This repository has been archived by the owner on May 29, 2024. It is now read-only.

Releases: tenzir/threatbus

Threat Bus 2021.05.27

27 May 07:39
8285c32

We're happy to announce our release 2021.05.27 of Threat Bus.

STIX-Shifter Integration

This month's release brings a new Threat Bus app to integrate with STIX-Shifter. STIX-Shifter is a tool and Python library to transform STIX patterns into native queries for (mostly commercial) security tools, like IBM QRadar or Splunk. The new app connects STIX-Shifter with Threat Bus and provides a simple way to communicate with the commercial tools of your choice via Threat Bus.

The new app works similarly to pyvast-threatbus and communicates via ZeroMQ. It subscribes to the STIX-2 indicator stream in Threat Bus and then leverages the STIX-Shifter Python library to convert the received STIX patterns to native queries. Check out the OCA documentation for a list of tools that STIX-Shifter can connect with.

Users can configure this new app via a verbose configuration file and tweak behavior for every connected third-party tool individually. STIX-Shifter is module-based, meaning that to connect with any tool, users must first install the required STIX-Shifter module for that particular tool (e.g., stix-shifter-modules-splunk to communicate with Splunk). The new Threat Bus app supports module-specific configuration by adding an appropriate section for every installed module (e.g., splunk) in the app’s configuration file.

The STIX-Shifter integration is still very early and only works in one direction. Once indicators are transformed into native queries, the app simply logs the query results to the console. We are currently working on reporting back results from STIX-Shifter to Threat Bus. Stay tuned!

ZeroMQ App Template

It’s time to lower the barrier of entry to connect your own applications with Threat Bus. That’s why we created a template for writing Python applications. The template app uses ZeroMQ to connect with Threat Bus, so make sure to install the threatbus-zmq-app plugin on your Threat Bus host to get going.

The template app itself is a fully executable application that ships as an individual Python module. Users can execute the application via the CLI once it’s installed in a virtualenv. The template provides logic to manage subscriptions, heartbeats, and reconnection in case of (network) failures. It builds on Python coroutines via asyncio and can be extended easily to build your own app that connects with Threat Bus.

OpenCTI

Our OpenCTI Threat Bus connector can now import indicators from Threat Bus into OpenCTI. With this change, the connector subscribes to the stix2/indicator topic in Threat Bus and forwards received intelligence via API calls to OpenCTI.

Additionally, users can now configure the connector to request a snapshot of historical intelligence from Threat Bus during start up. That makes it effectively possible to pull indicators from other TI platforms (like MISP) into OpenCTI.

Last but not least, we are excited to see that the OpenCTI development team has addressed our issue about indicator removal with release 4.5.1. The platform now fully exports indicators into the SSE stream upon deletion. That makes it possible for our connector to correctly forward delete events from OpenCTI to Threat Bus.

Smaller Things

Threat Bus now supports subscriptions for multiple topics with a single Subscription object. The zmq-app plugin implements that change in a backwards-compatible way: subscribers can transparently subscribe to either one or multiple topics within a single call.
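As an added illustration (not code from the Threat Bus project), the sketch below models the management side of the zmq-app protocol that the template app and the multi-topic subscriptions rely on: a subscribe request carries either one topic or a list of topics, every subscription gets exactly one point-to-point topic, and heartbeats keep the subscription alive. The JSON field names, the reply format and the prefix-based topic matching are assumptions made for this example.

```python
import json
import time
import uuid
from dataclasses import dataclass, field


@dataclass
class Subscription:
    topics: list          # one or more Threat Bus topics, e.g. "stix2/indicator"
    p2p_topic: str        # the single point-to-point topic assigned to the app
    snapshot: int = 0     # requested snapshot in days (0 = none)
    last_heartbeat: float = field(default_factory=time.time)


class ManageEndpoint:
    """Handles subscribe / unsubscribe / heartbeat requests of ZeroMQ apps.

    Message shapes are assumptions for this example, e.g.
    {"action": "subscribe", "topic": "stix2/indicator" | [...], "snapshot": 0}.
    """

    def __init__(self, heartbeat_timeout=30.0):
        self.heartbeat_timeout = heartbeat_timeout
        self.subscriptions = {}   # p2p_topic -> Subscription

    @staticmethod
    def _normalize_topics(topic):
        # Backwards compatible: a single topic string or a list of topic strings.
        if isinstance(topic, str):
            return [topic]
        if isinstance(topic, list) and topic and all(isinstance(t, str) for t in topic):
            return list(dict.fromkeys(topic))   # de-duplicate, keep order
        raise ValueError("topic must be a string or a non-empty list of strings")

    def handle(self, raw, now=None):
        """Process one request (JSON text) and return the reply as a dict."""
        now = time.time() if now is None else now
        try:
            msg = json.loads(raw)
            action = msg["action"]
        except (ValueError, KeyError, TypeError):
            return {"status": "error", "reason": "malformed request"}
        if action == "subscribe":
            try:
                topics = self._normalize_topics(msg.get("topic"))
                snapshot = int(msg.get("snapshot", 0))
            except (ValueError, TypeError):
                return {"status": "error", "reason": "invalid subscription"}
            if snapshot < 0:
                return {"status": "error", "reason": "snapshot must be non-negative"}
            p2p = str(uuid.uuid4())   # one p2p topic regardless of topic count
            self.subscriptions[p2p] = Subscription(topics, p2p, snapshot, now)
            return {"status": "success", "topic": p2p}
        if action == "unsubscribe":
            if self.subscriptions.pop(msg.get("topic"), None) is None:
                return {"status": "error", "reason": "unknown subscription"}
            return {"status": "success"}
        if action == "heartbeat":
            sub = self.subscriptions.get(msg.get("topic"))
            if sub is None:
                return {"status": "error", "reason": "unknown subscription"}
            sub.last_heartbeat = now
            return {"status": "success"}
        return {"status": "error", "reason": f"unknown action {action!r}"}

    def route(self, topic):
        """p2p topics of all subscriptions covering a published Threat Bus topic.

        Prefix matching is assumed here (a subscription to "stix2" also
        receives "stix2/indicator").
        """
        return [p for p, s in self.subscriptions.items()
                if any(topic == t or topic.startswith(t + "/") for t in s.topics)]

    def reap_dead(self, now=None):
        """Drop subscriptions whose app stopped sending heartbeats."""
        now = time.time() if now is None else now
        dead = [p for p, s in self.subscriptions.items()
                if now - s.last_heartbeat > self.heartbeat_timeout]
        for p in dead:
            del self.subscriptions[p]
        return dead
```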

Detection units like Zeek and pyvast-threatbus now set the last_seen attribute in STIX sightings when reporting back results to Threat Bus. That is particularly useful for human operators working with Threat Bus to update their TI platforms with the latest intelligence.

Changelog Highlights

As always, you can find the full scoop in our changelogs for Threat Bus and pyvast-threatbus. Please also check our OpenCTI connector over in the official OpenCTI repository.

🎁 Features

  • stix-shifter-threatbus has come to life. This stand-alone application connects to Threat Bus via ZeroMQ and bridges the gap between Threat Bus and commercial security tools, like IBM QRadar or Splunk. stix-shifter-threatbus uses STIX-Shifter to first translate STIX-2 Indicators to native queries for commercial tools and then execute these queries to log the results. #118

  • We now provide a simple asyncio template for writing applications that connect to Threat Bus via ZeroMQ. #118

  • Threat Bus now supports subscriptions for multiple topics. The zmq-app-plugin implements those multi-topic subscriptions in a backwards-compatible way. Subscribers benefit from this change, as they only get assigned a single point-to-point topic for their subscription, instead of one point-to-point topic for every subscribed Threat Bus topic. #120

⚠️ Changes

  • The -c / --config parameter is now explicitly required to start Threat Bus and pyvast-threatbus. Starting without it will print a helpful error message. #119

  • The threatbus-zeek plugin and pyvast-threatbus now use the timestamp of actual intel matches to set the last_seen property of resulting STIX-2 Sightings, instead of setting the created timestamp. The created timestamp now always refers to the actual creation time of the sightings. #117

  • All Threat Bus apps that connect via ZeroMQ, like pyvast-threatbus, now shut down gracefully and no longer print a stack trace when receiving any stop signal. #118

Threat Bus 2021.04.29

29 Apr 08:48
c23c4da

We're happy to announce the monthly release 2021.04.29 of Threat Bus. While the Threat Bus project moved to the beta stage, we contributed a brand new connector to integrate with OpenCTI.

Our community chat moved to Gitter. Find it at gitter.im/tenzir/threatbus. You can also join via Matrix at #tenzir_vast:gitter.im. The main driver for our decision to move was that our EMS-hosted server results in a confusing workflow where interested users have to create a Matrix account on a third-party homeserver before they can participate in our chat. Gitter makes it easy for everybody to participate and still runs on top of Matrix, so we get the best of both worlds now.

OpenCTI Integration

We are proud to announce our contribution of a brand new Threat Bus connector to the OpenCTIPlatform connectors repository on GitHub. This connector enables users to export STIX-2 indicators in near-real time from OpenCTI to Threat Bus. The connector watches the OpenCTI SSE stream and forwards indicator updates to Threat Bus via ZeroMQ. But that's not all! Not only does the connector export indicators, it also reports back sightings from Threat Bus to OpenCTI, so you can conveniently inspect them in the web UI.

This connector bridges the gap between tactical threat intelligence stored in OpenCTI and detection tools connected to Threat Bus. For example, if you have connected a Zeek instance with Threat Bus, you can now benefit from live matching the intelligence stored in your OpenCTI platform. Should Zeek generate an intelligence match, it will find its way back into the OpenCTI web UI. The same goes for live and retrospective intelligence matching with VAST and basically everything else you connect with Threat Bus. We are looking forward to empowering the blue team community and SOC teams alike, and are interested in hearing your feedback. Snapshot support is already on our roadmap, among other integrations, so stay tuned!

Threat Bus moves to Beta

After several months of testing, both in-house and by external collaborators and contributors, we are happy to announce that the Threat Bus project moves from alpha to the beta stage of development 🎉. You can now find Threat Bus and the most commonly used plugins in the Stage 4 - Beta tier on PyPI.

Moving from alpha to beta for us means we expect Threat Bus to operate smoothly in most cases. While there are still some rough edges in the project, hard crashes should be the unlikely exception.

Updates to PyVAST-Threat Bus

pyvast-threatbus has seen two important bug fixes in the post-processing pipeline of VAST sightings. The bugs were introduced with the STIX-2 rewrite and effectively rendered both the transform_context and sink options unusable. Additionally, we added a new feature for timing out VAST retro-queries. Users can now instruct pyvast-threatbus to abort VAST queries after a configurable interval via the config option retro_match_timeout. Last but not least, we updated the control plane of pyvast-threatbus so it works with our most recent changes to the VAST matcher plugin.

Changelog Highlights

As always, you can find the full scoop in our changelogs for Threat Bus and pyvast-threatbus.

🎁 Features

  • 🎁 pyvast-threatbus now supports a new config option to set timeouts for VAST retro-queries: retro_match_timeout. Pending queries are killed upon timeout. VAST results that were exported before the timeout hit are still reported as valid Sightings. #110

🐞 Bug Fixes

  • 🐞 We fixed a bug where VAST matcher results were passed to the wrong mapping function from pyvast-threatbus after being retrieved from VAST. #109

  • 🐞 We fixed an unhandled exception in the post-processing of sighting context data for both retro- and live-matched sightings in pyvast-threatbus. The bug was introduced with the STIX-2 rewrite and effectively rendered both the transform_context and sink options unusable. #112

Threat Bus 2021.03.25

25 Mar 09:13
7751e3f

We're happy to announce the monthly release 2021.03.25 of Threat Bus. All Tenzir-maintained app plugins, as well as pyvast-threatbus now support STIX-2 for indicators and sightings.

STIX-2 Adoption

Following up on our February release, pyvast-threatbus and all Tenzir-maintained Threat Bus plugins now support STIX-2. This change brings a very clear separation of concerns into the codebase. Threat Bus only accepts Indicators and Sightings in STIX-2 format, while all format conversion logic is handled within the application plugins. For example, the Zeek plugin implements the conversion from STIX-2 Indicators to Zeek events, and likewise converts Zeek events into STIX-2 Sightings. Threat Bus itself only implements the open STIX-2 standard and stays completely unaware of application specific formats and communication protocols.

Most app plugins and pyvast-threatbus implement the conversion logic on best-effort basis, with the exception of the zmq-app plugin. Best-effort basis means that conversion between app-specific formats and STIX-2 can be lossy. The Zeek Intel Framework, for example, only supports point-indicators, meaning that a single IoC only makes up a single value like a domain name or URL. Hence, the Threat Bus Zeek plugin can only convert STIX-2 Indicators to Zeek events if they consist of a single value, and discards other Indicators, such as compound pairs.

We find that this is an acceptable trade-off. Subscribing apps are always limited to their own capabilities and formats, but with STIX-2 Threat Bus now supports a format that is more expressive than what most of the consuming apps can handle. We are excited about the new possibilities the project gains from the STIX-2 adoption, like seamless integration with other open security tools, such as OpenCTI. Keep an eye out on the OpenCTI connectors repository, as we have a Threat Bus integration already on our roadmap!
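An added example (not the Zeek plugin's own code) of the best-effort conversion described here, together with the last_seen handling from the 2021.05.27 notes above: single-value STIX-2 patterns become Zeek intel items, compound or unsupported patterns are discarded, and a Zeek match becomes a STIX-2.1 Sighting whose created time is the build time and whose last_seen is the match timestamp. The pattern parser, the property-to-Intel-type table and the sample indicators are simplifications constructed for this example.

```python
import re
import uuid
from datetime import datetime, timezone

# STIX-2 observation properties that map onto a Zeek Intel Framework type.
# Anything outside this table, and any compound pattern, is discarded: that is
# the lossy best-effort conversion the release notes describe.
STIX_TO_ZEEK_INTEL = {
    ("ipv4-addr", "value"): "Intel::ADDR",
    ("ipv6-addr", "value"): "Intel::ADDR",
    ("domain-name", "value"): "Intel::DOMAIN",
    ("url", "value"): "Intel::URL",
    ("email-addr", "value"): "Intel::EMAIL",
    ("file", "hashes.'MD5'"): "Intel::FILE_HASH",
    ("file", "hashes.'SHA-1'"): "Intel::FILE_HASH",
    ("file", "hashes.'SHA-256'"): "Intel::FILE_HASH",
}

# Accepts exactly one comparison of the form [ object-type:property = 'value' ].
# Patterns with AND/OR, multiple comparisons or other operators do not match.
POINT_PATTERN = re.compile(
    r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$"
)


def stix_indicator_to_zeek_intel(indicator):
    """Best-effort conversion of a STIX-2 Indicator dict to a Zeek intel item.

    Returns the fields of an Intel::Item, or None when the indicator is not a
    single-value point indicator that Zeek's Intel Framework can consume.
    """
    if indicator.get("type") != "indicator":
        return None
    m = POINT_PATTERN.match(indicator.get("pattern", ""))
    if not m:
        return None  # compound or unparsable pattern: discard
    obj_type, prop, value = m.groups()
    zeek_type = STIX_TO_ZEEK_INTEL.get((obj_type, prop))
    if zeek_type is None:
        return None  # observation type without a Zeek intel equivalent
    return {
        "indicator": value.replace("\\'", "'"),
        "indicator_type": zeek_type,
        # keep the STIX id so a later match can be linked back to the indicator
        "meta": {"source": indicator["id"], "desc": indicator.get("name", "")},
    }


def _stix_timestamp(epoch_seconds):
    """Format epoch seconds as a STIX-2.1 timestamp with millisecond precision."""
    dt = datetime.fromtimestamp(epoch_seconds, timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def zeek_match_to_stix_sighting(indicator_id, match_ts, now=None):
    """Convert a Zeek intel match (epoch `ts` of the match) into a STIX-2.1 Sighting.

    `created` is the time the sighting is built; `last_seen` is the time of the
    actual match as reported by Zeek, which is the change made in 2021.05.27.
    """
    now = datetime.now(timezone.utc).timestamp() if now is None else now
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": _stix_timestamp(now),
        "modified": _stix_timestamp(now),
        "sighting_of_ref": indicator_id,
        "last_seen": _stix_timestamp(match_ts),
        "count": 1,
    }


# Constructed sample indicators (documentation addresses and example domains).
SAMPLE_INDICATORS = [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "name": "C2 domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example.net']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "name": "compound", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.7' AND network-traffic:dst_port = 4444]"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "name": "cert", "pattern_type": "stix",
     "pattern": "[x509-certificate:issuer = 'CN=Example']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
     "name": "empty-file hash", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = "
                "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
]
```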

Changelog Highlights

As always, you can find the full scoop in our changelogs for Threat Bus and pyvast-threatbus.

🎁 Features

  • The CIFv3 plugin now supports the STIX-2 (version 2.1) standard for Indicators. The plugin converts STIX-2 Indicators on best-effort basis to CIFv3 indicators before forwarding them to the configured CIF endpoint. #106

  • The Zeek plugin now supports the STIX-2 (version 2.1) standard for Indicators and Sightings. The plugin converts STIX-2 Indicators on best-effort basis to Zeek Intel items before forwarding them to Zeek. Likewise, the plugin converts Zeek sightings to valid STIX-2 Sightings before publishing them on Threat Bus topics. #103

  • The MISP plugin now supports the STIX-2 (version 2.1) standard for Indicators and Sightings. The plugin converts MISP attributes to valid STIX-2 Indicators on best-effort basis before publishing them on Threat Bus topics. Likewise, the plugin converts STIX-2 Sightings to MISP sightings before sending them to MISP. #102

  • pyvast-threatbus now supports the STIX-2 (version 2.1) standard for Indicators and Sightings. The app converts STIX-2 Indicators on best-effort basis to both VAST queries and VAST matcher IoCs to support both retro- and live-matching. Likewise, pyvast-threatbus converts VAST query results as well as VAST matcher sightings to valid STIX-2 Sightings before publishing them on Threat Bus topics. #105

🐞 Bugfixes

  • We fixed a bug in the routing logic for SnapshotRequests. Apps can now request snapshots as expected for all stix2-prefixed topics. #103

Threat Bus 2021.02.24

24 Feb 08:53
dd8c889

We’re happy to announce the monthly release 2021.02.24 of Threat Bus. We now use STIX-2 as the internal format for indicators and sightings. This is the first step forward on our brand new roadmap for making Threat Bus a format-agnostic security content dissemination layer. Along with smaller improvements, the MISP plugin now comes with optional dependencies and pyvast-threatbus supports simultaneous live- and retro-matching with VAST.

STIX-2 Support

Threat Bus now supports STIX-2 (version 2.1) as the internal format for indicators of compromise and sightings. We removed the hand-rolled types Intel and Sighting from threatbus.data together with all custom serialization logic.

We migrated half of the existing plugins for compatibility with the STIX-2 format. The two backbone plugins threatbus-rabbitmq and threatbus-inmem now multiplex messages on the stix2/ topic prefix for Threat Bus subscribers. Likewise, the threatbus-zmq-app plugin processes messages in STIX-2 format via that topic. Expect the other app plugins and pyvast-threatbus to be migrated to support STIX-2 with the next releases.

The decision to support STIX-2 is the first step towards making Threat Bus a format-agnostic security content dissemination layer. It will radically simplify integrations with tools that already use open standards, like OpenCTI. But that’s not all. We don’t want the project to be limited to IoCs and sightings. Instead, we plan to support other open threat intelligence standards like Sigma or YARA rules to generalize from point indicators to more powerful descriptions of detections.

For Threat Bus, this means we will gradually add more topic prefixes like sigma/ and yara/. Transported messages will always have a type corresponding to the topic prefix. For example, the stix2/ prefix only transports STIX-2 content, and STIX-2 indicators will have the precise topic stix2/indicator. Sigma rules will be sent via the sigma/rule topic and so forth. We are excited to move forward with our roadmap and invite you to tag along on this journey!

Optional MISP Plugin Install Targets

The MISP plugin now uses extra dependencies to avoid installing unwanted dependencies. Users can choose the wanted dependencies during installation by running pip install threatbus-misp[zmq] to install the ZeroMQ dependency, or pip install threatbus-misp[kafka] to install the Kafka dependency. The plugin throws a fatal error if none of the dependencies are installed.

Simultaneous Live- and Retro-Matching

pyvast-threatbus, the wrapper to connect VAST with Threat Bus, now supports both live- and retro-matching for a single IoC. These features were mutually exclusive prior to this release. Users can now enable both settings in the config.yaml. Under the hood, pyvast-threatbus parses the IoC to a retro-query and forwards the IoC to a VAST matcher. pyvast-threatbus executes the retro-query immediately, converts query results into sightings, and pushes the sightings back to Threat Bus. At the same time, pyvast-threatbus feeds the parsed IoC into the VAST matcher component. From that point forward, VAST’s matcher checks incoming telemetry automatically against the added IoC and immediately reports sightings back to Threat Bus.

Changelog Highlights

As always, you can find the full scoop in our changelogs for Threat Bus and pyvast-threatbus.

⚡️ Breaking Changes

  • ⚡️ Threat Bus now uses STIX-2 (version 2.1) as internal transport format for Indicators and Sightings. App-plugins now have to provide required mappings between the STIX-2 format and app-specific formats (e.g., the Zeek plugin needs to map STIX-2 to the Zeek intel format). The home-made types threatbus.data.Sighting and threatbus.data.Indicator are removed from the codebase. Plugins with versions earlier than 2021.02.24 are incompatible to the new Threat Bus version. #97

🎁 Features

  • The MISP plugin now uses extra dependencies. Users can now choose the wanted dependencies during installation by running pip install threatbus-misp[zmq] to install the ZeroMQ dependency, or pip install threatbus-misp[kafka] to install the Kafka dependency. The plugin throws a fatal error if none of these dependencies is installed and exits immediately. #99

  • The RabbitMQ backbone plugin, the in-memory backbone plugin, and the zmq-app plugin now support the STIX-2 (version 2.1) standard for Indicators and Sightings. #97

⚠️ Changes

  • ⚠️ Users can now use both retro-matching and live-matching with VAST simultaneously for any given IoC with pyvast-threatbus. On the flip side, there is no longer a default mode of operation. To use live-matching, users now must specifically configure it by setting live_match: true in their config.yaml file. #95

  • ⚠️ pyvast-threatbus drops support for unflattening the JSON that it receives from vast export, because VAST can now return unflattened JSON by default. #92

Threat Bus 2020.12.16

16 Dec 14:07
6f70549

Matching Metrics & Systemd Units

This release brings new Systemd unit files to Threat Bus and pyvast-threatbus. Tenzir updates and maintains these unit files as part of the Threat Bus repository. Both unit files are sandboxed, feature dynamic users, and aim at generally protecting the Linux host-system.

Additionally, pyvast-threatbus now collects basic application metrics about matching with VAST. It writes out these metrics to a file in a configurable interval. The collected metrics differ depending on the use-case: for retro-matching, pyvast-threatbus collects the amount of retro-matches per IoC together with the query-time per IoC. For live-matching, pyvast-threatbus simply collects the amount of matches in general. For both cases it always meters the number of added and removed IoCs.

Changelog Highlights

As always, you can find the full technical scoop in our changelogs for Threat Bus and pyvast-threatbus.

🎁 Features

  • You can now find sandboxed unit files to run Threat Bus and pyvast-threatbus as system services via systemd. These files are officially maintained by us. #77
  • pyvast-threatbus now collects basic application metrics about matching with VAST. #85

⚠️ Changes

  • pyvast-threatbus has dropped support for all command-line options, except --help and --config. The application can only be run with a valid config.yaml configuration file. #85

Threat Bus RabbitMQ 2020.11.30

30 Nov 14:51
7521ba7

This is a hotfix release for the threatbus-rabbitmq plugin to fix a bug that was introduced with #61. The bug prevented user-defined settings from being correctly forwarded to the RabbitMQ server.

Changelog Highlights

🐞 Bugs

  • The RabbitMQ backbone plugin ignored user-defined queue parameters, such as durable or lazy queues. It now respects such parameters again. #76

Threat Bus 2020.11.26

26 Nov 14:53
b02e007

We’re happy to announce the monthly release 2020.11.26 of Threat Bus.

Threat Bus — Performance

This release brings lots of performance tweaks. Additionally, we now release pyvast-threatbus as an individual PyPI package and maintain a separate changelog for it.

Plugin Performance

Plugins in Threat Bus work with queues to deliver threat intelligence. Application plugins, such as the zmq-app plugin, create one queue for each new subscribing app. These queues are filled by the backbone with exactly those messages that match the subscribed topics. For example, pyvast-threatbus subscribes to the topic threatbus/intel via the zmq-app plugin. The plugin creates a new queue and passes it to the backbone. When the backbone puts new intel into that queue, the zmq-app plugin takes it and forwards it to pyvast-threatbus.

Backbones and application plugins are decoupled. It’s the application plugins’ responsibility to check for new messages and forward them to the subscribing app, e.g., using protocols like ZeroMQ or Zeek’s Broker.

The old Threat Bus implementation did not scale well with our usual workloads. In our setup, we maintain threat intelligence in MISP and other tools and store historical network telemetry in VAST. We use Threat Bus with the MISP and zmq-app plugins to ultimately forward intelligence updates from MISP to VAST. With the retro-matching feature of pyvast-threatbus we check new IoCs against historical data stored in VAST to effectively uncover past incidents with new threat intelligence in the fastest way possible.

We found that message consumption and intelligence matching were significantly slower than the rate of our IoC updates. Threat Bus stacked up a growing backlog of undelivered messages, because our TI tools published IoCs way faster than the zmq-app plugin would deliver them to pyvast-threatbus.

We quickly identified the bottleneck. Application plugins, like the Zeek and zmq-app plugin, used a busy-polling approach to check subscriber queues for new messages from the backbone. Prior to this release, Threat Bus used the standard Python3 queues. Unfortunately, that implementation lacks performant notification schemes like select or epoll.

To fix this, we had to change the type of queues that Threat Bus uses internally. Starting with this release, Threat Bus uses joinable queues. They are backed by native OS primitives and can be selected or epolled.

Both the Zeek and zmq-app plugins now use select to publish new messages to subscribers the very moment the backbone shoves them into the subscriber’s queue. We opted for select to keep the logic simple, portable, and sufficiently performant to no longer be the bottleneck. The figure below shows the performance boost for message publishing in the zmq-app plugin.

[Figure: performance_benchmark_zmq]

We also improved the message consumption speed of the RabbitMQ backbone plugin. Instead of a synchronous, blocking connection, we now use an asynchronous select connection that works entirely based on callbacks. The following graphic shows the speedup of the RabbitMQ consumer in the backbone plugin.

[Figure: performance_benchmark_rabbitmq]

Note that the second figure has a much smaller Y-axis than the first. To highlight the impact of the changes, we plotted them all together in the next graphic.

[Figure: performance_benchmark]

In addition to changing the internally used queue type, we introduced a new base class to implement asynchronous background threads in Threat Bus plugins. All existing plugins now extend that class to implement their workers. Using that base class allows us to implement a graceful application shutdown. When the user presses CTRL+c to terminate Threat Bus, it will first shut down backbone plugins, then application plugins, and lastly Threat Bus itself.
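Added illustration (not the plugin code) of the two changes described above: a subscriber queue that select() can wait on instead of busy-polling it, and a StoppableWorker-style base class whose threads are signalled and joined in order during shutdown. The pipe-backed queue is a simplified stand-in for the joinable queues Threat Bus actually uses; the class and method names are assumptions.

```python
import os
import select
import threading
import time
from collections import deque


class SelectableQueue:
    """A queue whose readiness select() can wait on.

    A consumer blocks in the kernel until an item arrives, instead of looping
    over queue.Queue.empty() as the old plugins did.
    """

    def __init__(self):
        self._items = deque()
        self._lock = threading.Lock()
        self._r, self._w = os.pipe()

    def fileno(self):
        return self._r  # lets select() treat the queue like a file descriptor

    def put(self, item):
        with self._lock:
            self._items.append(item)
        os.write(self._w, b"\x00")  # one byte per item, so one wake-up per item

    def get(self):
        os.read(self._r, 1)  # consume the wake-up token for this item
        with self._lock:
            return self._items.popleft()

    def close(self):
        os.close(self._r)
        os.close(self._w)


class StoppableWorker(threading.Thread):
    """Base class for plugin background threads that can be asked to stop."""

    def __init__(self):
        super().__init__(daemon=True)
        self._stop_event = threading.Event()

    def stop(self):
        self._stop_event.set()

    def _running(self):
        return not self._stop_event.is_set()

    def join(self, timeout=None):  # graceful: signal first, then wait
        self.stop()
        super().join(timeout)


class SubscriberPublisher(StoppableWorker):
    """Delivers queued messages to one subscriber the moment they arrive."""

    def __init__(self, queue, deliver, poll_interval=0.1):
        super().__init__()
        self.queue, self.deliver, self.poll_interval = queue, deliver, poll_interval
        self.polls = 0  # wake-ups; a busy-polling loop would count thousands

    def run(self):
        while self._running():
            # Blocks until a message is queued or the interval passes, so the
            # stop flag is re-checked at most every poll_interval seconds.
            ready, _, _ = select.select([self.queue], [], [], self.poll_interval)
            self.polls += 1
            if ready:
                self.deliver(self.queue.get())


def shutdown(backbones, apps):
    """Stop workers in Threat Bus order: backbone plugins first, then app plugins."""
    for worker in backbones + apps:
        worker.join()
    return [worker.is_alive() for worker in backbones + apps]


def demo(n_messages=50):
    """Push constructed messages through one subscriber queue and shut down."""
    q = SelectableQueue()
    delivered = []
    publisher = SubscriberPublisher(q, delivered.append)
    publisher.start()
    for seq in range(n_messages):
        q.put({"topic": "stix2/indicator", "seq": seq})  # constructed sample
    deadline = time.time() + 5
    while len(delivered) < n_messages and time.time() < deadline:
        time.sleep(0.01)
    still_alive = shutdown([], [publisher])
    q.close()
    return delivered, publisher.polls, still_alive
```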

PyVAST-ThreatBus

This release also brings a great performance boost to pyvast-threatbus, the application that enables VAST to connect with Threat Bus. pyvast-threatbus consumes threat intelligence from Threat Bus, transforms it to valid VAST queries, and pipes back the query results in the form of sightings. Prior to this release we used to work sequentially through all incoming IoCs. Now, pyvast-threatbus works with asynchronous background tasks and can issue hundreds of concurrent VAST queries at once. Users can configure the maximum amount of concurrent background tasks in the config file.
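An added example, not pyvast-threatbus code, that combines the bounded concurrency described here with the retro_match_timeout option from the 2021.04.29 notes above: retro-queries run as concurrent asyncio tasks limited by a semaphore, and a query that exceeds the timeout is cancelled while the rows it already exported are still reported as sightings. The VAST export stand-in, the function names and the sample IoCs are constructed for this example.

```python
import asyncio
from datetime import datetime, timezone


async def fake_vast_export(query, rows, delay):
    """Constructed stand-in for `vast export`: streams one result row at a time."""
    for i in range(rows):
        await asyncio.sleep(delay)  # simulates VAST scanning historical data
        yield {"query": query, "row": i, "ts": datetime.now(timezone.utc).isoformat()}


async def retro_match(ioc, retro_match_timeout, rows=5, delay=0.01):
    """Run one retro-query for an IoC and turn each result row into a sighting.

    When `retro_match_timeout` seconds elapse, the pending query is cancelled,
    but rows exported before that are still reported as valid sightings.
    """
    sightings = []

    async def consume():
        async for row in fake_vast_export(ioc["query"], rows, delay):
            sightings.append({"sighting_of_ref": ioc["id"], "context": row})

    timed_out = False
    try:
        await asyncio.wait_for(consume(), retro_match_timeout)
    except asyncio.TimeoutError:
        timed_out = True  # query killed; partial results are kept
    return {"ioc": ioc["id"], "sightings": sightings, "timed_out": timed_out}


async def run_retro_queries(iocs, max_concurrent, retro_match_timeout, **kw):
    """Issue retro-queries concurrently, bounded by `max_concurrent` background tasks."""
    sem = asyncio.Semaphore(max_concurrent)
    running = peak = 0

    async def bounded(ioc):
        nonlocal running, peak
        async with sem:
            running += 1
            peak = max(peak, running)
            try:
                return await retro_match(ioc, retro_match_timeout, **kw)
            finally:
                running -= 1

    results = await asyncio.gather(*(bounded(ioc) for ioc in iocs))
    return results, peak


def retro_match_all(iocs, max_concurrent, retro_match_timeout, **kw):
    """Synchronous entry point: returns (per-IoC results, peak concurrency seen)."""
    return asyncio.run(run_retro_queries(iocs, max_concurrent, retro_match_timeout, **kw))


# Constructed sample IoCs, already parsed into VAST query strings.
SAMPLE_IOCS = [
    {"id": "indicator--00000000-0000-4000-8000-000000000001", "query": "203.0.113.7"},
    {"id": "indicator--00000000-0000-4000-8000-000000000002", "query": "198.51.100.23"},
    {"id": "indicator--00000000-0000-4000-8000-000000000003", "query": "c2.example.net"},
    {"id": "indicator--00000000-0000-4000-8000-000000000004", "query": "192.0.2.44"},
]

if __name__ == "__main__":
    results, peak = retro_match_all(SAMPLE_IOCS, max_concurrent=2, retro_match_timeout=0.5)
    for r in results:
        print(r["ioc"], len(r["sightings"]), "sightings, timed out:", r["timed_out"])
    print("peak concurrent queries:", peak)
```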

Changelog Highlights

Starting with this release, pyvast-threatbus comes with its own changelog. We will release it monthly together with Threat Bus. The changelog highlights cover both Threat Bus and pyvast-threatbus.

🎁 Features

  • Pressing ctrl+c shuts down Threat Bus and its plugins gracefully. #61
  • The Zeek and zmq-app plugins now use the select system call to provision messages to subscribers instead of busy polling. This increases performance by an order of magnitude, while it keeps compatibility with all supported OSes. #61
  • The zmq-app plugin now supports heart beats. This enables both Threat Bus and connected apps to mutually ensure that the connected party is still alive. #58
  • pyvast-threatbus can now issue multiple concurrent VAST queries instead of working through all received IoCs sequentially. Users can configure the maximum number of concurrent background tasks in the configuration file. #61

⚠️ Changes

  • The new StoppableWorker base class should be implemented by all Plugins for their asynchronous background tasks. All existing plugins in the official Threat Bus repository now implement this class. #61

Threat Bus 2020.10.29

29 Oct 09:43
d27d756

We're happy to announce the monthly release 2020.10.29 of Threat Bus.

ZeroMQ Apps

Threat Bus got a new application plugin! The plugin offers a generic ZeroMQ interface to connect with Threat Bus. While most existing plugins are very application-specific, like the MISP or Zeek plugin, the new zmq-app plugin is way more generic: it exposes a simple ZeroMQ interface and protocol that apps can implement, independent of their application-specific communication protocol. The new plugin also replaces the previous VAST plugin.

Our VAST bridge now connects via the new zmq-app plugin and implements the new protocol. Learn how to connect via this plugin on our documentation page and check out the VAST bridge to see a working example.

MISP Plugin Enhancements

The MISP plugin now supports a whitelist-filtering mechanism. Users can specify required properties of IoCs (MISP attributes) in the configuration file. The filter applies to IoCs that are exported from MISP (either via ZeroMQ or Kafka) as well as IoCs that are requested as part of a snapshot. Learn more about the filtering feature in the MISP plugin documentation.

Another enhancement lets the MISP plugin start Threat Bus without a valid PyMISP API connection. If omitted in the configuration, the plugin can still receive indicators via ZeroMQ or Kafka, but it cannot report back sightings or request snapshots.

Changelog Highlights

Starting with this release, you can find the full technical scoop of what changed in our changelog.

🎁 Features

  • The MISP plugin now works without a valid PyMISP API connection. If omitted in the configuration, the plugin can still receive indicators via ZeroMQ or Kafka, but it cannot report back sightings or request snapshots. #55
  • The MISP plugin now supports a whitelist-filtering mechanism. Users can specify required properties of IoCs (MISP attributes) in the configuration file. The filter is implemented for IoCs that are received via ZeroMQ or Kafka as well as IoCs that are requested as part of a snapshot. #49
  • The generic Threat Bus ZeroMQ application plugin has replaced the former VAST plugin. Any app that communicates via ZeroMQ can implement this plugin's protocol to connect with Threat Bus effortlessly. #46

Threat Bus 2020.09.30

30 Sep 13:10
e0b606c

This release brings a new Threat Bus plugin to use RabbitMQ as backbone for message passing and extends the VAST bridge for retrospective IoC matching. Make sure to check out our release blog post for details on retro matching!

🎁 Features

  • RabbitMQ Backbone Plugin: This plugin shifts the heavy lifting for creating a reliable, high-performance message passing infrastructure to RabbitMQ. Using the new backbone plugin, Threat Bus will forward and consume all messages to/from a configurable RabbitMQ endpoint. In consequence, Threat Bus can be scaled horizontally via RabbitMQ.
  • VAST Retro Matching: The Threat Bus VAST bridge now supports retro matching, i.e., the bridge transforms indicators from Threat Bus to VAST queries and sends back the query results as Sightings. This allows for checking new indicators against old telemetry data to retroactively discover new threats.
  • JSON Marshaling: All elementary data types of threatbus.data can now be marshaled as JSON. Threat Bus and its plugins can communicate these data points over the wire to connected applications with ease.

🐞 Bug Fixes

  • The Zeek integration tests have been revived and the overall integration test structure has been improved.

Threat Bus 2020.07.28

28 Jul 11:24
61ab955

This release introduces a level of user-interface consistency and unifies how snapshot requests are handled by application plugins. Make sure to check out our new blog post that gives an extended user introduction to Threat Bus’ basic features and explains how Threat Bus can help reduce the MTTD in your SOC. We’re also happy to share our first YouTube video about Threat Bus and its features. 🎉

Please reach out to us and share your opinion on Threat Bus over at our new Element chat.

🎁 Features

  • The Threat Bus docker container now ships with all existing plugins preinstalled. You can simply disable those you don’t need via the Threat Bus configuration file. Check out the docs to find out more at docs.tenzir.com/threatbus.

⚠️ Changes

  • The handling of snapshot requests is now unified to accept positive integers across all implementing plugins. Pass any positive finite number of days to either the VAST or Zeek plugin and get back intelligence items for the requested time range.