Group-IB Threat Intelligence

Details
Content
Dependencies
Version History

Group-IB Threat Intelligence is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools, and activity. Use this pack to fast receive incidents related to you, attribute them to adversaries to do instant response, enrich your security with an enormous IOCs collection, and provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.

Nowadays businesses in any sphere may have problems with their cybersecurity: from simple phishing to professional cybercriminals, so it is very important to respond to incidents quickly.

Group-IB Threat Intelligence Pack can help you with managing your incident and indicators from Group-IB within the SOAR system.

What does this pack do?

Receive incidents and attribute them to adversaries.
Enrich security system with IOCs.
Provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.

As part of this pack, you will also get incident types, fields, and layouts; indicator types, fields, and layouts; the classifier and mapper for properly delivering data to these types and fields. Also, you will get a playbook, that enriches incidents, upcoming from Group-IB with threat reports and threat actor information.

Incident Postprocessing - Group-IB Threat Intelligence

Nowadays businesses in any sphere may have problems with their cybersecurity: from simple phishing to professional cybercriminals, so it is very important to respond to incidents quickly.

Group-IB Threat Intelligence Pack can help you with managing your incident and indicators from Group-IB within the SOAR system.

What does this pack do?

Receive incidents and attribute them to adversaries.
Enrich security system with IOCs.
Provide possibilities for manual investigation through Group-IB data via Cortex XSIAM interface.

Incident Postprocessing - Group-IB Threat Intelligence

Automations

Name	Description
GIBIncidentUpdateIncludingClosed	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GIBIncidentUpdate	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations

Classifiers

Name	Description
Group-IB Threat Intelligence (classifier)
Group-IB Threat Intelligence (mapper)

Incident Fields

Name	Description
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Repository
GIB Downloaded From
GIB Drop Email
GIB Reliability	Reliability of the source
GIB Target Brand
GIB Revisions
GIB Phishing Domain
GIB Leaked File Name
GIB Inject Dump
GIB Data Hash
GIB Favicon
GIB ID	ID of event in GIB TIA
GIB Phishing Kit Emails
GIB Threat Actor Name
GIB Title
GIB Date of Detection
GIB Phishing Status
GIB HTML
GIB Drop Email Domain
GIB Card Issuer	Issuer of compromised card
GIB Leak Name
GIB Phishing Kit Hash
GIB Date Compromised
GIB Compromised Login
GIB Link List
GIB Card Valid Thru
GIB Target Domain
GIB Leaked Data
GIB Password
GIB Malware Name
GIB Phishing Type
GIB Related Indicators Data
GIB Email
GIB CVV	Compromised card CVV
GIB Card Number
GIB Phishing Date Blocked
GIB Person
GIB Name Servers
GIB Source	Where the feed comes from to GIB
GIB Portal Link
GIB Date Created
GIB Threat Actor is APT
GIB Inject MD5
GIB Screenshot
GIB Matches
GIB Card Type
GIB Threat Actor ID
GIB Severity
GIB Victim IP
GIB Payment System
GIB Credibility	Level of confidence on the information
GIB Date Expired
GIB Target Category
GIB Address

Incident Types

Name	Description
GIB OSI Public Leak
GIB Data Breach
GIB OSI Git Leak
GIB Compromised Card
GIB Compromised Account
GIB Brand Protection Phishing
GIB Targeted Malware
GIB Brand Protection Phishing Kit

Indicator Fields

Name	Description
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Software Mixed
GIB CVSS Vector
GIB Threat Actor Name
GIB Date Compromised
GIB Phishing Title
GIB Reliability	Reliability of the source
GIB File Name
GIB ID	ID of event in GIB TI&A
GIB Threat Actor is APT
GIB Severity
GIB Proxy Port
GIB Threat Actor ID
GIB Proxy Anonymous	Level of anonymous
GIB Target Category	What category was targeted by phishing
GIB Malware Name
GIB Target Domain	What domain was targeted by phishing
GIB Collection
GIB Credibility	Level of confidence on the information
GIB Target Brand	What brand was targeted by phishing

Integrations

Name	Description
Group-IB Threat Intelligence (Partner Contribution)	Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex XSOAR. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware.
Group-IB Threat Intelligence Feed (Partner Contribution)	Use Group-IB Threat Intelligence Feed integration to fetch IOCs from various Group-IB collections.

Layouts

Name	Description
GIB Victim IP Layout	Layout for GIB Victim IP
GIB Compromised Card Layout	Layout for GIB Compromised Card
GIB Compromised Mule Layout	Layout for GIB Compromised Mule
GIB Compromised IMEI Layout	Layout for GIB Compromised IMEI
GIB OSI Public Leak Layout	Layout for GIB OSI Public Leak
GIB Brand Protection Phishing Layout	Layout for GIB Brand Protection Phishing
GIB Brand Protection Phishing Kit Layout	Layout for GIB Brand Protection Phishing Kit
GIB OSI Git Leak Layout	Layout for GIB OSI Git Leak
GIB Data Breach Layout	Layout for GIB Data Breach
GIB Targeted Malware Layout	Layout for GIB Targeted Malware
GIB Compromised Account Layout	Layout for GIB Compromised Account

Playbooks

Name	Description
Incident Postprocessing - Group-IB Threat Intelligence & Attribution	Obtains additional information on the threat actor involved in the incident and associates related indicators to the incident.

