
Cyren Threat InDepth Threat Intelligence Feed

This Integration is part of the Cyren Threat InDepth Threat Intelligence Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Threat InDepth's correlated and contextualized intelligence helps enterprises improve their threat detection and response by providing unprecedented visibility into new email-borne security threats and actionable insights to make meaningful response decisions. By correlating insights gathered across email content, web traffic, and suspicious files, Cyren provides security teams with a multi-dimensional presentation of critical threat characteristics.

Benefits include
  • Access to Cyren's GlobalView™ Threat Intelligence Cloud that provides the earliest visibility into new and evolving attacks on a global basis
  • Comprehensive, multi-dimensional presentation of critical threat characteristics to help analysts understand the evolving threat landscape
  • Timely, correlated, and contextualized intelligence that helps reduce mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) for security analysts
  • Improved threat detection for existing security products such as SIEM and SOAR solutions

Feeds included in Cyren Threat InDepth content pack

The Cyren Threat InDepth content pack includes access to these streams of indicators:

  • IP Reputation Intelligence
  • Phishing & Fraud URL Intelligence
  • Malware URL Intelligence
  • Malware File Intelligence

Configure Cyren Threat InDepth Threat Intelligence Feed In Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| apikey | API JWT token that has been issued to you | True |
| feed_name | Name of the particular feed that matches your API JWT token | True |
| max_indicators | The maximum number of indicators to fetch | False |
| feed | Fetch indicators. | False |
| feedIncremental | Is incremental or not | False |
| feedReputation | The reputation to apply to the fetched indicators. | False |
| feedReliability | The reliability of this feed. | True |
| tlp_color | The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp | False |
| feedExpirationPolicy | | False |
| feedExpirationInterval | | False |
| feedFetchInterval | Feed Fetch Interval | False |
| feedBypassExclusionList | Bypass exclusion list | False |

The underlying Cyren Threat InDepth API provides an incremental feed, meaning it returns only new or modified indicators. It works with an offset value that keeps track of the indicators you have already processed. On your first setup, your current offset defaults to the globally known maximum offset; it is stored and updated for you in the integration instance context. The integration then uses the "Maximum number of indicators" parameter as the count in each request. It is recommended to set it to a value high enough that you receive all the feed indicators for maximum product value and can handle bursts (the value cannot be higher than 100.000; a higher value is capped at that limit).

In case you want to reset the offset value, use the cyren-threat-indepth-reset-client-offset command.

You can retrieve the current offset value using the cyren-threat-indepth-get-client-offset command.
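The offset bookkeeping described above, as an added illustration that is not the integration's own code: the stored offset defaults to the API's maximum on first setup, each request is capped at 100000 entries, and the reset and get commands read or rewrite the stored value. The feed API (FakeFeedApi), the rule that a fetch returns entries with an offset greater than the stored one, and the payload field mapping are assumptions made for this example.

```python
import json

MAX_COUNT = 100000  # cap the text states for the per-request indicator count


def capped_count(max_indicators):
    """Request count actually sent: the configured value, capped at MAX_COUNT."""
    return min(max_indicators, MAX_COUNT)


class FakeFeedApi:
    """Constructed stand-in for the feed API; entries are ordered by offset."""

    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e["offset"])

    def max_offset(self):
        return self.entries[-1]["offset"] if self.entries else 0

    def fetch(self, offset, count):
        # Assumption: entries strictly after the stored offset, oldest first.
        return [e for e in self.entries if e["offset"] > offset][:count]


def to_indicator(payload):
    """Map a feed payload (as in the sample rawJSON) to a flat indicator dict."""
    return {
        "value": payload.get("url") or payload.get("ip"),
        "type": payload["type"].upper(),
        "categories": payload.get("detection", {}).get("category", []),
        "related_ips": [r["ip"] for r in payload.get("relationships", []) if "ip" in r],
    }


class OffsetClient:
    """Keeps the offset in a context dict, like the integration instance context."""

    def __init__(self, api, feed_name, context):
        self.api, self.feed_name, self.context = api, feed_name, context
        # First setup: default to the globally known maximum offset.
        self.context.setdefault("offset", api.max_offset())

    def get_offset(self):
        return self.context["offset"]

    def reset_offset(self, offset=None):
        previous, api_max = self.context["offset"], self.api.max_offset()
        self.context["offset"] = api_max if offset is None else offset
        return (f"Reset {self.feed_name} feed client offset to {self.context['offset']} "
                f"(API provided max offset of {api_max}, was {previous}).")

    def fetch_indicators(self, max_indicators):
        entries = self.api.fetch(self.context["offset"], capped_count(max_indicators))
        if entries:  # advance past the last processed entry so it is not refetched
            self.context["offset"] = entries[-1]["offset"]
        return [to_indicator(json.loads(json.dumps(e["payload"]))) for e in entries]
```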

Commands

You can execute these commands from the XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Fetch indicators

Fetching Cyren Threat InDepth indicators

Required Permissions
  • A valid API JWT token and a matching feed name

Base Command

cyren-threat-indepth-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| max_indicators | The maximum number of results to return. | True |

Context Output

There is no context output for this command.

Command Example

!cyren-threat-indepth-get-indicators max_indicators=2

Human Readable Output

Indicators from Cyren Threat InDepth:

| value | type | rawJSON | score |
| --- | --- | --- | --- |
| http://nu4vs0m.u5jkzm4r.i2wd30t.bpbp9c7d.b7ni2cio.auz8x15h.freshoff.eu | URL | payload: {"action": "+", "type": "url", "identifier": "f59ef036-a790-5193-b942-24a8618c936a", "first_seen": "2020-10-25T13:41:36.000Z", "last_seen": "2021-01-05T13:54:41.000Z", "detection": {"category": ["phishing"], "detection_ts": "2020-10-25T13:41:36.000Z"}, "meta": {"port": 80, "protocol": "http"}, "relationships": [{"relationship_type": "resolves to", "relationship_ts": "2020-10-25T13:41:36.000Z", "ip": "217.70.142.108", "related_entity_category": "phishing", "relationship_description": "resolves to phishing ip"}], "detection_methods": ["URL Categorization"], "url": "http://nu4vs0m.u5jkzm4r.i2wd30t.bpbp9c7d.b7ni2cio.auz8x15h.freshoff.eu"} offset: 57006380 timestamp: 2021-01-05T14:00:48.919Z | 3 |

Reset Client Offset

This command allows you to update the stored client offset for the feed API.

Required Permissions
  • A valid API JWT token and a matching feed name

Base Command

cyren-threat-indepth-reset-client-offset

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Optional. The offset you want to use as your baseline for future fetches (if not provided, the global max offset from the API is used) | False |

Context Output

There is no context output for this command.

Command Example

!cyren-threat-indepth-reset-client-offset

!cyren-threat-indepth-reset-client-offset offset=34234234

Human Readable Output

Reset Cyren Threat InDepth ip_reputation feed client offset to 1000 (API provided max offset of 1000, was 500).

Get Client Offset

This command allows you to retrieve the stored client offset for the feed API.

Required Permissions
  • A valid API JWT token and a matching feed name

Base Command

cyren-threat-indepth-get-client-offset

Input

There is no input for this command.

Context Output

There is no context output for this command.

Command Example

!cyren-threat-indepth-get-client-offset

Human Readable Output

Cyren Threat InDepth ip_reputation feed client offset is 500 (API provided max offset of 1000).

Additional Information

Contact us: support@cyren.com