Incoming feed - Mandiant Threat Intelligence Feed v4 (Report Feed)#

Specifications

Transport type

Mandiant Threat Intelligence Feed v4 (Report Feed)

Content type

Mandiant Threat Intelligence Feed v4 (Report Feed)

Ingested data

Mandiant Threat Intelligence reports

Processed data

See Data Mapping

Requirements#

  • Mandiant Threat Intelligence subscription. Check the Mandiant Documentation to see which subscription you have access to.

  • Mandiant API key ID.

  • Mandiant API secret.

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Mandiant Threat Intelligence Feed v4 (Report Feed) from the drop-down menu.

    Content type*

    Select Mandiant Threat Intelligence Feed v4 (Report Feed) from the drop-down menu.

    API URL*

    Default: https://api.intelligence.mandiant.com

    Mandiant API key*

    Set this to your Mandiant API key ID.

    Mandiant API secret*

    Set this to your Mandiant API secret.

    Filter reports by type

    Select which report types to include.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    See SSL Certificates.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.

SSL Certificates#

To use an SSL certificate, it must be:

  • Accessible on the EclecticIQ Intelligence Center host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

  1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

  2. On the EclecticIQ Intelligence Center host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

Data Mapping#

EIQ JSON field

Mapped from Mandiant JSON

Description

ID

  • report.report_id

  • report.reportId

{http://www.mandiant.com/}Report-<UUID v5 based on report.report_id or report.reportID>

Title

  • report.title

Value stored in report.title

Type

  • N/A

report

Description

  • report.threat_detail

  • report.fromMedia

Value stored in report.threat_detail or in report.fromMedia

Summary

  • report.executive_summary

  • report.isightComment

Value stored in report.executive_summary or in report.isightComment

Short description

  • report.labels[label]

  • report.threat_scape[threat_scape]

  • report.report_confidence

  • report.report_type

  • report.reportType

  • report.zero_day

  • report.threat_detail

  • report.tags.affected_industries

  • report.tags.affected_systems

  • report.tags.intended_effects

  • report.tags.motivations

See Map to Short Descriptions for Reports

Information source

  • report.report_id

  • report.reportId

See Map to Information Sources for Reports

Estimated time: Start time

report.version_one_publish_date

Timestamp in ISO8601 format

Estimated time: Observed

  • report.publish_date

  • report.publishDate

Timestamp in ISO8601 format

Observables

  • report.report_id

  • report.reportId

  • report.in_the_wild

  • report.audience

  • report.tags

See Map to Observables for Reports

Tags

  • report.report_id

  • report.reportId

  • report.in_the_wild

  • report.audience

  • report.tags

See Map to Tags for Reports

Map to Short Descriptions for Reports#

<!-- If report.report_confidence is found: -->
Mandiant Report Confidence: {Value in report.report_confidence}<br>

<!-- If report.report_type or report.reportType is found: -->
Mandiant Report Type: {Value in report.report_type or report.reportType}<br>

<!-- If report.zero_day is found: -->
Mandiant Zero Day: {Value in report.zero_day}<br>

<!-- If report.threat_detail is found: -->
Mandiant Threat Detail: {Value in report.threat_detail}<br>

Mandiant Audience: {List of all labels found in report.labels}<br>
Mandiant Threat Scapes: {List of all threat scapes found in report.threat_scape}<br>

<!-- If report.tags is found -->
Mandiant Affected Industries: {List of all industries found in report.tags.affected_industries}<br>
Mandiant Affected systems: {List of all systems found in report.tags.affected_systems}<br>
Mandiant Intended Effects: {List of all intended effects found in report.tags.intended_effects}<br>
Mandiant Motivations: {List of all motivations found in report.tags.motivations}<br>

Map to Information Sources for Reports#

identity:
  name: Mandiant
  type: identity
type: information-source
description: Mandiant
references: https://advantage.mandiant.com/reports/<Value in `report.report_id` or `report.reportId`>

Map to Observables for Reports#

These observables are produced when file hashes, malware, and threat actors are present in the report.

  • actor-id

  • malware

  • file

  • hash-md5

  • hash-sha1

  • hash-sha256

  • ipv4

  • uri

  • email

Map to Tags for Reports#

Mandiant JSON field

Description

  • report.report_id

  • report.reportID

Value in report.report_id or report.reportID

report.in_the_wild

In the wild: <Value in report.in_the_wild>

report.audience

List of entries found in report.audience

report.tags.actors[actor].name

List of actor names found in report.tags.actors

report.files.identifier

Value in report.files.identifier

report.files.type

Value in report.files.type