Group-IB Threat Intelligence

Classifiers

Group-IB Threat Intelligence (classifier)

• Updated the Group-IB Threat Intelligence (classifier) classifier to support the GIB SPD incident type for the compromised/spd collection.
• Updated the Group-IB Threat Intelligence (classifier) classifier to map compromised/masked_card records to the new GIB Compromised Masked Card incident type.

Incident Fields

GIB Address

• Updated to connect to GIB Compromised Masked Card

GIB Base Name

• Created to use to the GIB Compromised Masked Card

GIB CNC

• Updated to connect to GIB Compromised Masked Card

GIB CNC ASN

• Created to use to the GIB Compromised Masked Card

GIB CNC City

• Created to use to the GIB Compromised Masked Card

GIB CNC Country Code

• Created to use to the GIB Compromised Masked Card

GIB CNC Country Name

• Created to use to the GIB Compromised Masked Card

GIB CNC Domain

• Created to use to the GIB Compromised Masked Card

GIB CNC IP

• Created to use to the GIB Compromised Masked Card

GIB CNC Provider

• Created to use to the GIB Compromised Masked Card

GIB CNC Region

• Created to use to the GIB Compromised Masked Card

GIB CNC URL

• Created to use to the GIB Compromised Masked Card

GIB CVV

• Updated to connect to GIB Compromised Masked Card

GIB Card BIN

• Created to use to the GIB Compromised Masked Card

GIB Card Category

• Created to use to the GIB Compromised Masked Card

GIB Card Dump

• Created to use to the GIB Compromised Masked Card

GIB Card Issuer

• Created to use to the GIB Compromised Masked Card

GIB Card Issuer Country Code

• Created to use to the GIB Compromised Masked Card

GIB Card Issuer Country Name

• Created to use to the GIB Compromised Masked Card

GIB Card Number

• Created to use to the GIB Compromised Masked Card

GIB Card PIN

• Created to use to the GIB Compromised Masked Card

GIB Card Type

• Created to use to the GIB Compromised Masked Card

GIB Card Valid Thru

• Created to use to the GIB Compromised Masked Card

GIB Card Valid Thru Date

• Created to use to the GIB Compromised Masked Card

GIB Client ASN

• Created to use to the GIB Compromised Masked Card

GIB Client City

• Created to use to the GIB Compromised Masked Card

GIB Client Country Code

• Created to use to the GIB Compromised Masked Card

GIB Client Country Name

• Created to use to the GIB Compromised Masked Card

GIB Client IP

• Created to use to the GIB Compromised Masked Card

GIB Client Provider

• Created to use to the GIB Compromised Masked Card

GIB Client Region

• Created to use to the GIB Compromised Masked Card

GIB Date Compromised

• Updated to connect to GIB Compromised Masked Card

GIB Date of Detection

• Updated to connect to GIB Compromised Masked Card

GIB Email

• Updated to connect to GIB Compromised Masked Card

GIB Is Dump

• Created to use to the GIB Compromised Masked Card

GIB Is Expired

• Created to use to the GIB Compromised Masked Card

GIB Is Masked

• Created to use to the GIB Compromised Masked Card

GIB Malware ID

• Created to use to the GIB Compromised Masked Card

GIB Malware Name

• Updated to connect to GIB Compromised Masked Card

GIB Malware STIX GUID

• Created to use to the GIB Compromised Masked Card

GIB Owner Birthday

• Created to use to the GIB Compromised Masked Card

GIB Owner City

• Created to use to the GIB Compromised Masked Card

GIB Owner Country Code

• Created to use to the GIB Compromised Masked Card

GIB Owner Passport

• Created to use to the GIB Compromised Masked Card

GIB Owner State

• Created to use to the GIB Compromised Masked Card

GIB Owner Tax Number

• Created to use to the GIB Compromised Masked Card

GIB Owner ZIP

• Created to use to the GIB Compromised Masked Card

GIB Payment System

• Updated to connect to GIB Compromised Masked Card

GIB Person

• Updated to connect to GIB Compromised Masked Card

GIB Price Currency

• Created to use to the GIB Compromised Masked Card

GIB Price Value

• Created to use to the GIB Compromised Masked Card

GIB Related Indicators Data

• Updated to connect to GIB Compromised Masked Card

GIB Source

• Updated to connect to GIB Compromised Masked Card

GIB Source Link

• Created to use to the GIB Compromised Masked Card

GIB Threat Actor Country

• Updated to connect to GIB Compromised Masked Card

GIB Threat Actor ID

• Updated to connect to GIB Compromised Masked Card

GIB Threat Actor Name

• Updated to connect to GIB Compromised Masked Card

GIB Threat Actor STIX GUID

• Created to use to the GIB Compromised Masked Card

GIB Threat Actor is APT

• Updated to connect to GIB Compromised Masked Card

GIB Track

• Created to use to the GIB Compromised Masked Card

• GIB Admiralty Code

• Updated the GIB Admiralty Code incident field to support for the new compromised/spd collection.

• GIB Credibility

• Updated the GIB Credibility incident field to support for the new compromised/spd collection.

• GIB Date Created At

• Updated the GIB Date Created At incident field to support for the new compromised/spd collection.

• GIB Date First Seen

• Updated the GIB Date First Seen incident field to support for the new compromised/spd collection.

• GIB Date Last Seen

• Updated the GIB Date Last Seen incident field to support for the new compromised/spd collection.

• GIB Nation-State Cybercriminals Threat Actor Aliases

• Updated the GIB Nation-State Cybercriminals Threat Actor Aliases incident field to correct the Incident Field ID.

• GIB Phishing Date Updated

• Updated the GIB Phishing Date Updated incident field to correct the Incident Field ID.