Indicator Types

Name	Description
GIB Compromised Mule
GIB Victim IP
GIB Compromised IMEI

Automations

Name	Description
GIBIncidentUpdate	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GIBAlertUpdate	This script prevents duplication of existing alerts. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GIBIncidentUpdateIncludingClosed	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GIBAlertUpdateIncludingClosed	This script prevents duplication of existing alerts. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations

Classifiers

Name	Description
Group-IB Threat Intelligence (classifier)
Group-IB Threat Intelligence (mapper)

Incident Fields

Name	Description
GIB Date Compromised
GIB Malware Name
GIB Person
GIB Revisions
GIB CVV	Compromised card CVV
GIB Password
GIB Card Type
GIB Phishing Date Blocked
GIB ID	ID of event in GIB TIA
GIB Drop Email Domain
GIB Date Created
GIB Victim IP
GIB Threat Actor Name
GIB Phishing Kit Emails
GIB HTML
GIB Address
GIB Reliability	Reliability of the source
GIB Leak Name
GIB Repository
GIB Favicon
GIB Downloaded From
GIB Inject Dump
GIB Phishing Status
GIB Target Domain
GIB Portal Link
GIB Related Indicators Data
GIB Card Valid Thru
GIB Credibility	Level of confidence on the information
GIB Severity
GIB Card Number
GIB Phishing Type
GIB Card Issuer	Issuer of compromised card
GIB Matches
GIB Screenshot
GIB Threat Actor ID
GIB Date of Detection
GIB Phishing Domain
GIB Data Hash
GIB Leaked Data
GIB Email
GIB Drop Email
GIB Title
GIB Phishing Kit Hash
GIB Date Expired
GIB Threat Actor is APT
GIB Name Servers
GIB Target Category
GIB Target Brand
GIB Source	Where the feed comes from to GIB
GIB Link List
GIB Payment System
GIB Compromised Login
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.

Incident Types

Name	Description
GIB Brand Protection Phishing
GIB Data Breach
GIB OSI Git Leak
GIB Compromised Account
GIB OSI Public Leak
GIB Targeted Malware
GIB Brand Protection Phishing Kit
GIB Compromised Card

Indicator Fields

Name	Description
GIB Software Mixed
GIB Severity
GIB Date Compromised
GIB Threat Actor is APT
GIB Threat Actor Name
GIB Target Domain	What domain was targeted by phishing
GIB Phishing Title
GIB Malware Name
GIB Credibility	Level of confidence on the information
GIB Proxy Port
GIB Collection
GIB File Name
GIB CVSS Vector
GIB Target Category	What category was targeted by phishing
GIB Proxy Anonymous	Level of anonymous
GIB Target Brand	What brand was targeted by phishing
GIB Reliability	Reliability of the source
GIB Threat Actor ID
GIB ID	ID of event in GIB TI&A
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.

Integrations

Name	Description
Group-IB Threat Intelligence (Partner Contribution)	Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex XSIAM. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware.
Group-IB Threat Intelligence Feed (Partner Contribution)	Use Group-IB Threat Intelligence Feed integration to fetch IOCs from various Group-IB collections.

Layouts

Name	Description
GIB Compromised Mule Layout	Layout for GIB Compromised Mule
GIB Victim IP Layout	Layout for GIB Victim IP
GIB Compromised IMEI Layout	Layout for GIB Compromised IMEI

Playbooks

Name	Description
Alert Postprocessing - Group-IB Threat Intelligence & Attribution	Obtains additional information on the threat actor involved in the alert and associates related indicators to the alert.

Indicator Types

Name	Description
GIB Victim IP
GIB Compromised Mule
GIB Compromised IMEI

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (2)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	May 13, 2021
Last Release	November 20, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.

Group-IB Threat Intelligence

What does this pack do?

What does this pack do?

Integrations

Group-IB Threat Intelligence

Scripts

GIBIncidentUpdate

GIBIncidentUpdateIncludingClosed

Integrations

Group-IB Threat Intelligence Feed

GroupIB_ThreatIntelligenceAttribution

Integrations

Group-IB Threat Intelligence

Group-IB Threat Intelligence Feed

Scripts

GIBIncidentUpdate

GIBIncidentUpdateIncludingClosed

Classifiers

Group-IB Threat Intelligence (classifier)

Integrations

Group-IB Threat Intelligence

Group-IB Threat Intelligence Feed

Mappers

Group-IB Threat Intelligence (mapper)

Scripts

GIBIncidentUpdateIncludingClosed

GIBIncidentUpdate

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER