# Group-IB Intelligence
The Group-IB Intelligence connector enables seamless integration with Swimlane Turbine, allowing users to access a wide range of cyber threat intelligence directly within their security automation workflows.

Group-IB Intelligence is a comprehensive threat intelligence platform that provides actionable insights into cyber threats and fraud. By integrating with Swimlane Turbine, users can automate the retrieval of intelligence data such as compromised credentials, phishing campaigns, and indicators of compromise (IOCs). This connector enables security teams to enhance their threat detection and response capabilities by leveraging Group-IB's extensive dark web monitoring and analysis. The streamlined access to Group-IB's intelligence within Swimlane Turbine's low-code environment empowers users to proactively defend against evolving cyber threats and reduce incident response times.

## Prerequisites

To effectively utilize the Group-IB Intelligence connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: The endpoint URL for the Group-IB Intelligence API
  - Username: Your Group-IB Intelligence account username
  - API Key: A valid API key provided by Group-IB Intelligence for secure access

### Asset

The Group-IB connector requires a username and an API key.

Group-IB accepts connections only from whitelisted IP addresses. If a customer is using the Swimlane on-cloud solution, they should contact the Swimlane infrastructure team to get the public IPs of the instance and whitelist them in the Group-IB portal.

Group-IB has strict rate limiting and raises `429 Client Error: Too Many Requests for url`. The customer should wait for at least 15 seconds before making another request.

## Capabilities

The Group-IB Intelligence connector provides the following capabilities:

- Get Access
- Get Account Group
- Get Bank Card Group
- Get Breached
- Get Discord
- Get Git Repository
- Get IOC Common List
- Get Masked Card
- Get Messenger
- Get Phishing Info
- Get Phishing Kit Info
- Get Public Leak
- Get Reaper
- Get Updated Items (APT Threat)
- Get Updated Items (IOCCommon)
- and so on

## Configurations

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Access

Retrieve the latest compromised data intelligence from dark web marketplaces using Group-IB Intelligence.

Endpoint URL: `/api/v2/compromised/access/updated`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| seqUpdate | number | optional | Sequence update number |
| limit | number | optional | Limit the amount of returned data for this collection |
| apply_hunting_rules | number | optional | Parameter for Get Access |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| accessType | string | Type of the resource |
| cnc | object | Output field cnc |
| cnc | string | Output field cnc |
| domain | string | Output field domain |
| ipv4 | object | Output field ipv4 |
| asn | string | Output field asn |
| city | string | Output field city |
| countryCode | string | Output field countryCode |
| countryName | string | Name of the resource |
| ip | string | Output field ip |
| provider | string | Unique identifier |
| region | string | Output field region |
| ipv6 | object | Output field ipv6 |
| asn | string | Output field asn |
| city | string | Output field city |
| countryCode | string | Output field countryCode |
| countryName | string | Name of the resource |
| ip | string | Output field ip |
| provider | string | Unique identifier |
| region | string | Output field region |
| url | string | URL endpoint for the request |
| dateCompromised | string | Output field dateCompromised |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 1
    }
  }
]
```

### Get Account Group

Retrieve the latest account group information from Group-IB Intelligence for up-to-date data access.

Endpoint URL: `/api/v2/compromised/account_group/updated`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| seqUpdate | number | optional | Sequence update number |
| limit | number | optional | Limit the amount of returned data for this collection |
| apply_hunting_rules | number | optional | Parameter for Get Account Group |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| dateFirstCompromised | string | Output field dateFirstCompromised |
| dateFirstSeen | string | Output field dateFirstSeen |
| dateLastCompromised | string | Output field dateLastCompromised |
| dateLastSeen | string | Output field dateLastSeen |
| displayOptions | object | Output field displayOptions |
| evaluation | object | Output field evaluation |
| admiraltyCode | string | Output field admiraltyCode |
| credibility | number | Output field credibility |
| reliability | number | Output field reliability |
| severity | string | Output field severity |
| tlp | string | Output field tlp |
| ttl | number | Output field ttl |
| eventCount | number | Count value |
| events | array | Output field events |
| client | object | Output field client |
| ipv4 | object | Output field ipv4 |
| asn | string | Output field asn |
| city | string | Output field city |
| countryCode | string | Output field countryCode |
| countryName | string | Name of the resource |
| ip | string | Output field ip |
| provider | string | Unique identifier |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 123
    }
  }
]
```

### Get Bank Card Group

Retrieve grouped data on compromised bank cards from various sources as collected by Group-IB Intelligence.

Endpoint URL: `/api/v2/compromised/bank_card_group/updated`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| seqUpdate | number | optional | Date value |
| limit | number | optional | Parameter for Get Bank Card Group |
| apply_hunting_rules | number | optional | Parameter for Get Bank Card Group |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| baseName | string | Name of the resource |
| cardInfo | object | Output field cardInfo |
| bin | array | Output field bin |
| issuer | object | Output field issuer |
| countryCode | string | Output field countryCode |
| countryName | string | Name of the resource |
| issuer | string | Output field issuer |
| number | string | Output field number |
| system | string | Output field system |
| type | string | Type of the resource |
| dateFirstCompromised | string | Output field dateFirstCompromised |
| dateFirstSeen | string | Output field dateFirstSeen |
| dateLastCompromised | string | Output field dateLastCompromised |
| dateLastSeen | string | Output field dateLastSeen |
| displayOptions | object | Output field displayOptions |
| evaluation | object | Output field evaluation |
| admiraltyCode | string | Output field admiraltyCode |
| credibility | number | Output field credibility |
| reliability | number | Output field reliability |
| severity | string | Output field severity |
| tlp | string | Output field tlp |
| ttl | number | Output field ttl |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 123
    }
  }
]
```

### Get Breached

Obtain a list of breached items from Group-IB Intelligence, offering insights into compromised data.

Endpoint URL: `/api/v2/compromised/breached`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| q | string | optional | Search query |
| df | string | optional | Date from |
| dt | string | optional | Date to |
| limit | number | optional | Limit the number of results |
| resultId | string | optional | Result ID is to get the next data chunk |
| apply_hunting_rules | number | optional | Parameter for Get Breached |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| resultId | string | Unique identifier |
| items | array | Output field items |
| addInfo | object | Output field addInfo |
| email | array | Output field email |
| evaluation | object | Output field evaluation |
| admiraltyCode | string | Output field admiraltyCode |
| credibility | number | Output field credibility |
| reliability | number | Output field reliability |
| severity | string | Output field severity |
| tlp | string | Output field tlp |
| ttl | number | Output field ttl |
| id | array | Unique identifier |
| leakName | string | Name of the resource |
| password | array | Output field password |
| updateTime | string | Time value |
| uploadTime | string | Time value |
| count | number | Count value |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "resultId": "1234567890",
      "items": [],
      "count": 0
    }
  }
]
```

### Get Discord

Retrieve Discord-related threat intelligence data from Group-IB Intelligence, with no specific input parameters needed.

Endpoint URL: `/api/v2/compromised/discord/updated`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| seqUpdate | number | optional | Sequence update number |
| limit | number | optional | Limit the amount of returned data for this collection |
| apply_hunting_rules | number | optional | Parameter for Get Discord |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| author | object | Output field author |
| avatar | string | Output field avatar |
| discriminator | string | Output field discriminator |
| id | string | Unique identifier |
| name | string | Name of the resource |
| channel | object | Output field channel |
| avatar | string | Output field avatar |
| description | object | Output field description |
| topic | string | Output field topic |
| id | string | Unique identifier |
| name | string | Name of the resource |
| parsedCounters | object | Output field parsedCounters |
| channels | number | Output field channels |
| domain | number | Output field domain |
| files | number | Output field files |
| ip | number | Output field ip |
| links | number | Output field links |
| media | number | Output field media |
| server | string | Output field server |
| serverId | string | Unique identifier |
| stat | object | Output field stat |
| firstMessageDate | string | Response message |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 1
    }
  }
]
```

### Get Git Repository

Retrieve the latest updates from a specified Git repository within the Group-IB Intelligence platform.

Endpoint URL: `/api/v2/osi/git_repository/updated`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| seqUpdate | number | optional | Sequence update number |
| limit | number | optional | Limit the amount of returned data for this collection |
| apply_hunting_rules | number | optional | Parameter for Get Git Repository |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| contributors | array | Output field contributors |
| authorEmail | string | Output field authorEmail |
| authorName | string | Name of the resource |
| dataFound | object | Response data |
| property1 | number | Output field property1 |
| property2 | number | Output field property2 |
| dateCreated | string | Output field dateCreated |
| dateDetected | string | Output field dateDetected |
| evaluation | object | Output field evaluation |
| admiraltyCode | string | Output field admiraltyCode |
| credibility | number | Output field credibility |
| reliability | number | Output field reliability |
| severity | string | Output field severity |
| tlp | string | Output field tlp |
| ttl | number | Output field ttl |
| files | array | Output field files |
| dataFound | object | Response data |
| dateCreated | string | Output field dateCreated |
| dateDetected | string | Output field dateDetected |
| evaluation | object | Output field evaluation |
| admiraltyCode | string | Output field admiraltyCode |
| credibility | number | Output field credibility |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 1
    }
  }
]
```

### Get IOC Common List

Retrieve a list of common indicators of compromise (IOCs) from Group-IB Intelligence.

Endpoint URL: `api/v2/ioc/common`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| q | string | optional | Parameter for Get IOC Common List |
| df | string | optional | Parameter for Get IOC Common List |
| dt | string | optional | Parameter for Get IOC Common List |
| resultId | string | optional | Unique identifier |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| resultId | string | Unique identifier |
| items | array | Output field items |
| threatActorList | array | Output field threatActorList |
| id | string | Unique identifier |
| isAPT | boolean | Output field isAPT |
| name | string | Name of the resource |
| dateFirstSeen | string | Output field dateFirstSeen |
| dateLastSeen | string | Output field dateLastSeen |
| domain | string | Output field domain |
| hash | array | Output field hash |
| id | string | Unique identifier |
| ip | array | Output field ip |
| malwareList | array | Output field malwareList |
| category | array | Output field category |
| class | string | Output field class |
| id | string | Unique identifier |
| name | string | Name of the resource |
| platform | array | Output field platform |
| stixGuid | string | Unique identifier |
| threatLevel | string | Output field threatLevel |
| seqUpdate | number | Date value |
| sources | object | Output field sources |
| additionalProp1 | object | Output field additionalProp1 |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Allow": "GET",
      "Cache-Control": "no-cache, private",
      "Content-Encoding": "gzip",
      "Content-Security-Policy": "frame-ancestors 'self';",
      "Content-Type": "application/json",
      "Date": "Fri, 29 Sep 2023 06:22:29 GMT",
      "Feature-Policy": "camera 'none';microphone 'none';geolocation 'none';encrypted-media 'none';paymen",
      "Permissions-Policy": "camera=(),microphone=(),geolocation=(),encrypted-media=(),payment=(),speaker=(),",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Server": "istio-envoy",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "X-DNS-Prefetch-Control": "off",
      "X-Download-Options": "noopen"
    },
    "reason": "OK",
    "json_body": {
      "resultId": "string",
      "items": [],
      "count": 0
    }
  }
]
```

### Get Masked Card

Retrieves details on compromised masked cards from various sources within Group-IB Intelligence.

Endpoint URL: `/api/v2/compromised/masked_card/updated`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| seqUpdate | number | optional | Date value |
| limit | number | optional | Parameter for Get Masked Card |
| apply_hunting_rules | number | optional | Parameter for Get Masked Card |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| baseName | string | Name of the resource |
| cardInfo | object | Output field cardInfo |
| cvv | string | Output field cvv |
| dump | string | Output field dump |
| issuer | object | Output field issuer |
| countryCode | string | Output field countryCode |
| countryName | string | Name of the resource |
| issuer | string | Output field issuer |
| number | string | Output field number |
| pin | string | Output field pin |
| system | string | Output field system |
| type | string | Type of the resource |
| validThru | string | Unique identifier |
| client | object | Output field client |
| ipv4 | object | Output field ipv4 |
| asn | string | Output field asn |
| city | string | Output field city |
| countryCode | string | Output field countryCode |
| countryName | string | Name of the resource |
| ip | string | Output field ip |
| provider | string | Unique identifier |
| region | string | Output field region |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 123
    }
  }
]
```

### Get Messenger

Retrieve messenger-related intelligence, including account details and associated data from Group-IB Intelligence.

Endpoint URL: `/api/v2/compromised/messenger/updated`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| seqUpdate | number | optional | Sequence update number |
| limit | number | optional | Limit the amount of returned data for this collection |
| apply_hunting_rules | number | optional | Parameter for Get Messenger |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| author | object | Output field author |
| id | string | Unique identifier |
| username | string | Name of the resource |
| chatStat | object | Output field chatStat |
| avatar | object | Output field avatar |
| detected | string | Output field detected |
| hash | string | Output field hash |
| id | string | Unique identifier |
| firstMessageTs | string | Response message |
| id | number | Unique identifier |
| lastMessageTs | string | Response message |
| messageNum | number | Response message |
| name | string | Name of the resource |
| title | string | Output field title |
| type | string | Type of the resource |
| userNum | number | Output field userNum |
| edits | object | Output field edits |
| highlight | array | Output field highlight |
| id | string | Unique identifier |
| isReply | boolean | Output field isReply |
| lastEditTs | string | Output field lastEditTs |
| message | string | Response message |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 1
    }
  }
]
```

### Get Phishing

Retrieve detailed phishing campaign data from Group-IB Intelligence, including threat actor details and attack vectors.

Endpoint URL: `api/v2/attacks/phishing`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| q | string | optional | Parameter for Get Phishing |
| df | string | optional | Parameter for Get Phishing |
| dt | string | optional | Parameter for Get Phishing |
| resultId | string | optional | Unique identifier |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| resultId | string | Unique identifier |
| count | number | Count value |
| items | array | Output field items |
| fileName | string | Name of the resource |
| file | string | Output field file |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Allow": "GET",
      "Cache-Control": "max-age=0, must-revalidate, private",
      "Content-Encoding": "gzip",
      "Content-Security-Policy": "frame-ancestors 'self';",
      "Content-Type": "application/json",
      "Date": "Fri, 29 Sep 2023 03:57:56 GMT",
      "Expires": "Fri, 29 Sep 2023 03:57:56 GMT",
      "Feature-Policy": "camera 'none';microphone 'none';geolocation 'none';encrypted-media 'none';paymen",
      "Permissions-Policy": "camera=(),microphone=(),geolocation=(),encrypted-media=(),payment=(),speaker=(),",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Server": "istio-envoy",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "X-DNS-Prefetch-Control": "off"
    },
    "reason": "OK",
    "json_body": {
      "resultId": "3c280a8aeeba47215af3cd20fdceac9e29cea553",
      "count": 0,
      "items": []
    }
  }
]
```

### Get Phishing Kit

Retrieve detailed information about phishing kits from Group-IB Intelligence for analysis and threat response.

Endpoint URL: `api/v2/attacks/phishing_kit`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| q | string | optional | Parameter for Get Phishing Kit |
| df | string | optional | Parameter for Get Phishing Kit |
| dt | string | optional | Parameter for Get Phishing Kit |
| resultId | string | optional | Unique identifier |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| resultId | string | Unique identifier |
| count | number | Count value |
| items | array | Output field items |
| dateDetected | string | Output field dateDetected |
| dateFirstSeen | string | Output field dateFirstSeen |
| dateLastSeen | string | Output field dateLastSeen |
| downloadedFrom | array | Output field downloadedFrom |
| date | string | Date value |
| url | string | URL endpoint for the request |
| domain | string | Output field domain |
| fileName | object | Name of the resource |
| emails | array | Output field emails |
| evaluation | object | Output field evaluation |
| admiraltyCode | string | Output field admiraltyCode |
| credibility | number | Output field credibility |
| reliability | number | Output field reliability |
| severity | string | Output field severity |
| tlp | string | Output field tlp |
| ttl | number | Output field ttl |
| hash | string | Output field hash |
| id | string | Unique identifier |
| isFavourite | boolean | Output field isFavourite |
| isHidden | boolean | Unique identifier |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "resultId": "string",
      "count": 123,
      "items": []
    }
  }
]
```

### Get Public Leak

Retrieve details and metadata of a public data leak from Group-IB Intelligence.

Endpoint URL: `/api/v2/osi/public_leak/updated`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| seqUpdate | number | optional | Sequence update number |
| limit | number | optional | Limit the amount of returned data for this collection |
| apply_hunting_rules | number | optional | Parameter for Get Public Leak |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| bind | array | Output field bind |
| id | string | Unique identifier |
| key | string | Output field key |
| ruleValue | string | Value for the parameter |
| type | string | Type of the resource |
| created | string | Output field created |
| data | string | Response data |
| displayOptions | object | Output field displayOptions |
| evaluation | object | Output field evaluation |
| admiraltyCode | string | Output field admiraltyCode |
| credibility | number | Output field credibility |
| reliability | number | Output field reliability |
| severity | string | Output field severity |
| tlp | string | Output field tlp |
| ttl | number | Output field ttl |
| hash | string | Output field hash |
| id | string | Unique identifier |
| language | string | Output field language |
| linkList | array | Output field linkList |
| author | string | Output field author |
| dateDetected | string | Output field dateDetected |
| datePublished | string | Output field datePublished |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 1
    }
  }
]
```

### Get Reaper

Retrieve messages from the Reaper collection in Group-IB Intelligence, encompassing closed forum communications for cybercriminal attack planning.

Endpoint URL: `/api/v2/compromised/reaper`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| q | string | optional | Search query |
| df | string | optional | Date from |
| dt | string | optional | Date to |
| limit | number | optional | Limit the number of results |
| resultId | string | optional | Result ID is to get the next data chunk |
| apply_hunting_rules | number | optional | Parameter for Get Reaper |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| resultId | string | Unique identifier |
| items | array | Output field items |
| id | string | Unique identifier |
| topic | string | Output field topic |
| topicHash | string | Output field topicHash |
| message | string | Response message |
| message_hash | string | Response message |
| lang | object | Output field lang |
| detected | string | Output field detected |
| confidence | number | Unique identifier |
| message_lang | object | Response message |
| detected | string | Output field detected |
| confidence | number | Unique identifier |
| message_len | number | Response message |
| datetime | string | Time value |
| last_post | string | Output field last_post |
| first_post | boolean | Output field first_post |
| forum | string | Output field forum |
| domain | string | Output field domain |
| url | string | URL endpoint for the request |
| nickname | string | Name of the resource |
| nicknameUrl | string | URL endpoint for the request |
| uploadTime | string | Time value |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "resultId": "res_7fa921bc",
      "items": [],
      "count": 1
    }
  }
]
```

### Get Updated Items (APT Threat)

Retrieve the latest APT threat intelligence updates from Group-IB Intelligence.

Endpoint URL: `api/v2/apt/threat/updated`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| limit | number | optional | Parameter for Get Updated Items (APT Threat) |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| contacts | array | Output field contacts |
| account | string | Count value |
| flag | string | Output field flag |
| service | string | Output field service |
| type | string | Type of the resource |
| countries | string | Output field countries |
| createdAt | string | Output field createdAt |
| cveList | array | Output field cveList |
| name | string | Name of the resource |
| dateFirstSeen | string | Output field dateFirstSeen |
| dateLastSeen | string | Output field dateLastSeen |
| datePublished | string | Output field datePublished |
| description | string | Output field description |
| displayOptions | object | Output field displayOptions |
| evaluation | object | Output field evaluation |
| admiraltyCode | string | Output field admiraltyCode |
| credibility | number | Output field credibility |
| reliability | number | Output field reliability |
| severity | string | Output field severity |
| tlp | string | Output field tlp |
| ttl | number | Output field ttl |
| expertise | array | Output field expertise |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-cache, private",
      "Content-Encoding": "gzip",
      "Content-Security-Policy": "frame-ancestors 'self';",
      "Content-Type": "application/json",
      "Date": "Tue, 09 Jan 2024 09:06:07 GMT",
      "Feature-Policy": "camera 'none';microphone 'none';geolocation 'none';encrypted-media 'none';paymen",
      "Permissions-Policy": "camera=(),microphone=(),geolocation=(),encrypted-media=(),payment=(),speaker=(),",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Server": "istio-envoy",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "X-DNS-Prefetch-Control": "off",
      "X-Download-Options": "noopen",
      "X-Frame-Options": "SAMEORIGIN"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 0
    }
  }
]
```

### Get Updated Items (IOCCommon)

Retrieve the latest updates for IOCCommon items from Group-IB Intelligence, ensuring current threat intelligence.

Endpoint URL: `api/v2/ioc/common/updated`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| seqUpdate | number | optional | Date value |
| limit | number | optional | Parameter for Get Updated Items (IOCCommon) |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| items | array | Output field items |
| threatActorList | array | Output field threatActorList |
| id | string | Unique identifier |
| isAPT | boolean | Output field isAPT |
| name | string | Name of the resource |
| dateFirstSeen | string | Output field dateFirstSeen |
| dateLastSeen | string | Output field dateLastSeen |
| domain | string | Output field domain |
| hash | array | Output field hash |
| id | string | Unique identifier |
| ip | array | Output field ip |
| malwareList | array | Output field malwareList |
| category | array | Output field category |
| class | string | Output field class |
| id | string | Unique identifier |
| name | string | Name of the resource |
| platform | array | Output field platform |
| stixGuid | string | Unique identifier |
| threatLevel | string | Output field threatLevel |
| seqUpdate | number | Date value |
| sources | object | Output field sources |
| threatList | array | Output field threatList |
| name | string | Name of the resource |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-cache, private",
      "Content-Encoding": "gzip",
      "Content-Security-Policy": "frame-ancestors 'self';",
      "Content-Type": "application/json",
      "Date": "Tue, 09 Jan 2024 09:06:07 GMT",
      "Feature-Policy": "camera 'none';microphone 'none';geolocation 'none';encrypted-media 'none';paymen",
      "Permissions-Policy": "camera=(),microphone=(),geolocation=(),encrypted-media=(),payment=(),speaker=(),",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Server": "istio-envoy",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "X-DNS-Prefetch-Control": "off",
      "X-Download-Options": "noopen",
      "X-Frame-Options": "SAMEORIGIN"
    },
    "reason": "OK",
    "json_body": {
      "items": [],
      "count": 0
    }
  }
]
```

### Search API

Retrieve search results from Group-IB Intelligence using specified query parameters.

Endpoint URL: `api/v2/search`

Method: GET

Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| q | string | optional | Parameter for Search API |
| lang | string | optional | Parameter for Search API |

Output parameter

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-cache, private",
      "Content-Encoding": "gzip",
      "Content-Security-Policy": "frame-ancestors 'self';",
      "Content-Type": "application/json",
      "Date": "Tue, 09 Jan 2024 09:06:07 GMT",
      "Feature-Policy": "camera 'none';microphone 'none';geolocation 'none';encrypted-media 'none';paymen",
      "Permissions-Policy": "camera=(),microphone=(),geolocation=(),encrypted-media=(),payment=(),speaker=(),",
      "Referrer-Policy": "strict-origin-when-cross-origin",
      "Server": "istio-envoy",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Vary": "Accept-Encoding",
      "X-Content-Type-Options": "nosniff",
      "X-DNS-Prefetch-Control": "off",
      "X-Download-Options": "noopen",
      "X-Frame-Options": "SAMEORIGIN"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Allow | HTTP response header Allow | GET |
| Cache-Control | Directives for caching mechanisms | max-age=0, must-revalidate, private |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Security-Policy | HTTP response header Content-Security-Policy | frame-ancestors 'self'; |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Fri, 29 Sep 2023 06:22:29 GMT |
| Expires | The date/time after which the response is considered stale | Fri, 29 Sep 2023 03:57:56 GMT |
| Feature-Policy | HTTP response header Feature-Policy | camera 'none';microphone 'none';geolocation 'none';encrypted-media 'none';payment 'none';speaker 'none';usb 'none'; |
| Permissions-Policy | HTTP response header Permissions-Policy | camera=(),microphone=(),geolocation=(),encrypted-media=(),payment=(),speaker=(),usb=(), |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Server | Information about the software used by the origin server | istio-envoy |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-DNS-Prefetch-Control | HTTP response header X-DNS-Prefetch-Control | off |
| X-Download-Options | HTTP response header X-Download-Options | noopen |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |

## Notes

- API documentation: https://tap.group-ib.com/hc/api
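As an added example (not the connector's own code), the following Python poller ties together the prerequisites and the `/updated` actions above: HTTP Basic authentication with the API key in the password slot, a wait of at least 15 seconds after `429 Client Error: Too Many Requests`, and `seqUpdate` cursor paging with `limit` and `apply_hunting_rules`. The injectable `send` transport, the constructed in-memory fake server, and the assumption that each `/updated` page returns the next cursor as `seqUpdate` (the page's examples show only `items` and `count`) are not from this page.

```python
import base64
from typing import Callable, Dict, List, Tuple

RATE_LIMIT_WAIT_SECONDS = 15  # the prerequisites: wait at least 15 sec after a 429


class RateLimited(Exception):
    """The API kept answering 429 after every allowed retry."""


def basic_auth_header(username: str, api_key: str) -> Dict[str, str]:
    """HTTP Basic header; the API key goes in the password slot, matching the
    connector's 'password' configuration parameter."""
    token = base64.b64encode(f"{username}:{api_key}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


class GroupIBFeed:
    """send(method, url, params, headers) -> (status, json_body) is an injected
    transport (assumption, not from the page); sleep is injected so tests do not wait."""

    def __init__(self, base_url: str, username: str, api_key: str,
                 send: Callable, sleep: Callable[[float], None], max_retries: int = 3):
        self.base_url = base_url.rstrip("/")
        self.headers = basic_auth_header(username, api_key)
        self.send, self.sleep, self.max_retries = send, sleep, max_retries

    def _get(self, path: str, params: dict) -> dict:
        """GET with the documented 429 handling: wait >= 15 s, then retry."""
        url = f"{self.base_url}/{path.lstrip('/')}"
        for attempt in range(self.max_retries + 1):
            status, body = self.send("GET", url, params, self.headers)
            if status == 429:
                if attempt == self.max_retries:
                    raise RateLimited(f"429 Client Error: Too Many Requests for url: {url}")
                self.sleep(RATE_LIMIT_WAIT_SECONDS)
                continue
            if status != 200:
                raise RuntimeError(f"unexpected HTTP {status} for {url}")
            return body

    def poll_updated(self, path: str, seq_update: int, limit: int = 100,
                     apply_hunting_rules: int = 1) -> Tuple[List[dict], int]:
        """Walk an /updated action from seq_update until an empty page; returns
        (items, last_cursor) so the caller can persist the cursor and not re-ingest.
        Assumes each page returns the next cursor as ``seqUpdate`` (assumption)."""
        items: List[dict] = []
        cursor = seq_update
        while True:
            body = self._get(path, {"seqUpdate": cursor, "limit": limit,
                                    "apply_hunting_rules": apply_hunting_rules})
            page = body.get("items", [])
            items.extend(page)
            next_cursor = body.get("seqUpdate")
            if not page or next_cursor is None or next_cursor == cursor:
                return items, cursor
            cursor = next_cursor


def make_fake_server(pages: Dict[int, dict]):
    """Constructed stand-in for the API: rejects missing Basic auth, answers
    429 to the very first call, then serves ``pages`` keyed by seqUpdate."""
    state = {"calls": 0}

    def send(method, url, params, headers):
        state["calls"] += 1
        if not headers.get("Authorization", "").startswith("Basic "):
            return 401, {"detail": "Unauthorized"}
        if state["calls"] == 1:
            return 429, {"detail": "Too Many Requests"}
        return 200, pages.get(params["seqUpdate"], {"items": [], "count": 0})

    return send, state


def demo() -> Tuple[List[dict], int, List[float], int]:
    """Run the poller over constructed pages; returns (items, cursor, waits, calls)."""
    pages = {  # constructed sample data, not real feed records
        0: {"items": [{"id": "c-1"}, {"id": "c-2"}], "count": 2, "seqUpdate": 1001},
        1001: {"items": [{"id": "c-3"}], "count": 1, "seqUpdate": 1002},
        1002: {"items": [], "count": 0, "seqUpdate": 1002},
    }
    send, state = make_fake_server(pages)
    waits: List[float] = []
    feed = GroupIBFeed("https://tap.example.invalid", "analyst", "API-KEY-PLACEHOLDER",
                       send, waits.append)
    items, cursor = feed.poll_updated("/api/v2/compromised/access/updated", 0, limit=2)
    return items, cursor, waits, state["calls"]
```

Swap the fake `send` for a real HTTP client (for example one that returns `(response.status_code, response.json())`) to run against the actual API; the retry and cursor logic stays the same.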