Commit 0c5e777

[docs] Add collectors development explanation
1 parent b89df80 commit 0c5e777

4 files changed

+46
-0
lines changed

docs/development/collectors.md

Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
# Collector development
2+
3+
## Detection & Prevention (SIEM, XDR, EDR, NDR)
4+
5+
### Introduction
6+
7+
This guide explains how to implement an **OpenBAS collector for a EDR/XDR**, to retrieve security events and compare
8+
them against injected expectations in OpenBAS.
9+
10+
### Implementing the Collector
11+
12+
The following documentation is based on the [CrowdStrike Collector](https://github.com/OpenBAS-Platform/collectors/tree/main/crowdstrike).
13+
14+
#### 1. Retrieving Expectations
15+
16+
The first step involves fetching all expectations that have not yet been fulfilled by your collector. These expectations
17+
must be validated within a short timeframe to assess the responsiveness of your EDR/XDR (default: 45 minutes). If this
18+
period is exceeded, the expectations will be marked as failed.
19+
20+
#### 2. Retrieving Alerts
21+
22+
This step focuses on collecting alerts from your service tiers. There are two key aspects to define:
23+
24+
- How to extract relevant information from an alert to match OpenBAS signatures.
25+
- How to determine whether the alert successfully prevented or detected the attack based on the expectations.
26+
27+
Definition: a signature is a way to find an attack in an alert.
28+
29+
| Signature | Description |
30+
|---------------------|-------------------------------------------------------------------------------------------------------------------------|
31+
| PARENT_PROCESS_NAME | The parent process name of the attack, which corresponds to the implant name created with openbas-implant-INJECT_ID.exe |
32+
33+
#### 3. Matching Expectations
34+
35+
The final step involves aligning retrieved expectations with logs and signatures from your service tiers to ensure
36+
proper validation.
37+
38+
![Collector diagram](assets/collector-diagram.png)
39+
40+
### Use it
41+
42+
Now, you can launch your collector by connecting it with OpenBAS.
43+
Your collector will register to OpenBAS and you can view in Integrations > Collectors.
44+
45+
![Collectors view in OpenBAS](assets/collectors-view.png)
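Review bot: the three steps are described only at a high level, so a reader could not implement step 2 from this page alone: "How to extract relevant information from an alert to match OpenBAS signatures" and "How to determine whether the alert successfully prevented or detected the attack" are listed as things to define but never defined, and the signature table carries a single row (PARENT_PROCESS_NAME). Consider adding, next to the CrowdStrike link, the concrete rule that collector uses for the prevention-versus-detection decision and one table row per supported signature type, and name the setting that controls the 45-minute expectation window mentioned in step 1. Wording fixes: "a EDR/XDR" should read "an EDR/XDR"; "service tiers" in steps 2 and 3 is unclear (presumably the EDR/XDR platform being collected from); "you can view in Integrations > Collectors" is missing its object ("view it in").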

mkdocs.yml

Lines changed: 1 addition & 0 deletions
@@ -181,6 +181,7 @@ nav:
181181
- Windows: development/environment_windows.md
182182
- Build from source: development/build_from_source.md
183183
- Platform: development/platform.md
184+
- Collectors: development/collectors.md
184185
- Injectors: development/injectors.md
185186
- REST API: development/api-usage.md
186187
