Threat Bus 2021.04.29
We're happy to announce the monthly release 2021.04.29 of Threat Bus. Alongside the project's move to the beta stage, we contributed a brand new connector that integrates Threat Bus with OpenCTI.
Our community chat moved to Gitter. Find it at gitter.im/tenzir/threatbus. You can also join via Matrix at #tenzir_vast:gitter.im. The main driver for our decision to move was that our EMS-hosted server resulted in a confusing workflow where interested users had to create a Matrix account on a third-party homeserver before they could participate in our chat. Gitter makes it easy for everybody to participate and still runs on top of Matrix, so we now get the best of both worlds.
OpenCTI Integration
We are proud to announce our contribution of a brand new Threat Bus connector to the OpenCTI-Platform connectors repository on GitHub. This connector enables users to export STIX-2 indicators in near real time from OpenCTI to Threat Bus. The connector watches the OpenCTI SSE stream and forwards indicator updates to Threat Bus via ZeroMQ. But that's not all! Not only does the connector export indicators, it also reports sightings from Threat Bus back to OpenCTI, so you can conveniently inspect them in the web UI.
This connector bridges the gap between tactical threat intelligence stored in OpenCTI and detection tools connected to Threat Bus. For example, if you have connected a Zeek instance to Threat Bus, you can now benefit from live matching against the intelligence stored in your OpenCTI platform. Should Zeek generate an intelligence match, it will find its way all the way back into the OpenCTI web UI. The same goes for live and retrospective intelligence matching with VAST and basically everything else you connect to Threat Bus. We are looking forward to empowering the blue team community and SOC teams alike, and are interested in hearing your feedback. Snapshot support is already on our roadmap, among other integrations. Stay tuned!
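To make the round trip described above concrete, here is an added example (not the connector's own code, and not from the OpenCTI or Threat Bus projects): it parses a Server-Sent Events stream carrying STIX-2 objects, keeps only indicator create/update events that use STIX patterns, and builds a STIX 2.1 sighting that references the matched indicator. The event payloads in SAMPLE_SSE are constructed for this example and the exact shape of OpenCTI's stream is an assumption; the x_example_context property is a hypothetical custom property, not something the real connector uses.

```python
"""Added example (not the connector's code): SSE stream -> STIX-2 indicators -> sighting."""
from __future__ import annotations

import json
import uuid
from datetime import datetime, timezone
from typing import Iterator, Tuple

# Constructed sample stream. Events are "field: value" lines terminated by a
# blank line, per the SSE specification; ":" lines are comments (keep-alives).
SAMPLE_SSE = """\
: keep-alive

event: create
data: {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111", "pattern": "[ipv4-addr:value = '203.0.113.5']", "pattern_type": "stix", "valid_from": "2021-04-20T00:00:00Z"}

event: update
data: {"type": "report", "id": "report--22222222-2222-4222-8222-222222222222", "name": "Weekly summary"}

event: delete
data: {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333", "pattern": "[domain-name:value = 'example.test']", "pattern_type": "stix"}

event: update
data: {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444", "pattern": "[url:value = 'http://example.test/x']", "pattern_type": "stix"}

event: create
data: not json
"""


def parse_sse(stream: str) -> Iterator[Tuple[str, str]]:
    """Yield (event_name, data) per SSE event: 'data:' lines are joined with
    newlines, a blank line dispatches the event, comment lines are ignored."""
    event, data_lines = "message", []
    for line in stream.splitlines():
        if line == "":
            if data_lines:
                yield event, "\n".join(data_lines)
            event, data_lines = "message", []
            continue
        if line.startswith(":"):
            continue
        name, _, value = line.partition(":")
        value = value[1:] if value.startswith(" ") else value  # one leading space is stripped
        if name == "event":
            event = value
        elif name == "data":
            data_lines.append(value)
    if data_lines:  # stream ended without a trailing blank line
        yield event, "\n".join(data_lines)


def indicator_updates(stream: str) -> list[dict]:
    """Return STIX-2 indicators (with STIX patterns) from create/update events.
    Deletions, other object types and malformed payloads are skipped."""
    found = []
    for event, data in parse_sse(stream):
        if event not in ("create", "update"):
            continue
        try:
            obj = json.loads(data)
        except json.JSONDecodeError:
            continue  # a bad payload must not take the forwarder down
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            found.append(obj)
    return found


def make_sighting(indicator_id: str, seen_at: str, context: dict) -> dict:
    """Build a STIX 2.1 sighting for a match on `indicator_id`.
    x_example_context is a hypothetical custom property (STIX requires the x_ prefix)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "sighting_of_ref": indicator_id,
        "first_seen": seen_at,
        "last_seen": seen_at,
        "count": 1,
        "x_example_context": context,
    }


if __name__ == "__main__":
    for ind in indicator_updates(SAMPLE_SSE):
        print("forward:", ind["id"], ind["pattern"])
    print(json.dumps(make_sighting(ind["id"], "2021-04-29T12:00:00Z", {"source": "zeek"}), indent=2))
```

The filter deliberately drops delete events and non-indicator objects: Threat Bus consumers only need pattern updates, and a malformed event is skipped rather than allowed to crash the forwarding loop.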
Threat Bus moves to Beta
After several months of testing, both in-house and by external collaborators and contributors, we are happy to announce that the Threat Bus project moves from alpha to the beta stage of development. You can now find Threat Bus and the most commonly used plugins in the Stage 4 - Beta tier on PyPI.
Moving from alpha to beta means that we expect Threat Bus to operate smoothly in most cases. While there are still some rough edges in the project, hard crashes should be the unlikely exception.
Updates to PyVAST-Threat Bus
pyvast-threatbus has seen two important bug fixes in the post-processing pipeline of VAST sightings. The bugs were introduced with the STIX-2 rewrite and effectively rendered both the transform_context and sink options unusable. Additionally, we added a new feature for timing out VAST retro-queries. Users can now instruct pyvast-threatbus to abort VAST queries after a configurable interval via the config option retro_match_timeout. Last but not least, we updated the control plane of pyvast-threatbus so it works with our most recent changes to the VAST matcher plugin.
Changelog Highlights
As always, you can find the full scoop in our changelogs for Threat Bus and pyvast-threatbus.
Features
- pyvast-threatbus now supports a new config option to set timeouts for VAST retro-queries: retro_match_timeout. Pending queries are killed upon timeout. VAST results that were exported before the timeout hit are still reported as valid Sightings. #110
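The retro_match_timeout behaviour described in the pyvast-threatbus update above and in the feature entry just above has one subtle point worth seeing in code: the query is killed when the deadline passes, but everything it exported before that moment is still reported. The following is an added example, not pyvast-threatbus code: fake_vast_export is a constructed stand-in for a streaming VAST query (a real one would be driven through pyvast), and collect_with_timeout shows the deadline handling with asyncio. The field names in the fake results merely mimic Zeek conn logs.

```python
"""Added example (not pyvast-threatbus code): drain a streaming query under a
deadline and keep every result that arrived before the cut-off."""
import asyncio
from typing import AsyncIterator, List, Tuple


async def fake_vast_export(n: int, delay: float) -> AsyncIterator[dict]:
    """Constructed stand-in for a VAST retro-query that streams one result
    every `delay` seconds."""
    for seq in range(n):
        await asyncio.sleep(delay)
        yield {"seq": seq, "id.orig_h": "203.0.113.5", "ts": f"2021-04-29T12:00:{seq:02d}Z"}


async def collect_with_timeout(
    results: AsyncIterator[dict], timeout: float
) -> Tuple[List[dict], bool]:
    """Consume `results` for at most `timeout` seconds.

    Returns (collected, timed_out). Results delivered before the deadline are
    kept. Once the deadline passes, the in-flight fetch is cancelled, which
    raises CancelledError inside the generator and finalises it (the analogue
    of killing the pending VAST query), while the partial results are still
    handed back to be reported as sightings.
    """
    loop = asyncio.get_running_loop()
    deadline = loop.time() + timeout
    collected: List[dict] = []
    while True:
        remaining = deadline - loop.time()
        if remaining <= 0:
            await results.aclose()
            return collected, True
        try:
            item = await asyncio.wait_for(results.__anext__(), remaining)
        except asyncio.TimeoutError:
            await results.aclose()  # no-op if cancellation already closed it
            return collected, True
        except StopAsyncIteration:
            return collected, False  # query finished on its own
        collected.append(item)


def run_retro_query(
    n_results: int, delay: float, retro_match_timeout: float
) -> Tuple[List[dict], bool]:
    """Run the constructed query with a `retro_match_timeout` of the given seconds."""
    return asyncio.run(
        collect_with_timeout(fake_vast_export(n_results, delay), retro_match_timeout)
    )


if __name__ == "__main__":
    hits, cut_off = run_retro_query(10, 0.3, 0.75)
    print(f"{len(hits)} sighting(s) reported, query timed out: {cut_off}")
```

The deadline is recomputed on every fetch rather than applied once to the whole loop, so the remaining budget shrinks as results trickle in and a slow producer cannot extend the query beyond the configured interval.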
Bug Fixes
- We fixed a bug where VAST matcher results were passed to the wrong mapping function from pyvast-threatbus after being retrieved from VAST. #109
- We fixed an unhandled exception in the post-processing of sighting context data for both retro- and live-matched sightings in pyvast-threatbus. The bug was introduced with the STIX-2 rewrite and effectively rendered both the transform_context and sink options unusable. #112