Integrate Mandiant Digital Threat Monitoring with Google SecOps
This document provides guidance on how to integrate Mandiant Digital Threat Monitoring with Google Security Operations (Google SecOps).
Integration version: 4.0
Integration parameters
The Mandiant Digital Threat Monitoring integration requires the following parameters:
| Parameters | Description | 
|---|---|
| API Root | Required The API root of the Mandiant instance. The default value is https://api.intelligence.mandiant.com. To authenticate with Google Threat Intelligence credentials, enter the following value: https://www.virustotal.com. | 
| Client ID | Optional The client ID of the Mandiant Digital Threat Monitoring account. | 
| Client Secret | Optional The client secret of the Mandiant Digital Threat Monitoring account. | 
| GTI API Key | Optional The API key of Google Threat Intelligence. To authenticate using Google Threat Intelligence, set the API Root parameter value to https://www.virustotal.com. Authenticating using the Google Threat Intelligence API key has priority over other authentication methods. | 
| Verify SSL | Required If selected, the integration verifies that the SSL certificate for the connection to the Mandiant server is valid. Selected by default. | 
For instructions about configuring an integration in Google SecOps, see Configure integrations .
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances .
Actions
The Mandiant Digital Threat Monitoring integration includes the following actions:
Ping
Use the Ping action to test connectivity to the Mandiant Digital Threat Monitoring server.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Not available | 
| Output messages | Available | 
| Script result | Available | 
Output messages
The Ping action can return the following output messages:
| Output message | Message description | 
|---|---|
| Successfully connected to the Mandiant DTM server with the provided connection parameters! | Action succeeded. | 
| Failed to connect to the Mandiant DTM server! Error is: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. | 
Script result
The following table lists the value for the script result output when using the Ping action:
| Script result name | Value | 
|---|---|
| is_success | True or False | 
Update Alert
Use the Update Alert action to update an alert in Mandiant Digital Threat Monitoring.
Action inputs
The Update Alert action requires the following parameters:
Alert ID 
The ID of the alert to update.
Status 
The alert status.
Possible values are as follows:
-  New
-  Read
-  Resolved
-  Escalated
-  In Progress
-  No Action Required
-  Duplicate
-  Not Relevant
-  Tracked Externally
Action outputs
The Update Alert action provides the following outputs:
| Action output type | Availability | 
|---|---|
| Case wall attachment | Not available | 
| Case wall link | Not available | 
| Case wall table | Not available | 
| Enrichment table | Not available | 
| JSON result | Available | 
| Output messages | Available | 
| Script result | Available | 
JSON result
The following example shows the JSON result output received when using the Update Alert action:
```json
{
  "id": "ID",
  "monitor_id": "MONITOR_ID",
  "topic_matches": [
    {
      "topic_id": "4a6ffb0f-e90d-46ce-b10a-3a1e24fbe70d",
      "value": "ap-southeast-1.example.com",
      "term": "lwd",
      "offsets": [26, 29]
    },
    {
      "topic_id": "doc_type:domain_discovery",
      "value": "domain_discovery"
    }
  ],
  "label_matches": [],
  "doc_matches": [],
  "tags": [],
  "created_at": "2024-05-31T12:27:43.475Z",
  "updated_at": "2024-05-31T12:43:20.399Z",
  "labels_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/domain_discovery/ID/labels",
  "topics_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/domain_discovery/ID/topics",
  "doc_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/domain_discovery/ID",
  "status": "closed",
  "alert_type": "Domain Discovery",
  "alert_summary": "See alert content for details",
  "title": "Suspicious domain \"ap-southeast-1.example.com\" similar to \"lwd\"",
  "email_sent_at": "",
  "severity": "medium",
  "confidence": 0.5,
  "has_analysis": false,
  "monitor_version": 2
}
```
Output messages
The Update Alert action can return the following output messages:
| Output message | Message description | 
|---|---|
| Successfully updated alert with ID INCIDENT_ID in Mandiant DTM. | Action succeeded. | 
| Error executing action "Update Alert". Reason: ERROR_REASON | Action failed. Check the connection to the server, input parameters, or credentials. | 
Script result
The following table lists the value for the script result output when using the Update Alert action:
| Script result name | Value | 
|---|---|
| is_success | True or False | 
Connectors
For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors) .
Mandiant DTM – Alerts Connector
Use the Mandiant DTM – Alerts Connector to pull alerts from Mandiant Digital Threat Monitoring. To work with a dynamic list, use the alert_type parameter.
The Mandiant DTM – Alerts Connector requires the following parameters:
Product Field Name
The name of the field where the product name is stored.
The default value is Product Name.
Event Field Name
The name of the field used to determine the event name (subtype).
The default value is event_type.
Environment Field Name
The name of the field where the environment name is stored.
If the environment field isn't found, the environment is set to the default value.
The default value is "".
Environment Regex Pattern
A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic.
Use the default value .* to retrieve the required raw Environment Field Name value.
If the regular expression pattern is null or empty, or the environment value is null, the final environment result is "".
Script Timeout
The timeout limit in seconds for the Python process running the current script.
The default value is 180.
API Root
The API root of the Mandiant instance.
The default value is https://api.intelligence.mandiant.com.
To authenticate with Google Threat Intelligence credentials, enter the following value: https://www.virustotal.com.
Client ID
The client ID of the Mandiant Digital Threat Monitoring account.
Client Secret
The client secret of the Mandiant Digital Threat Monitoring account.
GTI API Key
The API key of Google Threat Intelligence.
To authenticate using Google Threat Intelligence, set the API Root parameter value to https://www.virustotal.com.
When you authenticate using the Google Threat Intelligence API key, it takes priority over other authentication methods.
Lowest Severity To Fetch
The lowest severity score of the alerts to retrieve.
If you don't configure this parameter, the connector ingests alerts with all severities.
The parameter accepts the following severity values:
-  Low
-  Medium
-  High
Monitor ID Filter
A comma-separated list of monitor IDs to retrieve the alerts from.
Max Hours Backwards
The number of hours before the current time from which to fetch alerts.
The default value is 1 hour.
Max Alerts To Fetch
The number of alerts to process for every connector iteration.
The default value is 25.
Disable Overflow
If selected, the connector ignores the overflow mechanism.
Not selected by default.
Use dynamic list as a blocklist
If selected, the integration uses the dynamic list as a blocklist.
Not selected by default.
Verify SSL
If selected, the connector verifies that the SSL certificate for the connection to the Mandiant server is valid.
Selected by default.
Proxy Server Address
The address of the proxy server to use.
Proxy Username
The proxy username to authenticate with.
Proxy Password
The proxy password to authenticate with.
Connector rules
The connector supports proxies.
Connector events
There are two types of events for the Mandiant DTM – Alerts Connector: an event that is based on the main alert and an event that is based on a topic.
An example of the connector event based on the main alert is as follows:
```json
{
  "id": "ID",
  "event_type": "Main Alert",
  "monitor_id": "MONITOR_ID",
  "doc": {
    "__id": "6ed37932-b74e-4253-aa69-3eb4b00d0ea2",
    "__type": "account_discovery",
    "ingested": "2024-05-20T16:15:53Z",
    "service_account": {
      "login": "user@example.com",
      "password": {
        "plain_text": "********"
      },
      "profile": {
        "contact": {
          "email": "user@example.com",
          "email_domain": "example.com"
        }
      },
      "service": {
        "inet_location": {
          "domain": "www.example-service.com",
          "path": "/signin/app",
          "protocol": "https",
          "url": "https://www.example-service.com/signin/app"
        },
        "name": "www.example-service.com"
      }
    },
    "source": "ccmp",
    "source_file": {
      "filename": "[1.145.094.680] urlloginpass ap.txt",
      "hashes": {
        "md5": "c401baa01fbe311753b26334b559d945",
        "sha1": "bf700f18b6ab562afb6128b42a34ae088f9c7434",
        "sha256": "5e6302d95a7e7edb28d68926cede0c44babded720ad1cc9a72c12d8c6d66153f"
      },
      "size": 84161521407
    },
    "source_url": "https://cymbalgroup.com",
    "timestamp": "2023-11-14T20:09:04Z"
  },
  "labels": "Label",
  "topic_matches": [
    {
      "topic_id": "doc_type:account_discovery",
      "value": "account_discovery"
    }
  ],
  "label_matches": [],
  "doc_matches": [
    {
      "match_path": "service_account.profile.contact.email_domain",
      "locations": [
        {
          "offsets": [0, 9],
          "value": "example.com"
        }
      ]
    }
  ],
  "tags": [],
  "created_at": "2024-05-20T16:16:52.439Z",
  "updated_at": "2024-05-30T12:10:56.691Z",
  "labels_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/account_discovery/ID/labels",
  "topics_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/account_discovery/ID/topics",
  "doc_url": "https://api.intelligence.mandiant.com/v4/dtm/docs/account_discovery/ID",
  "status": "read",
  "alert_type": "Compromised Credentials",
  "alert_summary": "ccmp",
  "title": "Leaked Credentials found for domain \"example.com\"",
  "email_sent_at": "",
  "indicator_mscore": 60,
  "severity": "high",
  "confidence": 0.9999995147741939,
  "aggregated_under_id": "ID",
  "monitor_name": "Compromised Credentials - Example",
  "has_analysis": false,
  "meets_password_policy": "policy_unset",
  "monitor_version": 1
}
```
An example of the connector event based on a topic is as follows:
```json
{
  "id": "ID",
  "event_type": "location_name",
  "location_name": "LOCATION_NAME",
  "timestamp": "2024-05-25T10:56:17.201Z",
  "type": "location_name",
  "value": "LOCATION_NAME",
  "extractor": "analysis-pipeline.nerprocessor-nerenglish-gpu",
  "extractor_version": "4-0-2",
  "confidence": 100,
  "entity_locations": [
    {
      "element_path": "body",
      "offsets": [227, 229]
    }
  ]
}
```
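The connector parameters above (Lowest Severity To Fetch, Monitor ID Filter, the dynamic list with Use dynamic list as a blocklist, Max Alerts To Fetch, and the Environment Field Name / Environment Regex Pattern pair) each narrow or reshape what reaches Google SecOps, and it is easy to misjudge how they combine. The following Python is an added example, not the integration's own connector code: it applies those documented rules to constructed "Main Alert" events shaped like the one above (trimmed to the fields the filters touch). The function names, the assumption that the dynamic list acts as an allowlist on alert_type unless the blocklist option is selected, and the dotted-path syntax for the environment field are this example's own choices.

```python
import re

# Constructed sample events: the shape follows the "Main Alert" connector event
# documented above, cut down to the fields the connector filters look at.
SAMPLE_EVENTS = [
    {"id": "alert-1", "event_type": "Main Alert", "monitor_id": "mon-a",
     "severity": "high", "alert_type": "Compromised Credentials",
     "doc": {"service_account": {"profile": {"contact": {"email_domain": "example.com"}}}}},
    {"id": "alert-2", "event_type": "Main Alert", "monitor_id": "mon-b",
     "severity": "low", "alert_type": "Domain Discovery",
     "doc": {"service_account": {"profile": {"contact": {"email_domain": "sub.example.org"}}}}},
    {"id": "alert-3", "event_type": "Main Alert", "monitor_id": "mon-a",
     "severity": "medium", "alert_type": "Domain Discovery",
     "doc": {}},  # no service_account at all, so the environment field is missing
]

# Hypothetical Environment Field Name value, expressed as a dotted path into the event.
ENV_FIELD = "doc.service_account.profile.contact.email_domain"

# Ordering behind "Lowest Severity To Fetch" (Low < Medium < High).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

_MISSING = object()  # sentinel: distinguishes "field absent" from "field present but null"


def get_by_path(obj, path):
    """Resolve a dotted path inside nested dicts; return _MISSING if any step is absent."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def resolve_environment(event, field_name, pattern, default=""):
    """Apply the documented Environment Field Name / Environment Regex Pattern rules:
    field not found -> default environment; null value or empty pattern -> "";
    otherwise the first regex match (the default pattern .* returns the raw value)."""
    value = get_by_path(event, field_name) if field_name else _MISSING
    if value is _MISSING:
        return default
    if value is None or not pattern:
        return ""
    match = re.search(pattern, str(value))
    return match.group(0) if match else ""


def should_ingest(event, lowest_severity=None, monitor_ids=(), dynamic_list=(),
                  use_as_blocklist=False):
    """Decide whether one alert passes the connector's documented filters."""
    if lowest_severity:
        rank = SEVERITY_RANK.get(str(event.get("severity", "")).lower(), 0)
        if rank < SEVERITY_RANK[lowest_severity.lower()]:
            return False
    if monitor_ids and event.get("monitor_id") not in monitor_ids:
        return False
    if dynamic_list:
        listed = event.get("alert_type") in dynamic_list
        # Assumption: the dynamic list is an allowlist unless configured as a blocklist.
        if listed == use_as_blocklist:
            return False
    return True


def filter_events(events, max_alerts=25, **filters):
    """Return the events that pass the filters, capped at Max Alerts To Fetch."""
    selected = [e for e in events if should_ingest(e, **filters)]
    return selected[:max_alerts]


if __name__ == "__main__":
    kept = filter_events(SAMPLE_EVENTS, lowest_severity="Medium", monitor_ids=("mon-a",))
    for e in kept:
        env = resolve_environment(e, ENV_FIELD, r"[^.]+\.[^.]+$", default="Default Environment")
        print(e["id"], e["severity"], env)
```

Running the script keeps alert-1 and alert-3 (Medium or higher, monitor mon-a) and shows why the environment rules matter: alert-3 has no email_domain field, so it lands in the default environment rather than an empty string, whereas a field that is present but null yields "".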