Group-IB Threat Intelligence

Details
Content
Dependencies
Version History

Group-IB Threat Intelligence is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools, and activity. Use this pack to fast receive incidents related to you, attribute them to adversaries to do instant response, enrich your security with an enormous IOCs collection, and provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.

Nowadays businesses in any sphere may have problems with their cybersecurity: from simple phishing to professional cybercriminals, so it is very important to respond to incidents quickly.

Group-IB Threat Intelligence Pack can help you with managing your incident and indicators from Group-IB within the SOAR system.

What does this pack do?

Receive incidents and attribute them to adversaries.
Enrich security system with IOCs.
Provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.

As part of this pack, you will also get incident types, fields, and layouts; indicator types, fields, and layouts; the classifier and mapper for properly delivering data to these types and fields. Also, you will get a playbook, that enriches incidents, upcoming from Group-IB with threat reports and threat actor information.

Incident Postprocessing - Group-IB Threat Intelligence

Nowadays businesses in any sphere may have problems with their cybersecurity: from simple phishing to professional cybercriminals, so it is very important to respond to incidents quickly.

Group-IB Threat Intelligence Pack can help you with managing your incident and indicators from Group-IB within the SOAR system.

What does this pack do?

Receive incidents and attribute them to adversaries.
Enrich security system with IOCs.
Provide possibilities for manual investigation through Group-IB data via Cortex interface.

Incident Postprocessing - Group-IB Threat Intelligence

Automations

Name	Description
GIBIncidentUpdate	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GIBIncidentUpdateIncludingClosed	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script

Name

Description

GIBIncidentUpdate

This script prevents duplication of existing incidents.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:

For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations
For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script
For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script

GIBIncidentUpdateIncludingClosed

This script prevents duplication of existing incidents.

This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:

For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations
For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script
For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script

Classifiers

Name	Description
Group-IB Threat Intelligence (classifier)
Group-IB Threat Intelligence (mapper)

Incident Fields

Name	Description
GIB Link List
GIB Proxy Source
GIB Date Created
GIB Emails
GIB Nation-State Cybercriminals Threat Langs
GIB DDOS Target Domain
GIB DDOS Request Data Link
GIB Date Created At
GIB ID	ID of event in GIB TIA
GIB Cybercriminal Expertises
GIB Extended CVSS Base
GIB Cybercriminal Threat Title
GIB Threat Actors Table
GIB Proxy Port
GIB DDOS Target Provider
GIB Nation-State Cybercriminal Forums Table
GIB Cybercriminal Threat Actor Reports Table
GIB Link List Table
GIB Cybercriminal Sectors
GIB Passwords
GIB Cybercriminal Threat Actor Report Authors
GIB DDOS Protocol
GIB DDOS Target IP
GIB Title
GIB GIT Source
GIB Password
GIB DDOS Target Port
GIB Deface Date
GIB Nation-State Cybercriminals Threat Actor Reports Table
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Reporter
GIB Malware Short Description
GIB Update Time
GIB Repository
GIB Phishing Kit Email
GIB Inject MD5
GIB Threat Actor is APT
GIB DDOS Date Begin
GIB Payment System
GIB Date Add
GIB Drop Email Domain
GIB Phishing Domain
GIB Phishing Kit Emails
GIB Threat Actor Name
GIB Cybercriminal Threat Actor Description
GIB Email
GIB Extended Description
GIB Source	Where the feed comes from to GIB
GIB Screenshot
GIB Address
GIB Parsed Login Domain
GIB Phishing Date Updated
GIB Date Expired
GIB Merged Cvss
GIB Malware Platforms
GIB Downloaded From
GIB Malware Categories
GIB CNC Port
GIB Nation-State Cybercriminals Sectors
GIB Drop Email
GIB Target Region
GIB Phishing Sources
GIB Phishing Date Added
GIB Nation-State Cybercriminals Threat Title
GIB Provider Domain
GIB Phishing Objectives
GIB Cybercriminal Malware
GIB Target City
GIB DDOS Type
GIB DDOS Request Body Hash
GIB Malware Aliases
GIB Phishing Domain Puny
GIB Malware Name
GIB Socks Proxy Source
GIB Downloaded From Table
GIB Cybercriminal Regions
GIB Malware Source Countries
GIB Phishing Kit Table
GIB Href
GIB Matches Table
GIB Upload Time
GIB Target Brand
GIB CPE Table
GIB Proxy Type
GIB Extended CVSS Overall
GIB Phishing Date Detected
GIB Compromised Events Table
GIB Compromised Account
GIB Data Hash
GIB Service URL
GIB Reliability	Reliability of the source
GIB Phishing Brand
GIB Organization SWIFT
GIB Date Last Seen
GIB DDOS Target Country Name
GIB Compromised Login
GIB Threat Level
GIB Target Domain Provider
GIB Organization BIC
GIB Phishing Status
GIB Date Compromised
GIB CNC Domain
GIB Date Updated At
GIB DDOS Source
GIB Target IP
GIB Card Issuer	Issuer of compromised card
GIB DDOS Duration
GIB Cybercriminal Threat Description
GIB Date First Compromised
GIB DDOS Request Body
GIB DDOS Target Region
GIB Malware Langs
GIB Phishing Domain Expiration Date
GIB Organization BSB
GIB DDOS Request Headers Hash
GIB Organization IBAN
GIB Date Modified
GIB Nation-State Cybercriminals Threat Description
GIB Nation-State Cybercriminals Malware
GIB Phishing Date Blocked
GIB Cybercriminal Threat Actor Aliases
GIB CVSS Score
GIB DDOS Request Headers Body
GIB Has Exploit
GIB Nation-State Cybercriminals Threat Report Number
GIB Related Indicators Data
GIB CNC URL
GIB Malware File hash
GIB Inject Dump
GIB VPN Sources
GIB Nation-State Cybercriminals Threat Actor Aliases
GIB Email Domains
GIB VPN Names
GIB Card Number
GIB Extended CVSS Temporal
GIB Card Type
GIB Nation-State Cybercriminals Threat Actor CVE
GIB Favicon
GIB Proxy Sources
GIB Target Category
GIB Revisions
GIB Nation-State Cybercriminals Threat Actor Roles
GIB Affected Software Table
GIB Service IP
GIB Date First Seen
GIB DDOS Target ASN
GIB Nation-State Cybercriminals Threat Actor Description
GIB Credibility	Level of confidence on the information
GIB HTML
GIB Scanner Categories
GIB Organization CLABE
GIB Phishing IP Table
GIB Card Valid Thru
GIB Compromised Events Information Table
GIB Malware Table
GIB Phishing Kit Source
GIB Matches
GIB Leaked Data
GIB Malware CNC Domain
GIB Person
GIB Extended CVSS Impact
GIB Country Name
GIB Date Published
GIB Cybercriminal Forums Table
GIB Malware Regions
GIB DDOS Target City
GIB CVSS Vector
GIB Vulnerability Type
GIB Portal Link
GIB DDOS Target URL
GIB Nation-State Cybercriminals Threat Actor Goals
GIB Malware Description
GIB Mirror Link
GIB Parsed Login IP
GIB Deface Source
GIB Phishing Registrar
GIB DDOS Target Country Code
GIB Nation-State Cybercriminals Threat Regions
GIB Phishing URLs
GIB Severity
GIB Leak Name
GIB Organization Name
GIB DDOS Date Registration
GIB Deface Site URL
GIB Threat Actor Country
GIB Target ASN
GIB Leak Published
GIB Phishing Kit Hash
GIB Nation-State Cybercriminals Threat Countries
GIB Leaked File Name
GIB Threat Actor ID
GIB Service Domain
GIB DDOS Target Category
GIB DDOS Date End
GIB Is Tailored
GIB OSI Git Repository Files Table
GIB Nation-State Cybercriminals Regions
GIB Extended CVSS Exploitability
GIB Date Incident
GIB Date Last Compromised
GIB Bulletin Family
GIB Country Code
GIB Report Number
GIB CNC
GIB Target Provider
GIB CVV	Compromised card CVV
GIB Phishing Kit Path
GIB Nation-State Cybercriminals Threat Sectors
GIB Name Servers
GIB Nation-State Cybercriminals Expertises
GIB Victim IP
GIB Deface Contacts
GIB Date of Detection
GIB Nation-State Cybercriminals Threat Actor Labels
GIB Phishing Type
GIB Target Domain
GIB Nation-State Cybercriminals Threat Actor Country
GIB Nation-State Cybercriminals Threat Expertises
GIB Scanner Sources

Incident Types

Name	Description
GIB Attacks DDOS
GIB Cybercriminal Threat
GIB APT Threat
GIB Data Breach
GIB OSI Vulnerability
GIB Compromised Account
GIB Suspicious IP Open Proxy
GIB Brand Protection Phishing Kit
GIB Nation-State Cybercriminals Threat
GIB Suspicious IP VPN
GIB Attacks Deface
GIB Targeted Malware
GIB Compromised Account Group
GIB Suspicious IP Socks Proxy
GIB Malware
GIB Suspicious IP Scanner
GIB Attacks Phishing Kit
GIB Compromised Card
GIB Brand Protection Phishing
GIB OSI Git Leak
GIB Nation-State Cybercriminals Threat Actor
GIB Attacks Phishing Group
GIB Suspicious IP TOR Node
GIB Cybercriminal Threat Actor
GIB Compromised Card Group
GIB Compromised Mule
GIB Malware CNC
GIB OSI Public Leak

Indicator Fields

Name	Description
GIB Target Domain	What domain was targeted by phishing
GIB File Name
GIB Collection
GIB Reliability	Reliability of the source
GIB Threat Actor ID
GIB Credibility	Level of confidence on the information
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB ID	ID of event in GIB TI&A
GIB Threat Actor Name
GIB Software Mixed
GIB Phishing Title
GIB Malware Name
GIB Hash
GIB Proxy Port
GIB Proxy Anonymous	Level of anonymous
GIB CVSS Vector
GIB Severity
GIB Target Category	What category was targeted by phishing
GIB Target Brand	What brand was targeted by phishing
GIB Date Compromised
GIB Threat Actor is APT

Integrations

Name	Description
Group-IB Threat Intelligence Feed (Partner Contribution)	Use Group-IB Threat Intelligence Feed integration to fetch IOCs from various Group-IB collections.
Group-IB Threat Intelligence (Partner Contribution)	Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex XSOAR. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware.

