Group-IB Threat Intelligence

Details
Content
Dependencies
Version History

Group-IB Threat Intelligence is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools, and activity. Use this pack to fast receive incidents related to you, attribute them to adversaries to do instant response, enrich your security with an enormous IOCs collection, and provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.

Nowadays businesses in any sphere may have problems with their cybersecurity: from simple phishing to professional cybercriminals, so it is very important to respond to incidents quickly.

Group-IB Threat Intelligence Pack can help you with managing your incident and indicators from Group-IB within the SOAR system.

What does this pack do?

Receive incidents and attribute them to adversaries.
Enrich security system with IOCs.
Provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.

As part of this pack, you will also get incident types, fields, and layouts; indicator types, fields, and layouts; the classifier and mapper for properly delivering data to these types and fields. Also, you will get a playbook, that enriches incidents, upcoming from Group-IB with threat reports and threat actor information.

Incident Postprocessing - Group-IB Threat Intelligence

Nowadays businesses in any sphere may have problems with their cybersecurity: from simple phishing to professional cybercriminals, so it is very important to respond to incidents quickly.

Group-IB Threat Intelligence Pack can help you with managing your incident and indicators from Group-IB within the SOAR system.

What does this pack do?

Receive incidents and attribute them to adversaries.
Enrich security system with IOCs.
Provide possibilities for manual investigation through Group-IB data via Cortex interface.

Incident Postprocessing - Group-IB Threat Intelligence

Automations

Name	Description
GIBIncidentUpdateIncludingClosed	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GIBIncidentUpdate	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script

Name

Description

GIBIncidentUpdateIncludingClosed

This script prevents duplication of existing incidents.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:

For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations
For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script
For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script

GIBIncidentUpdate

This script prevents duplication of existing incidents.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:

For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations
For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script
For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script

Classifiers

Name	Description
Group-IB Threat Intelligence (classifier)
Group-IB Threat Intelligence (mapper)

Incident Fields

Name	Description
GIB Nation-State Cybercriminals Threat Countries
GIB Extended Description
GIB Mirror Link
GIB Deface Date
GIB Deface Site URL
GIB CPE Table
GIB Deface Contacts
GIB Threat Actor Name
GIB Target Region
GIB Favicon
GIB Nation-State Cybercriminals Threat Actor Country
GIB DDOS Target Category
GIB Payment System
GIB Date Last Compromised
GIB Severity
GIB Downloaded From Table
GIB Phishing IP Table
GIB Proxy Type
GIB Scanner Sources
GIB Link List Table
GIB Source	Where the feed comes from to GIB
GIB Matches Table
GIB Date Modified
GIB Malware Langs
GIB Malware Name
GIB Phishing Kit Source
GIB DDOS Target IP
GIB Extended CVSS Base
GIB Address
GIB Target Domain
GIB Title
GIB Affected Software Table
GIB Nation-State Cybercriminals Threat Actor Reports Table
GIB Downloaded From
GIB Emails
GIB DDOS Source
GIB Date Created At
GIB Malware Source Countries
GIB DDOS Target Provider
GIB Phishing Objectives
GIB Repository
GIB Service Domain
GIB Compromised Account
GIB Has Exploit
GIB Malware Short Description
GIB DDOS Date Begin
GIB Revisions
GIB Date First Compromised
GIB VPN Sources
GIB Target Domain Provider
GIB Date Published
GIB Portal Link
GIB Phishing Date Updated
GIB Target ASN
GIB DDOS Request Body
GIB Extended CVSS Exploitability
GIB DDOS Request Data Link
GIB Parsed Login IP
GIB Malware Categories
GIB VPN Names
GIB Nation-State Cybercriminals Threat Actor CVE
GIB Cybercriminal Threat Actor Description
GIB Threat Actors Table
GIB ID	ID of event in GIB TIA
GIB Vulnerability Type
GIB Nation-State Cybercriminals Threat Sectors
GIB Organization SWIFT
GIB Phishing Domain Puny
GIB Date Last Seen
GIB DDOS Duration
GIB Card Issuer	Issuer of compromised card
GIB Phishing Brand
GIB Nation-State Cybercriminals Sectors
GIB Update Time
GIB Malware File hash
GIB Nation-State Cybercriminals Expertises
GIB Malware Description
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Threat Actor is APT
GIB Nation-State Cybercriminals Threat Actor Description
GIB Nation-State Cybercriminals Threat Description
GIB Phishing Domain
GIB Date Updated At
GIB DDOS Target City
GIB Phishing Registrar
GIB HTML
GIB Report Number
GIB Cybercriminal Threat Actor Aliases
GIB Organization BIC
GIB Proxy Source
GIB DDOS Type
GIB Parsed Login Domain
GIB DDOS Request Headers Hash
GIB Phishing Date Added
GIB Data Hash
GIB CVSS Score
GIB Organization BSB
GIB Extended CVSS Impact
GIB Malware CNC Domain
GIB Reliability	Reliability of the source
GIB GIT Source
GIB Is Tailored
GIB Bulletin Family
GIB DDOS Target Port
GIB Phishing Kit Table
GIB Victim IP
GIB Card Valid Thru
GIB Leak Name
GIB Phishing URLs
GIB Nation-State Cybercriminal Forums Table
GIB Country Name
GIB Person
GIB Drop Email
GIB Cybercriminal Malware
GIB Organization Name
GIB Reporter
GIB Leaked Data
GIB Phishing Kit Path
GIB Href
GIB Cybercriminal Threat Actor Report Authors
GIB Nation-State Cybercriminals Regions
GIB Inject MD5
GIB Target IP
GIB DDOS Target URL
GIB DDOS Date End
GIB Malware Table
GIB Card Type
GIB Phishing Sources
GIB DDOS Date Registration
GIB Socks Proxy Source
GIB Compromised Events Information Table
GIB Date Expired
GIB CNC URL
GIB CVV	Compromised card CVV
GIB DDOS Request Headers Body
GIB Service IP
GIB Date Compromised
GIB Proxy Sources
GIB Email
GIB Nation-State Cybercriminals Threat Actor Goals
GIB Service URL
GIB Nation-State Cybercriminals Threat Actor Labels
GIB Date of Detection
GIB Phishing Date Blocked
GIB Target City
GIB Proxy Port
GIB DDOS Target ASN
GIB Malware Platforms
GIB Phishing Date Detected
GIB Leaked File Name
GIB Leak Published
GIB Date Created
GIB Cybercriminal Threat Actor Reports Table
GIB Credibility	Level of confidence on the information
GIB Provider Domain
GIB DDOS Target Region
GIB Phishing Kit Hash
GIB Threat Actor ID
GIB Target Category
GIB CVSS Vector
GIB Nation-State Cybercriminals Malware
GIB Screenshot
GIB Cybercriminal Threat Description
GIB Target Provider
GIB Compromised Login
GIB DDOS Target Domain
GIB Inject Dump
GIB Cybercriminal Expertises
GIB Nation-State Cybercriminals Threat Actor Aliases
GIB CNC
GIB Cybercriminal Forums Table
GIB Nation-State Cybercriminals Threat Title
GIB Name Servers
GIB Scanner Categories
GIB Phishing Kit Emails
GIB DDOS Request Body Hash
GIB Compromised Events Table
GIB CNC Port
GIB Drop Email Domain
GIB Threat Level
GIB Merged Cvss
GIB Link List
GIB Matches
GIB Phishing Kit Email
GIB Nation-State Cybercriminals Threat Regions
GIB Password
GIB Malware Regions
GIB DDOS Target Country Code
GIB Phishing Domain Expiration Date
GIB DDOS Target Country Name
GIB Nation-State Cybercriminals Threat Actor Roles
GIB Phishing Status
GIB Country Code
GIB DDOS Protocol
GIB Extended CVSS Temporal
GIB Card Number
GIB Date Incident
GIB Cybercriminal Threat Title
GIB Date Add
GIB Date First Seen
GIB Phishing Type
GIB Upload Time
GIB Threat Actor Country
GIB Extended CVSS Overall
GIB Nation-State Cybercriminals Threat Langs
GIB Email Domains
GIB Nation-State Cybercriminals Threat Report Number
GIB Related Indicators Data
GIB Cybercriminal Sectors
GIB Organization CLABE
GIB OSI Git Repository Files Table
GIB Organization IBAN
GIB Cybercriminal Regions
GIB Malware Aliases
GIB CNC Domain
GIB Passwords
GIB Nation-State Cybercriminals Threat Expertises
GIB Target Brand
GIB Deface Source

Incident Types

Name	Description
GIB Suspicious IP Socks Proxy
GIB Suspicious IP Open Proxy
GIB Nation-State Cybercriminals Threat
GIB Attacks Phishing Group
GIB Cybercriminal Threat
GIB Suspicious IP VPN
GIB Compromised Card Group
GIB Suspicious IP Scanner
GIB OSI Public Leak
GIB Targeted Malware
GIB Brand Protection Phishing
GIB Data Breach
GIB Compromised Mule
GIB Attacks DDOS
GIB Brand Protection Phishing Kit
GIB Nation-State Cybercriminals Threat Actor
GIB Suspicious IP TOR Node
GIB OSI Vulnerability
GIB Compromised Account Group
GIB Malware CNC
GIB OSI Git Leak
GIB Malware
GIB Cybercriminal Threat Actor
GIB Attacks Deface
GIB Compromised Account
GIB Attacks Phishing Kit
GIB APT Threat
GIB Compromised Card

Indicator Fields

Name	Description
GIB File Name
GIB Proxy Port
GIB Threat Actor ID
GIB Proxy Anonymous	Level of anonymous
GIB Threat Actor Name
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Target Brand	What brand was targeted by phishing
GIB Reliability	Reliability of the source
GIB Severity
GIB Threat Actor is APT
GIB Hash
GIB Target Domain	What domain was targeted by phishing
GIB Credibility	Level of confidence on the information
GIB Target Category	What category was targeted by phishing
GIB ID	ID of event in GIB TI&A
GIB Phishing Title
GIB Collection
GIB Malware Name
GIB CVSS Vector
GIB Date Compromised
GIB Software Mixed

Integrations

Name	Description
Group-IB Threat Intelligence Feed (Partner Contribution)	Use Group-IB Threat Intelligence Feed integration to fetch IOCs from various Group-IB collections.
Group-IB Threat Intelligence (Partner Contribution)	Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex XSOAR. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware.

