Mandiant Digital Threat Monitoring
This document provides guidance on how to integrate Mandiant Digital Threat Monitoring with the SOAR module of Google Security Operations.
Integration version: 1.0
Integrate Mandiant Digital Threat Monitoring with Google SecOps
The integration requires the following parameters:
| Parameters | Description |
|---|---|
API Root |
Required The API root of the Mandiant instance. The
default value is |
Client ID |
Required The Client ID of the Mandiant Digital Threat Monitoring account. |
Client Secret |
Required The Client secret of the Mandiant Digital Threat Monitoring account. |
Verify SSL |
Required If selected, the integration verifies that the SSL certificate for the connection to the Mandiant server is valid. Selected by default. |
Ping
Use the Ping action to test connectivity to the Mandiant Digital Threat Monitoring server.
Action inputs
None.
Action outputs
The action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
On a Case Wall, the Ping action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully connected to the Mandiant DTM server with the
provided connection parameters! |
Action succeeded. |
Failed to connect to the Mandiant DTM server! Error is:
ERROR_REASON |
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Ping action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Update Alert
Use the Update Alert action to update an alert in Mandiant Digital Threat Monitoring.
Action inputs
The Update Alert action requires the following parameters:
| Parameters | Description |
|---|---|
Alert ID |
Required The ID of the alert to update. |
Status |
Optional The alert status. Possible values are as follows:
|
Action outputs
The Update Alert action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example describes the JSON result output received when using the Update Alert action:
{
"id": "ID",
"monitor_id": "MONITOR_ID",
"topic_matches": [
{
"topic_id": "4a6ffb0f-e90d-46ce-b10a-3a1e24fbe70d",
"value": "ap-southeast-1.example.com",
"term": "lwd",
"offsets": [
26,
29
]
},
{
"topic_id": "doc_type:domain_discovery",
"value": "domain_discovery"
}
],
"label_matches": [],
"doc_matches": [],
"tags": [],
"created_at": "2024-05-31T12:27:43.475Z",
"updated_at": "2024-05-31T12:43:20.399Z",
"labels_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/domain_discovery/ID/labels",
"topics_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/domain_discovery/ID/topics",
"doc_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/domain_discovery/ID",
"status": "closed",
"alert_type": "Domain Discovery",
"alert_summary": "See alert content for details",
"title": "Suspicious domain \"ap-southeast-1.example.com\" similar to \"lwd\"",
"email_sent_at": "",
"severity": "medium",
"confidence": 0.5,
"has_analysis": false,
"monitor_version": 2
}
Output messages
On a Case Wall, the Update Alert action provides the following output messages:
| Output message | Message description |
|---|---|
Successfully updated alert with ID
INCIDENT_ID in Mandiant DTM. |
Action succeeded. |
Error executing action "Update Alert". Reason:
ERROR_REASON |
Action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table describes the values for the script result output when using the Update Alert action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Connectors
For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors).
Mandiant DTM – Alerts Connector
Use the Mandiant DTM – Alerts Connector to pull alerts from Mandiant
Digital Threat Monitoring. To work with a dynamic list, use the alert_type
parameter.