• GIB Portal Link

• Updated the GIB Portal Link incident field to support for the new compromised/spd collection.

• GIB Reliability

• Updated the GIB Reliability incident field to support for the new compromised/spd collection.

• New: GIB SPD Events Table

• New: Added a new incident field- GIB SPD Events Table that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Illegal Score

• New: Added a new incident field- GIB SPD Illegal Score that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Malware Table

• New: Added a new incident field- GIB SPD Malware Table that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Owner Name

• New: Added a new incident field- GIB SPD Owner Name that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Service Type

• New: Added a new incident field- GIB SPD Service Type that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Sources Table

• New: Added a new incident field- GIB SPD Sources Table that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Threat Actor Table

• New: Added a new incident field- GIB SPD Threat Actor Table that required for the implementation of the new compromised/spd collection/

• New: GIB SPD Type

• New: Added a new incident field- GIB SPD Type that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Value

• New: Added a new incident field- GIB SPD Value that required for the implementation of the new compromised/spd collection.

• GIB Scanner Sources

• Updated the GIB Scanner Sources incident field to correct the Incident Field ID.

• GIB Severity

• Updated the GIB Severity incident to support for the new compromised/spd collection.

• New: GIB TTL

• New: Added a new incident field GIB TTL that stores the time-to-live (days) from Group-IB evaluation; associated with GIB SPD.

• GIB Compromised Events Table

• Updated the GIB Compromised Events Table incident field to include CVV.

• GIB ID

• Updated the GIB ID incident field description text.

• New: GIB TLP

• New: Added a new incident field- GIB TLP that stores the Traffic Light Protocol value from Group-IB.

Incident Types

• New: GIB SPD

• New: Added GIB SPD incident type for the compromised/spd (Suspicious Payment Details) collection, with dedicated layout.

• New: GIB Compromised Masked Card

• New: Added GIB Compromised Masked Card incident type for the compromised/masked_card collection, with a dedicated layout and the GIB Rule All Types Pre-Processing Rule applied.

Integrations

Group-IB Threat Intelligence

• Added built-in fetch-time incident deduplication for Group-IB incident IDs using the official Cortex XSOAR duplicate filtering utilities.

• Added support for Skip updated incidents (prevent duplicates) integration parameter. Disabled by default, it can be enabled in environments where Pre-Processing Rules do not work reliably and duplicate suppression must happen directly in fetch logic.

• Added support for Deduplication lookback (days) integration parameter to control how long fetched Group-IB incident IDs are retained in the deduplication cache while built-in deduplication is enabled. Recommended value is 365 days.

• Reworked the deduplication cache cleanup so the Deduplication lookback (days) parameter is honored 1:1: an ID added today is dropped exactly dedup_lookback_days days later, with no hidden multipliers and without pinning the most recent ID forever. The on-disk cache layout (found_incident_ids) is unchanged, preserving forward and backward compatibility with existing last_run state. Upgrade note: previous releases retained IDs for up to 2 × dedup_lookback_days and kept the latest ID indefinitely; after upgrade, IDs older than dedup_lookback_days are pruned on the next fetch. If long-tail duplicates are expected, raise the parameter (for example to 1095 for a three-year window).

• Removed compromised/mule from the Collections to fetch selector so it is no longer exposed as a fetch-incidents option in the integration instance configuration.

• Added first-class support for the new compromised/masked_card collection in the incident integration, including a dedicated incident type and lookup command.

• Added support for the compromised/masked_card collection in the feed integration so top-level CNC domain/IP values can be emitted as indicators.

• Cached the granted-collections check per integration instance to remove duplicate /user/granted_collections calls during fetch, info-by-id and search commands; collection availability is now validated once per command with a single, actionable error message listing all unknown collections.

• Added support for the compromised/spd (Suspicious Payment Details) collection: fetch incidents and map payment-related observables (e.g. cryptocurrency wallets) with type, value, events, sources, malware, threat actors, and evaluation (severity, TLP, TTL).

• Added support for gibti-get-compromised-masked-card-info command that performs Group-IB event lookup in the compromised/masked_card collection by provided ID.

• Added support for gibti-get-compromised-spd-info command that performs Group-IB event lookup in the compromised/spd collection by provided ID.

• Added support for Enable reputation commands parameter that select which reputation commands should be enabled for this integration instance.
  default is none enabled. only the selected commands will perform enrichment and return dbotscore.

• Added support for Ignore Source Reliability override parameter that if true, ignore the instance source reliability setting and use the integration’s computed reliability per indicator.

• Added support for Source Reliability parameter that reliability of the source providing the intelligence data.

• Added support for gibti-get-compromised-account-info command that command performs group ib event lookup in compromised/account collection with provided id.

• Added support for gibti-get-suspicious-ip-vpn-info command that command performs group ib event lookup in suspicious_ip/vpn collection by provided id.

• Added support for gibti-global-search command that command performs global group ib search.

• Added support for gibti-get-compromised-breached-info command that command performs group ib event lookup in compromised/breached collection with provided id.

• Added support for gibti-get-phishing-group-info command that command performs group ib event lookup in attacks/phishing_group collection by provided id.

• Added support for gibti-get-osi-public-leak-info command that command performs group ib event lookup in osi/public_leak collection with provided id.

• Added support for gibti-local-search command that command performs group ib search in selected collection.

• Deprecated the date_from and date_to arguments in gibti-local-search; they are now ignored and seq_update should be used for update-based iteration control.

• Added support for gibti-get-threat-info command that command performs group ib event lookup in hi/threat (or in apt/threat if the apt flag is true) collection with provided id.

• Added support for ip command that runs reputation on ips.

• Added support for gibti-get-osi-git-leak-info command that command performs group ib event lookup in osi/git_leak collection with provided id.

