Group-IB Threat Intelligence & Attribution

Details
Content
Dependencies
Version History

Group-IB Threat Intelligence & Attribution is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools, and activity. Use this pack to fast receive incidents related to you, attribute them to adversaries to do instant response, enrich your security with an enormous IOCs collection, and provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.

Nowadays businesses in any sphere may have problems with their cybersecurity: from simple phishing to professional cybercriminals, so it is very important to respond to incidents quickly.

Group-IB Threat Intelligence & Attribution Pack can help you with managing your incident and indicators from Group-IB within the SOAR system.

What does this pack do?

Receive incidents and attribute them to adversaries.
Enrich security system with IOCs.
Provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.

As part of this pack, you will also get incident types, fields, and layouts; indicator types, fields, and layouts; the classifier and mapper for properly delivering data to these types and fields. Also, you will get a playbook, that enriches incidents, upcoming from Group-IB with threat reports and threat actor information.

Incident Postprocessing - Group-IB Threat Intelligence & Attribution

Incident Types

Name	Description
GIB OSI Public Leak
GIB OSI Git Leak
GIB Brand Protection Phishing
GIB Compromised Card
GIB Brand Protection Phishing Kit
GIB Targeted Malware
GIB Brand Protection Domain
GIB Compromised Account
GIB Data Breach

Playbooks

Name	Description
Incident Postprocessing - Group-IB Threat Intelligence & Attribution	Obtains additional information on the threat actor involved in the incident and associates related indicators to the incident.

Indicator Fields

Name	Description
GIB Collection
GIB Threat Actor is APT
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Phishing Title
GIB Threat Actor ID
GIB Proxy Anonymous	Level of anonymous
GIB CVSS Vector
GIB File Name
GIB Malware Name
GIB Date Compromised
GIB ID	ID of event in GIB TI&A
GIB Reliability	Reliability of the source
GIB Proxy Port
GIB Severity
GIB Target Brand	What brand was targeted by phishing
GIB Threat Actor Name
GIB Target Domain	What domain was targeted by phishing
GIB Software Mixed
GIB Credibility	Level of confidence on the information
GIB Target Category	What category was targeted by phishing

Indicator Types

Name	Description

Integrations

Name	Description
Group-IB Threat Intelligence & Attribution Feed (Partner Contribution)	Use Group-IB Threat Intelligence & Attribution Feed integration to fetch IOCs from various Group-IB collections.
Group-IB Threat Intelligence & Attribution (Partner Contribution)	Pack helps to integrate Group-IB Threat Intelligence & Attribution and get incidents directly into Cortex XSOAR. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware.

Layouts

Name	Description
GIB Targeted Malware Layout	Layout for GIB Targeted Malware
GIB Brand Protection Phishing Kit Layout	Layout for GIB Brand Protection Phishing Kit
GIB Compromised Account Layout	Layout for GIB Compromised Account
GIB Compromised Mule Layout	Layout for GIB Compromised Mule
GIB Data Breach Layout	Layout for GIB Data Breach
GIB Compromised Card Layout	Layout for GIB Compromised Card
GIB OSI Public Leak Layout	Layout for GIB OSI Public Leak
GIB OSI Git Leak Layout	Layout for GIB OSI Git Leak
GIB Victim IP Layout	Layout for GIB Victim IP
GIB Brand Protection Domain Layout	Layout for GIB Brand Protection Domain
GIB Brand Protection Phishing Layout	Layout for GIB Brand Protection Phishing
GIB Compromised IMEI Layout	Layout for GIB Compromised IMEI

Automations

Name	Description
GIBIncidentUpdate	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GIBIncidentUpdateIncludingClosed	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations

Classifiers

Name	Description
Group-IB Threat Intelligence & Attribution (mapper)
Group-IB Threat Intelligence & Attribution (classifier)

Incident Fields

Name	Description
GIB Date Expired
GIB Date Created
GIB Card Type
GIB Threat Actor ID
GIB Target Domain
GIB Email
GIB Card Valid Thru
GIB Phishing Status
GIB Phishing Domain
GIB Phishing Kit Hash
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Card Number
GIB Threat Actor Name
GIB Target Category
GIB Related Indicators Data
GIB Source	Where the feed comes from to GIB
GIB Link List
GIB Leaked Data
GIB Downloaded From
GIB Payment System
GIB Victim IP
GIB Password
GIB HTML
GIB Matches
GIB Data Hash
GIB Phishing Type
GIB Reliability	Reliability of the source
GIB Date Compromised
GIB Drop Email
GIB Revisions
GIB Name Servers
GIB CVV	Compromised card CVV
GIB Card Issuer	Issuer of compromised card
GIB Portal Link
GIB Inject MD5
GIB Credibility	Level of confidence on the information
GIB Date of Detection
GIB Title
GIB Drop Email Domain
GIB Person
GIB Threat Actor is APT
GIB Phishing Date Blocked
GIB Malware Name
GIB Severity
GIB ID	ID of event in GIB TIA
GIB Repository
GIB Screenshot
GIB Favicon
GIB Inject Dump
GIB Phishing Kit Emails
GIB Leaked File Name
GIB Target Brand
GIB Compromised Login
GIB Address
GIB Leak Name

