Incoming feed - Group-IB Attacks Phishing#
Note
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
Specifications |
|
---|---|
Transport types |
Group-IB Attacks Phishing |
Content type |
GroupIB Phishing Attack JSON |
Ingested data |
Ingests the following entity types from Group-IB, containing information about phishing attacks:
|
Endpoint(s) |
|
Processed data |
See Data mapping. |
Requirements#
Email address registered with Group-IB.
Group-IB API key.
Configure the incoming feed#
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Note
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select Group-IB Attacks Phishing from the drop-down menu.
Content type*
Select GroupIB Phishing Attack JSON from the drop-down menu.
API URL*
By default, this is set to
https://bt.group-ib.com
.API key*
Set this to your Group-IB API key.
Email*
Set this to the email address associated with your Group-IB account.
SSL verification
Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.
For more information, see SSL certificates.
Start ingesting from*
Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.
Store your changes by selecting Save.
SSL certificates#
To use an SSL certificate, it must be:
Accessible on the EclecticIQ Intelligence Center host.
Placed in a location that can be accessed by the
eclecticiq
user.Owned by
eclecticiq:eclecticiq
.
To make sure that EclecticIQ Intelligence Center can access the SSL certificate:
Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.
On the EclecticIQ Intelligence Center host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq /path/to/cert.pem
Where
/path/to/cert.pem
is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.
Data mapping#
The sections below contain non-exhaustive information about how Group-IB Attacks Phishing data is mapped to EclecticIQ Platform entities and observables.
For more information about the Group-IB API schema, see the Group-IB API documentation.
Map to entities#
Each object ingested from Group-IB Attacks Phishing produces:
an Incident
an Indicator (linked to the Incident)
a TTP (linked to the Incident)
Map to Incidents#
Incident field name |
Mapped from GroupIB Phishing Attack JSON |
Example value |
Description |
---|---|---|---|
Title |
|
Phishing Attack: Brand name |
Incident title from feed source. |
Analysis |
|
Status: In response History Date: <date> Field: <field> Reason: <reason> Reporter: <reporter> Value: <value> |
Contains information about the phishing domain. |
Confidence |
|
Medium |
|
Characteristics |
|
Various |
|
Estimated time |
|
Various |
See Map timestamps. |
Tags |
|
Various |
See: |
Information Source |
|
Various |
|
Data Marking |
|
Various |
See Data marking. |
Map to Indicators#
Indicator field name |
Mapped from GroupIB Phishing Attack JSON |
Example value |
Description |
---|---|---|---|
Title |
|
example.com |
This is the title of the ingested Indicator. |
Analysis |
|
example.com |
Contains information about the phishing domain. |
Types |
|
Domain Watchlist |
Type of Indicator. |
Confidence |
|
Medium |
|
Estimated time |
|
Various |
See Map timestamps. |
Tags |
|
Various |
See: |
Producer |
|
Various |
|
Data marking |
|
Various |
See Data marking. |
Map to TTPs#
TTP field name |
Mapped from GroupIB Phishing Attack JSON |
Example value |
Description |
---|---|---|---|
Title |
|
Targeted Victim: Brand name |
Title is set as target brand from feed source. |
Characteristics |
|
Brand name |
Brand name that is the target of phishing attack. |
Estimated time |
|
Estimated times for events. |
|
Tags |
|
Various |
See: |
Information Source |
|
Various |
|
Data Marking |
|
Various |
See Data marking. |
Map Admiralty Code values#
Group-IB uses the Admiralty System to assign
reliability and credibility values to
a piece of information in the admiraltyCode
field.
For example:
Object A is assigned an
admiraltyCode
value of A1 means that it comes from an information source that is “Completely reliable”, and the piece of information can be “Confirmed by other sources”.Object B that is assigned an
admiraltyCode
value of D6 means that it comes from an information source that is “Not usually reliable”, and the piece of information is evaluated as “Truth cannot be judged”.
