Mandiant
Connector Category: Enrichment Tool
About Integration
CTIX integrates with Mandiant to enrich threat data by providing valuable context about cyber threats, threat actors, attack techniques, and indicators of compromise (IOCs) to help you make more informed decisions and respond effectively to cyber incidents.
Use Cases
Get up-to-date information on known threat actors, their tactics, techniques, and procedures (TTPs), and the latest cyber threats.
Correlate threat data objects to get insightful threat intelligence.
Understand the attack patterns and techniques used by threat actors.
Get cyber threat reports that provide in-depth analysis of recent cyberattacks, trends, and threat actor behavior. These reports offer actionable intelligence to help organizations adapt their security strategies.
Benefits
Enrich threat data objects in real time.
Get actionable intelligence to improve security strategies.
Get the IOCs related to specific cyber threats or attacks. These IOCs can include IP addresses, domains, file hashes, and other artifacts associated with malicious activity.
Configure Mandiant as Enrichment Tool
Configure Mandiant to enrich IP addresses, domains, URLs, hashes, and vulnerabilities.
Before you Start
You must have the view, create, and update permissions for Enrichment Management in CTIX.
You must have the base URL, API key, and secret key of your Mandiant account.
Note
Ensure that the API key includes the permissions to retrieve threat data details.
Steps
To configure Mandiant as an enrichment tool in CTIX, do the following:
Sign in to CTIX and go to Administration > Enrichment Management > Enrichment Tools.
Search and select one of the following enrichment tools:
Mandiant Threat Intelligence: Select this app to enrich using the Mandiant Threat Intelligence app version 3.
Mandiant Threat Intelligence v4: Select this app to enrich using the Mandiant Threat Intelligence app version 4.
Click Add Account.
Enter a unique account name to identify the instance. For example, Prod_Mandiant.
Enter the base URL of your Mandiant instance. The default base URLs are:
Mandiant Threat Intelligence:
https://api.intelligence.fireeye.com/Mandiant Threat Intelligence v4:
https://api.intelligence.mandiant.com/
Enter the API key and secret key of your Mandiant account to authenticate communication between the CTIX and Mandiant servers.
Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and Mandiant servers. By default, Verify SSL is selected.
Note
Cyware recommends you select Verify SSL. If you disable this option, CTIX may configure an instance for an expired SSL certificate. This may not establish the connection properly and CTIX will not be able to notify you in case of a broken or improper connection.
Click Save.
After successfully adding an account, you can view and enable the Mandiant feed enrichment types. You can also configure quota to define a limit to the number of enrichment requests a Mandiant account makes. After the quota expires, you can not make enrichment requests until the quota resets for the next quota duration. For more information, see Define Quota in Configure Enrichment Tools.
To understand the number of API calls and quota units consumed by the Mandiant enrichment tool per polling, refer to the following table.
Enrichment Tool | Feed Enrichment Type | No. of API calls | Quota Consumed |
|---|---|---|---|
Mandiant | Domain | 1 | 1 |
Vulnerability | 1 | 1 | |
Hash | 1 | 1 | |
IP | 1 | 1 | |
URL | 1 | 1 |
You can configure an enrichment policy to automatically enrich threat data objects using the Mandiant enrichment tool. For more information, see Configure Enrichment Policy.