Google Threat Intelligence

ver AWS resources that were affected by the CrowdStrike Falcon agent?On July 18th 2024, an update to the CrowdStrike Falcon agent (csagent.sys) caused Windows based devices to experience unplanned stop errors or blue screen. This includes Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon WorkSpaces. This issue only affects Windows Amazon EC2 instances with CrowdStrike installed.Note:If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.If your root Amazon Elastic Block Store (Amazon EBS) volume is encrypted, then make sure the encryption key exists in your account and that you have permission to use it.Identify impaired instancesTo identify failed instances, run the AWS CLI command describe-instance-status similar to the

To enhance the scalability and performance of the Mandiant ASM Discovery Engine, we are expanding our scanner network. Please allowlist the following new scan ranges in preparation for their release later this quarter: 34.19.127.192/28 34.19.116.48/28 34.19.127.208/28 34.19.127.176/28 34.68.34.64/27 8.34.210.32/27 Allowlisting these ranges will ensure uninterrupted scanning and optimal performance of the Mandiant ASM Discovery Engine. We appreciate your cooperation as we continue to improve our services. Visit the documentation for information on the Mandiant ASM scan rages.

Previously, when performing API calls to capture entities (/v1/search/entities/), there were two filters which were always enabled with default values, shown in bold below: hidden:false|true scoped:true|false This meant that building API queries to capture all or both required multiple lookups to capture all entities, and some way of concatenating the resultant data. If building an integration with a third-party product, for example, this added significant complexity. Since late May 2024, we have added options to capture 'both' within a single API call (or search within the UI). How these parameters look in a direct API request (without URI encoding): /v1/stats/entities/ips_by_network/last_seen_after:configured_scan_count scoped:both hidden:both How these parameters look within th

If you have a collection where you expect not to find a specific technology you can create a technology policy for this collection. Let's say your organization does not allow Apache HTTP servers and you want to be notified when one is found in a collection. You can go to the collection setting and add a technology policy and set the appropriate severity based on the risk to your organization.   Here what the configuration would look like.   For more information on technology policies you can find documentation here

In order to change the severity of an issue for a collection you can go to the collection settings and under issue settings select the appropriate severity for the issue.   Some documentation on examples of severity in ASM can be found here  

After an Issue has been seen in a scan it will show in the collection settings. Only after that, an Issue can be disabled. Right now we are not able to turn off checks that have not been seen for that Collection. You can find the configuration under the Collection Settings.  

For Collections configured with high number of seeds and resulting in many entities, there will be a big number of scans to be initiated by ASM. This means that WAF rate-limiting might kick in and stop some of these scans coming from the ASM ranges. The library in the UI will show you all the tasks that are ran. They are not run all on every entity, but depending on entity type and number of entities behind the WAF it is possible to hit 30k or more scans. ASM also has over 100 ports that are being scannned, IPv4 for by default. ASM Customers can also add custom ports that may add to events seen.

By default, Mandiant ASM (Attack Surface Management) has a focused approach to identifying assets for testing. This is great for minimizing false positives, but penetration testers who want a wider net can enable "broad scoping." While this feature helps uncover more potential targets, it might also lead to some inaccuracies in asset ownership identification due to the broader DNS entity scoping. The above can be found here: https://docs.mandiant.com/home/asm-collections-overview Enabling broad scoping:  

In this brief post, we'll take a closer look at the Library in Attack Surface Management (ASM). In ASM you have the ability to browse a listing of all available Issue Definitions, Technology Definitions, and Task Definitions.  This can be useful if you're interested in reviewing the various checks that ASM performs while scanning or the various technologies that ASM can identify.   The ASM Library can be accessed via the following URL, or by clicking your profile drop-down menu in ASM and selecting Library. https://asm.advantage.mandiant.com/library/ On the Library page, we can see that the library is composed of the same three definition types mentioned above, and that we can click through these to browse through

I have created a project and was wondering how I delete it?

This guide will use Python to connect to ASM via API to create and/or delete. The script will contain a menu with 3 options List current projects and project ID Create New Project Delete Project Step 1: Import "request" Module & Create Main Function     import requests def main(): try: # Input API key and Secret via api_credentials.json file with open('api_credentials.json', 'r') as file: credentials = json.load(file) api_key = credentials.get('api_key') api_secret = credentials.get('api_secret') except FileNotFoundError: # Error message if api_credentials.json file is not found print("Error: api_credentials.json not found.") exit(1) except json.JSONDecodeError: # Error message if api_credentials.json is not formated correctly print("Error: Unable to parse api_credentials.json.") exit(1)    

The following two examples can be used as a reference for basic calls to the ASM API.   In both examples, the keys are fabricated and shown for the purpose of demonstrating how to correctly set the headers for each call.     curl https://asm-api.advantage.mandiant.com/api/v1/projects -H 'INTRIGUE_ACCESS_KEY: myaccesskey' -H 'INTRIGUE_SECRET_KEY: mysecretkey'     Invoke-WebRequest http://asm-api.advantage.mandiant.com/api/v1/projects -Headers @{'INTRIGUE_ACCESS_KEY' = 'myaccesskey'; 'INTRIGUE_SECRET_KEY' = 'mysecretkey'} -UseBasicParsing          

How to enable SSO on Mandiant?

I'd like to know if ASM SaaS is vulnerable to the following critical vulnerabilities(specifically, if ASM utilizes WS_FTP or Confluence Data Center or Servers)?On September 14, 2023, Progress Software released a security advisory for a remote code execution (RCE) vulnerability in the WinSock File Transfer Protocol (WS_FTP) Server, which Mandiant Intelligence rates as High-risk. The vulnerability tracked as CVE-2023-40044 caused by a flaw in how the WS_FTP Server handles ad-hoc commands, which an attacker can exploit by sending a specially crafted request to the server to execute arbitrary code on the system. (CVSSv3.1 Base 9.8)On October 4, 2023, Atlassian published a security advisory on a critical vulnerability (CVE-2023-22515) in publicly accessible Confluence Data Center and Server instances where an attacker could create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites not affecte

  We are excited to announce the availability of Google Cloud Security Customer Success subscriptions.   Optimize your Google Cloud Security experience to achieve desired business outcomes together with a team of security experts. Choose the right success offering that best fits your organizational objectives and acquired security subscriptions. Standard: Offers digital and self-service resources, including onboarding, subscription walkthroughs, documentation, and access to knowledge base with product trainings. Expert: Offers a designated Customer Success Manager and Technical Solutions Consultants, providing customized success plans, and strategic guidance.

We have a webinar, Living on the Edge: Investigating Ivanti Connect Secure VPN Zero-Day Exploits coming up this Thursday January 18, 2024. It is a free webinar. Click here to sign up.   

Is there a good explanation why some inferred CVEs come without a reference to (MA)TI Threat Intelligence when the vuln exists in MATI Vulns?For instance CVE-2022-36760 had been detected by ASM, but the link to MATI is missing even so so it seems the CVE had been added to MATI early 2023.help please?

Mandiant Attack Surface Management 30-day free trial https://www.mandiant.com/attack-surface-management-free-trial