Releases: tenzir/threatbus
Threat Bus 2020.06.25
This release brings a new plugin for CIFv3 contributed by Michael Davis. Thanks for contributing!
🎁 Features
- CIFv3 Plugin: the new Threat Bus CIFv3 plugin transports IoC data from Threat Bus to CIFv3 via the HTTP API. The plugin currently supports the addition of indicators of compromise.
Threat Bus 2020.05.28
This release makes the adoption of VAST feature complete. Additionally, plugins can now be disabled via config, so it is no longer necessary to uninstall and reinstall them all the time.
We received our first user issue from Michael Davis this month and are excited to see that they have started writing a CIFv3 plugin. Stay tuned for the next releases!
Improvements
- 🎁 VAST-Adoption Feature Complete: The VAST Python bridge, which facilitates communication between the Threat Bus VAST plugin and VAST itself, now supports the removal of IoCs. With this change the VAST integration is feature complete and on par with the Zeek integration.
- 🎁 Plugin Disabling: Installed plugins can now be disabled via the configuration file. To disable a plugin that has been installed via `pip`, it suffices to omit the plugin configuration section.
Threat Bus 2020.04.29
This release brings a new plugin for the network telemetry engine VAST and some minor additions to the Threat Bus data model.
Improvements
- 🎁 New Docs: we now have a brand new documentation site over at docs.tenzir.com/threatbus with lots of details about the Threat Bus architecture, installation instructions, and plugin development docs.
- 🎁 VAST Plugin: the new Threat Bus VAST plugin enables VAST to subscribe to the bus and receive IoC intelligence items. With the help of the new VAST Python bridge, VAST is instructed to ingest all received intel items and start IoC matching. The plugin is packaged on PyPI and can be installed via `pip install threatbus-vast`. VAST is not yet able to report sightings in a way compatible with Threat Bus, but this limitation will be addressed with the next release. Stay tuned!
Changes
- 🔄 Data Structures for (Un)Subscriptions: the data structures for `Subscriptions` and `Unsubscriptions` are now part of the standard Threat Bus data model. They have been moved over from the Zeek plugin, and are now used by other plugins as well.
Threat Bus 2020.02.27
This is a maintenance release. We cleaned up the Docker setup and rubbed out some LGTM warnings to bump our score to A+.
Threat Bus 2020.01.31
We happily announce Threat Bus 🚌, the missing link to connect open-source threat intelligence tools. Threat Bus is a publish/subscribe broker for threat intelligence with a plugin-based architecture. The current set of plugins connects MISP and Zeek, but a lot more is planned.
- 🎁 Point-to-point pub/sub: In addition to the default broadcast behavior of publishing, subscribers get their own dedicated channel of messages such that no other subscribers get to see intelligence that is meant for selected requesters only.
- 🎁 Snapshotting: Subscribers can request a snapshot (time range) from other plugins. The snapshot is published for the requester only (point-to-point).
- 🎁 PyPI releases
  - Threat Bus: The core project can be extended with plugins.
  - In-Memory Backbone: An in-memory backbone that provisions messages.
  - Zeek Plugin: Feed intelligence items to the Zeek intel framework and report back sightings.
  - MISP Plugin: Retrieve indicators from and report sightings to MISP deployments.
- 🎁 DockerHub release: A pre-built image with all plugins and required dependencies in place.
Threat Bus 2020-01-28
Merge pull request #16 Fix python package outline
Threat Bus v0.3.1
Merge pull request #11 Automate PyPI distribution