Example for Microsoft : <pre><code>SPRING_SECURITY_SAML2_RELYINGPARTY_REGISTRATION_{registrationId}_ENTITY-ID=\nSPRING_SECURITY_SAML2_RELYINGPARTY_REGISTRATION_{registrationId}_ASSERTINGPARTY_METADATA-URI=\nOPENBAS_PROVIDER_{registrationId}_FIRSTNAME_ATTRIBUTE_KEY=\nOPENBAS_PROVIDER_{registrationId}_LASTNAME_ATTRIBUTE_KEY=\n</code></pre></p> <p>Tips</p> <p>{registrationId} is an arbitrary identifier you choose.   metadata-uri is the uri of the xml file given by your identity provider</p>"},{"location":"deployment/authentication/#single-sign-on-url","title":"Single Sign On URL","text":""},{"location":"deployment/authentication/#saml2_1","title":"SAML2","text":"<p>Url for the config of your sso provider <pre><code>${openbas.base-url}/login/saml2/sso/{registrationId}\n</code></pre></p>"},{"location":"deployment/authentication/#map-administrators-to-specific-roles-openid-and-saml-2","title":"Map administrators to specific roles (OpenID and SAML 2)","text":"<p>To grant administrative roles, you can utilize OAuth and SAML2 integration. If you opt for this approach, you'll need to include the following variables:</p> <pre><code>OPENBAS_PROVIDER_{registrationId}_ROLES_PATH=http://schemas.microsoft.com/ws/2008/06/identity/claims/role\nOPENBAS_PROVIDER_{registrationId}_ROLES_ADMIN=\n</code></pre> <p>However, if you intend to manage administrative roles within the OpenBAS platform itself, there's no need to provide these variables.</p>"},{"location":"deployment/authentication/#error-handling","title":"Error Handling","text":"<p>Under construction</p> <p>We are doing our best to complete this page.  If you want to participae, dont hesitate to join the Filigran Community on Slack  or submit your pull request on the Github doc repository.</p>"},{"location":"deployment/clustering/","title":"Clustering","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"deployment/configuration/","title":"Configuration","text":"<p>The purpose of this section is to learn how to configure OpenBAS to have it tailored for your production and development needs. It is possible to check all default parameters implemented in the platform in the  <code>application.properties</code> file.</p> <p>Here are the configuration keys, for both containers (environment variables) and manual deployment.</p> <p>Parameters equivalence</p> <p>The equivalent of a config variable in environment variables is the usage of an underscore (<code>_</code>) for a level of config.</p> <p>For example: <pre><code>spring.servlet.multipart.max-file-size=5GB\n</code></pre></p> <p>will become: <pre><code>SPRING_SERVLET_MULTIPART_MAX-FILE-SIZE=5GB\n</code></pre></p>"},{"location":"deployment/configuration/#platform","title":"Platform","text":""},{"location":"deployment/configuration/#api-frontend","title":"API &amp; Frontend","text":""},{"location":"deployment/configuration/#basic-parameters","title":"Basic parameters","text":"Parameter Environment variable Default value Description server.address SERVER_ADDRESS 0.0.0.0 Listen address of the application server.port SERVER_PORT 8080 Listen port of the application openbas.base-url OPENBAS_BASE-URL http://localhost:8080 Base URL of the application, will be used in some email links server.servlet.session.timeout SERVER_SERVLET_SESSION_TIMEOUT 60m Default duration of session (60 minutes) openbas.cookie-secure OPENBAS_COOKIE-SECURE <code>false</code> Turn on if the access is done in HTTPS openbas.cookie-duration OPENBAS_COOKIE-DURATION P1D Cookie duration (default 1 day) openbas.admin.email OPENBAS_ADMIN_EMAIL admin@openbas.io Default login email of the admin user openbas.admin.password OPENBAS_ADMIN_PASSWORD ChangeMe Default password of the admin user openbas.admin.token OPENBAS_ADMIN_TOKEN ChangeMe Default token (must be a valid UUIDv4)"},{"location":"deployment/configuration/#network-and-security","title":"Network and security","text":"Parameter Environment variable Default value Description server.ssl.enabled SERVER_SSL_ENABLED <code>false</code> Turn on to enable SSL on the local server server.ssl.key-store-type SERVER_SSL_KEY-STORE-TYPE PKCS12 Type of SSL keystore server.ssl.key-store SERVER_SSL_KEY-STORE classpath:localhost.p12 SSL keystore path server.ssl.key-store-password SERVER_SSL_KEY-STORE-PASSWORD admin SSL keystore password server.ssl.key-alias SERVER_SSL_KEY-ALIAS localhost SSL key alias openbas.unsecured-certificate OPENBAS_UNSECURED-CERTIFICATE <code>false</code> Turn on to authorize self-signed or unsecure ssl certificate openbas.with-proxy OPENBAS_WITH-PROXY <code>false</code> Turn on to authorize environment with proxy"},{"location":"deployment/configuration/#logging","title":"Logging","text":"Parameter Environment variable Default value Description logging.level.root LOGGING_LEVEL_ROOT fatal Root log level logging.level.io.openbas LOGGING_LEVEL_IO_OPENBAS warn OpenBAS log level logging.file.name LOGGING_FILE_NAME ./logs/openbas.log Log file path (in addition to console output) logging.logback.rollingpolicy.max-file-size LOGGING_LOGBACK_ROLLINGPOLICY_MAX-FILE-SIZE 10MB Rolling max file size logging.logback.rollingpolicy.max-history LOGGING_LOGBACK_ROLLINGPOLICY_MAX-HISTORY 7 Rolling max days"},{"location":"deployment/configuration/#dependencies","title":"Dependencies","text":""},{"location":"deployment/configuration/#xtm-suite","title":"XTM Suite","text":"Parameter Environment variable Default value Description openbas.xtm.opencti.enable OPENBAS_XTM_OPENCTI_ENABLE false Enable integration with OpenCTI openbas.xtm.opencti.url OPENBAS_XTM_OPENCTI_URL OpenCTI URL openbas.xtm.opencti.token OPENBAS_XTM_OPENCTI_TOKEN OpenCTI token openbas.xtm.opencti.disable-display OPENBAS_XTM_OPENCTI_DISABLE-DISPLAY <code>false</code> Disable OpenCTI in the UI"},{"location":"deployment/configuration/#postgresql","title":"PostgreSQL","text":"Parameter Environment variable Default value Description spring.datasource.url SPRING_DATASOURCE_URL jdbc:postgresql://... URL of the database (ex jdbc:postgresql://postgresql.mydomain.com:5432/openbas) spring.datasource.username SPRING_DATASOURCE_USERNAME Login for the database spring.datasource.password SPRING_DATASOURCE_PASSWORD password Password for the database"},{"location":"deployment/configuration/#rabbitmq","title":"RabbitMQ","text":"Parameter Environment variable Default value Description openbas.rabbitmq.prefix OPENBAS_RABBITMQ_PREFIX openbas Prefix for the queue names openbas.rabbitmq.hostname OPENBAS_RABBITMQ_HOSTNAME localhost Hostname of the RabbitMQ server openbas.rabbitmq.vhost OPENBAS_RABBITMQ_VHOST / Vhost of the RabbitMQ server openbas.rabbitmq.port OPENBAS_RABBITMQ_PORT 5672 Port of the RabbitMQ Server openbas.rabbitmq.management-port OPENBAS_RABBITMQ_MANAGEMENT-PORT 15672 Management port of the RabbitMQ Server openbas.rabbitmq.ssl OPENBAS_RABBITMQ_SSL <code>false</code> Use SSL openbas.rabbitmq.user OPENBAS_RABBITMQ_USER guest RabbitMQ user openbas.rabbitmq.pass OPENBAS_RABBITMQ_PASS guest RabbitMQ password openbas.rabbitmq.queue-type OPENBAS_RABBITMQ_QUEUE-TYPE classic RabbitMQ Queue Type (\"classic\" or \"quorum\") openbas.rabbitmq.management-insecure OPENBAS_RABBITMQ_MANAGEMENT-INSECURE <code>true</code> Whether or not the calls to the management plugin of rabbitmq can be insecure openbas.rabbitmq.trust.store OPENBAS_RABBITMQ_TRUST_STORE &lt;file:/path/to/client-store.p12&gt; Path to the p12 keystore file to use if ssl is activated and insecure management is deactivated. The keystore must contain the client side certificate and key generated for ssl. openbas.rabbitmq.trust-store-password OPENBAS_RABBITMQ_TRUST-STORE-PASSWORD &lt;trust-store-password&gt; Password of the keystore"},{"location":"deployment/configuration/#s3-bucket","title":"S3 bucket","text":"Parameter Environment variable Default value Description minio.endpoint MINIO_ENDPOINT localhost Hostname of the S3 Service. Example if you use AWS Bucket S3: s3.us-east-1.amazonaws.com (if <code>minio:bucket_region</code> value is us-east-1). This parameter value can be omitted if you use Minio as an S3 Bucket Service. minio.port MINIO_PORT 9000 Port of the S3 Service. For AWS Bucket S3 over HTTPS, this value can be changed (usually 443). minio.secure MINIO_SECURE <code>false</code> Indicates whether the S3 Service has TLS enabled. For AWS Bucket S3 over HTTPS, this value could be <code>true</code>. minio.access-key MINIO_ACCESS-KEY key Access key for the S3 Service. minio.access-secret MINIO_ACCESS-SECRET secret Secret key for the S3 Service. minio.bucket MINIO_BUCKET openbas S3 bucket name. Useful to change if you use AWS. minio.bucket-region MINIO_BUCKET-REGION us-east-1 Region of the S3 bucket if you are using AWS. This parameter value can be omitted if you use Minio as an S3 Bucket Service. openbas.s3.use-aws-role OPENBAS_S3_USE-AWS-ROLE <code>false</code> Whether or not we want to get the AWS role using AWS Security Token Service openbas.s3.sts-endpoint OPENBAS_S3_STS-ENDPOINT <code>experimental</code> This parameter is optional. If it stays empty, it will use either the AWS legacy STS endpoint (https://sts.amazonaws.com) or the regional one using AWS_REGION if the environment variable is set (you can learn more about it here). Otherwise, if you want to use your own custom implementation of STS endpoints, you can set it here."},{"location":"deployment/configuration/#agents-executors","title":"Agents (executors)","text":"<p>To be able to use the power of the OpenBAS platform on endpoints, you need at least one neutral executor that will be in charge of executing implants as detached processes. Implants will then execute payloads.</p>"},{"location":"deployment/configuration/#openbas-agent","title":"OpenBAS Agent","text":"<p>The OpenBAS agent is enabled by default and cannot be disabled. It is available for:</p> <ul> <li>Windows (<code>x86_64</code> / <code>arm64</code>)</li> <li>Linux (<code>x86_64</code> / <code>arm64</code>)</li> <li>MacOS (<code>x86_64</code> / <code>arm64</code>)</li> </ul>"},{"location":"deployment/configuration/#other-executors","title":"Other executors","text":"<p>To know more about other available executors, please refer to the executors documentation</p>"},{"location":"deployment/configuration/#mail-services","title":"Mail services","text":"<p>For the associated mailbox, for the moment the platform only relies on IMAP / SMTP protocols, we are actively developing integrations with APIs such as O365 and Google Apps.</p>"},{"location":"deployment/configuration/#smtp","title":"SMTP","text":"Parameter Environment variable Default value Description spring.mail.host SPRING_MAIL_HOST smtp.mail.com SMTP Server hostname spring.mail.port SPRING_MAIL_PORT 465 SMTP Server port spring.mail.username SPRING_MAIL_USERNAME username@mail.com SMTP Server username spring.mail.password SPRING_MAIL_PASSWORD password SMTP Server password Parameter Environment variable Default value Description spring.mail.properties.mail.smtp.ssl.enable SPRING_MAIL_PROPERTIES_MAIL_SMTP_SSL_ENABLE <code>true</code> Turn on SMTP SSL mode spring.mail.properties.mail.smtp.ssl.trust SPRING_MAIL_PROPERTIES_MAIL_SMTP_SSL_TRUST * Trust unverified certificates spring.mail.properties.mail.smtp.auth SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH <code>true</code> Turn on SMTP authentication spring.mail.properties.mail.smtp.starttls.enable SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE <code>false</code> Turn on SMTP STARTTLS <p>Note : Example with Gmail</p> Parameter Environment variable Value Description spring.mail.host SPRING_MAIL_HOST smtp.gmail.com Gmail SMTP server hostname spring.mail.port SPRING_MAIL_PORT 587 Gmail SMTP server port (TLS) spring.mail.username SPRING_MAIL_USERNAME username@mail.com Gmail address spring.mail.password SPRING_MAIL_PASSWORD app password Gmail App-specific password spring.mail.properties.mail.smtp.auth SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH true Enable SMTP authentication spring.mail.properties.mail.smtp.starttls.enable SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE true Enable SMTP STARTTLS <p>\u26a0\ufe0f Important: If you are using two-factor authentication on your Gmail account, an app-specific password is required. You can find a guide here.</p>"},{"location":"deployment/configuration/#imap","title":"IMAP","text":"Parameter Environment variable Default value Description openbas.mail.imap.enabled OPENBAS_MAIL_IMAP_ENABLED false Turn on to enable IMAP mail synchronization. Injector email must be well configured openbas.mail.imap.host OPENBAS_MAIL_IMAP_HOST imap.mail.com IMAP Server hostname openbas.mail.imap.port OPENBAS_MAIL_IMAP_PORT 993 IMAP Server port openbas.mail.imap.username OPENBAS_MAIL_IMAP_USERNAME username@mail.com IMAP Server username openbas.mail.imap.password OPENBAS_MAIL_IMAP_PASSWORD password IMAP Server password openbas.mail.imap.inbox OPENBAS_MAIL_IMAP_INBOX INBOX IMAP inbox directory to synchronize from openbas.mail.imap.sent OPENBAS_MAIL_IMAP_SENT Sent IMAP sent directory to synchronize from Parameter Environment variable Default value Description openbas.mail.imap.ssl.enable OPENBAS_MAIL_IMAP_SSL_ENABLE true Turn on IMAP SSL mode openbas.mail.imap.ssl.trust OPENBAS_MAIL_IMAP_SSL_TRUST * Trust unverified certificates openbas.mail.imap.auth OPENBAS_MAIL_IMAP_AUTH true Turn on IMAP authentication openbas.mail.imap.starttls.enable OPENBAS_MAIL_IMAP_STARTTLS_ENABLE true Turn on IMAP STARTTLS <p>Note : Example with Gmail</p> Parameter Environment variable Value Description openbas.mail.imap.enabled OPENBAS_MAIL_IMAP_ENABLED true Enable IMAP for Gmail openbas.mail.imap.host OPENBAS_MAIL_IMAP_HOST imap.gmail.com Gmail IMAP server hostname openbas.mail.imap.port OPENBAS_MAIL_IMAP_PORT 993 Gmail IMAP port (SSL) openbas.mail.imap.username OPENBAS_MAIL_IMAP_USERNAME username@mail.com Gmail address openbas.mail.imap.password OPENBAS_MAIL_IMAP_PASSWORD app password Gmail App-specific password openbas.mail.imap.ssl.enable OPENBAS_MAIL_IMAP_SSL_ENABLE true Enable IMAP SSL openbas.mail.imap.ssl.trust OPENBAS_MAIL_IMAP_SSL_TRUST * Trust unverified certificates openbas.mail.imap.auth OPENBAS_MAIL_IMAP_AUTH true Enable IMAP authentication openbas.mail.imap.sent OPENBAS_MAIL_IMAP_SENT [Gmail]/Sent Mail IMAP sent directory to synchronize from <p>\u26a0\ufe0f Important: If you are using two-factor authentication on your Gmail account, an app-specific password is required. You can find a guide here.</p>"},{"location":"deployment/configuration/#ai-service","title":"AI Service","text":"<p>AI deployment and cloud services</p> <p>There are several possibilities for Enterprise Edition customers to use OpenBAS AI endpoints:</p> <ul> <li>Use the Filigran AI Service leveraging our custom AI model using the token given by the support team.</li> <li>Use OpenAI or MistralAI cloud endpoints using your own tokens.</li> <li>Deploy or use local AI endpoints (Filigran can provide you with the custom model).</li> </ul> Parameter Environment variable Default value Description ai.enabled AI_ENABLED true Enable AI capabilities ai.type AI_TYPE mistralai AI type (<code>mistralai</code> or <code>openai</code>) ai.endpoint AI_ENDPOINT Endpoint URL (empty means default cloud service) ai.token AI_TOKEN Token for endpoint credentials ai.model AI_MODEL Model to be used for text generation (depending on type) ai.model_images AI_MODEL_IMAGES Model to be used for image generation (depending on type)"},{"location":"deployment/installation/","title":"Installation","text":"<p>All components of OpenBAS are shipped both as Docker images and manual installation packages.</p> <p>Production deployment</p> <p>For production deployment, we recommend to deploy all components in containers, including dependencies, using native cloud services or orchestration systems such as Kubernetes.</p> <ul> <li> <p> Use Docker</p> <p>Deploy OpenBAS using Docker and the default <code>docker-compose.yml</code> provided in the docker.</p> <p> Setup</p> </li> <li> <p> Manual installation</p> <p>Deploy dependencies and launch the platform manually using the packages released in the GitHub releases.</p> <p> Explore</p> </li> </ul>"},{"location":"deployment/installation/#using-docker","title":"Using Docker","text":""},{"location":"deployment/installation/#introduction","title":"Introduction","text":"<p>OpenBAS can be deployed using the docker compose command.</p>"},{"location":"deployment/installation/#pre-requisites","title":"Pre-requisites","text":"<p> Linux</p> <pre><code>sudo apt install docker-compose\n</code></pre> <p> Windows and MacOS</p> <p>Just download the appropriate Docker for Desktop version for your operating system.</p>"},{"location":"deployment/installation/#clone-the-repository","title":"Clone the repository","text":"<p>Docker helpers are available in the Docker GitHub repository.</p> <pre><code>mkdir -p /path/to/your/app &amp;&amp; cd /path/to/your/app\ngit clone https://github.com/OpenBAS-Platform/docker.git\ncd docker\n</code></pre>"},{"location":"deployment/installation/#configure-the-environment","title":"Configure the environment","text":"<p>Before running the <code>docker compose</code> command, the <code>docker-compose.yml</code> file should be configured. By default, the <code>docker-compose.yml</code> file is using environment variables available in the <code>.env.sample</code> file.</p> <p>You can either rename the file <code>.env.sample</code> in <code>.env</code> and put the expected values or just fill directly the <code>docker-compose.yml</code> with the values corresponding to your environment.</p>"},{"location":"deployment/installation/#docker-compose-env","title":"Docker compose env","text":"<p>Configuration static parameters</p> <p>The complete list of available static parameters is available in the configuration section.</p> <p>Whether you are using one method or the other, here are the mandatory parameters to fill:</p> <pre><code>POSTGRES_USER=ChangeMe\nPOSTGRES_PASSWORD=ChangeMe\nKEYSTORE_PASSWORD=ChangeMe\nMINIO_ROOT_USER=ChangeMeAccess\nMINIO_ROOT_PASSWORD=ChangeMeKey\nRABBITMQ_DEFAULT_USER=ChangeMe\nRABBITMQ_DEFAULT_PASS=ChangeMe\nSPRING_MAIL_HOST=smtp.example.com\nSPRING_MAIL_PORT=465\nSPRING_MAIL_USERNAME=ChangeMe@example.com\nSPRING_MAIL_PASSWORD=ChangeMe\nOPENBAS_MAIL_IMAP_ENABLED=true\nOPENBAS_MAIL_IMAP_HOST=imap.example.com\nOPENBAS_MAIL_IMAP_PORT=993\nOPENBAS_ADMIN_EMAIL=ChangeMe@example.com # must be a valid email address\nOPENBAS_ADMIN_PASSWORD=ChangeMe\nOPENBAS_ADMIN_TOKEN=ChangeMe # must be a valid UUID\nCOLLECTOR_MITRE_ATTACK_ID=3050d2a3-291d-44eb-8038-b4e7dd107436 # No need for change\nCOLLECTOR_ATOMIC_RED_TEAM_ID=0f2a85c1-0a3b-4405-a79c-c65398ee4a76 # No need for change\n</code></pre> <p>If your <code>docker-compose</code> deployment does not support <code>.env</code> files, just export all environment variables before launching the platform:</p> <pre><code>export $(cat .env | grep -v \"#\" | xargs)\n</code></pre>"},{"location":"deployment/installation/#persist-data","title":"Persist data","text":"<p>The default for OpenBAS data is to be persistent.</p> <p>In the <code>docker-compose.yml</code>, you will find at the end the list of necessary persistent volumes for the dependencies:</p> <pre><code>volumes:\n  esdata:     # ElasticSearch data\n  s3data:     # S3 bucket data\n  amqpdata:   # RabbitMQ data\n</code></pre>"},{"location":"deployment/installation/#run-openbas","title":"Run OpenBAS","text":""},{"location":"deployment/installation/#using-single-node-docker","title":"Using single node Docker","text":"<p>After changing your <code>.env</code> file run <code>docker compose</code> in detached (-d) mode:</p> <pre><code>sudo systemctl start docker.service\n# Run docker compose in detached\ndocker compose up -d\n</code></pre>"},{"location":"deployment/installation/#using-docker-swarm","title":"Using Docker swarm","text":"<p>In order to have the best experience with Docker, we recommend using the Docker stack feature. In this mode you will have the capacity to easily scale your deployment.</p> <pre><code># If your virtual machine is not a part of a Swarm cluster, please use:\ndocker swarm init\n</code></pre> <p>Put your environment variables in <code>/etc/environment</code>:</p> <pre><code># If you already exported your variables to .env from above:\nsudo cat .env &gt;&gt; /etc/environment\nsudo bash -c 'cat .env &gt;&gt; /etc/environment\u2019\nsudo docker stack deploy --compose-file docker-compose.yml openbas\n</code></pre> <p>Installation done</p> <p>You can now go to http://localhost:8080 and log in with the credentials filled in your configuration.</p>"},{"location":"deployment/installation/#openbas-x-caldera-optional-part","title":"OpenBAS X Caldera (Optional part)","text":"<p>You can deploy Caldera alongside OpenBAS to manage agent deployment and execute Caldera scripts.</p> <ul> <li> <p> Use Docker</p> <p>Deploy Caldera using Docker and the default <code>docker-compose.yml</code> provided in the docker.</p> <p> Setup</p> </li> </ul> <p>Unfortunately, Caldera does not support well environment variables, the <code>caldera.yml</code> needs to be modified to change default API keys and passwords. Only change what is marked as Change this, listed below:</p> <p>Caldera application</p> <p>You will never be asked to go into Caldera directly because OpenBAS manages everything for you, so don't hesitate to put the same UUIDv4 in all parameters here.</p> <pre><code>users:\n  red:\n    red: ChangeMe                                                                     # Change this\n  blue:\n    blue: ChangeMe                                                                    # Change this\napi_key_red: ChangeMe                                                                 # Change this\napi_key_blue: ChangeMe                                                                # Change this\napi_key: ChangeMe                                                                     # Change this\ncrypt_salt: ChangeMe                                                                  # Change this\nencryption_key: ChangeMe                                                              # Change this\napp.contact.http: http://caldera.myopenbas.myorganization.com:8888                    # Change this\napp.contact.tunnel.ssh.user_password: ChangeMe                                        # Change this\n</code></pre>"},{"location":"deployment/installation/#docker-compose-env_1","title":"Docker compose env","text":"<p>Add this environment variable to connect OpenBAS and Caldera:</p> <pre><code>INJECTOR_CALDERA_ENABLE=true\nINJECTOR_CALDERA_URL=${CALDERA_URL:-http://caldera:8888}\nINJECTOR_CALDERA_PUBLIC_URL=${CALDERA_PUBLIC_URL:-http://localhost:8888}\nINJECTOR_CALDERA_API_KEY=${CALDERA_API_KEY:-ChangeMe}\nEXECUTOR_CALDERA_ENABLE=true\nEXECUTOR_CALDERA_URL=${CALDERA_URL:-http://caldera:8888}\nEXECUTOR_CALDERA_PUBLIC_URL=${CALDERA_PUBLIC_URL:-http://localhost:8888}\nEXECUTOR_CALDERA_API_KEY=${CALDERA_API_KEY:-ChangeMe}\n</code></pre>"},{"location":"deployment/installation/#login-to-caldera","title":"Login to Caldera","text":"<p>To connect to Caldera, you need to use one of the users defined in your <code>caldera.yml</code> file (either 'red' or 'blue'). OpenBAS will use the red user.</p>"},{"location":"deployment/installation/#manual-installation","title":"Manual installation","text":"<p>This section provides instructions to install and run a pre-built OpenBAS server with its dependencies. Note that this does not cover building from source, which you will find in the Development section instead.</p>"},{"location":"deployment/installation/#prepare-the-installation","title":"Prepare the installation","text":""},{"location":"deployment/installation/#installation-of-dependencies","title":"Installation of dependencies","text":"<p>You have to enable all the mandatory dependencies for the main application if you would like to play breach and attack simulation scenarios.</p> <p>You may choose to use the dependencies from the provided compose file (see: Using Docker). If you elect doing so, make sure you disable the openbas server container first, and expose the dependencies on appropriate ports. You may refer to the official Docker documentation to achieve this.</p> <p>Otherwise, you are responsible for providing the dependencies yourself by installing and running them. You need at least a Java Runtime, PostgreSQL (database), RabbitMQ (queue management), and MinIO (for object storage).</p> <p>Supported dependency versions</p> <p>See the Dependencies section for details on the recommended (and supported) versions of the dependencies.</p> <p>If you choose to install the dependencies manually, please refer to their respective documentation:</p> <ul> <li>Java: the Java documentation portal</li> <li>PostgreSQL: the PostgreSQL documentation portal</li> <li>RabbitMQ: the RabbitMQ documentation portal</li> <li>MinIO: the MinIO website. </li> </ul>"},{"location":"deployment/installation/#download-the-application-files","title":"Download the application files","text":"<p>First, you have to download and extract the latest release file.</p> <pre><code>mkdir /path/to/your/app &amp;&amp; cd /path/to/your/app\nwget &lt;https://github.com/OpenBAS-Platform/openbas/releases/download/{RELEASE_VERSION}/openbas-release-{RELEASE_VERSION}.tar.gz&gt;\ntar xvfz openbas-release-{RELEASE_VERSION}.tar.gz\n</code></pre>"},{"location":"deployment/installation/#install-the-main-platform","title":"Install the main platform","text":""},{"location":"deployment/installation/#configure-the-application","title":"Configure the application","text":"<p>You may change the <code>application.properties</code> file (located at the root of the extracted release archive) according to your needs; alternatively you may set the equivalent environment variables.</p> <pre><code>$ cd openbas\n$ ls\napplication.properties  openbas-api.jar\n</code></pre> <p>Mandatory configuration</p> <p>Note that the configuration keys relevant to the mandatory dependencies listed above must be set in the file or as environment variables.</p> <p>See the relevant Configuration sections for more details:</p> <ul> <li>PostgreSQL</li> <li>RabbitMQ</li> <li>MinIO</li> </ul>"},{"location":"deployment/installation/#start-the-application","title":"Start the application","text":"<p>Before you can start the application, ensure your dependencies are up and running, and healthy.</p> <p>Then start the application itself:</p> <pre><code>java -jar openbas-api.jar\n</code></pre> <p>Installation done</p> <p>You can now go to http://localhost:8080 and log in with the credentials configured in your <code>application.properties</code> file.</p>"},{"location":"deployment/installation/#build-the-application-locally","title":"Build the application locally","text":"<ol> <li>cd openbas-front yarn build</li> <li>cp -r builder/prod/* ../openbas-api/src/main/resources/static/ </li> <li>cd ../openbas-api</li> <li>mvn clean install -DskipTests</li> <li>create an application.properties based on the existing one in openbas-api and fill all the mandatory fields</li> <li>run java -jar target/openbas-api.jar --spring.config.location=%PATH%\\application.properties</li> </ol>"},{"location":"deployment/installation/#community-contributions","title":"Community contributions","text":""},{"location":"deployment/installation/#helm-charts","title":"Helm Charts","text":"<ul> <li> <p> Kubernetes Helm Charts</p> <p>OpenBAS Helm Charts for Kubernetes with a global configuration file. More information how to deploy here on basic installation and examples.</p> <p> GitHub Repository</p> </li> </ul>"},{"location":"deployment/installation/#deploy-behind-a-reverse-proxy","title":"Deploy behind a reverse proxy","text":"<p>If you want to use OpenBAS behind a reverse proxy with a context path, like <code>https://example.com/openbas</code>, please change the <code>base_path</code> static parameter.</p> <ul> <li><code>APP__BASE_PATH=/openbas</code></li> </ul> <p>By default OpenBAS use websockets so don't forget to configure your proxy for this usage, an example with <code>Nginx</code>:</p> <pre><code>location / {\n    proxy_cache                 off;\n    proxy_buffering             off;\n    proxy_http_version          1.1;\n    proxy_set_header Upgrade    $http_upgrade;\n    proxy_set_header Connection \"upgrade\";\n    proxy_set_header Host       $host;\n    chunked_transfer_encoding   off;\n    proxy_pass                  http://YOUR_UPSTREAM_BACKEND;\n  }\n</code></pre>"},{"location":"deployment/installation/#additional-memory-information","title":"Additional memory information","text":"<p>OpenBAS platform is based on a JAVA runtime. The application needs at least 4GB of RAM to work properly.</p>"},{"location":"deployment/installation/#postgresql","title":"PostgreSQL","text":"<p>PostgreSQL is the main database of OpenBAS. You can find more information in the official PostgresQL documentation.</p>"},{"location":"deployment/installation/#minio","title":"MinIO","text":"<p>MinIO is a small process and does not require a high amount of memory. More information are available for Linux here on the Kernel tuning guide.</p>"},{"location":"deployment/integrations/","title":"Integrations","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"deployment/overview/","title":"Overview","text":"<p>Before starting the installation, let's discover how OpenBAS is working, which dependencies are needed and what are the minimal requirements to deploy it in production.</p>"},{"location":"deployment/overview/#architecture","title":"Architecture","text":"<p>The OpenBAS platform relies on several external databases and services in order to work.</p> <p></p>"},{"location":"deployment/overview/#platform","title":"Platform","text":"<p>The platform is the central part of the OpenBAS platform, allowing users to configure scenarios, simulations, atomic testings and all other components used in the context of breach and attack simulations and security validations.</p>"},{"location":"deployment/overview/#neutral-agents-executors","title":"Neutral agents / executors","text":"<p>Executors are embedded into the platform but you should configure at least one. This system is responsible for executing local injectors on endpoints.</p> <p>We developed a home-made XTM agent, and we support Caldera, Tanium and Crowdstrike. Others will be added in the near future.</p> <p>Tips</p> <p>If you want to learn more about how to deploy executors, you can have more info here.</p>"},{"location":"deployment/overview/#injectors","title":"Injectors","text":"<p>Injectors are used to interact with third-party applications or services (including execution on the endpoints through executors) in the context of a simulation or an atomic testing. A few injectors are built-in but most of them are standalone Python processes. </p> <p>Tips</p> <p>If you want to learn more about how to deploy injectors, you can have more info here.</p>"},{"location":"deployment/overview/#collectors","title":"Collectors","text":"<p>Collectors are used to connect to all security systems such as SIEMs, XDRs, EDRs, firewalls, mail gateways etc. to check if an inject (execution, emails, etc.) has been detected or prevented and fill the security posture. </p> <p>Tips</p> <p>If you want to learn more about how to deploy collectors, you can have more info here.</p>"},{"location":"deployment/overview/#infrastructure-requirements","title":"Infrastructure requirements","text":""},{"location":"deployment/overview/#dependencies","title":"Dependencies","text":"Component Recommended version CPU RAM Disk type Disk space PostgreSQL \u2265 17.0 2 cores \u2265 8GB SSD \u2265 16GB RabbitMQ &gt;= 4.0 1 core \u2265 512MB Standard \u2265 2GB S3 / MinIO \u2265 RELEASE.2023-02 1 core \u2265 128MB SSD \u2265 16GB <p>Please note that while the versions of these dependencies are the recommended ones, OpenBAS may still function with earlier versions. However, we will not provide support for versions prior to the recommended ones.</p>"},{"location":"deployment/overview/#platform_1","title":"Platform","text":"Component CPU RAM Disk type Disk space OpenBAS Core 2 cores \u2265 8GB None (stateless) - Injector(s) 1 core \u2265 128MB None (stateless) - Collector(s) 1 core \u2265 128MB None (stateless) -"},{"location":"deployment/resources/","title":"Resources","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"deployment/troubleshooting/","title":"Troubleshooting","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"deployment/upgrade/","title":"Upgrade","text":"<p>Depending on your installation mode, upgrade path may change.</p> <p>Migrations</p> <p>The platform is taking care of all necessary underlying migrations in the databases if any, you can upgrade OpenBAS from any version to the latest one, including skipping multiple major releases.</p>"},{"location":"deployment/upgrade/#using-docker","title":"Using Docker","text":"<p>Before applying this procedure, please update your <code>docker-compose.yml</code> file with the new version number of container images.</p>"},{"location":"deployment/upgrade/#for-single-node-docker","title":"For single node Docker","text":"<pre><code>$ sudo docker compose stop\n$ sudo docker compose pull\n$ sudo docker compose up -d\n</code></pre>"},{"location":"deployment/upgrade/#for-docker-swarm","title":"For Docker swarm","text":"<p>For each of services, you have to run the following command:</p> <pre><code>$ sudo docker service update --force service_name\n</code></pre>"},{"location":"deployment/upgrade/#manual-installation","title":"Manual installation","text":"<p>When upgrading the platform, you have to replace all files and restart the platform, the database migrations will be done automatically:</p> <pre><code>$ java -jar openbas-api.jar\n</code></pre>"},{"location":"deployment/ecosystem/collectors/","title":"Collectors","text":"<p>Tips</p> <p>If you want to learn more about the concept and features of collectors, you can have more info here.</p>"},{"location":"deployment/ecosystem/collectors/#installation","title":"Installation","text":""},{"location":"deployment/ecosystem/collectors/#external-python-collectors","title":"External (Python) collectors","text":""},{"location":"deployment/ecosystem/collectors/#configuration","title":"Configuration","text":"<p>All external collectors have to be able to access the OpenBAS API. To allow this connection, they have 2 mandatory configuration parameters, the <code>OPENBAS_URL</code> and the <code>OPENBAS_TOKEN</code>. In addition to these 2 parameters, collectors have other mandatory parameters that need to be set in order to get them work.</p> <p>Collector tokens</p> <p>You can use your administrator token or create another administrator service account to put in your collectors. It is not necessary to have one dedicated user for each collector.</p> <p>Here is an example of a collector <code>docker-compose.yml</code> file: <pre><code>- OPENBAS_URL=http://localhost\n- OPENBAS_TOKEN=ChangeMe\n- COLLECTOR_ID=ChangeMe # Specify a valid UUIDv4 of your choice \n- \"COLLECTOR_NAME=MITRE ATT&amp;CK\"\n- COLLECTOR_LOG_LEVEL=error\n</code></pre></p> <p>Here is an example in a collector <code>config.yml</code> file:</p> <pre><code>openbas:\n  url: 'http://localhost:3001'\n  token: 'ChangeMe'\n\ncollector:\n  id: 'ChangeMe'\n  name: 'MITRE ATT&amp;CK'\n  log_level: 'info'\n</code></pre>"},{"location":"deployment/ecosystem/collectors/#docker-activation","title":"Docker activation","text":"<p>You can either directly run the Docker image of collectors or add them to your current <code>docker-compose.yml</code> file.</p>"},{"location":"deployment/ecosystem/collectors/#add-an-collector-to-your-deployment","title":"Add an collector to your deployment","text":"<p>For instance, to enable the MITRE ATT&amp;CK collector, you can add a new service to your <code>docker-compose.yml</code> file:</p> <pre><code>  collector-mitre-attack:\n    image: openbas/collector-mitre-attack:1.0.0\n    environment:\n      - OPENBAS_URL=http://localhost\n      - OPENBAS_TOKEN=ChangeMe\n      - COLLECTOR_ID=ChangeMe\n      - \"COLLECTOR_NAME=MITRE ATT&amp;CK\"\n      - COLLECTOR_LOG_LEVEL=error\n    restart: always\n</code></pre>"},{"location":"deployment/ecosystem/collectors/#launch-a-standalone-collector","title":"Launch a standalone collector","text":"<p>To launch standalone collector, you can use the <code>docker-compose.yml</code> file of the collector itself. Just download the latest release and start the collector:</p> <pre><code>$ wget https://github.com/OpenBAS-Platform/collectors/archive/{RELEASE_VERSION}.zip\n$ unzip {RELEASE_VERSION}.zip\n$ cd collectors-{RELEASE_VERSION}/mitre-attack/\n</code></pre> <p>Change the configuration in the <code>docker-compose.yml</code> according to the parameters of the platform and of the targeted service. Then launch the collector:</p> <pre><code>$ docker compose up\n</code></pre>"},{"location":"deployment/ecosystem/collectors/#manual-activation","title":"Manual activation","text":"<p>If you want to manually launch collector, you just have to install Python 3 and pip3 for dependencies:</p> <pre><code>$ apt install python3 python3-pip\n</code></pre> <p>Download the release of the collectors:</p> <pre><code>$ wget &lt;https://github.com/OpenBAS-Platform/collectors/archive/{RELEASE_VERSION}.zip&gt;\n$ unzip {RELEASE_VERSION}.zip\n$ cd collectors-{RELEASE_VERSION}/mitre-attack/src/\n</code></pre> <p>Install dependencies and initialize the configuration:</p> <pre><code>$ pip3 install -r requirements.txt\n$ cp config.yml.sample config.yml\n</code></pre> <p>Change the <code>config.yml</code> content according to the parameters of the platform and of the targeted service and launch the collector:</p> <pre><code>$ python3 openbas_mitre.py\n</code></pre>"},{"location":"deployment/ecosystem/collectors/#collectors-status","title":"Collectors status","text":"<p>The collector status can be displayed in the dedicated section of the platform available in Integration &gt; collectors. You will be able to see the statistics of the RabbitMQ queue of the collector:</p> <p></p> <p>Problem</p> <p>If you encounter problems deploying OpenBAS or collectors, you can consult the troubleshooting page page.</p>"},{"location":"deployment/ecosystem/executors/","title":"Executors","text":""},{"location":"deployment/ecosystem/executors/#introduction","title":"Introduction","text":"<p>To be able to use the power of the OpenBAS platform on endpoints, you need at least one neutral executor that will be in charge of executing implants as detached processes. Implants will then execute payloads.</p> <p></p>"},{"location":"deployment/ecosystem/executors/#openbas-agent","title":"OpenBAS Agent","text":"<p>The OpenBAS agent is available for Windows, Linux and MacOS, it is the native / default way to execute implants and payloads on endpoints.</p> <p>Learn More</p>"},{"location":"deployment/ecosystem/executors/#tanium-agent","title":"Tanium Agent","text":"<p>The Tanium agent can be leveraged to execute implants as detached processes that will the execute payloads according to the OpenBAS architecture.</p>"},{"location":"deployment/ecosystem/executors/#configure-the-tanium-platform","title":"Configure the Tanium Platform","text":"<p>First of all, we are providing 2 Tanium packages to be imported in the Tanium platform.</p> <p></p> <p>Tanium package configuration</p> <p>Because OpenBAS should run implants as detached processed, you must uncheck the box \"Launch this package command in a process group\" in the package configuration:</p> <p></p> <p>Once configured and imported, retrieve the package IDs from the URL <code>ui/console/packages/XXXXX/preview</code>.</p>"},{"location":"deployment/ecosystem/executors/#configure-the-openbas-platform","title":"Configure the OpenBAS platform","text":"<p>To use the Tanium executor, just fill the following configuration.</p> Parameter Environment variable Default value Description executor.tanium.enable EXECUTOR_TANIUM_ENABLE <code>false</code> Enable the Tanium executor executor.tanium.url EXECUTOR_TANIUM_URL Tanium URL executor.tanium.api-key EXECUTOR_TANIUM_API-KEY Tanium API key executor.tanium.computer-group-id EXECUTOR_TANIUM_COMPUTER_GROUP_ID Tanium Computer Group to be used in simulations executor.tanium.windows-package-id EXECUTOR_TANIUM_WINDOWS_PACKAGE_ID ID of the OpenBAS Tanium Windows package executor.tanium.unix-package-id EXECUTOR_TANIUM_UNIX_PACKAGE_ID ID of the OpenBAS Tanium Unix package <p>Tanium API Key</p> <p>Please note that the Tanium API key should have the permissions to retrieve endpoint list from the Tanium GraphQL API as well as to launch packages on endpoints.</p>"},{"location":"deployment/ecosystem/executors/#checks","title":"Checks","text":"<p>Once enabled, you should see Tanium available in your <code>Install agents</code> section</p> <p></p> <p>Also, the assets in the selected computer groups should now be available in the endpoints section in OpenBAS:</p> <p></p> <p>NB : An Asset can only have one Tanium agent installed thanks to an unicity with hostname and IP parameters. If you try to install again a Tanium agent on a platform, it will overwrite the actual one and you will always see one endpoint on the OpenBAS endpoint page.</p> <p>Installation done</p> <p>You are now ready to leverage your Tanium platform to run OpenBAS payloads!</p>"},{"location":"deployment/ecosystem/executors/#crowdstrike-falcon-agent","title":"CrowdStrike Falcon Agent","text":"<p>The CrowdStrike Falcon agent can be leveraged to execute implants as detached processes that will the execute payloads according to the OpenBAS architecture.</p>"},{"location":"deployment/ecosystem/executors/#configure-the-crowdstrike-platform","title":"Configure the CrowdStrike Platform","text":""},{"location":"deployment/ecosystem/executors/#upload-openbas-scripts","title":"Upload OpenBAS scripts","text":"<p>First of all, you need to create two custom scripts, one for Windows and one for Unix, covering both Linux and MacOS systems.</p> <p>To create it, go to <code>Host setup and management</code> &gt; <code>Response and containment</code> &gt; <code>Response scripts and files</code>. The names of the scripts can be changed if necessary, they will be put in the OpenBAS configuration.</p> <p>Unix Script</p> Attribute Value name OpenBAS Subprocessor (Unix) shell type bash script access Users with the role of RTR Administrator or RTR Active Responder shared with workflows yes <p>Put the following script:</p> <pre><code>command=`echo $1 | grep -o '\"command\":\"[^\"]*' | grep -o '[^\"]*$'`\necho $command | base64 -d | sh\n</code></pre> <p>Put the following Input schema: <pre><code>{\n  \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n  \"properties\": {\n    \"command\": {\n      \"type\": \"string\"\n    }\n  },\n  \"required\": [\n    \"command\"\n  ],\n  \"type\": \"object\",\n  \"description\": \"This generated schema may need tweaking. In particular format fields are attempts at matching workflow field types but may not be correct.\"\n}\n</code></pre></p> <p></p> <p>Windows script</p> Attribute Value name OpenBAS Subprocessor (Windows) shell type PowerShell script access Users with the role of RTR Administrator or RTR Active Responder shared with workflows yes <p>Put the following script:</p> <pre><code>$command = $args[0] | ConvertFrom-Json | Select -ExpandProperty 'command';\ncmd.exe /d /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -NoProfile -Command \"Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([convert]::FromBase64String('$command')))\"\n</code></pre> <p>Put the following Input schema: <pre><code>{\n  \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n  \"properties\": {\n    \"command\": {\n      \"type\": \"string\"\n    }\n  },\n  \"required\": [\n    \"command\"\n  ],\n  \"type\": \"object\",\n  \"description\": \"This generated schema may need tweaking. In particular format fields are attempts at matching workflow field types but may not be correct.\"\n}\n</code></pre> </p> <p>Once created, your RTR scripts should have something like this:</p> <p></p>"},{"location":"deployment/ecosystem/executors/#create-a-host-group-with-your-targeted-assets","title":"Create a host group with your targeted assets","text":"<p>To create a host group, go to <code>Host setup and management</code> &gt; <code>Host groups</code>.</p>"},{"location":"deployment/ecosystem/executors/#configure-the-openbas-platform_1","title":"Configure the OpenBAS platform","text":"<p>CrowdStrike API Key</p> <p>Please note that the CrowdStrike API key should have the following permissions: API integrations, Hosts, Host groups, Real time response.</p> <p>To use the CrowdStrike executor, just fill the following configuration.</p> Parameter Environment variable Default value Description executor.crowdstrike.enable EXECUTOR_CROWDSTRIKE_ENABLE <code>false</code> Enable the Crowdstrike executor executor.crowdstrike.api-url EXECUTOR_CROWDSTRIKE_API_URL <code>https://api.us-2.crowdstrike.com</code> Crowdstrike API url executor.crowdstrike.client-id EXECUTOR_CROWDSTRIKE_CLIENT_ID Crowdstrike client id executor.crowdstrike.client-secret EXECUTOR_CROWDSTRIKE_CLIENT_SECRET Crowdstrike client secret executor.crowdstrike.host-group EXECUTOR_CROWDSTRIKE_HOST_GROUP Crowdstrike host group executor.crowdstrike.windows-script-name EXECUTOR_CROWDSTRIKE_WINDOWS_SCRIPT_NAME <code>OpenBAS Subprocessor (Windows)</code> Name of the OpenBAS Crowdstrike windows script executor.crowdstrike.unix-script-name EXECUTOR_CROWDSTRIKE_UNIX_SCRIPT_NAME <code>OpenBAS Subprocessor (Unix)</code> Name of the OpenBAS Crowdstrike unix script"},{"location":"deployment/ecosystem/executors/#checks_1","title":"Checks","text":"<p>Once enabled, you should see CrowdStrike available in your <code>Install agents</code> section</p> <p></p> <p>Also, the assets in the selected computer groups should now be available in the endpoints section in OpenBAS:</p> <p></p> <p>NB : An Asset can only have one CrowdStrike agent installed thanks to an unicity with hostname and IP parameters. If you try to install again a CrowdStrike agent on a platform, it will overwrite the actual one and you will always see one endpoint on the OpenBAS endpoint page.</p> <p>Installation done</p> <p>You are now ready to leverage your CrowdStrike platform to run OpenBAS payloads!</p>"},{"location":"deployment/ecosystem/executors/#caldera-agent","title":"Caldera Agent","text":"<p>The Caldera agent can be leveraged to execute implants as detached processes that will the execute payloads according to the OpenBAS architecture.</p> <p>Caldera already installed</p> <p>If you already have a working Caldera installation, just go directly to OpenBAS configuration section.</p>"},{"location":"deployment/ecosystem/executors/#deploy-caldera","title":"Deploy Caldera","text":"<p>To deploy Caldera, you can just add Caldera to the OpenBAS stack, we advise you to modify your <code>docker-compose.yml</code> and add a Caldera service:</p> <pre><code>services:\n  caldera:\n    image: openbas/caldera-server:5.0.0\n    restart: always\n    ports:\n      - \"8888:8888\"\n    environment:\n      CALDERA_URL: http://localhost:8888\n    volumes:\n      - type: bind\n        source: caldera.yml\n        target: /usr/src/app/conf/local.yml\n</code></pre> <p>As you can see in the configuration, you will also need a configuration file caldera.yml because Caldera does not support well environment variables for configuration.</p> <p>Download caldera.yml and put it alongside your <code>docker-compose.yml</code> file. This file must be modified prior launching, only change what is marked as * Change this*, listed below.</p> <pre><code>users:\n  red:\n    red: ChangeMe                                                                     # Change this\n  blue:\n    blue: ChangeMe                                                                    # Change this\napi_key_red: ChangeMe                                                                 # Change this\napi_key_blue: ChangeMe                                                                # Change this\napi_key: ChangeMe                                                                     # Change this\ncrypt_salt: ChangeMe                                                                  # Change this\nencryption_key: ChangeMe                                                              # Change this\napp.contact.http: http://caldera.myopenbas.myorganization.com:8888                    # Change this\napp.contact.tunnel.ssh.user_password: ChangeMe                                        # Change this\n</code></pre> <p>Just update your stack and check Caldera is running:</p> <pre><code>docker compose up -d\n</code></pre>"},{"location":"deployment/ecosystem/executors/#openbas-configuration","title":"OpenBAS configuration","text":"<p>Then, just change the OpenBAS configuration as follow:</p> Parameter Environment variable Default value Description executor.caldera.enable EXECUTOR_CALDERA_ENABLE <code>false</code> Enable the Caldera executor executor.caldera.url EXECUTOR_CALDERA_URL Caldera URL executor.caldera.public-url EXECUTOR_CALDERA_PUBLIC-URL Caldera URL accessible from endpoints (ex: http://caldera.myopenbas.myorganization.com:8888) executor.caldera.api-key EXECUTOR_CALDERA_API-KEY Caldera API key"},{"location":"deployment/ecosystem/executors/#agents","title":"Agents","text":""},{"location":"deployment/ecosystem/executors/#deploy-agents","title":"Deploy agents","text":"<p>Once enabled, you should see Caldera available in your <code>Install agents</code> section:</p> <p></p> <p>OpenBAS has built-in instruction if you want command line examples to deploy the agent on one endpoint.</p> <p></p> <p>Caldera AV detection</p> <p>By default, the Caldera agent \"Sandcat\" is detected and blocked by antivirus. Here, we are using Caldera as a neutral executor that will execute implants that will execute payloads, so you need to add the proper AV exclusions as instructed in the OpenBAS screen.</p> <p></p>"},{"location":"deployment/ecosystem/executors/#checks_2","title":"Checks","text":"<p>All assets with a proper Caldera agent installed using the OpenBAS provided command line (then persistent) should now be available in the OpenBAS endpoints list.</p> <p></p> <p>NB : An Asset can only have one Caldera agent installed thanks to an unicity with hostname and IP parameters. If you try to install again a Caldera agent on a platform, it will overwrite the actual one and you will always see one endpoint on the OpenBAS endpoint page.</p>"},{"location":"deployment/ecosystem/injectors/","title":"Injectors","text":"<p>Tips</p> <p>If you want to learn more about the concept and features of injectors, you can have more info here.</p> <p>Injectors list</p> <p>You are looking for the available injectors? The list is in the OpenBAS Ecosystem.</p>"},{"location":"deployment/ecosystem/injectors/#installation","title":"Installation","text":""},{"location":"deployment/ecosystem/injectors/#built-in-injectors","title":"Built-in injectors","text":"<p>Some injectors such as email, SMS, media pressure, etc. are directly embedded into the application. To configure them,  just add the proper configuration parameters in your platform configuration.</p>"},{"location":"deployment/ecosystem/injectors/#external-python-injectors","title":"External (Python) injectors","text":""},{"location":"deployment/ecosystem/injectors/#configuration","title":"Configuration","text":"<p>All external injectors have to be able to access the OpenBAS API. To allow this connection, they have 2 mandatory configuration parameters, the <code>OPENBAS_URL</code> and the <code>OPENBAS_TOKEN</code>. In addition to these 2 parameters, injectors have other mandatory parameters that need to be set in order to get them work.</p> <p>Injector tokens</p> <p>You can use your administrator token or create another administrator service account to put in your injectors. It is not necessary to have one dedicated user for each injector.</p> <p>Here is an example of a injector <code>docker-compose.yml</code> file: <pre><code>- OPENBAS_URL=http://localhost\n- OPENBAS_TOKEN=ChangeMe\n- INJECTOR_ID=ChangeMe # Specify a valid UUIDv4 of your choice\n- \"INJECTOR_NAME=HTTP query\"\n- INJECTOR_LOG_LEVEL=error\n</code></pre></p> <p>Here is an example in a injector <code>config.yml</code> file:</p> <pre><code>openbas:\n  url: 'http://localhost:3001'\n  token: 'ChangeMe'\n\ninjector:\n  id: 'ChangeMe'\n  name: 'HTTP query'\n  log_level: 'info'\n</code></pre>"},{"location":"deployment/ecosystem/injectors/#networking","title":"Networking","text":"<p>Be aware that all injectors are reaching RabbitMQ based the RabbitMQ configuration provided by the OpenBAS platform. The injector must be able to reach RabbitMQ on the specified hostname and port. If you have a specific Docker network configuration, please be sure to adapt your <code>docker-compose.yml</code> file in such way that the injector container gets attached to the OpenBAS Network, e.g.:</p> <pre><code>networks:\n  default:\n    external: true\n    name: openbas-docker_default\n</code></pre>"},{"location":"deployment/ecosystem/injectors/#docker-activation","title":"Docker activation","text":"<p>You can either directly run the Docker image of injectors or add them to your current <code>docker-compose.yml</code> file.</p>"},{"location":"deployment/ecosystem/injectors/#add-an-injector-to-your-deployment","title":"Add an injector to your deployment","text":"<p>For instance, to enable the HTTP query injector, you can add a new service to your <code>docker-compose.yml</code> file:</p> <pre><code>  injector-http-query:\n    image: openbas/injector-http-query:latest\n    environment:\n      - OPENBAS_URL=http://localhost\n      - OPENBAS_TOKEN=ChangeMe\n      - INJECTOR_ID=ChangeMe\n      - \"INJECTOR_NAME=HTTP query\"\n      - INJECTOR_LOG_LEVEL=error\n    restart: always\n</code></pre>"},{"location":"deployment/ecosystem/injectors/#launch-a-standalone-injector","title":"Launch a standalone injector","text":"<p>To launch standalone injector, you can use the <code>docker-compose.yml</code> file of the injector itself. Just download the latest release and start the injector:</p> <pre><code>$ wget https://github.com/OpenBAS-Platform/injectors/archive/{RELEASE_VERSION}.zip\n$ unzip {RELEASE_VERSION}.zip\n$ cd injectors-{RELEASE_VERSION}/http-query/\n</code></pre> <p>Change the configuration in the <code>docker-compose.yml</code> according to the parameters of the platform and of the targeted service. Then launch the injector:</p> <pre><code>$ docker compose up\n</code></pre>"},{"location":"deployment/ecosystem/injectors/#manual-activation","title":"Manual activation","text":"<p>If you want to manually launch injector, you just have to install Python 3 and pip3 for dependencies:</p> <pre><code>$ apt install python3 python3-pip\n</code></pre> <p>Download the release of the injectors:</p> <pre><code>$ wget &lt;https://github.com/OpenBAS-Platform/injectors/archive/{RELEASE_VERSION}.zip&gt;\n$ unzip {RELEASE_VERSION}.zip\n$ cd injectors-{RELEASE_VERSION}/http-query/src/\n</code></pre> <p>Install dependencies and initialize the configuration:</p> <pre><code>$ pip3 install -r requirements.txt\n$ cp config.yml.sample config.yml\n</code></pre> <p>Change the <code>config.yml</code> content according to the parameters of the platform and of the targeted service and launch the injector:</p> <pre><code>$ python3 openbas_http.py\n</code></pre>"},{"location":"deployment/ecosystem/injectors/#injectors-status","title":"Injectors status","text":"<p>The injector status can be displayed in the dedicated section of the platform available in Integration &gt; injectors. You will be able to see the statistics of the RabbitMQ queue of the injector:</p> <p></p> <p>Problem</p> <p>If you encounter problems deploying OpenBAS or injectors, you can consult the troubleshooting page page.</p>"},{"location":"development/api-usage/","title":"REST API","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"development/build_from_source/","title":"Building from source","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"development/collectors/","title":"Collector development","text":""},{"location":"development/collectors/#detection-prevention-siem-xdr-edr-ndr","title":"Detection &amp; Prevention (SIEM, XDR, EDR, NDR)","text":""},{"location":"development/collectors/#introduction","title":"Introduction","text":"<p>This guide explains how to implement an OpenBAS collector for a EDR/XDR, to retrieve security events and compare them against injected expectations in OpenBAS.</p>"},{"location":"development/collectors/#implementing-the-collector","title":"Implementing the Collector","text":"<p>The following documentation is based on the CrowdStrike Collector.</p>"},{"location":"development/collectors/#1-retrieving-expectations","title":"1. Retrieving Expectations","text":"<p>The first step involves fetching all expectations that have not yet been fulfilled by your collector. These expectations must be validated within a short timeframe to assess the responsiveness of your EDR/XDR (default: 45 minutes). If this period is exceeded, the expectations will be marked as failed.</p>"},{"location":"development/collectors/#2-retrieving-alerts","title":"2. Retrieving Alerts","text":"<p>This step focuses on collecting alerts from your service tiers. There are two key aspects to define:</p> <ul> <li>How to extract relevant information from an alert to match OpenBAS signatures.</li> <li>How to determine whether the alert successfully prevented or detected the attack based on the expectations.</li> </ul> <p>Definition: a signature is a way to find an attack in an alert.</p> Signature Description PARENT_PROCESS_NAME The parent process name of the attack, which corresponds to the implant name created with openbas-implant-INJECT_ID.exe"},{"location":"development/collectors/#3-matching-expectations","title":"3. Matching Expectations","text":"<p>The final step involves aligning retrieved expectations with logs and signatures from your service tiers to ensure proper validation.</p> <p></p>"},{"location":"development/collectors/#use-it","title":"Use it","text":"<p>Now, you can launch your collector by connecting it with OpenBAS. Your collector will register to OpenBAS and you can view in Integrations &gt; Collectors.</p> <p></p>"},{"location":"development/environment_ubuntu/","title":"Prerequisites Ubuntu","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"development/environment_windows/","title":"Prerequisites Windows","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"development/injectors/","title":"Injector development","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"development/platform/","title":"Platform development","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"reference/apis/filters/","title":"Filter knowledge","text":"<p>In OpenBAS, you can filter data to focus on or display information with specific attributes.</p>"},{"location":"reference/apis/filters/#filters-usages","title":"Filters usages","text":""},{"location":"reference/apis/filters/#dynamic-filters","title":"Dynamic filters","text":"<p>Dynamic filters allow you to filter the UI view based on the attributes present in the data, such as the list of scenarios or simulations.</p> <p>These filters are not stored in the database. However, they remain persistent on the frontend of the platform. Your web browser saves the filters you set in different areas of the platform in local storage, allowing you to retrieve them when you return to the same view. This way, you can continue working from where you left off.</p> <p>Additionally, the filters applied in a view are saved as URL parameters, enabling you to save and share links to these filtered views.</p> <p></p>"},{"location":"reference/apis/filters/#create-a-filter","title":"Create a filter","text":"<p>To create a filter, add every key you need using the 'Add filter' select box. It will give you the possible attributes on which you can filter in the current view.</p> <p>A grey box appears and allows to select:</p> <ol> <li>the operator to use, and</li> <li>the values to compare (if the operator is not \"empty\" or \"not empty\").</li> </ol> <p>You can add as many filters as you need.</p> <p></p> <p>The boolean modes (and/or) are global (between every attribute filters) and can be switched with a single click, changing the logic of your filtering.</p> <p></p>"},{"location":"reference/apis/filters/#filters-format","title":"Filters format","text":"<p>The OpenBAS platform uses a filter format called <code>FilterGroup</code>. The <code>FilterGroup</code> model enables to do complex filters imbrication with different boolean operators, which extends greatly the filtering capabilities in every part of the platform.</p>"},{"location":"reference/apis/filters/#structure","title":"Structure","text":"<p>The format can be described as below:</p> <pre><code>{\n  \"filterGroup\": {\n    \"mode\": \"and\",\n    // or \"or\"\n    \"filters\": [\n      {\n        \"key\": \"name\",\n        \"mode\": \"or\",\n        // or \"and\"\n        \"values\": [\n          \"value1\",\n          \"value2\"\n        ],\n        \"operator\": \"contains\"\n        // or \"not_contains\", \"eq\", \"not_eq\", \"starts_with\", \"not_starts_with\",\n        // \"empty\", \"not_empty\"\n      }\n    ]\n  }\n}\n</code></pre>"},{"location":"reference/apis/filters/#properties","title":"Properties","text":"<p>In a given filter group, the <code>mode</code> (<code>and</code> or <code>or</code>) represents the boolean operation between the different <code>filters</code> and <code>filterGroups</code> arrays. The <code>filters</code> and <code>filterGroups</code> arrays are composed of objects of type Filter and FilterGroup.</p> <p>The <code>Filter</code> has 4 properties:</p> <ul> <li>a <code>key</code>, representing the kind of data we want to target (example: <code>tags</code> to filter on tags or <code>name</code> to   filter on the data's name),</li> <li>an array of <code>values</code>, representing the values we want to compare to,</li> <li>an <code>operator</code> representing the operation we want to apply between the <code>key</code> and the <code>values</code>,</li> <li>a <code>mode</code> (<code>and</code> or <code>or</code>) to apply between the values if there are several ones.</li> </ul>"},{"location":"reference/apis/filters/#operators","title":"Operators","text":"<p>The available operators are:</p> Value Meaning contains contains not_contains not contains eq equal not_eq different empty empty / no value not_empty non-empty / any value <p>In addition, there are operators:</p> <ul> <li><code>starts_with</code> / <code>not_starts_with</code>, available for searching in short string fields (name, value, title, etc.),</li> </ul>"},{"location":"usage/assets/","title":"Assets","text":"<p>The Assets section provides users with a centralized hub for managing and organizing the entities targeted for testing and simulation.</p> <p>When you click on \u201cAssets\u201d in the left-hand banner, you see all the \u201cAssets\u201d pages. When accessing the Assets section, users are directed by default to the Endpoints page, where they can start managing their assets.</p> <p>From the <code>Assets</code> section, users can access the following pages:</p> <ul> <li><code>Endpoints</code>: Individual entities, representing any object or terminal that can be connected to a network.</li> <li><code>Asset groups</code>: Group of asset allowing you to organize endpoints into logical groups based on various filters applied   by the user.</li> </ul>"},{"location":"usage/assets/#endpoints","title":"Endpoints","text":"<p>Endpoints encompass devices and systems that connect to a network, serving as the foundation for interaction with OpenBAS.</p> <p>The list of endpoints continues to grow with the changing landscape of networked technologies and the increasing interconnectivity of digital ecosystems. Below is a non-exhaustive list of terminal categories:</p> <ul> <li>Computers: This category encompasses a wide range of computing devices, including desktops, laptops, and servers   deployed within organizational networks.</li> <li>Mobile devices: Smartphones and tablets represent another prominent category of endpoints, providing users with   mobile access to network resources and services.</li> <li>Workstations: Workstations refer to terminals or dedicated machines utilized by individuals or groups to perform   specific tasks or access networked resources. These systems are typically tailored to meet specific operational   requirements and may include specialized software or configurations.</li> <li>IoT devices: The Internet of Things (IoT) encompasses a diverse array of interconnected devices and sensors. IoT   endpoints include smart thermostats, cameras, environmental sensors, smart watches, and health tracking devices, among   others.</li> </ul> <p>When accessing the Endpoints pages, you see the list of all endpoints imported in your platform. Here, users can manage  details specific to each endpoint.</p> <p>Note</p> <p>Openbas marks an endpoint as inactive if none of its agents have communicated within one hour.</p> <p></p> <p>By clicking on an endpoint, you will be able to access its details :</p> <p></p> <p>To register new endpoints, you will need to install an agent. You can find detailed instructions on the agent installation page.</p>"},{"location":"usage/assets/#asset-groups","title":"Asset groups","text":"<p>Asset groups serve as a mechanism for organizing and grouping related Endpoints. These groups are constructed based on filters that define the criteria for inclusion, allowing administrators to segment and categorize Endpoints based on common characteristics or attributes.</p> <p>When creating a new asset group, administrators have the flexibility to specify the filters that will delineate the group's membership. Currently, the platform offers a range of filters such as platform type, hostname, and IP addresses. We plan to extend the possibilities by including additional filters in future updates.</p> <p></p>"},{"location":"usage/assets/#security-platforms","title":"Security platforms","text":"<p>Some integrations in OpenBAS are connected to your security platforms, such as Microsoft Sentinel, Microsoft Defender, etc., and can be viewed on this screen.</p> <p>OpenBAS strives to support as many integrations as possible with the most popular tools on the market. However, if your security platform integration is not yet available, you can create it manually here.</p> <p></p>"},{"location":"usage/atomic/","title":"Atomic testing","text":"<p>Under construction</p> <p>We are doing our best to complete this page.  If you want to participae, dont hesitate to join the Filigran Community on Slack  or submit your pull request on the Github doc repository.