How to Check If Mandiant Threat Intelligence is Working in Google Chronicle for IOC Matches

Question

Hi everyone,We’ve noticed that for the past week, we haven’t seen any alerts or results related to Mandiant Threat Intelligence in Google Chronicle, particularly in terms of IOCs matches.Could anyone share how we can check if the Mandiant feed is working correctly or if it’s integrated properly? (We've checked and seen that the credentials we've provided are working, but we haven't been getting any successful results for the past week.) We’re specifically looking for any IOC matches that should be triggering alerts or logs.Is there a way for us to verify or troubleshoot this on our own within Chronicle, such as running specific queries or reviewing any logs to ensure the integration is active and functioning as expected?Appreciate any help or guidance on this!Thanks in advance!Thanks,Dnyaneshwar

SoarAndy · Accepted Answer

Hello ,This is related to SIEM, specifically the 'Alerts and IOC Matches' section under the detection options. In the past, we have seen numerous matches with IOCs and alerts. However, in the past few days, we haven't seen any results. We compared the older results with the new logs, and found that a few still match the conditions—based on Mandiant's analysis, these are part of the IOCs. Yet, we are not seeing any IOC match alerts in portal. That’s why we have some doubts about whether there might be an issue with the IOC matching in the Google SecOps tool, especially with the Mandiant integration.Thanks,DnyaneshwarI suggest copy/paste the question to the Chronicle section &#128578;https://www.googlecloudcommunity.com/gc/forums/filteredbylabelpage/board-id/chronicle-siem/label-name/Chronicle

SoarAndy · Answer

Is this relating to automated enrichment in SIEM, or playbook enrichment in SOAR?

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded