Applied Threat Intelligence fusion feed overview
The Mandiant Fusion indicator feed is a collection of indicators of compromise (IOCs), including hashes, IPs, domains, and URLs, that are associated with known threat actors, malware strains, active campaigns, and finished intelligence reporting. To ensure maximum value, the feed also includes IOCs that Mandiant Intelligence has carefully checked and validated from open-source feeds, ensuring high accuracy. Mandiant's curation process consists of the following steps.
Frontline incident response: Mandiant analysts gain first-hand knowledge of attacker tools and techniques while investigating breaches.
Threat research: Dedicated teams track threat actors, analyze malware, and uncover emerging attack infrastructure.
Contextualization: IOCs are mapped to specific threats and campaigns which helps in understanding and prioritization of incidents.
The Breach Analytics feed builds upon Fusion, adding indicators associated with new and emerging breaches that Mandiant is actively investigating. It provides real-time insights into the latest attack trends. YARA-L rules can utilize contextual information from the Applied Threat Intelligence Fusion Feed to enhance simple indicator matching rules. It includes associated threat groups, presence of an indicator in a compromised environment, or Mandiant's automated confidence score of maliciousness.
Write YARA-L rules with the Fusion Feed
The process of writing YARA-L rules using Fusion Feed is similar to writing YARA-L rules with other context entity sources. For more information about how to write this type of YARA-L rule, see Create context-aware analytics.
Events and match section
To write a rule, filter the selected context entity graph.
In this case, it is Fusion feed. Then, filter on a specific indicator
type. For example, FILE. The following is an example.
events:
$context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
$context_graph.graph.metadata.entity_type = "FILE"
Similar to YARA-L rules that don't use context entities, you can add any other
conditions of the event or context entity in the events section.
you can join a field from the context entity and UDM event field. In the following
example, the placeholder variable ioc is used to do a transitive
join between the context entity and the event. This placeholder variable is then used
in the match section to ensure a match in a particular timeframe.
$ioc = $context_graph.graph.entity.file.md5
$ioc = $e1.principal.process.file.md5
match:
$ioc over 1h
For more information about context entity fields that can be leveraged in YARA-L rules, see the Fusion Feed context entity fields section.
Outcome section
Continuing with the previous example, the basic indicator matching rule is set up
against file hashes places in the context entities at the graph.entity.file.md5
field and principal.process.file.md5 UDM field.
This simple matching rule can match a large number of events. Hence, it is
recommended to refine the rule match on context entities that have particular
intelligence that is of interest.
For example, this can include the confidence score assigned to the indicator
by Mandiant, whether it was seen in a breached environment, or the malware family
associated with the indicator. This can all be done in the outcome
section of the rule.
outcome:
// Extract the Mandiant Automated Intel confidence score of maliciousness
$confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
// Extract the status of the indicator as seen in a breached environment
$breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))
// Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
// Return 1 if conditions are met, otherwise return 0.
$matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)
In the outcome section of the YARA-L rule, the confidence score is
extracted using an if statement wrapped in a max function. This technique is
required for multi-event rules. The same technique is used to extract the
pwn variable from verdict_info, which indicates if an
indicator has been seen in a breached environment as identified by Mandiant.
These two outcome variables are then combined together in another
matched_conditions variable, which allows the use of chained logic
in the condition section.
Condition section
The condition section ensures that e1,
context_graph, and matched_conditions exist and or
match the specified condition.
condition:
// Ensure $e1, $context_graph and $matched_conditions conditions are met.
$e1 AND $context_graph AND $matched_conditions = 1
Complete YARA-L rule
At this point the rule is ready for use and should look like the following:
rule fusion_feed_example_principal_process_file_md5 {
meta:
rule_name = "File Hash - Applied Threat Intelligence"
description = "Matches file hashes against the Applied Threat Intelligence Fusion Feed."
events:
// Filter graph
$context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$context_graph.graph.metadata.entity_type = "FILE"
$context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
// Do join
$ioc = $context_graph.graph.entity.file.md5
$ioc = $e1.principal.process.file.md5
match:
$ioc over 1h
outcome:
// Extract the Mandiant Automated Intel confidence score of maliciousness
$confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
// Extract the status of the indicator as seen in a breached environment
$breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))
// Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
// Return 1 if conditions are met, otherwise return 0.
$matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)
condition:
// Ensure $e1, $context_graph and $matched_conditions conditions are met.
