Hi All,
We want to integrate Mandiant with Google SIEM.
Can someone please advise how can this be done.
Mandiant Threat Advantage integration with SIEM
+2
+4- Bronze 4
Hi @Khushboo14,
could you elaborate more on what you want to achieve exactly? (Use Case)
Mandiant is integrated as a threat intel source inside the entity context graph depending on your license.
There are several option you can "integrate" TI, for example within rules. Imagine a rule correlating target IP with the global context.
$event.target.ip = $maliciousIp
$ioc.graph.metadata.entity_type = "IP_ADDRESS"
$ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"
$ioc.graph.metadata.threat.verdict_info.malicious_count >=1
$ioc.graph.entity.ip = $maliciousIp
$ioc.graph.metadata.threat.verdict_info.malicious_count > 0 //must be falged as malicious
$ioc.graph.metadata.source_labels["misp_cisco_top20k"] = "false"
$ioc.graph.metadata.threat.risk_score > 60
$ioc.graph.metadata.source_labels["is_scanner"] = "false"
This rule excerpt matches the globel context asset data and you can view the matched entites when a detection is found (also an excerpt):
metadata.product_entity_id = "ipv4--1a4815d5-af8e-573f-bc04-c3203d7d5e36"
metadata.collected_timestamp.seconds = 1725325145
metadata.collected_timestamp.nanos = 479000000
metadata.vendor_name = "OPEN_SOURCE_INTEL_IOC"
metadata.product_name = "OPEN_SOURCE_INTEL_IOC"
metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
metadata.product_entity_id = "ipv4--1a4815d5-af8e-573f-bc04-c3203d7d5e36"
metadata.collected_timestamp.seconds = 1725325145
metadata.collected_timestamp.nanos = 479000000
metadata.vendor_name = "OPEN_SOURCE_INTEL_IOC"
metadata.product_name = "OPEN_SOURCE_INTEL_IOC"
metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
Hope this helps. If not, please elaborate on your use case.
+2Hi @Khushboo14,
could you elaborate more on what you want to achieve exactly? (Use Case)
Mandiant is integrated as a threat intel source inside the entity context graph depending on your license.
There are several option you can "integrate" TI, for example within rules. Imagine a rule correlating target IP with the global context.
$event.target.ip = $maliciousIp
$ioc.graph.metadata.entity_type = "IP_ADDRESS"
$ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"
$ioc.graph.metadata.threat.verdict_info.malicious_count >=1
$ioc.graph.entity.ip = $maliciousIp
$ioc.graph.metadata.threat.verdict_info.malicious_count > 0 //must be falged as malicious
$ioc.graph.metadata.source_labels["misp_cisco_top20k"] = "false"
$ioc.graph.metadata.threat.risk_score > 60
$ioc.graph.metadata.source_labels["is_scanner"] = "false"
This rule excerpt matches the globel context asset data and you can view the matched entites when a detection is found (also an excerpt):
metadata.product_entity_id = "ipv4--1a4815d5-af8e-573f-bc04-c3203d7d5e36"
metadata.collected_timestamp.seconds = 1725325145
metadata.collected_timestamp.nanos = 479000000
metadata.vendor_name = "OPEN_SOURCE_INTEL_IOC"
metadata.product_name = "OPEN_SOURCE_INTEL_IOC"
metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
metadata.product_entity_id = "ipv4--1a4815d5-af8e-573f-bc04-c3203d7d5e36"
metadata.collected_timestamp.seconds = 1725325145
metadata.collected_timestamp.nanos = 479000000
metadata.vendor_name = "OPEN_SOURCE_INTEL_IOC"
metadata.product_name = "OPEN_SOURCE_INTEL_IOC"
metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
Hope this helps. If not, please elaborate on your use case.
We need to integrate Mandiant DTM as a Feed with Google SIEM.
+5We need to integrate Mandiant DTM as a Feed with Google SIEM.
DTM is a supported log type but currently it doesn't have a default parser, so a custom one would need to be built. I advise to go through support as this request my be prioritized for a default parser:
+2DTM is a supported log type but currently it doesn't have a default parser, so a custom one would need to be built. I advise to go through support as this request my be prioritized for a default parser:
Thanks for that and by which integration method we can integrate Mandiant DTM with SIEM.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.