Data Source
Cyren Cyber Threat Intelligence (CTI) platform offering two commercial feeds:
- IP Reputation feed — malicious IP addresses with threat scores
- Malware URL feed — weaponised URLs delivering malware payloads
Feeds are delivered via the Cyren CCF (Codeless Connector Framework) API and parsed as NDJSON (one JSON object per line).
Automation Mechanism
Playbook: CyrenToSentinelOne
- 6-hour polling cycle from Cyren CCF feed endpoints
- PersistentToken pagination for large result sets
- Dual-feed support — customers can purchase one or both feeds
- Optional JWT tokens per feed (single-feed deployments supported)
- IOC push to SentinelOne via /web/api/v2.1/threat-intelligence/iocs endpoint
SentinelOne Integration
- Creates IOC indicators directly in SentinelOne Threat Intelligence module
- Establishes STAR (SentinelOne Threat Analysis and Response) detection rule: “Cyren IOC Detection”
- Rule query: IndicatorSource = “Cyren” with High severity classification
- Automated endpoint protection against Cyren-flagged threats
Detection Surface Unlocked
Organizations gain automated threat detection for:
- Malicious IP communications (network sessions, DNS queries, firewall logs)
- Drive-by download attempts and malware distribution URLs
- Command and control infrastructure identified by Cyren threat research
- Known attacker infrastructure with recent activity (2-day freshness filter)
Field mapping preserves threat context — IP indicators maintain confidence scores, URL indicators include categorisation metadata for security team triage.
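The Automation Mechanism and Detection Surface sections above describe the same pipeline end to end: page through the CCF feed with a PersistentToken, parse the NDJSON body, drop indicators older than the 2-day freshness window, and map each survivor to a SentinelOne IOC whose source is "Cyren" so the STAR rule can match it. The following Python is an added illustration of that pipeline, not code from the playbook or from Cyren or SentinelOne. The feed field names (`ip`, `url`, `score`, `category`, `last_seen`), the sample records, and the SentinelOne IOC body fields are assumptions modelled on the description; the account/site scoping filter the SentinelOne API expects is omitted.

```python
"""Added example: Cyren-style NDJSON feed -> SentinelOne IOC records.

Illustrative code written for this page; not the CyrenToSentinelOne playbook.
Feed field names and the SentinelOne IOC fields are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed pages (NDJSON). The IP feed ends with a truncated
# record and a blank trailer line, the two edge cases a parser must survive.
SAMPLE_IP_FEED = """\
{"ip": "203.0.113.10", "score": 95, "last_seen": "2024-05-02T08:00:00Z"}
{"ip": "198.51.100.7", "score": 60, "last_seen": "2024-04-20T08:00:00Z"}
{"ip": "203.0.113.77", "score": 88, "last_seen": "2024-05-01T12:30:00Z"
"""
SAMPLE_URL_FEED = """\
{"url": "http://malware.example/payload.exe", "category": "Malware", "last_seen": "2024-05-02T06:00:00Z"}
{"url": "http://old.example/drop.bin", "category": "Malware", "last_seen": "2024-03-01T00:00:00Z"}
"""

NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock, reproducible
FRESHNESS = timedelta(days=2)  # the playbook's 2-day freshness filter


def fetch_all_pages(fetch_page):
    """Follow PersistentToken pagination.

    fetch_page(token) performs one request (None = first page) and returns
    (ndjson_text, next_token); iteration stops when no token comes back.
    """
    token, chunks = None, []
    while True:
        text, token = fetch_page(token)
        chunks.append(text)
        if not token:
            return "\n".join(chunks)


def parse_ndjson(text):
    """Return (records, malformed_count); blank and unparsable lines are skipped."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # one broken line must not abort the whole page
    return records, bad


def is_fresh(record, now=NOW, window=FRESHNESS):
    """Keep only indicators last seen inside the freshness window."""
    seen = datetime.fromisoformat(record["last_seen"].replace("Z", "+00:00"))
    return now - seen <= window


def to_s1_ioc(record, now=NOW):
    """Map one feed record to a SentinelOne IOC object (field names assumed)."""
    if "ip" in record:
        ioc_type, value = "IPV4", record["ip"]
        description = f"Cyren IP reputation score {record['score']}"  # keeps confidence
    else:
        ioc_type, value = "URL", record["url"]
        description = f"Cyren category: {record['category']}"  # keeps categorisation
    return {
        "type": ioc_type,
        "value": value,
        "method": "EQUALS",
        "source": "Cyren",  # what the STAR rule IndicatorSource = "Cyren" matches on
        "name": f"Cyren {ioc_type} {value}",
        "description": description,
        "validUntil": (now + timedelta(days=30)).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }


def build_payload(*feeds, now=NOW):
    """Parse every feed page, filter for freshness, and build the IOC POST body."""
    iocs, stale, bad = [], 0, 0
    for feed in feeds:
        records, malformed = parse_ndjson(feed)
        bad += malformed
        for rec in records:
            if not is_fresh(rec, now):
                stale += 1
                continue
            iocs.append(to_s1_ioc(rec, now))
    return {"data": iocs}, stale, bad


if __name__ == "__main__":
    body, stale, bad = build_payload(SAMPLE_IP_FEED, SAMPLE_URL_FEED)
    print(json.dumps(body, indent=2))
    print(f"dropped {stale} stale, {bad} malformed")
```

Counting dropped-stale and malformed records separately matters operationally: a sudden rise in malformed lines points at a feed format change, while a rise in stale records points at a polling gap, and only the `data` array is what gets POSTed to `/web/api/v2.1/threat-intelligence/iocs`.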
Affected Files
Solutions/Cyren-SentinelOne-ThreatIntelligence/Package/testParameters.json
Solutions/Cyren-SentinelOne-ThreatIntelligence/Playbooks/CyrenToSentinelOne_Playbook.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CyrenSentinelOne.json, createUiDefinition.json, mainTemplate.json)