From a fresh SimRun to your first matched detection.
- SimRun is running and reachable. See getting-started.md if you haven't set it up yet.
- You're familiar with the vocabulary — assessments, runs, scenarios, expectations, matchers. See concepts.md for a quick overview.
Goal: detonate a real pack simulation in AWS and confirm that the expected Elastic Security alert fires.
You'll need:
- A running Elastic Security deployment with Kibana access and an API key.
- An AWS account and credentials (access key or role ARN) that SimRun can use to run the simulation.
Navigate to http://localhost:8080. The Dashboard gives an at-a-glance view of recent runs and scenario pass/fail rates.
SimRun needs to know where your SIEM is and how to reach AWS. Both are configured as connectors backed by secret groups.
- Go to Connectors (
/connectors). - Click Add connector, choose type
elastic. - Enter your
kibana_url(e.g.https://kibana.example.com). - Under Secret group, create a new group and add
SR_ELASTIC_API_KEYwith your Elasticsearch API key. - Save. SimRun will use this connector as the default SIEM for all runs.
- Still on Connectors, click Add connector, choose type
aws. - If you're using role assumption, enter the
role_arn. - (if not using a role) Under Secret group, create a group and add
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY.
See connectors-and-secrets.md for the full field reference.
A pack bundles the Terraform modules and scenario definitions for a set of simulations.
- Go to Packs (
/packs) and start a new install. - Choose Remote and enter the pack name (e.g.
simrun-base-pack) and its source. (The Upload tab installs a pack binary you built locally — handy when developing your own simulations.) - Click Install. SimRun fetches the pack, validates its manifest, and lists the available simulations.
- Optionally set pack-level parameters — for example, set
aws_regiontous-east-2so every simulation in the pack targets that region by default.
See packs.md for both install methods and parameter details.
An assessment is a saved definition of scenarios. You'll create one with a single scenario that detonates a pack simulation and expects an Elastic Security alert.
- Go to Assessments (
/assessments) and click New assessment. - Give it a name, then define the scenario. The editor opens in Builder mode, where you add detonators and expectations with forms — or switch to YAML mode to write or paste it directly. Either way, here's the YAML this scenario produces:
targets:
aws: my-aws-connector # the connector name from Step 2
scenarios:
- name: S3 public access block disabled
detonate:
simrunDetonator:
pack: simrun-base-pack
simulation: aws.s3-disable-public-access-block
expectations:
- elasticSecurityAlert:
name: "S3 Public Access Block Disabled"Key points:
targets.awsmust match the connector name you created in Step 2.simrunDetonator.packandsimrunDetonator.simulationreference the pack you installed in Step 3.elasticSecurityAlert.nameis the exact Detection Engine rule name in Kibana that you expect to fire.
See scenarios.md for the full YAML reference.
Click Run on the assessment. SimRun creates a new Run and begins executing scenarios in parallel.
- Each scenario detonates the simulation, then polls Kibana for the expected alert.
- The run page updates in real time as scenarios complete.
Each scenario shows one of:
- Matched — the expectation fired; the expected alert was found in Kibana within the timeout.
- Unmatched — the alert was not found before the timeout expired. Check whether the rule is enabled in Kibana and that the simulation actually ran.
If you added a collect block to your scenario, the related Elasticsearch logs are shown alongside the results for post-hoc analysis.
- Rule Coverage (
/rules/coverage) — view your Elastic detection rules mapped to MITRE ATT&CK techniques. Identify which techniques have coverage and which are gaps. - Scheduling — run assessments on a recurring schedule directly from the Assessments page.
- Write your own scenarios — see scenarios.md for the full YAML reference: multiple expectations, AWS CLI detonation, log injection, indicators, and collectors.