Mandiant Threat Intelligence¶
Configure the Mandiant Threat Intelligence integration to set how frequently the integration runs, how much history to initially download, how much history to use in an Intel file, and how much history to maintain in the SQLite DB. This integration uses the Mandiant Threat Intelligence API v4. To use the v2 API, see FireEye iSIGHT Threat Intelligence.
do_notice¶
The `do_notice` flag can be set per indicator type and is additionally gated by an overall minimum confidence score. For example, setting `min_confidence_score_doNotice: 95` sets `do_notice` to `T` only for indicators whose Mandiant confidence score is 95 or higher. The flag is not stored in the local database; it is evaluated only when the intel file is created.
Tip
By default, only MD5 hash support is enabled on a Corelight Sensor. It is recommended that you use only one hash type. If you plan on using another hash type, update the configuration and enable the appropriate package on the sensor.
If `interval_hours` is set to 0, the integration attempts to download additional content each time the Corelight-update service runs. See Global Configuration and Policy Settings.
The default settings are:

```yaml
# Enable Mandiant Threat Intelligence
mandiant_threat_intel:
  enabled: true
  interval_hours: 0
  url: https://api.intelligence.mandiant.com
  key_id:
  key_secret:
  download_history: 89 # must be less than 90 days
  max_history: 365 # how much history to keep in the local database
  use_history: 25 # how much history to use in the intel file
  debug: false
  min_confidence_score_use: 80 # minimum confidence score to use in the intel file
  min_confidence_score_download: 60 # minimum confidence score to download into the local database
  min_confidence_score_doNotice: 100 # minimum confidence score to set the do_notice flag
  exclude_os_indicators: false # exclude open source indicators from the download into the local db
  request_limit: 1000
  indicator_type_url: true
  do_notice_url: true # do_notice flags will only be enabled if 'min_confidence_score_doNotice' is met
  indicator_type_fqdn: true
  do_notice_fqdn: true
  indicator_type_ipv4: true
  do_notice_ipv4: true
  indicator_type_md5: true # it's recommended to only enable 1 hash indicator type (MD5, SHA1 or SHA256)
  do_notice_md5: true
  indicator_type_sha1: false # it's recommended to only enable 1 hash indicator type (MD5, SHA1 or SHA256)
  do_notice_sha1: true
  indicator_type_sha256: false # it's recommended to only enable 1 hash indicator type (MD5, SHA1 or SHA256)
  do_notice_sha256: true
```
Settings¶
`download_history` defines how many days of indicators to download initially. Once the initial download is complete, the integration runs at the next interval and pulls only the changes since the last successful download. If a download fails, or the `download_history` setting is changed, the next download pulls all indicators within the `download_history` window again.

`max_history` defines how many days of indicators to keep in the local database.

`use_history` defines how many days of indicators to include in the intel file.

`min_confidence_score_use` defines the minimum confidence score an indicator must have to be included in the intel file.

`min_confidence_score_download` defines the minimum confidence score an indicator must have to be downloaded from Mandiant. Mandiant frequently revises the confidence scores of its indicators, so configure this setting well below `min_confidence_score_use`. If an indicator's score is downgraded below this setting, the updated indicator is not pulled from Mandiant, and the record in the local database keeps the last downloaded score until `max_history` is met and it is aged out; a downgraded indicator can therefore remain in the intel file with its older, higher score.

`exclude_os_indicators` controls whether open source indicators are downloaded. When set to `true`, open source indicators are not downloaded into the local database. This setting applies only to the download of new indicators: an indicator that has already been downloaded remains in the intel file until it no longer meets the `use_history` setting, and remains in the local database until `max_history` is met and it is aged out.
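To make the interaction of these thresholds concrete, the following added example models one integration run: a pull is filtered by the download-time settings, the local database is aged out by `max_history`, and an intel file is written from the database using `use_history`, `min_confidence_score_use`, the per-type enable flags and `min_confidence_score_doNotice`. It is illustrative code, not Corelight-update's own implementation; the sample indicators and the `Indicator` record layout are constructed, the thresholds are adjusted from the defaults so that every path is exercised, and the intel file is reduced to four Zeek Intel framework columns.

```python
"""Model of how the Mandiant integration's settings combine on one run.
Example code written for this page, not Corelight-update itself."""
from dataclasses import dataclass
from datetime import date, timedelta

# Zeek Intel framework type for each indicator type the configuration exposes.
ZEEK_TYPES = {
    "url": "Intel::URL", "fqdn": "Intel::DOMAIN", "ipv4": "Intel::ADDR",
    "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH", "sha256": "Intel::FILE_HASH",
}


@dataclass
class Indicator:
    """Constructed record layout; the real local database schema is not shown on this page."""
    itype: str         # key of ZEEK_TYPES
    value: str
    confidence: int    # Mandiant confidence score, 0-100
    last_seen: date
    open_source: bool  # indicator originates from open sources


# Settings from the block above, with doNotice lowered to 95 and open source
# indicators excluded so that both filters are visible in the result.
CONFIG = {
    "max_history": 365, "use_history": 25,
    "min_confidence_score_use": 80, "min_confidence_score_download": 60,
    "min_confidence_score_doNotice": 95, "exclude_os_indicators": True,
    "indicator_type_url": True, "do_notice_url": True,
    "indicator_type_fqdn": True, "do_notice_fqdn": True,
    "indicator_type_ipv4": True, "do_notice_ipv4": True,
    "indicator_type_md5": True, "do_notice_md5": True,
    "indicator_type_sha1": False, "do_notice_sha1": True,
    "indicator_type_sha256": False, "do_notice_sha256": True,
}
TODAY = date(2023, 1, 6)

# Constructed feed: what one pull from the API might return.
SAMPLE_FEED = [
    Indicator("ipv4", "77.247.181.165", 99, date(2023, 1, 3), False),              # in file, do_notice T
    Indicator("fqdn", "bad.example.net", 85, date(2022, 12, 20), False),           # in file, do_notice F
    Indicator("url", "http://example.org/payload", 70, date(2023, 1, 1), False),   # stored, below use score
    Indicator("md5", "d41d8cd98f00b204e9800998ecf8427e", 98, date(2022, 11, 30), False),  # stored, older than use_history
    Indicator("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              99, date(2023, 1, 4), False),                                        # stored, type disabled
    Indicator("ipv4", "198.51.100.7", 90, date(2023, 1, 2), True),                 # open source, not downloaded
    Indicator("ipv4", "203.0.113.9", 55, date(2023, 1, 5), False),                 # below download score
]
# A row left in the local database by a pull made long ago (constructed).
STALE_RECORD = Indicator("fqdn", "old.example.com", 99, date(2021, 12, 1), False)


def accept_download(ind: Indicator, cfg: dict) -> bool:
    """Download-time filter: applied when fetching, never re-applied to stored rows."""
    if ind.confidence < cfg["min_confidence_score_download"]:
        return False
    return not (cfg["exclude_os_indicators"] and ind.open_source)


def age_out(db: list, cfg: dict, today: date) -> list:
    """Drop rows whose last_seen is older than max_history days."""
    cutoff = today - timedelta(days=cfg["max_history"])
    return [i for i in db if i.last_seen >= cutoff]


def build_intel_file(db: list, cfg: dict, today: date) -> list:
    """Write Zeek intel lines from the local database.
    do_notice is decided here from the stored score and is never persisted."""
    cutoff = today - timedelta(days=cfg["use_history"])
    lines = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.do_notice"]
    for ind in db:
        if not cfg[f"indicator_type_{ind.itype}"]:
            continue  # e.g. sha1/sha256 rows while only MD5 is enabled
        if ind.last_seen < cutoff or ind.confidence < cfg["min_confidence_score_use"]:
            continue
        notice = (cfg[f"do_notice_{ind.itype}"]
                  and ind.confidence >= cfg["min_confidence_score_doNotice"])
        lines.append("\t".join([ind.value, ZEEK_TYPES[ind.itype], "Mandiant",
                                "T" if notice else "F"]))
    return lines


def run_pipeline(feed: list, existing_db: list, cfg: dict, today: date):
    """One run: merge the accepted pull into the database, age out, write the file."""
    db = age_out(existing_db + [i for i in feed if accept_download(i, cfg)], cfg, today)
    return db, build_intel_file(db, cfg, today)


if __name__ == "__main__":
    db, intel = run_pipeline(SAMPLE_FEED, [STALE_RECORD], CONFIG, TODAY)
    print(f"{len(db)} rows in local DB, {len(intel) - 1} indicators in intel file")
    print("\n".join(intel))
```

Five of the seven feed entries reach the database, the stale row is aged out, and only two indicators reach the intel file: the IPv4 address with `do_notice` set to `T` and the domain, whose score of 85 clears `min_confidence_score_use` but not the doNotice threshold, with `F`. The MD5 hash is stored but not used because it is older than `use_history`, which is the retention behaviour described for `exclude_os_indicators` and `min_confidence_score_download` above.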
Intel Log¶
This integration enriches the intel.log with content like the following:

```json
{
  "@path": "intel",
  "@sensor": "Lab-AP200",
  "@timestamp": "2023-01-06T05:13:38.841292Z",
  "ts": "2023-01-06T05:13:38.841292Z",
  "uid": "CNh51N3dSRfMZG1Pt4",
  "id.orig_h": "195.133.40.86",
  "id.orig_p": 64910,
  "id.resp_h": "192.168.13.20",
  "id.resp_p": 80,
  "seen.indicator": "77.247.181.165",
  "seen.indicator_type": "Intel::ADDR",
  "seen.where": "Conn::IN_ORIG",
  "matched": [
    "Intel::ADDR"
  ],
  "sources": [
    "blocklist_de",
    "cinsscore_ci_badguys",
    "blocklist_net_ua",
    "Mandiant",
    "dshield_block"
  ]
}
```
If the ExtendIntel Zeek package is loaded, the intel.log is enriched with additional content like the following (not every indicator will carry every field):

```json
{
  "confidence": [99],
  "desc": [
    "Mandiant Threat Intellegence"
  ],
  "lastseen": [
    "2023-01-03T16:10:54Z"
  ],
  "firstseen": [
    "2021-03-20T10:10:01Z"
  ],
  "url": [
    "https://advantage.mandiant.com/"
  ],
  "reports": [
    "ID:23-00000242, Type:News Analysis"
  ],
  "campaigns": [],
  "associated": [
    "ID:threat-actor--b7e371c2-724e-5ffa-9e3c-9b1410513c27, Name:FIN13; ID:threat-actor--8211bc17-9216-5e83-b54d-d1b04add12f3, Name:APT28; ID:threat-actor--7a39953e-0dae-569a-9d49-d52a4a8865b1, Name:APT29; ID:threat-actor--2f0ab36a-02a6-59f7-ac23-bcd824cc7c8e, Name:FIN4"
  ],
  "category": [
    "exploit",
    "exploit/vuln-scanning, exploit"
  ]
}
```
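The enriched fields are what make a Mandiant hit actionable at triage time: `sources` tells you whether Mandiant was among the matching feeds, `confidence` carries the score that was current when the intel file was built, and `associated` names the threat actors. The following added example, written for this page and not part of Corelight-update or the ExtendIntel package, reads intel.log as newline-delimited JSON, keeps only Mandiant hits at or above a confidence threshold, and parses the `ID:..., Name:...; ...` strings in `associated` into actor names. The three log lines are constructed to match the field names shown above; only the first `uid` comes from the page.

```python
"""Triage Mandiant hits in intel.log using the ExtendIntel fields.
Example code written for this page; not Corelight-update or ExtendIntel code."""
import json
import re

# Constructed intel.log records, one JSON object per line, trimmed to the fields used.
SAMPLE_INTEL_LOG = """\
{"ts":"2023-01-06T05:13:38.841292Z","uid":"CNh51N3dSRfMZG1Pt4","id.orig_h":"195.133.40.86","id.resp_h":"192.168.13.20","seen.indicator":"77.247.181.165","seen.indicator_type":"Intel::ADDR","sources":["blocklist_de","Mandiant","dshield_block"],"confidence":[99],"associated":["ID:threat-actor--b7e371c2-724e-5ffa-9e3c-9b1410513c27, Name:FIN13; ID:threat-actor--8211bc17-9216-5e83-b54d-d1b04add12f3, Name:APT28"]}
{"ts":"2023-01-06T05:14:02.100000Z","uid":"CZx9Qk2hT0aM7Lr1Wf","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.50","seen.indicator":"203.0.113.50","seen.indicator_type":"Intel::ADDR","sources":["dshield_block"]}
{"ts":"2023-01-06T05:15:17.500000Z","uid":"CqT3Vb8nP1sD4Kj2Ly","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.7","seen.indicator":"evil.example.net","seen.indicator_type":"Intel::DOMAIN","sources":["Mandiant"],"confidence":[70],"associated":[]}
"""

# ExtendIntel joins associated actors as "ID:<id>, Name:<name>; ID:<id>, Name:<name>".
ACTOR_RE = re.compile(r"Name:([^;]+)")


def actor_names(associated) -> list:
    """Extract the Name: values from each associated string."""
    names = []
    for entry in associated or []:
        names.extend(n.strip() for n in ACTOR_RE.findall(entry))
    return names


def triage(log_text: str, min_confidence: int = 80) -> list:
    """Return Mandiant hits scoring at least min_confidence, with actor names.

    Hits that lack a 'confidence' field (ExtendIntel not loaded) cannot be
    thresholded, so they are kept with confidence None rather than dropped.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if "Mandiant" not in rec.get("sources", []):
            continue
        scores = rec.get("confidence")
        score = max(scores) if scores else None
        if score is not None and score < min_confidence:
            continue
        hits.append({
            "uid": rec["uid"],
            "indicator": rec["seen.indicator"],
            "type": rec["seen.indicator_type"],
            "confidence": score,
            "actors": actor_names(rec.get("associated")),
            # Other feeds that agreed with Mandiant on this indicator.
            "other_sources": sorted(s for s in rec["sources"] if s != "Mandiant"),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_INTEL_LOG):
        print(f"{hit['uid']} {hit['type']} {hit['indicator']} "
              f"confidence={hit['confidence']} actors={hit['actors']}")
```

With the default threshold of 80 only the first record survives: the second never matched Mandiant, and the third did but at a score of 70. Lowering `min_confidence` to 60 admits the third as well, which mirrors the effect of `min_confidence_score_use` on the producing side.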