Integrate Mandiant Digital Threat Monitoring with Google SecOps

This document provides guidance on how to integrate Mandiant Digital Threat Monitoring with Google Security Operations (Google SecOps).

Integration version: 4.0

Integration parameters

The Mandiant Digital Threat Monitoring integration requires the following parameters:

Parameters Description
API Root Required

The API root of the Mandiant instance.

The default value is https://api.intelligence.mandiant.com.

To authenticate with Google Threat Intelligence credentials, enter the following value: https://www.virustotal.com.
Client ID Optional

The client ID of the Mandiant Digital Threat Monitoring account.
Client Secret Optional

The client secret of the Mandiant Digital Threat Monitoring account.
GTI API Key Optional

The API key of Google Threat Intelligence.

To authenticate using Google Threat Intelligence, set the API Root parameter value to https://www.virustotal.com.

Authenticating using the Google Threat Intelligence API key has a priority over other authentication methods.
Verify SSL Required

If selected, the integration verifies that the SSL certificate for the connection to the Mandiant server is valid.

Selected by default.

For instructions about configuring an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.

Actions

The Mandiant Digital Threat Monitoring integration includes the following actions:

Ping

Use the Ping action to test connectivity to the Mandiant Digital Threat Monitoring server.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Ping action can return the following output messages:

Output message Message description
Successfully connected to the Mandiant DTM server with the provided connection parameters! Action succeeded.
Failed to connect to the Mandiant DTM server! Error is: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table lists the value for the script result output when using the Ping action:

Script result name Value
is_success True or False

Update Alert

Use the Update Alert action to update an alert in Mandiant Digital Threat Monitoring.

Action inputs

The Update Alert action requires the following parameters:

Parameters Description
Alert ID Required

The ID of the alert to update.
Status Optional

The alert status.

Possible values are as follows:

  • New
  • Read
  • Resolved
  • Escalated
  • In Progress
  • No Action Required
  • Duplicate
  • Not Relevant
  • Tracked Externally

Action outputs

The Update Alert action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Update Alert action:

{
   "id": "ID",
   "monitor_id": "MONITOR_ID",
   "topic_matches": [
       {
           "topic_id": "4a6ffb0f-e90d-46ce-b10a-3a1e24fbe70d",
           "value": "ap-southeast-1.example.com",
           "term": "lwd",
           "offsets": [
               26,
               29
           ]
       },
       {
           "topic_id": "doc_type:domain_discovery",
           "value": "domain_discovery"
       }
   ],
   "label_matches": [],
   "doc_matches": [],
   "tags": [],
   "created_at": "2024-05-31T12:27:43.475Z",
   "updated_at": "2024-05-31T12:43:20.399Z",
   "labels_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/domain_discovery/ID/labels",
   "topics_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/domain_discovery/ID/topics",
   "doc_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/domain_discovery/ID",
   "status": "closed",
   "alert_type": "Domain Discovery",
   "alert_summary": "See alert content for details",
   "title": "Suspicious domain \"ap-southeast-1.example.com\" similar to \"lwd\"",
   "email_sent_at": "",
   "severity": "medium",
   "confidence": 0.5,
   "has_analysis": false,
   "monitor_version": 2
}
Output messages

The Update Alert action can return the following output messages:

Output message Message description
Successfully updated alert with ID INCIDENT_ID in Mandiant DTM. Action succeeded.
Error executing action "Update Alert". Reason: ERROR_REASON

Action failed.

Check the connection to the server, input parameters, or credentials.
Script result

The following table lists the value for the script result output when using the Update Alert action:

Script result name Value
is_success True or False

Connectors

For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors).

Mandiant DTM – Alerts Connector

Use the Mandiant DTM – Alerts Connector to pull alerts from Mandiant Digital Threat Monitoring. To work with a dynamic list, use the alert_type parameter.

The Mandiant DTM – Alerts Connector requires the following parameters:

Parameter Description
Product Field Name Required

The name of the field where the product name is stored.

The default value is Product Name.
Event Field Name Required

The name of the field used to determine the event name (subtype).

The default value is event_type.
Environment Field Name Optional

The name of the field where the environment name is stored.

If the environment field isn't found, the environment is set to the default value.

The default value is "".
Environment Regex Pattern Optional

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.

Use the default value .* to retrieve the required raw Environment Field Name value.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is "".
Script Timeout Required

The timeout limit in seconds for the Python process running the current script.

The default value is 180.
API Root Required

The API root of the Mandiant instance.

The default value is https://api.intelligence.mandiant.com.

To authenticate with Google Threat Intelligence credentials, enter the following value: https://www.virustotal.com.
Client ID Optional

The client ID of the Mandiant Digital Threat Monitoring account.
Client Secret Optional

The client secret of the Mandiant Digital Threat Monitoring account.
GTI API Key Optional

The API key of Google Threat Intelligence.