Layouts

Name	Description
GIB Compromised Mule Layout	Layout for GIB Compromised Mule
GIB Suspicious IP Socks Proxy Layout	Layout for GIB Suspicious IP Socks Proxy
GIB Attacks Deface Layout	Layout for GIB Attacks Deface
GIB Attacks Phishing Kit Layout	Layout for GIB Attacks Phishing Kit
GIB Suspicious IP TOR Node Layout	Layout for GIB Suspicious IP TOR Node
GIB Compromised Card Group Layout	Layout for GIB Compromised Card Group
GIB Nation-State Cybercriminals Threat Layout	Layout for Nation-State Cybercriminals Threat
GIB APT Threat Layout	Layout for GIB APT Threat
GIB Victim IP Layout	Layout for GIB Victim IP
GIB Brand Protection Phishing Layout	Layout for GIB Brand Protection Phishing
GIB Compromised IMEI Layout	Layout for GIB Compromised IMEI
GIB Nation-State Cybercriminals Threat Actor Layout	Layout for Nation-State Cybercriminals Threat Actor
GIB OSI Public Leak Layout	Layout for GIB OSI Public Leak
GIB OSI Vulnerability Layout	Layout for GIB OSI Vulnerability
GIB Compromised Account Layout	Layout for GIB Compromised Account
GIB OSI Git Leak Layout	Layout for GIB OSI Git Leak
GIB Suspicious IP VPN Layout	Layout for GIB Suspicious IP VPN
GIB Brand Protection Phishing Kit Layout	Layout for GIB Brand Protection Phishing Kit
GIB Attacks Phishing Group Layout	Layout for GIB Attacks Phishing Group
GIB Cybercriminal Threat Layout	Layout for GIB Cybercriminal Threat
GIB Compromised Account Group Layout	Layout for GIB Compromised Account Group
GIB Cybercriminal Threat Actor Layout	Layout for GIB Cybercriminal Threat Actor
GIB Malware CNC Layout	Layout for GIB Malware CNC
GIB Suspicious IP Open Proxy Layout	Layout for GIB Suspicious IP Open Proxy
GIB Data Breach Layout	Layout for GIB Data Breach
GIB Malware Layout	Layout for GIB Malware
GIB Targeted Malware Layout	Layout for GIB Targeted Malware
GIB Suspicious IP Scanner Layout	Layout for GIB Suspicious IP Scanner
GIB Attacks DDOS Layout	Layout for GIB Attacks DDOS
GIB Compromised Card Layout	Layout for GIB Compromised Card

Playbooks

Name	Description
Incident Postprocessing - Group-IB Threat Intelligence & Attribution	Obtains additional information on the threat actor involved in the incident and associates related indicators to the incident.

Preprocessrule

Name	Description
gib_rule

Indicator Types

Name	Description
GIB Victim IP
GIB Compromised IMEI
GIB Compromised Mule

Automations

Name	Description
GIBIncidentUpdate	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GIBAlertUpdate	This script prevents duplication of existing alerts. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GIBIncidentUpdateIncludingClosed	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GIBAlertUpdateIncludingClosed	This script prevents duplication of existing alerts. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script

Classifiers

Name	Description
Group-IB Threat Intelligence (classifier)
Group-IB Threat Intelligence (mapper)

Incident Fields

Name	Description
GIB Organization IBAN
GIB DDOS Target URL
GIB Name Servers
GIB Reliability	Reliability of the source
GIB Cybercriminal Regions
GIB Date of Detection
GIB DDOS Request Body Hash
GIB Compromised Events Table
GIB Target City
GIB Date Updated At
GIB Revisions
GIB Date First Seen
GIB Severity
GIB Malware Source Countries
GIB Nation-State Cybercriminals Threat Title
GIB Organization BSB
GIB DDOS Target Domain
GIB Malware Regions
GIB Nation-State Cybercriminals Threat Actor Description
GIB Cybercriminal Sectors
GIB Malware File hash
GIB Socks Proxy Source
GIB DDOS Target Country Code
GIB DDOS Source
GIB DDOS Target City
GIB Malware Description
GIB Link List Table
GIB Date Created
GIB Nation-State Cybercriminals Threat Regions
GIB CNC URL
GIB Service IP
GIB Phishing Domain
GIB Deface Source
GIB Scanner Categories
GIB Link List
GIB Date Last Seen
GIB Country Name
GIB Source	Where the feed comes from to GIB
GIB Deface Site URL
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Parsed Login Domain
GIB Target ASN
GIB Phishing Kit Email
GIB Date Compromised
GIB Drop Email Domain
GIB Compromised Login
GIB Victim IP
GIB Target Brand
GIB Malware Langs
GIB Bulletin Family
GIB DDOS Target IP
GIB VPN Sources
GIB DDOS Target ASN
GIB DDOS Target Category
GIB Screenshot
GIB Phishing Kit Source
GIB Date Add
GIB Nation-State Cybercriminal Forums Table
GIB Email Domains
GIB Proxy Source
GIB Related Indicators Data
GIB Leaked Data
GIB Has Exploit
GIB DDOS Request Data Link
GIB Portal Link
GIB Emails
GIB Cybercriminal Threat Title
GIB Malware Platforms
GIB Leak Published
GIB Matches
GIB Service Domain
GIB Phishing Date Blocked
GIB DDOS Duration
GIB Nation-State Cybercriminals Threat Actor Labels
GIB Target Region
GIB DDOS Protocol
GIB DDOS Target Region
GIB Vulnerability Type
GIB Is Tailored
GIB CVSS Score
GIB Date Modified
GIB Extended CVSS Base
GIB Nation-State Cybercriminals Sectors
GIB Nation-State Cybercriminals Threat Actor Goals
GIB Nation-State Cybercriminals Regions
GIB Extended CVSS Overall
GIB Date Incident
GIB Phishing IP Table
GIB VPN Names
GIB CNC Port
GIB DDOS Date Registration
GIB Nation-State Cybercriminals Threat Actor Roles
GIB CNC Domain
GIB Proxy Sources
GIB Phishing Kit Path
GIB Phishing Objectives
GIB Cybercriminal Threat Actor Description
GIB Data Hash
GIB CVV	Compromised card CVV
GIB DDOS Date End
GIB Cybercriminal Forums Table
GIB Update Time
GIB Cybercriminal Threat Actor Aliases
GIB DDOS Date Begin
GIB Credibility	Level of confidence on the information
GIB Card Number
GIB Nation-State Cybercriminals Threat Actor Country
GIB Nation-State Cybercriminals Threat Langs
GIB Phishing Domain Expiration Date
GIB Target Domain
GIB Nation-State Cybercriminals Threat Description
GIB Phishing Date Updated
GIB Malware Table
GIB Parsed Login IP
GIB Date Published
GIB Compromised Account
GIB Scanner Sources
GIB Extended CVSS Impact
GIB Favicon
GIB Upload Time
GIB Extended CVSS Exploitability
GIB Threat Actor Country
GIB Malware Aliases
GIB Href
GIB Cybercriminal Threat Description
GIB Nation-State Cybercriminals Threat Sectors
GIB Deface Date
GIB Phishing Kit Hash
GIB Organization BIC
GIB Matches Table
GIB Email
GIB Drop Email
GIB CPE Table
GIB Cybercriminal Expertises
GIB Person
GIB Service URL
GIB Repository
GIB Country Code
GIB Threat Level
GIB Threat Actor Name
GIB Extended CVSS Temporal
GIB Downloaded From
GIB DDOS Target Provider
GIB DDOS Request Headers Hash
GIB Downloaded From Table
GIB Password
GIB Phishing Date Detected
GIB Deface Contacts
GIB Title
GIB Malware CNC Domain
GIB Report Number
GIB Phishing Type
GIB Organization CLABE
GIB DDOS Target Country Name
GIB Date Last Compromised
GIB Address
GIB CVSS Vector
GIB Proxy Type
GIB Proxy Port
GIB OSI Git Repository Files Table
GIB Nation-State Cybercriminals Threat Actor CVE
GIB Malware Categories
GIB Date First Compromised
GIB Cybercriminal Threat Actor Report Authors
GIB Malware Short Description
GIB Organization Name
GIB Target Category
GIB Reporter
GIB Phishing Kit Emails
GIB ID	ID of event in GIB TIA
GIB Nation-State Cybercriminals Expertises
GIB DDOS Request Headers Body
GIB Target IP
GIB Cybercriminal Threat Actor Reports Table
GIB Merged Cvss
GIB Organization SWIFT
GIB Threat Actor is APT
GIB Phishing Sources
GIB Phishing Domain Puny
GIB Card Valid Thru
GIB Phishing URLs
GIB Cybercriminal Malware
GIB Provider Domain
GIB Inject Dump
GIB Date Expired
GIB Nation-State Cybercriminals Threat Countries
GIB Target Domain Provider
GIB Phishing Status
GIB Phishing Registrar
GIB Mirror Link
GIB Card Type
GIB HTML
GIB Payment System
GIB Extended Description
GIB Target Provider
GIB Date Created At
GIB Malware Name
GIB Nation-State Cybercriminals Malware
GIB Passwords
GIB Nation-State Cybercriminals Threat Expertises
GIB CNC
GIB Affected Software Table
GIB Threat Actor ID
GIB Phishing Kit Table
GIB Phishing Date Added
GIB Nation-State Cybercriminals Threat Report Number
GIB DDOS Type
GIB Phishing Brand
GIB DDOS Request Body
GIB Threat Actors Table
GIB Nation-State Cybercriminals Threat Actor Reports Table
GIB Leak Name
GIB DDOS Target Port
GIB Compromised Events Information Table
GIB Nation-State Cybercriminals Threat Actor Aliases
GIB GIT Source
GIB Card Issuer	Issuer of compromised card

Incident Types

Name	Description
GIB Attacks Phishing Group
GIB Suspicious IP VPN
GIB Data Breach
GIB APT Threat
GIB OSI Git Leak
GIB Suspicious IP TOR Node
GIB Brand Protection Phishing Kit
GIB Suspicious IP Scanner
GIB Attacks Deface
GIB Nation-State Cybercriminals Threat Actor
GIB Brand Protection Phishing
GIB Cybercriminal Threat
GIB Cybercriminal Threat Actor
GIB Suspicious IP Open Proxy
GIB Malware
GIB OSI Vulnerability
GIB Compromised Account
GIB Targeted Malware
GIB Compromised Card Group
GIB Nation-State Cybercriminals Threat
GIB Compromised Card
GIB Compromised Mule
GIB Malware CNC
GIB Attacks DDOS
GIB Attacks Phishing Kit
GIB Suspicious IP Socks Proxy
GIB OSI Public Leak
GIB Compromised Account Group

Indicator Fields

Name	Description
GIB Credibility	Level of confidence on the information
GIB ID	ID of event in GIB TI&A
GIB Hash
GIB Target Brand	What brand was targeted by phishing
GIB Threat Actor is APT
GIB Software Mixed
GIB Proxy Anonymous	Level of anonymous
GIB Proxy Port
GIB Date Compromised
GIB CVSS Vector
GIB Severity
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB File Name
GIB Threat Actor ID
GIB Threat Actor Name
GIB Target Domain	What domain was targeted by phishing
GIB Reliability	Reliability of the source
GIB Malware Name
GIB Target Category	What category was targeted by phishing
GIB Collection
GIB Phishing Title

Integrations

Name	Description
Group-IB Threat Intelligence (Partner Contribution)	Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware.
Group-IB Threat Intelligence Feed (Partner Contribution)	Use Group-IB Threat Intelligence Feed integration to fetch IOCs from various Group-IB collections.

Layouts

Name	Description
GIB Attacks Deface Layout	Layout for GIB Attacks Deface
GIB OSI Git Leak Layout	Layout for GIB OSI Git Leak
GIB Compromised Card Layout	Layout for GIB Compromised Card
GIB Suspicious IP VPN Layout	Layout for GIB Suspicious IP VPN
GIB Data Breach Layout	Layout for GIB Data Breach
GIB Compromised Account Group Layout	Layout for GIB Compromised Account Group
GIB Victim IP Layout	Layout for GIB Victim IP
GIB Attacks DDOS Layout	Layout for GIB Attacks DDOS
GIB Compromised Mule Layout	Layout for GIB Compromised Mule
GIB Suspicious IP TOR Node Layout	Layout for GIB Suspicious IP TOR Node
GIB OSI Public Leak Layout	Layout for GIB OSI Public Leak
GIB Suspicious IP Scanner Layout	Layout for GIB Suspicious IP Scanner
GIB Nation-State Cybercriminals Threat Layout	Layout for Nation-State Cybercriminals Threat
GIB Malware CNC Layout	Layout for GIB Malware CNC
GIB Attacks Phishing Group Layout	Layout for GIB Attacks Phishing Group
GIB Compromised Account Layout	Layout for GIB Compromised Account
GIB APT Threat Layout	Layout for GIB APT Threat
GIB Suspicious IP Open Proxy Layout	Layout for GIB Suspicious IP Open Proxy
GIB Compromised Card Group Layout	Layout for GIB Compromised Card Group
GIB OSI Vulnerability Layout	Layout for GIB OSI Vulnerability
GIB Attacks Phishing Kit Layout	Layout for GIB Attacks Phishing Kit
GIB Cybercriminal Threat Layout	Layout for GIB Cybercriminal Threat
GIB Suspicious IP Socks Proxy Layout	Layout for GIB Suspicious IP Socks Proxy
GIB Malware Layout	Layout for GIB Malware
GIB Cybercriminal Threat Actor Layout	Layout for GIB Cybercriminal Threat Actor
GIB Nation-State Cybercriminals Threat Actor Layout	Layout for Nation-State Cybercriminals Threat Actor
GIB Compromised IMEI Layout	Layout for GIB Compromised IMEI

Playbooks

Name	Description
Incident Postprocessing - Group-IB Threat Intelligence & Attribution	Obtains additional information on the threat actor involved in the alert and associates related indicators to the alert.

Indicator Types

Name	Description
GIB Compromised IMEI
GIB Compromised Mule
GIB Victim IP

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

2.0.0 - 3079234 (April 7, 2025)

Classifiers

Group-IB Threat Intelligence (classifier)

Updated the Group-IB Threat Intelligence (classifier) classifier to support new collections.

