Hi @rahul7514 

Mandiant integration with Chronicle SIEM is done through the SOAR component.

To integrate Mandiant with Chronicle SOAR:

1. Go to Response > Playbooks in the SOAR interface.


2. Select the CDIR PLAYBOOK.


3. Optionally, enable Mandiant enrichment by setting the Mandiant_Enrichment variable to true.


4. In the Cases page, attach the playbook to a test alert to ensure proper configuration.


5. You can use a simulation mode to test the playbook run.


6. Review the playbook results and the overview in the Cases and Alerts tabs.


7. Update the playbook if necessary until you get the expected flow.

For detailed instructions on configuring integrations in Google Security Operations SOAR, see Configure integrations.

I hope this helps. 

@ErikaB so we wont get it in just Siem

I want to use the the threat feeds to filter the traffic logs and trigger alert when suspicious ip is found. 

We have not created playbooks so far. 

I think the question of integration of Mandiant Threat intel and SecOps is somewhat dependent upon the package level that the organization has. Depending on that may drive different things that could potentially be done.

@jstoner @ErikaB 

So if they upgrade their  subscription, will the feed feature automatically start or do we need to integrate anything? 

Can mandiant be recieved as standalone?? 

@rahul7514 

Mandiant Intelligence can be purchased as a standalone.  There is also Google Security Operations which offers a unified experience across SIEM, SOAR, and threat intelligence.  

@ErikaB thanks for the information. When using mandiant threat intel in soar so when we want to enrich ip it makes an api call to mandiant feed right so is there count of how many calls can be made? 

Also is this push or pull mechanism? 

This would be pull.  I’d need to research the call amount.