To authenticate using Google Threat Intelligence, set the API Root parameter value to https://www.virustotal.com.

When you authenticate using the Google Threat Intelligence API key, it takes priority over other authentication methods.
Lowest Severity To Fetch Optional

The lowest severity score of the alerts to retrieve.

If you don't configure this parameter, the connector ingests alerts with all severities.

The parameter accepts the following severity values:

  • Low
  • Medium
  • High
Monitor ID Filter Optional

A comma-separated list of monitor IDs to retrieve the alerts from.
Max Hours Backwards Required

The number of hours previously from when to fetch alerts.

The default value is 1 hour.
Max Alerts To Fetch Required

The number of alerts to process for every connector iteration.

The default value is 25.
Disable Overflow Optional

If selected, the connector ignores the overflow mechanism.

Not selected by default.
Use dynamic list as a blocklist Required

If selected, the integration uses the dynamic list as a blocklist.

Not selected by default.
Verify SSL Required

If selected, verifies that the SSL certificate for the connection to the Mandiant server is valid.

Selected by default.
Proxy Server Address Optional

The address of the proxy server to use.
Proxy Username Optional

The proxy username to authenticate with.
Proxy Password Optional

The proxy password to authenticate with.

Connector rules

The connector supports proxies.

Connector events

There are two types of events for the Mandiant DTM – Alerts Connector: an event that is based on the main alert and an event that is based on a topic.

An example of the connector event based on the main alert is as follows:

{
   "id": "ID",
   "event_type": "Main Alert",
   "monitor_id": "MONITOR_ID",
   "doc": {
       "__id": "6ed37932-b74e-4253-aa69-3eb4b00d0ea2",
       "__type": "account_discovery",
       "ingested": "2024-05-20T16:15:53Z",
       "service_account": {
           "login": "user@example.com",
           "password": {
               "plain_text": "********"
           },
           "profile": {
               "contact": {
                   "email": "user@example.com",
                   "email_domain": "example.com"
               }
           },
           "service": {
               "inet_location": {
                   "domain": "www.example-service.com",
                   "path": "/signin/app",
                   "protocol": "https",
                   "url": "https://www.example-service.com/signin/app"
               },
               "name": "www.example-service.com"
           }
       },
       "source": "ccmp",
       "source_file": {
           "filename": "[1.145.094.680] urlloginpass ap.txt",
           "hashes": {
               "md5": "c401baa01fbe311753b26334b559d945",
               "sha1": "bf700f18b6ab562afb6128b42a34ae088f9c7434",
               "sha256": "5e6302d95a7e7edb28d68926cede0c44babded720ad1cc9a72c12d8c6d66153f"
           },
           "size": 84161521407
       },
       "source_url": "https://cymbalgroup.com",
       "timestamp": "2023-11-14T20:09:04Z"
   },
   "labels": "Label",
   "topic_matches": [
       {
           "topic_id": "doc_type:account_discovery",
           "value": "account_discovery"
       }
   ],
   "label_matches": [],
   "doc_matches": [
       {
           "match_path": "service_account.profile.contact.email_domain",
           "locations": [
               {
                   "offsets": [
                       0,
                       9
                   ],
                   "value": "example.com"
               }
           ]
       }
   ],
   "tags": [],
   "created_at": "2024-05-20T16:16:52.439Z",
   "updated_at": "2024-05-30T12:10:56.691Z",
   "labels_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/account_discovery/ID/labels",
   "topics_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/account_discovery/ID/topics",
   "doc_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/account_discovery/ID",
   "status": "read",
   "alert_type": "Compromised Credentials",
   "alert_summary": "ccmp",
   "title": "Leaked Credentials found for domain \"example.com\"",
   "email_sent_at": "",
   "indicator_mscore": 60,
   "severity": "high",
   "confidence": 0.9999995147741939,
   "aggregated_under_id": "ID",
   "monitor_name": "Compromised Credentials - Example",
   "has_analysis": false,
   "meets_password_policy": "policy_unset",
   "monitor_version": 1
}

An example of the connector event based on a topic is as follows:

{
   "id": "ID",
   "event_type": "location_name",
   "location_name": "LOCATION_NAME",
   "timestamp": "2024-05-25T10:56:17.201Z",
   "type": "location_name",
   "value": "LOCATION_NAME",
   "extractor": "analysis-pipeline.nerprocessor-nerenglish-gpu",
   "extractor_version": "4-0-2",
   "confidence": 100,
   "entity_locations": [
       {
           "element_path": "body",
           "offsets": [
               227,
               229
           ]
       }
   ]
}