</p> <p>When clicking on Atomic testing in the left menu, you access to the list of all atomic testings ever launched in the platform.</p> <p>Atomic testing is a great way to simulate a singular attack technique you are particulary interested in, and test immediately your capability to prevent and detect it.</p> <p>You can search for a specific one by name.</p> <p>The presented list allows you to easily see global scores of all your recent atomic testings.</p> <p></p>"},{"location":"usage/atomic/#create-an-atomic-testing","title":"Create an Atomic testing","text":"<p>An atomic testing is essentially the simulation of a single inject, against a selection of targets (Players, Teams, Assets, Assets Group) with assorted expectations.</p> <p>By clicking on the + button at the bottom right of the screen, you enter the atomic testing creation workflow.</p> <p>On the left of the creation screen is the list of all available Inject you can play for atomic testing. Logos on the left of each line indicates which Injector is associated with each inject.</p> <p>Depending on your integrations, this list can be long. You can filter the list by compatible platforms or by Mitre Att&amp;ck tactics.By clicking on the \"Att&amp;CK\" logo near the search bar, you can also filter by selecting a precise Mitre Att&amp;ck techniques.</p> <p>When selecting an inject on the left, the form on the right populates itself with a by-default title and propose you to define when the inject should be played after the launch of the atomic testing. You can keep it to 0.</p> <p>By clicking on Inject content, you can define now or later the targeted assets or players, needed configurations, and the assorted expectations.</p> <p>The \"available variables\" button helps you to use already defined variables into compatible fields.</p>"},{"location":"usage/atomic/#atomic-testing-screens","title":"Atomic testing screens","text":"<p>Details of an Atomic testing is composed of three parts: - a header allowing to launch the test, see its state and update/delete it. - an Overview screen to eaily see the results of the test. - an execution details screen to see expectations of the test and investigate on execution logs</p>"},{"location":"usage/atomic/#overview","title":"Overview","text":"<p>The first screen displayed when you click on a specific Atomic testing from the list is a breakdown of your security posture against this test. </p> <p>As for Simulation and Scenario, Results are broken down into: - Prevention: the ability of your security posture to prevent the inject - Detection: the ability of your security posture to detect the inject - Human response: the ability of your security teams to react as intented facing the inject</p> <p>Big metrics on top of the screen sum up the expectations' result of all targets. </p> <p>The list of targets on the left allows you to easily see the result per Target, and for example investigate further why a specific Asset have failed the test.</p> <p>For a selected target, you can on the right the timeline of the test against the target and the assorted results. The result logs are also displayed.</p> <p></p>"},{"location":"usage/atomic/#execution-details","title":"Execution details","text":"<p>On this screen, you can retrieve details about the configuration, the command lines (if relevant) and the execution logs of the atomic testing and its expectations.</p> <p>You can also see the raw execution logs of the Injector responsible for the test execution.</p> <p></p>"},{"location":"usage/collectors/","title":"Collectors","text":"<p>Collectors list</p> <p>You are looking for the available collectors? The list is in the OpenBAS Ecosystem.</p>"},{"location":"usage/collectors/#introduction","title":"Introduction","text":"<p>Collectors are one of the cornerstones of the OpenBAS platform, they are responsible for pulling data from various external services for two purposes:</p> <ul> <li>Collect all alerts, logs and traces related to attacks, incidents or crisis and match them to simulated injects to   evaluate the security posture.</li> <li>Collect any data that may help to schedule breach and attack simulations such as list of assets, groups, identities,   payloads, etc.</li> </ul>"},{"location":"usage/collectors/#detection-prevention-siem-xdr-edr-ndr","title":"\ud83d\udee1\ufe0f Detection &amp; Prevention (SIEM, XDR, EDR, NDR)","text":"<p>Those collectors are the most important ones as they are used to evaluate the security posture (response to injects) from various detection and response systems and fulfill expectations for detection and prevention.</p>"},{"location":"usage/collectors/#detection-prevention-with-edr","title":"Detection &amp; Prevention with EDR","text":"<p>For EDRs, we analyze the tool's logs to identify matches for the hostname and the parent process name associated with the attack. If the attack is initiated by the OpenBAS agent, the parent process name will follow this format: openbas-implant-INJECT_ID.exe.</p>"},{"location":"usage/collectors/#detection-prevention-with-siem","title":"Detection &amp; Prevention with SIEM","text":"<p>For SIEMs, we rely on the upstream-deployed EDR, whose logs are collected by the SIEM. If the EDR confirms an expectation of type detection or prevention, we trace this information back in the SIEM to validate it as well.</p> <p>This means that within the workflow, the EDR collector must first validate the expectation before the SIEM collector can perform its task.</p>"},{"location":"usage/collectors/#threat-intelligence","title":"\ud83e\uddec Threat Intelligence","text":"<p>Those collectors are used to collect threat intelligence data such as kill chains, scenarios, TTPs, payloads, etc.</p>"},{"location":"usage/collectors/#endpoint-management","title":"\ud83d\udcfa Endpoint management","text":"<p>Those collectors are pulling alternative information about your endpoints and assets to complete the overview about your current posture in terms of vulnerabilities and compliance.</p>"},{"location":"usage/collectors/#identities","title":"\ud83c\udfad Identities","text":"<p>Those collectors are pulling all information related to identities, including human assets, to be used in scenario or to complete the view overview about your current posture.</p>"},{"location":"usage/collectors/#others","title":"\ud83d\udd2d Others","text":"<p>All other system OpenBAS can pull from, to add more meaningful and relevant information to the view of your security posture.</p>"},{"location":"usage/components/","title":"Components","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"usage/default_asset_rules/","title":"Default Asset Rules","text":"<p>Default Asset Rules let you define Asset Groups that are automatically applied to Injects based on a Scenario\u2019s tags. Each Asset Rule consists of a Tag and list of Asset Groups</p> <p>You can manage these rules in Settings \u2192 Customization.</p> <p>When you create an Inject in a Scenario, if the Scenario has a tag matching one of the Asset Rules, the associated default Asset Groups are automatically applied to that Inject. When a Scenario is updated, if you add a tag matching one of the Asset Rules, a pop-up will appear asking if you want to apply those default Asset Groups to the existing Injects in the Scenario.</p>"},{"location":"usage/default_asset_rules/#opencti-default-rule","title":"OpenCTI default rule","text":"<p>By default, a rule for the opencti tag is created. This tag is automatically applied to Scenarios generated from OpenCTI (see Generating Scenario from OpenCTI ). This default rule cannot be removed, and its tag cannot be modified.</p> <p></p>"},{"location":"usage/expectations/","title":"Expectations","text":"<p>Expectations define what is expected from an Asset (endpoint) or a Players when facing an Inject in terms of security posture. Each expectation has a score representing how well it has been met by the target.</p>"},{"location":"usage/expectations/#expectation-types","title":"Expectation types","text":"<p>Expectations can be categorized as either Manual or Automatic, depending on how they are validated.</p>"},{"location":"usage/expectations/#manual-expectations","title":"Manual expectations","text":"<p>Manual expectations require manual validation by the animation team, with the validation process and scoring managed manually. They are simple, customizable expectations to be manually validated.</p>"},{"location":"usage/expectations/#automatic-expectations","title":"Automatic expectations","text":"<p>Automatic expectations are validated automatically under specific conditions. Currently available automatic expectations include:</p> <ul> <li><code>Automatic - Prevention: Triggered when inject is processed</code>: automatically validated by security integration with   compatible Collectors if the inject's action generates a prevention alert, such as quarantine.</li> <li><code>Automatic - Detection: Triggered when inject is processed</code>: automatically validated by security integration with   compatible Collectors if the inject's action generates a detection alert, such as an incident.</li> <li><code>Automatic - Triggered when target reads articles</code>: Automatically validated when the article of a Media pressure inject   has been read by targets.</li> </ul>"},{"location":"usage/expectations/#validation-mode","title":"Validation Mode","text":"<p>There are two modes for validating an expectation :</p> <ul> <li> <p><code>All targets (per group) must validate the expectation</code> : in this case, the result depends on every group member's performance. If one target fails, the entire team fails. The score is calculated as the average of all targets' scores.</p> </li> <li> <p><code>At least one target (per group) must validate the expectation</code> : here, the success of the group depends on at least one target succeeding. If one target succeeds, the group is considered successful. The score is an average of all successful targets' scores.</p> </li> </ul> <p></p>"},{"location":"usage/expectations/#expectation-manipulation","title":"Expectation manipulation","text":""},{"location":"usage/expectations/#add-an-expectation-to-an-inject","title":"Add an expectation to an Inject","text":"<p>To add expectations to an inject, navigate to the inject's content and click on \"Add expectations\". From there, select the type of expectation you want to add and set a score for it.</p> <p>You can add multiple expectations to a single inject.</p>"},{"location":"usage/expectations/#validate-a-manual-expectation","title":"Validate a manual expectation","text":"<p>If you have configured manual expectations in your scenario, you will have the opportunity to handle manual validations during each simulation. During a Simulation, navigate to the Animation tab, under the Validation screen. Here, you'll find a list of expectations that require manual validation.</p>"},{"location":"usage/expectations/#customize-expectations","title":"Customize expectations","text":""},{"location":"usage/expectations/#default-score","title":"Default score","text":"<p>Expectations have a default score at creation. Depending on the expectation's type, there is a default score value set in the system.</p> <ul> <li>In the Docker .env file thanks to these variables</li> </ul> Parameter Environment variable Default value Description openbas.expectation.manual.default-score-value OPENBAS_EXPECTATION_MANUAL_DEFAULT-SCORE-VALUE 50 Default score value for manual expectation"},{"location":"usage/expectations/#expiration-time","title":"Expiration time","text":"<p>Expectations results must be validated within a time limit. Depending on the expectation's type, there is a default expiration time set in the system. You have two ways to modify that expiration time:</p> <ul> <li>In the Docker .env file thanks to these variables</li> </ul> Parameter Environment variable Default value Description openbas.expectation.technical.expiration-time OPENBAS_EXPECTATION_TECHNICAL_EXPIRATION-TIME 21600 Expiration time for Technical expectation (detection &amp; prevention) openbas.expectation.detection.expiration-time OPENBAS_EXPECTATION_DETECTION_EXPIRATION-TIME 21600 Expiration time for detection expectation openbas.expectation.prevention.expiration-time OPENBAS_EXPECTATION_PREVENTION_EXPIRATION-TIME 21600 Expiration time for prevention expectation openbas.expectation.human.expiration-time OPENBAS_EXPECTATION_HUMAN_EXPIRATION-TIME 86400 Expiration time for human expectation (manual, challenge &amp; article) openbas.expectation.challenge.expiration-time OPENBAS_EXPECTATION_CHALLENGE_EXPIRATION-TIME 86400 Expiration time for challenge expectation openbas.expectation.article.expiration-time OPENBAS_EXPECTATION_ARTICLE_EXPIRATION-TIME 86400 Expiration time for article expectation openbas.expectation.manual.expiration-time OPENBAS_EXPECTATION_MANUAL_EXPIRATION-TIME 86400 Expiration time for manual expectation <p>A default expiration time is set for technical and human expectations. Users can override them for each type of expectations.</p> <ul> <li>In the UI</li> </ul> <p></p> <p>When creating an expectation, users can set an expiration time. The system's default times are set on the form and users decide to override it.</p>"},{"location":"usage/getting-started/","title":"Getting started","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p> <p>This guide aims to give you a full overview of the OpenBAS features and workflows. The platform can be used in various contexts to handle Breach and Attack simulations at technical or strategical levels. OpenBAS has been designed as a part of the Filigran XTM suite and can be integrated with OpenCTI to generate meaningful attack scenarios based on real threat. OpenBAS is result-oriented with many dashboards helping you to evaluate you security posture given a defined context.</p> <p>Here are some examples of use cases:</p> <ul> <li>Designing attack scenario based on real threat</li> <li>Evaluate your security posture against technical simulations on endpoints</li> <li>Enhance team skills by evaluating them during simulations along with your security systems</li> <li>Organize Capture The Flag with multiple challenges</li> <li>Conduct atomic testing</li> </ul>"},{"location":"usage/getting-started/#welcome-dashboard","title":"Welcome dashboard","text":"<p>The welcome page provides every OpenBAS platform visitor with a snapshot of the platform activity as well as an overview of your global security posture. You can find more information in this section.</p>"},{"location":"usage/getting-started/#your-first-breach-and-attack-simulation","title":"Your first Breach and Attack Simulation","text":""},{"location":"usage/getting-started/#creating-or-importing-players-and-assets-to-play-with","title":"Creating or Importing players and assets to play with","text":"<p>First, you need to create or import Players and Assets that will participate in the simulation and be targeted by technical or strategical events. To do so, you can either create players and teams or deploy agent on assets.</p>"},{"location":"usage/getting-started/#building-your-scenario","title":"Building your Scenario","text":"<p>Once integrations is done, you are ready to create your first Scenario!</p> <p>Scenarios act as template for your Breach and Attack simulations. After establishing such a template, you will be able to schedule it as a one shot simulation, or as a recurring one.</p> <ul> <li>First, go to the Scenarios menu and create a new one with the + button.</li> <li>Once done, define Teams that will be playing in this Scenario by going to   the Definition/Teams tab</li> <li>Now go to the Injects tab and add some to build the serie of events that will define the core of your   Scenario. If you want to stay strategical, you can select inject like \"Send individual mails\". If you want to go   technical, you can select injects linked to attack pattern (Caldera integration allows you to play hundreds of them).</li> <li>Then, define who or what will be targeted by those injects, customize them, and define what is expected   to happen. For example, you expect the targeted team to perform a specific action and the animation team will   validated this expectation manually. Or, you expect the technical event to be prevented and it will be automatically   checked through your integrations with your security systems.</li> <li>Do not forget to define when the inject is played in the scenario chronology.</li> </ul> <p>Optionally, you can enhance your scenario by adding Documents, Media pressures, or even CTF Challenges to your injects.</p>"},{"location":"usage/getting-started/#play-the-simulation","title":"Play the simulation","text":"<p>You can now schedule your Simulation by hitting the blue \"Simulate now\" button. Choose your moment and hit start.</p> <p>On time, a Simulation based on your Scenario template is generated. It is listed in your Scenario overview and in the Simulations menu. From there, you can follow the course of the Simulation and interact with it, for example to validate manual expectations.</p> <p>During the course of the simulation, results are updated and can be consulted in the Simulation overview.</p>"},{"location":"usage/getting-started/#evaluate-your-security-posture","title":"Evaluate your security posture","text":"<p>Results in OpenBAS are based on expectations' results that are linked to injects played during Simulations. It is then important to manually validate expectations that need it.</p> <p>Results are broken down by \"Prevention\", \"Detection\" and \"Human response\" metrics.</p> <ul> <li>Prevention displays your ability to prevent the scenario's technical events to be completed</li> <li>Detection displays your ability to detect the scenario's technical events</li> <li>HUman response displays how well players and teams react as expected facing the scenario's events.</li> </ul>"},{"location":"usage/inject-caldera/","title":"Caldera injects","text":"<p>The Caldera framework, developed by MITRE, is a powerful framework designed to simulate cyberattacks. It enables security teams to conduct realistic and controlled simulations of adversary behavior, reducing the amount of time and resources needed for routine cybersecurity testing.</p>"},{"location":"usage/inject-caldera/#injects","title":"Injects","text":"<p>In OpenBAS, the Caldera framework has been fully integrated, offering users access to a comprehensive library of injects for conducting simulation exercises. With this integration, users can leverage the extensive capabilities of Caldera within OpenBAS.</p> <p>Caldera offers 1600+ abilities, covering the full range of ATT&amp;CK tactics and techniques. These capabilities equip security teams with an extensive toolkit to simulate various threats and assess defense mechanisms effectively.</p>"},{"location":"usage/inject-caldera/#behavior","title":"Behavior","text":"<p>Injects within the Caldera framework can be played on both individual Endpoints and Asset groups. Prior to playing injects, Caldera agents need to be installed on the target machines to enable interaction with the platform.</p> <p>Once the agents are deployed, simulations with Caldera injects can be executed. The platform will contact the Agent to start the ability. Subsequently, the agents will report the results to OpenBAS. Below is the workflow illustrating the behavior of injects.</p> <p></p>"},{"location":"usage/inject-caldera/#configuration-variables","title":"Configuration variables","text":"<p>Below are the properties you'll need to set for OpenBAS:</p> Property application.properties Docker environment variable Mandatory Description Enable Caldera injector injector.caldera.enable <code>INJECTOR_CALDERA_ENABLE</code> Yes Enable the Caldera injector. Injector ID injector.caldera.id <code>INJECTOR_CALDERA_ID</code> Yes The ID of the injector. Caldera URL injector.caldera.url <code>INJECTOR_CALDERA_URL</code> Yes The URL of the Caldera instance. Caldera API Key injector.caldera.api-key <code>INJECTOR_CALDERA_API-KEY</code> Yes The API Key for the rest API of the Caldera instance."},{"location":"usage/injectors/","title":"Injectors","text":"<p>Injectors list</p> <p>You are looking for the available injectors? The list is in the OpenBAS Ecosystem.</p>"},{"location":"usage/injectors/#introduction","title":"Introduction","text":"<p>Injectors are one of the cornerstones of the OpenBAS platform, they are responsible for pushing simulation actions to third party systems. According to their functionality and use case, they are categorized in the following classes.</p> <p></p>"},{"location":"usage/injectors/#endpoint-payloads-execution","title":"\ud83d\udce1 Endpoint payloads execution","text":"<p>Those injectors are special as they required an executor (neutral agent) to be launched on endpoints. When they register to the platform, they inform available executors on how to spawn them on the 3 currently supported platforms: Windows, Linux and MacOS.</p> <p>Some of them :</p> <ul> <li>Caldera: Facilitates the use of the MITRE Caldera framework, empowering administrators to leverage advanced simulation   capabilities. For more information concerning the Caldera injector, please refer to   the dedicated documentation page.</li> </ul>"},{"location":"usage/injectors/#communication-social-medias","title":"\ud83c\udf10 Communication &amp; social medias","text":"<p>Those injectors are used to push information to human assets (aka players) such as emails, SMS, phone calls, instant messaging etc.</p> <p>Some of them :</p> <ul> <li>Challenges: Manages inject \"publish challenges\". To find more information more about this type of inject, please refer   to the dedicated documentation section.</li> <li>Email: Manages the sending of injects' emails, enabling communication and dissemination of simulation-related     information.</li> <li>Manual: Platform functionality for creating manual action reminders, allowing administrators to prompt specific   actions to be performed manually. To find more information about the related inject, please refer to   the dedicated documentation section.</li> <li>Media pressure: Manages inject \"publish channel pressure\". To find more information about this type of inject, please   refer to the dedicated documentation section.</li> <li>OVHCloud SMS Platform: Facilitates SMS messaging for injects, providing an additional communication channel for   simulation participants.</li> </ul>"},{"location":"usage/injectors/#incident-response-case-management","title":"\ud83e\uddef Incident Response &amp; Case Management","text":"<p>Those injectors are used to inject real or fake information into case management, ticketing and incident response systems.</p>"},{"location":"usage/injectors/#others","title":"\ud83d\udc89 Others","text":"<p>All other system OpenBAS can inject, as part of breach and attack simulation campaigns.</p> <p>Some of them :</p> <ul> <li>Airbus CyberRange (Lade): Integration with the Airbus CyberRange platform, enabling seamless interaction and   collaboration with CyberRange environments. For more information concerning CyberRange, please refer to   the Airbus website.</li> <li>HTTP query: Executes HTTP requests on external services, facilitating interactions with external systems. To find more   information about the related inject, please refer to the dedicated documentation section.</li> <li>OpenCTI: Integration with an OpenCTI platform, enhancing simulation capabilities with access to threat intelligence   and automatic scenario generation based on observed threat activities.</li> </ul>"},{"location":"usage/injectors/#agents","title":"Agents","text":"<p>Tips</p> <p>If you want to learn more about the concept and features of agents, you can have more info here.</p> <p>For certain injectors, deploying an agent on the target machine is necessary to facilitate integration with OpenBAS. These agents are software programs that connect back to OpenBAS at certain intervals to get instructions.</p> <p>To access the agents and installation instructions, navigate to the dedicated page located in the top right-hand corner (button with the screen logo).</p> <p>Detailed guidance on installing the agents, along with downloadable packages, is provided on this page. Agents are available for various operating systems, including Windows, Linux, and MacOS, ensuring compatibility across different environments.</p> <p>As of now, only the Caldera injector requires the installation of an agent. This agent enables full integration with the MITRE Caldera framework, unlocking advanced simulation capabilities and enhancing the overall effectiveness of simulation exercises. Full details of the Caldera agent are available in the MITRE documentation.</p> <p></p>"},{"location":"usage/injects/","title":"Injects","text":"<p>Injects are fundamental elements of simulations within OpenBAS, each representing a discrete action to be executed during a Scenario. Managed and facilitated by various injectors, each inject type serves a distinct purpose, contributing to the comprehensive evaluation of defenses.</p> <p></p>"},{"location":"usage/injects/#create-an-inject","title":"Create an inject","text":"<p>Whether intended for Atomic testing or for a Simulation, the process for creating injects remains consistent within OpenBAS.</p> <p></p>"},{"location":"usage/injects/#for-atomic-testing","title":"For Atomic testing","text":"<p>To create an inject for atomic testing, navigate to the \"Atomic testing\" section located in the left-hand banner. Click on the \"+\" icon in the bottom right corner to initiate the inject creation process.</p>"},{"location":"usage/injects/#for-scenarios-and-simulations","title":"For Scenarios and Simulations","text":"<p>For injects intended for use within simulations, access the desired Scenario or Simulation and navigate to the \"Injects\" tab. Click on the \"+\" icon in the bottom right corner of the screen to open the inject creation panel.</p> <p>Note that an inject defined in a Scenario will be used in all the scenario's subsequent simulations. An Inject defined at the simulation level will not be replicated into the Scenario itself, thus it will not be replicated in future scenario's simulations.</p> <p></p>"},{"location":"usage/injects/#inject-creation-process","title":"Inject creation process","text":"<p>Once the inject creation panel is open, you can proceed to configure the inject according to your requirements. Key steps in the creation process include:</p>"},{"location":"usage/injects/#1-choose-the-type-of-inject","title":"1. Choose the type of inject","text":"<p>You first need to select an inject in the list of available ones (on the left of the creation screen). Logos on the left of each line indicates which Injector is associated with each inject. Depending on your integrations, this list can be long.</p> <p>To facilitate the selection into this possibly very long list, you can search injects by name and filter the list by selecting a precise MITRE ATT&amp;CK techniques for instance.</p>"},{"location":"usage/injects/#2-set-inject-parameters","title":"2. Set inject parameters","text":"<p>When selecting an inject on the left, the form on the right populates itself with a by-default title and propose you to define:</p> <ul> <li>Descriptive information: Fill in details such as the title, description, and relevant tags to categorize the inject effectively.</li> <li>Execution timing: If you are creating your inject in the context of a scenario or simulation, you have to set the timing for when the inject should be executed within the simulation timeline, ensuring it aligns with the overall scenario progression.</li> </ul> <p>By clicking on \"Inject content\", you can define now or later:</p> <ul> <li>Inject targets: Specify the targets for the inject, which may include players and teams or assets and assets groups depending on the inject chosen. </li> <li>Expectations: Define the expected outcomes or responses to the inject, outlining the desired actions or behaviors by players. </li> <li>Attachments: Attach any relevant documents or resources to provide additional context or information related to the inject. </li> <li>Additional fields: Depending on the type of Inject selected, you may have access to additional fields specific to that inject type. These fields may include the subject and body of an email, channel pressure settings for public communications, obfuscation options, and more.</li> </ul> <p>The \"available variables\" button helps you to use already defined variables into compatible fields.</p> <p></p> <p>By following these steps and providing the necessary information, you can create injects tailored to your specific testing or simulation objectives.</p>"},{"location":"usage/injects/#inject-types","title":"Inject types","text":"<p>There are different types of injector in OpenBAS.</p> <p></p>"},{"location":"usage/injects/#manual-action-reminders","title":"Manual action reminders","text":"<p>Manual action reminders are injects designed to prompt animation team to perform specific actions manually. It allows to place in the timeline a stimulus to be produced manually, outside the platform (e.g. simulated a call from a journalist on the switchboard telephone). These reminders ensure that critical tasks are completed as part of the simulation, enhancing the accuracy and realism of the exercise.</p> <p>The inject associated with this type is referred to as <code>Manual</code>. To be able to log events not directly related to an email or a sms, you can attach manual expectation to this events (see Manual Expectations). </p>"},{"location":"usage/injects/#example-of-a-manual-inject","title":"Example of a manual inject:","text":"<ul> <li>\"A crisis cell has been put together\"</li> </ul>"},{"location":"usage/injects/#manual-expectations","title":"Manual expectations:","text":"<ul> <li>\"The team responded to the journalist's inquiry.\"</li> <li>\"Analyze the situation and identify the key issues.\"</li> <li>\"Anticipate future developments.\"</li> <li>\"Determine the necessary actions to take.\"</li> <li>\"Coordinate and communicate with both internal and external stakeholders.\"</li> <li>\"Provide regular updates on the ongoing situation.\"</li> </ul>"},{"location":"usage/injects/#direct-contact","title":"Direct contact","text":"<p>Injects for direct contact allow sending emails or SMS messages to players. These injects assess the organization's response to communication-based threats, such as phishing attempts, social engineering attacks, or emergency notifications. They can also assess crisis management, including responses to internal information requests or management pressure.</p> <p>Here's the list of injects linked to this category:</p> <ul> <li><code>Send a SMS</code>: enables sending SMS messages.</li> <li><code>Send individual mails</code>: enables sending emails to individuals separately.</li> <li><code>Send multi-recipients mail</code>: enables sending emails to a group of people (each recipient can see the other recipients).</li> </ul> <p></p>"},{"location":"usage/injects/#media-pressure","title":"Media pressure","text":"<p>Injects simulating public communications involve the publication of articles, social media posts, or other fake announcements. These injects replicate scenarios where public disclosure of information or events affects an organization's reputation or operational continuity.</p> <p>The inject associated with this type is referred to as <code>Publish channel pressure</code>.</p> <p></p>"},{"location":"usage/injects/#challenges","title":"Challenges","text":"<p>Challenge injects are set to test participants' skills and response capabilities by publishing challenges. These injects present scenarios or tasks that require active participation and problem-solving, allowing administrators to evaluate players.</p> <p>The inject associated with this type is referred to as <code>Publish challenges</code>.</p> <p></p>"},{"location":"usage/injects/#http-requests","title":"HTTP requests","text":"<p>HTTP request injects are used to forge HTTP requests to a third party services in order to perform actions outside the platform (e.g. API call to an EDR). These injects enable the platform to communicate with external services, gather information, or trigger specific actions via HTTP protocols.</p> <p>HTTP requests GET, POST, and PUT, can be sent. The corresponding injects are named <code>HTTP Request - \\&lt;request type&gt;</code>.</p> <p></p>"},{"location":"usage/injects/#integrations-with-agents-and-cyberranges","title":"Integrations with Agents and CyberRanges","text":"<p>Injects executed on remote systems are facilitated by Injectors like Caldera or Airbus CyberRange. These actions simulate real-world attack techniques, allowing administrators to gauge the effectiveness of their security posture in response to various technical actions attackers may take.</p> <p>There are over 1,700 such injects covering all the TTPs in the MITRE ATT&amp;CK matrix.</p>"},{"location":"usage/injects/#inject-tests","title":"Inject tests","text":"<p>You can test direct contact injects in simulations and scenarios.</p> <p>Warning</p> <p>For now, only email and sms inject are concerned by this feature.</p>"},{"location":"usage/injects/#unit-test","title":"Unit test","text":"<p>You can test injects one at a time.</p> <p></p> <p>In the injects list of your simulation/scenario, open the contextual menu of an email or sms inject. Click on \"Test\". A confirmation dialog appears, you can confirm the test or cancel it.</p> <p></p> <p>After launching the test, an alert appears at the top of the page. You can click on the \"dedicated page\" link. You are redirected to the tests list, a drawer with the execution details of the test opens.</p> <p></p> <p>Warning</p> <p>The option is disabled if your inject doesn't have any teams.</p>"},{"location":"usage/injects/#bulk-test","title":"Bulk test","text":"<p>You can test injects in bulk.</p> <p></p> <p>Select the injects you want to test then click on the bug icon. A confirmation dialog appears, you can cancel or confirm the launch of the test.</p> <p></p> <p>As mentioned in the dialog, only sms and emails injects will be tested. The emails/sms are sent to the current user. </p> <p>After the launch of the test, you are redirected to the tests list page.</p>"},{"location":"usage/injects/#tests-list","title":"Tests list","text":"<p>A \"Tests\" tab is available in simulations and scenarios. The list of all the tests done on the injects of the simulation/scenario are displayed. Clicking on one of the lines opens the drawer with the execution details of the tests.</p> <p>Note</p> <p>Only the latest test is displayed for each inject.</p>"},{"location":"usage/injects/#replay-tests","title":"Replay tests","text":"<p>Each test in the list has a menu allowing users to delete or replay the test.</p> <p></p> <p>After confirming the replay of the test, the details are updated.</p> <p>The user can also replay all the tests in the list. An icon similar to the one in the injects toolbar is available at the top of the list. After clicking on it, the user confirms the tests launch and the details are updated.</p>"},{"location":"usage/injects/#inject-status","title":"Inject status","text":""},{"location":"usage/injects/#inject-status-using-obas-agent","title":"Inject status using OBAS agent","text":""},{"location":"usage/injects/#viewing-execution-traces","title":"Viewing Execution Traces","text":"<p>When you create a technical Inject, you assign it to endpoints, each of which may have one or multiple agents. As the inject executes, agents communicate their progress to the OBAS Server, which logs detailed execution traces.</p> <p>In the \"Execution Details\" tab, traces are organized by agent, and agents are grouped by endpoint. This allows you to easily track execution progress at both the agent and endpoint levels.  Each agent generates multiple traces corresponding to different execution steps, including:  </p> <ul> <li>Prerequisite checks (validation before execution)</li> <li>Prerequisite retrieval (only if the check fails)</li> <li>Attack command</li> <li>Cleanup commands</li> </ul> <p></p> <p>Warning</p> <p>If a prerequisite check succeeds, the prerequisite retrieval step is skipped. However, the UI always marks prerequisite checks as \"SUCCESS\"\u2014to verify execution results, you must inspect the stderr logs.</p> <p>Trace Statuses</p> <p>Each execution step reports a status: </p> <ul> <li>\u2705 SUCCESS \u2013 Command executed successfully  </li> <li>\u26a0\ufe0f WARNING \u2013 Executed with minor issues  </li> <li>\u2753MAYBE_PREVENTED \u2013 A generic error occurred, possibly due to firewall restrictions  </li> <li>\ud83d\udeab COMMAND_CANNOT_BE_EXECUTED \u2013 Found but couldn't execute (e.g., permission issues)  </li> <li>\u274cCOMMAND_NOT_FOUND \u2013 Executor couldn\u2019t find the command  </li> <li>\ud83d\uded1 ERROR \u2013 General failure  </li> </ul> <p>All execution logs are stored on the OBAS Server, which later processes them to determine agent and inject statuses.</p> <p>Agent Status Computation</p> <p>When an agent completes execution, the server retrieves all traces and computes an agent status based on the following rules:  </p> <ul> <li>All traces SUCCESS \u2192 Agent status = INJECT EXECUTED</li> <li>All traces ERROR \u2192 Agent status = ERROR </li> <li>All traces MAYBE_PREVENTED \u2192 Agent status = MAYBE_PREVENTED</li> <li>At least one SUCCESS trace \u2192 Agent status = PARTIAL</li> <li>Otherwise \u2192 Agent status = MAYBE_PARTIAL_PREVENTED  </li> </ul> <p>Inject Status Computation </p> <p>After all agents have completed their execution, the system calculates the Inject status using the same logic applied to compute the agent status.</p>"},{"location":"usage/injects/#conditional-execution-of-injects","title":"Conditional execution of injects","text":"<p>You can add conditions to an inject, ensuring it is triggered at a specific time only if the specified conditions are met. These conditions typically relate to whether an expectation is fulfilled or not, but they can also pertain to the success or failure of an execution. There are several methods to achieve this.</p>"},{"location":"usage/injects/#using-the-update-form","title":"Using the update form","text":"<p>You can set conditions when updating an inject. In the inject update form, there is a tab \"Logical Chains\" for that.</p> <p></p> <p>As you can see, you can assign a Parent and multiple Children. A Parent indicates that the current inject will only execute if the conditions set on the Parent are met at the time of execution. Similarly, a Child will execute at the specified time only if the conditions set on the current inject are satisfied. </p> <p>The conditions you can set include the expectations for the inject and whether its execution was successful or not. You can select the desired expectation and Success/Fail status by clicking on them.</p> <p></p> <p>You can also toggle whether all conditions must be met or just one by clicking on the small OR/AND cards. Note that these settings are interconnected, so you cannot assign different values to them</p>"},{"location":"usage/injects/#using-the-timeline","title":"Using the timeline","text":"<p>You also have the possibility to quickly create conditions between injects. To do that, you can go to the timeline view of injects and place your cursor on the small point on the left and right of each injects. You can then drag and drop a link from a point to another.</p> <p></p> <p>The links created in this way will default to an expectation of \"Execution is Success\" and must be updated using the injects' update form. Additionally, you can reposition links between injects or remove them entirely by dragging them to an empty space.</p>"},{"location":"usage/injects_and_expectations/","title":"Injects and Expectations","text":"<p>Evaluating security posture in OpenBAS is to confront events (aka Injects) with Expectations.</p>"},{"location":"usage/injects_and_expectations/#injects","title":"Injects","text":"<p>Threats are the results of actions by threat actors, and a combination of intent, capability and opportunity. In OpenBAS, simulating threats and their attack capabilities involves executing injects targeting players and assets.</p> <p>Injects can be technical, emulating action attackers might take on an endpoint, and non-technical, representing interactions with players or impactful contextual events during a crisis (such as media inquiries by phone following a data breach). They are always triggered at a specific point in time but it is possible to execute them only if one or multiple conditions are met.</p> <p></p> <p></p> <p></p>"},{"location":"usage/injects_and_expectations/#expectations","title":"Expectations","text":"<p>Each Inject is associated with Expectations. Expectations outline the anticipated outcomes from security systems and teams in response to attacker actions or contextual events.</p> <p>Expectations can be about:</p> <ul> <li>Prevention: ensuring that the security posture can prevent the attacker's actions.</li> <li>Detection: ensuring that the security posture can detect the attacker's actions.</li> <li>Human response: ensuring that teams react appropriately according to defined security processes.</li> </ul> <p>The collection and concatenation of expectations' results, broken down per type, allows to assess the security posture against a threat context. This provides insights to identify areas for improvement. Expectations can also be used as conditions for the execution of other injects.</p>"},{"location":"usage/injects_builtin/","title":"Injects built-in","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"usage/openbas-agent/","title":"OpenBAS Agent","text":""},{"location":"usage/openbas-agent/#introduction","title":"Introduction","text":"<p>The OpenBAS Agent is an application whose main role is to enroll an Asset on the OpenBAS platform, to retrieve jobs or scripts to be executed and to transmit this information to Implants (subject to come) for execution on the host Asset.</p> <p>The Agent will not perform direct actions on the Asset to remain neutral for antivirus and ensure the full run of the simulation.</p> <p>The OpenBAS Agent is compatible with different OS (Windows, Linux, macOS) and is developed in Rust.</p>"},{"location":"usage/openbas-agent/#installation","title":"Installation","text":"<p>Depending on the OS, several installations are at your disposal, you can find them on OpenBAS by clicking the blue icon on the right top corner : </p> <p>Linux</p> <ul> <li>Requirement \u2192 systemd, access to the openbas instance used</li> <li>Compatibility \u2192 All systemd based linux distros</li> <li>Installation \u2192 Create a service with name openbas-agent (\"Install Linux Agent\")</li> <li>Verification command line \u2192 <code>systemctl enable openbas-agent</code></li> <li>Start/Stop service \u2192<code>systemctl start openbas-agent</code> &amp; <code>systemctl stop openbas-agent</code></li> </ul> <p>MacOS</p> <ul> <li>Requirement \u2192 launchd, access to the openbas instance used</li> <li>Compatibility \u2192 All launchd based MacOS distros (10.4 Tiger or higher)</li> <li>Installation \u2192 Create a service with name openbas-agent (\"Install MacOS Agent\")</li> <li>Verification command line \u2192 <code>launchctl list | grep openbas.agent</code></li> <li>Start/Stop service \u2192 <code>launchctl bootstrap system ~/Library/LaunchDaemons/openbas-agent.plist</code> &amp; <code>launchctl bootout system ~/Library/LaunchDaemons/openbas-agent.plist</code></li> </ul> <p>Windows</p> <ul> <li>Requirement \u2192 Powershell \"run as administrator\", and ensure access to the OpenBAS instance being used. If the installation fails, try using PowerShell 7 or higher.</li> <li>Compatibility \u2192 All major Windows versions</li> <li>Installation \u2192 Create a service with name openbas-agent (\"Install Windows Agent\")</li> <li>Verification command line \u2192 <code>Get-Service -Name \"OBASAgentService\"</code></li> <li>Start/Stop service \u2192 <code>Start-Service -Name \"OBASAgentService\"</code> &amp; <code>Stop-Service -Name \"OBASAgentService\"</code></li> </ul> <p>The following flow diagram represents the Agent installation flow :</p> <p></p>"},{"location":"usage/openbas-agent/#network-traffic","title":"Network Traffic","text":"<p>The installation creates two firewall rules.</p> <p>Inbound rule </p> <p>Outbound rule </p>"},{"location":"usage/openbas-agent/#features","title":"Features","text":"<p>The main features of the OpenBAS Agent are:</p> <ul> <li>Agent registration on the OpenBAS platform</li> </ul> <p>The Agent is installed on the Asset using an agent-installer.exe file and runs as a service.   It communicates with the deployed OpenBAS instance in order to enroll the Asset. In some cases   like unsecured certificates or environment with proxy, the agent can't communicate with OpenBAS.   In order to fix those issues, look at \"Network and security\" chapter from configuration   to add the required attributes.</p> <p>NB : An Asset can only have one OpenBAS agent installed thanks to a machine id calculated according   to the operating system and its parameters. If you try to install again an OpenBAS agent on a platform, it will   overwrite the actual one and you will always see one endpoint on the OpenBAS endpoint page.</p> <p></p> <ul> <li> <p>Auto upgrade the Agent (on start-up and registration)</p> </li> <li> <p>Retrieval of jobs to be executed</p> </li> </ul> <p>The Agent retrieves jobs to be executed from the OpenBAS instance every 30 seconds.   For the moment, jobs are Implant to spawn and launch on the Asset, waiting to execute payloads of your Simulation's Injects.   Each job execution logs is kept in a dedicated directory in order to have a trace of what happened (pid, executable).</p> <ul> <li>Deleting executables and execution directories</li> </ul> <p>The Agent deletes Implants that have been running for a predefined time and cleans the execution directories.</p> <ul> <li>Health check</li> </ul> <p>The Agent pings the OpenBAS instance every 2 minutes to notify it of its healthy status.</p> <ul> <li>Cleanup</li> </ul> <p>The Agent ensures that the processes it has executed are correctly finished or deleted if necessary.    The maximum time in minutes that a process associated with an execution directory can remain active is 20 minutes.</p> <p>The Agent removes execution directories to avoid excessive disk space.    The maximum time in minutes that an execution directory can be kept before being deleted is 2 days.</p>"},{"location":"usage/openbas-agent/#troubleshooting","title":"Troubleshooting","text":"<p>If you experience issues with your agent, the logs are available here:</p> <ul> <li>Linux -&gt; /opt/openbas-agent/openbas-agent.log</li> <li>MacOS -&gt; /opt/openbas-agent/openbas-agent.log</li> <li>Windows -&gt; \"$PROGRAMFILES\\Filigran\\OBAS Agent\\openbas-agent.log\"</li> </ul>"},{"location":"usage/people/","title":"People","text":"<p>Breach and Attack Simulation involves testing your security posture, and people are an essential part of it!</p> <p>Players, teams, and organizations are where you organize the human aspect of your security posture within OpenBAS. These entities are the targets for injects during your simulations and atomic testings.</p> <p></p>"},{"location":"usage/people/#players","title":"Players","text":"<p>Players are the users that may take part into your scenarios, to be tested against attack or contextual events ( i.e. injects).</p> <p>Players can be created manually with the + button at the bottom right, but we encourage you to activate an integration allowing to import them from your IT environment, like with Microsoft Entra integration.</p> <p>Players are defined by:</p> <ul> <li>Email address,</li> <li>First name,</li> <li>Last name,</li> <li>Organization: to link a player to an organization (   see below),</li> <li>Country,</li> <li>Phone number: necessary if you want to play SMS injects,</li> <li>PGP public key: necessary if you want to play encrypted email injects,</li> <li>Tags: if you want to sort them by custom categories.</li> </ul> <p>This list of players can be exported by clicking on the export button, at the top right of the players screen.</p>"},{"location":"usage/people/#teams","title":"Teams","text":"<p>Teams group players into units that can be targeted by injects during simulations or atomic testing. They serve as a way to represent different security teams (e.g., CSIRT, SOC, VOC) and other relevant teams that might be involved into your scenario (e.g., legal department, communication department).</p> <p>Teams are defined by:</p> <ul> <li>Name,</li> <li>Description,</li> <li>Organization: to link a team to an organization (   see below),</li> <li>Tags: if you want to sort them by custom categories.</li> </ul> <p>From the teams list, you can manage players by clicking on the three-dots inline button on the right and selecting \" Manage players.\" From there, you can view, update, or delete all the team's players and see their communication channels' state.</p> <p></p>"},{"location":"usage/people/#organizations","title":"Organizations","text":"<p>Organization provides a straightforward method to segregate players and teams within the platform. A player associated with an organization, even with the required rights to animate and planned scenarios and simulations, will never see players and teams from other organizations.</p> <p>This feature can be particularly useful if you are using OpenBAS to plan and execute simulations for various companies or subsidiaries.</p>"},{"location":"usage/playing/","title":"Playing","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"usage/rest-api/","title":"REST API","text":"<p>OpenBAS provides a REST API, allowing users to perform various actions programmatically. The API enables users to interact with OpenBAS's functionality and data, offering a powerful tool for automation, integration, and customization. Any action available through the platform's graphical interface can also be executed via the API.</p>"},{"location":"usage/rest-api/#authentication","title":"Authentication","text":"<p>Accessing the OpenBAS API requires authentication through standard mechanisms. To authenticate, users must include the following headers in their API requests:</p> <pre><code>Content-Type: application/json\nAuthorization: Bearer [API key]\n</code></pre> <p>Using the API key will provide you admin access.</p>"},{"location":"usage/rest-api/#swaggerui","title":"SwaggerUI","text":"<p>The OpenBAS API is documented using SwaggerUI, which provides an interactive interface for exploring the API's endpoints, parameters, and responses. The SwaggerUI is accessible at the following URL: [openbas url]:8080/swagger-ui/index.html</p>"},{"location":"usage/scenario/","title":"Scenario","text":"<p>When clicking on Scenarios in the left menu, you access to the list of all Scenarios defined in the platform. Scenarios act as templates that translate threat contexts into meaningful events to simulate.</p> <p>Scenarios can be grouped by defining categories, main focus, severity and tags. It is then possible to filter the Scenarios list based on these attributes. Quick filters are available by default at the top of the screen to filter Scenario on most used categories.</p> <p>It is also possible to search Scenarios by their names using the search bar.</p>"},{"location":"usage/scenario/#create-a-scenario","title":"Create a scenario","text":"<p>To create a scenario, hit the + button on the bottom right of the screen and define general metadata that make sense for you. </p> <p>Once done, the scenario is accessible in the list. Click on it to see its details and define them.</p>"},{"location":"usage/scenario/#scenario-overview","title":"Scenario overview","text":"<p>The overview provides comprehensive information for evaluating your security posture against the threat context over time. It displays the scenario's context along with the results of the simulations played from it. Additionally, the list of these simulations is shown, allowing easy access to their specific details and results.</p> <p>If the scenario has never been simulated, the results' widget contains an example of how results will be displayed, and the list of simulations is replaced with an invitation to generate one.</p>"},{"location":"usage/scenario/#defining-a-scenario","title":"Defining a Scenario","text":"<p>To define the scenario, navigate to the \"Definition\" and \"Injects\" tabs.</p> <p>In the \"Definition\" tab, you can add various elements to construct events:</p> <ul> <li>Teams and Players involved in the scenario,</li> <li>Custom variables for simplifying injects' customization,</li> <li>Articles that you might use to simulate media pressure,</li> <li>Challenges designed for including Capture The Flag elements in your scenario.</li> </ul> <p>Once you have added all the elements you need, you can go to the \"Injects\" tab to begin to create the chain of events that will shape your scenario.</p> <p>By clicking on the + button at the bottom right of the screen, you enter the inject creation workflow.</p>"},{"location":"usage/scenario/#launching-a-simulation-of-the-scenario","title":"Launching a simulation of the scenario","text":"<p>Once you've finished defining your scenario, it's time to simulate it and evaluate your security posture!</p> <p>To do so, click the \"Simulate now\" button. You can choose to simulate this scenario as a one-time evaluation, scheduling it for a specific date and time. Additionally, you can set it to simulate recurrently to assess your posture over time. The results of each simulation will populate your scenario overview.</p> <p>A visual indication, located to the right of the scenario's title, provides a quick way to know if the scenario is currently being simulated.</p>"},{"location":"usage/scenario/#export-your-scenario","title":"Export your scenario","text":"<p>You can export your carefully crafted scenario as a JSON file by clicking the three-dots button at the top right of the scenario screen. This allows you to share it with others, or store it outside the platform.</p>"},{"location":"usage/scenario_import/","title":"Importing Injects into a Scenario","text":"<p>Recreating a timeline of injects that were already defined in a spreadsheet can be a frustrating task. To help users save time, we added the possibility to import injects as defined in an xls file into a scenario. This is done via a two-steps process : creating a mapper and importing the xls file using the mapper.</p>"},{"location":"usage/scenario_import/#how-to-create-a-mapper","title":"How to create a mapper ?","text":"<p>First of all, to import injects into a scenario, you need to create a mapper. To do that, using an admin account, navigate to the Settings &gt; Data ingestion page. You will then be able to see a list of all the mappers but also to create new ones by clicking on the \"+\" button on the bottom right of the screen.</p> <p></p>"},{"location":"usage/scenario_import/#setting-up-the-mapper-to-tell-each-injects-apart","title":"Setting up the mapper to tell each injects apart","text":"<p>When creating a new mapper, you will quickly be asked to choose an inject type column. This column is the one that will allow the mapper to figure out which injects to create (Sending a mail, sending an sms, ...). Once this column has been chosen, you can add a representation for an inject type. </p> <p>The first thing to define in this representation is the matching type in the xls. This is the value that will define which inject to create when scanning the column defined in \"inject type column\". For instance, if you want to create an inject that sends individual emails when in the column there is the word \"mail\", then you will need to set the value as \"mail\". You can also make use of regular expressions in this field. Please keep in mind though that this value is case sensitive. </p> <p></p> <p>Once that is done, you can select the inject type among a list of injects that are compatible with the xls import. When that selection is done, you will be able to set a column for each of the attribute that can be completed using the import. If you wish to set a default value you can do so by clicking the gear on the right side of the field.</p>"},{"location":"usage/scenario_import/#properly-setting-the-trigger-time-of-the-inject","title":"Properly setting the trigger time of the inject","text":"<p>It should also be noted that the \"Trigger Time\" field has a second parameter that can be set using the gear button. It can be used to set a custom format for specific dates and or time to be interpreted. The complete format rules are available here but here is a very quick overview :</p> Symbol Meaning Presentation Examples y year-of-era year 2004; 04 M/L month-of-year number/text 7; 07; Jul; July; J d day-of-month number 10 a am-pm-of-day text PM h clock-hour-of-am-pm (1-12) number 12 H hour-of-day (0-23) number 0 m minute-of-hour number 30 s second-of-minute number 55 ' escape for text delimiter '' single quote literal ' [ optional section start ] optional section end <p>Please, do note that if you wish to use exact time of the day (e.g. 9:30) in your trigger time, you will need to set a launch date on your scenario before importing the timeline of injects from the xls file.</p> <p>You can also decide to use relative dates for each injects. For instance, you can say that your first inject happens at T and that subsequent injects happens at T+x. If so, you can set relative dates using the following values :</p> Symbol Meaning D Day J Day H Hour T Hour M Minutes <p>This means that if you want your inject to start 2 days, 3 hours and 45 minutes after the start of your scenario, you can set the trigger time to D+2 H+3 M+45. When using relative dates, you do not need to define a pattern for the trigger time field.</p> <p>Once you have set all fields you wish to set, you can click on the create button if you wish to create your mapper but you can also click on the test button to check that it works as intended.</p>"},{"location":"usage/scenario_import/#testing-the-mapper","title":"Testing the mapper","text":"<p>If you click on the test button, you'll then be asked to choose a file. Once that is done, you will have to select the sheet to test out of the spreadsheet and the timezone. You will then be able to click on Test to have the result field filled as well as a list of the messages generated during the import (those are not saved, and are just there to help figure out what happened during the import itself).</p> <p></p>"},{"location":"usage/scenario_import/#how-to-import-injects-into-a-scenario-using-a-mapper","title":"How to import injects into a scenario using a mapper ?","text":"<p>Once your mapper has been created, navigate to your scenario and then to the injects tab. There, you will be able to click on an import button on the top right. A modal will be opening, inviting you to select an .xls/.xlsx file. Once it has been selected, you can click on next. You will then be asked to choose the sheet to import out of the spreadsheet and to select the mapper to use. You will also be able to select the timezone to use for the import. Once everything is set, click on the launch import button and your injects will be imported into the current scenario ! Please do not that if all the dates in the xls file are absolute time of the day (e.g. 9:30, 12:45, ...), it is required for the scenario to have a launch date set.</p>"},{"location":"usage/scenarios_and_simulations/","title":"Scenarios and Simulations","text":"<p>In OpenBAS, the core concept to simulate attacks is based on the duo Scenario &amp; Simulation.</p>"},{"location":"usage/scenarios_and_simulations/#scenarios","title":"Scenarios","text":"<p>Scenario enable to translate a threat context, such as an attack or even a threat actor, into a meaningful sequence of events (referred to as injects), which can be technical or non-technical. This chronology of events can be enriched with associated documents or media articles to simulate the environment surrounding them.</p> <p>Within Scenarios, you also specify who participates, whether actual people (referred to as Players) or endpoints (referred to as Assets). They will be the targets of the events representing the threat.</p> <p>In order to translate real threats into Scenarios, it is possible to create them from OpenCTI data, such as Reports.</p>"},{"location":"usage/scenarios_and_simulations/#simulations","title":"Simulations","text":"<p>If a Scenario translates threat context into meaningful events, a Simulation serves as a means to evaluate your security posture against this threat context. </p> <p>By simulating a scenario with recurrence, you can evaluate your security posture over time in response to a threat context. Since simulations are always linked to their parent scenario, even if it evolves, you can: - assess your risk against evolving threats, - evaluate the effectiveness of your security governance in addressing your most relevant threats.</p>"},{"location":"usage/simulation/","title":"Simulation","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p> <p>When clicking on Simulations in the left menu, you access to the list of all Simulations ever launched in the platform. You can filter by tag (for example to only display simulation related to a specific threat actor) and sort them (chronologically, by status, etc.).</p> <p>From this screen, you can easily see last global scores and access ongoing Simulations at platform level.</p>"},{"location":"usage/simulation/#creating-a-simulation","title":"Creating a Simulation","text":"<p>The best practice to create a Simulation is to do it from a Scenario in order to evaluate your security posture over time against a specific threat context.</p> <p>But you can create directly a Simulation if you want, by hitting the + button on the bottom right of the screen. You will have similar definition options as in Scenario creation.</p>"},{"location":"usage/simulation/#simulation-overview","title":"Simulation overview","text":"<p>The Overview regroups everything you need to know to follow your Simulation by its Results. Results are broken down into 3 main metrics:</p> <ul> <li>Prevention: the ability of your security posture to prevent the simulated scenario's events to happen</li> <li>Detection: the ability of your security posture to detect the simulated scenario's events</li> <li>Human response: the ability of your security teams to react as intended facing the simulated scenario</li> </ul> <p>The top of the Simulation screen give you the ability to Start, stop and Reset the Simulation, delay the launch time.</p>"},{"location":"usage/simulation/#overriding-the-scenario-definition","title":"Overriding the Scenario definition","text":"<p>In a Simulation, you can see and modify all elements defining it: Teams and Players, Variables, Media pressure, Challenges, Injects. Modifying the Simulation definition allows you to customize it to adapt a singular play to some temporary changes. For example, change an email address into Variables to be used in email-related injects, change a playing team, etc.</p>"},{"location":"usage/simulation/#animating-a-simulation","title":"Animating a Simulation","text":"<p>The Animation screen of a Simulation is the place to follow the Simulation execution, especially if you are conducting simulation at strategical level (heavily relying on interactions with Teams and Players, manual validations of expectations) for training your organization on all aspects of a cyber crisis.</p> <p>The Timeline screen is the overview of the Animation tab, to see ongoing injects.</p> <p>The Mails screen is a way to manage email interaction with Players into the OpenBAS platform.</p> <p>The Validation screen is the place to manually validate expectations of the Simulation to consolidate Results.</p> <p>The Simulation logs is an interface for the animation team to collaborate during the Simulation.</p>"},{"location":"usage/simulation/#lessons-learned","title":"Lessons learned","text":"<p>In the Lesson Learned tab of a Simulation, you can manage the collection and concatenation of customizable surveys. It helps you in conducting the most underestimated part of a Breach and Attack simulation involving real people, by automating it and complete your Simulation's Results with qualitative feedback.</p>"},{"location":"usage/simulation_reports/","title":"Generating and Sharing Simulation Reports in PDF Format","text":"<p>You can generate and share a simulation report in PDF format.  The following steps guide you through viewing, creating, and editing simulation reports, as well as generating PDF of these reports.</p>"},{"location":"usage/simulation_reports/#viewing-the-list-of-simulation-reports","title":"Viewing the List of Simulation Reports","text":"<ul> <li>Access the Simulation Page</li> <li>Open the Report Drawer: Click on the \"Edit\" button located on the right side of the page, then select \"Access Reports\"</li> </ul> <ul> <li>A drawer will open, displaying the list of all previously generated reports for the selected simulation.</li> <li>Click on the report name from the list to view the full report details.</li> </ul>"},{"location":"usage/simulation_reports/#creating-a-new-simulation-reports","title":"Creating a New Simulation Reports","text":"<ol> <li>At the bottom of the report list in the drawer, click on the \"Add\" button to create a new report.</li> </ol> <ol> <li>The default name of the report will be the same as the simulation name. You can edit the report name if needed.</li> <li>You have the option to choose which modules to include in your report by selecting them.</li> </ol>"},{"location":"usage/simulation_reports/#adding-global-observations-and-comments","title":"Adding Global Observations and Comments","text":"<p>When you navigate into the Report Simulation Details page: * You can add a global observation related to the overall simulation. * You can add specific comments to each inject within the report.</p> <p>All observations and comments are independent and unique to each report.</p>"},{"location":"usage/simulation_reports/#editing-a-generated-report","title":"Editing a Generated Report","text":"<p>Even after a report has been generated, it is still possible to update:  * The report name. * The modules to be displayed in the report.</p>"},{"location":"usage/simulation_reports/#generating-a-pdf-of-the-report","title":"Generating a PDF of the Report","text":"<p>Once you are on the report page: Click on the \"PDF\" button on the top of the simulation report details page to generate a PDF format.</p> <p></p>"},{"location":"usage/systems/","title":"Systems","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"usage/targets/","title":"Targets","text":"<p>When you are using an Inject, whether for Atomic testing, Scenario or Simulation, it's necessary to define the recipients, known as \"targets\", which could include Players, Teams, Assets (endpoints) or/and Asset groups it will be sent to. They are called \"targets\" of the inject.</p> <p>Note that certain injects can't target assets, while others can't target players. For instance, the \"Send individual mails\" inject can only target players and teams, not assets. </p> <p>Target selection is performed during inject creation or update.</p>"},{"location":"usage/targets/#selecting-players-and-teams","title":"Selecting Players and Teams","text":"<p>Directly targeting a player isn't yet possible. Instead, you must target a team. In scenarios or simulations, the team must be included in the scenario or simulation to be selectable. However, when creating atomic testing, all teams in the platform are selectable.</p> <p>Note that visibility of teams and players is limited by the organization's segregation.</p> <p>When selecting a team as the target, all players within that team will be targeted by the inject. Each player will have to complete expectations.</p> <p>Here is the step by step guide to add a team as a target of a simulation/scenario.</p> <p>Consider a simulation/scenario that was just created. Go to the Definition tab.</p> <p></p> <p>Click on + next to the Teams section, a dialog appears allowing the user to add a team.</p> <p></p> <p>The user now has two ways to enable players: - Click on the team, a drawer opens. Click on the DISABLED tag of a player, it is now enabled. - Click on the three dots of the team, then Manage players. A drawer opens, click on the DISABLED tag of a player.</p> <p></p> <p>Now the user can target the team when adding an inject in the simulation/scenario.</p> <p></p>"},{"location":"usage/targets/#selecting-assets-endpoints-and-asset-groups","title":"Selecting Assets (endpoints) and Asset groups","text":"<p>You can target assets (endpoints) directly or asset groups. In the dedicated dialog, only assets compatible with the inject are listed by default.</p> <p>When selecting an asset group to target, all assets (endpoints) within the group will be targeted by the inject. Each one will have to complete expectations.</p>"},{"location":"usage/testing/","title":"Testing","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"usage/components/challenges/","title":"Challenges","text":"<p>Challenges are integral to handling CTF (Capture The Flag) activities on the OpenBAS platform. You can define your challenge and the flags that need to be found to complete it.</p>"},{"location":"usage/components/challenges/#create-a-challenge","title":"Create a Challenge","text":"<p>To create a new challenge, follow these steps:</p> <ol> <li>Click the + button at the bottom right corner of the screen.</li> <li>Give your new challenge a name and specify one or more flags.</li> <li>Optionally, fill in additional fields to provide more context to your players, such as the category, content (    explanation, context, steps), and attach any relevant documents.</li> <li>Manage your challenge by setting a score and a maximum number of attempts allowed for completing the challenge.</li> </ol> <p></p> <p>Once completed, your new challenge will appear in the challenge list.</p>"},{"location":"usage/components/challenges/#use-a-challenge","title":"Use a Challenge","text":"<p>Challenges can be utilized in Scenarios and Simulations. When creating an inject of type \"Publish challenges,\" you need to select a challenge to be sent to your players.</p> <p></p>"},{"location":"usage/components/channels/","title":"Channels","text":"<p>In OpenBAS, Channels represent communication medias with a particular look. There are used to present web articles or other media contents to Players in a specific way.</p> <p>It helps give shape to your Scenario context and events.</p>"},{"location":"usage/components/channels/#create-a-channel","title":"Create a Channel","text":"<p>First step is to click on the + button at the bottom right and give your new Channel a type (Newspaper, Microblogging, TV Channel), a name and a subtitle.</p> <p>Once done, click on the Channel in the list to access its overview. Here you can define how media content associated to this Chennel will be displayed to Players.</p> <p>You can define primary and secondary colors, choose logos and define how the header is presented.</p> <p>On the right, a mock up of the overview is displayed to give you the look and fill of it.</p> <p></p>"},{"location":"usage/components/channels/#use-a-channel","title":"Use a Channel","text":"<p>A Channel will then be used in Scenario and in Simulation definition. When you create an Article, you have to choose the Channel that will give it an adequate shape.</p> <p>See Media pressure page to know how to create and add Articles to your Scenarios.</p> <p></p>"},{"location":"usage/components/documents/","title":"Documents","text":"<p>Documents serve as resources for adding content to your table-top injects, helping your animation team and players. They can also be utilized in payloads for file dropping purposes.</p>"},{"location":"usage/components/documents/#create-a-document","title":"Create a Document","text":"<p>To create a new document, follow these steps:</p> <ol> <li>Click the + button in the bottom right corner of the screen.</li> <li>Select a file to create your document.</li> <li>Optionally, add a description and tags to provide additional context. You can also link your documents directly to specific simulations or scenarios.    specific simulations or scenarios.</li> </ol> <p></p> <p>After completing these steps, your new document will appear in the document list. Clicking on a document in the list will allow you to download it.</p>"},{"location":"usage/components/documents/#use-a-document","title":"Use a Document","text":"<p>Documents can be added into table-top injects and payloads.</p> <p>When creating an table-top inject, you can attach documents to provide context or, in the case of email injects, to include attachments.</p> <p>Additionally, you can create a File Drop payload and include your documents within it.</p>"},{"location":"usage/components/lessons/","title":"Lessons","text":"<p>Lessons in OpenBAS enable you to create customizable surveys for your simulations. These surveys can be composed of various categories and questions within those categories. This feature helps in conducting the often overlooked part of a Breach and Attack Simulation involving real people, by automating the process and complementing your simulation results with qualitative feedback.</p>"},{"location":"usage/components/lessons/#create-a-lesson-template","title":"Create a Lesson template","text":"<p>To create a new lesson template, follow these steps:</p> <ol> <li>Click the + button at the bottom right corner of the screen.</li> <li>Give your new lesson template a name.</li> </ol> <p></p> <p>Once completed, your new lesson will appear in the lesson learned list.</p>"},{"location":"usage/components/lessons/#create-a-category","title":"Create a Category","text":"<p>To create a new category, follow these steps:</p> <ol> <li>Click the + button at the bottom right corner of the screen.</li> <li>Give your new category a name and an order to organize your categories.</li> </ol> <p></p>"},{"location":"usage/components/lessons/#create-a-question","title":"Create a Question","text":"<p>To create a new question, follow these steps:</p> <ol> <li>Click the + button at the bottom of your category.</li> <li>Give your new question a content and an order to organize your questions.</li> </ol> <p></p>"},{"location":"usage/components/lessons/#use-a-lesson-template","title":"Use a Lesson template","text":"<p>Lesson templates can be utilized in the Lesson Learned tab of a Simulation. Here\u2019s how to use them:</p> <ol> <li>Apply a new template.</li> <li>Add relevant teams to the most pertinent categories.</li> <li>Send your survey to collect feedback.</li> </ol> <p>By integrating lesson templates into your simulations, you can gather valuable insights and improve the effectiveness of your Breach and Attack Simulations.</p>"},{"location":"usage/components/media_pressure/","title":"Media pressure","text":"<p>Under construction</p> <p>We are doing our best to complete this page.  If you want to participae, dont hesitate to join the Filigran Community on Slack  or submit your pull request on the Github doc repository.</p> <p>Media pressure are Articles or web contents you create to give more shape to your Scenario, or to simulate contextual pressure on your Teams and Players.</p> <p>For example, you can create an Article about the data leakage your organization is said to be affected by during the Scenario, and simulate its publishing by a large coverage media outlet with a \"Publish channel pressure\" inject.</p>"},{"location":"usage/components/media_pressure/#create-an-article","title":"Create an Article","text":"<p>To create an Article, go to the definition page of your Scenario or your Simulation and click on the + button near \"media pressure\". If you did not create Article yet, you can also click on the more visible \"Create an Article\" button.</p> <p>An media pressure Article is defined by: - Channel: the Channel template that will shape the article during the display to the Players. A Channel must have been defined in the platform. - Title - Author - Content: the content of your article. You can enrich the text and have a preview of the formatted result. You can also go fullscreen. - To simulate social network engagement, you can define number of comments, Shares and Likes of the Articles. - Documents: you can attach file to the Article. It can be useful if you want to simulate the publication of a large report you don't want to craft inside OpenBAS, like a pdf security report for example.</p> <p>Once created, Articles appears as cards in the definition screen of the Scenario or Simulation they have been created into. Note that if an article is not yet used in the Scenario or Simulation (probably because it does not have been used in a \"Publish channel pressure\" inject), it is mentioned into the Article's card.</p>"},{"location":"usage/components/media_pressure/#use-an-article-in-scenario-and-simulation","title":"Use an Article in Scenario and Simulation","text":"<p>To use an Article in a Scenario or Simulation, it must have been created in the context of the Scenario, the Simulation's parent Scenario or the Simulation itself.</p> <p>When you select an Inject, if it is compatible with media pressures, you can add a media pressure article to it.</p>"},{"location":"usage/components/variables/","title":"Variables","text":""},{"location":"usage/components/variables/#built-in-variables","title":"Built-In Variables","text":"<p>Within certain injects, users can leverage a set of predefined built-in variables to dynamically customize content. These variables are designed to streamline the process of personalizing messages. Examples of built-in variables include but not limited to :</p> <ul> <li>${user.email}: Represents the email of the target user</li> <li>${exercise.name}: Represents the name of the current exercise</li> <li>${player_uri}: Represents the player interface platform link</li> <li>${teams}: Represents the list of team name/s for the injection</li> </ul> <p>The list of available variables is found in the definition of the inject :</p> <p> </p>"},{"location":"usage/components/variables/#custom-variables","title":"Custom Variables","text":"<p>In addition to the built-in variables, users can define their own variables within an exercise.</p> <p>To define custom variables :</p> <ol> <li>Select an exercise</li> <li>Navigate to the Definition tab</li> <li>Navigate to the Variables section</li> </ol> <p>In this section, users can create, update or delete custom variables : </p> <p> </p>"},{"location":"usage/components/variables/#limitation","title":"Limitation","text":"<p>To create custom variables, consider the following limitation:</p> <ul> <li>Only lowercase characters and <code>_</code> are authorized for the key value</li> <li>Variable value can only be string</li> </ul>"},{"location":"usage/components/variables/#use-variables","title":"Use Variables","text":"<p>These variables can be used to enhance personalization of certain injects within an exercise. Here is a non-exhaustive list of concerned injects : - Email sending - Sms sending</p> <p> </p> <p>In case of a list like <code>articles</code>, which is a list of articles with properties such as <code>id</code>, <code>name</code>, and <code>uri</code>, or <code>${teams}</code>, you could write:</p> <p>&lt;#list articles as article&gt; - <code>${article.name}</code> &lt;/#list&gt; &lt;#list teams as team&gt; <code>${team}</code> &lt;/#list&gt;</p>"},{"location":"usage/evaluate/overview/","title":"Overview","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p> <p>The Home screen provides visitors of the OpenBAS platform with an overview of the platform's live activity and a snapshot of your global security posture. Below is a breakdown of the various widgets available on this page.</p>"},{"location":"usage/evaluate/overview/#metric-cards","title":"Metric cards","text":"<p>This section displays the count of different components within the platform, shown in two metrics:</p> <ul> <li>The first big metric inside a card represents the number of objects created over the last 180 days.</li> <li>The second small metric inside a card reflects the number of objects created in the last 30 days.</li> </ul> <p></p> <p>Note</p> <p>From here, the data is based on simulations created and launched within the last 180 days.</p>"},{"location":"usage/evaluate/overview/#performance-overview","title":"Performance overview","text":"<p>This section highlights the results of your simulation inject expectations, categorized in three types: prevention, detection, and human response.</p> <p></p>"},{"location":"usage/evaluate/overview/#simulations","title":"Simulations","text":"<p>This bar chart represents simulations grouped by week, based on their start date.</p> <p></p>"},{"location":"usage/evaluate/overview/#top-simulation-categories","title":"Top simulation categories","text":"<p>This polar chart aggregates all simulations by category, giving you a visual breakdown of the top categories.</p> <p></p>"},{"location":"usage/evaluate/overview/#top-attack-patterns","title":"Top attack patterns","text":"<p>This horizontal bar chart displays the top attack patterns identified in your simulations, based on the number of injects associated with each attack pattern.</p> <p></p>"},{"location":"usage/evaluate/overview/#last-simulations","title":"Last simulations","text":"<p>Here, we display the six most recent simulations, sorted in descending order by their start date.</p> <p></p>"},{"location":"usage/evaluate/overview/#mitre-attck-coverage","title":"MITRE ATT&amp;CK Coverage","text":"<p>This section presents the MITRE ATT&amp;CK matrix, based on the results of your simulation inject expectations. It provides an overview of which tactics and techniques have been covered in your simulations.</p>"},{"location":"usage/payloads/payloads/","title":"Payloads","text":"<p>In OpenBAS, you can create custom payloads based on different types to create new injects.</p> <p>Payloads enhance the platform, allowing you to further customize your scenarios.</p>"},{"location":"usage/payloads/payloads/#create-a-payload","title":"Create a Payload","text":"<p>To create a new payload, follow these steps:</p> <ol> <li>Click the \"+\" button at the bottom right corner of the screen.</li> <li>Choose a type based on your needs:<ul> <li>Command Line: To execute a command using an executor (e.g., PowerShell, Bash, etc.)</li> <li>Executable: To run an executable file on an asset</li> <li>File Drop: To drop a file onto an asset</li> <li>DNS Resolution: To resolve a hostname into IP addresses</li> </ul> </li> <li>Assign a name to your new payload and specify the platform where it should be executed.</li> <li>Provide additional details for executing your payload, such as arguments and prerequisites.</li> <li>Specify a cleanup executor and a cleanup command to remove any remnants from your execution on the asset.</li> </ol> <p> </p> <p>Once completed, your new payload will appear in the payload list.</p>"},{"location":"usage/payloads/payloads/#common-payload-properties","title":"Common Payload properties","text":"Property Description Name Payload name Platforms Compatible platforms (ex. Windows, Linux, MacOS) Description Payload description Prerequisites Prerequisites required to execute the command Cleanup executor Executor for cleaning commands Cleanup command Cleanup command to remove or reset changes made Attack patterns Command-related attack patterns Tags Tags Arguments Arguments for the cleanup, prerequisites and potential command line"},{"location":"usage/payloads/payloads/#prerequisites-in-depth","title":"Prerequisites in depth","text":"Property Description Command executor Executor for prerequisite Check command Verifies if specific condition are met Get command Run command if check command failed"},{"location":"usage/payloads/payloads/#additional-payload-properties-by-type","title":"Additional Payload properties by type","text":""},{"location":"usage/payloads/payloads/#command-line","title":"Command Line","text":"<p>This payload type executes commands directly on the command line interface (CLI) of the target system  (e.g., Windows Command Prompt, PowerShell, Linux Shell). </p> <p>Command Line payloads are used for remote command execution to simulate common attacker actions like privilege  escalation or data exfiltration.</p> Property Description Architecture Architecture in which the command can be executed (x86_64, arm64, all architectures) Command executor Executor for command to execute Command Command to execute"},{"location":"usage/payloads/payloads/#executable","title":"Executable","text":"<p>An Executable payload involves delivering a binary file (such as .exe on Windows or ELF on Linux) that the system runs  as an independent process.</p> <p>Executables can perform a variety of functions, from establishing a backdoor to running complex scripts (mimic malware).</p> Property Description Architecture Architecture in which the command can be executed (ex. x86_64, arm64) Executable file File to execute"},{"location":"usage/payloads/payloads/#file-drop","title":"File Drop","text":"<p>File Drop payloads are designed to deliver files (e.g., scripts, documents, binaries) to the target system without  immediately executing them.</p> <p>The goal is typically to simulate scenarios where attackers place files in specific locations for later use, either  manually or by another process.</p> Property Description File to drop File to drop"},{"location":"usage/payloads/payloads/#dns-resolution","title":"DNS Resolution","text":"<p>DNS resolution payloads attempts to resolve hostnames to associated IP address(es).</p> <p>The goal of DNS resolution is to test if specific hostnames resolve to IP addresses correctly, helping assess network  accessibility, detect issues, and simulate potential attacker behavior.</p> Property Description Hostnames Hostname list to resolve"},{"location":"usage/payloads/payloads/#payload-execution-workflow","title":"Payload execution workflow","text":""},{"location":"usage/payloads/payloads/#use-a-payload","title":"Use a Payload","text":"<p>After creation, a new inject type will automatically appear in the inject types list if the implant you're using supports it (the OpenBAS Implant does).</p> <p> </p>"},{"location":"usage/scenario/opencti_scenario/","title":"Scenario generation from OpenCTI","text":"<p>Creating a scenario can be a complex task, especially when aiming to build one that is meaningful and relevant to the specific threats facing your organization. To streamline this process and ensure that scenarios are closely aligned with your threat landscape, you can leverage the integration between OpenCTI and OpenBAS.</p> <p>This integration works across multiple entities:</p> <ul> <li>Reports</li> <li>Grouping</li> <li>Incident Response</li> <li>Malware</li> <li>Campaigns</li> <li>Intrusion</li> <li>Request For Information</li> <li>Request For Takedown</li> </ul> <p></p> <p>When you click on the \"Simulate\" button, a form will appear with the following fields:</p> Property Description Simulation type Can be either \"Technical\" (payloads) or \"Simulated\" (emails) Interval between injection (in minutes) The time between each injection execution Number of injects generated by attack pattern and platform <p> </p> <p>If you choose the \"Technical\" (payloads) simulation type, you will also need to fill in the following fields:</p> Property Description Targeted platforms Supported platforms for executing the TTPs (Windows, Linux, macOS) Targeted architecture Supported architectures for executing the TTPs (x86_64, arm64) <p> </p> <p>It\u2019s essential to understand that a scenario creation for these entities relies on matching TTPs between OpenCTI and OpenBAS. You\u2019ll need to ensure that the TTPs in both platforms are aligned. For instance, if your report contains the TTP T1059.001, a scenario can be created with an inject, provided OpenBAS also includes T1059.001. Otherwise, an  inject with a placeholder will be created instead for this TTP.</p> <p>If these TTPs are not supported by OpenBAS, you will receive an alert listing the uncovered TTPs.</p> <p></p> <p>When generating a scenario from OpenCTI, a scenario is created in OpenBas and can be accessed from the scenarios screen. The scenario name will include a reference to OpenCTI, indicating its origin. This scenario will automatically contain relevant sequences of injects based on the threat context identified in OpenCTI.</p> <p></p> <p></p> <p></p> <p>However, it's important to review and potentially customize the scenario to ensure it meets your organization's specific requirements. Additionally, you'll need to select appropriate targets for the injects within the scenario. You can also configure default asset groups for the scenarios created from OpenCTI using the Default Asset Groups page.</p> <p></p> <p>Once you've finalized the scenario, you can schedule your simulation as you would do for any other scenarios. The overall results of the simulation will also be available directly within OpenCTI, providing insights into the threat context upon which the scenario is based.</p> <p></p>"}]}
\ No newline at end of file
+{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"OpenBAS Documentation Space","text":"<p>Welcome to the OpenBAS Documentation space. Here you will be able to find all documents, meeting notes and presentations about the platform.</p> <p>Release notes</p> <p>Please, be sure to also take a look at the OpenBAS releases notes, they may contain important information about releases and deployments.</p>"},{"location":"#introduction","title":"Introduction","text":"<p>OpenBAS is an open source platform allowing organizations to plan, schedule and conduct crisis exercises as well as adversary and breach simulations. OpenBAS is an ISO 22398 compliant product and has been designed as a modern web application including a RESTFul API and an UX oriented frontend.</p>"},{"location":"#getting-started","title":"Getting started","text":"<ul> <li> <p> Deployment &amp; Setup</p> <p>Learn how to deploy and configure the platform as well as launch connectors to get the first data in OpenBAS.</p> <p> Deploy now</p> </li> <li> <p> User Guide</p> <p>Understand how to use the platform, create exercises and campaigns, use  media pressure simulation and integrate with other tools. </p> <p> Explore</p> </li> <li> <p> Administration</p> <p>Know how to administrate OpenBAS, create users and groups using RBAC / segregation, customize the overall experience.</p> <p> Customize</p> </li> </ul> <p>Need more help?</p> <p>We are doing our best to keep this documentation complete, accurate and up to date. </p> <p>If you still have questions or you find something which is not sufficiently explained, join the Filigran Community on Slack.</p>"},{"location":"#blog-posts","title":"Blog posts","text":"<ul> <li> <p> Resources and content</p> <p>Discover tutorials, best practices and deep dives on OpenBAS features on our Filigran blog.</p> <p> Read now</p> </li> </ul>"},{"location":"#additional-resources","title":"Additional resources","text":"<p>Below, you will find external resources which may be useful along your OpenCTI journey.</p> <p> OpenBAS Ecosystem List of available injectors and collectors to expand platform usage.</p> <p> Training Courses Training courses for analysts and administrators in the Filigran training center.</p> <p> Video materials Set of video illustrating the implementation of use cases and platform capabilities.</p> <p></p>"},{"location":"administration/enterprise/","title":"Enterprise edition","text":"<p>Filigran</p> <p>Filigran is providing an Enterprise Edition of the platform, whether on-premise or in the SaaS.</p>"},{"location":"administration/enterprise/#what-is-openbas-ee","title":"What is OpenBAS EE?","text":"<p>OpenBAS Enterprise Edition is based on the open core concept. This means that the source code of OCTI EE remains open source and included in the main GitHub repository of the platform but is published under a specific license. As specified in the GitHub license file:</p> <ul> <li>The OpenBAS Community Edition is licensed under the Apache License, Version 2.0 (the \u201cApache License\u201d).</li> <li>The OpenBAS Enterprise Edition is licensed under the OpenBAS Enterprise Edition License (the \u201cEnterprise Edition Licensee\u201d).</li> </ul> <p>The source files in this repository have a header indicating which license they are under. If no such header is provided, this means that the file belongs to the Community Edition under the Apache License, Version 2.0.</p>"},{"location":"administration/enterprise/#ee-activation","title":"EE Activation","text":"<p>Enterprise edition is easy to activate. You need to go the platform settings and click on the Activate button.</p> <p></p> <p>Then you will need to agree to the Filigran EULA.</p> <p></p> <p>As a reminder:</p> <ul> <li>OpenBAS EE is free-to-use for development, testing and research purposes as well as for non-profit organizations.</li> <li>OpenBAS EE is included for all Filigran SaaS customers without additional fee.</li> <li>For all other usages, OpenBAS EE is reserved to organizations that have signed a Filigran Enterprise agreement.</li> </ul>"},{"location":"administration/enterprise/#available-features","title":"Available features","text":""},{"location":"administration/enterprise/#generative-ai","title":"Generative AI","text":"<p>Be able to use AI for content generation including emails, media pressure articles etc.</p>"},{"location":"administration/enterprise/#more-to-come","title":"More to come","text":"<p>More features will be available in OpenBAS in the future. Features like:</p> <ul> <li>Security posture automatic evaluation.</li> <li>Premium mitigations and recommendation for configuration changes.</li> </ul>"},{"location":"administration/introduction/","title":"Introduction","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"administration/parameters/","title":"Parameters","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"administration/policies/","title":"Policies","text":""},{"location":"administration/policies/#overview","title":"Overview","text":"<p>The Policies configuration page, located under Settings &gt; Security &gt; Policies, is designed to manage and customize various security-related settings.  This page currently includes the configuration of login messages, with plans to expand its capabilities in the future.  </p>"},{"location":"administration/policies/#current-features","title":"Current Features","text":"<p>Login Messages  Administrators can create and manage messages that are displayed to users upon login. This feature is useful for providing important information or updates directly to users when they access the platform.   There are three types of messages:   * Platform Login Message: Displayed above the login form to communicate vital information or announcements.   * Platform Consent Message: Displayed to users during the login process. It appears as a notification that blocks access to the login form until users actively give their consent by checking an approval box. This ensures that users acknowledge and agree to certain terms or conditions before proceeding with logging in.   * Platform Consent Confirm Text: A message accompanying the consent box, providing clarity on the consent confirmation process.</p> <p>These messages can be customized to fit the organization's specific needs and requirements, ensuring that critical information is communicated effectively to users.</p>"},{"location":"administration/policies/#accessing-the-policies-configuration-page","title":"Accessing the Policies Configuration Page","text":"<p>To access the Policies configuration page, navigate to:</p> <pre><code>Settings / Security / Policies\n</code></pre>"},{"location":"administration/policies/#how-to-configure-login-messages","title":"How to Configure Login Messages","text":"<ol> <li>Navigate to the Policies Configuration Page: Go to \"Settings &gt; Security &gt; Policies\".</li> <li>Login Messages Section: Locate the section for login messages.  </li> <li>Enter Message Details: Provide the content for the login message.  </li> <li>Save Changes: Save your changes to apply the new or updated message.  </li> </ol>"},{"location":"administration/policies/#best-practices","title":"Best Practices","text":"<ul> <li>Regular Updates: Regularly update login messages to keep users informed of any critical updates or changes.</li> <li>Clear Communication: Ensure that messages are clear and concise to avoid confusion.</li> </ul>"},{"location":"administration/taxonomies/","title":"Taxonomies","text":"<p>Taxonomies in OpenBAS refer to the structured classification systems that help in organizing and categorizing platform data. They are essential to the platform, enabling users to systematically tag and retrieve information based on predefined categories and terms. predefined categories and terms.</p>"},{"location":"administration/taxonomies/#tags","title":"Tags","text":"<p>Tags in OpenBAS serve as a powerful tool for organizing, categorizing, and prioritizing data.</p> <p>Tags can be used to tag assets or teams with specific categories, making it easier to filter and search through large datasets.</p>"},{"location":"administration/taxonomies/#kill-chain-phases","title":"Kill chain phases","text":"<p>Kill chain phases are used in OpenBAS to structure and analyze the data related to cyber threats and attacks. They describe the stages of an attack from the perspective of the attacker and provide a framework for identifying, analysing and responding to threats.</p> <p>OpenBAS supports the following kill chain models:</p> <ul> <li>MITRE ATT&amp;CK Framework (Entreprise, PRE, Mobile and ICS)</li> </ul> <p>You can add, edit, or delete kill chain phases in the settings page, and assign them to attack patterns in the platform. Additionally, you can filter data by kill chains phases, visualize relationships between kill chain phases and injects, simulations or scenarios.</p>"},{"location":"administration/taxonomies/#attack-patterns","title":"Attack Patterns","text":"<p>Attack patterns are structured representations of the tactics, techniques, and procedures (TTPs) used by adversaries to compromise systems. In OpenBAS, attack patterns help analyze and classify threats, providing a standardized approach to identifying and mitigating cyber risks.</p> <p>OpenBAS supports the following attack pattern models:</p> <ul> <li>MITRE ATT&amp;CK Framework (Enterprise, PRE, Mobile, and ICS)</li> </ul> <p>You can add, edit, or delete attack patterns in the settings page and assign them to payloads or injectors.</p>"},{"location":"administration/users/","title":"Users","text":"<p>You can manage users in <code>Settings &gt; Security &gt; Users</code>. If you are using Single Sign-On (SSO), user accounts in OpenBAS are automatically created upon login.</p> <p></p> <p>To create a user, just click on the <code>+</code> button :</p> <p> </p> <p>To update a user, click on the ellipsis menu (\u22ee) : </p> <p></p> <p>Here, you can modify parameters such as the organization, phone number, password, and even your GPG public key : </p> <p> </p> <p>To delete a user : </p> <p></p>"},{"location":"deployment/authentication/","title":"Authentication","text":""},{"location":"deployment/authentication/#introduction","title":"Introduction","text":"<p>Welcome to the authentication documentation for OpenBAS. This documentation provides details on setting up and utilizing the authentication system, which supports multiple authentication methods to cater to different user needs and security requirements.</p>"},{"location":"deployment/authentication/#supported-authentication-methods","title":"Supported authentication methods","text":""},{"location":"deployment/authentication/#local-users","title":"Local users","text":"<p>OpenBAS use this strategy as the default, but it's not the one we recommend for security reasons.</p> <ul> <li><code>OPENBAS.AUTH-LOCAL-ENABLE</code>: Set this to <code>true</code> to enable username/password authentication.</li> </ul> <p>Production deployment</p> <p>Please use the LDAP/Auth0/OpenID/SAML strategy for production deployment.</p>"},{"location":"deployment/authentication/#openid","title":"OpenID","text":"<p>This method allows to use the OpenID Connect Protocol to handle the authentication.</p> <ul> <li><code>OPENBAS.AUTH-OPENID-ENABLE</code>: Set this to <code>true</code> to enable OAuth (OpenID) authentication.</li> </ul> <p>Example for Auth0:</p> <pre><code>SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_{registrationId}_ISSUER-URI=https://auth.auth0.io\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT-NAME=Login with auth0\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT-ID=\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT-SECRET=\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_REDIRECT-URI=${openbas.base-url}/login/oauth2/code/{registrationId}\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_SCOPE=openid,profile,email\n</code></pre> <p>Example for GitHub (or others pre-handled oauth2 providers):</p> <pre><code>SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT_NAME=Login with Github\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT_ID=\nSPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_{registrationId}_CLIENT_SECRET=\n</code></pre> <p>Tips</p> <p>{registrationId} is an arbitrary identifier you choose.</p>"},{"location":"deployment/authentication/#saml2","title":"SAML2","text":"<p>This strategy can be used to authenticate your user with your company SAML.</p> <ul> <li><code>OPENBAS.AUTH-SAML2-ENABLE</code>: Set this to <code>true</code> to enable SAML2 authentication. </li> </ul> <p>Example for Microsoft : <pre><code>SPRING_SECURITY_SAML2_RELYINGPARTY_REGISTRATION_{registrationId}_ENTITY-ID=\nSPRING_SECURITY_SAML2_RELYINGPARTY_REGISTRATION_{registrationId}_ASSERTINGPARTY_METADATA-URI=\nOPENBAS_PROVIDER_{registrationId}_FIRSTNAME_ATTRIBUTE_KEY=\nOPENBAS_PROVIDER_{registrationId}_LASTNAME_ATTRIBUTE_KEY=\n</code></pre></p> <p>Tips</p> <p>{registrationId} is an arbitrary identifier you choose.   metadata-uri is the uri of the xml file given by your identity provider</p>"},{"location":"deployment/authentication/#single-sign-on-url","title":"Single Sign On URL","text":""},{"location":"deployment/authentication/#saml2_1","title":"SAML2","text":"<p>Url for the config of your sso provider <pre><code>${openbas.base-url}/login/saml2/sso/{registrationId}\n</code></pre></p>"},{"location":"deployment/authentication/#map-administrators-to-specific-roles-openid-and-saml-2","title":"Map administrators to specific roles (OpenID and SAML 2)","text":"<p>To grant administrative roles, you can utilize OAuth and SAML2 integration. If you opt for this approach, you'll need to include the following variables:</p> <pre><code>OPENBAS_PROVIDER_{registrationId}_ROLES_PATH=http://schemas.microsoft.com/ws/2008/06/identity/claims/role\nOPENBAS_PROVIDER_{registrationId}_ROLES_ADMIN=\n</code></pre> <p>However, if you intend to manage administrative roles within the OpenBAS platform itself, there's no need to provide these variables.</p>"},{"location":"deployment/authentication/#error-handling","title":"Error Handling","text":"<p>Under construction</p> <p>We are doing our best to complete this page.  If you want to participae, dont hesitate to join the Filigran Community on Slack  or submit your pull request on the Github doc repository.</p>"},{"location":"deployment/clustering/","title":"Clustering","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"deployment/configuration/","title":"Configuration","text":"<p>The purpose of this section is to learn how to configure OpenBAS to have it tailored for your production and development needs. It is possible to check all default parameters implemented in the platform in the  <code>application.properties</code> file.</p> <p>Here are the configuration keys, for both containers (environment variables) and manual deployment.</p> <p>Parameters equivalence</p> <p>The equivalent of a config variable in environment variables is the usage of an underscore (<code>_</code>) for a level of config.</p> <p>For example: <pre><code>spring.servlet.multipart.max-file-size=5GB\n</code></pre></p> <p>will become: <pre><code>SPRING_SERVLET_MULTIPART_MAX-FILE-SIZE=5GB\n</code></pre></p>"},{"location":"deployment/configuration/#platform","title":"Platform","text":""},{"location":"deployment/configuration/#api-frontend","title":"API &amp; Frontend","text":""},{"location":"deployment/configuration/#basic-parameters","title":"Basic parameters","text":"Parameter Environment variable Default value Description server.address SERVER_ADDRESS 0.0.0.0 Listen address of the application server.port SERVER_PORT 8080 Listen port of the application openbas.base-url OPENBAS_BASE-URL http://localhost:8080 Base URL of the application, will be used in some email links server.servlet.session.timeout SERVER_SERVLET_SESSION_TIMEOUT 60m Default duration of session (60 minutes) openbas.cookie-secure OPENBAS_COOKIE-SECURE <code>false</code> Turn on if the access is done in HTTPS openbas.cookie-duration OPENBAS_COOKIE-DURATION P1D Cookie duration (default 1 day) openbas.admin.email OPENBAS_ADMIN_EMAIL admin@openbas.io Default login email of the admin user openbas.admin.password OPENBAS_ADMIN_PASSWORD ChangeMe Default password of the admin user openbas.admin.token OPENBAS_ADMIN_TOKEN ChangeMe Default token (must be a valid UUIDv4)"},{"location":"deployment/configuration/#network-and-security","title":"Network and security","text":"Parameter Environment variable Default value Description server.ssl.enabled SERVER_SSL_ENABLED <code>false</code> Turn on to enable SSL on the local server server.ssl.key-store-type SERVER_SSL_KEY-STORE-TYPE PKCS12 Type of SSL keystore server.ssl.key-store SERVER_SSL_KEY-STORE classpath:localhost.p12 SSL keystore path server.ssl.key-store-password SERVER_SSL_KEY-STORE-PASSWORD admin SSL keystore password server.ssl.key-alias SERVER_SSL_KEY-ALIAS localhost SSL key alias openbas.unsecured-certificate OPENBAS_UNSECURED-CERTIFICATE <code>false</code> Turn on to authorize self-signed or unsecure ssl certificate openbas.with-proxy OPENBAS_WITH-PROXY <code>false</code> Turn on to authorize environment with proxy"},{"location":"deployment/configuration/#logging","title":"Logging","text":"Parameter Environment variable Default value Description logging.level.root LOGGING_LEVEL_ROOT fatal Root log level logging.level.io.openbas LOGGING_LEVEL_IO_OPENBAS warn OpenBAS log level logging.file.name LOGGING_FILE_NAME ./logs/openbas.log Log file path (in addition to console output) logging.logback.rollingpolicy.max-file-size LOGGING_LOGBACK_ROLLINGPOLICY_MAX-FILE-SIZE 10MB Rolling max file size logging.logback.rollingpolicy.max-history LOGGING_LOGBACK_ROLLINGPOLICY_MAX-HISTORY 7 Rolling max days"},{"location":"deployment/configuration/#dependencies","title":"Dependencies","text":""},{"location":"deployment/configuration/#xtm-suite","title":"XTM Suite","text":"Parameter Environment variable Default value Description openbas.xtm.opencti.enable OPENBAS_XTM_OPENCTI_ENABLE false Enable integration with OpenCTI openbas.xtm.opencti.url OPENBAS_XTM_OPENCTI_URL OpenCTI URL openbas.xtm.opencti.token OPENBAS_XTM_OPENCTI_TOKEN OpenCTI token openbas.xtm.opencti.disable-display OPENBAS_XTM_OPENCTI_DISABLE-DISPLAY <code>false</code> Disable OpenCTI in the UI"},{"location":"deployment/configuration/#postgresql","title":"PostgreSQL","text":"Parameter Environment variable Default value Description spring.datasource.url SPRING_DATASOURCE_URL jdbc:postgresql://... URL of the database (ex jdbc:postgresql://postgresql.mydomain.com:5432/openbas) spring.datasource.username SPRING_DATASOURCE_USERNAME Login for the database spring.datasource.password SPRING_DATASOURCE_PASSWORD password Password for the database"},{"location":"deployment/configuration/#rabbitmq","title":"RabbitMQ","text":"Parameter Environment variable Default value Description openbas.rabbitmq.prefix OPENBAS_RABBITMQ_PREFIX openbas Prefix for the queue names openbas.rabbitmq.hostname OPENBAS_RABBITMQ_HOSTNAME localhost Hostname of the RabbitMQ server openbas.rabbitmq.vhost OPENBAS_RABBITMQ_VHOST / Vhost of the RabbitMQ server openbas.rabbitmq.port OPENBAS_RABBITMQ_PORT 5672 Port of the RabbitMQ Server openbas.rabbitmq.management-port OPENBAS_RABBITMQ_MANAGEMENT-PORT 15672 Management port of the RabbitMQ Server openbas.rabbitmq.ssl OPENBAS_RABBITMQ_SSL <code>false</code> Use SSL openbas.rabbitmq.user OPENBAS_RABBITMQ_USER guest RabbitMQ user openbas.rabbitmq.pass OPENBAS_RABBITMQ_PASS guest RabbitMQ password openbas.rabbitmq.queue-type OPENBAS_RABBITMQ_QUEUE-TYPE classic RabbitMQ Queue Type (\"classic\" or \"quorum\") openbas.rabbitmq.management-insecure OPENBAS_RABBITMQ_MANAGEMENT-INSECURE <code>true</code> Whether or not the calls to the management plugin of rabbitmq can be insecure openbas.rabbitmq.trust.store OPENBAS_RABBITMQ_TRUST_STORE &lt;file:/path/to/client-store.p12&gt; Path to the p12 keystore file to use if ssl is activated and insecure management is deactivated. The keystore must contain the client side certificate and key generated for ssl. openbas.rabbitmq.trust-store-password OPENBAS_RABBITMQ_TRUST-STORE-PASSWORD &lt;trust-store-password&gt; Password of the keystore"},{"location":"deployment/configuration/#s3-bucket","title":"S3 bucket","text":"Parameter Environment variable Default value Description minio.endpoint MINIO_ENDPOINT localhost Hostname of the S3 Service. Example if you use AWS Bucket S3: s3.us-east-1.amazonaws.com (if <code>minio:bucket_region</code> value is us-east-1). This parameter value can be omitted if you use Minio as an S3 Bucket Service. minio.port MINIO_PORT 9000 Port of the S3 Service. For AWS Bucket S3 over HTTPS, this value can be changed (usually 443). minio.secure MINIO_SECURE <code>false</code> Indicates whether the S3 Service has TLS enabled. For AWS Bucket S3 over HTTPS, this value could be <code>true</code>. minio.access-key MINIO_ACCESS-KEY key Access key for the S3 Service. minio.access-secret MINIO_ACCESS-SECRET secret Secret key for the S3 Service. minio.bucket MINIO_BUCKET openbas S3 bucket name. Useful to change if you use AWS. minio.bucket-region MINIO_BUCKET-REGION us-east-1 Region of the S3 bucket if you are using AWS. This parameter value can be omitted if you use Minio as an S3 Bucket Service. openbas.s3.use-aws-role OPENBAS_S3_USE-AWS-ROLE <code>false</code> Whether or not we want to get the AWS role using AWS Security Token Service openbas.s3.sts-endpoint OPENBAS_S3_STS-ENDPOINT <code>experimental</code> This parameter is optional. If it stays empty, it will use either the AWS legacy STS endpoint (https://sts.amazonaws.com) or the regional one using AWS_REGION if the environment variable is set (you can learn more about it here). Otherwise, if you want to use your own custom implementation of STS endpoints, you can set it here."},{"location":"deployment/configuration/#agents-executors","title":"Agents (executors)","text":"<p>To be able to use the power of the OpenBAS platform on endpoints, you need at least one neutral executor that will be in charge of executing implants as detached processes. Implants will then execute payloads.</p>"},{"location":"deployment/configuration/#openbas-agent","title":"OpenBAS Agent","text":"<p>The OpenBAS agent is enabled by default and cannot be disabled. It is available for:</p> <ul> <li>Windows (<code>x86_64</code> / <code>arm64</code>)</li> <li>Linux (<code>x86_64</code> / <code>arm64</code>)</li> <li>MacOS (<code>x86_64</code> / <code>arm64</code>)</li> </ul>"},{"location":"deployment/configuration/#other-executors","title":"Other executors","text":"<p>To know more about other available executors, please refer to the executors documentation</p>"},{"location":"deployment/configuration/#mail-services","title":"Mail services","text":"<p>For the associated mailbox, for the moment the platform only relies on IMAP / SMTP protocols, we are actively developing integrations with APIs such as O365 and Google Apps.</p>"},{"location":"deployment/configuration/#smtp","title":"SMTP","text":"Parameter Environment variable Default value Description spring.mail.host SPRING_MAIL_HOST smtp.mail.com SMTP Server hostname spring.mail.port SPRING_MAIL_PORT 465 SMTP Server port spring.mail.username SPRING_MAIL_USERNAME username@mail.com SMTP Server username spring.mail.password SPRING_MAIL_PASSWORD password SMTP Server password Parameter Environment variable Default value Description spring.mail.properties.mail.smtp.ssl.enable SPRING_MAIL_PROPERTIES_MAIL_SMTP_SSL_ENABLE <code>true</code> Turn on SMTP SSL mode spring.mail.properties.mail.smtp.ssl.trust SPRING_MAIL_PROPERTIES_MAIL_SMTP_SSL_TRUST * Trust unverified certificates spring.mail.properties.mail.smtp.auth SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH <code>true</code> Turn on SMTP authentication spring.mail.properties.mail.smtp.starttls.enable SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE <code>false</code> Turn on SMTP STARTTLS <p>Note : Example with Gmail</p> Parameter Environment variable Value Description spring.mail.host SPRING_MAIL_HOST smtp.gmail.com Gmail SMTP server hostname spring.mail.port SPRING_MAIL_PORT 587 Gmail SMTP server port (TLS) spring.mail.username SPRING_MAIL_USERNAME username@mail.com Gmail address spring.mail.password SPRING_MAIL_PASSWORD app password Gmail App-specific password spring.mail.properties.mail.smtp.auth SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH true Enable SMTP authentication spring.mail.properties.mail.smtp.starttls.enable SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE true Enable SMTP STARTTLS <p>\u26a0\ufe0f Important: If you are using two-factor authentication on your Gmail account, an app-specific password is required. You can find a guide here.</p>"},{"location":"deployment/configuration/#imap","title":"IMAP","text":"Parameter Environment variable Default value Description openbas.mail.imap.enabled OPENBAS_MAIL_IMAP_ENABLED false Turn on to enable IMAP mail synchronization. Injector email must be well configured openbas.mail.imap.host OPENBAS_MAIL_IMAP_HOST imap.mail.com IMAP Server hostname openbas.mail.imap.port OPENBAS_MAIL_IMAP_PORT 993 IMAP Server port openbas.mail.imap.username OPENBAS_MAIL_IMAP_USERNAME username@mail.com IMAP Server username openbas.mail.imap.password OPENBAS_MAIL_IMAP_PASSWORD password IMAP Server password openbas.mail.imap.inbox OPENBAS_MAIL_IMAP_INBOX INBOX IMAP inbox directory to synchronize from openbas.mail.imap.sent OPENBAS_MAIL_IMAP_SENT Sent IMAP sent directory to synchronize from Parameter Environment variable Default value Description openbas.mail.imap.ssl.enable OPENBAS_MAIL_IMAP_SSL_ENABLE true Turn on IMAP SSL mode openbas.mail.imap.ssl.trust OPENBAS_MAIL_IMAP_SSL_TRUST * Trust unverified certificates openbas.mail.imap.auth OPENBAS_MAIL_IMAP_AUTH true Turn on IMAP authentication openbas.mail.imap.starttls.enable OPENBAS_MAIL_IMAP_STARTTLS_ENABLE true Turn on IMAP STARTTLS <p>Note : Example with Gmail</p> Parameter Environment variable Value Description openbas.mail.imap.enabled OPENBAS_MAIL_IMAP_ENABLED true Enable IMAP for Gmail openbas.mail.imap.host OPENBAS_MAIL_IMAP_HOST imap.gmail.com Gmail IMAP server hostname openbas.mail.imap.port OPENBAS_MAIL_IMAP_PORT 993 Gmail IMAP port (SSL) openbas.mail.imap.username OPENBAS_MAIL_IMAP_USERNAME username@mail.com Gmail address openbas.mail.imap.password OPENBAS_MAIL_IMAP_PASSWORD app password Gmail App-specific password openbas.mail.imap.ssl.enable OPENBAS_MAIL_IMAP_SSL_ENABLE true Enable IMAP SSL openbas.mail.imap.ssl.trust OPENBAS_MAIL_IMAP_SSL_TRUST * Trust unverified certificates openbas.mail.imap.auth OPENBAS_MAIL_IMAP_AUTH true Enable IMAP authentication openbas.mail.imap.sent OPENBAS_MAIL_IMAP_SENT [Gmail]/Sent Mail IMAP sent directory to synchronize from <p>\u26a0\ufe0f Important: If you are using two-factor authentication on your Gmail account, an app-specific password is required. You can find a guide here.</p>"},{"location":"deployment/configuration/#ai-service","title":"AI Service","text":"<p>AI deployment and cloud services</p> <p>There are several possibilities for Enterprise Edition customers to use OpenBAS AI endpoints:</p> <ul> <li>Use the Filigran AI Service leveraging our custom AI model using the token given by the support team.</li> <li>Use OpenAI or MistralAI cloud endpoints using your own tokens.</li> <li>Deploy or use local AI endpoints (Filigran can provide you with the custom model).</li> </ul> Parameter Environment variable Default value Description ai.enabled AI_ENABLED true Enable AI capabilities ai.type AI_TYPE mistralai AI type (<code>mistralai</code> or <code>openai</code>) ai.endpoint AI_ENDPOINT Endpoint URL (empty means default cloud service) ai.token AI_TOKEN Token for endpoint credentials ai.model AI_MODEL Model to be used for text generation (depending on type) ai.model_images AI_MODEL_IMAGES Model to be used for image generation (depending on type)"},{"location":"deployment/installation/","title":"Installation","text":"<p>All components of OpenBAS are shipped both as Docker images and manual installation packages.</p> <p>Production deployment</p> <p>For production deployment, we recommend to deploy all components in containers, including dependencies, using native cloud services or orchestration systems such as Kubernetes.</p> <ul> <li> <p> Use Docker</p> <p>Deploy OpenBAS using Docker and the default <code>docker-compose.yml</code> provided in the docker.</p> <p> Setup</p> </li> <li> <p> Manual installation</p> <p>Deploy dependencies and launch the platform manually using the packages released in the GitHub releases.</p> <p> Explore</p> </li> </ul>"},{"location":"deployment/installation/#using-docker","title":"Using Docker","text":""},{"location":"deployment/installation/#introduction","title":"Introduction","text":"<p>OpenBAS can be deployed using the docker compose command.</p>"},{"location":"deployment/installation/#pre-requisites","title":"Pre-requisites","text":"<p> Linux</p> <pre><code>sudo apt install docker-compose\n</code></pre> <p> Windows and MacOS</p> <p>Just download the appropriate Docker for Desktop version for your operating system.</p>"},{"location":"deployment/installation/#clone-the-repository","title":"Clone the repository","text":"<p>Docker helpers are available in the Docker GitHub repository.</p> <pre><code>mkdir -p /path/to/your/app &amp;&amp; cd /path/to/your/app\ngit clone https://github.com/OpenBAS-Platform/docker.git\ncd docker\n</code></pre>"},{"location":"deployment/installation/#configure-the-environment","title":"Configure the environment","text":"<p>Before running the <code>docker compose</code> command, the <code>docker-compose.yml</code> file should be configured. By default, the <code>docker-compose.yml</code> file is using environment variables available in the <code>.env.sample</code> file.</p> <p>You can either rename the file <code>.env.sample</code> in <code>.env</code> and put the expected values or just fill directly the <code>docker-compose.yml</code> with the values corresponding to your environment.</p>"},{"location":"deployment/installation/#docker-compose-env","title":"Docker compose env","text":"<p>Configuration static parameters</p> <p>The complete list of available static parameters is available in the configuration section.</p> <p>Whether you are using one method or the other, here are the mandatory parameters to fill:</p> <pre><code>POSTGRES_USER=ChangeMe\nPOSTGRES_PASSWORD=ChangeMe\nKEYSTORE_PASSWORD=ChangeMe\nMINIO_ROOT_USER=ChangeMeAccess\nMINIO_ROOT_PASSWORD=ChangeMeKey\nRABBITMQ_DEFAULT_USER=ChangeMe\nRABBITMQ_DEFAULT_PASS=ChangeMe\nSPRING_MAIL_HOST=smtp.example.com\nSPRING_MAIL_PORT=465\nSPRING_MAIL_USERNAME=ChangeMe@example.com\nSPRING_MAIL_PASSWORD=ChangeMe\nOPENBAS_MAIL_IMAP_ENABLED=true\nOPENBAS_MAIL_IMAP_HOST=imap.example.com\nOPENBAS_MAIL_IMAP_PORT=993\nOPENBAS_ADMIN_EMAIL=ChangeMe@example.com # must be a valid email address\nOPENBAS_ADMIN_PASSWORD=ChangeMe\nOPENBAS_ADMIN_TOKEN=ChangeMe # must be a valid UUID\nCOLLECTOR_MITRE_ATTACK_ID=3050d2a3-291d-44eb-8038-b4e7dd107436 # No need for change\nCOLLECTOR_ATOMIC_RED_TEAM_ID=0f2a85c1-0a3b-4405-a79c-c65398ee4a76 # No need for change\n</code></pre> <p>If your <code>docker-compose</code> deployment does not support <code>.env</code> files, just export all environment variables before launching the platform:</p> <pre><code>export $(cat .env | grep -v \"#\" | xargs)\n</code></pre>"},{"location":"deployment/installation/#persist-data","title":"Persist data","text":"<p>The default for OpenBAS data is to be persistent.</p> <p>In the <code>docker-compose.yml</code>, you will find at the end the list of necessary persistent volumes for the dependencies:</p> <pre><code>volumes:\n  esdata:     # ElasticSearch data\n  s3data:     # S3 bucket data\n  amqpdata:   # RabbitMQ data\n</code></pre>"},{"location":"deployment/installation/#run-openbas","title":"Run OpenBAS","text":""},{"location":"deployment/installation/#using-single-node-docker","title":"Using single node Docker","text":"<p>After changing your <code>.env</code> file run <code>docker compose</code> in detached (-d) mode:</p> <pre><code>sudo systemctl start docker.service\n# Run docker compose in detached\ndocker compose up -d\n</code></pre>"},{"location":"deployment/installation/#using-docker-swarm","title":"Using Docker swarm","text":"<p>In order to have the best experience with Docker, we recommend using the Docker stack feature. In this mode you will have the capacity to easily scale your deployment.</p> <pre><code># If your virtual machine is not a part of a Swarm cluster, please use:\ndocker swarm init\n</code></pre> <p>Put your environment variables in <code>/etc/environment</code>:</p> <pre><code># If you already exported your variables to .env from above:\nsudo cat .env &gt;&gt; /etc/environment\nsudo bash -c 'cat .env &gt;&gt; /etc/environment\u2019\nsudo docker stack deploy --compose-file docker-compose.yml openbas\n</code></pre> <p>Installation done</p> <p>You can now go to http://localhost:8080 and log in with the credentials filled in your configuration.</p>"},{"location":"deployment/installation/#openbas-x-caldera-optional-part","title":"OpenBAS X Caldera (Optional part)","text":"<p>You can deploy Caldera alongside OpenBAS to manage agent deployment and execute Caldera scripts.</p> <ul> <li> <p> Use Docker</p> <p>Deploy Caldera using Docker and the default <code>docker-compose.yml</code> provided in the docker.</p> <p> Setup</p> </li> </ul> <p>Unfortunately, Caldera does not support well environment variables, the <code>caldera.yml</code> needs to be modified to change default API keys and passwords. Only change what is marked as Change this, listed below:</p> <p>Caldera application</p> <p>You will never be asked to go into Caldera directly because OpenBAS manages everything for you, so don't hesitate to put the same UUIDv4 in all parameters here.</p> <pre><code>users:\n  red:\n    red: ChangeMe                                                                     # Change this\n  blue:\n    blue: ChangeMe                                                                    # Change this\napi_key_red: ChangeMe                                                                 # Change this\napi_key_blue: ChangeMe                                                                # Change this\napi_key: ChangeMe                                                                     # Change this\ncrypt_salt: ChangeMe                                                                  # Change this\nencryption_key: ChangeMe                                                              # Change this\napp.contact.http: http://caldera.myopenbas.myorganization.com:8888                    # Change this\napp.contact.tunnel.ssh.user_password: ChangeMe                                        # Change this\n</code></pre>"},{"location":"deployment/installation/#docker-compose-env_1","title":"Docker compose env","text":"<p>Add this environment variable to connect OpenBAS and Caldera:</p> <pre><code>INJECTOR_CALDERA_ENABLE=true\nINJECTOR_CALDERA_URL=${CALDERA_URL:-http://caldera:8888}\nINJECTOR_CALDERA_PUBLIC_URL=${CALDERA_PUBLIC_URL:-http://localhost:8888}\nINJECTOR_CALDERA_API_KEY=${CALDERA_API_KEY:-ChangeMe}\nEXECUTOR_CALDERA_ENABLE=true\nEXECUTOR_CALDERA_URL=${CALDERA_URL:-http://caldera:8888}\nEXECUTOR_CALDERA_PUBLIC_URL=${CALDERA_PUBLIC_URL:-http://localhost:8888}\nEXECUTOR_CALDERA_API_KEY=${CALDERA_API_KEY:-ChangeMe}\n</code></pre>"},{"location":"deployment/installation/#login-to-caldera","title":"Login to Caldera","text":"<p>To connect to Caldera, you need to use one of the users defined in your <code>caldera.yml</code> file (either 'red' or 'blue'). OpenBAS will use the red user.</p>"},{"location":"deployment/installation/#manual-installation","title":"Manual installation","text":"<p>This section provides instructions to install and run a pre-built OpenBAS server with its dependencies. Note that this does not cover building from source, which you will find in the Development section instead.</p>"},{"location":"deployment/installation/#prepare-the-installation","title":"Prepare the installation","text":""},{"location":"deployment/installation/#installation-of-dependencies","title":"Installation of dependencies","text":"<p>You have to enable all the mandatory dependencies for the main application if you would like to play breach and attack simulation scenarios.</p> <p>You may choose to use the dependencies from the provided compose file (see: Using Docker). If you elect doing so, make sure you disable the openbas server container first, and expose the dependencies on appropriate ports. You may refer to the official Docker documentation to achieve this.</p> <p>Otherwise, you are responsible for providing the dependencies yourself by installing and running them. You need at least a Java Runtime, PostgreSQL (database), RabbitMQ (queue management), and MinIO (for object storage).</p> <p>Supported dependency versions</p> <p>See the Dependencies section for details on the recommended (and supported) versions of the dependencies.</p> <p>If you choose to install the dependencies manually, please refer to their respective documentation:</p> <ul> <li>Java: the Java documentation portal</li> <li>PostgreSQL: the PostgreSQL documentation portal</li> <li>RabbitMQ: the RabbitMQ documentation portal</li> <li>MinIO: the MinIO website. </li> </ul>"},{"location":"deployment/installation/#download-the-application-files","title":"Download the application files","text":"<p>First, you have to download and extract the latest release file.</p> <pre><code>mkdir /path/to/your/app &amp;&amp; cd /path/to/your/app\nwget &lt;https://github.com/OpenBAS-Platform/openbas/releases/download/{RELEASE_VERSION}/openbas-release-{RELEASE_VERSION}.tar.gz&gt;\ntar xvfz openbas-release-{RELEASE_VERSION}.tar.gz\n</code></pre>"},{"location":"deployment/installation/#install-the-main-platform","title":"Install the main platform","text":""},{"location":"deployment/installation/#configure-the-application","title":"Configure the application","text":"<p>You may change the <code>application.properties</code> file (located at the root of the extracted release archive) according to your needs; alternatively you may set the equivalent environment variables.</p> <pre><code>$ cd openbas\n$ ls\napplication.properties  openbas-api.jar\n</code></pre> <p>Mandatory configuration</p> <p>Note that the configuration keys relevant to the mandatory dependencies listed above must be set in the file or as environment variables.</p> <p>See the relevant Configuration sections for more details:</p> <ul> <li>PostgreSQL</li> <li>RabbitMQ</li> <li>MinIO</li> </ul>"},{"location":"deployment/installation/#start-the-application","title":"Start the application","text":"<p>Before you can start the application, ensure your dependencies are up and running, and healthy.</p> <p>Then start the application itself:</p> <pre><code>java -jar openbas-api.jar\n</code></pre> <p>Installation done</p> <p>You can now go to http://localhost:8080 and log in with the credentials configured in your <code>application.properties</code> file.</p>"},{"location":"deployment/installation/#build-the-application-locally","title":"Build the application locally","text":"<ol> <li>cd openbas-front yarn build</li> <li>cp -r builder/prod/* ../openbas-api/src/main/resources/static/ </li> <li>cd ../openbas-api</li> <li>mvn clean install -DskipTests</li> <li>create an application.properties based on the existing one in openbas-api and fill all the mandatory fields</li> <li>run java -jar target/openbas-api.jar --spring.config.location=%PATH%\\application.properties</li> </ol>"},{"location":"deployment/installation/#community-contributions","title":"Community contributions","text":""},{"location":"deployment/installation/#helm-charts","title":"Helm Charts","text":"<ul> <li> <p> Kubernetes Helm Charts</p> <p>OpenBAS Helm Charts for Kubernetes with a global configuration file. More information how to deploy here on basic installation and examples.</p> <p> GitHub Repository</p> </li> </ul>"},{"location":"deployment/installation/#deploy-behind-a-reverse-proxy","title":"Deploy behind a reverse proxy","text":"<p>If you want to use OpenBAS behind a reverse proxy with a context path, like <code>https://example.com/openbas</code>, please change the <code>base_path</code> static parameter.</p> <ul> <li><code>APP__BASE_PATH=/openbas</code></li> </ul> <p>By default OpenBAS use websockets so don't forget to configure your proxy for this usage, an example with <code>Nginx</code>:</p> <pre><code>location / {\n    proxy_cache                 off;\n    proxy_buffering             off;\n    proxy_http_version          1.1;\n    proxy_set_header Upgrade    $http_upgrade;\n    proxy_set_header Connection \"upgrade\";\n    proxy_set_header Host       $host;\n    chunked_transfer_encoding   off;\n    proxy_pass                  http://YOUR_UPSTREAM_BACKEND;\n  }\n</code></pre>"},{"location":"deployment/installation/#additional-memory-information","title":"Additional memory information","text":"<p>OpenBAS platform is based on a JAVA runtime. The application needs at least 4GB of RAM to work properly.</p>"},{"location":"deployment/installation/#postgresql","title":"PostgreSQL","text":"<p>PostgreSQL is the main database of OpenBAS. You can find more information in the official PostgresQL documentation.</p>"},{"location":"deployment/installation/#minio","title":"MinIO","text":"<p>MinIO is a small process and does not require a high amount of memory. More information are available for Linux here on the Kernel tuning guide.</p>"},{"location":"deployment/overview/","title":"Overview","text":"<p>Before starting the installation, let's discover how OpenBAS is working, which dependencies are needed and what are the minimal requirements to deploy it in production.</p>"},{"location":"deployment/overview/#architecture","title":"Architecture","text":"<p>The OpenBAS platform relies on several external databases and services in order to work.</p> <p></p>"},{"location":"deployment/overview/#platform","title":"Platform","text":"<p>The platform is the central part of the OpenBAS platform, allowing users to configure scenarios, simulations, atomic testings and all other components used in the context of breach and attack simulations and security validations.</p>"},{"location":"deployment/overview/#neutral-agents-executors","title":"Neutral agents / executors","text":"<p>Executors are embedded into the platform but you should configure at least one. This system is responsible for executing local injectors on endpoints.</p> <p>We developed a home-made XTM agent, and we support Caldera, Tanium and Crowdstrike. Others will be added in the near future.</p> <p>Tips</p> <p>If you want to learn more about how to deploy executors, you can have more info here.</p>"},{"location":"deployment/overview/#injectors","title":"Injectors","text":"<p>Injectors are used to interact with third-party applications or services (including execution on the endpoints through executors) in the context of a simulation or an atomic testing. A few injectors are built-in but most of them are standalone Python processes. </p> <p>Tips</p> <p>If you want to learn more about how to deploy injectors, you can have more info here.</p>"},{"location":"deployment/overview/#collectors","title":"Collectors","text":"<p>Collectors are used to connect to all security systems such as SIEMs, XDRs, EDRs, firewalls, mail gateways etc. to check if an inject (execution, emails, etc.) has been detected or prevented and fill the security posture. </p> <p>Tips</p> <p>If you want to learn more about how to deploy collectors, you can have more info here.</p>"},{"location":"deployment/overview/#infrastructure-requirements","title":"Infrastructure requirements","text":""},{"location":"deployment/overview/#dependencies","title":"Dependencies","text":"Component Recommended version CPU RAM Disk type Disk space PostgreSQL \u2265 17.0 2 cores \u2265 8GB SSD \u2265 16GB RabbitMQ &gt;= 4.0 1 core \u2265 512MB Standard \u2265 2GB S3 / MinIO \u2265 RELEASE.2023-02 1 core \u2265 128MB SSD \u2265 16GB <p>Please note that while the versions of these dependencies are the recommended ones, OpenBAS may still function with earlier versions. However, we will not provide support for versions prior to the recommended ones.</p>"},{"location":"deployment/overview/#platform_1","title":"Platform","text":"Component CPU RAM Disk type Disk space OpenBAS Core 2 cores \u2265 8GB None (stateless) - Injector(s) 1 core \u2265 128MB None (stateless) - Collector(s) 1 core \u2265 128MB None (stateless) -"},{"location":"deployment/resources/","title":"Resources","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"deployment/troubleshooting/","title":"Troubleshooting","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"deployment/upgrade/","title":"Upgrade","text":"<p>Depending on your installation mode, upgrade path may change.</p> <p>Migrations</p> <p>The platform is taking care of all necessary underlying migrations in the databases if any, you can upgrade OpenBAS from any version to the latest one, including skipping multiple major releases.</p>"},{"location":"deployment/upgrade/#using-docker","title":"Using Docker","text":"<p>Before applying this procedure, please update your <code>docker-compose.yml</code> file with the new version number of container images.</p>"},{"location":"deployment/upgrade/#for-single-node-docker","title":"For single node Docker","text":"<pre><code>$ sudo docker compose stop\n$ sudo docker compose pull\n$ sudo docker compose up -d\n</code></pre>"},{"location":"deployment/upgrade/#for-docker-swarm","title":"For Docker swarm","text":"<p>For each of services, you have to run the following command:</p> <pre><code>$ sudo docker service update --force service_name\n</code></pre>"},{"location":"deployment/upgrade/#manual-installation","title":"Manual installation","text":"<p>When upgrading the platform, you have to replace all files and restart the platform, the database migrations will be done automatically:</p> <pre><code>$ java -jar openbas-api.jar\n</code></pre>"},{"location":"deployment/ecosystem/collectors/","title":"Collectors","text":"<p>Tips</p> <p>If you want to learn more about the concept and features of collectors, you can have more info here.</p>"},{"location":"deployment/ecosystem/collectors/#installation","title":"Installation","text":""},{"location":"deployment/ecosystem/collectors/#external-python-collectors","title":"External (Python) collectors","text":""},{"location":"deployment/ecosystem/collectors/#configuration","title":"Configuration","text":"<p>All external collectors have to be able to access the OpenBAS API. To allow this connection, they have 2 mandatory configuration parameters, the <code>OPENBAS_URL</code> and the <code>OPENBAS_TOKEN</code>. In addition to these 2 parameters, collectors have other mandatory parameters that need to be set in order to get them work.</p> <p>Collector tokens</p> <p>You can use your administrator token or create another administrator service account to put in your collectors. It is not necessary to have one dedicated user for each collector.</p> <p>Here is an example of a collector <code>docker-compose.yml</code> file: <pre><code>- OPENBAS_URL=http://localhost\n- OPENBAS_TOKEN=ChangeMe\n- COLLECTOR_ID=ChangeMe # Specify a valid UUIDv4 of your choice \n- \"COLLECTOR_NAME=MITRE ATT&amp;CK\"\n- COLLECTOR_LOG_LEVEL=error\n</code></pre></p> <p>Here is an example in a collector <code>config.yml</code> file:</p> <pre><code>openbas:\n  url: 'http://localhost:3001'\n  token: 'ChangeMe'\n\ncollector:\n  id: 'ChangeMe'\n  name: 'MITRE ATT&amp;CK'\n  log_level: 'info'\n</code></pre>"},{"location":"deployment/ecosystem/collectors/#docker-activation","title":"Docker activation","text":"<p>You can either directly run the Docker image of collectors or add them to your current <code>docker-compose.yml</code> file.</p>"},{"location":"deployment/ecosystem/collectors/#add-an-collector-to-your-deployment","title":"Add an collector to your deployment","text":"<p>For instance, to enable the MITRE ATT&amp;CK collector, you can add a new service to your <code>docker-compose.yml</code> file:</p> <pre><code>  collector-mitre-attack:\n    image: openbas/collector-mitre-attack:1.0.0\n    environment:\n      - OPENBAS_URL=http://localhost\n      - OPENBAS_TOKEN=ChangeMe\n      - COLLECTOR_ID=ChangeMe\n      - \"COLLECTOR_NAME=MITRE ATT&amp;CK\"\n      - COLLECTOR_LOG_LEVEL=error\n    restart: always\n</code></pre>"},{"location":"deployment/ecosystem/collectors/#launch-a-standalone-collector","title":"Launch a standalone collector","text":"<p>To launch standalone collector, you can use the <code>docker-compose.yml</code> file of the collector itself. Just download the latest release and start the collector:</p> <pre><code>$ wget https://github.com/OpenBAS-Platform/collectors/archive/{RELEASE_VERSION}.zip\n$ unzip {RELEASE_VERSION}.zip\n$ cd collectors-{RELEASE_VERSION}/mitre-attack/\n</code></pre> <p>Change the configuration in the <code>docker-compose.yml</code> according to the parameters of the platform and of the targeted service. Then launch the collector:</p> <pre><code>$ docker compose up\n</code></pre>"},{"location":"deployment/ecosystem/collectors/#manual-activation","title":"Manual activation","text":"<p>If you want to manually launch collector, you just have to install Python 3 and pip3 for dependencies:</p> <pre><code>$ apt install python3 python3-pip\n</code></pre> <p>Download the release of the collectors:</p> <pre><code>$ wget &lt;https://github.com/OpenBAS-Platform/collectors/archive/{RELEASE_VERSION}.zip&gt;\n$ unzip {RELEASE_VERSION}.zip\n$ cd collectors-{RELEASE_VERSION}/mitre-attack/src/\n</code></pre> <p>Install dependencies and initialize the configuration:</p> <pre><code>$ pip3 install -r requirements.txt\n$ cp config.yml.sample config.yml\n</code></pre> <p>Change the <code>config.yml</code> content according to the parameters of the platform and of the targeted service and launch the collector:</p> <pre><code>$ python3 openbas_mitre.py\n</code></pre>"},{"location":"deployment/ecosystem/collectors/#collectors-status","title":"Collectors status","text":"<p>The collector status can be displayed in the dedicated section of the platform available in Integration &gt; collectors. You will be able to see the statistics of the RabbitMQ queue of the collector:</p> <p></p> <p>Problem</p> <p>If you encounter problems deploying OpenBAS or collectors, you can consult the troubleshooting page page.</p>"},{"location":"deployment/ecosystem/executors/","title":"Executors","text":""},{"location":"deployment/ecosystem/executors/#introduction","title":"Introduction","text":"<p>To be able to use the power of the OpenBAS platform on endpoints, you need at least one neutral executor that will be in charge of executing implants as detached processes. Implants will then execute payloads.</p> <p></p>"},{"location":"deployment/ecosystem/executors/#openbas-agent","title":"OpenBAS Agent","text":"<p>The OpenBAS agent is available for Windows, Linux and MacOS, it is the native / default way to execute implants and payloads on endpoints.</p> <p>Learn More</p>"},{"location":"deployment/ecosystem/executors/#tanium-agent","title":"Tanium Agent","text":"<p>The Tanium agent can be leveraged to execute implants as detached processes that will the execute payloads according to the OpenBAS architecture.</p>"},{"location":"deployment/ecosystem/executors/#configure-the-tanium-platform","title":"Configure the Tanium Platform","text":"<p>First of all, we are providing 2 Tanium packages to be imported in the Tanium platform.</p> <p></p> <p>Tanium package configuration</p> <p>Because OpenBAS should run implants as detached processed, you must uncheck the box \"Launch this package command in a process group\" in the package configuration:</p> <p></p> <p>Once configured and imported, retrieve the package IDs from the URL <code>ui/console/packages/XXXXX/preview</code>.</p>"},{"location":"deployment/ecosystem/executors/#configure-the-openbas-platform","title":"Configure the OpenBAS platform","text":"<p>To use the Tanium executor, just fill the following configuration.</p> Parameter Environment variable Default value Description executor.tanium.enable EXECUTOR_TANIUM_ENABLE <code>false</code> Enable the Tanium executor executor.tanium.url EXECUTOR_TANIUM_URL Tanium URL executor.tanium.api-key EXECUTOR_TANIUM_API-KEY Tanium API key executor.tanium.computer-group-id EXECUTOR_TANIUM_COMPUTER_GROUP_ID Tanium Computer Group to be used in simulations executor.tanium.windows-package-id EXECUTOR_TANIUM_WINDOWS_PACKAGE_ID ID of the OpenBAS Tanium Windows package executor.tanium.unix-package-id EXECUTOR_TANIUM_UNIX_PACKAGE_ID ID of the OpenBAS Tanium Unix package <p>Tanium API Key</p> <p>Please note that the Tanium API key should have the permissions to retrieve endpoint list from the Tanium GraphQL API as well as to launch packages on endpoints.</p>"},{"location":"deployment/ecosystem/executors/#checks","title":"Checks","text":"<p>Once enabled, you should see Tanium available in your <code>Install agents</code> section</p> <p></p> <p>Also, the assets in the selected computer groups should now be available in the endpoints section in OpenBAS:</p> <p></p> <p>NB : An Asset can only have one Tanium agent installed thanks to an unicity with hostname and IP parameters. If you try to install again a Tanium agent on a platform, it will overwrite the actual one and you will always see one endpoint on the OpenBAS endpoint page.</p> <p>Installation done</p> <p>You are now ready to leverage your Tanium platform to run OpenBAS payloads!</p>"},{"location":"deployment/ecosystem/executors/#crowdstrike-falcon-agent","title":"CrowdStrike Falcon Agent","text":"<p>The CrowdStrike Falcon agent can be leveraged to execute implants as detached processes that will the execute payloads according to the OpenBAS architecture.</p>"},{"location":"deployment/ecosystem/executors/#configure-the-crowdstrike-platform","title":"Configure the CrowdStrike Platform","text":""},{"location":"deployment/ecosystem/executors/#upload-openbas-scripts","title":"Upload OpenBAS scripts","text":"<p>First of all, you need to create two custom scripts, one for Windows and one for Unix, covering both Linux and MacOS systems.</p> <p>To create it, go to <code>Host setup and management</code> &gt; <code>Response and containment</code> &gt; <code>Response scripts and files</code>. The names of the scripts can be changed if necessary, they will be put in the OpenBAS configuration.</p> <p>Unix Script</p> Attribute Value name OpenBAS Subprocessor (Unix) shell type bash script access Users with the role of RTR Administrator or RTR Active Responder shared with workflows yes <p>Put the following script:</p> <pre><code>command=`echo $1 | grep -o '\"command\":\"[^\"]*' | grep -o '[^\"]*$'`\necho $command | base64 -d | sh\n</code></pre> <p>Put the following Input schema: <pre><code>{\n  \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n  \"properties\": {\n    \"command\": {\n      \"type\": \"string\"\n    }\n  },\n  \"required\": [\n    \"command\"\n  ],\n  \"type\": \"object\",\n  \"description\": \"This generated schema may need tweaking. In particular format fields are attempts at matching workflow field types but may not be correct.\"\n}\n</code></pre></p> <p></p> <p>Windows script</p> Attribute Value name OpenBAS Subprocessor (Windows) shell type PowerShell script access Users with the role of RTR Administrator or RTR Active Responder shared with workflows yes <p>Put the following script:</p> <pre><code>$command = $args[0] | ConvertFrom-Json | Select -ExpandProperty 'command';\ncmd.exe /d /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -NoProfile -Command \"Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([convert]::FromBase64String('$command')))\"\n</code></pre> <p>Put the following Input schema: <pre><code>{\n  \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n  \"properties\": {\n    \"command\": {\n      \"type\": \"string\"\n    }\n  },\n  \"required\": [\n    \"command\"\n  ],\n  \"type\": \"object\",\n  \"description\": \"This generated schema may need tweaking. In particular format fields are attempts at matching workflow field types but may not be correct.\"\n}\n</code></pre> </p> <p>Once created, your RTR scripts should have something like this:</p> <p></p>"},{"location":"deployment/ecosystem/executors/#create-a-host-group-with-your-targeted-assets","title":"Create a host group with your targeted assets","text":"<p>To create a host group, go to <code>Host setup and management</code> &gt; <code>Host groups</code>.</p>"},{"location":"deployment/ecosystem/executors/#configure-the-openbas-platform_1","title":"Configure the OpenBAS platform","text":"<p>CrowdStrike API Key</p> <p>Please note that the CrowdStrike API key should have the following permissions: API integrations, Hosts, Host groups, Real time response.</p> <p>To use the CrowdStrike executor, just fill the following configuration.</p> Parameter Environment variable Default value Description executor.crowdstrike.enable EXECUTOR_CROWDSTRIKE_ENABLE <code>false</code> Enable the Crowdstrike executor executor.crowdstrike.api-url EXECUTOR_CROWDSTRIKE_API_URL <code>https://api.us-2.crowdstrike.com</code> Crowdstrike API url executor.crowdstrike.client-id EXECUTOR_CROWDSTRIKE_CLIENT_ID Crowdstrike client id executor.crowdstrike.client-secret EXECUTOR_CROWDSTRIKE_CLIENT_SECRET Crowdstrike client secret executor.crowdstrike.host-group EXECUTOR_CROWDSTRIKE_HOST_GROUP Crowdstrike host group executor.crowdstrike.windows-script-name EXECUTOR_CROWDSTRIKE_WINDOWS_SCRIPT_NAME <code>OpenBAS Subprocessor (Windows)</code> Name of the OpenBAS Crowdstrike windows script executor.crowdstrike.unix-script-name EXECUTOR_CROWDSTRIKE_UNIX_SCRIPT_NAME <code>OpenBAS Subprocessor (Unix)</code> Name of the OpenBAS Crowdstrike unix script"},{"location":"deployment/ecosystem/executors/#checks_1","title":"Checks","text":"<p>Once enabled, you should see CrowdStrike available in your <code>Install agents</code> section</p> <p></p> <p>Also, the assets in the selected computer groups should now be available in the endpoints section in OpenBAS:</p> <p></p> <p>NB : An Asset can only have one CrowdStrike agent installed thanks to an unicity with hostname and IP parameters. If you try to install again a CrowdStrike agent on a platform, it will overwrite the actual one and you will always see one endpoint on the OpenBAS endpoint page.</p> <p>Installation done</p> <p>You are now ready to leverage your CrowdStrike platform to run OpenBAS payloads!</p>"},{"location":"deployment/ecosystem/executors/#caldera-agent","title":"Caldera Agent","text":"<p>The Caldera agent can be leveraged to execute implants as detached processes that will the execute payloads according to the OpenBAS architecture.</p> <p>Caldera already installed</p> <p>If you already have a working Caldera installation, just go directly to OpenBAS configuration section.</p>"},{"location":"deployment/ecosystem/executors/#deploy-caldera","title":"Deploy Caldera","text":"<p>To deploy Caldera, you can just add Caldera to the OpenBAS stack, we advise you to modify your <code>docker-compose.yml</code> and add a Caldera service:</p> <pre><code>services:\n  caldera:\n    image: openbas/caldera-server:5.1.0\n    restart: always\n    ports:\n      - \"8888:8888\"\n    environment:\n      CALDERA_URL: http://localhost:8888\n    volumes:\n      - type: bind\n        source: caldera.yml\n        target: /usr/src/app/conf/local.yml\n</code></pre> <p>As you can see in the configuration, you will also need a configuration file caldera.yml because Caldera does not support well environment variables for configuration.</p> <p>Download caldera.yml and put it alongside your <code>docker-compose.yml</code> file. This file must be modified prior launching, only change what is marked as * Change this*, listed below.</p> <pre><code>users:\n  red:\n    red: ChangeMe                                                                     # Change this\n  blue:\n    blue: ChangeMe                                                                    # Change this\napi_key_red: ChangeMe                                                                 # Change this\napi_key_blue: ChangeMe                                                                # Change this\napi_key: ChangeMe                                                                     # Change this\ncrypt_salt: ChangeMe                                                                  # Change this\nencryption_key: ChangeMe                                                              # Change this\napp.contact.http: http://caldera.myopenbas.myorganization.com:8888                    # Change this\napp.contact.tunnel.ssh.user_password: ChangeMe                                        # Change this\n</code></pre> <p>Just update your stack and check Caldera is running:</p> <pre><code>docker compose up -d\n</code></pre>"},{"location":"deployment/ecosystem/executors/#openbas-configuration","title":"OpenBAS configuration","text":"<p>Then, just change the OpenBAS configuration as follow:</p> Parameter Environment variable Default value Description executor.caldera.enable EXECUTOR_CALDERA_ENABLE <code>false</code> Enable the Caldera executor executor.caldera.url EXECUTOR_CALDERA_URL Caldera URL executor.caldera.public-url EXECUTOR_CALDERA_PUBLIC-URL Caldera URL accessible from endpoints (ex: http://caldera.myopenbas.myorganization.com:8888) executor.caldera.api-key EXECUTOR_CALDERA_API-KEY Caldera API key"},{"location":"deployment/ecosystem/executors/#agents","title":"Agents","text":""},{"location":"deployment/ecosystem/executors/#deploy-agents","title":"Deploy agents","text":"<p>Once enabled, you should see Caldera available in your <code>Install agents</code> section:</p> <p></p> <p>OpenBAS has built-in instruction if you want command line examples to deploy the agent on one endpoint.</p> <p></p> <p>Caldera AV detection</p> <p>By default, the Caldera agent \"Sandcat\" is detected and blocked by antivirus. Here, we are using Caldera as a neutral executor that will execute implants that will execute payloads, so you need to add the proper AV exclusions as instructed in the OpenBAS screen.</p> <p></p>"},{"location":"deployment/ecosystem/executors/#checks_2","title":"Checks","text":"<p>All assets with a proper Caldera agent installed using the OpenBAS provided command line (then persistent) should now be available in the OpenBAS endpoints list.</p> <p></p> <p>NB : An Asset can only have one Caldera agent installed thanks to an unicity with hostname and IP parameters. If you try to install again a Caldera agent on a platform, it will overwrite the actual one and you will always see one endpoint on the OpenBAS endpoint page.</p>"},{"location":"deployment/ecosystem/injectors/","title":"Injectors","text":"<p>Tips</p> <p>If you want to learn more about the concept and features of injectors, you can have more info here.</p> <p>Injectors list</p> <p>You are looking for the available injectors? The list is in the OpenBAS Ecosystem.</p>"},{"location":"deployment/ecosystem/injectors/#installation","title":"Installation","text":""},{"location":"deployment/ecosystem/injectors/#built-in-injectors","title":"Built-in injectors","text":"<p>Some injectors such as email, SMS, media pressure, etc. are directly embedded into the application. To configure them,  just add the proper configuration parameters in your platform configuration.</p>"},{"location":"deployment/ecosystem/injectors/#external-python-injectors","title":"External (Python) injectors","text":""},{"location":"deployment/ecosystem/injectors/#configuration","title":"Configuration","text":"<p>All external injectors have to be able to access the OpenBAS API. To allow this connection, they have 2 mandatory configuration parameters, the <code>OPENBAS_URL</code> and the <code>OPENBAS_TOKEN</code>. In addition to these 2 parameters, injectors have other mandatory parameters that need to be set in order to get them work.</p> <p>Injector tokens</p> <p>You can use your administrator token or create another administrator service account to put in your injectors. It is not necessary to have one dedicated user for each injector.</p> <p>Here is an example of a injector <code>docker-compose.yml</code> file: <pre><code>- OPENBAS_URL=http://localhost\n- OPENBAS_TOKEN=ChangeMe\n- INJECTOR_ID=ChangeMe # Specify a valid UUIDv4 of your choice\n- \"INJECTOR_NAME=HTTP query\"\n- INJECTOR_LOG_LEVEL=error\n</code></pre></p> <p>Here is an example in a injector <code>config.yml</code> file:</p> <pre><code>openbas:\n  url: 'http://localhost:3001'\n  token: 'ChangeMe'\n\ninjector:\n  id: 'ChangeMe'\n  name: 'HTTP query'\n  log_level: 'info'\n</code></pre>"},{"location":"deployment/ecosystem/injectors/#networking","title":"Networking","text":"<p>Be aware that all injectors are reaching RabbitMQ based the RabbitMQ configuration provided by the OpenBAS platform. The injector must be able to reach RabbitMQ on the specified hostname and port. If you have a specific Docker network configuration, please be sure to adapt your <code>docker-compose.yml</code> file in such way that the injector container gets attached to the OpenBAS Network, e.g.:</p> <pre><code>networks:\n  default:\n    external: true\n    name: openbas-docker_default\n</code></pre>"},{"location":"deployment/ecosystem/injectors/#docker-activation","title":"Docker activation","text":"<p>You can either directly run the Docker image of injectors or add them to your current <code>docker-compose.yml</code> file.</p>"},{"location":"deployment/ecosystem/injectors/#add-an-injector-to-your-deployment","title":"Add an injector to your deployment","text":"<p>For instance, to enable the HTTP query injector, you can add a new service to your <code>docker-compose.yml</code> file:</p> <pre><code>  injector-http-query:\n    image: openbas/injector-http-query:latest\n    environment:\n      - OPENBAS_URL=http://localhost\n      - OPENBAS_TOKEN=ChangeMe\n      - INJECTOR_ID=ChangeMe\n      - \"INJECTOR_NAME=HTTP query\"\n      - INJECTOR_LOG_LEVEL=error\n    restart: always\n</code></pre>"},{"location":"deployment/ecosystem/injectors/#launch-a-standalone-injector","title":"Launch a standalone injector","text":"<p>To launch standalone injector, you can use the <code>docker-compose.yml</code> file of the injector itself. Just download the latest release and start the injector:</p> <pre><code>$ wget https://github.com/OpenBAS-Platform/injectors/archive/{RELEASE_VERSION}.zip\n$ unzip {RELEASE_VERSION}.zip\n$ cd injectors-{RELEASE_VERSION}/http-query/\n</code></pre> <p>Change the configuration in the <code>docker-compose.yml</code> according to the parameters of the platform and of the targeted service. Then launch the injector:</p> <pre><code>$ docker compose up\n</code></pre>"},{"location":"deployment/ecosystem/injectors/#manual-activation","title":"Manual activation","text":"<p>If you want to manually launch injector, you just have to install Python 3 and pip3 for dependencies:</p> <pre><code>$ apt install python3 python3-pip\n</code></pre> <p>Download the release of the injectors:</p> <pre><code>$ wget &lt;https://github.com/OpenBAS-Platform/injectors/archive/{RELEASE_VERSION}.zip&gt;\n$ unzip {RELEASE_VERSION}.zip\n$ cd injectors-{RELEASE_VERSION}/http-query/src/\n</code></pre> <p>Install dependencies and initialize the configuration:</p> <pre><code>$ pip3 install -r requirements.txt\n$ cp config.yml.sample config.yml\n</code></pre> <p>Change the <code>config.yml</code> content according to the parameters of the platform and of the targeted service and launch the injector:</p> <pre><code>$ python3 openbas_http.py\n</code></pre>"},{"location":"deployment/ecosystem/injectors/#injectors-status","title":"Injectors status","text":"<p>The injector status can be displayed in the dedicated section of the platform available in Integration &gt; injectors. You will be able to see the statistics of the RabbitMQ queue of the injector:</p> <p></p> <p>Problem</p> <p>If you encounter problems deploying OpenBAS or injectors, you can consult the troubleshooting page page.</p>"},{"location":"development/api-usage/","title":"REST API","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"development/build_from_source/","title":"Building from source","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"development/collectors/","title":"Collector development","text":""},{"location":"development/collectors/#detection-prevention-siem-xdr-edr-ndr","title":"Detection &amp; Prevention (SIEM, XDR, EDR, NDR)","text":""},{"location":"development/collectors/#introduction","title":"Introduction","text":"<p>This guide explains how to implement an OpenBAS collector for a EDR/XDR, to retrieve security events and compare them against injected expectations in OpenBAS.</p>"},{"location":"development/collectors/#implementing-the-collector","title":"Implementing the Collector","text":"<p>The following documentation is based on the CrowdStrike Collector.</p>"},{"location":"development/collectors/#1-retrieving-expectations","title":"1. Retrieving Expectations","text":"<p>The first step involves fetching all expectations that have not yet been fulfilled by your collector. These expectations must be validated within a short timeframe to assess the responsiveness of your EDR/XDR (default: 45 minutes). If this period is exceeded, the expectations will be marked as failed.</p>"},{"location":"development/collectors/#2-retrieving-alerts","title":"2. Retrieving Alerts","text":"<p>This step focuses on collecting alerts from your service tiers. There are two key aspects to define:</p> <ul> <li>How to extract relevant information from an alert to match OpenBAS signatures.</li> <li>How to determine whether the alert successfully prevented or detected the attack based on the expectations.</li> </ul> <p>Definition: a signature is a way to find an attack in an alert.</p> Signature Description PARENT_PROCESS_NAME The parent process name of the attack, which corresponds to the implant name created with openbas-implant-INJECT_ID.exe"},{"location":"development/collectors/#3-matching-expectations","title":"3. Matching Expectations","text":"<p>The final step involves aligning retrieved expectations with logs and signatures from your service tiers to ensure proper validation.</p> <p></p>"},{"location":"development/collectors/#use-it","title":"Use it","text":"<p>Now, you can launch your collector by connecting it with OpenBAS. Your collector will register to OpenBAS and you can view in Integrations &gt; Collectors.</p> <p></p>"},{"location":"development/environment_ubuntu/","title":"Prerequisites Ubuntu","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"development/environment_windows/","title":"Prerequisites Windows","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"development/injectors/","title":"Injector development","text":"<p>What are injectors?</p> <p>For a functional overview of the role of Injectors within the OpenBAS ecosystem, please refer to the User Guide section on Injectors.</p>"},{"location":"development/injectors/#introduction","title":"Introduction","text":"<p>This guide explains how to implement an OpenBAS injector, to extend the platform's capabilities by adding new type of injects.</p> <p>Note</p> <p>The following is based on the Filigran-maintained HTTP Injector and only highlights the larger picture of the steps to create an injector from scratch. Please refer to the HTTP injector's codebase for an example of the implementation of a functional injector.</p>"},{"location":"development/injectors/#implementing-the-injector","title":"Implementing the Injector","text":""},{"location":"development/injectors/#1-define-one-or-more-contracts","title":"1. Define one or more contracts","text":"<p>The contract is the list of parameters and corresponding fields that will constitute the data that the injector will handle as part of its core logic. It describes how OpenBAS will parse and display the input form in the GUI for defining new injects to be executed by the injector. It is also the data structure that the injector handles internally to access the parameter values.</p> <p>\ud83d\udc0d Python-based injectors</p> <p>For injectors created with the Python language, Filigran maintains the <code>pyobas</code> library which provides a wealth of utility classes to compose a functional contract.</p> <p>Note however that injectors are typically independent processes communicating with OpenBAS via a network transport,  and may be implemented in any language.</p>"},{"location":"development/injectors/#2-define-the-internal-logic","title":"2. Define the internal logic","text":"<p>The next step is to implement the internal logic based on the parameters defined in the contract. When the inject executes an inject based on its contract, it will retrieve the parameters provided by the end user and use them within its internal logic to perform the necessary actions.</p>"},{"location":"development/injectors/#use-it","title":"Use it","text":"<p>Now, the new injector may be launched as a new process, and it should register with OpenBAS. It will then be listed in Integrations &gt; Injectors and its inject contracts should be available for creating new injects.</p> <p></p>"},{"location":"development/platform/","title":"Platform development","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"reference/apis/filters/","title":"Filter knowledge","text":"<p>In OpenBAS, you can filter data to focus on or display information with specific attributes.</p>"},{"location":"reference/apis/filters/#filters-usages","title":"Filters usages","text":""},{"location":"reference/apis/filters/#dynamic-filters","title":"Dynamic filters","text":"<p>Dynamic filters allow you to filter the UI view based on the attributes present in the data, such as the list of scenarios or simulations.</p> <p>These filters are not stored in the database. However, they remain persistent on the frontend of the platform. Your web browser saves the filters you set in different areas of the platform in local storage, allowing you to retrieve them when you return to the same view. This way, you can continue working from where you left off.</p> <p>Additionally, the filters applied in a view are saved as URL parameters, enabling you to save and share links to these filtered views.</p> <p></p>"},{"location":"reference/apis/filters/#create-a-filter","title":"Create a filter","text":"<p>To create a filter, add every key you need using the 'Add filter' select box. It will give you the possible attributes on which you can filter in the current view.</p> <p>A grey box appears and allows to select:</p> <ol> <li>the operator to use, and</li> <li>the values to compare (if the operator is not \"empty\" or \"not empty\").</li> </ol> <p>You can add as many filters as you need.</p> <p></p> <p>The boolean modes (and/or) are global (between every attribute filters) and can be switched with a single click, changing the logic of your filtering.</p> <p></p>"},{"location":"reference/apis/filters/#filters-format","title":"Filters format","text":"<p>The OpenBAS platform uses a filter format called <code>FilterGroup</code>. The <code>FilterGroup</code> model enables to do complex filters imbrication with different boolean operators, which extends greatly the filtering capabilities in every part of the platform.</p>"},{"location":"reference/apis/filters/#structure","title":"Structure","text":"<p>The format can be described as below:</p> <pre><code>{\n  \"filterGroup\": {\n    \"mode\": \"and\",\n    // or \"or\"\n    \"filters\": [\n      {\n        \"key\": \"name\",\n        \"mode\": \"or\",\n        // or \"and\"\n        \"values\": [\n          \"value1\",\n          \"value2\"\n        ],\n        \"operator\": \"contains\"\n        // or \"not_contains\", \"eq\", \"not_eq\", \"starts_with\", \"not_starts_with\",\n        // \"empty\", \"not_empty\"\n      }\n    ]\n  }\n}\n</code></pre>"},{"location":"reference/apis/filters/#properties","title":"Properties","text":"<p>In a given filter group, the <code>mode</code> (<code>and</code> or <code>or</code>) represents the boolean operation between the different <code>filters</code> and <code>filterGroups</code> arrays. The <code>filters</code> and <code>filterGroups</code> arrays are composed of objects of type Filter and FilterGroup.</p> <p>The <code>Filter</code> has 4 properties:</p> <ul> <li>a <code>key</code>, representing the kind of data we want to target (example: <code>tags</code> to filter on tags or <code>name</code> to   filter on the data's name),</li> <li>an array of <code>values</code>, representing the values we want to compare to,</li> <li>an <code>operator</code> representing the operation we want to apply between the <code>key</code> and the <code>values</code>,</li> <li>a <code>mode</code> (<code>and</code> or <code>or</code>) to apply between the values if there are several ones.</li> </ul>"},{"location":"reference/apis/filters/#operators","title":"Operators","text":"<p>The available operators are:</p> Value Meaning contains contains not_contains not contains eq equal not_eq different empty empty / no value not_empty non-empty / any value <p>In addition, there are operators:</p> <ul> <li><code>starts_with</code> / <code>not_starts_with</code>, available for searching in short string fields (name, value, title, etc.),</li> </ul>"},{"location":"usage/assets/","title":"Assets","text":"<p>The Assets section provides users with a centralized hub for managing and organizing the entities targeted for testing and simulation.</p> <p>When you click on \u201cAssets\u201d in the left-hand banner, you see all the \u201cAssets\u201d pages. When accessing the Assets section, users are directed by default to the Endpoints page, where they can start managing their assets.</p> <p>From the <code>Assets</code> section, users can access the following pages:</p> <ul> <li><code>Endpoints</code>: Individual entities, representing any object or terminal that can be connected to a network.</li> <li><code>Asset groups</code>: Group of asset allowing you to organize endpoints into logical groups based on various filters applied   by the user.</li> </ul>"},{"location":"usage/assets/#endpoints","title":"Endpoints","text":"<p>Endpoints encompass devices and systems that connect to a network, serving as the foundation for interaction with OpenBAS.</p> <p>The list of endpoints continues to grow with the changing landscape of networked technologies and the increasing interconnectivity of digital ecosystems. Below is a non-exhaustive list of terminal categories:</p> <ul> <li>Computers: This category encompasses a wide range of computing devices, including desktops, laptops, and servers   deployed within organizational networks.</li> <li>Mobile devices: Smartphones and tablets represent another prominent category of endpoints, providing users with   mobile access to network resources and services.</li> <li>Workstations: Workstations refer to terminals or dedicated machines utilized by individuals or groups to perform   specific tasks or access networked resources. These systems are typically tailored to meet specific operational   requirements and may include specialized software or configurations.</li> <li>IoT devices: The Internet of Things (IoT) encompasses a diverse array of interconnected devices and sensors. IoT   endpoints include smart thermostats, cameras, environmental sensors, smart watches, and health tracking devices, among   others.</li> </ul> <p>When accessing the Endpoints pages, you see the list of all endpoints imported in your platform. Here, users can manage  details specific to each endpoint.</p> <p>Note</p> <p>Openbas marks an endpoint as inactive if none of its agents have communicated within one hour.</p> <p></p> <p>By clicking on an endpoint, you will be able to access its details :</p> <p></p> <p>To register new endpoints, you will need to install an agent. You can find detailed instructions on the agent installation page.</p>"},{"location":"usage/assets/#asset-groups","title":"Asset groups","text":"<p>Asset groups serve as a mechanism for organizing and grouping related Endpoints. These groups are constructed based on filters that define the criteria for inclusion, allowing administrators to segment and categorize Endpoints based on common characteristics or attributes.</p> <p>When creating a new asset group, administrators have the flexibility to specify the filters that will delineate the group's membership. Currently, the platform offers a range of filters such as platform type, hostname, and IP addresses. We plan to extend the possibilities by including additional filters in future updates.</p> <p></p>"},{"location":"usage/assets/#security-platforms","title":"Security platforms","text":"<p>Some integrations in OpenBAS are connected to your security platforms, such as Microsoft Sentinel, Microsoft Defender, etc., and can be viewed on this screen.</p> <p>OpenBAS strives to support as many integrations as possible with the most popular tools on the market. However, if your security platform integration is not yet available, you can create it manually here.</p> <p></p>"},{"location":"usage/atomic/","title":"Atomic testing","text":"<p>Under construction</p> <p>We are doing our best to complete this page.  If you want to participae, dont hesitate to join the Filigran Community on Slack  or submit your pull request on the Github doc repository.</p> <p>When clicking on Atomic testing in the left menu, you access to the list of all atomic testings ever launched in the platform.</p> <p>Atomic testing is a great way to simulate a singular attack technique you are particulary interested in, and test immediately your capability to prevent and detect it.</p> <p>You can search for a specific one by name.</p> <p>The presented list allows you to easily see global scores of all your recent atomic testings.</p> <p></p>"},{"location":"usage/atomic/#create-an-atomic-testing","title":"Create an Atomic testing","text":"<p>An atomic testing is essentially the simulation of a single inject, against a selection of targets (Players, Teams, Assets, Assets Group) with assorted expectations.</p> <p>By clicking on the + button at the bottom right of the screen, you enter the atomic testing creation workflow.</p> <p>On the left of the creation screen is the list of all available Inject you can play for atomic testing. Logos on the left of each line indicates which Injector is associated with each inject.</p> <p>Depending on your integrations, this list can be long. You can filter the list by compatible platforms or by Mitre Att&amp;ck tactics.By clicking on the \"Att&amp;CK\" logo near the search bar, you can also filter by selecting a precise Mitre Att&amp;ck techniques.</p> <p>When selecting an inject on the left, the form on the right populates itself with a by-default title and propose you to define when the inject should be played after the launch of the atomic testing. You can keep it to 0.</p> <p>By clicking on Inject content, you can define now or later the targeted assets or players, needed configurations, and the assorted expectations.</p> <p>The \"available variables\" button helps you to use already defined variables into compatible fields.</p>"},{"location":"usage/atomic/#atomic-testing-screens","title":"Atomic testing screens","text":"<p>Details of an Atomic testing is composed of three parts: - a header allowing to launch the test, see its state and update/delete it. - an Overview screen to eaily see the results of the test. - an execution details screen to see expectations of the test and investigate on execution logs</p>"},{"location":"usage/atomic/#overview","title":"Overview","text":"<p>The first screen displayed when you click on a specific Atomic testing from the list is a breakdown of your security posture against this test. </p> <p>As for Simulation and Scenario, Results are broken down into: - Prevention: the ability of your security posture to prevent the inject - Detection: the ability of your security posture to detect the inject - Human response: the ability of your security teams to react as intented facing the inject</p> <p>Big metrics on top of the screen sum up the expectations' result of all targets. </p> <p>The list of targets on the left allows you to easily see the result per Target, and for example investigate further why a specific Asset have failed the test.</p> <p>For a selected target, you can on the right the timeline of the test against the target and the assorted results. The result logs are also displayed.</p> <p></p>"},{"location":"usage/atomic/#execution-details","title":"Execution details","text":"<p>On this screen, you can retrieve details about the configuration, the command lines (if relevant) and the execution logs of the atomic testing and its expectations.</p> <p>You can also see the raw execution logs of the Injector responsible for the test execution.</p> <p></p>"},{"location":"usage/collectors/","title":"Collectors","text":"<p>Collectors list</p> <p>You are looking for the available collectors? The list is in the OpenBAS Ecosystem.</p>"},{"location":"usage/collectors/#introduction","title":"Introduction","text":"<p>Collectors are one of the cornerstones of the OpenBAS platform, they are responsible for pulling data from various external services for two purposes:</p> <ul> <li>Collect all alerts, logs and traces related to attacks, incidents or crisis and match them to simulated injects to   evaluate the security posture.</li> <li>Collect any data that may help to schedule breach and attack simulations such as list of assets, groups, identities,   payloads, etc.</li> </ul>"},{"location":"usage/collectors/#detection-prevention-siem-xdr-edr-ndr","title":"\ud83d\udee1\ufe0f Detection &amp; Prevention (SIEM, XDR, EDR, NDR)","text":"<p>Those collectors are the most important ones as they are used to evaluate the security posture (response to injects) from various detection and response systems and fulfill expectations for detection and prevention.</p>"},{"location":"usage/collectors/#detection-prevention-with-edr","title":"Detection &amp; Prevention with EDR","text":"<p>For EDRs, we analyze the tool's logs to identify matches for the hostname and the parent process name associated with the attack. If the attack is initiated by the OpenBAS agent, the parent process name will follow this format: openbas-implant-INJECT_ID.exe.</p>"},{"location":"usage/collectors/#detection-prevention-with-siem","title":"Detection &amp; Prevention with SIEM","text":"<p>For SIEMs, we rely on the upstream-deployed EDR, whose logs are collected by the SIEM. If the EDR confirms an expectation of type detection or prevention, we trace this information back in the SIEM to validate it as well.</p> <p>This means that within the workflow, the EDR collector must first validate the expectation before the SIEM collector can perform its task.</p>"},{"location":"usage/collectors/#threat-intelligence","title":"\ud83e\uddec Threat Intelligence","text":"<p>Those collectors are used to collect threat intelligence data such as kill chains, scenarios, TTPs, payloads, etc.</p>"},{"location":"usage/collectors/#endpoint-management","title":"\ud83d\udcfa Endpoint management","text":"<p>Those collectors are pulling alternative information about your endpoints and assets to complete the overview about your current posture in terms of vulnerabilities and compliance.</p>"},{"location":"usage/collectors/#identities","title":"\ud83c\udfad Identities","text":"<p>Those collectors are pulling all information related to identities, including human assets, to be used in scenario or to complete the view overview about your current posture.</p>"},{"location":"usage/collectors/#others","title":"\ud83d\udd2d Others","text":"<p>All other system OpenBAS can pull from, to add more meaningful and relevant information to the view of your security posture.</p>"},{"location":"usage/components/","title":"Components","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"usage/default_asset_rules/","title":"Default Asset Rules","text":"<p>Default Asset Rules let you define Asset Groups that are automatically applied to Injects based on a Scenario\u2019s tags. Each Asset Rule consists of a Tag and list of Asset Groups</p> <p>You can manage these rules in Settings \u2192 Customization.</p> <p>When you create an Inject in a Scenario, if the Scenario has a tag matching one of the Asset Rules, the associated default Asset Groups are automatically applied to that Inject. When a Scenario is updated, if you add a tag matching one of the Asset Rules, a pop-up will appear asking if you want to apply those default Asset Groups to the existing Injects in the Scenario.</p>"},{"location":"usage/default_asset_rules/#opencti-default-rule","title":"OpenCTI default rule","text":"<p>By default, a rule for the opencti tag is created. This tag is automatically applied to Scenarios generated from OpenCTI (see Generating Scenario from OpenCTI ). This default rule cannot be removed, and its tag cannot be modified.</p> <p></p>"},{"location":"usage/expectations/","title":"Expectations","text":"<p>Expectations define what is expected from an Asset (endpoint) or a Players when facing an Inject in terms of security posture. Each expectation has a score representing how well it has been met by the target.</p>"},{"location":"usage/expectations/#expectation-types","title":"Expectation types","text":"<p>Expectations can be categorized as either Manual or Automatic, depending on how they are validated.</p>"},{"location":"usage/expectations/#manual-expectations","title":"Manual expectations","text":"<p>Manual expectations require manual validation by the animation team, with the validation process and scoring managed manually. They are simple, customizable expectations to be manually validated.</p>"},{"location":"usage/expectations/#automatic-expectations","title":"Automatic expectations","text":"<p>Automatic expectations are validated automatically under specific conditions. Currently available automatic expectations include:</p> <ul> <li><code>Automatic - Prevention: Triggered when inject is processed</code>: automatically validated by security integration with   compatible Collectors if the inject's action generates a prevention alert, such as quarantine.</li> <li><code>Automatic - Detection: Triggered when inject is processed</code>: automatically validated by security integration with   compatible Collectors if the inject's action generates a detection alert, such as an incident.</li> <li><code>Automatic - Triggered when target reads articles</code>: Automatically validated when the article of a Media pressure inject   has been read by targets.</li> </ul>"},{"location":"usage/expectations/#validation-mode","title":"Validation Mode","text":"<p>There are two modes for validating an expectation :</p> <ul> <li> <p><code>All targets (per group) must validate the expectation</code> : in this case, the result depends on every group member's performance. If one target fails, the entire team fails. The score is calculated as the average of all targets' scores.</p> </li> <li> <p><code>At least one target (per group) must validate the expectation</code> : here, the success of the group depends on at least one target succeeding. If one target succeeds, the group is considered successful. The score is an average of all successful targets' scores.</p> </li> </ul> <p></p>"},{"location":"usage/expectations/#expectation-manipulation","title":"Expectation manipulation","text":""},{"location":"usage/expectations/#add-an-expectation-to-an-inject","title":"Add an expectation to an Inject","text":"<p>To add expectations to an inject, navigate to the inject's content and click on \"Add expectations\". From there, select the type of expectation you want to add and set a score for it.</p> <p>You can add multiple expectations to a single inject.</p>"},{"location":"usage/expectations/#validate-a-manual-expectation","title":"Validate a manual expectation","text":"<p>If you have configured manual expectations in your scenario, you will have the opportunity to handle manual validations during each simulation. During a Simulation, navigate to the Animation tab, under the Validation screen. Here, you'll find a list of expectations that require manual validation.</p>"},{"location":"usage/expectations/#customize-expectations","title":"Customize expectations","text":""},{"location":"usage/expectations/#default-score","title":"Default score","text":"<p>Expectations have a default score at creation. Depending on the expectation's type, there is a default score value set in the system.</p> <ul> <li>In the Docker .env file thanks to these variables</li> </ul> Parameter Environment variable Default value Description openbas.expectation.manual.default-score-value OPENBAS_EXPECTATION_MANUAL_DEFAULT-SCORE-VALUE 50 Default score value for manual expectation"},{"location":"usage/expectations/#expiration-time","title":"Expiration time","text":"<p>Expectations results must be validated within a time limit. Depending on the expectation's type, there is a default expiration time set in the system. You have two ways to modify that expiration time:</p> <ul> <li>In the Docker .env file thanks to these variables</li> </ul> Parameter Environment variable Default value Description openbas.expectation.technical.expiration-time OPENBAS_EXPECTATION_TECHNICAL_EXPIRATION-TIME 21600 Expiration time for Technical expectation (detection &amp; prevention) openbas.expectation.detection.expiration-time OPENBAS_EXPECTATION_DETECTION_EXPIRATION-TIME 21600 Expiration time for detection expectation openbas.expectation.prevention.expiration-time OPENBAS_EXPECTATION_PREVENTION_EXPIRATION-TIME 21600 Expiration time for prevention expectation openbas.expectation.human.expiration-time OPENBAS_EXPECTATION_HUMAN_EXPIRATION-TIME 86400 Expiration time for human expectation (manual, challenge &amp; article) openbas.expectation.challenge.expiration-time OPENBAS_EXPECTATION_CHALLENGE_EXPIRATION-TIME 86400 Expiration time for challenge expectation openbas.expectation.article.expiration-time OPENBAS_EXPECTATION_ARTICLE_EXPIRATION-TIME 86400 Expiration time for article expectation openbas.expectation.manual.expiration-time OPENBAS_EXPECTATION_MANUAL_EXPIRATION-TIME 86400 Expiration time for manual expectation <p>A default expiration time is set for technical and human expectations. Users can override them for each type of expectations.</p> <ul> <li>In the UI</li> </ul> <p></p> <p>When creating an expectation, users can set an expiration time. The system's default times are set on the form and users decide to override it.</p>"},{"location":"usage/getting-started/","title":"Getting started","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p> <p>This guide aims to give you a full overview of the OpenBAS features and workflows. The platform can be used in various contexts to handle Breach and Attack simulations at technical or strategical levels. OpenBAS has been designed as a part of the Filigran XTM suite and can be integrated with OpenCTI to generate meaningful attack scenarios based on real threat. OpenBAS is result-oriented with many dashboards helping you to evaluate you security posture given a defined context.</p> <p>Here are some examples of use cases:</p> <ul> <li>Designing attack scenario based on real threat</li> <li>Evaluate your security posture against technical simulations on endpoints</li> <li>Enhance team skills by evaluating them during simulations along with your security systems</li> <li>Organize Capture The Flag with multiple challenges</li> <li>Conduct atomic testing</li> </ul>"},{"location":"usage/getting-started/#welcome-dashboard","title":"Welcome dashboard","text":"<p>The welcome page provides every OpenBAS platform visitor with a snapshot of the platform activity as well as an overview of your global security posture. You can find more information in this section.</p>"},{"location":"usage/getting-started/#your-first-breach-and-attack-simulation","title":"Your first Breach and Attack Simulation","text":""},{"location":"usage/getting-started/#creating-or-importing-players-and-assets-to-play-with","title":"Creating or Importing players and assets to play with","text":"<p>First, you need to create or import Players and Assets that will participate in the simulation and be targeted by technical or strategical events. To do so, you can either create players and teams or deploy agent on assets.</p>"},{"location":"usage/getting-started/#building-your-scenario","title":"Building your Scenario","text":"<p>Once integrations is done, you are ready to create your first Scenario!</p> <p>Scenarios act as template for your Breach and Attack simulations. After establishing such a template, you will be able to schedule it as a one shot simulation, or as a recurring one.</p> <ul> <li>First, go to the Scenarios menu and create a new one with the + button.</li> <li>Once done, define Teams that will be playing in this Scenario by going to   the Definition/Teams tab</li> <li>Now go to the Injects tab and add some to build the serie of events that will define the core of your   Scenario. If you want to stay strategical, you can select inject like \"Send individual mails\". If you want to go   technical, you can select injects linked to attack pattern (Caldera integration allows you to play hundreds of them).</li> <li>Then, define who or what will be targeted by those injects, customize them, and define what is expected   to happen. For example, you expect the targeted team to perform a specific action and the animation team will   validated this expectation manually. Or, you expect the technical event to be prevented and it will be automatically   checked through your integrations with your security systems.</li> <li>Do not forget to define when the inject is played in the scenario chronology.</li> </ul> <p>Optionally, you can enhance your scenario by adding Documents, Media pressures, or even CTF Challenges to your injects.</p>"},{"location":"usage/getting-started/#play-the-simulation","title":"Play the simulation","text":"<p>You can now schedule your Simulation by hitting the blue \"Simulate now\" button. Choose your moment and hit start.</p> <p>On time, a Simulation based on your Scenario template is generated. It is listed in your Scenario overview and in the Simulations menu. From there, you can follow the course of the Simulation and interact with it, for example to validate manual expectations.</p> <p>During the course of the simulation, results are updated and can be consulted in the Simulation overview.</p>"},{"location":"usage/getting-started/#evaluate-your-security-posture","title":"Evaluate your security posture","text":"<p>Results in OpenBAS are based on expectations' results that are linked to injects played during Simulations. It is then important to manually validate expectations that need it.</p> <p>Results are broken down by \"Prevention\", \"Detection\" and \"Human response\" metrics.</p> <ul> <li>Prevention displays your ability to prevent the scenario's technical events to be completed</li> <li>Detection displays your ability to detect the scenario's technical events</li> <li>HUman response displays how well players and teams react as expected facing the scenario's events.</li> </ul>"},{"location":"usage/inject-caldera/","title":"Caldera injects","text":"<p>The Caldera framework, developed by MITRE, is a powerful framework designed to simulate cyberattacks. It enables security teams to conduct realistic and controlled simulations of adversary behavior, reducing the amount of time and resources needed for routine cybersecurity testing.</p>"},{"location":"usage/inject-caldera/#injects","title":"Injects","text":"<p>In OpenBAS, the Caldera framework has been fully integrated, offering users access to a comprehensive library of injects for conducting simulation exercises. With this integration, users can leverage the extensive capabilities of Caldera within OpenBAS.</p> <p>Caldera offers 1600+ abilities, covering the full range of ATT&amp;CK tactics and techniques. These capabilities equip security teams with an extensive toolkit to simulate various threats and assess defense mechanisms effectively.</p>"},{"location":"usage/inject-caldera/#behavior","title":"Behavior","text":"<p>Injects within the Caldera framework can be played on both individual Endpoints and Asset groups. Prior to playing injects, Caldera agents need to be installed on the target machines to enable interaction with the platform.</p> <p>Once the agents are deployed, simulations with Caldera injects can be executed. The platform will contact the Agent to start the ability. Subsequently, the agents will report the results to OpenBAS. Below is the workflow illustrating the behavior of injects.</p> <p></p>"},{"location":"usage/inject-caldera/#configuration-variables","title":"Configuration variables","text":"<p>Below are the properties you'll need to set for OpenBAS:</p> Property application.properties Docker environment variable Mandatory Description Enable Caldera injector injector.caldera.enable <code>INJECTOR_CALDERA_ENABLE</code> Yes Enable the Caldera injector. Injector ID injector.caldera.id <code>INJECTOR_CALDERA_ID</code> Yes The ID of the injector. Caldera URL injector.caldera.url <code>INJECTOR_CALDERA_URL</code> Yes The URL of the Caldera instance. Caldera API Key injector.caldera.api-key <code>INJECTOR_CALDERA_API-KEY</code> Yes The API Key for the rest API of the Caldera instance."},{"location":"usage/injectors/","title":"Injectors","text":"<p>Injectors list</p> <p>You are looking for the available injectors? The list is in the OpenBAS Ecosystem.</p>"},{"location":"usage/injectors/#introduction","title":"Introduction","text":"<p>Injectors are one of the cornerstones of the OpenBAS platform, they are responsible for pushing simulation actions to third party systems. According to their functionality and use case, they are categorized in the following classes.</p> <p></p>"},{"location":"usage/injectors/#endpoint-payloads-execution","title":"\ud83d\udce1 Endpoint payloads execution","text":"<p>Those injectors are special as they required an executor (neutral agent) to be launched on endpoints. When they register to the platform, they inform available executors on how to spawn them on the 3 currently supported platforms: Windows, Linux and MacOS.</p> <p>Some of them :</p> <ul> <li>Caldera: Facilitates the use of the MITRE Caldera framework, empowering administrators to leverage advanced simulation   capabilities. For more information concerning the Caldera injector, please refer to   the dedicated documentation page.</li> </ul>"},{"location":"usage/injectors/#communication-social-medias","title":"\ud83c\udf10 Communication &amp; social medias","text":"<p>Those injectors are used to push information to human assets (aka players) such as emails, SMS, phone calls, instant messaging etc.</p> <p>Some of them :</p> <ul> <li>Challenges: Manages inject \"publish challenges\". To find more information more about this type of inject, please refer   to the dedicated documentation section.</li> <li>Email: Manages the sending of injects' emails, enabling communication and dissemination of simulation-related     information.</li> <li>Manual: Platform functionality for creating manual action reminders, allowing administrators to prompt specific   actions to be performed manually. To find more information about the related inject, please refer to   the dedicated documentation section.</li> <li>Media pressure: Manages inject \"publish channel pressure\". To find more information about this type of inject, please   refer to the dedicated documentation section.</li> <li>OVHCloud SMS Platform: Facilitates SMS messaging for injects, providing an additional communication channel for   simulation participants.</li> </ul>"},{"location":"usage/injectors/#incident-response-case-management","title":"\ud83e\uddef Incident Response &amp; Case Management","text":"<p>Those injectors are used to inject real or fake information into case management, ticketing and incident response systems.</p>"},{"location":"usage/injectors/#others","title":"\ud83d\udc89 Others","text":"<p>All other system OpenBAS can inject, as part of breach and attack simulation campaigns.</p> <p>Some of them :</p> <ul> <li>Airbus CyberRange (Lade): Integration with the Airbus CyberRange platform, enabling seamless interaction and   collaboration with CyberRange environments. For more information concerning CyberRange, please refer to   the Airbus website.</li> <li>HTTP query: Executes HTTP requests on external services, facilitating interactions with external systems. To find more   information about the related inject, please refer to the dedicated documentation section.</li> <li>OpenCTI: Integration with an OpenCTI platform, enhancing simulation capabilities with access to threat intelligence   and automatic scenario generation based on observed threat activities.</li> </ul>"},{"location":"usage/injectors/#agents","title":"Agents","text":"<p>Tips</p> <p>If you want to learn more about the concept and features of agents, you can have more info here.</p> <p>For certain injectors, deploying an agent on the target machine is necessary to facilitate integration with OpenBAS. These agents are software programs that connect back to OpenBAS at certain intervals to get instructions.</p> <p>To access the agents and installation instructions, navigate to the dedicated page located in the top right-hand corner (button with the screen logo).</p> <p>Detailed guidance on installing the agents, along with downloadable packages, is provided on this page. Agents are available for various operating systems, including Windows, Linux, and MacOS, ensuring compatibility across different environments.</p> <p>As of now, only the Caldera injector requires the installation of an agent. This agent enables full integration with the MITRE Caldera framework, unlocking advanced simulation capabilities and enhancing the overall effectiveness of simulation exercises. Full details of the Caldera agent are available in the MITRE documentation.</p> <p></p>"},{"location":"usage/injects/","title":"Injects","text":"<p>Injects are fundamental elements of simulations within OpenBAS, each representing a discrete action to be executed during a Scenario. Managed and facilitated by various injectors, each inject type serves a distinct purpose, contributing to the comprehensive evaluation of defenses.</p> <p></p>"},{"location":"usage/injects/#create-an-inject","title":"Create an inject","text":"<p>Whether intended for Atomic testing or for a Simulation, the process for creating injects remains consistent within OpenBAS.</p> <p></p>"},{"location":"usage/injects/#for-atomic-testing","title":"For Atomic testing","text":"<p>To create an inject for atomic testing, navigate to the \"Atomic testing\" section located in the left-hand banner. Click on the \"+\" icon in the bottom right corner to initiate the inject creation process.</p>"},{"location":"usage/injects/#for-scenarios-and-simulations","title":"For Scenarios and Simulations","text":"<p>For injects intended for use within simulations, access the desired Scenario or Simulation and navigate to the \"Injects\" tab. Click on the \"+\" icon in the bottom right corner of the screen to open the inject creation panel.</p> <p>Note that an inject defined in a Scenario will be used in all the scenario's subsequent simulations. An Inject defined at the simulation level will not be replicated into the Scenario itself, thus it will not be replicated in future scenario's simulations.</p> <p></p>"},{"location":"usage/injects/#inject-creation-process","title":"Inject creation process","text":"<p>Once the inject creation panel is open, you can proceed to configure the inject according to your requirements. Key steps in the creation process include:</p>"},{"location":"usage/injects/#1-choose-the-type-of-inject","title":"1. Choose the type of inject","text":"<p>You first need to select an inject in the list of available ones (on the left of the creation screen). Logos on the left of each line indicates which Injector is associated with each inject. Depending on your integrations, this list can be long.</p> <p>To facilitate the selection into this possibly very long list, you can search injects by name and filter the list by selecting a precise MITRE ATT&amp;CK techniques for instance.</p>"},{"location":"usage/injects/#2-set-inject-parameters","title":"2. Set inject parameters","text":"<p>When selecting an inject on the left, the form on the right populates itself with a by-default title and propose you to define:</p> <ul> <li>Descriptive information: Fill in details such as the title, description, and relevant tags to categorize the inject effectively.</li> <li>Execution timing: If you are creating your inject in the context of a scenario or simulation, you have to set the timing for when the inject should be executed within the simulation timeline, ensuring it aligns with the overall scenario progression.</li> </ul> <p>By clicking on \"Inject content\", you can define now or later:</p> <ul> <li>Inject targets: Specify the targets for the inject, which may include players and teams or assets and assets groups depending on the inject chosen. </li> <li>Expectations: Define the expected outcomes or responses to the inject, outlining the desired actions or behaviors by players. </li> <li>Attachments: Attach any relevant documents or resources to provide additional context or information related to the inject. </li> <li>Additional fields: Depending on the type of Inject selected, you may have access to additional fields specific to that inject type. These fields may include the subject and body of an email, channel pressure settings for public communications, obfuscation options, and more.</li> </ul> <p>The \"available variables\" button helps you to use already defined variables into compatible fields.</p> <p></p> <p>By following these steps and providing the necessary information, you can create injects tailored to your specific testing or simulation objectives.</p>"},{"location":"usage/injects/#inject-types","title":"Inject types","text":"<p>There are different types of injector in OpenBAS.</p> <p></p>"},{"location":"usage/injects/#manual-action-reminders","title":"Manual action reminders","text":"<p>Manual action reminders are injects designed to prompt animation team to perform specific actions manually. It allows to place in the timeline a stimulus to be produced manually, outside the platform (e.g. simulated a call from a journalist on the switchboard telephone). These reminders ensure that critical tasks are completed as part of the simulation, enhancing the accuracy and realism of the exercise.