CybelAngel

This Integration is part of the CybelAngel Pack.

Supported versions

Supported Cortex XSOAR versions: 8.0.0 and later.

CybelAngel receives reports from the CybelAngel platform, which specializes in external attack surface protection and management.

Configure CybelAngel in Cortex

Required Modules (For XSIAM)

  • Account Takeover Protection module is required for Credentials watchlist events.
  • Domain Protection module is required for Domain events.

| Parameter | Required |
| --- | --- |
| Server URL | True |
| Client ID | True |
| Client Secret | True |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
| Fetch events | True |
| Event Types To Fetch | True |
| The maximum number of report event per fetch | False |
| The maximum number of Credential watchlist events per fetch | False |
| The maximum number of Domain watchlist events per fetch | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cybelangel-get-events

Send events from CybelAngel to XSIAM. Used mainly for debugging.

Base Command

cybelangel-get-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| should_push_events | Set to True in order to create events, otherwise will only display them. Possible values are: True, False. Default is False. | Required |
| events_type_to_fetch | Which events to fetch. Possible values are: Reports, Domain watchlist, Credentials watchlist. Default is Reports. | Optional |
| start_date | Get events from a specific start date formatted with ISO 8601, Example: "2025-01-14T10:22:45". | Optional |
| end_date | Get events until a specific end date formatted with ISO 8601, Example: "2025-01-14T10:22:45". | Optional |
| limit | The maximum number of events to return. Default is 50. | Optional |

Context Output

There is no context output for this command.

cybelangel-report-status-update

Update the status of one or multiple reports.

Base Command

cybelangel-report-status-update

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_ids | List of report IDs to update. | Required |
| status | The new status of the reports. Possible values are: draft, open, in_progress, resolved, discarded. | Required |

Context Output

There is no context output for this command.

Command example

!cybelangel-report-status-update report_ids=1234 status=open

Human Readable Output

"The status of the following reports </report list> has been successfully updated to </report status>."

cybelangel-report-get

Retrieve reports from CybelAngel.

Base Command

cybelangel-report-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The ID of the report to retrieve. | Required |
| pdf | If true, retrieves the report as a PDF file. Possible values are: True, False. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CybelAngel.Report | unknown | The retrieved report. |
| InfoFile.EntryID | String | Entry ID of the saved PDF file. |

Command example

!cybelangel-report-get report_id=1234

Context Example

{
  "CybelAngel": {
    "Report": {
      "abstract": "Example Output.",
      "abuse_email": "",
      "analysis": "Example Output.",
      "asset_urls": [],
      "attachments": [
        {
          "attached_to": "report_id",
          "id": "1234",
          "name": "Example Output.csv"
        }
      ],
      "board": "",
      "category": "leak",
      "city": "",
      "country_code": "",
      "created_at": "2000-11-26T13:25:16.116453",
      "detected_at": "2000-11-26T10:45:05+00:00",
      "domain_registered_at": null,
      "hostnames": [],
      "id": "1234",
      "incident_id": "1234",
      "incident_type": "Test",
      "investigation_id": "1234:1234",
      "ip": "",
      "keywords": [
        {
          "id": "1234",
          "name": "aa.net"
        }
      ],
      "liveness": {
        "last_checked_at": "2000-11-26T13:25:15.716702+00:00",
        "online": true
      },
      "location": "",
      "machine_name": null,
      "malware_location": null,
      "malware_name": null,
      "module": "account_Test",
      "mx_servers": [],
      "ns_servers": [],
      "origins": [
        {
          "type": "malicious_actor",
          "value": ""
        }
      ],
      "port": null,
      "registrant_email": "",
      "registrar_name": "",
      "report_content": "Example Output.",
      "report_type": "incident_detection",
      "risks": [
        {
          "message": "Example Output.",
          "type": "account_takeover"
        },
        {
          "message": "Example Output.",
          "type": "spear_phishing"
        },
        {
          "message": "Example Output.",
          "type": "social_engineering"
        }
      ],
      "samples": [
        {
          "sample": "See attachment",
          "type": "other"
        }
      ],
      "screenshots": [],
      "sender": "Example Output@cybelangel.com",
      "sender_tenant_id": "cybelangel",
      "sent_at": "20200-11-26T13:25:57+00:00",
      "severity": 1,
      "source": "Example platform",
      "status": "resolved",
      "stream": "1234",
      "suggestions": [
        {
          "message": "Example Output.",
          "type": "other"
        }
      ],
      "tags": [],
      "threat": null,
      "title": "Example Output. platform",
      "updated_at": "2000-02-23T13:07:17.214040",
      "url": "https://platform.cybelangel.com/reports/1234",
      "user_session": null,
      "usergroups": [
        "Example Output.",
        "TVMExample Output.SOC"
      ],
      "volume": {
        "bins": null,
        "documents": null,
        "domain": null,
        "emails": 1,
        "ips": null,
        "passwords": 1
      },
      "whois": ""
    }
  }
}

Human Readable Output

Report ID example-id-6 details

| id | report_type | sender | severity | status | updated_at |
| --- | --- | --- | --- | --- | --- |
| example-id-6 | incident_detection | example@example.com | 1 | in_progress | 2025-03-03T09:13:33.253781 |

Command example

!cybelangel-report-get report_id=1234 pdf=true

Context Example

{
  "InfoFile": {
    "EntryID": "1234",
    "Extension": "pdf",
    "Info": "application/pdf",
    "Name": "cybelangel_report_1234.pdf",
    "Size": 127719,
    "Type": "PDF document, version 1.4"
  }
}

Human Readable Output

Returned file: cybelangel_report_1234.pdf

cybelangel-report-remediation-request-create

Create a remediation request for a report.

Base Command

cybelangel-report-remediation-request-create

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The ID of the report. | Required |
| requestor_email | Email of the requestor. | Required |
| requestor_fullname | Full name of the requestor. | Required |

Context Output

There is no context output for this command.

Command example

!cybelangel-report-remediation-request-create report_id=1234 requestor_email=test@paloaltonetworks.com requestor_fullname="Example Test"

Context Example

{
  "CybelAngel": {
    "Report": {
      "RemediationRequest": {
        "report_id": "1234"
      }
    }
  }
}

Human Readable Output

Remediation request was created for 1234.

cybelangel-report-attachment-get

Retrieve an attachment from a report.

Base Command

cybelangel-report-attachment-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The ID of the report. | Required |
| attachment_id | The ID of the attachment. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| InfoFile.EntryID | unknown | Entry ID of the retrieved file. |

Command example

!cybelangel-report-attachment-get report_id=1234 attachment_id=5678

Context Example

{
  "InfoFile": {
    "EntryID": "1111",
    "Extension": "csv",
    "Info": "text/csv; charset=utf-8",
    "Name": "cybelangel_report_1234_attachment_5678.csv",
    "Size": 210,
    "Type": "ASCII text"
  }
}

Human Readable Output

cybelangel-archive-report-by-id-get

Retrieve an archived report by ID as a ZIP file.

Base Command

cybelangel-archive-report-by-id-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The ID of the archived report. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| InfoFile.EntryID | unknown | Entry ID of the saved ZIP file. |

Command example

!cybelangel-archive-report-by-id-get report_id=1234

Context Example

{
  "InfoFile": {
    "EntryID": "1111",
    "Extension": "zip",
    "Info": "application/zip",
    "Name": "cybelangel_archive_report_1234.zip",
    "Size": 15604,
    "Type": "Zip archive data, at least v2.0 to extract"
  }
}

Human Readable Output

cybelangel-mirror-report-get

Retrieve the mirror details for the specified report.

Base Command

cybelangel-mirror-report-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The ID of the report. | Required |
| csv | If true, retrieves the mirror report in CSV format. Possible values are: True, False. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CybelAngel.ReportMirror | unknown | Mirror details of the report. |
| InfoFile.EntryID | unknown | Entry ID of the saved CSV file. |

Command example

!cybelangel-mirror-report-get report_id=1234

Context Example

{
  "CybelAngel": {
    "ReportMirror": {
      "available_files_count": 1,
      "created_at": "2000-07-11T12:50:20Z",
      "files_count": 1,
      "files_volume": 6871,
      "report_id": "1234",
      "status": "expired",
      "stream_id": "1234",
      "updated_at": "2000-01-12T03:26:49Z"
    }
  }
}

Human Readable Output

Mirror details for Report ID example-id-7

| report_id | created_at | available_files_count | updated_at |
| --- | --- | --- | --- |
| example-id-7 | 2024-07-11T12:50:20Z | 1 | 2025-01-12T03:26:49Z |

Command example

!cybelangel-mirror-report-get report_id=1234 csv=true

Context Example

{
  "InfoFile": {
    "EntryID": "1111",
    "Extension": "csv",
    "Info": "text/csv; charset=utf-8",
    "Name": "cybelangel_mirror_report_1234.csv",
    "Size": 212,
    "Type": "ASCII text"
  }
}

Human Readable Output

cybelangel-report-comment-create

Create a new comment on a report.

Base Command

cybelangel-report-comment-create

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| discussion_id | The discussion_id is made of report id and tenant id like uuid:uuid. Example: [report_id]:[your-tenant-id]. | Required |
| content | The content of the comment. | Required |
| parent_id | The ID of the parent comment (for replies). | Optional |
| assigned | Specifies if the comment is assigned to analysts (true/false). | Optional |

Context Output

There is no context output for this command.

Command example

!cybelangel-report-comment-create discussion_id=1234:5678 content="Test Comment"

Human Readable Output

Comment added to Report ID 1234.

cybelangel-report-list

Retrieve reports from CybelAngel.

Base Command

cybelangel-report-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_date | Get reports from a specific start date formatted with ISO 8601. | Optional |
| end_date | Get reports until a specific end date formatted with ISO 8601. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CybelAngel.Report | unknown | The retrieved reports. |

Command example

!cybelangel-report-list start_date="19 hours ago" end_date="now"

Context Example

{
  "CybelAngel": {
    "Report": {
      "reports": [
        {
          "abstract": "Example Output.",
          "abuse_email": "",
          "analysis": "Example Output.",
          "asset_urls": [],
          "attachments": [
            {
              "attached_to": "report_id",
              "id": "1234",
              "name": "Example Output.csv"
            }
          ],
          "board": "",
          "category": "leak",
          "city": "",
          "country_code": "",
          "created_at": "2000-11-26T13:25:16.116453",
          "detected_at": "2000-11-26T10:45:05+00:00",
          "domain_registered_at": null,
          "hostnames": [],
          "id": "1234",
          "incident_id": "1234",
          "incident_type": "Test",
          "investigation_id": "1234:1234",
          "ip": "",
          "keywords": [
            {
              "id": "1234",
              "name": "aa.net"
            }
          ],
          "liveness": {
            "last_checked_at": "2000-11-26T13:25:15.716702+00:00",
            "online": true
          },
          "location": "",
          "machine_name": null,
          "malware_location": null,
          "malware_name": null,
          "module": "account_Test",
          "mx_servers": [],
          "ns_servers": [],
          "origins": [
            {
              "type": "malicious_actor",
              "value": ""
            }
          ],
          "port": null,
          "registrant_email": "",
          "registrar_name": "",
          "report_content": "Example Output.",
          "report_type": "incident_detection",
          "risks": [
            {
              "message": "Example Output.",
              "type": "account_takeover"
            },
            {
              "message": "Example Output.",
              "type": "spear_phishing"
            },
            {
              "message": "Example Output.",
              "type": "social_engineering"
            }
          ],
          "samples": [
            {
              "sample": "See attachment",
              "type": "other"
            }
          ],
          "screenshots": [],
          "sender": "Example Output@cybelangel.com",
          "sender_tenant_id": "cybelangel",
          "sent_at": "20200-11-26T13:25:57+00:00",
          "severity": 1,
          "source": "Example platform",
          "status": "resolved",
          "stream": "1234",
          "suggestions": [
            {
              "message": "Example Output.",
              "type": "other"
            }
          ],
          "tags": [],
          "threat": null,
          "title": "Example Output. platform",
          "updated_at": "2000-02-23T13:07:17.214040",
          "url": "https://platform.cybelangel.com/reports/1234",
          "user_session": null,
          "usergroups": [
            "Example Output.",
            "TVMExample Output.SOC"
          ],
          "volume": {
            "bins": null,
            "documents": null,
            "domain": null,
            "emails": 1,
            "ips": null,
            "passwords": 1
          },
          "whois": ""
        },
        {
          "abstract": "Example Output.",
          "abuse_email": "",
          "analysis": "Example Output.",
          "asset_urls": [],
          "attachments": [
            {
              "attached_to": "report_id",
              "id": "1234",
              "name": "Example Output.csv"
            }
          ],
          "board": "",
          "category": "leak",
          "city": "",
          "country_code": "",
          "created_at": "2000-11-26T13:25:16.116453",
          "detected_at": "2000-11-26T10:45:05+00:00",
          "domain_registered_at": null,
          "hostnames": [],
          "id": "1234",
          "incident_id": "1234",
          "incident_type": "Test",
          "investigation_id": "1234:1234",
          "ip": "",
          "keywords": [
            {
              "id": "1234",
              "name": "aa.net"
            }
          ],
          "liveness": {
            "last_checked_at": "2000-11-26T13:25:15.716702+00:00",
            "online": true
          },
          "location": "",
          "machine_name": null,
          "malware_location": null,
          "malware_name": null,
          "module": "account_Test",
          "mx_servers": [],
          "ns_servers": [],
          "origins": [
            {
              "type": "malicious_actor",
              "value": ""
            }
          ],
          "port": null,
          "registrant_email": "",
          "registrar_name": "",
          "report_content": "Example Output.",
          "report_type": "incident_detection",
          "risks": [
            {
              "message": "Example Output.",
              "type": "account_takeover"
            },
            {
              "message": "Example Output.",
              "type": "spear_phishing"
            },
            {
              "message": "Example Output.",
              "type": "social_engineering"
            }
          ],
          "samples": [
            {
              "sample": "See attachment",
              "type": "other"
            }
          ],
          "screenshots": [],
          "sender": "Example Output@cybelangel.com",
          "sender_tenant_id": "cybelangel",
          "sent_at": "20200-11-26T13:25:57+00:00",
          "severity": 1,
          "source": "Example platform",
          "status": "resolved",
          "stream": "1234",
          "suggestions": [
            {
              "message": "Example Output.",
              "type": "other"
            }
          ],
          "tags": [],
          "threat": null,
          "title": "Example Output. platform",
          "updated_at": "2000-02-23T13:07:17.214040",
          "url": "https://platform.cybelangel.com/reports/1234",
          "user_session": null,
          "usergroups": [
            "Example Output.",
            "TVMExample Output.SOC"
          ],
          "volume": {
            "bins": null,
            "documents": null,
            "domain": null,
            "emails": 1,
            "ips": null,
            "passwords": 1
          },
          "whois": ""
        }
      ]
    }
  }
}

Human Readable Output

Reports list

| id | url | report_type | sender | severity | status | updated_at | report_content |
| --- | --- | --- | --- | --- | --- | --- | --- |
| example-id-1 | https://platform.example.com/reports/example-id-1 | incident_detection | example@example.com | 1 | open | 2025-02-25T13:06:06.821922 | ### Sample content… Example |
| example-id-2 | https://platform.example.com/reports/example-id-2 | incident_detection | example@example.com | 1 | resolved | 2025-02-26T18:58:50.303598 | ### Sample content… Example |
| example-id-3 | https://platform.example.com/reports/example-id-3 | incident_detection | example@example.com | 1 | in_progress | 2025-02-26T12:17:42.241832 | ### Sample content… Example |
| example-id-4 | https://platform.example.com/reports/example-id-4 | incident_detection | example@example.com | 1 | open | 2025-02-26T13:29:54.520708 | ### Sample content… Example |
| example-id-5 | https://platform.example.com/reports/example-id-5 | incident_detection | example@example.com | 2 | open | 2025-02-25T16:29:32.696281 | ### Sample content… Example |
| example-id-6 | https://platform.example.com/reports/example-id-6 | incident_detection | example@example.com | 1 | in_progress | 2025-03-03T09:13:33.253781 | ### Sample content… Example |
| example-id-7 | https://platform.example.com/reports/example-id-7 | incident_detection | example@example.com | 1 | in_progress | 2025-03-03T09:13:33.253781 | ### Sample content… Example |
| example-id-8 | https://platform.example.com/reports/example-id-8 | incident_detection | example@example.com | 1 | open | 2025-03-03T14:26:11.424002 | ### Sample content… Example |
| example-id-9 | https://platform.example.com/reports/example-id-9 | incident_detection | example@example.com | 1 | open | 2025-03-03T14:22:14.184243 | ### Sample content… Example |
| example-id-10 | https://platform.example.com/reports/example-id-10 | incident_detection | example@example.com | 1 | open | 2025-03-03T14:28:22.089922 | ### Sample content… Example |
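
An added example, not part of the integration or its documentation: a triage pass over the CybelAngel.Report.reports context shown above that selects reports not yet closed which carry an account_takeover risk and a non-zero password count, then builds the matching cybelangel-report-status-update command. The sample data is constructed; treating resolved and discarded as closed, and passing report_ids as a comma-separated list, are assumptions.

```python
import json

# Constructed sample in the shape of the cybelangel-report-list context output,
# trimmed to the fields used below (all values are made up).
SAMPLE_CONTEXT = json.loads("""
{"CybelAngel": {"Report": {"reports": [
  {"id": "example-id-1", "status": "open",
   "risks": [{"type": "account_takeover"}, {"type": "spear_phishing"}],
   "volume": {"emails": 1, "passwords": 1}},
  {"id": "example-id-1", "status": "open",
   "risks": [{"type": "account_takeover"}],
   "volume": {"emails": 1, "passwords": 1}},
  {"id": "example-id-2", "status": "resolved",
   "risks": [{"type": "account_takeover"}],
   "volume": {"emails": 3, "passwords": 3}},
  {"id": "example-id-5", "status": "open",
   "risks": [{"type": "social_engineering"}],
   "volume": {"emails": null, "passwords": null}}
]}}}
""")

# Status values listed for cybelangel-report-status-update on this page.
STATUSES = {"draft", "open", "in_progress", "resolved", "discarded"}
CLOSED = {"resolved", "discarded"}  # assumption: these two need no further triage


def exposes_credentials(report):
    """True for a report not yet closed that flags account takeover with passwords."""
    if report.get("status") in CLOSED:
        return False
    risk_types = {r.get("type") for r in report.get("risks") or []}
    passwords = (report.get("volume") or {}).get("passwords") or 0  # null -> 0
    return "account_takeover" in risk_types and passwords > 0


def triage(context):
    """Return de-duplicated report IDs to escalate, in first-seen order."""
    reports = context.get("CybelAngel", {}).get("Report", {}).get("reports") or []
    ids = [r["id"] for r in reports if r.get("id") and exposes_credentials(r)]
    return list(dict.fromkeys(ids))


def status_update_command(report_ids, status="in_progress"):
    """Build the command line; comma-separated report_ids is an assumption."""
    if status not in STATUSES:
        raise ValueError(f"unsupported status: {status}")
    if not report_ids:
        raise ValueError("no report IDs to update")
    return f"!cybelangel-report-status-update report_ids={','.join(report_ids)} status={status}"
```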

cybelangel-report-comments-get

Retrieve comments from a report.

Base Command

cybelangel-report-comments-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | The ID of the report. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CybelAngel.Report.Comment | unknown | The list of comments for the report. |

Command example

!cybelangel-report-comments-get report_id=1234

Context Example

{
  "CybelAngel": {
    "Report": {
      "Comments": {
        "comments": [
          {
            "assigned": false,
            "author": {
              "firstname": "Example",
              "id": "1234",
              "lastname": "Test"
            },
            "content": "Test Comment 2",
            "created_at": "2000-07-11T15:29:05Z",
            "discussion_id": "1234:5678",
            "discussion_tenant_name": "Test",
            "id": "1234",
            "isNew": false,
            "last_updated_at": "2000-07-11T15:29:05Z"
          },
          {
            "assigned": false,
            "author": {
              "firstname": "Example",
              "id": "1234",
              "lastname": "Test"
            },
            "content": "Test Comment 2",
            "created_at": "2000-07-11T15:29:05Z",
            "discussion_id": "1234:5678",
            "discussion_tenant_name": "Test",
            "id": "1234",
            "isNew": false,
            "last_updated_at": "2000-07-11T15:29:05Z"
          }
        ],
        "new": 0,
        "total": 2,
        "id": "1234"
      }
    }
  }
}

Human Readable Output

Comments for Report ID example-id-8

| content | created_at | discussion_id | assigned | author_firstname | author_lastname | last_updated_at |
| --- | --- | --- | --- | --- | --- | --- |
| This is a comment message | 2025-02-27T11:04:05Z | example-id-8:example-tenant-id | false | ExampleFirst | ExampleLast | 2025-02-27T11:04:05Z |