This changelog documents all notable user-facing changes of pyvast-threatbus.

Every entry has a category for which we use the following visual abbreviations:

- 🎁 Features
- 🧬 Experimental Features
- ⚠️ Changes
- ⚡️ Breaking Changes
- 🐞 Bug Fixes
- ⚠️ To make use of VAST's new query scheduler, `vast-threatbus` now runs up to 500 queries in parallel by default. It also waits for one hour before aborting a query. #190
No user-facing changes.
- 🎁 Added a new field `%matchtype` to the `transform_context` setting of `vast-threatbus` that can be used to distinguish between live and retro matches.

- ⚠️ `vast-threatbus` no longer adds a `source` field to the `x_threatbus_sighting_context` field of generated sightings.

- ⚠️ `vast-threatbus` now adds the matched event to the `x_threatbus_sighting_context` for results coming from the live matcher.

- 🎁 `vast-threatbus` now handles sightings generated by VAST matchers using probabilistic filters. Note that to correlate a sighting with its indicator an exact filter must be used, as probabilistic filters do not store the STIX identifier of the indicator. VAST Threat Bus emits the invalid identifier `note--00000000-0000-4000-8000-000000000000` for sightings generated from matchers with probabilistic filters. #176 #178

- 🐞 `vast-threatbus` no longer fails to check for the availability of low priority queries. #173

- ⚠️ `vast-threatbus` now issues low priority queries if those are supported by the version of VAST. #171
No user-facing changes.
- ⚡️ We renamed PyVAST Threat Bus to VAST Threat Bus for clarity. The PyPI package name and the binary name change from `pyvast-threatbus` to `vast-threatbus` accordingly. #159

- 🐞 Live matching with VAST works again! #156

- ⚠️ `vast-threatbus` now depends on version 3.0 of the `stix2` package. #162
- ⚠️ The metric for indicator query time now only reflects the actual time spent querying VAST and no longer includes unstarted VAST queries. #145

- ⚠️ Metrics sent by `pyvast-threatbus` used the short hostname as given by `socket.gethostname()`. This has been changed to use `socket.getfqdn()`. #144

- ⚠️ The Dockerfile of `pyvast-threatbus` has moved to the repository top level and now installs Threat Bus from source. This way, the Docker build always uses the `latest` Threat Bus sources instead of the latest version from PyPI. #141

- 🎁 `pyvast-threatbus` now implements the new ZeroMQ management protocol of the `threatbus-zmq-app` plugin. The app now simply re-uses the Threat Bus hostname as configured in the user's `config.yaml` and appends the port specifications for `pub` and `sub` communication that it receives as part of the subscription success response. #140

- 🐞 The metrics value serialization in `pyvast-threatbus` contained spaces between the fields of a measurement, which is not valid according to the line protocol spec and caused the measurement to be rejected. We fixed the format to ensure all fields are separated by commas. #136

- ⚠️ `pyvast-threatbus` now uses Dynaconf for configuration management. Configuration via a config file works exactly as before. Users can provide a path to the config file using the `-c` option. `pyvast-threatbus` now considers files named `config.yaml` and `config.yml` as default configs if located in the same directory. Additionally, `pyvast-threatbus` now supports configuration via environment variables and `.dotenv`. Env vars need to be prefixed with `PYVAST_THREATBUS_` to be respected and always take precedence over values in config files. #133
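The #136 and #144 entries above describe the serialized metric line without showing one. The following is an added example, not code from pyvast-threatbus, of an InfluxDB line protocol serializer that joins fields with commas, backslash-escapes the characters that would otherwise be read as delimiters, tags the measurement with the FQDN, and a structural check that rejects the space-separated field set the bug produced. The metric name `retro_match_backlog` is from this changelog; the `host` tag key and the sample values are assumptions.

```python
"""InfluxDB line protocol serializer and validator (added example, not
pyvast-threatbus code).

Layout:   measurement,tag=value field=value,field=value timestamp
Tags and fields are comma-separated; the only unescaped spaces separate the
three sections. A space inside the field set (the #136 bug) makes the writer
reject the measurement.
"""
import socket
from typing import Dict, List, Mapping, Union

FieldValue = Union[int, float, bool, str]

# Delimiter characters that must be escaped in measurement names, tag keys,
# tag values and field keys so they are not parsed as structure.
_KEY_ESCAPE = str.maketrans({",": r"\,", " ": r"\ ", "=": r"\="})
_MEASUREMENT_ESCAPE = str.maketrans({",": r"\,", " ": r"\ "})


def host_tag() -> Dict[str, str]:
    """Tag metrics with the fully qualified name (#144), not the short hostname."""
    return {"host": socket.getfqdn()}


def _format_field(value: FieldValue) -> str:
    # bool must be tested before int: bool is an int subclass in Python.
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return f"{value}i"  # integer fields carry an 'i' suffix
    if isinstance(value, float):
        return repr(value)
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'  # string fields are double-quoted


def format_line(measurement: str, tags: Mapping[str, str],
                fields: Mapping[str, FieldValue], timestamp_ns: int) -> str:
    """Serialize one measurement; fields joined by commas, never spaces."""
    if not fields:
        raise ValueError("line protocol requires at least one field")
    tag_set = "".join(
        f",{k.translate(_KEY_ESCAPE)}={str(v).translate(_KEY_ESCAPE)}"
        for k, v in sorted(tags.items()))
    field_set = ",".join(
        f"{k.translate(_KEY_ESCAPE)}={_format_field(v)}"
        for k, v in fields.items())
    return f"{measurement.translate(_MEASUREMENT_ESCAPE)}{tag_set} {field_set} {timestamp_ns}"


def _split_unquoted(text: str, sep: str) -> List[str]:
    """Split on `sep` unless it is backslash-escaped or inside a quoted string."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def is_valid_line(line: str) -> bool:
    """Structural check: two or three space-separated sections, an integer
    timestamp if present, and every field of the form key=value."""
    sections = _split_unquoted(line, " ")
    if len(sections) not in (2, 3) or not all(sections):
        return False
    if len(sections) == 3 and not sections[2].lstrip("-").isdigit():
        return False
    fields = _split_unquoted(sections[1], ",")
    return all("=" in f and not f.startswith("=") for f in fields)
```

Running `is_valid_line` on a line before writing it to the metrics file is the cheap guard that would have caught #136 locally instead of at the InfluxDB ingest.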
- ⚡️ `pyvast-threatbus` now uses point queries instead of substring queries for URI indicators, because such queries are much faster. This may result in fewer matches than before. E.g., a URI indicator `tenzir.com` that used to match `docs.tenzir.com` as well as `https://tenzir.com` now only matches the indicator exactly. #130

- 🎁 `pyvast-threatbus` now collects metrics about received indicators that are about to be matched retrospectively against VAST. The new metric is called `retro_match_backlog` and allows users to determine if a backlog is building up. A backlog builds when `pyvast-threatbus` hits the user-configured limit of max background tasks while at the same time VAST responds slowly to the issued queries. #129

- 🎁 `pyvast-threatbus` now comes with its own Dockerfile. Pre-built images are available on Docker Hub. #126

- ⚠️ All Threat Bus apps that connect via ZeroMQ, like `pyvast-threatbus`, now shut down gracefully and no longer print a stack trace when receiving a stop signal. #118

- ⚠️ The `-c`/`--config` parameter is now explicitly required to start `pyvast-threatbus`. Starting without it prints a helpful error message. #119

- ⚠️ `pyvast-threatbus` now uses the timestamp of retro- and live-matches to set the `last_seen` property of STIX-2 Sightings, instead of setting the `created` timestamp. The `created` timestamp now always refers to the actual creation time of the sighting. #117
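Added example, not vast-threatbus code: building STIX 2.1 Sightings the way the #117 entry describes (`created` is the object's creation time, the match timestamp goes to `first_seen`/`last_seen`), attaching the matched event to `x_threatbus_sighting_context` only for live matches, and, on the consumer side, refusing to correlate sightings that carry the `note--00000000-0000-4000-8000-000000000000` placeholder emitted for probabilistic-filter matches. The context keys `matchtype` and `event`, the constructed event fields, and placing the placeholder in `sighting_of_ref` are assumptions of this example.

```python
"""STIX 2.1 Sightings from VAST matches (added example, not vast-threatbus code)."""
import uuid
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Identifier emitted for matches from probabilistic filters (from the changelog);
# it refers to no indicator, so consumers cannot join it to intel.
PLACEHOLDER_REF = "note--00000000-0000-4000-8000-000000000000"


def stix_timestamp(ts: datetime) -> str:
    """STIX 2.1 timestamp: UTC, ISO 8601, millisecond precision, 'Z' suffix."""
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def make_sighting(indicator_ref: Optional[str], matched_at: datetime,
                  matchtype: str, event: Dict[str, Any],
                  created_at: Optional[datetime] = None) -> Dict[str, Any]:
    """One Sighting per VAST match; `created` and `last_seen` are kept apart."""
    if matchtype not in ("live", "retro"):
        raise ValueError(f"unknown matchtype {matchtype!r}")
    created = stix_timestamp(created_at or datetime.now(timezone.utc))
    seen = stix_timestamp(matched_at)
    context: Dict[str, Any] = {"matchtype": matchtype}  # assumed context key
    if matchtype == "live":
        context["event"] = event  # only live results attach the matched event
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created": created,   # when this object was produced
        "modified": created,
        "first_seen": seen,   # when VAST saw the matching event
        "last_seen": seen,
        "count": 1,
        "sighting_of_ref": indicator_ref or PLACEHOLDER_REF,  # assumed placement
        "x_threatbus_sighting_context": context,
    }


def correlatable_indicator(sighting: Dict[str, Any]) -> Optional[str]:
    """Indicator id a consumer may join on, or None for placeholder sightings."""
    ref = sighting.get("sighting_of_ref", "")
    if ref == PLACEHOLDER_REF or not ref.startswith("indicator--"):
        return None
    return ref


def example() -> Dict[str, Dict[str, Any]]:
    """Three constructed sightings: live and retro matches of one indicator,
    and a live match reported by a matcher with a probabilistic filter."""
    indicator = "indicator--11111111-1111-4111-8111-111111111111"  # constructed id
    matched = datetime(2021, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    created = datetime(2021, 6, 2, 8, 30, 0, 500000, tzinfo=timezone.utc)
    event = {"ts": "2021-06-01T12:00:00Z", "id.orig_h": "10.0.0.5",
             "uri": "https://tenzir.com"}  # constructed Zeek-style event
    return {
        "live": make_sighting(indicator, matched, "live", event, created),
        "retro": make_sighting(indicator, matched, "retro", event, created),
        "probabilistic": make_sighting(None, matched, "live", event, created),
    }
```

A downstream app that keys its correlation on `sighting_of_ref` should treat a `None` from `correlatable_indicator` as "count it, but do not attribute it", which is exactly the limitation the #176/#178 entry documents for probabilistic filters.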
- 🐞 We fixed an unhandled exception in the post-processing of sighting context data for both retro- and live-matched sightings. The bug was introduced with the STIX-2 rewrite and effectively rendered both the `transform_context` and `sink` options unusable. #112

- 🎁 `pyvast-threatbus` now supports a new config option to set timeouts for VAST retro-queries: `retro_match_timeout`. Pending queries are killed upon timeout. VAST results that were exported before the timeout hit are still reported as valid Sightings. #110

- ⚠️ VAST's proprietary Threat Intel Matching feature was rewritten as a VAST plugin. `pyvast-threatbus` now works with the changed command line interface. #109

- 🐞 We fixed a bug where VAST matcher results were passed to the wrong mapping function after being retrieved from VAST. #109

- 🎁 `pyvast-threatbus` now supports the STIX-2 (version 2.1) standard for Indicators and Sightings. The app converts STIX-2 Indicators on a best-effort basis to both VAST queries and VAST matcher IoCs to support both retro- and live-matching. Likewise, `pyvast-threatbus` converts VAST query results as well as VAST matcher sightings to valid STIX-2 Sightings before publishing them on Threat Bus topics. #105

- ⚠️ The retro-matching now applies a strict equality comparison when mapping IoCs to VAST queries. Prior to this change `pyvast-threatbus` used substring search, which came at heavy runtime costs when issuing hundreds of queries per second. #104

- 🎁 Users can now run retro-queries with an unbounded number of results against VAST by setting the `retro_match_max_events` parameter to `0`. #98

- ⚠️ Users can now use both retro-matching and live-matching with VAST simultaneously for any given IoC. On the flip side, there is no longer a default mode of operation. To use live-matching, users must now explicitly enable it by setting `live_match: true` in their `config.yaml` file. #95

- ⚠️ `pyvast-threatbus` drops support for unflattening JSON that it receives from `vast export`, because VAST can now return unflattened JSON by default. #92

- 🎁 `pyvast-threatbus` now supports basic metric collection. It stores metrics in InfluxDB line protocol syntax in a configurable file on disk. #85

- ⚠️ `pyvast-threatbus` can no longer be started with command line arguments. From now on, the application only supports one option, `-c`, to pass a config file. #85

- 🎁 `pyvast-threatbus` now uses the Threat Bus `logger` module. Users can configure logging the same way as in Threat Bus, via a `logging` section in the `config.yaml` file. #80

- 🐞 `pyvast-threatbus` now escapes backslashes and quotes in IoCs before it queries VAST. #74
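Three entries above touch the same code path: STIX-2 Indicators are converted to VAST queries on a best-effort basis (#105), the comparison is strict equality rather than substring search (#104, #130), and quotes and backslashes in the IoC are escaped first (#74). The following is an added example, not pyvast-threatbus code, that shows why the last point is a security fix and not a cosmetic one: an indicator whose value contains a double quote would otherwise terminate the string literal, and the rest of the value becomes query syntax. The supported pattern subset (one `[type:property = 'literal']` comparison), the type-to-extractor mapping, the `:addr == x` / `:string == "x"` query shape and C-style escaping in VAST string literals are assumptions made for this example.

```python
"""STIX-2 pattern -> VAST point query with escaping (added example, not
pyvast-threatbus code). The VAST query syntax shown is assumed."""
import ipaddress
import re
from typing import Optional, Tuple

# Exactly one comparison in brackets: [object-type:property = 'literal'].
# The literal allows any char except an unescaped quote or backslash.
_PATTERN = re.compile(
    r"^\s*\[\s*([a-z0-9-]+):([a-z0-9_.-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]\s*$"
)

# Assumed mapping from STIX object types to VAST type extractors.
_TYPE_TO_EXTRACTOR = {
    "ipv4-addr": ":addr",
    "ipv6-addr": ":addr",
    "domain-name": ":string",
    "url": ":string",
}


def parse_pattern(pattern: str) -> Optional[Tuple[str, str, str]]:
    """Return (object_type, property, value) for the supported subset, or
    None for anything more complex (best effort: unsupported means skip)."""
    m = _PATTERN.match(pattern)
    if not m:
        return None
    obj_type, prop, raw = m.groups()
    # STIX pattern string literals escape ' and \ with a backslash.
    value = re.sub(r"\\(['\\])", r"\1", raw)
    return obj_type, prop, value


def escape_vast_string(value: str) -> str:
    """Escape backslashes and double quotes so the IoC stays one literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def _build_query(pattern: str, escape: bool) -> Optional[str]:
    parsed = parse_pattern(pattern)
    if parsed is None:
        return None
    obj_type, _prop, value = parsed
    extractor = _TYPE_TO_EXTRACTOR.get(obj_type)
    if extractor is None:
        return None
    if extractor == ":addr":
        # Addresses are unquoted literals: validate, never interpolate text.
        try:
            return f":addr == {ipaddress.ip_address(value)}"
        except ValueError:
            return None
    literal = escape_vast_string(value) if escape else value
    return f'{extractor} == "{literal}"'  # strict equality, not substring


def to_vast_query(pattern: str) -> Optional[str]:
    """Point query with the IoC escaped."""
    return _build_query(pattern, escape=True)


def unescaped_query(pattern: str) -> Optional[str]:
    """Models a mapper that pastes the IoC verbatim: a quote in the value ends
    the literal and the remainder is parsed as query syntax."""
    return _build_query(pattern, escape=False)
```

With the hostile indicator `[url:value = 'tenzir.com" || :string != "']`, the unescaped mapper yields `:string == "tenzir.com" || :string != ""`, a query that matches every event with a non-empty string field and turns a threat-intel feed into a full-database export. The escaped mapper yields `:string == "tenzir.com\" || :string != \""`, one literal that matches nothing. Intel feeds are untrusted input to the query builder and should be treated as such.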
- 🎁 `pyvast-threatbus` now uses asynchronous background tasks to query VAST concurrently. VAST queries were executed sequentially prior to this change. This boosts performance by a factor of the number of allowed concurrent background tasks. Users can control the maximum number of concurrent background tasks with the new `max-background-tasks` configuration option. #61

- 🎁 The Python app to connect VAST with Threat Bus is now packaged and published on PyPI. You can install the package via `pip install pyvast-threatbus`. #63
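Three entries in this changelog describe one mechanism from different angles: queries run as concurrent background tasks capped by `max-background-tasks` (#61), a pending query is killed after `retro_match_timeout` while results exported before the timeout are still reported (#110), and the `retro_match_backlog` metric grows when the task cap is hit while VAST answers slowly (#129). The following is an added example, not pyvast-threatbus code, that models all three with `asyncio`: a semaphore bounds the running queries, `wait_for` enforces the timeout without discarding the events already received, and a counter tracks queued-but-unstarted queries. The VAST client is a simulated async generator; its shape, the queries and the timings are assumptions.

```python
"""Bounded concurrent retro queries with timeout and backlog gauge (added
example, not pyvast-threatbus code; the VAST client is simulated)."""
import asyncio
from typing import AsyncIterator, Dict, List


async def fake_vast_export(query: str, results: int, delay: float) -> AsyncIterator[dict]:
    """Stand-in for `vast export`: streams one constructed event per `delay`."""
    for i in range(results):
        await asyncio.sleep(delay)
        yield {"query": query, "seq": i}


class RetroMatcher:
    def __init__(self, max_background_tasks: int, retro_match_timeout: float):
        self._slots = asyncio.Semaphore(max_background_tasks)
        self._timeout = retro_match_timeout
        self.backlog = 0           # queries waiting for a task slot
        self.max_backlog_seen = 0  # what retro_match_backlog would have peaked at

    @staticmethod
    async def _drain(stream: AsyncIterator[dict], sink: List[dict]) -> None:
        async for event in stream:
            sink.append(event)     # every event lands in `sink` as it arrives

    async def run_query(self, query: str, results: int, delay: float) -> Dict[str, object]:
        self.backlog += 1
        self.max_backlog_seen = max(self.max_backlog_seen, self.backlog)
        async with self._slots:    # blocks here when max_background_tasks is hit
            self.backlog -= 1
            sink: List[dict] = []
            stream = fake_vast_export(query, results, delay)
            timed_out = False
            try:
                await asyncio.wait_for(self._drain(stream, sink), self._timeout)
            except asyncio.TimeoutError:
                timed_out = True   # query killed; events already in `sink` are kept
            finally:
                await stream.aclose()
            return {"query": query, "events": sink, "timed_out": timed_out}


async def _demo() -> Dict[str, object]:
    # Two slots, four queries: the last two queue up (backlog peaks at 2), and
    # the third query is too slow to finish within the timeout.
    matcher = RetroMatcher(max_background_tasks=2, retro_match_timeout=0.2)
    outcomes = await asyncio.gather(
        matcher.run_query(':string == "tenzir.com"', results=3, delay=0.01),
        matcher.run_query(":addr == 10.0.0.1", results=3, delay=0.01),
        matcher.run_query(':string == "slow.example"', results=1000, delay=0.01),
        matcher.run_query(":addr == 192.0.2.7", results=3, delay=0.01),
    )
    return {"outcomes": outcomes, "max_backlog": matcher.max_backlog_seen}


def run_demo() -> Dict[str, object]:
    """Run the simulation on a fresh event loop and return all outcomes."""
    return asyncio.run(_demo())
```

The semaphore is created inside the running loop on purpose; on older Python versions an `asyncio.Semaphore` built before `asyncio.run` binds to a different loop and fails on first contention. The timed-out query still returns the events it received, which is the behaviour the #110 entry promises, and a persistently high `max_backlog_seen` is the signal that either the task cap is too low or VAST cannot keep up with the indicator rate.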