Incident Fields

New: GIB Cybercriminal Forums Table
New: Added a new incident field- GIB Cybercriminal Forums Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CVSS Score
New: Added a new incident field- GIB CVSS Score that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Country Code
New: Added a new incident field- GIB Country Code that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Actor Report Authors
New: Added a new incident field- GIB Cybercriminal Threat Actor Report Authors that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Date Last Seen
New: Added a new incident field- GIB Date Last Seen that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Target Brand
Updated the GIB Target Brand incident field to support new collections.
New: GIB CVSS Vector
New: Added a new incident field- GIB CVSS Vector that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Is Tailored
New: Added a new incident field- GIB Is Tailored that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Platforms
New: Added a new incident field- GIB Malware Platforms that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Expertises
New: Added a new incident field- GIB Nation-State Cybercriminals Expertises that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Email Domains
New: Added a new incident field- GIB Email Domains that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Country Name
New: Added a new incident field- GIB DDOS Target Country Name that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Inject Dump
Updated the GIB Inject Dump incident field to support new collections.
New: GIB Organization Name
New: Added a new incident field- GIB Organization Name that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Proxy Port
New: Added a new incident field- GIB Proxy Port that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Port
New: Added a new incident field- GIB DDOS Target Port that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Phishing Kit Hash
Updated the GIB Phishing Kit Hash incident field to support new collections.
GIB Malware Name
Updated the GIB Malware Name incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Langs
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Langs that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Kit Email
New: Added a new incident field- GIB Phishing Kit Email that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Domain
New: Added a new incident field- GIB DDOS Target Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Regions
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Regions that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Target Provider
New: Added a new incident field- GIB Target Provider that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Source Countries
New: Added a new incident field- GIB Malware Source Countries that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Date Published
New: Added a new incident field- GIB Date Published that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Country Code
New: Added a new incident field- GIB DDOS Target Country Code that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Drop Email Domain
Updated the GIB Drop Email Domain incident field to support new collections.
New: GIB Date First Compromised
New: Added a new incident field- GIB Date First Compromised that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Payment System
Updated the GIB Payment System incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor Roles
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Roles that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Kit Path
New: Added a new incident field- GIB Phishing Kit Path that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Table
New: Added a new incident field- GIB Malware Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Sources
New: Added a new incident field- GIB Phishing Sources that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Request Headers Body
New: Added a new incident field- GIB DDOS Request Headers Body that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminal Forums Table
New: Added a new incident field- GIB Nation-State Cybercriminal Forums Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Countries
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Countries that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB OSI Git Repository Files Table
New: Added a new incident field- GIB OSI Git Repository Files Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Emails
New: Added a new incident field- GIB Emails that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target City
New: Added a new incident field- GIB DDOS Target City that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Drop Email
Updated the GIB Drop Email incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor CVE
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor CVE that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Deface Contacts
New: Added a new incident field- GIB Deface Contacts that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Organization IBAN
New: Added a new incident field- GIB Organization IBAN that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Events Table
New: Added a new incident field- GIB Compromised Events Table that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Repository
Updated the GIB Repository incident field to support new collections.
New: GIB Deface Source
New: Added a new incident field- GIB Deface Source that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Organization BSB
New: Added a new incident field- GIB Organization BSB that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Description
New: Added a new incident field- GIB Cybercriminal Threat Description that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Brand
New: Added a new incident field- GIB Phishing Brand that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Card Valid Thru
Updated the GIB Card Valid Thru incident field to support new collections.
New: GIB Downloaded From Table
New: Added a new incident field- GIB Downloaded From Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CNC
New: Added a new incident field- GIB CNC that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Events Information Table
New: Added a new incident field- GIB Compromised Events Information Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Request Body
New: Added a new incident field- GIB DDOS Request Body that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CNC URL
New: Added a new incident field- GIB CNC URL that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Email
Updated the GIB Email incident field to support new collections.
New: GIB Date First Seen
New: Added a new incident field- GIB Date First Seen that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Passwords
New: Added a new incident field- GIB Passwords that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Target Region
New: Added a new incident field- GIB Target Region that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB HTML
Updated the GIB HTML incident field to support new collections.
New: GIB Nation-State Cybercriminals Malware
New: Added a new incident field- GIB Nation-State Cybercriminals Malware that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Admiralty Code
Updated the GIB Admiralty Code incident field to support new collections.
New: GIB Mirror Link
New: Added a new incident field- GIB Mirror Link that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Kit Source
New: Added a new incident field- GIB Phishing Kit Source that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Regions
New: Added a new incident field- GIB Cybercriminal Regions that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Card Issuer
Updated the GIB Card Issuer incident field to support new collections.
New: GIB Phishing Objectives
New: Added a new incident field- GIB Phishing Objectives that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Source
Updated the GIB Source incident field to support new collections.
New: GIB Cybercriminal Malware
New: Added a new incident field- GIB Cybercriminal Malware that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Card Type
Updated the GIB Card Type incident field to support new collections.
New: GIB DDOS Date Registration
New: Added a new incident field- GIB DDOS Date Registration that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Title
Updated the GIB Title incident field to support new collections.
New: GIB Malware Aliases
New: Added a new incident field- GIB Malware Aliases that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Report Number
New: Added a new incident field- GIB Report Number that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Provider Domain
New: Added a new incident field- GIB Provider Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Registrar
New: Added a new incident field- GIB Phishing Registrar that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Date Created At
New: Added a new incident field- GIB Date Created At that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Threat Actor Country
New: Added a new incident field- GIB Threat Actor Country that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Service IP
New: Added a new incident field- GIB Service IP that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Actor Goals
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Goals that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Reporter
New: Added a new incident field- GIB Reporter that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Favicon
Updated the GIB Favicon incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor Description
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Description that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Date Detected
New: Added a new incident field- GIB Phishing Date Detected that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Data Hash
Updated the GIB Data Hash incident field to support new collections.
New: GIB VPN Names
New: Added a new incident field- GIB VPN Names that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Matches Table
New: Added a new incident field- GIB Matches Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Actor Country
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Country that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Date Added
New: Added a new incident field- GIB Phishing Date Added that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Organization SWIFT
New: Added a new incident field- GIB Organization SWIFT that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CPE Table
New: Added a new incident field- GIB CPE Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Extended CVSS Exploitability
New: Added a new incident field- GIB Extended CVSS Exploitability that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Date Compromised
Updated the GIB Date Compromised incident field to support new collections.
New: GIB Extended CVSS Base
New: Added a new incident field- GIB Extended CVSS Base that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Regions
New: Added a new incident field- GIB Malware Regions that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Date Expired
Updated the GIB Date Expired incident field to support new collections.
New: GIB Organization BIC
New: Added a new incident field- GIB Organization BIC that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Service Domain
New: Added a new incident field- GIB Service Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Actor Reports Table
New: Added a new incident field- GIB Cybercriminal Threat Actor Reports Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Date Begin
New: Added a new incident field- GIB DDOS Date Begin that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Screenshot
Updated the GIB Screenshot incident field to support new collections.
New: GIB DDOS Date End
New: Added a new incident field- GIB DDOS Date End that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Extended CVSS Overall
New: Added a new incident field- GIB Extended CVSS Overall that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Name Servers
Updated the GIB Name Servers incident field to support new collections.
New: GIB Deface Date
New: Added a new incident field- GIB Deface Date that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Affected Software Table
New: Added a new incident field- GIB Affected Software Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Short Description
New: Added a new incident field- GIB Malware Short Description that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Related Indicators Data
Updated the GIB Related Indicators Data incident field to support new collections.
GIB Downloaded From
Updated the GIB Downloaded From incident field to support new collections.
New: GIB Target Domain Provider
New: Added a new incident field- GIB Target Domain Provider that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Protocol
New: Added a new incident field- GIB DDOS Protocol that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target ASN
New: Added a new incident field- GIB DDOS Target ASN that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Date Last Compromised
New: Added a new incident field- GIB Date Last Compromised that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Expertises
New: Added a new incident field- GIB Cybercriminal Expertises that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Langs
New: Added a new incident field- GIB Malware Langs that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Compromised Login
Updated the GIB Compromised Login incident field to support new collections.
New: GIB Extended CVSS Temporal
New: Added a new incident field- GIB Extended CVSS Temporal that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Leaked Data
Updated the GIB Leaked Data incident field to support new collections.
GIB Password
Updated the GIB Password incident field to support new collections.
GIB Threat Actor ID
Updated the GIB Threat Actor ID incident field to support new collections.
New: GIB Href
New: Added a new incident field- GIB Href that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Domain Puny
New: Added a new incident field- GIB Phishing Domain Puny that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Proxy Source
New: Added a new incident field- GIB Proxy Source that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing URLs
New: Added a new incident field- GIB Phishing URLs that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Phishing Domain
Updated the GIB Phishing Domain incident field to support new collections.
New: GIB Phishing IP Table
New: Added a new incident field- GIB Phishing IP Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Extended CVSS Impact
New: Added a new incident field- GIB Extended CVSS Impact that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Parsed Login Domain
New: Added a new incident field- GIB Parsed Login Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Description
New: Added a new incident field- GIB Malware Description that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Leak Name
Updated the GIB Leak Name incident field to support new collections.
GIB Threat Actor is APT
Updated the GIB Threat Actor is APT incident field to support new collections.
New: GIB Proxy Sources
New: Added a new incident field- GIB Proxy Sources that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Deface Site URL
New: Added a new incident field- GIB Deface Site URL that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware CNC Domain
New: Added a new incident field- GIB Malware CNC Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Parsed Login IP
New: Added a new incident field- GIB Parsed Login IP that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Target Category
Updated the GIB Target Category incident field to support new collections.
New: GIB Bulletin Family
New: Added a new incident field- GIB Bulletin Family that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target URL
New: Added a new incident field- GIB DDOS Target URL that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Duration
New: Added a new incident field- GIB DDOS Duration that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Sectors
New: Added a new incident field- GIB Nation-State Cybercriminals Sectors that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Title
New: Added a new incident field- GIB Cybercriminal Threat Title that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Target City
New: Added a new incident field- GIB Target City that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Leak Published
New: Added a new incident field- GIB Leak Published that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target IP
New: Added a new incident field- GIB DDOS Target IP that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CNC Domain
New: Added a new incident field- GIB CNC Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Actor Aliases
New: Added a new incident field- GIB Cybercriminal Threat Actor Aliases that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Category
New: Added a new incident field- GIB DDOS Target Category that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Target ASN
New: Added a new incident field- GIB Target ASN that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Source
New: Added a new incident field- GIB DDOS Source that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Card Number
Updated the GIB Card Number incident field to support new collections.
New: GIB Malware File hash
New: Added a new incident field- GIB Malware File hash that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Categories
New: Added a new incident field- GIB Malware Categories that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Actor Description
New: Added a new incident field- GIB Cybercriminal Threat Actor Description that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Title
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Title that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Phishing Status
Updated the GIB Phishing Status incident field to support new collections.
New: GIB Has Exploit
New: Added a new incident field- GIB Has Exploit that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Kit Table
New: Added a new incident field- GIB Phishing Kit Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Service URL
New: Added a new incident field- GIB Service URL that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Inject MD5
Updated the GIB Inject MD5 incident field to support new collections.
GIB Phishing Type
Updated the GIB Phishing Type incident field to support new collections.
New: GIB Date Add
New: Added a new incident field- GIB Date Add that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB CVV
Updated the GIB CVV incident field to support new collections.
New: GIB Phishing Domain Expiration Date
New: Added a new incident field- GIB Phishing Domain Expiration Date that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Portal Link
Updated the GIB Portal Link incident field to support new collections.
New: GIB Date Updated At
New: Added a new incident field- GIB Date Updated At that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Threat Actors Table
New: Added a new incident field- GIB Threat Actors Table that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Person
Updated the GIB Person incident field to support new collections.
New: GIB Compromised Account
New: Added a new incident field- GIB Compromised Account that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Credibility
Updated the GIB Credibility incident field to support new collections.
GIB Severity
Updated the GIB Severity incident field to support new collections.
New: GIB DDOS Target Region
New: Added a new incident field- GIB DDOS Target Region that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Target Domain
Updated the GIB Target Domain incident field to support new collections.
New: GIB Extended Description
New: Added a new incident field- GIB Extended Description that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Threat Actor Name
Updated the GIB Threat Actor Name incident field to support new collections.
New: GIB Date Incident
New: Added a new incident field- GIB Date Incident that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Socks Proxy Source
New: Added a new incident field- GIB Socks Proxy Source that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Link List Table
New: Added a new incident field- GIB Link List Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Merged Cvss
New: Added a new incident field- GIB Merged Cvss that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Update Time
New: Added a new incident field- GIB Update Time that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB GIT Source
New: Added a new incident field- GIB GIT Source that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Sectors
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Sectors that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CNC Port
New: Added a new incident field- GIB CNC Port that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Date of Detection
Updated the GIB Date of Detection incident field to support new collections.
New: GIB Cybercriminal Sectors
New: Added a new incident field- GIB Cybercriminal Sectors that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Address
Updated the GIB Address incident field to support new collections.
New: GIB Proxy Type
New: Added a new incident field- GIB Proxy Type that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Actor Reports Table
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Reports Table that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Phishing Kit Emails
Updated the GIB Phishing Kit Emails incident field to support new collections.
GIB Date Created
Updated the GIB Date Created incident field to support new collections.
New: GIB DDOS Request Body Hash
New: Added a new incident field- GIB DDOS Request Body Hash that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Request Data Link
New: Added a new incident field- GIB DDOS Request Data Link that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Report Number
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Report Number that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Victim IP
Updated the GIB Victim IP incident field to support new collections.
New: GIB Upload Time
New: Added a new incident field- GIB Upload Time that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Provider
New: Added a new incident field- GIB DDOS Target Provider that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Reliability
Updated the GIB Reliability incident field to support new collections.
New: GIB Nation-State Cybercriminals Regions
New: Added a new incident field- GIB Nation-State Cybercriminals Regions that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Type
New: Added a new incident field- GIB DDOS Type that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Actor Labels
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Labels that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Organization CLABE
New: Added a new incident field- GIB Organization CLABE that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB ID
Updated the GIB ID incident field to support new collections.
New: GIB Date Modified
New: Added a new incident field- GIB Date Modified that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Target IP
New: Added a new incident field- GIB Target IP that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Expertises
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Expertises that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Scanner Categories
New: Added a new incident field- GIB Scanner Categories that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Description
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Description that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Country Name
New: Added a new incident field- GIB Country Name that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Leaked File Name
Updated the GIB Leaked File Name incident field to support new collections.
New: GIB DDOS Request Headers Hash
New: Added a new incident field- GIB DDOS Request Headers Hash that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Threat Level
New: Added a new incident field- GIB Threat Level that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Phishing Date Blocked
Updated the GIB Phishing Date Blocked incident field to support new collections.
New: GIB Vulnerability Type
New: Added a new incident field- GIB Vulnerability Type that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB VPN Sources
New: Added a new incident field- GIB VPN Sources that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Date Updated
New: Added a new incident field- GIB Phishing Date Updated that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Nation-State Cybercriminals Threat Actor Aliases
GIB Nation-State Cybercriminals Threat Actor Aliases supports new collections

(Available from Cortex XSOAR 6.10.0).

GIB Scanner Sources
GIB Scanner Sources now supports new collections
(Available from Cortex XSOAR 6.10.0).

