
Cyware Orchestrate

Group-IB

App Vendor: Group-IB

App Category: Data Enrichment and Threat Intelligence

Connector Version: 1.0.0

API Version: 1.0.0

About App

Group-IB Threat Intelligence & Attribution (TI&A) is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools and activity. TI&A combines unique data sources and experience in investigating high-tech crimes and responding to complex multi-stage attacks worldwide. The system stores data on threat actors, domains, IPs, and infrastructures collected over the last 15 years, including those that criminals attempted to wipe out. 

The Group-IB app is configured with Orchestrate to perform the following actions:

Generic Action: A generic action used to make a request to any endpoint.

Get IOC Details: Retrieves the details of an indicator of compromise (IOC).

Get Updated IOCs: Retrieves the updated IOCs.

List All IOCs: Lists all the IOCs.

Configuration Parameters

The following configuration parameters are required for the Group-IB app to communicate with the Group-IB enterprise application. The parameters can be configured by creating instances in the application.

Username (Text, Required): Enter the username to authenticate with Group-IB.

API Token (Password, Required): Enter the API token to authenticate with Group-IB.

Verify (Boolean, Optional): Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to true; passing false may result in incorrectly establishing the connection with Group-IB. Allowed values: true, false. Default value: true.

Timeout (Integer, Optional): Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Group-IB. Allowed values: 15-120. Default value: 15.

Action: Get IOC Details

This action retrieves the details of an IOC.

Action Input Parameters 

IOC ID (Text, Required): Enter the IOC ID to get the details. Example: 018b3c1fbfeb226741bb784d25c9b01baf76f019. You can retrieve an IOC ID using the action List All IOCs.

Example Request

[
  {
    "ioc_id": "018b3c1fbfeb226741bb784d25c9b01baf76f019"
  }
]

Action: Get Updated IOCs

This action retrieves the updated IOCs.

Action Input Parameters 

Sequence (Integer, Optional): Enter the sequence number to get the updated IOCs. Example: 3. This is the initial number from which updated IOCs will be sequentially retrieved.

Limit (Integer, Optional): Enter the limit to get the updated IOCs. Example: 10.

Example Request

[
  {
    "sequence": 3,
    "limit": 10
  }
]

Action: List All IOCs

This action lists all the IOCs.

Action Input Parameters 

Search query (Text, Optional): Enter the query to search for IOCs. Example: malware.

From date (Text, Optional): Enter the date from which IOCs need to be fetched. Example: 2021-09-01:00:00:00. The date must be of the format YYYY-MM-DD:HH:MM:SS.

End date (Text, Optional): Enter the date up to which IOCs need to be fetched. Example: 2022-09-01:00:00:00. The date must be of the format YYYY-MM-DD:HH:MM:SS.

Result ID (Text, Optional): Enter the result ID to search for IOCs. Example: 13.

Example Request

[
  {
    "query": "malware"
  }
]

Action: Generic Action

This is a generic action used to make a request to any endpoint.

Action Input Parameters

Method (Text, Required): Enter the HTTP method to make the request. Example: GET. Allowed values: GET, PUT, POST, PATCH, DELETE.

Endpoint (Text, Required): Enter the endpoint to make the request to. Example: /api/vulnerabilities/{cve_id}/affected-projects.

Query Params (Key Value, Optional): Enter the query parameters to pass to the API.

Payload (Any, Optional): Enter the payload to pass to the API.

Extra Fields (Key Value, Optional): Enter the extra fields to pass to the API.

Example Request

[
  {
    "method": "GET",
    "endpoint": "ioc/common",
    "extra_fields": {},
    "query_params": {}
  }
]
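The following Python is an added example, not Cyware's or Group-IB's own code. It encodes the constraints this page states for the configuration parameters (timeout range 15-120, boolean verify flag) and for the four actions (required IOC ID, integer sequence and limit, the YYYY-MM-DD:HH:MM:SS date format, the HTTP method allow-list) and emits request bodies in the shape of the documented Example Requests. The action identifiers and the keys "from_date", "end_date" and "result_id" are assumptions for illustration; only "query", "ioc_id", "sequence", "limit", "method", "endpoint", "extra_fields" and "query_params" appear on the page.

```python
"""Validate Group-IB connector inputs and build the documented request bodies.

Added example, not Cyware's or Group-IB's own code. Action names and the keys
from_date, end_date and result_id are assumptions; the other keys match the
Example Requests on the page.
"""
import json
import re

TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15
ALLOWED_METHODS = ("GET", "PUT", "POST", "PATCH", "DELETE")
# Documented format is YYYY-MM-DD:HH:MM:SS: a colon (not a space or 'T')
# separates the date and time parts.
DATE_RE = re.compile(
    r"^\d{4}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])"
    r":([01]\d|2[0-3]):[0-5]\d:[0-5]\d$"
)


def validate_config(username, api_token, verify=True, timeout=TIMEOUT_DEFAULT):
    """Check the instance configuration and return it normalised."""
    if not username or not api_token:
        raise ValueError("username and API token are required")
    if not isinstance(verify, bool):
        raise ValueError("verify must be a boolean")
    # verify=False disables certificate checking for every request the
    # instance makes; the page recommends leaving it at the default (true).
    if isinstance(timeout, bool) or not isinstance(timeout, int):
        raise ValueError("timeout must be an integer")
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        raise ValueError(f"timeout must be in {TIMEOUT_MIN}-{TIMEOUT_MAX} seconds")
    return {"username": username, "api_token": api_token,
            "verify": verify, "timeout": timeout}


def _check_date(name, value):
    if not isinstance(value, str) or not DATE_RE.fullmatch(value):
        raise ValueError(f"{name} must be of the format YYYY-MM-DD:HH:MM:SS")
    return value


def _check_int(name, value):
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{name} must be an integer")
    return value


def build_request(action, **params):
    """Return the list-wrapped request body documented for `action`."""
    if action == "get_ioc_details":
        if not params.get("ioc_id"):
            raise ValueError("ioc_id is required")
        body = {"ioc_id": params["ioc_id"]}
    elif action == "get_updated_iocs":
        body = {k: _check_int(k, params[k])
                for k in ("sequence", "limit") if k in params}
    elif action == "list_all_iocs":
        body = {}
        if "query" in params:
            body["query"] = params["query"]
        for k in ("from_date", "end_date"):  # assumed key names
            if k in params:
                body[k] = _check_date(k, params[k])
        if "result_id" in params:  # assumed key name; documented as Text
            body["result_id"] = str(params["result_id"])
    elif action == "generic":
        method, endpoint = params.get("method"), params.get("endpoint")
        if method not in ALLOWED_METHODS:
            raise ValueError(f"method must be one of {', '.join(ALLOWED_METHODS)}")
        if not endpoint:
            raise ValueError("endpoint is required")
        for k in ("query_params", "extra_fields"):
            if not isinstance(params.get(k, {}), dict):
                raise ValueError(f"{k} must be key/value pairs")
        body = {"method": method, "endpoint": endpoint,
                "extra_fields": params.get("extra_fields", {}),
                "query_params": params.get("query_params", {})}
        if "payload" in params:
            body["payload"] = params["payload"]
    else:
        raise ValueError(f"unknown action: {action}")
    return [body]


if __name__ == "__main__":
    # Constructed sample values, reproducing the page's Example Requests.
    validate_config("analyst", "constructed-token", verify=True, timeout=30)
    print(json.dumps(build_request("generic", method="GET",
                                   endpoint="ioc/common"), indent=2))
    print(json.dumps(build_request("list_all_iocs", query="malware",
                                   from_date="2021-09-01:00:00:00"), indent=2))
```

The checks fail closed: an out-of-range timeout, a non-boolean verify value, a method outside the allow-list, or a date written with a space or "T" separator is rejected before anything is sent, so the instance does not silently fall back to a permissive setting.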