Mandiant Threat Intelligence provides automated access to indicators of compromise (IOCs), such as the IP addresses, domain names, and URLs that threat actors are using, through its indicators; to full-length finished intelligence through its reports; to notifications of threats found by brand and keyword monitoring through its alerts; and to searches for intelligence on an adversary through its search capability.
This document describes the Mandiant Threat Intelligence connector, which lets FortiSOAR™ playbooks interact with a Mandiant Threat Intelligence server automatically. Add the connector as a step in a FortiSOAR™ playbook to perform operations such as retrieving indicators, reports, alerts, and collections from Mandiant Threat Intelligence.
Connector Version: 1.0.0
Authored By: Community
Certified: No
Use the Content Hub to install the connector. For the detailed procedure to install a connector, see the FortiSOAR™ documentation on installing connectors.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-mandiant-threat-intel
For the procedure to configure a connector, see the FortiSOAR™ documentation on configuring connectors.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Mandiant Threat Intelligence connector card. On the connector popup, click the Configurations tab to enter the required configuration details.
| Parameter | Description |
|---|---|
| Server URL | The service-based URI to which you will connect and perform the automated operations. |
| Public Key | The Mandiant Threat Intelligence public key (key ID) that, together with the private key, is used to create the authentication token required to access the Mandiant Threat Intelligence API. |
| Private Key | The Mandiant Threat Intelligence private key that, together with the public key, is used to create the authentication token required to access the Mandiant Threat Intelligence API. Treat it as a credential: keep it in the connector configuration only and do not copy it into playbook variables or logs. |
| Verify SSL | Specifies whether the TLS certificate presented by the server is verified. By default, this option is set to True. Keep it enabled: with verification off, an on-path attacker can impersonate the API endpoint and capture the key pair and the tokens derived from it. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Get Indicators | Retrieves all indicators or specific indicators from Mandiant Threat Intelligence based on the input parameters you have specified. | get_indicators Investigation |
| Get Reports | Retrieves all reports or specific reports for threat actors from Mandiant Threat Intelligence based on the input parameters you have specified. | get_reports Investigation |
| Get Alerts | Retrieves all alerts or specific alerts from Mandiant Threat Intelligence based on the input parameters you have specified. | get_alerts Investigation |
| Search Collections | Retrieves all collections or specific collections from Mandiant Threat Intelligence based on the input parameters you have specified. | search_collections Investigation |
Note: All the input parameters of the Get Indicators operation are optional. If you do not specify any parameter, no filter is applied and an unfiltered list of indicators is returned.
| Parameter | Description |
|---|---|
| Created At | Specify the date and time from which indicators were created in Mandiant Threat Intelligence; only indicators created from that time onward are retrieved. |
| Size | Specify the number of results per page to include in the response of this operation. The maximum is 50 results per page. |
| STIX UUID | Specify the STIX ID of the indicator object you want to retrieve from Mandiant Threat Intelligence. |
| Status | Select the status of the indicator based on which you want to filter the indicators retrieved from Mandiant Threat Intelligence. You can choose between Active or Revoked. |
The output contains the following populated JSON schema. It is a STIX 2.1 bundle: the objects array mixes marking-definition objects (the TLP and statement markings), malware, identity and relationship objects, and the indicator objects that carry the pattern, validity window, confidence, and revoked flag:
```json
{
  "spec_version": "",
  "objects": [
    {
      "id": "",
      "type": "",
      "created": "",
      "definition_type": "",
      "definition": {
        "tlp": ""
      }
    },
    {
      "external_references": [
        {
          "source_name": "",
          "external_id": "",
          "description": ""
        }
      ],
      "object_marking_refs": [],
      "id": "",
      "name": "",
      "type": "",
      "created": "",
      "modified": "",
      "malware_types": [],
      "is_family": "",
      "labels": [],
      "revoked": "",
      "spec_version": ""
    },
    {
      "object_marking_refs": [],
      "id": "",
      "name": "",
      "type": "",
      "created": "",
      "modified": "",
      "revoked": "",
      "identity_class": "",
      "lang": "",
      "spec_version": ""
    },
    {
      "id": "",
      "type": "",
      "created": "",
      "definition_type": "",
      "definition": {
        "tlp": ""
      }
    },
    {
      "id": "",
      "source_ref": "",
      "target_ref": "",
      "type": "",
      "created": "",
      "modified": "",
      "revoked": "",
      "relationship_type": "",
      "spec_version": ""
    },
    {
      "x_fireeye_com_metadata": {
        "subscriptions": []
      },
      "indicator_types": [],
      "pattern_type": "",
      "object_marking_refs": [],
      "id": "",
      "type": "",
      "created": "",
      "modified": "",
      "revoked": "",
      "valid_from": "",
      "confidence": "",
      "pattern": "",
      "labels": [],
      "valid_until": "",
      "spec_version": ""
    },
    {
      "id": "",
      "type": "",
      "created": "",
      "created_by_ref": "",
      "definition_type": "",
      "spec_version": "",
      "definition": {
        "statement": ""
      }
    },
    {
      "object_marking_refs": [],
      "id": "",
      "name": "",
      "type": "",
      "created": "",
      "modified": "",
      "identity_class": "",
      "spec_version": ""
    }
  ],
  "id": "",
  "type": ""
}
```
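The Get Indicators output is a STIX 2.1 bundle, so a playbook has to walk `objects`, pick out the indicator objects, parse each `pattern`, and honour `revoked`, `valid_until`, `confidence`, and the TLP marking referenced by `object_marking_refs` before the values are fit for a blocklist. The following Python is an added example written for this page, not code from the connector or from Mandiant. The bundle it processes is constructed (the two file hashes are the well-known digests of empty input, used as placeholders), and the IOC type labels in `IOC_TYPES` and the 50-point confidence floor are assumptions.

```python
"""Normalise the STIX 2.1 bundle returned by the Get Indicators step into flat IOC
records, dropping revoked, expired and low-confidence indicators and resolving TLP."""
import re
from datetime import datetime, timezone

# Assumed mapping from STIX object type and property path to an IOC type label.
# The labels are illustrative; they are not field names from the connector.
IOC_TYPES = {
    ("ipv4-addr", "value"): "IP Address",
    ("ipv6-addr", "value"): "IP Address",
    ("domain-name", "value"): "Domain",
    ("url", "value"): "URL",
    ("email-addr", "value"): "Email Address",
    ("file", "hashes.MD5"): "File Hash MD5",
    ("file", "hashes.SHA-1"): "File Hash SHA1",
    ("file", "hashes.SHA-256"): "File Hash SHA256",
}

# One STIX comparison expression: <object-type>:<property-path> = '<literal>'
COMPARISON = re.compile(
    r"(?P<otype>[a-z0-9-]+):(?P<path>[A-Za-z0-9_.'\-]+)\s*=\s*'(?P<value>(?:[^'\\]|\\.)*)'"
)

def parse_pattern(pattern):
    """Return [(ioc_type, value)] for every comparison in a STIX pattern.
    Object/property combinations not in IOC_TYPES are skipped rather than guessed at."""
    found = []
    for m in COMPARISON.finditer(pattern):
        key = (m.group("otype"), m.group("path").replace("'", ""))
        if key in IOC_TYPES:
            found.append((IOC_TYPES[key], m.group("value").replace("\\'", "'")))
    return found

def parse_ts(value):
    """Mandiant timestamps are ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalise_bundle(bundle, now, min_confidence=50):
    """Flatten indicator objects into IOC records, applying the checks a SOC would
    want before pushing anything to a blocklist."""
    # Resolve TLP marking definitions first so every IOC carries its sharing restriction.
    tlp_by_id = {
        o["id"]: o["definition"]["tlp"]
        for o in bundle["objects"]
        if o.get("type") == "marking-definition" and o.get("definition_type") == "tlp"
    }
    records = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        if obj.get("revoked") is True:                    # withdrawn by the provider
            continue
        if obj.get("valid_until") and parse_ts(obj["valid_until"]) < now:
            continue                                       # past its validity window
        confidence = obj.get("confidence")
        if isinstance(confidence, int) and confidence < min_confidence:
            continue
        tlps = [tlp_by_id[r] for r in obj.get("object_marking_refs", []) if r in tlp_by_id]
        for ioc_type, value in parse_pattern(obj.get("pattern", "")):
            records.append({
                "type": ioc_type,
                "value": value,
                "confidence": confidence,
                "tlp": tlps[0] if tlps else "unknown",
                "stix_id": obj["id"],
            })
    return records

REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" for the sample run
TLP_AMBER = "marking-definition--00000000-0000-4000-8000-0000000000aa"

# Constructed bundle using the fields the connector's output schema lists.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "spec_version": "2.1",
    "objects": [
        {"type": "marking-definition", "id": TLP_AMBER, "created": "2024-01-01T00:00:00.000Z",
         "definition_type": "tlp", "definition": {"tlp": "amber"}},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000101",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "confidence": 85, "revoked": False, "valid_from": "2024-02-01T00:00:00.000Z",
         "valid_until": "2025-02-01T00:00:00.000Z", "object_marking_refs": [TLP_AMBER]},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000102",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'stale.example']",
         "confidence": 90, "revoked": True, "object_marking_refs": [TLP_AMBER]},      # revoked
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000103",
         "pattern_type": "stix", "pattern": "[url:value = 'http://old.example/x']",
         "confidence": 90, "revoked": False, "valid_until": "2024-01-15T00:00:00.000Z"},  # expired
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000104",
         "pattern_type": "stix", "confidence": 70, "revoked": False,
         "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e' OR "
                    "file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000105",
         "pattern_type": "stix", "pattern": "[email-addr:value = 'lure@phish.example']",
         "confidence": 20, "revoked": False},                                          # below floor
    ],
}

if __name__ == "__main__":
    for rec in normalise_bundle(SAMPLE_BUNDLE, REFERENCE_NOW):
        print(rec)
```

On the sample bundle only the active IP and the two file hashes survive: the domain is revoked, the URL has expired, and the email address is under the confidence floor. The parser deliberately ignores pattern operators (AND/OR) and only extracts comparisons, which is enough for feed ingestion but not for evaluating a compound pattern as a detection rule.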
Note: All the input parameters of the Get Reports operation are optional. If you do not specify any parameter, no filter is applied and an unfiltered list of reports is returned.
| Parameter | Description |
|---|---|
| Created At | Specify the date and time from which reports were created in Mandiant Threat Intelligence; only reports created from that time onward are retrieved. |
| Size | Specify the number of results per page to include in the response of this operation. The maximum is 50 results per page. |
| Report ID | Specify the STIX ID of the report object you want to retrieve from Mandiant Threat Intelligence. |
| Document ID | Specify the document ID of the report (the `document_id` value under `x_fireeye_com_tracking_info` in the output) to retrieve the details of that specific report from Mandiant Threat Intelligence. |
| Status | Select the status of the report based on which you want to filter the reports retrieved from Mandiant Threat Intelligence. You can choose between Active or Revoked. |
| Subscription | Select the subscription of the report based on which you want to filter the reports retrieved from Mandiant Threat Intelligence. You can choose from the following options: Cyber-Crime, Cyber-Espionage, Hacktivism, Cyber-Physical, Strategic, Fusion, Operational, Vulnerability, or Standard. |
| Report Type | Specify the type of report based on which you want to filter the reports retrieved from Mandiant Threat Intelligence. |
| Actor Name | Specify the name of the actor based on which you want to filter the reports retrieved from Mandiant Threat Intelligence. This parameter filters the report results down to a specific actor and returns all matching reports for that actor. |
| Malware Name | Specify the name of the malware based on which you want to filter the reports retrieved from Mandiant Threat Intelligence. This parameter filters the report results down to a specific malware family and returns all matching reports for that malware family. |
The output contains the following populated JSON schema. Each object is a STIX report; the `x_fireeye_com_*` properties are vendor extensions carrying the analysis sections, document tracking information, and subscription metadata:
```json
{
  "id": "",
  "type": "",
  "objects": [
    {
      "type": "",
      "spec_version": "",
      "id": "",
      "created_by_ref": "",
      "created": "",
      "modified": "",
      "name": "",
      "description": "",
      "report_types": [],
      "published": "",
      "object_marking_refs": [],
      "x_fireeye_com_additional_description_sections": {
        "analysis": [],
        "key_points": []
      },
      "object_refs": [],
      "x_fireeye_com_tracking_info": {
        "document_version": "",
        "current_release_date": "",
        "document_id": ""
      },
      "x_fireeye_com_metadata": {
        "product_type": [],
        "subscriptions": []
      }
    }
  ]
}
```
Note: All the input parameters of the Get Alerts operation are optional. If you do not specify any parameter, no filter is applied and an unfiltered list of alerts is returned.
| Parameter | Description |
|---|---|
| Created At | Specify the date and time from which alerts were created in Mandiant Threat Intelligence; only alerts created from that time onward are retrieved. |
| Size | Specify the number of results per page to include in the response of this operation. The maximum is 50 results per page. |
| ID | Specify the STIX ID of the alert object based on which you want to retrieve alerts from Mandiant Threat Intelligence. |
| Alert Type | Select the type of alerts based on which you want to filter the alerts retrieved from Mandiant Threat Intelligence. You can choose from the following options: Forum_Post, Tweet, Web_Content_Publish, Paste, Email_Analysis, Domain_Discovery, or Document_Analysis. |
| Alert Status | Select the status of alerts based on which you want to filter the alerts retrieved from Mandiant Threat Intelligence. You can choose from the following options: New, New_Requested, Investigated, Under_Investigation, Closed, or Closed_Investigated. |
| Alert Categories | Select the category of alerts based on which you want to filter the alerts retrieved from Mandiant Threat Intelligence. You can choose from the following options: Social-Media, Forums, Documents, Malware-Repository, Network-Indicators, Web-Content, or Paste-Sites. |
| Alert Severity | Select the severity of alerts based on which you want to filter the alerts retrieved from Mandiant Threat Intelligence. You can choose from the following options: Low, Medium, High, or Critical. |
The output contains the following populated JSON schema. The alert object carries the type, status, severity score, and the references to the objects that triggered it; the remaining objects are the statement marking and the identity of the producer:
```json
{
  "spec_version": "",
  "objects": [
    {
      "id": "",
      "type": "",
      "alert_type": "",
      "name": "",
      "status": "",
      "alert_context": [],
      "prerequisite_conditions": [],
      "object_refs": [],
      "action_nature": "",
      "description": "",
      "created": "",
      "modified": "",
      "alert_severity": {
        "severity_score": ""
      },
      "spec_version": ""
    },
    {
      "id": "",
      "type": "",
      "created": "",
      "created_by_ref": "",
      "definition_type": "",
      "definition": {
        "statement": ""
      },
      "spec_version": ""
    },
    {
      "id": "",
      "name": "",
      "type": "",
      "identity_class": "",
      "created": "",
      "modified": "",
      "object_marking_refs": [],
      "spec_version": ""
    }
  ],
  "id": "",
  "type": ""
}
```
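Because Size is capped at 50 and Created At is the only time filter, a scheduled playbook that ingests alerts has to carry its own cursor between runs. The Python below is an added example for this page, not connector or Mandiant code: `fake_fetch_page` stands in for a Get Alerts step, the alerts are constructed, and it assumes the step returns alerts ordered by `created` ascending. It shows the high-water-mark loop, the id-based deduplication on the page boundary, and the one case the scheme cannot handle (more alerts sharing a timestamp than fit in one page).

```python
"""Incremental collection of Mandiant alerts through the Get Alerts step, using the
Created At filter as a high-water mark and the documented 50-per-page cap."""
from datetime import datetime, timezone

PAGE_SIZE = 50  # maximum Size the connector accepts per call

def parse_ts(value):
    """Mandiant timestamps are ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def page_alerts(fetch_page, since, page_size=PAGE_SIZE):
    """Collect every alert created at or after `since`.

    `fetch_page(created_at, size)` stands in for a Get Alerts playbook step and must
    return alerts ordered by `created` ascending. The only cursor available is the
    Created At filter, so each request restarts at the newest timestamp seen and the
    alerts re-delivered on that boundary are dropped by id. Returns the alerts, the
    timestamp to persist for the next run, and a flag that is set when a full page
    contained nothing new, meaning more than `page_size` alerts share one timestamp
    and some of them were skipped.
    """
    seen, collected, watermark, stalled = set(), [], since, False
    while True:
        page = fetch_page(watermark, page_size)
        fresh = [a for a in page if a["id"] not in seen]
        seen.update(a["id"] for a in fresh)
        collected.extend(fresh)
        if len(page) < page_size:
            break                    # short page: nothing more to fetch
        if not fresh:
            stalled = True           # full page of duplicates: the cursor cannot advance
            break
        watermark = max(parse_ts(a["created"]) for a in page)
    return collected, watermark, stalled

# Constructed alerts, one per hour, shaped like the alert objects in the Get Alerts output.
SAMPLE_ALERTS = [
    {"id": f"alert-{i:02d}", "created": f"2024-05-01T{i:02d}:00:00.000Z",
     "name": f"constructed alert {i}", "status": "New",
     "alert_severity": {"severity_score": 70}}
    for i in range(7)
]

def fake_fetch_page(created_at, size):
    """Stand-in for the connector step: apply Created At and Size to the sample alerts."""
    rows = [a for a in SAMPLE_ALERTS if parse_ts(a["created"]) >= created_at]
    rows.sort(key=lambda a: a["created"])
    return rows[:size]

START = datetime(2024, 5, 1, tzinfo=timezone.utc)

def run_example(page_size=3):
    """Walk the sample set in pages of three so the paging loop is visible."""
    return page_alerts(fake_fetch_page, START, page_size)

def run_stall_example():
    """Four alerts with one identical timestamp and a page size of two: the cursor cannot move."""
    same = [{"id": f"dup-{i}", "created": "2024-05-02T00:00:00.000Z"} for i in range(4)]

    def fetch(created_at, size):
        return [a for a in same if parse_ts(a["created"]) >= created_at][:size]

    return page_alerts(fetch, START, page_size=2)

if __name__ == "__main__":
    alerts, next_start, stalled = run_example()
    print(len(alerts), "alerts; resume from", next_start.isoformat(), "stalled:", stalled)
```

Persist the returned timestamp between playbook runs and pass it as Created At on the next run. If `stalled` comes back true, alerts behind the cursor were missed; raising Size (up to the 50 limit) is the only remedy the documented parameters offer, so treat that condition as an error to be reviewed rather than silently advancing the cursor.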
Note: All the input parameters of the Search Collections operation are optional. If you do not specify any parameter, no filter is applied and an unfiltered list of collections is returned.
| Parameter | Description |
|---|---|
| Queries | Specify the list of query objects to search for in Mandiant Threat Intelligence. Each query object includes its type and the properties to match. |
| Include Connected Objects | Select this option to include, in the search response, objects connected to the matching objects through a reference or relationship. |
| Connected Objects | Specify the list of connections through which connected objects are retrieved from Mandiant Threat Intelligence. A connection contains fields such as connection_type, connected_type, object_type, property, or relationship_type. |
| Sort By | Specify the object property by which the results retrieved from Mandiant Threat Intelligence are sorted. Note: Sort By applies only when Include Connected Objects is not selected. |
| Order By | Specify the sort direction of the results retrieved from Mandiant Threat Intelligence: "asc" (ascending) or "desc" (descending). If not specified, the results are sorted in ascending order. Note: Order By applies only when Include Connected Objects is not selected. |
The output of this operation is a non-dictionary value, so downstream playbook steps should check its type before indexing into it as a JSON object.
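The sort parameters are only honoured when connected objects are not requested, and a query or connection object with a malformed shape produces an unhelpful search result rather than an error. The following Python is an added example for this page, not connector code: it assembles the step input and fails loudly on the combinations the parameter table says are unsupported. The parameter key names mirror the table and are assumptions, not the connector's internal field names.

```python
"""Assemble and sanity-check the input of a Search Collections step before the
playbook runs it, enforcing the constraints stated in the parameter table."""

# Connection fields named in the parameter table.
CONNECTION_FIELDS = {"connection_type", "connected_type", "object_type", "property", "relationship_type"}

def build_search_input(queries, include_connected_objects=False, connected_objects=None,
                       sort_by=None, sort_order=None):
    """Return the parameter dict for the step, or raise ValueError for inputs the
    operation cannot honour."""
    if not queries:
        raise ValueError("at least one query object is required")
    for q in queries:
        if not isinstance(q, dict) or "type" not in q:
            raise ValueError("each query object needs a 'type' plus the properties to match")
    for c in connected_objects or []:
        unknown = set(c) - CONNECTION_FIELDS
        if unknown:
            raise ValueError(f"unknown connection field(s): {sorted(unknown)}")
    if include_connected_objects and (sort_by or sort_order):
        # The table says sorting is not applied with connected objects; refuse rather than mislead.
        raise ValueError("Sort By / Order By apply only when Include Connected Objects is false")
    if sort_order not in (None, "asc", "desc"):
        raise ValueError("Order By must be 'asc' or 'desc'")
    params = {"queries": list(queries), "include_connected_objects": include_connected_objects}
    if connected_objects:
        params["connected_objects"] = list(connected_objects)
    if sort_by:
        params["sort_by"] = sort_by
        params["sort_order"] = sort_order or "asc"   # documented default is ascending
    return params

if __name__ == "__main__":
    # Constructed query: search for a malware family by name, newest first.
    print(build_search_input([{"type": "malware", "name": "constructed-family"}],
                             sort_by="created", sort_order="desc"))
```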
The Sample - Mandiant Threat Intelligence - 1.0.0 playbook collection comes bundled with the Mandiant Threat Intelligence connector. These playbooks contain steps that exercise every supported action. After importing the connector, you can see the bundled playbooks under Automation > Playbooks in FortiSOAR™.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.