This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.

	Specifications
Transport types	Group-IB Attacks Phishing
Content type	GroupIB Phishing Attack JSON
Ingested data	Ingests the following entity types from Group-IB, containing information about phishing attacks: Incidents Indicators TTPs
Endpoint(s)	`/api/v2/attacks/phishing`
Processed data	See Data mapping.

Requirements

Email address registered with Group-IB.
Group-IB API key.

Configure the incoming feed

Create or edit an incoming feed.

Under Transport and content, fill out these fields:

Required fields are marked with an asterisk (*).

Field	Description
Transport type*	Select Group-IB Attacks Phishing from the drop-down menu.
Content type*	Select GroupIB Phishing Attack JSON from the drop-down menu.
API URL*	By default, this is set to `https://bt.group-ib.com`.
API key*	Set this to your Group-IB API key.
Email*	Set this to the email address associated with your Group-IB account.
SSL verification	Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.	Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. For more information, see SSL certificates.
Start ingesting from*	Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

Store your changes by selecting Save.

SSL certificates

To use an SSL certificate with the platform, it must be:

Accessible on the EclecticIQ Platform host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.

To make sure that the platform can access the SSL certificate:

Upload the SSL certificate to a location on the platform host.
On the platform host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:

chown eclecticiq:eclecticiq /path/to/cert.pem

Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.

Data mapping

The sections below contain non-exhaustive information about how Group-IB Attacks Phishing data is mapped to EclecticIQ Platform entities and observables.

For more information about the Group-IB API schema, see the Group-IB API documentation.

Map to entities
Map Admiralty Code values
Map credibility values to entity tags
Map reliability values to entity Confidence
Map timestamps
Producer/Information source
Incident characteristics
- Time coordinates
- Victim
Data marking
Supported observables
Map severity to observable maliciousness and as entity tag
- severity in observables
- severity added to entities as tags

Map to entities

Each object ingested from Group-IB Attacks Phishing produces:

an Incident
an Indicator (linked to the Incident)
a TTP (linked to the Incident)

Map to Incidents

Incident field name	Mapped from GroupIB Phishing Attack JSON	Example value	Description
Title	`items[].targetBrand`	Phishing Attack: Brand name	Incident title from feed source.
Analysis	`items[].history[]` `items[].phishingDomain.title` `items[].status`	Status: In response History Date: <date> Field: <field> Reason: <reason> Reporter: <reporter> Value: <value>	Contains information about the phishing domain.
Confidence	`items[].evaluation.reliability`	Medium	See Map reliability values to entity Confidence.
Characteristics	Various	Various	See Incident characteristics.
Estimated time	Various	Various	See Map timestamps.
Tags	Attack - Phishing `items[].evaluation.admiraltyCode` `items[].evaluation.credibility` `items[].status` `items[].targetCategory` `items[].type`	Various	See: Map Admiralty Code values Map credibility values to entity tags
Information Source	Various	Various	See Producer/Information source.
Data Marking	Various	Various	See Data marking.

Map to Indicators

Indicator field name	Mapped from GroupIB Phishing Attack JSON	Example value	Description
Title	`items[].phishingDomain.domain`	example.com	This is the title of the ingested Indicator.
Analysis	`items[].phishingDomain.title`	example.com	Contains information about the phishing domain.
Types	Always set to Domain Watchlist	Domain Watchlist	Type of Indicator.
Confidence	`items[].evaluation.reliability`	Medium	See Map reliability values to entity Confidence.
Estimated time	Various	Various	See Map timestamps.
Tags	Attack - Phishing `items[].evaluation.admiraltyCode` `items[].evaluation.credibility` `items[].targetCategory` `items[].type`	Various	See: Map Admiralty Code values Map credibility values to entity tags
Producer	Various	Various	See Producer/Information source.
Data marking	Various	Various	See Data marking.

Map to TTPs

TTP field name	Mapped from GroupIB Phishing Attack JSON	Example value	Description
Title	`items[].targetBrand`	Targeted Victim: Brand name	Title is set as target brand from feed source.
Characteristics	Targeted Victim > Name: `items[].targetBrand`	Brand name	Brand name that is the target of phishing attack.
Estimated time	Estimated observed time: `items[].dateDetected` Estimated threat start time: `items[].dateRegistered`		Estimated times for events.
Tags	Attack - Phishing `items[].evaluation.admiraltyCode` `items[].evaluation.credibility` `items[].status` `items[].targetCategory` `items[].type`	Various	See: Map Admiralty Code values Map credibility values to entity tags
Information Source	Various	Various	See Producer/Information source.
Data Marking	Various	Various	See Data marking.

Map Admiralty Code values

Group-IB uses the Admiralty System to assign reliability and credibility values to a piece of information in the admiraltyCode field. For example:

Object A is assigned an admiraltyCode value of A1 means that it comes from an information source that is “Completely reliable”, and the piece of information can be “Confirmed by other sources”.
Object B that is assigned an admiraltyCode value of D6 means that it comes from an information source that is “Not usually reliable”, and the piece of information is evaluated as “Truth cannot be judged”.