</p> <p>The inject associated with this type is referred to as <code>Manual</code>. To be able to log events not directly related to an email or a sms, you can attach manual expectation to this events (see Manual Expectations). </p>"},{"location":"usage/injects/#example-of-a-manual-inject","title":"Example of a manual inject:","text":"<ul> <li>\"A crisis cell has been put together\"</li> </ul>"},{"location":"usage/injects/#manual-expectations","title":"Manual expectations:","text":"<ul> <li>\"The team responded to the journalist's inquiry.\"</li> <li>\"Analyze the situation and identify the key issues.\"</li> <li>\"Anticipate future developments.\"</li> <li>\"Determine the necessary actions to take.\"</li> <li>\"Coordinate and communicate with both internal and external stakeholders.\"</li> <li>\"Provide regular updates on the ongoing situation.\"</li> </ul>"},{"location":"usage/injects/#direct-contact","title":"Direct contact","text":"<p>Injects for direct contact allow sending emails or SMS messages to players. These injects assess the organization's response to communication-based threats, such as phishing attempts, social engineering attacks, or emergency notifications. They can also assess crisis management, including responses to internal information requests or management pressure.</p> <p>Here's the list of injects linked to this category:</p> <ul> <li><code>Send a SMS</code>: enables sending SMS messages.</li> <li><code>Send individual mails</code>: enables sending emails to individuals separately.</li> <li><code>Send multi-recipients mail</code>: enables sending emails to a group of people (each recipient can see the other recipients).</li> </ul> <p></p>"},{"location":"usage/injects/#media-pressure","title":"Media pressure","text":"<p>Injects simulating public communications involve the publication of articles, social media posts, or other fake announcements. These injects replicate scenarios where public disclosure of information or events affects an organization's reputation or operational continuity.</p> <p>The inject associated with this type is referred to as <code>Publish channel pressure</code>.</p> <p></p>"},{"location":"usage/injects/#challenges","title":"Challenges","text":"<p>Challenge injects are set to test participants' skills and response capabilities by publishing challenges. These injects present scenarios or tasks that require active participation and problem-solving, allowing administrators to evaluate players.</p> <p>The inject associated with this type is referred to as <code>Publish challenges</code>.</p> <p></p>"},{"location":"usage/injects/#http-requests","title":"HTTP requests","text":"<p>HTTP request injects are used to forge HTTP requests to a third party services in order to perform actions outside the platform (e.g. API call to an EDR). These injects enable the platform to communicate with external services, gather information, or trigger specific actions via HTTP protocols.</p> <p>HTTP requests GET, POST, and PUT, can be sent. The corresponding injects are named <code>HTTP Request - \\&lt;request type&gt;</code>.</p> <p></p>"},{"location":"usage/injects/#integrations-with-agents-and-cyberranges","title":"Integrations with Agents and CyberRanges","text":"<p>Injects executed on remote systems are facilitated by Injectors like Caldera or Airbus CyberRange. These actions simulate real-world attack techniques, allowing administrators to gauge the effectiveness of their security posture in response to various technical actions attackers may take.</p> <p>There are over 1,700 such injects covering all the TTPs in the MITRE ATT&amp;CK matrix.</p>"},{"location":"usage/injects/#inject-tests","title":"Inject tests","text":"<p>You can test direct contact injects in simulations and scenarios.</p> <p>Warning</p> <p>For now, only email and sms inject are concerned by this feature.</p>"},{"location":"usage/injects/#unit-test","title":"Unit test","text":"<p>You can test injects one at a time.</p> <p></p> <p>In the injects list of your simulation/scenario, open the contextual menu of an email or sms inject. Click on \"Test\". A confirmation dialog appears, you can confirm the test or cancel it.</p> <p></p> <p>After launching the test, an alert appears at the top of the page. You can click on the \"dedicated page\" link. You are redirected to the tests list, a drawer with the execution details of the test opens.</p> <p></p> <p>Warning</p> <p>The option is disabled if your inject doesn't have any teams.</p>"},{"location":"usage/injects/#bulk-test","title":"Bulk test","text":"<p>You can test injects in bulk.</p> <p></p> <p>Select the injects you want to test then click on the bug icon. A confirmation dialog appears, you can cancel or confirm the launch of the test.</p> <p></p> <p>As mentioned in the dialog, only sms and emails injects will be tested. The emails/sms are sent to the current user. </p> <p>After the launch of the test, you are redirected to the tests list page.</p>"},{"location":"usage/injects/#tests-list","title":"Tests list","text":"<p>A \"Tests\" tab is available in simulations and scenarios. The list of all the tests done on the injects of the simulation/scenario are displayed. Clicking on one of the lines opens the drawer with the execution details of the tests.</p> <p>Note</p> <p>Only the latest test is displayed for each inject.</p>"},{"location":"usage/injects/#replay-tests","title":"Replay tests","text":"<p>Each test in the list has a menu allowing users to delete or replay the test.</p> <p></p> <p>After confirming the replay of the test, the details are updated.</p> <p>The user can also replay all the tests in the list. An icon similar to the one in the injects toolbar is available at the top of the list. After clicking on it, the user confirms the tests launch and the details are updated.</p>"},{"location":"usage/injects/#inject-status","title":"Inject status","text":""},{"location":"usage/injects/#inject-status-using-obas-agent","title":"Inject status using OBAS agent","text":""},{"location":"usage/injects/#viewing-execution-traces","title":"Viewing Execution Traces","text":"<p>When you create a technical Inject, you assign it to endpoints, each of which may have one or multiple agents. As the inject executes, agents communicate their progress to the OBAS Server, which logs detailed execution traces.</p> <p>In the \"Execution Details\" tab, traces are organized by agent, and agents are grouped by endpoint. This allows you to easily track execution progress at both the agent and endpoint levels.  Each agent generates multiple traces corresponding to different execution steps, including:  </p> <ul> <li>Prerequisite checks (validation before execution)</li> <li>Prerequisite retrieval (only if the check fails)</li> <li>Attack command</li> <li>Cleanup commands</li> </ul> <p></p> <p>Warning</p> <p>If a prerequisite check succeeds, the prerequisite retrieval step is skipped. However, the UI always marks prerequisite checks as \"SUCCESS\"\u2014to verify execution results, you must inspect the stderr logs.</p> <p>Trace Statuses</p> <p>Each execution step reports a status: </p> <ul> <li>\u2705 SUCCESS \u2013 Command executed successfully  </li> <li>\u26a0\ufe0f WARNING \u2013 Executed with minor issues  </li> <li>\u2753MAYBE_PREVENTED \u2013 A generic error occurred, possibly due to firewall restrictions  </li> <li>\ud83d\udeab COMMAND_CANNOT_BE_EXECUTED \u2013 Found but couldn't execute (e.g., permission issues)  </li> <li>\u274cCOMMAND_NOT_FOUND \u2013 Executor couldn\u2019t find the command  </li> <li>\ud83d\uded1 ERROR \u2013 General failure  </li> </ul> <p>All execution logs are stored on the OBAS Server, which later processes them to determine agent and inject statuses.</p> <p>Agent Status Computation</p> <p>When an agent completes execution, the server retrieves all traces and computes an agent status based on the following rules:  </p> <ul> <li>All traces SUCCESS \u2192 Agent status = INJECT EXECUTED</li> <li>All traces ERROR \u2192 Agent status = ERROR </li> <li>All traces MAYBE_PREVENTED \u2192 Agent status = MAYBE_PREVENTED</li> <li>At least one SUCCESS trace \u2192 Agent status = PARTIAL</li> <li>Otherwise \u2192 Agent status = MAYBE_PARTIAL_PREVENTED  </li> </ul> <p>Inject Status Computation </p> <p>After all agents have completed their execution, the system calculates the Inject status using the same logic applied to compute the agent status.</p>"},{"location":"usage/injects/#conditional-execution-of-injects","title":"Conditional execution of injects","text":"<p>You can add conditions to an inject, ensuring it is triggered at a specific time only if the specified conditions are met. These conditions typically relate to whether an expectation is fulfilled or not, but they can also pertain to the success or failure of an execution. There are several methods to achieve this.</p>"},{"location":"usage/injects/#using-the-update-form","title":"Using the update form","text":"<p>You can set conditions when updating an inject. In the inject update form, there is a tab \"Logical Chains\" for that.</p> <p></p> <p>As you can see, you can assign a Parent and multiple Children. A Parent indicates that the current inject will only execute if the conditions set on the Parent are met at the time of execution. Similarly, a Child will execute at the specified time only if the conditions set on the current inject are satisfied. </p> <p>The conditions you can set include the expectations for the inject and whether its execution was successful or not. You can select the desired expectation and Success/Fail status by clicking on them.</p> <p></p> <p>You can also toggle whether all conditions must be met or just one by clicking on the small OR/AND cards. Note that these settings are interconnected, so you cannot assign different values to them</p>"},{"location":"usage/injects/#using-the-timeline","title":"Using the timeline","text":"<p>You also have the possibility to quickly create conditions between injects. To do that, you can go to the timeline view of injects and place your cursor on the small point on the left and right of each injects. You can then drag and drop a link from a point to another.</p> <p></p> <p>The links created in this way will default to an expectation of \"Execution is Success\" and must be updated using the injects' update form. Additionally, you can reposition links between injects or remove them entirely by dragging them to an empty space.</p>"},{"location":"usage/injects_and_expectations/","title":"Injects and Expectations","text":"<p>Evaluating security posture in OpenBAS is to confront events (aka Injects) with Expectations.</p>"},{"location":"usage/injects_and_expectations/#injects","title":"Injects","text":"<p>Threats are the results of actions by threat actors, and a combination of intent, capability and opportunity. In OpenBAS, simulating threats and their attack capabilities involves executing injects targeting players and assets.</p> <p>Injects can be technical, emulating action attackers might take on an endpoint, and non-technical, representing interactions with players or impactful contextual events during a crisis (such as media inquiries by phone following a data breach). They are always triggered at a specific point in time but it is possible to execute them only if one or multiple conditions are met.</p> <p></p> <p></p> <p></p>"},{"location":"usage/injects_and_expectations/#expectations","title":"Expectations","text":"<p>Each Inject is associated with Expectations. Expectations outline the anticipated outcomes from security systems and teams in response to attacker actions or contextual events.</p> <p>Expectations can be about:</p> <ul> <li>Prevention: ensuring that the security posture can prevent the attacker's actions.</li> <li>Detection: ensuring that the security posture can detect the attacker's actions.</li> <li>Human response: ensuring that teams react appropriately according to defined security processes.</li> </ul> <p>The collection and concatenation of expectations' results, broken down per type, allows to assess the security posture against a threat context. This provides insights to identify areas for improvement. Expectations can also be used as conditions for the execution of other injects.</p>"},{"location":"usage/injects_builtin/","title":"Injects built-in","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"usage/openbas-agent/","title":"OpenBAS Agent","text":""},{"location":"usage/openbas-agent/#introduction","title":"Introduction","text":"<p>The OpenBAS Agent is an application whose main role is to enroll an Asset on the OpenBAS platform, to retrieve jobs or scripts to be executed and to transmit this information to Implants (subject to come) for execution on the host Asset.</p> <p>The Agent will not perform direct actions on the Asset to remain neutral for antivirus and ensure the full run of the simulation.</p> <p>The OpenBAS Agent is compatible with different OS (Windows, Linux, macOS) and is developed in Rust.</p>"},{"location":"usage/openbas-agent/#installation","title":"Installation","text":"<p>Depending on the OS, several installations are at your disposal, you can find them on OpenBAS by clicking the blue icon on the right top corner : </p> <p>Linux</p> <ul> <li>Requirement \u2192 systemd, access to the openbas instance used</li> <li>Compatibility \u2192 All systemd based linux distros</li> <li>Installation \u2192 Create a service with name openbas-agent (\"Install Linux Agent\")</li> <li>Verification command line \u2192 <code>systemctl enable openbas-agent</code></li> <li>Start/Stop service \u2192<code>systemctl start openbas-agent</code> &amp; <code>systemctl stop openbas-agent</code></li> </ul> <p>MacOS</p> <ul> <li>Requirement \u2192 launchd, access to the openbas instance used</li> <li>Compatibility \u2192 All launchd based MacOS distros (10.4 Tiger or higher)</li> <li>Installation \u2192 Create a service with name openbas-agent (\"Install MacOS Agent\")</li> <li>Verification command line \u2192 <code>launchctl list | grep openbas.agent</code></li> <li>Start/Stop service \u2192 <code>launchctl bootstrap system ~/Library/LaunchDaemons/openbas-agent.plist</code> &amp; <code>launchctl bootout system ~/Library/LaunchDaemons/openbas-agent.plist</code></li> </ul> <p>Windows</p> <ul> <li>Requirement \u2192 Powershell \"run as administrator\", and ensure access to the OpenBAS instance being used. If the installation fails, try using PowerShell 7 or higher.</li> <li>Compatibility \u2192 All major Windows versions</li> <li>Installation \u2192 Create a service with name openbas-agent (\"Install Windows Agent\")</li> <li>Verification command line \u2192 <code>Get-Service -Name \"OBASAgentService\"</code></li> <li>Start/Stop service \u2192 <code>Start-Service -Name \"OBASAgentService\"</code> &amp; <code>Stop-Service -Name \"OBASAgentService\"</code></li> </ul> <p>The following flow diagram represents the Agent installation flow :</p> <p></p>"},{"location":"usage/openbas-agent/#network-traffic","title":"Network Traffic","text":"<p>The installation creates two firewall rules.</p> <p>Inbound rule </p> <p>Outbound rule </p>"},{"location":"usage/openbas-agent/#features","title":"Features","text":"<p>The main features of the OpenBAS Agent are:</p> <ul> <li>Agent registration on the OpenBAS platform</li> </ul> <p>The Agent is installed on the Asset using an agent-installer.exe file and runs as a service.   It communicates with the deployed OpenBAS instance in order to enroll the Asset. In some cases   like unsecured certificates or environment with proxy, the agent can't communicate with OpenBAS.   In order to fix those issues, look at \"Network and security\" chapter from configuration   to add the required attributes.</p> <p>NB : An Asset can only have one OpenBAS agent installed thanks to a machine id calculated according   to the operating system and its parameters. If you try to install again an OpenBAS agent on a platform, it will   overwrite the actual one and you will always see one endpoint on the OpenBAS endpoint page.</p> <p></p> <ul> <li> <p>Auto upgrade the Agent (on start-up and registration)</p> </li> <li> <p>Retrieval of jobs to be executed</p> </li> </ul> <p>The Agent retrieves jobs to be executed from the OpenBAS instance every 30 seconds.   For the moment, jobs are Implant to spawn and launch on the Asset, waiting to execute payloads of your Simulation's Injects.   Each job execution logs is kept in a dedicated directory in order to have a trace of what happened (pid, executable).</p> <ul> <li>Deleting executables and execution directories</li> </ul> <p>The Agent deletes Implants that have been running for a predefined time and cleans the execution directories.</p> <ul> <li>Health check</li> </ul> <p>The Agent pings the OpenBAS instance every 2 minutes to notify it of its healthy status.</p> <ul> <li>Cleanup</li> </ul> <p>The Agent ensures that the processes it has executed are correctly finished or deleted if necessary.    The maximum time in minutes that a process associated with an execution directory can remain active is 20 minutes.</p> <p>The Agent removes execution directories to avoid excessive disk space.    The maximum time in minutes that an execution directory can be kept before being deleted is 2 days.</p>"},{"location":"usage/openbas-agent/#troubleshooting","title":"Troubleshooting","text":"<p>If you experience issues with your agent, the logs are available here:</p> <ul> <li>Linux -&gt; /opt/openbas-agent/openbas-agent.log</li> <li>MacOS -&gt; /opt/openbas-agent/openbas-agent.log</li> <li>Windows -&gt; \"$PROGRAMFILES\\Filigran\\OBAS Agent\\openbas-agent.log\"</li> </ul>"},{"location":"usage/people/","title":"People","text":"<p>Breach and Attack Simulation involves testing your security posture, and people are an essential part of it!</p> <p>Players, teams, and organizations are where you organize the human aspect of your security posture within OpenBAS. These entities are the targets for injects during your simulations and atomic testings.</p> <p></p>"},{"location":"usage/people/#players","title":"Players","text":"<p>Players are the users that may take part into your scenarios, to be tested against attack or contextual events ( i.e. injects).</p> <p>Players can be created manually with the + button at the bottom right, but we encourage you to activate an integration allowing to import them from your IT environment, like with Microsoft Entra integration.</p> <p>Players are defined by:</p> <ul> <li>Email address,</li> <li>First name,</li> <li>Last name,</li> <li>Organization: to link a player to an organization (   see below),</li> <li>Country,</li> <li>Phone number: necessary if you want to play SMS injects,</li> <li>PGP public key: necessary if you want to play encrypted email injects,</li> <li>Tags: if you want to sort them by custom categories.</li> </ul> <p>This list of players can be exported by clicking on the export button, at the top right of the players screen.</p>"},{"location":"usage/people/#teams","title":"Teams","text":"<p>Teams group players into units that can be targeted by injects during simulations or atomic testing. They serve as a way to represent different security teams (e.g., CSIRT, SOC, VOC) and other relevant teams that might be involved into your scenario (e.g., legal department, communication department).</p> <p>Teams are defined by:</p> <ul> <li>Name,</li> <li>Description,</li> <li>Organization: to link a team to an organization (   see below),</li> <li>Tags: if you want to sort them by custom categories.</li> </ul> <p>From the teams list, you can manage players by clicking on the three-dots inline button on the right and selecting \" Manage players.\" From there, you can view, update, or delete all the team's players and see their communication channels' state.</p> <p></p>"},{"location":"usage/people/#organizations","title":"Organizations","text":"<p>Organization provides a straightforward method to segregate players and teams within the platform. A player associated with an organization, even with the required rights to animate and planned scenarios and simulations, will never see players and teams from other organizations.</p> <p>This feature can be particularly useful if you are using OpenBAS to plan and execute simulations for various companies or subsidiaries.</p>"},{"location":"usage/playing/","title":"Playing","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"usage/rest-api/","title":"REST API","text":"<p>OpenBAS provides a REST API, allowing users to perform various actions programmatically. The API enables users to interact with OpenBAS's functionality and data, offering a powerful tool for automation, integration, and customization. Any action available through the platform's graphical interface can also be executed via the API.</p>"},{"location":"usage/rest-api/#authentication","title":"Authentication","text":"<p>Accessing the OpenBAS API requires authentication through standard mechanisms. To authenticate, users must include the following headers in their API requests:</p> <pre><code>Content-Type: application/json\nAuthorization: Bearer [API key]\n</code></pre> <p>Using the API key will provide you admin access.</p>"},{"location":"usage/rest-api/#swaggerui","title":"SwaggerUI","text":"<p>The OpenBAS API is documented using SwaggerUI, which provides an interactive interface for exploring the API's endpoints, parameters, and responses. The SwaggerUI is accessible at the following URL: [openbas url]:8080/swagger-ui/index.html</p>"},{"location":"usage/scenario/","title":"Scenario","text":"<p>When clicking on Scenarios in the left menu, you access to the list of all Scenarios defined in the platform. Scenarios act as templates that translate threat contexts into meaningful events to simulate.</p> <p>Scenarios can be grouped by defining categories, main focus, severity and tags. It is then possible to filter the Scenarios list based on these attributes. Quick filters are available by default at the top of the screen to filter Scenario on most used categories.</p> <p>It is also possible to search Scenarios by their names using the search bar.</p>"},{"location":"usage/scenario/#create-a-scenario","title":"Create a scenario","text":"<p>To create a scenario, hit the + button on the bottom right of the screen and define general metadata that make sense for you. </p> <p>Once done, the scenario is accessible in the list. Click on it to see its details and define them.</p>"},{"location":"usage/scenario/#scenario-overview","title":"Scenario overview","text":"<p>The overview provides comprehensive information for evaluating your security posture against the threat context over time. It displays the scenario's context along with the results of the simulations played from it. Additionally, the list of these simulations is shown, allowing easy access to their specific details and results.</p> <p>If the scenario has never been simulated, the results' widget contains an example of how results will be displayed, and the list of simulations is replaced with an invitation to generate one.</p>"},{"location":"usage/scenario/#defining-a-scenario","title":"Defining a Scenario","text":"<p>To define the scenario, navigate to the \"Definition\" and \"Injects\" tabs.</p> <p>In the \"Definition\" tab, you can add various elements to construct events:</p> <ul> <li>Teams and Players involved in the scenario,</li> <li>Custom variables for simplifying injects' customization,</li> <li>Articles that you might use to simulate media pressure,</li> <li>Challenges designed for including Capture The Flag elements in your scenario.</li> </ul> <p>Once you have added all the elements you need, you can go to the \"Injects\" tab to begin to create the chain of events that will shape your scenario.</p> <p>By clicking on the + button at the bottom right of the screen, you enter the inject creation workflow.</p>"},{"location":"usage/scenario/#launching-a-simulation-of-the-scenario","title":"Launching a simulation of the scenario","text":"<p>Once you've finished defining your scenario, it's time to simulate it and evaluate your security posture!</p> <p>To do so, click the \"Simulate now\" button. You can choose to simulate this scenario as a one-time evaluation, scheduling it for a specific date and time. Additionally, you can set it to simulate recurrently to assess your posture over time. The results of each simulation will populate your scenario overview.</p> <p>A visual indication, located to the right of the scenario's title, provides a quick way to know if the scenario is currently being simulated.</p>"},{"location":"usage/scenario/#export-your-scenario","title":"Export your scenario","text":"<p>You can export your carefully crafted scenario as a JSON file by clicking the three-dots button at the top right of the scenario screen. This allows you to share it with others, or store it outside the platform.</p>"},{"location":"usage/scenario_import/","title":"Importing Injects into a Scenario","text":"<p>Recreating a timeline of injects that were already defined in a spreadsheet can be a frustrating task. To help users save time, we added the possibility to import injects as defined in an xls file into a scenario. This is done via a two-steps process : creating a mapper and importing the xls file using the mapper.</p>"},{"location":"usage/scenario_import/#how-to-create-a-mapper","title":"How to create a mapper ?","text":"<p>First of all, to import injects into a scenario, you need to create a mapper. To do that, using an admin account, navigate to the Settings &gt; Data ingestion page. You will then be able to see a list of all the mappers but also to create new ones by clicking on the \"+\" button on the bottom right of the screen.</p> <p></p>"},{"location":"usage/scenario_import/#setting-up-the-mapper-to-tell-each-injects-apart","title":"Setting up the mapper to tell each injects apart","text":"<p>When creating a new mapper, you will quickly be asked to choose an inject type column. This column is the one that will allow the mapper to figure out which injects to create (Sending a mail, sending an sms, ...). Once this column has been chosen, you can add a representation for an inject type. </p> <p>The first thing to define in this representation is the matching type in the xls. This is the value that will define which inject to create when scanning the column defined in \"inject type column\". For instance, if you want to create an inject that sends individual emails when in the column there is the word \"mail\", then you will need to set the value as \"mail\". You can also make use of regular expressions in this field. Please keep in mind though that this value is case sensitive. </p> <p></p> <p>Once that is done, you can select the inject type among a list of injects that are compatible with the xls import. When that selection is done, you will be able to set a column for each of the attribute that can be completed using the import. If you wish to set a default value you can do so by clicking the gear on the right side of the field.</p>"},{"location":"usage/scenario_import/#properly-setting-the-trigger-time-of-the-inject","title":"Properly setting the trigger time of the inject","text":"<p>It should also be noted that the \"Trigger Time\" field has a second parameter that can be set using the gear button. It can be used to set a custom format for specific dates and or time to be interpreted. The complete format rules are available here but here is a very quick overview :</p> Symbol Meaning Presentation Examples y year-of-era year 2004; 04 M/L month-of-year number/text 7; 07; Jul; July; J d day-of-month number 10 a am-pm-of-day text PM h clock-hour-of-am-pm (1-12) number 12 H hour-of-day (0-23) number 0 m minute-of-hour number 30 s second-of-minute number 55 ' escape for text delimiter '' single quote literal ' [ optional section start ] optional section end <p>Please, do note that if you wish to use exact time of the day (e.g. 9:30) in your trigger time, you will need to set a launch date on your scenario before importing the timeline of injects from the xls file.</p> <p>You can also decide to use relative dates for each injects. For instance, you can say that your first inject happens at T and that subsequent injects happens at T+x. If so, you can set relative dates using the following values :</p> Symbol Meaning D Day J Day H Hour T Hour M Minutes <p>This means that if you want your inject to start 2 days, 3 hours and 45 minutes after the start of your scenario, you can set the trigger time to D+2 H+3 M+45. When using relative dates, you do not need to define a pattern for the trigger time field.</p> <p>Once you have set all fields you wish to set, you can click on the create button if you wish to create your mapper but you can also click on the test button to check that it works as intended.</p>"},{"location":"usage/scenario_import/#testing-the-mapper","title":"Testing the mapper","text":"<p>If you click on the test button, you'll then be asked to choose a file. Once that is done, you will have to select the sheet to test out of the spreadsheet and the timezone. You will then be able to click on Test to have the result field filled as well as a list of the messages generated during the import (those are not saved, and are just there to help figure out what happened during the import itself).</p> <p></p>"},{"location":"usage/scenario_import/#how-to-import-injects-into-a-scenario-using-a-mapper","title":"How to import injects into a scenario using a mapper ?","text":"<p>Once your mapper has been created, navigate to your scenario and then to the injects tab. There, you will be able to click on an import button on the top right. A modal will be opening, inviting you to select an .xls/.xlsx file. Once it has been selected, you can click on next. You will then be asked to choose the sheet to import out of the spreadsheet and to select the mapper to use. You will also be able to select the timezone to use for the import. Once everything is set, click on the launch import button and your injects will be imported into the current scenario ! Please do not that if all the dates in the xls file are absolute time of the day (e.g. 9:30, 12:45, ...), it is required for the scenario to have a launch date set.</p>"},{"location":"usage/scenarios_and_simulations/","title":"Scenarios and Simulations","text":"<p>In OpenBAS, the core concept to simulate attacks is based on the duo Scenario &amp; Simulation.</p>"},{"location":"usage/scenarios_and_simulations/#scenarios","title":"Scenarios","text":"<p>Scenario enable to translate a threat context, such as an attack or even a threat actor, into a meaningful sequence of events (referred to as injects), which can be technical or non-technical. This chronology of events can be enriched with associated documents or media articles to simulate the environment surrounding them.</p> <p>Within Scenarios, you also specify who participates, whether actual people (referred to as Players) or endpoints (referred to as Assets). They will be the targets of the events representing the threat.</p> <p>In order to translate real threats into Scenarios, it is possible to create them from OpenCTI data, such as Reports.</p>"},{"location":"usage/scenarios_and_simulations/#simulations","title":"Simulations","text":"<p>If a Scenario translates threat context into meaningful events, a Simulation serves as a means to evaluate your security posture against this threat context. </p> <p>By simulating a scenario with recurrence, you can evaluate your security posture over time in response to a threat context. Since simulations are always linked to their parent scenario, even if it evolves, you can: - assess your risk against evolving threats, - evaluate the effectiveness of your security governance in addressing your most relevant threats.</p>"},{"location":"usage/simulation/","title":"Simulation","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p> <p>When clicking on Simulations in the left menu, you access to the list of all Simulations ever launched in the platform. You can filter by tag (for example to only display simulation related to a specific threat actor) and sort them (chronologically, by status, etc.).</p> <p>From this screen, you can easily see last global scores and access ongoing Simulations at platform level.</p>"},{"location":"usage/simulation/#creating-a-simulation","title":"Creating a Simulation","text":"<p>The best practice to create a Simulation is to do it from a Scenario in order to evaluate your security posture over time against a specific threat context.</p> <p>But you can create directly a Simulation if you want, by hitting the + button on the bottom right of the screen. You will have similar definition options as in Scenario creation.</p>"},{"location":"usage/simulation/#simulation-overview","title":"Simulation overview","text":"<p>The Overview regroups everything you need to know to follow your Simulation by its Results. Results are broken down into 3 main metrics:</p> <ul> <li>Prevention: the ability of your security posture to prevent the simulated scenario's events to happen</li> <li>Detection: the ability of your security posture to detect the simulated scenario's events</li> <li>Human response: the ability of your security teams to react as intended facing the simulated scenario</li> </ul> <p>The top of the Simulation screen give you the ability to Start, stop and Reset the Simulation, delay the launch time.</p>"},{"location":"usage/simulation/#overriding-the-scenario-definition","title":"Overriding the Scenario definition","text":"<p>In a Simulation, you can see and modify all elements defining it: Teams and Players, Variables, Media pressure, Challenges, Injects. Modifying the Simulation definition allows you to customize it to adapt a singular play to some temporary changes. For example, change an email address into Variables to be used in email-related injects, change a playing team, etc.</p>"},{"location":"usage/simulation/#animating-a-simulation","title":"Animating a Simulation","text":"<p>The Animation screen of a Simulation is the place to follow the Simulation execution, especially if you are conducting simulation at strategical level (heavily relying on interactions with Teams and Players, manual validations of expectations) for training your organization on all aspects of a cyber crisis.</p> <p>The Timeline screen is the overview of the Animation tab, to see ongoing injects.</p> <p>The Mails screen is a way to manage email interaction with Players into the OpenBAS platform.</p> <p>The Validation screen is the place to manually validate expectations of the Simulation to consolidate Results.</p> <p>The Simulation logs is an interface for the animation team to collaborate during the Simulation.</p>"},{"location":"usage/simulation/#lessons-learned","title":"Lessons learned","text":"<p>In the Lesson Learned tab of a Simulation, you can manage the collection and concatenation of customizable surveys. It helps you in conducting the most underestimated part of a Breach and Attack simulation involving real people, by automating it and complete your Simulation's Results with qualitative feedback.</p>"},{"location":"usage/simulation_reports/","title":"Generating and Sharing Simulation Reports in PDF Format","text":"<p>You can generate and share a simulation report in PDF format.  The following steps guide you through viewing, creating, and editing simulation reports, as well as generating PDF of these reports.</p>"},{"location":"usage/simulation_reports/#viewing-the-list-of-simulation-reports","title":"Viewing the List of Simulation Reports","text":"<ul> <li>Access the Simulation Page</li> <li>Open the Report Drawer: Click on the \"Edit\" button located on the right side of the page, then select \"Access Reports\"</li> </ul> <ul> <li>A drawer will open, displaying the list of all previously generated reports for the selected simulation.</li> <li>Click on the report name from the list to view the full report details.</li> </ul>"},{"location":"usage/simulation_reports/#creating-a-new-simulation-reports","title":"Creating a New Simulation Reports","text":"<ol> <li>At the bottom of the report list in the drawer, click on the \"Add\" button to create a new report.</li> </ol> <ol> <li>The default name of the report will be the same as the simulation name. You can edit the report name if needed.</li> <li>You have the option to choose which modules to include in your report by selecting them.</li> </ol>"},{"location":"usage/simulation_reports/#adding-global-observations-and-comments","title":"Adding Global Observations and Comments","text":"<p>When you navigate into the Report Simulation Details page: * You can add a global observation related to the overall simulation. * You can add specific comments to each inject within the report.</p> <p>All observations and comments are independent and unique to each report.</p>"},{"location":"usage/simulation_reports/#editing-a-generated-report","title":"Editing a Generated Report","text":"<p>Even after a report has been generated, it is still possible to update:  * The report name. * The modules to be displayed in the report.</p>"},{"location":"usage/simulation_reports/#generating-a-pdf-of-the-report","title":"Generating a PDF of the Report","text":"<p>Once you are on the report page: Click on the \"PDF\" button on the top of the simulation report details page to generate a PDF format.</p> <p></p>"},{"location":"usage/systems/","title":"Systems","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"usage/targets/","title":"Targets","text":"<p>When you are using an Inject, whether for Atomic testing, Scenario or Simulation, it's necessary to define the recipients, known as \"targets\", which could include Players, Teams, Assets (endpoints) or/and Asset groups it will be sent to. They are called \"targets\" of the inject.</p> <p>Note that certain injects can't target assets, while others can't target players. For instance, the \"Send individual mails\" inject can only target players and teams, not assets. </p> <p>Target selection is performed during inject creation or update.</p>"},{"location":"usage/targets/#selecting-players-and-teams","title":"Selecting Players and Teams","text":"<p>Directly targeting a player isn't yet possible. Instead, you must target a team. In scenarios or simulations, the team must be included in the scenario or simulation to be selectable. However, when creating atomic testing, all teams in the platform are selectable.</p> <p>Note that visibility of teams and players is limited by the organization's segregation.</p> <p>When selecting a team as the target, all players within that team will be targeted by the inject. Each player will have to complete expectations.</p> <p>Here is the step by step guide to add a team as a target of a simulation/scenario.</p> <p>Consider a simulation/scenario that was just created. Go to the Definition tab.</p> <p></p> <p>Click on + next to the Teams section, a dialog appears allowing the user to add a team.</p> <p></p> <p>The user now has two ways to enable players: - Click on the team, a drawer opens. Click on the DISABLED tag of a player, it is now enabled. - Click on the three dots of the team, then Manage players. A drawer opens, click on the DISABLED tag of a player.</p> <p></p> <p>Now the user can target the team when adding an inject in the simulation/scenario.</p> <p></p>"},{"location":"usage/targets/#selecting-assets-endpoints-and-asset-groups","title":"Selecting Assets (endpoints) and Asset groups","text":"<p>You can target assets (endpoints) directly or asset groups. In the dedicated dialog, only assets compatible with the inject are listed by default.</p> <p>When selecting an asset group to target, all assets (endpoints) within the group will be targeted by the inject. Each one will have to complete expectations.</p>"},{"location":"usage/testing/","title":"Testing","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p>"},{"location":"usage/components/challenges/","title":"Challenges","text":"<p>Challenges are integral to handling CTF (Capture The Flag) activities on the OpenBAS platform. You can define your challenge and the flags that need to be found to complete it.</p>"},{"location":"usage/components/challenges/#create-a-challenge","title":"Create a Challenge","text":"<p>To create a new challenge, follow these steps:</p> <ol> <li>Click the + button at the bottom right corner of the screen.</li> <li>Give your new challenge a name and specify one or more flags.</li> <li>Optionally, fill in additional fields to provide more context to your players, such as the category, content (    explanation, context, steps), and attach any relevant documents.</li> <li>Manage your challenge by setting a score and a maximum number of attempts allowed for completing the challenge.</li> </ol> <p></p> <p>Once completed, your new challenge will appear in the challenge list.</p>"},{"location":"usage/components/challenges/#use-a-challenge","title":"Use a Challenge","text":"<p>Challenges can be utilized in Scenarios and Simulations. When creating an inject of type \"Publish challenges,\" you need to select a challenge to be sent to your players.</p> <p></p>"},{"location":"usage/components/channels/","title":"Channels","text":"<p>In OpenBAS, Channels represent communication medias with a particular look. There are used to present web articles or other media contents to Players in a specific way.</p> <p>It helps give shape to your Scenario context and events.</p>"},{"location":"usage/components/channels/#create-a-channel","title":"Create a Channel","text":"<p>First step is to click on the + button at the bottom right and give your new Channel a type (Newspaper, Microblogging, TV Channel), a name and a subtitle.</p> <p>Once done, click on the Channel in the list to access its overview. Here you can define how media content associated to this Chennel will be displayed to Players.</p> <p>You can define primary and secondary colors, choose logos and define how the header is presented.</p> <p>On the right, a mock up of the overview is displayed to give you the look and fill of it.</p> <p></p>"},{"location":"usage/components/channels/#use-a-channel","title":"Use a Channel","text":"<p>A Channel will then be used in Scenario and in Simulation definition. When you create an Article, you have to choose the Channel that will give it an adequate shape.</p> <p>See Media pressure page to know how to create and add Articles to your Scenarios.</p> <p></p>"},{"location":"usage/components/documents/","title":"Documents","text":"<p>Documents serve as resources for adding content to your table-top injects, helping your animation team and players. They can also be utilized in payloads for file dropping purposes.</p>"},{"location":"usage/components/documents/#create-a-document","title":"Create a Document","text":"<p>To create a new document, follow these steps:</p> <ol> <li>Click the + button in the bottom right corner of the screen.</li> <li>Select a file to create your document.</li> <li>Optionally, add a description and tags to provide additional context. You can also link your documents directly to specific simulations or scenarios.    specific simulations or scenarios.</li> </ol> <p></p> <p>After completing these steps, your new document will appear in the document list. Clicking on a document in the list will allow you to download it.</p>"},{"location":"usage/components/documents/#use-a-document","title":"Use a Document","text":"<p>Documents can be added into table-top injects and payloads.</p> <p>When creating an table-top inject, you can attach documents to provide context or, in the case of email injects, to include attachments.</p> <p>Additionally, you can create a File Drop payload and include your documents within it.</p>"},{"location":"usage/components/lessons/","title":"Lessons","text":"<p>Lessons in OpenBAS enable you to create customizable surveys for your simulations. These surveys can be composed of various categories and questions within those categories. This feature helps in conducting the often overlooked part of a Breach and Attack Simulation involving real people, by automating the process and complementing your simulation results with qualitative feedback.</p>"},{"location":"usage/components/lessons/#create-a-lesson-template","title":"Create a Lesson template","text":"<p>To create a new lesson template, follow these steps:</p> <ol> <li>Click the + button at the bottom right corner of the screen.</li> <li>Give your new lesson template a name.</li> </ol> <p></p> <p>Once completed, your new lesson will appear in the lesson learned list.</p>"},{"location":"usage/components/lessons/#create-a-category","title":"Create a Category","text":"<p>To create a new category, follow these steps:</p> <ol> <li>Click the + button at the bottom right corner of the screen.</li> <li>Give your new category a name and an order to organize your categories.</li> </ol> <p></p>"},{"location":"usage/components/lessons/#create-a-question","title":"Create a Question","text":"<p>To create a new question, follow these steps:</p> <ol> <li>Click the + button at the bottom of your category.</li> <li>Give your new question a content and an order to organize your questions.</li> </ol> <p></p>"},{"location":"usage/components/lessons/#use-a-lesson-template","title":"Use a Lesson template","text":"<p>Lesson templates can be utilized in the Lesson Learned tab of a Simulation. Here\u2019s how to use them:</p> <ol> <li>Apply a new template.</li> <li>Add relevant teams to the most pertinent categories.</li> <li>Send your survey to collect feedback.</li> </ol> <p>By integrating lesson templates into your simulations, you can gather valuable insights and improve the effectiveness of your Breach and Attack Simulations.</p>"},{"location":"usage/components/media_pressure/","title":"Media pressure","text":"<p>Under construction</p> <p>We are doing our best to complete this page.  If you want to participae, dont hesitate to join the Filigran Community on Slack  or submit your pull request on the Github doc repository.</p> <p>Media pressure are Articles or web contents you create to give more shape to your Scenario, or to simulate contextual pressure on your Teams and Players.</p> <p>For example, you can create an Article about the data leakage your organization is said to be affected by during the Scenario, and simulate its publishing by a large coverage media outlet with a \"Publish channel pressure\" inject.</p>"},{"location":"usage/components/media_pressure/#create-an-article","title":"Create an Article","text":"<p>To create an Article, go to the definition page of your Scenario or your Simulation and click on the + button near \"media pressure\". If you did not create Article yet, you can also click on the more visible \"Create an Article\" button.</p> <p>An media pressure Article is defined by: - Channel: the Channel template that will shape the article during the display to the Players. A Channel must have been defined in the platform. - Title - Author - Content: the content of your article. You can enrich the text and have a preview of the formatted result. You can also go fullscreen. - To simulate social network engagement, you can define number of comments, Shares and Likes of the Articles. - Documents: you can attach file to the Article. It can be useful if you want to simulate the publication of a large report you don't want to craft inside OpenBAS, like a pdf security report for example.</p> <p>Once created, Articles appears as cards in the definition screen of the Scenario or Simulation they have been created into. Note that if an article is not yet used in the Scenario or Simulation (probably because it does not have been used in a \"Publish channel pressure\" inject), it is mentioned into the Article's card.</p>"},{"location":"usage/components/media_pressure/#use-an-article-in-scenario-and-simulation","title":"Use an Article in Scenario and Simulation","text":"<p>To use an Article in a Scenario or Simulation, it must have been created in the context of the Scenario, the Simulation's parent Scenario or the Simulation itself.</p> <p>When you select an Inject, if it is compatible with media pressures, you can add a media pressure article to it.</p>"},{"location":"usage/components/variables/","title":"Variables","text":""},{"location":"usage/components/variables/#built-in-variables","title":"Built-In Variables","text":"<p>Within certain injects, users can leverage a set of predefined built-in variables to dynamically customize content. These variables are designed to streamline the process of personalizing messages. Examples of built-in variables include but not limited to :</p> <ul> <li>${user.email}: Represents the email of the target user</li> <li>${exercise.name}: Represents the name of the current exercise</li> <li>${player_uri}: Represents the player interface platform link</li> <li>${teams}: Represents the list of team name/s for the injection</li> </ul> <p>The list of available variables is found in the definition of the inject :</p> <p> </p>"},{"location":"usage/components/variables/#custom-variables","title":"Custom Variables","text":"<p>In addition to the built-in variables, users can define their own variables within an exercise.</p> <p>To define custom variables :</p> <ol> <li>Select an exercise</li> <li>Navigate to the Definition tab</li> <li>Navigate to the Variables section</li> </ol> <p>In this section, users can create, update or delete custom variables : </p> <p> </p>"},{"location":"usage/components/variables/#limitation","title":"Limitation","text":"<p>To create custom variables, consider the following limitation:</p> <ul> <li>Only lowercase characters and <code>_</code> are authorized for the key value</li> <li>Variable value can only be string</li> </ul>"},{"location":"usage/components/variables/#use-variables","title":"Use Variables","text":"<p>These variables can be used to enhance personalization of certain injects within an exercise. Here is a non-exhaustive list of concerned injects : - Email sending - Sms sending</p> <p> </p> <p>In case of a list like <code>articles</code>, which is a list of articles with properties such as <code>id</code>, <code>name</code>, and <code>uri</code>, or <code>${teams}</code>, you could write:</p> <p>&lt;#list articles as article&gt; - <code>${article.name}</code> &lt;/#list&gt; &lt;#list teams as team&gt; <code>${team}</code> &lt;/#list&gt;</p>"},{"location":"usage/evaluate/overview/","title":"Overview","text":"<p>Under construction</p> <p>We are doing our best to complete this page. If you want to participate, don't hesitate to join the Filigran Community on Slack or submit your pull request on the Github doc repository.</p> <p>The Home screen provides visitors of the OpenBAS platform with an overview of the platform's live activity and a snapshot of your global security posture. Below is a breakdown of the various widgets available on this page.</p>"},{"location":"usage/evaluate/overview/#metric-cards","title":"Metric cards","text":"<p>This section displays the count of different components within the platform, shown in two metrics:</p> <ul> <li>The first big metric inside a card represents the number of objects created over the last 180 days.</li> <li>The second small metric inside a card reflects the number of objects created in the last 30 days.</li> </ul> <p></p> <p>Note</p> <p>From here, the data is based on simulations created and launched within the last 180 days.</p>"},{"location":"usage/evaluate/overview/#performance-overview","title":"Performance overview","text":"<p>This section highlights the results of your simulation inject expectations, categorized in three types: prevention, detection, and human response.</p> <p></p>"},{"location":"usage/evaluate/overview/#simulations","title":"Simulations","text":"<p>This bar chart represents simulations grouped by week, based on their start date.</p> <p></p>"},{"location":"usage/evaluate/overview/#top-simulation-categories","title":"Top simulation categories","text":"<p>This polar chart aggregates all simulations by category, giving you a visual breakdown of the top categories.</p> <p></p>"},{"location":"usage/evaluate/overview/#top-attack-patterns","title":"Top attack patterns","text":"<p>This horizontal bar chart displays the top attack patterns identified in your simulations, based on the number of injects associated with each attack pattern.</p> <p></p>"},{"location":"usage/evaluate/overview/#last-simulations","title":"Last simulations","text":"<p>Here, we display the six most recent simulations, sorted in descending order by their start date.</p> <p></p>"},{"location":"usage/evaluate/overview/#mitre-attck-coverage","title":"MITRE ATT&amp;CK Coverage","text":"<p>This section presents the MITRE ATT&amp;CK matrix, based on the results of your simulation inject expectations. It provides an overview of which tactics and techniques have been covered in your simulations.</p>"},{"location":"usage/payloads/payloads/","title":"Payloads","text":"<p>In OpenBAS, you can create custom payloads based on different types to create new injects.</p> <p>Payloads enhance the platform, allowing you to further customize your scenarios.</p>"},{"location":"usage/payloads/payloads/#create-a-payload","title":"Create a Payload","text":"<p>To create a new payload, follow these steps:</p> <ol> <li>Click the \"+\" button at the bottom right corner of the screen.</li> <li>Choose a type based on your needs:<ul> <li>Command Line: To execute a command using an executor (e.g., PowerShell, Bash, etc.)</li> <li>Executable: To run an executable file on an asset</li> <li>File Drop: To drop a file onto an asset</li> <li>DNS Resolution: To resolve a hostname into IP addresses</li> </ul> </li> <li>Assign a name to your new payload and specify the platform where it should be executed.</li> <li>Provide additional details for executing your payload, such as arguments and prerequisites.</li> <li>Specify a cleanup executor and a cleanup command to remove any remnants from your execution on the asset.</li> </ol> <p> </p> <p>Once completed, your new payload will appear in the payload list.</p>"},{"location":"usage/payloads/payloads/#common-payload-properties","title":"Common Payload properties","text":"Property Description Name Payload name Platforms Compatible platforms (ex. Windows, Linux, MacOS) Description Payload description Prerequisites Prerequisites required to execute the command Cleanup executor Executor for cleaning commands Cleanup command Cleanup command to remove or reset changes made Attack patterns Command-related attack patterns Tags Tags Arguments Arguments for the cleanup, prerequisites and potential command line"},{"location":"usage/payloads/payloads/#prerequisites-in-depth","title":"Prerequisites in depth","text":"Property Description Command executor Executor for prerequisite Check command Verifies if specific condition are met Get command Run command if check command failed"},{"location":"usage/payloads/payloads/#additional-payload-properties-by-type","title":"Additional Payload properties by type","text":""},{"location":"usage/payloads/payloads/#command-line","title":"Command Line","text":"<p>This payload type executes commands directly on the command line interface (CLI) of the target system  (e.g., Windows Command Prompt, PowerShell, Linux Shell). </p> <p>Command Line payloads are used for remote command execution to simulate common attacker actions like privilege  escalation or data exfiltration.</p> Property Description Architecture Architecture in which the command can be executed (x86_64, arm64, all architectures) Command executor Executor for command to execute Command Command to execute"},{"location":"usage/payloads/payloads/#executable","title":"Executable","text":"<p>An Executable payload involves delivering a binary file (such as .exe on Windows or ELF on Linux) that the system runs  as an independent process.</p> <p>Executables can perform a variety of functions, from establishing a backdoor to running complex scripts (mimic malware).</p> Property Description Architecture Architecture in which the command can be executed (ex. x86_64, arm64) Executable file File to execute"},{"location":"usage/payloads/payloads/#file-drop","title":"File Drop","text":"<p>File Drop payloads are designed to deliver files (e.g., scripts, documents, binaries) to the target system without  immediately executing them.</p> <p>The goal is typically to simulate scenarios where attackers place files in specific locations for later use, either  manually or by another process.</p> Property Description File to drop File to drop"},{"location":"usage/payloads/payloads/#dns-resolution","title":"DNS Resolution","text":"<p>DNS resolution payloads attempts to resolve hostnames to associated IP address(es).</p> <p>The goal of DNS resolution is to test if specific hostnames resolve to IP addresses correctly, helping assess network  accessibility, detect issues, and simulate potential attacker behavior.</p> Property Description Hostnames Hostname list to resolve"},{"location":"usage/payloads/payloads/#payload-execution-workflow","title":"Payload execution workflow","text":""},{"location":"usage/payloads/payloads/#use-a-payload","title":"Use a Payload","text":"<p>After creation, a new inject type will automatically appear in the inject types list if the implant you're using supports it (the OpenBAS Implant does).</p> <p> </p>"},{"location":"usage/scenario/opencti_scenario/","title":"Scenario generation from OpenCTI","text":"<p>Creating a scenario can be a complex task, especially when aiming to build one that is meaningful and relevant to the specific threats facing your organization. To streamline this process and ensure that scenarios are closely aligned with your threat landscape, you can leverage the integration between OpenCTI and OpenBAS.</p> <p>This integration works across multiple entities:</p> <ul> <li>Reports</li> <li>Grouping</li> <li>Incident Response</li> <li>Malware</li> <li>Campaigns</li> <li>Intrusion</li> <li>Request For Information</li> <li>Request For Takedown</li> </ul> <p></p> <p>When you click on the \"Simulate\" button, a form will appear with the following fields:</p> Property Description Simulation type Can be either \"Technical\" (payloads) or \"Simulated\" (emails) Interval between injection (in minutes) The time between each injection execution Number of injects generated by attack pattern and platform <p> </p> <p>If you choose the \"Technical\" (payloads) simulation type, you will also need to fill in the following fields:</p> Property Description Targeted platforms Supported platforms for executing the TTPs (Windows, Linux, macOS) Targeted architecture Supported architectures for executing the TTPs (x86_64, arm64) <p> </p> <p>It\u2019s essential to understand that a scenario creation for these entities relies on matching TTPs between OpenCTI and OpenBAS. You\u2019ll need to ensure that the TTPs in both platforms are aligned. For instance, if your report contains the TTP T1059.001, a scenario can be created with an inject, provided OpenBAS also includes T1059.001. Otherwise, an  inject with a placeholder will be created instead for this TTP.</p> <p>If these TTPs are not supported by OpenBAS, you will receive an alert listing the uncovered TTPs.</p> <p></p> <p>When generating a scenario from OpenCTI, a scenario is created in OpenBas and can be accessed from the scenarios screen. The scenario name will include a reference to OpenCTI, indicating its origin. This scenario will automatically contain relevant sequences of injects based on the threat context identified in OpenCTI.</p> <p></p> <p></p> <p></p> <p>However, it's important to review and potentially customize the scenario to ensure it meets your organization's specific requirements. Additionally, you'll need to select appropriate targets for the injects within the scenario. You can also configure default asset groups for the scenarios created from OpenCTI using the Default Asset Groups page.</p> <p></p> <p>Once you've finalized the scenario, you can schedule your simulation as you would do for any other scenarios. The overall results of the simulation will also be available directly within OpenCTI, providing insights into the threat context upon which the scenario is based.</p> <p></p>"}]}
\ No newline at end of file
diff --git a/1.12.X/sitemap.xml b/1.12.X/sitemap.xml
index d0b1205..d256e79 100644
--- a/1.12.X/sitemap.xml
+++ b/1.12.X/sitemap.xml
@@ -2,238 +2,238 @@
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
     <url>
          <loc>https://docs.openbas.io/latest/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/administration/enterprise/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/administration/introduction/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/administration/parameters/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/administration/policies/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
+    </url>
+    <url>
+         <loc>https://docs.openbas.io/latest/administration/taxonomies/</loc>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/administration/users/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/authentication/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/clustering/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/configuration/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/installation/</loc>
-         <lastmod>2025-02-12</lastmod>
-    </url>
-    <url>
-         <loc>https://docs.openbas.io/latest/deployment/integrations/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/overview/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/resources/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/troubleshooting/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/upgrade/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/ecosystem/collectors/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/ecosystem/executors/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/deployment/ecosystem/injectors/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/development/api-usage/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/development/build_from_source/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/development/collectors/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/development/environment_ubuntu/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/development/environment_windows/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/development/injectors/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/development/platform/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/reference/apis/filters/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/assets/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/atomic/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/collectors/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/components/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/default_asset_rules/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/expectations/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/getting-started/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/inject-caldera/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/injectors/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/injects/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/injects_and_expectations/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/injects_builtin/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/openbas-agent/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/people/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/playing/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/rest-api/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/scenario/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/scenario_import/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/scenarios_and_simulations/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/simulation/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/simulation_reports/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/systems/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/targets/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/testing/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/components/challenges/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/components/channels/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/components/documents/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/components/lessons/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/components/media_pressure/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/components/variables/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/evaluate/overview/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/payloads/payloads/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
     <url>
          <loc>https://docs.openbas.io/latest/usage/scenario/opencti_scenario/</loc>
-         <lastmod>2025-02-12</lastmod>
+         <lastmod>2025-02-26</lastmod>
     </url>
 </urlset>
\ No newline at end of file
diff --git a/1.12.X/sitemap.xml.gz b/1.12.X/sitemap.xml.gz
index fcfb272..f64d0be 100644
Binary files a/1.12.X/sitemap.xml.gz and b/1.12.X/sitemap.xml.gz differ
diff --git a/1.12.X/usage/assets/asset_rules.png b/1.12.X/usage/assets/asset_rules.png
new file mode 100644
index 0000000..081a544
Binary files /dev/null and b/1.12.X/usage/assets/asset_rules.png differ
diff --git a/1.12.X/usage/assets/index.html b/1.12.X/usage/assets/index.html
index 38453e6..f669cd3 100644
--- a/1.12.X/usage/assets/index.html
+++ b/1.12.X/usage/assets/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2236,6 +2215,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/atomic/index.html b/1.12.X/usage/atomic/index.html
index b44350d..87e3b60 100644
--- a/1.12.X/usage/atomic/index.html
+++ b/1.12.X/usage/atomic/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2251,6 +2230,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/collectors/index.html b/1.12.X/usage/collectors/index.html
index 2f47516..2f7ce74 100644
--- a/1.12.X/usage/collectors/index.html
+++ b/1.12.X/usage/collectors/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2293,6 +2272,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/components/challenges/index.html b/1.12.X/usage/components/challenges/index.html
index e6f1fc6..df34ea4 100644
--- a/1.12.X/usage/components/challenges/index.html
+++ b/1.12.X/usage/components/challenges/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../../deployment/resources/" class="md-nav__link">
         
