Cyberint
Integration version: 2.0
Configure Cyberint integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://{instance}.cyberint.io | Yes | API root of the Cyberint instance. |
| API Key | Password | N/A | Yes | API key of the Cyberint instance. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verify that the SSL certificate for the connection to the Cyberint server is valid. |
Use Cases
Ingestion of alerts
Actions
Ping
Description
Test connectivity to the Cyberint with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
The action doesn't use entities, nor has mandatory input parameters.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message\* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Cyberint server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Cyberint server! Error is {0}".format(exception.stacktrace) |
General |
Update Alert
Description
Update alert in Cyberint.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Alert ID | Name | N/A | Yes | Specify the ID of the alert that would need to have the status updated. |
| Status | DDL | Select One Possible Values:
|
No | Specify the status for the event. Note: If "Closed" is selected, the "Closure Reason" parameter needs to be provided as well. |
| Closure Reason | DDL | Select One Possible Values:
|
No | Specify the closure reason for closed status. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If the 200 status code is reported (is_success = true): "Successfully updated the alert with ID "{alert_id}" in Cyberint.". The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Update Alert Status". Reason: {0}''.format(error.Stacktrace) If "Select One" is provided: "Error executing action "Update Alert Status". Reason: "Status" needs to be provided.'' If the "Status" parameter is set to "Closed", but the "Closure Reason" parameter isn't provided: "Error executing action "Update Alert Status". Reason: if "Status" is "Closed" then you need to provide "Closure Reason".'' |
General |
Connectors
Cyberint - Alerts Connector
Description
Pull information about alerts from Cyberint.
Configure Cyberint - Alerts Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | type | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://{instance}.cyberint.io | Yes | API root of the Cyberint instance. |
| API Key | Password | N/A | Yes | API key of the Cyberint instance. |
| Lowest Severity To Fetch | Integer | N/A | No | Lowest risk that needs to be used to fetch alerts. Possible values: Low, Medium, High, Very High. If nothing is specified, the connector will ingest alerts with all severities. |
| Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch alerts. |
| Max Alerts To Fetch | Integer | 100 | No | How many alerts to process per one connector iteration. Default: 100. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist will be used as a blacklist. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verify the SSL certificate for the connection to the Cyberint server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector Rules
Proxy Support
The connector supports Proxy.