From 0d41a8322ab8935bac429794c719026a28de609e Mon Sep 17 00:00:00 2001
From: "tmizrahi@paloaltonetworks.com"
Date: Thu, 5 Feb 2026 11:56:02 +0200
Subject: [PATCH 1/5] modeling rule files created, readme & metadata edited
---
 .../DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.xif | 20 +++++++
 .../DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.yml | 6 ++
 .../ModelingRules/DeCYFIR/DeCYFIR_schema.json | 56 +++++++++++++++++++
 Packs/DeCYFIR/README.md | 35 +++++++++++-
 Packs/DeCYFIR/pack_metadata.json | 17 ++++--
 5 files changed, 128 insertions(+), 6 deletions(-)
 create mode 100644 Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.xif
 create mode 100644 Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.yml
 create mode 100644 Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR_schema.json
diff --git a/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.xif b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.xif
new file mode 100644
index 000000000000..6ac4f41cb42c
--- /dev/null
+++ b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.xif
@@ -0,0 +1,20 @@
+[MODEL: dataset = "cyfirma_decyfir_raw"]
+alter
+ user = trim(coalesce(modified_by, principal, uid))
+| alter
+ user_parsed = if(user ~= "^\[",arrayindex(regextract(user, "^\[([^|]+)\|"), 0),user)
+| alter
+ xdm.event.original_event_type = coalesce(event_action, event_type),
+ xdm.event.description = coalesce(name,asset_comments),
+ xdm.source.user.username = user_parsed,
+ xdm.source.user.identifier = uid,
+ xdm.source.ipv4 = if(is_ipv4(ip),ip,null),
+ xdm.source.ipv6 = if(is_ipv6(ip),ip,null),
+ xdm.target.resource.name = asset_name,
+ xdm.target.resource.type = asset_type,
+ xdm.target.application.publisher = vendor,
+ xdm.target.application.version = version,
+ xdm.event.outcome = if(event_type ~= "SUCCESS", XDM_CONST.OUTCOME_SUCCESS,event_type ~= "FAILED",XDM_CONST.OUTCOME_FAILED, event_type ~= "AUTHENTICATION_ATTEMPT",XDM_CONST.OUTCOME_UNKNOWN,event_type),
+ xdm.source.user.upn = if(user_parsed ~= "@",user_parsed,null),
+ xdm.event.operation = if(event_action ~= "create", XDM_CONST.OPERATION_TYPE_CREATE, event_action ~= "delete", XDM_CONST.OPERATION_TYPE_DELETE, event_action ~= "update" or event_action ~= "modify", XDM_CONST.OPERATION_TYPE_UPDATE, event_action),
+ xdm.event.type = source_log_type;
\ No newline at end of file
diff --git a/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.yml b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.yml
new file mode 100644
index 000000000000..e7743fb1679d
--- /dev/null
+++ b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR.yml
@@ -0,0 +1,6 @@
+fromversion: 8.4.0 # Will be updated with XSIAM version updates
+id: cyfirma_decyfir_ModelingRule
+name: cyfirma decyfir Modeling Rule
+rules: ''
+schema: ''
+tags: ''
\ No newline at end of file
diff --git a/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR_schema.json b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR_schema.json
new file mode 100644
index 000000000000..743da81188ed
--- /dev/null
+++ b/Packs/DeCYFIR/ModelingRules/DeCYFIR/DeCYFIR_schema.json
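Review bot: `user_parsed` ends up null whenever `user` starts with `[` but carries no `|`, because the `if` branch takes `arrayindex(regextract(...), 0)` on a non-matching pattern and never falls back to `user`, so `xdm.source.user.username` and `xdm.source.user.upn` are both lost for exactly the bracketed principals this line was written for; if `regextract` yields an empty array on no match, the two cases collapse into `user_parsed = coalesce(arrayindex(regextract(user, "^\[([^|]+)\|"), 0), user)`, which keeps the parsed name when the pattern matches and the raw value otherwise. The last fallbacks of `xdm.event.outcome` and `xdm.event.operation` write the raw `event_type` / `event_action` into fields that otherwise take only `XDM_CONST` values; if those fields are enum-typed in this schema version, an unlisted vendor value will be dropped or rejected at ingest, and `null` is the safer fallback since the raw value is already preserved in `xdm.event.original_event_type`. Note also that `~=` is a regex match and `"create"`/`"delete"`/`"update"`/`"modify"` are lowercase while the `event_type` patterns are uppercase, so it is worth confirming against real `event_action` samples that the casing matches, or matching on `lowercase(event_action)` instead.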
@@ -0,0 +1,56 @@
+{
+ "cyfirma_decyfir_raw": {
+ "principal": {
+ "type": "string",
+ "is_array": false
+ },
+ "uid": {
+ "type": "string",
+ "is_array": false
+ },
+ "event_type": {
+ "type": "string",
+ "is_array": false
+ },
+ "ip": {
+ "type": "string",
+ "is_array": false
+ },
+ "name": {
+ "type": "string",
+ "is_array": false
+ },
+ "asset_comments": {
+ "type": "string",
+ "is_array": false
+ },
+ "event_action": {
+ "type": "string",
+ "is_array": false
+ },
+ "asset_name": {
+ "type": "string",
+ "is_array": false
+ },
+ "vendor": {
+ "type": "string",
+ "is_array": false
+ },
+ "modified_by": {
+ "type": "string",
+ "is_array": false
+ },
+ "version": {
+ "type": "string",
+ "is_array": false
+ },
+ "asset_type": {
+ "type": "string",
+ "is_array": false
+ },
+ "source_log_type": {
+ "type": "string",
+ "is_array": false
+ }
+ }
+ }
\ No newline at end of file
diff --git a/Packs/DeCYFIR/README.md b/Packs/DeCYFIR/README.md
index 99919d21e2a7..86c35401da69 100644
--- a/Packs/DeCYFIR/README.md
+++ b/Packs/DeCYFIR/README.md
@@ -1,4 +1,4 @@
-## DeCYFIR Content Pack for XSOAR
+## Cyfirma DeCYFIR Content Pack
 CYFIRMA’s core platform, DeCYFIR, combines cyber threat intelligence with attack surface discovery and digital risk protection to deliver predictive, personalized, contextual, outside-in, and multi-layered cyber-intelligence. With DeCYFIR’s APIs, security teams obtain a complete view of their external threat landscape and receive actionable insights to ensure their cybersecurity posture is robust, resilient, and able to counter emerging cyber threats.
@@ -9,9 +9,40 @@ With DeCYFIR’s APIs, security teams obtain a complete view of their external t - Gain knowledge of vulnerabilities and understand the threat actors, campaigns, attack methods which could be used by adversaries. - Stay informed of data breach/leaks and this includes company email addresses, intellectual property info, confidential data. - Be alerted to impersonation of company domains and executives across public and social platforms. -- Prioritize remedial actions with insights from external threat landscape. +- Prioritize remedial actions with insights from external threat landscape.de - Use the insights to expedite threat hunting and accelerate incident response activities. +<~XSOAR> + **Note:** Support and maintenance for this integration is provided by **[Cyfirma](https://www.cyfirma.com)**. Please contact us for more details on this email **_contact@cyfirma.com_**. + + + +<~XSIAM> + +Collects event logs from DeCYFIR for ingestion into Cortex XSIAM. + +Once configured, the integration periodically fetches event logs from DeCYFIR’s APIs and sends them to **Cortex XSIAM** for ingestion, normalization and analysis. + +- Events are fetched in real time (starting from the moment the integration is enabled). + +- Each event type (`Access Logs`, `Assets Logs`, `Digital Risk Keywords Logs`) is fetched separately using its own pagination and limit. + +- The integration automatically tracks and stores the last fetched timestamp and event IDs to prevent duplication. + +## Configure DeCYFIR Event Collector in Cortex + +| **Parameter** | **Required** | +| --- | --- | +| Server URL | True | +| API Key | True | +| Event types to fetch | True | +| Maximum number of Access Logs events per fetch | False | +| Maximum number of Assets Logs events per fetch | False | +| Maximum number of Digital Risk Keywords Logs events per fetch | False | +| Trust any certificate (not secure) | False | +| Use system proxy settings | False | + + \ No newline at end of file 
diff --git a/Packs/DeCYFIR/pack_metadata.json b/Packs/DeCYFIR/pack_metadata.json
index 562dc98f69c4..3d2fdc51e4cf 100644
--- a/Packs/DeCYFIR/pack_metadata.json
+++ b/Packs/DeCYFIR/pack_metadata.json
@@ -2,15 +2,24 @@
 "name": "DeCYFIR",
 "description": "DeCYFIR API's provides External Threat Landscape Management insights",
 "support": "partner",
- "currentVersion": "1.1.0",
+ "currentVersion": "1.0.20",
 "author": "Cyfirma",
 "url": "https://www.cyfirma.com/",
 "email": "contact@cyfirma.com",
 "categories": [
 "Data Enrichment & Threat Intelligence"
 ],
- "tags": [],
- "useCases": [],
+ "tags": [
+ "Alerts",
+ "Security",
+ "Threat Intelligence Management",
+ "Threat Intelligence"
+ ],
+ "useCases": [
+ "Network Security",
+ "Threat Intelligence Management",
+ "Asset Management"
+ ],
 "keywords": [
 "Attack Surface",
 "Digital Risk",
@@ -55,7 +64,7 @@
 "CommonTypes",
 "CoreAlertFields"
 ],
- "defaultDataSource": "DecyfirEventCollector",
+ "defaultDataSource": "decyfir",
 "supportedModules": [
 "X1",
 "X3",
From e5d4227f752b65c8cd8551a903f3d521cac228b1 Mon Sep 17 00:00:00 2001
From: "tmizrahi@paloaltonetworks.com"
Date: Thu, 5 Feb 2026 11:57:51 +0200
Subject: [PATCH 2/5] validate & pre-commit
---
 Packs/DeCYFIR/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Packs/DeCYFIR/README.md b/Packs/DeCYFIR/README.md
index 86c35401da69..ce24cdd75481 100644
--- a/Packs/DeCYFIR/README.md
+++ b/Packs/DeCYFIR/README.md
@@ -45,4 +45,4 @@ Once configured, the integration periodically fetches event logs from DeCYFIR’ | Trust any certificate (not secure) | False | | Use system proxy settings | False | - \ No newline at end of file +
From a377e5defd0dcc4212a9fe6abfe05c5efb268eff Mon Sep 17 00:00:00 2001
From: "tmizrahi@paloaltonetworks.com"
Date: Thu, 5 Feb 2026 15:04:41 +0200
Subject: [PATCH 3/5] readme modified following a review
---
 Packs/DeCYFIR/README.md | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/Packs/DeCYFIR/README.md b/Packs/DeCYFIR/README.md index ce24cdd75481..daccaa0f8e49 100644 --- a/Packs/DeCYFIR/README.md +++ b/Packs/DeCYFIR/README.md @@ -1,4 +1,4 @@ -## Cyfirma DeCYFIR Content Pack +# Cyfirma DeCYFIR Content Pack CYFIRMA’s core platform, DeCYFIR, combines cyber threat intelligence with attack surface discovery and digital risk protection to deliver predictive, personalized, contextual, outside-in, and multi-layered cyber-intelligence. With DeCYFIR’s APIs, security teams obtain a complete view of their external threat landscape and receive actionable insights to ensure their cybersecurity posture is robust, resilient, and able to counter emerging cyber threats. @@ -6,8 +6,8 @@ With DeCYFIR’s APIs, security teams obtain a complete view of their external t #### This packs empowers security teams with the following capabilities - Monitor your entire external attack surfaces as they emerge. -- Gain knowledge of vulnerabilities and understand the threat actors, campaigns, attack methods which could be used by adversaries. -- Stay informed of data breach/leaks and this includes company email addresses, intellectual property info, confidential data. +- Gain knowledge of vulnerabilities and understand the threat actors, campaigns, and attack methods used by adversaries. +- Stay informed of data breach/leaks, including company email addresses, intellectual property information, and confidential data. - Be alerted to impersonation of company domains and executives across public and social platforms. - Prioritize remedial actions with insights from external threat landscape.de - Use the insights to expedite threat hunting and accelerate incident response activities. 
@@ -15,24 +15,23 @@ With DeCYFIR’s APIs, security teams obtain a complete view of their external t <~XSOAR> **Note:** -Support and maintenance for this integration is provided by **[Cyfirma](https://www.cyfirma.com)**. -Please contact us for more details on this email **_contact@cyfirma.com_**. +Support and maintenance for this content pack is provided by **[Cyfirma](https://www.cyfirma.com)**. <~XSIAM> -Collects event logs from DeCYFIR for ingestion into Cortex XSIAM. +This content pack contains an integration that collects event logs from DeCYFIR for ingestion into Cortex XSIAM. -Once configured, the integration periodically fetches event logs from DeCYFIR’s APIs and sends them to **Cortex XSIAM** for ingestion, normalization and analysis. +Once configured, the integration periodically fetches event logs from DeCYFIR’s APIs and sends them to Cortex XSIAM for ingestion, normalization and analysis. - Events are fetched in real time (starting from the moment the integration is enabled). - Each event type (`Access Logs`, `Assets Logs`, `Digital Risk Keywords Logs`) is fetched separately using its own pagination and limit. -- The integration automatically tracks and stores the last fetched timestamp and event IDs to prevent duplication. +- - To prevent duplication, the integration automatically tracks and stores the last fetched timestamp and event IDs. -## Configure DeCYFIR Event Collector in Cortex +## Configure the DeCYFIR Event Collector Integration in Cortex | **Parameter** | **Required** | | --- | --- | From eb9b1f7466e4438a2ea8dd3214c49c6cb38791d8 Mon Sep 17 00:00:00 2001 From: Content Bot Date: Thu, 5 Feb 2026 13:13:30 +0000 Subject: [PATCH 4/5] Trigger AI Reviewer From 42d2f806c58d91902d023af4f57529d135eb97a0 Mon Sep 17 00:00:00 2001 
From: "tmizrahi@paloaltonetworks.com"
Date: Thu, 5 Feb 2026 15:30:29 +0200
Subject: [PATCH 5/5] fixed metadata & add release notes
---
 Packs/DeCYFIR/ReleaseNotes/1_1_1.md | 7 +++++++
 Packs/DeCYFIR/pack_metadata.json | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 Packs/DeCYFIR/ReleaseNotes/1_1_1.md
diff --git a/Packs/DeCYFIR/ReleaseNotes/1_1_1.md b/Packs/DeCYFIR/ReleaseNotes/1_1_1.md
new file mode 100644
index 000000000000..05b600397543
--- /dev/null
+++ b/Packs/DeCYFIR/ReleaseNotes/1_1_1.md
@@ -0,0 +1,7 @@
+
+#### Modeling Rules
+
+##### New: cyfirma decyfir Modeling Rule
+
+- New: Added a new modeling rule- cyfirma decyfir Modeling Rule that provides data normalization for Access Logs, Asset Logs and DR Keywords Logs
+<~XSIAM> (Available from Cortex XSIAM 8.4.0).
diff --git a/Packs/DeCYFIR/pack_metadata.json b/Packs/DeCYFIR/pack_metadata.json
index 3d2fdc51e4cf..e5a4690fc8dd 100644
--- a/Packs/DeCYFIR/pack_metadata.json
+++ b/Packs/DeCYFIR/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "DeCYFIR",
 "description": "DeCYFIR API's provides External Threat Landscape Management insights",
 "support": "partner",
- "currentVersion": "1.0.20",
+ "currentVersion": "1.1.1",
 "author": "Cyfirma",
 "url": "https://www.cyfirma.com/",
 "email": "contact@cyfirma.com",
@@ -64,7 +64,7 @@
 "CommonTypes",
 "CoreAlertFields"
 ],
- "defaultDataSource": "decyfir",
+ "defaultDataSource": "DecyfirEventCollector",
 "supportedModules": [
 "X1",
 "X3",