Applied Threat Intelligence fusion feed overview

Supported in:

The Mandiant Fusion indicator feed is a collection of indicators of compromise (IOCs), including hashes, IPs, domains, and URLs, that are associated with known threat actors, malware strains, active campaigns, and finished intelligence reporting. To ensure maximum value, the feed also includes IOCs that Mandiant Intelligence has carefully checked and validated from open-source feeds, ensuring high accuracy. Mandiant's curation process consists of the following steps.

  • Frontline incident response: Mandiant analysts gain first-hand knowledge of attacker tools and techniques while investigating breaches.

  • Threat research: Dedicated teams track threat actors, analyze malware, and uncover emerging attack infrastructure.

  • Contextualization: IOCs are mapped to specific threats and campaigns which helps in understanding and prioritization of incidents.

The Breach Analytics feed builds upon Fusion, adding indicators associated with new and emerging breaches that Mandiant is actively investigating. It provides real-time insights into the latest attack trends. YARA-L rules can utilize contextual information from the Applied Threat Intelligence Fusion Feed to enhance simple indicator matching rules. It includes associated threat groups, presence of an indicator in a compromised environment, or Mandiant's automated confidence score of maliciousness.

Write YARA-L rules with the Fusion Feed

The process of writing YARA-L rules using Fusion Feed is similar to writing YARA-L rules with other context entity sources. For more information about how to write this type of YARA-L rule, see Create context-aware analytics.

Events and match section

To write a rule, filter the selected context entity graph. In this case, it is Fusion feed. Then, filter on a specific indicator type. For example, FILE. The following is an example.

events:
   $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"
   $context_graph.graph.metadata.entity_type = "FILE"

Similar to YARA-L rules that don't use context entities, you can add any other conditions of the event or context entity in the events section. you can join a field from the context entity and UDM event field. In the following example, the placeholder variable ioc is used to do a transitive join between the context entity and the event. This placeholder variable is then used in the match section to ensure a match in a particular timeframe.

   $ioc = $context_graph.graph.entity.file.md5
   $ioc = $e1.principal.process.file.md5

match:
   $ioc over 1h

For more information about context entity fields that can be leveraged in YARA-L rules, see the Fusion Feed context entity fields section.

Outcome section

Continuing with the previous example, the basic indicator matching rule is set up against file hashes places in the context entities at the graph.entity.file.md5 field and principal.process.file.md5 UDM field. This simple matching rule can match a large number of events. Hence, it is recommended to refine the rule match on context entities that have particular intelligence that is of interest. For example, this can include the confidence score assigned to the indicator by Mandiant, whether it was seen in a breached environment, or the malware family associated with the indicator. This can all be done in the outcome section of the rule.

 outcome:
   // Extract the Mandiant Automated Intel confidence score of maliciousness
   $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
   // Extract the status of the indicator as seen in a breached environment
   $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))

   // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
   // Return 1 if conditions are met, otherwise return 0.
   $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

In the outcome section of the YARA-L rule, the confidence score is extracted using an if statement wrapped in a max function. This technique is required for multi-event rules. The same technique is used to extract the pwn variable from verdict_info, which indicates if an indicator has been seen in a breached environment as identified by Mandiant.

These two outcome variables are then combined together in another matched_conditions variable, which allows the use of chained logic in the condition section.

Condition section

The condition section ensures that e1, context_graph, and matched_conditions exist and or match the specified condition.

 condition:
   // Ensure $e1, $context_graph and $matched_conditions conditions are met.
   $e1 AND $context_graph AND $matched_conditions = 1

Complete YARA-L rule

At this point the rule is ready for use and should look like the following:

rule fusion_feed_example_principal_process_file_md5 {
 meta:
   rule_name = "File Hash - Applied Threat Intelligence"
   description = "Matches file hashes against the Applied Threat Intelligence Fusion Feed."

 events:
   // Filter graph
   $context_graph.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
   $context_graph.graph.metadata.entity_type = "FILE"
   $context_graph.graph.metadata.source_type = "GLOBAL_CONTEXT"

   // Do join
   $ioc = $context_graph.graph.entity.file.md5
   $ioc = $e1.principal.process.file.md5

 match:
   $ioc over 1h

 outcome:
   // Extract the Mandiant Automated Intel confidence score of maliciousness
   $confidence_score = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel", $context_graph.graph.metadata.threat.verdict_info.confidence_score, 0))
   // Extract the status of the indicator as seen in a breached environment
   $breached = max(if($context_graph.graph.metadata.threat.verdict_info.pwn = true, 1, 0))

   // Intermediary outcome variable to combine conditions of intelligence extracted in the previous outcome variables.
   // Return 1 if conditions are met, otherwise return 0.
   $matched_conditions = if($confidence_score >= 80 AND $breached = 1, 1, 0)

 condition:
   // Ensure $e1, $context_graph and $matched_conditions conditions are met.
   $e1 AND $context_graph AND $matched_conditions = 1
}

Fusion Feed context entity fields

You can use many fields from the Mandiant Fusion indicator feed in rules. These fields are all defined in the Unified Data Model field list. The following fields are relevant for prioritizing indicators:

Entity field Possible values
metadata.threat.associations.type MALWARE, THREAT_ACTOR
metadata.threat.associations.name Threat association name
metadata.threat.verdict_info.pwn TRUE, FALSE
metadata.threat.verdict_info.pwn_first_tagged_time.seconds Timestamp (seconds)

Some fields have key-value pairs that need to be used in combination to access the correct values. Following is an example.

Entity field 1 Values Entity field 2 Values
metadata.threat.verdict_info.source_provider Mandiant Global Intel metadata.threat.verdict_info.global_hits_count Integer
metadata.threat.verdict_info.source_provider Mandiant Global Intel metadata.threat.verdict_info.global_customer_count Integer
metadata.threat.verdict_info.source_provider Mandiant Analyst Intel metadata.threat.verdict_info.confidence_score Integer
metadata.threat.verdict_info.source_provider Mandiant Automated Intel metadata.threat.verdict_info.confidence_score Integer

In the outcome section of a YARA-L rule, you can access a value designated by a specific key using the following command:

$hit_count = max(if($context_graph.graph.metadata.threat.verdict_info.source_provider = "Mandiant Global Intel", $context_graph.graph.metadata.threat.verdict_info.global_hits_count, 0))

Examining entity matches in Google Security Operations lets you to gain a comprehensive view of the data, revealing additional fields that can be valuable in assessing the priority and context of an indicator alert.

The following is an example of a Fusion Feed context entity as an initial reference point.

{
  "metadata": {
    "product_entity_id": "md5--147d19e6-cdae-57bb-b9a1-a8676265fa4c",
    "collected_timestamp": {
      "seconds": "1695165683",
      "nanos": 48000000
    },
    "vendor_name": "MANDIANT_FUSION_IOC",
    "product_name": "MANDIANT_FUSION_IOC",
    "product_version": "1710194393",
    "entity_type": "FILE",
    "creation_timestamp": {
      "seconds": "1710201600"
    },
    "interval": {
      "start_time": {
        "seconds": "1"
      },
      "end_time": {
        "seconds": "253402300799"
      }
    },
    "threat": [
      {
        "category_details": [
          "A phishing email message or the relevant headers from a phishing email."
        ],
        "severity_details": "HIGH",
        "confidence_details": "75",
        "risk_score": 75,
        "first_discovered_time": {
          "seconds": "1683294326"
        },
        "associations": [
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "type": "THREAT_ACTOR",
            "name": "UNC2633"
          },
          {
            "id": "threat-actor--3e5e6bdf-5b4e-5166-84fa-83045e637f23",
            "country_code": [
              "unknown"
            ],
            "type": "THREAT_ACTOR",
            "name": "UNC2633",
            "description": "UNC2633 is a distribution threat cluster that delivers emails containing malicious attachments or links that lead to malware payloads, primarily QAKBOT, but also SNOWCONE.GZIPLOADER (which leads to ICEDID) and MATANBUCHUS. Historically, UNC2633 has distributed ZIP files containing malicious Excel files that download malware payloads. In early 2023, UNC2633 started distributing OneNote files (.one) that usually led to QAKBOT. It has also leveraged HTML smuggling to distribute ZIP files containing IMG files that contain LNK files and malware payloads.",
            "alias": [
              {
                "name": "TA570 (Proofpoint)"
              }
            ],
            "first_reference_time": {
              "seconds": "1459085092"
            },
            "last_reference_time": {
              "seconds": "1687392000"
            },
            "industries_affected": [
              "Aerospace & Defense",
              "Agriculture",
              "Automotive",
              "Chemicals & Materials",
              "Civil Society & Non-Profits",
              "Construction & Engineering",
              "Education",
              "Energy & Utilities",
              "Financial Services",
              "Governments",
              "Healthcare",
              "Hospitality",
              "Insurance",
              "Legal & Professional Services",
              "Manufacturing",
              "Media & Entertainment",
              "Oil & Gas",
              "Pharmaceuticals",
              "Retail",
              "Technology",
              "Telecommunications",
              "Transportation"
            ]
          }
        ],
        "campaigns": [
          "CAMP.23.007"
        ],
        "last_updated_time": {
          "seconds": "1695165683",
          "nanos": 48000000
        },
        "verdict_info": [
          {
            "source_provider": "Mandiant Automated Intel",
            "confidence_score": 75
          },
          {
            "verdict_type": "ANALYST_VERDICT",
            "confidence_score": 75
          },
          {
            "source_count": 91,
            "response_count": 1,
            "verdict_type": "PROVIDER_ML_VERDICT",
            "malicious_count": 1,
            "ioc_stats": [
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Knowledge Graph",
                "quality": "HIGH_CONFIDENCE",
                "malicious_count": 1,
                "response_count": 1,
                "source_count": 8
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Malware Analysis",
                "source_count": 4
              },
              {
                "ioc_stats_type": "MANDIANT_SOURCES",
                "second_level_source": "Spam Monitoring",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "second_level_source": "Crowdsourced Threat Analysis",
                "source_count": 71
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "MISP",
                "second_level_source": "Trusted Software List",
                "source_count": 3
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Digitalside It Hashes",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Tds Harvester",
                "source_count": 1
              },
              {
                "ioc_stats_type": "THIRD_PARTY_SOURCES",
                "first_level_source": "Threat Intelligence Feeds",
                "second_level_source": "Urlhaus",
                "source_count": 1
              }
            ]
          },
          {
            "source_provider": "Mandiant Analyst Intel",
            "confidence_score": 75,
            "pwn": true,
            "pwn_first_tagged_time": {
              "seconds": "1683911695"
            }
          }
        ],
        "last_discovered_time": {
          "seconds": "1683909854"
        }
      }
    ],
    "source_type": "GLOBAL_CONTEXT",
    "source_labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
...
      {
        "key": "has_pwn",
        "value": "2023-05-12T17:14:55.000+0000"
      }
    ],
    "event_metadata": {
      "id": "\\000\\000\\000\\000\\034Z\\n\\2545\\237\\367\\353\\271\\357\\302\\215t\\330\\275\\237\\000\\000\\000\\000\\007\\000\\000\\000\\206\\000\\000\\000",
      "base_labels": {
        "log_types": [
          "MANDIANT_FUSION_IOC"
        ],
        "allow_scoped_access": true
      }
    }
  },
  "entity": {
    "file": {
      "sha256": "000bc5900dc7a32851e380f418cc178ff0910242ee0561ae37ff424e6d3ec64a",
      "md5": "f0095b0a7480c826095d9ffc9d5d2d8f",
      "sha1": "8101315b9fbbf6a72bddbfe64837d246f4c8b419"
    },
    "labels": [
      {
        "key": "is_scanner",
        "value": "false"
      },
      {
        "key": "osint",
        "value": "false"
      },
      {
        "key": "misp_akamai",
        "value": "false"
      },
...
    ]
  }
}