Layouts

Name	Description
GIB Attacks DDOS Layout	Layout for GIB Attacks DDOS
GIB Compromised Card Group Layout	Layout for GIB Compromised Card Group
GIB Cybercriminal Threat Actor Layout	Layout for GIB Cybercriminal Threat Actor
GIB Suspicious IP Open Proxy Layout	Layout for GIB Suspicious IP Open Proxy
GIB OSI Vulnerability Layout	Layout for GIB OSI Vulnerability
GIB Data Breach Layout	Layout for GIB Data Breach
GIB Attacks Phishing Kit Layout	Layout for GIB Attacks Phishing Kit
GIB Attacks Phishing Group Layout	Layout for GIB Attacks Phishing Group
GIB Compromised Account Layout	Layout for GIB Compromised Account
GIB Suspicious IP Scanner Layout	Layout for GIB Suspicious IP Scanner
GIB OSI Git Leak Layout	Layout for GIB OSI Git Leak
GIB Compromised Card Layout	Layout for GIB Compromised Card
GIB Suspicious IP Socks Proxy Layout	Layout for GIB Suspicious IP Socks Proxy
GIB Brand Protection Phishing Layout	Layout for GIB Brand Protection Phishing
GIB Compromised Account Group Layout	Layout for GIB Compromised Account Group
GIB OSI Public Leak Layout	Layout for GIB OSI Public Leak
GIB Suspicious IP VPN Layout	Layout for GIB Suspicious IP VPN
GIB Malware Layout	Layout for GIB Malware
GIB Nation-State Cybercriminals Threat Actor Layout	Layout for Nation-State Cybercriminals Threat Actor
GIB APT Threat Layout	Layout for GIB APT Threat
GIB Malware CNC Layout	Layout for GIB Malware CNC
GIB Compromised Mule Layout	Layout for GIB Compromised Mule
GIB Cybercriminal Threat Layout	Layout for GIB Cybercriminal Threat
GIB Brand Protection Phishing Kit Layout	Layout for GIB Brand Protection Phishing Kit
GIB Nation-State Cybercriminals Threat Layout	Layout for Nation-State Cybercriminals Threat
GIB Suspicious IP TOR Node Layout	Layout for GIB Suspicious IP TOR Node
GIB Compromised IMEI Layout	Layout for GIB Compromised IMEI
GIB Targeted Malware Layout	Layout for GIB Targeted Malware
GIB Attacks Deface Layout	Layout for GIB Attacks Deface
GIB Victim IP Layout	Layout for GIB Victim IP

Playbooks

Name	Description
Incident Postprocessing - Group-IB Threat Intelligence & Attribution	Obtains additional information on the threat actor involved in the incident and associates related indicators to the incident.

Preprocessrule

Name	Description
gib_rule

Indicator Types

Name	Description
GIB Compromised Mule
GIB Victim IP
GIB Compromised IMEI

Automations

Name	Description
GIBIncidentUpdateIncludingClosed	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GIBAlertUpdateIncludingClosed	This script prevents duplication of existing alerts. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GIBIncidentUpdate	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script
GIBAlertUpdate	This script prevents duplication of existing alerts. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script

Classifiers

Name	Description
Group-IB Threat Intelligence (classifier)
Group-IB Threat Intelligence (mapper)

Incident Fields

Name	Description
GIB Phishing Date Added
GIB DDOS Type
GIB Compromised Events Information Table
GIB Card Number
GIB Phishing Status
GIB Proxy Port
GIB Target Region
GIB Extended CVSS Overall
GIB Target Domain Provider
GIB Malware Aliases
GIB Revisions
GIB Organization SWIFT
GIB Cybercriminal Threat Actor Aliases
GIB Emails
GIB Date of Detection
GIB Matches
GIB Nation-State Cybercriminals Threat Actor Country
GIB Phishing Domain Expiration Date
GIB Nation-State Cybercriminals Threat Actor Aliases
GIB Compromised Login
GIB Socks Proxy Source
GIB Malware File hash
GIB Threat Actor Country
GIB Malware Platforms
GIB Date Created
GIB Target City
GIB Target ASN
GIB Provider Domain
GIB CNC Port
GIB Nation-State Cybercriminals Threat Countries
GIB Service Domain
GIB Organization BSB
GIB Nation-State Cybercriminals Threat Description
GIB Nation-State Cybercriminals Threat Expertises
GIB Nation-State Cybercriminals Expertises
GIB Deface Source
GIB Extended CVSS Exploitability
GIB Phishing Domain Puny
GIB Credibility	Level of confidence on the information
GIB ID	ID of event in GIB TIA
GIB Date Published
GIB Extended CVSS Impact
GIB Extended Description
GIB Threat Actors Table
GIB Has Exploit
GIB Nation-State Cybercriminals Threat Actor Labels
GIB Mirror Link
GIB DDOS Target IP
GIB Phishing Kit Emails
GIB Country Code
GIB Proxy Type
GIB Malware Description
GIB Leak Published
GIB Affected Software Table
GIB CNC Domain
GIB Malware Name
GIB Card Type
GIB DDOS Target Country Name
GIB Malware Regions
GIB Proxy Source
GIB Threat Actor ID
GIB Scanner Sources
GIB Country Name
GIB DDOS Target Provider
GIB DDOS Target Country Code
GIB Proxy Sources
GIB Person
GIB Nation-State Cybercriminals Threat Actor Reports Table
GIB Target Brand
GIB Link List Table
GIB Nation-State Cybercriminals Sectors
GIB Leaked Data
GIB Phishing Registrar
GIB Password
GIB Extended CVSS Temporal
GIB DDOS Target Category
GIB Malware Table
GIB Email Domains
GIB Screenshot
GIB DDOS Source
GIB CVSS Vector
GIB DDOS Request Body Hash
GIB Card Issuer	Issuer of compromised card
GIB Drop Email
GIB CNC
GIB Parsed Login Domain
GIB Nation-State Cybercriminals Regions
GIB Malware Langs
GIB Payment System
GIB Malware Categories
GIB Cybercriminal Forums Table
GIB Nation-State Cybercriminal Forums Table
GIB DDOS Target City
GIB Phishing Type
GIB Malware Short Description
GIB Passwords
GIB Target Domain
GIB Deface Contacts
GIB Href
GIB Date First Seen
GIB Email
GIB Parsed Login IP
GIB Nation-State Cybercriminals Threat Actor Roles
GIB Service IP
GIB Organization IBAN
GIB Phishing Date Detected
GIB Service URL
GIB Threat Actor Name
GIB Cybercriminal Threat Actor Reports Table
GIB Deface Site URL
GIB Phishing Objectives
GIB Malware CNC Domain
GIB Nation-State Cybercriminals Threat Langs
GIB Nation-State Cybercriminals Threat Actor CVE
GIB DDOS Duration
GIB Cybercriminal Sectors
GIB Phishing Kit Source
GIB Date Created At
GIB DDOS Target Region
GIB Portal Link
GIB Date Compromised
GIB Repository
GIB Cybercriminal Threat Title
GIB DDOS Request Data Link
GIB Organization BIC
GIB DDOS Request Headers Hash
GIB CNC URL
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Phishing Kit Hash
GIB Nation-State Cybercriminals Threat Regions
GIB Target Provider
GIB VPN Names
GIB Compromised Events Table
GIB Date Last Seen
GIB Source	Where the feed comes from to GIB
GIB OSI Git Repository Files Table
GIB DDOS Target Port
GIB Inject Dump
GIB CPE Table
GIB CVV	Compromised card CVV
GIB Malware Source Countries
GIB DDOS Target URL
GIB Threat Actor is APT
GIB Threat Level
GIB Related Indicators Data
GIB Phishing Date Blocked
GIB Target Category
GIB Nation-State Cybercriminals Threat Title
GIB Phishing URLs
GIB Favicon
GIB DDOS Protocol
GIB Date Expired
GIB DDOS Request Headers Body
GIB Nation-State Cybercriminals Threat Sectors
GIB Phishing Kit Path
GIB VPN Sources
GIB Address
GIB Cybercriminal Threat Actor Description
GIB Update Time
GIB Cybercriminal Expertises
GIB Date Modified
GIB DDOS Date End
GIB Cybercriminal Threat Description
GIB Compromised Account
GIB DDOS Target Domain
GIB DDOS Request Body
GIB Reporter
GIB Bulletin Family
GIB Name Servers
GIB Scanner Categories
GIB Phishing Sources
GIB Cybercriminal Regions
GIB Upload Time
GIB Target IP
GIB Reliability	Reliability of the source
GIB Deface Date
GIB Victim IP
GIB Nation-State Cybercriminals Malware
GIB Is Tailored
GIB Downloaded From Table
GIB Phishing Kit Email
GIB Downloaded From
GIB Extended CVSS Base
GIB CVSS Score
GIB Phishing IP Table
GIB HTML
GIB DDOS Target ASN
GIB DDOS Date Registration
GIB Date Incident
GIB Card Valid Thru
GIB Date First Compromised
GIB Phishing Brand
GIB Phishing Domain
GIB GIT Source
GIB Severity
GIB Organization Name
GIB Link List
GIB Merged Cvss
GIB Nation-State Cybercriminals Threat Report Number
GIB Cybercriminal Threat Actor Report Authors
GIB Phishing Date Updated
GIB Leak Name
GIB Matches Table
GIB Drop Email Domain
GIB Date Updated At
GIB Nation-State Cybercriminals Threat Actor Goals
GIB DDOS Date Begin
GIB Phishing Kit Table
GIB Date Last Compromised
GIB Organization CLABE
GIB Date Add
GIB Vulnerability Type
GIB Cybercriminal Malware
GIB Title
GIB Nation-State Cybercriminals Threat Actor Description
GIB Data Hash
GIB Report Number

Incident Types

Name	Description
GIB Compromised Mule
GIB Brand Protection Phishing Kit
GIB Malware CNC
GIB Malware
GIB Nation-State Cybercriminals Threat Actor
GIB OSI Public Leak
GIB Nation-State Cybercriminals Threat
GIB Data Breach
GIB Compromised Account
GIB Suspicious IP TOR Node
GIB Compromised Account Group
GIB Compromised Card
GIB Attacks DDOS
GIB Cybercriminal Threat Actor
GIB Attacks Deface
GIB Brand Protection Phishing
GIB Attacks Phishing Group
GIB Compromised Card Group
GIB APT Threat
GIB Attacks Phishing Kit
GIB Suspicious IP Open Proxy
GIB Cybercriminal Threat
GIB OSI Vulnerability
GIB OSI Git Leak
GIB Suspicious IP VPN
GIB Targeted Malware
GIB Suspicious IP Scanner
GIB Suspicious IP Socks Proxy

Indicator Fields

Name	Description
GIB Software Mixed
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Reliability	Reliability of the source
GIB Proxy Port
GIB Target Domain	What domain was targeted by phishing
GIB Severity
GIB Malware Name
GIB Target Brand	What brand was targeted by phishing
GIB ID	ID of event in GIB TI&A
GIB Phishing Title
GIB Collection
GIB File Name
GIB CVSS Vector
GIB Threat Actor ID
GIB Date Compromised
GIB Hash
GIB Proxy Anonymous	Level of anonymous
GIB Threat Actor Name
GIB Target Category	What category was targeted by phishing
GIB Threat Actor is APT
GIB Credibility	Level of confidence on the information

Integrations

Name	Description
Group-IB Threat Intelligence (Partner Contribution)	Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware.
Group-IB Threat Intelligence Feed (Partner Contribution)	Use Group-IB Threat Intelligence Feed integration to fetch IOCs from various Group-IB collections.

Layouts

Name	Description
GIB Compromised Card Group Layout	Layout for GIB Compromised Card Group
GIB Compromised IMEI Layout	Layout for GIB Compromised IMEI
GIB APT Threat Layout	Layout for GIB APT Threat
GIB OSI Vulnerability Layout	Layout for GIB OSI Vulnerability
GIB Nation-State Cybercriminals Threat Actor Layout	Layout for Nation-State Cybercriminals Threat Actor
GIB Malware CNC Layout	Layout for GIB Malware CNC
GIB Suspicious IP TOR Node Layout	Layout for GIB Suspicious IP TOR Node
GIB Suspicious IP Scanner Layout	Layout for GIB Suspicious IP Scanner
GIB Suspicious IP VPN Layout	Layout for GIB Suspicious IP VPN
GIB Victim IP Layout	Layout for GIB Victim IP
GIB Suspicious IP Open Proxy Layout	Layout for GIB Suspicious IP Open Proxy
GIB Compromised Account Layout	Layout for GIB Compromised Account
GIB Attacks Phishing Kit Layout	Layout for GIB Attacks Phishing Kit
GIB Cybercriminal Threat Layout	Layout for GIB Cybercriminal Threat
GIB Attacks DDOS Layout	Layout for GIB Attacks DDOS
GIB Attacks Deface Layout	Layout for GIB Attacks Deface
GIB Malware Layout	Layout for GIB Malware
GIB Nation-State Cybercriminals Threat Layout	Layout for Nation-State Cybercriminals Threat
GIB Compromised Account Group Layout	Layout for GIB Compromised Account Group
GIB Cybercriminal Threat Actor Layout	Layout for GIB Cybercriminal Threat Actor
GIB OSI Public Leak Layout	Layout for GIB OSI Public Leak
GIB Compromised Card Layout	Layout for GIB Compromised Card
GIB Suspicious IP Socks Proxy Layout	Layout for GIB Suspicious IP Socks Proxy
GIB Attacks Phishing Group Layout	Layout for GIB Attacks Phishing Group
GIB Data Breach Layout	Layout for GIB Data Breach
GIB OSI Git Leak Layout	Layout for GIB OSI Git Leak
GIB Compromised Mule Layout	Layout for GIB Compromised Mule

Playbooks

Name	Description
Alert Postprocessing - Group-IB Threat Intelligence & Attribution	Obtains additional information on the threat actor involved in the alert and associates related indicators to the alert.
Alert Postprocessing - Group-IB Threat Intelligence & Attribution	Obtains additional information on the threat actor involved in the alert and associates related indicators to the alert.

Indicator Types

Name	Description
GIB Victim IP
GIB Compromised Mule
GIB Compromised IMEI

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

2.0.1 - R3398781 (May 13, 2025)

Integrations

Group-IB Threat Intelligence Feed

Updated the Docker image to: demisto/vendors-sdk:1.0.0.3242986.

Group-IB Threat Intelligence

Updated the Docker image to: demisto/vendors-sdk:1.0.0.3242986.

Related pull requests:
- 39725

Download

2.0.0 - 3079234 (April 7, 2025)

Classifiers

Group-IB Threat Intelligence (classifier)

Updated the Group-IB Threat Intelligence (classifier) classifier to support new collections.