Incident Types

Name	Description
GIB OSI Public Leak
GIB OSI Git Leak
GIB Brand Protection Phishing
GIB Compromised Card
GIB Brand Protection Phishing Kit
GIB Targeted Malware
GIB Brand Protection Domain
GIB Compromised Account
GIB Data Breach

Playbooks

Name	Description
Alert Postprocessing - Group-IB Threat Intelligence & Attribution	Obtains additional information on the threat actor involved in the alert and associates related indicators to the alert.

Indicator Fields

Name	Description
GIB Collection
GIB Threat Actor is APT
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Phishing Title
GIB Threat Actor ID
GIB Proxy Anonymous	Level of anonymous
GIB CVSS Vector
GIB File Name
GIB Malware Name
GIB Date Compromised
GIB ID	ID of event in GIB TI&A
GIB Reliability	Reliability of the source
GIB Proxy Port
GIB Severity
GIB Target Brand	What brand was targeted by phishing
GIB Threat Actor Name
GIB Target Domain	What domain was targeted by phishing
GIB Software Mixed
GIB Credibility	Level of confidence on the information
GIB Target Category	What category was targeted by phishing

Indicator Types

Name	Description

Integrations

Name	Description
Group-IB Threat Intelligence & Attribution Feed (Partner Contribution)	Use Group-IB Threat Intelligence & Attribution Feed integration to fetch IOCs from various Group-IB collections.
Group-IB Threat Intelligence & Attribution (Partner Contribution)	Pack helps to integrate Group-IB Threat Intelligence & Attribution and get incidents directly into Cortex XSIAM. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware.

Layouts

Name	Description
GIB Compromised Mule Layout	Layout for GIB Compromised Mule
GIB Victim IP Layout	Layout for GIB Victim IP
GIB Compromised IMEI Layout	Layout for GIB Compromised IMEI

Automations

Name	Description
GIBIncidentUpdate	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GIBAlertUpdateIncludingClosed	This script prevents duplication of existing alerts. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GIBAlertUpdate	This script prevents duplication of existing alerts. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
GIBIncidentUpdateIncludingClosed	This script prevents duplication of existing incidents. This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations

Classifiers

Name	Description
Group-IB Threat Intelligence & Attribution (mapper)
Group-IB Threat Intelligence & Attribution (classifier)

Incident Fields

Name	Description
GIB Date Expired
GIB Date Created
GIB Card Type
GIB Threat Actor ID
GIB Target Domain
GIB Email
GIB Card Valid Thru
GIB Phishing Status
GIB Phishing Domain
GIB Phishing Kit Hash
GIB Admiralty Code	The Admiralty System or NATO System is a method for evaluating collected items of intelligence. It consists of a two-character notation, evaluating the reliability of the source and the assessed level of confidence on the information.
GIB Card Number
GIB Threat Actor Name
GIB Target Category
GIB Related Indicators Data
GIB Source	Where the feed comes from to GIB
GIB Link List
GIB Leaked Data
GIB Downloaded From
GIB Payment System
GIB Victim IP
GIB Password
GIB HTML
GIB Matches
GIB Data Hash
GIB Phishing Type
GIB Reliability	Reliability of the source
GIB Date Compromised
GIB Drop Email
GIB Revisions
GIB Name Servers
GIB CVV	Compromised card CVV
GIB Card Issuer	Issuer of compromised card
GIB Portal Link
GIB Credibility	Level of confidence on the information
GIB Date of Detection
GIB Title
GIB Drop Email Domain
GIB Person
GIB Threat Actor is APT
GIB Phishing Date Blocked
GIB Malware Name
GIB Severity
GIB ID	ID of event in GIB TIA
GIB Repository
GIB Screenshot
GIB Favicon
GIB Inject Dump
GIB Phishing Kit Emails
GIB Target Brand
GIB Compromised Login
GIB Address
GIB Leak Name

Required Content Packs (2)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (1)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR

1.3.10 - R5450895 (June 5, 2023)

Scripts

GIBIncidentUpdate

Transform automation names from "incident" to "alert" in XSIAM.
Updated the Docker image to: demisto/python3:3.10.11.58677.

