Cortex XSOAR

The Cyberpion content pack allows you to seamlessly receive all your Cyberpion Action Items and supportive information into Cortex XSOAR, and thus create and view dashboards, create custom alerts, streamline remediation and improve investigations. Integration between Cyberpion and Cortex XSOAR makes use of REST API.

Cortex XSOAR Integration Guide

Cyberpion can export incidents and relevant information directly to Cortex XSOAR. The integration involves having the Cortex XSOAR make calls to Cyberpion API endpoints in order to retrieve the information. Thus, you will need to enter the Cyberpion Server URL as well as a valid Cyberpion API key to Cortex.

The server URL is https://<your portal’s name at Cyberpion>, e.g.,

Generating a new API key:


Log into the Cyberpion portal


Click the API Settings button


Provide a name for the token, specify if the token is read-write or read-only (only the latter is necessary), and set an expiry date.


Click “Create Token”


Copy the generated token to a secure file. You’ll need it later.

Configuring your Cortex XSOAR:


Head to the XSOAR Marketplace:


Find and install Cyberpion:


Go to Settings:


Search for Cyberpion and click on “Add Instance”:


Fill in the server URL and API key that were provided by the Cyberpion portal (located within setting -> Integration settings):


Form field names, explanations and tips:

Field  Explanation 
Fetches incidents Should be checked (this determines whether to get Cyberpion’s action items from the server)
Make sure “Fetches incidents” is enabled
Do not fetch Should be false
Classifier Should be (by default) Cyberpion – Classifier
Incident type (if classifier doesn’t exist) Should be (by default) N/A
Mapper (incoming) Should be (by default) Cyberpion – Mapper
Server URL Paste here the Cyberpion URL as described above
API Key Paste here the Cyberpion API key as described above
Maximum number of incidents per fetch Determines how many action items are fetched every minute The default is set for 200 and we recommend leaving it as such
Action items category to fetch as incidents Action items categories to fetch
Options are DNS, PKI, Cloud and Vulnerabilities
Default is set to include all Action Item types
Show only active issues We recommend that this checkbox be marked

If not enabled, closed issues (resolved action items) will be fetched in addition to the active ones

Trust any certificate N/A
Use system proxy settings N/A
Do not use by default N/A

After clicking “save”, Action items will start to appear at the ‘incidents’ section:


Cortex XSOAR pulls Action Items at a rate of 200 every minute until all Action Items are uploaded


Click on “Investigate” to see the Action Item details:


Action Items will include the following information:

  • Cyberpion title
  • Cyberpion category
  • Cyberpion domain (AKA asset)
  • Cyberpion incident description
  • Technical data
  • Cyberpion Solution


The playbook added within this content package will allow you to request additional information relating to the Action Items that were reported, in order to help with context, investigation, and effective remediation.

The default playbooks intention is basic, it allows the user to create customized playbooks and/or connect the offered playbook template to a more general playbook.

Users can view the playbook within an incident by clicking the “Work Plan” tab and following the steps presented:

Let Us
Show You.

Discover Your Exposure So You Can Protect It

Request a free hyper external attack surface scan today.