Group-IB Threat Intelligence and Attribution Connector - Azure Sentinel

Published Apr 07 2021 11:06 PM 2,760 Views
Microsoft

Overview & Use Case

Thanks to Ivan Ovchinnikov,  Lead integration developer at Group-IB, Rijuta Kapoor from Microsoft Azure Sentinel Threat Intelligence team, Sreedhar Ande from Microsoft Azure Sentinel PG, the whole Group-IB Threat Intelligence and Azure Sentinel Threat Intelligence Product Group teams for the technical brainstorming, contributing and proof reading! 

 

Group-IB Threat Intelligence & Attribution (TI&A) is a system for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools and activity. TI&A combines unique data sources and experience in investigating high-tech crimes and responding to complex multi-stage attacks worldwide. The system stores data on threat actors, domains, IPs, and infrastructures collected over the last 15 years, including those that criminals attempted to wipe out. The functionality of the system helps customize it to the threat landscape not only relevant to a particular industry, but also to a specific company in a certain country. Below is the high-level architecture of Group-IB TI&A:

 

gib-architecture.PNG

SOC team requirement is to ingest Group-IB TI&A feeds & indicators based on multiple TI collections to Azure Sentinel (and writes them to Microsoft Security Graph API to be listed under Azure Sentinel ThreatIntelligenceIndicators table and custom log tables as well) for automatic scanning and detecting matched TI feeds/indicators across their organizational data sources logs for further investigation and analysis.

 

Implementation

First let’s understand and get more technical details on the Group-IB TI&A collections to see how we can ingest and map these feeds/indicators to the Azure Sentinel Threat Intelligence data types via TI&A APIs and Azure Sentinel Automation (Playbooks):

 

gib-tia

Collection

Has Indicators

Indicators Content

Description

GIBTIA_APT_Threats

apt/threat

Yes

GIB APT Threat Indicator(IPv4)


GIB APT Threat Indicator(domain)


GIB APT Threat Indicator(url)


GIB APT Threat Indicator(md5)


GIB APT Threat Indicator(sha256)


GIB APT Threat Indicator(sha1)

Group-IB continuously monitors activities undertaken by hacker groups, investigate, collect, and analyze information about all emerging and ongoing attacks. Based on this information, we provide IOC's related to APT Groups Attacks

GIBTIA_APT_ThreatActor

apt/threat_actor

No

N/A

This collection contains APT groups’ info, with detailed descriptions

GIBTIA_Attacks_ddos

attacks/ddos

Yes

GIB DDoS

Attack(IPv4)

The "DDoS attacks" collection contains a DDoS Attacks targets and C2 indicators

GIBTIA_Attacks_deface

attacks/deface

Yes

GIB Attack Deface(url)

The “Deface” collection contains information about online resources that have become subject to defacement attacks (the visual content of a website being substituted or modified)

GIBTIA_Attacks_phishing

attacks/phishing

Yes

GIB Phishing Domain(domain)


GIB Phishing IP(IPv4)


GIB Phishing URL(url)

The “Attacks Phishing" collection provides information about various phishing resources (including URLs, Domains and IPs.)

GIBTIA_Attacks_phishing_kit

attacks/phishing_kit

Yes

GIB Phishing Kit Email(email)

The “Atacks Phishing Kits” collection contains information about the archives of phishing kits. Emails gotten from kits can be obtained as indicators

GIBTIA_BP_phishing

bp/phishing

Yes

GIB Phishing Domain(domain)


GIB Phishing IP(IPv4)


GIB Phishing URL(url)

The "BP Phishing" collection provides events related to clients company

GIBTIA_BP_phishing_kit

bp/phishing_kit

Yes

GIB Phishing Kit Email(email)

The "BP Phishing Kit" collection provides phishing kits related to clients company

GIBTIA_Compromised_account

compromised/account

Yes

GIB Compromised Account CNC(url)


GIB Compromised Account CNC(domain)


GIB Compromised Account CNC(IPv4)

This collection contains credentials collected from various phishing resources, botnets, command-and-control (C&C) servers used by hackers

GIBTIA_Compromised_card

compromised/card

Yes

GIB Compromised Card CNC URL(url)


GIB Compromised Card CNC Domain(domain)


GIB Compromised Card CNC IP(IPv4)

This collection contains information about compromised bank cards. This includes data collected from card shops, specialized forums, and public sources

GIBTIA_Compromised_imei

compromised/imei

Yes

GIB Compromised IMEI CNC Domain(domain)


