Skip to main content

Cyble Threat Intel

This Integration is part of the Cyble Threat Intel Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

Cyble Threat Intel is an integration which will help users to fetch Cyble's TAXII Feed service into XSOAR Environment. User needs to contact their Cyble Account Manager for getting required pre-requisites to access the Cyble's TAXII Feed Service.

Configure Cyble Threat Intel on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Cyble Threat Intel.

  3. Click Add instance to create and configure a new integration instance.

    • Name: a textual name for the integration instance.
    • Fetch indicators: boolean flag. If set to true will fetch indicators.
    • Fetch Interval: Interval of the fetches.
    • Reliability: Reliability of the feed.
    • Traffic Light Protocol Color: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed
    • Discovery Service: TAXII discovery service endpoint.
    • Collection: Collection name to fetch indicators from.
    • Username: Username/Password (if required)
    • First Fetch Time: The time interval for the first fetch (retroactive). Maximum of 7 days for retroactive value is allowed.
    • Indicator Fetch Limit: The value to limit the indicator to be fetched per iteration
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

This integration provides following command(s) which can be used to access the Threat Intelligence


Fetch the indicators based on the taxii service

Base Command#



Argument NameDescriptionRequired
limitNumber of records to return, default value will be 50. Using a smaller limit will get faster responses.Optional
beginReturns records starting with given datetime (Format: %Y-%m-%d %H:%M:%S))Optional
endReturns records starting with given datetime (Format: %Y-%m-%d %H:%M:%S))Optional
collectionCollection name to fetch indicators fromRequired

Context Output#

CybleIntel.Threat.detailsStringReturns the Threat Intel details from the Taxii service


Fetch the available collection name for the taxii service

Base Command#


Context Output#

CybleIntel.collection.namesStringAvailable collection names for the feed service