Integrate Mandiant Threat Intelligence with Google SecOps
This document provides guidance on how to integrate Mandiant Threat Intelligence with Google Security Operations (Google SecOps).
Integration version: 11.0
Integration parameters
The Mandiant Threat Intelligence integration requires the following parameters:
| Parameters | Description |
|---|---|
UI Root |
Required The UI root of the Mandiant instance. The default value is |
API Root |
Required The API root of the Mandiant instance. The default value is To authenticate with Google Threat Intelligence credentials, enter
the following value: |
Client ID |
Optional The client ID of the Mandiant Threat Intelligence account. To generate the client ID in Mandiant Threat Intelligence, go to Account settings > API access and keys > Get key ID and secret. |
Client Secret |
Optional The client secret of the Mandiant Threat Intelligence account. To generate the client secret in Mandiant Threat Intelligence, go to Account settings > API access and keys > Get key ID and secret. |
GTI API Key |
Optional
The API key of Google Threat Intelligence. To authenticate
using Google Threat Intelligence, set the When you authenticate using the Google Threat Intelligence API key, it takes priority over other authentication methods. |
Verify SSL |
Required If selected, the integration verifies that the SSL certificate for the connection to the Mandiant server is valid. Selected by default. |
For instructions about configuring an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from your workdesk and Perform a manual action.
Enrich Entities
Use the Enrich Entities action to enrich entities using the information from Mandiant Threat Intelligence. This action only supports the MD5, SHA-1, and SHA-256 hashes.
The Enrich Entities action rund on the following Google SecOps entities:
HostnameIP AddressURLFile HashThreat ActorVulnerability
Action inputs
The Enrich Entities action requires the following parameters:
| Parameter | Description |
|---|---|
Severity Score Threshold |
Required The lowest severity score to mark the entity as suspicious. The action can mark as suspicious the following indicators:
The default value is 50. The maximum value is 100. |
Create Insight |
Optional If selected, the action creates an insight that contains all retrieved information about the entity. Selected by default. |
Only Suspicious Entity Insight |
Optional If selected, the action creates insights only for suspicious entities. If you select this parameter, also select the
|
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Entity enrichment table | Available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
Entity enrichment
The following table lists the values for indicators enrichment when using the Enrich Entities action:
| Enrichment field name | Source (JSON key) | Applicability |
|---|---|---|
first_seen |
first_seen |
Applicable when it is available in JSON. |
last_seen |
last_seen |
Applicable when it is available in JSON. |
sources |
A CSV file of unique sources/source_name values. |
Applicable when it is available in JSON. |
mscore |
mscore |
Applicable when it is available in JSON. |
attributed_associations_{associated_associations/type}
|
A CSV file of attributed_associations/name keys for
every attributed_associations/type type (one key for every
type). |
Applicable when it is available in JSON. |
report_link |
Crafted. | Applicable when it is available in JSON. |
The following table lists the values for enrichment of the Threat Actors entity
when using the Enrich Entities action:
| Enrichment field name | Source (JSON key) | Applicability |
|---|---|---|
motivations |
CSV of motivations/name values. |
Applicable when it is available in JSON. |
aliases |
CSV of aliases/name values. |
Applicable when it is available in JSON. |
industries |
CSV of industries/name values. |
Applicable when it is available in JSON. |
malware |
CSV of malware/name values. |
Applicable when it is available in JSON. |
locations\_source |
CSV of locations/source/country/name values. |