@@ -2227,6 +2206,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/components/channels/index.html b/1.12.X/usage/components/channels/index.html
index fbc48d7..3557aa6 100644
--- a/1.12.X/usage/components/channels/index.html
+++ b/1.12.X/usage/components/channels/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../../deployment/resources/" class="md-nav__link">
         
@@ -2227,6 +2206,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/components/documents/index.html b/1.12.X/usage/components/documents/index.html
index 1b626f5..cbd781d 100644
--- a/1.12.X/usage/components/documents/index.html
+++ b/1.12.X/usage/components/documents/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../../deployment/resources/" class="md-nav__link">
         
@@ -2227,6 +2206,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/components/index.html b/1.12.X/usage/components/index.html
index 134b426..f8473fc 100644
--- a/1.12.X/usage/components/index.html
+++ b/1.12.X/usage/components/index.html
@@ -746,27 +746,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2160,6 +2139,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/components/lessons/index.html b/1.12.X/usage/components/lessons/index.html
index cc40f00..7152e40 100644
--- a/1.12.X/usage/components/lessons/index.html
+++ b/1.12.X/usage/components/lessons/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../../deployment/resources/" class="md-nav__link">
         
@@ -2251,6 +2230,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/components/media_pressure/index.html b/1.12.X/usage/components/media_pressure/index.html
index 3a9e6ba..c151b09 100644
--- a/1.12.X/usage/components/media_pressure/index.html
+++ b/1.12.X/usage/components/media_pressure/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../../deployment/resources/" class="md-nav__link">
         
