Managing Engagements
This page explains how to manage a runbook engagement.
Engagements are runbooks being executed towards a specific client. Once an engagement begins, it will create a report associated to that client and viewable in the Reports module.
When a runbook is in progress or submitted/closed, it will be listed on the Engagements page of the Runbooks module.
This view displays the engagement title, associated client, runbook title, date started, and status. Engagements can also be edited or deleted from this page via the options under the "Actions" column.
Step 1: Click Edit under the "Actions" column for the desired engagement.
Only engagements that are "in Progress" can be edited. Once an engagement is submitted, it is tagged as "Closed" and cannot be edited.
Step 2: The Engagement Overview page appears and provides immediate visual progress status, what procedures exist within the engagement and their status, and other configuration options.
Below is an explanation of the page:
- Go to Report: Clicking this brings up the report created by the engagement under the Clients module.
- Submit Engagement: Clicking this changes the status of the engagement to "Closed" and prevents further editing.
Clicking Submit Engagement cannot be reversed.
- Import: Clicking this allows the import of new procedures from an outside source.
- Manage Procedures: Clicking this provides ability to add or remove procedures.
- Actions>Edit: This is where the work will take in order for the engagement to move forward. For each procedure that needs to be accomplished, it will need to be opened and managed. When it is done, the status of the procedure will dynamically turn to green under the "Completed" column, which will update the overall engagement progress bar appropriately. The procedure completed status can also be manually set.
Step 3: Click Edit on the procedure to work on. This brings up the Engagement Procedure page.
Navigate through procedures via the arrow buttons at the top of the page:
The Engagement Procedure page consists of three parts:
- 1.Procedure Overview Box
- 2.Red Team Tab
- 3.Blue Team Tab
This is the top section of the Engagement Procedure page and contains the procedure title, procedure description and supportive content, procedure status, any assigned operators for blue and red teams, techniques, tactics, and tags.
- Mark as Completed: This toggle marks if a procedure was completed or not and impacts the overall progress on the Engagements Overview page.
- Manage Operators: Clicking this allows assignment of procedures to people on either the Red or Blue Team (the option is given to specify when choosing an operator).
- Procedure Tags: Tags associated to the procedure and can added or deleted as desired.
This tab explains all the steps and findings of the Red team.
- Outcome: Identify the outcome of this procedure. This is separate from its completion status.
- Attachments: Upload evidence from screenshots, pictures, or code samples.
- Execution Steps: List all the execution steps associated with this procedure. Execution Steps include specifics on how to complete to procedure.
- Targeted Assets: List of assets applied to the execution steps to. Clicking Add Asset will allow creation of a new asset or a selection from existing an asset.
- Procedure Log: Evidentiary data that usually contains a forensic record of actions taken against a network or host.
- Attack Source: Location where the execution steps are being preformed from, such as a company headquarters, specific IP, subdomain, hostname, etc.
- Notes: Personal notes on this particular procedure.
This tab explains all the steps and findings of the Blue team.
- Attack Outcome: Informational content pulled directly from the Red Team section.
- Execution Steps: All the execution steps associated with this Procedure. This is the same as for the Red Team, except the Blue Team cannot complete or change any of the steps. This shows what the Red Team did to the network/host in each step.
- Detection Outcome: Outcome of the Blue Team's part of the Engagement. This would be the overall outcome indicator.
- Attachments: Upload evidence from screenshots, pictures, or code samples.
- Targeted Assets: List of assets applied to the execution steps to. Clicking Add Asset will allow creation of a new asset or a selection from existing an asset.
- Procedure Log: Evidentiary data that usually contains a forensic record of actions taken against a network or host.
- Notes: Personal notes on this particular procedure.
Once all procedures are ready, the engagement is complete, and it is time to build a report, return to the Engagement Overview page and click Submit Engagement. This process takes a minute and will complete the report in the specified client, which can then be modified and updated before export.
Clicking Submit Engagement cannot be reversed.
Last modified 4mo ago