Applicable when it is available in JSON. |
locations\_target |
CSV of locations/target/name values. |
Applicable when it is available in JSON. |
cve |
CSV of cve/cve\_id values. |
Applicable when it is available in JSON. |
description |
description |
Applicable when it is available in JSON. |
last\_activity\_time |
last\_activity\_time |
Applicable when it is available in JSON. |
report\_link |
Crafted. | Applicable when it is available in JSON. |
The following table lists the values for enrichment of the Vulnerability entity
when using the Enrich Entities action:
| Enrichment field name | Source (JSON key) | Applicability |
|---|---|---|
sources |
CSV of source_name values. |
Applicable when it is available in JSON. |
exploitation_state |
exploitation_state |
Applicable when it is available in JSON. |
date_of_disclosure |
date_of_disclosure |
Applicable when it is available in JSON. |
vendor_fix_references |
vendor_fix_references/url |
Applicable when it is available in JSON. |
title |
title |
Applicable when it is available in JSON. |
exploitation_vectors |
CSV of exploitation_vectors values. |
Applicable when it is available in JSON. |
description |
description |
Applicable when it is available in JSON. |
risk_rating |
risk_rating |
Applicable when it is available in JSON. |
available_mitigation |
CSV of available_mitigation values. |
Applicable when it is available in JSON. |
exploitation_consequence |
exploitation_consequence |
Applicable when it is available in JSON. |
report_link |
Crafted | Applicable when it is available in JSON. |
JSON result
The following example shows the JSON result output for indicators received when using the Enrich Entities action:
{
"Entity": "192.0.2.1",
"EntityResult": {
"first_seen": "2022-03-22T21:46:43.000Z",
"last_seen": "2022-05-22T00:58:48.000Z",
"sources": [
{
"first_seen": "2022-03-22T21:46:46.000+0000",
"last_seen": "2022-03-24T19:12:57.000+0000",
"osint": false,
"category": [],
"source_name": "Mandiant"
}
],
"mscore": 100,
"attributed_associations": [
{
"id": "malware--f1151a22-9d9c-589d-90ad-xxxxx",
"name": "EMOTET",
"type": "malware"
}
],
"misp": {
"smtp-receiving-ips": false,
"covid": false,
"eicar.com": false,
"majestic_million": false,
"sinkholes": false,
"alexa": false,
"cisco_top1000": false,
"microsoft": false,
"microsoft-office365": false,
"crl-hostname": false,
"googlebot": false,
"microsoft-azure-germany": false,
"microsoft-attack-simulator": false,
"microsoft-azure": false,
"rfc5735": false,
"tranco10k": false,
"dax30": false,
"public-dns-v4": false,
"dynamic-dns": false,
"public-dns-v6": false,
"covid-19-cyber-threat-coalition-whitelist": false,
"common-ioc-false-positive": false,
"cisco_1M": false,
"google-gmail-sending-ips": false,
"microsoft-azure-china": false,
"stackpath": false,
"google": false,
"cloudflare": false,
"moz-top500": false,
"tranco": false,
"tlds": false,
"university_domains": false,
"smtp-sending-ips": false,
"cisco_top20k": false,
"empty-hashes": false,
"nioc-filehash": false,
"amazon-aws": false,
"url-shortener": false,
"microsoft-office365-ip": false,
"microsoft-win10-connection-endpoints": false,
"microsoft-azure-us-gov": false,
"majestic_million_1M": false,
"mozilla-CA": false,
"whats-my-ip": false,
"microsoft-office365-cn": false,
"vpn-ipv6": false,
"rfc3849": false,
"rfc6761": false,
"security-provider-blogpost": false,
"cisco_top5k": false,
"apple": false,
"public-dns-hostname": false,
"mozilla-IntermediateCA": false,
"rfc1918": false,
"ti-falsepositives": false,
"akamai": false,
"bank-website": false,
"alexa_1M": false,
"automated-malware-analysis": false,
"rfc6598": false,
"google-gcp": false,
"ovh-cluster": false,
"multicast": false,
"phone_numbers": false,
"fastly": false,
"cisco_top10k": false,
"second-level-tlds": false,
"wikimedia": false,
"disposable-email": false,
"common-contact-emails": false,
"vpn-ipv4": true,
"ipv6-linklocal": false,
"covid-19-krassi-whitelist": false,
"crl-ip": false
},
"id": "ID",
"type": "ipv4",
"value": "192.0.2.1",
"is_publishable": true,
"last_updated": "2022-05-22T01:04:46.098Z",
