Cyberint Feed

This Integration is part of the Cyberint Pack.

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

Use the Cyberint Feed integration to get indicators from the feed.

Configure Cyberint Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Cyberint Feed.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Cyberint API URL | Example: https://yourcompany.cyberint.io | True |
    | API access token | | True |
    | Fetch indicators | Should be checked (true) | False |
    | Indicator Type | Which indicator types to fetch | True |
    | Confidence | The confidence score (0-100) from which indicators are fetched. | False |
    | Severity | The severity score (0-100) from which indicators are fetched. | False |
    | Tags | Supports CSV values. | False |
    | Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cyberint-get-indicators

Gets indicators from the feed.

Base Command

cyberint-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of results to return. Default is 10. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cyberint.indicator.ioc_value | String | The indicator value. |
| Cyberint.indicator.ioc_type | String | The indicator type. |
| Cyberint.indicator.description | String | The feed description. |
| Cyberint.indicator.detected_activity | String | The feed detected activity. |
| Cyberint.indicator.observation_date | String | The feed observation date. |
| Cyberint.indicator.severity_score | String | The feed severity score. |
| Cyberint.indicator.confidence | String | The feed confidence. |

Command example

!cyberint-get-indicators limit=10 execution-timeout=700

Context Example

{
  "Cyberint": [
    {
      "fields": {
        "Description": "Recognized as Malicious.",
        "FirstSeenBySource": "2024-01-23T22:53:36+00:00",
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN"
      },
      "rawJSON": {
        "confidence": 80,
        "description": "Recognized as Malicious.",
        "detected_activity": "malware_payload",
        "ioc_type": "file/sha256",
        "ioc_value": "ioc1",
        "observation_date": "2024-01-23T22:53:36+00:00",
        "severity_score": 100
      },
      "service": "Cyberint",
      "type": "File",
      "value": "ioc1"
    },
    {
      "fields": {
        "Description": "Recognized as zzz.",
        "FirstSeenBySource": "2024-01-23T22:55:36+00:00",
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN"
      },
      "rawJSON": {
        "confidence": 80,
        "description": "Recognized as zzz.",
        "detected_activity": "malware_payload",
        "ioc_type": "file/sha256",
        "ioc_value": "ioc2",
        "observation_date": "2024-01-23T22:55:36+00:00",
        "severity_score": 100
      },
      "service": "Cyberint",
      "type": "File",
      "value": "ioc2"
    },
    {
      "fields": {
        "Description": "Recognized as xxx.",
        "FirstSeenBySource": "2024-01-23T22:53:35+00:00",
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN"
      },
      "rawJSON": {
        "confidence": 80,
        "description": "Recognized as xxx.",
        "detected_activity": "malware_payload",
        "ioc_type": "file/sha256",
        "ioc_value": "ioc3",
        "observation_date": "2024-01-23T22:53:35+00:00",
        "severity_score": 100
      },
      "service": "Cyberint",
      "type": "File",
      "value": "ioc3"
    },
    {
      "fields": {
        "Description": "Recognized as xxx.",
        "FirstSeenBySource": "2024-01-23T22:55:31+00:00",
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN"
      },
      "rawJSON": {
        "confidence": 80,
        "description": "Recognized as xxx.",
        "detected_activity": "malware_payload",
        "ioc_type": "file/sha256",
        "ioc_value": "ioc4",
        "observation_date": "2024-01-23T22:55:31+00:00",
        "severity_score": 100
      },
      "service": "Cyberint",
      "type": "File",
      "value": "ioc4"
    },
    {
      "fields": {
        "Description": "Recognized as xxx.",
        "FirstSeenBySource": "2024-01-23T22:55:35+00:00",
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN"
      },
      "rawJSON": {
        "confidence": 80,
        "description": "Recognized as xxx.",
        "detected_activity": "malware_payload",
        "ioc_type": "file/sha256",
        "ioc_value": "ioc5",
        "observation_date": "2024-01-23T22:55:35+00:00",
        "severity_score": 100
      },
      "service": "Cyberint",
      "type": "File",
      "value": "ioc5"
    },
    {
      "fields": {
        "Description": "Recognized as Trojan.xxx.",
        "FirstSeenBySource": "2024-01-23T22:55:39+00:00",
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN"
      },
      "rawJSON": {
        "confidence": 80,
        "description": "Recognized as Trojan.xxx.",
        "detected_activity": "malware_payload",
        "ioc_type": "file/sha256",
        "ioc_value": "ioc6",
        "observation_date": "2024-01-23T22:55:39+00:00",
        "severity_score": 100
      },
      "service": "Cyberint",
      "type": "File",
      "value": "ioc6"
    },
    {
      "fields": {
        "Description": "Recognized as xxx.",
        "FirstSeenBySource": "2024-01-12T01:39:06+00:00",
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN"
      },
      "rawJSON": {
        "confidence": 80,
        "description": "Recognized as xxx.",
        "detected_activity": "malware_payload",
        "ioc_type": "file/sha256",
        "ioc_value": "ioc7",
        "observation_date": "2024-01-12T01:39:06+00:00",
        "severity_score": 100
      },
      "service": "Cyberint",
      "type": "File",
      "value": "ioc7"
    },
    {
      "fields": {
        "Description": "Recognized as xxx.",
        "FirstSeenBySource": "2024-01-23T22:55:36+00:00",
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN"
      },
      "rawJSON": {
        "confidence": 80,
        "description": "Recognized as xxx.",
        "detected_activity": "malware_payload",
        "ioc_type": "file/sha256",
        "ioc_value": "ioc8",
        "observation_date": "2024-01-23T22:55:36+00:00",
        "severity_score": 100
      },
      "service": "Cyberint",
      "type": "File",
      "value": "ioc8"
    },
    {
      "fields": {
        "Description": "Recognized as xxx.",
        "FirstSeenBySource": "2023-12-16T21:28:01+00:00",
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN"
      },
      "rawJSON": {
        "confidence": 70,
        "description": "Recognized as xxx.",
        "detected_activity": "malware_payload",
        "ioc_type": "file/sha256",
        "ioc_value": "ioc9",
        "observation_date": "2023-12-16T21:28:01+00:00",
        "severity_score": 100
      },
      "service": "Cyberint",
      "type": "File",
      "value": "ioc9"
    },
    {
      "fields": {
        "Description": "Recognized as xxx.",
        "FirstSeenBySource": "2024-01-23T22:55:35+00:00",
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN"
      },
      "rawJSON": {
        "confidence": 80,
        "description": "Recognized as xxx.",
        "detected_activity": "malware_payload",
        "ioc_type": "file/sha256",
        "ioc_value": "ioc10",
        "observation_date": "2024-01-23T22:55:35+00:00",
        "severity_score": 100
      },
      "service": "Cyberint",
      "type": "File",
      "value": "ioc10"
    }
  ]
}

Human Readable Output

Indicators from Cyberint Feed

| Name | Type | Description |
| --- | --- | --- |
| Detected activity | String | Type of detected activity. |
| IoC type | String | The indicator type. |
| IoC value | String | The indicator value. |
| Observation date | String | Observation date of detected activity. |
| Severity score | Number | Severity score of detected activity. |
| Confidence | Number | Confidence of detected activity. |
| Description | String | Description of detected activity. |
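The instance parameters (Confidence, Severity, Tags) and the context example above together describe how a raw feed item becomes an XSOAR indicator: the raw item is kept under rawJSON, and value, type, service and fields are derived from it. The following is an added example, not the Cyberint integration's own code, that performs that conversion on constructed feed items and skips items a fetch must not choke on (an unsupported ioc_type, a malformed observation_date). Only the "file/sha256" to "File" mapping is shown on the page; the other type mappings, the inclusive-lower-bound reading of the thresholds, and the use of the XSOAR "tags" indicator field are assumptions of the example.

```python
"""Added example, not the Cyberint integration's own code: convert raw feed
items (the rawJSON shape in the context example above) into the indicator
objects the feed pushes into Cortex XSOAR, applying the instance's
Confidence / Severity thresholds and Tags. The sample feed items are
constructed; nothing here talks to the network."""
from datetime import datetime

# "file/sha256" -> "File" is shown on the page; the other three mappings are
# assumptions of this example about how the remaining feed types map.
IOC_TYPE_TO_XSOAR = {
    "file/sha256": "File",
    "domain": "Domain",   # assumed
    "ipv4": "IP",         # assumed
    "url": "URL",         # assumed
}

# Constructed sample feed items (same keys as rawJSON in the context example).
SAMPLE_FEED = [
    {"confidence": 80, "description": "Recognized as Malicious.",
     "detected_activity": "malware_payload", "ioc_type": "file/sha256",
     "ioc_value": "ioc1", "observation_date": "2024-01-23T22:53:36+00:00",
     "severity_score": 100},
    {"confidence": 40, "description": "Phishing website.",
     "detected_activity": "phishing_website", "ioc_type": "domain",
     "ioc_value": "phish.example", "observation_date": "2024-02-01T10:00:00+00:00",
     "severity_score": 60},
    # Unsupported ioc_type: must be skipped rather than abort the fetch.
    {"confidence": 95, "description": "Unsupported kind of indicator.",
     "detected_activity": "other", "ioc_type": "email",
     "ioc_value": "user@example.invalid", "observation_date": "2024-02-01T10:00:00+00:00",
     "severity_score": 90},
    # Malformed observation_date: skipped so FirstSeenBySource stays parseable.
    {"confidence": 90, "description": "Bad timestamp.",
     "detected_activity": "cnc_server", "ioc_type": "ipv4",
     "ioc_value": "198.51.100.7", "observation_date": "not-a-date",
     "severity_score": 100},
]


def to_indicator(item, tags=()):
    """Build one XSOAR indicator object, or return None if the item is unusable."""
    xsoar_type = IOC_TYPE_TO_XSOAR.get(item.get("ioc_type"))
    if xsoar_type is None or not item.get("ioc_value"):
        return None
    try:
        datetime.fromisoformat(item["observation_date"])  # must be ISO 8601
    except (KeyError, TypeError, ValueError):
        return None
    fields = {
        "Description": item.get("description", ""),
        "FirstSeenBySource": item["observation_date"],
        "reportedby": "Cyberint",
        "trafficlightprotocol": "GREEN",
    }
    if tags:
        fields["tags"] = list(tags)  # assumed: XSOAR's indicator "tags" field
    return {
        "value": item["ioc_value"],
        "type": xsoar_type,
        "service": "Cyberint",
        "fields": fields,
        "rawJSON": dict(item),
    }


def fetch_indicators(feed_items, min_confidence=0, min_severity=0, tags=(), limit=None):
    """Apply the Confidence / Severity thresholds (assumed here to be inclusive
    lower bounds on the 0-100 scale) and the Tags parameter, then convert."""
    indicators = []
    for item in feed_items:
        if item.get("confidence", 0) < min_confidence:
            continue
        if item.get("severity_score", 0) < min_severity:
            continue
        indicator = to_indicator(item, tags)
        if indicator is None:
            continue
        indicators.append(indicator)
        if limit is not None and len(indicators) >= limit:
            break
    return indicators


if __name__ == "__main__":
    for ind in fetch_indicators(SAMPLE_FEED, min_confidence=50, tags=["cyberint-feed"]):
        print(ind["type"], ind["value"], ind["fields"]["tags"])
```

Running the block with the default thresholds yields the file and domain indicators only; raising the Confidence parameter to 50 drops the domain item as well, which is the behaviour to expect from the instance settings when the feed suddenly returns fewer indicators than the limit.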

cyberint-get-file-sha256

Gets File SHA256 from the feed.

Base Command

cyberint-get-file-sha256

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| value | File SHA256 hash | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cyberint.file_sha256.entity.type | String | The indicator type. |
| Cyberint.file_sha256.entity.value | String | The indicator value. |
| Cyberint.file_sha256.enrichment.first_seen | String | First seen. |
| Cyberint.file_sha256.enrichment.download_urls | String | Download URLs. |
| Cyberint.file_sha256.enrichment.filenames | String | Filenames. |
| Cyberint.file_sha256.benign | String | Benign. |
| Cyberint.file_sha256.risk.malicious_score | String | Malicious score. |
| Cyberint.file_sha256.risk.occurrences_count | String | Occurrences count. |

Command example

!cyberint-get-file-sha256 value=6a7b02c43837dcb8e40d271edb88d13d2e723c721a74931857aaef4853317789

Context Example

{
  "data": {
    "entity": {
      "type": "file/sha256",
      "value": "6a7b02c43837dcb8e40d271edb88d13d2e723c721a74931857aaef4853317789"
    },
    "risk": {
      "malicious_score": 100,
      "detected_activities": [
        {
          "type": "malware",
          "observation_date": "2025-03-05T14:47:43.994848+00:00",
          "description": "",
          "confidence": 100,
          "occurrences_count": 1
        },
        {
          "type": "malware_payload",
          "observation_date": "2025-02-12T21:08:13+00:00",
          "description": "Detected in 1 source(s). Recognized as Trojan.Agent.CYZT.",
          "confidence": 80,
          "occurrences_count": 1
        }
      ],
      "occurrences_count": 2
    },
    "enrichment": {
      "related_entities": null,
      "filenames": [
        "rifaien2-TwxvxoHtj44icOI0.exe"
      ],
      "first_seen": "2025-02-12T21:08:13+00:00",
      "download_urls": []
    },
    "benign": false
  }
}

Human Readable Output

File SHA256 Entity

| Name | Type | Description |
| --- | --- | --- |
| Type | String | The indicator type. |
| Value | String | The indicator value. |
| Malicious score | Number | Malicious score. |
| Benign | Boolean | Benign. |

File SHA256 Enrichment

| Name | Type | Description |
| --- | --- | --- |
| Filenames | String | List of filenames. |
| First seen | String | First seen. |
| Download URLs | String | List of download URLs. |

File SHA256 Detected activities

| Name | Type | Description |
| --- | --- | --- |
| Type | String | Type of detected activity. |
| Observation date | String | Observation date of detected activity. |
| Description | String | Description of detected activity. |
| Confidence | Number | Confidence of detected activity. |
| Occurrences count | Number | Occurrences count of detected activity. |

cyberint-get-domain

Gets Domain from the feed.

Base Command

cyberint-get-domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| value | Domain | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cyberint.domain.entity.type | String | The indicator type. |
| Cyberint.domain.entity.value | String | The indicator value. |
| Cyberint.domain.risk.malicious_score | String | Malicious score. |
| Cyberint.domain.risk.occurrences_count | String | Occurrences count. |
| Cyberint.domain.enrichment.ips | String | IPs. |
| Cyberint.domain.enrichment.whois.created_date | String | Created date. |
| Cyberint.domain.enrichment.whois.updated_date | String | Updated date. |
| Cyberint.domain.enrichment.whois.expiration_date | String | Expiration date. |
| Cyberint.domain.enrichment.whois.registrant_name | String | Registrant name. |
| Cyberint.domain.enrichment.whois.registrant_email | String | Registrant email. |
| Cyberint.domain.enrichment.whois.registrant_organization | String | Registrant organization. |
| Cyberint.domain.enrichment.whois.registrant_country | String | Registrant country. |
| Cyberint.domain.enrichment.whois.registrant_telephone | String | Registrant telephone. |
| Cyberint.domain.enrichment.whois.technical_contact_email | String | Technical contact email. |
| Cyberint.domain.enrichment.whois.technical_contact_name | String | Technical contact name. |
| Cyberint.domain.enrichment.whois.technical_contact_organization | String | Technical contact organization. |
| Cyberint.domain.enrichment.whois.registrar_name | String | Registrar name. |
| Cyberint.domain.enrichment.whois.admin_contact_name | String | Admin contact name. |
| Cyberint.domain.enrichment.whois.admin_contact_organization | String | Admin contact organization. |
| Cyberint.domain.enrichment.whois.admin_contact_email | String | Admin contact email. |
| Cyberint.domain.benign | String | Benign. |

Command example

!cyberint-get-domain value=dummy.com

Context Example

{
  "data": {
    "entity": {
      "type": "domain",
      "value": "domain.com"
    },
    "risk": {
      "malicious_score": 80,
      "detected_activities": [
        {
          "type": "infecting_url",
          "observation_date": "2025-03-05T14:47:23.534044+00:00",
          "description": "URL that may infect it’s visitors with malware.",
          "confidence": 100,
          "occurrences_count": 1
        },
        {
          "type": "phishing_website",
          "observation_date": "2024-09-16T06:26:16+00:00",
          "description": "Detected phishing website targeting Dummy.",
          "confidence": 20,
          "occurrences_count": 1
        }
      ],
      "occurrences_count": 2
    },
    "enrichment": {
      "related_entities": null,
      "ips": [
        "11.197.130.221"
      ],
      "whois": {
        "registrant_name": null,
        "registrant_email": null,
        "registrant_organization": null,
        "registrant_country": "USA",
        "registrant_telephone": null,
        "technical_contact_email": null,
        "technical_contact_name": null,
        "technical_contact_organization": null,
        "registrar_name": "Registrar.com",
        "admin_contact_name": null,
        "admin_contact_organization": null,
        "admin_contact_email": null,
        "created_date": "2024-09-10T09:29:58",
        "updated_date": "2024-10-18T05:44:51",
        "expiration_date": "2025-09-10T23:59:59"
      }
    },
    "benign": false
  }
}

Human Readable Output

Domain Entity

| Name | Type | Description |
| --- | --- | --- |
| Type | String | The indicator type. |
| Value | String | The indicator value. |
| Malicious score | Number | Malicious score. |
| Occurrences count | Number | Occurrences count. |
| Benign | Boolean | Benign. |

Domain Enrichment

| Name | Type | Description |
| --- | --- | --- |
| IPs | String | List of IP addresses. |
| Whois registrant name | String | Whois registrant name. |
| Whois registrant email | String | Whois registrant email. |
| Whois registrant organization | String | Whois registrant organization. |
| Whois registrant country | String | Whois registrant country. |
| Whois registrant telephone | String | Whois registrant telephone. |
| Whois technical contact email | String | Whois technical contact email. |
| Whois technical contact name | String | Whois technical contact name. |
| Whois technical contact organization | String | Whois technical contact organization. |
| Whois registrar name | String | Whois registrar name. |
| Whois admin contact name | String | Whois admin contact name. |
| Whois admin contact organization | String | Whois admin contact organization. |
| Whois admin contact email | String | Whois admin contact email. |
| Created date | String | Created date. |
| Updated date | String | Updated date. |
| Expiration date | String | Expiration date. |

Domain Detected activities

| Name | Type | Description |
| --- | --- | --- |
| Type | String | Type of detected activity. |
| Observation date | String | Observation date of detected activity. |
| Description | String | Description of detected activity. |
| Confidence | Number | Confidence of detected activity. |
| Occurrences count | Number | Occurrences count of detected activity. |

cyberint-get-ipv4

Gets IPv4 from the feed.

Base Command

cyberint-get-ipv4

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| value | IPv4 | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cyberint.ipv4.entity.type | String | The indicator type. |
| Cyberint.ipv4.entity.value | String | The indicator value. |
| Cyberint.ipv4.risk.malicious_score | String | Malicious score. |
| Cyberint.ipv4.risk.occurrences_count | String | Occurrences count. |
| Cyberint.ipv4.enrichment.geo.country | String | Country. |
| Cyberint.ipv4.enrichment.geo.city | String | City. |
| Cyberint.ipv4.enrichment.asn.number | String | ASN number. |
| Cyberint.ipv4.enrichment.asn.organization | String | ASN organization. |
| Cyberint.ipv4.enrichment.suspicious_urls | String | Suspicious URLs. |
| Cyberint.ipv4.enrichment.suspicious_domains | String | Suspicious domains. |
| Cyberint.ipv4.benign | String | Benign. |

Command example

!cyberint-get-ipv4 value=1.1.1.1

Context Example

{
  "data": {
    "entity": {
      "type": "ipv4",
      "value": "11.197.130.221"
    },
    "risk": {
      "malicious_score": 100,
      "detected_activities": [
        {
          "type": "payload_delivery",
          "observation_date": "2025-02-13T08:38:50+00:00",
          "description": "Detected hosting malware.",
          "confidence": 20,
          "occurrences_count": 836
        },
        {
          "type": "phishing_website",
          "observation_date": "2025-03-05T10:17:32+00:00",
          "description": "Detected phishing website targeting Dummy, ING Direct, genericcloudflare.",
          "confidence": 20,
          "occurrences_count": 143
        },
        {
          "type": "cnc_server",
          "observation_date": "2025-02-14T22:21:12.084000+00:00",
          "description": "Detected in 21 source(s). Recognized as Quasar RAT. Detected activity linked to: Bumblebee (Malware), Cotton Sandstorm (Threat-Actor-Group), DadSec (Malware), GHOSTSPIDER (Malware), Quasar RAT (Malware), Salt Typhoon (Threat-Actor-Group), Sneaky 2FA (Malware), Vidar (Malware)",
          "confidence": 90,
          "occurrences_count": 21
        }
      ],
      "occurrences_count": 1000
    },
    "enrichment": {
      "related_entities": [
        {
          "entity_id": "c654837d-444e-4f5c-a444-09fd8250696c",
          "entity_type": "Malware",
          "entity_name": "GHOSTSPIDER"
        },
        {
          "entity_id": "70b54325-05ea-46c6-b4e9-b25bc3617104",
          "entity_type": "Threat-Actor-Group",
          "entity_name": "Salt Typhoon"
        },
        {
          "entity_id": "baffd4c4-4483-4b84-96eb-0d19af94d2e8",
          "entity_type": "Malware",
          "entity_name": "DadSec"
        },
        {
          "entity_id": "862341a5-1951-4e09-b3c1-baac41dc7bcb",
          "entity_type": "Malware",
          "entity_name": "Vidar"
        },
        {
          "entity_id": "7b0a986f-733e-4497-8867-6aed00b802b8",
          "entity_type": "Threat-Actor-Group",
          "entity_name": "Cotton Sandstorm"
        },
        {
          "entity_id": "58cbb47d-176d-4937-9ebc-5121ceb36cf9",
          "entity_type": "Malware",
          "entity_name": "Sneaky 2FA"
        },
        {
          "entity_id": "2728ad3e-d870-4654-afd3-9a839f97dd72",
          "entity_type": "Malware",
          "entity_name": "Bumblebee"
        },
        {
          "entity_id": "fc26b8a7-a7cc-47b8-be1e-92b7a969543b",
          "entity_type": "Malware",
          "entity_name": "Quasar RAT"
        }
      ],
      "geo": {
        "country": "United States",
        "city": null
      },
      "asn": {
        "number": 16509,
        "organization": "AMAZON-02"
      },
      "suspicious_urls": [],
      "suspicious_domains": []
    },
    "benign": false
  }
}

Human Readable Output

IPv4 Entity

| Name | Type | Description |
| --- | --- | --- |
| Type | String | The indicator type. |
| Value | String | The indicator value. |
| Malicious score | Number | Malicious score. |
| Occurrences count | Number | Occurrences count. |
| IPs | String | List of IP addresses. |
| Hostname | String | Hostname. |
| Domain | String | Domain. |
| Benign | Boolean | Benign. |

IPv4 Enrichment

| Name | Type | Description |
| --- | --- | --- |
| Suspicious Urls | String | List of Suspicious Urls. |
| Suspicious Domains | String | List of Suspicious domains. |

IPv4 Detected activities

| Name | Type | Description |
| --- | --- | --- |
| Type | String | Type of detected activity. |
| Observation date | String | Observation date of detected activity. |
| Description | String | Description of detected activity. |
| Confidence | Number | Confidence of detected activity. |
| Occurrences count | Number | Occurrences count of detected activity. |

cyberint-get-url

Gets URL from the feed.

Base Command

cyberint-get-url

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| value | URL | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cyberint.url.entity.type | String | The indicator type. |
| Cyberint.url.entity.value | String | The indicator value. |
| Cyberint.url.risk.malicious_score | String | Malicious score. |
| Cyberint.url.risk.occurrences_count | String | Occurrences count. |
| Cyberint.url.enrichment.ips | String | IPs. |
| Cyberint.url.enrichment.hostname | String | Hostname. |
| Cyberint.url.enrichment.domain | String | Domain. |
| Cyberint.url.benign | String | Benign. |

Command example

!cyberint-get-url value=http://dummy.com

Context Example

{
  "data": {
    "entity": {
      "type": "url",
      "value": "http://dummy.com"
    },
    "risk": {
      "malicious_score": 80,
      "detected_activities": [
        {
          "type": "infecting_url",
          "observation_date": "2025-03-05T11:18:01.941280+00:00",
          "description": "URL that may infect it’s visitors with malware.",
          "confidence": 100,
          "occurrences_count": 1
        }
      ],
      "occurrences_count": 1
    },
    "enrichment": {
      "related_entities": null,
      "ips": [],
      "hostname": null,
      "domain": null
    },
    "benign": false
  }
}

Human Readable Output

URL Entity

| Name | Type | Description |
| --- | --- | --- |
| Type | String | The indicator type. |
| Value | String | The indicator value. |
| Malicious score | Number | Malicious score. |
| Occurrences count | Number | Occurrences count. |
| IPs | String | List of IP addresses. |
| Hostname | String | Hostname. |
| Domain | String | Domain. |
| Benign | Boolean | Benign. |

URL Detected activities

| Name | Type | Description |
| --- | --- | --- |
| Type | String | Type of detected activity. |
| Observation date | String | Observation date of detected activity. |
| Description | String | Description of detected activity. |
| Confidence | Number | Confidence of detected activity. |
| Occurrences count | Number | Occurrences count of detected activity. |
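The four enrichment commands (cyberint-get-file-sha256, cyberint-get-domain, cyberint-get-ipv4, cyberint-get-url) return the same data shape: an entity, a risk block with malicious_score and a list of detected_activities, a type-specific enrichment block in which related_entities and several other keys may be null, and a benign flag. The following is an added example, not the Cyberint integration's own code, that reduces such a response to a compact summary an analyst or playbook can act on, tolerating the null values the context examples show. The verdict cut-offs on malicious_score are an assumption of the example (the page documents the score only as a number), and the sample responses are constructed.

```python
"""Added example, not the Cyberint integration's own code: reduce the
enrichment response returned by cyberint-get-file-sha256, -domain, -ipv4
and -url (the "data" shape in the context examples above) to a compact
summary. The verdict thresholds are an assumption of this example; the page
documents malicious_score only as a number. Sample responses are constructed."""

# Assumed cut-offs on the 0-100 malicious_score (not documented on the page).
MALICIOUS_AT = 70
SUSPICIOUS_AT = 30

# Constructed ipv4 response: two activities, one related entity, a null city.
SAMPLE_IPV4 = {"data": {
    "entity": {"type": "ipv4", "value": "198.51.100.7"},
    "risk": {
        "malicious_score": 100,
        "detected_activities": [
            {"type": "payload_delivery", "observation_date": "2025-02-13T08:38:50+00:00",
             "description": "Detected hosting malware.", "confidence": 20,
             "occurrences_count": 836},
            {"type": "cnc_server", "observation_date": "2025-02-14T22:21:12+00:00",
             "description": "Detected in 21 source(s).", "confidence": 90,
             "occurrences_count": 21},
        ],
        "occurrences_count": 857,
    },
    "enrichment": {
        "related_entities": [
            {"entity_id": "00000000-0000-4000-8000-000000000001",
             "entity_type": "Malware", "entity_name": "ExampleRAT"},
        ],
        "geo": {"country": "United States", "city": None},
        "asn": {"number": 64496, "organization": "EXAMPLE-AS"},
        "suspicious_urls": [],
        "suspicious_domains": [],
    },
    "benign": False,
}}

# Constructed url response with no activities and null enrichment fields.
SAMPLE_URL = {"data": {
    "entity": {"type": "url", "value": "http://phish.example/login"},
    "risk": {"malicious_score": 20, "detected_activities": [], "occurrences_count": 0},
    "enrichment": {"related_entities": None, "ips": [], "hostname": None, "domain": None},
    "benign": False,
}}


def verdict(data):
    """Map the benign flag and malicious_score to a verdict string."""
    if data.get("benign") is True:
        return "good"
    score = (data.get("risk") or {}).get("malicious_score") or 0
    if score >= MALICIOUS_AT:
        return "bad"
    if score >= SUSPICIOUS_AT:
        return "suspicious"
    return "unknown"


def top_activity(data):
    """Highest-confidence detected activity; the latest observation breaks ties."""
    activities = (data.get("risk") or {}).get("detected_activities") or []
    if not activities:
        return None
    return max(activities,
               key=lambda a: (a.get("confidence", 0), a.get("observation_date") or ""))


def related_entity_names(data):
    """Names of related malware / actor entities; related_entities may be null."""
    related = (data.get("enrichment") or {}).get("related_entities") or []
    return sorted(e["entity_name"] for e in related if e.get("entity_name"))


def summarize(response):
    """Flatten one enrichment response into a dict suitable for a war-room table."""
    data = response["data"]
    entity = data["entity"]
    risk = data.get("risk") or {}
    enrichment = data.get("enrichment") or {}
    summary = {
        "type": entity["type"],
        "value": entity["value"],
        "verdict": verdict(data),
        "malicious_score": risk.get("malicious_score"),
        "occurrences_count": risk.get("occurrences_count"),
        "top_activity": top_activity(data),
        "related_entities": related_entity_names(data),
    }
    # Type-specific enrichment keys, taken from the four context outputs above.
    if entity["type"] == "file/sha256":
        summary["filenames"] = enrichment.get("filenames") or []
    elif entity["type"] == "domain":
        summary["registrar_name"] = (enrichment.get("whois") or {}).get("registrar_name")
    elif entity["type"] == "ipv4":
        summary["asn_number"] = (enrichment.get("asn") or {}).get("number")
        summary["country"] = (enrichment.get("geo") or {}).get("country")
    elif entity["type"] == "url":
        summary["hostname"] = enrichment.get("hostname")
    return summary


if __name__ == "__main__":
    for sample in (SAMPLE_IPV4, SAMPLE_URL):
        print(summarize(sample))
```

Every access through `(... or {})` and `or []` exists because the context examples show related_entities, city, hostname and domain as null; a summary that indexes those directly would fail on exactly the responses that matter most, such as a URL with no enrichment yet.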