Details
Content
Dependencies
Version History

Cyble Threat Intelligence for Vision Users. Must have access to Vision Taxii feed to access the threat intelligence.

Cyble Threat Intelligence – Cortex XSOAR Integration

This integration enables Cortex XSOAR to ingest and query Indicators of
Compromise (IOCs) from the Cyble Vision API.
It supports two capabilities:

IOC Lookup (Interactive command for analysts)
IOC Fetching (Fetch Indicators)

Overview

The Cyble Vision platform provides enriched, high-fidelity threat
intelligence including malware associations, threat actor links,
behaviour tags, risk scoring, and more.
This integration allows XSOAR to:

Pull fresh IOCs at scheduled intervals
Tag, score, and store indicators in the Cortex XSOAR indicator store
Support analyst lookups for a single IOC via the command line or
playbooks

Configuration

Required Parameters

Parameter	Description	Example
Base URL	Cyble Vision API endpoint	`https://api.cyble.ai/engine/api/v4`
API Key (Access Token)	Cyble Vision API Bearer token	(stored securely in XSOAR)
First fetch time (hours)	Number of hours to fetch backward on first run	`2`
	(1–3 hours allowed)
Indicator Fetch Limit	Maximum indicators per API page	`100`

Fetch Behavior

Fetch is performed in 1-hour chunks until the full range is covered.
Each page of IOCs is inserted immediately using
demisto.createIndicators.
Fetch uses a retry mechanism (up to 5 attempts per page).
last_run is updated after every chunk.
Supported fetch window: 1–3 hours (anything outside is
automatically corrected).

Commands

📌 1. cyble-vision-ioc-lookup

Lookup a single IOC using the Cyble Vision API.

Command

!cyble-vision-ioc-lookup ioc=<IOC_VALUE>

Arguments

Name	Required	Description
ioc	Yes	IOC string (IP / Domain / URL / Hash)

Outputs

Prefix: CybleIntel.IOCLookup

Field	Description
IOC	IOC value
IOC Type	Type (IP / Domain / URL / Hash)
First Seen	UTC timestamp
Last Seen	UTC timestamp
Risk Score	0–100
Sources	Reporting sources
Behaviour Tags	Tags assigned by Cyble
Confidence Rating	Low / Medium / High
Target Countries	Target geography
Target Regions	Regions affected
Target Industries	Target verticals
Related Malware	Linked malware families
Related Threat Actors	Associated threat actors

Example

!cyble-vision-ioc-lookup ioc=45.67.23.9

📌 2. fetch-indicators

Fetch IOCs from Cyble Vision and insert them into XSOAR's indicator store.

Execution

This command is not run manually.
It is used by the XSOAR engine when Fetches Indicators is enabled.

Behavior

Builds indicators with:
- cybleverdict
- cybleriskscore
- cyblefirstseen
- cyblelastseen
- cyblebehaviourtags
- cyblesources
- cybletargetcountries
- cybletargetregions
- cybletargetindustries
- cyblerelatedmalware
- cyblerelatedthreatactors
Automatically maps each IOC into XSOAR Indicator fields.
Updates last_run after each successful chunk.

Known Limitations

Fetching supports hours only (days are not supported).
Maximum initial backfill is 3 hours.

Support

For issues, contact support@cyble.com
or your assigned Cyble Technical Advisor.

Cyble Threat Intelligence – Cortex Integration

This integration enables Cortex to ingest and query Indicators of
Compromise (IOCs) from the Cyble Vision API.
It supports two capabilities:

IOC Lookup (Interactive command for analysts)
IOC Fetching (Fetch Indicators)

Overview

Pull fresh IOCs at scheduled intervals
Tag, score, and store indicators in the Cortex indicator store
Support analyst lookups for a single IOC via the command line or
playbooks

Configuration

Required Parameters

Parameter	Description	Example
Base URL	Cyble Vision API endpoint	`https://api.cyble.ai/engine/api/v4`
API Key (Access Token)	Cyble Vision API Bearer token	(stored securely in XSOAR)
First fetch time (hours)	Number of hours to fetch backward on first run	`2`
	(1–3 hours allowed)
Indicator Fetch Limit	Maximum indicators per API page	`100`

Fetch Behavior

Fetch is performed in 1-hour chunks until the full range is covered.
Each page of IOCs is inserted immediately using
demisto.createIndicators.
Fetch uses a retry mechanism (up to 5 attempts per page).
last_run is updated after every chunk.
Supported fetch window: 1–3 hours (anything outside is
automatically corrected).

Commands

📌 1. cyble-vision-ioc-lookup

Lookup a single IOC using the Cyble Vision API.

