This section covers a brief walk-through of how to get started with Threat Bus. First you have to install Threat Bus and all plugins you need. Threat Bus uses a configuration file to specify global and plugin-specific settings.
Once installed via pip, each plugin requires its own section in the Threat Bus configuration file. See the example below to understand the structure of the config file.
Logging is configured globally. The main application forwards the logging settings to all installed plugins. Logging is supported via colored console output and via a log file.
The plugin configuration either goes into the
depending on the plugin type. The available options are defined by the specific plugin. See the documentation of the individual plugins for more details.
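Added example, not the project's own config file: a minimal config.yaml showing how the global logging section and the per-plugin sections described above fit together. Key names and values follow the Threat Bus example config as I remember it and are assumptions here; check them against the documentation of the plugins you install.

```yaml
# Added illustration of the config layout; key names are assumed from the
# Threat Bus example config and should be verified against the plugin docs.
logging:
  console: true            # colored console output
  console_verbosity: INFO
  file: false              # set to true to also write a log file
  file_verbosity: DEBUG
  filename: threatbus.log  # used only when file logging is enabled

plugins:
  backbones:               # message-passing backbones, one section each
    inmem:                 # in-memory backbone; takes no options
  apps:                    # app plugins, one section per app
    zeek:
      host: "127.0.0.1"    # interface the Zeek plugin listens on
      port: 47761
      module_namespace: Tenzir
```

The logging block is read once by the main application and handed to every plugin, while each entry under apps or backbones is passed only to the plugin of that name.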
Threat Bus requires a configuration file to start. Pass it via
Start Zeek as Threat Bus App
Apps need to register with the bus. Zeek can be scripted, and the relevant functionality is implemented in a Zeek script. To connect Zeek with Threat Bus, download and load the Zeek script as follows.
Start Zeek and Request an IOC Snapshot
Threat Bus allows apps to request snapshots of intelligence items from the past. The Zeek script implements the request functionality. Invoke it like this.
Use the Docker Container
Threat Bus can be used in a containerized setup. The pre-built Docker image comes with all required dependencies and all existing plugins pre-installed.