This repository has been archived by the owner on May 29, 2024. It is now read-only.
Threat Bus 2021.05.27 #122
dominiklohmann started this conversation in Releases
We're happy to announce our release 2021.05.27 of Threat Bus.
STIX-Shifter Integration
This month's release brings a new Threat Bus app to integrate with STIX-Shifter. STIX-Shifter is a tool and Python library to transform STIX patterns into native queries for (mostly commercial) security tools, like IBM QRadar or Splunk. The new app connects STIX-Shifter with Threat Bus and provides a simple way to communicate with the commercial tools of your choice via Threat Bus.
The new app works similarly to pyvast-threatbus and communicates via ZeroMQ. It subscribes to the STIX-2 indicator stream in Threat Bus and then leverages the STIX-Shifter Python library to convert the received STIX patterns to native queries. Check out the OCA documentation for a list of tools that STIX-Shifter can connect with.
Users can configure this new app via a verbose configuration file and tweak behavior for every connected third-party tool individually. STIX-Shifter is module-based, meaning that to connect with any tool, users must first install the required STIX-Shifter module for that particular tool (e.g., `stix-shifter-modules-splunk` to communicate with Splunk). The new Threat Bus app supports module-specific configuration by adding an appropriate section for every installed module (e.g., `splunk`) in the app's configuration file.
The STIX-Shifter integration is still very early and only works in one direction. Once indicators are transformed into native queries, the app simply logs the query results to the console. We are currently working on reporting back results from STIX-Shifter to Threat Bus. Stay tuned!
ZeroMQ App Template
It's time to lower the barrier of entry to connect your own applications with Threat Bus. That's why we created a template for writing Python applications. The template app uses ZeroMQ to connect with Threat Bus, so make sure to install the `threatbus-zmq-app` plugin on your Threat Bus host to get going.
The template app itself is a fully executable application that ships as an individual Python module. Users can execute the application via the CLI once it's installed in a virtualenv. The template provides logic to manage subscriptions, heartbeats, and reconnection in case of (network) failures. It builds on Python coroutines via `asyncio` and can be extended easily to build your own app that connects with Threat Bus.
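The subscribe / heartbeat / reconnect loop that the template section above describes, as an added illustration rather than the template's own code: a pure-asyncio client talks to a constructed stand-in for the Threat Bus management endpoint, subscribes once for several topics (receiving a single point-to-point topic, as the multi-topic subscription feature describes), sends heartbeats, and resubscribes after a simulated outage. The message keys, the `p2p/N` topic names and the `stix2/sighting` topic are assumptions; no real ZeroMQ socket is involved.

```python
import asyncio
from dataclasses import dataclass, field

# Constructed stand-in for the Threat Bus management endpoint: it answers a
# subscription request with a point-to-point (p2p) topic and acks heartbeats,
# but simulates one outage (the request after `fail_after` acked heartbeats
# fails, then it is reachable again). Message keys are assumptions for this demo.
@dataclass
class FakeThreatBus:
    fail_after: int
    acked: int = 0
    subscriptions: list = field(default_factory=list)
    outage_pending: bool = False

    async def request(self, msg: dict) -> dict:
        if self.outage_pending:
            self.outage_pending = False
            raise ConnectionError("management endpoint unreachable")
        if msg["action"] == "subscribe":
            # One subscription for several topics yields one p2p topic.
            self.subscriptions.append(tuple(msg["topics"]))
            return {"status": "success", "topic": f"p2p/{len(self.subscriptions)}"}
        if msg["action"] == "heartbeat":
            self.acked += 1
            if self.acked == self.fail_after:
                self.outage_pending = True
            return {"status": "success"}
        raise ValueError(f"unknown action {msg['action']!r}")

async def run_app(bus, topics, heartbeats, interval=0.0):
    """Subscribe for all topics at once, heartbeat on the p2p topic, resubscribe on failure."""
    stats = {"reconnects": 0, "heartbeats": 0, "p2p_topics": []}
    while stats["heartbeats"] < heartbeats:
        try:
            reply = await bus.request({"action": "subscribe", "topics": topics, "snapshot": 0})
            stats["p2p_topics"].append(reply["topic"])
            while stats["heartbeats"] < heartbeats:
                await asyncio.sleep(interval)
                await bus.request({"action": "heartbeat", "topic": reply["topic"]})
                stats["heartbeats"] += 1
        except ConnectionError:
            stats["reconnects"] += 1  # drop the stale p2p topic and start over
            await asyncio.sleep(interval)  # back off before resubscribing
    return stats

def demo(fail_after=3, heartbeats=6):
    bus = FakeThreatBus(fail_after=fail_after)
    stats = asyncio.run(run_app(bus, ["stix2/indicator", "stix2/sighting"], heartbeats))
    return bus, stats
```

With the default parameters the third acknowledged heartbeat triggers the outage, the next heartbeat fails, and the client resubscribes and obtains a fresh p2p topic.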
OpenCTI
Our OpenCTI Threat Bus connector can now import indicators from Threat Bus into OpenCTI. With this change, the connector subscribes to the `stix2/indicator` topic in Threat Bus and forwards received intelligence via API calls to OpenCTI.
Additionally, users can now configure the connector to request a snapshot of historical intelligence from Threat Bus during start-up. This effectively makes it possible to pull indicators from other TI platforms (like MISP) into OpenCTI.
Last but not least, we are excited to see that the OpenCTI development team has addressed our issue about indicator removal with release 4.5.1. The platform now fully exports indicators into the SSE stream upon deletion. That makes it possible for our connector to correctly forward `delete` events from OpenCTI to Threat Bus.
Smaller Things
Threat Bus now supports subscriptions for multiple topics with a single `Subscription` object. The `zmq-app-plugin` implements that change in a backwards-compatible way. Subscribers can now transparently subscribe to either one or multiple topics within a single call.
Detection units like Zeek and `pyvast-threatbus` now set the `last_seen` attribute in STIX sightings when reporting back results to Threat Bus. That is particularly useful for human operators working with Threat Bus to update their TI platforms with the latest intelligence.
Changelog Highlights
As always, you can find the full scoop in our changelogs for Threat Bus and pyvast-threatbus. Please also check our OpenCTI connector over in the official OpenCTI repository.
🎁 Features
- `stix-shifter-threatbus` has come to life. This stand-alone application connects to Threat Bus via ZeroMQ and bridges the gap between Threat Bus and commercial security tools, like IBM QRadar or Splunk. `stix-shifter-threatbus` uses STIX-Shifter to first translate STIX-2 Indicators to native queries for commercial tools and then execute these queries to log the results. #118
- We now provide a simple asyncio template for writing applications that connect to Threat Bus via ZeroMQ. #118
- Threat Bus now supports subscriptions for multiple topics. The `zmq-app-plugin` implements those multi-topic subscriptions in a backwards-compatible way. Subscribers benefit from this change, as they only get assigned a single point-to-point topic for their subscription, instead of one point-to-point topic for every subscribed Threat Bus topic. #120
- The `-c`/`--config` parameter is now explicitly required to start Threat Bus and `pyvast-threatbus`. Starting without it will print a helpful error message. #119
- The `threatbus-zeek` plugin and `pyvast-threatbus` now use the timestamp of actual intel matches to set the `last_seen` property of resulting STIX-2 Sightings, instead of setting the `created` timestamp. The `created` timestamp now always refers to the actual creation time of the sightings. #117
- All Threat Bus apps that connect via ZeroMQ, like `pyvast-threatbus`, now shut down gracefully and no longer print a stack trace when receiving any stop signal. #118
This discussion was created from the release Threat Bus 2021.05.27.