Group-IB Threat Intelligence & Attribution predicts cybercriminal activity by identifying links between scattered data such as phishing attacks, botnets, etc., and builds a network graph for cybercrime investigations, threat attribution, and the detection of phishing & fraud.
This document provides information about the Group IB Threat Intelligence & Attribution Feed connector, which facilitates automated interactions with a Group IB Threat Intelligence & Attribution Feed server using FortiSOAR™ playbooks. Add the Group IB Threat Intelligence & Attribution Feed Connector as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving indicators from a particular collection in Group IB.
Connector Version: 1.0.0
Authored By: Community
Certified: No
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
```shell
yum install cyops-connector-group-ib-threat-intelligence-attribution-feed
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Group IB Threat Intelligence & Attribution Feed connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | The URL of the Group IB server to which you will connect and perform the automated operations. |
| Username | The username used to access the Group IB server to which you will connect and perform the automated operations. |
| Password | The password used to access the Group IB server to which you will connect and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. |
The following automated operations can be included in playbooks, and from FortiSOAR™ release 4.10.0 onwards you can also use the annotations to access the operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Indicators | Retrieves a limited number of indicators for the specified Group IB collection, and all indicators for a particular incident if you have specified the incident ID. | get_indicators Investigation |
The Get Indicators operation takes the following parameters:
| Parameter | Description |
|---|---|
| Collection | The Group IB Collection from which you want to retrieve indicators. You can choose from the following options: compromised/mule, compromised/imei, attacks/ddos, attacks/deface, attacks/phishing, attacks/phishing_kit, hi/threat, apt/threat, osi/vulnerability, suspicious_ip/tor_node, suspicious_ip/open_proxy, suspicious_ip/socks_proxy, or malware/cnc. |
| Incident ID | The incident ID whose associated indicators you want to retrieve from Group IB. |
| Limit | The maximum number of indicators that you want to display in the War Room. You can specify the following values: 10, 20, 30, 40, or 50. By default, the limit is set to 50. |
The output contains the following populated JSON schema:
```json
{
  "value": "",
  "type": "",
  "asn": "",
  "geocountry": "",
  "gibmalwarename": ""
}
```
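The following Python is an added example, not the connector's own code and not Group IB's API client: it enforces the constraints from the Get Indicators parameter table (the fixed collection list, the allowed Limit values, the "all indicators for an incident when an incident ID is given" rule) and normalises records into the output schema above, so every row a playbook receives carries all five fields. The Group IB API response format is not described on this page, so `SAMPLE_RECORDS` is constructed input and the `incident_id` key on those records is an assumption made for the example; the function names are likewise the example's own.

```python
"""Added example, not the connector's own code: validate the Get Indicators
parameters documented above and normalise indicator records into the output
schema the connector returns. The Group IB API response format is not
described on the page, so SAMPLE_RECORDS below is constructed input; the
"incident_id" key on those records is likewise an assumption made for the
example."""

# Collections exactly as listed in the Get Indicators parameter table.
COLLECTIONS = frozenset({
    "compromised/mule", "compromised/imei", "attacks/ddos", "attacks/deface",
    "attacks/phishing", "attacks/phishing_kit", "hi/threat", "apt/threat",
    "osi/vulnerability", "suspicious_ip/tor_node", "suspicious_ip/open_proxy",
    "suspicious_ip/socks_proxy", "malware/cnc",
})
ALLOWED_LIMITS = (10, 20, 30, 40, 50)   # the only values the Limit parameter accepts
DEFAULT_LIMIT = 50
OUTPUT_FIELDS = ("value", "type", "asn", "geocountry", "gibmalwarename")

# Constructed sample records (not real Group IB data); documentation-reserved
# IP ranges and an .invalid domain are used so nothing here points at a real host.
SAMPLE_RECORDS = [
    {"value": "198.51.100.7", "type": "ip", "asn": "AS64496",
     "geocountry": "NL", "gibmalwarename": "SampleBot", "incident_id": "INC-1"},
    {"value": "203.0.113.9", "type": "ip", "asn": "AS64497",
     "geocountry": "DE", "gibmalwarename": None, "incident_id": "INC-2"},
    {"value": "c2.example.invalid", "type": "domain", "incident_id": "INC-1"},
]


def param_errors(collection, incident_id=None, limit=None):
    """Return a list of human-readable problems with the supplied parameters
    (an empty list means the parameters are acceptable)."""
    errors = []
    if collection not in COLLECTIONS:
        errors.append(f"unknown collection {collection!r}")
    if limit is not None and limit not in ALLOWED_LIMITS:
        errors.append(f"limit must be one of {ALLOWED_LIMITS}, got {limit!r}")
    if incident_id is not None and not str(incident_id).strip():
        errors.append("incident_id must not be blank when supplied")
    return errors


def normalise_indicator(raw):
    """Map one raw record onto the documented output schema: every field is
    present, and missing or null values become empty strings."""
    return {field: str(raw.get(field) or "") for field in OUTPUT_FIELDS}


def get_indicators(records, collection, incident_id=None, limit=None):
    """Apply the documented semantics to an in-memory record list: all
    indicators for the incident when an incident ID is given, otherwise at
    most `limit` indicators (default 50). Raises ValueError on bad input so a
    playbook step fails loudly instead of silently querying the wrong thing."""
    errors = param_errors(collection, incident_id, limit)
    if errors:
        raise ValueError("; ".join(errors))
    if incident_id is not None:
        wanted = str(incident_id).strip()
        selected = [r for r in records if r.get("incident_id") == wanted]
    else:
        selected = records[: (limit or DEFAULT_LIMIT)]
    return [normalise_indicator(r) for r in selected]


if __name__ == "__main__":
    for row in get_indicators(SAMPLE_RECORDS, "malware/cnc", incident_id="INC-1"):
        print(row)
```

The example never contacts a server; when the same validation is wired in front of the real connector step, keep the Verify SSL configuration parameter enabled so the Username and Password are only ever sent to a Group IB server whose certificate has been verified.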
The Sample - Group IB Threat Intelligence & Attribution Feed - 1.0.0 playbook collection comes bundled with the Group IB Threat Intelligence & Attribution Feed connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Group IB Threat Intelligence & Attribution Feed connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.