This repository contains the Predictive Security Cloud (PSC) sandbox, an environment in which you can develop and use PSC connectors. Currently there are two connectors that work with ThreatHunter: YARA and STIX/TAXII.
- Docker
- Access to CB ThreatHunter
This section covers configuring, building, and running the sandbox and the connectors within it.
The main configuration file for the sandbox is located at `configs/docker.yml`. Edit this file to specify which PSC credentials to use, as well as which ThreatHunter Feed ID to send results to.
Inside the main configuration file `configs/docker.yml`, the first entry, `cbth_profile`, specifies which PSC credential profile the sandbox uses. For more information on Predictive Security Cloud authentication, visit our documentation here. The pre-filled profile is `default`.
To feed results from a connector into ThreatHunter, you must specify which ThreatHunter Feed ID to populate. Inside `configs/docker.yml`, the `result_sinks` entry specifies which feed each connector's results are sent to.
If you want to create a new Feed, refer to the ThreatHunter Feed Manager API.
Otherwise, if you want to use a pre-existing feed, a helper script included in this repository lists all feeds available to you. It is located at `helper_scripts/get_feed_ids.py` and can be run in a terminal with Python:

```
$ python3 helper_scripts/get_feed_ids.py
```
The script should print something like this to the console:

```
Feed name: Feed One Feed ID: 90TuDxDYQtiGyg5qhwYCg
Feed name: Feed Two Feed ID: mkF41og1SPactqjKVdfR9A
Feed name: Feed Three Feed ID: WjHEF4ZQccfGTaD7BzEQ
Feed name: Feed Four Feed ID: U1A4UMyaS2ybaeWUZrWqEA
Feed name: Feed Five Feed ID: ewWjIH1xTeSWsbwbqmCvg
```
In this example, if you wanted to feed results from the YARA connector into Feed One and results from the STIX/TAXII connector into Feed Three, your `configs/docker.yml` file would look like this:

```yaml
cbth_profile: default
connector_dirs:
  - /opt/cb/integrations
feed_size: 50
binary_timeout: 600
result_sinks:
  yara:
    kind: feed
    id: 90TuDxDYQtiGyg5qhwYCg
  taxii:
    kind: feed
    id: WjHEF4ZQccfGTaD7BzEQ
```
If you want to use only one of the connectors, you may omit the other from your `configs/docker.yml` file. To feed only results from the YARA connector into Feed One, your `configs/docker.yml` file would look like this:

```yaml
cbth_profile: default
connector_dirs:
  - /opt/cb/integrations
feed_size: 50
binary_timeout: 600
result_sinks:
  yara:
    kind: feed
    id: 90TuDxDYQtiGyg5qhwYCg
```
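A misconfigured `result_sinks` entry fails quietly: the connector runs, but its results never reach a feed you can see in ThreatHunter. The following script, an added example that is not part of this repository, cross-checks the sink IDs in `docker.yml` against the feed listing printed by `get_feed_ids.py` before you run `docker-compose up`. Both inputs are constructed inline from the shapes shown above (the taxii sink deliberately points at a feed that is missing from the listing so the check has something to report). It assumes PyYAML is not installed and so parses only the small YAML subset `docker.yml` uses; with PyYAML available, `yaml.safe_load` would replace `parse_simple_yaml`.

```python
import re

# Constructed sample of what helper_scripts/get_feed_ids.py prints; the names and
# IDs are copied from the README's example listing, not from a real PSC tenant.
FEED_LISTING = """\
Feed name: Feed One Feed ID: 90TuDxDYQtiGyg5qhwYCg
Feed name: Feed Three Feed ID: WjHEF4ZQccfGTaD7BzEQ
"""

# Constructed docker.yml in the README's shape. The taxii sink points at an ID
# that is absent from FEED_LISTING above, to exercise the check.
DOCKER_YML = """\
cbth_profile: default
connector_dirs:
  - /opt/cb/integrations
feed_size: 50
binary_timeout: 600
result_sinks:
  yara:
    kind: feed
    id: 90TuDxDYQtiGyg5qhwYCg
  taxii:
    kind: feed
    id: U1A4UMyaS2ybaeWUZrWqEA
"""

FEED_LINE = re.compile(r"^Feed name: (?P<name>.+?) Feed ID: (?P<id>\S+)$")
KNOWN_CONNECTORS = {"yara", "taxii"}  # the two connectors this sandbox ships


def parse_feed_listing(text):
    """Map feed ID -> feed name from get_feed_ids.py output; other lines are ignored."""
    feeds = {}
    for line in text.splitlines():
        m = FEED_LINE.match(line.strip())
        if m:
            feeds[m.group("id")] = m.group("name")
    return feeds


def _scalar(value):
    # docker.yml only uses bare strings and integers.
    try:
        return int(value)
    except ValueError:
        return value


def parse_simple_yaml(text):
    """Parse the YAML subset docker.yml uses: space-indented nested mappings,
    scalar values and lists of scalars. Not a general YAML parser."""
    root = {}
    # Stack entries are (indent, container, parent, key) so the empty mapping
    # created for "key:" can be swapped for a list when "- item" lines follow.
    stack = [(-1, root, None, None)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while indent <= stack[-1][0]:
            stack.pop()
        top_indent, container, parent, key = stack[-1]
        if line.startswith("- "):
            if isinstance(container, dict):
                if parent is None or container:
                    raise ValueError("list item in an unexpected place: %r" % line)
                container = []
                parent[key] = container
                stack[-1] = (top_indent, container, parent, key)
            container.append(_scalar(line[2:].strip()))
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("unparseable line: %r" % line)
        name, value = name.strip(), value.strip()
        if value:
            container[name] = _scalar(value)
        else:
            child = {}
            container[name] = child
            stack.append((indent, child, container, name))
    return root


def check_result_sinks(config, feeds):
    """Return a list of problems; an empty list means every configured sink is a
    feed visible to the chosen PSC profile."""
    problems = []
    sinks = config.get("result_sinks")
    if not isinstance(sinks, dict) or not sinks:
        return ["result_sinks is missing or empty, so no connector output reaches ThreatHunter"]
    for connector, sink in sinks.items():
        if connector not in KNOWN_CONNECTORS:
            problems.append("unknown connector %r in result_sinks" % connector)
            continue
        if not isinstance(sink, dict) or sink.get("kind") != "feed":
            problems.append("%s: kind must be 'feed'" % connector)
            continue
        feed_id = str(sink.get("id", ""))
        if not feed_id:
            problems.append("%s: missing feed id" % connector)
        elif feed_id not in feeds:
            problems.append("%s: feed id %r is not among the feeds visible to this profile" % (connector, feed_id))
    return problems


if __name__ == "__main__":
    for problem in check_result_sinks(parse_simple_yaml(DOCKER_YML), parse_feed_listing(FEED_LISTING)):
        print("docker.yml:", problem)
```

Running it reports the taxii sink only; the yara sink resolves to Feed One. In practice you would pipe the real `get_feed_ids.py` output into `parse_feed_listing` and read `configs/docker.yml` from disk, so that the sandbox is only started once every sink maps to a feed the configured `cbth_profile` can actually write to.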
The STIX/TAXII connector has a separate configuration file located at `connectors/taxii/config.yml`. If you want to use the STIX/TAXII connector, see configuration details here.
To build the sandbox Docker container, run the following command in your terminal:

```
docker-compose build
```
The first build may take a few minutes to complete, as it has to download packages from the internet.
To run the sandbox, start the Docker container you just built. Run this command in your terminal:

```
docker-compose up
```

From here, this terminal listens for incoming commands and displays information.
To run the YARA connector, see its documentation here.
To run the STIX/TAXII connector, see its documentation here.
YARA is a tool that helps malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression that determines its logic.

YARA is multi-platform: it currently runs on Windows, Linux, and macOS and can be used from the command line and/or from Python scripts.
STIX (Structured Threat Information eXpression) is a structured language for describing cyber threat information so it can be shared, stored, and analyzed. STIX is for anyone involved in defending networks or systems against cyber threats!

TAXII (Trusted Automated Exchange of Intelligence Information) defines a set of services and message exchanges that allow actionable threat information to be shared across organizations, products, and services. It is a set of specifications for exchanging cyber threat information to help organizations share information with their partners.