Group-IB Threat Intelligence for SOAR

This Splunk SOAR app connects to Group-IB TI so you can ingest threat data into SOAR as containers and artifacts, and run playbook actions for enrichment. It is aimed at SOAR administrators who install and configure the app, and analysts who use ingested data and actions in investigations.

Latest Version: 3.0.1 (May 8, 2026)
Compatibility: SOAR On-Prem, SOAR Cloud
Platform Version: 8.5, 8.4, 8.0, 7.2, 7.1, 7.0, 6.4, 6.3
Rating: 5 (4)
Support: Developer Supported connector
Ranking: #49 in Threat Intel

Group-IB Threat Intelligence is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools and activity. Read more on the Group-IB website: https://www.group-ib.com/products/threat-intelligence.

Threat Intelligence (TI) combines unique data sources and experience in investigating high-tech crimes and responding to complex multi-stage attacks worldwide. The system stores data on threat actors and related infrastructures collected since 2003, including those that criminals attempted to wipe out.

This application is built for integration of Threat Intelligence with Splunk SOAR to consume TI feeds and process pivoting. The playbook actions for enrichment cover WHOIS-style lookups for IPs and domains, and IP risk scoring.

To use the integration, you must have an active Group-IB Threat Intelligence license and API access.

Supported Actions

  • test connectivity: Validate the asset configuration for connectivity using supplied configuration
  • on poll: Callback action for the on_poll ingest functionality
  • whois ip: Execute whois lookup on the given IP address
  • whois domain: Execute whois lookup on the given domain name
  • ip scoring: Get risk score for an IP address from Group-IB Threat Intelligence

Categories

Security, Fraud & Compliance, Threat Intel

Created By

SOAR Community

Type

connector

Downloads

782
