# Cyble Events

This Integration is part of the Cyble Events (Deprecated) Pack.

## Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Cyble Events is an integration that helps existing Cyble Vision users. It allows users to access the API available as part of Vision Licensing and integrate the data into XSOAR.
## Configure Cyble Events on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Cyble Events.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
Server URL (e.g. https://example.net) | | True |
Access Token | | True |
Trust any certificate (not secure) | | False |
Use system proxy settings | | False |
Fetch incidents | | False |
Incidents Fetch Interval | | False |
Incident Fetch Limit | Maximum incidents to be fetched every time. Upper limit is 50 incidents. | True |
Incident type | | False |
Priority | Fetch the events based on priority. All priorities will be considered by default. | False |

4. Click Test to validate the URLs, token, and connection.
## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

This integration provides the following commands, which can be used to access Threat Intelligence:
### cyble-vision-fetch-iocs

Fetch the indicators for the given timeline.

#### Base Command

cyble-vision-fetch-iocs

#### Input

Argument Name | Description | Required |
---|---|---|
from | Returns records starting with the given value. Default is 0. | Optional |
limit | Number of records to return (max 1000). Using a smaller limit will get faster responses. Default is 1. | Optional |
start_date | Timeline start date in the format "YYYY-MM-DD". Must be used together with end_date as a timeline range. | Optional |
end_date | Timeline end date in the format "YYYY-MM-DD". Must be used together with start_date as a timeline range. | Optional |
type | Returns records by type (CIDR, CVE, domain, email, FileHash-IMPHASH, FileHash-MD5, FileHash-PEHASH, FileHash-SHA1, FileHash-SHA256, FilePath, hostname, IPv4, IPv6, Mutex, NIDS, URI, URL, YARA, osquery, Ja3, Bitcoinaddress, Sslcertfingerprint). | Optional |
keyword | Returns records for the specified keyword. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
CybleEvents.IoCs.data | String | Returns the indicator's initial creation date |
### cyble-vision-fetch-alerts

Fetch incident event alerts based on the given parameters. An alert groups multiple events into one based on the specific service type, so in certain cases users will see more events than the limit specifies.

#### Base Command

cyble-vision-fetch-alerts

#### Input

Argument Name | Description | Required |
---|---|---|
from | Returns records for the timeline starting from the given index. Default is 0. | Required |
limit | Number of records to return (max 50). Using a smaller limit will get faster responses. Default is 5. | Required |
start_date | Timeline start date in the format "YYYY/MM/DD". | Required |
end_date | Timeline end date in the format "YYYY/MM/DD". | Required |
order_by | Sorting order for the alert fetch, either Ascending or Descending. Possible values are: Ascending, Descending. Default is Ascending. | Required |
priority | Fetch the events based on priority. Possible values are: high, medium, low, informational. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
CybleEvents.Events.eventid | String | Returns the event ID |
CybleEvents.Events.eventtype | String | Returns the event type |
CybleEvents.Events.severity | Number | Returns the event severity |
CybleEvents.Events.occurred | Date | Returns the time at which the event occurred |
CybleEvents.Events.name | String | Returns the alert title |
CybleEvents.Events.cybleeventsname | String | Returns the event name |
CybleEvents.Events.cybleeventsbucket | String | Returns the event bucket name |
CybleEvents.Events.cybleeventskeyword | String | Returns the event keyword |
CybleEvents.Events.cybleeventsalias | String | Returns the event type alias name |
### cyble-vision-fetch-event-detail

Fetch incident details based on event type and event ID.

#### Base Command

cyble-vision-fetch-event-detail

#### Input

Argument Name | Description | Required |
---|---|---|
event_type | Event type of the incident. | Required |
event_id | Event ID of the incident. | Required |
from | The position of the first record to retrieve. | Required |
limit | The number of events to return; the maximum allowed is 1000. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
CybleEvents.Events.Details | String | Returns details for the given event of the specified type |
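The two fetch commands above take different date formats (YYYY-MM-DD for cyble-vision-fetch-iocs, YYYY/MM/DD for cyble-vision-fetch-alerts), different record caps (1000 and 50) and fixed enumerations for type, order_by and priority. The following is an added example, not code from the Cyble Events pack, that builds the argument dictionaries for those two commands from the documented constraints so an XSOAR automation rejects a malformed call before it reaches the API; the function and parameter names are this example's own.

```python
from datetime import datetime

# Allowed values copied from the Input tables above.
IOC_TYPES = {
    "CIDR", "CVE", "domain", "email", "FileHash-IMPHASH", "FileHash-MD5", "FileHash-PEHASH",
    "FileHash-SHA1", "FileHash-SHA256", "FilePath", "hostname", "IPv4", "IPv6", "Mutex",
    "NIDS", "URI", "URL", "YARA", "osquery", "Ja3", "Bitcoinaddress", "Sslcertfingerprint",
}
PRIORITIES = {"high", "medium", "low", "informational"}

def _check_date(value, fmt, name):
    # The two commands use different date formats; catch a mix-up before the API call.
    try:
        datetime.strptime(value, fmt)
    except (TypeError, ValueError):
        raise ValueError(f"{name} must be a date in the format {fmt}, got {value!r}")

def _check_limit(limit, cap):
    if not isinstance(limit, int) or not 1 <= limit <= cap:
        raise ValueError(f"limit must be an integer from 1 to {cap}, got {limit!r}")

def fetch_iocs_args(start=None, end=None, ioc_type=None, from_=0, limit=1):
    """Arguments for cyble-vision-fetch-iocs: dates are YYYY-MM-DD, limit is at most 1000."""
    _check_limit(limit, 1000)
    if (start is None) != (end is None):
        raise ValueError("start_date and end_date form a range and must be given together")
    args = {"from": from_, "limit": limit}
    if start is not None:
        _check_date(start, "%Y-%m-%d", "start_date")
        _check_date(end, "%Y-%m-%d", "end_date")
        args.update(start_date=start, end_date=end)
    if ioc_type is not None:
        if ioc_type not in IOC_TYPES:
            raise ValueError(f"unsupported type {ioc_type!r}")
        args["type"] = ioc_type
    return args

def fetch_alerts_args(start, end, from_=0, limit=5, order_by="Ascending", priority=None):
    """Arguments for cyble-vision-fetch-alerts: dates are YYYY/MM/DD, limit is at most 50."""
    _check_limit(limit, 50)
    _check_date(start, "%Y/%m/%d", "start_date")
    _check_date(end, "%Y/%m/%d", "end_date")
    if order_by not in ("Ascending", "Descending"):
        raise ValueError(f"order_by must be Ascending or Descending, got {order_by!r}")
    args = {"from": from_, "limit": limit, "start_date": start, "end_date": end, "order_by": order_by}
    if priority is not None:
        if priority not in PRIORITIES:
            raise ValueError(f"priority must be one of {sorted(PRIORITIES)}, got {priority!r}")
        args["priority"] = priority
    return args
```

The returned dictionary is what an automation would pass as the second argument of demisto.executeCommand together with the command name; to page through a large window, re-run with from_ advanced by the previous limit.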