Mandiant (previously FireEye)

# Release History

## Version(s): 3.1.5, 3.2.2, 2.14.5
## Release date: 07 Feb 2024

**Fixed:**
- Issue in Report Feed caused by missing fields in files data.
- API connection issue in Vulnerability feed.


## Version(s): 3.1.4, 3.2.1, 2.14.4
## Release date: 26 Jan 2024

**Added:**
- Adds option 'Exclude OSINT indicators' to
  Mandiant Threat Intelligence Feed v4 (Indicator Feed).

**Changed:**
- In Mandiant Threat Intelligence Feed v4 (Indicator Feed),
  changed the name of the option 'Minimal Maliciousness score' to
  'Minimum Indicator Confidence score', and updated its tooltip to better reflect usage.
  Functionality is unchanged. This field allows users to set a minimum IC-score
  to exclude indicators below this score from this feed.
- 'Minimum Indicator Confidence score' is by default set to '60'
  to only ingest 'Suspicious' and above indicators.

## Version(s): 3.1.3, 3.0.3, 2.14.3
## Release date: 10 Nov 2023

**Added:**
- Mandiant Threat Intelligence Feed v4 (Indicator Feed)
  - Now provides a 'Minimal Maliciousness value' that is used to filter the data.
    It is applied to indicator data that is greater than the
    score provided in the configuration of the feed.


**Changed:**
- Mandiant Threat Intelligence Feed v4 (Report Feed)
  - Now provides a 'Summary' that is the same as on the Mandiant portal and in the corresponding PDF.

**Fixed:**
- Mandiant Threat Intelligence Feed v4 (Vulnerability Feed)
  - Fixed issue where versions in vulnerabilities of the exploit target entity contain '&';
    they now render properly.
  - Fixed issue where references of the exploit target have '/[' in the URL.


## Version(s): 3.1.2, 3.0.2, 2.14.2
## Release date: 06 Oct 2023

**Added:**

- Now provides Mandiant Threat Intelligence Feed v4 (Campaign Feed)
  - Endpoint(s): `/v4/campaign`
  - (IC 3.0 and newer) Ingested as campaign entities,
    with related attack pattern and indicator entities.
  - (IC 2.14) Ingested as campaign entities,
    with related TTP and indicator entities.
  - Indicator entities produced by this feed
    have arbitrary titles to prevent high duplicate rate
    with Mandiant-provided titles.
  - Has 'Campaign Historic time' field that allows you to enter a number.
    If the `last_activity_time` of the ingested campaign
    is older than the date the feed runs minus the number of months set here,
    the campaign's 'Status' field is set to 'Historic'. Otherwise,
    the campaign's 'Status' field is set to 'Ongoing'.

    For example, setting 'Campaign Historic time' to '1', when we run the feed
    on 5th October 2023, any ingested campaign entity with the 
    `last_activity_time` earlier than 5th September 2023 will have its 'Status'
    field set to 'Historic'.
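The 'Campaign Historic time' rule above, written out as an added Python example (not the extension's own code). The function names, the sample campaign IDs and the clamping of short months are assumptions made here; the strict "older than" comparison follows the wording of the release note.

```python
import calendar
from datetime import datetime, timezone


def months_before(moment: datetime, months: int) -> datetime:
    """Return `moment` shifted back by whole calendar months.

    Assumption: if the target month is shorter (31 Mar minus 1 month),
    the day is clamped to that month's last day.
    """
    if months < 0:
        raise ValueError("months must be non-negative")
    index = moment.year * 12 + (moment.month - 1) - months
    year, month = divmod(index, 12)
    month += 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def campaign_status(last_activity_time: datetime, run_time: datetime,
                    historic_months: int) -> str:
    """'Historic' only if the last activity is strictly older than the cutoff."""
    cutoff = months_before(run_time, historic_months)
    return "Historic" if last_activity_time < cutoff else "Ongoing"


# Constructed sample data: a feed run on 5 October 2023 and three
# hypothetical campaigns keyed by made-up IDs.
RUN = datetime(2023, 10, 5, tzinfo=timezone.utc)
SAMPLES = {
    "CAMP.EXAMPLE.001": datetime(2023, 9, 4, 23, 59, tzinfo=timezone.utc),
    "CAMP.EXAMPLE.002": datetime(2023, 9, 5, tzinfo=timezone.utc),
    "CAMP.EXAMPLE.003": datetime(2023, 10, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, seen in SAMPLES.items():
        print(name, seen.date(), campaign_status(seen, RUN, 1))
```

A campaign whose `last_activity_time` falls exactly on the cutoff stays 'Ongoing' in this sketch, because the note says "older than".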

**Changed:**

- Mandiant Threat Intelligence Feed v4 (Report Feed)
  - Now includes 'Targeted Information' tags.
- Mandiant Threat Intelligence Feed v4 (Indicator Feed)
  - Now, only 'MISP warning lists' that include a 'True' value are included.

**Fixed:**

- Fixed issue where Mandiant Threat Intelligence Feed v4 (Indicator Feed)
  would fail if 'Start ingesting from' time was set to more than 90 days
  before the feed run. Now, the feed automatically chunks requests to handle
  this limitation.
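One way to chunk a long ingestion range into windows of at most 90 days, as an added Python example (not the extension's own code; how the extension chunks internally is not stated in the note). The function names and sample dates are assumptions made here. The coverage check matters operationally: a gap between windows silently drops indicators, and an overlap ingests duplicates.

```python
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(days=90)  # limit stated in the release note


def chunk_windows(start, end, max_window=MAX_WINDOW):
    """Split [start, end) into contiguous windows no longer than max_window."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    if max_window <= timedelta(0):
        raise ValueError("max_window must be positive")
    windows = []
    cursor = start
    while cursor < end:
        upper = min(cursor + max_window, end)
        windows.append((cursor, upper))
        cursor = upper  # next window starts exactly where this one ended
    return windows


def verify_coverage(windows, start, end, max_window=MAX_WINDOW):
    """True if windows cover [start, end) with no gap, overlap or oversize."""
    if not windows:
        return start >= end
    if windows[0][0] != start or windows[-1][1] != end:
        return False
    for (lo, hi), nxt in zip(windows, windows[1:] + [None]):
        if not (lo < hi and hi - lo <= max_window):
            return False
        if nxt is not None and nxt[0] != hi:
            return False
    return True


# Constructed sample: 'Start ingesting from' 1 Jan 2023, feed run 5 Oct 2023
# (277 days, so three full 90-day windows plus a 7-day remainder).
START = datetime(2023, 1, 1, tzinfo=timezone.utc)
RUN = datetime(2023, 10, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for lo, hi in chunk_windows(START, RUN):
        print(lo.date(), "->", hi.date(), (hi - lo).days, "days")
```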

## Version(s): 3.1.1, 3.0.1, 2.14.1
## Release date: 16 Sep 2023

**Changed:**

- Previously, Mandiant Threat Intelligence Feed v4 (Report Feed)
  would retrieve Mandiant reports from `/v4/report`,
  and additionally retrieve data from multiple Mandiant endpoints
  to create highly detailed report entities in EclecticIQ Intelligence Center.
  However, this means we get highly interconnected entities that are slow to ingest.
  These long ingest times can lead to
  timeouts that cause the feed to fail.

  This release instead provides
  5 incoming feed transport types:

  - Mandiant Threat Intelligence Feed v4 (Report Feed)
    - Endpoint(s): `/v4/reports`, `/v4/report`
    - Ingested as report entities.
    - Also creates related indicator entities for each object present
      in the `files` field of the retrieved report.
  - Mandiant Threat Intelligence Feed v4 (Threat Actor Feed)
    - Endpoint(s): `/v4/actor`
    - Ingested as threat actor entities.
  - Mandiant Threat Intelligence Feed v4 (Malware Feed)
    - Endpoint(s): `/v4/malware`
    - (IC 3.0 and newer) Ingested as malware entities.
    - (IC 2.14) Ingested as TTP entities.
  - Mandiant Threat Intelligence Feed v4 (Vulnerability Feed)
    - Endpoint(s): `/v4/vulnerability`
    - Ingested as exploit target entities.
    - (IC 3.0 and newer) Also creates tool entities for each object
      present in the `exploits` field of the endpoint response.
    - (IC 2.14) Also creates TTP entities for each object
      present in the `exploits` field of the endpoint response.
  - Mandiant Threat Intelligence Feed v4 (Indicator Feed)
    - Endpoint(s): `/v4/indicator`
    - Ingested as indicator entities.

  When run individually, they produce entities ingested from their respective endpoints.
  If these ingested entities are related to other Mandiant entities:
  - These ingested entities can contain external references that are initially unresolved.
    When the entity these external references point at is successfully ingested
    from one of the other Mandiant feeds, the external reference resolves
    into a legible relation on EclecticIQ Intelligence Center.
  - Entities ingested separately from these feeds may share related observables.
    When two or more entities in EclecticIQ Intelligence Center
    are related to the same observable, you can trace those relationships
    in graphs or through queries.


- Report entities created by this feed now include their
  PDF version as an attachment, retrieved from Mandiant.
- Ingested entities now contain MITRE ATT&CK data.
- Mandiant Threat Intelligence Feed v4 (Report Feed) now has a "Filter reports by type" option.
  Enter a comma-separated list of report types to
  only ingest Mandiant reports with those types.
  Possible values (must be exact):

  - `Actor Profile`
  - `Event Coverage/Implication`
  - `Executive Perspective`
  - `ICS Security Roadmap`
  - `Industry Reporting`
  - `Malware Profile`
  - `Network Activity Reports`
  - `News Analysis`
  - `Patch Report`
  - `TTP Deep Dive`
  - `Threat Activity Alert`
  - `Threat Activity Reports`
  - `Trends and Forecasting`
  - `Vulnerability Report`
  - `Weekly Vulnerability Exploitation Report`


**Fixed:**

- Fixed issue where incoming feeds would fail because of unexpected timestamp formats.

## Initial release

Release date: 15 June 2023

**Features:**

* Now provides the Mandiant Threat Intelligence Feed v4 (Report Feed).

# Release History

## Version(s): 3.2.1, 3.1.1, 2.14.1
## Release date: 20 Dec 2023

**Changed:**
- Indicators provided in the `networks` section of the response are now deduplicated.

## Release versions: 2.9.3, 2.10.2

Release date: 26 August, 2021

**Changed:**

* Incoming feed now does not set a maliciousness value for port observables.

**Fixed:**

* Issue where incoming feeds would fail because some report IDs listed by FireEye do not exist.
* Issue where incoming feeds would fail when they encounter an invalid observable.


## Release versions: 2.9.2, 2.10.1

Release date: 13 August, 2021

**Fixed:**

* Issue where ingested "port" observables are marked as
  "Safe". Now, all "port" observables are marked with
  "Unknown" maliciousness.


## Release versions: 2.9.1

Release date: 25 March, 2021

**Features:**

* Now using FireEye API version 2.6 to prevent data loss on service interruption.


## Initial release

Release date: December, 2016

**Features:**

* Now provides the FireEye feed.