GIB Compromised IMEI CNC URL(url)


GIB Compromised IMEI CNC IP(IPv4)

The section contains data on infected mobile devices, which is obtained by analyzing mobile botnets. It does not contain personal data and is available to all system users

GIBTIA_Compromised_mule

compromised/mule

Yes

GIB Compromised Mule CNC Domain(domain)


GIB Compromised Mule CNC URL(url)


GIB Compromised Mule CNC IP(IPv4)

This section contains information about bank accounts to which threat actors have transferred or plan to transfer stolen money. Man-in-the-Browser (MITB) attacks, mobile Trojans, and phishing kits allow fraudsters to make money transfers automatically. Playbook provides C2 data related to compromitation

GIBTIA_HI_Threats

hi/threat

Yes

GIB HI Threat Indicator(domain)

Group-IB continuously monitors activities undertaken by hacker groups, investigate, collect, and analyze information about all emerging and ongoing attacks. Based on this information, we provide IOC's related to Hackers Attacks

GIBTIA_HI_ThreatActor

hi/threat_actor

No

N/A

This collection contains non-APT groups’ and Individual hackers info, with detailed descriptions

GIBTIA_Malware_cnc

malware/cnc

Yes

GIB Malware CNC Domain(domain)


GIB Malware CNC URL(url)


GIB Malware CNC IP(IPv4)

The "Malware" collection contains Malwares C2 detected by group IB

GIBTIA_Malware_Targeted_Malware

malware/targeted_malware

Yes

GIB Malware Targeted Malware(md5)


GIB Malware Targeted Malware(sha1)


GIB Malware Targeted Malware(sha256)


GIB Malware Targeted Malware Inject(md5)

The “Targeted Trojans” section contains information about malicious programs targeting the client's infrastructure. Information is collected by examining a multitude of malicious files and investigating various incidents

GIBTIA_OSI_GitLeak

osi/git_leak

No

N/A

Open-source repositories such as GitHub contain codes that anyone can search for. They are often used by threat actors planning to attack a specific company. The “Git Leaks” section contains the above data in code repositories

GIBTIA_OSI_PublicLeak

osi/public_leak

No

N/A

The “Public leaks” collection contains the leaked clinets data collected on popular file-sharing resources or text/information exchange websites

GIBTIA_OSI_Vulnerability

osi/vulnerability

No

N/A

The “Vulnerabilities” collection displays information about vulnerabilities detected in the software by version

GIBTIA_Suspicious_ip_open_proxy

suspicious_ip/open_proxy

Yes

GIB Open Proxy Address(IPv4)

The “Open proxy” collection proviedes information about lists of proxy servers that are publicly available on various online resources related to anonymity. In addition, proxy servers may be configured as open proxies intentionally or as a result of misconfiguration or breaches

GIBTIA_Suspicious_ip_socks_proxy

suspicious_ip/socks_proxy

Yes

GIB Socks Proxy Address(IPv4)

The “Socks proxy” collection providess information about addresses where malware that turns infected computers into SOCKS proxies has been installed. Such computers (bots) are rented out and used in various attacks to ensure the attacker as much anonymity as possible

GIBTIA_Suspicious_ip_tor_node

suspicious_ip/tor_node

Yes

GIB Tor Node Address(IPv4)

The “Tor Node” collection displays information about Tor exit nodes, which are the final Tor relays in the circuit. The nodes act as a medium between a Tor client and public Internet

 

#Deployment Steps

 

The whole custom connectors code & deployment templates with detailed instructions and considerations already been uploaded at Azure Sentinel github Playbooks repo

 

Step(1): Azure Sentinel gib-tia Playbooks

  • Deploy GIBIndicatorsProcessor playbook first
  • Deploy required collections Playbooks and configure the following parameters:
    • GIB Username - is a login to access Group-IB TI&A Web Interface
    • Save only indicators - set to true if only indicators enrichment is required, otherwise, an additional table in Workspace with full event content will be created
    • Some collections provide no indicators, so do not have this parameter configurable and add Group-IB TI&A events only in Log Workspace
    • GIB Action - This is an action required to set in a particular indicator type provided through the current collection.(The action to apply if the indicator is matched from within the target Product security tool. Possible values are: unknown, allow, block, alert)
    • GIB API URL - is an GIB TI&A API URL
    • Configure API Key variable. API Key can be generated in the Profile Section in Group-IB TI&A Web Interface

