# Cyberint

Cyberint is a threat intelligence platform that provides comprehensive insights into cyber threats and vulnerabilities, together with protection against them. The Cyberint connector for Swimlane Turbine integrates the two, allowing users to automate the retrieval and analysis of threat intelligence data. With this integration, users can download daily IOC feeds, retrieve detailed alert reports, and update alert statuses, enhancing their security operations. This empowers security teams to proactively manage threats, streamline incident response, and improve overall security posture.

## Prerequisites

Before you can use the Cyberint connector for Turbine, you'll need access to the Cyberint API. This requires the following:

- An API key
- Authentication using the following parameters:
  - **URL**: the endpoint URL for accessing Cyberint's API
  - **API Key**: a unique key provided by Cyberint to authenticate API requests

## Capabilities

This plugin provides the following capabilities:

- Download Daily IOC Feed By Type And Activity
- Get Alert Analysis Report
- Get Alert Attachment
- Get Alerts
- Get Domain IOC
- Get Enriched CVE
- Get File SHA256 IOC
- Get IPv4 IOC
- Get URL IOC
- Update Alert Status

## Limitations

- Get Alerts returns at most 100 alerts per call; use the `page` and `size` inputs to page through larger result sets.
- Update Alert Status accepts at most 100 alert reference IDs per call.
- When an alert status is set to `closed`, a closure reason is required.

## Asset Setup

The asset uses the Cyberint API Key Authentication configuration described below: the base URL of the Cyberint API and the API key (access token) are required; SSL verification and an HTTP proxy are optional.

## Additional Documentation

- https://docs.swimlane.com/connectors/cyberint
- https://api.cyberint.com/

## Configurations

### Cyberint API Key Authentication

Authenticates Cyberint using an API key.

**Configuration Parameters**

| Parameter    | Description                        | Type    | Required |
|--------------|------------------------------------|---------|----------|
| url          | A URL to the target host           | string  | required |
| access_token | API key                            | string  | required |
| verify_ssl   | Verify SSL certificate             | boolean | optional |
| http_proxy   | A proxy to route requests through  | string  | optional |

## Actions

### Download Daily IOC Feed By Type And Activity

Download a daily JSON Lines document from Cyberint by specifying the desired date, IOC type, and detected activity.

**Endpoint URL:** `/ioc/api/v1/feed/daily`
**Method:** `GET`

**Input**

| Argument                     | Type   | Required | Description                                                               |
|------------------------------|--------|----------|---------------------------------------------------------------------------|
| parameters.detected_activity | string | required | Parameters for the Download Daily IOC Feed By Type And Activity action    |
| parameters.ioc_type          | string | required | Parameters for the Download Daily IOC Feed By Type And Activity action    |
| parameters.date              | string | required | Parameters for the Download Daily IOC Feed By Type And Activity action    |
| parameters.format            | string | optional | Parameters for the Download Daily IOC Feed By Type And Activity action    |

**Input Example**

```json
{"parameters": {"detected_activity": "malware_payload", "ioc_type": "ipv4", "date": "2024-02-28", "format": "json1"}}
```

**Output**

| Parameter      | Type   | Description                      |
|----------------|--------|----------------------------------|
| status_code    | number | HTTP status code of the response |
| reason         | string | Response reason phrase           |
| file           | array  | Output field file                |
| file.file_name | string | Name of the resource             |
| file.file      | string | Output field file.file           |

**Output Example**

```json
{"status_code": 200, "reason": "OK", "response_headers": {}, "json_body": {}}
```

### Get Alert Analysis Report

Retrieve an analysis report for a specific alert in Cyberint using the alert reference ID.

**Endpoint URL:** `/alert/api/v1/alerts/{{alert_ref_id}}/analysis_report`
**Method:** `GET`

**Input**

| Argument                      | Type   | Required | Description  |
|-------------------------------|--------|----------|--------------|
| path_parameters.alert_ref_id  | string | required | Alert ref ID |

**Input Example**

```json
{"path_parameters": {"alert_ref_id": "string"}}
```

**Output**

| Parameter      | Type   | Description                      |
|----------------|--------|----------------------------------|
| status_code    | number | HTTP status code of the response |
| status         | string | Status value                     |
| file           | array  | Output field file                |
| file.file_name | string | Name of the resource             |
| file.file      | string | Output field file.file           |

**Output Example**

```json
{"status_code": 302, "status": "OK", "response_headers": {}, "json_body": {}}
```

### Get Alert Attachment

Retrieve an attachment from Cyberint using the alert reference ID and attachment internal ID.

**Endpoint URL:** `/alert/api/v1/alerts/{{alert_ref_id}}/attachments/{{attachment_id}}`
**Method:** `GET`

**Input**

| Argument                       | Type   | Required | Description   |
|--------------------------------|--------|----------|---------------|
| path_parameters.alert_ref_id   | string | required | Alert ref ID  |
| path_parameters.attachment_id  | string | required | Attachment ID |

**Input Example**

```json
{"path_parameters": {"alert_ref_id": "string", "attachment_id": "string"}}
```

**Output**

| Parameter      | Type   | Description                      |
|----------------|--------|----------------------------------|
| status_code    | number | HTTP status code of the response |
| status         | string | Status value                     |
| file           | array  | Output field file                |
| file.file_name | string | Name of the resource             |
| file.file      | string | Output field file.file           |

**Output Example**

```json
{"status_code": 302, "status": "OK", "response_headers": {}, "file": []}
```

### Get Alerts

Retrieve up to 100 alerts from Cyberint, sorted by modification date. Use filters such as modification date and created date for specific results; if no filters are applied, the alerts modified in the past 24 hours are returned.

**Endpoint URL:** `/alert/api/v1/alerts`
**Method:** `POST`

**Input**

| Argument                      | Type   | Required | Description                                                                                                   |
|-------------------------------|--------|----------|---------------------------------------------------------------------------------------------------------------|
| page                          | number | optional | Page number to retrieve                                                                                       |
| size                          | number | optional | Number of alerts per page                                                                                     |
| filters                       | object | optional | Filters to retrieve alerts by                                                                                 |
| filters.created_date          | object | optional | Query alerts by creation date, if specified                                                                   |
| filters.created_date.from     | string | required | Parameter for Get Alerts                                                                                      |
| filters.created_date.to       | string | required | Parameter for Get Alerts                                                                                      |
| filters.modification_date     | object | optional | Query alerts by modification date, if specified                                                               |
| filters.modification_date.from| string | required | Parameter for Get Alerts                                                                                      |
| filters.modification_date.to  | string | required | Parameter for Get Alerts                                                                                      |
| filters.environments          | array  | optional | Filter alerts by environments; if not specified, retrieves all alerts in the customer environment and all sub-environments |
| filters.status                | array  | optional | Filter alerts by status                                                                                       |
| filters.severity              | array  | optional | Filter alerts by severity                                                                                     |
| filters.type                  | array  | optional | Filter alerts by type                                                                                         |

**Input Example**

```json
{"json_body": {"page": 1, "size": 10, "filters": {"created_date": {"from": "2019-08-24T14:15:22Z", "to": "2019-08-24T14:15:22Z"}, "modification_date": {"from": "2019-08-24T14:15:22Z", "to": "2019-08-24T14:15:22Z"}, "environments": ["string"], "status": ["open"], "severity": ["low"], "type": ["refund_fraud"]}}}
```

**Output**

| Parameter                              | Type   | Description                                    |
|----------------------------------------|--------|------------------------------------------------|
| status_code                            | number | HTTP status code of the response               |
| status                                 | string | Status value                                   |
| total                                  | number | Output field total                             |
| alerts                                 | array  | Output field alerts                            |
| alerts.environment                     | string | Output field alerts.environment                |
| alerts.ref_id                          | string | Unique identifier                              |
| alerts.confidence                      | number | Unique identifier                              |
| alerts.status                          | string | Status value                                   |
| alerts.severity                        | string | Output field alerts.severity                   |
| alerts.created_date                    | string | Date value                                     |
| alerts.created_by                      | object | Output field alerts.created_by                 |
| alerts.created_by.email                | string | Output field alerts.created_by.email           |
| alerts.category                        | string | Output field alerts.category                   |
| alerts.type                            | string | Type of the resource                           |
| alerts.source_category                 | string | Output field alerts.source_category            |
| alerts.source                          | string | Output field alerts.source                     |
| alerts.targeted_vectors                | array  | Output field alerts.targeted_vectors           |
| alerts.targeted_vectors.file_name      | string | Name of the resource                           |
| alerts.targeted_vectors.file           | string | Output field alerts.targeted_vectors.file      |
| alerts.targeted_brands                 | array  | Output field alerts.targeted_brands            |
| alerts.targeted_brands.file_name       | string | Name of the resource                           |
| alerts.targeted_brands.file            | string | Output field alerts.targeted_brands.file       |
| alerts.related_entities                | array  | Output field alerts.related_entities           |
| alerts.related_entities.file_name      | string | Name of the resource                           |
| alerts.related_entities.file           | string | Output field alerts.related_entities.file      |

**Output Example**

```json
{"status_code": 200, "status": "OK", "response_headers": {}, "json_body": {"total": 0, "alerts": [{}]}}
```

### Get Domain IOC

Retrieve domain indicators of compromise (IOC) from Cyberint using the specified parameters and value.

**Endpoint URL:** `/ioc/api/v1/domain`
**Method:** `GET`

**Input**

| Argument          | Type   | Required | Description                              |
|-------------------|--------|----------|------------------------------------------|
| parameters.value  | string | required | Parameters for the Get Domain IOC action |

**Input Example**

```json
{"parameters": {"value": "string"}}
```

**Output**

| Parameter                                            | Type   | Description                      |
|------------------------------------------------------|--------|----------------------------------|
| status_code                                          | number | HTTP status code of the response |
| reason                                               | string | Response reason phrase           |
| data                                                 | object | Response data                    |
| data.entity                                          | object | Response data                    |
| data.entity.type                                     | string | Response data                    |
| data.entity.value                                    | string | Response data                    |
| data.risk                                            | object | Response data                    |
| data.risk.malicious_score                            | number | Response data                    |
| data.risk.detected_activities                        | array  | Response data                    |
| data.risk.detected_activities.type                   | string | Response data                    |
| data.risk.detected_activities.observation_date       | string | Response data                    |
| data.risk.detected_activities.description            | string | Response data                    |
| data.risk.detected_activities.confidence             | number | Response data                    |
| data.risk.detected_activities.occurrences_count      | number | Response data                    |
| data.risk.occurrences_count                          | number | Response data                    |
| data.enrichment                                      | object | Response data                    |
| data.enrichment.ips                                  | array  | Response data                    |
| data.enrichment.whois                                | object | Response data                    |
| data.enrichment.whois.registrant_name                | string | Response data                    |
| data.enrichment.whois.registrant_email               | string | Response data                    |
| data.enrichment.whois.registrant_organization        | string | Response data                    |
| data.enrichment.whois.registrant_country             | string | Response data                    |
| data.enrichment.whois.registrant_telephone           | string | Response data                    |
| data.enrichment.whois.technical_contact_email        | string | Response data                    |
| data.enrichment.whois.technical_contact_name         | string | Response data                    |

**Output Example**

```json
{"status_code": 200, "reason": "OK", "response_headers": {}, "json_body": {"data": {"entity": {}, "risk": {}, "enrichment": {}}}}
```

### Get Enriched CVE

Retrieve enriched Common Vulnerabilities and Exposures (CVE) details from Cyberint using the specified CVE ID.

**Endpoint URL:** `/cve-intel/get-enriched-cve/{{cve_id}}`
**Method:** `GET`

**Input**

| Argument                 | Type   | Required | Description |
|--------------------------|--------|----------|-------------|
| path_parameters.cve_id   | string | required | CVE ID      |

**Input Example**

```json
{"path_parameters": {"cve_id": "string"}}
```

**Output**

| Parameter                          | Type    | Description                      |
|------------------------------------|---------|----------------------------------|
| status_code                        | number  | HTTP status code of the response |
| status                             | string  | Status value                     |
| data                               | object  | Response data                    |
| data.id                            | string  | Response data                    |
| data.cve                           | object  | Response data                    |
| data.configurations                | object  | Response data                    |
| data.impact                        | object  | Response data                    |
| data.published_date                | string  | Response data                    |
| data.last_modified_date            | string  | Response data                    |
| data.cyberint_score                | number  | Response data                    |
| data.research_content              | object  | Response data                    |
| data.known_exploited_vulnerability | boolean | Response data                    |
| data.epss                          | object  | Response data                    |
| data.cwes                          | array   | Response data                    |
| data.indicators                    | array   | Response data                    |
| data.tags                          | array   | Response data                    |
| data.indicators_histogram          | object  | Response data                    |

**Output Example**

```json
{"status_code": 200, "status": "OK", "response_headers": {}, "json_body": {"data": {"id": "string", "cve": {}, "configurations": {}, "impact": {}, "published_date": "2019-08-24T14:15:22Z", "last_modified_date": "2019-08-24T14:15:22Z", "cyberint_score": 10, "research_content": {}, "known_exploited_vulnerability": true, "epss": {}, "cwes": [], "indicators": [], "tags": [], "indicators_histogram": {}}}}
```

### Get File SHA256 IOC

Retrieve the SHA256 indicator of compromise (IOC) for a specified file in Cyberint using the provided parameters.

**Endpoint URL:** `/ioc/api/v1/file/sha256`
**Method:** `GET`

**Input**

| Argument          | Type   | Required | Description                                   |
|-------------------|--------|----------|-----------------------------------------------|
| parameters.value  | string | required | Parameters for the Get File SHA256 IOC action |

**Input Example**

```json
{"parameters": {"value": "string"}}
```

**Output**

| Parameter                                            | Type   | Description                      |
|------------------------------------------------------|--------|----------------------------------|
| status_code                                          | number | HTTP status code of the response |
| reason                                               | string | Response reason phrase           |
| data                                                 | object | Response data                    |
| data.entity                                          | object | Response data                    |
| data.entity.type                                     | string | Response data                    |
| data.entity.value                                    | string | Response data                    |
| data.risk                                            | object | Response data                    |
| data.risk.malicious_score                            | number | Response data                    |
| data.risk.detected_activities                        | array  | Response data                    |
| data.risk.detected_activities.type                   | string | Response data                    |
| data.risk.detected_activities.observation_date       | string | Response data                    |
| data.risk.detected_activities.description            | string | Response data                    |
| data.risk.detected_activities.confidence             | number | Response data                    |
| data.risk.detected_activities.occurrences_count      | number | Response data                    |
| data.risk.occurrences_count                          | number | Response data                    |
| data.enrichment                                      | object | Response data                    |
| data.enrichment.filenames                            | array  | Response data                    |
| data.enrichment.first_seen                           | string | Response data                    |
| data.enrichment.download_urls                        | array  | Response data                    |

**Output Example**

```json
{"status_code": 200, "reason": "OK", "response_headers": {}, "json_body": {"data": {"entity": {}, "risk": {}, "enrichment": {}}}}
```

### Get IPv4 IOC

Retrieve information on an IPv4 indicator of compromise (IOC) from Cyberint using the specified value parameter.

**Endpoint URL:** `/ioc/api/v1/ipv4`
**Method:** `GET`

**Input**

| Argument          | Type   | Required | Description                            |
|-------------------|--------|----------|----------------------------------------|
| parameters.value  | string | required | Parameters for the Get IPv4 IOC action |

**Input Example**

```json
{"parameters": {"value": "string"}}
```

**Output**

| Parameter                                            | Type   | Description                      |
|------------------------------------------------------|--------|----------------------------------|
| status_code                                          | number | HTTP status code of the response |
| reason                                               | string | Response reason phrase           |
| data                                                 | object | Response data                    |
| data.entity                                          | object | Response data                    |
| data.entity.type                                     | string | Response data                    |
| data.entity.value                                    | string | Response data                    |
| data.risk                                            | object | Response data                    |
| data.risk.malicious_score                            | number | Response data                    |
| data.risk.detected_activities                        | array  | Response data                    |
| data.risk.detected_activities.type                   | string | Response data                    |
| data.risk.detected_activities.observation_date       | string | Response data                    |
| data.risk.detected_activities.description            | string | Response data                    |
| data.risk.detected_activities.confidence             | number | Response data                    |
| data.risk.detected_activities.occurrences_count      | number | Response data                    |
| data.risk.occurrences_count                          | number | Response data                    |
| data.enrichment                                      | object | Response data                    |
| data.enrichment.geo                                  | object | Response data                    |
| data.enrichment.geo.country                          | string | Response data                    |
| data.enrichment.geo.city                             | string | Response data                    |
| data.enrichment.asn                                  | object | Response data                    |
| data.enrichment.asn.number                           | number | Response data                    |
| data.enrichment.asn.organization                     | string | Response data                    |
| data.enrichment.suspicious_urls                      | array  | Response data                    |
| data.enrichment.suspicious_domains                   | array  | Response data                    |

**Output Example**

```json
{"status_code": 200, "reason": "OK", "response_headers": {}, "json_body": {"data": {"entity": {}, "risk": {}, "enrichment": {}}}}
```

### Get URL IOC

Retrieve URL indicators of compromise (IOC) from Cyberint using the specified parameters, including the value parameter.

**Endpoint URL:** `/ioc/api/v1/url`
**Method:** `GET`

**Input**

| Argument          | Type   | Required | Description                           |
|-------------------|--------|----------|---------------------------------------|
| parameters.value  | string | required | Parameters for the Get URL IOC action |

**Input Example**

```json
{"parameters": {"value": "string"}}
```

**Output**

| Parameter                                            | Type   | Description                      |
|------------------------------------------------------|--------|----------------------------------|
| status_code                                          | number | HTTP status code of the response |
| reason                                               | string | Response reason phrase           |
| data                                                 | object | Response data                    |
| data.entity                                          | object | Response data                    |
| data.entity.type                                     | string | Response data                    |
| data.entity.value                                    | string | Response data                    |
| data.risk                                            | object | Response data                    |
| data.risk.malicious_score                            | number | Response data                    |
| data.risk.detected_activities                        | array  | Response data                    |
| data.risk.detected_activities.type                   | string | Response data                    |
| data.risk.detected_activities.observation_date       | string | Response data                    |
| data.risk.detected_activities.description            | string | Response data                    |
| data.risk.detected_activities.confidence             | number | Response data                    |
| data.risk.detected_activities.occurrences_count      | number | Response data                    |
| data.risk.occurrences_count                          | number | Response data                    |
| data.enrichment                                      | object | Response data                    |
| data.enrichment.ips                                  | array  | Response data                    |
| data.enrichment.hostname                             | string | Response data                    |
| data.enrichment.domain                               | string | Response data                    |

**Output Example**

```json
{"status_code": 200, "reason": "OK", "response_headers": {}, "json_body": {"data": {"entity": {}, "risk": {}, "enrichment": {}}}}
```

### Update Alert Status

Update the status of up to 100 alerts in Cyberint. When setting the status to `closed`, a closure reason is required. This action requires `alert_ref_ids` and `data` in the JSON body.

**Endpoint URL:** `/alert/api/v1/alerts/status`
**Method:** `PUT`

**Input**

| Argument              | Type   | Required | Description                                          |
|-----------------------|--------|----------|------------------------------------------------------|
| alert_ref_ids         | array  | optional | Ref IDs of the requested alerts                      |
| data                  | object | optional | Response data                                        |
| data.status           | string | optional | Desired status to update for the alerts              |
| data.closure_reason   | string | optional | Reason for updating the alerts' status to closed     |

**Input Example**

```json
{"json_body": {"alert_ref_ids": ["1", "2"], "data": {"status": "closed", "closure_reason": "resolved"}}}
```

**Output**

| Parameter    | Type   | Description                      |
|--------------|--------|----------------------------------|
| status_code  | number | HTTP status code of the response |
| status       | string | Status value                     |

**Output Example**

```json
{"status_code": 200, "status": "OK", "response_headers": {}, "json_body": {}}
```

## Response Headers

| Header       | Description                                              | Example                       |
|--------------|----------------------------------------------------------|-------------------------------|
| Content-Type | The media type of the resource                           | application/json              |
| Date         | The date and time at which the message was originated    | Thu, 01 Jan 2024 00:00:00 GMT |
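The Get Alerts and Update Alert Status actions above carry constraints that are easy to get wrong in a playbook: at most 100 alerts per call, ISO-8601 date windows, and a closure reason whenever an alert is closed. The following is an added example (not the connector's or Cyberint's own code) that builds the request bodies and enforces those constraints before anything is sent. The full set of status values, the daily-feed parameter validation, and the way the access token is attached (a bearer `Authorization` header) are assumptions; the page documents only the `open` and `closed` statuses and the parameter names.

```python
"""Request builders for the Cyberint alert and feed actions documented above.

Added example, not the connector's own code. Body shapes follow the page's
input examples; ALERT_STATUSES and the bearer header are assumptions.
"""
import json
import re
from urllib.parse import urljoin

MAX_ALERTS_PER_CALL = 100                          # stated limit for Get Alerts / Update Alert Status
ALERT_STATUSES = ("open", "acknowledged", "closed")  # assumed; the page shows only "open"/"closed"
ISO_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")   # 2019-08-24T14:15:22Z
FEED_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")                   # 2024-02-28


class CyberintRequestError(ValueError):
    """A request that would violate a constraint documented for the action."""


def _window(name, start, end):
    """Validate a {from, to} date filter; UTC ISO strings compare correctly as text."""
    for ts in (start, end):
        if not ISO_UTC.match(ts):
            raise CyberintRequestError(f"{name}: expected a UTC timestamp like 2019-08-24T14:15:22Z, got {ts!r}")
    if start > end:
        raise CyberintRequestError(f"{name}: 'from' is later than 'to'")
    return {"from": start, "to": end}


def get_alerts_body(page=1, size=MAX_ALERTS_PER_CALL, created=None, modified=None,
                    environments=None, status=None, severity=None, alert_type=None):
    """Body for POST /alert/api/v1/alerts. `created`/`modified` are (from, to) tuples."""
    if page < 1:
        raise CyberintRequestError("page numbers start at 1")
    if not 1 <= size <= MAX_ALERTS_PER_CALL:
        raise CyberintRequestError(f"size must be 1..{MAX_ALERTS_PER_CALL}")
    unknown = set(status or ()) - set(ALERT_STATUSES)
    if unknown:
        raise CyberintRequestError(f"unknown status filter values: {sorted(unknown)}")
    filters = {}
    if created:
        filters["created_date"] = _window("created_date", *created)
    if modified:
        filters["modification_date"] = _window("modification_date", *modified)
    for key, values in (("environments", environments), ("status", status),
                        ("severity", severity), ("type", alert_type)):
        if values:
            filters[key] = list(values)
    # An empty filters object means "alerts modified in the past 24 hours" per the action description.
    return {"page": page, "size": size, "filters": filters}


def update_alert_status_body(alert_ref_ids, status, closure_reason=None):
    """Body for PUT /alert/api/v1/alerts/status; closing requires a closure reason."""
    ids = list(dict.fromkeys(str(i) for i in alert_ref_ids))   # de-duplicate, keep order
    if not ids:
        raise CyberintRequestError("at least one alert_ref_id is required")
    if len(ids) > MAX_ALERTS_PER_CALL:
        raise CyberintRequestError(f"at most {MAX_ALERTS_PER_CALL} alerts per call; split the batch")
    if status not in ALERT_STATUSES:
        raise CyberintRequestError(f"status must be one of {ALERT_STATUSES}")
    if status == "closed" and not closure_reason:
        raise CyberintRequestError("closure_reason is required when status is 'closed'")
    data = {"status": status}
    if closure_reason:
        data["closure_reason"] = closure_reason
    return {"alert_ref_ids": ids, "data": data}


def daily_feed_params(detected_activity, ioc_type, date, fmt="json1"):
    """Query parameters for GET /ioc/api/v1/feed/daily (date format assumed YYYY-MM-DD)."""
    if not FEED_DATE.match(date):
        raise CyberintRequestError(f"date must look like 2024-02-28, got {date!r}")
    return {"detected_activity": detected_activity, "ioc_type": ioc_type, "date": date, "format": fmt}


def build_request(base_url, api_key, method, path, json_body=None, params=None):
    """Assemble what an HTTP client needs; nothing is sent. Bearer header is an assumption."""
    url = urljoin(base_url.rstrip("/") + "/", path.lstrip("/"))
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
    body = None
    if json_body is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(json_body)
    return {"method": method.upper(), "url": url, "headers": headers, "params": params or {}, "body": body}


if __name__ == "__main__":
    close = update_alert_status_body(["1", "2"], "closed", "resolved")
    print(json.dumps(build_request("https://api.cyberint.example/", "API_KEY_PLACEHOLDER",
                                   "PUT", "/alert/api/v1/alerts/status", json_body=close), indent=2))
```

Keeping the validation in the body builders rather than in the playbook means a batch of 150 reference IDs or a close without a reason fails locally with a clear message instead of as an opaque 4xx from the API.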
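The daily feed action returns a JSON Lines file and the four IOC lookup actions return a `data` object with `entity`, `risk` and `enrichment`; a playbook that pushes these into a blocklist needs to cope with malformed lines and with indicators that should never be blocked (internal addresses, garbage values). The following is an added example, not part of the connector or of Cyberint's documentation. It assumes each feed line is a JSON object shaped like the lookup `data` object (`entity.type`, `entity.value`, `risk.malicious_score`, `risk.detected_activities[]`), that `malicious_score` is on a 0 to 100 scale, and the type names `domain`, `sha256` and `url` alongside the page's `ipv4`; the feed lines are constructed sample data.

```python
"""Parse a Cyberint daily IOC feed (JSON Lines) and triage IOC lookup results.

Added example, not the connector's or Cyberint's code. Line shape, score
scale and type names other than "ipv4" are assumptions; SAMPLE_FEED is
constructed data (203.0.113.0/24 and the .example TLD are reserved).
"""
import ipaddress
import json
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Address ranges a blocklist entry must never contain: blocking them breaks your own network.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


@dataclass
class FeedParseResult:
    indicators: list = field(default_factory=list)   # dicts: type, value, verdict, score, top_activity
    rejected: list = field(default_factory=list)     # (line_no, reason) for audit logging


def is_well_formed(ioc_type, value):
    """Sanity-check an indicator before it reaches a blocklist or detection rule."""
    v = value.strip()
    if ioc_type == "ipv4":
        try:
            ip = ipaddress.IPv4Address(v)
        except ValueError:
            return False
        return not any(ip in net for net in NON_ROUTABLE)
    if ioc_type == "domain":
        return DOMAIN_RE.match(v.lower()) is not None
    if ioc_type == "sha256":
        return SHA256_RE.match(v.lower()) is not None
    if ioc_type == "url":
        parts = urlsplit(v)
        return parts.scheme in ("http", "https") and bool(parts.netloc)
    return False   # unknown type: refuse rather than guess


def triage(data, block_threshold=80, review_threshold=50):
    """Turn the risk block of a lookup/feed record into an analyst-facing verdict."""
    risk = data.get("risk") or {}
    score = risk.get("malicious_score")
    activities = risk.get("detected_activities") or []
    if score is None:
        verdict = "unknown"
    elif score >= block_threshold:
        verdict = "block"
    elif score >= review_threshold:
        verdict = "review"
    else:
        verdict = "monitor"
    top = max(activities, key=lambda a: a.get("confidence", 0), default=None)
    return {"verdict": verdict, "score": score, "top_activity": top.get("type") if top else None}


def parse_feed(text):
    """Parse JSON Lines; bad lines are recorded, not fatal, so one corrupt line cannot drop the feed."""
    result = FeedParseResult()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError as exc:
            result.rejected.append((line_no, f"invalid JSON: {exc.msg}"))
            continue
        entity = obj.get("entity") or {}
        ioc_type, value = entity.get("type"), entity.get("value")
        if not ioc_type or not isinstance(value, str):
            result.rejected.append((line_no, "missing entity.type or entity.value"))
            continue
        if not is_well_formed(ioc_type, value):
            result.rejected.append((line_no, f"malformed or non-routable {ioc_type}: {value!r}"))
            continue
        result.indicators.append({"type": ioc_type, "value": value.strip(), **triage(obj)})
    return result


# Constructed sample feed: one good IPv4, one internal IP, one truncated line, one hash, one URL.
SAMPLE_FEED = "\n".join([
    json.dumps({"entity": {"type": "ipv4", "value": "203.0.113.10"},
                "risk": {"malicious_score": 92, "occurrences_count": 3, "detected_activities": [
                    {"type": "malware_payload", "observation_date": "2024-02-28",
                     "description": "constructed sample", "confidence": 90, "occurrences_count": 3}]}}),
    json.dumps({"entity": {"type": "ipv4", "value": "10.0.0.5"}, "risk": {"malicious_score": 95}}),
    '{"entity": {"type": "domain", "value": "evil.example"',
    json.dumps({"entity": {"type": "sha256", "value": "a" * 64}, "risk": {"malicious_score": 40}}),
    "",
    json.dumps({"entity": {"type": "url", "value": "http://evil.example/payload.bin"},
                "risk": {"malicious_score": 70, "detected_activities": [
                    {"type": "phishing", "confidence": 60}, {"type": "malware_payload", "confidence": 75}]}}),
])

if __name__ == "__main__":
    res = parse_feed(SAMPLE_FEED)
    for ind in res.indicators:
        print(f"{ind['verdict']:8} {ind['type']:7} {ind['value']}  ({ind['top_activity']})")
    for line_no, reason in res.rejected:
        print(f"rejected line {line_no}: {reason}")
```

The rejected list is worth writing to the playbook's audit trail: a sudden rise in rejected lines usually means the feed format changed, not that the data is bad.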