• Added support for gibti-get-suspicious-ip-socks-proxy-info command that command performs group ib event lookup in suspicious_ip/socks_proxy collection with provided id.

• Added support for file command that runs reputation on files.

• Added support for gibti-get-compromised-mule-info command that command performs group ib event lookup in compromised/mule collection with provided id.

• Added support for gibti-get-compromised-card-group-info command that command performs group ib event lookup in compromised/bank_card_group collection by provided id.

• Added support for gibti-get-suspicious-ip-scanner-info command that command performs group ib event lookup in suspicious_ip/scanner collection by provided id.

• Added support for gibti-ip-scoring command that returns groupib scoring for ips (numeric and dbotscore).

• Added support for gibti-get-malware-cnc-info command that command performs group ib event lookup in malware/cnc collection by provided id.

• Added support for gibti-get-available-collections command that returns list of available collections.

• Added support for gibti-get-suspicious-ip-open-proxy-info command that command performs group ib event lookup in suspicious_ip/open_proxy collection with provided id.

• Added support for gibti-get-attacks-ddos-info command that command performs group ib event lookup in attacks/ddos collection with provided id.

• Added support for gibti-get-suspicious-ip-tor-node-info command that command performs group ib event lookup in suspicious_ip/tor_node collection with provided id.

• Added support for gibti-get-osi-vulnerability-info command that command performs group ib event lookup in osi/vulnerability collection with provided id.

• Added support for gibti-get-malware-malware-info command that command performs group ib event lookup in malware/malware collection by provided id.

• Added support for gibti-get-threat-actor-info command that command performs group ib event lookup in hi/threat_actor (or in apt/threat_actor if the apt flag is true) collection with provided id.

• Added support for gibti-get-attacks-deface-info command that command performs group ib event lookup in attacks/deface collection with provided id.

• Added support for domain command that runs reputation on domains.

• Added support for requests_limit argument in the gibtia-local-search command.

• Added support for include_raw_feed argument in the gibtia-local-search command.

• Added support for page_size_limit argument in the gibtia-local-search command.

• Added support for seq_update argument in the gibtia-local-search command.

• Updated the Docker image to: demisto/vendors-sdk:1.0.0.8307504.

Group-IB Threat Intelligence Feed

• Updated the Group-IB Threat Intelligence & Attribution Feed integration to include TLP metadata in incident enrichment.
• Added support for Use TLP from source (per indicator) parameter.
• TLP from source is now supported for the following collections when Use TLP from source is enabled: compromised/account_group, compromised/bank_card_group, compromised/masked_card, attacks/ddos, attacks/deface, attacks/phishing_kit, attacks/phishing_group, apt/threat, hi/threat, osi/vulnerability, osi/git_repository, osi/public_leak, suspicious_ip/tor_node, suspicious_ip/open_proxy, suspicious_ip/socks_proxy, suspicious_ip/vpn, suspicious_ip/scanner. For ioc/common, TLP is always set to AMBER when the option is enabled.
• Fixed a long-standing mapping gap: source TLP (evaluation.tlp) is now propagated for osi/git_repository and osi/public_leak indicators (previously dropped during parsing).
• Aligned ipv4_country_mame parser keys for attacks/phishing_kit and suspicious_ip/scanner collections so geocountry enrichment is now actually populated on the resulting indicators.
• Cached granted-collections check per integration instance and replaced per-collection availability calls with a single batched validation that reports all unknown collections in one error.
• Updated the Docker image to: demisto/vendors-sdk:1.0.0.8307504.

Layouts

• GIB Attacks Deface Layout

• Updated the GIB Attacks Deface Layout layout to add support for GIB TLP.

• New: GIB SPD Layout

• New: Added GIB SPD Layout for the GIB SPD incident type.

• GIB SPD Layout

• Trimmed GIB SPD Layout by removing the unused Linked Incidents, Child Incidents, Evidence and Team Members widgets from the Incident Info tab and the Evidence Board / Related Incidents tabs to keep the layout focused on payment-detail context.

• New: GIB Compromised Masked Card Layout

• New: Added GIB Compromised Masked Card Layout for the GIB Compromised Masked Card incident type, surfacing card / client / CNC / owner / malware / threat actor / source / evaluation context with the related-indicators grid.

• GIB Attacks DDOS Layout

• Updated the GIB Attacks DDOS Layout to add the GIB TLP field.

• GIB Attacks Phishing Group Layout

• Updated the GIB Attacks Phishing Group Layout to add the GIB TLP field.

• GIB Attacks Phishing Kit Layout

• Updated the GIB Attacks Phishing Kit Layout to add the GIB TLP field.

• Updated the GIB Compromised Account Group Layout to add the GIB TLP field.

• GIB Compromised Account Group Layout

• Updated the GIB Compromised Card Group Layout to add the GIB TLP field.

• GIB Compromised Card Group Layout

• Updated the GIB Compromised Mule Layout to add the GIB TLP field.

• GIB Compromised Mule Layout

• Updated the GIB Cybercriminal Threat Layout to add the GIB TLP field.

• GIB Cybercriminal Threat Layout

• Updated the GIB Data Breach Layout to add the GIB TLP field.

• GIB Data Breach Layout

• Updated the GIB Nation-State Cybercriminals Threat Layout to add the GIB TLP field.

• GIB Nation-State Cybercriminals Threat Layout

• Updated the GIB OSI Git Leak Layout to add the GIB TLP field.

• GIB OSI Git Leak Layout

• Updated the GIB OSI Public Leak Layout to add the GIB TLP field.

• GIB OSI Public Leak Layout

• Updated the GIB OSI Vulnerability Layout to add the GIB TLP field.

• GIB OSI Vulnerability Layout

• Updated the GIB Suspicious IP Open Proxy Layout to add the GIB TLP field.

