Testcase Data Capture
This screen (/testcase/<testcaseid>) is the core of PurpleOps, where the red and blue teams enter their respective data for each testcase.
Tip: Hit the i icon left of the testcase's name to see MITRE's description and advice for the testcase, applicable SIGMA rules, and references.
Tip: Use the Go dropdown right of the testcase end time to jump straight to another testcase without returning to the assessment screen.
Red Side
Note: Only Admin and Red users can perform these functions.
The red team enters / edits data pertaining to the testcase's:
- Mitre ID
- Name
- Tactic
- Start / end execution time (as populated via the start / stop button)
- Visibility (toggled via the "eye" button)
- Source(s)
- Target(s)
- Tool(s) used
- Objective (what's the aim of the testcase?)
- Actions (what command was run or manual action performed?)
- Notes (e.g. did successful execution require obfuscation?)
- Evidence (intended to include screenshots, logs and tools executed)
- Evidence captions (images only)
Blue Side
Note: Only Admin, Red and Blue users can perform these functions.
The blue team enters / edits data pertaining to the testcase's:
- Prevention status
- Detection status
- Alert generated
- Alert severity
- Logged status (inferred as Yes if an alert was generated)
- Priority
- Focus
- Urgency
- Applicable controls
- Tags
- Notes (e.g. alert IDs, log permalink URLs, commentary)
- Evidence (intended to include alert screenshots, raw log files...)
- Evidence captions (images only)
Managing Sources / Targets / Tools / Controls / Tags
Under each dropdown is a Manage button that opens a modal for defining the assets of that type. Changes made in the manage modal apply assessment-wide, not to a single testcase; the controls applicable to a particular testcase are chosen in the dropdown instead.
Saving
The red "return" arrow returns to the assessment screen without saving. The green "tick" button saves the testcase but stays on the testcase screen. The navbar return button also does not save.