Incoming feed - Mandiant Threat Intelligence Feed v4 (Malware Feed)#
| Specifications | |
|---|---|
| Transport type | Mandiant Threat Intelligence Feed v4 (Malware Feed) |
| Content type | Mandiant Threat Intelligence Feed v4 (Malware Feed) |
| Ingested data | Mandiant Threat Intelligence malware |
| Processed data | See Data Mapping |
Requirements#
Mandiant Threat Intelligence subscription. Check the Mandiant Documentation to see which subscription you have access to.
Mandiant API key ID.
Mandiant API secret.
Configure the incoming feed#
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Note
Required fields are marked with an asterisk (*).
| Field | Description |
|---|---|
| Transport type* | Select Mandiant Threat Intelligence Feed v4 (Malware Feed) from the drop-down menu. |
| Content type* | Select Mandiant Threat Intelligence Feed v4 (Malware Feed) from the drop-down menu. |
| API URL* | Default: https://api.intelligence.mandiant.com |
| Mandiant API key* | Set this to your Mandiant API key ID. |
| Mandiant API secret* | Set this to your Mandiant API secret. |
| SSL verification | Selected by default. When selected, the certificate presented by the API URL is verified before any data is exchanged. Clear it only for troubleshooting: without verification the feed accepts any certificate, so the API key ID, the API secret and the downloaded intelligence can be intercepted by anyone who can redirect the connection. |
| Path to SSL certificate file | Used when connecting to a feed source that uses a custom CA. Set this to the path of the CA certificate file that should be used to verify the feed source's certificate. See SSL Certificates. |
Store your changes by selecting Save.
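The fields above describe a client that exchanges the API key ID and secret for a bearer token, then pages through the malware collection over a verified TLS connection. The block below is an added example written for this page; it is not the EclecticIQ extension's code or a Mandiant SDK. The endpoint paths and response shapes it uses (POST /token with grant_type=client_credentials and HTTP Basic credentials, GET /v4/malware returning a malware list and a next cursor) are assumptions taken from the Mandiant API v4 reference and should be checked against the documentation for your subscription. The canned responses in fake_transport_factory are constructed sample data so the example runs offline; urllib_transport is the real transport you would pass in instead.

```python
import base64
import json
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple

API_URL = "https://api.intelligence.mandiant.com"  # the feed's default API URL

# A transport sends (method, url, headers, body) and returns (status, response bytes).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def build_ssl_context(ssl_verify: bool, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Map the 'SSL verification' and 'Path to SSL certificate file' settings to an SSLContext.
    ssl_verify=True checks the server certificate against the system trust store, or against
    ca_file for a custom CA (create_default_context raises if that file cannot be read, which
    is what happens when the eclecticiq user lacks access). ssl_verify=False accepts anything."""
    ctx = ssl.create_default_context(cafile=ca_file if ssl_verify else None)
    if not ssl_verify:
        ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def basic_auth_header(key_id: str, secret: str) -> str:
    """Key ID and secret are presented as HTTP Basic credentials to the token endpoint (assumed)."""
    return "Basic " + base64.b64encode(f"{key_id}:{secret}".encode()).decode()


def urllib_transport(ctx: ssl.SSLContext) -> Transport:
    """Real HTTPS transport built on urllib; the offline demo below swaps in a fake one."""
    def send(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


class MandiantClient:
    def __init__(self, key_id: str, secret: str, transport: Transport, api_url: str = API_URL) -> None:
        self.api_url, self.key_id, self.secret, self.transport = api_url.rstrip("/"), key_id, secret, transport
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _bearer(self) -> str:
        """Return a cached bearer token, or obtain one (assumed: POST /token, client_credentials)."""
        if self._token and time.time() < self._expires_at:
            return self._token
        headers = {"Authorization": basic_auth_header(self.key_id, self.secret),
                   "Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
        status, body = self.transport("POST", f"{self.api_url}/token", headers, b"grant_type=client_credentials")
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        data = json.loads(body)
        self._token = data["access_token"]
        self._expires_at = time.time() + float(data.get("expires_in", 0)) - 60  # refresh a minute early
        return self._token

    def iter_malware(self, limit: int = 100) -> Iterator[dict]:
        """Yield malware records page by page (assumed: GET /v4/malware, follow 'next' until absent)."""
        params = {"limit": str(limit)}
        while True:
            url = f"{self.api_url}/v4/malware?{urllib.parse.urlencode(params)}"
            headers = {"Authorization": f"Bearer {self._bearer()}", "Accept": "application/json"}
            status, body = self.transport("GET", url, headers, None)
            if status != 200:
                raise RuntimeError(f"malware request failed: HTTP {status}")
            page = json.loads(body)
            yield from page.get("malware", [])
            if not page.get("next"):
                return
            params = {"limit": str(limit), "next": page["next"]}


def fake_transport_factory(calls: List[Tuple[str, str, str]]) -> Transport:
    """Constructed stand-in for the API so the example runs offline; responses are made-up sample data."""
    pages = {"": {"malware": [{"id": "malware--0001", "name": "SAMPLE.A"}], "next": "cursor-2"},
             "cursor-2": {"malware": [{"id": "malware--0002", "name": "SAMPLE.B"}]}}

    def send(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
        auth = headers.get("Authorization", "")
        calls.append((method, url, auth))
        if url.endswith("/token"):
            ok = auth.startswith("Basic ") and body == b"grant_type=client_credentials"
            return (200, json.dumps({"access_token": "tok-1", "expires_in": 1800}).encode()) if ok else (401, b"{}")
        if auth != "Bearer tok-1":
            return 401, b"{}"
        cursor = urllib.parse.parse_qs(urllib.parse.urlparse(url).query).get("next", [""])[0]
        return 200, json.dumps(pages[cursor]).encode()
    return send


def run_offline_demo() -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Fetch all sample malware names through the fake transport; returns (names, recorded requests)."""
    calls: List[Tuple[str, str, str]] = []
    client = MandiantClient("KEY_ID", "SECRET", fake_transport_factory(calls))
    return [m["name"] for m in client.iter_malware(limit=1)], calls
```

Against the live API you would construct the client with `urllib_transport(build_ssl_context(True, "/path/to/cert.pem"))`, mirroring the feed's SSL settings; build_ssl_context(False) reproduces what clearing SSL verification does and is the one configuration to avoid outside of troubleshooting.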
SSL Certificates#
To use an SSL certificate, it must be:
Accessible on the EclecticIQ Intelligence Center host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.
To make sure that EclecticIQ Intelligence Center can access the SSL certificate:
Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.
On the EclecticIQ Intelligence Center host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq /path/to/cert.pem
Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access. The file must also be readable by the eclecticiq user; if it is not, or if it is not a valid certificate file, the feed fails when it tries to connect to the feed source.
Data Mapping#
Note
On EclecticIQ Intelligence Center 2.14, this extension produces TTP entities instead of Malware entities.
| EIQ JSON field | Mandiant | Description |
|---|---|---|
| ID | | |
| Title | | |
| Type | | |
| Description | | Value stored in |
| Estimated time: Observed | | Timestamp in ISO 8601 format |
| Observables | | |
| Tags | | List of tags from the values found in the attributes listed in the previous column |
| TLP | | List of TLP colors found in all entries of |
Map to Observables for Malware#
| EIQ Observable Types | Mandiant JSON field |
|---|---|
| actor-id | |
| malware | |
| cve | |