"report_link": "https://advantage.mandiant.com/indicator/ipv4/ID"
}
}
The following example shows the JSON result output for the Threat Actor entity
received when using the Enrich Entities action:
{
"Entity": "ENTITY_ID",
"EntityResult": {
"motivations": [
{
"id": "ID",
"name": "Example",
"attribution_scope": "confirmed"
}
],
"aliases": [
{
"name": "Comment Crew (Internet)",
"attribution_scope": "confirmed"
}
],
"industries": [
{
"id": "ID",
"name": "Aerospace & Defense",
"attribution_scope": "confirmed"
},
{
"id": "ID",
"name": "Transportation",
"attribution_scope": "confirmed"
}
],
"observed": [
{
"earliest": "2003-06-20T12:00:00.000Z",
"recent": "2015-10-20T00:00:00.000Z",
"attribution_scope": "confirmed"
}
],
"malware": [
{
"id": "malware--ID",
"name": "EXAMPLE1",
"attribution_scope": "confirmed"
},
{
"id": "malware--ID",
"name": "EXAMPLE2",
"attribution_scope": "confirmed"
}
],
"tools": [
{
"id": "malware--ID",
"name": "EXAMPLE3",
"attribution_scope": "confirmed"
}
],
"suspected_attribution": [],
"locations": {
"source": [
{
"region": {
"id": "location--ID",
"name": "Asia",
"attribution_scope": "confirmed"
},
"sub_region": {
"id": "location--ID",
"name": "East Asia",
"attribution_scope": "confirmed"
},
"country": {
"id": "location--ID",
"name": "China",
"iso2": "CN",
"attribution_scope": "confirmed"
}
}
],
"target": [
{
"id": "location--ID",
"name": "Belgium",
"iso2": "be",
"region": "Europe",
"sub-region": "West Europe",
"attribution_scope": "confirmed"
}
],
"target_sub_region": [
{
"id": "location--ID",
"name": "East Asia",
"key": "eastasia",
"region": "Asia",
"attribution_scope": "confirmed"
}
],
"target_region": [
{
"id": "location--ID",
"name": "Africa",
"key": "africa",
"attribution_scope": "confirmed"
}
]
},
"cve": [
{
"id": "vulnerability--ID",
"cve_id": "CVE-ID",
"attribution_scope": "confirmed"
}
],
"associated_uncs": [],
"id": "threat-actor--ID",
"name": "Example",
"description": "A description of the threat actor",
"type": "threat-actor",
"last_updated": "2022-05-29T05:30:48.000Z",
"last_activity_time": "2015-10-20T00:00:00.000Z",
"audience": [
{
"name": "intel_fusion",
"license": "INTEL_RBI_FUS"
}
],
"is_publishable": true,
"counts": {
"reports": 171,
"malware": 92,
"cve": 1,
"associated_uncs": 0,
"aliases": 4,
"industries": 16,
"attack_patterns": 111
},
"intel_free": true,
"report_link": "https://advantage.mandiant.com/indicator/ipv4/ID"
}
}
The following example shows the JSON result output for the Vulnerability entity
received when using the Enrich Entities action:
{
"Entity": "CVE-ID",
"EntityResult": {
"exploits": [],
"vulnerable_products": "<p>The following vendors/products have been reported as vulnerable:</p>\\n<ul>\\n<li>Company A: Example Application Server 7.01, 7.02, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54, 7.55, 7.56, and 7.86</li>\\n</ul>",
"sources": [
{
"source_description": "Company A Security Patch Day – January 2022",
"source_name": "Company A",
"url": "URL",
"date": "2022-01-11T17:00:00.000Z",
"unique_id": "ID"
}
],
"exploitation_state": "No Known",
"date_of_disclosure": "2022-01-11T07:00:00.000Z",
"id": "vulnerability--ID",
"vendor_fix_references": [
{
"url": "https://launchpad.support.company.com/#/notes/ID",
"name": "Company A ID Security Update Information",
"unique_id": "ID"
}
],
"title": "Company A Example Application Server 7.86 Unspecified Vulnerability",
"exploitation_vectors": [
"General Network Connectivity"
],
"was_zero_day": false,
"vulnerable_cpes": [
{
"technology_name": "example_as_abap 7.31",
"vendor_name": "Company A",
"cpe_title": "company a example_as_abap 7.31",
"cpe": "cpe:2.3:a:company a:example_as_abap:7.31:*:*:*:*:*:*:*"
}
],
"executive_summary": "<p>An unspecified vulnerability exists within Company A Example Application Server 7.86 and earlier that, when exploited, allows an authenticated attacker to remotely access potentially sensitive information. Exploit code is not publicly available. Mitigation options include a vendor fix.</p>",
"cwe": "Unknown",
"description": null,
"cve_id": "CVE-ID",
"risk_rating": "LOW",
"observed_in_the_wild": false,
