# Mandiant Threat Intelligence
The Mandiant Threat Intelligence connector enables seamless integration of Mandiant's rich threat intelligence data into security workflows, providing timely and relevant information about emerging threats.

Mandiant Threat Intelligence provides comprehensive cyber threat intelligence that empowers security teams to understand the tactics, techniques, and procedures of adversaries. This connector enables seamless integration with Swimlane Turbine, allowing users to automate the retrieval of threat actor indicators, malware indicators, and detailed threat intelligence reports. By leveraging Mandiant's rich intelligence data, organizations can enhance their threat detection and response capabilities, ensuring a proactive security posture within the Swimlane ecosystem.

## Prerequisites

To effectively utilize the Mandiant Threat Intelligence connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 client credentials for authentication, with the following parameters:
  - URL: endpoint for the Mandiant Threat Intelligence API
  - API Key: your unique identifier to authenticate with the Mandiant API
  - API Secret: a secret key paired with your API Key for enhanced security

The Mandiant Threat Intelligence connector integrates with Swimlane Turbine to retrieve indicators, threat actors, malware, and report indicators.

## Capabilities

This connector provides the following capabilities:

- Get Actor Indicators
- Get Indicator
- Get Indicator by Value and Type
- Get Malware Indicators
- Get Report Indicators

## Asset Setup

This connector uses OAuth authentication and requires the below parameters:

- Key ID
- Key Secret

Steps to generate keys for personal use (development and testing) from your Mandiant Advantage user account:

1. Log in to Mandiant Advantage: https://advantage.mandiant.com
2. Click the Settings menu.
3. From the APIv4 Access and Key section, click the Get Key ID and Secret button.
4. The Key ID and Key Secret are displayed; copy and paste these to a safe location.

## Notes

- https://docs.mandiant.com/home/mati-threat-intelligence-api-v4

## Configurations

### Mandiant OAuth 2.0 Client Credentials

Authenticates Mandiant Threat Intelligence using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Client ID | API Key | string | required |
| Client Secret | API Secret | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Get Actor Indicators

Retrieve a list of indicators for a specified threat actor from Mandiant Threat Intelligence, including associated UNC groups.

- Endpoint URL: `/v4/actor/{{id_or_name}}/indicators`
- Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id_or_name | string | required | The ID or name of the threat actor to return |

Input example:

```json
{"path_parameters": {"id_or_name": "threat-actor--0ac5c1db-8ad6-54b8-b4b9-c32fc738c54a"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| indicator_count | object | Count value |
| indicator_count.total | number | Output field indicator_count.total |
| indicator_count.hash | number | Output field indicator_count.hash |
| indicator_count.url | number | URL endpoint for the request |
| indicator_count.fqdn | number | Output field indicator_count.fqdn |
| indicator_count.ipv4 | number | Output field indicator_count.ipv4 |
| indicator_count.email | number | Output field indicator_count.email |
| name | string | Name of the resource |
| indicators | array | Output field indicators |
| indicators.first_seen | string | Output field indicators.first_seen |
| indicators.last_seen | string | Output field indicators.last_seen |
| indicators.mscore | number | Score value |
| indicators.attributed_associations | array | Output field indicators.attributed_associations |
| indicators.attributed_associations.name | string | Name of the resource |
| indicators.attributed_associations.id | string | Unique identifier |
| indicators.attributed_associations.type | string | Type of the resource |
| indicators.id | string | Unique identifier |
| indicators.type | string | Type of the resource |
| indicators.value | string | Value for the parameter |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"id": "threat-actor--0ac5c1db-8ad6-54b8-b4b9-c32fc738c54a", "indicator_count": {"total": 83, "hash": 0, "url": 0, "fqdn": 14, "ipv4": 69, "email": 0}, "name": "APT1", "indicators": [{}]}}
```

### Get Indicator

Retrieve a paginated list of indicators from Mandiant Threat Intelligence using defined parameters, including the start epoch.

- Endpoint URL: `/v4/indicator`
- Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Defines the maximum number of results to return. Default 25 and maximum allowed 1000. |
| parameters.offset | number | optional | The number of items to skip before starting to collect the result set. If not specified, defaults to zero (0). The maximum amount of items that can be fetched using an offset and limit is 10,000 (the offset + limit must be <= 10,000). |
| parameters.gte_mscore | number | optional | Defines the minimum indicator confidence score to return. |
| parameters.exclude_osint | boolean | optional | Defines if open source indicators should be returned. |
| parameters.include_reports | boolean | optional | Used to include related reports. |
| parameters.report_limit | number | optional | Defines the maximum number of reports in the list. Default 25 and maximum allowed 1000. |
| parameters.include_campaigns | boolean | optional | Used to include related campaigns. |
| parameters.start_epoch | number | required | Defines the start time of the data to load in epoch format, based on an indicator's last_updated value. The window must be less than 90 days. |
| parameters.only_recent_days | number | optional | Optionally defines the number of days of data to load relative to the specified start_epoch value and the indicator's last_seen value. The default of 30 is recommended and will yield relevant indicators for most use cases. Minimum allowed 0 (last_seen will not be considered when set to 0); maximum allowed 365. |
| parameters.end_epoch | number | optional | Defines the end time of the data to load in epoch format, based on an indicator's last_updated value. |
| parameters.next | string | optional | Used to get the next page of results. When using next, no other parameters should be included in the request. Note: the token returned is valid for 10 minutes. |
| parameters.sort_by | string | optional | The field on which the sort needs to be performed. It can also be extended to support sort order by appending a separator character and the sort order. |
| parameters.sort_order | string | optional | Specify sort order: asc or desc. |

Input example:

```json
{"parameters": {"limit": 25, "offset": 0, "gte_mscore": 80, "exclude_osint": true, "include_reports": true, "report_limit": 1, "include_campaigns": true, "start_epoch": 1700823637, "only_recent_days": 15, "end_epoch": 1653426342, "next": "", "sort_by": "publish_date", "sort_order": "desc"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| indicators | array | Output field indicators |
| indicators.associated_hashes | array | Output field indicators.associated_hashes |
| indicators.associated_hashes.id | string | Unique identifier |
| indicators.associated_hashes.type | string | Type of the resource |
| indicators.associated_hashes.value | string | Value for the parameter |
| indicators.attributed_associations | array | Output field indicators.attributed_associations |
| indicators.attributed_associations.id | string | Unique identifier |
| indicators.attributed_associations.name | string | Name of the resource |
| indicators.attributed_associations.type | string | Type of the resource |
| indicators.first_seen | string | Output field indicators.first_seen |
| indicators.id | string | Unique identifier |
| indicators.is_exclusive | boolean | Output field indicators.is_exclusive |
| indicators.is_publishable | boolean | Output field indicators.is_publishable |
| indicators.last_seen | string | Output field indicators.last_seen |
| indicators.last_updated | string | Output field indicators.last_updated |
| indicators.misp | object | Output field indicators.misp |
| indicators.misp.akamai | boolean | Output field indicators.misp.akamai |
| indicators.misp.alexa | boolean | Output field indicators.misp.alexa |
| indicators.misp.alexa_1m | boolean | Output field indicators.misp.alexa_1m |
| indicators.misp.amazon-aws | boolean | Output field indicators.misp.amazon-aws |
| indicators.misp.apple | boolean | Output field indicators.misp.apple |
| indicators.misp.automated-malware-analysis | boolean | Output field indicators.misp.automated-malware-analysis |
| indicators.misp.bank-website | boolean | Output field indicators.misp.bank-website |

Output example:

```json
{"indicators": [{"associated_hashes": [], "attributed_associations": [], "first_seen": "string", "id": "12345678-1234-1234-1234-123456789abc", "is_exclusive": true, "is_publishable": true, "last_seen": "string", "last_updated": "string", "misp": {}, "mscore": 123, "reports": [], "campaigns": [], "sources": [], "type": "string", "value": "string"}], "next": "string"}
```

### Get Indicator by Value and Type

Retrieve a specific indicator object from Mandiant Threat Intelligence using its type and value.

- Endpoint URL: `/v4/indicator/{{indicator_type}}/{{indicator_value}}`
- Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.indicator_type | string | required | Parameters for the Get Indicator by Value and Type action |
| path_parameters.indicator_value | string | required | Parameters for the Get Indicator by Value and Type action |

Input example:

```json
{"path_parameters": {"indicator_type": "ipv4", "indicator_value": "39.52.41.194"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| mscore | number | Score value |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| is_publishable | boolean | Output field is_publishable |
| sources | array | Output field sources |
| sources.first_seen | string | Output field sources.first_seen |
| sources.last_seen | string | Output field sources.last_seen |
| sources.osint | boolean | Output field sources.osint |
| sources.category | array | Output field sources.category |
| sources.category.file_name | string | Name of the resource |
| sources.category.file | string | Output field sources.category.file |
| sources.source_name | string | Name of the resource |
| misp | object | Output field misp |
| misp.akamai | boolean | Output field misp.akamai |
| misp.alexa | boolean | Output field misp.alexa |
| misp.amazon-aws | boolean | Output field misp.amazon-aws |
| misp.apple | boolean | Output field misp.apple |
| misp.automated-malware-analysis | boolean | Output field misp.automated-malware-analysis |
| misp.bank-website | boolean | Output field misp.bank-website |
| misp.captive-portals | boolean | Output field misp.captive-portals |
| misp.censys-scanning | boolean | Output field misp.censys-scanning |
| misp.check-host-net | boolean | Output field misp.check-host-net |

Output example (truncated as on the original page):

```json
{"status_code": 200, "response_headers": {"Date": "Thu, 20 Jun 2024 10:18:11 GMT", "Content-Type": "application/json; charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Vary": "Origin", "x-envoy-upstream-service-time": "12", "Via": "1.1 google", "CF-Cache-Status": "DYNAMIC", "Server": "cloudflare", "CF-RAY": "896b03695ee6445d-BOM", "Content-Encoding": "gzip"}, "reason": "OK", "json_body": {"id": "ipv4--ad58d6ad-381e-5b21-9f31-36ef8404ea6f", "mscore": 50, "type": "ipv4", "value": "39.52.41.194", "is_publis
```

### Get Malware Indicators

Retrieve a list of indicators associated with a specified malware from Mandiant Threat Intelligence using either its ID or name.

- Endpoint URL: `/v4/malware/{{id_or_name}}/indicators`
- Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id_or_name | string | required | The ID or name of the malware family to return |

Input example:

```json
{"path_parameters": {"id_or_name": "malware--81f821d1-4ec9-534d-8dc7-53da47e5074a"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| indicator_count | object | Count value |
| indicator_count.total | number | Output field indicator_count.total |
| indicator_count.hash | number | Output field indicator_count.hash |
| indicator_count.url | number | URL endpoint for the request |
| indicator_count.fqdn | number | Output field indicator_count.fqdn |
| indicator_count.ipv4 | number | Output field indicator_count.ipv4 |
| indicator_count.email | number | Output field indicator_count.email |
| name | string | Name of the resource |
| indicators | array | Output field indicators |
| indicators.first_seen | string | Output field indicators.first_seen |
| indicators.last_seen | string | Output field indicators.last_seen |
| indicators.mscore | number | Score value |
| indicators.attributed_associations | array | Output field indicators.attributed_associations |
| indicators.attributed_associations.name | string | Name of the resource |
| indicators.attributed_associations.id | string | Unique identifier |
| indicators.attributed_associations.type | string | Type of the resource |
| indicators.id | string | Unique identifier |
| indicators.type | string | Type of the resource |
| indicators.value | string | Value for the parameter |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"id": "malware--81f821d1-4ec9-534d-8dc7-53da47e5074a", "indicator_count": {"total": 4, "hash": 0, "url": 0, "fqdn": 4, "ipv4": 0, "email": 0}, "name": "008S", "indicators": [{}]}}
```

### Get Report Indicators

Retrieve indicator objects and associated reports from Mandiant Threat Intelligence using the provided ID.

- Endpoint URL: `/v4/indicator/{{id}}/reports`
- Method: GET

#### Input Argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | The ID of the object to return |

Input example:

```json
{"path_parameters": {"id": "ipv4--98019aaa-43af-5869-b530-591a9a9d9fb3"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| mscore | number | Score value |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| first_seen | string | Output field first_seen |
| last_seen | string | Output field last_seen |
| is_customer_releasable | boolean | Output field is_customer_releasable |
| reports | array | Output field reports |
| reports.id | string | Unique identifier |
| reports.report_id | string | Unique identifier |
| reports.type | string | Type of the resource |
| reports.title | string | Output field reports.title |
| reports.published_date | string | Date value |
| reports.audience | array | Output field reports.audience |
| next | string | Output field next |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"id": "ipv4--98019aaa-43af-5869-b530-591a9a9d9fb3", "mscore": 100, "type": "ipv4", "value": "190.31.53.131", "first_seen": "2020-08-05T21:31:41Z", "last_seen": "2021-01-10T06:52:11Z", "is_customer_releasable": true, "reports": [{}], "next": "fgluy2x1zgvfy29udgv4df91dwlkdnf1zxj5v"}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| CF-Cache-Status | HTTP response header CF-Cache-Status | DYNAMIC |
| CF-RAY | HTTP response header CF-RAY | 84a85266a8349a8a-NAG |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Date | The date and time at which the message was originated | Thu, 20 Jun 2024 10:18:11 GMT |
| Server | Information about the software used by the origin server | cloudflare |
| Set-Cookie | HTTP response header Set-Cookie | __cf_bm=p5a9erukxqespuvaktfq2hexecypzwcsijmilpyxsw4-1706099785-1-acmmim+v5egsqbvdlpkojcvyrfqnmgtrknym+4fpmv1skdqzllvd3kymzhag6q1ezoyqq6x3x5b1qxlqnbynmqc=; path=/; expires=Wed, 24-Jan-24 13:06:25 GMT; domain=.mandiant.com; HttpOnly; Secure; SameSite=None |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=15724800; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Origin |
| Via | HTTP response header Via | 1.1 google |
| X-Amzn-Trace-Id | HTTP response header X-Amzn-Trace-Id | 8706bdd97032bce4c21759f54ecfad69 |
| x-envoy-upstream-service-time | HTTP response header x-envoy-upstream-service-time | 12 |
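The following Python helper is an added example, not connector or Mandiant code, showing how a consumer of the Get Indicator action above would honour its documented constraints: it validates `limit`, `offset + limit` and the `start_epoch`/`end_epoch` window before the first request, follows the `next` token with no other parameters, and keeps only indicators whose `mscore` meets a confidence threshold and that are `is_publishable`. The names `build_query`, `iter_indicators`, `fake_api` and `ingest` are assumptions, and `fake_api` serves two constructed response pages (RFC 5737 test addresses) in place of the live HTTP call.

```python
from typing import Callable, Dict, Iterator, List, Optional

MAX_LIMIT, MAX_WINDOW, MAX_SPAN = 1000, 10_000, 90 * 86400  # limit cap, offset+limit cap, <90-day window


def build_query(start_epoch: int, end_epoch: Optional[int] = None, limit: int = 25,
                offset: int = 0, gte_mscore: Optional[int] = None) -> Dict:
    """Validate and assemble the first-page query; later pages carry only 'next'."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 1000")
    if offset < 0 or offset + limit > MAX_WINDOW:
        raise ValueError("offset + limit must be <= 10,000")
    if end_epoch is not None and not 0 < end_epoch - start_epoch < MAX_SPAN:
        raise ValueError("end_epoch must be after start_epoch and within 90 days")
    params: Dict = {"start_epoch": start_epoch, "limit": limit, "offset": offset}
    params.update({k: v for k, v in (("end_epoch", end_epoch), ("gte_mscore", gte_mscore)) if v is not None})
    return params


def iter_indicators(fetch: Callable[[Dict], Dict], first_query: Dict, min_mscore: int = 80) -> Iterator[Dict]:
    """Follow 'next' tokens, yielding only confident (mscore) and publishable indicators."""
    query = dict(first_query)
    while True:
        body = fetch(query)
        for ind in body.get("indicators", []):
            if ind.get("mscore", 0) >= min_mscore and ind.get("is_publishable", False):
                yield ind
        token = body.get("next")
        if not token:
            return
        query = {"next": token}  # docs: no other parameters when using 'next'


def _ind(value: str, mscore: int, publishable: bool = True) -> Dict:
    return {"type": "ipv4", "value": value, "mscore": mscore, "is_publishable": publishable}


# Constructed two-page response set standing in for the live API (hypothetical fake_api below serves it).
_PAGES = {
    "first": {"indicators": [_ind("198.51.100.7", 95), _ind("198.51.100.8", 40)], "next": "page2-token"},
    "page2-token": {"indicators": [_ind("203.0.113.9", 85), _ind("203.0.113.10", 90, False)]},
}


def fake_api(params: Dict) -> Dict:
    if "next" in params and set(params) != {"next"}:
        raise ValueError("next must be sent without other parameters")  # rule from the docs
    return _PAGES[params.get("next", "first")]


def ingest(min_mscore: int = 80) -> List[str]:
    query = build_query(start_epoch=1717200000, limit=2, gte_mscore=min_mscore)
    return [ind["value"] for ind in iter_indicators(fake_api, query, min_mscore)]
```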