Command

!cyble-vision-ioc-lookup ioc=<IOC_VALUE>

Arguments

Name	Required	Description
ioc	Yes	IOC string (IP / Domain / URL / Hash)

Outputs

Prefix: CybleIntel.IOCLookup

Field	Description
IOC	IOC value
IOC Type	Type (IP / Domain / URL / Hash)
First Seen	UTC timestamp
Last Seen	UTC timestamp
Risk Score	0–100
Sources	Reporting sources
Behaviour Tags	Tags assigned by Cyble
Confidence Rating	Low / Medium / High
Target Countries	Target geography
Target Regions	Regions affected
Target Industries	Target verticals
Related Malware	Linked malware families
Related Threat Actors	Associated threat actors

Example

!cyble-vision-ioc-lookup ioc=45.67.23.9

📌 2. fetch-indicators

Fetch IOCs from Cyble Vision and insert them into XSOAR's indicator store.

Execution

This command is not run manually.
It is used by the XSOAR engine when Fetches Indicators is enabled.

Behavior

Builds indicators with:
- cybleverdict
- cybleriskscore
- cyblefirstseen
- cyblelastseen
- cyblebehaviourtags
- cyblesources
- cybletargetcountries
- cybletargetregions
- cybletargetindustries
- cyblerelatedmalware
- cyblerelatedthreatactors
Automatically maps each IOC into XSOAR Indicator fields.
Updates last_run after each successful chunk.

Known Limitations

Fetching supports hours only (days are not supported).
Maximum initial backfill is 3 hours.

Support

For issues, contact support@cyble.com
or your assigned Cyble Technical Advisor.

Indicator Fields

Name	Description
Cyble Sources
Cyble Verdict
Cyble Related Threat Actors
Cyble First Seen
Cyble Target Countries
Cyble Behaviour Tags
Cyble Risk Score
Cyble Last Seen
Cyble Target Industries
Cyble Target Regions
Cyble Related Malware

Integrations

Name	Description
Cyble Threat Intel (Partner Contribution)	Cyble Threat Intelligence integration for Vision Users. Provides IOC lookup and an IOC feed from the Cyble Vision API.

Indicator Fields

Name	Description
Cyble Verdict
Cyble Behaviour Tags
Cyble Target Countries
Cyble Sources
Cyble Related Malware
Cyble First Seen
Cyble Target Regions
Cyble Target Industries
Cyble Last Seen
Cyble Related Threat Actors
Cyble Risk Score

Integrations

Name	Description
Cyble Threat Intel (Partner Contribution)	Cyble Threat Intelligence integration for Vision Users. Provides IOC lookup and an IOC feed from the Cyble Vision API.

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR

All level dependencies (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

3.0.0 - 6565142 (January 5, 2026)

Indicator Fields

New: Cyble Behaviour Tags

Added a new indicator field Cyble Behaviour Tags that stores behavioural
classifications associated with an indicator, such as malicious activity
patterns observed by Cyble.

New: Cyble First Seen

Added a new indicator field Cyble First Seen that represents the earliest
timestamp at which the indicator was first observed by Cyble.

New: Cyble Last Seen

Added a new indicator field Cyble Last Seen that represents the most
recent timestamp at which the indicator was observed by Cyble.

Added a new indicator field Cyble Related Malware that lists malware
families associated with the indicator, when available.

Added a new indicator field Cyble Related Threat Actors that identifies
known threat actors linked to the indicator.

New: Cyble Sources

Added a new indicator field Cyble Sources that specifies the intelligence
sources reporting the indicator.

New: Cyble Target Countries

Added a new indicator field Cyble Target Countries that indicates the
countries targeted by campaigns associated with the indicator.

New: Cyble Target Industries

Added a new indicator field Cyble Target Industries that identifies the
industry sectors targeted by activity related to the indicator.

New: Cyble Target Regions

Added a new indicator field Cyble Target Regions that specifies geographic
regions affected by activity associated with the indicator.

New: Cyble Verdict

Added a new indicator field Cyble Verdict that represents Cyble’s
assessment of the indicator’s maliciousness.

New: Cyble Risk Score

Added the Cyble Risk Score indicator field to represent Cyble’s numeric
risk assessment score for an indicator.

Integrations

Cyble Threat Intel

Deprecated TAXII-based commands:
cyble-vision-fetch-taxii and
cyble-vision-get-collection-names.
Deprecated all TAXII ingestion logic. The integration now uses REST API
endpoints for fetching IOCs.
Updated command outputs and internal logic to match the new REST API model.
Added a new lookup command for querying indicators.
Improved IOC feed performance and reliability by switching to REST-based
ingestion.
Added new indicator fields for more detailed information.
Added support for the cyble-vision-ioc-lookup command to look up a single
IOC using the Cyble Vision API.
Deprecated the cyble-vision-get-collection-names command.
Deprecated the cyble-vision-fetch-taxii command.
Breaking Changes: Removed the Collection Name, Discovery Service, First fetch time and Indicator Fetch Limit parameters, as the indicators ingestion is no longer depends on them.
Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 42084
- 42524

Download

2.0.27 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.0.26 - R3474673 (May 20, 2025)

Integrations

Cyble Threat Intel

Metadata and documentation improvements.

Related pull requests:
- 39077

Download

2.0.25 - R2988287 (March 26, 2025)

Integrations

Cyble Threat Intel

Code functionality improvements.
Updated the Docker image to: demisto/taxii-server:1.0.0.1860835.

