Incoming feed - Group-IB APT Threat#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

	Specifications
Transport types	Group-IB APT Threat
Content type	GroupIB Threat JSON
Ingested data	Ingests threat reports from Group-IB that contains information about APT threats.
Endpoint(s)	`/api/v2/apt/threat`
Processed data	The extension ingests the feed and creates Report entities with the following associated objects where available: Observables. Indicator entities. Threat actor entities. Targeted Victim TTP entities.

Requirements#

Email address registered with Group-IB.
Group-IB API key.

Configure the incoming feed#

Create or edit an incoming feed.

Under Transport and content, fill out these fields:

Note

Required fields are marked with an asterisk (*).

Field	Description
Transport type*	Select Group-IB APT Threat from the drop-down menu.
Content type*	Select GroupIB Threat JSON from the drop-down menu.
API URL*	By default, this is set to `https://bt.group-ib.com`.
API key*	Set this to your Group-IB API key.
Email*	Set this to the email address associated with your Group-IB account.
SSL verification	Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.	Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. For more information, see SSL certificates.
Start ingesting from*	Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

Store your changes by selecting Save.

SSL certificates#

To use an SSL certificate, it must be:

Accessible on the EclecticIQ Intelligence Center host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.
On the EclecticIQ Intelligence Center host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
```
chown eclecticiq:eclecticiq /path/to/cert.pem
```
Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

Data mapping#

The sections below contain non-exhaustive information about how Group-IB APT Threat data is mapped to EclecticIQ Platform entities and observables.

For more information about the Group-IB API schema, see the Group-IB API documentation.

Map Group-IB reports to indicator title and type #

EclecticIQ Platform Indicator entities produced by ingesting Group-IB Human Intelligence and APT threat reports. have their titles determined by the following:

The title field of the Group-IB indicator object.

If the title field is missing or empty (null), then the Indicator title is derived from the contents of the params and type field in the Group-IB feed data, in order of priority:

network type Group-IB indicators

file type Group-IB indicators

Priority	`param` field name
1	`url`
2	`domain`
3	`ipv4`
4	`ipv6`
(not used)	`ssl`

Priority	`param` field name
1	`hashes.sha512`
2	`hashes.sha256`
3	`hashes.sha1`
4	`hashes.md5`
(not used)	`md4` `md6` `sha1`

For Group-IB indicators of network type, the platform also adds a Watchlist type to the relevant Indicator entity produced from that data.

This table shows how values of the type and params field are mapped to the Indicator type, in order of priority:

Priority	`param` field name	EclecticIQ Platform Indicator type
1	`url`	URL Watchlist
2	`domain`	Domain Watchlist
3	`ipv4`	IP Watchlist
4	`ipv6`	Watchlist

Map Admiralty Code values #

Group-IB uses the Admiralty System to assign reliability and credibility values to a piece of information in the admiraltyCode field. For example:

Object A is assigned an admiraltyCode value of A1 means that it comes from an information source that is “Completely reliable”, and the piece of information can be “Confirmed by other sources”.
Object B that is assigned an admiraltyCode value of D6 means that it comes from an information source that is “Not usually reliable”, and the piece of information is evaluated as “Truth cannot be judged”.

When these objects are ingested by EclecticIQ Platform, these values are added as tags to the entities to which the Admiralty System classification applies. For example:

Object A with an admiraltyCode value of “A1” produces entities with these two tags attached:
- Admiralty Code - Completely reliable
- Admiralty Code - Confirmed by other sources
Object A with an admiraltyCode value of “D6” produces entities with these two tags attached
- Admiralty Code - Not usually reliable
- Admiralty Code - Truth cannot be judged

The table below describes how admiraltyCode values are translated to tags on EclecticIQ Platform:

Group-IB `admiraltyCode` value	EclecticIQ Platform tags
A	Admiralty Code - Completely reliable
B	Admiralty Code - Usually reliable
C	Admiralty Code - Fairly reliable
D	Admiralty Code - Not usually reliable
E	Admiralty Code - Unreliable
F	Admiralty Code - Reliability cannot be judged
1	Admiralty Code - Confirmed by other sources
2	Admiralty Code - Probably True
3	Admiralty Code - Possibly True
4	Admiralty Code - Doubtful
5	Admiralty Code - Improbable
6	Admiralty Code - Truth cannot be judged

Map credibility values to entity tags #

Group-IB assigns a credibility value to intelligence objects.

When Group-IB intelligence objects are ingested by EclecticIQ Platform, credibility values are added as tags to the resulting entities.

The table below shows how credibility values are translated into tags:

Group-IB `credibility` value	EclecticIQ Platform tags
0–33	Credibility - Low
34–66	Credibility - Medium
67–100	Credibility - High

Map reliability values to entity Confidence #

Group-IB assigns a reliability value to intelligence objects.

When Group-IB intelligence objects are ingested by EclecticIQ Platform, reliability values are used to set the Confidence of an entity:

Group-IB `reliability` value	EclecticIQ Platform entity confidence
0–33	Low
34–66	Medium
67–100	High

A Group-IB intelligence object may hold MITRE ATT&CK information in the mitreMatrix field. If present, this MITRE ATT&CK information is processed and added as a single tag to the resulting entities.

