Usage

We built the framework to be quick and easy to set up: whether you want to run the bot in Discord or Slack, you just need to start T3SF!

Initializing T3SF

To start the framework, you have to set 3 parameters. Depending on the platform and your preferences, set the following arguments:

MSEL

The location of the MSEL. It accepts the complete file path.

Type: str
Required: True

platform

The platform you want to use.

Type: str
Required: True
Values: Slack or Discord

gui

Starts the GUI of the framework.

Type: bool
Required: False
Default: True

This example starts an exercise on Slack with the GUI enabled:

from T3SF import T3SF
import asyncio

async def main():
    # Load the MSEL, target Slack and start the GUI
    await T3SF.start(MSEL="MSEL_Company.json", platform="Slack", gui=True)

if __name__ == '__main__':
    # T3SF.start() is awaited, so main() runs inside an asyncio event loop
    asyncio.run(main())

And that’s it!

MSEL Configuration

The Master Scenario Events List (MSEL) is the file where all injects are stored. The framework retrieves all the messages and players from this file, so it’s like the heart of the exercise!

Format

The repo includes an example of a common MSEL; here we briefly explain its format.

Here is the first inject from the example in the repo.

{
    "#": 1,
    "Real Time": "07:30 PM",
    "Date": "Monday  9:40 AM",
    "Subject": "[URGENT] Ransom Request!",
    "From": "SOC - BASE4",
    "Player": "Legal",
    "Script": "Team, we received a ransom request. What should we do?",
    "Picture Name": "Base_4_SOC.jpg",
    "Photo": "https://img2.helpnetsecurity.com/posts2018/aws-s3-buckets-public.jpg",
    "Profile": "https://foreseeti.com/wp-content/uploads/2021/09/Ska%CC%88rmavbild-2021-09-02-kl.-15.44.24.png",
    "Poll": "We are checking on it | It is a false positive"
}

#

The inject/incident number.

Type: int
Required: True

Real Time

The actual time by which the incident should arrive in the player’s inbox. This will not be shown to the player.

Note: We are mainly using the minutes of this key to make things work.

Type: str
Required: True

Date

The simulated date of the incident. This will be displayed to the player.

Type: str
Required: True

Subject

The subject of the incident.

Type: str
Required: True

From

The sender of the incident/message.

Type: str
Required: True

Player

The player’s name, e.g. "Information Security", "Legal", "SRE".

Type: str
Required: True

Script

The main text of the message: the incident body.

Type: str
Required: True

Picture Name

The attachment’s name.

Note: This key is used in Slack.

Type: str -> Web URL
Required: False -> True if the platform is Slack.

Photo

An attached photo for the incident.

Note: In WhatsApp, the photo should be a local path. On other platforms, you can use an image URL from the internet.

Type: str -> Web URL
Required: False

Profile

The profile picture of the sender. If no profile picture is set for an incident, a default user avatar will be used.

Note: This key is only valid in Discord and Slack, due to platform restrictions.

Type: str -> Web URL
Required: False -> True if the platform is Discord or Slack.

Poll

Sets up a survey to be sent to the players, who then have time to answer by choosing among the options.

Note: This key is only valid in Discord and Slack, due to platform restrictions.

Type: str
Required: False

Note: The options should be separated with a pipe (|) symbol.
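
A pre-flight check for a single inject, written from the field reference above. This is an added example, not part of T3SF: validate_inject and parse_poll are hypothetical helper names, the "Real Time" format is assumed from the sample inject, the two-option minimum for polls is an assumption, and the sample's image URLs are constructed placeholders.

```python
from datetime import datetime
from urllib.parse import urlparse

# Keys the field reference on this page marks as always required, with their types.
REQUIRED = {"#": int, "Real Time": str, "Date": str, "Subject": str,
            "From": str, "Player": str, "Script": str}
# Keys the page marks as required only on some platforms.
PLATFORM_REQUIRED = {"Picture Name": {"slack"}, "Profile": {"slack", "discord"}}

def parse_poll(value):
    """Split a Poll string on the pipe symbol and trim each option."""
    return [opt.strip() for opt in value.split("|") if opt.strip()]

def validate_inject(inject, platform):
    """Return a list of problems in one MSEL inject; an empty list means clean."""
    platform, problems = platform.lower(), []
    for key, typ in REQUIRED.items():
        value = inject.get(key)
        if value is None or value == "":
            problems.append(f"missing required key: {key}")
        elif not isinstance(value, typ) or isinstance(value, bool):
            problems.append(f"{key} must be {typ.__name__}")
    for key, platforms in PLATFORM_REQUIRED.items():
        if platform in platforms and not inject.get(key):
            problems.append(f"{key} is required on {platform}")
    # Assumption: "Real Time" follows the "07:30 PM" form of the sample inject.
    if isinstance(inject.get("Real Time"), str) and inject["Real Time"]:
        try:
            datetime.strptime(inject["Real Time"], "%I:%M %p")
        except ValueError:
            problems.append("Real Time is not in HH:MM AM/PM form")
    # Photo and Profile are documented as web URLs (Photo is a local path on WhatsApp).
    for key in ("Photo", "Profile"):
        value = inject.get(key)
        if value and not (key == "Photo" and platform == "whatsapp"):
            parsed = urlparse(str(value))
            if parsed.scheme not in ("http", "https") or not parsed.netloc:
                problems.append(f"{key} is not an http(s) URL")
    # Assumption: a poll with fewer than two options is an authoring mistake.
    if inject.get("Poll") and len(parse_poll(inject["Poll"])) < 2:
        problems.append("Poll needs at least two options separated by |")
    return problems

# Sample input: the page's first inject, with constructed placeholder image URLs.
SAMPLE = {"#": 1, "Real Time": "07:30 PM", "Date": "Monday  9:40 AM",
          "Subject": "[URGENT] Ransom Request!", "From": "SOC - BASE4", "Player": "Legal",
          "Script": "Team, we received a ransom request. What should we do?",
          "Picture Name": "Base_4_SOC.jpg", "Photo": "https://example.com/photo.jpg",
          "Profile": "https://example.com/avatar.png", "Poll": "We are checking on it | It is a false positive"}
```

Running this over every inject before an exercise catches missing platform-specific keys and malformed image URLs while the MSEL can still be edited.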