|
| 1 | +# Collector development |
| 2 | + |
| 3 | +## Detection & Prevention (SIEM, XDR, EDR, NDR) |
| 4 | + |
| 5 | +### Introduction |
| 6 | + |
| 7 | +This guide explains how to implement an **OpenBAS collector for a EDR/XDR**, to retrieve security events and compare |
| 8 | +them against injected expectations in OpenBAS. |
| 9 | + |
| 10 | +### Implementing the Collector |
| 11 | + |
| 12 | +The following documentation is based on the [CrowdStrike Collector](https://github.com/OpenBAS-Platform/collectors/tree/main/crowdstrike). |
| 13 | + |
| 14 | +#### 1. Retrieving Expectations |
| 15 | + |
| 16 | +The first step involves fetching all expectations that have not yet been fulfilled by your collector. These expectations |
| 17 | +must be validated within a short timeframe to assess the responsiveness of your EDR/XDR (default: 45 minutes). If this |
| 18 | +period is exceeded, the expectations will be marked as failed. |
| 19 | + |
| 20 | +#### 2. Retrieving Alerts |
| 21 | + |
| 22 | +This step focuses on collecting alerts from your service tiers. There are two key aspects to define: |
| 23 | + |
| 24 | +- How to extract relevant information from an alert to match OpenBAS signatures. |
| 25 | +- How to determine whether the alert successfully prevented or detected the attack based on the expectations. |
| 26 | + |
| 27 | +Definition: a signature is a way to find an attack in an alert. |
| 28 | + |
| 29 | +| Signature | Description | |
| 30 | +|---------------------|-------------------------------------------------------------------------------------------------------------------------| |
| 31 | +| PARENT_PROCESS_NAME | The parent process name of the attack, which corresponds to the implant name created with openbas-implant-INJECT_ID.exe | |
| 32 | + |
| 33 | +#### 3. Matching Expectations |
| 34 | + |
| 35 | +The final step involves aligning retrieved expectations with logs and signatures from your service tiers to ensure |
| 36 | +proper validation. |
| 37 | + |
| 38 | + |
| 39 | + |
| 40 | +### Use it |
| 41 | + |
| 42 | +Now, you can launch your collector by connecting it with OpenBAS. |
| 43 | +Your collector will register to OpenBAS and you can view in Integrations > Collectors. |
| 44 | + |
| 45 | + |
0 commit comments