Step(2): Register an Azure AD App for TI Indicators Graph API Write Access

  • Go to Azure Active Directory / App Registrations
  • Create +New Registration
  • Give it a name. Click Register
  • Click API Permissions Blade
  • Click Add a Permission
  • Click Microsoft Graph
  • Click Application Permissions
  • Check permissions for ThreatIndicators (ThreatIndicators.ReadWrite.OwnedBy). Click Add permissions
  • Click grant admin consent for domain.com
  • Click Certificates and Secrets
  • Click New Client Secret
  • Enter a description, select never. Click Add
  • IMPORTANT. Click copy next to the new secret and paste it somewhere temporarily. You cannot come back to get the secret once you leave the blade
  • Copy the client ID from the application properties and paste it somewhere as you will need it to be added to the Playbooks
  • Also copy the tenant ID from the AAD directory properties blade

groupIBSentinelPart6.gif

 

groupIBSentinelPart1.gif

groupIBSentinelPart3.gif

 

groupIBSentinelPart5.gif

 

groupIBSentinelPart4.gif

 

Detection & Investigation

 

A sample Azure Sentinel Analytics rule to identify a match in CommonSecurityLog Event data from any FileHash IOC from gib-tia, we highly recommend you to check out the list of the Azure Sentinel TI Out of the box TI analytics rules:

 

 

 

//gib-tia TI map File Hash to CommonSecurityLog Event data sources in Azure Sentinel, to identify a match in CommonSecurityLog Event data from any FileHash IOC from gib-tia

let dt_lookBack = 1h;

let ioc_lookBack = 14d;

let fileHashIndicators = ThreatIntelligenceIndicator

| where SourceSystem == "SecurityGraph" and ThreatType == "Malware"

| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()

| where Active == true

| where isnotempty(FileHashValue);

// Handle matches against both lower case and uppercase versions of the hash:

( fileHashIndicators | extend  FileHashValue = tolower(FileHashValue)

  |union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))

|  join (

   CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)

   | where isnotempty(FileHash)

   | extend CommonSecurityLog_TimeGenerated = TimeGenerated

)

on $left.FileHashValue == $right.FileHash

| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId

| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,

CommonSecurityLog_TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,

RequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity

| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url

 

 

 

groupIBSentinelPart7.gif

 

Get started today!

 

We encourage you to try it now!

