splunk
Group-IB Threat Intelligence
Splunk Cloud
Overview
Details
[Group-IB Threat Intelligence](https://www.group-ib.com/products/threat-intelligence/)is a system for analysing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools and activity. TI combines unique data sources and experience in investigating high-tech crimes and responding to complex multi-stage attacks worldwide. The system stores data on threat actors, domains, IPs, and infrastructures collected over the last 15 years, including those that criminals attempted to wipe out.
This application is build for integration of Threat Intelligence with Splunk SIEM to consume TI feeds. To use integration, please make sure you have an active Group-IB Threat Intelligence license access to the interface.
This application is build for integration of Threat Intelligence with Splunk SIEM to consume TI feeds. To use integration, please make sure you have an active Group-IB Threat Intelligence license access to the interface.
Group-IB Threat Intelligence (TI) is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools and activity.
TI combines unique data sources and experience in investigating high-tech crimes and responding to complex multi-stage attacks worldwide. The system stores data on threat actors, domains, IPs, and infrastructures collected over the last 15 years, including those that criminals attempted to wipe out.
The functionality of the system helps customize it to the threat landscape not only relevant to a particular industry, but also to a specific company in a certain country.
To search through data that was loaded into the splunk use the command:
index="gib_tia" sourcetype="enter the source type you need"
ATTENTION!: To search, you must first enable collection loading in the configuration.
The following sourcetypes will appear in the system as soon as the configuration will be completed.
| Collection | Sourcetype (gib-ti) | Description |
|---|---|---|
| APT :: Threat | gib_ti_apt_threat | A collection of Indicators and MITRE ATT&CK matrix. It contains HASH sums of malicious files that were generated by hackers, IP addresses, domains, CVE and the group's activities, motives, and goals to understand what tools and tactics they use according to the MITRE ATT&CK matrix. |
| APT :: Threat Actor | gib_ti_apt_threat_actor | Cybercriminal groups including nation-state (state-sponsored hacker groups) and organized threat groups that target various industries and countries. |
| Attacks :: DDoS | gib_ti_attacks_ddos | An attack that creates a load on the server and is executed simultaneously from a large number of computers (often a network of infected zombie computers is used) in order to create an artificial increase in requests to a resource and thereby disable it. |
| Attacks :: Deface | gib_ti_attacks_deface | Defacement attacks are often conducted by web-hooligans (a form of vandalism) or hacktivists (politically or religiously motivated actors) whose aim is to draw attention to something. After a successful attack, the threat actors publish information on special sites dedicated to defacement, social media, or their personal sites. |
| Attacks :: Phishing Group | gib_ti_attacks_phishing_group | The Phishing Group displays information about various phishing resources (including sites masqueraded as Google, Microsoft, etc.). Group-IB collects this data with the help of Passive-DNS analysis performed by Managed XDR (ManagedExtended Detection and Response) systems, alerts received by CERT-GIB, tracked SPAM messages, malicious contextual advertising, new domain names, and other valuable data. |
| Attacks :: Phishing Kit | gib_ti_attacks_phishing_kit | A Phishing kit is a collection of pages, scripts, and images that keep a phishing website up and running. In other words, it is a ready-made phishing website with a relevant settings file that specifies the parameters of how the page needs to be displayed. |
| Compromised Data :: Access | gib_ti_compromised_access | This collection displays the freshest information about compromised data from various darkweb marketplaces (which sell illegal or restricted data and services, according to the laws of a particular country). Most often it is malware, hacked databases of social networks and so on. The information obtained from this collection can help detect relevant threats that compromise company employees, customers or systems on the internal network. |
| Compromised Data :: Bank Card Group | gib_ti_compomised_bank_card_group | Bank Cards Group collection contains information about compromised bank cards and masked cards. This includes data collected from card shops, specialized forums, and public sources. All data collected is grouped by card number. |
| Compromised Data :: Breached Databases | gib_ti_compromised_breached | The Breached collection contains information about leaked databases collected by the TI system. Such databases can contain a different set of data, which includes logins, passwords, contact and other personal information of users. For each login found, the client will see in which database it was detected, and what additional information has leaked for this user. |
| Compromised Data :: Discord | gib_ti_compromised_discord | The Discord collection contains data that was received by the TI system from Discord. The Threat Intelligence system analyzes every chat and channel (even private ones). Here detailed information about Discord servers, channels and users can be extracted. You can also find data from the channels which were added manually to the TI system. |
| Compromised Data :: IMEI | gib_ti_compromised_imei | Android Trojans are designed to steal money from bank accounts, spy on account holders, and extort money. They can intercept SMS messages, recover passwords from cloud storage services, upload photo and video files, transmit the device geolocation and lists of installed applications from a mobile device to the threat actor, and automatically transfer funds. |
| Compromised Data :: Masked Card | gib_ti_compomised_masked_card | Masked Card collection contains information about compromised masked cards. This includes data collected from card shops, specialized forums, and public sources. |
| Compromised Data :: Messenger | gib_ti_compromised_messenger | In this collection information from the Telegram chats and channels can be found. The Threat Intelligence system analyzes every chat and channel (even private ones. Here records can contain bank/personal credentials, media, files, links, ip-addresses and domains of the companies that can be targeted in the nearest future, or were already attacked and it was discussed in the specific chat channel. |
| Compromised Data :: Mules | gib_ti_compromised_mule | This collection contains data about bank accounts threat actors have transferred or plan to transfer stolen money to. Man-in-the-Browser (MITB) attacks, mobile Trojans, and phishing kits allow fraudsters to make money transfers automatically. Analyzing bank-targeted botnets helps extract this data from malware configuration files. |