Incident Types

New: GIB Cybercriminal Threat Actor
New: Added a new incident type- GIB Cybercriminal Threat Actor that supports new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Phishing Kit
New: Added a new incident type- GIB Attacks Phishing Kit that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware
New: Added a new incident type- GIB Malware that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat
New: Added a new incident type- GIB Nation-State Cybercriminals Threat that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Account Group
New: Added a new incident type- GIB Compromised Account Group that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Compromised Card
Updated the GIB Compromised Card incident type to support new collections.
New: GIB Compromised Mule
New: Added a new incident type- GIB Compromised Mule that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP TOR Node
New: Added a new incident type- GIB Suspicious IP TOR Node that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Actor
New: Added a new incident type- GIB Nation-State Cybercriminals Threat Actor that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP Socks Proxy
New: Added a new incident type- GIB Suspicious IP Socks Proxy that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Targeted Malware
Updated the GIB Targeted Malware incident type to support new collections.
GIB Brand Protection Phishing
Updated the GIB Brand Protection Phishing incident type to support new collections.
GIB Compromised Account
Updated the GIB Compromised Account incident type to support new collections.
New: GIB Malware CNC
New: Added a new incident type- GIB Malware CNC that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks DDOS
New: Added a new incident type- GIB Attacks DDOS that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP Scanner
New: Added a new incident type- GIB Suspicious IP Scanner that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Card Group
New: Added a new incident type- GIB Compromised Card Group that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP Open Proxy
New: Added a new incident type- GIB Suspicious IP Open Proxy that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP VPN
New: Added a new incident type- GIB Suspicious IP VPN that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB APT Threat
New: Added a new incident type- GIB APT Threat that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat
New: Added a new incident type- GIB Cybercriminal Threat that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Phishing Group
New: Added a new incident type- GIB Attacks Phishing Group that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB OSI Git Leak
Updated the GIB OSI Git Leak incident type to support new collections.
GIB Brand Protection Phishing Kit
Updated the GIB Brand Protection Phishing Kit incident type to support new collections.
GIB Data Breach
Updated the GIB Data Breach incident type to support new collections.
GIB OSI Public Leak
Updated the GIB OSI Public Leak incident type to support new collections.
New: GIB OSI Vulnerability
New: Added a new incident type- GIB OSI Vulnerability that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Deface
New: Added a new incident type- GIB Attacks Deface that support new collections
(Available from Cortex XSOAR 6.10.0).

Indicator Fields

New: GIB Hash

New: Added a new indicator field- GIB Hash that support new collections
(Available from Cortex XSOAR 6.10.0).

GIB Threat Actor is APT

Updated the GIB Threat Actor is APT indicator field to support new collections.

GIB Admiralty Code

Updated the GIB Admiralty Code indicator field to support new collections.

GIB Proxy Anonymous

Updated the GIB Proxy Anonymous indicator field to support new collections.

GIB Threat Actor Name

Updated the GIB Threat Actor Name indicator field to support new collections.

GIB Collection

Updated the GIB Collection indicator field to support new collections.

GIB Severity

Updated the GIB Severity indicator field to support new collections.

GIB Reliability

Updated the GIB Reliability indicator field to support new collections.

GIB ID

Updated the GIB ID indicator field to support new collections.

GIB Credibility

Updated the GIB Credibility indicator field to support new collections.

GIB Threat Actor ID

Updated the GIB Threat Actor ID indicator field to support new collections.

GIB Malware Name

Updated the GIB Malware Name indicator field to support new collections.

Indicator Types

GIB Compromised Mule
Updated the GIB Compromised Mule indicator type to support new collections.
GIB Victim IP
Updated the GIB Victim IP indicator type to support new collections.
GIB Compromised IMEI
Updated the GIB Compromised IMEI. indicator type to support new collections.

Integrations

Group-IB Threat Intelligence

Added support for Hunting Rules parameter that to enable the collection of data using hunting rules, please select this parameter.
Deleted the gibtia-get-malware-targeted-malware-info command.
Deleted the gibtia-get-compromised-card-info command.
Deleted the gibtia-get-phishing-kit-info command.
Deleted the gibtia-get-phishing-info command.
Deleted the gibtia-get-compromised-imei-info command.
Added support for gibtia-get-suspicious-ip-vpn-info command that command performs group ib event lookup in suspicious_ip/vpn collection by provided id.
Added support for gibtia-get-suspicious-ip-scanner-info command that command performs group ib event lookup in suspicious_ip/scanner collection by provided id.
Added support for gibtia-get-phishing-group-info command that command performs group ib event lookup in attacks/phishing_group collection by provided id.
Added support for gibtia-get-compromised-card-group-info command that command performs group ib event lookup in compromised/bank_card_group collection by provided id.
Added support for gibtia-get-malware-malware-info command that command performs group ib event lookup in malware/malware collection by provided id.
Updated the Docker image to: demisto/vendors-sdk:1.0.0.2073752.

Group-IB Threat Intelligence Feed

Updated the Group-IB Threat Intelligence & Attribution Feed integration to support new collections.
Updated the Docker image to: demisto/vendors-sdk:1.0.0.2073752.

Layouts

GIB Compromised IMEI Layout
Updated the GIB Compromised IMEI Layout layout to support new collections.
New: GIB Cybercriminal Threat Layout
New: Added a new layout- GIB Cybercriminal Threat Layout that Layout for GIB Cybercriminal Threat
(Available from Cortex XSOAR 6.10.0).
GIB Compromised Card Layout
Updated the GIB Compromised Card Layout layout to support new collections.
New: GIB Cybercriminal Threat Actor Layout
New: Added a new layout- GIB Cybercriminal Threat Actor Layout that Layout for GIB Cybercriminal Threat Actor
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP VPN Layout
New: Added a new layout- GIB Suspicious IP VPN Layout that Layout for GIB Suspicious IP VPN
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Phishing Group Layout
New: Added a new layout- GIB Attacks Phishing Group Layout that Layout for GIB Attacks Phishing Group
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Deface Layout
New: Added a new layout- GIB Attacks Deface Layout that Layout for GIB Attacks Deface
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Phishing Kit Layout
New: Added a new layout- GIB Attacks Phishing Kit Layout that Layout for GIB Attacks Phishing Kit
(Available from Cortex XSOAR 6.10.0).
GIB Brand Protection Phishing Kit Layout
Updated the GIB Brand Protection Phishing Kit Layout layout to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor Layout
New: Added a new layout- GIB Nation-State Cybercriminals Threat Actor Layout that Layout for Nation-State Cybercriminals Threat Actor
(Available from Cortex XSOAR 6.10.0).
GIB Data Breach Layout
Updated the GIB Data Breach Layout layout to support new collections.
New: GIB OSI Vulnerability Layout
New: Added a new layout- GIB OSI Vulnerability Layout that Layout for GIB OSI Vulnerability
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Card Group Layout
New: Added a new layout- GIB Compromised Card Group Layout that Layout for GIB Compromised Card Group
(Available from Cortex XSOAR 6.10.0).
GIB OSI Git Leak Layout
Updated the GIB OSI Git Leak Layout layout to support new collections.
New: GIB Attacks DDOS Layout
New: Added a new layout- GIB Attacks DDOS Layout that Layout for GIB Attacks DDOS
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Layout
New: Added a new layout- GIB Malware Layout that Layout for GIB Malware
(Available from Cortex XSOAR 6.10.0).
GIB OSI Public Leak Layout
Updated the GIB OSI Public Leak Layout layout to support new collections.
New: GIB Suspicious IP Scanner Layout
New: Added a new layout- GIB Suspicious IP Scanner Layout that Layout for GIB Suspicious IP Scanner
(Available from Cortex XSOAR 6.10.0).
GIB Targeted Malware Layout
Updated the GIB Targeted Malware Layout layout to support new collections.
New: GIB Nation-State Cybercriminals Threat Layout
New: Added a new layout- GIB Nation-State Cybercriminals Threat Layout that Layout for Nation-State Cybercriminals Threat
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Account Group Layout
New: Added a new layout- GIB Compromised Account Group Layout that Layout for GIB Compromised Account Group
(Available from Cortex XSOAR 6.10.0).
New: GIB APT Threat Layout
New: Added a new layout- GIB APT Threat Layout that Layout for GIB APT Threat
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware CNC Layout
New: Added a new layout- GIB Malware CNC Layout that Layout for GIB Malware CNC
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP TOR Node Layout
New: Added a new layout- GIB Suspicious IP TOR Node Layout that Layout for GIB Suspicious IP TOR Node
(Available from Cortex XSOAR 6.10.0).
GIB Victim IP Layout
Updated the GIB Victim IP Layout layout to support new collections.
New: GIB Suspicious IP Socks Proxy Layout
New: Added a new layout- GIB Suspicious IP Socks Proxy Layout that Layout for GIB Suspicious IP Socks Proxy
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP Open Proxy Layout
New: Added a new layout- GIB Suspicious IP Open Proxy Layout that Layout for GIB Suspicious IP Open Proxy
(Available from Cortex XSOAR 6.10.0).
GIB Brand Protection Phishing Layout
Updated the GIB Brand Protection Phishing Layout layout to support new collections.
GIB Compromised Mule Layout
Updated the GIB Compromised Mule Layout layout to support new collections.
GIB Compromised Account Layout
Updated the GIB Compromised Account Layout layout to support new collections.

Mappers

Group-IB Threat Intelligence (mapper)

Updated the Group-IB Threat Intelligence (mapper) mapper to support new collections.

Playbooks

Incident Postprocessing - Group-IB Threat Intelligence & Attribution

Updated the Incident Postprocessing - Group-IB Threat Intelligence & Attribution playbook to support new collections.

Pre Process Rules

New: gib_rule

New: Added a new preprocess rule- gib_rule that support new collections
(Available from Cortex XSOAR 6.10.0).

Scripts

GIBIncidentUpdateIncludingClosed

Updated the GIBIncidentUpdateIncludingClosed script to support new collections.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

GIBIncidentUpdate

Updated the GIBIncidentUpdate script to support new collections.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39414
- 37239
- 38416
- 39402
- 38930
- 39389

Download

1.4.10 - 3042633 (April 2, 2025)

Integrations

Group-IB Threat Intelligence Feed

Metadata and documentation improvements.

Group-IB Threat Intelligence

Metadata and documentation improvements.

Scripts

GIBIncidentUpdateIncludingClosed

Metadata and documentation improvements.

GIBIncidentUpdate

Metadata and documentation improvements.

Related pull requests:
- 39131

Download

1.4.9 - R2988527 (March 26, 2025)

Group-IB Threat Intelligence

Documentation and metadata improvements.

Related pull requests:
- 38999

Download

1.4.8 - 1935630 (January 6, 2025)

Integrations

Group-IB Threat Intelligence

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37472

Download

1.4.7 - 1931958 (January 6, 2025)

Playbooks

Incident Postprocessing - Group-IB Threat Intelligence & Attribution

Documentation and metadata improvements.

