Cyware Threat Intelligence eXchange

Mandiant Threat Intelligence

Connector Category: API Feed Source

About Integration

Mandiant Threat Intelligence provides contextually rich threat intelligence data about indicators of compromise (IOCs). Intel Exchange integrates with Mandiant Threat Intelligence to retrieve feeds about the following threat objects:

  • Indicators

    Note

    The indicator feeds include IP, MD5, SHA1, SHA256, other hash types, Domain, Email, and URL indicator types. MD5 hashes are directly ingested into Intel Exchange, and the related SHA1, SHA256, and other hash types are reflected as custom attributes of the MD5 hash.

  • Malware

  • Threat actors

  • Vulnerabilities

  • Threat campaigns

  • Intel reports

Use Cases 

  • Capitalize on the detailed information received from Mandiant about Threat Actors and Campaigns and use it to make data-driven decisions on offensive and defensive measures to protect the organization from cyber-attacks.

  • Use the data received on these feeds to add additional context on indicators observed on the infrastructure or received via RSS and Twitter feeds.

  • Extend threat visibility by ingesting Mandiant’s threat intelligence feeds in STIX format, together with its reports, into CTIX.

  • Ingest threat intelligence feeds in multiple formats, such as JSON, STIX, RSS feeds, emails, Twitter feeds, and many more.

Benefits 

  • Get comprehensive threat intel data to make it easier for analysts to view relationships between threat data objects while investigating threats.

  • Receive the latest alerts on constantly changing adversary tactics, techniques, and procedures (TTPs) to defend against evolving threats.

Configure Mandiant as API Feed Source

Configure Mandiant Threat Intelligence as an API feed source to receive threat data feeds.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in CTIX.

  • You must have the base URL, API key, and secret key of your Mandiant Threat Intelligence account.

    Note

    Ensure that the API key includes the permissions to retrieve threat data. If the API key does not have permission to retrieve a threat data feed, then the respective feed channel is disabled automatically and displays a connection error.

Steps 

To configure Mandiant as an API feed source in CTIX, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Click Add API source.

  3. Search and select the Mandiant Threat Intelligence app.

  4. Click Add Instance.

  5. Enter a unique name to identify the instance. For example, Mandiant-Prod.

  6. Enter the base URL of your Mandiant Threat Intelligence v4 instance. The default base URL for the Mandiant Threat Intelligence v4 app is https://api.intelligence.mandiant.com/.

  7. Enter the API key and secret key of your Mandiant account to authenticate communication between the CTIX and Mandiant servers.

  8. Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and Mandiant servers. By default, Verify SSL is selected.

    Note

    Cyware recommends that you select Verify SSL. If you disable this option, CTIX may configure an instance against a server with an expired SSL certificate; the connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection.

  9. Click Save.

The Mandiant instance is configured and you can view the Mandiant feed channels. You can configure multiple instances by clicking Manage > Add More.

Configure Mandiant Feed Channels

Configure the feed channels to retrieve threat data feeds from Mandiant Threat Intelligence and store the feeds in a collection.

Steps 

To configure the Fetch Indicator Feeds v4 channel, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Search and select the Mandiant Threat Intelligence app.

  3. Click the ellipsis on the top right corner and select Manage.

  4. Click Manage Feed Channels.

  5. Select the Fetch Indicator Feeds v4 channel and enable the toggle.

  6. Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

  7. Enter the name of the collection to group the feed data. For example, Mandiant Indicators Feeds. CTIX creates the collection and stores all the feeds from the feed channel.

  8. In Data Preference, provide the following details:

    • IC Score Threshold: Enter a confidence score to ingest only indicator feeds whose mscore (IC Score) is equal to or higher than the specified value. For example, 80. Indicator feeds with a confidence score lower than the specified value are excluded from ingestion.

    • OS Intelligence: Select this option to include open-source intelligence data in the ingested feeds. By default, this option is selected.

  9. Select from one of the following Polling Cron Schedule types to define when to poll the data:

    • Manual: Allows you to manually poll from the source collection.

    • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.

      • Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.

  10. Set a default TLP and confidence score to assign to the feeds that do not have a TLP and confidence score already assigned. By default, the default TLP and confidence score are set to Amber and 100 respectively.

  11. Select any tags to identify and categorize the feeds.

  12. Click Save.

The feed channel is configured and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.

Note

The Fetch Threat Actor Feeds v4, Fetch Malware Feeds v4, and Fetch Threat Campaigns Feeds v4 channels retrieve the complete feed list. However, only the feeds with a last updated time greater than or equal to the configured polling start date and time are ingested.
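The Data Preference rules of the Fetch Indicator Feeds v4 channel (IC Score Threshold, OS Intelligence, default TLP) and the last-updated rule from the Note, modelled in Python as an added example that is not CTIX's or Mandiant's code. The sample records are constructed; their field names (mscore, last_updated, sources[].osint, associated_hashes) are assumptions about the Mandiant v4 indicator shape, and applying the last-updated rule to indicators is likewise an assumption.

```python
# Added illustration, not CTIX/Mandiant code. Records are constructed and only loosely shaped like
# Mandiant v4 indicator objects; mscore, last_updated, sources[].osint, associated_hashes are assumed names.
from datetime import datetime, timezone

SAMPLE_INDICATORS = [
    # Constructed MD5 with related hashes, high mscore, Mandiant-sourced.
    {"type": "md5", "value": "00112233445566778899aabbccddeeff", "mscore": 92,
     "last_updated": "2024-05-02T10:00:00Z", "sources": [{"osint": False}],
     "associated_hashes": [{"type": "sha1", "value": "0123456789abcdef" * 2 + "01234567"},
                           {"type": "sha256", "value": "00" * 32}]},
    # mscore below an IC Score Threshold of 80: excluded.
    {"type": "ipv4", "value": "192.0.2.10", "mscore": 55,
     "last_updated": "2024-05-03T08:30:00Z", "sources": [{"osint": False}]},
    # Open-source-only indicator: kept only when OS Intelligence is selected.
    {"type": "fqdn", "value": "osint.example", "mscore": 85,
     "last_updated": "2024-05-03T09:00:00Z", "sources": [{"osint": True}]},
    # Last updated before the polling start date: excluded.
    {"type": "url", "value": "http://stale.example/x", "mscore": 99,
     "last_updated": "2024-04-01T00:00:00Z", "sources": [{"osint": False}]},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_osint_only(ind):
    # An indicator counts as open-source intelligence when every source is OSINT.
    sources = ind.get("sources", [])
    return bool(sources) and all(s.get("osint", False) for s in sources)

def to_ctix_object(ind, default_tlp):
    """MD5 is ingested as the indicator; SHA1/SHA256 become custom attributes."""
    obj = {"type": ind["type"], "value": ind["value"],
           "confidence": ind["mscore"], "tlp": ind.get("tlp", default_tlp)}
    if ind["type"] == "md5":
        obj["custom_attributes"] = {h["type"]: h["value"]
                                    for h in ind.get("associated_hashes", [])}
    return obj

def select_for_ingest(indicators, ic_threshold, include_osint, poll_start, default_tlp="amber"):
    """Apply the IC Score Threshold, OS Intelligence and polling start date rules."""
    start = parse_ts(poll_start)
    return [to_ctix_object(ind, default_tlp) for ind in indicators
            if ind["mscore"] >= ic_threshold                 # IC Score Threshold
            and (include_osint or not is_osint_only(ind))    # OS Intelligence
            and parse_ts(ind["last_updated"]) >= start]      # polling start date
```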

Test Mandiant Feed Channel Connectivity

Test the connectivity of the Mandiant Threat Intelligence API feed channels to ensure that the connection with the correct API endpoint is established and you have permission to poll feeds.

Before you Start 

  • Ensure that the Mandiant Threat Intelligence API integration is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Search and select the Mandiant Threat Intelligence app.

  3. On a feed channel, click the vertical ellipsis and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When the connectivity of a feed channel breaks, CTIX disables the channel and re-attempts to restore the connectivity three times every hour. After a successful re-attempt to restore the connectivity, CTIX enables the feed channel automatically.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

Mandiant Feed Channels

CTIX provides various channels to poll feeds from Mandiant. The following table lists the feed channels and the API endpoints used to retrieve feeds:

Feed Channel                    API Endpoint
Fetch Threat Actor Feeds v4     {{base-url}}v4/actor
Fetch Malware Feeds v4          {{base-url}}v4/malware
Fetch Vulnerability Feeds v4    {{base-url}}v4/vulnerability
Fetch Report Feeds v4           {{base-url}}v4/reports
Threat Campaigns Feeds v4       {{base-url}}v4/campaign
Fetch Indicator Feeds v4        {{base-url}}v4/indicator