| Compromised Data :: Reaper | gib_ti_compromised_reaper | The Reaper collection contains data from messages collected on closed online forums that are not directly accessible. Cybercriminal groups use such forums to gather information for further attack planning. Group-IB analysts and automated systems collect and classify various types of information to warn clients against emerging or future attacks. |
| Human Intelligence :: Threat | gib_ti_hi_threat | A collection of Indicators and MITRE ATT&CK matrix. It contains HASH sums of malicious files that were generated by hackers, IP addresses, domains, CVE and group's activities motives, and goals to understand what tools and tactics they use according to the MITRE ATT&CK matrix. |
| Human Intelligence :: Threat Actor | gib_ti_hi_threat_actor | Cybercriminal groups including nation-state (state-sponsored hacker groups) and organized threat groups that target various industries and countries. |
| Indicator of Compromise :: Common | gib_ti_ioc_common | The Common IoCs collection can help identify malicious activity or security threats. Indicators of Compromise are clues and evidence of a data breach, usually observed during a cybersecurity attack. Identified IoCs provide the organization with a window into the techniques and methodologies of the attackers who target them. |
| Malware :: C2 | gib_ti_malware_cnc | Command and control. CNC collection contains information on the control center where malware related to targeted attacks use to store stolen data or download commands from. |
| Malware :: Config | gib_ti_malware_config | Malicious files come from the Malware control center. Contains HASH sums of malicious files that were generated by hackers, IP addresses, and domains. |
| Malware :: Malware | gib_ti_malware_malware | The Malware collection contains detailed information about specific malware detected through analyzing Threat Actors activity. Can contain malware names, related attacker names and additionally legitimate tools used by attackers during an attack. |
| Malware :: Signature | gib_ti_malware_signaure | This collection contains malware signatures that can be used to enrich malware security feeds, detect potentially confidential information and identify specific malware promptly. Here the signature name, class and raw data can be found (if detected). |
| Malware :: YARA | gib_ti_malware_yara | This collection includes data related to YARA rules set by Group-IB and containing information about specific malware families. Here YARA rule name, class and raw data can be displayed (if detected). |
| OSI :: Git repository | gib_ti_osi_git_repository | Open-source repositories such as GitHub contain codes that anyone can search for. They are often used by threat actors planning to attack a specific company. |
| OSI :: Public Leak | gib_ti_osi_public_leak | There are specialized websites for exchanging textual information (such as Pastebin and analogous resources). They can be used to upload texts and send anyone a link to them. Both legitimate IT specialists and hackers actively use such resources. IT professionals may underestimate the risks and load configuration files for network equipment, export tables from databases, code fragments containing access credentials, and much more. Hackers mainly post lists of usernames, passwords, bank card details, Trojan configuration files, attack outcomes, and various logs. |
| OSI :: Vulnerability | gib_ti_osi_vulnerability | The Vulnerability collection displays information about vulnerabilities detected in the software by version. In addition to general information, the subsection also contains data on existing exploits, with the option to view links to PoC (Proof-of-Concept) and additional information, or to download the exploit. |
| Suspicious IP :: Tor Node | gib_ti_suspicious_ip_tor_nodes | The Tor collection displays data about Tor exit nodes, which are the final Tor relays in the circuit. The nodes act as an intermediary between a Tor client and public Internet. |
| Suspicious IP :: Open Proxy | gib_ti_suspicious_ip_open_proxy | The Open proxy collection shows information about lists of proxy servers that are publicly available on various Internet resources related to anonymity. In addition, proxy servers may be configured as open proxies intentionally or as a result of misconfiguration or breaches. |
| Suspicious IP :: Scanner | gib_ti_suspicious_ip_scanner | This collection contains data about public and private IP-addresses that were identified by the Group-IB TI system. These records can be used to identify or block connections between the corporate network and servers detected. |
| Suspicious IP :: Socks Proxy | gib_ti_suspicious_ip_socks_proxy | The Socks proxy collection shows information about addresses where malware that turns infected computers into SOCKS proxies has been installed. Such computers (bots) are rented out and used in various attacks to ensure the attacker as much anonymity as possible. |
| Suspicious IP :: VPN | gib_ti_suspicious_ip_vpn | This collection contains information about public and private VPNs servers that were identified by the Group-IB TI system. These records can be used to identify or block connections between the corporate network and servers detected. |
Global search
For global search use command:
gibsearch search=<value>
NOTE: In Global search ip, domain, hash, url data can be used in the request body.
This command provides the opportunity to find references of the desired data in all collections throughout the Group-IB Threat Intelligence system and returns IOCs associated with this data (Date, ID, Hash, CNC, Domain, URL, IP).
Release Notes
Version 1.7.5
Aug. 1, 2025
Changed sourceTypes from "gib_tia" to "gib_ti";
Set default maximum application log size to 200 MB (up to 4 GB with extended logging enabled);
Improved error handling in state_store;
Removed the option to download images;
Added a flag to limit the size of collected logs;
Improved display of search command information;
Added a flag to control the logging level;
Added support for binding Splunk to multiple IP addresses.
Version 1.4.4
May 20, 2025
- New hunting rules filter option across most of collections;
- Possibility to work with several accounts with different indexes;
- Updated library and code refactoring;
- Fixed bug with missing Data Inputs.
Version 1.4.2
Feb. 3, 2025
- improved stability
- new Splunk cloud compliance
Version 1.4.1
March 20, 2024
- Fixed minor error with compromised/reaper (darkweb), compromised/breached
- Updated library
Version 1.4.0
Dec. 11, 2023
Refactored search logic
Removed deprecated collections
Refactored Attribution logic
Version 1.2.3
Feb. 20, 2023
- added more Whois and Attribution information
- more masking options for compromised data