The connector requires the following parameters:
| Parameters | |
|---|---|
Product Field Name |
Required The name of the field where the product name is stored. The default value is |
Event Field Name |
Required The name of the field used to determine the event name (subtype). The default value is |
Environment Field Name |
Optional
The name of the field where the environment name is stored. If the environment field isn't found, the environment is set to the default value. The default value is |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
Use the default value If the regular expression pattern is null or empty, or the environment
value is null, the final environment result is |
Script Timeout |
Required The timeout limit (in seconds) for the Python process running the current script. Default value is 180 seconds. |
API Root |
Required The API root of the Mandiant instance. The
default value is |
Client ID |
Required The Client ID of the Mandiant Digital Threat Monitoring account. |
Client Secret |
Required The Client secret of the Mandiant Digital Threat Monitoring account. |
Lowest Severity To Fetch |
Optional
Lowest severity score of the alerts to fetch. If no value is provided, the connector ingests alerts with all severities. The parameter accepts the following severity values:
|
Monitor ID Filter |
Optional A comma-separated list of monitor IDs to retrieve the alerts from. |
Max Hours Backwards |
Required
Number of hours previously from when to fetch alerts. Default value is 1 hour. |
Max Alerts To Fetch |
Required
Number of alerts to process for every connector iteration. Default value is 25. |
Disable Overflow |
Optional If selected, the connector ignores the overflow mechanism. Not selected by default. |
Use dynamic list as a blocklist |
Required
If selected, the integration uses the dynamic list as a blocklist. Not selected by default. |
Verify SSL |
Required
If selected, verifies that the SSL certificate for the connection to the Mandiant server is valid. Selected by default. |
Proxy Server Address |
Optional The address of the proxy server to use. |
Proxy Username |
Optional The proxy username to authenticate with. |
Proxy Password |
Optional The proxy password to authenticate with. |
Connector rules
The connector supports proxies.
Connector events
There are two types of events for the Mandiant DTM – Alerts Connector: an event that is based on the main alert and an event that is based on a topic.
An example of the connector event based on the main alert is as follows:
{
"id": "ID",
"event_type": "Main Alert",
"monitor_id": "MONITOR_ID",
"doc": {
"__id": "6ed37932-b74e-4253-aa69-3eb4b00d0ea2",
"__type": "account_discovery",
"ingested": "2024-05-20T16:15:53Z",
"service_account": {
"login": "user@example.com",
"password": {
"plain_text": "********"
},
"profile": {
"contact": {
"email": "user@example.com",
"email_domain": "example.com"
}
},
"service": {
"inet_location": {
"domain": "www.example-service.com",
"path": "/signin/app",
"protocol": "https",
"url": "https://www.example-service.com/signin/app"
},
"name": "www.example-service.com"
}
},
"source": "ccmp",
"source_file": {
"filename": "[1.145.094.680] urlloginpass ap.txt",
"hashes": {
"md5": "c401baa01fbe311753b26334b559d945",
"sha1": "bf700f18b6ab562afb6128b42a34ae088f9c7434",
"sha256": "5e6302d95a7e7edb28d68926cede0c44babded720ad1cc9a72c12d8c6d66153f"
},
"size": 84161521407
},
"source_url": "https://cymbalgroup.com",
"timestamp": "2023-11-14T20:09:04Z"
},
"labels": "Label",
"topic_matches": [
{
"topic_id": "doc_type:account_discovery",
"value": "account_discovery"
}
],
"label_matches": [],
"doc_matches": [
{
"match_path": "service_account.profile.contact.email_domain",
"locations": [
{
"offsets": [
0,
9
],
"value": "example.com"
}
]
}
],
"tags": [],
"created_at": "2024-05-20T16:16:52.439Z",
"updated_at": "2024-05-30T12:10:56.691Z",
"labels_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/account_discovery/ID/labels",
"topics_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/account_discovery/ID/topics",
"doc_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/account_discovery/ID",
"status": "read",
"alert_type": "Compromised Credentials",
"alert_summary": "ccmp",
"title": "Leaked Credentials found for domain \"example.com\"",
"email_sent_at": "",
"indicator_mscore": 60,
"severity": "high",
"confidence": 0.9999995147741939,
"aggregated_under_id": "ID",
"monitor_name": "Compromised Credentials - Example",
"has_analysis": false,
"meets_password_policy": "policy_unset",
"monitor_version": 1
}
An example of the connector event based on a topic is as follows:
{
"id": "ID",
"event_type": "location_name",
"location_name": "LOCATION_NAME",
"timestamp": "2024-05-25T10:56:17.201Z",
"type": "location_name",
"value": "LOCATION_NAME",
"extractor": "analysis-pipeline.nerprocessor-nerenglish-gpu",
"extractor_version": "4-0-2",
"confidence": 100,
"entity_locations": [
{
"element_path": "body",
"offsets": [
227,
229
]
}
]
}