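# XSOAR integration definition for Cyble Vision events (CybleEvents v2).
# This file is platform metadata only: instance parameters, the command
# surface and the runtime image. The request logic lives in the Python
# script referenced by `script`/`subtype` at the bottom.
category: Data Enrichment & Threat Intelligence
commonfields:
  id: cybleeventsv2
  version: -1  # placeholder version, as in the other content-repo integrations
configuration:
# Base URL of the Cyble Vision API.
# NOTE(review): the default keeps the angle brackets from the help text; if the
# script uses this value verbatim as the request base the brackets must be
# removed by whoever configures the instance — confirm against the script.
- additionalinfo: Server URL (e.g. <https://example.net>)
  defaultvalue: <https://example.net>
  display: URL
  name: base_url
  required: true
  type: 0
# API access token stored as an XSOAR credential (type 9) rather than plain
# text; only the password half is used, so the username field is hidden.
- displaypassword: Access Token
  hiddenusername: true
  name: credentials
  required: true
  type: 9
# Disables TLS certificate verification for the API connection; keep it off
# outside of debugging.
- display: Trust any certificate (not secure)
  name: insecure
  type: 8
- display: Use system proxy settings
  name: proxy
  type: 8
# The 1000-incident ceiling is only documented here, not enforced; presumably
# the script clamps the value — verify.
- additionalinfo: Maximum incidents to be fetched every time. Upper limit is 1000 incidents.
  defaultvalue: '1'
  display: Incident Fetch Limit
  name: max_fetch
  type: 0
- display: Incident type
  name: incidentType
  type: 13
- display: Fetch incidents
  name: isFetch
  type: 8
# As with max_fetch, the 7-day maximum is documented, not enforced, in this file.
- additionalinfo: Time interval for first fetch (retroactive), by days only. Maximum of 7 days for retroactive value is allowed.
  defaultvalue: '1'
  display: First fetch time (by days)
  name: first_fetch_timestamp
  type: 0
description: Cyble Events for Vision Users. Must have Vision API access to use the threat intelligence.
display: CybleEvents v2
name: cybleeventsv2
script:
  commands:
  # Read-only: lists the services the account is subscribed to.
  - description: Get list of Subscribed services
    name: cyble-vision-subscribed-services
    outputs:
    - contextPath: CybleEvents.SubscribedServices
      description: A list of subscribed services from Cyble vision.
      type: String
  # Indicator lookup over a date range; paging is driven by `from`/`limit`.
  - arguments:
    - auto: PREDEFINED
      defaultValue: Domain
      description: Returns records according to their type (Domain, FileHash-MD5, FileHash-SHA1, FileHash-SHA256, IPv4, IPv6, URL, Email).
      isArray: true
      name: ioc_type
      predefined:
      - Domain
      - FileHash-MD5
      - FileHash-SHA1
      - FileHash-SHA256
      - IPv4
      - IPv6
      - URL
      - Email  # was "Emai"; now matches the type list in the description above
    - description: Returns records for the specified indicator value
      name: ioc
    - defaultValue: '0'
      description: Returns records that start from the given page number (the value of the from parameter) in the results list.
      name: from
    - defaultValue: '1'
      description: Number of records to return (max 1000). Using a smaller limit will get faster responses.
      name: limit
    - auto: PREDEFINED
      defaultValue: last_seen
      description: Sorting based on the column (last_seen, first_seen, ioc_type).
      name: sort_by
      predefined:
      - last_seen
      - first_seen
      - ioc_type
    # NOTE(review): `default: true` makes this the command's default (positional)
    # argument; having it on `order` rather than `ioc` looks accidental — confirm.
    - auto: PREDEFINED
      default: true
      defaultValue: desc
      description: A sorting order for ioc. Either Ascending or Descending. The default value is Descending.
      name: order
      predefined:
      - asc
      - desc
    - description: Returns records for the specified tags
      name: tags
    # The two date arguments bound the same range, so each refers to the other.
    - description: Timeline start date in the format "YYYY-MM-DD". Should be used with end_date as timeline range.
      name: start_date
    - description: Timeline end date in the format "YYYY-MM-DD". Should be used with start_date as timeline range.
      name: end_date
    description: Fetch the indicators in the given timeline.
    name: cyble-vision-fetch-iocs
    outputs:
    - contextPath: CybleEvents.IoCs.Data
      description: Returns indicator with risk score, confidence rating, first seen and last seen
      type: String
  # Alert fetch over an ISO-8601 window. Alerts are grouped per service type,
  # so the number of events returned can exceed `limit` (see description).
  - arguments:
    - defaultValue: '5'
      description: Number of records to return (max 50). Using a smaller limit will get faster responses.
      name: limit
    - description: Timeline start date in the format "%Y-%m-%dT%H:%M:%S%z" (iso-8601)
      name: start_date
      required: true
    - description: Timeline end date in the format "%Y-%m-%dT%H:%M:%S%z" (iso-8601)
      name: end_date
      required: true
    - auto: PREDEFINED
      defaultValue: desc
      description: A sorting order for the fetched alerts. Either Ascending or Descending. The default value is Descending.
      name: order_by
      predefined:
      - asc
      - desc
    - defaultValue: '0'
      description: Returns records for the timeline starting from the given index.
      name: from
    description: Fetch alerts based on the given parameters. The alerts would have multiple events grouped into one, based on a specific service type. This way the user will see, in some cases, more events than the limit provides.
    # NOTE(review): `execution: true` is normally reserved for commands that
    # change state on the target; a read-only fetch probably does not need it — confirm.
    execution: true
    name: cyble-vision-fetch-alerts
    outputs:
    - contextPath: CybleEvents.Events.name
      description: Return Event name
      type: String
    - contextPath: CybleEvents.Events.alert_group_id
      description: Return alert group id
      type: String
    - contextPath: CybleEvents.Events.event_id
      description: Return event id.
      type: String
    - contextPath: CybleEvents.Events.keyword
      description: Return keywords
      type: Unknown
  # Alert-group fetch; same window/paging arguments as cyble-vision-fetch-alerts,
  # except that `from` is required here.
  - arguments:
    - auto: PREDEFINED
      defaultValue: desc
      description: A sorting order for the fetched alerts. Either Ascending or Descending. The default value is Descending.
      name: order_by
      predefined:
      - asc
      - desc
    - defaultValue: '5'
      description: Number of records to return (max 50). Using a smaller limit will get faster responses.
      name: limit
    - description: Timeline start date in the format "%Y-%m-%dT%H:%M:%S%z" (iso-8601)
      name: start_date
      required: true
    - description: Timeline end date in the format "%Y-%m-%dT%H:%M:%S%z" (iso-8601)
      name: end_date
      required: true
    - defaultValue: '0'
      description: Returns records for the timeline starting from the given index.
      name: from
      required: true
    description: Fetch incident event group
    name: cyble-vision-fetch-alert-groups
    outputs:
    - contextPath: CybleEvents.AlertGroup
      description: Fetch all the alert groups
      type: String
  # Pinned runtime image; bump deliberately and re-test the commands above.
  dockerimage: demisto/python3:3.10.12.63474
  isfetch: true
  runonce: false
  script: '-'
  subtype: python3
  type: python
tests:
- No tests (auto formatted)
fromversion: 6.2.0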