Bridges the gap between Threat Bus and STIX-Shifter
STIX-Shifter Threat Bus
This app bridges the gap between Threat Bus and various security tools by leveraging STIX-Shifter.
STIX-Shifter is a tool and library to transform STIX patterns into native queries for a variety of (mostly commercial) security tools, like IBM QRadar or Splunk. This app connects STIX-Shifter with Threat Bus and provides a simple way to communicate with the commercial tools of your choice via Threat Bus.
How It Works
The stix-shifter-threatbus app uses ZeroMQ to connect with Threat Bus. To connect via ZeroMQ, users must first install and configure the threatbus-zmq-app plugin on their Threat Bus host.
This app functions as a middleman between Threat Bus and the security tools supported by STIX-Shifter. It subscribes to indicator updates from the bus and uses STIX-Shifter to translate the STIX-2 patterns of incoming indicators into native queries for the configured tools. The app then executes these queries via STIX-Shifter. (Result processing is yet to be implemented.)
Quick Start
You can configure the app via a YAML configuration file. See config.yaml.example for an example config file.
Install stix-shifter-threatbus in a virtualenv and start it by passing a config file:
python -m venv venv
source venv/bin/activate
make dev-mode
stix-shifter-threatbus -c config.yaml
Docker
You can also run this app via Docker.
- Build it:
docker build . -t tenzir/stix-shifter-threatbus:latest
- Run it to print the helptext.
docker run tenzir/stix-shifter-threatbus:latest
- Run and mount a custom config file into the container (--net=host lets the container reach a Threat Bus ZeroMQ endpoint that is bound to the host's localhost):
docker run --net=host -v /path/to/your/conf.yaml:/opt/tenzir/threatbus/stix-shifter-threatbus/config.yaml tenzir/stix-shifter-threatbus:latest -c config.yaml
Configuration
Apart from the logging section, which is self-explanatory, users need to configure the threatbus endpoint of the ZeroMQ App plugin and, optionally, a snapshot of historic threat intel data they want to fetch.
Additionally, users must configure each STIX-Shifter module individually to use it with this app. You must also install the corresponding module package for every module in your configuration. For example, if you configure a key splunk in the modules section, you must install stix-shifter-modules-splunk; otherwise the app will throw an error. Note that the transmission section holds the credentials STIX-Shifter uses to authenticate against the tool, so restrict read access to the config file accordingly. See below for an example:
threatbus: localhost:13370 # connect with Threat Bus via this endpoint
snapshot: 300 # request 300 days of historic indicators
modules:
  # for details on a module's options, please see https://github.com/opencybersecurityalliance/stix-shifter/blob/master/OVERVIEW.md#how-to-use
  # to use the key `splunk` you must install `stix-shifter-modules-splunk`
  # same goes for any other key, e.g., `elastic`, `qradar`, etc...
  splunk:
    max_results: 100 # limit the number of events queried by STIX-Shifter
    # https://github.com/opencybersecurityalliance/stix-shifter/blob/master/OVERVIEW.md#connection
    connection:
      host: localhost
      port: 8089 # Management port
      selfSignedCert: false
    # https://github.com/opencybersecurityalliance/stix-shifter/blob/master/OVERVIEW.md#configuration
    transmission:
      auth:
        username: admin
        password: admin123
    # https://github.com/opencybersecurityalliance/stix-shifter/blob/master/OVERVIEW.md#translate
    translation: # {<Any required options specific to the particular data source>}
      # The data_source is a STIX-2 DataSource (e.g., an `identity`) and is used
      # to create a STIX bundle with the queried results. You configure it here
      # and only once for this module.
      data_source:
        type: identity
        identity_class: events
        name: Splunk
        id: identity--629a6400-8817-4bcb-aee7-8c74fc57482c
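The following is an added example, not code from stix-shifter-threatbus or from STIX-Shifter. It covers the two points made above: the config check a practitioner would want before starting the app (every key under modules must have its stix-shifter-modules package installed and a usable data_source identity), and the hand-off described under How It Works, where a STIX-2 indicator's pattern becomes the input to STIX-Shifter's translate call. The config dict is the YAML above as a loader would parse it, the indicator is a constructed STIX 2.1 object, and the translate() argument order is taken from STIX-Shifter's OVERVIEW and should be confirmed against the version you install; the mapping of `max_results` onto STIX-Shifter options is not modelled.

```python
"""Added example (not the project's code): validate the app's module config
and build the STIX-Shifter translate() arguments for one indicator."""
import importlib.util
import json
import uuid

# Constructed: the YAML example above, as a YAML loader would parse it.
CONFIG = {
    "threatbus": "localhost:13370",
    "snapshot": 300,
    "modules": {
        "splunk": {
            "max_results": 100,
            "connection": {"host": "localhost", "port": 8089, "selfSignedCert": False},
            "transmission": {"auth": {"username": "admin", "password": "admin123"}},
            "translation": {
                "data_source": {
                    "type": "identity",
                    "identity_class": "events",
                    "name": "Splunk",
                    "id": "identity--629a6400-8817-4bcb-aee7-8c74fc57482c",
                }
            },
        }
    },
}

# Constructed STIX 2.1 indicator in the shape Threat Bus publishes over ZeroMQ.
INDICATOR = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8e2c5d5f-6a7b-4c8d-9e0f-1a2b3c4d5e6f",
    "created": "2021-06-24T00:00:00.000Z",
    "modified": "2021-06-24T00:00:00.000Z",
    "pattern": "[ipv4-addr:value = '198.51.100.7']",
    "pattern_type": "stix",
    "valid_from": "2021-06-24T00:00:00Z",
}


def module_installed(name):
    """True when stix-shifter-modules-<name> is importable as stix_shifter_modules.<name>."""
    try:
        return importlib.util.find_spec(f"stix_shifter_modules.{name}") is not None
    except (ModuleNotFoundError, ValueError):  # parent package absent or unusable
        return False


def validate_modules(config):
    """Return a list of problems; an empty list means the modules section is usable."""
    problems = []
    modules = config.get("modules") or {}
    if not modules:
        problems.append("no modules configured")
    for name, opts in modules.items():
        if not module_installed(name):
            problems.append(f"{name}: stix-shifter-modules-{name} is not installed")
        for section in ("connection", "transmission", "translation"):
            if not isinstance(opts.get(section), dict):
                problems.append(f"{name}: missing '{section}' section")
        data_source = (opts.get("translation") or {}).get("data_source") or {}
        if data_source.get("type") != "identity":
            problems.append(f"{name}: data_source.type must be 'identity'")
        prefix, _, tail = str(data_source.get("id", "")).partition("--")
        try:
            uuid.UUID(tail)  # STIX ids are "<type>--<uuid>"
            well_formed = prefix == "identity"
        except ValueError:
            well_formed = False
        if not well_formed:
            problems.append(f"{name}: data_source.id must look like identity--<uuid>")
    return problems


def translate_args(module_name, module_cfg, indicator):
    """Positional arguments for StixTranslation().translate():
    (module, 'query', data_source as JSON text, STIX pattern, options)."""
    if indicator.get("type") != "indicator":
        raise ValueError("not a STIX indicator object")
    if indicator.get("pattern_type", "stix") != "stix":
        raise ValueError("STIX-Shifter translates STIX patterns only")
    translation = module_cfg["translation"]
    data_source = json.dumps(translation["data_source"])
    # Any keys under `translation` other than data_source pass through as options.
    options = {k: v for k, v in translation.items() if k != "data_source"}
    return (module_name, "query", data_source, indicator["pattern"], options)


def translate(module_name, module_cfg, indicator):
    """Run the real translation; needs stix-shifter and the module package installed."""
    from stix_shifter.stix_translation import stix_translation
    args = translate_args(module_name, module_cfg, indicator)
    return stix_translation.StixTranslation().translate(*args)


if __name__ == "__main__":
    problems = validate_modules(CONFIG)
    if problems:
        for problem in problems:
            print("config:", problem)
    else:
        print(translate("splunk", CONFIG["modules"]["splunk"], INDICATOR))
```

Run it without stix-shifter-modules-splunk installed and it reports the missing package instead of failing inside STIX-Shifter; with the package installed it prints the translated Splunk query for the sample indicator.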
Hashes for stix-shifter-threatbus-2021.6.24.tar.gz (source distribution)
Algorithm | Hash digest
---|---
SHA256 | 9ccde25ab9e89b0cee6ac3a58c4134d777de3a5f79a362aca118a11bb075865c
MD5 | 9ae243cb41cb923f65f49feca32dac1c
BLAKE2b-256 | 7e6e7cbfcc191d32850bfc32438717eae49734c984e217039a922fc4c79186ba
Hashes for stix_shifter_threatbus-2021.6.24-py3-none-any.whl (built distribution)
Algorithm | Hash digest
---|---
SHA256 | 1a4d1fd319f0b2432fb29879116e7b6a74eb7ddfba2752e47743bff06a21fd8b
MD5 | d8f45462c538a4139c5dfce7bb5bb74f
BLAKE2b-256 | 996b089cdf35845a0a6449b3a3519dbca0cfe8b2b075da76a2bdc710cc70ec14