@@ -2227,6 +2206,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/components/variables/index.html b/1.12.X/usage/components/variables/index.html
index 2aaa762..539b38b 100644
--- a/1.12.X/usage/components/variables/index.html
+++ b/1.12.X/usage/components/variables/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../../deployment/resources/" class="md-nav__link">
         
@@ -2251,6 +2230,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/default_asset_rules/index.html b/1.12.X/usage/default_asset_rules/index.html
index 685d3dc..371405c 100644
--- a/1.12.X/usage/default_asset_rules/index.html
+++ b/1.12.X/usage/default_asset_rules/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2218,6 +2197,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
@@ -2663,7 +2663,7 @@ <h1 id="default-asset-rules">Default Asset Rules</h1>
 <p>When you create an Inject in a Scenario, if the Scenario has a tag matching one of the Asset Rules, the associated default Asset Groups are automatically applied to that Inject. When a Scenario is updated, if you add a tag matching one of the Asset Rules, a pop-up will appear asking if you want to apply those default Asset Groups to the existing Injects in the Scenario.</p>
 <h2 id="opencti-default-rule">OpenCTI default rule</h2>
 <p>By default, a rule for the <strong>opencti</strong> tag is created. This tag is automatically applied to Scenarios generated from OpenCTI (see <a href="../scenario/opencti_scenario.md">Generating Scenario from OpenCTI</a> ). This default rule cannot be removed, and its tag cannot be modified.</p>
-<p><a class="glightbox" href="./assets/asset_rules.png" data-type="image" data-width="auto" data-height="auto" data-desc-position="bottom"><img alt="Asset Rules" src="./assets/asset_rules.png" /></a></p>
+<p><a class="glightbox" href="../assets/asset_rules.png" data-type="image" data-width="auto" data-height="auto" data-desc-position="bottom"><img alt="Asset Rules" src="../assets/asset_rules.png" /></a></p>
 
