Cyble Threat Intel
This Integration is part of the Cyble Threat Intel Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.2.0 and later.
Cyble Threat Intel is an integration which will help users to fetch Cyble's TAXII Feed service into XSOAR Environment. User needs to contact their Cyble Account Manager for getting required pre-requisites to access the Cyble's TAXII Feed Service.
Configure Cyble Threat Intel on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Cyble Threat Intel.
Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Fetch indicators: boolean flag. If set to true will fetch indicators.
- Fetch Interval: Interval of the fetches.
- Reliability: Reliability of the feed.
- Traffic Light Protocol Color: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed
- Discovery Service: TAXII discovery service endpoint.
- Collection: Collection name to fetch indicators from.
- Username: Username/Password (if required)
- First Fetch Time: The time interval for the first fetch (retroactive). Maximum of 7 days for retroactive value is allowed.
- Indicator Fetch Limit: The value to limit the indicator to be fetched per iteration
Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
This integration provides following command(s) which can be used to access the Threat Intelligence
cyble-vision-fetch-taxii#
Fetch the indicators based on the taxii service
Base Command#
cyble-vision-fetch-taxii
Input#
| Argument Name | Description | Required |
|---|---|---|
| limit | Number of records to return, default value will be 50. Using a smaller limit will get faster responses. | Optional |
| begin | Returns records starting with given datetime (Format: %Y-%m-%d %H:%M:%S)) | Optional |
| end | Returns records starting with given datetime (Format: %Y-%m-%d %H:%M:%S)) | Optional |
| collection | Collection name to fetch indicators from | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CybleIntel.Threat.details | String | Returns the Threat Intel details from the Taxii service |
cyble-vision-get-collection-names#
Fetch the available collection name for the taxii service
Base Command#
cyble-vision-get-collection-names
Context Output#
| Path | Type | Description |
|---|---|---|
| CybleIntel.collection.names | String | Available collection names for the feed service |