Skip to main content
Skip table of contents

Cyberint

LAST UPDATED: OCTOBER 9, 2025

Overview

Cyberint, the Impactful Intelligence company, fuses threat intelligence with attack surface management, providing organizations with extensive integrated visibility into their external risk exposure. Leveraging autonomous discovery of all external-facing assets, coupled with open, deep dark web intelligence, the solution allows cybersecurity teams to uncover their most relevant known and unknown digital risks - earlier.

D3 SOAR is providing REST operations to function with Cyberint.

Cyberint is available for use in:

D3 SOAR

V15.3+

Category

Threat Intelligence

Deployment Options

Option II, Option IV

Connection

Gather the following information to connect D3 SOAR to Cyberint.

Parameter

Description

Example

Server URL

The server URL used for accessing the Cyberint API.

https://company.Cyberint.io

API Key

The API Key used to authenticate the API connection.

*****

API Version

The version of the API to use for this connection.

v1

Configuring D3 SOAR to Work with Cyberint

  1. Log in to D3 SOAR.

  2. Find the Cyberint integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Cyberint in the search box to find the integration, then click it to select it.

    4. Click on the + Connection button on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Cyberint.

    1. Connection Name: The desired name for the connection.

    2. Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.

    4. Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): The description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Active: The checkbox that enables the connection to be used when selected.

    8. Configure User Permissions: Defines which users have access to the connection.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input the Server URL.

      2. Input the API Key from the Cyberint platform.

      3. Input the API Version. The default value is v1.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    11. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.

  4. Test the connection.

    1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Cyberint includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command function, users can execute these commands independently for playbook troubleshooting.

Note for Time-related parameters

The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:

  1. Navigate to Configuration Application Settings. Select Date/Time Format.

  2. Choose the desired date and time format, then click on the Save button.

The selected time format will now be visible when configuring Date/Time command input parameters.

Get Alert Analysis Reports

Retrieves alert analysis reports.

READER NOTE

Alert IDs is a required parameter to run this command.

  • Run the Get Alerts command to obtain the Alert IDs. Alert IDs can be found in the raw data at $.alerts[*].ref_id.

Input

Input Parameter

Required/Optional

Description

Example

Alert IDs

Required

The reference IDs of the requested alerts. Alert IDs can be obtained using the Get Alerts command.

JSON 
[
  "D***2"
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Alert Analysis Reports failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cyberint portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Alert Analysis Reports failed.

Status Code: 401.

Message: Unauthorized.

Get Alert Attachments

Retrieves alert attachments.

READER NOTE

Alert ID and Attachment IDs are required parameters to run this command.

  • Run the Get Alerts command to obtain the Alert ID and Attachment IDs. Alert ID and Attachment IDs can be found in the raw data at:

    • $.alerts[*].ref_id (Alert ID)

    • $.alerts[*].attachments (Attachment IDs)

Input

Input Parameter

Required/Optional

Description

Example

Alert ID

Required

The reference ID of the requested alerts. Alert ID can be obtained using the Get Alerts command.

D*****2

Attachment IDs

Required

The internal IDs of the attachments associated with the specified alerts. Attachment IDs can be obtained using the Get Alerts command.

JSON 
[
  "1*****4"
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Alert Attachments failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cyberint portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Alert Attachments failed.

Status Code: 401.

Message: Unauthorized.

Get Alerts

Retrieves up to 100 alerts. Results are sorted by modification date. If no filters are applied, all alerts modified in the past 24 hours across all environments are returned.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start time (in UTC) used to filter alerts by their modification date. The time range between Start Time and End Time cannot exceed one year.

2023-02-14T14:28:29Z

End Time

Required

The end time (in UTC) used to filter alerts by their modification date. The time range between Start Time and End Time cannot exceed one year.

2023-02-16T14:28:29Z

Status

Optional

Filters alerts by status. Valid options are:

  • "open"

  • "acknowledged"

  • "closed"

JSON 
[
  "open"
]

Severity

Optional

Filters alerts by severity. Valid options are:

  • "low"

  • "medium"

  • "high"

  • "very_high"

JSON 
[
  "high"
]

Type

Optional

Filters alerts by type. Valid values are:

  • "refund_fraud"

  • "carding"

  • "coupon_fraud"

  • "money_laundering"

  • "victim_report"

  • "malicious_insider"

  • "extortion"

  • "phishing_email"

  • "phishing_kit"

  • "phishing_website"

  • "lookalike_domain"

  • "phishing_target_list"

  • "malicious_file"

  • "reconnaissance"

  • "automated_attack_tools"

  • "business_logic_bypass"

  • "target_list"

  • "official_social_media_profile"

  • "impersonation"

  • "intellectual_property_infringement"

  • "unauthorized_trading"

  • "negative_sentiment"

  • "fake_job_posting"

  • "defacement"

  • "compromised_pii"

  • "internal_information_disclosure"

  • "compromised_payment_cards"

  • "compromised_employee_credentials"

  • "compromised_customer_credentials"

  • "compromised_access_token"

  • "ransomware"

  • "exposed_web_interfaces"

  • "hijackable_subdomains"

  • "website_vulnerabilities"

  • "exposed_cloud_storage"

  • "exploitable_ports"

  • "mail_servers_in_blacklist"

  • "server_connected_to_botnet"

  • "email_security_issues"

  • "certificate_authority_issues"

  • "other"

JSON 
[
  "carding"
]

Environment

Optional

Filters alerts by environment. By default, alerts from all customer environments and sub-environments are retrieved.

JSON 
[
  "D3securitySandBox"
]

Limit

Optional

The number of alerts to return. Valid values are integers between 10 and 100.

10

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Alerts failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cyberint portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Alerts failed.

Status Code: 401.

Message: Unauthorized.

Update Alert Status

Updates the status of up to 100 alerts.

READER NOTE

Alert IDs is a required parameter to run this command.

  • Run the Get Alerts command to obtain the Alert IDs. Alert IDs can be found in the raw data at $.alerts[*].ref_id.

Input

Input Parameter

Required/Optional

Description

Example

Alert IDs

Required

The reference IDs of the alerts to be updated. Alert IDs can be obtained using the Get Alerts command.

JSON 
[
  "D*****3"
]

Status

Required

The updated status to apply to the specified alerts. Valid options are:

  • Open

  • Acknowledged

  • Closed

Closed

Closure Reason

Optional

The reason for updating the alert status to "Closed". Valid options are:

  • Resolved

  • Irrelevant

  • False Positive

If Status is set to "Closed" and this parameter is not specified, the Closure Reason defaults to "Resolved".

Resolved

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Alert Status failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cyberint portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Update Alert Status failed.

Status Code: 401.

Message: Unauthorized.

Test Connection

Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Output Type

Description

Return Data Type

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

More details about an error can be viewed in the Error tab.

String

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cyberint portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 401.

Message: Unauthorized.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close