Incident Fields

New: GIB Cybercriminal Forums Table
New: Added a new incident field- GIB Cybercriminal Forums Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CVSS Score
New: Added a new incident field- GIB CVSS Score that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Country Code
New: Added a new incident field- GIB Country Code that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Actor Report Authors
New: Added a new incident field- GIB Cybercriminal Threat Actor Report Authors that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Date Last Seen
New: Added a new incident field- GIB Date Last Seen that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Target Brand
Updated the GIB Target Brand incident field to support new collections.
New: GIB CVSS Vector
New: Added a new incident field- GIB CVSS Vector that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Is Tailored
New: Added a new incident field- GIB Is Tailored that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Platforms
New: Added a new incident field- GIB Malware Platforms that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Expertises
New: Added a new incident field- GIB Nation-State Cybercriminals Expertises that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Email Domains
New: Added a new incident field- GIB Email Domains that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Country Name
New: Added a new incident field- GIB DDOS Target Country Name that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Inject Dump
Updated the GIB Inject Dump incident field to support new collections.
New: GIB Organization Name
New: Added a new incident field- GIB Organization Name that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Proxy Port
New: Added a new incident field- GIB Proxy Port that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Port
New: Added a new incident field- GIB DDOS Target Port that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Phishing Kit Hash
Updated the GIB Phishing Kit Hash incident field to support new collections.
GIB Malware Name
Updated the GIB Malware Name incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Langs
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Langs that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Kit Email
New: Added a new incident field- GIB Phishing Kit Email that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Domain
New: Added a new incident field- GIB DDOS Target Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Regions
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Regions that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Target Provider
New: Added a new incident field- GIB Target Provider that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Source Countries
New: Added a new incident field- GIB Malware Source Countries that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Date Published
New: Added a new incident field- GIB Date Published that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Country Code
New: Added a new incident field- GIB DDOS Target Country Code that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Drop Email Domain
Updated the GIB Drop Email Domain incident field to support new collections.
New: GIB Date First Compromised
New: Added a new incident field- GIB Date First Compromised that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Payment System
Updated the GIB Payment System incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor Roles
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Roles that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Kit Path
New: Added a new incident field- GIB Phishing Kit Path that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Table
New: Added a new incident field- GIB Malware Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Sources
New: Added a new incident field- GIB Phishing Sources that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Request Headers Body
New: Added a new incident field- GIB DDOS Request Headers Body that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminal Forums Table
New: Added a new incident field- GIB Nation-State Cybercriminal Forums Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Countries
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Countries that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB OSI Git Repository Files Table
New: Added a new incident field- GIB OSI Git Repository Files Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Emails
New: Added a new incident field- GIB Emails that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target City
New: Added a new incident field- GIB DDOS Target City that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Drop Email
Updated the GIB Drop Email incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor CVE
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor CVE that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Deface Contacts
New: Added a new incident field- GIB Deface Contacts that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Organization IBAN
New: Added a new incident field- GIB Organization IBAN that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Events Table
New: Added a new incident field- GIB Compromised Events Table that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Repository
Updated the GIB Repository incident field to support new collections.
New: GIB Deface Source
New: Added a new incident field- GIB Deface Source that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Organization BSB
New: Added a new incident field- GIB Organization BSB that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Description
New: Added a new incident field- GIB Cybercriminal Threat Description that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Brand
New: Added a new incident field- GIB Phishing Brand that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Card Valid Thru
Updated the GIB Card Valid Thru incident field to support new collections.
New: GIB Downloaded From Table
New: Added a new incident field- GIB Downloaded From Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CNC
New: Added a new incident field- GIB CNC that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Events Information Table
New: Added a new incident field- GIB Compromised Events Information Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Request Body
New: Added a new incident field- GIB DDOS Request Body that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CNC URL
New: Added a new incident field- GIB CNC URL that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Email
Updated the GIB Email incident field to support new collections.
New: GIB Date First Seen
New: Added a new incident field- GIB Date First Seen that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Passwords
New: Added a new incident field- GIB Passwords that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Target Region
New: Added a new incident field- GIB Target Region that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB HTML
Updated the GIB HTML incident field to support new collections.
New: GIB Nation-State Cybercriminals Malware
New: Added a new incident field- GIB Nation-State Cybercriminals Malware that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Admiralty Code
Updated the GIB Admiralty Code incident field to support new collections.
New: GIB Mirror Link
New: Added a new incident field- GIB Mirror Link that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Kit Source
New: Added a new incident field- GIB Phishing Kit Source that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Regions
New: Added a new incident field- GIB Cybercriminal Regions that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Card Issuer
Updated the GIB Card Issuer incident field to support new collections.
New: GIB Phishing Objectives
New: Added a new incident field- GIB Phishing Objectives that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Source
Updated the GIB Source incident field to support new collections.
New: GIB Cybercriminal Malware
New: Added a new incident field- GIB Cybercriminal Malware that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Card Type
Updated the GIB Card Type incident field to support new collections.
New: GIB DDOS Date Registration
New: Added a new incident field- GIB DDOS Date Registration that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Title
Updated the GIB Title incident field to support new collections.
New: GIB Malware Aliases
New: Added a new incident field- GIB Malware Aliases that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Report Number
New: Added a new incident field- GIB Report Number that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Provider Domain
New: Added a new incident field- GIB Provider Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Registrar
New: Added a new incident field- GIB Phishing Registrar that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Date Created At
New: Added a new incident field- GIB Date Created At that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Threat Actor Country
New: Added a new incident field- GIB Threat Actor Country that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Service IP
New: Added a new incident field- GIB Service IP that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Actor Goals
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Goals that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Reporter
New: Added a new incident field- GIB Reporter that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Favicon
Updated the GIB Favicon incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor Description
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Description that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Date Detected
New: Added a new incident field- GIB Phishing Date Detected that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Data Hash
Updated the GIB Data Hash incident field to support new collections.
New: GIB VPN Names
New: Added a new incident field- GIB VPN Names that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Matches Table
New: Added a new incident field- GIB Matches Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Actor Country
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Country that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Date Added
New: Added a new incident field- GIB Phishing Date Added that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Organization SWIFT
New: Added a new incident field- GIB Organization SWIFT that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CPE Table
New: Added a new incident field- GIB CPE Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Extended CVSS Exploitability
New: Added a new incident field- GIB Extended CVSS Exploitability that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Date Compromised
Updated the GIB Date Compromised incident field to support new collections.
New: GIB Extended CVSS Base
New: Added a new incident field- GIB Extended CVSS Base that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Regions
New: Added a new incident field- GIB Malware Regions that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Date Expired
Updated the GIB Date Expired incident field to support new collections.
New: GIB Organization BIC
New: Added a new incident field- GIB Organization BIC that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Service Domain
New: Added a new incident field- GIB Service Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Actor Reports Table
New: Added a new incident field- GIB Cybercriminal Threat Actor Reports Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Date Begin
New: Added a new incident field- GIB DDOS Date Begin that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Screenshot
Updated the GIB Screenshot incident field to support new collections.
New: GIB DDOS Date End
New: Added a new incident field- GIB DDOS Date End that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Extended CVSS Overall
New: Added a new incident field- GIB Extended CVSS Overall that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Name Servers
Updated the GIB Name Servers incident field to support new collections.
New: GIB Deface Date
New: Added a new incident field- GIB Deface Date that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Affected Software Table
New: Added a new incident field- GIB Affected Software Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Short Description
New: Added a new incident field- GIB Malware Short Description that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Related Indicators Data
Updated the GIB Related Indicators Data incident field to support new collections.
GIB Downloaded From
Updated the GIB Downloaded From incident field to support new collections.
New: GIB Target Domain Provider
New: Added a new incident field- GIB Target Domain Provider that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Protocol
New: Added a new incident field- GIB DDOS Protocol that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target ASN
New: Added a new incident field- GIB DDOS Target ASN that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Date Last Compromised
New: Added a new incident field- GIB Date Last Compromised that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Expertises
New: Added a new incident field- GIB Cybercriminal Expertises that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Langs
New: Added a new incident field- GIB Malware Langs that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Compromised Login
Updated the GIB Compromised Login incident field to support new collections.
New: GIB Extended CVSS Temporal
New: Added a new incident field- GIB Extended CVSS Temporal that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Leaked Data
Updated the GIB Leaked Data incident field to support new collections.
GIB Password
Updated the GIB Password incident field to support new collections.
GIB Threat Actor ID
Updated the GIB Threat Actor ID incident field to support new collections.
New: GIB Href
New: Added a new incident field- GIB Href that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Domain Puny
New: Added a new incident field- GIB Phishing Domain Puny that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Proxy Source
New: Added a new incident field- GIB Proxy Source that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing URLs
New: Added a new incident field- GIB Phishing URLs that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Phishing Domain
Updated the GIB Phishing Domain incident field to support new collections.
New: GIB Phishing IP Table
New: Added a new incident field- GIB Phishing IP Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Extended CVSS Impact
New: Added a new incident field- GIB Extended CVSS Impact that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Parsed Login Domain
New: Added a new incident field- GIB Parsed Login Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Description
New: Added a new incident field- GIB Malware Description that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Leak Name
Updated the GIB Leak Name incident field to support new collections.
GIB Threat Actor is APT
Updated the GIB Threat Actor is APT incident field to support new collections.
New: GIB Proxy Sources
New: Added a new incident field- GIB Proxy Sources that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Deface Site URL
New: Added a new incident field- GIB Deface Site URL that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware CNC Domain
New: Added a new incident field- GIB Malware CNC Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Parsed Login IP
New: Added a new incident field- GIB Parsed Login IP that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Target Category
Updated the GIB Target Category incident field to support new collections.
New: GIB Bulletin Family
New: Added a new incident field- GIB Bulletin Family that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target URL
New: Added a new incident field- GIB DDOS Target URL that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Duration
New: Added a new incident field- GIB DDOS Duration that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Sectors
New: Added a new incident field- GIB Nation-State Cybercriminals Sectors that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Title
New: Added a new incident field- GIB Cybercriminal Threat Title that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Target City
New: Added a new incident field- GIB Target City that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Leak Published
New: Added a new incident field- GIB Leak Published that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target IP
New: Added a new incident field- GIB DDOS Target IP that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CNC Domain
New: Added a new incident field- GIB CNC Domain that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Actor Aliases
New: Added a new incident field- GIB Cybercriminal Threat Actor Aliases that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Category
New: Added a new incident field- GIB DDOS Target Category that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Target ASN
New: Added a new incident field- GIB Target ASN that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Source
New: Added a new incident field- GIB DDOS Source that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Card Number
Updated the GIB Card Number incident field to support new collections.
New: GIB Malware File hash
New: Added a new incident field- GIB Malware File hash that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Categories
New: Added a new incident field- GIB Malware Categories that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat Actor Description
New: Added a new incident field- GIB Cybercriminal Threat Actor Description that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Title
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Title that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Phishing Status
Updated the GIB Phishing Status incident field to support new collections.
New: GIB Has Exploit
New: Added a new incident field- GIB Has Exploit that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Kit Table
New: Added a new incident field- GIB Phishing Kit Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Service URL
New: Added a new incident field- GIB Service URL that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Inject MD5
Updated the GIB Inject MD5 incident field to support new collections.
GIB Phishing Type
Updated the GIB Phishing Type incident field to support new collections.
New: GIB Date Add
New: Added a new incident field- GIB Date Add that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB CVV
Updated the GIB CVV incident field to support new collections.
New: GIB Phishing Domain Expiration Date
New: Added a new incident field- GIB Phishing Domain Expiration Date that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Portal Link
Updated the GIB Portal Link incident field to support new collections.
New: GIB Date Updated At
New: Added a new incident field- GIB Date Updated At that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Threat Actors Table
New: Added a new incident field- GIB Threat Actors Table that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Person
Updated the GIB Person incident field to support new collections.
New: GIB Compromised Account
New: Added a new incident field- GIB Compromised Account that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Credibility
Updated the GIB Credibility incident field to support new collections.
GIB Severity
Updated the GIB Severity incident field to support new collections.
New: GIB DDOS Target Region
New: Added a new incident field- GIB DDOS Target Region that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Target Domain
Updated the GIB Target Domain incident field to support new collections.
New: GIB Extended Description
New: Added a new incident field- GIB Extended Description that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Threat Actor Name
Updated the GIB Threat Actor Name incident field to support new collections.
New: GIB Date Incident
New: Added a new incident field- GIB Date Incident that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Socks Proxy Source
New: Added a new incident field- GIB Socks Proxy Source that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Link List Table
New: Added a new incident field- GIB Link List Table that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Merged Cvss
New: Added a new incident field- GIB Merged Cvss that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Update Time
New: Added a new incident field- GIB Update Time that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB GIT Source
New: Added a new incident field- GIB GIT Source that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Sectors
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Sectors that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB CNC Port
New: Added a new incident field- GIB CNC Port that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Date of Detection
Updated the GIB Date of Detection incident field to support new collections.
New: GIB Cybercriminal Sectors
New: Added a new incident field- GIB Cybercriminal Sectors that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Address
Updated the GIB Address incident field to support new collections.
New: GIB Proxy Type
New: Added a new incident field- GIB Proxy Type that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Actor Reports Table
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Reports Table that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Phishing Kit Emails
Updated the GIB Phishing Kit Emails incident field to support new collections.
GIB Date Created
Updated the GIB Date Created incident field to support new collections.
New: GIB DDOS Request Body Hash
New: Added a new incident field- GIB DDOS Request Body Hash that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Request Data Link
New: Added a new incident field- GIB DDOS Request Data Link that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Report Number
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Report Number that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Victim IP
Updated the GIB Victim IP incident field to support new collections.
New: GIB Upload Time
New: Added a new incident field- GIB Upload Time that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Target Provider
New: Added a new incident field- GIB DDOS Target Provider that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Reliability
Updated the GIB Reliability incident field to support new collections.
New: GIB Nation-State Cybercriminals Regions
New: Added a new incident field- GIB Nation-State Cybercriminals Regions that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB DDOS Type
New: Added a new incident field- GIB DDOS Type that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Actor Labels
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Labels that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Organization CLABE
New: Added a new incident field- GIB Organization CLABE that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB ID
Updated the GIB ID incident field to support new collections.
New: GIB Date Modified
New: Added a new incident field- GIB Date Modified that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Target IP
New: Added a new incident field- GIB Target IP that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Expertises
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Expertises that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Scanner Categories
New: Added a new incident field- GIB Scanner Categories that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Description
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Description that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Country Name
New: Added a new incident field- GIB Country Name that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Leaked File Name
Updated the GIB Leaked File Name incident field to support new collections.
New: GIB DDOS Request Headers Hash
New: Added a new incident field- GIB DDOS Request Headers Hash that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Threat Level
New: Added a new incident field- GIB Threat Level that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Phishing Date Blocked
Updated the GIB Phishing Date Blocked incident field to support new collections.
New: GIB Vulnerability Type
New: Added a new incident field- GIB Vulnerability Type that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB VPN Sources
New: Added a new incident field- GIB VPN Sources that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Phishing Date Updated
New: Added a new incident field- GIB Phishing Date Updated that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Nation-State Cybercriminals Threat Actor Aliases
GIB Nation-State Cybercriminals Threat Actor Aliases supports new collections

(Available from Cortex XSOAR 6.10.0).

GIB Scanner Sources
GIB Scanner Sources now supports new collections
(Available from Cortex XSOAR 6.10.0).

Incident Types

New: GIB Cybercriminal Threat Actor
New: Added a new incident type- GIB Cybercriminal Threat Actor that supports new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Phishing Kit
New: Added a new incident type- GIB Attacks Phishing Kit that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware
New: Added a new incident type- GIB Malware that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat
New: Added a new incident type- GIB Nation-State Cybercriminals Threat that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Account Group
New: Added a new incident type- GIB Compromised Account Group that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Compromised Card
Updated the GIB Compromised Card incident type to support new collections.
New: GIB Compromised Mule
New: Added a new incident type- GIB Compromised Mule that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP TOR Node
New: Added a new incident type- GIB Suspicious IP TOR Node that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Nation-State Cybercriminals Threat Actor
New: Added a new incident type- GIB Nation-State Cybercriminals Threat Actor that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP Socks Proxy
New: Added a new incident type- GIB Suspicious IP Socks Proxy that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB Targeted Malware
Updated the GIB Targeted Malware incident type to support new collections.
GIB Brand Protection Phishing
Updated the GIB Brand Protection Phishing incident type to support new collections.
GIB Compromised Account
Updated the GIB Compromised Account incident type to support new collections.
New: GIB Malware CNC
New: Added a new incident type- GIB Malware CNC that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks DDOS
New: Added a new incident type- GIB Attacks DDOS that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP Scanner
New: Added a new incident type- GIB Suspicious IP Scanner that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Card Group
New: Added a new incident type- GIB Compromised Card Group that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP Open Proxy
New: Added a new incident type- GIB Suspicious IP Open Proxy that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP VPN
New: Added a new incident type- GIB Suspicious IP VPN that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB APT Threat
New: Added a new incident type- GIB APT Threat that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Cybercriminal Threat
New: Added a new incident type- GIB Cybercriminal Threat that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Phishing Group
New: Added a new incident type- GIB Attacks Phishing Group that support new collections
(Available from Cortex XSOAR 6.10.0).
GIB OSI Git Leak
Updated the GIB OSI Git Leak incident type to support new collections.
GIB Brand Protection Phishing Kit
Updated the GIB Brand Protection Phishing Kit incident type to support new collections.
GIB Data Breach
Updated the GIB Data Breach incident type to support new collections.
GIB OSI Public Leak
Updated the GIB OSI Public Leak incident type to support new collections.
New: GIB OSI Vulnerability
New: Added a new incident type- GIB OSI Vulnerability that support new collections
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Deface
New: Added a new incident type- GIB Attacks Deface that support new collections
(Available from Cortex XSOAR 6.10.0).

Indicator Fields

New: GIB Hash

New: Added a new indicator field- GIB Hash that support new collections
(Available from Cortex XSOAR 6.10.0).

GIB Threat Actor is APT

Updated the GIB Threat Actor is APT indicator field to support new collections.

GIB Admiralty Code

Updated the GIB Admiralty Code indicator field to support new collections.

GIB Proxy Anonymous

Updated the GIB Proxy Anonymous indicator field to support new collections.

GIB Threat Actor Name

Updated the GIB Threat Actor Name indicator field to support new collections.

GIB Collection

Updated the GIB Collection indicator field to support new collections.

GIB Severity

Updated the GIB Severity indicator field to support new collections.

GIB Reliability

Updated the GIB Reliability indicator field to support new collections.

GIB ID

Updated the GIB ID indicator field to support new collections.

GIB Credibility

Updated the GIB Credibility indicator field to support new collections.

GIB Threat Actor ID

Updated the GIB Threat Actor ID indicator field to support new collections.

GIB Malware Name

Updated the GIB Malware Name indicator field to support new collections.

Indicator Types

GIB Compromised Mule
Updated the GIB Compromised Mule indicator type to support new collections.
GIB Victim IP
Updated the GIB Victim IP indicator type to support new collections.
GIB Compromised IMEI
Updated the GIB Compromised IMEI. indicator type to support new collections.

Integrations

Group-IB Threat Intelligence

Added support for Hunting Rules parameter that to enable the collection of data using hunting rules, please select this parameter.
Deleted the gibtia-get-malware-targeted-malware-info command.
Deleted the gibtia-get-compromised-card-info command.
Deleted the gibtia-get-phishing-kit-info command.
Deleted the gibtia-get-phishing-info command.
Deleted the gibtia-get-compromised-imei-info command.
Added support for gibtia-get-suspicious-ip-vpn-info command that command performs group ib event lookup in suspicious_ip/vpn collection by provided id.
Added support for gibtia-get-suspicious-ip-scanner-info command that command performs group ib event lookup in suspicious_ip/scanner collection by provided id.
Added support for gibtia-get-phishing-group-info command that command performs group ib event lookup in attacks/phishing_group collection by provided id.
Added support for gibtia-get-compromised-card-group-info command that command performs group ib event lookup in compromised/bank_card_group collection by provided id.
Added support for gibtia-get-malware-malware-info command that command performs group ib event lookup in malware/malware collection by provided id.
Updated the Docker image to: demisto/vendors-sdk:1.0.0.2073752.

Group-IB Threat Intelligence Feed

Updated the Group-IB Threat Intelligence & Attribution Feed integration to support new collections.
Updated the Docker image to: demisto/vendors-sdk:1.0.0.2073752.

Layouts

GIB Compromised IMEI Layout
Updated the GIB Compromised IMEI Layout layout to support new collections.
New: GIB Cybercriminal Threat Layout
New: Added a new layout- GIB Cybercriminal Threat Layout that Layout for GIB Cybercriminal Threat
(Available from Cortex XSOAR 6.10.0).
GIB Compromised Card Layout
Updated the GIB Compromised Card Layout layout to support new collections.
New: GIB Cybercriminal Threat Actor Layout
New: Added a new layout- GIB Cybercriminal Threat Actor Layout that Layout for GIB Cybercriminal Threat Actor
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP VPN Layout
New: Added a new layout- GIB Suspicious IP VPN Layout that Layout for GIB Suspicious IP VPN
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Phishing Group Layout
New: Added a new layout- GIB Attacks Phishing Group Layout that Layout for GIB Attacks Phishing Group
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Deface Layout
New: Added a new layout- GIB Attacks Deface Layout that Layout for GIB Attacks Deface
(Available from Cortex XSOAR 6.10.0).
New: GIB Attacks Phishing Kit Layout
New: Added a new layout- GIB Attacks Phishing Kit Layout that Layout for GIB Attacks Phishing Kit
(Available from Cortex XSOAR 6.10.0).
GIB Brand Protection Phishing Kit Layout
Updated the GIB Brand Protection Phishing Kit Layout layout to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor Layout
New: Added a new layout- GIB Nation-State Cybercriminals Threat Actor Layout that Layout for Nation-State Cybercriminals Threat Actor
(Available from Cortex XSOAR 6.10.0).
GIB Data Breach Layout
Updated the GIB Data Breach Layout layout to support new collections.
New: GIB OSI Vulnerability Layout
New: Added a new layout- GIB OSI Vulnerability Layout that Layout for GIB OSI Vulnerability
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Card Group Layout
New: Added a new layout- GIB Compromised Card Group Layout that Layout for GIB Compromised Card Group
(Available from Cortex XSOAR 6.10.0).
GIB OSI Git Leak Layout
Updated the GIB OSI Git Leak Layout layout to support new collections.
New: GIB Attacks DDOS Layout
New: Added a new layout- GIB Attacks DDOS Layout that Layout for GIB Attacks DDOS
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware Layout
New: Added a new layout- GIB Malware Layout that Layout for GIB Malware
(Available from Cortex XSOAR 6.10.0).
GIB OSI Public Leak Layout
Updated the GIB OSI Public Leak Layout layout to support new collections.
New: GIB Suspicious IP Scanner Layout
New: Added a new layout- GIB Suspicious IP Scanner Layout that Layout for GIB Suspicious IP Scanner
(Available from Cortex XSOAR 6.10.0).
GIB Targeted Malware Layout
Updated the GIB Targeted Malware Layout layout to support new collections.
New: GIB Nation-State Cybercriminals Threat Layout
New: Added a new layout- GIB Nation-State Cybercriminals Threat Layout that Layout for Nation-State Cybercriminals Threat
(Available from Cortex XSOAR 6.10.0).
New: GIB Compromised Account Group Layout
New: Added a new layout- GIB Compromised Account Group Layout that Layout for GIB Compromised Account Group
(Available from Cortex XSOAR 6.10.0).
New: GIB APT Threat Layout
New: Added a new layout- GIB APT Threat Layout that Layout for GIB APT Threat
(Available from Cortex XSOAR 6.10.0).
New: GIB Malware CNC Layout
New: Added a new layout- GIB Malware CNC Layout that Layout for GIB Malware CNC
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP TOR Node Layout
New: Added a new layout- GIB Suspicious IP TOR Node Layout that Layout for GIB Suspicious IP TOR Node
(Available from Cortex XSOAR 6.10.0).
GIB Victim IP Layout
Updated the GIB Victim IP Layout layout to support new collections.
New: GIB Suspicious IP Socks Proxy Layout
New: Added a new layout- GIB Suspicious IP Socks Proxy Layout that Layout for GIB Suspicious IP Socks Proxy
(Available from Cortex XSOAR 6.10.0).
New: GIB Suspicious IP Open Proxy Layout
New: Added a new layout- GIB Suspicious IP Open Proxy Layout that Layout for GIB Suspicious IP Open Proxy
(Available from Cortex XSOAR 6.10.0).
GIB Brand Protection Phishing Layout
Updated the GIB Brand Protection Phishing Layout layout to support new collections.
GIB Compromised Mule Layout
Updated the GIB Compromised Mule Layout layout to support new collections.
GIB Compromised Account Layout
Updated the GIB Compromised Account Layout layout to support new collections.

Mappers

Group-IB Threat Intelligence (mapper)

Updated the Group-IB Threat Intelligence (mapper) mapper to support new collections.

Playbooks

Incident Postprocessing - Group-IB Threat Intelligence & Attribution

Updated the Incident Postprocessing - Group-IB Threat Intelligence & Attribution playbook to support new collections.

Pre Process Rules

New: gib_rule

New: Added a new preprocess rule- gib_rule that support new collections
(Available from Cortex XSOAR 6.10.0).

Scripts

GIBIncidentUpdateIncludingClosed

Updated the GIBIncidentUpdateIncludingClosed script to support new collections.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

GIBIncidentUpdate

Updated the GIBIncidentUpdate script to support new collections.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39414
- 37239
- 38416
- 39402
- 38930
- 39389

Download

1.4.10 - 3042633 (April 2, 2025)

Integrations

Group-IB Threat Intelligence Feed

Metadata and documentation improvements.

Group-IB Threat Intelligence

Metadata and documentation improvements.

Scripts

GIBIncidentUpdateIncludingClosed

Metadata and documentation improvements.

GIBIncidentUpdate

Metadata and documentation improvements.

Related pull requests:
- 39131

Download

1.4.9 - R2988527 (March 26, 2025)

Group-IB Threat Intelligence

Documentation and metadata improvements.

Related pull requests:
- 38999

Download

1.4.8 - 1935630 (January 6, 2025)

Integrations

Group-IB Threat Intelligence

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37472

Download

1.4.7 - 1931958 (January 6, 2025)

Playbooks

Incident Postprocessing - Group-IB Threat Intelligence & Attribution

Documentation and metadata improvements.