When these objects are ingested by EclecticIQ Platform, these values are added as tags to the entities to which the Admiralty System classification applies. For example:
Object A with an
admiraltyCode
value of “A1” produces entities with these two tags attached:Admiralty Code - Completely reliable
Admiralty Code - Confirmed by other sources
Object A with an
admiraltyCode
value of “D6” produces entities with these two tags attachedAdmiralty Code - Not usually reliable
Admiralty Code - Truth cannot be judged
The table below describes how admiraltyCode
values are translated to tags on EclecticIQ Platform:
Group-IB |
EclecticIQ Platform tags |
---|---|
A |
Admiralty Code - Completely reliable |
B |
Admiralty Code - Usually reliable |
C |
Admiralty Code - Fairly reliable |
D |
Admiralty Code - Not usually reliable |
E |
Admiralty Code - Unreliable |
F |
Admiralty Code - Reliability cannot be judged |
1 |
Admiralty Code - Confirmed by other sources |
2 |
Admiralty Code - Probably True |
3 |
Admiralty Code - Possibly True |
4 |
Admiralty Code - Doubtful |
5 |
Admiralty Code - Improbable |
6 |
Admiralty Code - Truth cannot be judged |
Map reliability values to entity Confidence#
Group-IB assigns a reliability
value
to intelligence objects.
When Group-IB intelligence objects
are ingested by EclecticIQ Platform,
reliability
values are used to
set the Confidence of an entity:
Group-IB |
EclecticIQ Platform entity confidence |
---|---|
0–33 |
Low |
34–66 |
Medium |
67–100 |
High |
Map timestamps#
The following table describes how GroupIB Phishing Attack JSON timestamps are mapped to Indicator and Incident timestamps on the platform.
Indicator estimated time field |
GroupIB Phishing Attack JSON field |
---|---|
Estimated threat start time |
|
Estimated threat end time |
|
Estimated observed time |
|
Half-life |
|
Ingested |
Date and time ingested. |
Producer/Information source#
Field name |
Mapped from GroupIB Phishing Attack JSON |
Example value |
Description |
---|---|---|---|
Identity |
|
Group-IB |
Name of organization or person that created the information. Always set to “Group-IB”. |
Roles |
|
Initial Author |
Role of information source. Always set to “Initial Author”. |
References |
|
https://bt.group-ib.com/attacks/phishing?searchValue=id:adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
One or more links that lead to source information. |
Incident characteristics#
Tip
To view Characteristics for an entity, open the entity overview and click the JSON tab.
Time coordinates#
Caution
For brevity, the Precision column describes the values set in Time <field name> precision fields.
E.g., the Precision column in the table below for First malicious action is the value set for the Time first malicious action precision field in the platform.
Field name |
Mapped from GroupIB Phishing Attack JSON |
Precision |
---|---|---|
First malicious action |
|
second |
Incident discovery |
|
second |
Containment achieved |
|
second |
Victim#
Field name |
Mapped from GroupIB Phishing Attack JSON |
Description |
||||
---|---|---|---|---|---|---|
Organization name |
|
|
Data marking#
Field name |
Mapped from GroupIB Phishing Attack JSON |
Description |
---|---|---|
TLP |
|
This sets the entity TLP color using values in GroupIB Phishing Attack JSON. |
Supported observables#
The following table describes the observable types supported for this feed, and how they’re mapped from GroupIB Phishing Attack JSON:
Observable type |
Maliciousness |
Maps from GroupIB Phishing Attack JSON |
Related to |
||||||
---|---|---|---|---|---|---|---|---|---|
ASN |
Unknown |
|
Indicator |
||||||
City |
Safe |
|
Indicator |
||||||
Country |
Safe |
|
Indicator |
||||||
Country Code |
Safe |
|
Indicator |
||||||
Domain |
Various |
|
Indicator |
||||||
IPv4 |
Unknown |
|
Indicator |
||||||
Organisation |
Unknown |
|
Indicator |
||||||
Registrar |
Unknown |
|
Indicator |
Map severity to observable maliciousness and as entity tag#
Group-IB assigns a severity value to intelligence objects. When that intelligence object is ingested, its severity value is inherited by the entities and observables it produces.
severity
in observables#
When Group-IB intelligence objects are
ingested to produce observables
on the EcleciticIQ Platform,
its severity
value is
used to set the Maliciousness of the observable.
The table below describes how severity
values
are translated to observable maliciousness:
Group-IB |
EclecticIQ Platform observable maliciousness value |
---|---|
|
Malicious (High confidence) |
|
Malicious (Medium confidence) |
|
Malicious (Low confidence) |