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

%3CLINGO-SUB%20id%3D%22lingo-sub-2252904%22%20slang%3D%22en-US%22%3EGroup-IB%20Threat%20Intelligence%20and%20Attribution%20Connector%20-%20Azure%20Sentinel%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2252904%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EOverview%20%26amp%3B%20Use%20Case%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThanks%20to%20Ivan%20Ovchinnikov%2C%26nbsp%3B%20Lead%20integration%20developer%20at%20Group-IB%2C%20Rijuta%20Kapoor%26nbsp%3Bfrom%20Microsoft%20Azure%20Sentinel%20Threat%20Intelligence%20team%2C%20Sreedhar%20Ande%20from%20Microsoft%20Azure%20Sentinel%20PG%2C%20the%20whole%20Group-IB%20Threat%20Intelligence%20and%20Azure%20Sentinel%20Threat%20Intelligence%20Product%20Group%20teams%26nbsp%3Bfor%20the%20technical%20brainstorming%2C%20contributing%20and%20proof%20reading!%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.group-ib.com%2Fintelligence-attribution.html%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EGroup-IB%20Threat%20Intelligence%20%26amp%3B%20Attribution%3C%2FA%3E%20(TI%26amp%3BA)%20is%20a%20system%20for%20analyzing%20and%20attributing%20cyberattacks%2C%20threat%20hunting%2C%20and%20protecting%20network%20infrastructure%20based%20on%20data%20relating%20to%20adversary%20tactics%2C%20tools%20and%20activity.%26nbsp%3BTI%26amp%3BA%20combines%20unique%20data%20sources%20and%20experience%20in%20investigating%20high-tech%20crimes%20and%20responding%20to%20complex%20multi-stage%20attacks%20worldwide.%20The%20system%20stores%20data%20on%20threat%20actors%2C%20domains%2C%20IPs%2C%20and%20infrastructures%20collected%20over%20the%20last%2015%20years%2C%20including%20those%20that%20criminals%20attempted%20to%20wipe%20out.%20The%20functionality%20of%20the%20system%20helps%20customize%20it%20to%20the%20threat%20landscape%20not%20only%20relevant%20to%20a%20particular%20industry%2C%20but%20also%20to%20a%20specific%20company%20in%20a%20certain%20country.%26nbsp%3B%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EBelow%20is%20the%20high-level%20architecture%20of%20Group-IB%20TI%26amp%3BA%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorHesham%20Saad_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22gib-architecture.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F269389i2FC4E317B42E4E4A%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22gib-architecture.PNG%22%20alt%3D%22gib-architecture.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESOC%20team%20requirement%20is%20to%20ingest%20Group-IB%20TI%26amp%3BA%20feeds%20%26amp%3B%20indicators%20based%20on%20multiple%20TI%20collections%20to%20Azure%20Sentinel%20(and%20writes%20them%20to%20Microsoft%20Security%20Graph%20API%20to%20be%20listed%20under%20Azure%20Sentinel%20ThreatIntelligenceIndicators%20table%20and%20custom%20log%20tables%20as%20well)%20for%20automatic%20scanning%20and%20detecting%20matched%20TI%20feeds%2Findicators%20across%20their%20organizational%20data%20sources%20logs%20for%20further%20investigation%20and%20analysis.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EImplementation%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EFirst%20let%E2%80%99s%20understand%20and%20get%20more%20technical%20details%20on%20the%20Group-IB%20TI%26amp%3BA%20collections%20to%20see%20how%20we%20can%20ingest%20and%20map%20these%20feeds%2Findicators%20to%20the%20Azure%20Sentinel%20Threat%20Intelligence%20data%20types%20via%20TI%26amp%3BA%20APIs%20and%20Azure%20Sentinel%20Automation%20(Playbooks)%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CTABLE%20width%3D%22684%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3E%3CSTRONG%3Egib-tia%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3E%3CSTRONG%3ECollection%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3E%3CSTRONG%3EHas%20Indicators%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3E%3CSTRONG%3EIndicators%20Content%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3E%3CSTRONG%3EDescription%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_APT_Threats%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Eapt%2Fthreat%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20APT%20Threat%20Indicator(IPv4)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20APT%20Threat%20Indicator(domain)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20APT%20Threat%20Indicator(url)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20APT%20Threat%20Indicator(md5)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20APT%20Threat%20Indicator(sha256)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20APT%20Threat%20Indicator(sha1)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EGroup-IB%20continuously%20monitors%20activities%20undertaken%20by%20hacker%20groups%2C%20investigate%2C%20collect%2C%20and%20analyze%20information%20about%20all%20emerging%20and%20ongoing%20attacks.%20Based%20on%20this%20information%2C%20we%20provide%20IOC's%20related%20to%20APT%20Groups%20Attacks%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_APT_ThreatActor%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Eapt%2Fthreat_actor%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EN%2FA%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThis%20collection%20contains%20APT%20groups%E2%80%99%20info%2C%20with%20detailed%20descriptions%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Attacks_ddos%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Eattacks%2Fddos%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20DDoS%3C%2FP%3E%0A%3CP%3EAttack(IPv4)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%22DDoS%20attacks%22%20collection%20contains%20a%20DDoS%20Attacks%20targets%20and%20C2%20indicators%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Attacks_deface%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Eattacks%2Fdeface%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Attack%20Deface(url)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%E2%80%9CDeface%E2%80%9D%20collection%20contains%20information%20about%20online%20resources%20that%20have%20become%20subject%20to%20defacement%20attacks%20(the%20visual%20content%20of%20a%20website%20being%20substituted%20or%20modified)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Attacks_phishing%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Eattacks%2Fphishing%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Phishing%20Domain(domain)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Phishing%20IP(IPv4)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Phishing%20URL(url)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%E2%80%9CAttacks%20Phishing%22%20collection%20provides%20information%20about%20various%20phishing%20resources%20(including%20URLs%2C%20Domains%20and%20IPs.)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Attacks_phishing_kit%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Eattacks%2Fphishing_kit%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Phishing%20Kit%20Email(email)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%E2%80%9CAtacks%20Phishing%20Kits%E2%80%9D%20collection%20contains%20information%20about%20the%20archives%20of%20phishing%20kits.%20Emails%20gotten%20from%20kits%20can%20be%20obtained%20as%20indicators%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_BP_phishing%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Ebp%2Fphishing%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Phishing%20Domain(domain)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Phishing%20IP(IPv4)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Phishing%20URL(url)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%22BP%20Phishing%22%20collection%20provides%20events%20related%20to%20clients%20company%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_BP_phishing_kit%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Ebp%2Fphishing_kit%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Phishing%20Kit%20Email(email)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%22BP%20Phishing%20Kit%22%20collection%20provides%20phishing%20kits%20related%20to%20clients%20company%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Compromised_account%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Ecompromised%2Faccount%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Compromised%20Account%20CNC(url)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Compromised%20Account%20CNC(domain)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Compromised%20Account%20CNC(IPv4)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThis%20collection%20contains%20credentials%20collected%20from%20various%20phishing%20resources%2C%20botnets%2C%20command-and-control%20(C%26amp%3BC)%20servers%20used%20by%20hackers%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Compromised_card%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Ecompromised%2Fcard%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Compromised%20Card%20CNC%20URL(url)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Compromised%20Card%20CNC%20Domain(domain)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Compromised%20Card%20CNC%20IP(IPv4)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThis%20collection%20contains%20information%20about%20compromised%20bank%20cards.%20This%20includes%20data%20collected%20from%20card%20shops%2C%20specialized%20forums%2C%20and%20public%20sources%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Compromised_imei%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Ecompromised%2Fimei%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Compromised%20IMEI%20CNC%20Domain(domain)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Compromised%20IMEI%20CNC%20URL(url)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Compromised%20IMEI%20CNC%20IP(IPv4)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20section%20contains%20data%20on%20infected%20mobile%20devices%2C%20which%20is%20obtained%20by%20analyzing%20mobile%20botnets.%20It%20does%20not%20contain%20personal%20data%20and%20is%20available%20to%20all%20system%20users%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Compromised_mule%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Ecompromised%2Fmule%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Compromised%20Mule%20CNC%20Domain(domain)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Compromised%20Mule%20CNC%20URL(url)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Compromised%20Mule%20CNC%20IP(IPv4)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThis%20section%20contains%20information%20about%20bank%20accounts%20to%20which%20threat%20actors%20have%20transferred%20or%20plan%20to%20transfer%20stolen%20money.%20Man-in-the-Browser%20(MITB)%20attacks%2C%20mobile%20Trojans%2C%20and%20phishing%20kits%20allow%20fraudsters%20to%20make%20money%20transfers%20automatically.%20Playbook%20provides%20C2%20data%20related%20to%20compromitation%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_HI_Threats%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Ehi%2Fthreat%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20HI%20Threat%20Indicator(domain)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EGroup-IB%20continuously%20monitors%20activities%20undertaken%20by%20hacker%20groups%2C%20investigate%2C%20collect%2C%20and%20analyze%20information%20about%20all%20emerging%20and%20ongoing%20attacks.%20Based%20on%20this%20information%2C%20we%20provide%20IOC's%20related%20to%20Hackers%20Attacks%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_HI_ThreatActor%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Ehi%2Fthreat_actor%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EN%2FA%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThis%20collection%20contains%20non-APT%20groups%E2%80%99%20and%20Individual%20hackers%20info%2C%20with%20detailed%20descriptions%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Malware_cnc%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Emalware%2Fcnc%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Malware%20CNC%20Domain(domain)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Malware%20CNC%20URL(url)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Malware%20CNC%20IP(IPv4)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%22Malware%22%20collection%20contains%20Malwares%20C2%20detected%20by%20group%20IB%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Malware_Targeted_Malware%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Emalware%2Ftargeted_malware%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Malware%20Targeted%20Malware(md5)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Malware%20Targeted%20Malware(sha1)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Malware%20Targeted%20Malware(sha256)%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EGIB%20Malware%20Targeted%20Malware%20Inject(md5)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%E2%80%9CTargeted%20Trojans%E2%80%9D%20section%20contains%20information%20about%20malicious%20programs%20targeting%20the%20client's%20infrastructure.%20Information%20is%20collected%20by%20examining%20a%20multitude%20of%20malicious%20files%20and%20investigating%20various%20incidents%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_OSI_GitLeak%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Eosi%2Fgit_leak%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EN%2FA%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EOpen-source%20repositories%20such%20as%20GitHub%20contain%20codes%20that%20anyone%20can%20search%20for.%20They%20are%20often%20used%20by%20threat%20actors%20planning%20to%20attack%20a%20specific%20company.%20The%20%E2%80%9CGit%20Leaks%E2%80%9D%20section%20contains%20the%20above%20data%20in%20code%20repositories%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_OSI_PublicLeak%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Eosi%2Fpublic_leak%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EN%2FA%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%E2%80%9CPublic%20leaks%E2%80%9D%20collection%20contains%20the%20leaked%20clinets%20data%20collected%20on%20popular%20file-sharing%20resources%20or%20text%2Finformation%20exchange%20websites%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_OSI_Vulnerability%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Eosi%2Fvulnerability%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3ENo%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EN%2FA%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%E2%80%9CVulnerabilities%E2%80%9D%20collection%20displays%20information%20about%20vulnerabilities%20detected%20in%20the%20software%20by%20version%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Suspicious_ip_open_proxy%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Esuspicious_ip%2Fopen_proxy%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Open%20Proxy%20Address(IPv4)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%E2%80%9COpen%20proxy%E2%80%9D%20collection%20proviedes%20information%20about%20lists%20of%20proxy%20servers%20that%20are%20publicly%20available%20on%20various%20online%20resources%20related%20to%20anonymity.%20In%20addition%2C%20proxy%20servers%20may%20be%20configured%20as%20open%20proxies%20intentionally%20or%20as%20a%20result%20of%20misconfiguration%20or%20breaches%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Suspicious_ip_socks_proxy%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Esuspicious_ip%2Fsocks_proxy%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Socks%20Proxy%20Address(IPv4)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%E2%80%9CSocks%20proxy%E2%80%9D%20collection%20providess%20information%20about%20addresses%20where%20malware%20that%20turns%20infected%20computers%20into%20SOCKS%20proxies%20has%20been%20installed.