
Download checksums

Verify the downloaded package against the SHA256 checksum listed for its version before installing it:

SHA256 (group-ib-threat-intelligence_180.tgz): 094332b01875cf8ddfdc2cce1aac8a52771ca89a4e6787285e4863e0c558cedf
SHA256 (group-ib-threat-intelligence_175.tgz): f1734cd6e7de55982415bec6a1088a84a066dc58f879f37b422dfd023a091f7f
SHA256 (group-ib-threat-intelligence_144.tgz): b08f2a0a8bad469baf95fd54aea4c9772302604a01bdb67eb1c60964017293a0
SHA256 (group-ib-threat-intelligence_142.tgz): 19933fae551ab24b3072cd5a560843a8a0cb8880a16e095e4f84b5231b8bb694
SHA256 (group-ib-threat-intelligence_141.tgz): 3b90e3b3ee6e021c65ed92ff2bd923d5c9ba0cb6e40dd5d5451978135a6ffd1b
SHA256 (group-ib-threat-intelligence_140.tgz): c6cff5e73d9afcc6acc8cb74887aa5344ca2e36dd906244a4d94df6a12ec0951
SHA256 (group-ib-threat-intelligence_123.tgz): 2c27399134ef06b00f4104611e6fd861e8010695a9dabd0fadf9439085f84b0d


Group-IB Threat Intelligence

Splunk Cloud
Group-IB Threat Intelligence is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data about adversary tactics, tools and activity. Read more on the Group-IB website: https://www.group-ib.com/products/threat-intelligence.

Threat Intelligence (TI) combines unique data sources with experience in investigating high-tech crimes and responding to complex multi-stage attacks worldwide. The system stores data on threat actors and their infrastructure collected since 2003, including data that criminals attempted to wipe out. This application integrates Threat Intelligence with Splunk so that you can consume TI feeds in the SIEM and pivot on indicators.

This Splunk integration allows you to:

- Import and process Threat Intelligence feeds directly into Splunk
- Search and correlate IoCs from Group-IB collections
- Enrich internal alerts with external intelligence

To use the integration, you must have an active Group-IB Threat Intelligence license and API access.

Data Collections Overview

Once the configuration is complete, the following sourcetypes become available in Splunk.

Note: if you are using a PoC or partner license, access to data is limited to the last 30 days. The recommended date ranges below are guidelines and can be adjusted to your needs.

Date format: YYYY-MM-DD

Collection | Sourcetype (gib_ti) | Description | Recommended date range
APT::Threat Report | gib_ti_apt_threat | Reports on nation-state APT activity, including associated indicators (IOCs), attack techniques and MITRE ATT&CK mappings. | 2-4 years
APT::Threat Actor | gib_ti_apt_threat_actor | Profiles of nation-state groups detailing their characteristics, targets, motivations and techniques. | 2-4 years
Attacks::DDoS | gib_ti_attacks_ddos | Data on Distributed Denial of Service (DDoS) attacks, including targeted resources and attack durations. | 5-10 days
Attacks::Deface | gib_ti_attacks_deface | Records of defacement attacks, highlighting compromised websites and related actors. | 5-10 days
Attacks::Phishing Group | gib_ti_attacks_phishing_group | Information on phishing attacks, including URLs of phishing websites. Note: do not use the IPs from this collection for detection, as they cause many false positives; match on URLs only. | 3-5 days
Attacks::Phishing Kit | gib_ti_attacks_phishing_kit | Collections of phishing website templates, scripts and configurations used by attackers. | 30 days
Compromised::Account | gib_ti_compromised_account_group | Credentials collected from phishing resources, botnets, C&C servers, the darkweb and other sources used by attackers. All indicated sources are unique and private. Also includes combolists and corporate accounts. For public breaches, see Compromised::Breached DB. | 2-4 years
Compromised::Shops | gib_ti_compromised_access | Offers to sell compromised data and access on darkweb marketplaces. | 2-4 years
Compromised::Group Card | gib_ti_compomised_bank_card_group | Information about compromised bank cards, sourced from card shops, forums and public leaks. | 2 years
Compromised::Breached DB | gib_ti_compromised_breached | Publicly leaked databases containing credentials and personal data. Note: hunting rules are enabled by default for this collection. | 90 days
Compromised::Discord | gib_ti_compromised_discord | Intelligence extracted from Discord channels and servers, mostly discussions. | 30 days
Compromised::Masked Card | gib_ti_compomised_masked_card | Information on compromised masked bank cards gathered from illicit marketplaces and forums. | 90 days
Compromised::Messenger | gib_ti_compromised_messenger | Intelligence collected from Telegram channels, including credentials, targeted companies and attack discussions. | 30 days
Compromised::Darkweb | gib_ti_compromised_reaper | Intelligence from closed darkweb forums used by threat actors for attack planning and coordination. | 30 days
Compromised::SPD | gib_ti_compromised_spd | Suspicious payment details (SPD): bank accounts, crypto wallets, phone numbers and other data used to launder or move illicit or stolen funds. | 90 days
Cybercriminals::Threat Report | gib_ti_hi_threat | Reports on financially motivated cybercriminals, including associated indicators (IOCs), attack techniques and MITRE ATT&CK mappings. | 2-4 years
Cybercriminals::Threat Actor | gib_ti_hi_threat_actor | Profiles of financially motivated cybercriminals detailing their characteristics, targets, motivations and techniques. | 2-4 years
IOC::Common | gib_ti_ioc_common | General indicators of compromise (IOCs) from threat reports (cybercriminal and APT) and the Malware section: hashes (MD5, SHA1, SHA256), IPs, domains and URLs. The major source of IOCs. | 90 days
Malware::C&C | gib_ti_malware_cnc | Information on malware command-and-control (C&C) servers used for data exfiltration and command distribution. This feed is also included in IOC::Common. | 90 days
Malware::Config | gib_ti_malware_config | Extracted malware configuration data. | 90 days
Malware::Report | gib_ti_malware_malware | Detailed malware descriptions. | 2-4 years
Malware::Signature | gib_ti_malware_signature | Suricata signatures for malware detection. | 30 days
Malware::YARA | gib_ti_malware_yara | YARA rules for identifying specific malware families. | 30 days
OSI::Git repository | gib_ti_osi_git_repository | Publicly available code from repositories such as GitHub, filtered by your hunting rules. Note: hunting rules are enabled by default for this collection. | 30 days
OSI::Public Leak | gib_ti_osi_public_leak | Public data leaks from sources such as Pastebin and ghostbin, including credentials, database dumps, configuration files and logs. Note: hunting rules are enabled by default for this collection. | 15 days
OSI::Vulnerability | gib_ti_osi_vulnerability | Information on software vulnerabilities, associated exploits and available proof-of-concept details. | 90 days
Suspicious IP::Tor Node | gib_ti_suspicious_ip_tor_nodes | Known Tor exit nodes used as anonymity relays. | 5 days
Suspicious IP::Open Proxy | gib_ti_suspicious_ip_open_proxy | Publicly available proxy servers, including potentially misconfigured proxies. | 5 days
Suspicious IP::Scanner | gib_ti_suspicious_ip_scanner | IP addresses identified as scanning or probing corporate networks. | 5 days
Suspicious IP::Socks Proxy | gib_ti_suspicious_ip_socks_proxy | IP addresses of infected hosts configured as SOCKS proxies and used for anonymized attacks. | 5 days
Suspicious IP::VPN | gib_ti_suspicious_ip_vpn | Public and private VPN servers identified as potentially malicious or suspicious. | 5 days
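Turning the recommended ranges above into the YYYY-MM-DD start date for each data input, as an added example that is not part of the app. The sourcetype keys and range strings are taken from the table; the 365-day year, the choice of the lower bound of a range as the default, and the clamp to 30 days for PoC/partner licenses (following the note above) are the example's own assumptions, and nothing about the app's Data Inputs form fields is assumed.

```python
"""Compute the "date from" value for a Group-IB data input.

Added example, not code from the Group-IB app. It parses the recommended
ranges listed in the collection table ("2-4 years", "5-10 days", "30 days"),
picks one bound, clamps it for PoC/partner licenses, and formats the start
date as YYYY-MM-DD.
"""
import re
from datetime import date, timedelta

# A subset of the recommended ranges from the table (sourcetype -> range text).
RECOMMENDED = {
    "gib_ti_apt_threat": "2-4 years",
    "gib_ti_attacks_ddos": "5-10 days",
    "gib_ti_attacks_phishing_group": "3-5 days",
    "gib_ti_attacks_phishing_kit": "30 days",
    "gib_ti_compromised_breached": "90 days",
    "gib_ti_ioc_common": "90 days",
    "gib_ti_osi_public_leak": "15 days",
    "gib_ti_suspicious_ip_tor_nodes": "5 days",
}

POC_LIMIT_DAYS = 30  # PoC / partner licenses expose only the last 30 days

# Matches "N unit" or "N-M unit", unit being day(s) or year(s).
_RANGE = re.compile(r"^\s*(\d+)(?:\s*-\s*(\d+))?\s*(day|year)s?\s*$")


def parse_range(text):
    """Return (low, high) in days for strings like '2-4 years' or '30 days'.

    Years are approximated as 365 days (an assumption of this example).
    """
    m = _RANGE.match(text)
    if not m:
        raise ValueError(f"unrecognised range: {text!r}")
    low, high, unit = int(m.group(1)), m.group(2), m.group(3)
    high = int(high) if high else low
    mult = 365 if unit == "year" else 1
    return low * mult, high * mult


def date_from(sourcetype, today, poc=False, use_upper=False):
    """ISO date (YYYY-MM-DD) from which to start collecting `sourcetype`.

    `today` may be a datetime.date or an ISO string. The lower bound of the
    recommended range is used unless use_upper=True; poc=True clamps the
    look-back to POC_LIMIT_DAYS because older data is not accessible anyway.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    low, high = parse_range(RECOMMENDED[sourcetype])
    days = high if use_upper else low
    if poc:
        days = min(days, POC_LIMIT_DAYS)
    return (today - timedelta(days=days)).isoformat()


if __name__ == "__main__":
    today = date.today()
    for st in RECOMMENDED:
        print(f"{st:34} full={date_from(st, today)}  poc={date_from(st, today, poc=True)}")
```

Run it once to get a start date per data input; for a PoC license every long-range collection collapses to the same 30-day window, which is the behaviour the note above describes.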

Practical Usage Scenarios

How to use Group-IB collections based on your detection and attribution needs:

  • IOC-driven detection: use the IOC::Common collection to trigger SOC alerts on critical IOCs such as hashes, domains, IPs and URLs.
  • Targeted detection with high-confidence sources: restrict alerting to the APT and financially motivated threat reports (APT::Threat Report, Cybercriminals::Threat Report) for higher-precision alerts.
  • Attribution enrichment: use the Suspicious IP collections (Tor, VPN, Proxy, Scanner) not for detection but for attribution, to add context to IPs seen in internal alerts.
  • Internal risk exposure:
      • alert the SOC when compromised employee accounts appear in the Compromised::Account or Compromised::Messenger collections;
      • enrich transaction monitoring or IAM tools with compromised cards and retail accounts from Compromised::Masked Card, Compromised::Group Card and Compromised::SPD.
  • Intelligence collection: archive TI data inside your Splunk environment for long-term visibility, so that you are not fully dependent on the Group-IB portal.
  • Suspicious transaction detection: integrate the Splunk feed with your internal transaction tools to detect fraud using Compromised::SPD entries.
  • Threat investigation with pivoting: in addition to detection and enrichment, analysts can use the gibsearch command to pivot on a specific IOC (a domain, IP or hash) and retrieve linked indicators across all Group-IB collections in real time. This is especially useful for investigating suspicious alerts, understanding attacker infrastructure and expanding threat context.

Note: the final workflow is up to you and your preferences; adapt any scenario to your infrastructure.
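The detection and enrichment policy from the scenarios above, run over constructed logs, as an added example that is not part of the Group-IB app. In Splunk itself this logic would be expressed as searches against the app's sourcetypes; this Python version keeps it runnable offline. The feed field names (ip, domain, url, sha256), the key=value proxy log format and the sample records are assumptions made for the example.

```python
"""Sourcetype-aware IOC matching over local logs.

Added example, not code from the Group-IB app. It applies the usage policy
described above: IOC::Common and the APT/Cybercriminals threat reports drive
alerts, Attacks::Phishing Group contributes URLs only (its IPs are ignored
because they cause false positives), and the Suspicious IP collections add
attribution context without alerting on their own. Feed field names and the
log format are assumptions; adapt them to the fields your data inputs produce.
"""
from collections import defaultdict
import shlex

# Which indicator fields of which sourcetype may raise an alert ("detect") and
# which only add context ("enrich"). Assumed mapping derived from the scenarios.
POLICY = {
    "gib_ti_ioc_common":              {"detect": {"ip", "domain", "url", "md5", "sha1", "sha256"}},
    "gib_ti_apt_threat":              {"detect": {"ip", "domain", "url", "md5", "sha1", "sha256"}},
    "gib_ti_hi_threat":               {"detect": {"ip", "domain", "url", "md5", "sha1", "sha256"}},
    "gib_ti_attacks_phishing_group":  {"detect": {"url"}},  # URLs only, never IPs
    "gib_ti_suspicious_ip_tor_nodes": {"enrich": {"ip"}},
    "gib_ti_suspicious_ip_vpn":       {"enrich": {"ip"}},
    "gib_ti_suspicious_ip_open_proxy": {"enrich": {"ip"}},
    "gib_ti_suspicious_ip_scanner":   {"enrich": {"ip"}},
}

# Constructed feed records imitating events from the app's sourcetypes.
FEED = [
    {"sourcetype": "gib_ti_ioc_common", "domain": "evil-update.example", "sha256": "a" * 64},
    {"sourcetype": "gib_ti_apt_threat", "ip": "203.0.113.7"},
    {"sourcetype": "gib_ti_attacks_phishing_group",
     "url": "http://login-bank.example/verify", "ip": "198.51.100.20"},
    {"sourcetype": "gib_ti_suspicious_ip_tor_nodes", "ip": "192.0.2.99"},
]

# Constructed proxy log lines (key=value), one request each.
LOGS = [
    "src=10.0.0.5 dest_ip=198.51.100.20 dest_host=cdn.shared-host.example url=http://cdn.shared-host.example/a.js",
    "src=10.0.0.6 dest_ip=192.0.2.99 dest_host=evil-update.example url=http://evil-update.example/u.bin",
    "src=10.0.0.7 dest_ip=203.0.113.7 dest_host=203.0.113.7 url=http://203.0.113.7/",
    "src=10.0.0.8 dest_ip=192.0.2.99 dest_host=news.example url=http://news.example/",
]


def build_index(feed, policy=POLICY):
    """Map lower-cased indicator value -> [(sourcetype, field, role), ...].

    Fields not listed in POLICY for a sourcetype (e.g. the phishing IP) are
    dropped here, so they can never match later.
    """
    index = defaultdict(list)
    for rec in feed:
        for role, fields in policy.get(rec["sourcetype"], {}).items():
            for field in fields:
                value = rec.get(field)
                if value:
                    index[value.lower()].append((rec["sourcetype"], field, role))
    return index


def parse_line(line):
    """Parse 'k=v k=v ...' into a dict; shlex keeps quoted values intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def evaluate(lines, index):
    """Return one alert per event that has at least one 'detect' hit.

    Enrichment-only matches (Suspicious IP) are attached as context but do
    not raise an alert by themselves.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        observed = {v for v in (ev.get("dest_ip"), ev.get("dest_host"), ev.get("url")) if v}
        hits, context = [], []
        for value in observed:
            for st, field, role in index.get(value.lower(), []):
                (hits if role == "detect" else context).append(f"{st}:{field}={value}")
        if hits:
            alerts.append({"src": ev["src"], "hits": hits, "context": context})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(LOGS, build_index(FEED)):
        print(alert)
```

With the constructed data, the request to the phishing IP alone does not alert, the Tor exit alone does not alert, and the host that reached the IOC::Common domain is alerted with the Tor exit recorded as attribution context.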

Search Setup

To query Group-IB data inside Splunk, use a search of the following form (replace "gib_tia" if you use a different index, or several indexes for multiple API accounts):

index="gib_tia" sourcetype="enter the source type you need"

ATTENTION: before searching, make sure the relevant collection is enabled under "Data inputs" on your Splunk or Splunk heavy forwarder instance; a disabled collection simply produces no events for its sourcetype.

Global search - pivoting

For global search use command:

| gibsearch search=<value>

NOTE: the search value can be an IP, a domain, a hash or a URL.

This command finds references to the value across all collections in the Group-IB Threat Intelligence system and returns the IOCs associated with it (Date, ID, Hash, CNC, Domain, URL, IP). It queries the Group-IB cloud directly, not the data indexed in your instance, so it needs working API access from the search head and its results are not limited to the collections you have enabled as data inputs.

Example usage:

| gibsearch search=group-ib.com

Release Notes

Version 1.8.0
Aug. 8, 2025
  • Removed history and images from the malware/malware collection, as they were not needed;
  • Added the compromised/spd collection (suspicious payment details);
  • Updated the cyberintegrations library to version 0.10.0;
  • Renamed some collections in the Data Inputs settings window to make them clearer;
  • Fixed a bug with logging level selection;
  • Updated the documentation on Splunkbase;
  • Removed the deprecated compromised/mule collection (SPD replaces it).
Version 1.7.5
Aug. 1, 2025
  • Changed sourcetypes from "gib_tia" to "gib_ti";
  • Set default maximum application log size to 200 MB (up to 4 GB with extended logging enabled);
  • Improved error handling in state_store;
  • Removed the option to download images;
  • Added a flag to limit the size of collected logs;
  • Improved display of search command information;
  • Added a flag to control the logging level;
  • Added support for binding Splunk to multiple IP addresses.
Version 1.4.4
May 20, 2025
  • New hunting rules filter option across most collections;
  • Support for several accounts with different indexes;
  • Updated library and code refactoring;
  • Fixed a bug with missing Data Inputs.
Version 1.4.2
Feb. 3, 2025
  • Improved stability;
  • New Splunk Cloud compliance.
Version 1.4.1
March 20, 2024
  • Fixed a minor error with compromised/reaper (darkweb) and compromised/breached;
  • Updated library.
Version 1.4.0
Dec. 11, 2023
  • Refactored search logic;
  • Removed deprecated collections;
  • Refactored attribution logic.

Version 1.2.3
Feb. 20, 2023
  • Added more Whois and attribution information;
  • More masking options for compromised data.
