Version: VAST v3.1

Threat Bus

caution

Threat Bus is in maintenance mode. We are no longer adding features, as we are about to integrate the core concepts into a new version of VAST's Python bindings.

We're happy to answer any question about the upcoming relaunch in our community chat.

Threat Bus is a STIX-based security content fabric to connect security tools, such as network monitors like Zeek, telemetry engines like VAST, or threat intelligence platforms (TIP) like OpenCTI and MISP. Threat Bus wraps a tool's functions in a publish-subscribe fashion and connects it to a messaging backbone.

For example, Threat Bus turns a TIP into a feed of STIX Indicator objects that can trigger actions in other tools, such as adding an indicator to a blocklist or running a SIEM retro-match.
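The consuming side of such a feed, sketched as an added example (not Threat Bus code and not using its API): a subscriber that decides which STIX Indicator messages may reach a blocklist. The function names and the sample feed are hypothetical, and the messages are trimmed to the fields the check reads.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Only single-comparison patterns, e.g. [ipv4-addr:value = '198.51.100.7'].
SIMPLE = re.compile(r"^\[\s*(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\s*\]$")

def parse_ts(ts):
    """Parse a STIX timestamp (RFC 3339 with a 'Z' suffix)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def blocklist_entry(message, now):
    """Return (kind, value) for an actionable Indicator, or None to skip it."""
    obj = json.loads(message)
    if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
        return None
    if obj.get("revoked", False):
        return None
    if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now:
        return None  # expired intelligence must not reach the blocklist
    m = SIMPLE.match(obj.get("pattern", ""))
    if not m:
        return None  # compound patterns need a full STIX pattern parser
    kind, value = m.groups()
    if kind == "ipv4-addr":
        try:
            ipaddress.IPv4Network(value, strict=False)
        except ValueError:
            return None  # malformed address from the feed
    return kind, value

def build_blocklist(messages, now):
    """Filter a feed and return the sorted, de-duplicated blocklist entries."""
    return sorted({e for e in (blocklist_entry(m, now) for m in messages) if e})

def _ind(pattern, **extra):  # builds constructed sample messages
    return json.dumps({"type": "indicator", "spec_version": "2.1",
                       "pattern_type": "stix", "pattern": pattern,
                       "valid_from": "2024-01-01T00:00:00Z", **extra})

SAMPLE_FEED = [  # constructed messages, not real intelligence
    _ind("[ipv4-addr:value = '198.51.100.7']"),
    _ind("[domain-name:value = 'bad.example']"),
    _ind("[ipv4-addr:value = '203.0.113.9']", revoked=True),
    _ind("[ipv4-addr:value = '192.0.2.1']", valid_until="2024-02-01T00:00:00Z"),
    _ind("[ipv4-addr:value = '999.1.1.1']"),
    _ind("[ipv4-addr:value = '198.51.100.8' OR ipv4-addr:value = '198.51.100.9']"),
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
```

Only the first two sample messages survive: the others are revoked, expired, malformed, or use a compound pattern that this simple matcher deliberately refuses rather than half-parses.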

Threat Bus is a plugin-based application. Almost all functionality is implemented in either backbone or application plugins. The remaining logic of Threat Bus is responsible for launching and initializing all installed plugins with the user-provided configuration. It provides some rudimentary data structures for message exchange and subscription management, as well as two callbacks for (un)subscribing to the bus.