%20Such%20computers%20(bots)%20are%20rented%20out%20and%20used%20in%20various%20attacks%20to%20ensure%20the%20attacker%20as%20much%20anonymity%20as%20possible%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20width%3D%22174%22%3E%3CP%3EGIBTIA_Suspicious_ip_tor_node%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22126%22%3E%3CP%3Esuspicious_ip%2Ftor_node%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%2278%22%3E%3CP%3EYes%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22147%22%3E%3CP%3EGIB%20Tor%20Node%20Address(IPv4)%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20width%3D%22159%22%3E%3CP%3EThe%20%E2%80%9CTor%20Node%E2%80%9D%20collection%20displays%20information%20about%20Tor%20exit%20nodes%2C%20which%20are%20the%20final%20Tor%20relays%20in%20the%20circuit.%20The%20nodes%20act%20as%20a%20medium%20between%20a%20Tor%20client%20and%20public%20Internet%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%23Deployment%20Steps%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThe%20whole%20custom%20connectors%20code%20%26amp%3B%20deployment%20templates%20with%20detailed%20instructions%20and%20considerations%20already%20been%20uploaded%20at%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FSolutions%2FGroup-IB%2FPlaybooks%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Sentinel%20github%20Playbooks%20repo%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EStep(1)%3A%20Azure%20Sentinel%20gib-tia%20Playbooks%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDeploy%20GIBIndicatorsProcessor%20playbook%20first%3C%2FLI%3E%0A%3CLI%3EDeploy%20required%20collections%20Playbooks%20and%20configure%20the%20following%20parameters%3A%3CUL%3E%0A%3CLI%3EGIB%20Username%20-%20is%20a%20login%20to%20access%20G%3CSPAN%3Eroup-IB%20TI%26amp%3BA%26nbsp%3B%3C%2FSPAN%3EWeb%20Interface%3C%2FLI%3E%0A%3CLI%3ESave%20only%20indicators%20-%20set%20to%20true%20if%20only%20indicators%20enrichment%20is%20required%2C%20otherwise%2C%20an%20additional%20table%20in%20Workspace%20with%20full%20event%20content%20will%20be%20created%3C%2FLI%3E%0A%3CLI%3ESome%20collections%20provide%20no%20indicators%2C%20so%20do%20not%20have%20this%20parameter%20configurable%20and%20add%26nbsp%3B%3CSPAN%3EGroup-IB%20TI%26amp%3BA%3C%2FSPAN%3E%20events%20only%20in%20Log%20Workspace%3C%2FLI%3E%0A%3CLI%3EGIB%20Action%20-%20This%20is%20an%20action%20required%20to%20set%20in%20a%20particular%20indicator%20type%20provided%20through%20the%20current%20collection.(The%20action%20to%20apply%20if%20the%20indicator%20is%20matched%20from%20within%20the%20target%20Product%20security%20tool.%20Possible%20values%20are%3A%20unknown%2C%20allow%2C%20block%2C%20alert)%3C%2FLI%3E%0A%3CLI%3EGIB%20API%20URL%20-%20is%20an%20GIB%20TI%26amp%3BA%20API%20URL%3C%2FLI%3E%0A%3CLI%3EConfigure%20API%20Key%20variable.%20API%20Key%20can%20be%20generated%20in%20the%20Profile%20Section%20in%20Group-IB%20TI%26amp%3BA%20Web%20Interface%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSTRONG%3EStep(2)%3A%20Register%20an%20Azure%20AD%20App%20for%20TI%20Indicators%20Graph%20API%20Write%20Access%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EGo%20to%20Azure%20Active%20Directory%20%2F%20App%20Registrations%3C%2FLI%3E%0A%3CLI%3ECreate%20%2BNew%20Registration%3C%2FLI%3E%0A%3CLI%3EGive%20it%20a%20name.%20Click%20Register%3C%2FLI%3E%0A%3CLI%3EClick%20API%20Permissions%20Blade%3C%2FLI%3E%0A%3CLI%3EClick%20Add%20a%20Permission%3C%2FLI%3E%0A%3CLI%3EClick%20Microsoft%20Graph%3C%2FLI%3E%0A%3CLI%3EClick%20Application%20Permissions%3C%2FLI%3E%0A%3CLI%3ECheck%20permissions%20for%20ThreatIndicators%20(ThreatIndicators.ReadWrite.OwnedBy).%20Click%20Add%20permissions%3C%2FLI%3E%0A%3CLI%3EClick%20grant%20admin%20consent%20for%20domain.com%3C%2FLI%3E%0A%3CLI%3EClick%20Certificates%20and%20Secrets%3C%2FLI%3E%0A%3CLI%3EClick%20New%20Client%20Secret%3C%2FLI%3E%0A%3CLI%3EEnter%20a%20description%2C%20select%20never.%20Click%20Add%3C%2FLI%3E%0A%3CLI%3EIMPORTANT.%20Click%20copy%20next%20to%20the%20new%20secret%20and%20paste%20it%20somewhere%20temporarily.%20You%20cannot%20come%20back%20to%20get%20the%20secret%20once%20you%20leave%20the%20blade%3C%2FLI%3E%0A%3CLI%3ECopy%20the%20client%20ID%20from%20the%20application%20properties%20and%20paste%20it%20somewhere%20as%20you%20will%20need%20it%20to%20be%20added%20to%20the%20Playbooks%3C%2FLI%3E%0A%3CLI%3EAlso%20copy%20the%20tenant%20ID%20from%20the%20AAD%20directory%20properties%20blade%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22groupIBSentinelPart6.gif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F269390iEEF9F59CE0344B5D%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22groupIBSentinelPart6.gif%22%20alt%3D%22groupIBSentinelPart6.gif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22groupIBSentinelPart1.gif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F269391iF3B6D9E717FAEFC5%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22groupIBSentinelPart1.gif%22%20alt%3D%22groupIBSentinelPart1.gif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22groupIBSentinelPart3.gif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F269392i2E731133AB3811F2%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22groupIBSentinelPart3.gif%22%20alt%3D%22groupIBSentinelPart3.gif