
Ability to have expectation results on assets with Sentinel and without EDR alerts #2888

@Seb-MIGUEL

Description


Context

In many security programs, validation efforts are limited to assets where an agent is deployed. Until now, OpenBAS followed this model — matching detection expectations with the endpoint’s agent ID. However, this approach does not reflect how real-world attacks unfold.

Use case

When I'm running a CVE scan or exploit from an OpenBAS agent to a remote host without OpenBAS, the expectation results will not raise alerts.

Current Workaround

Have OpenBAS on every endpoint, but the collector needs to be adapted to match the target hostname and not the source one.

Proposed Solution

One idea could be to add a payload argument type with a specific key like "remote_ip", and then specify that we can create a KQL query in Sentinel to retrieve alerts where the IP matches the "remote_ip" value.

To discuss.
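An added example (not code from the OpenBAS project or from this issue) of what the proposed remote_ip matching could look like on the collector side: a KQL query over Sentinel's SecurityAlert table built from a validated remote_ip payload argument, plus the IP-based matching run over a few constructed alert rows. The remote_ip key, the column names and the sample rows are assumptions of this example.

```python
import ipaddress
import json
import re

# Constructed sample of SecurityAlert rows, shaped like Log Analytics query results
# (only the columns this example needs). All values are made up.
SAMPLE_ALERTS = [
    {"TimeGenerated": "2024-05-01T10:02:11Z", "AlertName": "Suspicious command execution",
     "Entities": json.dumps([{"$id": "1", "Type": "host", "HostName": "web-01"},
                             {"$id": "2", "Type": "ip", "Address": "10.20.30.40"}])},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "AlertName": "Port scan detected",
     "Entities": json.dumps([{"$id": "1", "Type": "ip", "Address": "10.20.30.41"}])},
    {"TimeGenerated": "2024-05-01T10:06:30Z", "AlertName": "Malformed entities",
     "Entities": "not json"},
]

def validate_remote_ip(value):
    """Return the normalized IP string, or None if the payload argument is not an IP.
    Validating before building the query keeps an attacker-controlled argument from
    injecting KQL (assumption: remote_ip is a single IPv4/IPv6 address)."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def build_kql(remote_ip, lookback="1h"):
    """Build the Sentinel query that finds alerts carrying `remote_ip` as an IP entity."""
    ip = validate_remote_ip(remote_ip)
    if ip is None or not re.fullmatch(r"\d+[mhd]", lookback):
        raise ValueError("remote_ip must be an IP address and lookback like '1h'")
    return (
        "SecurityAlert\n"
        f"| where TimeGenerated > ago({lookback})\n"
        "| mv-expand Entity = todynamic(Entities)\n"
        f"| where tostring(Entity.Type) == 'ip' and tostring(Entity.Address) == '{ip}'\n"
        "| project TimeGenerated, AlertName, AlertSeverity, SystemAlertId"
    )

def match_alerts(rows, remote_ip):
    """Client-side equivalent of the query: alert names whose entities include remote_ip.
    Rows with unparseable Entities are skipped instead of failing the whole expectation."""
    ip = validate_remote_ip(remote_ip)
    matched = []
    for row in rows:
        try:
            entities = json.loads(row.get("Entities") or "[]")
        except json.JSONDecodeError:
            continue
        if any(e.get("Type") == "ip" and validate_remote_ip(str(e.get("Address", ""))) == ip
               for e in entities):
            matched.append(row["AlertName"])
    return matched
```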

Labels

feature