Related pull requests:
- 37492

Download

1.4.6 - 1834150 (December 18, 2024)

Scripts

GIBIncidentUpdate

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

GIBIncidentUpdateIncludingClosed

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37754

Download

1.4.4 - 1809308 (December 15, 2024)

Integrations

Group-IB Threat Intelligence Feed

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37567
- 37564
- 37565

Download

1.4.3 - R1741355 (December 3, 2024)

Integrations

Group-IB Threat Intelligence

Updated the Docker image to: demisto/python3:3.11.10.116439.

Scripts

GIBIncidentUpdate

Updated the Docker image to: demisto/python3:3.11.10.116439.

GIBIncidentUpdateIncludingClosed

Updated the Docker image to: demisto/python3:3.11.10.116439.

Related pull requests:
- 37271

Download

1.4.2 - 1304994 (August 25, 2024)

Integrations

Group-IB Threat Intelligence Feed

Removed When removed from the feed option from Indicator Expiration Method
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 35873

Download

1.4.1 - R995825 (May 5, 2024)

GroupIB_ThreatIntelligenceAttribution

Fixed an issue where images with special chars were not displyed properly in the pack README file.

Related pull requests:
- 31421

Download

2.0.0 - 3079234 (April 7, 2025)

Classifiers

Group-IB Threat Intelligence (classifier)

Updated the Group-IB Threat Intelligence (classifier) classifier to support new collections.

Incident Fields

New: GIB Cybercriminal Forums Table
New: Added a new incident field- GIB Cybercriminal Forums Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CVSS Score
New: Added a new incident field- GIB CVSS Score that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Country Code
New: Added a new incident field- GIB Country Code that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Actor Report Authors
New: Added a new incident field- GIB Cybercriminal Threat Actor Report Authors that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Date Last Seen
New: Added a new incident field- GIB Date Last Seen that support new collections
(Available from Cortex XSIAM 2.0).
GIB Target Brand
Updated the GIB Target Brand incident field to support new collections.
New: GIB CVSS Vector
New: Added a new incident field- GIB CVSS Vector that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Is Tailored
New: Added a new incident field- GIB Is Tailored that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Platforms
New: Added a new incident field- GIB Malware Platforms that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Expertises
New: Added a new incident field- GIB Nation-State Cybercriminals Expertises that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Email Domains
New: Added a new incident field- GIB Email Domains that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Country Name
New: Added a new incident field- GIB DDOS Target Country Name that support new collections
(Available from Cortex XSIAM 2.0).
GIB Inject Dump
Updated the GIB Inject Dump incident field to support new collections.
New: GIB Organization Name
New: Added a new incident field- GIB Organization Name that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Proxy Port
New: Added a new incident field- GIB Proxy Port that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Port
New: Added a new incident field- GIB DDOS Target Port that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Kit Hash
Updated the GIB Phishing Kit Hash incident field to support new collections.
GIB Malware Name
Updated the GIB Malware Name incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Langs
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Langs that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Kit Email
New: Added a new incident field- GIB Phishing Kit Email that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Domain
New: Added a new incident field- GIB DDOS Target Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Regions
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Regions that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Target Provider
New: Added a new incident field- GIB Target Provider that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Source Countries
New: Added a new incident field- GIB Malware Source Countries that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Date Published
New: Added a new incident field- GIB Date Published that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Country Code
New: Added a new incident field- GIB DDOS Target Country Code that support new collections
(Available from Cortex XSIAM 2.0).
GIB Drop Email Domain
Updated the GIB Drop Email Domain incident field to support new collections.
New: GIB Date First Compromised
New: Added a new incident field- GIB Date First Compromised that support new collections
(Available from Cortex XSIAM 2.0).
GIB Payment System
Updated the GIB Payment System incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor Roles
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Roles that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Kit Path
New: Added a new incident field- GIB Phishing Kit Path that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Table
New: Added a new incident field- GIB Malware Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Sources
New: Added a new incident field- GIB Phishing Sources that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Request Headers Body
New: Added a new incident field- GIB DDOS Request Headers Body that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminal Forums Table
New: Added a new incident field- GIB Nation-State Cybercriminal Forums Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Countries
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Countries that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB OSI Git Repository Files Table
New: Added a new incident field- GIB OSI Git Repository Files Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Emails
New: Added a new incident field- GIB Emails that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target City
New: Added a new incident field- GIB DDOS Target City that support new collections
(Available from Cortex XSIAM 2.0).
GIB Drop Email
Updated the GIB Drop Email incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor CVE
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor CVE that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Deface Contacts
New: Added a new incident field- GIB Deface Contacts that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Organization IBAN
New: Added a new incident field- GIB Organization IBAN that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Events Table
New: Added a new incident field- GIB Compromised Events Table that support new collections
(Available from Cortex XSIAM 2.0).
GIB Repository
Updated the GIB Repository incident field to support new collections.
New: GIB Deface Source
New: Added a new incident field- GIB Deface Source that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Organization BSB
New: Added a new incident field- GIB Organization BSB that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Description
New: Added a new incident field- GIB Cybercriminal Threat Description that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Brand
New: Added a new incident field- GIB Phishing Brand that support new collections
(Available from Cortex XSIAM 2.0).
GIB Card Valid Thru
Updated the GIB Card Valid Thru incident field to support new collections.
New: GIB Downloaded From Table
New: Added a new incident field- GIB Downloaded From Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CNC
New: Added a new incident field- GIB CNC that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Events Information Table
New: Added a new incident field- GIB Compromised Events Information Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Request Body
New: Added a new incident field- GIB DDOS Request Body that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CNC URL
New: Added a new incident field- GIB CNC URL that support new collections
(Available from Cortex XSIAM 2.0).
GIB Email
Updated the GIB Email incident field to support new collections.
New: GIB Date First Seen
New: Added a new incident field- GIB Date First Seen that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Passwords
New: Added a new incident field- GIB Passwords that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Target Region
New: Added a new incident field- GIB Target Region that support new collections
(Available from Cortex XSIAM 2.0).
GIB HTML
Updated the GIB HTML incident field to support new collections.
New: GIB Nation-State Cybercriminals Malware
New: Added a new incident field- GIB Nation-State Cybercriminals Malware that support new collections
(Available from Cortex XSIAM 2.0).
GIB Admiralty Code
Updated the GIB Admiralty Code incident field to support new collections.
New: GIB Mirror Link
New: Added a new incident field- GIB Mirror Link that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Kit Source
New: Added a new incident field- GIB Phishing Kit Source that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Regions
New: Added a new incident field- GIB Cybercriminal Regions that support new collections
(Available from Cortex XSIAM 2.0).
GIB Card Issuer
Updated the GIB Card Issuer incident field to support new collections.
New: GIB Phishing Objectives
New: Added a new incident field- GIB Phishing Objectives that support new collections
(Available from Cortex XSIAM 2.0).
GIB Source
Updated the GIB Source incident field to support new collections.
New: GIB Cybercriminal Malware
New: Added a new incident field- GIB Cybercriminal Malware that support new collections
(Available from Cortex XSIAM 2.0).
GIB Card Type
Updated the GIB Card Type incident field to support new collections.
New: GIB DDOS Date Registration
New: Added a new incident field- GIB DDOS Date Registration that support new collections
(Available from Cortex XSIAM 2.0).
GIB Title
Updated the GIB Title incident field to support new collections.
New: GIB Malware Aliases
New: Added a new incident field- GIB Malware Aliases that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Report Number
New: Added a new incident field- GIB Report Number that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Provider Domain
New: Added a new incident field- GIB Provider Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Registrar
New: Added a new incident field- GIB Phishing Registrar that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Date Created At
New: Added a new incident field- GIB Date Created At that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Threat Actor Country
New: Added a new incident field- GIB Threat Actor Country that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Service IP
New: Added a new incident field- GIB Service IP that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor Goals
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Goals that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Reporter
New: Added a new incident field- GIB Reporter that support new collections
(Available from Cortex XSIAM 2.0).
GIB Favicon
Updated the GIB Favicon incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor Description
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Description that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Date Detected
New: Added a new incident field- GIB Phishing Date Detected that support new collections
(Available from Cortex XSIAM 2.0).
GIB Data Hash
Updated the GIB Data Hash incident field to support new collections.
New: GIB VPN Names
New: Added a new incident field- GIB VPN Names that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Matches Table
New: Added a new incident field- GIB Matches Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor Country
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Country that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Date Added
New: Added a new incident field- GIB Phishing Date Added that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Organization SWIFT
New: Added a new incident field- GIB Organization SWIFT that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CPE Table
New: Added a new incident field- GIB CPE Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Extended CVSS Exploitability
New: Added a new incident field- GIB Extended CVSS Exploitability that support new collections
(Available from Cortex XSIAM 2.0).
GIB Date Compromised
Updated the GIB Date Compromised incident field to support new collections.
New: GIB Extended CVSS Base
New: Added a new incident field- GIB Extended CVSS Base that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Regions
New: Added a new incident field- GIB Malware Regions that support new collections
(Available from Cortex XSIAM 2.0).
GIB Date Expired
Updated the GIB Date Expired incident field to support new collections.
New: GIB Organization BIC
New: Added a new incident field- GIB Organization BIC that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Service Domain
New: Added a new incident field- GIB Service Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Actor Reports Table
New: Added a new incident field- GIB Cybercriminal Threat Actor Reports Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Date Begin
New: Added a new incident field- GIB DDOS Date Begin that support new collections
(Available from Cortex XSIAM 2.0).
GIB Screenshot
Updated the GIB Screenshot incident field to support new collections.
New: GIB DDOS Date End
New: Added a new incident field- GIB DDOS Date End that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Extended CVSS Overall
New: Added a new incident field- GIB Extended CVSS Overall that support new collections
(Available from Cortex XSIAM 2.0).
GIB Name Servers
Updated the GIB Name Servers incident field to support new collections.
New: GIB Deface Date
New: Added a new incident field- GIB Deface Date that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Affected Software Table
New: Added a new incident field- GIB Affected Software Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Short Description
New: Added a new incident field- GIB Malware Short Description that support new collections
(Available from Cortex XSIAM 2.0).
GIB Related Indicators Data
Updated the GIB Related Indicators Data incident field to support new collections.
GIB Downloaded From
Updated the GIB Downloaded From incident field to support new collections.
New: GIB Target Domain Provider
New: Added a new incident field- GIB Target Domain Provider that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Protocol
New: Added a new incident field- GIB DDOS Protocol that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target ASN
New: Added a new incident field- GIB DDOS Target ASN that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Date Last Compromised
New: Added a new incident field- GIB Date Last Compromised that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Expertises
New: Added a new incident field- GIB Cybercriminal Expertises that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Langs
New: Added a new incident field- GIB Malware Langs that support new collections
(Available from Cortex XSIAM 2.0).
GIB Compromised Login
Updated the GIB Compromised Login incident field to support new collections.
New: GIB Extended CVSS Temporal
New: Added a new incident field- GIB Extended CVSS Temporal that support new collections
(Available from Cortex XSIAM 2.0).
GIB Leaked Data
Updated the GIB Leaked Data incident field to support new collections.
GIB Password
Updated the GIB Password incident field to support new collections.
GIB Threat Actor ID
Updated the GIB Threat Actor ID incident field to support new collections.
New: GIB Href
New: Added a new incident field- GIB Href that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Domain Puny
New: Added a new incident field- GIB Phishing Domain Puny that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Proxy Source
New: Added a new incident field- GIB Proxy Source that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing URLs
New: Added a new incident field- GIB Phishing URLs that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Domain
Updated the GIB Phishing Domain incident field to support new collections.
New: GIB Phishing IP Table
New: Added a new incident field- GIB Phishing IP Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Extended CVSS Impact
New: Added a new incident field- GIB Extended CVSS Impact that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Parsed Login Domain
New: Added a new incident field- GIB Parsed Login Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Description
New: Added a new incident field- GIB Malware Description that support new collections
(Available from Cortex XSIAM 2.0).
GIB Leak Name
Updated the GIB Leak Name incident field to support new collections.
GIB Threat Actor is APT
Updated the GIB Threat Actor is APT incident field to support new collections.
New: GIB Proxy Sources
New: Added a new incident field- GIB Proxy Sources that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Deface Site URL
New: Added a new incident field- GIB Deface Site URL that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware CNC Domain
New: Added a new incident field- GIB Malware CNC Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Parsed Login IP
New: Added a new incident field- GIB Parsed Login IP that support new collections
(Available from Cortex XSIAM 2.0).
GIB Target Category
Updated the GIB Target Category incident field to support new collections.
New: GIB Bulletin Family
New: Added a new incident field- GIB Bulletin Family that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target URL
New: Added a new incident field- GIB DDOS Target URL that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Duration
New: Added a new incident field- GIB DDOS Duration that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Sectors
New: Added a new incident field- GIB Nation-State Cybercriminals Sectors that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Title
New: Added a new incident field- GIB Cybercriminal Threat Title that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Target City
New: Added a new incident field- GIB Target City that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Leak Published
New: Added a new incident field- GIB Leak Published that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target IP
New: Added a new incident field- GIB DDOS Target IP that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CNC Domain
New: Added a new incident field- GIB CNC Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Actor Aliases
New: Added a new incident field- GIB Cybercriminal Threat Actor Aliases that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Category
New: Added a new incident field- GIB DDOS Target Category that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Target ASN
New: Added a new incident field- GIB Target ASN that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Source
New: Added a new incident field- GIB DDOS Source that support new collections
(Available from Cortex XSIAM 2.0).
GIB Card Number
Updated the GIB Card Number incident field to support new collections.
New: GIB Malware File hash
New: Added a new incident field- GIB Malware File hash that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Categories
New: Added a new incident field- GIB Malware Categories that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Actor Description
New: Added a new incident field- GIB Cybercriminal Threat Actor Description that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Title
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Title that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Status
Updated the GIB Phishing Status incident field to support new collections.
New: GIB Has Exploit
New: Added a new incident field- GIB Has Exploit that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Kit Table
New: Added a new incident field- GIB Phishing Kit Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Service URL
New: Added a new incident field- GIB Service URL that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Type
Updated the GIB Phishing Type incident field to support new collections.
New: GIB Date Add
New: Added a new incident field- GIB Date Add that support new collections
(Available from Cortex XSIAM 2.0).
GIB CVV
Updated the GIB CVV incident field to support new collections.
New: GIB Phishing Domain Expiration Date
New: Added a new incident field- GIB Phishing Domain Expiration Date that support new collections
(Available from Cortex XSIAM 2.0).
GIB Portal Link
Updated the GIB Portal Link incident field to support new collections.
New: GIB Date Updated At
New: Added a new incident field- GIB Date Updated At that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Threat Actors Table
New: Added a new incident field- GIB Threat Actors Table that support new collections
(Available from Cortex XSIAM 2.0).
GIB Person
Updated the GIB Person incident field to support new collections.
New: GIB Compromised Account
New: Added a new incident field- GIB Compromised Account that support new collections
(Available from Cortex XSIAM 2.0).
GIB Credibility
Updated the GIB Credibility incident field to support new collections.
GIB Severity
Updated the GIB Severity incident field to support new collections.
New: GIB DDOS Target Region
New: Added a new incident field- GIB DDOS Target Region that support new collections
(Available from Cortex XSIAM 2.0).
GIB Target Domain
Updated the GIB Target Domain incident field to support new collections.
New: GIB Extended Description
New: Added a new incident field- GIB Extended Description that support new collections
(Available from Cortex XSIAM 2.0).
GIB Threat Actor Name
Updated the GIB Threat Actor Name incident field to support new collections.
New: GIB Date Incident
New: Added a new incident field- GIB Date Incident that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Socks Proxy Source
New: Added a new incident field- GIB Socks Proxy Source that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Link List Table
New: Added a new incident field- GIB Link List Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Merged Cvss
New: Added a new incident field- GIB Merged Cvss that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Update Time
New: Added a new incident field- GIB Update Time that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB GIT Source
New: Added a new incident field- GIB GIT Source that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Sectors
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Sectors that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CNC Port
New: Added a new incident field- GIB CNC Port that support new collections
(Available from Cortex XSIAM 2.0).
GIB Date of Detection
Updated the GIB Date of Detection incident field to support new collections.
New: GIB Cybercriminal Sectors
New: Added a new incident field- GIB Cybercriminal Sectors that support new collections
(Available from Cortex XSIAM 2.0).
GIB Address
Updated the GIB Address incident field to support new collections.
New: GIB Proxy Type
New: Added a new incident field- GIB Proxy Type that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor Reports Table
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Reports Table that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Kit Emails
Updated the GIB Phishing Kit Emails incident field to support new collections.
GIB Date Created
Updated the GIB Date Created incident field to support new collections.
New: GIB DDOS Request Body Hash
New: Added a new incident field- GIB DDOS Request Body Hash that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Request Data Link
New: Added a new incident field- GIB DDOS Request Data Link that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Report Number
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Report Number that support new collections
(Available from Cortex XSIAM 2.0).
GIB Victim IP
Updated the GIB Victim IP incident field to support new collections.
New: GIB Upload Time
New: Added a new incident field- GIB Upload Time that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Provider
New: Added a new incident field- GIB DDOS Target Provider that support new collections
(Available from Cortex XSIAM 2.0).
GIB Reliability
Updated the GIB Reliability incident field to support new collections.
New: GIB Nation-State Cybercriminals Regions
New: Added a new incident field- GIB Nation-State Cybercriminals Regions that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Type
New: Added a new incident field- GIB DDOS Type that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor Labels
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Labels that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Organization CLABE
New: Added a new incident field- GIB Organization CLABE that support new collections
(Available from Cortex XSIAM 2.0).
GIB ID
Updated the GIB ID incident field to support new collections.
New: GIB Date Modified
New: Added a new incident field- GIB Date Modified that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Target IP
New: Added a new incident field- GIB Target IP that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Expertises
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Expertises that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Scanner Categories
New: Added a new incident field- GIB Scanner Categories that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Description
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Description that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Country Name
New: Added a new incident field- GIB Country Name that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Request Headers Hash
New: Added a new incident field- GIB DDOS Request Headers Hash that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Threat Level
New: Added a new incident field- GIB Threat Level that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Date Blocked
Updated the GIB Phishing Date Blocked incident field to support new collections.
New: GIB Vulnerability Type
New: Added a new incident field- GIB Vulnerability Type that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB VPN Sources
New: Added a new incident field- GIB VPN Sources that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Date Updated
New: Added a new incident field- GIB Phishing Date Updated that support new collections
(Available from Cortex XSIAM 2.0).
GIB Nation-State Cybercriminals Threat Actor Aliases
GIB Nation-State Cybercriminals Threat Actor Aliases supports new collections