Related pull requests:
- 37492

Download

1.4.6 - 1834150 (December 18, 2024)

Scripts

GIBIncidentUpdate

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

GIBIncidentUpdateIncludingClosed

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37754

Download

1.4.4 - 1809308 (December 15, 2024)

Integrations

Group-IB Threat Intelligence Feed

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37567
- 37564
- 37565

Download

1.4.3 - R1741355 (December 3, 2024)

Integrations

Group-IB Threat Intelligence

Updated the Docker image to: demisto/python3:3.11.10.116439.

Scripts

GIBIncidentUpdate

Updated the Docker image to: demisto/python3:3.11.10.116439.

GIBIncidentUpdateIncludingClosed

Updated the Docker image to: demisto/python3:3.11.10.116439.

Related pull requests:
- 37271

Download

1.4.2 - 1304994 (August 25, 2024)

Integrations

Group-IB Threat Intelligence Feed

Removed When removed from the feed option from Indicator Expiration Method
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 35873

Download

2.0.1 - R3398781 (May 13, 2025)

Integrations

Group-IB Threat Intelligence Feed

Updated the Docker image to: demisto/vendors-sdk:1.0.0.3242986.

Group-IB Threat Intelligence

Updated the Docker image to: demisto/vendors-sdk:1.0.0.3242986.

Related pull requests:
- 39725

Download

2.0.0 - 3079234 (April 7, 2025)

Classifiers

Group-IB Threat Intelligence (classifier)

Updated the Group-IB Threat Intelligence (classifier) classifier to support new collections.

Incident Fields

New: GIB Cybercriminal Forums Table
New: Added a new incident field- GIB Cybercriminal Forums Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CVSS Score
New: Added a new incident field- GIB CVSS Score that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Country Code
New: Added a new incident field- GIB Country Code that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Actor Report Authors
New: Added a new incident field- GIB Cybercriminal Threat Actor Report Authors that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Date Last Seen
New: Added a new incident field- GIB Date Last Seen that support new collections
(Available from Cortex XSIAM 2.0).
GIB Target Brand
Updated the GIB Target Brand incident field to support new collections.
New: GIB CVSS Vector
New: Added a new incident field- GIB CVSS Vector that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Is Tailored
New: Added a new incident field- GIB Is Tailored that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Platforms
New: Added a new incident field- GIB Malware Platforms that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Expertises
New: Added a new incident field- GIB Nation-State Cybercriminals Expertises that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Email Domains
New: Added a new incident field- GIB Email Domains that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Country Name
New: Added a new incident field- GIB DDOS Target Country Name that support new collections
(Available from Cortex XSIAM 2.0).
GIB Inject Dump
Updated the GIB Inject Dump incident field to support new collections.
New: GIB Organization Name
New: Added a new incident field- GIB Organization Name that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Proxy Port
New: Added a new incident field- GIB Proxy Port that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Port
New: Added a new incident field- GIB DDOS Target Port that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Kit Hash
Updated the GIB Phishing Kit Hash incident field to support new collections.
GIB Malware Name
Updated the GIB Malware Name incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Langs
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Langs that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Kit Email
New: Added a new incident field- GIB Phishing Kit Email that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Domain
New: Added a new incident field- GIB DDOS Target Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Regions
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Regions that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Target Provider
New: Added a new incident field- GIB Target Provider that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Source Countries
New: Added a new incident field- GIB Malware Source Countries that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Date Published
New: Added a new incident field- GIB Date Published that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Country Code
New: Added a new incident field- GIB DDOS Target Country Code that support new collections
(Available from Cortex XSIAM 2.0).
GIB Drop Email Domain
Updated the GIB Drop Email Domain incident field to support new collections.
New: GIB Date First Compromised
New: Added a new incident field- GIB Date First Compromised that support new collections
(Available from Cortex XSIAM 2.0).
GIB Payment System
Updated the GIB Payment System incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor Roles
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Roles that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Kit Path
New: Added a new incident field- GIB Phishing Kit Path that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Table
New: Added a new incident field- GIB Malware Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Sources
New: Added a new incident field- GIB Phishing Sources that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Request Headers Body
New: Added a new incident field- GIB DDOS Request Headers Body that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminal Forums Table
New: Added a new incident field- GIB Nation-State Cybercriminal Forums Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Countries
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Countries that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB OSI Git Repository Files Table
New: Added a new incident field- GIB OSI Git Repository Files Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Emails
New: Added a new incident field- GIB Emails that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target City
New: Added a new incident field- GIB DDOS Target City that support new collections
(Available from Cortex XSIAM 2.0).
GIB Drop Email
Updated the GIB Drop Email incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor CVE
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor CVE that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Deface Contacts
New: Added a new incident field- GIB Deface Contacts that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Organization IBAN
New: Added a new incident field- GIB Organization IBAN that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Events Table
New: Added a new incident field- GIB Compromised Events Table that support new collections
(Available from Cortex XSIAM 2.0).
GIB Repository
Updated the GIB Repository incident field to support new collections.
New: GIB Deface Source
New: Added a new incident field- GIB Deface Source that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Organization BSB
New: Added a new incident field- GIB Organization BSB that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Description
New: Added a new incident field- GIB Cybercriminal Threat Description that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Brand
New: Added a new incident field- GIB Phishing Brand that support new collections
(Available from Cortex XSIAM 2.0).
GIB Card Valid Thru
Updated the GIB Card Valid Thru incident field to support new collections.
New: GIB Downloaded From Table
New: Added a new incident field- GIB Downloaded From Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CNC
New: Added a new incident field- GIB CNC that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Events Information Table
New: Added a new incident field- GIB Compromised Events Information Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Request Body
New: Added a new incident field- GIB DDOS Request Body that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CNC URL
New: Added a new incident field- GIB CNC URL that support new collections
(Available from Cortex XSIAM 2.0).
GIB Email
Updated the GIB Email incident field to support new collections.
New: GIB Date First Seen
New: Added a new incident field- GIB Date First Seen that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Passwords
New: Added a new incident field- GIB Passwords that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Target Region
New: Added a new incident field- GIB Target Region that support new collections
(Available from Cortex XSIAM 2.0).
GIB HTML
Updated the GIB HTML incident field to support new collections.
New: GIB Nation-State Cybercriminals Malware
New: Added a new incident field- GIB Nation-State Cybercriminals Malware that support new collections
(Available from Cortex XSIAM 2.0).
GIB Admiralty Code
Updated the GIB Admiralty Code incident field to support new collections.
New: GIB Mirror Link
New: Added a new incident field- GIB Mirror Link that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Kit Source
New: Added a new incident field- GIB Phishing Kit Source that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Regions
New: Added a new incident field- GIB Cybercriminal Regions that support new collections
(Available from Cortex XSIAM 2.0).
GIB Card Issuer
Updated the GIB Card Issuer incident field to support new collections.
New: GIB Phishing Objectives
New: Added a new incident field- GIB Phishing Objectives that support new collections
(Available from Cortex XSIAM 2.0).
GIB Source
Updated the GIB Source incident field to support new collections.
New: GIB Cybercriminal Malware
New: Added a new incident field- GIB Cybercriminal Malware that support new collections
(Available from Cortex XSIAM 2.0).
GIB Card Type
Updated the GIB Card Type incident field to support new collections.
New: GIB DDOS Date Registration
New: Added a new incident field- GIB DDOS Date Registration that support new collections
(Available from Cortex XSIAM 2.0).
GIB Title
Updated the GIB Title incident field to support new collections.
New: GIB Malware Aliases
New: Added a new incident field- GIB Malware Aliases that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Report Number
New: Added a new incident field- GIB Report Number that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Provider Domain
New: Added a new incident field- GIB Provider Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Registrar
New: Added a new incident field- GIB Phishing Registrar that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Date Created At
New: Added a new incident field- GIB Date Created At that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Threat Actor Country
New: Added a new incident field- GIB Threat Actor Country that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Service IP
New: Added a new incident field- GIB Service IP that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor Goals
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Goals that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Reporter
New: Added a new incident field- GIB Reporter that support new collections
(Available from Cortex XSIAM 2.0).
GIB Favicon
Updated the GIB Favicon incident field to support new collections.
New: GIB Nation-State Cybercriminals Threat Actor Description
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Description that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Date Detected
New: Added a new incident field- GIB Phishing Date Detected that support new collections
(Available from Cortex XSIAM 2.0).
GIB Data Hash
Updated the GIB Data Hash incident field to support new collections.
New: GIB VPN Names
New: Added a new incident field- GIB VPN Names that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Matches Table
New: Added a new incident field- GIB Matches Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor Country
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Country that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Date Added
New: Added a new incident field- GIB Phishing Date Added that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Organization SWIFT
New: Added a new incident field- GIB Organization SWIFT that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CPE Table
New: Added a new incident field- GIB CPE Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Extended CVSS Exploitability
New: Added a new incident field- GIB Extended CVSS Exploitability that support new collections
(Available from Cortex XSIAM 2.0).
GIB Date Compromised
Updated the GIB Date Compromised incident field to support new collections.
New: GIB Extended CVSS Base
New: Added a new incident field- GIB Extended CVSS Base that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Regions
New: Added a new incident field- GIB Malware Regions that support new collections
(Available from Cortex XSIAM 2.0).
GIB Date Expired
Updated the GIB Date Expired incident field to support new collections.
New: GIB Organization BIC
New: Added a new incident field- GIB Organization BIC that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Service Domain
New: Added a new incident field- GIB Service Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Actor Reports Table
New: Added a new incident field- GIB Cybercriminal Threat Actor Reports Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Date Begin
New: Added a new incident field- GIB DDOS Date Begin that support new collections
(Available from Cortex XSIAM 2.0).
GIB Screenshot
Updated the GIB Screenshot incident field to support new collections.
New: GIB DDOS Date End
New: Added a new incident field- GIB DDOS Date End that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Extended CVSS Overall
New: Added a new incident field- GIB Extended CVSS Overall that support new collections
(Available from Cortex XSIAM 2.0).
GIB Name Servers
Updated the GIB Name Servers incident field to support new collections.
New: GIB Deface Date
New: Added a new incident field- GIB Deface Date that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Affected Software Table
New: Added a new incident field- GIB Affected Software Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Short Description
New: Added a new incident field- GIB Malware Short Description that support new collections
(Available from Cortex XSIAM 2.0).
GIB Related Indicators Data
Updated the GIB Related Indicators Data incident field to support new collections.
GIB Downloaded From
Updated the GIB Downloaded From incident field to support new collections.
New: GIB Target Domain Provider
New: Added a new incident field- GIB Target Domain Provider that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Protocol
New: Added a new incident field- GIB DDOS Protocol that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target ASN
New: Added a new incident field- GIB DDOS Target ASN that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Date Last Compromised
New: Added a new incident field- GIB Date Last Compromised that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Expertises
New: Added a new incident field- GIB Cybercriminal Expertises that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Langs
New: Added a new incident field- GIB Malware Langs that support new collections
(Available from Cortex XSIAM 2.0).
GIB Compromised Login
Updated the GIB Compromised Login incident field to support new collections.
New: GIB Extended CVSS Temporal
New: Added a new incident field- GIB Extended CVSS Temporal that support new collections
(Available from Cortex XSIAM 2.0).
GIB Leaked Data
Updated the GIB Leaked Data incident field to support new collections.
GIB Password
Updated the GIB Password incident field to support new collections.
GIB Threat Actor ID
Updated the GIB Threat Actor ID incident field to support new collections.
New: GIB Href
New: Added a new incident field- GIB Href that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Domain Puny
New: Added a new incident field- GIB Phishing Domain Puny that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Proxy Source
New: Added a new incident field- GIB Proxy Source that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing URLs
New: Added a new incident field- GIB Phishing URLs that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Domain
Updated the GIB Phishing Domain incident field to support new collections.
New: GIB Phishing IP Table
New: Added a new incident field- GIB Phishing IP Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Extended CVSS Impact
New: Added a new incident field- GIB Extended CVSS Impact that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Parsed Login Domain
New: Added a new incident field- GIB Parsed Login Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Description
New: Added a new incident field- GIB Malware Description that support new collections
(Available from Cortex XSIAM 2.0).
GIB Leak Name
Updated the GIB Leak Name incident field to support new collections.
GIB Threat Actor is APT
Updated the GIB Threat Actor is APT incident field to support new collections.
New: GIB Proxy Sources
New: Added a new incident field- GIB Proxy Sources that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Deface Site URL
New: Added a new incident field- GIB Deface Site URL that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware CNC Domain
New: Added a new incident field- GIB Malware CNC Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Parsed Login IP
New: Added a new incident field- GIB Parsed Login IP that support new collections
(Available from Cortex XSIAM 2.0).
GIB Target Category
Updated the GIB Target Category incident field to support new collections.
New: GIB Bulletin Family
New: Added a new incident field- GIB Bulletin Family that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target URL
New: Added a new incident field- GIB DDOS Target URL that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Duration
New: Added a new incident field- GIB DDOS Duration that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Sectors
New: Added a new incident field- GIB Nation-State Cybercriminals Sectors that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Title
New: Added a new incident field- GIB Cybercriminal Threat Title that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Target City
New: Added a new incident field- GIB Target City that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Leak Published
New: Added a new incident field- GIB Leak Published that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target IP
New: Added a new incident field- GIB DDOS Target IP that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CNC Domain
New: Added a new incident field- GIB CNC Domain that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Actor Aliases
New: Added a new incident field- GIB Cybercriminal Threat Actor Aliases that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Category
New: Added a new incident field- GIB DDOS Target Category that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Target ASN
New: Added a new incident field- GIB Target ASN that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Source
New: Added a new incident field- GIB DDOS Source that support new collections
(Available from Cortex XSIAM 2.0).
GIB Card Number
Updated the GIB Card Number incident field to support new collections.
New: GIB Malware File hash
New: Added a new incident field- GIB Malware File hash that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware Categories
New: Added a new incident field- GIB Malware Categories that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat Actor Description
New: Added a new incident field- GIB Cybercriminal Threat Actor Description that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Title
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Title that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Status
Updated the GIB Phishing Status incident field to support new collections.
New: GIB Has Exploit
New: Added a new incident field- GIB Has Exploit that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Kit Table
New: Added a new incident field- GIB Phishing Kit Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Service URL
New: Added a new incident field- GIB Service URL that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Type
Updated the GIB Phishing Type incident field to support new collections.
New: GIB Date Add
New: Added a new incident field- GIB Date Add that support new collections
(Available from Cortex XSIAM 2.0).
GIB CVV
Updated the GIB CVV incident field to support new collections.
New: GIB Phishing Domain Expiration Date
New: Added a new incident field- GIB Phishing Domain Expiration Date that support new collections
(Available from Cortex XSIAM 2.0).
GIB Portal Link
Updated the GIB Portal Link incident field to support new collections.
New: GIB Date Updated At
New: Added a new incident field- GIB Date Updated At that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Threat Actors Table
New: Added a new incident field- GIB Threat Actors Table that support new collections
(Available from Cortex XSIAM 2.0).
GIB Person
Updated the GIB Person incident field to support new collections.
New: GIB Compromised Account
New: Added a new incident field- GIB Compromised Account that support new collections
(Available from Cortex XSIAM 2.0).
GIB Credibility
Updated the GIB Credibility incident field to support new collections.
GIB Severity
Updated the GIB Severity incident field to support new collections.
New: GIB DDOS Target Region
New: Added a new incident field- GIB DDOS Target Region that support new collections
(Available from Cortex XSIAM 2.0).
GIB Target Domain
Updated the GIB Target Domain incident field to support new collections.
New: GIB Extended Description
New: Added a new incident field- GIB Extended Description that support new collections
(Available from Cortex XSIAM 2.0).
GIB Threat Actor Name
Updated the GIB Threat Actor Name incident field to support new collections.
New: GIB Date Incident
New: Added a new incident field- GIB Date Incident that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Socks Proxy Source
New: Added a new incident field- GIB Socks Proxy Source that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Link List Table
New: Added a new incident field- GIB Link List Table that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Merged Cvss
New: Added a new incident field- GIB Merged Cvss that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Update Time
New: Added a new incident field- GIB Update Time that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB GIT Source
New: Added a new incident field- GIB GIT Source that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Sectors
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Sectors that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB CNC Port
New: Added a new incident field- GIB CNC Port that support new collections
(Available from Cortex XSIAM 2.0).
GIB Date of Detection
Updated the GIB Date of Detection incident field to support new collections.
New: GIB Cybercriminal Sectors
New: Added a new incident field- GIB Cybercriminal Sectors that support new collections
(Available from Cortex XSIAM 2.0).
GIB Address
Updated the GIB Address incident field to support new collections.
New: GIB Proxy Type
New: Added a new incident field- GIB Proxy Type that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor Reports Table
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Reports Table that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Kit Emails
Updated the GIB Phishing Kit Emails incident field to support new collections.
GIB Date Created
Updated the GIB Date Created incident field to support new collections.
New: GIB DDOS Request Body Hash
New: Added a new incident field- GIB DDOS Request Body Hash that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Request Data Link
New: Added a new incident field- GIB DDOS Request Data Link that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Report Number
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Report Number that support new collections
(Available from Cortex XSIAM 2.0).
GIB Victim IP
Updated the GIB Victim IP incident field to support new collections.
New: GIB Upload Time
New: Added a new incident field- GIB Upload Time that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Target Provider
New: Added a new incident field- GIB DDOS Target Provider that support new collections
(Available from Cortex XSIAM 2.0).
GIB Reliability
Updated the GIB Reliability incident field to support new collections.
New: GIB Nation-State Cybercriminals Regions
New: Added a new incident field- GIB Nation-State Cybercriminals Regions that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Type
New: Added a new incident field- GIB DDOS Type that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor Labels
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Labels that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Organization CLABE
New: Added a new incident field- GIB Organization CLABE that support new collections
(Available from Cortex XSIAM 2.0).
GIB ID
Updated the GIB ID incident field to support new collections.
New: GIB Date Modified
New: Added a new incident field- GIB Date Modified that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Target IP
New: Added a new incident field- GIB Target IP that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Expertises
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Expertises that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Scanner Categories
New: Added a new incident field- GIB Scanner Categories that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Description
New: Added a new incident field- GIB Nation-State Cybercriminals Threat Description that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Country Name
New: Added a new incident field- GIB Country Name that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB DDOS Request Headers Hash
New: Added a new incident field- GIB DDOS Request Headers Hash that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Threat Level
New: Added a new incident field- GIB Threat Level that support new collections
(Available from Cortex XSIAM 2.0).
GIB Phishing Date Blocked
Updated the GIB Phishing Date Blocked incident field to support new collections.
New: GIB Vulnerability Type
New: Added a new incident field- GIB Vulnerability Type that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB VPN Sources
New: Added a new incident field- GIB VPN Sources that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Phishing Date Updated
New: Added a new incident field- GIB Phishing Date Updated that support new collections
(Available from Cortex XSIAM 2.0).
GIB Nation-State Cybercriminals Threat Actor Aliases
GIB Nation-State Cybercriminals Threat Actor Aliases supports new collections