• GIB Suspicious IP Open Proxy Layout

• Updated the GIB Suspicious IP Scanner Layout to add the GIB TLP field.

• GIB Suspicious IP Scanner Layout

• Updated the GIB Suspicious IP Socks Proxy Layout to add the GIB TLP field.

• GIB Suspicious IP Socks Proxy Layout

• Updated the GIB Suspicious IP TOR Node Layout to add the GIB TLP field.

• GIB Suspicious IP TOR Node Layout

• Updated the GIB Suspicious IP TOR Node Layout to add the GIB TLP field.

• GIB Suspicious IP VPN Layout

• Updated the GIB Suspicious IP VPN Layout to add the GIB TLP field.

Mappers

Group-IB Threat Intelligence (mapper)

• Updated the Group-IB Threat Intelligence (mapper) mapper to populate the GIB TLP field from the source evaluation data.
• Updated the Group-IB Threat Intelligence (mapper) mapper to support GIB SPD incident type: full mapping for type, value, serviceType, ownerName, illegalScore, dates (createdAt, firstSeenAt, lastSeenAt), portalLink, events table, sources table, malware table, threat actor table, and evaluation (admiraltyCode, credibility, reliability, severity, TLP, TTL).
• Updated the Group-IB Threat Intelligence (mapper) mapper to support GIB Compromised Masked Card incident type: full mapping for card data (BIN, number, CVV, dump, PIN, type, category, payment system, valid-thru), client geo/network context, CNC observables (URL, domain, IPv4 with ASN/region/provider/country), owner data (name, address, birthday, passport, tax number, ZIP, state, city, country, email, phone), price (currency, value), source (sourceType, sourceLink, portalLink), malware (name, ID, STIX GUID), threat actor (name, ID, STIX GUID, country, isAPT), evaluation (admiraltyCode, credibility, reliability, severity, TLP, TTL), and the boolean status flags (isDump, isExpired, isMasked).

Pre Process Rules

GIB Rule

• Disabled by default

GIB Rule All Types

• Created to work with a new, improved script for a continuous process of deduplication and incident updates

Scripts

GIBIncidentUpdate

• Updated the Docker image to: demisto/python3:3.12.13.8428455.

GIBIncidentUpdateAllTypes

• Bumped script fromversion to 6.10.0 to align with the rest of the pack.
• Added a new fallback Pre-Processing Rule script for customers who want the improved duplicate-handling logic without excluding the GIB Data Breach incident type in rule filters.
• Reworked existing-duplicate retrieval to stream getIncidents pages on demand instead of materializing up to MAX_INCIDENTS matches in memory. Memory usage is now bounded by PAGE_SIZE regardless of how many duplicates exist, and setIncident calls are interleaved with page fetches so failures on later pages do not waste work on already-collected updates.
• Hardened gibid extraction to look up the incoming incident in CustomFields → top-level → labels → rawJSON order, and guarded reserved keys (id, CustomFields) on setIncident calls so the update payload cannot accidentally redirect to the incoming incident.
• The public find_existing_incidents helper is preserved as a backward-compatible adapter (now backed by the new streaming iterator), so existing playbooks and tests continue to work unchanged.

GIBIncidentUpdateIncludingClosed

• Updated the Docker image to: demisto/python3:3.12.13.8428455.

Pre Process Rules

gib_rule

• Documentation and metadata improvements.

• Documentation and metadata improvements.

Integrations

Group-IB Threat Intelligence

• Breaking Changes: Removed the exclude_combolist parameter (previously named "Exclude All with Combolist type"). This parameter has been replaced with the new Include combolist type in data parameter.
• Added support for Include combolist type in data parameter that works only for compromised/account_group. if the parameter is enabled, the response contains combolist data. if you enable "include unique type in data" with this filter, the response will contain data of both types. if "include combolist type in data" and "include unique type in data" are disabled, the response will contain data of both types.
• Added support for Limit (items per request) parameter that number of items requested per api page. larger values reduce api roundtrips but may increase response size. serverside caps may apply.
• Added support for Include unique type in data parameter that works only for compromised/account_group. if the parameter is enabled, the response contains unique data. if you enable “include combolist type in data” with this filter, the response will contain data of both types. if “include combolist type in data” and “include unique type in data” are disabled, the response will contain data of both types.

Group-IB Threat Intelligence Feed

• Added support for Limit (items per request) parameter that number of items requested per api page. larger values reduce api roundtrips but may increase response size. serverside caps may apply.

Scripts

GIBIncidentUpdate

• Updated the Docker image to: demisto/python3:3.12.12.5490952.

GIBIncidentUpdateIncludingClosed

• Updated the Docker image to: demisto/python3:3.12.12.5490952.

Changes are not relevant for XSOAR marketplace.

Integrations

Group-IB Threat Intelligence Feed

• Updated the Docker image to: demisto/vendors-sdk:1.0.0.5505539.

Group-IB Threat Intelligence

• Updated the Docker image to: demisto/vendors-sdk:1.0.0.5505539.

Integrations

Group-IB Threat Intelligence

• Added support for Exclude All with Combolist type parameter to exclude all data in the compromised/account_group collection whose SourceType is Combolist.
• Added support for Enable filter "Probable Corporate Access parameter allowing the “Probable Corporate Access” filter to be enabled for collection
• Fixed a bug with data collection from compromised/account_group and search.

Group-IB Threat Intelligence Feed

Documentation and metadata improvements.

Scripts

GIBIncidentUpdate

• Updated the Docker image to: demisto/python3:3.12.8.3296088.

GIBIncidentUpdateIncludingClosed

• Updated the Docker image to: demisto/python3:3.12.8.3296088.

Classifiers

Group-IB Threat Intelligence (classifier)

• Updated the Group-IB Threat Intelligence (classifier) classifier to support the GIB SPD incident type for the compromised/spd collection.
• Updated the Group-IB Threat Intelligence (classifier) classifier to map compromised/masked_card records to the new GIB Compromised Masked Card incident type.

Incident Fields

GIB Address

• Updated to connect to GIB Compromised Masked Card

GIB Base Name

• Created to use to the GIB Compromised Masked Card

GIB CNC

• Updated to connect to GIB Compromised Masked Card

GIB CNC ASN

• Created to use to the GIB Compromised Masked Card

GIB CNC City

• Created to use to the GIB Compromised Masked Card

GIB CNC Country Code

• Created to use to the GIB Compromised Masked Card

GIB CNC Country Name

• Created to use to the GIB Compromised Masked Card

GIB CNC Domain

• Created to use to the GIB Compromised Masked Card

GIB CNC IP

• Created to use to the GIB Compromised Masked Card

GIB CNC Provider

• Created to use to the GIB Compromised Masked Card

GIB CNC Region

• Created to use to the GIB Compromised Masked Card

GIB CNC URL

• Created to use to the GIB Compromised Masked Card

GIB CVV

• Updated to connect to GIB Compromised Masked Card

GIB Card BIN

• Created to use to the GIB Compromised Masked Card

GIB Card Category

• Created to use to the GIB Compromised Masked Card

GIB Card Dump

• Created to use to the GIB Compromised Masked Card

GIB Card Issuer

• Created to use to the GIB Compromised Masked Card

GIB Card Issuer Country Code

• Created to use to the GIB Compromised Masked Card

GIB Card Issuer Country Name

• Created to use to the GIB Compromised Masked Card

GIB Card Number

• Created to use to the GIB Compromised Masked Card

GIB Card PIN

• Created to use to the GIB Compromised Masked Card

GIB Card Type

• Created to use to the GIB Compromised Masked Card

GIB Card Valid Thru

• Created to use to the GIB Compromised Masked Card

GIB Card Valid Thru Date

• Created to use to the GIB Compromised Masked Card

GIB Client ASN

• Created to use to the GIB Compromised Masked Card

GIB Client City

• Created to use to the GIB Compromised Masked Card

GIB Client Country Code

• Created to use to the GIB Compromised Masked Card

GIB Client Country Name

• Created to use to the GIB Compromised Masked Card

GIB Client IP

• Created to use to the GIB Compromised Masked Card

GIB Client Provider

• Created to use to the GIB Compromised Masked Card

GIB Client Region

• Created to use to the GIB Compromised Masked Card

GIB Date Compromised

• Updated to connect to GIB Compromised Masked Card

GIB Date of Detection

• Updated to connect to GIB Compromised Masked Card

GIB Email

• Updated to connect to GIB Compromised Masked Card

GIB Is Dump

• Created to use to the GIB Compromised Masked Card

GIB Is Expired

• Created to use to the GIB Compromised Masked Card

GIB Is Masked

• Created to use to the GIB Compromised Masked Card

GIB Malware ID

• Created to use to the GIB Compromised Masked Card

GIB Malware Name

• Updated to connect to GIB Compromised Masked Card

GIB Malware STIX GUID

• Created to use to the GIB Compromised Masked Card

GIB Owner Birthday

• Created to use to the GIB Compromised Masked Card

GIB Owner City

• Created to use to the GIB Compromised Masked Card

GIB Owner Country Code

• Created to use to the GIB Compromised Masked Card

GIB Owner Passport

• Created to use to the GIB Compromised Masked Card

GIB Owner State

• Created to use to the GIB Compromised Masked Card

GIB Owner Tax Number

• Created to use to the GIB Compromised Masked Card

GIB Owner ZIP

• Created to use to the GIB Compromised Masked Card

GIB Payment System

• Updated to connect to GIB Compromised Masked Card

GIB Person

• Updated to connect to GIB Compromised Masked Card

GIB Price Currency

• Created to use to the GIB Compromised Masked Card

GIB Price Value

• Created to use to the GIB Compromised Masked Card

GIB Related Indicators Data

• Updated to connect to GIB Compromised Masked Card

GIB Source

• Updated to connect to GIB Compromised Masked Card

GIB Source Link

• Created to use to the GIB Compromised Masked Card

GIB Threat Actor Country

• Updated to connect to GIB Compromised Masked Card

GIB Threat Actor ID

• Updated to connect to GIB Compromised Masked Card

GIB Threat Actor Name

• Updated to connect to GIB Compromised Masked Card

GIB Threat Actor STIX GUID

• Created to use to the GIB Compromised Masked Card

GIB Threat Actor is APT

• Updated to connect to GIB Compromised Masked Card

GIB Track

• Created to use to the GIB Compromised Masked Card

• GIB Admiralty Code

• Updated the GIB Admiralty Code incident field to support for the new compromised/spd collection.

• GIB Credibility

• Updated the GIB Credibility incident field to support for the new compromised/spd collection.

• GIB Date Created At

• Updated the GIB Date Created At incident field to support for the new compromised/spd collection.

• GIB Date First Seen

• Updated the GIB Date First Seen incident field to support for the new compromised/spd collection.

• GIB Date Last Seen

• Updated the GIB Date Last Seen incident field to support for the new compromised/spd collection.

• GIB Nation-State Cybercriminals Threat Actor Aliases

• Updated the GIB Nation-State Cybercriminals Threat Actor Aliases incident field to correct the Incident Field ID.

• GIB Phishing Date Updated

• Updated the GIB Phishing Date Updated incident field to correct the Incident Field ID.

• GIB Portal Link

• Updated the GIB Portal Link incident field to support for the new compromised/spd collection.

• GIB Reliability

• Updated the GIB Reliability incident field to support for the new compromised/spd collection.

• New: GIB SPD Events Table

• New: Added a new incident field- GIB SPD Events Table that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Illegal Score

• New: Added a new incident field- GIB SPD Illegal Score that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Malware Table

• New: Added a new incident field- GIB SPD Malware Table that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Owner Name

• New: Added a new incident field- GIB SPD Owner Name that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Service Type

• New: Added a new incident field- GIB SPD Service Type that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Sources Table

• New: Added a new incident field- GIB SPD Sources Table that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Threat Actor Table

• New: Added a new incident field- GIB SPD Threat Actor Table that required for the implementation of the new compromised/spd collection/

• New: GIB SPD Type

• New: Added a new incident field- GIB SPD Type that required for the implementation of the new compromised/spd collection.

• New: GIB SPD Value

• New: Added a new incident field- GIB SPD Value that required for the implementation of the new compromised/spd collection.

• GIB Scanner Sources

• Updated the GIB Scanner Sources incident field to correct the Incident Field ID.

• GIB Severity

• Updated the GIB Severity incident to support for the new compromised/spd collection.

• New: GIB TTL

• New: Added a new incident field GIB TTL that stores the time-to-live (days) from Group-IB evaluation; associated with GIB SPD.

• GIB Compromised Events Table

• Updated the GIB Compromised Events Table incident field to include CVV.

• GIB ID

• Updated the GIB ID incident field description text.

• New: GIB TLP

• New: Added a new incident field- GIB TLP that stores the Traffic Light Protocol value from Group-IB.

Incident Types

• New: GIB SPD

• New: Added GIB SPD incident type for the compromised/spd (Suspicious Payment Details) collection, with dedicated layout.

• New: GIB Compromised Masked Card

• New: Added GIB Compromised Masked Card incident type for the compromised/masked_card collection, with a dedicated layout and the GIB Rule All Types Pre-Processing Rule applied.

Integrations

Group-IB Threat Intelligence

• Added built-in fetch-time incident deduplication for Group-IB incident IDs using the official Cortex XSOAR duplicate filtering utilities.

• Added support for Skip updated incidents (prevent duplicates) integration parameter. Disabled by default, it can be enabled in environments where Pre-Processing Rules do not work reliably and duplicate suppression must happen directly in fetch logic.

• Added support for Deduplication lookback (days) integration parameter to control how long fetched Group-IB incident IDs are retained in the deduplication cache while built-in deduplication is enabled. Recommended value is 365 days.

• Reworked the deduplication cache cleanup so the Deduplication lookback (days) parameter is honored 1:1: an ID added today is dropped exactly dedup_lookback_days days later, with no hidden multipliers and without pinning the most recent ID forever. The on-disk cache layout (found_incident_ids) is unchanged, preserving forward and backward compatibility with existing last_run state. Upgrade note: previous releases retained IDs for up to 2 × dedup_lookback_days and kept the latest ID indefinitely; after upgrade, IDs older than dedup_lookback_days are pruned on the next fetch. If long-tail duplicates are expected, raise the parameter (for example to 1095 for a three-year window).

• Removed compromised/mule from the Collections to fetch selector so it is no longer exposed as a fetch-incidents option in the integration instance configuration.

• Added first-class support for the new compromised/masked_card collection in the incident integration, including a dedicated incident type and lookup command.

• Added support for the compromised/masked_card collection in the feed integration so top-level CNC domain/IP values can be emitted as indicators.

• Cached the granted-collections check per integration instance to remove duplicate /user/granted_collections calls during fetch, info-by-id and search commands; collection availability is now validated once per command with a single, actionable error message listing all unknown collections.

• Added support for the compromised/spd (Suspicious Payment Details) collection: fetch incidents and map payment-related observables (e.g. cryptocurrency wallets) with type, value, events, sources, malware, threat actors, and evaluation (severity, TLP, TTL).

• Added support for gibti-get-compromised-masked-card-info command that performs Group-IB event lookup in the compromised/masked_card collection by provided ID.

• Added support for gibti-get-compromised-spd-info command that performs Group-IB event lookup in the compromised/spd collection by provided ID.

• Added support for Enable reputation commands parameter that select which reputation commands should be enabled for this integration instance.
  default is none enabled. only the selected commands will perform enrichment and return dbotscore.

• Added support for Ignore Source Reliability override parameter that if true, ignore the instance source reliability setting and use the integration’s computed reliability per indicator.

• Added support for Source Reliability parameter that reliability of the source providing the intelligence data.

• Added support for gibti-get-compromised-account-info command that command performs group ib event lookup in compromised/account collection with provided id.

• Added support for gibti-get-suspicious-ip-vpn-info command that command performs group ib event lookup in suspicious_ip/vpn collection by provided id.

• Added support for gibti-global-search command that command performs global group ib search.

• Added support for gibti-get-compromised-breached-info command that command performs group ib event lookup in compromised/breached collection with provided id.

• Added support for gibti-get-phishing-group-info command that command performs group ib event lookup in attacks/phishing_group collection by provided id.

• Added support for gibti-get-osi-public-leak-info command that command performs group ib event lookup in osi/public_leak collection with provided id.

• Added support for gibti-local-search command that command performs group ib search in selected collection.

• Deprecated the date_from and date_to arguments in gibti-local-search; they are now ignored and seq_update should be used for update-based iteration control.

• Added support for gibti-get-threat-info command that command performs group ib event lookup in hi/threat (or in apt/threat if the apt flag is true) collection with provided id.

• Added support for ip command that runs reputation on ips.

• Added support for gibti-get-osi-git-leak-info command that command performs group ib event lookup in osi/git_leak collection with provided id.

• Added support for gibti-get-suspicious-ip-socks-proxy-info command that command performs group ib event lookup in suspicious_ip/socks_proxy collection with provided id.

• Added support for file command that runs reputation on files.

• Added support for gibti-get-compromised-mule-info command that command performs group ib event lookup in compromised/mule collection with provided id.

• Added support for gibti-get-compromised-card-group-info command that command performs group ib event lookup in compromised/bank_card_group collection by provided id.

• Added support for gibti-get-suspicious-ip-scanner-info command that command performs group ib event lookup in suspicious_ip/scanner collection by provided id.

• Added support for gibti-ip-scoring command that returns groupib scoring for ips (numeric and dbotscore).

• Added support for gibti-get-malware-cnc-info command that command performs group ib event lookup in malware/cnc collection by provided id.

• Added support for gibti-get-available-collections command that returns list of available collections.

• Added support for gibti-get-suspicious-ip-open-proxy-info command that command performs group ib event lookup in suspicious_ip/open_proxy collection with provided id.

• Added support for gibti-get-attacks-ddos-info command that command performs group ib event lookup in attacks/ddos collection with provided id.

• Added support for gibti-get-suspicious-ip-tor-node-info command that command performs group ib event lookup in suspicious_ip/tor_node collection with provided id.

• Added support for gibti-get-osi-vulnerability-info command that command performs group ib event lookup in osi/vulnerability collection with provided id.

• Added support for gibti-get-malware-malware-info command that command performs group ib event lookup in malware/malware collection by provided id.

• Added support for gibti-get-threat-actor-info command that command performs group ib event lookup in hi/threat_actor (or in apt/threat_actor if the apt flag is true) collection with provided id.

• Added support for gibti-get-attacks-deface-info command that command performs group ib event lookup in attacks/deface collection with provided id.

• Added support for domain command that runs reputation on domains.

• Added support for requests_limit argument in the gibtia-local-search command.

• Added support for include_raw_feed argument in the gibtia-local-search command.

• Added support for page_size_limit argument in the gibtia-local-search command.

• Added support for seq_update argument in the gibtia-local-search command.

• Updated the Docker image to: demisto/vendors-sdk:1.0.0.8307504.

Group-IB Threat Intelligence Feed

• Updated the Group-IB Threat Intelligence & Attribution Feed integration to include TLP metadata in incident enrichment.
• Added support for Use TLP from source (per indicator) parameter.
• TLP from source is now supported for the following collections when Use TLP from source is enabled: compromised/account_group, compromised/bank_card_group, compromised/masked_card, attacks/ddos, attacks/deface, attacks/phishing_kit, attacks/phishing_group, apt/threat, hi/threat, osi/vulnerability, osi/git_repository, osi/public_leak, suspicious_ip/tor_node, suspicious_ip/open_proxy, suspicious_ip/socks_proxy, suspicious_ip/vpn, suspicious_ip/scanner. For ioc/common, TLP is always set to AMBER when the option is enabled.
• Fixed a long-standing mapping gap: source TLP (evaluation.tlp) is now propagated for osi/git_repository and osi/public_leak indicators (previously dropped during parsing).
• Aligned ipv4_country_mame parser keys for attacks/phishing_kit and suspicious_ip/scanner collections so geocountry enrichment is now actually populated on the resulting indicators.
• Cached granted-collections check per integration instance and replaced per-collection availability calls with a single batched validation that reports all unknown collections in one error.
• Updated the Docker image to: demisto/vendors-sdk:1.0.0.8307504.

Layouts

• GIB Attacks Deface Layout

• Updated the GIB Attacks Deface Layout layout to add support for GIB TLP.

• New: GIB SPD Layout

• New: Added GIB SPD Layout for the GIB SPD incident type.

• GIB SPD Layout

• Trimmed GIB SPD Layout by removing the unused Linked Incidents, Child Incidents, Evidence and Team Members widgets from the Incident Info tab and the Evidence Board / Related Incidents tabs to keep the layout focused on payment-detail context.

• New: GIB Compromised Masked Card Layout

• New: Added GIB Compromised Masked Card Layout for the GIB Compromised Masked Card incident type, surfacing card / client / CNC / owner / malware / threat actor / source / evaluation context with the related-indicators grid.

• GIB Attacks DDOS Layout

• Updated the GIB Attacks DDOS Layout to add the GIB TLP field.

• GIB Attacks Phishing Group Layout

• Updated the GIB Attacks Phishing Group Layout to add the GIB TLP field.

• GIB Attacks Phishing Kit Layout

• Updated the GIB Attacks Phishing Kit Layout to add the GIB TLP field.

• Updated the GIB Compromised Account Group Layout to add the GIB TLP field.

• GIB Compromised Account Group Layout

• Updated the GIB Compromised Card Group Layout to add the GIB TLP field.

• GIB Compromised Card Group Layout

• Updated the GIB Compromised Mule Layout to add the GIB TLP field.

• GIB Compromised Mule Layout

• Updated the GIB Cybercriminal Threat Layout to add the GIB TLP field.

• GIB Cybercriminal Threat Layout

• Updated the GIB Data Breach Layout to add the GIB TLP field.

• GIB Data Breach Layout

• Updated the GIB Nation-State Cybercriminals Threat Layout to add the GIB TLP field.

• GIB Nation-State Cybercriminals Threat Layout

• Updated the GIB OSI Git Leak Layout to add the GIB TLP field.

• GIB OSI Git Leak Layout

• Updated the GIB OSI Public Leak Layout to add the GIB TLP field.

• GIB OSI Public Leak Layout

• Updated the GIB OSI Vulnerability Layout to add the GIB TLP field.

