
Cyware Orchestrate

Mandiant Threat Intelligence 1.0.0

App Vendor: FireEye

App Category: Data Enrichment & Threat Intelligence

Connector Version: 1.1.0

API Version: 1.0.0

Hostname: https://api.intelligence.fireeye.com

Default Port: 443

About App

The Mandiant Threat Intelligence app allows security teams to integrate with the Mandiant Threat Intelligence enterprise application to retrieve alerts, threats, and indicators for threat detection purposes.

The Mandiant Threat Intelligence app in the Orchestrate application can perform the listed actions:

| Action Name | Description |
| --- | --- |
| Get a list of Indicators | This action can be used to retrieve a list of indicators from the FireEye Threat Intelligence application. |
| Get a list of Reports | This action can be used to retrieve a list of reports from the FireEye Threat Intelligence application. |
| Get a list of Alerts | This action can be used to retrieve a list of alerts from the FireEye Threat Intelligence application. |
| Search Indicators | This action performs searches across all collections on FireEye Mandiant Threat Intelligence. |
| Generic Action | This is a generic action to perform any additional use case that you want on FireEye Mandiant. |

Prerequisites

All the actions configured in the Mandiant Threat Intelligence app use private APIs. A Mandiant Threat Intelligence Enterprise subscription is required to access the private APIs.

Configuration parameters

The following configuration parameters are required for the Mandiant Threat Intelligence app to communicate with the Mandiant Threat Intelligence Enterprise application. The parameters are configured by creating instances in the app.

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| API key | Enter the API key. | Password | Required | |
| API secret | Enter the API secret. | Password | Required | |
| Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Mandiant Threat Intelligence. | Integer | Optional | Allowed range: 15 - 120 secs. Default value: 15 secs |
| Verify | Optional preference to either verify or skip TLS certificate verification. | Boolean | Optional | Allowed values: True, False. Default value: False |

Action: Get a list of Indicators

This action can be used to retrieve a list of Indicators from the FireEye Threat Intelligence application.

Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Additional parameters | Enter the additional parameters. | Key Value | Optional | Allowed values: listed below |

Allowed values:

  • added_after (int): timestamp in epoch format.

  • length (int): number of results to return; default 50, maximum 1000.

  • match.id (str): STIX UUID used as the ID; this is the STIX ID of the object the user would like to receive.

  • match.status (str): filters on whether the indicator is in an "active" state or has been "revoked".

Example Request

[
  {
    "extra_params": {
      "length": "100",
      "match.id": "123",
      "match.status": "active"
    }
  }
]

Action: Get a list of Reports

This action can be used to retrieve a list of Reports from the FireEye Threat Intelligence application.

Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Additional parameters | Enter the additional parameters. | Key Value | Optional | Allowed values: listed below |

Allowed values:

  • added_after (int): timestamp in epoch format.

  • length (int): number of results to return; default 50, maximum 1000.

  • match.id (str): STIX UUID used as the ID; this is the STIX ID of the object the user would like to receive.

  • match.status (str): filters on whether the report is in an "active" state or has been "revoked".

  • match.document_id (str): restricts this endpoint to a single report, identified by its report ID.

  • match.subscription (str): one of cyber-crime, cyber-espionage, hacktivism, cyber-physical, strategic, fusion, operational, vulnerability, standard.

  • match.report_type (str): filters on a report type; can be used for multiple report types.

  • match.actor_name (str): the actor's name.

  • match.malware_name (str): the name of the malware family.

Example Request

[
  {
    "extra_params": {
      "added_after": "1606780800",
      "length": "100",
      "match.id": "<Sample ID>",
      "match.status": "active",
      "match.document_id": "<Sample document ID>",
      "match.subscription": "cyber-crime",
      "match.report_type": "<Sample report_type>",
      "match.actor_name": "<Sample actor_name>",
      "match.malware_name": "<Sample malware_name>"
    }
  }
]

Action: Get a list of Alerts

This action can be used to get a list of Alerts from the FireEye Threat Intelligence application.

Input Parameters

| Parameter | Description | Field Type | Required / Optional | Comments |
| --- | --- | --- | --- | --- |
| Additional parameters | Enter the additional parameters. | Key Value | Optional | Allowed values: listed below |

Allowed values:

  • added_after (int): timestamp in epoch format.

  • length (int): number of results to return; default 50, maximum 1000.

  • match.alert_type (str): one of forum_post, tweet, web_content_publish, paste, email_analysis, domain_discovery, document_analysis.

  • match.alert_categories (str): one of social-media, forums, documents, malware-repository, network-indicators, web-content, paste-sites.

  • match.status (str): filters alerts by status; one of new, new_requested, investigated, under_investigation, closed, closed_investigated.

  • match.id (str): STIX UUID used as the ID; this is the STIX ID of the alert object the user would like to receive.

  • match.alert_severity (str): one of low, medium, high, critical.

Example Request

[
  {
    "extra_params": {
      "added_after": "1606780800",
      "length": "100",
      "match.alert_type": "forum_post",
      "match.alert_categories": "forums",
      "match.id": "<Sample ID>",
      "match.status": "active",
      "match.alert_severity": "low"
    }
  }
]

Action: Search Indicators
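The three list actions above (Indicators, Reports, Alerts) share the same extra_params shape and the same documented constraints. The following added example (not Cyware's or Mandiant's code) builds and validates that body in Python from the keys, ranges and enumerated values documented for those actions; the function name build_extra_params and its since parameter are assumptions of this example.

```python
# Added example (not Cyware's or Mandiant's code): builds and validates the
# "extra_params" body for the Get a list of Indicators / Reports / Alerts
# actions using only the keys, ranges and enumerations documented on this page.
COMMON = {"added_after", "length", "match.id", "match.status"}
ALLOWED_KEYS = {
    "indicators": COMMON,
    "reports": COMMON | {"match.document_id", "match.subscription", "match.report_type",
                         "match.actor_name", "match.malware_name"},
    "alerts": COMMON | {"match.alert_type", "match.alert_categories", "match.alert_severity"},
}
# Enumerated values as listed in the parameter descriptions above.
ENUMS = {
    "match.subscription": {"cyber-crime", "cyber-espionage", "hacktivism", "cyber-physical",
                           "strategic", "fusion", "operational", "vulnerability", "standard"},
    "match.alert_type": {"forum_post", "tweet", "web_content_publish", "paste",
                         "email_analysis", "domain_discovery", "document_analysis"},
    "match.alert_categories": {"social-media", "forums", "documents", "malware-repository",
                               "network-indicators", "web-content", "paste-sites"},
    "match.alert_severity": {"low", "medium", "high", "critical"},
}
STATUS = {  # match.status values differ per action
    "indicators": {"active", "revoked"}, "reports": {"active", "revoked"},
    "alerts": {"new", "new_requested", "investigated", "under_investigation",
               "closed", "closed_investigated"},
}
DEFAULT_LENGTH, MAX_LENGTH = 50, 1000


def build_extra_params(action, since=None, length=DEFAULT_LENGTH, filters=None):
    """Return the [{"extra_params": {...}}] list the action expects; `since` is a
    timezone-aware datetime turned into epoch seconds for added_after. Unknown keys,
    an out-of-range length or an undocumented enum value raise ValueError."""
    allowed = ALLOWED_KEYS[action]
    length = int(length)
    if not 1 <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between 1 and {MAX_LENGTH}, got {length}")
    params = {"length": str(length)}
    if since is not None:
        if since.tzinfo is None:
            raise ValueError("since must be timezone-aware so the epoch value is unambiguous")
        params["added_after"] = str(int(since.timestamp()))
    for key, value in (filters or {}).items():
        if key not in allowed:
            raise ValueError(f"{key!r} is not a documented filter for {action}")
        valid = STATUS[action] if key == "match.status" else ENUMS.get(key)
        if valid is not None and value not in valid:
            raise ValueError(f"{value!r} is not an allowed value for {key}")
        params[key] = str(value)
    return [{"extra_params": params}]  # values are strings, as in the examples above
```

Rejecting undocumented keys and values locally keeps a playbook from silently sending a filter the API ignores, which would otherwise return an unfiltered (and possibly much larger) result set.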

This action searches for indicators across all collections on FireEye Mandiant Threat Intelligence.

Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Indicator Type | Enter the indicator type. Example: "ipv4-addr" | Text | Optional | |
| Query | Enter the query to search for indicators. Example: "value = '164.132.67.216'" | Text | Optional | |
| Include Connected Objects | Choose whether to include connected objects. Example: "true" | Boolean | Optional | Allowed values: True, False |
| Extra Params | Enter the additional parameters. Example: "limit=10" | Key Value | Optional | |

Action: Generic Action

This is a generic action to perform any additional use case that you want on FireEye Mandiant Threat Intelligence.

Input Parameters

| Parameter | Description | Field Type | Required/Optional | Comments |
| --- | --- | --- | --- | --- |
| Method | Enter the HTTP method to perform an action. Example: GET | Text | Optional | Allowed values: GET, PUT, DELETE, POST |
| Endpoint | Enter the endpoint to make the request. Example: /search/instances | Text | Required | |
| Query params | Enter the query parameters to pass to the API. | Key Value | Optional | |
| Payload | Enter the payload to pass to the API. | Any | Optional | |
| Additional fields | Enter the additional parameters to pass. For the available keys, see the list below. Example: {'download': true, 'custom_output': 'this is a custom output'} | Key Value | Optional | Available keys: listed below |

Available keys:

  • payload_data (Dictionary)

  • custom_output (String)

  • download (Boolean)

  • filename (String)

  • files (Tuple)

  • retry_wait (Integer)

  • retry_count (Integer)

  • response_type (String)