Complex conditions

To use multiple fields at a time in a context entity, you can combine multiple outcome variables together to create more complex conditional logic. To combine multiple fields, you can create intermediary outcome variables. These variables are then combined to form a new outcome variable that can be used in the condition section.

The following is an example.

// Value will be 1 if threat.associations.type = "MALWARE"
// Wrapper max function required for multi-event rules
$is_attributed_malware = max(if($entity_context.graph.metadata.threat.associations.type = "MALWARE", 1, 0))

// Value will be 1 if threat.associations.type = "THREAT_ACTOR"
$is_attributed_actor = max(if($entity_context.graph.metadata.threat.associations.type = "THREAT_ACTOR", 1,0))

// Value will be the sum of the $is_attributed_malware $is_attributed_malware and $is_attributed_actor
$is_attributed = if($is_attributed_malware = 1, 1, 0)
                    +
                    if($is_attributed_actor = 1, 1, 0)

// If the value of $is_attributed is greater than 1, this indicates the indicator has been attributed at least once with the type "MALWARE" or "THREAT_ACTOR"

In this case, two intermediary outcome variables, is_attributed_malware and is_attributed_actor, are combined together in an outcome variable is_attributed.

In this example, the intermediary outcome values return numerical values, which allows numerical comparisons in the new outcome variable. In this example, is_attributed will be a value of 1 or greater if the indicator has at least one threat association of type MALWARE or THREAT_ACTOR.

Flexible Joins in YARA-L

Flexible joins between IOCs allow for multiple UDM fields to be joined against a context entity. This reduces the number of rules required if multiple UDM fields are joined with context entities.

Following is an example event section that uses flexible joins for multiple UDM fields.

  events:
    // Filter graph
    $mandiant.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.vendor_name = "MANDIANT_FUSION_IOC"
    $mandiant.graph.metadata.entity_type = "FILE"
    $mandiant.graph.metadata.source_type = "GLOBAL_CONTEXT"

    $mandiant.graph.entity.file.md5 = strings.coalesce($e.target.process.file.md5, $e.target.process.file.md5) OR
    $mandiant.graph.entity.file.md5 = strings.coalesce($e.principal.process.file.md5, $e.principal.process.file.md5)