Incoming feed - Mandiant Threat Intelligence Feed v4 (Threat Actor Feed)#

Specifications

Transport type

Mandiant Threat Intelligence Feed v4 (Threat Actor Feed)

Content type

Mandiant Threat Intelligence Feed v4 (Threat Actor Feed)

Ingested data

Mandiant Threat Intelligence threat actors

Processed data

See Data Mapping

Requirements#

  • Mandiant Threat Intelligence subscription. Check the Mandiant Documentation to see which subscription you have access to.

  • Mandiant API key ID.

  • Mandiant API secret.

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Mandiant Threat Intelligence Feed v4 (Threat Actor Feed) from the drop-down menu.

    Content type*

    Select Mandiant Threat Intelligence Feed v4 (Threat Actor Feed) from the drop-down menu.

    API URL*

    Default: https://api.intelligence.mandiant.com

    Mandiant API key*

    Set this to your Mandiant API key ID.

    Mandiant API secret*

    Set this to your Mandiant API secret.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    See SSL Certificates.

  3. Store your changes by selecting Save.

SSL Certificates#

To use an SSL certificate, it must be:

  • Accessible on the EclecticIQ Intelligence Center host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

  1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

  2. On the EclecticIQ Intelligence Center host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

Data Mapping#

EIQ JSON field

Mandiant JSON field

Description

ID

actors[actor].name

<UUID v5 based on actors[actor].name>

Title

actors[actor].name

Value in actors[actor].name

Type

N/A

threat-actor

Description

actors[actor].description

Value in actors[actor].description

Identity

actors[actor].name

See Map to Identities for Threat Actors

Information source

actors[actor].id

See Map to Information Sources for Threat Actors

Estimated time: Observed

actors[actor].last_updated

Timestamp in ISO8061 format

Estimated time: Start time

actors[actor].observed

Earliest timestamp (in ISO8061 format) of all actors[actor].observed[item].earliest entries

Estimated time: End time

actors[actor].observed

Earliest timestamp (in ISO8061 format) of all actors[actor].observed[item].recent entries

Observables

  • actors[actor].alias[alias].name

  • actors[actor].suspected_attribution[attribution].name

  • actors[actor].cves[cve].cve_id

  • actors[actor].locations.source.name

  • actors[actor].locations.target.name

  • actors[actor].locations.target_region.name

  • actors[actor].locations.target_sub_region.name

  • actors[actor].locations.source.name

  • actors[actor].locations.target.name

  • actors[actor].locations.target_region.name

  • actors[actor].locations.target_sub_region.name

  • actors[actor].malware[malware].name

  • actors[actor].tools[tool].name

  • actors[actor].suspected_attribution[attribution].name

  • actors[actor].tools[tool].name

See Map to Observables for Threat Actors

Tags

  • actors[actor].alias[alias].name

  • actors[actor].suspected_attribution[attribution].name

  • actors[actor].cves[cve].cve_id

  • actors[actor].locations.source.name

  • actors[actor].locations.target.name

  • actors[actor].locations.target_region.name

  • actors[actor].locations.target_sub_region.name

  • actors[actor].locations.source.name

  • actors[actor].locations.target.name

  • actors[actor].locations.target_region.name

  • actors[actor].locations.target_sub_region.name

  • actors[actor].malware[malware].name

  • actors[actor].tools[tool].name

  • actors[actor].suspected_attribution[attribution].name

  • actors[actor].tools[tool].name

List of tags from the values found in the attributes listed in the previous column.

TLP

actors[actor].audience.license

List of TLP colors found in all entries of actors[actor].audience[audience].license

Map to Identities for Threat Actors#

Name: Value in actors[actor].name
Type: identity

Map to Information Sources for Threat Actors#

Identity: Mandiant
Description: Mandiant
References: https://advantage.mandiant.com/reports/<Value in `actors[actor].id`>

Map to Observables for Threat Actors#

EIQ Observable Types

Mandiant JSON field

actor-id

  • actors[actor].alias[alias].name

  • actors[actor].suspected_attribution[attribution].name

cve

actors[actor].cves[cve].cve_id

country

  • actors[actor].locations.source.name

  • actors[actor].locations.target.name

  • actors[actor].locations.target_region.name

  • actors[actor].locations.target_sub_region.name

country-code

  • actors[actor].locations.source.iso2

  • actors[actor].locations.target.iso2

  • actors[actor].locations.target_region.iso2

  • actors[actor].locations.target_sub_region.iso2

malware

  • actors[actor].malware[malware].name

  • actors[actor].tools[tool].name

name

  • actors[actor].suspected_attribution[attribution].name

  • actors[actor].tools[tool].name