
Collectors

Introduction

Collectors list

You are looking for the available collectors? The list is in the OpenBAS Ecosystem.

Collectors are one of the cornerstones of the OpenBAS platform. They are responsible for pulling data from various external services for two purposes:

  • Collect all alerts, logs and traces related to attacks, incidents or crises and match them to simulated injects to evaluate the security posture.
  • Collect any data that may help to schedule breach and attack simulations, such as lists of assets, groups, identities, payloads, etc.

🛡️ Detection (SIEM, XDR, EDR, NDR)

These collectors are the most important ones: they are used to evaluate the security posture (the response to injects) from various detection and response systems and to fulfill the detection and prevention expectations attached to each inject.

🧬 Threat Intelligence

These collectors are used to collect threat intelligence data such as kill chains, scenarios, TTPs, payloads, etc.

📺 Endpoint management

These collectors pull complementary information about your endpoints and assets to complete the overview of your current posture in terms of vulnerabilities and compliance.

🎭 Identities

These collectors pull all information related to identities, including human assets, to be used in scenarios or to complete the overview of your current posture.

🔭 Others

All other systems OpenBAS can pull from, to add more meaningful and relevant information to the view of your security posture.

Collectors installation

Built-in collectors

Some collectors such as Microsoft Sentinel are directly embedded into the application. To configure them, just add the proper configuration parameters in your platform configuration.

External (Python) collectors

Configuration

All external collectors have to be able to access the OpenBAS API. To allow this connection, they have 2 mandatory configuration parameters, OPENBAS_URL and OPENBAS_TOKEN. In addition to these 2 parameters, each collector has other mandatory parameters that need to be set in order to get it working (at least COLLECTOR_ID and COLLECTOR_NAME, plus whatever the targeted service requires).

Collector tokens

You can use your administrator token or create another administrator service account and put its token in your collectors. It is not necessary to have one dedicated user for each collector. Either way, the token carries administrator rights on the platform: keep it out of version control and log output, and rotate it if it is exposed.

Here is an example of a collector docker-compose.yml file:

- OPENBAS_URL=http://localhost
- OPENBAS_TOKEN=ChangeMe
- COLLECTOR_ID=ChangeMe # Valid UUIDv4
- "COLLECTOR_NAME=MITRE ATT&CK"
- COLLECTOR_LOG_LEVEL=error

Here is an example in a collector config.yml file:

openbas:
  url: 'http://localhost:3001'
  token: 'ChangeMe'

collector:
  id: 'ChangeMe'
  name: 'MITRE ATT&CK'
  log_level: 'info'
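The two configuration forms above carry the same five parameters. As an added example (not code from this page or from the OpenBAS collector SDK), the following Python loader merges a parsed config.yml with the environment variables from the docker-compose sample, lets the environment take precedence, and fails fast on the mistakes that are otherwise only discovered as an opaque API error: a missing mandatory parameter, a "ChangeMe" sample value left in place, or a COLLECTOR_ID that is not a valid UUIDv4. It assumes config.yml has already been parsed into a dict (with PyYAML or similar); the placeholder and UUID checks are assumptions added here, not rules documented by the project, and the sample inputs are constructed.

```python
import os
import uuid

# Environment variable names from the docker-compose sample, mapped to the
# (section, key) pairs of the config.yml sample.
ENV_TO_YAML = {
    "OPENBAS_URL": ("openbas", "url"),
    "OPENBAS_TOKEN": ("openbas", "token"),
    "COLLECTOR_ID": ("collector", "id"),
    "COLLECTOR_NAME": ("collector", "name"),
    "COLLECTOR_LOG_LEVEL": ("collector", "log_level"),
}

MANDATORY = ("OPENBAS_URL", "OPENBAS_TOKEN", "COLLECTOR_ID", "COLLECTOR_NAME")
LOG_LEVELS = ("debug", "info", "warning", "error")
PLACEHOLDER = "ChangeMe"  # the sample value shipped in config.yml.sample / docker-compose.yml


class ConfigError(ValueError):
    """Raised when a mandatory collector parameter is missing or unusable."""


def load_collector_config(file_config=None, environ=None):
    """Merge a parsed config.yml dict with environment variables.

    Environment variables win over the file, so the same collector code can be
    driven either by docker-compose or by a local config.yml.
    Returns a flat dict keyed by the environment-variable names.
    """
    file_config = file_config or {}
    environ = os.environ if environ is None else environ
    merged = {}
    for env_name, (section, key) in ENV_TO_YAML.items():
        from_file = (file_config.get(section) or {}).get(key)
        value = environ.get(env_name, from_file)
        if value is not None:
            merged[env_name] = str(value).strip()
    return validate_collector_config(merged)


def validate_collector_config(cfg):
    """Check the merged config before any API call is attempted (assumed checks)."""
    for name in MANDATORY:
        if not cfg.get(name):
            raise ConfigError(f"{name} is mandatory but not set")
    if PLACEHOLDER in (cfg["OPENBAS_TOKEN"], cfg["COLLECTOR_ID"]):
        raise ConfigError("OPENBAS_TOKEN / COLLECTOR_ID still carry the sample value 'ChangeMe'")
    if not cfg["OPENBAS_URL"].startswith(("http://", "https://")):
        raise ConfigError("OPENBAS_URL must be an http(s) URL")
    try:
        parsed = uuid.UUID(cfg["COLLECTOR_ID"])
    except ValueError as exc:
        raise ConfigError("COLLECTOR_ID is not a UUID") from exc
    if parsed.version != 4:
        raise ConfigError("COLLECTOR_ID must be a version-4 UUID")
    # The log level is optional; default to the value used in the config.yml sample.
    level = cfg.setdefault("COLLECTOR_LOG_LEVEL", "info").lower()
    if level not in LOG_LEVELS:
        raise ConfigError(f"COLLECTOR_LOG_LEVEL must be one of {LOG_LEVELS}")
    cfg["COLLECTOR_LOG_LEVEL"] = level
    return cfg


def redact(cfg):
    """Copy of the config that is safe to log: the token is an administrator credential."""
    safe = dict(cfg)
    if "OPENBAS_TOKEN" in safe:
        safe["OPENBAS_TOKEN"] = "***"
    return safe


# Constructed sample inputs mirroring the two samples above (not real credentials).
SAMPLE_FILE_CONFIG = {
    "openbas": {"url": "http://localhost:3001", "token": "ChangeMe"},
    "collector": {"id": "ChangeMe", "name": "MITRE ATT&CK", "log_level": "info"},
}
SAMPLE_ENV = {
    "OPENBAS_TOKEN": "0123456789abcdef0123456789abcdef",
    "COLLECTOR_ID": "8c1f2a3e-4b5d-4e6f-8a9b-0c1d2e3f4a5b",
    "COLLECTOR_LOG_LEVEL": "error",
}

if __name__ == "__main__":
    print(redact(load_collector_config(SAMPLE_FILE_CONFIG, SAMPLE_ENV)))
```

With the constructed inputs the file supplies the URL and name, the environment supplies the real token, a valid UUIDv4 and the log level, and the "ChangeMe" values from the file never reach the API client; dropping the environment makes the loader refuse to start instead of registering a collector with a placeholder identifier.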

Docker activation

You can either directly run the Docker image of collectors or add them to your current docker-compose.yml file.

Add a collector to your deployment

For instance, to enable the MITRE ATT&CK collector, you can add a new service to your docker-compose.yml file. Note that inside the collector container, localhost is the container itself, so point OPENBAS_URL at the OpenBAS service name (or another hostname the container can reach) rather than the literal http://localhost of the sample:

  collector-mitre-attack:
    image: openbas/collector-mitre-attack:1.0.0
    environment:
      - OPENBAS_URL=http://localhost
      - OPENBAS_TOKEN=ChangeMe
      - COLLECTOR_ID=ChangeMe
      - "COLLECTOR_NAME=MITRE ATT&CK"
      - COLLECTOR_LOG_LEVEL=error
    restart: always

Launch a standalone collector

To launch a standalone collector, you can use the docker-compose.yml file of the collector itself. Just download the latest release and start the collector:

$ wget https://github.com/OpenBAS-Platform/collectors/archive/{RELEASE_VERSION}.zip
$ unzip {RELEASE_VERSION}.zip
$ cd collectors-{RELEASE_VERSION}/mitre-attack/

Change the configuration in the docker-compose.yml according to the parameters of the platform and of the targeted service. Then launch the collector:

$ docker-compose up

Manual activation

If you want to launch a collector manually, you just have to install Python 3 and pip3 for the dependencies:

$ apt install python3 python3-pip

Download the release of the collectors:

$ wget https://github.com/OpenBAS-Platform/collectors/archive/{RELEASE_VERSION}.zip
$ unzip {RELEASE_VERSION}.zip
$ cd collectors-{RELEASE_VERSION}/mitre-attack/src/

Install dependencies and initialize the configuration:

$ pip3 install -r requirements.txt
$ cp config.yml.sample config.yml

Change the config.yml content according to the parameters of the platform and of the targeted service and launch the collector:

$ python3 openbas_mitre.py

Collectors status

The collector status can be displayed in the dedicated section of the platform, available under Integration > Collectors. There you can see the statistics of the RabbitMQ queue of each collector:


Problem

If you encounter problems deploying OpenBAS or collectors, you can consult the troubleshooting page.