# Mandiant Threat Intelligence
The Mandiant Threat Intelligence connector enables seamless integration of Mandiant's rich threat intelligence data into security workflows, providing timely and relevant information about emerging threats.

Mandiant Threat Intelligence provides comprehensive cyber threat intelligence that empowers security teams to understand the tactics, techniques, and procedures of adversaries. This connector enables seamless integration with Swimlane Turbine, allowing users to automate the retrieval of threat actor indicators, malware indicators, and detailed threat intelligence reports. By leveraging Mandiant's rich intelligence data, organizations can enhance their threat detection and response capabilities, ensuring a proactive security posture within the Swimlane ecosystem.

## Prerequisites

To effectively utilize the Mandiant Threat Intelligence connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 client credentials for authentication, with the following parameters:
  - URL: endpoint for the Mandiant Threat Intelligence API
  - API Key: your unique identifier to authenticate with the Mandiant API
  - API Secret: a secret key paired with your API Key for enhanced security

The Mandiant Threat Intelligence connector integrates with Swimlane Turbine to retrieve indicators, threat actor indicators, malware indicators and report indicators.

## Capabilities

This connector provides the following capabilities:

- Get Actor Indicators
- Get Indicator
- Get Indicator by Value and Type
- Get Malware Indicators
- Get Report Indicators

## Asset Setup

This connector uses OAuth authentication and requires the below parameters:

- Key ID
- Key Secret

Steps to generate keys for personal use (development and testing) from your Mandiant Advantage user account:

1. Log in to Mandiant Advantage: https://advantage.mandiant.com
2. Click the Settings menu.
3. From the APIv4 Access and Key section, click the Get Key ID and Secret button.
4. The Key ID and Key Secret are displayed. Copy and paste these to a safe location.

## Configurations

### Mandiant OAuth 2.0 Client Credentials

Authenticates Mandiant Threat Intelligence using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | Required |
| client_id | API Key | string | Required |
| client_secret | API Secret | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Get Actor Indicators

Retrieve a list of indicators for a specified threat actor from Mandiant Threat Intelligence, including associated UNC groups.

Endpoint URL: `/v4/actor/{{id_or_name}}/indicators`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| id_or_name | string | Required | The ID or name of the threat actor to return |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| indicator_count | object | Count value |
| indicator_count.total | number | Output field total |
| indicator_count.hash | number | Output field hash |
| indicator_count.url | number | Count of URL indicators |
| indicator_count.fqdn | number | Output field fqdn |
| indicator_count.ipv4 | number | Output field ipv4 |
| indicator_count.email | number | Output field email |
| name | string | Name of the resource |
| indicators | array | Output field indicators |
| indicators.first_seen | string | Output field first_seen |
| indicators.last_seen | string | Output field last_seen |
| indicators.mscore | number | Score value |
| indicators.attributed_associations | array | Output field attributed_associations |
| indicators.attributed_associations.name | string | Name of the resource |
| indicators.attributed_associations.id | string | Unique identifier |
| indicators.attributed_associations.type | string | Type of the resource |
| indicators.id | string | Unique identifier |
| indicators.type | string | Type of the resource |
| indicators.value | string | Value for the parameter |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "threat-actor--0ac5c1db-8ad6-54b8-b4b9-c32fc738c54a",
      "indicator_count": {},
      "name": "APT1",
      "indicators": []
    }
  }
]
```

### Get Indicator

Retrieve a paginated list of indicators from Mandiant Threat Intelligence using defined parameters, including the start epoch.

Endpoint URL: `/v4/indicator`

Method: GET

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| limit | number | Optional | Defines the maximum number of results to return. Default 25 and maximum allowed 1000. |
| offset | number | Optional | The number of items to skip before starting to collect the result set. If not specified, defaults to zero (0). The maximum amount of items that can be fetched using an offset and limit is 10,000 (the offset + limit must be <= 10,000). |
| gte_mscore | number | Optional | Defines the minimum indicator confidence score to return. |
| exclude_osint | boolean | Optional | Defines if open source indicators should be returned. |
| include_reports | boolean | Optional | Used to include related reports. |
| report_limit | number | Optional | Defines the maximum number of reports in the list. Default 25 and maximum allowed 1000. |
| include_campaigns | boolean | Optional | Used to include related campaigns. |
| start_epoch | number | Required | Defines the start time of the data to load in epoch format, based on an indicator's last_updated value. The window must be less than 90 days. |
| only_recent_days | number | Optional | Optionally defines the number of days of data to load relative to the specified start_epoch value and the indicator's last_seen value. The default of 30 is recommended and will yield relevant indicators for most use cases. Minimum allowed 0 (last_seen will not be considered when set to 0). Maximum allowed 365. |
| end_epoch | number | Optional | Defines the end time of the data to load in epoch format, based on an indicator's last_updated value. |
| next | string | Optional | Used to get the next page of results. When using next, no other parameters should be included in the request. Note: the token returned is valid for 10 minutes. |
| sort_by | string | Optional | The field on which the sort needs to be performed. It can also be extended to support sort order by appending a separator and the sort order. |
| sort_order | string | Optional | Specify sort order: asc or desc. |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| indicators | array | Output field indicators |
| indicators.associated_hashes | array | Output field associated_hashes |
| indicators.associated_hashes.id | string | Unique identifier |
| indicators.associated_hashes.type | string | Type of the resource |
| indicators.associated_hashes.value | string | Value for the parameter |
| indicators.attributed_associations | array | Output field attributed_associations |
| indicators.attributed_associations.id | string | Unique identifier |
| indicators.attributed_associations.name | string | Name of the resource |
| indicators.attributed_associations.type | string | Type of the resource |
| indicators.first_seen | string | Output field first_seen |
| indicators.id | string | Unique identifier |
| indicators.is_exclusive | boolean | Output field is_exclusive |
| indicators.is_publishable | boolean | Output field is_publishable |
| indicators.last_seen | string | Output field last_seen |
| indicators.last_updated | string | Output field last_updated |
| indicators.misp | object | Output field misp |
| indicators.misp.akamai | boolean | Output field akamai |
| indicators.misp.alexa | boolean | Output field alexa |
| indicators.misp.alexa_1m | boolean | Output field alexa_1m |
| indicators.misp.amazon_aws | boolean | Output field amazon_aws |
| indicators.misp.apple | boolean | Output field apple |
| indicators.misp.automated_malware_analysis | boolean | Output field automated_malware_analysis |
| indicators.misp.bank_website | boolean | Output field bank_website |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "indicators": [],
      "next": "string"
    }
  }
]
```

### Get Indicator by Value and Type

Retrieve a specific indicator object from Mandiant Threat Intelligence using its type and value.

Endpoint URL: `/v4/indicator/{{indicator_type}}/{{indicator_value}}`

Method: GET

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| indicator_type | string | Required | Type of the resource |
| indicator_value | string | Required | Value for the parameter |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| mscore | number | Score value |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| is_publishable | boolean | Output field is_publishable |
| sources | array | Output field sources |
| sources.first_seen | string | Output field first_seen |
| sources.last_seen | string | Output field last_seen |
| sources.osint | boolean | Output field osint |
| sources.category | array | Output field category |
| sources.file_name | string | Name of the resource |
| sources.file | string | Output field file |
| sources.source_name | string | Name of the resource |
| misp | object | Output field misp |
| misp.akamai | boolean | Output field akamai |
| misp.alexa | boolean | Output field alexa |
| misp.amazon_aws | boolean | Output field amazon_aws |
| misp.apple | boolean | Output field apple |
| misp.automated_malware_analysis | boolean | Output field automated_malware_analysis |
| misp.bank_website | boolean | Output field bank_website |
| misp.captive_portals | boolean | Output field captive_portals |
| misp.censys_scanning | boolean | Output field censys_scanning |
| misp.check_host_net | boolean | Output field check_host_net |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 20 Jun 2024 10:18:11 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Vary": "Origin",
      "X-Envoy-Upstream-Service-Time": "12",
      "Via": "1.1 google",
      "CF-Cache-Status": "DYNAMIC",
      "Server": "cloudflare",
      "CF-RAY": "896b03695ee6445d-BOM",
      "Content-Encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "id": "ipv4--ad58d6ad-381e-5b21-9f31-36ef8404ea6f",
      "mscore": 50,
      "type": "ipv4",
      "value": "39.52.41.194",
      "is_publishable": true,
      "sources": [],
      "misp": {},
      "last_updated": "2024-05-31T11:35:06.557Z",
      "first_seen": "2024-03-02T10:10:00.000Z",
      "last_seen": "2024-03-02T10:10:06.000Z"
    }
  }
]
```

### Get Malware Indicators

Retrieve a list of indicators associated with a specified malware from Mandiant Threat Intelligence using either its ID or name.

Endpoint URL: `/v4/malware/{{id_or_name}}/indicators`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| id_or_name | string | Required | The ID or name of the malware family to return |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| indicator_count | object | Count value |
| indicator_count.total | number | Output field total |
| indicator_count.hash | number | Output field hash |
| indicator_count.url | number | Count of URL indicators |
| indicator_count.fqdn | number | Output field fqdn |
| indicator_count.ipv4 | number | Output field ipv4 |
| indicator_count.email | number | Output field email |
| name | string | Name of the resource |
| indicators | array | Output field indicators |
| indicators.first_seen | string | Output field first_seen |
| indicators.last_seen | string | Output field last_seen |
| indicators.mscore | number | Score value |
| indicators.attributed_associations | array | Output field attributed_associations |
| indicators.attributed_associations.name | string | Name of the resource |
| indicators.attributed_associations.id | string | Unique identifier |
| indicators.attributed_associations.type | string | Type of the resource |
| indicators.id | string | Unique identifier |
| indicators.type | string | Type of the resource |
| indicators.value | string | Value for the parameter |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "malware--81f821d1-4ec9-534d-8dc7-53da47e5074a",
      "indicator_count": {},
      "name": "008S",
      "indicators": []
    }
  }
]
```

### Get Report Indicators

Retrieve indicator objects and associated reports from Mandiant Threat Intelligence using the provided ID.

Endpoint URL: `/v4/indicator/{{id}}/reports`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | Required | The ID of the object to return |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| mscore | number | Score value |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| is_customer_releasable | boolean | Output field is_customer_releasable |
| reports | array | Output field reports |
| reports.id | string | Unique identifier |
| reports.report_id | string | Unique identifier |
| reports.type | string | Type of the resource |
| reports.title | string | Output field title |
| reports.published_date | string | Date value |
| reports.audience | array | Output field audience |
| next | string | Output field next |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "ipv4--98019aaa-43af-5869-b530-591a9a9d9fb3",
      "mscore": 100,
      "type": "ipv4",
      "value": "190.31.53.131",
      "first_seen": "2020-08-05T21:31:41Z",
      "last_seen": "2021-01-10T06:52:11Z",
      "is_customer_releasable": true,
      "reports": [],
      "next": "fgluy2x1zgvfy29udgv4df91dwlkdnf1zxj5v"
    }
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| CF-Cache-Status | HTTP response header CF-Cache-Status | DYNAMIC |
| CF-RAY | HTTP response header CF-RAY | 896b03695ee6445d-BOM |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| Server | Information about the software used by the origin server | cloudflare |
| Set-Cookie | HTTP response header Set-Cookie | __cf_bm=<cookie value omitted>; path=/; expires=Wed, 24 Jan 24 13:06:25 GMT; domain=.mandiant.com; HttpOnly; Secure; SameSite=None |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=15724800; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Origin |
| Via | HTTP response header Via | 1.1 google |
| X-Amzn-Trace-Id | HTTP response header X-Amzn-Trace-Id | 8706bdd97032bce4c21759f54ecfad69 |
| X-Envoy-Upstream-Service-Time | HTTP response header X-Envoy-Upstream-Service-Time | 12 |

## Notes

- Mandiant Threat Intelligence API documentation: https://docs.mandiant.com/home/mati-threat-intelligence-api-v4
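The Get Indicator action above carries several limits the API enforces server-side (offset + limit <= 10,000, a start/end window under 90 days, only_recent_days between 0 and 365, and a `next` token that must be sent alone and expires after 10 minutes). The following Python is an added example, not the Swimlane connector's or Mandiant's own code, that checks those limits client-side and pages through results correctly; `fetch` is an assumed callable that performs the authenticated GET against `/v4/indicator` and returns the decoded JSON body.

```python
# Added example (not the Swimlane connector's or Mandiant's own code): client-side
# enforcement of the Get Indicator constraints, plus a pager for the `next` token.
# `fetch` is an assumed callable that performs the authenticated GET /v4/indicator.
import time
from typing import Callable, Dict, Iterator, Optional

MAX_WINDOW_SECS = 90 * 24 * 3600   # start_epoch..end_epoch window must be < 90 days
MAX_PAGE_DEPTH = 10_000            # offset + limit must be <= 10,000
NEXT_TOKEN_TTL = 600               # the next token is valid for 10 minutes


def build_indicator_query(start_epoch: int, *, end_epoch: Optional[int] = None, limit: int = 25,
                          offset: int = 0, gte_mscore: Optional[int] = None,
                          only_recent_days: int = 30, exclude_osint: bool = False) -> dict:
    """Reject requests the API would refuse before any credential is spent on them."""
    if not 1 <= limit <= 1000:
        raise ValueError("limit must be between 1 and 1000")
    if offset < 0 or offset + limit > MAX_PAGE_DEPTH:
        raise ValueError("offset + limit must be <= 10,000")
    if not 0 <= only_recent_days <= 365:
        raise ValueError("only_recent_days must be between 0 and 365")
    if end_epoch is not None and not 0 < end_epoch - start_epoch < MAX_WINDOW_SECS:
        raise ValueError("start_epoch..end_epoch window must be less than 90 days")
    query: Dict[str, object] = {"start_epoch": start_epoch, "limit": limit, "offset": offset,
                                "only_recent_days": only_recent_days,
                                "exclude_osint": exclude_osint}
    if end_epoch is not None:
        query["end_epoch"] = end_epoch
    if gte_mscore is not None:
        query["gte_mscore"] = gte_mscore  # minimum confidence score to return
    return query


def iter_indicators(fetch: Callable[[Dict[str, object]], dict], query: Dict[str, object],
                    max_pages: int = 100) -> Iterator[dict]:
    """Yield every indicator across pages. A `next` request carries only the token."""
    params: Dict[str, object] = dict(query)
    token_issued = time.monotonic()
    for _ in range(max_pages):
        if "next" in params and time.monotonic() - token_issued > NEXT_TOKEN_TTL:
            raise RuntimeError("next token is older than 10 minutes; restart the query")
        body = fetch(params)
        token_issued = time.monotonic()
        yield from body.get("indicators", [])
        token = body.get("next")
        if not token:
            return
        params = {"next": token}  # no other parameters may accompany next
```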