GIBTIA_Compromised_imei
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Author: Hesham Saad
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | Group-IB |
| Source | View on GitHub |
⚠️ Not listed in Solution JSON: This content item was discovered by scanning the solution folder but is not included in the official Solution JSON file. It may be a legacy item, under development, or excluded from the official solution package.
Tables Used
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
GIBTIACompromisedIMEI_CL |
? | ✓ | ? |
GIBTechTable_CL |
? | ✓ | ? |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azureloganalyticsdatacollector |
Managed | 1 | 4 |
azuremonitorlogs |
Managed | 1 | 1 |
http |
Built-in | 0 | 2 |
Action parameters (URLs, paths, function IDs)
azureloganalyticsdatacollector (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Update_Last_Item_id_in_Tech_table_ | post | /api/logs |
— |
| Init_TechTable | post | /api/logs |
— |
| Send_Data | post | /api/logs |
— |
| Save_seqUpdate | post | /api/logs |
— |
azuremonitorlogs (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Get_last_received_item_ID_from_Azure_Log_DB | post | /queryData |
— |
http (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| HTTP | GET | @{parameters('GIB API URL ')}sequence_list |
— |
| Get_next_portion_of_events_from_GIB | GET | @{parameters('GIB API URL ')}@{parameters('Collection Name')}/updated |
— |
Additional Documentation
📄 Source: readme.md
Ingest Group-IB Threat Intelligence & Attribution Feeds and Indicators Collections
Author: Hesham Saad
Group-IB Azure Sentinel playbooks designed by Group-IB team and supported by Microsoft team to ingest Threat Intelligence & Attribution feeds and indicators from multiple Group-IB data collections and writes them to Microsoft Security Graph API to be listed under Azure Sentinel ThreatIntelligenceIndicators table and custom log tables as well for adversaries, threat actors,...etc
There are a number of pre-configuration steps required before deploying the playbooks.
Group-IB Sentinel Playbooks Collections Detailed Description
- "GIBIndicatorProcessor" Playbook
This playbook is used to send indicators to Microsoft Security Graph API from all other GIB playbooks.
- "GIBTIA_APT_Threats" Playbook
a. Collection: apt/threat
b. Has Indicators: Yes
c. Indicators Content:
GIB APT Threat Indicator(IPv4)
GIB APT Threat Indicator(domain)
GIB APT Threat Indicator(url)
GIB APT Threat Indicator(md5)
GIB APT Threat Indicator(sha256)
GIB APT Threat Indicator(sha1)
d. Description:
Group-IB continuously monitors activities undertaken by hacker groups, investigate, collect, and analyze information about all emerging and ongoing attacks. Based on this information, we provide IOC's related to APT Groups Attacks.
- "GIBTIA_APT_ThreatActor" Playbook
a. Collection: apt/threat_actor
b. Has Indicators: No
c. Indicators Content: N/A
d. Description:
This collection contains APT groups’ info, with detailed descriptions.
- "GIBTIA_Attacks_ddos" Playbook
a. Collection: attacks/ddos
b. Has Indicators: Yes
c. Indicators Content:
GIB DDoS Attack(IPv4)
d. Description:
The "DDoS attacks" collection contains a DDoS Attacks targets and C2 indicators.
- "GIBTIA_Attacks_deface" Playbook
a. Collection: attacks/deface
b. Has Indicators: Yes
c. Indicators Content:
GIB Attack Deface(url)
d. Description:
The “Deface” collection contains information about online resources that have become subject to defacement attacks (the visual content of a website being substituted or modified).
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