"common_vulnerability_scores": {
"v2.0": {
"access_complexity": "LOW",
"temporal_score": 3,
"confidentiality_impact": "PARTIAL",
"report_confidence": "CONFIRMED",
"base_score": 4,
"access_vector": "NETWORK",
"vector_string": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C",
"integrity_impact": "NONE",
"availability_impact": "NONE",
"remediation_level": "OFFICIAL_FIX",
"authentication": "SINGLE",
"exploitability": "UNPROVEN"
}
},
"available_mitigation": [
"Patch"
],
"exploitation_consequence": "Information Disclosure",
"analysis": "<p>Mandiant Threat Intelligence considers this a Low-risk vulnerability because of the privileges required and the limited impact upon exploitation.</p>",
"audience": [
"intel_vuln"
],
"publish_date": "2022-01-11T18:24:00.000Z",
"workarounds": null,
"type": "vulnerability",
"is_publishable": true,
"associated_actors": [],
"associated_malware": [],
"intel_free": false,
"report_link": "https://advantage.mandiant.com/indicator/ipv4/ID"
}
}
Output messages
The Enrich Entities action can return the following output messages:
| Output message | Message description |
|---|---|
|
The action succeeded. |
Error executing action "Enrich Entities". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich Entities action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Enrich IOCs
Use the Enrich IOCs action to obtain information about IOCs from Mandiant Threat Intelligence.
This action doesn't run on Google SecOps entities.
Action inputs
The Enrich IOCs action requires the following parameters:
| Parameter | Description |
|---|---|
IOC Identifiers |
Required A comma-separated list of IOCs to enrich. |
Action outputs
The Enrich IOCs action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Enrich IOCs action:
{
"first_seen": "2011-09-12T12:23:13.000Z",
"last_seen": "2011-09-12T12:23:13.000Z",
"sources": [
{
"first_seen": "2011-09-12T12:23:13.000+0000",
"last_seen": "2011-09-12T12:23:13.000+0000",
"osint": false,
"category": [],
"source_name": "Mandiant"
}
],
"mscore": 47,
"attributed_associations": [
{
"id": "threat-actor--ID",
"name": "Example",
"type": "threat-actor"
}
],
"misp": {
"smtp-receiving-ips": false,
"covid": false,
"eicar.com": false,
"majestic_million": false,
"sinkholes": false,
"alexa": false,
"cisco_top1000": false,
"crl-hostname": false,
"microsoft-office365": false,
"microsoft": false,
"googlebot": false,
"microsoft-azure-germany": false,
"microsoft-attack-simulator": false,
"microsoft-azure": false,
"rfc5735": false,
"tranco10k": false,
"public-dns-v4": false,
"dax30": false,
"dynamic-dns": false,
"public-dns-v6": false,
"covid-19-cyber-threat-coalition-whitelist": false,
"common-ioc-false-positive": false,
"cisco_1M": false,
"google-gmail-sending-ips": false,
"microsoft-azure-china": false,
"stackpath": false,
"google": false,
"cloudflare": false,
"moz-top500": false,
"tranco": false,
"tlds": true,
"university_domains": false,
"smtp-sending-ips": false,
"cisco_top20k": false,
"empty-hashes": false,
"nioc-filehash": false,
"amazon-aws": false,
"url-shortener": false,
"microsoft-office365-ip": false,
"microsoft-win10-connection-endpoints": false,
"microsoft-azure-us-gov": false,
"majestic_million_1M": false,
"mozilla-CA": false,
"whats-my-ip": false,
"microsoft-office365-cn": false,
"vpn-ipv6": false,
"rfc3849": false,
"rfc6761": false,
"security-provider-blogpost": false,
"cisco_top5k": false,
"apple": false,
"public-dns-hostname": false,
"mozilla-IntermediateCA": false,
"rfc1918": false,
"ti-falsepositives": false,
"akamai": false,
"bank-website": false,
"automated-malware-analysis": false,
"rfc6598": false,
"alexa_1M": false,
"google-gcp": false,
"ovh-cluster": false,
"multicast": false,
"phone_numbers": false,
"fastly": false,
"cisco_top10k": false,
"second-level-tlds": true,
"wikimedia": false,
"disposable-email": false,
"common-contact-emails": false,
"vpn-ipv4": false,
"ipv6-linklocal": false,
"covid-19-krassi-whitelist": false,
"crl-ip": false
},
"id": "fqdn--ID",
"type": "fqdn",
"value": "example.com",
"is_publishable": true,
"is_exclusive": true,
"last_updated": "2022-02-21T13:20:27.176Z"
}
Output messages
The Enrich IOCs action can return the following output messages:
| Output message | Message description |
|---|---|
|
The action succeeded. |
Error executing action "Enrich IOCs". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich IOCs action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Get Malware Details
Use the Get Malware Details action to obtain information about malware from Mandiant Threat Intelligence.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Malware Details action requires the following parameters:
| Parameter | Description |
|---|---|
Malware Names |
Required A comma-separated list of malware names to enrich. |
Create Insight |
Optional If selected, the action creates an insight that contains all retrieved information about the entity. |
Fetch Related IOCs |
Optional If selected, the action fetches indicators that are related to the provided malware. |
Max Related IOCs To Return |
Optional The number of indicators which the action processes for every malware. The default value is 100. |
Action outputs
The Get Malware Details action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Malware Details action:
{
"inherently_malicious": 1,
"operating_systems": [
"Windows"
],
"aliases": [],
"capabilities": [
{
"name": "Allocates memory",
"description": "Capable of allocating memory. "
}
],
"detections": [],
"yara": [],
"roles": [
"Cryptocurrency Miner"
],
"malware": [],
"actors": [],
"cve": [],
"id": "malware--ID",
"name": "EXAMPLE",
"description": "Example description",
"type": "malware",
"last_updated": "2022-04-13T02:59:30.000Z",
"last_activity_time": "2022-04-13T02:59:30.000Z",
"audience": [
{
"name": "intel_fusion",
"license": "INTEL_RBI_FUS"
}
],
"is_publishable": true,
"counts": {
"reports": 0,
"capabilities": 26,
"malware": 0,
"actors": 0,
"detections": 0,
"cve": 0,
"aliases": 0,
"industries": 5,
"attack_patterns": 19
},
"intel_free": false
}
Output messages
The Get Malware Details action can return the following output messages:
| Output message | Message description |
|---|---|
|
The action succeeded. |
Error executing action "Get Malware Details". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Malware Details action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Get Related Entities
Use the Get Related Entities action to obtain details about indicators of compromise (IOCs) that are related to entities using information from Mandiant Threat Intelligence.
This action runs on the following Google SecOps entities:
HostnameIP AddressURLFile HashThreat Actor
Action inputs
The Get Related Entities action requires the following parameters:
| Parameter | Description |
|---|---|
Lowest Severity Score |
Required The lowest severity score to return related indicators. The default value is 50. The maximum value is 100. |
Max IOCs To Return |
Optional The number of indicators that the action processes for every entity. The default value is 100. |
Action outputs
The Get Related Entities action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Related Entities action:
{
"hash": "VALUE",
"url": "VALUE",
"fqdn": "VALUE",
"ip": "VALUE",
"email": "VALUE"
}
Output messages
The Get Related Entities action can return the following output messages:
| Output message | Message description |
|---|---|
|
The action succeeded. |
Error executing action "Get Related Entities". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Related Entities action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Ping
Use the Ping action to test the connectivity to Mandiant Threat Intelligence.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Ping action can return the following output messages:
| Output message | Message description |
|---|---|
Successfully connected to the Mandiant server with the provided
connection parameters! |
The action succeeded. |
Failed to connect to the Mandiant server! Error is
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
| Script result name | Value |
|---|---|
is_success |
True or False |