Integrate Mandiant Threat Intelligence with Google SecOps
This document provides guidance on how to integrate Mandiant Threat Intelligence with Google Security Operations (Google SecOps).
Integration version: 11.0
Integration parameters
The Mandiant Threat Intelligence integration requires the following parameters:
Parameter | Description |
---|---|
UI Root | Required. The UI root of the Mandiant instance. The default value is |
API Root | Required. The API root of the Mandiant instance. The default value is To authenticate with Google Threat Intelligence credentials, enter the following value: |
Client ID | Optional. The client ID of the Mandiant Threat Intelligence account. To generate the client ID in Mandiant Threat Intelligence, go to Account settings > API access and keys > Get key ID and secret. |
Client Secret | Optional. The client secret of the Mandiant Threat Intelligence account. To generate the client secret in Mandiant Threat Intelligence, go to Account settings > API access and keys > Get key ID and secret. |
GTI API Key | Optional. The API key of Google Threat Intelligence. To authenticate using Google Threat Intelligence, set the When you authenticate using the Google Threat Intelligence API key, it takes priority over other authentication methods. |
Verify SSL | Required. If selected, the integration verifies that the SSL certificate for the connection to the Mandiant server is valid. Selected by default. |
For instructions about configuring an integration in Google SecOps, see Configure integrations .
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about configuring and supporting multiple instances, see Supporting multiple instances .
Actions
For more information about actions, see Respond to pending actions from your workdesk and Perform a manual action .
Enrich Entities
Use the Enrich Entities action to enrich entities using the information from Mandiant Threat Intelligence. For file hashes, this action only supports MD5, SHA-1, and SHA-256.
The Enrich Entities action runs on the following Google SecOps entities:
- Hostname
- IP Address
- URL
- File Hash
- Threat Actor
- Vulnerability
Action inputs
The Enrich Entities action requires the following parameters:
Parameter | Description |
---|---|
Severity Score Threshold | Required. The lowest severity score to mark the entity as suspicious. The action can mark as suspicious the following indicators: The default value is 50. The maximum value is 100. |
Create Insight | Optional. If selected, the action creates an insight that contains all retrieved information about the entity. Selected by default. |
Only Suspicious Entity Insight | Optional. If selected, the action creates insights only for suspicious entities. If you select this parameter, also select the |
Action outputs
The Enrich Entities action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Entity enrichment table | Available |
JSON result | Available |
Output messages | Available |
Script result | Available |
Entity enrichment
The following table lists the values for indicator enrichment when using the Enrich Entities action:
Enrichment field name | Source (JSON key) | Applicability |
---|---|---|
first_seen | first_seen | Applicable when it is available in JSON. |
last_seen | last_seen | Applicable when it is available in JSON. |
sources | A CSV of unique sources/source_name values. | Applicable when it is available in JSON. |
mscore | mscore | Applicable when it is available in JSON. |
attributed_associations_{attributed_associations/type} | A CSV of attributed_associations/name values for every attributed_associations/type value (one key for every type). | Applicable when it is available in JSON. |
report_link | Crafted. | Applicable when it is available in JSON. |
The following table lists the values for enrichment of the Threat Actor entity when using the Enrich Entities action:
Enrichment field name | Source (JSON key) | Applicability |
---|---|---|
motivations | CSV of motivations/name values. | Applicable when it is available in JSON. |
aliases | CSV of aliases/name values. | Applicable when it is available in JSON. |
industries | CSV of industries/name values. | Applicable when it is available in JSON. |
malware | CSV of malware/name values. | Applicable when it is available in JSON. |
locations_source | CSV of locations/source/country/name values. | Applicable when it is available in JSON. |
locations_target | CSV of locations/target/name values. | Applicable when it is available in JSON. |
cve | CSV of cve/cve_id values. | Applicable when it is available in JSON. |
description | description | Applicable when it is available in JSON. |
last_activity_time | last_activity_time | Applicable when it is available in JSON. |
report_link | Crafted. | Applicable when it is available in JSON. |
The following table lists the values for enrichment of the Vulnerability entity when using the Enrich Entities action:
Enrichment field name | Source (JSON key) | Applicability |
---|---|---|
sources | CSV of source_name values. | Applicable when it is available in JSON. |
exploitation_state | exploitation_state | Applicable when it is available in JSON. |
date_of_disclosure | date_of_disclosure | Applicable when it is available in JSON. |
vendor_fix_references | vendor_fix_references/url | Applicable when it is available in JSON. |
title | title | Applicable when it is available in JSON. |
exploitation_vectors | CSV of exploitation_vectors values. | Applicable when it is available in JSON. |
description | description | Applicable when it is available in JSON. |
risk_rating | risk_rating | Applicable when it is available in JSON. |
available_mitigation | CSV of available_mitigation values. | Applicable when it is available in JSON. |
exploitation_consequence | exploitation_consequence | Applicable when it is available in JSON. |
report_link | Crafted. | Applicable when it is available in JSON. |
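The following added example (not part of the integration's own code) shows how the indicator and Threat Actor enrichment fields listed above are derived from an Enrich Entities JSON result, and how the Severity Score Threshold turns mscore into a suspicious flag. The comparison rule (mscore at or above the threshold) and the trimmed sample results are assumptions built from the documented shapes; IDs are placeholders.

```python
from typing import Any


def csv_of(items: list[dict[str, Any]], *path: str) -> str:
    """Join the unique values found under path (e.g. "country", "name") as CSV."""
    values: list[str] = []
    for item in items:
        node: Any = item
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        if node is not None:
            values.append(str(node))
    return ",".join(dict.fromkeys(values))  # drop duplicates, keep order


def enrich_indicator(result: dict[str, Any], severity_threshold: int = 50) -> dict[str, Any]:
    """Indicator JSON result -> enrichment fields from the indicator table above."""
    r = result["EntityResult"]
    fields: dict[str, Any] = {k: r[k] for k in ("first_seen", "last_seen", "mscore") if k in r}
    if "sources" in r:
        fields["sources"] = csv_of(r["sources"], "source_name")
    # One attributed_associations_<type> key per association type in the result.
    by_type: dict[str, list[dict[str, Any]]] = {}
    for assoc in r.get("attributed_associations", []):
        by_type.setdefault(assoc["type"], []).append(assoc)
    for assoc_type, assocs in by_type.items():
        fields[f"attributed_associations_{assoc_type}"] = csv_of(assocs, "name")
    # Assumption: the entity is suspicious once mscore reaches the threshold.
    fields["is_suspicious"] = r.get("mscore", 0) >= severity_threshold
    return fields


def enrich_threat_actor(result: dict[str, Any]) -> dict[str, Any]:
    """Threat Actor JSON result -> enrichment fields from the Threat Actor table above."""
    r = result["EntityResult"]
    fields: dict[str, Any] = {k: r[k] for k in ("description", "last_activity_time") if k in r}
    for key in ("motivations", "aliases", "industries", "malware"):
        if key in r:
            fields[key] = csv_of(r[key], "name")
    locations = r.get("locations", {})
    if "source" in locations:
        fields["locations_source"] = csv_of(locations["source"], "country", "name")
    if "target" in locations:
        fields["locations_target"] = csv_of(locations["target"], "name")
    if "cve" in r:
        fields["cve"] = csv_of(r["cve"], "cve_id")
    return fields


# Constructed samples that follow the documented result shapes; IDs are placeholders.
INDICATOR_RESULT: dict[str, Any] = {
    "Entity": "192.0.2.1",
    "EntityResult": {
        "first_seen": "2022-03-22T21:46:43.000Z",
        "last_seen": "2022-05-22T00:58:48.000Z",
        "sources": [{"source_name": "Mandiant"}, {"source_name": "Mandiant"}],
        "mscore": 100,
        "attributed_associations": [
            {"id": "malware--ID", "name": "EMOTET", "type": "malware"},
            {"id": "threat-actor--ID", "name": "Example", "type": "threat-actor"},
        ],
    },
}
THREAT_ACTOR_RESULT: dict[str, Any] = {
    "Entity": "ENTITY_ID",
    "EntityResult": {
        "aliases": [{"name": "Comment Crew (Internet)"}],
        "industries": [{"name": "Aerospace & Defense"}, {"name": "Transportation"}],
        "locations": {
            "source": [{"country": {"name": "China", "iso2": "CN"}}],
            "target": [{"name": "Belgium", "iso2": "be"}],
        },
        "cve": [{"cve_id": "CVE-ID"}],
        "last_activity_time": "2015-10-20T00:00:00.000Z",
    },
}
```

Fields absent from the result are left out of the output, matching the "applicable when it is available in JSON" rule in the tables.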
JSON result
The following example shows the JSON result output for indicators received when using the Enrich Entities action:
```json
{
  "Entity": "192.0.2.1",
  "EntityResult": {
    "first_seen": "2022-03-22T21:46:43.000Z",
    "last_seen": "2022-05-22T00:58:48.000Z",
    "sources": [
      {
        "first_seen": "2022-03-22T21:46:46.000+0000",
        "last_seen": "2022-03-24T19:12:57.000+0000",
        "osint": false,
        "category": [],
        "source_name": "Mandiant"
      }
    ],
    "mscore": 100,
    "attributed_associations": [
      {
        "id": "malware--f1151a22-9d9c-589d-90ad-xxxxx",
        "name": "EMOTET",
        "type": "malware"
      }
    ],
    "misp": {
      "smtp-receiving-ips": false,
      "covid": false,
      "eicar.com": false,
      "majestic_million": false,
      "sinkholes": false,
      "alexa": false,
      "cisco_top1000": false,
      "microsoft": false,
      "microsoft-office365": false,
      "crl-hostname": false,
      "googlebot": false,
      "microsoft-azure-germany": false,
      "microsoft-attack-simulator": false,
      "microsoft-azure": false,
      "rfc5735": false,
      "tranco10k": false,
      "dax30": false,
      "public-dns-v4": false,
      "dynamic-dns": false,
      "public-dns-v6": false,
      "covid-19-cyber-threat-coalition-whitelist": false,
      "common-ioc-false-positive": false,
      "cisco_1M": false,
      "google-gmail-sending-ips": false,
      "microsoft-azure-china": false,
      "stackpath": false,
      "google": false,
      "cloudflare": false,
      "moz-top500": false,
      "tranco": false,
      "tlds": false,
      "university_domains": false,
      "smtp-sending-ips": false,
      "cisco_top20k": false,
      "empty-hashes": false,
      "nioc-filehash": false,
      "amazon-aws": false,
      "url-shortener": false,
      "microsoft-office365-ip": false,
      "microsoft-win10-connection-endpoints": false,
      "microsoft-azure-us-gov": false,
      "majestic_million_1M": false,
      "mozilla-CA": false,
      "whats-my-ip": false,
      "microsoft-office365-cn": false,
      "vpn-ipv6": false,
      "rfc3849": false,
      "rfc6761": false,
      "security-provider-blogpost": false,
      "cisco_top5k": false,
      "apple": false,
      "public-dns-hostname": false,
      "mozilla-IntermediateCA": false,
      "rfc1918": false,
      "ti-falsepositives": false,
      "akamai": false,
      "bank-website": false,
      "alexa_1M": false,
      "automated-malware-analysis": false,
      "rfc6598": false,
      "google-gcp": false,
      "ovh-cluster": false,
      "multicast": false,
      "phone_numbers": false,
      "fastly": false,
      "cisco_top10k": false,
      "second-level-tlds": false,
      "wikimedia": false,
      "disposable-email": false,
      "common-contact-emails": false,
      "vpn-ipv4": true,
      "ipv6-linklocal": false,
      "covid-19-krassi-whitelist": false,
      "crl-ip": false
    },
    "id": "ID",
    "type": "ipv4",
    "value": "192.0.2.1",
    "is_publishable": true,
    "last_updated": "2022-05-22T01:04:46.098Z",
    "report_link": "https://advantage.mandiant.com/indicator/ipv4/ID"
  }
}
```
The following example shows the JSON result output for the Threat Actor entity received when using the Enrich Entities action:
```json
{
  "Entity": "ENTITY_ID",
  "EntityResult": {
    "motivations": [
      {
        "id": "ID",
        "name": "Example",
        "attribution_scope": "confirmed"
      }
    ],
    "aliases": [
      {
        "name": "Comment Crew (Internet)",
        "attribution_scope": "confirmed"
      }
    ],
    "industries": [
      {
        "id": "ID",
        "name": "Aerospace & Defense",
        "attribution_scope": "confirmed"
      },
      {
        "id": "ID",
        "name": "Transportation",
        "attribution_scope": "confirmed"
      }
    ],
    "observed": [
      {
        "earliest": "2003-06-20T12:00:00.000Z",
        "recent": "2015-10-20T00:00:00.000Z",
        "attribution_scope": "confirmed"
      }
    ],
    "malware": [
      {
        "id": "malware--ID",
        "name": "EXAMPLE1",
        "attribution_scope": "confirmed"
      },
      {
        "id": "malware--ID",
        "name": "EXAMPLE2",
        "attribution_scope": "confirmed"
      }
    ],
    "tools": [
      {
        "id": "malware--ID",
        "name": "EXAMPLE3",
        "attribution_scope": "confirmed"
      }
    ],
    "suspected_attribution": [],
    "locations": {
      "source": [
        {
          "region": {
            "id": "location--ID",
            "name": "Asia",
            "attribution_scope": "confirmed"
          },
          "sub_region": {
            "id": "location--ID",
            "name": "East Asia",
            "attribution_scope": "confirmed"
          },
          "country": {
            "id": "location--ID",
            "name": "China",
            "iso2": "CN",
            "attribution_scope": "confirmed"
          }
        }
      ],
      "target": [
        {
          "id": "location--ID",
          "name": "Belgium",
          "iso2": "be",
          "region": "Europe",
          "sub-region": "West Europe",
          "attribution_scope": "confirmed"
        }
      ],
      "target_sub_region": [
        {
          "id": "location--ID",
          "name": "East Asia",
          "key": "eastasia",
          "region": "Asia",
          "attribution_scope": "confirmed"
        }
      ],
      "target_region": [
        {
          "id": "location--ID",
          "name": "Africa",
          "key": "africa",
          "attribution_scope": "confirmed"
        }
      ]
    },
    "cve": [
      {
        "id": "vulnerability--ID",
        "cve_id": "CVE-ID",
        "attribution_scope": "confirmed"
      }
    ],
    "associated_uncs": [],
    "id": "threat-actor--ID",
    "name": "Example",
    "description": "A description of the threat actor",
    "type": "threat-actor",
    "last_updated": "2022-05-29T05:30:48.000Z",
    "last_activity_time": "2015-10-20T00:00:00.000Z",
    "audience": [
      {
        "name": "intel_fusion",
        "license": "INTEL_RBI_FUS"
      }
    ],
    "is_publishable": true,
    "counts": {
      "reports": 171,
      "malware": 92,
      "cve": 1,
      "associated_uncs": 0,
      "aliases": 4,
      "industries": 16,
      "attack_patterns": 111
    },
    "intel_free": true,
    "report_link": "https://advantage.mandiant.com/indicator/ipv4/ID"
  }
}
```
The following example shows the JSON result output for the Vulnerability entity received when using the Enrich Entities action:
```json
{
  "Entity": "CVE-ID",
  "EntityResult": {
    "exploits": [],
    "vulnerable_products": "<p>The following vendors/products have been reported as vulnerable:</p>\n<ul>\n<li>Company A: Example Application Server 7.01, 7.02, 7.11, 7.30, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54, 7.55, 7.56, and 7.86</li>\n</ul>",
    "sources": [
      {
        "source_description": "Company A Security Patch Day – January 2022",
        "source_name": "Company A",
        "url": "URL",
        "date": "2022-01-11T17:00:00.000Z",
        "unique_id": "ID"
      }
    ],
    "exploitation_state": "No Known",
    "date_of_disclosure": "2022-01-11T07:00:00.000Z",
    "id": "vulnerability--ID",
    "vendor_fix_references": [
      {
        "url": "https://launchpad.support.company.com/#/notes/ID",
        "name": "Company A ID Security Update Information",
        "unique_id": "ID"
      }
    ],
    "title": "Company A Example Application Server 7.86 Unspecified Vulnerability",
    "exploitation_vectors": [
      "General Network Connectivity"
    ],
    "was_zero_day": false,
    "vulnerable_cpes": [
      {
        "technology_name": "example_as_abap 7.31",
        "vendor_name": "Company A",
        "cpe_title": "company a example_as_abap 7.31",
        "cpe": "cpe:2.3:a:company a:example_as_abap:7.31:*:*:*:*:*:*:*"
      }
    ],
    "executive_summary": "<p>An unspecified vulnerability exists within Company A Example Application Server 7.86 and earlier that, when exploited, allows an authenticated attacker to remotely access potentially sensitive information. Exploit code is not publicly available. Mitigation options include a vendor fix.</p>",
    "cwe": "Unknown",
    "description": null,
    "cve_id": "CVE-ID",
    "risk_rating": "LOW",
    "observed_in_the_wild": false,
    "common_vulnerability_scores": {
      "v2.0": {
        "access_complexity": "LOW",
        "temporal_score": 3,
        "confidentiality_impact": "PARTIAL",
        "report_confidence": "CONFIRMED",
        "base_score": 4,
        "access_vector": "NETWORK",
        "vector_string": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C",
        "integrity_impact": "NONE",
        "availability_impact": "NONE",
        "remediation_level": "OFFICIAL_FIX",
        "authentication": "SINGLE",
        "exploitability": "UNPROVEN"
      }
    },
    "available_mitigation": [
      "Patch"
    ],
    "exploitation_consequence": "Information Disclosure",
    "analysis": "<p>Mandiant Threat Intelligence considers this a Low-risk vulnerability because of the privileges required and the limited impact upon exploitation.</p>",
    "audience": [
      "intel_vuln"
    ],
    "publish_date": "2022-01-11T18:24:00.000Z",
    "workarounds": null,
    "type": "vulnerability",
    "is_publishable": true,
    "associated_actors": [],
    "associated_malware": [],
    "intel_free": false,
    "report_link": "https://advantage.mandiant.com/indicator/ipv4/ID"
  }
}
```
Output messages
The Enrich Entities action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Enrich Entities". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich Entities action:
Script result name | Value |
---|---|
is_success | True or False |
Enrich IOCs
Use the Enrich IOCs action to obtain information about IOCs from Mandiant Threat Intelligence.
This action doesn't run on Google SecOps entities.
Action inputs
The Enrich IOCs action requires the following parameters:
Parameter | Description |
---|---|
IOC Identifiers | Required. A comma-separated list of IOCs to enrich. |
Action outputs
The Enrich IOCs action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Enrich IOCs action:
```json
{
  "first_seen": "2011-09-12T12:23:13.000Z",
  "last_seen": "2011-09-12T12:23:13.000Z",
  "sources": [
    {
      "first_seen": "2011-09-12T12:23:13.000+0000",
      "last_seen": "2011-09-12T12:23:13.000+0000",
      "osint": false,
      "category": [],
      "source_name": "Mandiant"
    }
  ],
  "mscore": 47,
  "attributed_associations": [
    {
      "id": "threat-actor--ID",
      "name": "Example",
      "type": "threat-actor"
    }
  ],
  "misp": {
    "smtp-receiving-ips": false,
    "covid": false,
    "eicar.com": false,
    "majestic_million": false,
    "sinkholes": false,
    "alexa": false,
    "cisco_top1000": false,
    "crl-hostname": false,
    "microsoft-office365": false,
    "microsoft": false,
    "googlebot": false,
    "microsoft-azure-germany": false,
    "microsoft-attack-simulator": false,
    "microsoft-azure": false,
    "rfc5735": false,
    "tranco10k": false,
    "public-dns-v4": false,
    "dax30": false,
    "dynamic-dns": false,
    "public-dns-v6": false,
    "covid-19-cyber-threat-coalition-whitelist": false,
    "common-ioc-false-positive": false,
    "cisco_1M": false,
    "google-gmail-sending-ips": false,
    "microsoft-azure-china": false,
    "stackpath": false,
    "google": false,
    "cloudflare": false,
    "moz-top500": false,
    "tranco": false,
    "tlds": true,
    "university_domains": false,
    "smtp-sending-ips": false,
    "cisco_top20k": false,
    "empty-hashes": false,
    "nioc-filehash": false,
    "amazon-aws": false,
    "url-shortener": false,
    "microsoft-office365-ip": false,
    "microsoft-win10-connection-endpoints": false,
    "microsoft-azure-us-gov": false,
    "majestic_million_1M": false,
    "mozilla-CA": false,
    "whats-my-ip": false,
    "microsoft-office365-cn": false,
    "vpn-ipv6": false,
    "rfc3849": false,
    "rfc6761": false,
    "security-provider-blogpost": false,
    "cisco_top5k": false,
    "apple": false,
    "public-dns-hostname": false,
    "mozilla-IntermediateCA": false,
    "rfc1918": false,
    "ti-falsepositives": false,
    "akamai": false,
    "bank-website": false,
    "automated-malware-analysis": false,
    "rfc6598": false,
    "alexa_1M": false,
    "google-gcp": false,
    "ovh-cluster": false,
    "multicast": false,
    "phone_numbers": false,
    "fastly": false,
    "cisco_top10k": false,
    "second-level-tlds": true,
    "wikimedia": false,
    "disposable-email": false,
    "common-contact-emails": false,
    "vpn-ipv4": false,
    "ipv6-linklocal": false,
    "covid-19-krassi-whitelist": false,
    "crl-ip": false
  },
  "id": "fqdn--ID",
  "type": "fqdn",
  "value": "example.com",
  "is_publishable": true,
  "is_exclusive": true,
  "last_updated": "2022-02-21T13:20:27.176Z"
}
```
Output messages
The Enrich IOCs action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Enrich IOCs". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Enrich IOCs action:
Script result name | Value |
---|---|
is_success | True or False |
Get Malware Details
Use the Get Malware Details action to obtain information about malware from Mandiant Threat Intelligence.
This action doesn't run on Google SecOps entities.
Action inputs
The Get Malware Details action requires the following parameters:
Parameter | Description |
---|---|
Malware Names | Required. A comma-separated list of malware names to enrich. |
Create Insight | Optional. If selected, the action creates an insight that contains all retrieved information about the entity. |
Fetch Related IOCs | Optional. If selected, the action fetches indicators that are related to the provided malware. |
Max Related IOCs To Return | Optional. The number of indicators that the action processes for every malware. The default value is 100. |
Action outputs
The Get Malware Details action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Malware Details action:
```json
{
  "inherently_malicious": 1,
  "operating_systems": [
    "Windows"
  ],
  "aliases": [],
  "capabilities": [
    {
      "name": "Allocates memory",
      "description": "Capable of allocating memory. "
    }
  ],
  "detections": [],
  "yara": [],
  "roles": [
    "Cryptocurrency Miner"
  ],
  "malware": [],
  "actors": [],
  "cve": [],
  "id": "malware--ID",
  "name": "EXAMPLE",
  "description": "Example description",
  "type": "malware",
  "last_updated": "2022-04-13T02:59:30.000Z",
  "last_activity_time": "2022-04-13T02:59:30.000Z",
  "audience": [
    {
      "name": "intel_fusion",
      "license": "INTEL_RBI_FUS"
    }
  ],
  "is_publishable": true,
  "counts": {
    "reports": 0,
    "capabilities": 26,
    "malware": 0,
    "actors": 0,
    "detections": 0,
    "cve": 0,
    "aliases": 0,
    "industries": 5,
    "attack_patterns": 19
  },
  "intel_free": false
}
```
Output messages
The Get Malware Details action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Get Malware Details". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Malware Details action:
Script result name | Value |
---|---|
is_success | True or False |
Get Related Entities
Use the Get Related Entities action to obtain details about indicators of compromise (IOCs) that are related to entities, using information from Mandiant Threat Intelligence.
This action runs on the following Google SecOps entities:
- Hostname
- IP Address
- URL
- File Hash
- Threat Actor
Action inputs
The Get Related Entities action requires the following parameters:
Parameter | Description |
---|---|
Lowest Severity Score | Required. The lowest severity score to return related indicators. The default value is 50. The maximum value is 100. |
Max IOCs To Return | Optional. The number of indicators that the action processes for every entity. The default value is 100. |
Action outputs
The Get Related Entities action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Available |
Output messages | Available |
Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get Related Entities action:
```json
{
  "hash": "VALUE",
  "url": "VALUE",
  "fqdn": "VALUE",
  "ip": "VALUE",
  "email": "VALUE"
}
```
Output messages
The Get Related Entities action can return the following output messages:
Output message | Message description |
---|---|
 | The action succeeded. |
Error executing action "Get Related Entities". Reason: ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get Related Entities action:
Script result name | Value |
---|---|
is_success | True or False |
Ping
Use the Ping action to test the connectivity to Mandiant Threat Intelligence.
This action doesn't run on Google SecOps entities.
Action inputs
None.
Action outputs
The Ping action provides the following outputs:
Action output type | Availability |
---|---|
Case wall attachment | Not available |
Case wall link | Not available |
Case wall table | Not available |
Enrichment table | Not available |
JSON result | Not available |
Output messages | Available |
Script result | Available |
Output messages
The Ping action can return the following output messages:
Output message | Message description |
---|---|
Successfully connected to the Mandiant server with the provided connection parameters! | The action succeeded. |
Failed to connect to the Mandiant server! Error is ERROR_REASON | The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Ping action:
Script result name | Value |
---|---|
is_success | True or False |