(Available from Cortex XSIAM 2.0).

GIB Scanner Sources
GIB Scanner Sources now supports new collections
(Available from Cortex XSIAM 2.0).

Incident Types

New: GIB Cybercriminal Threat Actor
New: Added a new incident type- GIB Cybercriminal Threat Actor that supports new collections
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Phishing Kit
New: Added a new incident type- GIB Attacks Phishing Kit that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Malware
New: Added a new incident type- GIB Malware that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat
New: Added a new incident type- GIB Nation-State Cybercriminals Threat that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Account Group
New: Added a new incident type- GIB Compromised Account Group that support new collections
(Available from Cortex XSIAM 2.0).
GIB Compromised Card
Updated the GIB Compromised Card incident type to support new collections.
New: GIB Compromised Mule
New: Added a new incident type- GIB Compromised Mule that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP TOR Node
New: Added a new incident type- GIB Suspicious IP TOR Node that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor
New: Added a new incident type- GIB Nation-State Cybercriminals Threat Actor that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP Socks Proxy
New: Added a new incident type- GIB Suspicious IP Socks Proxy that support new collections
(Available from Cortex XSIAM 2.0).
GIB Targeted Malware
Updated the GIB Targeted Malware incident type to support new collections.
GIB Brand Protection Phishing
Updated the GIB Brand Protection Phishing incident type to support new collections.
GIB Compromised Account
Updated the GIB Compromised Account incident type to support new collections.
New: GIB Malware CNC
New: Added a new incident type- GIB Malware CNC that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Attacks DDOS
New: Added a new incident type- GIB Attacks DDOS that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP Scanner
New: Added a new incident type- GIB Suspicious IP Scanner that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Card Group
New: Added a new incident type- GIB Compromised Card Group that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP Open Proxy
New: Added a new incident type- GIB Suspicious IP Open Proxy that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP VPN
New: Added a new incident type- GIB Suspicious IP VPN that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB APT Threat
New: Added a new incident type- GIB APT Threat that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Cybercriminal Threat
New: Added a new incident type- GIB Cybercriminal Threat that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Phishing Group
New: Added a new incident type- GIB Attacks Phishing Group that support new collections
(Available from Cortex XSIAM 2.0).
GIB OSI Git Leak
Updated the GIB OSI Git Leak incident type to support new collections.
GIB Brand Protection Phishing Kit
Updated the GIB Brand Protection Phishing Kit incident type to support new collections.
GIB Data Breach
Updated the GIB Data Breach incident type to support new collections.
GIB OSI Public Leak
Updated the GIB OSI Public Leak incident type to support new collections.
New: GIB OSI Vulnerability
New: Added a new incident type- GIB OSI Vulnerability that support new collections
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Deface
New: Added a new incident type- GIB Attacks Deface that support new collections
(Available from Cortex XSIAM 2.0).