 
 
diff --git a/1.12.X/usage/evaluate/overview/index.html b/1.12.X/usage/evaluate/overview/index.html
index 04f6aeb..21705b1 100644
--- a/1.12.X/usage/evaluate/overview/index.html
+++ b/1.12.X/usage/evaluate/overview/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../../deployment/resources/" class="md-nav__link">
         
@@ -2272,6 +2251,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/expectations/index.html b/1.12.X/usage/expectations/index.html
index 1cd4a77..cb99fcd 100644
--- a/1.12.X/usage/expectations/index.html
+++ b/1.12.X/usage/expectations/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2317,6 +2296,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/getting-started/index.html b/1.12.X/usage/getting-started/index.html
index 8bf4264..a80895d 100644
--- a/1.12.X/usage/getting-started/index.html
+++ b/1.12.X/usage/getting-started/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2269,6 +2248,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/inject-caldera/index.html b/1.12.X/usage/inject-caldera/index.html
index 5a83df9..54fd714 100644
--- a/1.12.X/usage/inject-caldera/index.html
+++ b/1.12.X/usage/inject-caldera/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2236,6 +2215,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/injectors/index.html b/1.12.X/usage/injectors/index.html
index 5ce52b0..3bac864 100644
--- a/1.12.X/usage/injectors/index.html
+++ b/1.12.X/usage/injectors/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2269,6 +2248,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/injects/index.html b/1.12.X/usage/injects/index.html
index 4a526f0..779184d 100644
--- a/1.12.X/usage/injects/index.html
+++ b/1.12.X/usage/injects/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2491,6 +2470,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/injects_and_expectations/index.html b/1.12.X/usage/injects_and_expectations/index.html
index 82552ee..a11bfef 100644
--- a/1.12.X/usage/injects_and_expectations/index.html
+++ b/1.12.X/usage/injects_and_expectations/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2227,6 +2206,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/injects_builtin/index.html b/1.12.X/usage/injects_builtin/index.html
index bc1fa7c..1b78cf6 100644
--- a/1.12.X/usage/injects_builtin/index.html
+++ b/1.12.X/usage/injects_builtin/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2179,6 +2158,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/openbas-agent/index.html b/1.12.X/usage/openbas-agent/index.html
index 398e855..4d1cdfc 100644
--- a/1.12.X/usage/openbas-agent/index.html
+++ b/1.12.X/usage/openbas-agent/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2254,6 +2233,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/payloads/payloads/index.html b/1.12.X/usage/payloads/payloads/index.html
index 21f41a8..119a7ed 100644
--- a/1.12.X/usage/payloads/payloads/index.html
+++ b/1.12.X/usage/payloads/payloads/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../../deployment/resources/" class="md-nav__link">
         
@@ -2317,6 +2296,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/people/index.html b/1.12.X/usage/people/index.html
index 55cc4f4..4ed43fc 100644
--- a/1.12.X/usage/people/index.html
+++ b/1.12.X/usage/people/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2236,6 +2215,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/playing/index.html b/1.12.X/usage/playing/index.html
index 2339e64..e796872 100644
--- a/1.12.X/usage/playing/index.html
+++ b/1.12.X/usage/playing/index.html
@@ -746,27 +746,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2160,6 +2139,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/rest-api/index.html b/1.12.X/usage/rest-api/index.html
index 65b348d..0039257 100644
--- a/1.12.X/usage/rest-api/index.html
+++ b/1.12.X/usage/rest-api/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2227,6 +2206,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/scenario/index.html b/1.12.X/usage/scenario/index.html
index 7e568c7..dc012cb 100644
--- a/1.12.X/usage/scenario/index.html
+++ b/1.12.X/usage/scenario/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2254,6 +2233,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/scenario/opencti_scenario/index.html b/1.12.X/usage/scenario/opencti_scenario/index.html
index 0872f42..4c7c5dd 100644
--- a/1.12.X/usage/scenario/opencti_scenario/index.html
+++ b/1.12.X/usage/scenario/opencti_scenario/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../../deployment/resources/" class="md-nav__link">
         
@@ -2179,6 +2158,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/scenario_import/index.html b/1.12.X/usage/scenario_import/index.html
index 602f6b7..790ec95 100644
--- a/1.12.X/usage/scenario_import/index.html
+++ b/1.12.X/usage/scenario_import/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2260,6 +2239,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/scenarios_and_simulations/index.html b/1.12.X/usage/scenarios_and_simulations/index.html
index fcbe060..d68fd49 100644
--- a/1.12.X/usage/scenarios_and_simulations/index.html
+++ b/1.12.X/usage/scenarios_and_simulations/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2227,6 +2206,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/simulation/index.html b/1.12.X/usage/simulation/index.html
index ee44745..d58b49c 100644
--- a/1.12.X/usage/simulation/index.html
+++ b/1.12.X/usage/simulation/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2254,6 +2233,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/simulation_reports/index.html b/1.12.X/usage/simulation_reports/index.html
index 07a9e6e..a838db0 100644
--- a/1.12.X/usage/simulation_reports/index.html
+++ b/1.12.X/usage/simulation_reports/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2254,6 +2233,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/systems/index.html b/1.12.X/usage/systems/index.html
index efaaf8c..f226a20 100644
--- a/1.12.X/usage/systems/index.html
+++ b/1.12.X/usage/systems/index.html
@@ -746,27 +746,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2160,6 +2139,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/targets/index.html b/1.12.X/usage/targets/index.html
index 17a2ef0..9776c0f 100644
--- a/1.12.X/usage/targets/index.html
+++ b/1.12.X/usage/targets/index.html
@@ -752,27 +752,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2227,6 +2206,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>
       
diff --git a/1.12.X/usage/testing/index.html b/1.12.X/usage/testing/index.html
index 03bc686..4e39d5d 100644
--- a/1.12.X/usage/testing/index.html
+++ b/1.12.X/usage/testing/index.html
@@ -746,27 +746,6 @@
   
   
   
-    <li class="md-nav__item">
-      <a href="../../deployment/integrations/" class="md-nav__link">
-        
-  
-  <span class="md-ellipsis">
-    Integrations
-  </span>
-  
-
-      </a>
-    </li>
-  
-
-              
-            
-              
-                
-  
-  
-  
-  
     <li class="md-nav__item">
       <a href="../../deployment/resources/" class="md-nav__link">
         
@@ -2160,6 +2139,27 @@
 
               
             
+              
+                
+  
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../administration/taxonomies/" class="md-nav__link">
+        
+  
+  <span class="md-ellipsis">
+    Taxonomies
+  </span>
+  
+
+      </a>
+    </li>
+  
+
+              
+            
           </ul>
         </nav>