# Cyberint Feed
This Integration is part of the Cyberint Pack.

#### Supported versions
Supported Cortex XSOAR versions: 6.9.0 and later.

Use the Cyberint Feed integration to fetch indicators from the Cyberint feed into Cortex XSOAR.
## Configure Cyberint Feed on Cortex XSOAR
1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Cyberint Feed.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
Cyberint API URL | Example: https://yourcompany.cyberint.io | True |
API access token | | True |
Fetch indicators | Should be checked (true). | False |
Indicator Type | Which indicator types to fetch. | True |
Confidence | Confidence threshold (0-100) from which indicators are fetched. | False |
Severity | Severity threshold (0-100) from which indicators are fetched. | False |
Tags | Supports CSV values. | False |
Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |

4. Click Test to validate the URLs, token, and connection.
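The Confidence, Severity, Indicator Type and Tags parameters above decide which feed records become indicators in Cortex XSOAR. The following is an added example, not the Cyberint integration's own code, showing how such a fetch step applies those parameters to records shaped like the `Cyberint.indicator.*` context paths documented further down. The record layout, the parameter keys (`indicator_type`, `confidence`, `severity`, `tags`), the treatment of Tags as labels applied to every fetched indicator, and the mapping from feed `ioc_type` to XSOAR indicator type are assumptions for illustration; the sample records are constructed.

```python
"""Added example, not the Cyberint integration's own code.

Applies the instance parameters (Indicator Type, Confidence, Severity, Tags)
to feed records shaped like the Cyberint.indicator.* context output and
converts the survivors into Cortex XSOAR indicator objects. The record layout,
parameter keys and type mapping are assumptions for illustration.
"""
from typing import Any, Dict, List, Mapping, Optional

# Constructed sample records (made-up values); field names follow the
# Cyberint.indicator.* context paths documented on this page.
SAMPLE_FEED: List[Dict[str, Any]] = [
    {"ioc_value": "198.51.100.23", "ioc_type": "ipv4", "severity_score": 80,
     "confidence": 90, "detected_activity": "malware_cnc",
     "observation_date": "2024-01-05T10:00:00Z", "description": "Constructed C2 sighting"},
    {"ioc_value": "bad.example", "ioc_type": "domain", "severity_score": 40,
     "confidence": 95, "detected_activity": "phishing",
     "observation_date": "2024-01-05T11:00:00Z", "description": "Constructed phishing domain"},
    {"ioc_value": "http://bad.example/login", "ioc_type": "url", "severity_score": 90,
     "confidence": 30, "detected_activity": "phishing",
     "observation_date": "2024-01-05T11:05:00Z", "description": "Constructed low-confidence URL"},
    {"ioc_value": "f" * 64, "ioc_type": "file/sha256", "severity_score": 70,
     "confidence": 85, "detected_activity": "malware_payload",
     "observation_date": "2024-01-05T12:00:00Z", "description": "Constructed placeholder hash"},
    {"ioc_value": "203.0.113.9", "ioc_type": "ipv4", "severity_score": "n/a",
     "confidence": 99, "detected_activity": "scanning",
     "observation_date": "2024-01-05T12:30:00Z", "description": "Constructed malformed score"},
]

# Assumed mapping from the feed's ioc_type to a Cortex XSOAR indicator type.
INDICATOR_TYPE_MAP: Dict[str, str] = {
    "ipv4": "IP",
    "domain": "Domain",
    "url": "URL",
    "file/sha256": "File",
}


def parse_threshold(raw: Optional[str], default: int = 0) -> int:
    """Turn a Confidence/Severity parameter into an int, enforcing the 0-100 range."""
    if raw is None or str(raw).strip() == "":
        return default
    value = int(raw)
    if not 0 <= value <= 100:
        raise ValueError(f"threshold must be between 0 and 100, got {value}")
    return value


def parse_tags(raw: Optional[str]) -> List[str]:
    """Split the CSV Tags parameter, dropping blanks and surrounding spaces."""
    if not raw:
        return []
    return [tag.strip() for tag in raw.split(",") if tag.strip()]


def record_passes(record: Mapping[str, Any], allowed_types: set,
                  min_confidence: int, min_severity: int) -> bool:
    """Keep a record only if its type is selected and both scores meet the thresholds."""
    if record.get("ioc_type") not in allowed_types:
        return False
    try:
        confidence = int(record.get("confidence", 0))
        severity = int(record.get("severity_score", 0))
    except (TypeError, ValueError):
        # A non-numeric score cannot be compared; drop the record rather than trust it.
        return False
    return confidence >= min_confidence and severity >= min_severity


def to_xsoar_indicator(record: Mapping[str, Any], tags: List[str]) -> Dict[str, Any]:
    """Build the indicator dict a fetch-indicators command would return (assumed field names)."""
    return {
        "value": record["ioc_value"],
        "type": INDICATOR_TYPE_MAP.get(record["ioc_type"], record["ioc_type"]),
        "rawJSON": dict(record),
        "fields": {
            "description": record.get("description", ""),
            "firstseenbysource": record.get("observation_date"),
            "tags": tags,
        },
    }


def fetch_indicators(records: List[Mapping[str, Any]],
                     params: Mapping[str, Any]) -> List[Dict[str, Any]]:
    """Filter records with the instance parameters and convert them to indicators."""
    allowed_types = set(params.get("indicator_type") or INDICATOR_TYPE_MAP)
    min_confidence = parse_threshold(params.get("confidence"))
    min_severity = parse_threshold(params.get("severity"))
    tags = parse_tags(params.get("tags"))
    return [to_xsoar_indicator(r, tags)
            for r in records
            if record_passes(r, allowed_types, min_confidence, min_severity)]


if __name__ == "__main__":
    demo_params = {"indicator_type": ["ipv4", "domain", "url"],
                   "confidence": "50", "severity": "50", "tags": "cyberint, feed"}
    for indicator in fetch_indicators(SAMPLE_FEED, demo_params):
        print(indicator["type"], indicator["value"], indicator["fields"]["tags"])
```

With both thresholds set to 50 and the file type deselected, only the first sample record survives: the domain fails the severity threshold, the URL fails the confidence threshold, and the record with a non-numeric `severity_score` is dropped instead of being compared. An out-of-range threshold such as 150 is rejected at parse time so a misconfigured instance fails loudly rather than silently fetching everything.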
## Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### cyberint-get-indicators
Gets indicators from the feed.

#### Base Command
`cyberint-get-indicators`

#### Input
Argument Name | Description | Required |
---|---|---|
limit | The maximum number of results to return. Default is 10. | Optional |
#### Context Output
Path | Type | Description |
---|---|---|
Cyberint.indicator.ioc_value | String | The indicator value. |
Cyberint.indicator.ioc_type | String | The indicator type. |
Cyberint.indicator.description | String | The feed description. |
Cyberint.indicator.detected_activity | String | The feed detected activity. |
Cyberint.indicator.observation_date | String | The feed observation date. |
Cyberint.indicator.severity_score | String | The feed severity score. |
Cyberint.indicator.confidence | String | The feed confidence. |
#### Command example
```!cyberint-get-indicators limit=10 execution-timeout=700```

#### Context Example

#### Human Readable Output

##### Indicators from Cyberint Feed
Name | Type | Description |
---|---|---|
Detected activity | String | Type of detected activity. |
IoC type | String | The indicator type. |
IoC value | String | The indicator value. |
Observation date | String | Observation date of detected activity. |
Severity score | Number | Severity score of detected activity. |
Confidence | Number | Confidence of detected activity. |
Description | String | Description of detected activity. |
### cyberint-get-file-sha256
Gets a file SHA256 hash from the feed.

#### Base Command
`cyberint-get-file-sha256`

#### Input
Argument Name | Description | Required |
---|---|---|
value | File SHA256 hash | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Cyberint.file_sha256.entity.type | String | The indicator type. |
Cyberint.file_sha256.entity.value | String | The indicator value. |
Cyberint.file_sha256.enrichment.first_seen | String | First seen. |
Cyberint.file_sha256.enrichment.download_urls | String | Download URLs. |
Cyberint.file_sha256.enrichment.filenames | String | Filenames. |
Cyberint.file_sha256.benign | String | Benign. |
Cyberint.file_sha256.risk.malicious_score | String | Malicious score. |
Cyberint.file_sha256.risk.occurrences_count | String | Occurrences count. |
#### Command example
```!cyberint-get-file-sha256 value=6a7b02c43837dcb8e40d271edb88d13d2e723c721a74931857aaef4853317789```

#### Context Example

#### Human Readable Output

##### File SHA256 Entity
Name | Type | Description |
---|---|---|
Type | String | The indicator type. |
Value | String | The indicator value. |
Malicious score | Number | Malicious score. |
Benign | Boolean | Benign. |
##### File SHA256 Enrichment
Name | Type | Description |
---|---|---|
Filenames | String | List of filenames. |
First seen | String | First seen. |
Download URLs | String | List of download URLs. |
##### File SHA256 Detected activities
Name | Type | Description |
---|---|---|
Type | String | Type of detected activity. |
Observation date | String | Observation date of detected activity. |
Description | String | Description of detected activity. |
Confidence | Number | Confidence of detected activity. |
Occurrences count | Number | Occurrences count of detected activity. |
### cyberint-get-domain
Gets a domain from the feed.

#### Base Command
`cyberint-get-domain`

#### Input
Argument Name | Description | Required |
---|---|---|
value | Domain | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Cyberint.domain.entity.type | String | The indicator type. |
Cyberint.domain.entity.value | String | The indicator value. |
Cyberint.domain.risk.malicious_score | String | Malicious score. |
Cyberint.domain.risk.occurrences_count | String | Occurrences count. |
Cyberint.domain.enrichment.ips | String | IPs. |
Cyberint.domain.enrichment.whois.created_date | String | Created date. |
Cyberint.domain.enrichment.whois.updated_date | String | Updated date. |
Cyberint.domain.enrichment.whois.expiration_date | String | Expiration date. |
Cyberint.domain.enrichment.whois.registrant_name | String | Registrant name. |
Cyberint.domain.enrichment.whois.registrant_email | String | Registrant email. |
Cyberint.domain.enrichment.whois.registrant_organization | String | Registrant organization. |
Cyberint.domain.enrichment.whois.registrant_country | String | Registrant country. |
Cyberint.domain.enrichment.whois.registrant_telephone | String | Registrant telephone. |
Cyberint.domain.enrichment.whois.technical_contact_email | String | Technical contact email. |
Cyberint.domain.enrichment.whois.technical_contact_name | String | Technical contact name. |
Cyberint.domain.enrichment.whois.technical_contact_organization | String | Technical contact organization. |
Cyberint.domain.enrichment.whois.registrar_name | String | Registrar name. |
Cyberint.domain.enrichment.whois.admin_contact_name | String | Admin contact name. |
Cyberint.domain.enrichment.whois.admin_contact_organization | String | Admin contact organization. |
Cyberint.domain.enrichment.whois.admin_contact_email | String | Admin contact email. |
Cyberint.domain.benign | String | Benign. |
#### Command example
```!cyberint-get-domain value=dummy.com```

#### Context Example

#### Human Readable Output

##### Domain Entity
Name | Type | Description |
---|---|---|
Type | String | The indicator type. |
Value | String | The indicator value. |
Malicious score | Number | Malicious score. |
Occurrences count | Number | Occurrences count. |
Benign | Boolean | Benign. |
##### Domain Enrichment
Name | Type | Description |
---|---|---|
IPs | String | List of IP addresses. |
Whois registrant name | String | Whois registrant name. |
Whois registrant email | String | Whois registrant email. |
Whois registrant organization | String | Whois registrant organization. |
Whois registrant country | String | Whois registrant country. |
Whois registrant telephone | String | Whois registrant telephone. |
Whois technical contact email | String | Whois technical contact email. |
Whois technical contact name | String | Whois technical contact name. |
Whois technical contact organization | String | Whois technical contact organization. |
Whois registrar name | String | Whois registrar name. |
Whois admin contact name | String | Whois admin contact name. |
Whois admin contact organization | String | Whois admin contact organization. |
Whois admin contact email | String | Whois admin contact email. |
Created date | String | Created date. |
Updated date | String | Updated date. |
Expiration date | String | Expiration date. |
##### Domain Detected activities
Name | Type | Description |
---|---|---|
Type | String | Type of detected activity. |
Observation date | String | Observation date of detected activity. |
Description | String | Description of detected activity. |
Confidence | Number | Confidence of detected activity. |
Occurrences count | Number | Occurrences count of detected activity. |
### cyberint-get-ipv4
Gets an IPv4 address from the feed.

#### Base Command
`cyberint-get-ipv4`

#### Input
Argument Name | Description | Required |
---|---|---|
value | IPv4 | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Cyberint.ipv4.entity.type | String | The indicator type. |
Cyberint.ipv4.entity.value | String | The indicator value. |
Cyberint.ipv4.risk.malicious_score | String | Malicious score. |
Cyberint.ipv4.risk.occurrences_count | String | Occurrences count. |
Cyberint.ipv4.enrichment.geo.country | String | Country. |
Cyberint.ipv4.enrichment.geo.city | String | City. |
Cyberint.ipv4.enrichment.asn.number | String | ASN number. |
Cyberint.ipv4.enrichment.asn.organization | String | ASN organization. |
Cyberint.ipv4.enrichment.suspicious_urls | String | Suspicious URLs. |
Cyberint.ipv4.enrichment.suspicious_domains | String | Suspicious domains. |
Cyberint.ipv4.benign | String | Benign. |
#### Command example
```!cyberint-get-ipv4 value=1.1.1.1```

#### Context Example

#### Human Readable Output

##### IPv4 Entity
Name | Type | Description |
---|---|---|
Type | String | The indicator type. |
Value | String | The indicator value. |
Malicious score | Number | Malicious score. |
Occurrences count | Number | Occurrences count. |
IPs | String | List of IP addresses. |
Hostname | String | Hostname. |
Domain | String | Domain. |
Benign | Boolean | Benign. |
##### IPv4 Enrichment
Name | Type | Description |
---|---|---|
Suspicious URLs | String | List of suspicious URLs. |
Suspicious Domains | String | List of suspicious domains. |
##### IPv4 Detected activities
Name | Type | Description |
---|---|---|
Type | String | Type of detected activity. |
Observation date | String | Observation date of detected activity. |
Description | String | Description of detected activity. |
Confidence | Number | Confidence of detected activity. |
Occurrences count | Number | Occurrences count of detected activity. |
### cyberint-get-url
Gets a URL from the feed.

#### Base Command
`cyberint-get-url`

#### Input
Argument Name | Description | Required |
---|---|---|
value | URL | Required |
#### Context Output
Path | Type | Description |
---|---|---|
Cyberint.url.entity.type | String | The indicator type. |
Cyberint.url.entity.value | String | The indicator value. |
Cyberint.url.risk.malicious_score | String | Malicious score. |
Cyberint.url.risk.occurrences_count | String | Occurrences count. |
Cyberint.url.enrichment.ips | String | IPs. |
Cyberint.url.enrichment.hostname | String | Hostname. |
Cyberint.url.enrichment.domain | String | Domain. |
Cyberint.url.benign | String | Benign. |
#### Command example
```!cyberint-get-url value=http://dummy.com```

#### Context Example

#### Human Readable Output

##### URL Entity
Name | Type | Description |
---|---|---|
Type | String | The indicator type. |
Value | String | The indicator value. |
Malicious score | Number | Malicious score. |
Occurrences count | Number | Occurrences count. |
IPs | String | List of IP addresses. |
Hostname | String | Hostname. |
Domain | String | Domain. |
Benign | Boolean | Benign. |
##### URL Detected activities
Name | Type | Description |
---|---|---|
Type | String | Type of detected activity. |
Observation date | String | Observation date of detected activity. |
Description | String | Description of detected activity. |
Confidence | Number | Confidence of detected activity. |
Occurrences count | Number | Occurrences count of detected activity. |