Related pull requests:
- 38048

Download

2.0.24 - 1834150 (December 18, 2024)

Integrations

Cyble Threat Intel

Fixed an issue where the fetch-indicators command failed sometimes due to connection timeout

Related pull requests:
- 37758
- 37595

Download

3.0.0 - 6565142 (January 5, 2026)

Indicator Fields

New: Cyble Behaviour Tags

Added a new indicator field Cyble Behaviour Tags that stores behavioural
classifications associated with an indicator, such as malicious activity
patterns observed by Cyble.

New: Cyble First Seen

Added a new indicator field Cyble First Seen that represents the earliest
timestamp at which the indicator was first observed by Cyble.

New: Cyble Last Seen

Added a new indicator field Cyble Last Seen that represents the most
recent timestamp at which the indicator was observed by Cyble.

Added a new indicator field Cyble Related Malware that lists malware
families associated with the indicator, when available.

Added a new indicator field Cyble Related Threat Actors that identifies
known threat actors linked to the indicator.

New: Cyble Sources

Added a new indicator field Cyble Sources that specifies the intelligence
sources reporting the indicator.

New: Cyble Target Countries

Added a new indicator field Cyble Target Countries that indicates the
countries targeted by campaigns associated with the indicator.

New: Cyble Target Industries

Added a new indicator field Cyble Target Industries that identifies the
industry sectors targeted by activity related to the indicator.

New: Cyble Target Regions

Added a new indicator field Cyble Target Regions that specifies geographic
regions affected by activity associated with the indicator.

New: Cyble Verdict

Added a new indicator field Cyble Verdict that represents Cyble’s
assessment of the indicator’s maliciousness.

New: Cyble Risk Score

Added the Cyble Risk Score indicator field to represent Cyble’s numeric
risk assessment score for an indicator.

Integrations

Cyble Threat Intel

Deprecated TAXII-based commands:
cyble-vision-fetch-taxii and
cyble-vision-get-collection-names.
Deprecated all TAXII ingestion logic. The integration now uses REST API
endpoints for fetching IOCs.
Updated command outputs and internal logic to match the new REST API model.
Added a new lookup command for querying indicators.
Improved IOC feed performance and reliability by switching to REST-based
ingestion.
Added new indicator fields for more detailed information.
Added support for the cyble-vision-ioc-lookup command to look up a single
IOC using the Cyble Vision API.
Deprecated the cyble-vision-get-collection-names command.
Deprecated the cyble-vision-fetch-taxii command.
Breaking Changes: Removed the Collection Name, Discovery Service, First fetch time and Indicator Fetch Limit parameters, as the indicators ingestion is no longer depends on them.
Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 42084
- 42524

Download

2.0.27 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.0.26 - R3474673 (May 20, 2025)

Integrations

Cyble Threat Intel

Metadata and documentation improvements.

Related pull requests:
- 39077

Download

2.0.25 - R2988287 (March 26, 2025)

Integrations

Cyble Threat Intel

Code functionality improvements.
Updated the Docker image to: demisto/taxii-server:1.0.0.1860835.

Related pull requests:
- 38048

Download

2.0.24 - 1834150 (December 18, 2024)

Integrations

Cyble Threat Intel

Fixed an issue where the fetch-indicators command failed sometimes due to connection timeout

Related pull requests:
- 37758
- 37595

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	April 15, 2022
Last Release	January 5, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.

Cyble Threat Intel

Cyble Threat Intelligence – Cortex XSOAR Integration

Overview

Configuration

Required Parameters

Fetch Behavior

Commands

📌 1. cyble-vision-ioc-lookup

Command

Arguments

Outputs

Example

📌 2. fetch-indicators

Execution

Behavior

Known Limitations

Support

Cyble Threat Intelligence – Cortex Integration

Overview

Configuration

Required Parameters

Fetch Behavior

Commands

📌 1. cyble-vision-ioc-lookup

Command

Arguments

Outputs

Example

📌 2. fetch-indicators

Execution

Behavior

Known Limitations

Support

Indicator Fields

New: Cyble Behaviour Tags

New: Cyble First Seen

New: Cyble Last Seen

New: Cyble Related Malware

New: Cyble Related Threat Actors

New: Cyble Sources

New: Cyble Target Countries

New: Cyble Target Industries

New: Cyble Target Regions

New: Cyble Verdict

New: Cyble Risk Score

Integrations

Cyble Threat Intel

Integrations

Cyble Threat Intel

Integrations

Cyble Threat Intel

Integrations

Cyble Threat Intel

Indicator Fields

New: Cyble Behaviour Tags

New: Cyble First Seen

New: Cyble Last Seen

New: Cyble Related Malware

New: Cyble Related Threat Actors

New: Cyble Sources

New: Cyble Target Countries

New: Cyble Target Industries

New: Cyble Target Regions

New: Cyble Verdict

New: Cyble Risk Score

Integrations

Cyble Threat Intel

Integrations

Cyble Threat Intel

Integrations

Cyble Threat Intel

Integrations

Cyble Threat Intel

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER