Supported Cortex XSOAR versions: 5.5.0 and later.
The feed allows customers to pull indicators of compromise from cyber incidents (IP addresses, URLs, domains, CVE, and file hashes).
- Log in to the Cyjax threat intelligence portal.
- On the top navigation bar, hover over your user icon and open Developer settings.
- Open the Personal access token tab.
- Generate a new token.
- Record the API token: it is not shown again once the window is closed. Treat it as a credential and store it only in the XSOAR instance configuration, not in playbooks or notes.
- Navigate to Settings > Integrations > Servers & Services.
- Search for Cyjax Feed.
- Click Add instance to create and configure a new integration instance.
- Enter a name for the instance.
- Enter the API URL.
- Enter the Cyjax API token.
- Set a proxy if your installation requires one.
- Indicator Reputation: the reputation applied to indicators fetched from this feed (default: Suspicious).
- Source Reliability: A - Completely reliable.
- Traffic Light Protocol Color: the TLP designation applied to indicators fetched from the feed.
- Use Cyjax feed TLP (selected by default): apply the TLP that Cyjax set on each indicator. When selected, this overrides the TLP color set above.
- Feed tags (optional, comma-delimited, e.g. MyTag, YourTag).
- Indicator Expiration Method (default: never).
- Fetch interval (default: every 1 hour).
- First fetch time: how far back the first (retroactive) fetch reaches (default: 3 days).
- Test the connection.
- Click Done to save.
You can execute these commands from the Demisto CLI, as part of automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
cyjax-get-indicators: get indicators from the Cyjax API.

| Argument Name | Description | Required |
| --- | --- | --- |
| since | The start date and time in ISO 8601 format. | Optional |
| until | The end date and time in ISO 8601 format. | Optional |
| type | The indicator type. If not specified, all indicator types are returned. Allowed values: IPv4, IPv6, Domain, Hostname, Email, FileHash-SHA1, FileHash-SHA256, FileHash-MD5, FileHash-SSDEEP. | Optional |
| source_type | The indicator source type. Allowed values: incident-report, my-report. | Optional |
| source_id | The indicator source ID. | Optional |
| limit | The maximum number of indicators to return. Default: 50. | Optional |
!cyjax-get-indicators since=2020-10-23T00:00:00 type=IPv4
Get Cyjax sightings of an indicator.

| Argument Name | Description | Required |
| --- | --- | --- |
| value | The indicator value. | Required |
Unset the feed's last fetch date. Use this only when you need to re-fetch older indicators from Cyjax: the next feed run ignores the saved date and instead uses the first fetch time configured on the instance (default: the last 3 days), so expect a larger batch and possible re-ingestion of indicators already in XSOAR.
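The parameter semantics above (the cyjax-get-indicators argument constraints, the "Use Cyjax feed TLP" precedence in the instance settings, and the first-fetch / last-fetch-date reset behaviour) are illustrated below as an added example. This is not the Cyjax integration's own code: the function names, the in-memory `context` dict standing in for the integration's persisted state, and all sample timestamps are assumptions of this example.

```python
"""Added illustration of the Cyjax Feed parameter semantics described above.

Not Cyjax's or the integration's own code. The function names, the
`context` dict (stand-in for the integration's persisted state) and the
sample values are assumptions of this example.
"""
from datetime import datetime, timedelta, timezone

# Allowed values taken from the cyjax-get-indicators argument table.
ALLOWED_TYPES = {
    "IPv4", "IPv6", "Domain", "Hostname", "Email",
    "FileHash-SHA1", "FileHash-SHA256", "FileHash-MD5", "FileHash-SSDEEP",
}
ALLOWED_SOURCE_TYPES = {"incident-report", "my-report"}
DEFAULT_LIMIT = 50
DEFAULT_FIRST_FETCH_DAYS = 3


def parse_iso8601(value):
    """Parse an ISO 8601 timestamp; naive times are assumed to be UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def build_get_indicators_params(since=None, until=None, indicator_type=None,
                                source_type=None, source_id=None, limit=None):
    """Validate cyjax-get-indicators arguments before they reach the API.

    Returns a dict keyed by the command's argument names. Unknown indicator
    or source types, an inverted time range and a non-positive limit are
    rejected so a bad playbook input fails loudly instead of fetching nothing.
    """
    params = {}
    since_dt = parse_iso8601(since) if since else None
    until_dt = parse_iso8601(until) if until else None
    if since_dt and until_dt and since_dt > until_dt:
        raise ValueError("since must not be later than until")
    if since_dt:
        params["since"] = since_dt.isoformat()
    if until_dt:
        params["until"] = until_dt.isoformat()
    if indicator_type is not None:
        if indicator_type not in ALLOWED_TYPES:
            raise ValueError(f"unsupported indicator type: {indicator_type}")
        params["type"] = indicator_type
    if source_type is not None:
        if source_type not in ALLOWED_SOURCE_TYPES:
            raise ValueError(f"unsupported source_type: {source_type}")
        params["source_type"] = source_type
    if source_id is not None:
        params["source_id"] = str(source_id)
    limit_value = int(limit) if limit is not None else DEFAULT_LIMIT
    if limit_value <= 0:
        raise ValueError("limit must be a positive integer")
    params["limit"] = limit_value
    return params


def resolve_tlp(configured_tlp, indicator_tlp, use_feed_tlp=True):
    """TLP precedence from the instance settings: with "Use Cyjax feed TLP"
    selected, the TLP Cyjax set on the indicator overrides the configured
    colour. Falling back to the configured colour when the indicator carries
    no TLP is an assumption of this example, not documented behaviour."""
    if use_feed_tlp and indicator_tlp:
        return indicator_tlp
    return configured_tlp


def fetch_window_start(context, now_iso, first_fetch_days=DEFAULT_FIRST_FETCH_DAYS):
    """Start of the next feed fetch as an ISO 8601 string: the persisted last
    fetch date if present, otherwise the retroactive first-fetch window
    (default 3 days) counted back from now."""
    last = context.get("last_fetch_date")
    if last:
        return last
    return (parse_iso8601(now_iso) - timedelta(days=first_fetch_days)).isoformat()


def record_fetch(context, fetched_until_iso):
    """Persist where this fetch stopped so the next one is incremental."""
    context["last_fetch_date"] = parse_iso8601(fetched_until_iso).isoformat()


def unset_last_fetch_date(context):
    """Drop the saved date so the next fetch falls back to the first-fetch
    window and re-pulls older indicators."""
    context.pop("last_fetch_date", None)


if __name__ == "__main__":
    # Constructed walkthrough: first fetch, incremental fetch, then a reset.
    state = {}
    print(build_get_indicators_params(since="2020-10-23T00:00:00", indicator_type="IPv4"))
    print(fetch_window_start(state, "2020-10-26T00:00:00Z"))   # 3 days back
    record_fetch(state, "2020-10-26T00:00:00Z")
    print(fetch_window_start(state, "2020-10-27T00:00:00Z"))   # saved last fetch date
    unset_last_fetch_date(state)
    print(fetch_window_start(state, "2020-10-27T00:00:00Z"))   # 3 days back again
    print(resolve_tlp("AMBER", "GREEN"), resolve_tlp("AMBER", "GREEN", use_feed_tlp=False))
```

The walkthrough at the bottom mirrors what the unset command does in practice: once the saved date is gone, the next window is computed from the first fetch time again, which is why resetting can re-ingest indicators that are already in XSOAR.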