$e1 AND $context_graph AND $matched_conditions = 1
}
Fusion Feed context entity fields
You can use many fields from the Mandiant Fusion indicator feed in rules. These fields are all defined in the Unified Data Model field list. The following fields are relevant for prioritizing indicators:
| Entity field | Possible values |
|---|---|
metadata.threat.associations.type |
MALWARE, THREAT_ACTOR |
metadata.threat.associations.name |
Threat association name |
metadata.threat.verdict_info.pwn |
TRUE, FALSE |
metadata.threat.verdict_info.pwn_first_tagged_time.seconds |
Timestamp (seconds) |
Some fields have key-value pairs that need to be used in combination to access the correct values. Following is an example.
| Entity field 1 | Values | Entity field 2 | Values |
|---|---|---|---|
metadata.threat.verdict_info.source_provider |
Mandiant Global Intel | metadata.threat.verdict_info.global_hits_count |
Integer |
metadata.threat.verdict_info.source_provider |
Mandiant Global Intel | metadata.threat.verdict_info.global_customer_count |
Integer |
metadata.threat.verdict_info.source_provider |
Mandiant Analyst Intel | metadata.threat.verdict_info.confidence_score |
Integer |
metadata.threat.verdict_info.source_provider |
Mandiant Automated Intel | metadata.threat.verdict_info.confidence_score |
Integer |
In the outcome section of a YARA-L rule, you can access a value designated
by a specific key using the following command:
$hit_count = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Global Intel", $context_graph.graph.metadata.threat.verdict_info.global_hits_count, 0))
Examining entity matches in Google Security Operations lets you to gain a comprehensive view of the data, revealing additional fields that can be valuable in assessing the priority and context of an indicator alert.
The following is an example of a Fusion Feed context entity as an initial reference point.
{
"metadata": {
"product_entity_id": "md5--147d19e6-cdae-57bb-b9a1-a8676265fa4c",
"collected_timestamp": {
"seconds": "1695165683",
"nanos": 48000000
},
"vendor_name": "MANDIANT_FUSION_IOC",
"product_name": "MANDIANT_FUSION_IOC",
"product_version": "1710194393",
"entity_type": "FILE",
"creation_timestamp": {
"seconds": "1710201600"
},
"interval": {
"start_time": {
"seconds": "1"
},
"end_time": {
"seconds": "253402300799"
}
},
"threat": [
{
"category_details": [
"A phishing email message or the relevant headers from a phishing email."
],
"severity_details": "HIGH",
"confidence_details": "75",
"risk_score": 75,
"first_discovered_time": {
"seconds": "1683294326"
},
"associations": [
{
"id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
"type": "THREAT_ACTOR",
"name": "UNC2633"
},
{
"id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
"country_code": [
"unknown"
],
"type": "THREAT_ACTOR",
"name": "UNC2633",
"description": "UNC2633 is a distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. In early 2023, UNC2633 started distributing OneNote files (.one) that usually led to QAKBOT. It has also leveraged HTML smuggling to distribute ZIP files containing IMG files that contain LNK files and malware payloads.",
"alias": [
{
"name": "TA570 (Proofpoint)"
}
],
"first_reference_time": {
"seconds": "1459085092"
},
"last_reference_time": {
"seconds": "1687392000"
},
"industries_affected": [
"Aerospace & Defense",
"Agriculture",
"Automotive",
"Chemicals & Materials",
"Civil Society & Non-Profits",
"Construction & Engineering",
"Education",
"Energy & Utilities",
"Financial Services",
"Governments",
"Healthcare",
"Hospitality",
"Insurance",
"Legal & Professional Services",
"Manufacturing",
"Media & Entertainment",
"Oil & Gas",
"Pharmaceuticals",
"Retail",
"Technology",
"Telecommunications",
"Transportation"
]
}
],
"campaigns": [
"CAMP.23.007"
],
"last_updated_time": {
"seconds": "1695165683",
"nanos": 48000000
},
"verdict_info": [
{
"source_provider": "Mandiant Automated Intel",
"confidence_score": 75
},
{
"verdict_type": "ANALYST_VERDICT",
"confidence_score": 75
},
{
"source_count": 91,
"response_count": 1,
"verdict_type": "PROVIDER_ML_VERDICT",
"malicious_count": 1,
"ioc_stats": [
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Knowledge Graph",
"quality": "HIGH_CONFIDENCE",
"malicious_count": 1,
"response_count": 1,
"source_count": 8
},
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Malware Analysis",
"source_count": 4
},
{
"ioc_stats_type": "MANDIANT_SOURCES",
"second_level_source": "Spam Monitoring",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"second_level_source": "Crowdsourced Threat Analysis",
"source_count": 71
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "MISP",
"second_level_source": "Trusted Software List",
"source_count": 3
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Digitalside It Hashes",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Tds Harvester",
"source_count": 1
},
{
"ioc_stats_type": "THIRD_PARTY_SOURCES",
"first_level_source": "Threat Intelligence Feeds",
"second_level_source": "Urlhaus",
"source_count": 1
}
]
},
{
"source_provider": "Mandiant Analyst Intel",
"confidence_score": 75,
"pwn": true,
"pwn_first_tagged_time": {
"seconds": "1683911695"
}
}
],
"last_discovered_time": {
"seconds": "1683909854"
}
}
],
"source_type": "GLOBAL_CONTEXT",
"source_labels": [
{
"key": "is_scanner",
"value": "false"
},
{
"key": "osint",
"value": "false"
},
{
"key": "misp_akamai",
"value": "false"
},
...
