Incoming feed - Group-IB Malware C2
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.
|
Specifications |
|
|
Transport types |
Group-IB Malware C2 |
|
Content type |
GroupIB Malware CNC JSON |
|
Ingested data |
Ingests the Indicators from Group-IB. |
|
Endpoint(s) |
/api/v2/malware/cnc |
|
Processed data |
See Data mapping. |
Requirements
Email address registered with Group-IB.
Group-IB API key.
Configure the incoming feed
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select Group-IB Malware C2 from the drop-down menu.
Content type*
Select GroupIB Malware CNC JSON from the drop-down menu.
API URL*
By default, this is set to https://bt.group-ib.com.
API key*
Set this to your Group-IB API key.
Email*
Set this to the email address associated with your Group-IB account.
SSL verification
Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.
For more information, see SSL certificates.
Start ingesting from*
Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.
Store your changes by selecting Save.
SSL certificates
To use an SSL certificate with the platform, it must be:
Accessible on the EclecticIQ Platform host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.
To make sure that the platform can access the SSL certificate:
Upload the SSL certificate to a location on the platform host.
On the platform host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq/path/to/cert.pemWhere /path/to/cert.pem is the location of the SSL certificate the platform needs to access.
Data mapping
The sections below contain non-exhaustive information about how Group-IB Malware C2 data is mapped to EclecticIQ Platform entities and observables.
For more information about the Group-IB API schema, see the Group-IB API documentation.
Map to Indicators
|
Indicator field name |
Mapped from GroupIB Malware CNC JSON |
Example value |
Description |
|
Title |
|
http://10.0.0.1/ |
This is the title of the ingested Indicator. |
|
Analysis |
|
Malware C2 Associated Malware: - … Associated Threat Actor: - … Associated Files: - … Region: - … |
Contains information about the malware C2 indicator. |
|
Types |
|
URL Watchlist, C2 |
Type of Indicator. |
|
Confidence |
|
Unknown |
Indicator confidence |
|
Estimated time |
|
Various |
See Map timestamps. |
|
Tags |
|
Various |
If items[].threatActor.isAPT is present, sets a Is APT - <isAPT> tag. |
|
Producer |
|
Various |
|
|
Data marking |
|
Various |
See Data marking. |
Map timestamps
The following table describes how GroupIB Malware CNC JSON timestamps are mapped to Indicator and Incident timestamps on the platform.
|
Indicator estimated time field |
GroupIB Malware CNC JSON field |
|
Estimated threat start time |
items[].dateDetected |
|
Estimated threat end time |
items[].dateLastSeen |
|
Estimated observed time |
items[].dateDetected |
|
Half-life |
items[].evaluation.ttl |
|
Ingested |
Date and time ingested. |
Producer/Information source
|
Field name |
Mapped from GroupIB Malware CNC JSON |
Example value |
Description |
|
Identity |
|
Group-IB |
Name of organization or person that created the information. Always set to “Group-IB”. |
|
Roles |
|
Initial Author |
Role of information source. Always set to “Initial Author”. |
|
References |
|
|
One or more links that lead to source information. |
Data marking
|
Field name |
Mapped from GroupIB Malware CNC JSON |
Description |
|
TLP |
items[].evaluation.tlp |
This sets the entity TLP color using values in GroupIB Malware CNC JSON. |
Supported observables
The following table describes the observable types supported for this feed, and how they’re mapped from GroupIB Malware CNC JSON:
|
ASN |
Unknown |
|
Indicator |
|
City |
Safe |
|
Indicator |
|
Country |
Safe |
|
Indicator |
|
Country Code |
Safe |
|
Indicator |
|
Domain |
High |
items[].domain (If this field contains an IPv4 string, no Domain observable is created) |
Indicator |
|
Hash-md5 |
Unknown |
items[].file[].hashes.md5 |
Indicator |
|
Hash-sha1 |
Unknown |
items[].file[].hashes.sha1 |
Indicator |
|
Hash-sha256 |
Unknown |
items[].file[].hashes.sha256 |
Indicator |
|
Hash-sha512 |
Unknown |
items[].file[].hashes.sha512 |
Indicator |
|
IPv4 |
Low |
|
Indicator |
|
Organisation |
Unknown |
|
Indicator |
|
URI |
High |
|
Indicator |
Map severity to observable maliciousness and as entity tag
Group-IB assigns a severity value to intelligence objects. When that intelligence object is ingested, its severity value is inherited by the entities and observables it produces.
severity in observables
When Group-IB intelligence objects are ingested to produce observables on the EcleciticIQ Platform, its severity value is used to set the Maliciousness of the observable.
The table below describes how severity values are translated to observable maliciousness:
|
Group-IB severity value |
EclecticIQ Platform observable maliciousness value |
|
red |
Malicious (High confidence) |
|
orange |
Malicious (Medium confidence) |
|
green |
Malicious (Low confidence) |
severity added to entities as tags
When Group-IB intelligence objects are ingested to produce entities on EclecticIQ Platform, its severity value is translated to a corresponding value and added as a tag to entities produced from it:
|
Group-IB severity value |
EclecticIQ Platform tags |
|
red |
Severity - red |
|
orange |
Severity - orange |
|
green |
Severity - green |