Indicator Fields

New: GIB Hash

New: Added a new indicator field- GIB Hash that support new collections
(Available from Cortex XSIAM 2.0).

GIB Threat Actor is APT

Updated the GIB Threat Actor is APT indicator field to support new collections.

GIB Admiralty Code

Updated the GIB Admiralty Code indicator field to support new collections.

GIB Proxy Anonymous

Updated the GIB Proxy Anonymous indicator field to support new collections.

GIB Threat Actor Name

Updated the GIB Threat Actor Name indicator field to support new collections.

GIB Collection

Updated the GIB Collection indicator field to support new collections.

GIB Severity

Updated the GIB Severity indicator field to support new collections.

GIB Reliability

Updated the GIB Reliability indicator field to support new collections.

GIB ID

Updated the GIB ID indicator field to support new collections.

GIB Credibility

Updated the GIB Credibility indicator field to support new collections.

GIB Threat Actor ID

Updated the GIB Threat Actor ID indicator field to support new collections.

GIB Malware Name

Updated the GIB Malware Name indicator field to support new collections.

Indicator Types

GIB Compromised Mule
Updated the GIB Compromised Mule indicator type to support new collections.
GIB Victim IP
Updated the GIB Victim IP indicator type to support new collections.
GIB Compromised IMEI
Updated the GIB Compromised IMEI. indicator type to support new collections.

Integrations

Group-IB Threat Intelligence

Added support for Hunting Rules parameter that to enable the collection of data using hunting rules, please select this parameter.
Deleted the gibtia-get-malware-targeted-malware-info command.
Deleted the gibtia-get-compromised-card-info command.
Deleted the gibtia-get-phishing-kit-info command.
Deleted the gibtia-get-phishing-info command.
Deleted the gibtia-get-compromised-imei-info command.
Added support for gibtia-get-suspicious-ip-vpn-info command that command performs group ib event lookup in suspicious_ip/vpn collection by provided id.
Added support for gibtia-get-suspicious-ip-scanner-info command that command performs group ib event lookup in suspicious_ip/scanner collection by provided id.
Added support for gibtia-get-phishing-group-info command that command performs group ib event lookup in attacks/phishing_group collection by provided id.
Added support for gibtia-get-compromised-card-group-info command that command performs group ib event lookup in compromised/bank_card_group collection by provided id.
Added support for gibtia-get-malware-malware-info command that command performs group ib event lookup in malware/malware collection by provided id.
Updated the Docker image to: demisto/vendors-sdk:1.0.0.2073752.

Group-IB Threat Intelligence Feed

Updated the Group-IB Threat Intelligence & Attribution Feed integration to support new collections.
Updated the Docker image to: demisto/vendors-sdk:1.0.0.2073752.

Layouts

GIB Compromised IMEI Layout
Updated the GIB Compromised IMEI Layout layout to support new collections.
New: GIB Cybercriminal Threat Layout
New: Added a new layout- GIB Cybercriminal Threat Layout that Layout for GIB Cybercriminal Threat
(Available from Cortex XSIAM 2.0).
GIB Compromised Card Layout
Updated the GIB Compromised Card Layout layout to support new collections.
New: GIB Cybercriminal Threat Actor Layout
New: Added a new layout- GIB Cybercriminal Threat Actor Layout that Layout for GIB Cybercriminal Threat Actor
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP VPN Layout
New: Added a new layout- GIB Suspicious IP VPN Layout that Layout for GIB Suspicious IP VPN
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Phishing Group Layout
New: Added a new layout- GIB Attacks Phishing Group Layout that Layout for GIB Attacks Phishing Group
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Deface Layout
New: Added a new layout- GIB Attacks Deface Layout that Layout for GIB Attacks Deface
(Available from Cortex XSIAM 2.0).
New: GIB Attacks Phishing Kit Layout
New: Added a new layout- GIB Attacks Phishing Kit Layout that Layout for GIB Attacks Phishing Kit
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Actor Layout
New: Added a new layout- GIB Nation-State Cybercriminals Threat Actor Layout that Layout for Nation-State Cybercriminals Threat Actor
(Available from Cortex XSIAM 2.0).
GIB Data Breach Layout
Updated the GIB Data Breach Layout layout to support new collections.
New: GIB OSI Vulnerability Layout
New: Added a new layout- GIB OSI Vulnerability Layout that Layout for GIB OSI Vulnerability
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Card Group Layout
New: Added a new layout- GIB Compromised Card Group Layout that Layout for GIB Compromised Card Group
(Available from Cortex XSIAM 2.0).
GIB OSI Git Leak Layout
Updated the GIB OSI Git Leak Layout layout to support new collections.
New: GIB Attacks DDOS Layout
New: Added a new layout- GIB Attacks DDOS Layout that Layout for GIB Attacks DDOS
(Available from Cortex XSIAM 2.0).
New: GIB Malware Layout
New: Added a new layout- GIB Malware Layout that Layout for GIB Malware
(Available from Cortex XSIAM 2.0).
GIB OSI Public Leak Layout
Updated the GIB OSI Public Leak Layout layout to support new collections.
New: GIB Suspicious IP Scanner Layout
New: Added a new layout- GIB Suspicious IP Scanner Layout that Layout for GIB Suspicious IP Scanner
(Available from Cortex XSIAM 2.0).
New: GIB Nation-State Cybercriminals Threat Layout
New: Added a new layout- GIB Nation-State Cybercriminals Threat Layout that Layout for Nation-State Cybercriminals Threat
(Available from Cortex XSIAM 2.0).
New: GIB Compromised Account Group Layout
New: Added a new layout- GIB Compromised Account Group Layout that Layout for GIB Compromised Account Group
(Available from Cortex XSIAM 2.0).
New: GIB APT Threat Layout
New: Added a new layout- GIB APT Threat Layout that Layout for GIB APT Threat
(Available from Cortex XSIAM 2.0).
New: GIB Malware CNC Layout
New: Added a new layout- GIB Malware CNC Layout that Layout for GIB Malware CNC
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP TOR Node Layout
New: Added a new layout- GIB Suspicious IP TOR Node Layout that Layout for GIB Suspicious IP TOR Node
(Available from Cortex XSIAM 2.0).
GIB Victim IP Layout
Updated the GIB Victim IP Layout layout to support new collections.
New: GIB Suspicious IP Socks Proxy Layout
New: Added a new layout- GIB Suspicious IP Socks Proxy Layout that Layout for GIB Suspicious IP Socks Proxy
(Available from Cortex XSIAM 2.0).
New: GIB Suspicious IP Open Proxy Layout
New: Added a new layout- GIB Suspicious IP Open Proxy Layout that Layout for GIB Suspicious IP Open Proxy
(Available from Cortex XSIAM 2.0).
GIB Compromised Mule Layout
Updated the GIB Compromised Mule Layout layout to support new collections.
GIB Compromised Account Layout
Updated the GIB Compromised Account Layout layout to support new collections.

Mappers

Group-IB Threat Intelligence (mapper)

Updated the Group-IB Threat Intelligence (mapper) mapper to support new collections.

Playbooks

Incident Postprocessing - Group-IB Threat Intelligence & Attribution

Updated the Incident Postprocessing - Group-IB Threat Intelligence & Attribution playbook to support new collections.

Scripts

GIBIncidentUpdateIncludingClosed

Updated the GIBIncidentUpdateIncludingClosed script to support new collections.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

GIBIncidentUpdate

Updated the GIBIncidentUpdate script to support new collections.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39414
- 37239
- 38416
- 39402
- 38930
- 39389

Download

1.4.10 - 3042633 (April 2, 2025)

Integrations

Group-IB Threat Intelligence Feed

Metadata and documentation improvements.

Group-IB Threat Intelligence

Metadata and documentation improvements.

Scripts

GIBIncidentUpdateIncludingClosed

Metadata and documentation improvements.

GIBIncidentUpdate

Metadata and documentation improvements.

Related pull requests:
- 39131

Download

1.4.9 - R2988527 (March 26, 2025)

Group-IB Threat Intelligence

Documentation and metadata improvements.

Related pull requests:
- 38999

Download

1.4.8 - 1935630 (January 6, 2025)

Integrations

Group-IB Threat Intelligence

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37472

Download

1.4.7 - 1931958 (January 6, 2025)

Playbooks

Incident Postprocessing - Group-IB Threat Intelligence & Attribution

Documentation and metadata improvements.

Related pull requests:
- 37492

Download

1.4.6 - 1834150 (December 18, 2024)

Scripts

GIBIncidentUpdate

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

GIBIncidentUpdateIncludingClosed

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37754

Download

1.4.4 - 1809308 (December 15, 2024)

Integrations

Group-IB Threat Intelligence Feed

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37567
- 37564
- 37565

Download

1.4.3 - R1741355 (December 3, 2024)

Integrations

Group-IB Threat Intelligence

Updated the Docker image to: demisto/python3:3.11.10.116439.

Scripts

GIBIncidentUpdate

Updated the Docker image to: demisto/python3:3.11.10.116439.

GIBIncidentUpdateIncludingClosed

Updated the Docker image to: demisto/python3:3.11.10.116439.

Related pull requests:
- 37271

Download

1.4.2 - 1304994 (August 25, 2024)

Integrations

Group-IB Threat Intelligence Feed

Removed When removed from the feed option from Indicator Expiration Method
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 35873

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	May 13, 2021
Last Release	May 13, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.