When these objects are ingested by EclecticIQ Platform, these values are added as tags to the entities to which the Admiralty System classification applies. For example:

Object A with an admiraltyCode value of “A1” produces entities with these two tags attached:
- Admiralty Code - Completely reliable
- Admiralty Code - Confirmed by other sources
Object A with an admiraltyCode value of “D6” produces entities with these two tags attached
- Admiralty Code - Not usually reliable
- Admiralty Code - Truth cannot be judged

The table below describes how admiraltyCode values are translated to tags on EclecticIQ Platform:

Group-IB `admiraltyCode` value	EclecticIQ Platform tags
A	Admiralty Code - Completely reliable
B	Admiralty Code - Usually reliable
C	Admiralty Code - Fairly reliable
D	Admiralty Code - Not usually reliable
E	Admiralty Code - Unreliable
F	Admiralty Code - Reliability cannot be judged
1	Admiralty Code - Confirmed by other sources
2	Admiralty Code - Probably True
3	Admiralty Code - Possibly True
4	Admiralty Code - Doubtful
5	Admiralty Code - Improbable
6	Admiralty Code - Truth cannot be judged

Map credibility values to entity tags

Group-IB assigns a credibility value to intelligence objects.

When Group-IB intelligence objects are ingested by EclecticIQ Platform, credibility values are added as tags to the resulting entities.

The table below shows how credibility values are translated into tags:

Group-IB `credibility` value	EclecticIQ Platform tags
0–33	Credibility - Low
34–66	Credibility - Medium
67–100	Credibility - High

Map reliability values to entity Confidence

Group-IB assigns a reliability value to intelligence objects.

When Group-IB intelligence objects are ingested by EclecticIQ Platform, reliability values are used to set the Confidence of an entity:

Group-IB `reliability` value	EclecticIQ Platform entity confidence
0–33	Low
34–66	Medium
67–100	High

Map timestamps

The following table describes how GroupIB Phishing Attack JSON timestamps are mapped to Indicator and Incident timestamps on the platform.

Indicator estimated time field	GroupIB Phishing Attack JSON field
Estimated threat start time	`items[].phishingDomain.dateRegistered`
Estimated threat end time	`items[].dateBlocked`
Estimated observed time	`items[].dateDetected`
Half-life	`items[].evaluation.ttl`
Ingested	Date and time ingested.

Producer/Information source

Field name	Mapped from GroupIB Phishing Attack JSON	Example value	Description
Identity	N/A	Group-IB	Name of organization or person that created the information. Always set to “Group-IB”.
Roles	N/A	Initial Author	Role of information source. Always set to “Initial Author”.
References	`items[].portalLink`	https://bt.group-ib.com/attacks/phishing?searchValue=id:adc83b19e793491b1c6ea0fd8b46cd9f32e592fc	One or more links that lead to source information.

Incident characteristics

To view Characteristics for an entity, open the entity overview and click the JSON tab.

Time coordinates
Victim

Time coordinates

For brevity, the Precision column describes the values set in Time <field name> precision fields.

E.g., the Precision column in the table below for First malicious action is the value set for the Time first malicious action precision field in the platform.

Field name	Mapped from GroupIB Phishing Attack JSON	Precision
First malicious action	`items[].phishingDomain.dateRegistered`	second
Incident discovery	`items[].dateDetected`	second
Containment achieved	`items[].dateBlocked`	second

Victim

Field name

Mapped from GroupIB Phishing Attack JSON

Description

Organization name

items[].targetBrand

Type*	Value*
Name only	`<Name of targeted brand>`

Data marking

Field name	Mapped from GroupIB Phishing Attack JSON	Description
TLP	`items[].evaluation.tlp`	This sets the entity TLP color using values in GroupIB Phishing Attack JSON.

Supported observables

The following table describes the observable types supported for this feed, and how they’re mapped from GroupIB Phishing Attack JSON:

Observable type

Maliciousness

Maps from GroupIB Phishing Attack JSON

Related to

ASN

Unknown

items[].ipv4.asn (Extracts only ASN number)

Indicator

City

Safe

items[].ipv4.city

Indicator

Country

Safe

items[].ipv4.countryName

Indicator

Country Code

Safe

items[].ipv4.countryCode

Indicator

Domain

Various

Mapped from	Maliciousness
`items[].phishingDomain.Domain`	Mapped from `items[].evaluation.severity`. See Map severity to observable maliciousness and as entity tag.
`items[].phishingDomain.local`	Unknown

Indicator

IPv4

Unknown

items[].ipv4.ip

Indicator

Organisation

Unknown

items[].ipv4.provider

Indicator

Registrar

Unknown

items[].phishingDomain.registrar

Indicator

Map severity to observable maliciousness and as entity tag

Group-IB assigns a severity value to intelligence objects. When that intelligence object is ingested, its severity value is inherited by the entities and observables it produces.

severity in observables
severity added to entities as tags

severity in observables

When Group-IB intelligence objects are ingested to produce observables on the EcleciticIQ Platform, its severity value is used to set the Maliciousness of the observable.

The table below describes how severity values are translated to observable maliciousness:

Group-IB `severity` value	EclecticIQ Platform observable maliciousness value
`red`	Malicious (High confidence)
`orange`	Malicious (Medium confidence)
`green`	Malicious (Low confidence)

severity added to entities as tags

When Group-IB intelligence objects are ingested to produce entities on EclecticIQ Platform, its severity value is translated to a corresponding value and added as a tag to entities produced from it:

Group-IB `severity` value	EclecticIQ Platform tags
`red`	Severity - red
`orange`	Severity - orange
`green`	Severity - green