GIBIncidentUpdateIncludingClosed

Transform automation names from "incident" to "alert" in XSIAM.
Updated the Docker image to: demisto/python3:3.10.11.58677.

Related pull requests:
- 26365

Download

1.3.9 - R5170573 (May 2, 2023)

Scripts

GIBIncidentUpdate

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

GIBIncidentUpdateIncludingClosed

Updated the Docker image to: demisto/python3:3.10.10.48392.
Documentation and metadata improvements.

Related pull requests:
- 23716

Download

1.3.8 - R4718798 (March 1, 2023)

Layouts

GIB Brand Protection Phishing Kit Layout
This item is no longer supported in XSIAM.
GIB Targeted Malware Layout
This item is no longer supported in XSIAM.
GIB OSI Public Leak Layout
This item is no longer supported in XSIAM.
GIB Data Breach Layout
This item is no longer supported in XSIAM.
GIB Brand Protection Domain Layout
This item is no longer supported in XSIAM.
GIB Brand Protection Phishing Layout
This item is no longer supported in XSIAM.
GIB Compromised Account Layout
This item is no longer supported in XSIAM.
GIB OSI Git Leak Layout
This item is no longer supported in XSIAM.
GIB Compromised Card Layout
This item is no longer supported in XSIAM.

Related pull requests:
- 24221

Download

1.3.7 - R3994332 (November 8, 2022)

Incident Fields

GIB Severity
GIB Admiralty Code
GIB Credibility
GIB Reliability

Indicator Fields

GIB Collection
GIB Target Domain
GIB Software Mixed
GIB File Name
GIB Reliability
GIB CVSS Vector
GIB Proxy Anonymous
GIB Phishing Title
GIB Malware Name
GIB ID
GIB Proxy Port
GIB Threat Actor is APT
GIB Admiralty Code
GIB Threat Actor ID
GIB Credibility
GIB Threat Actor Name
GIB Target Brand
GIB Severity
GIB Target Category

Integrations

Group-IB Threat Intelligence & Attribution

Updated the Docker image to: demisto/python3:3.10.4.29342.

Group-IB Threat Intelligence & Attribution Feed

Added more evaluation data.
Updated the Docker image to: demisto/python3:3.10.4.29342.

Mappers

Group-IB Threat Intelligence & Attribution (mapper)

Added more evaluation data.

Scripts

GIBIncidentUpdateIncludingClosed

Updated the Docker image to: demisto/python3:3.10.4.29342.

GIBIncidentUpdate

Updated the Docker image to: demisto/python3:3.10.4.29342.

Related pull requests:
- 18931
- 18389

Download

1.3.6 - 2674843 (March 30, 2022)

WARNING: This version is invalid. Please install a different version.

Integrations

Group-IB Threat Intelligence & Attribution Feed

Added type validations and other internal code improvements.

Group-IB Threat Intelligence & Attribution

Added type validations and other internal code improvements.

Related pull requests:
- 18028
- 20109

Download

1.3.5 - 2387690 (February 9, 2022)

Incident Fields

GIB Leaked File Name
GIB Inject MD5

Download

1.3.4 - R2146019 (December 21, 2021)

Integrations

Group-IB Threat Intelligence & Attribution

Updated the Docker image to: demisto/python3:3.9.8.24399.

Group-IB Threat Intelligence & Attribution Feed

Updated the Docker image to: demisto/python3:3.9.8.24399.

Download

1.3.3 - 2059220 (December 5, 2021)

Integrations

Group-IB Threat Intelligence & Attribution

Added new logo.

Group-IB Threat Intelligence & Attribution Feed

Added new logo.

Download

1.3.2 - 2042391 (December 2, 2021)

Integrations

Group-IB Threat Intelligence & Attribution Feed

Documentation fixes

Group-IB Threat Intelligence & Attribution

Documentation fixes

Download

1.3.1 - 2020903 (November 28, 2021)

Scripts

Multiple Scrips Changes:

Added reference to required permissions in automation's description and README.

GIBIncidentUpdate
GIBIncidentUpdateIncludingClosed

Download

1.3.0 - 1882648 (November 2, 2021)

Scripts

Breaking Change: DBotRole has been removed from these automations.
This change will affect any playbook that is dependent on, or runs, these automations.
These automations will now run using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/automations.html
##### GIBIncidentUpdateIncludingClosed
##### GIBIncidentUpdate

Download

1.2.1 - 1830765 (October 22, 2021)

Integrations

Group-IB Threat Intelligence & Attribution

Maintenance and stability enhancements.

Download

PUBLISHER

Group-IB

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	May 13, 2021
Last Release	June 5, 2023

WORKS WITH THE FOLLOWING INTEGRATIONS:

Group-IB Threat Intelligence & Attribution

Group-IB Threat Intelligence & Attribution Feed

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.