Cyble Events is an integration which will help Existing Cyble Vision users. This integration would allow users to access
the API available as part of Vision Licensing and integrate the data into XSOAR.
Configure Cyble Events on Cortex XSOAR
Navigate to Settings > Integrations > Servers & Services.
Search for Cyble Events.
Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| Server URL (e.g. https://example.net) | | True |
| Access Token | | True |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Fetch incidents | | False |
| Incidents Fetch Interval | | False |
| Incident Fetch Limit | Maximum incidents to be fetched every time. Upper limit is 50 incidents. | True |
| Incident type | | False |
| Priority | Fetch the events based on priority. All priorities will be considered by default. | False |
Click Test to validate the URLs, token, and connection.
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you
successfully execute a command, a DBot message appears in the War Room with the command details.
This integration provides the following command(s) which can be used to access Threat Intelligence
Fetch the indicators for the given timeline
|from||Returns records started with given value. Default is 0.||Optional|
|limit||Number of records to return (max 1000). Using a smaller limit will get faster responses. Default is 1.||Optional|
|start_date||Timeline start date in the format "YYYY-MM-DD". Need to used with end_date as timeline range.||Optional|
|end_date||Timeline end date in the format "YYYY-MM-DD". Need to used with start_date as timeline range.||Optional|
|type||Returns record by type like (CIDR, CVE, domain, email, FileHash-IMPHASH, FileHash-MD5, FileHash-PEHASH, FileHash-SHA1, FileHash-SHA256, FilePath, hostname, IPv4, IPv6, Mutex, NIDS, URI, URL, YARA, osquery, Ja3, Bitcoinaddress, Sslcertfingerprint).||Optional|
|keyword||Returns records for the specified keyword.||Optional|
|CybleEvents.IoCs.data||String||Returns indicator inital creation date|
Fetch Incident Event alerts based on the given parameters. Alerts would have multiple events grouped into one based on
specific service type. So users would see, in certain cases, more events than the limit provides.
|from||Returns records for the timeline starting from given indice. Default is 0.||Required|
|limit||Number of records to return (max 50). Using a smaller limit will get faster responses. Default is 5.||Required|
|start_date||Timeline start date in the format "YYYY/MM/DD".||Required|
|end_date||Timeline end date in the format "YYYY/MM/DD".||Required|
|order_by||Sorting order for alert fetch either Ascending or Descending. Possible values are: Ascending, Descending. Default is Ascending.||Required|
|priority||Fetch the events based on priority. Possible values are: high,medium,low,informational.||Optional|
|CybleEvents.Events.eventid||String||Returns the event ID|
|CybleEvents.Events.eventtype||String||Returns the event type|
|CybleEvents.Events.severity||Number||Returns the event severity|
|CybleEvents.Events.occurred||Date||Returns the event occurred timeline|
|CybleEvents.Events.name||String||Returns the alert title|
|CybleEvents.Events.cybleeventsname||String||Returns the event name|
|CybleEvents.Events.cybleeventsbucket||String||Returns the event bucket name|
|CybleEvents.Events.cybleeventskeyword||String||Returns the event keyword|
|CybleEvents.Events.cybleeventsalias||String||Returns the event type alias name|
Fetch Incident detail based on event type and event ID
|event_type||Event Type of the Incident.||Required|
|event_id||Event ID of the incident.||Required|
|from||The value in the field represents the position of records that are retrieved||Required|
|limit||The value in the field represents the number of events that can be returned, maximum allowed is 1000||Required|
|CybleEvents.Events.Details||String||Returns details for given event of specific type|