Bambenek
By integrating with Bambenek, you can import domain and IP address feed data into the CTIX platform. This integration adds context to seemingly isolated threat data, gives you visibility into the digital attack surface, and makes threat investigations easier. You also gain insight into who is attacking you, the tools and systems they use, and the associated indicators of compromise.
About Bambenek
Bambenek Consulting is a cybersecurity investigations and intelligence consulting firm focusing on tackling major criminal threats.
Configure Bambenek app in CTIX
Bambenek is available as an out-of-the-box integration in the CTIX application. You must have the Base URL and the credentials for your Bambenek account. Use the following steps to configure the app in the CTIX application and get started:
Prerequisites:
Your user group must have permissions to view, update, and create feed sources.
Sign in to the CTIX application.
Navigate to the Integration Management module and select the APIs section. This section displays the list of all available apps.
Click Add API source.
Use the search bar to locate Bambenek and click on the app to open the configuration page.
Click Add Instance to add a Bambenek instance.
Enter the Instance name, Base URL, user name, and password.
Click Save.
Configure Feed Channels for the Bambenek integration
Use feed channels in CTIX to configure the feeds that you receive through this integration. Data received through each feed channel is stored in its own collection. The data fetched into CTIX from Bambenek consists mostly of indicators (domains and IP addresses).
Use the following procedure to configure the feed channels.
Navigate to the Integration Management module and select the APIs section.
Use the search bar to locate Bambenek and click on the app to open the configuration page.
Click the ellipsis on the right-hand side and select Manage.
On the Manage Instance page, click Manage Feed Channels.
Select a feed channel.
Enable the feed channel and enter the last polled date.
Enter a name for the collection that will hold this feed's data. CTIX creates the collection and stores everything received through the channel in it.
Select the Polling cron schedule to specify how to poll your Bambenek account.
Select Manual if you want to manually poll for the feeds.
Select Auto to automatically poll for the feeds. Enter a frequency in minutes for automatic polling.
Select a default TLP that you want to assign for the feeds.
Set a default confidence score for the feeds.
Select any tags that you may want to associate with the feeds.
Enable Broken connection Retry Policy to allow the CTIX application to re-attempt failed connections to your Bambenek account. Unless you change the retry count, the system attempts to connect 10 times.
You can set the retry interval unit to minutes, days, or weeks, and specify the retry interval and the retry count.
Enable Exponential Backoff Retry to progressively extend the wait time between retries for consecutive error responses. For example, with a 10-minute retry interval, the system re-attempts the connection after 10, 100, 1000, 10000, and so on, minutes until the retry count is reached. Use this option to give your system resources some breathing time and resolve service overload issues. Because the wait grows tenfold with each retry, keep the retry interval and retry count small enough that the later retries still fall within a useful time window.
Click Save.
You can configure multiple instances of this integration by clicking Manage and Add more.
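The feed channel settings above, worked through as an added example that is not CTIX or Bambenek code: a channel configuration with a last polled date, default TLP, default confidence, tags and the retry policy; a parser that turns feed lines into indicator records and maps each value to a STIX indicator pattern or, where no STIX domain object fits, to a custom object; and a poll loop that retries with the tenfold exponential backoff the page describes. The feed line format (indicator,description,date,reference with '#' comment lines), the ChannelConfig field names and the sample feed are all assumptions constructed for the example.

```python
from __future__ import annotations

import datetime as dt
import ipaddress
from dataclasses import dataclass, field

# Constructed sample feed (not real Bambenek data). Assumed line shape:
# indicator,description,date,reference with '#' comment lines.
SAMPLE_FEED = """\
# constructed sample, fields: indicator,description,date,reference
example-dga.test,Constructed DGA domain,2024-05-02,https://example.invalid/manual
198.51.100.7,Constructed C2 address,2024-05-03,https://example.invalid/manual
bad-entry-with-no-fields
old-dga.test,Constructed stale entry,2024-04-01,https://example.invalid/manual
"""


@dataclass
class ChannelConfig:
    """Hypothetical mirror of the feed channel settings described on the page."""
    last_polled: dt.date
    default_tlp: str = "AMBER"
    default_confidence: int = 50
    tags: list[str] = field(default_factory=list)
    retry_count: int = 3
    retry_interval_min: int = 10
    exponential_backoff: bool = True


def stix_pattern(value: str) -> str | None:
    """Map a raw value to a STIX 2.1 indicator pattern, or None when no
    STIX domain object fits (the page's 'custom object' case)."""
    try:
        ip = ipaddress.ip_address(value)
        typ = "ipv4-addr" if ip.version == 4 else "ipv6-addr"
        return f"[{typ}:value = '{ip}']"
    except ValueError:
        pass
    if "." in value and " " not in value:   # simplistic hostname check
        return f"[domain-name:value = '{value}']"
    return None


def parse_feed(text: str, cfg: ChannelConfig) -> list[dict]:
    """Turn feed lines newer than cfg.last_polled into indicator records
    stamped with the channel's default TLP, confidence and tags."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) < 3:
            continue                      # malformed line: skip, never ingest
        value, description = parts[0], parts[1]
        seen = dt.date.fromisoformat(parts[2])
        if seen <= cfg.last_polled:
            continue                      # already covered by an earlier poll
        pattern = stix_pattern(value)
        records.append({
            "value": value, "description": description, "seen": seen.isoformat(),
            "tlp": cfg.default_tlp, "confidence": cfg.default_confidence,
            "tags": list(cfg.tags),
            "stix_type": "indicator" if pattern else "x-custom-object",
            "pattern": pattern,
        })
    return records


def backoff_schedule(interval_min: int, retry_count: int, exponential: bool) -> list[int]:
    """Minutes to wait before each retry. With exponential backoff the page's
    policy grows the wait tenfold per attempt (10, 100, 1000, ...), so a large
    retry_count pushes the later retries out by days."""
    if exponential:
        return [interval_min * 10 ** i for i in range(retry_count)]
    return [interval_min] * retry_count


def poll_with_retry(fetch, cfg: ChannelConfig, sleep=lambda minutes: None):
    """Call fetch() until it succeeds or retry_count retries are spent.
    sleep is injectable so the example runs without actually waiting."""
    waits = backoff_schedule(cfg.retry_interval_min, cfg.retry_count, cfg.exponential_backoff)
    for attempt in range(cfg.retry_count + 1):
        try:
            return parse_feed(fetch(), cfg), attempt + 1
        except ConnectionError:
            if attempt == cfg.retry_count:
                raise                     # retry policy exhausted
            sleep(waits[attempt])


def demo() -> tuple[list[dict], int]:
    """Simulate a fetch that fails twice, then returns the sample feed."""
    calls = {"n": 0}

    def flaky_fetch() -> str:
        calls["n"] += 1
        if calls["n"] < 3:
            raise ConnectionError("simulated broken connection")
        return SAMPLE_FEED

    cfg = ChannelConfig(last_polled=dt.date(2024, 5, 1), tags=["bambenek"])
    return poll_with_retry(flaky_fetch, cfg)
```

Running demo() succeeds on the third attempt and yields two records (the stale entry is older than the last polled date and the malformed line is dropped), one mapped to a domain-name pattern and one to an ipv4-addr pattern. The sleep callback is where a real poller would wait; injecting it keeps the retry logic testable.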
Poll for Feeds Manually
If you enabled Auto polling while configuring the feed channels, polling happens automatically. To poll for information manually instead, use the following steps.
Sign in to the CTIX application.
Navigate to the Integration Management module and select the APIs section.
Select Bambenek.
You can see the configured feed channels. Select the Feed Channel.
Click the Vertical Ellipsis and choose Poll Now.
View the feeds on CTIX
After configuring the Bambenek integration on the CTIX application, you can view the intel package received on the CTIX application.
From Administration, open Integration Management, and select APIs under FEED SOURCES.
Select Bambenek, and select the feed channel.
Click the vertical ellipsis, and select View Intel. You can view the IOCs received in the feeds from this source in Threat Data. Some IOCs received in the feeds cannot be mapped to STIX domain objects and are mapped to STIX custom objects instead.