Incoming feed - Group-IB Compromised Data Accounts

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.

Specifications

Transport types

Group-IB Compromised Data Accounts

Content type

GroupIB accounts JSON

Ingested data

Ingests information about compromised user accounts.

Endpoint(s)

/api/v2/compromised/account

Processed data

The extension ingests the feed and creates Report entities with the following associated objects where available:

  • Observables.

  • Incident entities containing the user information of account compromised, such as user name and password.

  • Threat Actor entities.

  • Malware Variant TTP entitites.

  • Indicator entities.

Requirements

  • Email address registered with Group-IB.

  • Group-IB API key.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Group-IB Compromised Data Accounts from the drop-down menu.

    Content type*

    Select GroupIB accounts JSON from the drop-down menu.

    API URL*

    By default, this is set to https://bt.group-ib.com.

    API key*

    Set this to your Group-IB API key.

    Email*

    Set this to the email address associated with your Group-IB account.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.

SSL certificates

To use an SSL certificate with the platform, it must be:

  • Accessible on the EclecticIQ Platform host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that the platform can access the SSL certificate:

  1. Upload the SSL certificate to a location on the platform host.

  2. On the platform host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.

Data mapping

The sections below contain non-exhaustive information about how Group-IB Compromised Data Accounts data is mapped to EclecticIQ Platform entities and observables.

For more information about the Group-IB API schema, see the Group-IB API documentation.

Map Admiralty Code values

Group-IB uses the Admiralty System to assign reliability and credibility values to a piece of information in the admiraltyCode field. For example:

  • Object A is assigned an admiraltyCode value of A1 means that it comes from an information source that is “Completely reliable”, and the piece of information can be “Confirmed by other sources”.

  • Object B that is assigned an admiraltyCode value of D6 means that it comes from an information source that is “Not usually reliable”, and the piece of information is evaluated as “Truth cannot be judged”.

When these objects are ingested by EclecticIQ Platform, these values are added as tags to the entities to which the Admiralty System classification applies. For example:

  • Object A with an admiraltyCode value of “A1” produces entities with these two tags attached:

    • Admiralty Code - Completely reliable

    • Admiralty Code - Confirmed by other sources

  • Object A with an admiraltyCode value of “D6” produces entities with these two tags attached

    • Admiralty Code - Not usually reliable

    • Admiralty Code - Truth cannot be judged

The table below describes how admiraltyCode values are translated to tags on EclecticIQ Platform:

Group-IB admiraltyCode value

EclecticIQ Platform tags

A

Admiralty Code - Completely reliable

B

Admiralty Code - Usually reliable

C

Admiralty Code - Fairly reliable

D

Admiralty Code - Not usually reliable

E

Admiralty Code - Unreliable

F

Admiralty Code - Reliability cannot be judged

1

Admiralty Code - Confirmed by other sources

2

Admiralty Code - Probably True

3

Admiralty Code - Possibly True

4

Admiralty Code - Doubtful

5

Admiralty Code - Improbable

6

Admiralty Code - Truth cannot be judged

Map credibility values to entity tags

Group-IB assigns a credibility value to intelligence objects.

When Group-IB intelligence objects are ingested by EclecticIQ Platform, credibility values are added as tags to the resulting entities.

The table below shows how credibility values are translated into tags:

Group-IB credibility value

EclecticIQ Platform tags

0–33

Credibility - Low

34–66

Credibility - Medium

67–100

Credibility - High

Map reliability values to entity Confidence

Group-IB assigns a reliability value to intelligence objects.

When Group-IB intelligence objects are ingested by EclecticIQ Platform, reliability values are used to set the Confidence of an entity:

Group-IB reliability value

EclecticIQ Platform entity confidence

0–33

Low

34–66

Medium

67–100

High

Map MITRE matrix to tags

A Group-IB intelligence object may hold MITRE ATT&CK information in the mitreMatrix field. If present, this MITRE ATT&CK information is processed and added as a single tag to the resulting entities.

The tag generated from MITRE ATT&CK information looks like this: <attackType>-<attackTactic>-<id>

For example, the following mitreMatrix values:

{
  "attackPatternId": "attack-pattern-​d3999268-740f-467e-a075-c82e2d04be62",
  "attackTactic": "priority-definition-planning",
  "attackType": "pre_attack_tactics",
  "id": "PRE-T1001",
  // ...
}

Produce a tag named: PRE-ATT&CK-Priority Definition Planning-T1001

The table below shows how values from the mitreMatrix object is mapped to values that appear in the resulting tag:

Table of mapped values

Group-IB field name

Group-IB field value example

Resulting EclecticIQ Platform tag

attackTactic

priority-definition-planning

Priority Definition Planning

attackType

See Table of attack types below.

See Table of attack types below.

Id

PRE-T1001

T1001

Table of attack types

attackType value

Maps to

pre_attack_tactics

PRE-ATT&CK

enterprise_tactics

Enterprise

mobile_tactics

Mobile

ics_tactics

ICS

Map severity to observable maliciousness and as entity tag

Group-IB assigns a severity value to intelligence objects. When that intelligence object is ingested, its severity value is inherited by the entities and observables it produces.

severity in observables

When Group-IB intelligence objects are ingested to produce observables on the EcleciticIQ Platform, its severity value is used to set the Maliciousness of the observable.

The table below describes how severity values are translated to observable maliciousness:

Group-IB severity value

EclecticIQ Platform observable maliciousness value

red

Malicious (High confidence)

orange

Malicious (Medium confidence)

green

Malicious (Low confidence)

severity added to entities as tags

When Group-IB intelligence objects are ingested to produce entities on EclecticIQ Platform, its severity value is translated to a corresponding value and added as a tag to entities produced from it:

Group-IB severity value

EclecticIQ Platform tags

red

Severity - red

orange

Severity - orange

green

Severity - green