Collectors
Introduction
Collectors list
You are looking for the available collectors? The list is in the OpenBAS Ecosystem.
Collectors are one of the cornerstones of the OpenBAS platform, they are responsible for pulling data from various external services for two purposes:
- Collect all alerts, logs and traces related to attacks, incidents or crisis and match them to simulated injects to evaluate the security posture.
- Collect any data that may help to schedule breach and attack simulations such as list of assets, groups, identities, payloads, etc.
🛡️ Detection (SIEM, XDR, EDR, NDR)
Those collectors are the most import ones as they are used to evaluate the security posture (response to injects) from various detection and response systems and fulfill expectations for detection and prevention.
🧬 Threat Intelligence
Those collectors are used to collect threat intelligence data such as kill chains, scenarios, TTPs, payloads, etc.
📺 Endpoint management
Those collectors are pulling alternative information about your endpoints and assets to complete the overview about your current posture in terms of vulnerabilities and compliance.
🎭 Identities
Those collectors are pulling all information related to identities, including human assets, to be used in scenario or to complete the view overview about your current posture.
🔭 Others
All other system OpenBAS can pull from, to add more meaningful and relevant information to the view of your security posture.
Collectors installation
Built-in collectors
Some collectors such as Microsoft Sentinel are directly embedded into the application. To configure them, just add the proper configuration parameters in your platform configuration.
External (Python) collectors
Configuration
All external collectors have to be able to access the OpenBAS API. To allow this connection, they have 2 mandatory configuration parameters, the OPENBAS_URL
and the OPENBAS_TOKEN
. In addition to these 2 parameters, collectors have other mandatory parameters that need to be set in order to get them work.
Collector tokens
You can use your administrator token or create another administrator service account to put in your collectors. It is not necessary to have one dedicated user for each collector.
Here is an example of a collector docker-compose.yml
file:
- OPENBAS_URL=http://localhost
- OPENBAS_TOKEN=ChangeMe
- COLLECTOR_ID=ChangeMe # Valid UUIDv4
- "COLLECTOR_NAME=MITRE ATT&CK"
- COLLECTOR_LOG_LEVEL=error
Here is an example in a collector config.yml
file:
openbas:
url: 'http://localhost:3001'
token: 'ChangeMe'
collector:
id: 'ChangeMe'
name: 'MITRE ATT&CK'
log_level: 'info'
Docker activation
You can either directly run the Docker image of collectors or add them to your current docker-compose.yml
file.
Add an collector to your deployment
For instance, to enable the MITRE ATT&CK collector, you can add a new service to your docker-compose.yml
file:
collector-mitre-attack:
image: openbas/collector-mitre-attack:1.0.0
environment:
- OPENBAS_URL=http://localhost
- OPENBAS_TOKEN=ChangeMe
- COLLECTOR_ID=ChangeMe
- "COLLECTOR_NAME=MITRE ATT&CK"
- COLLECTOR_LOG_LEVEL=error
restart: always
Launch a standalone collector
To launch standalone collector, you can use the docker-compose.yml
file of the collector itself. Just download the latest release and start the collector:
$ wget https://github.com/OpenBAS-Platform/collectors/archive/{RELEASE_VERSION}.zip
$ unzip {RELEASE_VERSION}.zip
$ cd collectors-{RELEASE_VERSION}/mitre-attack/
Change the configuration in the docker-compose.yml
according to the parameters of the platform and of the targeted service. Then launch the collector:
Manual activation
If you want to manually launch collector, you just have to install Python 3 and pip3 for dependencies:
Download the release of the collectors:
$ wget <https://github.com/OpenBAS-Platform/collectors/archive/{RELEASE_VERSION}.zip>
$ unzip {RELEASE_VERSION}.zip
$ cd collectors-{RELEASE_VERSION}/mitre-attack/src/
Install dependencies and initialize the configuration:
Change the config.yml
content according to the parameters of the platform and of the targeted service and launch the collector:
Collectors status
The collector status can be displayed in the dedicated section of the platform available in Integration > collectors. You will be able to see the statistics of the RabbitMQ queue of the collector:
Problem
If you encounter problems deploying OpenBAS or collectors, you can consult the troubleshooting page page.