Volon (Deprecated)
Volon integration with CTIX helps analysts to fetch malware, bin, SSH attack, SIP attack, APT, Bruteforce Telnet, anonymizers, Elastic search attack, spam, web spam, web attack, phishing, compromised IP, ransomware, CnC, DDoS, Botnet infection, and email breach feeds.
This integration adds contextual information to seemingly isolated threat data, gives you visibility into the digital attack surface, and makes threat investigations easier. You can also gain insights into attackers, their tools and systems, and indicators of compromise.
About Volon
Volon provides adversary-centric actionable cyber threat intelligence to help threat intelligence teams in advanced threat detection and planning effective breach response.
Configure Volon App in CTIX
Volon is available as an out-of-the-box integration in the CTIX application.
Before you Start
You must have the URL, username, and password of your Volon account. The user configuring the integration should have View & Update Tool Integration permission.
Steps
Use the following steps to configure the app in CTIX:
From Administration, open Integration Management and select APIs under FEED SOURCES.
Click Add API source.
Use the search bar to locate VOLON and click on the app.
Click Add Instance to add a Volon instance.
Enter the Instance name, Base URL, and API key.
Note
Use https://api.threat-feeds.com/dev/ as the base URL.
To encrypt the connection between CTIX and the Volon server, select Verify SSL.
Click Save.
Configure Feed Channels for the Volon Integration
You can configure Volon feed channels using the following steps:
From Administration, open Integration Management, and select APIs under FEED SOURCES.
Use the search bar to locate VOLON and click on the app to open the configuration page.
Click the ellipses on the top right corner and select Manage.
On the Manage Instance page, click Manage Feed Channels.
Select the Feed Channel to add.
Enable the Feed Channel and enter the last polled date.
Enter the name of the collection into which the feed data will go. The system creates this collection and puts all the feeds collected from this Feed Channel into it.
Select from one of the following Polling Cron Schedule types to poll the data:
Manual - Allows you to manually poll from the source collection.
Auto - Allows you to automatically poll for threat intel from sources at specific time intervals. Enter a frequency in seconds greater than or equal to 600 in the Polling Time field.
Select a default TLP that you want to assign for the feeds.
Set a default confidence score for the feeds received from this integration.
Select any tags to associate with the feeds received from this integration.
Enable Broken connection Retry Policy to allow the CTIX application to retry failed connections to your Volon account. The system will attempt to connect 10 times.
You can enter the retry interval units in minutes, days, or weeks and also specify the retry interval and the retry count.
Enable Exponential Backoff Entry to progressively extend the wait time between retries for consecutive error responses.
For example, for a 10-minute exponential retry interval, the system will re-attempt to connect in 10, 100, 1000, 10000, and so on until the retry count is met. Use this option to give your system resources some breathing time and to resolve any service overload issues.
Note
You must have View/Update Tool Integrations permissions to receive failed connection notifications.
Click Save.
You can configure multiple instances of this integration by clicking Manage and Add More on the Manage Instance screen.
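The retry arithmetic from the Broken connection Retry Policy and Exponential Backoff steps above, as an added example (not CTIX or Volon code). It assumes the wait before retry n is the interval raised to the power n, which matches the 10, 100, 1000, 10000 sequence given for a 10-minute interval, and it counts how many retries fire before a feed has been unreachable for a chosen window. The function names and the 24-hour window are hypothetical.

```python
# Assumption: wait before retry n = interval ** n (exponential) or interval (fixed),
# expressed in the configured unit. This mirrors the sequence 10, 100, 1000, 10000
# quoted for a 10-minute interval; it is not taken from CTIX source code.
UNIT_MINUTES = {"minutes": 1, "days": 24 * 60, "weeks": 7 * 24 * 60}


def retry_schedule(interval, unit="minutes", retry_count=10, exponential=False):
    """Return a list of (attempt, wait_minutes, elapsed_minutes) tuples."""
    if unit not in UNIT_MINUTES:
        raise ValueError(f"unit must be one of {sorted(UNIT_MINUTES)}")
    if interval < 1 or retry_count < 1:
        raise ValueError("interval and retry_count must be positive")
    schedule, elapsed = [], 0
    for attempt in range(1, retry_count + 1):
        factor = interval ** attempt if exponential else interval
        wait = factor * UNIT_MINUTES[unit]
        elapsed += wait
        schedule.append((attempt, wait, elapsed))
    return schedule


def retries_within(window_minutes, interval, unit="minutes",
                   retry_count=10, exponential=False):
    """Count retries that fire before the outage exceeds window_minutes."""
    schedule = retry_schedule(interval, unit, retry_count, exponential)
    return sum(1 for _, _, elapsed in schedule if elapsed <= window_minutes)


def fmt(minutes):
    """Render a minute count as days/hours/minutes for readability."""
    days, rest = divmod(minutes, 24 * 60)
    hours, mins = divmod(rest, 60)
    return f"{days}d {hours:02d}h {mins:02d}m"


if __name__ == "__main__":
    day = 24 * 60  # hypothetical staleness window: 24 hours
    for label, exp in (("fixed", False), ("exponential", True)):
        print(f"--- 10-minute interval, 10 retries, {label} ---")
        for attempt, wait, elapsed in retry_schedule(10, exponential=exp):
            print(f"retry {attempt:2d}: wait {fmt(wait):>22}  elapsed {fmt(elapsed)}")
        print("retries inside 24h:", retries_within(day, 10, exponential=exp))
```

Under this assumption only three of the ten exponential retries fall inside the first 24 hours, so a feed channel with a long outage stays unpolled until a later retry or a manual Poll Now.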
Poll for Feeds Manually
If you enable Auto Polling while configuring feed channels, the polling will be done automatically. However, if you want to poll for information manually, use the following process:
From Administration, open Integration Management and select APIs under FEED SOURCES.
Select Volon.
Select the feed channel.
Click the vertical ellipsis and select Poll Now.
Note
You can poll data only from the enabled feeds.
View Feeds on the CTIX Application
After configuring the Volon integration on the CTIX application, view the intel received on the CTIX application.
On the Volon integration configuration page, select View Intel.
View the IOCs received in the feeds from this source in Threat Data. Some IOCs received in the feeds cannot be mapped to the STIX domain objects and are mapped to the STIX custom objects.