The tag generated from MITRE ATT&CK information looks like this: <attackType>-<attackTactic>-<id>

For example, the following mitreMatrix values:

{
  "attackPatternId": "attack-pattern-​d3999268-740f-467e-a075-c82e2d04be62",
  "attackTactic": "priority-definition-planning",
  "attackType": "pre_attack_tactics",
  "id": "PRE-T1001",
  // ...
}

Produce a tag named: PRE-ATT&CK-Priority Definition Planning-T1001

The table below shows how values from the mitreMatrix object is mapped to values that appear in the resulting tag:

Table of mapped values#
Group-IB field name	Group-IB field value example	Resulting EclecticIQ Platform tag
`attackTactic`	`priority-definition-planning`	Priority Definition Planning
`attackType`	See Table of attack types below.	See Table of attack types below.
`Id`	`PRE-T1001`	T1001

Table of attack types#
`attackType` value	Maps to
`pre_attack_tactics`	PRE-ATT&CK
`enterprise_tactics`	Enterprise
`mobile_tactics`	Mobile
`ics_tactics`	ICS

Map contact details in Group-IB reports to observables #

If a Group-IB Human Intelligence or APT threat report contains a contacts field, the contents of that field is ingested as observables.

The contacts field contains a list of contacts. One observable is created per contact found in that list; that observable:

Derives its title from the value of the account field.
Derives its type from the value of the type field.

This table describes how the values in the type field are mapped to EclecticIQ Platform observable types:

Group-IB contact type

EclecticIQ Platform observable type

email

Email

phone

Telephone

im

Handle

wallet

Bank account

social_network

Handle

Group-IB contact type	EclecticIQ Platform observable type
`email`	Email
`phone`	Telephone
`im`	Handle
`wallet`	Bank account
`social_network`	Handle

Map sector to entity tags and observable titles #

If an ingested Group-IB report contains a sectors field, the contents of the field are processed to

produce observables of industry type, and
adds tags to corresponding entities.

For example, a Group-IB report that has these two sectors:

agriculture
financial-services

is processed to produce:

Industry Sector - Agriculture and Industry Sector - Financial Services tags that are added to the corresponding entities.
Creates two observables of industry type:
- industry: Agriculture
- industry: Financial Services

This table describes how a field value maps to EclecticIQ Platform entity tags, and the observables produced:

Group-IB `sectors` value	EclecticIQ Platform tag	EclecticIQ Platform observable
`agriculture`	Industry Sector - Agriculture	industry: Agriculture
`aerospace`	Industry Sector - Aerospace	industry: Aerospace
`automotive`	Industry Sector - Automotive	industry: Automotive
`communications`	Industry Sector - Communications	industry: Communications
`construction`	Industry Sector - Construction	industry: Construction
`defence`	Industry Sector - Defence	industry: Defence
`education`	Industry Sector - Education	industry: Education
`energy`	Industry Sector - Energy	industry: Energy
`entertainment`	Industry Sector - Entertainment	industry: Entertainment
`financial-services`	Industry Sector - Financial Services	industry: Financial Services
`government-national`	Industry Sector - Government National	industry: Government National
`government-regional`	Industry Sector - Government Regional	industry: Government Regional
`government-local`	Industry Sector - Government Local	industry: Government Local
`government-public-services`	Industry Sector - Government Public	industry: Services Government Public Services
`healthcare`	Industry Sector - Healthcare	industry: Healthcare
`hospitality-leisure`	Industry Sector - Hospitality Leisure	industry: Hospitality Leisure
`infrastructure`	Industry Sector - Infrastructure	industry: Infrastructure
`insurance`	Industry Sector - Insurance	industry: Insurance
`manufacturing`	Industry Sector - Manufacturing	industry: Manufacturing
`mining`	Industry Sector - Mining	industry: Mining
`non-profit`	Industry Sector - Non-Profit	industry: Non-Profit
`pharmaceuticals`	Industry Sector - Pharmaceuticals	industry: Pharmaceuticals
`retail`	Industry Sector - Retail	industry: Retail
`technology`	Industry Sector - Technology	industry: Technology
`telecommunications`	Industry Sector - Telecommunications	industry: Telecommunications
`transportation`	Industry Sector - Transportation	industry: Transportation
`utilities`	Industry Sector - Utilities	industry: Utilities
`all`	Industry Sector - All	industry: N/A

Map severity to observable maliciousness and as entity tag #

Group-IB assigns a severity value to intelligence objects. When that intelligence object is ingested, its severity value is inherited by the entities and observables it produces.

`severity` in observables #

When Group-IB intelligence objects are ingested to produce observables on the EcleciticIQ Platform, its severity value is used to set the Maliciousness of the observable.

The table below describes how severity values are translated to observable maliciousness:

Group-IB `severity` value	EclecticIQ Platform observable maliciousness value
`red`	Malicious (High confidence)
`orange`	Malicious (Medium confidence)
`green`	Malicious (Low confidence)

`severity` added to entities as tags #

When Group-IB intelligence objects are ingested to produce entities on EclecticIQ Platform, its severity value is translated to a corresponding value and added as a tag to entities produced from it:

Group-IB `severity` value	EclecticIQ Platform tags
`red`	Severity - red
`orange`	Severity - orange
`green`	Severity - green