Incoming feed - Mandiant Threat Intelligence Feed v4 (Indicator Feed)

	Specifications
Transport type	Mandiant Threat Intelligence Feed v4 (Indicator Feed)
Content type	Mandiant Threat Intelligence Feed v4 (Indicator Feed)
Ingested data	Mandiant Threat Intelligence indicators
Processed data	See Data Mapping

Requirements

• Mandiant Threat Intelligence subscription. Check the Mandiant Documentation to see which subscription you have access to.

• Mandiant API key ID.

• Mandiant API secret.

Configure the incoming feed

1. Create or edit an incoming feed.

2. Under Transport and content, fill out these fields:

   Note

   Required fields are marked with an asterisk (*).

   Field	Description
   Transport type*	Select Mandiant Threat Intelligence Feed v4 (Indicator Feed) from the drop-down menu.
   Content type*	Select Mandiant Threat Intelligence Feed v4 (Indicator Feed) from the drop-down menu.
   API URL*	Default: https://api.intelligence.mandiant.com
   Mandiant API key*	Set this to your Mandiant API key ID.
   Mandiant API secret*	Set this to your Mandiant API secret.
   SSL verification	Selected by default. Select this option to enable SSL for this feed.
   Path to SSL certificate file.	Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. See SSL Certificates.
   Start ingesting from*	Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

3. Store your changes by selecting Save.

SSL Certificates

To use an SSL certificate, it must be:

• Accessible on the EclecticIQ Intelligence Center host.

• Placed in a location that can be accessed by the eclecticiq user.

• Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

2. On the EclecticIQ Intelligence Center host, open the terminal.

3. Change ownership of the SSL certificate by running as root in the terminal:

   chown eclecticiq:eclecticiq /path/to/cert.pem
   

   Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

Data Mapping

EIQ JSON field	Mandiant	Description
ID	indicators[indicator].value	{UUID v5 based in indicators[indicator].value}
Title	indicators[indicator].type indicators[indicator].value	<Value in indicators[indicator].type>: <Value in indicators[indicator].value>
Type	N/A	indicator
Estimated time: Observed	indicators[indicator].last_updated	Timestamp in ISO8061 format
Observables	indicators[indicator].associated_hashes[associated_hash].value indicators[indicator].associated_hashes[associated_hash].type	List of observables composed of all associated_hashes entries found in the indicator
Tags	indicators[indicator].attributed_associations[association].name	List of tags composed of all attributed_associations entries found in the indicator

These observables are produced if files hashes, emails, and URLs are present for the indicator:

• email

• ipv4

• hash-md5

• hash-sha1

• hash-sha256

• uri