Version: VAST v3.1


This section covers a brief walk-through of how to get started with Threat Bus. First, install Threat Bus and all plugins you need. Use the default configuration file to get started or create a custom one.

Start Up

Display the help text:

threatbus --help

Start Threat Bus (it automatically looks for config.yaml or config.yml in the same directory):


Pass a configuration file to Threat Bus via -c <path/to/file>:

threatbus -c path/to/config.yaml

Start Zeek as a Threat Bus App

Apps must register with the bus before they can exchange data. Zeek is scriptable, and the functionality Zeek needs to subscribe to Threat Bus is implemented in this Zeek script. To connect Zeek with Threat Bus, download the script and load it as follows.

curl -L -o threatbus.zeek
zeek -i <INTERFACE> -C threatbus.zeek

Request an IoC Snapshot with Zeek

Threat Bus allows apps to request snapshots of historic security content. The Zeek script implements this request functionality for indicators. Invoke it as follows.

zeek -i <INTERFACE> -C threatbus.zeek -- "Tenzir::snapshot_intel=30 days"

Use the Docker Container

Threat Bus can be used in a containerized setup. The pre-built Docker image comes with all required dependencies and all existing plugins pre-installed.

docker run tenzir/threatbus:latest --help