diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Domain.json deleted file mode 100644 index 998e3bfea0bf..000000000000 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Domain.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "autorun": true, - "color": "#8052f3", - "days": 0, - "daysR": 0, - "default": false, - "detached": false, - "disabled": false, - "extractSettings": { - "fieldCliNameToExtractSettings": { - "alertcategory": { - "extractAsIsIndicatorTypeId": "", - "extractIndicatorTypesIDs": [], - "isExtractingAllIndicatorTypes": false - }, - "gibphishingdomain": { - "extractAsIsIndicatorTypeId": "domainRepUnified", - "extractIndicatorTypesIDs": [], - "isExtractingAllIndicatorTypes": false - }, - "gibrelatedindicatorsdata": { - "extractAsIsIndicatorTypeId": "", - "extractIndicatorTypesIDs": [], - "isExtractingAllIndicatorTypes": true - } - }, - "mode": "Specific" - }, - "hours": 0, - "hoursR": 0, - "id": "GIB Brand Protection Domain", - "layout": "GIB Brand Protection Domain Layout", - "locked": false, - "name": "GIB Brand Protection Domain", - "onChangeRepAlg": 2, - "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence & Attribution", - "readonly": false, - "reputationCalc": 2, - "system": false, - "version": -1, - "weeks": 0, - "weeksR": 0, - "fromVersion": "6.0.0" -} diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py index 67618c90838f..23f70cc56154 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py 
@@ -40,6 +40,9 @@ "add_fields": ["events.cnc.ipv4.asn", "events.cnc.ipv4.countryName", "events.cnc.ipv4.region"], "add_fields_types": ["asn", "geocountry", "geolocation"] }, + { + "main_field": "events.client.ipv4.ip", + } ] }, "compromised/card": { @@ -437,7 +440,7 @@ class Client(BaseClient): """ def _create_update_generator(self, collection_name: str, max_requests: int, - date_from: Optional[str] = None, seq_update: Union[int, str] = None, + date_from: str | None = None, seq_update: int | str = '', limit: int = 200) -> Generator: """ Creates generator of lists with feeds class objects for an update session @@ -839,7 +842,7 @@ def calculate_dbot_score(type_): return Common.DBotScore( indicator=value, indicator_type=type_, - integration_name="GIB TI", + integration_name="GIB TI&A", score=score ) @@ -904,8 +907,8 @@ def transform_some_fields_into_markdown(collection_name, feed: dict) -> dict: date = i.get("dateCreated") # file_diff = "[https://bt.group-ib.com/api/v2/osi/git_leak]({0})".format(i.get("fileDiff")) # info = find_element_by_key(i,'revisions.info') - author_email = ''.join(find_element_by_key(i, 'revisions.info.authorEmail')) - author_name = ''.join(find_element_by_key(i, 'revisions.info.authorName')) + author_email = ''.join(str(find_element_by_key(i, 'revisions.info.authorEmail'))) + author_name = ''.join(str(find_element_by_key(i, 'revisions.info.authorName'))) timestamp = ''.join(str(find_element_by_key(i, 'revisions.info.timestamp'))) # author_email, author_name, date = info.get("authorEmail"), info.get("authorName"), info.get("dateCreated") buffer += f"| {url} | {author_email} | {author_name} | {date} | {timestamp} |\n" 
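Review bot: The new indicator entry for `events.client.ipv4.ip` carries only `main_field`; the sibling entry visible just above it also carries `add_fields`/`add_fields_types`, and whatever key names the indicator type is cut off above the hunk, so whether the downstream indicator builder can type this value at all needs confirming. Separately, in what is presumably the compromised/account mapping (the `"compromised/card"` key follows), the client address is the infected victim host rather than attacker infrastructure, so if it lands on the same reputation-scoring path as the CnC entries it will attach a malicious verdict to a customer-side IP; if the goal is asset correlation, keeping it as an incident field or an add_field is safer than a standalone indicator. A one-line comment on the entry stating the intent, e.g. `# victim (client) address — enrichment only, not a malicious IoC`, would make that decision reviewable. MAPPING as a whole extends beyond this hunk.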
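Review bot: The default of `seq_update` changes from `None` to `''` in the same edit that modernises the annotations, which is a behaviour change rather than a type-only one: if the body (outside the hunk) tests `seq_update is None` or passes it straight through as the `seqUpdate` query parameter, the first request of a session now sends an empty cursor instead of omitting it; if it filters on truthiness the two are equivalent, but that should be checked rather than assumed. Either way the docstring should state what an empty or absent cursor means, e.g. `:param seq_update: cursor of the last processed update; '' (or None) starts from date_from`. The `X | None` syntax needs Python 3.10+, which the `demisto/python3:3.10.13.80593` image bumped in this commit satisfies.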
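Review bot: Renaming the DBot score vendor from `"GIB TI"` to `"GIB TI&A"` changes the key under which XSOAR stores reputation entries (indicator, type, vendor), so indicators scored before the upgrade keep their stale `GIB TI` verdict next to the new one rather than being superseded — worth a line in the release notes and, if feasible, a one-off cleanup. The literal should also live once as a module constant (e.g. `INTEGRATION_NAME = "GIB TI&A"`) and be referenced here, so the vendor name cannot diverge from any other place the integration names itself. `calculate_dbot_score` continues outside the hunk.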
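Review bot: `''.join(str(value))` is a no-op when the value is already a string and otherwise embeds Python's repr: a list renders as `['a@x', 'b@y']` with brackets and quotes, and a missing field becomes the word `None`, all of which now land in the markdown table; the existing `timestamp` line has the same shape. Those author fields also come from the leaked repository's commit metadata, so a `|` or newline in them breaks the table row. A small cell helper that joins lists, blanks None and neutralises `|`/newlines (or `stringEscapeMD` from CommonServerPython, if it is in scope) covers all three lines; `transform_some_fields_into_markdown` starts and ends outside the hunk.
```python
def _md_cell(value) -> str:
    """Render a feed field as one markdown table cell: join lists, blank None, neutralise '|' and newlines."""
    if value is None:
        return ''
    if isinstance(value, (list, tuple)):
        text = ', '.join(str(v) for v in value)
    else:
        text = str(value)
    return text.replace('|', '\\|').replace('\n', ' ')


# … unchanged: transform_some_fields_into_markdown up to the revisions loop …
            author_email = _md_cell(find_element_by_key(i, 'revisions.info.authorEmail'))
            author_name = _md_cell(find_element_by_key(i, 'revisions.info.authorName'))
            timestamp = _md_cell(find_element_by_key(i, 'revisions.info.timestamp'))
# … unchanged: buffer row append …
```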
@@ -1032,16 +1035,13 @@ def fetch_incidents_command(client: Client, last_run: dict, first_fetch_time: st :return: next_run will be last_run in the next fetch-incidents; incidents and indicators will be created in Demisto. """ incidents = [] - next_run: dict[str, dict[str, Union[int, Any]]] = {"last_fetch": {}} + next_run: dict[str, dict[str, int | Any]] = {"last_fetch": {}} for collection_name in incident_collections: last_fetch = last_run.get("last_fetch", {}).get(collection_name) portions = client.create_poll_generator(collection_name=collection_name, max_requests=requests_count, last_fetch=last_fetch, first_fetch_time=first_fetch_time) for portion, last_fetch in portions: - last_test = last_fetch - for last in last_test: - set(last) for feed in portion: mapping = MAPPING.get(collection_name, {}) if collection_name == "compromised/breached": diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml index c9bf3f82c7b3..3e02f97144b3 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml 
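Review bot: `dict[str, dict[str, int | Any]]` on the `next_run` annotation documents nothing, because `Any` absorbs `int`; if the inner values are the per-collection cursors handed back as `last_fetch`, spell that out (`dict[str, dict[str, Any]]` at minimum, or the concrete cursor type if `create_poll_generator` fixes it). Unrelated to this change but visible in the hunk, `for portion, last_fetch in portions:` rebinds the `last_fetch` that was read from `last_run` three lines earlier, which makes the cursor handling hard to follow; a distinct name such as `portion_cursor` would help. `fetch_incidents_command` continues outside the hunk.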
@@ -14,25 +14,27 @@ configuration: name: credentials required: true type: 9 -- additionalinfo: Whether to allow connections without verifying SSL certificates validity. +- additionalinfo: Whether to allow connections without verifying SSL certificates + validity. display: Trust any certificate (not secure) name: insecure - type: 8 required: false + type: 8 - additionalinfo: Whether to use XSOAR system proxy settings to connect to the API. display: Use system proxy settings name: proxy - type: 8 required: false + type: 8 - display: Fetch incidents name: isFetch - type: 8 required: false + type: 8 - additionalinfo: Type(s) of incidents to fetch from the third party API. display: Colletions to fetch + hidden: false name: incident_collections options: - - compromised/account + - compromised/account_group - compromised/card - compromised/breached - bp/phishing @@ -40,19 +42,21 @@ configuration: - osi/git_repository - osi/public_leak - malware/targeted_malware - type: 16 required: false - hidden: false + type: 16 - additionalinfo: Date to start fetching incidents from. defaultvalue: 3 days display: Incidents first fetch + hidden: false name: first_fetch - type: 0 required: false - hidden: false -- additionalinfo: A number of requests per collection that integration sends in one fetch iteration (each request picks up to 200 incidents). If you face some runtime errors, lower the value. + type: 0 +- additionalinfo: A number of requests per collection that integration sends in one + fetch iteration (each request picks up to 200 incidents). If you face some runtime + errors, lower the value. defaultvalue: '3' display: Number of requests per collection + hidden: false name: max_fetch options: - '1' 
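Review bot: The `incident_collections` option `compromised/account` is replaced by `compromised/account_group`, but the `gibtia-local-search` `predefined` list later in this file (hunk at -1269) still offers `compromised/account`, and the pack description keeps "Compromised Accounts", so the two names now coexist without a stated relationship. Instances saved with `compromised/account` selected will carry a value that is no longer a listed option after the upgrade; unless the Python `MAPPING` and fetch path (not visible in this hunk) accept both keys, this needs a release-note line and ideally a fallback that maps the old value to the new one. While touching this block, the context line `display: Colletions to fetch` could become `display: Collections to fetch`.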
@@ -60,28 +64,49 @@ configuration: - '3' - '4' - '5' - type: 15 required: false - hidden: false + type: 15 - display: Incident type name: incidentType - type: 13 required: false -description: "Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex XSOAR. \nThe list of included collections: \nCompromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware." + type: 13 +description: "Pack helps to integrate Group-IB Threat Intelligence and get incidents\ + \ directly into Cortex XSOAR. \nThe list of included collections: \nCompromised\ + \ Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing\ + \ Kit, OSI Git Leak, OSI Public Leak, Targeted Malware." +detaileddescription: "### Group-IB Threat Intelligence\n \n \n- This section explains\ + \ how to configure the instance of Threat Intelligence in Cortex XSOAR. \n \n\ + 1. Open Group-IB TI web interface. (It may be either new interface: [https://tap.group-ib.com](https://tap.group-ib.com))\ + \ \n2. To generate API key(password): \n2.1. In the new interface: click on your\ + \ name in the right upper corner -> choose **Profile** option -> switch to **Security\ + \ and Access** tab -> click **Personal token** -> follow instructions to generate\ + \ API token. \n3. Your server URL is the same as your TI web interface URL. \n\ + 4. Your username is the email that you use to enter in the web interface.\n5. Set\ + \ classifier and mapper with Group-IB Threat Intelligence classifier and mapper\ + \ or with our own if you want so.\n6. 
Go to Settings->Integrations->Pre-Processing\ + \ Rules and set up the pre-processing rule:\n* Set up conditions: \"gibid Is not\ + \ empty (General)\" and \"Type Doesn't equal(String) GIB Data Breach\".\n* Action:\ + \ \"Run a script\".\n* Script: \"GIBIncidentUpdate\" (will recreate closed incidents\ + \ if they get an update, in other cases will update the existing one) or \"GIBIncidentUpdateIncludingClosed\"\ + (will only update incidents). \n7. Don't forget to contact Group-IB to add to allow\ + \ list your Cortex IP or public IP of a proxy that you are using with Cortex." display: Group-IB Threat Intelligence name: Group-IB Threat Intelligence & Attribution script: commands: - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 253b9a136f0d574149fc43691eaf7ae27aff141a. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in compromised/account collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in compromised/account collection + with provided ID. + execution: false name: gibtia-get-compromised-account-info outputs: - contextPath: GIBTIA.CompromisedAccount.client.ipv4.asn 
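Review bot: The added `detaileddescription` block is a verbatim copy of `GroupIBTIA_description.md`, which this same commit also touches; in content packs the detailed description is normally sourced from the `_description.md` file at build time, so, if that holds here, the inline copy is a second source of truth that will drift and can be dropped. If it is kept, step 1 reads `It may be either new interface:` but lists only one URL; `Open the Group-IB TI web interface ([https://tap.group-ib.com](https://tap.group-ib.com)).` says the same thing without the dangling alternative. The same wording lives in the README and the description file, so whichever form is kept should be applied to all three.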
@@ -153,18 +178,19 @@ script: - contextPath: GIBTIA.CompromisedAccount.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: ecda6f4dc85596f447314ce01e2152db9c9d3cbc. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in compromised/card collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in compromised/card collection + with provided ID. + execution: false name: gibtia-get-compromised-card-info outputs: - contextPath: GIBTIA.CompromisedCard.cardInfo.cvv @@ -230,22 +256,24 @@ script: - contextPath: GIBTIA.CompromisedCard.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 50a3b4abbfca5dcbec9c8b3a110598f61ba93r33. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in compromised/mule collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in compromised/mule collection + with provided ID. + execution: false name: gibtia-get-compromised-mule-info outputs: - contextPath: GIBTIA.CompromisedMule.account - description: Account number (card/phone), which was used by threat actor to cash out. + description: Account number (card/phone), which was used by threat actor to + cash out. type: String - contextPath: GIBTIA.CompromisedMule.cnc.ipv4.asn description: CNC ASN. 
@@ -292,18 +320,19 @@ script: - contextPath: GIBTIA.CompromisedMule.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 0c1426048474df19ada9d0089ef8b3efce906556. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in compromised/imei collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in compromised/imei collection + with provided ID. + execution: false name: gibtia-get-compromised-imei-info outputs: - contextPath: GIBTIA.CompromisedIMEI.client.ipv4.asn @@ -363,18 +392,19 @@ script: - contextPath: GIBTIA.CompromisedIMEI.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 6fd344f340f4bdc08548cb36ded62bdf. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in compromised/breached collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in compromised/breached collection + with provided ID. + execution: false name: gibtia-get-compromised-breached-info outputs: - contextPath: GIBTIA.DataBreach.email 
@@ -395,18 +425,19 @@ script: - contextPath: GIBTIA.DataBreach.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: f201c253ac71f7d78db39fa111a2af9d7ee7a3f7. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in osi/git_leak collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in osi/git_leak collection + with provided ID. + execution: false name: gibtia-get-osi-git-leak-info outputs: - contextPath: GIBTIA.GitLeak.dateDetected @@ -442,18 +473,19 @@ script: - contextPath: GIBTIA.GitLeak.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: a9a5b5cb9b971a2a037e3a0a30654185ea148095. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in osi/public_leak collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in osi/public_leak collection + with provided ID. + execution: false name: gibtia-get-osi-public-leak-info outputs: - contextPath: GIBTIA.PublicLeak.created 
@@ -492,19 +524,20 @@ script: - contextPath: GIBTIA.PublicLeak.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: CVE-2021-27152. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in osi/vulnerability collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in osi/vulnerability collection + with provided ID. + execution: false name: gibtia-get-osi-vulnerability-info outputs: - contextPath: GIBTIA.OSIVulnerability.affectedSoftware.name @@ -546,18 +579,19 @@ script: - contextPath: GIBTIA.OSIVulnerability.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 044f3f2cb599228c1882884eb77eb073f68a25f2. - name: id - default: false isArray: false + name: id required: false secret: false - description: Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_kit collections with provided ID. + deprecated: false + description: Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_kit + collections with provided ID. + execution: false name: gibtia-get-phishing-kit-info outputs: - contextPath: GIBTIA.PhishingKit.dateDetected 
@@ -599,18 +633,19 @@ script: - contextPath: GIBTIA.PhishingKit.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: fce7f92d0b64946cf890842d083953649b259952. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in bp/phishing and attacks/phishing collections with provided ID. + deprecated: false + description: Command performs Group IB event lookup in bp/phishing and attacks/phishing + collections with provided ID. + execution: false name: gibtia-get-phishing-info outputs: - contextPath: GIBTIA.Phishing.dateDetected @@ -664,18 +699,19 @@ script: - contextPath: GIBTIA.Phishing.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 26a05baa4025edff367b058b13c6b43e820538a5. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in attacks/ddos collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in attacks/ddos collection + with provided ID. + execution: false name: gibtia-get-attacks-ddos-info outputs: - contextPath: GIBTIA.AttacksDDoS.cnc.url 
@@ -729,18 +765,19 @@ script: - contextPath: GIBTIA.AttacksDDoS.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 6009637a1135cd001ef46e21. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in attacks/deface collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in attacks/deface collection + with provided ID. + execution: false name: gibtia-get-attacks-deface-info outputs: - contextPath: GIBTIA.AttacksDeface.date @@ -773,29 +810,30 @@ script: - contextPath: GIBTIA.AttacksDeface.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 1b09d389d016121afbffe481a14b30ea995876e4. + isArray: false name: id required: true - default: false - isArray: false secret: false - auto: PREDEFINED + default: false defaultValue: 'false' description: Is threat APT. + isArray: false name: isAPT predefined: - 'true' - 'false' - default: false - isArray: false required: false secret: false - description: Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT flag is true) collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in hi/threat (or in apt/threat + if the APT flag is true) collection with provided ID. + execution: false name: gibtia-get-threat-info outputs: - contextPath: GIBTIA.Threat.contacts.account 
@@ -903,29 +941,30 @@ script: - contextPath: GIBTIA.Threat.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB internal threatActor ID. e.g.: 0d4496592ac3a0f5511cd62ef29887f48d9cb545. + isArray: false name: id required: true - default: false - isArray: false secret: false - auto: PREDEFINED + default: false defaultValue: 'false' description: Is threat actor APT group. + isArray: false name: isAPT predefined: - 'true' - 'false' - default: false - isArray: false required: false secret: false - description: Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_actor if the APT flag is true) collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in hi/threat_actor (or in + apt/threat_actor if the APT flag is true) collection with provided ID. + execution: false name: gibtia-get-threat-actor-info outputs: - contextPath: GIBTIA.ThreatActor.aliases @@ -985,18 +1024,19 @@ script: - contextPath: GIBTIA.ThreatActor.stat.sectors description: Sectors attacked by threat actor. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 109.70.100.46. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in suspicious_ip/tor_node collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in suspicious_ip/tor_node + collection with provided ID. + execution: false name: gibtia-get-suspicious-ip-tor-node-info outputs: - contextPath: GIBTIA.SuspiciousIPTorNode.ipv4.asn 
@@ -1017,18 +1057,19 @@ script: - contextPath: GIBTIA.SuspiciousIPTorNode.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: cc6a2856da2806b03839f81aa214f22dbcfd7369. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in suspicious_ip/open_proxy collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in suspicious_ip/open_proxy + collection with provided ID. + execution: false name: gibtia-get-suspicious-ip-open-proxy-info outputs: - contextPath: GIBTIA.SuspiciousIPOpenProxy.ipv4.asn @@ -1058,18 +1099,19 @@ script: - contextPath: GIBTIA.SuspiciousIPOpenProxy.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in suspicious_ip/socks_proxy collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in suspicious_ip/socks_proxy + collection with provided ID. + execution: false name: gibtia-get-suspicious-ip-socks-proxy-info outputs: - contextPath: GIBTIA.SuspiciousIPSocksProxy.ipv4.asn 
@@ -1090,18 +1132,19 @@ script: - contextPath: GIBTIA.SuspiciousIPSocksProxy.evaluation.severity description: Event severity. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: 5bbd38acf0b9e4f04123af494d485f6c49221e98. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in malware/targeted_malware collection with provided ID. + deprecated: false + description: Command performs Group IB event lookup in malware/targeted_malware + collection with provided ID. + execution: false name: gibtia-get-malware-targeted-malware-info outputs: - contextPath: GIBTIA.TargetedMalware.date @@ -1155,26 +1198,27 @@ script: - contextPath: GIBTIA.TargetedMalware.evaluation.severity description: Event severity. type: String - deprecated: false + - deprecated: false + description: Returns list of available collections. execution: false - - description: Returns list of available collections. name: gibtia-get-available-collections outputs: - contextPath: GIBTIA.OtherInfo.collections description: List of availiable collections. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- GIB event id. e.g.: aeed277396e27e375d030a91533aa232444d0089. + isArray: false name: id required: true - default: false - isArray: false secret: false - description: Command performs Group IB event lookup in malware/cnc collection by provided ID. + deprecated: false + description: Command performs Group IB event lookup in malware/cnc collection + by provided ID. + execution: false name: gibtia-get-malware-cnc-info outputs: - contextPath: GIBTIA.MalwareCNC.dateDetected 
@@ -1216,18 +1260,18 @@ script: - contextPath: GIBTIA.MalwareCNC.id description: GIB event ID. type: String - deprecated: false - execution: false - arguments: - - description: |- + - default: false + description: |- Query you want to search. e.g.: 8.8.8.8. + isArray: false name: query required: true - default: false - isArray: false secret: false + deprecated: false description: Command performs global Group IB search. + execution: false name: gibtia-global-search outputs: - contextPath: apiPath @@ -1239,11 +1283,11 @@ script: - contextPath: GIBLink description: Link to GIB TI&A interface. type: String - deprecated: false - execution: false - arguments: - auto: PREDEFINED + default: false description: Collection you want to search. + isArray: false name: collection_name predefined: - compromised/account @@ -1269,30 +1313,30 @@ script: - malware/cnc - malware/targeted_malware required: true - default: false - isArray: false secret: false - - description: |- + - default: false + description: |- Query you want to search. e.g.: 8.8.8.8. + isArray: false name: query required: true - default: false - isArray: false secret: false - - description: Start date of search session. - name: date_from - default: false + - default: false + description: Start date of search session. isArray: false + name: date_from required: false secret: false - - description: End date of search session. - name: date_to - default: false + - default: false + description: End date of search session. isArray: false + name: date_to required: false secret: false + deprecated: false description: Command performs Group IB search in selected collection. + execution: false name: gibtia-local-search outputs: - contextPath: id 
@@ -1301,17 +1345,15 @@ script: - contextPath: additional_info description: Additional info about feed. type: String - deprecated: false - execution: false - dockerimage: demisto/python3:3.10.13.78960 + dockerimage: demisto/python3:3.10.13.80593 + feed: false isfetch: true + longRunning: false + longRunningPort: false runonce: false script: '-' subtype: python3 type: python - feed: false - longRunning: false - longRunningPort: false tests: - Group-IB Threat Intelligence -Test fromversion: 6.0.0 diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_description.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_description.md index 817bda1a083f..050d2745288d 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_description.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_description.md @@ -13,4 +13,4 @@ * Set up conditions: "gibid Is not empty (General)" and "Type Doesn't equal(String) GIB Data Breach". * Action: "Run a script". * Script: "GIBIncidentUpdate" (will recreate closed incidents if they get an update, in other cases will update the existing one) or "GIBIncidentUpdateIncludingClosed"(will only update incidents). -7. Don't forget to contact Group-IB to add to allow list your Cortex IP or public IP of a proxy that you are using with Cortex. +7. Don't forget to contact Group-IB to add to allow list your Cortex IP or public IP of a proxy that you are using with Cortex. \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md index ee4e3e4c4091..3ac87a0302ff 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md 
@@ -3,11 +3,12 @@ -Pack helps to integrate Group-IB Threat Intelligence & Attribution and get incidents directly into Cortex XSOAR. +Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex XSOAR. The list of included collections: Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware. -This integration was integrated and tested with version 1.0 of Group-IB Threat Intelligence & Attribution -## Configure Group-IB Threat Intelligence & Attribution on Cortex XSOAR +This integration was integrated and tested with version 1.0 of Group-IB Threat Intelligence + +## Configure Group-IB Threat Intelligence on Cortex XSOAR 1. Navigate to **Settings** > **Integrations** > **Servers & Services**. 2. Search for Group-IB Threat Intelligence. @@ -24,10 +25,14 @@ This integration was integrated and tested with version 1.0 of Group-IB Threat I | Number of requests per collection | A number of requests per collection that integration sends in one faetch iteration \(each request picks up to 200 incidents\). If you face some runtime errors, lower the value. | False | 4. Click **Test** to validate the URLs, token, and connection. + ## Commands + You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. + ### gibtia-get-compromised-account-info + *** Command performs Group IB event lookup in compromised/account collection with provided ID. @@ -35,6 +40,7 @@ Command performs Group IB event lookup in compromised/account collection with pr #### Base Command `gibtia-get-compromised-account-info` + #### Input | **Argument Name** | **Description** | **Required** | 
@@ -72,9 +78,11 @@ Command performs Group IB event lookup in compromised/account collection with pr #### Command Example + ```!gibtia-get-compromised-account-info id=253b9a136f0d574149fc43691eaf7ae27aff141a``` #### Context Example + ```json { "DBotScore": [ 
@@ -218,21 +226,25 @@ Command performs Group IB event lookup in compromised/account collection with pr #### Human Readable Output >### Feed from compromised/account with ID 253b9a136f0d574149fc43691eaf7ae27aff141a + >|client ipv4 ip|cnc cnc|cnc domain|cnc ipv4 asn|cnc ipv4 city|cnc ipv4 countryCode|cnc ipv4 countryName|cnc ipv4 ip|cnc ipv4 provider|cnc ipv4 region|cnc url|companyId|dateDetected|domain|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|login|malware id|malware name|malware stixGuid|oldId|password|portalLink|silentInsert|sourceType|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 0.0.0.0 | http://some.ru | some.ru | AS1111 | Moscow | RU | Russian Federation | 11.11.11.11 | some.ru | Moscow | http://some.ru | -1 | 2020-02-22T01:21:03+00:00 | some.ru | A2 | 80 | 100 | red | red | 90 | 253b9a136f0d574149fc43691eaf7ae27aff141a | some.ru | 411ac9df6c5515922a56e30013e8b8b366eeec80 | PredatorStealer | 2f7650f4-bc72-2068-d1a5-467b688975d8 | 396792583 | @some@ | https://bt.group-ib.com/cd/accounts?searchValue=id:253b9a136f0d574149fc43691eaf7ae27aff141a | 0 | Botnet | 8abb3aa9-e351-f837-d61a-856901c3dc9d | +>| 0.0.0.0 | | some.ru | AS1111 | Moscow | RU | Russian Federation | 11.11.11.11 | some.ru | Moscow | http://some.ru | -1 | 2020-02-22T01:21:03+00:00 | some.ru | A2 | 80 | 100 | red | red | 90 | 253b9a136f0d574149fc43691eaf7ae27aff141a | some.ru | 411ac9df6c5515922a56e30013e8b8b366eeec80 | PredatorStealer | 2f7650f4-bc72-2068-d1a5-467b688975d8 | 396792583 | @some@ | | 0 | Botnet | 8abb3aa9-e351-f837-d61a-856901c3dc9d | >### URL indicator + >|gibid|severity|value| >|---|---|---| ->| 253b9a136f0d574149fc43691eaf7ae27aff141a | red | http://some.ru | +>| 253b9a136f0d574149fc43691eaf7ae27aff141a | red | | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| 
253b9a136f0d574149fc43691eaf7ae27aff141a | red | some.ru | >### IP indicator + >|asn|geocountry|geolocation|gibid|severity|value| >|---|---|---|---|---|---| >| AS1111 | Russian Federation | Moscow | 253b9a136f0d574149fc43691eaf7ae27aff141a | red | 11.11.11.11 | @@ -240,6 +252,7 @@ Command performs Group IB event lookup in compromised/account collection with pr ### gibtia-get-compromised-card-info + *** Command performs Group IB event lookup in compromised/card collection with provided ID. @@ -247,6 +260,7 @@ Command performs Group IB event lookup in compromised/card collection with provi #### Base Command `gibtia-get-compromised-card-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -282,9 +296,11 @@ Command performs Group IB event lookup in compromised/card collection with provi #### Command Example + ```!gibtia-get-compromised-card-info id=ecda6f4dc85596f447314ce01e2152db9c9d3cbc``` #### Context Example + ```json { "DBotScore": [ 
@@ -421,16 +437,19 @@ Command performs Group IB event lookup in compromised/card collection with provi #### Human Readable Output >### Feed from compromised/card with ID ecda6f4dc85596f447314ce01e2152db9c9d3cbc + >|baseName|cardInfo issuer countryCode|cardInfo issuer countryName|cardInfo issuer issuer|cardInfo number|cardInfo system|cardInfo type|cardInfo validThru|cnc cnc|cnc domain|cnc ipv4 city|cnc ipv4 countryCode|cnc ipv4 countryName|cnc ipv4 ip|cnc ipv4 provider|cnc ipv4 region|companyId|dateCompromised|dateDetected|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|externalId|id|isDump|isExpired|isIgnore|isMasked|malware id|malware name|malware stixGuid|oldId|owner city|owner countryCode|owner name|owner phone|owner state|portalLink|price currency|price value|silentInsert|sourceType|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| United States | US | UNITED STATES | SOME BANK | XXXXXXXXXXXXXXXX | VISA | CLASSIC | 01/2021 | some.ru | some.ru | Some | US | United States | 11.11.11.11 | Some | Some | -1 | 2020-02-22T12:21:00+00:00 | 2020-01-11T10:12:49+00:00 | A2 | 80 | 90 | red | red | 90 | 26579 | ecda6f4dc85596f447314ce01e2152db9c9d3cbc | false | false | false | true | 53013c863116aae720581ff2aa2b4f92d3cb2bd7 | mandarincc | 8c843ab8-f019-e455-c78b-47ee80f3bb0c | 396798216 | Some | US | Some Person | 111111 | Some | https://bt.group-ib.com/cd/cards?searchValue=id:ecda6f4dc85596f447314ce01e2152db9c9d3cbc | USD | 1 | 1 | Card shop | 00eccda0-aae6-c111-6080-c51f857450bf | +>| United States | US | UNITED STATES | SOME BANK | XXXXXXXXXXXXXXXX | VISA | CLASSIC | 01/2021 | some.ru | some.ru | Some | US | United States | 11.11.11.11 | Some | Some | -1 | 2020-02-22T12:21:00+00:00 | 2020-01-11T10:12:49+00:00 | A2 | 80 | 90 | red | red | 90 | 26579 | 
ecda6f4dc85596f447314ce01e2152db9c9d3cbc | false | false | false | true | 53013c863116aae720581ff2aa2b4f92d3cb2bd7 | mandarincc | 8c843ab8-f019-e455-c78b-47ee80f3bb0c | 396798216 | Some | US | Some Person | 111111 | Some | | USD | 1 | 1 | Card shop | 00eccda0-aae6-c111-6080-c51f857450bf | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| ecda6f4dc85596f447314ce01e2152db9c9d3cbc | red | some.ru | >### IP indicator + >|geocountry|geolocation|gibid|severity|value| >|---|---|---|---|---| >| United States | Some | ecda6f4dc85596f447314ce01e2152db9c9d3cbc | red | 11.11.11.11 | @@ -438,6 +457,7 @@ Command performs Group IB event lookup in compromised/card collection with provi ### gibtia-get-compromised-breached-info + *** Command performs Group IB event lookup in compromised/breached collection with provided ID. @@ -445,6 +465,7 @@ Command performs Group IB event lookup in compromised/breached collection with p #### Base Command `gibtia-get-compromised-breached-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -465,9 +486,11 @@ Command performs Group IB event lookup in compromised/breached collection with p #### Command Example + ```!gibtia-get-compromised-breached-info id=277c4112d348c91f6dabe9467f0d18ba``` #### Context Example + ```json { "GIBTIA": { @@ -508,6 +531,7 @@ Command performs Group IB event lookup in compromised/breached collection with p #### Human Readable Output >### Feed from compromised/breached with ID 277c4112d348c91f6dabe9467f0d18ba + >|addInfo|email|evaluation|id|leakName|password|uploadTime| >|---|---|---|---|---|---|---| >| address:
| some@gmail.com | admiraltyCode: C3
credibility: 50
reliability: 50
severity: green
tlp: amber
ttl: null | 277c4112d348c91f6dabe9467f0d18ba | some.com | AC91C480FDE9D7ACB8AC4B78310EB2TD,
1390DDDFA28AE085D23518A035703112 | 2021-06-12T03:02:00 | @@ -515,6 +539,7 @@ Command performs Group IB event lookup in compromised/breached collection with p ### gibtia-get-compromised-mule-info + *** Command performs Group IB event lookup in compromised/mule collection with provided ID. @@ -522,6 +547,7 @@ Command performs Group IB event lookup in compromised/mule collection with provi #### Base Command `gibtia-get-compromised-mule-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -552,9 +578,11 @@ Command performs Group IB event lookup in compromised/mule collection with provi #### Command Example + ```!gibtia-get-compromised-mule-info id=50a3b4abbfca5dcbec9c8b3a110598f61ba90a99``` #### Context Example + ```json { "DBotScore": [ 
@@ -673,27 +701,32 @@ Command performs Group IB event lookup in compromised/mule collection with provi >### Feed from compromised/mule with ID 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 + >|account|cnc cnc|cnc domain|cnc ipv4 ip|cnc url|dateAdd|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|hash|id|malware id|malware name|malware stixGuid|oldId|organization name|portalLink|sourceType|stixGuid|type| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 1111111111111111 | http://some.ru | some | 11.11.11.11 | http://some.ru | 2020-02-21T13:02:00+00:00 | A2 | 80 | 100 | red | amber | 30 | some | 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | 5a2b741f8593f88178623848573abc899f9157d4 | Anubis | 7d837524-7b01-ddc9-a357-46e7136a9852 | 392993084 | Some | https://bt.group-ib.com/cd/mules?searchValue=id:50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | Botnet | 2da6b164-9a12-6db5-4346-2a80a4e03255 | Person | +>| 1111111111111111 | | some | 11.11.11.11 | http://some.ru | 2020-02-21T13:02:00+00:00 | A2 | 80 | 100 | red | amber | 30 | some | 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | 5a2b741f8593f88178623848573abc899f9157d4 | Anubis | 7d837524-7b01-ddc9-a357-46e7136a9852 | 392993084 | Some | | Botnet | 2da6b164-9a12-6db5-4346-2a80a4e03255 | Person | >### URL indicator + >|gibid|severity|value| >|---|---|---| ->| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | http://some.ru | +>| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | some | >### IP indicator + >|gibid|severity|value| >|---|---|---| >| 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | red | 11.11.11.11 | ### gibtia-get-compromised-imei-info + *** Command performs Group IB event lookup in compromised/imei collection with provided ID. 
@@ -701,6 +734,7 @@ Command performs Group IB event lookup in compromised/imei collection with provi #### Base Command `gibtia-get-compromised-imei-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -734,9 +768,11 @@ Command performs Group IB event lookup in compromised/imei collection with provi #### Command Example + ```!gibtia-get-compromised-imei-info id=0c1426048474df19ada9d0089ef8b3efce906556``` #### Context Example + ```json { "DBotScore": [ 
@@ -856,27 +892,32 @@ Command performs Group IB event lookup in compromised/imei collection with provi >### Feed from compromised/imei with ID 0c1426048474df19ada9d0089ef8b3efce906556 + >|client ipv4 asn|client ipv4 countryCode|client ipv4 countryName|client ipv4 ip|client ipv4 provider|cnc cnc|cnc domain|cnc ipv4 asn|cnc ipv4 countryCode|cnc ipv4 countryName|cnc ipv4 ip|cnc ipv4 provider|cnc url|dateDetected|device iccid|device imei|device imsi|device model|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|malware id|malware name|malware stixGuid|oldId|operator number|portalLink|sourceType|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| AS11111 | NL | Netherlands | 11.11.11.11 | Some Company | http://some.ru | some.ru | AS11111 | FR | France | 11.11.11.11 | Some | http://some.ru | 2020-02-11T03:12:43+00:00 | ~ | Some | ~ | Nexus S/2.3.7 ($$$Flexnet v.5.5) | A2 | 80 | 100 | red | red | 30 | 0c1426048474df19ada9d0089ef8b3efce906556 | 8790a290230b3b4c059c2516a6adace1eac16066 | FlexNet | b51140c2-a88b-a95c-f5b0-1c5d1855ffde | 396766002 | ~ | https://bt.group-ib.com/cd/imei?searchValue=id:0c1426048474df19ada9d0089ef8b3efce906556 | Botnet | 9cff66e9-c2b3-26ca-771a-c9e4d501c453 | +>| AS11111 | NL | Netherlands | 11.11.11.11 | Some Company | | some.ru | AS11111 | FR | France | 11.11.11.11 | Some | http://some.ru | 2020-02-11T03:12:43+00:00 | ~ | Some | ~ | Nexus S/2.3.7 ($$$Flexnet v.5.5) | A2 | 80 | 100 | red | red | 30 | 0c1426048474df19ada9d0089ef8b3efce906556 | 8790a290230b3b4c059c2516a6adace1eac16066 | FlexNet | b51140c2-a88b-a95c-f5b0-1c5d1855ffde | 396766002 | ~ | | Botnet | 9cff66e9-c2b3-26ca-771a-c9e4d501c453 | >### URL indicator + >|gibid|severity|value| >|---|---|---| ->| 0c1426048474df19ada9d0089ef8b3efce906556 | red | http://some.ru | +>| 0c1426048474df19ada9d0089ef8b3efce906556 | red | 
| >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| 0c1426048474df19ada9d0089ef8b3efce906556 | red | some.ru | >### IP indicator + >|asn|geocountry|gibid|severity|value| >|---|---|---|---|---| >| AS11111 | France | 0c1426048474df19ada9d0089ef8b3efce906556 | red | 11.11.11.11 | ### gibtia-get-osi-git-leak-info + *** Command performs Group IB event lookup in osi/git_leak collection with provided ID. @@ -884,6 +925,7 @@ Command performs Group IB event lookup in osi/git_leak collection with provided #### Base Command `gibtia-get-osi-git-leak-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -909,9 +951,11 @@ Command performs Group IB event lookup in osi/git_leak collection with provided #### Command Example + ```!gibtia-get-osi-git-leak-info id=ead0d8ae9f2347789941ebacde88ad2e3b1ef691``` #### Context Example + ```json { "GIBTIA": { @@ -1007,18 +1051,21 @@ Command performs Group IB event lookup in osi/git_leak collection with provided >### Feed from osi/git_leak with ID ead0d8ae9f2347789941ebacde88ad2e3b1ef691 + >|companyId|dateDetected|dateUpdated|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|file|fileId|id|matchesType|matchesTypeCount card|matchesTypeCount cisco|matchesTypeCount commonKeywords|matchesTypeCount domain|matchesTypeCount dsn|matchesTypeCount email|matchesTypeCount google|matchesTypeCount ip|matchesTypeCount keyword|matchesTypeCount login|matchesTypeCount metasploit|matchesTypeCount nmap|matchesTypeCount pgp|matchesTypeCount sha|matchesTypeCount slackAPI|matchesTypeCount ssh|name|repository|source| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 40,
1872,
2060,
2248,
2522,
2692 | 2020-03-12T01:12:00+00:00 | 2020-02-11T01:12:00+00:00 | A6 | 100 | 100 | green | amber | 30 | https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/bWFpbi0zOTFkYjVkNWYxN2FiNmNiYmJmN2MzNWQxZjRkMDc2Y2I0YzgzMGYwOTdiMmE5ZWRkZDJkZjdiMDY1MDcwOWE3 | 391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7 | ead0d8ae9f2347789941ebacde88ad2e3b1ef691 | commonKeywords,
keyword | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | some | some.ru | github | +>| 40,
1872,
2060,
2248,
2522,
2692 | 2020-03-12T01:12:00+00:00 | 2020-02-11T01:12:00+00:00 | A6 | 100 | 100 | green | amber | 30 | | 391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7 | ead0d8ae9f2347789941ebacde88ad2e3b1ef691 | commonKeywords,
keyword | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | some | some.ru | github | >### revisions table + >|bind|companyId|data|file|fileDiff|fileDiffId|fileId|hash|info|parentFileId| >|---|---|---|---|---|---|---|---|---|---| ->| {'bindBy': 'cert', 'companyId': [2692], 'data': 'cert', 'type': 'keyword'} | 2692 | commonKeywords: {"password": ["password"]} | https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/cmV2aXNpb24tZmlsZS0zOTFkYjVkNWYxN2FiNmNiYmJmN2MzNWQxZjRkMDc2Y2I0YzgzMGYwOTdiMmE5ZWRkZDJkZjdiMDY1MDcwOWE3 | https://bt.group-ib.com/api/v2/osi/git_leak/ead0d8ae9f2347789941ebacde88ad2e3b1ef691/file/cmV2aXNpb24tZmlsZURpZmYtMzkxZGI1ZDVmMTdhYjZjYmJiZjdjMzVkMWY0ZDA3NmNiNGM4MzBmMDk3YjJhOWVkZGQyZGY3YjA2NTA3MDlhNw== | a2187ee179076a22e550e8f7fbc51840e87aba260431ab9cb2d4e0192ad4134c | 391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7 | Some | authorEmail: some@gmail.ru
authorName: some
dateCreated: 2020-01-03T11:17:52+00:00
timestamp: 1617794272 | ead0d8ae9f2347789941ebacde88ad2e3b1ef691 | +>| {'bindBy': 'cert', 'companyId': [2692], 'data': 'cert', 'type': 'keyword'} | 2692 | commonKeywords: {"password": ["password"]} | | == | a2187ee179076a22e550e8f7fbc51840e87aba260431ab9cb2d4e0192ad4134c | 391db5d5f17ab6cbbbf7c35d1f4d076cb4c830f097b2a9eddd2df7b0650709a7 | Some | authorEmail: some@gmail.ru
authorName: some
dateCreated: 2020-01-03T11:17:52+00:00
timestamp: 1617794272 | ead0d8ae9f2347789941ebacde88ad2e3b1ef691 | ### gibtia-get-osi-public-leak-info + *** Command performs Group IB event lookup in osi/public_leak collection with provided ID. @@ -1026,6 +1073,7 @@ Command performs Group IB event lookup in osi/public_leak collection with provid #### Base Command `gibtia-get-osi-public-leak-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1052,9 +1100,11 @@ Command performs Group IB event lookup in osi/public_leak collection with provid #### Command Example + ```!gibtia-get-osi-public-leak-info id=a09f2354e52d5fa0a8697c8df0b4ed99cc956273``` #### Context Example + ```json { "GIBTIA": { 
@@ -1104,17 +1154,20 @@ Command performs Group IB event lookup in osi/public_leak collection with provid >### Feed from osi/public_leak with ID a11f2354e52d5fa0a8697c8df0b4ed99cc956211 + >|created|data|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|hash|id|language|portalLink|size|updated|useful| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2020-02-02T13:52:01+03:00 | Big chunk of data | C3 | 50 | 50 | green | amber | 30 | a11f2354e52d5fa0a8697c8df0b4ed99cc956211 | a11f2354e52d5fa0a8697c8df0b4ed99cc956211 | java | https://bt.group-ib.com/osi/public_leak?searchValue=id:a09f2354e52d5fa0a8697c8df0b4ed99cc956273 | 709 B | 2021-04-01T14:57:01+03:00 | 1 | +>| 2020-02-02T13:52:01+03:00 | Big chunk of data | C3 | 50 | 50 | green | amber | 30 | a11f2354e52d5fa0a8697c8df0b4ed99cc956211 | a11f2354e52d5fa0a8697c8df0b4ed99cc956211 | java | | 709 B | 2021-04-01T14:57:01+03:00 | 1 | >### linkList table + >|dateDetected|datePublished|hash|itemSource|link|size|source|status| >|---|---|---|---|---|---|---|---| ->| 2021-04-01T14:57:01+03:00 | 2021-04-01T14:50:45+03:00 | 5d9657dbdf59487a6031820add2cacbe54e86814 | api | https://some.ru | 709 | some.ru | 1 | +>| 2021-04-01T14:57:01+03:00 | 2021-04-01T14:50:45+03:00 | 5d9657dbdf59487a6031820add2cacbe54e86814 | api | | 709 | some.ru | 1 | ### gibtia-get-osi-vulnerability-info + *** Command performs Group IB event lookup in osi/vulnerability collection with provided ID. @@ -1122,6 +1175,7 @@ Command performs Group IB event lookup in osi/vulnerability collection with prov #### Base Command `gibtia-get-osi-vulnerability-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1149,9 +1203,11 @@ Command performs Group IB event lookup in osi/vulnerability collection with prov #### Command Example + ```!gibtia-get-osi-vulnerability-info id=CVE-2021-27152``` #### Context Example + ```json { "CVE": { 
@@ -1251,17 +1307,20 @@ Command performs Group IB event lookup in osi/vulnerability collection with prov #### Human Readable Output >### Feed from osi/vulnerability with ID CVE-2021-27152 + >|bulletinFamily|cvss score|cvss vector|dateLastSeen|dateModified|datePublished|description|displayOptions isFavourite|displayOptions isHidden|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|exploitCount|extCvss base|extCvss environmental|extCvss exploitability|extCvss impact|extCvss mImpact|extCvss overall|extCvss temporal|extCvss vector|extDescription|href|id|lastseen|modified|portalLink|provider|published|references|reporter|title|type| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| NVD | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | 2021-02-10T19:15:00+03:00 | Description | false | false | A1 | 100 | 100 | red | green | 30 | 0 | 9.8 | 0.0 | 3.9 | 5.9 | 0.0 | 9.8 | 0.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Big description | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152 | CVE-2021-27152 | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | https://bt.group-ib.com/osi/vulnerabilities?searchValue=id:CVE-2021-27152 | some.ru | 2021-02-10T19:15:00+03:00 | https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#httpd-hardcoded-credentials,
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152 | some.ru | CVE-2021-27152 | cve | +>| NVD | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | 2021-02-10T19:15:00+03:00 | Description | false | false | A1 | 100 | 100 | red | green | 30 | 0 | 9.8 | 0.0 | 3.9 | 5.9 | 0.0 | 9.8 | 0.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Big description | | CVE-2021-27152 | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | | some.ru | 2021-02-10T19:15:00+03:00 | ,
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152 | some.ru | CVE-2021-27152 | cve | >### softwareMixed table + >|os|osVendor|osVersion|vendor| >|---|---|---|---| >| some_firmware | some | some | some | ### gibtia-get-phishing-kit-info + *** Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_kit collections with provided ID. @@ -1269,6 +1328,7 @@ Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_k #### Base Command `gibtia-get-phishing-kit-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1296,9 +1356,11 @@ Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_k #### Command Example + ```!gibtia-get-phishing-kit-info id=044f3f2cb599228c1882884eb77eb073f68a25f2``` #### Context Example + ```json { "GIBTIA": { 
@@ -1356,16 +1418,19 @@ Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_k #### Human Readable Output >### Feed from attack/phishing_kit with ID 044f3f2cb599228c1882884eb77eb073f68a25f2 + >|companyId|dateDetected|dateFirstSeen|dateLastSeen|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|hash|id|login|oldId|path|portalLink|source| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| -1 | 2021-01-21T10:10:41+00:00 | 2021-01-21T10:10:41+00:00 | 2021-01-21T10:12:17+00:00 | B2 | 70 | 80 | orange | amber | 30 | 8d7ea805fe20d6d77f57e2f0cadd17b1 | 044f3f2cb599228c1882884eb77eb073f68a25f2 | some | 396793696 | https://tap.group-ib.com/api/api/v2/web/attacks/phishing_kit/044f3f2cb599228c1882884eb77eb073f68a25f2/file/95b61a1df152012abb79c3951ed98680e0bd917bbcf1d440e76b66a120292c76 | https://bt.group-ib.com/attacks/phishing_kit?searchValue=id:044f3f2cb599228c1882884eb77eb073f68a25f2 | some | +>| -1 | 2021-01-21T10:10:41+00:00 | 2021-01-21T10:10:41+00:00 | 2021-01-21T10:12:17+00:00 | B2 | 70 | 80 | orange | amber | 30 | 8d7ea805fe20d6d77f57e2f0cadd17b1 | 044f3f2cb599228c1882884eb77eb073f68a25f2 | some | 396793696 | | | some | >### downloadedFrom table + >|date|domain|fileName|url| >|---|---|---|---| ->| 2021-01-21 10:10:41 | some.ru | some.ru| https://some.ru | +>| 2021-01-21 10:10:41 | some.ru | some.ru| | >### variables table + >|filePath|type|value| >|---|---|---| >| some.ru | DB | host: localhost | @@ -1373,6 +1438,7 @@ Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_k ### gibtia-get-phishing-info + *** Command performs Group IB event lookup in bp/phishing and attacks/phishing collections with provided ID. @@ -1380,6 +1446,7 @@ Command performs Group IB event lookup in bp/phishing and attacks/phishing colle #### Base Command `gibtia-get-phishing-info` + #### Input | **Argument Name** | **Description** | **Required** | 
@@ -1411,9 +1478,11 @@ Command performs Group IB event lookup in bp/phishing and attacks/phishing colle #### Command Example + ```!gibtia-get-phishing-info id=fce7f92d0b64946cf890842d083953649b259952``` #### Context Example + ```json { "DBotScore": [ 
@@ -1536,32 +1605,38 @@ Command performs Group IB event lookup in bp/phishing and attacks/phishing colle #### Human Readable Output >### Feed from attacks/phishing with ID fce7f92d0b64946cf890842d083953649b259952 + >|companyId|dateBlocked|dateDetected|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|ipv4 city|ipv4 countryCode|ipv4 countryName|ipv4 ip|ipv4 provider|ipv4 region|objective|oldId|phishingDomain dateRegistered|phishingDomain domain|phishingDomain local|phishingDomain registrar|portalLink|status|stixGuid|targetBrand|targetCategory|targetDomain|type|url| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2008 | 2021-01-25T22:58:10+00:00 | 2021-01-21T11:21:34+00:00 | A2 | 80 | 90 | red | amber | 30 | fce7f92d0b64946cf890842d083953649b259952 | Some | CA | Canada | 11.11.11.11 | Some | NA | Login harvest | 396798526 | 2021-01-20 13:41:30 | some.ru | some.ru | Some | https://bt.group-ib.com/attacks/phishing?searchValue=id:fce7f92d0b64946cf890842d083953649b259952 | Responding completed | 4812358a-1de0-ab32-05e4-d91842d369e2 | Some | Finance > Banking | some.ru | Phishing | https://some.ru | +>| 2008 | 2021-01-25T22:58:10+00:00 | 2021-01-21T11:21:34+00:00 | A2 | 80 | 90 | red | amber | 30 | fce7f92d0b64946cf890842d083953649b259952 | Some | CA | Canada | 11.11.11.11 | Some | NA | Login harvest | 396798526 | 2021-01-20 13:41:30 | some.ru | some.ru | Some | | Responding completed | 4812358a-1de0-ab32-05e4-d91842d369e2 | Some | Finance > Banking | some.ru | Phishing | | >### history table + >|date|field|reason|reporter|value| >|---|---|---|---|---| >| 2021-01-21T11:20:50+00:00 | Detected | In response | Group-IB Intelligence | In response | >### URL indicator + >|gibid|severity|value| >|---|---|---| ->| fce7f92d0b64946cf890842d083953649b259952 | red | https://some.ru | +>| fce7f92d0b64946cf890842d083953649b259952 | 
red | | >### Domain indicator + >|creationdate|gibid|gibphishingtitle|gibtargetbrand|gibtargetcategory|gibtargetdomain|registrarname|severity|value| >|---|---|---|---|---|---|---|---|---| >| 2021-01-20T13:41:30Z | fce7f92d0b64946cf890842d083953649b259952 | | Some | Finance > Banking | some.ru | Some | red | some.ru | >### IP indicator + >|geocountry|geolocation|gibid|severity|value| >|---|---|---|---|---| >| Canada | NA | fce7f92d0b64946cf890842d083953649b259952 | red | 11.11.11.11 | ### gibtia-get-attacks-ddos-info + *** Command performs Group IB event lookup in attacks/ddos collection with provided ID. @@ -1569,6 +1644,7 @@ Command performs Group IB event lookup in attacks/ddos collection with provided #### Base Command `gibtia-get-attacks-ddos-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1600,9 +1676,11 @@ Command performs Group IB event lookup in attacks/ddos collection with provided #### Command Example + ```!gibtia-get-attacks-ddos-info id=26a05baa4025edff367b058b13c6b43e820538a5``` #### Context Example + ```json { "DBotScore": [ 
@@ -1704,22 +1782,26 @@ Command performs Group IB event lookup in attacks/ddos collection with provided #### Human Readable Output >### Feed from attacks/ddos with ID 26a05baa4025edff367b058b13c6b43e820538a5 + >|cnc cnc|cnc domain|cnc ipv4 asn|cnc ipv4 city|cnc ipv4 countryCode|cnc ipv4 countryName|cnc ipv4 ip|cnc ipv4 provider|cnc ipv4 region|companyId|dateBegin|dateEnd|dateReg|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|oldId|portalLink|protocol|source|stixGuid|target domainsCount|target ipv4 asn|target ipv4 city|target ipv4 countryCode|target ipv4 countryName|target ipv4 ip|target ipv4 provider|target ipv4 region|target port|type| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| some.ru | some.ru | AS11111 | Some | US | United States | 11.11.11.11 | Some | Some | -1 | 2021-01-16T02:58:53+00:00 | 2021-01-16T02:58:55+00:00 | 2021-01-16 | A2 | 90 | 90 | red | green | 30 | 26a05baa4025edff367b058b13c6b43e820538a5 | 394657345 | https://bt.group-ib.com/attacks/ddos?searchValue=id:26a05baa4025edff367b058b13c6b43e820538a5 | udp | honeypot_logs:1 | ea05c117-2cca-b3cd-f033-a8e16e5db3c2 | 0 | AS11111 | Some | US | United States | 11.11.11.11 | Some | Some | 55843 | DNS Reflection | +>| some.ru | some.ru | AS11111 | Some | US | United States | 11.11.11.11 | Some | Some | -1 | 2021-01-16T02:58:53+00:00 | 2021-01-16T02:58:55+00:00 | 2021-01-16 | A2 | 90 | 90 | red | green | 30 | 26a05baa4025edff367b058b13c6b43e820538a5 | 394657345 | | udp | honeypot_logs:1 | ea05c117-2cca-b3cd-f033-a8e16e5db3c2 | 0 | AS11111 | Some | US | United States | 11.11.11.11 | Some | Some | 55843 | DNS Reflection | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| 26a05baa4025edff367b058b13c6b43e820538a5 | red | some.ru | >### IP indicator + >|asn|geocountry|geolocation|gibid|severity|value| 
>|---|---|---|---|---|---| >| AS11111 | United States | Some | 26a05baa4025edff367b058b13c6b43e820538a5 | red | 11.11.11.11 | ### gibtia-get-attacks-deface-info + *** Command performs Group IB event lookup in attacks/deface collection with provided ID. @@ -1727,6 +1809,7 @@ Command performs Group IB event lookup in attacks/deface collection with provide #### Base Command `gibtia-get-attacks-deface-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1751,9 +1834,11 @@ Command performs Group IB event lookup in attacks/deface collection with provide #### Command Example + ```!gibtia-get-attacks-deface-info id=6009637a1135cd001ef46e21``` #### Context Example + ```json { "DBotScore": [ 
@@ -1834,27 +1919,32 @@ Command performs Group IB event lookup in attacks/deface collection with provide #### Human Readable Output >### Feed from attacks/deface with ID 6009637a1135cd001ef46e21 + >|date|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|mirrorLink|portalLink|providerDomain|siteUrl|source|targetDomain|targetIp countryName|targetIp ip|threatActor id|threatActor isAPT|threatActor name|tsCreate|url| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2021-01-21T02:22:18+00:00 | B2 | 80 | 80 | orange | amber | 30 | 6009637a1135cd001ef46e21 | https://some.ru/id:-6009637a1135cd001ef46e21: | https://bt.group-ib.com/attacks/deface?searchValue=id:6009637a1135cd001ef46e21 | some.ru | http://some.ru | some.ru | some.ru | Indonesia | 11.11.11.11 | d7ff75c35f93dce6f5410bba9a6c206bdff66555 | false | FRK48 | 2021-01-21T11:19:52+00:00 | http://some.ru | +>| 2021-01-21T02:22:18+00:00 | B2 | 80 | 80 | orange | amber | 30 | 6009637a1135cd001ef46e21 | : | | some.ru | | some.ru | some.ru | Indonesia | 11.11.11.11 | d7ff75c35f93dce6f5410bba9a6c206bdff66555 | false | FRK48 | 2021-01-21T11:19:52+00:00 | http://some.ru | >### URL indicator + >|gibid|severity|value| >|---|---|---| ->| 6009637a1135cd001ef46e21 | orange | http://some.ru | +>| 6009637a1135cd001ef46e21 | orange | | >### Domain indicator + >|gibid|severity|value| >|---|---|---| >| 6009637a1135cd001ef46e21 | orange | some.ru | >### IP indicator + >|geocountry|gibid|severity|value| >|---|---|---|---| >| Indonesia | 6009637a1135cd001ef46e21 | orange | 11.11.11.11 | ### gibtia-get-threat-info + *** Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT flag is true) collection with provided ID. 
@@ -1862,6 +1952,7 @@ Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT #### Base Command `gibtia-get-threat-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -1912,9 +2003,11 @@ Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT #### Command Example + ```!gibtia-get-threat-info id=1b09d389d016121afbffe481a14b30ea995876e4 isAPT=true``` #### Context Example + ```json { "DBotScore": [ @@ -2089,11 +2182,13 @@ Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT >### Feed from threat with ID 1b09d389d016121afbffe481a14b30ea995876e4 + >|createdAt|dateFirstSeen|dateLastSeen|datePublished|deleted|description|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|id|isPublished|isTailored|langs|oldId|reportNumber|sectors|threatActor country|threatActor id|threatActor isAPT|threatActor name|title|type|updatedAt| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| >| 2021-01-15T16:53:20+03:00 | 2021-01-15 | 2021-01-15 | 2021-01-15 | false | Big description | B1 | 100 | 80 | orange | amber | 1b09d389d016121afbffe481a14b30ea995876e4 | true | false | en,
ru | 4c01c2d4-5ebb-44d8-9e91-be89231b0eb3 | CP-2501-1653 | financial-services,
finance | KP | 5e9f20fdcf5876b5772b3d09b432f4080711ac5f | true | Lazarus | Lazarus launches new attack with cryptocurrency trading platforms | threat | 2021-04-02T14:08:03+03:00 | >### files table + >|hash|mime|name|size| >|---|---|---|---| >| fa5b6b2f074ba6eb58f8b093f0e92cb8ff44b655dc8e9ce93f850e71474e4e11 | image/png | fa5b6b2f074ba6eb58f8b093f0e92cb8ff44b655dc8e9ce93f850e71474e4e11 | 284731 | @@ -2102,25 +2197,29 @@ Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT >| 623102f6cf9d2e6c978898117b7b5b85035b3d5e67c4ee266879868c9eb24dd2 | image/png | 623102f6cf9d2e6c978898117b7b5b85035b3d5e67c4ee266879868c9eb24dd2 | 209254 | >### mitreMatrix table + >|attackPatternId|attackTactic|attackType|id|params| >|---|---|---|---|---| >| attack-pattern--45242287-2964-4a3e-9373-159fad4d8195 | establish-&-maintain-infrastructure | pre_attack_tactics | PRE-T1105 | data: | >### indicatorRelationships table + >|sourceId|targetId| >|---|---| >| 9f3a2a244570a38e772a35d7c9171eed92bec6f7 | 12cad1ca535a92a2ed306c0edf3025e7d9776693 | >### indicators table + >|deleted|id|langs|params|seqUpdate|type| >|---|---|---|---|---|---| >| false | 9f3a2a244570a38e772a35d7c9171eed12bec6f7 | en | hashes: {"md4": "", "md5": "8397ea747d2ab50da4f876a36d631272", "md6": "", "ripemd160": "", "sha1": "48a6d5141e25b6c63ad8da20b954b56afe512031", "sha224": "", "sha256": "89b5e248c222ebf2cb3b525d3650259e01cf7d8fff5e1aa15ccd7512b1e63957", "sha384": "", "sha512": "", "whirlpool": ""}
name: some.ru
size: null | 16107188499162 | file | ->| false | 8b96c56cbc980c1e3362060ffa953e65281fb1df | en | domain: some.ru
ipv4:
ipv6:
ssl:
url: https://some.ru | 16107188498393 | network | +>| false | 8b96c56cbc980c1e3362060ffa953e65281fb1df | en | domain: some.ru
ipv4:
ipv6:
ssl:
url: | 16107188498393 | network | >| false | 42a9929807fd954918f9bb603135754be7a6e11c | en | hashes: {"md4": "", "md5": "5d43baf1c9e9e3a939e5defd8f3fbd1d", "md6": "", "ripemd120": "", "sha1": "d5ff73c043f3bb75dd749636307500b60a336150", "sha224": "", "sha256": "867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc3dd12", "sha384": "", "sha512": "", "whirlpool": ""}
name: 5d43baf1c9e9e3a939e5defd8f8fbd1d
size: null | 16107188498634 | file | ->| false | 12cad1ca535a92a2ed306c0edf3025e7d9776612 | en | domain: some.ru
ipv4:
ipv6:
ssl:
url: https://some.ru | 16107188498908 | network | +>| false | 12cad1ca535a92a2ed306c0edf3025e7d9776612 | en | domain: some.ru
ipv4:
ipv6:
ssl:
url: | 16107188498908 | network | ### gibtia-get-threat-actor-info + *** Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_actor if the APT flag is true) collection with provided ID. @@ -2128,6 +2227,7 @@ Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_acto #### Base Command `gibtia-get-threat-actor-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2162,9 +2262,11 @@ Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_acto #### Command Example + ```!gibtia-get-threat-actor-info id=0d4496592ac3a0f5511cd62ef29887f48d9cb545 isAPT=true``` #### Context Example + ```json { "GIBTIA": { @@ -2232,16 +2334,19 @@ Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_acto >### Feed from threat_actor with ID 0d4496592ac3a0f5511cd62ef29887f48d9cb545 + >|aliases|country|createdAt|deleted|description|goals|id|isAPT|isPublished|labels|langs|name|roles|spokenOnLangs|stat countries|stat dateFirstSeen|stat dateLastSeen|stat regions|stat sectors|stixGuid|updatedAt| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| >| SectorC08 | RU | 2018-09-26T16:59:50+03:00 | false | Big description | Information | 0d4496592ac3a0f5511cd62ef29887f48d9cb545 | true | true | spy | en | Gamaredon | agent | ru | US | 2013-06-01 | 2021-03-19 | asia | non-profit | 63d0e4d4-9f55-4fa2-87af-b6c91ded80e0 | 2021-04-08T22:09:07+03:00 | >### stat reports table + >|datePublished|id|name| >|---|---|---| >| 2021-02-04 | 59dec5947c5adac898445e3958b1d05e1c260459 | en: Template injection attacks from the Gamaredon group continued: protocol topics | ### gibtia-get-suspicious-ip-tor-node-info + *** Command performs Group IB event lookup in suspicious_ip/tor_node collection with provided ID. 
@@ -2249,6 +2354,7 @@ Command performs Group IB event lookup in suspicious_ip/tor_node collection with #### Base Command `gibtia-get-suspicious-ip-tor-node-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2269,9 +2375,11 @@ Command performs Group IB event lookup in suspicious_ip/tor_node collection with #### Command Example + ```!gibtia-get-suspicious-ip-tor-node-info id=109.70.100.46``` #### Context Example + ```json { "DBotScore": { @@ -2316,17 +2424,20 @@ Command performs Group IB event lookup in suspicious_ip/tor_node collection with #### Human Readable Output >### Feed from suspicious_ip/tor_node with ID 11.11.11.11 + >|dateFirstSeen|dateLastSeen|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|ipv4 ip|portalLink|source| >|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2020-09-03T14:15:25+00:00 | 2021-04-25T03:15:29+00:00 | A1 | 90 | 90 | green | green | 30 | 11.11.11.11 | 11.11.11.11 | https://bt.group-ib.com/suspicious/tor?searchValue=id:11.11.11.11 | some.ru | +>| 2020-09-03T14:15:25+00:00 | 2021-04-25T03:15:29+00:00 | A1 | 90 | 90 | green | green | 30 | 11.11.11.11 | 11.11.11.11 | | some.ru | >### IP indicator + >|gibid|severity|value| >|---|---|---| >| 11.11.11.11 | green | 11.11.11.11 | ### gibtia-get-suspicious-ip-open-proxy-info + *** Command performs Group IB event lookup in suspicious_ip/open_proxy collection with provided ID. @@ -2334,6 +2445,7 @@ Command performs Group IB event lookup in suspicious_ip/open_proxy collection wi #### Base Command `gibtia-get-suspicious-ip-open-proxy-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2357,9 +2469,11 @@ Command performs Group IB event lookup in suspicious_ip/open_proxy collection wi #### Command Example + ```!gibtia-get-suspicious-ip-open-proxy-info id=cc6a2856da2806b03839f81aa214f22dbcfd7369``` #### Context Example + ```json { "DBotScore": { 
@@ -2413,11 +2527,13 @@ Command performs Group IB event lookup in suspicious_ip/open_proxy collection wi #### Human Readable Output >### Feed from suspicious_ip/open_proxy with ID cc6a2856da2806b03839f81aa214f22dbcfd7369 + >|anonymous|dateDetected|dateFirstSeen|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|ipv4 countryCode|ipv4 countryName|ipv4 ip|ipv4 provider|oldId|port|portalLink|source|stixGuid|type| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 11.11.11.11 | 2021-01-21T11:01:02+00:00 | 2020-03-19T23:01:01+00:00 | C3 | 50 | 50 | green | white | 15 | cc6a2856da2806b03839f81aa214f22dbcfd7369 | CZ | Czech Republic | 11.11.11.11 | Some | 241549215 | 80 | https://bt.group-ib.com/suspicious/proxies?searchValue=id:cc6a2856da2806b03839f81aa214f22dbcfd7369 | some.ru | c30604ac-94d5-b514-f1d1-7230ec13c739 | http | +>| 11.11.11.11 | 2021-01-21T11:01:02+00:00 | 2020-03-19T23:01:01+00:00 | C3 | 50 | 50 | green | white | 15 | cc6a2856da2806b03839f81aa214f22dbcfd7369 | CZ | Czech Republic | 11.11.11.11 | Some | 241549215 | 80 | | some.ru | c30604ac-94d5-b514-f1d1-7230ec13c739 | http | >### IP indicator + >|geocountry|gibid|gibproxyanonymous|gibproxyport|severity|source|value| >|---|---|---|---|---|---|---| >| Czech Republic | cc6a2856da2806b03839f81aa214f22dbcfd7369 | 11.11.11.11 | 80 | green | some.ru | 11.11.11.11 | @@ -2425,6 +2541,7 @@ Command performs Group IB event lookup in suspicious_ip/open_proxy collection wi ### gibtia-get-suspicious-ip-socks-proxy-info + *** Command performs Group IB event lookup in suspicious_ip/socks_proxy collection with provided ID. @@ -2432,6 +2549,7 @@ Command performs Group IB event lookup in suspicious_ip/socks_proxy collection w #### Base Command `gibtia-get-suspicious-ip-socks-proxy-info` + #### Input | **Argument Name** | **Description** | **Required** | 
@@ -2452,9 +2570,11 @@ Command performs Group IB event lookup in suspicious_ip/socks_proxy collection w #### Command Example + ```!gibtia-get-suspicious-ip-socks-proxy-info id=02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e``` #### Context Example + ```json { "DBotScore": { @@ -2507,17 +2627,20 @@ Command performs Group IB event lookup in suspicious_ip/socks_proxy collection w #### Human Readable Output >### Feed from suspicious_ip/socks_proxy with ID 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e + >|dateDetected|dateFirstSeen|dateLastSeen|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|ipv4 asn|ipv4 countryCode|ipv4 countryName|ipv4 ip|ipv4 provider|oldId|portalLink|source|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2021-01-19T07:41:11+00:00 | 2021-01-19T07:41:11+00:00 | 2021-02-23T20:58:51+00:00 | A1 | 100 | 90 | green | amber | 2 | 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e | AS11111 | LB | Lebanon | 11.11.11.11 | Some | 395880626 | https://bt.group-ib.com/suspicious/socks?searchValue=id:02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e | awmproxy.com | 78cd5f78-e542-bf2c-fc40-e2a41b36dd97 | +>| 2021-01-19T07:41:11+00:00 | 2021-01-19T07:41:11+00:00 | 2021-02-23T20:58:51+00:00 | A1 | 100 | 90 | green | amber | 2 | 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e | AS11111 | LB | Lebanon | 11.11.11.11 | Some | 395880626 | | awmproxy.com | 78cd5f78-e542-bf2c-fc40-e2a41b36dd97 | >### IP indicator + >|asn|geocountry|gibid|severity|value| >|---|---|---|---|---| >| AS11111 | Lebanon | 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e | green | 11.11.11.11 | ### gibtia-get-malware-targeted-malware-info + *** Command performs Group IB event lookup in malware/targeted_malware collection with provided ID. 
@@ -2525,6 +2648,7 @@ Command performs Group IB event lookup in malware/targeted_malware collection wi #### Base Command `gibtia-get-malware-targeted-malware-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2556,9 +2680,11 @@ Command performs Group IB event lookup in malware/targeted_malware collection wi #### Command Example + ```!gibtia-get-malware-targeted-malware-info id=5bbd38acf0b9e4f04123af494d485f6c49221e98``` #### Context Example + ```json { "DBotScore": { @@ -2629,17 +2755,20 @@ Command performs Group IB event lookup in malware/targeted_malware collection wi #### Human Readable Output >### Feed from malware/targeted_malware with ID 5bbd38acf0b9e4f04123af494d485f6c49221e98 + >|company|companyId|date|dateAnalyzeEnded|dateAnalyzeStarted|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|fileName|fileType|hasReport|id|injectDump|injectMd5|malware id|malware name|md5|oldId|portalLink|sha1|sha256|size|source|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| some | -1,
38 | 2021-01-21T06:49:12+00:00 | 2021-01-21T09:53:23+00:00 | 2021-01-21T09:49:12+00:00 | A1 | 100 | 100 | red | red | some.txt | data | true | 5bbd38acf0b9e4f04123af494d485f6c49221e98 | Big dump | 973cca2a0f04ced4cdb8128624d18de1 | b69fc9d439d2fd41e98a7e3c60b9a55340012eb6 | Cobalt Strike | 11702f92313f5f3413d129809ca4f11d | 396793259 | https://bt.group-ib.com/targeted_malware/Cobalt Strike/sample/5bbd38acf0b9e4f04123af494d485f6c49221e98/show | 93fce6228be5557c69d8eeeab5a5a2a643e7d110 | 630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b1001 | 208978 | Sandbox service | 937a940c-8b51-0fd8-c16f-973529bc4dd7 | +>| some | -1,
38 | 2021-01-21T06:49:12+00:00 | 2021-01-21T09:53:23+00:00 | 2021-01-21T09:49:12+00:00 | A1 | 100 | 100 | red | red | some.txt | data | true | 5bbd38acf0b9e4f04123af494d485f6c49221e98 | Big dump | 973cca2a0f04ced4cdb8128624d18de1 | b69fc9d439d2fd41e98a7e3c60b9a55340012eb6 | Cobalt Strike | 11702f92313f5f3413d129809ca4f11d | 396793259 | Strike/sample/5bbd38acf0b9e4f04123af494d485f6c49221e98/show | 93fce6228be5557c69d8eeeab5a5a2a643e7d110 | 630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b1001 | 208978 | Sandbox service | 937a940c-8b51-0fd8-c16f-973529bc4dd7 | >### File indicator + >|filetype|gibfilename|gibid|md5|severity|sha1|sha256|size|value| >|---|---|---|---|---|---|---|---|---| >| data | some.txt | 5bbd38acf0b9e4f04123af494d485f6c49221e98 | 11702f92313f5f3413d129809ca4f11d | red | 93fce6228be5557c69d8eeeab5a5a2a643e7d110 | 630c88ca1d583f05283707740da5b1f4423807cd80cab108821157ad341b1001 | 208978 | 11702f92313f5f3413d129809ca4f11d | ### gibtia-get-malware-cnc-info + *** Command performs Group IB event lookup in malware/cnc collection by provided ID. @@ -2647,6 +2776,7 @@ Command performs Group IB event lookup in malware/cnc collection by provided ID. #### Base Command `gibtia-get-malware-cnc-info` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2674,9 +2804,11 @@ Command performs Group IB event lookup in malware/cnc collection by provided ID. #### Command Example + ```!gibtia-get-malware-cnc-info id=aeed277396e27e375d030a91533aa232444d0089``` #### Context Example + ```json { "DBotScore": [ 
@@ -2757,37 +2889,44 @@ Command performs Group IB event lookup in malware/cnc collection by provided ID. #### Human Readable Output >### Feed from malware/cnc with ID aeed277396e27e375d030a91533aa232444d0089 + >|cnc|dateDetected|dateLastSeen|domain|id|oldId|stixGuid|url| >|---|---|---|---|---|---|---|---| ->| https://some.ru | 2021-04-25T13:37:23+00:00 | 2021-04-25T13:37:23+00:00 | some.ru | aeed277396e27e375d030a91533aa232444d0089 | 211146923 | 417b2644-1105-d65b-4b67-a78e82f59b65 | https://some.ru | +>| | 2021-04-25T13:37:23+00:00 | 2021-04-25T13:37:23+00:00 | some.ru | aeed277396e27e375d030a91533aa232444d0089 | 211146923 | 417b2644-1105-d65b-4b67-a78e82f59b65 | https://some.ru | >### ipv4 table + >|asn|countryCode|countryName|ip|provider| >|---|---|---|---|---| >| AS1111 | US | United States | 11.11.11.11 | Some | >### malwareList table + >|id|name|stixGuid| >|---|---|---| >| e99c294ffe7b79655d6ef1f32add638d8a2d4b24 | JS Sniffer - Poter | 1ac5a303-ef6f-2d6a-ad20-a39196815a1a | >### URL indicator + >|gibid|value| >|---|---| ->| aeed277396e27e375d030a91533aa232444d0089 | https://some.ru | +>| aeed277396e27e375d030a91533aa232444d0089 | | >### Domain indicator + >|gibid|value| >|---|---| >| aeed277396e27e375d030a91533aa232444d0089 | some.ru | >### IP indicator + >|asn|geocountry|gibid|value| >|---|---|---|---| >| AS1111 | United States | aeed277396e27e375d030a91533aa232444d0089 | 11.11.11.11 | ### gibtia-get-available-collections + *** Returns list of available collections. @@ -2795,6 +2934,7 @@ Returns list of available collections. #### Base Command `gibtia-get-available-collections` + #### Input There are no input arguments for this command. @@ -2807,9 +2947,11 @@ There are no input arguments for this command. #### Command Example + ```!gibtia-get-available-collections``` #### Context Example + ```json { "GIBTIA": { 
@@ -2846,12 +2988,14 @@ There are no input arguments for this command. #### Human Readable Output >### Available collections + >|collections| >|---| >| compromised/account,
compromised/card,
bp/phishing,
bp/phishing_kit,
osi/git_leak,
osi/public_leak,
malware/targeted_malware,
compromised/mule,
compromised/imei,
attacks/ddos,
attacks/deface,
attacks/phishing,
attacks/phishing_kit,
apt/threat,
hi/threat,
suspicious_ip/tor_node,
suspicious_ip/open_proxy,
suspicious_ip/socks_proxy,
malware/cnc,
osi/vulnerability,
hi/threat_actor,
apt/threat_actor | ### gibtia-global-search + *** Command performs global Group IB search @@ -2859,6 +3003,7 @@ Command performs global Group IB search #### Base Command `gibtia-global-search` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2876,9 +3021,11 @@ Command performs global Group IB search #### Command Example + ```!gibtia-global-search query=100.100.100.100``` #### Context Example + ```json { "GIBTIA": { @@ -2923,6 +3070,7 @@ Command performs global Group IB search #### Human Readable Output >### Search results + >|apiPath|count|GIBLink| >|---|---|---| >| compromised/account | 14 | | @@ -2933,6 +3081,7 @@ Command performs global Group IB search ### gibtia-local-search + *** Command performs Group IB search in selected collection. @@ -2940,6 +3089,7 @@ Command performs Group IB search in selected collection. #### Base Command `gibtia-local-search` + #### Input | **Argument Name** | **Description** | **Required** | @@ -2959,9 +3109,11 @@ Command performs Group IB search in selected collection. #### Command Example + ```!gibtia-local-search collection_name=attacks/phishing query=100.100.100.100``` #### Context Example + ```json { "GIBTIA": { @@ -2978,6 +3130,7 @@ Command performs Group IB search in selected collection. #### Human Readable Output >### Search results + >|id|additional_info| >|---|---| >| 8bd7e5cef2290b0c3f04bf283586406dceffe25d | phishingDomain_domain: some.ru | diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py index 597c004af785..57750a977f68 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py 
@@ -1,13 +1,9 @@ -import requests +""" IMPORTS """ import demistomock as demisto -import demistomock from CommonServerPython import * from CommonServerUserPython import * -""" IMPORTS """ - from collections.abc import Generator - import dateparser import urllib3 from requests.auth import HTTPBasicAuth @@ -161,18 +157,18 @@ 'firstseenbysource', 'lastseenbysource' ] }, - # { - # "main_field": 'target.ipv4.ip', "main_field_type": 'GIB Victim IP', - # "add_fields": [ - # 'target.ipv4.asn', 'target.ipv4.countryName', 'target.ipv4.region', - # *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, - # 'dateBegin', 'dateEnd', *EVALUATION_FIELDS - # ], - # "add_fields_types": [ - # *IP_COMMON_FIELD_TYPES, *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, - # 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - # ] - # } + { + "main_field": 'target.ipv4.ip', "main_field_type": 'GIB Victim IP', + "add_fields": [ + 'target.ipv4.asn', 'target.ipv4.countryName', 'target.ipv4.region', + *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, + 'dateBegin', 'dateEnd', *EVALUATION_FIELDS + ], + "add_fields_types": [ + *IP_COMMON_FIELD_TYPES, *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, + 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES + ] + } ] }, "attacks/deface": { diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml index 865da9b44ada..107e83c6f95b 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml @@ -190,7 +190,7 @@ script: name: gibtia-get-indicators deprecated: false execution: false - dockerimage: demisto/python3:3.10.13.78960 + dockerimage: demisto/python3:3.10.13.80593 feed: true runonce: false script: '-' 
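Review bot: Dropping `import requests` while keeping `from requests.auth import HTTPBasicAuth` unbinds the name `requests` in this module, so if any `requests.exceptions` or `requests.Response` reference survives further down in GroupIB_TIA_Feed.py it will now fail with a NameError only when that path runs (typically an error handler), which an import-time check does not catch. Worth searching the rest of the file for `requests.` before merging, or keeping `import requests` next to the auth import. Separately, `""" IMPORTS """` is now the first statement and therefore becomes the module docstring; a descriptive one-liner such as `"""Group-IB Threat Intelligence feed integration: fetches IOCs from Group-IB collections."""` would serve readers better than a section marker.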
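Review bot: The re-enabled `target.ipv4.ip` entry turns victim (target) addresses into `GIB Victim IP` indicators carrying the same `*EVALUATION_FIELDS` metadata as the attacker-infrastructure mappings, and neither the hunk nor the release notes record why the block was previously commented out or what changed to make it safe now. If a downstream automation keys on evaluation fields or source rather than on the indicator type, a customer's own targeted addresses could end up treated as hostile, so a short comment on the entry would help, e.g. `# Target (victim) IPs are typed 'GIB Victim IP' so consumers can exclude them from block lists; they are not attacker infrastructure.` The enclosing collection definition starts outside the hunk, so the collection this entry belongs to is not visible here.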
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/README.md index 8a9107131592..5e3ff7703784 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/README.md @@ -2,6 +2,7 @@ Use Group-IB Threat Intelligence & Attribution Feed integration to fetch IOCs from various Group-IB collections. This integration was integrated and tested with version 1.0 of Group-IB Threat Intelligence & Attribution Feed + ## Configure Group-IB Threat Intelligence & Attribution Feed on Cortex XSOAR 1. Navigate to **Settings** > **Integrations** > **Servers & Services**. @@ -29,10 +30,14 @@ This integration was integrated and tested with version 1.0 of Group-IB Threat I | | | False | 4. Click **Test** to validate the URLs, token, and connection. + ## Commands + You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. + ### gibtia-get-indicators + *** Get limited count of indicators for specified collection and get all indicators from particular events by id. @@ -40,6 +45,7 @@ Get limited count of indicators for specified collection and get all indicators #### Base Command `gibtia-get-indicators` + #### Input | **Argument Name** | **Description** | **Required** | @@ -54,11 +60,13 @@ Get limited count of indicators for specified collection and get all indicators There is no context output for this command. #### Command Example + ```!gibtia-get-indicators collection=compromised/mule``` #### Human Readable Output >### IP indicators + >|value|type|asn|geocountry|gibmalwarename| >|---|---|---|---|---| >| 11.11.11.11 | IP | | | Anubis | 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Domain_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Domain_Layout.json deleted file mode 100644 index 9f60bab17b9b..000000000000 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Domain_Layout.json +++ /dev/null 
@@ -1,540 +0,0 @@ -{ - "description": "Layout for GIB Brand Protection Domain", - "detailsV2": { - "tabs": [ - { - "id": "summary", - "name": "Legacy Summary", - "type": "summary" - }, - { - "id": "caseinfoid", - "name": "Incident Info", - "sections": [ - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "type", - "height": 22, - "id": "incident-type-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "severity", - "height": 22, - "id": "incident-severity-field", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "owner", - "height": 22, - "id": "incident-owner-field", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotsource", - "height": 22, - "id": "incident-source-field", - "index": 3, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "sourcebrand", - "height": 22, - "id": "incident-sourceBrand-field", - "index": 4, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "sourceinstance", - "height": 22, - "id": "incident-sourceInstance-field", - "index": 5, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "playbookid", - "height": 22, - "id": "incident-playbookId-field", - "index": 6, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "moved": false, - "name": "Case Details", - "static": false, - "w": 1, - "x": 0, - "y": 0 - }, - { - "h": 2, - "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Notes", - "static": false, - "type": "notes", - "w": 1, - "x": 2, - "y": 0 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Work Plan", - "static": false, - "type": 
"workplan", - "w": 1, - "x": 1, - "y": 0 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", - "isVisible": true, - "maxW": 3, - "moved": false, - "name": "Linked Incidents", - "static": false, - "type": "linkedIncidents", - "w": 1, - "x": 1, - "y": 10 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", - "maxW": 3, - "moved": false, - "name": "Child Incidents", - "static": false, - "type": "childInv", - "w": 1, - "x": 2, - "y": 4 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", - "maxW": 3, - "moved": false, - "name": "Evidence", - "static": false, - "type": "evidence", - "w": 1, - "x": 2, - "y": 2 - }, - { - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", - "maxW": 3, - "moved": false, - "name": "Team Members", - "static": false, - "type": "team", - "w": 1, - "x": 2, - "y": 6 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", - "maxW": 3, - "moved": false, - "name": "Indicators", - "query": "", - "queryType": "input", - "static": false, - "type": "indicators", - "w": 2, - "x": 0, - "y": 8 - }, - { - "displayType": "CARD", - "h": 2, - "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", - "items": [ - { - "endCol": 1, - "fieldId": "occurred", - "height": 22, - "id": "incident-occurred-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 1, - "fieldId": "dbotmodified", - "height": 22, - "id": "incident-modified-field", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotduedate", - "height": 22, - "id": "incident-dueDate-field", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "dbotcreated", - "height": 22, - "id": "incident-created-field", - "index": 0, - 
"sectionItemType": "field", - "startCol": 1 - }, - { - "endCol": 2, - "fieldId": "dbotclosed", - "height": 22, - "id": "incident-closed-field", - "index": 1, - "sectionItemType": "field", - "startCol": 1 - } - ], - "maxW": 3, - "moved": false, - "name": "Timeline Information", - "static": false, - "w": 1, - "x": 0, - "y": 6 - }, - { - "displayType": "ROW", - "h": 2, - "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "dbotclosed", - "height": 22, - "id": "incident-dbotClosed-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "closereason", - "height": 22, - "id": "incident-closeReason-field", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "closenotes", - "height": 44, - "id": "incident-closeNotes-field", - "index": 3, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "moved": false, - "name": "Closing Information", - "static": false, - "w": 1, - "x": 0, - "y": 10 - }, - { - "displayType": "CARD", - "h": 2, - "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", - "isVisible": true, - "items": [ - { - "endCol": 2, - "fieldId": "details", - "height": 22, - "id": "incident-details-field", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "moved": false, - "name": "Investigation Data", - "static": false, - "w": 1, - "x": 1, - "y": 6 - }, - { - "description": "", - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "items": [ - { - "endCol": 4, - "fieldId": "gibnameservers", - "height": 22, - "id": "ec5ba620-0f12-11ec-b4dd-539628da0f41", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibtitle", - "height": 22, - "id": "8c7ce9e0-0f11-11ec-b4dd-539628da0f41", - "index": 3, - "listId": 
"caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibphishingtype", - "height": 22, - "id": "01126220-0f13-11ec-b4dd-539628da0f41", - "index": 4, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibphishingstatus", - "height": 22, - "id": "29a76e80-7362-11eb-8aef-c39e29f029fe", - "index": 5, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "minH": 1, - "minW": 1, - "moved": false, - "name": "Phishing Information from GIB TIA", - "static": false, - "w": 1, - "x": 1, - "y": 4 - }, - { - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-69c7f3b0-0f1e-11ec-b4dd-539628da0f41", - "items": [ - { - "endCol": 4, - "fieldId": "gibdatecreated", - "height": 22, - "id": "d3f80ec0-0f12-11ec-b4dd-539628da0f41", - "index": 0, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 4, - "fieldId": "gibdateexpired", - "height": 22, - "id": "dd41d5b0-0f12-11ec-b4dd-539628da0f41", - "index": 1, - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibid", - "height": 22, - "id": "5ff80ed0-72c8-11eb-9bde-efbce7414b24", - "index": 2, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibscreenshot", - "height": 22, - "id": "c59fe0a0-0f12-11ec-b4dd-539628da0f41", - "index": 3, - "listId": "caseinfoid-69c7f3b0-0f1e-11ec-b4dd-539628da0f41", - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 4, - "fieldId": "gibhtml", - "height": 22, - "id": "b57b7e00-0f12-11ec-b4dd-539628da0f41", - "index": 4, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 4, 
- "fieldId": "gibfavicon", - "height": 22, - "id": "b8585f30-0f12-11ec-b4dd-539628da0f41", - "index": 5, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "minH": 1, - "minW": 1, - "moved": false, - "name": "General Information from GIB TIA", - "static": false, - "w": 2, - "x": 0, - "y": 2 - }, - { - "displayType": "ROW", - "h": 2, - "hideName": false, - "i": "caseinfoid-81b45f40-0f1e-11ec-b4dd-539628da0f41", - "items": [ - { - "dropEffect": "move", - "endCol": 2, - "fieldId": "gibperson", - "height": 22, - "id": "355968d0-0f13-11ec-b4dd-539628da0f41", - "index": 0, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - }, - { - "dropEffect": "move", - "endCol": 2, - "fieldId": "gibaddress", - "height": 22, - "id": "31a64be0-0f13-11ec-b4dd-539628da0f41", - "index": 1, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "phonenumber", - "height": 22, - "id": "3f55b6e0-0f13-11ec-b4dd-539628da0f41", - "index": 2, - "sectionItemType": "field", - "startCol": 0 - }, - { - "endCol": 2, - "fieldId": "gibemail", - "height": 22, - "id": "3ac161b0-0f13-11ec-b4dd-539628da0f41", - "index": 3, - "sectionItemType": "field", - "startCol": 0 - } - ], - "maxW": 3, - "minH": 1, - "minW": 1, - "moved": false, - "name": "Person Information from GIB TIA", - "static": false, - "w": 1, - "x": 0, - "y": 4 - } - ], - "type": "custom" - }, - { - "id": "warRoom", - "name": "War Room", - "type": "warRoom" - }, - { - "id": "workPlan", - "name": "Work Plan", - "type": "workPlan" - }, - { - "id": "evidenceBoard", - "name": "Evidence Board", - "type": "evidenceBoard" - }, - { - "id": "relatedIncidents", - "name": "Related Incidents", - "type": "relatedIncidents" - }, - { - "id": "canvas", - "name": "Canvas", - "type": "canvas" - } - ] - }, - "group": "incident", - "id": "GIB Brand Protection Domain Layout", - "name": "GIB Brand 
Protection Domain Layout", - "system": false, - "version": -1, - "fromVersion": "6.0.0", - "marketplaces": ["xsoar"] -} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_&_Attribution_README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_&_Attribution_README.md index af4bfdcbe8f5..bc56e8123c4c 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_&_Attribution_README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_&_Attribution_README.md @@ -7,7 +7,7 @@ This playbook uses the following sub-playbooks, integrations, and scripts. This playbook does not use any sub-playbooks. ### Integrations -* Group-IB Threat Intelligence & Attribution +* Group-IB Threat Intelligence ### Scripts This playbook does not use any scripts. @@ -27,4 +27,4 @@ There are no outputs for this playbook. ## Playbook Image --- -![Incident Postprocessing - Group-IB Threat Intelligence & Attribution](https://raw.githubusercontent.com/demisto/content/951efb2cd026c6382d207447ee78eb3c5a1f97aa/Packs/GroupIB_ThreatIntelligenceAttribution/doc_files/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_%26_Attribution_Wed_Oct_20_2021.png) +![Incident Postprocessing - Group-IB Threat Intelligence](https://raw.githubusercontent.com/demisto/content/951efb2cd026c6382d207447ee78eb3c5a1f97aa/Packs/GroupIB_ThreatIntelligenceAttribution/doc_files/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_%26_Attribution_Wed_Oct_20_2021.png) diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/README.md index 2f35b7bf202f..6e8902d73422 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/README.md 
@@ -1,6 +1,6 @@ Nowadays businesses in any sphere may have problems with their cybersecurity: from simple phishing to professional cybercriminals, so it is very important to respond to incidents quickly. -Group-IB Threat Intelligence & Attribution Pack can help you with managing your incident and indicators from Group-IB within the SOAR system. +Group-IB Threat Intelligence Pack can help you with managing your incident and indicators from Group-IB within the SOAR system. ### What does this pack do? * Receive incidents and attribute them to adversaries. @@ -9,5 +9,5 @@ Group-IB Threat Intelligence & Attribution Pack can help you with managing your As part of this pack, you will also get incident types, fields, and layouts; indicator types, fields, and layouts; the classifier and mapper for properly delivering data to these types and fields. Also, you will get a playbook, that enriches incidents, upcoming from Group-IB with threat reports and threat actor information. -![Incident Postprocessing - Group-IB Threat Intelligence & Attribution](https://raw.githubusercontent.com/demisto/content/951efb2cd026c6382d207447ee78eb3c5a1f97aa/Packs/GroupIB_ThreatIntelligenceAttribution/doc_files/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_%26_Attribution_Wed_Oct_20_2021.png) +![Incident Postprocessing - Group-IB Threat Intelligence](https://raw.githubusercontent.com/demisto/content/951efb2cd026c6382d207447ee78eb3c5a1f97aa/Packs/GroupIB_ThreatIntelligenceAttribution/doc_files/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_%26_Attribution_Wed_Oct_20_2021.png) diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/1_4_0.md b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/1_4_0.md new file mode 100644 index 000000000000..8c3c71893118 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/1_4_0.md 
@@ -0,0 +1,34 @@
+
+#### Integrations
+
+##### Group-IB Threat Intelligence
+- Updated the Docker image to: *demisto/python3:3.10.13.80593*.
+- Updated all Group-IB Threat Intelligence feed collections.
+- Updated app logic - app was completely redesigned, including parsing and matching parameters.
+- New branding.
+
+##### Group-IB Threat Intelligence Feed
+- Updated the Docker image to: *demisto/python3:3.10.13.80593*.
+- Added new (and major) feeds - compromised/account_group, ioc/common.
+- Deprecated feeds - bp/domain, osi/git_leak, compromised/account.
+- New branding.
+
+#### Scripts
+
+##### GIBIncidentUpdate
+- Updated the Docker image to: *demisto/python3:3.10.13.80593*.
+- New branding.
+
+##### GIBIncidentUpdateIncludingClosed
+- Updated the Docker image to: *demisto/python3:3.10.13.80593*.
+- New branding.
+
+#### Layouts
+
+##### GIB Brand Protection Domain Layout
+- Deprecated. No available replacement.
+
+#### Incident Types
+
+##### GIB Brand Protection Domain
+- Deprecated. No available replacement.
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.yml
index 93149e558ca1..6af6f8fbd367 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.yml
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.yml
@@ -7,7 +7,7 @@ comment: |-
 commonfields:
 id: GIBIncidentUpdate
 version: -1
-dockerimage: demisto/python3:3.10.13.78960
+dockerimage: demisto/python3:3.10.13.80593
 enabled: true
 name: GIBIncidentUpdate
 script: ''
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.yml
index b69b1fded527..67d3de60a4af 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.yml
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.yml
@@ -7,7 +7,7 @@ comment: |-
 commonfields:
 id: GIBIncidentUpdateIncludingClosed
 version: -1
-dockerimage: demisto/python3:3.10.13.78960
+dockerimage: demisto/python3:3.10.13.80593
 enabled: true
 name: GIBIncidentUpdateIncludingClosed
 script: ''
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json b/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json
index 612f6da2417f..2ec29ba9fec1 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Group-IB Threat Intelligence",
 "description": "Group-IB Threat Intelligence is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools, and activity. Use this pack to fast receive incidents related to you, attribute them to adversaries to do instant response, enrich your security with an enormous IOCs collection, and provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.",
 "support": "partner",
- "currentVersion": "1.3.12",
+ "currentVersion": "1.4.0",
 "author": "Group-IB",
 "url": "https://www.group-ib.com/",
 "email": "integration@group-ib.com",
