
3v1lW1th1n/cb-psc-sandbox


Predictive Security Cloud Connector Sandbox

This repository is for the Predictive Security Cloud (PSC) sandbox, an environment in which you can develop and use PSC connectors. Currently, there are two connectors which work with ThreatHunter: YARA and STIX/TAXII.

Pre-requisites

  • Docker
  • Access to CB ThreatHunter

Setting up the Sandbox and YARA and STIX/TAXII connectors

This section covers configuring, building, and running the sandbox and the connectors within it.

Configuring the Sandbox

The main configuration file for the sandbox is located under configs/docker.yml. Edit this file to specify which PSC credentials to use, as well as which ThreatHunter Feed ID to give results to.

Authentication and credentials

Inside of the main configuration file configs/docker.yml, the first entry cbth_profile allows you to specify which PSC credential profile you want the sandbox to use. For more information on Predictive Security Cloud Authentication, visit our documentation here. The pre-filled profile is default.

Specify Feed IDs

To feed results from a connector into ThreatHunter, you must specify which ThreatHunter Feed ID to populate. Inside of configs/docker.yml, the entry result_sinks allows you to specify what feed to send connector results to.

If you want to create a new Feed, refer to the ThreatHunter Feed Manager API.

Otherwise, if you want to use a pre-existing feed, a helper script is included in this repository to enable retrieval of all feeds available to you. It is located at helper_scripts/get_feed_ids.py. It can be run in a terminal with Python:

$ python3 helper_scripts/get_feed_ids.py

The script should print something like this to the console:

Feed name: Feed One                      Feed ID: 90TuDxDYQtiGyg5qhwYCg
Feed name: Feed Two                      Feed ID: mkF41og1SPactqjKVdfR9A
Feed name: Feed Three                    Feed ID: WjHEF4ZQccfGTaD7BzEQ
Feed name: Feed Four                     Feed ID: U1A4UMyaS2ybaeWUZrWqEA
Feed name: Feed Five                     Feed ID: ewWjIH1xTeSWsbwbqmCvg

In this example, if you wanted to feed results from the YARA connector into Feed One and results from the STIX/TAXII connector into Feed Three, your configs/docker.yml file would look like this:

cbth_profile: default
connector_dirs:
  - /opt/cb/integrations
feed_size: 50
binary_timeout: 600
result_sinks:
  yara:
    kind: feed
    id: 90TuDxDYQtiGyg5qhwYCg
  taxii:
    kind: feed
    id: WjHEF4ZQccfGTaD7BzEQ

If you wanted to use only one of the connectors, you may omit the other from your configs/docker.yml file. To feed only results from the YARA connector into Feed One, your configs/docker.yml file would look like this:

cbth_profile: default
connector_dirs:
  - /opt/cb/integrations
feed_size: 50
binary_timeout: 600
result_sinks:
  yara:
    kind: feed
    id: 90TuDxDYQtiGyg5qhwYCg
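The two steps above, reading the feed listing printed by helper_scripts/get_feed_ids.py and turning a "connector goes to this feed" decision into the result_sinks block of configs/docker.yml, are easy to get subtly wrong (a feed ID copied from the wrong row, a connector name misspelled, a sink left without an id). The following helper is an added example, not code from the cb-psc-sandbox project: it parses the listing format shown above, assembles the docker.yml structure for any subset of the connectors, and sanity-checks a parsed config before you run the sandbox. It assumes only the two connector names the sandbox uses ("yara" and "taxii") and the file layout shown on this page; the feed listing embedded in it is constructed from the sample output above.

```python
"""Assemble and sanity-check configs/docker.yml for the PSC sandbox.

Added example; not part of the cb-psc-sandbox repository. Assumes the
docker.yml layout shown on this page and the connector names "yara" and
"taxii". The feed listing below is constructed to match the format that
helper_scripts/get_feed_ids.py prints.
"""
import re

# Constructed sample of get_feed_ids.py output (names and IDs from the page).
SAMPLE_FEED_LISTING = """\
Feed name: Feed One                      Feed ID: 90TuDxDYQtiGyg5qhwYCg
Feed name: Feed Two                      Feed ID: mkF41og1SPactqjKVdfR9A
Feed name: Feed Three                    Feed ID: WjHEF4ZQccfGTaD7BzEQ
"""

# The only connectors the sandbox currently ships (assumption based on this page).
KNOWN_CONNECTORS = {"yara", "taxii"}
LINE_RE = re.compile(r"^Feed name:\s*(?P<name>.+?)\s+Feed ID:\s*(?P<id>\S+)\s*$")


def parse_feed_listing(text):
    """Turn the helper script's console output into {feed name: feed ID}."""
    feeds = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            feeds[m.group("name")] = m.group("id")
    return feeds


def build_result_sinks(feeds, assignments):
    """Map {connector name: feed name} onto the result_sinks structure.

    An unknown connector or feed name raises, so a typo is caught before the
    sandbox tries to publish into a feed that does not exist or is not yours.
    """
    sinks = {}
    for connector, feed_name in assignments.items():
        if connector not in KNOWN_CONNECTORS:
            raise ValueError(f"unknown connector {connector!r}")
        if feed_name not in feeds:
            raise KeyError(f"no feed named {feed_name!r} is visible to this profile")
        sinks[connector] = {"kind": "feed", "id": feeds[feed_name]}
    return sinks


def validate_config(cfg):
    """Return a list of problems found in a parsed docker.yml (empty list means OK)."""
    problems = []
    if not isinstance(cfg.get("cbth_profile"), str) or not cfg["cbth_profile"]:
        problems.append("cbth_profile must be a non-empty credential profile name")
    dirs = cfg.get("connector_dirs")
    if not isinstance(dirs, list) or not dirs:
        problems.append("connector_dirs must be a non-empty list")
    else:
        problems += [f"connector_dirs entry is not absolute: {d}"
                     for d in dirs if not str(d).startswith("/")]
    for key in ("feed_size", "binary_timeout"):
        v = cfg.get(key)
        if not isinstance(v, int) or isinstance(v, bool) or v <= 0:
            problems.append(f"{key} must be a positive integer")
    sinks = cfg.get("result_sinks")
    if not isinstance(sinks, dict) or not sinks:
        problems.append("result_sinks must name at least one connector")
    else:
        for connector, sink in sinks.items():
            if connector not in KNOWN_CONNECTORS:
                problems.append(f"result_sinks: unknown connector {connector!r}")
                continue
            if not isinstance(sink, dict) or sink.get("kind") != "feed":
                problems.append(f"result_sinks.{connector}.kind must be 'feed'")
            if not isinstance(sink, dict) or not isinstance(sink.get("id"), str) or not sink["id"]:
                problems.append(f"result_sinks.{connector}.id must be a feed ID string")
    return problems


def make_config(feeds, assignments, profile="default"):
    """Assemble the full docker.yml structure as a dict (dump it with PyYAML to write the file)."""
    return {
        "cbth_profile": profile,
        "connector_dirs": ["/opt/cb/integrations"],
        "feed_size": 50,
        "binary_timeout": 600,
        "result_sinks": build_result_sinks(feeds, assignments),
    }


if __name__ == "__main__":
    feeds = parse_feed_listing(SAMPLE_FEED_LISTING)
    cfg = make_config(feeds, {"yara": "Feed One", "taxii": "Feed Three"})
    print(cfg["result_sinks"])
    print("problems:", validate_config(cfg))
```

Passing only {"yara": "Feed One"} to make_config produces the single-connector file from the second listing above; validate_config accepts either shape but rejects a sink with a missing id or a connector name the sandbox does not know.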

Configuring the STIX/TAXII Connector

The STIX/TAXII Connector has a separate configuration file located at connectors/taxii/config.yml. If you want to use the STIX/TAXII connector, see configuration details here.

Building the Sandbox

To build the sandbox docker container, run the following command in your terminal:

docker-compose build

The first build may take a few minutes to complete, as it has to download packages from the internet.

Running the Sandbox

To run the sandbox, you must run the docker container you just built. Run this command in your terminal:

docker-compose up

From here, this terminal will listen to incoming commands and display information.

Running the Connectors

To run the YARA connector, see its documentation here.

To run the STIX/TAXII connector, see its documentation here.

Background Information on YARA and STIX/TAXII

What is YARA?

YARA is a tool utilized to help malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determine its logic.

YARA is a multi-platform tool. It currently runs on Windows, Linux, and macOS and can be used from the command line and/or from Python scripts.

What is STIX/TAXII?

STIX (Structured Threat Information eXpression) is a structured language for describing cyber threat information so it can be shared, stored, and analyzed. STIX is for anyone involved in defending networks or systems against cyber threats!

TAXII (Trusted Automated Exchange of Intelligence Information) defines a set of services and message exchanges that allow actionable threat information to be shared across organizations, products, and services. It is a set of specifications for exchanging cyber threat information so that organizations can share it with their partners.

About

Integration code for building Predictive Security Cloud connectors