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22groupIBSentinelPart5.gif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F269395i65CDA67F87E74CE3%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22groupIBSentinelPart5.gif%22%20alt%3D%22groupIBSentinelPart5.gif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22groupIBSentinelPart4.gif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F269393i25FD59D0A718BFAA%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22groupIBSentinelPart4.gif%22%20alt%3D%22groupIBSentinelPart4.gif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EDetection%20%26amp%3B%20Investigation%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20sample%20Azure%20Sentinel%20Analytics%20rule%20to%20identify%20a%20match%20in%20CommonSecurityLog%20Event%20data%20from%20any%20FileHash%20IOC%20from%20gib-tia%2C%20we%20highly%20recommend%20you%20to%20check%20out%20the%20list%20of%20the%20Azure%20Sentinel%20TI%20Out%20of%20the%20box%20TI%20analytics%20rules%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-javascript%22%3E%3CCODE%3E%2F%2Fgib-tia%20TI%20map%20File%20Hash%20to%20CommonSecurityLog%20Event%20data%20sources%20in%20Azure%20Sentinel%2C%20to%20identify%20a%20match%20in%20CommonSecurityLog%20Event%20data%20from%20any%20FileHash%20IOC%20from%20gib-tia%0A%0Alet%20dt_lookBack%20%3D%201h%3B%0A%0Alet%20ioc_lookBack%20%3D%2014d%3B%0A%0Alet%20fileHashIndicators%20%3D%20ThreatIntelligenceIndicator%0A%0A%7C%20where%20SourceSystem%20%3D%3D%20%22SecurityGraph%22%20and%20ThreatType%20%3D%3D%20%22Malware%22%0A%0A%7C%20where%20TimeGenerated%20%26gt%3B%3D%20ago(ioc_lookBack)%20and%20ExpirationDateTime%20%26gt%3B%20now()%0A%0A%7C%20where%20Active%20%3D%3D%20true%0A%0A%7C%20where%20isnotempty(FileHashValue)%3B%0A%0A%2F%2F%20Handle%20matches%20against%20both%20lower%20case%20and%20uppercase%20versions%20of%20the%20hash%3A%0A%0A(%20fileHashIndicators%20%7C%20extend%20%20FileHashValue%20%3D%20tolower(FileHashValue)%0A%0A%20%20%7Cunion%20(fileHashIndicators%20%7C%20extend%20FileHashValue%20%3D%20toupper(FileHashValue)))%0A%0A%7C%20%20join%20(%0A%0A%20%20%20CommonSecurityLog%20%7C%20where%20TimeGenerated%20%26gt%3B%3D%20ago(dt_lookBack)%0A%0A%20%20%20%7C%20where%20isnotempty(FileHash)%0A%0A%20%20%20%7C%20extend%20CommonSecurityLog_TimeGenerated%20%3D%20TimeGenerated%0A%0A)%0A%0Aon%20%24left.FileHashValue%20%3D%3D%20%24right.FileHash%0A%0A%7C%20summarize%20LatestIndicatorTime%20%3D%20arg_max(TimeGenerated%2C%20*)%20by%20IndicatorId%0A%0A%7C%20project%20LatestIndicatorTime%2C%20Description%2C%20ActivityGroupNames%2C%20IndicatorId%2C%20ThreatType%2C%20Url%2C%20ExpirationDateTime%2C%20ConfidenceScore%2C%0A%0ACommonSecurityLog_TimeGenerated%2C%20SourceIP%2C%20SourcePort%2C%20DestinationIP%2C%20DestinationPort%2C%20SourceUserID%2C%20SourceUserName%2C%20DeviceName%2C%20DeviceAction%2C%0A%0ARequestURL%2C%20DestinationUserName%2C%20DestinationUserID%2C%20ApplicationProtocol%2C%20Activity%0A%0A%7C%20extend%20timestamp%20%3D%20CommonSecurityLog_TimeGenerated%2C%20IPCustomEntity%20%3D%20SourceIP%2C%20HostCustomEntity%20%3D%20DeviceName%2C%20AccountCustomEntity%20%3D%20SourceUserName%2C%20URLCustomEntity%20%3D%20Url%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22groupIBSentinelPart7.gif%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F269396i96ABC6E7582BB1DA%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22groupIBSentinelPart7.gif%22%20alt%3D%22groupIBSentinelPart7.gif%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EGet%20started%20today!%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20encourage%20you%20to%20try%20it%20now!%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20contribute%20new%20connectors%2C%20workbooks%2C%20analytics%20and%20more%20in%20Azure%20Sentinel.%20Get%20started%20now%20by%20joining%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fthreathunters%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Sentinel%20Threat%20Hunters%20GitHub%20community%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2252904%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20you%20using%20Group-IB%20Threat%20Intelligence%20(TI%26amp%3BA)%20system%20and%20looking%20for%20a%20custom%20connector%20to%20integrate%20with%20Azure%20Sentinel%20and%20your%20SOC%20team%20can%20create%20custom%20analytics%20detection%20rules%20to%20automatically%20scan%20and%20detect%20matching%20CTI%20feeds%2Findicators%20across%20your%20organizational%20data%20sources%20logs%20for%20further%20investigation%20and%20analysis%20%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20your%20back%2C%20Group-IB%20%26amp%3B%20Microsoft%20teams%20supported%20and%20built%20a%20custom%20Azure%20Sentinel%20Playbooks%20(connector)%20that%20covers%20the%20majority%20of%20Group-IB%20Threat%20Intelligence%20%26amp%3B%20Attribution%20data%20collections!%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2252904%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Sentinel%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDetection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EHunting%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EInvestigation%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EThreat%20Intelligence%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Apr 07 2021 11:36 PM
Updated by: