Hi @Khushboo14,
could you elaborate more on what you want to achieve exactly? (Use Case)
Mandiant is integrated as a threat intel source inside the entity context graph depending on your license.
There are several options to "integrate" TI, for example within rules. Imagine a rule correlating target IP with the global context.
$event.target.ip = $maliciousIp
$ioc.graph.metadata.entity_type = "IP_ADDRESS"
$ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"
$ioc.graph.metadata.threat.verdict_info.malicious_count >=1
$ioc.graph.entity.ip = $maliciousIp
$ioc.graph.metadata.threat.verdict_info.malicious_count > 0 //must be flagged as malicious
$ioc.graph.metadata.source_labels["misp_cisco_top20k"] = "false"
$ioc.graph.metadata.threat.risk_score > 60
$ioc.graph.metadata.source_labels["is_scanner"] = "false"
This rule excerpt matches the global context asset data and you can view the matched entities when a detection is found (also an excerpt):
metadata.product_entity_id = "ipv4--1a4815d5-af8e-573f-bc04-c3203d7d5e36"
metadata.collected_timestamp.seconds = 1725325145
metadata.collected_timestamp.nanos = 479000000
metadata.vendor_name = "OPEN_SOURCE_INTEL_IOC"
metadata.product_name = "OPEN_SOURCE_INTEL_IOC"
metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
Hope this helps. If not, please elaborate on your use case.
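For readers who want to see where that excerpt sits in a complete YARA-L 2.0 rule, here is an added illustration (not the poster's own rule); the rule name, meta values, the one-hour match window and the outcome variable names are assumptions:

```yaral
rule target_ip_matches_mandiant_global_context {
  meta:
    // Assumed metadata values, not taken from the thread.
    author = "example"
    description = "Target IP matches a malicious IOC in the entity context graph"
    severity = "MEDIUM"

  events:
    // Join the UDM event's target IP to an entity-graph IOC on the same value.
    $event.target.ip = $maliciousIp
    $ioc.graph.entity.ip = $maliciousIp

    // Only IP entities sourced from the global (Mandiant-backed) context.
    $ioc.graph.metadata.entity_type = "IP_ADDRESS"
    $ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"

    // The IOC must be flagged malicious and carry a high enough risk score.
    $ioc.graph.metadata.threat.verdict_info.malicious_count > 0
    $ioc.graph.metadata.threat.risk_score > 60

    // Suppress noisy matches: popular top-20k destinations and known scanners.
    $ioc.graph.metadata.source_labels["misp_cisco_top20k"] = "false"
    $ioc.graph.metadata.source_labels["is_scanner"] = "false"

  match:
    // Assumed window: one detection per malicious IP per hour.
    $maliciousIp over 1h

  outcome:
    // Context surfaced to the analyst on each detection; names are assumptions.
    $risk_score = max($ioc.graph.metadata.threat.risk_score)
    $source_provider = array_distinct($ioc.graph.metadata.threat.verdict_info.source_provider)
    $affected_hosts = array_distinct($event.principal.hostname)

  condition:
    $event and $ioc
}
```

The two `source_labels` filters are what keep a rule like this from firing on every connection to a widely used CDN or a known internet scanner, so they are worth tuning before enabling live detections.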
We need to integrate Mandiant DTM as a Feed with Google SIEM.
DTM is a supported log type but currently it doesn't have a default parser, so a custom one would need to be built. I advise going through support as this request may be prioritized for a default parser:

Thanks for that. By which integration method can we integrate Mandiant DTM with SIEM?