Skip to main content

Group-IB Threat Intelligence & Attribution Feed

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use Group-IB Threat Intelligence & Attribution Feed integration to fetch IOCs from various Group-IB collections. This integration was integrated and tested with version 1.0 of Group-IB Threat Intelligence & Attribution Feed

Configure Group-IB Threat Intelligence & Attribution Feed on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Group-IB Threat Intelligence & Attribution Feed.

  3. Click Add instance to create and configure a new integration instance.

    GIB TI&A URLThe FQDN/IP the integration should connect to.True
    UsernameThe API Key and Username required to authenticate to the service.True
    Trust any certificate (not secure)Whether to allow connections without verifying SSL certificates validity.False
    Use system proxy settingsWhether to use XSOAR system proxy settings to connect to the API.False
    Incremental feedIncremental feeds pull only new or modified indicators that have been sent from the integration. The determination if the indicator is new or modified happens on the 3rd-party vendor's side, so only indicators that are new or modified are sent to Cortex XSOAR. Therefore, all indicators coming from these feeds are labeled new or modified.False
    Fetch indicatorsFalse
    Indicator ReputationIndicators from this integration instance will be marked with this reputationFalse
    Source ReliabilityReliability of the source providing the intelligence dataTrue
    Feed Fetch IntervalFalse
    Bypass exclusion listWhen selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.False
    Indicator collectionsCollections List to include for fetching.False
    Indicator first fetchDate to start fetching indicators from.False
    Number of requests per collectionA number of requests per collection that integration sends in one fetch iteration (each request picks up to 200 objects with different amount of indicators). If you face some runtime errors, lower the value.False
    TagsSupports CSV values.False
    Traffic Light Protocol ColorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feedFalse
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Get limited count of indicators for specified collection and get all indicators from particular events by id.

Base Command#



Argument NameDescriptionRequired
collectionGIB Collection to get indicators from. Possible values are: compromised/mule, compromised/imei, attacks/ddos, attacks/deface, attacks/phishing, attacks/phishing_kit, hi/threat, apt/threat, osi/vulnerability, suspicious_ip/tor_node, suspicious_ip/open_proxy, suspicious_ip/socks_proxy, malware/cnc.Required
idIncident Id to get indicators(if set, all the indicators will be provided from particular incident).Optional
limitLimit of indicators to display in War Room. Possible values are: 10, 20, 30, 40, 50. Default is 50.Optional

Context Output#

There is no context output for this command.

Command Example#

!gibtia-get-indicators collection=compromised/mule

Human Readable Output#

IP indicators#

valuetypeasngeocountrygibmalwarename StatesFlexNet