(Available from Cortex XSIAM 2.0).

GIB Scanner Sources
GIB Scanner Sources now supports new collections
(Available from Cortex XSIAM 2.0).

Incident Types

New: GIB Cybercriminal Threat Actor
New: Added a new incident type- GIB Cybercriminal Threat Actor that supports new collections
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Phishing Kit
New: Added a new incident type- GIB Attacks Phishing Kit that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware
New: Added a new incident type- GIB Malware that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat
New: Added a new incident type- GIB Nation-State Cybercriminals Threat that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Account Group
New: Added a new incident type- GIB Compromised Account Group that support new collections
(Available from Cortex XSIAM 2.0).
GIB Compromised Card
Updated the GIB Compromised Card incident type to support new collections.
New: GIB Compromised Mule
New: Added a new incident type- GIB Compromised Mule that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP TOR Node
New: Added a new incident type- GIB Suspicious IP TOR Node that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor
New: Added a new incident type- GIB Nation-State Cybercriminals Threat Actor that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP Socks Proxy
New: Added a new incident type- GIB Suspicious IP Socks Proxy that support new collections
(Available from Cortex XSIAM 2.0).
GIB Targeted Malware
Updated the GIB Targeted Malware incident type to support new collections.
GIB Brand Protection Phishing
Updated the GIB Brand Protection Phishing incident type to support new collections.
GIB Compromised Account
Updated the GIB Compromised Account incident type to support new collections.
New: GIB Malware CNC
New: Added a new incident type- GIB Malware CNC that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Attacks DDOS
New: Added a new incident type- GIB Attacks DDOS that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP Scanner
New: Added a new incident type- GIB Suspicious IP Scanner that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Card Group
New: Added a new incident type- GIB Compromised Card Group that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP Open Proxy
New: Added a new incident type- GIB Suspicious IP Open Proxy that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP VPN
New: Added a new incident type- GIB Suspicious IP VPN that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB APT Threat
New: Added a new incident type- GIB APT Threat that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat
New: Added a new incident type- GIB Cybercriminal Threat that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Phishing Group
New: Added a new incident type- GIB Attacks Phishing Group that support new collections
(Available from Cortex XSIAM 2.0).
GIB OSI Git Leak
Updated the GIB OSI Git Leak incident type to support new collections.
GIB Brand Protection Phishing Kit
Updated the GIB Brand Protection Phishing Kit incident type to support new collections.
GIB Data Breach
Updated the GIB Data Breach incident type to support new collections.
GIB OSI Public Leak
Updated the GIB OSI Public Leak incident type to support new collections.
New: GIB OSI Vulnerability
New: Added a new incident type- GIB OSI Vulnerability that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Deface
New: Added a new incident type- GIB Attacks Deface that support new collections
(Available from Cortex XSIAM 2.0).

