Group-IB Threat Intelligence Feed

This Integration is part of the Group-IB Threat Intelligence Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Use Group-IB Threat Intelligence & Attribution Feed integration to fetch IOCs from various Group-IB collections. This integration was integrated and tested with version 1.0 of Group-IB Threat Intelligence & Attribution Feed

Configure Group-IB Threat Intelligence & Attribution Feed on Cortex XSOAR#

Navigate to Settings > Integrations > Servers & Services.
Search for Group-IB Threat Intelligence & Attribution Feed.

Click Add instance to create and configure a new integration instance.

Parameter	Description	Required
GIB TI&A URL	The FQDN/IP the integration should connect to.	True
Username	The API Key and Username required to authenticate to the service.	True
Trust any certificate (not secure)	Whether to allow connections without verifying SSL certificates validity.	False
Use system proxy settings	Whether to use XSOAR system proxy settings to connect to the API.	False
Incremental feed	Incremental feeds pull only new or modified indicators that have been sent from the integration. The determination if the indicator is new or modified happens on the 3rd-party vendor's side, so only indicators that are new or modified are sent to Cortex XSOAR. Therefore, all indicators coming from these feeds are labeled new or modified.	False
Fetch indicators		False
Indicator Reputation	Indicators from this integration instance will be marked with this reputation	False
Source Reliability	Reliability of the source providing the intelligence data	True
Feed Fetch Interval		False
Bypass exclusion list	When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.	False
Indicator collections	Collections List to include for fetching.	False
Indicator first fetch	Date to start fetching indicators from.	False
Number of requests per collection	A number of requests per collection that integration sends in one fetch iteration (each request picks up to 200 objects with different amount of indicators). If you face some runtime errors, lower the value.	False
Tags	Supports CSV values.	False
Traffic Light Protocol Color	The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed	False
		False
		False

Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

gibtia-get-indicators#

Get limited count of indicators for specified collection and get all indicators from particular events by id.

Base Command#

gibtia-get-indicators

Input#

Argument Name	Description	Required
collection	GIB Collection to get indicators from. Possible values are: compromised/mule, compromised/imei, attacks/ddos, attacks/deface, attacks/phishing, attacks/phishing_kit, hi/threat, apt/threat, osi/vulnerability, suspicious_ip/tor_node, suspicious_ip/open_proxy, suspicious_ip/socks_proxy, malware/cnc.	Required
id	Incident Id to get indicators(if set, all the indicators will be provided from particular incident).	Optional
limit	Limit of indicators to display in War Room. Possible values are: 10, 20, 30, 40, 50. Default is 50.	Optional

Context Output#

There is no context output for this command.

Command Example#

!gibtia-get-indicators collection=compromised/mule

Human Readable Output#

IP indicators#

value type asn geocountry gibmalwarename
11.11.11.11 IP Anubis
11.11.11.11 IP AS12121 France FlexNet
11.11.11.11 IP AS1313 United States FlexNet

value	type	asn	geocountry	gibmalwarename
11.11.11.11	IP			Anubis
11.11.11.11	IP	AS12121	France	FlexNet
11.11.11.11	IP	AS1313	United States	FlexNet