{
"key": "has_pwn",
"value": "2023-05-12T17:14:55.000+0000"
}
],
"event_metadata": {
"id": "\\000\\000\\000\\000\\034Z\\n\\2545\\237\\367\\353\\271\\357\\302\\215t\\330\\275\\237\\000\\000\\000\\000\\007\\000\\000\\000\\206\\000\\000\\000",
"base_labels": {
"log_types": [
"MANDIANT_FUSION_IOC"
],
"allow_scoped_access": true
}
}
},
"entity": {
"file": {
"sha256": "000bc5900dc7a32851e380f418cc178ff0910242ee0561ae37ff424e6d3ec64a",
"md5": "f0095b0a7480c826095d9ffc9d5d2d8f",
"sha1": "8101315b9fbbf6a72bddbfe64837d246f4c8b419"
},
"labels": [
{
"key": "is_scanner",
"value": "false"
},
{
"key": "osint",
"value": "false"
},
{
"key": "misp_akamai",
"value": "false"
},
...
]
}
}
Complex conditions
To use multiple fields at a time in a context entity, you can combine
multiple outcome variables together to create more complex conditional logic.
To combine multiple fields, you can create intermediary outcome variables.
These variables are then combined to form a new outcome variable that can be
used in the condition section.
The following is an example.
// Value will be 1 if threat.associations.type = "MALWARE"
// Wrapper max function required for multi-event rules
$is_attributed_malware = max(if($entity_context.graph.metadata.threat.associations.type = "MALWARE", 1, 0))
// Value will be 1 if threat.associations.type = "THREAT_ACTOR"
$is_attributed_actor = max(if($entity_context.graph.metadata.threat.associations.type = "THREAT_ACTOR", 1,0))
// Value will be the sum of the $is_attributed_malware $is_attributed_malware and $is_attributed_actor
$is_attributed = if($is_attributed_malware = 1, 1, 0)
+
if($is_attributed_actor = 1, 1, 0)
// If the value of $is_attributed is greater than 1, this indicates the indicator has been attributed at least once with the type "MALWARE" or "THREAT_ACTOR"
In this case, two intermediary outcome variables, is_attributed_malware
and is_attributed_actor, are combined together in an outcome variable
is_attributed.
In this example, the intermediary outcome values return numerical values, which
allows numerical comparisons in the new outcome variable.
In this example, is_attributed will be a value of 1 or greater if
the indicator has at least one threat association of type MALWARE
or THREAT_ACTOR.
Flexible Joins in YARA-L
Flexible joins between IOCs allow for multiple UDM fields to be joined against a context entity. This reduces the number of rules required if multiple UDM fields are joined with context entities.
Following is an example event section that uses flexible joins for
multiple UDM fields.
events:
// Filter graph
$mandiant.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
$mandiant.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
$mandiant.graph.metadata.entity_type = "FILE"
$mandiant.graph.metadata.source_type = "GLOBAL_CONTEXT"
$mandiant.graph.entity.file.md5 = strings.coalesce($e.target.process.file.md5, $e.target.process.file.md5) OR
$mandiant.graph.entity.file.md5 = strings.coalesce($e.principal.process.file.md5, $e.principal.process.file.md5)