Indicator Fields

New: GIB Hash

New: Added a new indicator field- GIB Hash that support new collections
(Available from Cortex XSIAM 2.0).

GIB Threat Actor is APT

Updated the GIB Threat Actor is APT indicator field to support new collections.

GIB Admiralty Code

Updated the GIB Admiralty Code indicator field to support new collections.

GIB Proxy Anonymous

Updated the GIB Proxy Anonymous indicator field to support new collections.

GIB Threat Actor Name

Updated the GIB Threat Actor Name indicator field to support new collections.

GIB Collection

Updated the GIB Collection indicator field to support new collections.

GIB Severity

Updated the GIB Severity indicator field to support new collections.

GIB Reliability

Updated the GIB Reliability indicator field to support new collections.

GIB ID

Updated the GIB ID indicator field to support new collections.

GIB Credibility

Updated the GIB Credibility indicator field to support new collections.

GIB Threat Actor ID

Updated the GIB Threat Actor ID indicator field to support new collections.

GIB Malware Name

Updated the GIB Malware Name indicator field to support new collections.

Indicator Types

GIB Compromised Mule
Updated the GIB Compromised Mule indicator type to support new collections.
GIB Victim IP
Updated the GIB Victim IP indicator type to support new collections.
GIB Compromised IMEI
Updated the GIB Compromised IMEI. indicator type to support new collections.

Integrations

Group-IB Threat Intelligence

Added support for Hunting Rules parameter that to enable the collection of data using hunting rules, please select this parameter.
Deleted the gibtia-get-malware-targeted-malware-info command.
Deleted the gibtia-get-compromised-card-info command.
Deleted the gibtia-get-phishing-kit-info command.
Deleted the gibtia-get-phishing-info command.
Deleted the gibtia-get-compromised-imei-info command.
Added support for gibtia-get-suspicious-ip-vpn-info command that command performs group ib event lookup in suspicious_ip/vpn collection by provided id.
Added support for gibtia-get-suspicious-ip-scanner-info command that command performs group ib event lookup in suspicious_ip/scanner collection by provided id.
Added support for gibtia-get-phishing-group-info command that command performs group ib event lookup in attacks/phishing_group collection by provided id.
Added support for gibtia-get-compromised-card-group-info command that command performs group ib event lookup in compromised/bank_card_group collection by provided id.
Added support for gibtia-get-malware-malware-info command that command performs group ib event lookup in malware/malware collection by provided id.
Updated the Docker image to: demisto/vendors-sdk:1.0.0.2073752.

Group-IB Threat Intelligence Feed

Updated the Group-IB Threat Intelligence & Attribution Feed integration to support new collections.
Updated the Docker image to: demisto/vendors-sdk:1.0.0.2073752.

Layouts

GIB Compromised IMEI Layout
Updated the GIB Compromised IMEI Layout layout to support new collections.
New: GIB Cybercriminal Threat Layout
New: Added a new layout- GIB Cybercriminal Threat Layout that Layout for GIB Cybercriminal Threat
(Available from Cortex XSIAM 2.0).
GIB Compromised Card Layout
Updated the GIB Compromised Card Layout layout to support new collections.
New: GIB Cybercriminal Threat Actor Layout
New: Added a new layout- GIB Cybercriminal Threat Actor Layout that Layout for GIB Cybercriminal Threat Actor
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP VPN Layout
New: Added a new layout- GIB Suspicious IP VPN Layout that Layout for GIB Suspicious IP VPN
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Phishing Group Layout
New: Added a new layout- GIB Attacks Phishing Group Layout that Layout for GIB Attacks Phishing Group
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Deface Layout
New: Added a new layout- GIB Attacks Deface Layout that Layout for GIB Attacks Deface
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Phishing Kit Layout
New: Added a new layout- GIB Attacks Phishing Kit Layout that Layout for GIB Attacks Phishing Kit
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor Layout
New: Added a new layout- GIB Nation-State Cybercriminals Threat Actor Layout that Layout for Nation-State Cybercriminals Threat Actor
(Available from Cortex XSIAM 2.0).
GIB Data Breach Layout
Updated the GIB Data Breach Layout layout to support new collections.
New: GIB OSI Vulnerability Layout
New: Added a new layout- GIB OSI Vulnerability Layout that Layout for GIB OSI Vulnerability
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Card Group Layout
New: Added a new layout- GIB Compromised Card Group Layout that Layout for GIB Compromised Card Group
(Available from Cortex XSIAM 2.0).
GIB OSI Git Leak Layout
Updated the GIB OSI Git Leak Layout layout to support new collections.
New: GIB Attacks DDOS Layout
New: Added a new layout- GIB Attacks DDOS Layout that Layout for GIB Attacks DDOS
(Available from Cortex XSIAM 2.0).
New: GIB Malware Layout
New: Added a new layout- GIB Malware Layout that Layout for GIB Malware
(Available from Cortex XSIAM 2.0).
GIB OSI Public Leak Layout
Updated the GIB OSI Public Leak Layout layout to support new collections.
New: GIB Suspicious IP Scanner Layout
New: Added a new layout- GIB Suspicious IP Scanner Layout that Layout for GIB Suspicious IP Scanner
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Layout
New: Added a new layout- GIB Nation-State Cybercriminals Threat Layout that Layout for Nation-State Cybercriminals Threat
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Account Group Layout
New: Added a new layout- GIB Compromised Account Group Layout that Layout for GIB Compromised Account Group
(Available from Cortex XSIAM 2.0).
New: GIB APT Threat Layout
New: Added a new layout- GIB APT Threat Layout that Layout for GIB APT Threat
(Available from Cortex XSIAM 2.0).
New: GIB Malware CNC Layout
New: Added a new layout- GIB Malware CNC Layout that Layout for GIB Malware CNC
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP TOR Node Layout
New: Added a new layout- GIB Suspicious IP TOR Node Layout that Layout for GIB Suspicious IP TOR Node
(Available from Cortex XSIAM 2.0).
GIB Victim IP Layout
Updated the GIB Victim IP Layout layout to support new collections.
New: GIB Suspicious IP Socks Proxy Layout
New: Added a new layout- GIB Suspicious IP Socks Proxy Layout that Layout for GIB Suspicious IP Socks Proxy
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP Open Proxy Layout
New: Added a new layout- GIB Suspicious IP Open Proxy Layout that Layout for GIB Suspicious IP Open Proxy
(Available from Cortex XSIAM 2.0).
GIB Compromised Mule Layout
Updated the GIB Compromised Mule Layout layout to support new collections.
GIB Compromised Account Layout
Updated the GIB Compromised Account Layout layout to support new collections.

Mappers

Group-IB Threat Intelligence (mapper)

Updated the Group-IB Threat Intelligence (mapper) mapper to support new collections.

Playbooks

Incident Postprocessing - Group-IB Threat Intelligence & Attribution

Updated the Incident Postprocessing - Group-IB Threat Intelligence & Attribution playbook to support new collections.

Scripts

GIBIncidentUpdateIncludingClosed

Updated the GIBIncidentUpdateIncludingClosed script to support new collections.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

GIBIncidentUpdate

Updated the GIBIncidentUpdate script to support new collections.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39414
- 37239
- 38416
- 39402
- 38930
- 39389

Download

1.4.10 - 3042633 (April 2, 2025)

Integrations

Group-IB Threat Intelligence Feed

Metadata and documentation improvements.

Group-IB Threat Intelligence

Metadata and documentation improvements.

Scripts

GIBIncidentUpdateIncludingClosed

Metadata and documentation improvements.

GIBIncidentUpdate

Metadata and documentation improvements.

Related pull requests:
- 39131

Download

1.4.9 - R2988527 (March 26, 2025)

Group-IB Threat Intelligence

Documentation and metadata improvements.

Related pull requests:
- 38999

Download

1.4.8 - 1935630 (January 6, 2025)

Integrations

Group-IB Threat Intelligence

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37472

Download

1.4.7 - 1931958 (January 6, 2025)

Playbooks

Incident Postprocessing - Group-IB Threat Intelligence & Attribution

Documentation and metadata improvements.

Related pull requests:
- 37492

Download

1.4.6 - 1834150 (December 18, 2024)

Scripts

GIBIncidentUpdate

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

GIBIncidentUpdateIncludingClosed

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37754

Download

1.4.4 - 1809308 (December 15, 2024)

Integrations

Group-IB Threat Intelligence Feed

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37567
- 37564
- 37565

Download

1.4.3 - R1741355 (December 3, 2024)

Integrations

Group-IB Threat Intelligence

Updated the Docker image to: demisto/python3:3.11.10.116439.

Scripts

GIBIncidentUpdate

Updated the Docker image to: demisto/python3:3.11.10.116439.

GIBIncidentUpdateIncludingClosed

Updated the Docker image to: demisto/python3:3.11.10.116439.

Related pull requests:
- 37271

Download

1.4.2 - 1304994 (August 25, 2024)

Integrations

Group-IB Threat Intelligence Feed

Removed When removed from the feed option from Indicator Expiration Method
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 35873

Download

1.4.1 - R995825 (May 5, 2024)

GroupIB_ThreatIntelligenceAttribution

Fixed an issue where images with special chars were not displyed properly in the pack README file.

Related pull requests:
- 31421

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	May 13, 2021
Last Release	April 7, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.