Bridges the gap between Threat Bus and STIX-Shifter
STIX-Shifter Threat Bus
This app bridges the gap between Threat Bus and various security tools by leveraging STIX-Shifter.
STIX-Shifter is a tool and library to transform STIX patterns into native queries for a variety of (mostly commercial) security tools, like IBM QRadar or Splunk. This app connects STIX-Shifter with Threat Bus and provides a simple way to communicate with the commercial tools of your choice via Threat Bus.
How It Works
The stix-shifter-threatbus app uses ZeroMQ to connect with Threat Bus. To connect via ZeroMQ, users must first install and configure the threatbus-zmq-app plugin on their Threat Bus host.
This app functions as a middleman between Threat Bus and the security tools supported by STIX-Shifter. It subscribes to indicator updates from the bus and uses STIX-Shifter to translate the STIX-2 intelligence into native queries. The app then executes these queries via STIX-Shifter. [Result processing is yet to be implemented.]
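The translation step described above, as an added example that is not code from the stix-shifter-threatbus project: a STIX-2 Indicator in the shape Threat Bus delivers is checked for a STIX pattern (STIX 2.1 also allows other pattern languages, which STIX-Shifter cannot translate), and the pattern is handed to STIX-Shifter's Python translation API to obtain native queries. The sample indicator is constructed; the call `stix_translation.StixTranslation().translate(module, "query", "{}", pattern, options)` is STIX-Shifter's own API and needs `stix-shifter` plus `stix-shifter-modules-<module>` installed.

```python
"""Added example (not part of stix-shifter-threatbus): from a STIX-2
Indicator as published on Threat Bus to native queries via STIX-Shifter."""
from typing import Optional

# Constructed sample: a STIX-2.1 indicator as Threat Bus would publish it.
# The id is a placeholder, the address is from the documentation range.
INDICATOR = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "created": "2021-05-27T10:00:00.000Z",
    "modified": "2021-05-27T10:00:00.000Z",
    "pattern": "[ipv4-addr:value = '203.0.113.7']",
    "pattern_type": "stix",
    "valid_from": "2021-05-27T10:00:00Z",
}


def stix_pattern(indicator: dict) -> Optional[str]:
    """Return the STIX pattern of an indicator, or None if the app should
    skip it (not an indicator, no pattern, or a non-STIX pattern language
    such as yara/snort/sigma that STIX-Shifter does not understand)."""
    if indicator.get("type") != "indicator":
        return None
    # STIX 2.1 defaults pattern_type to "stix" when absent.
    if indicator.get("pattern_type", "stix") != "stix":
        return None
    pattern = indicator.get("pattern")
    return pattern if pattern else None


def translate(module: str, pattern: str, options: Optional[dict] = None) -> list:
    """Translate a STIX pattern into native queries for `module`
    (e.g. "splunk") using STIX-Shifter. Imported lazily so the rest of
    this script runs without stix-shifter installed."""
    from stix_shifter.stix_translation import stix_translation

    # For query translation the data_source argument is unused ("{}");
    # the identity from the config is only needed when results are
    # translated back into a STIX bundle.
    result = stix_translation.StixTranslation().translate(
        module, "query", "{}", pattern, options or {}
    )
    if "error" in result:
        raise RuntimeError(f"STIX-Shifter translation failed: {result['error']}")
    return result["queries"]


if __name__ == "__main__":
    pattern = stix_pattern(INDICATOR)
    if pattern is None:
        print("skipping indicator: no translatable STIX pattern")
    else:
        for query in translate("splunk", pattern):
            print(query)
```

`stix_pattern` is the gate a subscriber needs in front of the translator: Threat Bus can carry indicators whose `pattern_type` is not `stix`, and passing those to STIX-Shifter only produces translation errors.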
Quick Start
You can configure the app via a YAML configuration file. See config.yaml.example for an example config file.
Install stix-shifter-threatbus in a virtualenv and start it by passing a config file:
python -m venv venv
source venv/bin/activate
make dev-mode
stix-shifter-threatbus -c config.yaml
Configuration
Apart from the logging section, which is self-explanatory, users need to configure the threatbus endpoint of the ZeroMQ-App plugin and an optional snapshot of historic threat intel data they want to fetch.
Additionally, users must configure each STIX-Shifter module individually to use it with this app. You must also install the corresponding modules according to your configuration. For example, if you configure a key splunk in the modules section, you must install the stix-shifter-modules-splunk package. Otherwise the app will throw an error. See below for an example:
threatbus: localhost:13370 # connect with Threat Bus via this endpoint
snapshot: 300 # request 300 days of historic indicators
modules:
  # for details on a module's options, please see https://github.com/opencybersecurityalliance/stix-shifter/blob/master/OVERVIEW.md#how-to-use
  # to use the key `splunk` you must install `stix-shifter-modules-splunk`
  # same goes for any other key, e.g., `elastic`, `qradar`, etc...
  splunk:
    max_results: 100 # limit the number of events queried by STIX-Shifter
    # https://github.com/opencybersecurityalliance/stix-shifter/blob/master/OVERVIEW.md#connection
    connection:
      host: localhost
      port: 8089 # Management port
      selfSignedCert: false
    # https://github.com/opencybersecurityalliance/stix-shifter/blob/master/OVERVIEW.md#configuration
    transmission:
      auth:
        username: admin
        password: admin123
    # https://github.com/opencybersecurityalliance/stix-shifter/blob/master/OVERVIEW.md#translate
    translation: # {<Any required options specific to the particular data source>}
      # The data_source is a STIX-2 DataSource (e.g., an `identity`) and is used
      # to create a STIX bundle with the queried results. You configure it here
      # and only once for this module.
      data_source:
        type: identity
        identity_class: events
        name: Splunk
        id: identity--629a6400-8817-4bcb-aee7-8c74fc57482c
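The configuration rules above (a host:port threatbus endpoint, an optional snapshot in days, and one installed stix-shifter-modules-<key> package per key under modules) as a start-up check. This is an added example, not code from the stix-shifter-threatbus project. It assumes that the package stix-shifter-modules-<key> installs the Python package `stix_shifter_modules.<key>` (used to probe whether the module is present) and that every module needs the connection, transmission and translation sections shown above. CONFIG is the example config as PyYAML would parse it, constructed inline so the script runs without a file.

```python
"""Added example (not part of stix-shifter-threatbus): validate a parsed
config before the app connects to Threat Bus or any security tool."""
import importlib.util

# The README example config as PyYAML would load it (constructed inline).
CONFIG = {
    "threatbus": "localhost:13370",
    "snapshot": 300,
    "modules": {
        "splunk": {
            "max_results": 100,
            "connection": {"host": "localhost", "port": 8089, "selfSignedCert": False},
            "transmission": {"auth": {"username": "admin", "password": "admin123"}},
            "translation": {
                "data_source": {
                    "type": "identity",
                    "identity_class": "events",
                    "name": "Splunk",
                    "id": "identity--629a6400-8817-4bcb-aee7-8c74fc57482c",
                }
            },
        }
    },
}

# Sections STIX-Shifter needs for each configured module (assumed).
REQUIRED_SECTIONS = ("connection", "transmission", "translation")


def module_installed(key: str) -> bool:
    """True if stix-shifter-modules-<key> is importable. Assumes the package
    provides stix_shifter_modules.<key>."""
    try:
        return importlib.util.find_spec(f"stix_shifter_modules.{key}") is not None
    except ModuleNotFoundError:
        # The parent package stix_shifter_modules itself is not installed.
        return False


def validate(config: dict, installed=module_installed) -> list:
    """Return a list of error strings; an empty list means the config is usable.
    `installed` is injectable so the check can be exercised without packages."""
    errors = []

    endpoint = config.get("threatbus")
    host, sep, port = str(endpoint if endpoint is not None else "").rpartition(":")
    if not (host and sep and port.isdigit() and 0 < int(port) < 65536):
        errors.append(f"threatbus: expected host:port, got {endpoint!r}")

    snapshot = config.get("snapshot", 0)
    if not isinstance(snapshot, int) or snapshot < 0:
        errors.append(f"snapshot: expected a non-negative number of days, got {snapshot!r}")

    modules = config.get("modules") or {}
    if not modules:
        errors.append("modules: at least one STIX-Shifter module must be configured")
    for key, settings in modules.items():
        settings = settings or {}
        if not installed(key):
            errors.append(f"modules.{key}: package stix-shifter-modules-{key} is not installed")
        for section in REQUIRED_SECTIONS:
            if section not in settings:
                errors.append(f"modules.{key}: missing '{section}' section")
        if "data_source" not in (settings.get("translation") or {}):
            errors.append(f"modules.{key}: translation.data_source is required to build result bundles")
    return errors


if __name__ == "__main__":
    problems = validate(CONFIG)
    print("config OK" if not problems else "\n".join(problems))
```

Running this before the ZeroMQ subscription is established turns the "module not installed" failure into an actionable message naming the missing package instead of an error raised later, once indicators are already flowing.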
Hashes for stix-shifter-threatbus-2021.5.27.tar.gz
Algorithm | Hash digest
---|---
SHA256 | e0be174c873bd08c1d79bb93d1fb0f67973bbe443f6199d10f2ab84291e81378
MD5 | 4700a87482e84ba1780a450fbff2d660
BLAKE2b-256 | 9a14ea7cdd1951b3d587baa902d200c376d530c6e2d824a0aa54d511226c910d
Hashes for stix_shifter_threatbus-2021.5.27-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | c9fb1dd032b13cafd2d1972380d37d78cb815862f05654d7b143335168306bce
MD5 | 709643a4a7b9dd697bb4166312815511
BLAKE2b-256 | 6d1f3a364b53f8ad8c6bbe030b106f01f62b1091cd1857a4cdd5266da64acf12