This repository has been archived by the owner on May 29, 2024. It is now read-only.

Threat Bus 2021.05.27

@dominiklohmann released this 27 May 07:39 (commit 8285c32)

We're happy to announce our release 2021.05.27 of Threat Bus.

STIX-Shifter Integration

This month's release brings a new Threat Bus app to integrate with STIX-Shifter. STIX-Shifter is a tool and Python library to transform STIX patterns into native queries for (mostly commercial) security tools, like IBM QRadar or Splunk. The new app connects STIX-Shifter with Threat Bus and provides a simple way to communicate with the commercial tools of your choice via Threat Bus.

The new app works similarly to pyvast-threatbus and communicates via ZeroMQ. It subscribes to the STIX-2 indicator stream in Threat Bus and then leverages the STIX-Shifter Python library to convert the received STIX patterns to native queries. Check out the OCA documentation for a list of tools that STIX-Shifter can connect with.

Users can configure this new app via a verbose configuration file and tweak behavior for every connected third-party tool individually. STIX-Shifter is module-based, meaning that to connect with any tool, users must first install the required STIX-Shifter module for that particular tool (e.g., stix-shifter-modules-splunk to communicate with Splunk). The new Threat Bus app supports module-specific configuration by adding an appropriate section for every installed module (e.g., splunk) in the app’s configuration file.

The STIX-Shifter integration is still very early and only works in one direction. Once indicators are transformed into native queries, the app simply logs the query results to the console. We are currently working on reporting back results from STIX-Shifter to Threat Bus. Stay tuned!
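The pipeline described above, as an added example rather than code from the stix-shifter-threatbus app: pull the pattern out of a received STIX-2 indicator, look up the configuration section for an installed STIX-Shifter module, and hand the pattern to the library's StixTranslation API (the documented entry point of stix-shifter). The indicator message, the shape of the per-module config dictionary, and the translation options are assumptions for illustration; the library import is deliberately lazy so the pattern handling runs without stix-shifter installed.

```python
"""Translate STIX-2 indicators from a Threat Bus-style stream into native
queries with STIX-Shifter.

Added example; not code from the stix-shifter-threatbus app. The STIX-Shifter
call is the library's documented StixTranslation API; the per-module config
dictionary and the indicator message format are assumptions for illustration.
"""
import json

# Constructed sample: the kind of STIX-2 Indicator a subscriber receives on
# the stix2/indicator topic (abbreviated; the id is made up for the example).
SAMPLE_INDICATOR = json.dumps({
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--11111111-1111-4111-8111-111111111111",
    "created": "2021-05-27T07:39:00.000Z",
    "modified": "2021-05-27T07:39:00.000Z",
    "pattern_type": "stix",
    "pattern": "[ipv4-addr:value = '203.0.113.7']",
    "valid_from": "2021-05-27T07:39:00Z",
})

# Assumed shape of the per-module configuration: one section per installed
# STIX-Shifter module, holding the translation options passed to the library.
MODULE_CONFIG = {
    "splunk": {"options": {"result_limit": 1000, "time_range": 5}},
    "qradar": {"options": {"result_limit": 1000}},
}


def extract_pattern(message: str) -> str:
    """Return the STIX pattern of an indicator message, rejecting anything
    that is not a STIX-pattern indicator (e.g. Sigma or YARA indicators)."""
    obj = json.loads(message)
    if obj.get("type") != "indicator":
        raise ValueError(f"not an indicator: {obj.get('type')!r}")
    if obj.get("pattern_type", "stix") != "stix":
        raise ValueError(f"unsupported pattern_type {obj['pattern_type']!r}")
    pattern = obj.get("pattern")
    if not pattern:
        raise ValueError("indicator has no pattern")
    return pattern


def translate(module: str, pattern: str, config: dict = MODULE_CONFIG) -> list:
    """Translate one STIX pattern into native queries for `module`."""
    if module not in config:
        raise KeyError(f"no configuration section for module {module!r}")
    # Imported lazily: requires `pip install stix-shifter` plus the module
    # package (e.g. stix-shifter-modules-splunk) for each configured section.
    from stix_shifter.stix_translation import stix_translation
    translation = stix_translation.StixTranslation()
    result = translation.translate(module, "query", "{}", pattern,
                                   config[module]["options"])
    if "queries" not in result:
        # STIX-Shifter reports translation failures inside the result dict.
        raise RuntimeError(f"translation failed: {result}")
    return result["queries"]


if __name__ == "__main__":
    pattern = extract_pattern(SAMPLE_INDICATOR)
    for module in MODULE_CONFIG:
        try:
            for query in translate(module, pattern):
                print(f"[{module}] {query}")
        except ImportError as exc:
            print(f"[{module}] skipped, STIX-Shifter module not installed: {exc}")
```

Rejecting non-STIX pattern types up front matters in practice: Threat Bus carries Sigma and YARA indicators on the same topic, and STIX-Shifter can only translate STIX patterns, so an app that forwards everything blindly fails inside the library on the first foreign indicator.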

ZeroMQ App Template

It’s time to lower the barrier of entry to connect your own applications with Threat Bus. That’s why we created a template for writing Python applications. The template app uses ZeroMQ to connect with Threat Bus, so make sure to install the threatbus-zmq-app plugin on your Threat Bus host to get going.

The template app itself is a fully executable application that ships as an individual Python module. Users can execute the application via the CLI once it’s installed in a virtualenv. The template provides logic to manage subscriptions, heartbeats, and reconnection in case of (network) failures. It builds on Python coroutines via asyncio and can be extended easily to build your own app that connects with Threat Bus.

OpenCTI

Our OpenCTI Threat Bus connector can now import indicators from Threat Bus into OpenCTI. With this change, the connector subscribes to the stix2/indicator topic in Threat Bus and forwards received intelligence via API calls to OpenCTI.

Additionally, users can now configure the connector to request a snapshot of historical intelligence from Threat Bus during startup. That effectively makes it possible to pull indicators from other TI platforms (like MISP) into OpenCTI.

Last but not least, we are excited to see that the OpenCTI development team has addressed our issue about indicator removal with release 4.5.1. The platform now fully exports indicators into the SSE stream upon deletion. That makes it possible for our connector to correctly forward delete events from OpenCTI to Threat Bus.

Smaller Things

Threat Bus now supports subscriptions for multiple topics with a single Subscription object. The zmq-app-plugin implements that change in a backwards-compatible way. Subscribers can now transparently subscribe to one or more topics within a single call.
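The backwards-compatible multi-topic subscription described above (and listed as #120 in the changelog below), as an added example that is not Threat Bus or zmq-app plugin code: a broker-side registry accepts both a legacy single-topic request and a multi-topic request, assigns each subscriber exactly one point-to-point topic regardless of how many Threat Bus topics it asked for, and fans published messages out accordingly. The JSON request keys, the p2p topic naming, the "topic payload" framing and the prefix-based topic matching are assumptions made for illustration.

```python
"""Multi-topic subscriptions with one point-to-point topic per subscriber.

Added example, not Threat Bus or zmq-app plugin code. The request shape
({"topic": ...} for legacy single-topic clients, {"topics": [...]} for the
new form), the p2p topic naming and the framing are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Union
import uuid


@dataclass(frozen=True)
class Subscription:
    topics: frozenset  # Threat Bus topics, e.g. "stix2/indicator"
    snapshot: int = 0  # seconds of historical intel requested, 0 = none

    @staticmethod
    def from_request(request: dict) -> "Subscription":
        """Accept both the legacy single-topic and the multi-topic form."""
        raw: Union[str, List[str], None] = request.get("topics", request.get("topic"))
        if isinstance(raw, str):
            raw = [raw]
        if not raw or not all(isinstance(t, str) and t for t in raw):
            raise ValueError("subscription must name at least one topic")
        return Subscription(frozenset(raw), int(request.get("snapshot", 0)))


class SubscriptionRegistry:
    """Maps each subscriber to a single p2p topic and fans messages out.

    Before multi-topic subscriptions a client wanting N topics had to open N
    subscriptions and received N p2p topics; here it gets one."""

    def __init__(self) -> None:
        self._p2p_by_topic: Dict[str, Set[str]] = {}
        self._subscriptions: Dict[str, Subscription] = {}

    def subscribe(self, sub: Subscription) -> str:
        p2p_topic = uuid.uuid4().hex  # one return channel per subscriber
        self._subscriptions[p2p_topic] = sub
        for topic in sub.topics:
            self._p2p_by_topic.setdefault(topic, set()).add(p2p_topic)
        return p2p_topic

    def unsubscribe(self, p2p_topic: str) -> None:
        sub = self._subscriptions.pop(p2p_topic)
        for topic in sub.topics:
            self._p2p_by_topic[topic].discard(p2p_topic)

    def route(self, topic: str, message: str) -> Dict[str, str]:
        """Return {p2p_topic: framed message} for every subscriber of `topic`.

        Prefix matching (assumed here) mirrors ZeroMQ SUB filters: a
        subscription to "stix2" receives both "stix2/indicator" and
        "stix2/sighting". Each subscriber appears at most once even if
        several of its topics match."""
        out: Dict[str, str] = {}
        for sub_topic, p2p_topics in self._p2p_by_topic.items():
            if topic.startswith(sub_topic):
                for p2p in p2p_topics:
                    out[p2p] = f"{p2p} {message}"
        return out


if __name__ == "__main__":
    registry = SubscriptionRegistry()
    legacy = registry.subscribe(Subscription.from_request({"topic": "stix2/indicator"}))
    multi = registry.subscribe(Subscription.from_request(
        {"topics": ["stix2/indicator", "stix2/sighting"], "snapshot": 30}))
    print("legacy ->", legacy, "multi ->", multi)
    print(registry.route("stix2/sighting", '{"type": "sighting"}'))
```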

Detection units like Zeek and pyvast-threatbus now set the last_seen attribute in STIX sightings when reporting back results to Threat Bus. That is particularly useful for human operators working with Threat Bus to update their TI platforms with the latest intelligence.
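How a detection unit can populate such a Sighting, as an added example that is not threatbus-zeek or pyvast-threatbus code: `created`/`modified` record when the Sighting object was produced, while `first_seen`/`last_seen` carry the time the intel actually matched. The match record (Zeek-style epoch timestamp plus the indicator it hit) is constructed, and the custom context property name is an assumption.

```python
"""Build a STIX-2.1 Sighting whose last_seen carries the match time.

Added example, not threatbus-zeek or pyvast-threatbus code. The match record
format (Zeek-style epoch seconds) and the custom context property name are
assumptions made for illustration.
"""
from datetime import datetime, timezone
import uuid

# Constructed sample: a match reported by a detection unit, with the time the
# intel actually hit (epoch seconds, as Zeek logs it) and the indicator it hit.
SAMPLE_MATCH = {
    "ts": 1622100000.5,  # 2021-05-27T07:20:00.500Z
    "indicator_id": "indicator--11111111-1111-4111-8111-111111111111",
    "context": {"source": "203.0.113.7", "uid": "CJ9Mjb1iqVxn8MWQd"},
}


def stix_timestamp(dt: datetime) -> str:
    """STIX-2.1 timestamp: UTC, millisecond precision, trailing Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_sighting(match: dict, now: datetime) -> dict:
    """created/modified: when this Sighting object was produced.
    first_seen/last_seen: when the intel matched on the detection unit."""
    seen = datetime.fromtimestamp(match["ts"], tz=timezone.utc)
    created = stix_timestamp(now)
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "sighting_of_ref": match["indicator_id"],
        "first_seen": stix_timestamp(seen),
        "last_seen": stix_timestamp(seen),
        "count": 1,
        # Assumed custom property carrying the detection unit's match context.
        "x_threatbus_sighting_context": match.get("context", {}),
    }


if __name__ == "__main__":
    import json
    sighting = make_sighting(SAMPLE_MATCH, datetime.now(timezone.utc))
    print(json.dumps(sighting, indent=2))
```

Keeping the two timestamp pairs distinct is what lets a TI platform that consumes the Sighting update "last seen" for the indicator from the detection time rather than from whenever the report happened to be serialised.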

Changelog Highlights

As always, you can find the full scoop in our changelogs for Threat Bus and pyvast-threatbus. Please also check our OpenCTI connector over in the official OpenCTI repository.

🎁 Features

  • stix-shifter-threatbus has come to life. This stand-alone application connects to Threat Bus via ZeroMQ and bridges the gap between Threat Bus and commercial security tools, like IBM QRadar or Splunk. stix-shifter-threatbus uses STIX-Shifter to first translate STIX-2 Indicators to native queries for commercial tools and then execute these queries to log the results. #118

  • We now provide a simple asyncio template for writing applications that connect to Threat Bus via ZeroMQ. #118

  • Threat Bus now supports subscriptions for multiple topics. The zmq-app-plugin implements those multi-topic subscriptions in a backwards-compatible way. Subscribers benefit from this change, as they only get assigned a single point-to-point topic for their subscription, instead of one point-to-point topic for every subscribed Threat Bus topic. #120

⚠️ Changes

  • The -c / --config parameter is now explicitly required to start Threat Bus and pyvast-threatbus. Starting without it will print a helpful error message. #119

  • The threatbus-zeek plugin and pyvast-threatbus now use the timestamp of actual intel matches to set the last_seen property of resulting STIX-2 Sightings, instead of setting the created timestamp. The created timestamp now always refers to the actual creation time of the sightings. #117

  • All Threat Bus apps that connect via ZeroMQ, like pyvast-threatbus, now shut down gracefully and no longer print a stack trace when receiving a stop signal. #118