• GIB OSI Vulnerability Layout

• Updated the GIB Suspicious IP Open Proxy Layout to add the GIB TLP field.

• GIB Suspicious IP Open Proxy Layout

• Updated the GIB Suspicious IP Scanner Layout to add the GIB TLP field.

• GIB Suspicious IP Scanner Layout

• Updated the GIB Suspicious IP Socks Proxy Layout to add the GIB TLP field.

• GIB Suspicious IP Socks Proxy Layout

• Updated the GIB Suspicious IP TOR Node Layout to add the GIB TLP field.

• GIB Suspicious IP TOR Node Layout

• Updated the GIB Suspicious IP TOR Node Layout to add the GIB TLP field.

• GIB Suspicious IP VPN Layout

• Updated the GIB Suspicious IP VPN Layout to add the GIB TLP field.

Mappers

Group-IB Threat Intelligence (mapper)

• Updated the Group-IB Threat Intelligence (mapper) mapper to populate the GIB TLP field from the source evaluation data.
• Updated the Group-IB Threat Intelligence (mapper) mapper to support GIB SPD incident type: full mapping for type, value, serviceType, ownerName, illegalScore, dates (createdAt, firstSeenAt, lastSeenAt), portalLink, events table, sources table, malware table, threat actor table, and evaluation (admiraltyCode, credibility, reliability, severity, TLP, TTL).
• Updated the Group-IB Threat Intelligence (mapper) mapper to support GIB Compromised Masked Card incident type: full mapping for card data (BIN, number, CVV, dump, PIN, type, category, payment system, valid-thru), client geo/network context, CNC observables (URL, domain, IPv4 with ASN/region/provider/country), owner data (name, address, birthday, passport, tax number, ZIP, state, city, country, email, phone), price (currency, value), source (sourceType, sourceLink, portalLink), malware (name, ID, STIX GUID), threat actor (name, ID, STIX GUID, country, isAPT), evaluation (admiraltyCode, credibility, reliability, severity, TLP, TTL), and the boolean status flags (isDump, isExpired, isMasked).

Pre Process Rules

GIB Rule

• Disabled by default

GIB Rule All Types

• Created to work with a new, improved script for a continuous process of deduplication and incident updates

Scripts

GIBIncidentUpdate

• Updated the Docker image to: demisto/python3:3.12.13.8428455.

GIBIncidentUpdateAllTypes

• Bumped script fromversion to 6.10.0 to align with the rest of the pack.
• Added a new fallback Pre-Processing Rule script for customers who want the improved duplicate-handling logic without excluding the GIB Data Breach incident type in rule filters.
• Reworked existing-duplicate retrieval to stream getIncidents pages on demand instead of materializing up to MAX_INCIDENTS matches in memory. Memory usage is now bounded by PAGE_SIZE regardless of how many duplicates exist, and setIncident calls are interleaved with page fetches so failures on later pages do not waste work on already-collected updates.
• Hardened gibid extraction to look up the incoming incident in CustomFields → top-level → labels → rawJSON order, and guarded reserved keys (id, CustomFields) on setIncident calls so the update payload cannot accidentally redirect to the incoming incident.
• The public find_existing_incidents helper is preserved as a backward-compatible adapter (now backed by the new streaming iterator), so existing playbooks and tests continue to work unchanged.

GIBIncidentUpdateIncludingClosed

• Updated the Docker image to: demisto/python3:3.12.13.8428455.

Changes are not relevant for XSIAM marketplace.

• Documentation and metadata improvements.

Integrations

Group-IB Threat Intelligence

• Breaking Changes: Removed the exclude_combolist parameter (previously named "Exclude All with Combolist type"). This parameter has been replaced with the new Include combolist type in data parameter.
• Added support for Include combolist type in data parameter that works only for compromised/account_group. if the parameter is enabled, the response contains combolist data. if you enable "include unique type in data" with this filter, the response will contain data of both types. if "include combolist type in data" and "include unique type in data" are disabled, the response will contain data of both types.
• Added support for Limit (items per request) parameter that number of items requested per api page. larger values reduce api roundtrips but may increase response size. serverside caps may apply.
• Added support for Include unique type in data parameter that works only for compromised/account_group. if the parameter is enabled, the response contains unique data. if you enable “include combolist type in data” with this filter, the response will contain data of both types. if “include combolist type in data” and “include unique type in data” are disabled, the response will contain data of both types.

Group-IB Threat Intelligence Feed

• Added support for Limit (items per request) parameter that number of items requested per api page. larger values reduce api roundtrips but may increase response size. serverside caps may apply.

Scripts

GIBIncidentUpdate

• Updated the Docker image to: demisto/python3:3.12.12.5490952.

GIBIncidentUpdateIncludingClosed

• Updated the Docker image to: demisto/python3:3.12.12.5490952.

Changes are not relevant for XSIAM marketplace.

Integrations

Group-IB Threat Intelligence Feed

• Updated the Docker image to: demisto/vendors-sdk:1.0.0.5505539.

Group-IB Threat Intelligence

• Updated the Docker image to: demisto/vendors-sdk:1.0.0.5505539.

Integrations

Group-IB Threat Intelligence

• Added support for Exclude All with Combolist type parameter to exclude all data in the compromised/account_group collection whose SourceType is Combolist.
• Added support for Enable filter "Probable Corporate Access parameter allowing the “Probable Corporate Access” filter to be enabled for collection
• Fixed a bug with data collection from compromised/account_group and search.

Group-IB Threat Intelligence Feed

Documentation and metadata improvements.

Scripts

GIBIncidentUpdate

• Updated the Docker image to: demisto/python3:3.12.8.3296088.

GIBIncidentUpdateIncludingClosed

• Updated the Docker image to: demisto/python3:3.12.8.3296088.