Mandiant Threat Intelligence

Configure the Mandiant Threat Intelligence integration to set how frequently the integration runs, how much history to initially download, how much history to use in an Intel file, and how much history to maintain in the SQLite DB. This integration uses the Mandiant Threat Intelligence API v4. To use the v2 API, see FireEye iSIGHT threat intelligence.

do_notice

The do_notice flag can be enabled per indicator type, and is additionally gated by an overall minimum confidence score. For example, with min_confidence_score_doNotice: 95, do_notice is set to T only if the Mandiant confidence score is 95% or higher. The flag is not stored in the database; it is set only when the intel file is created.

Tip

By default, only MD5 hash support is enabled on a Corelight Sensor. It is recommended that you use only one hash type. If you plan on using another hash type, update the configuration and enable the appropriate package on the sensor.

If interval_hours is set to 0, the integration will attempt to download additional content each time the Corelight-update service runs. See Global configuration and policy settings.

The default settings are:

# Enable Mandiant Threat Intelligence
mandiant_threat_intel:
  enabled: true
  interval_hours: 0
  url: https://api.intelligence.mandiant.com
  key_id:
  key_secret:
  download_history: 89  # must be less than 90 days
  max_history: 365      # how much history to keep in the local database
  use_history: 25       # how much history to use in the intel file
  debug: false
  min_confidence_score_use: 80         # minimum confidence score to use in the intel file
  min_confidence_score_download: 60    # minimum confidence score to download into the local database
  min_confidence_score_doNotice: 100   # minimum confidence score to set the do_notice flag
  exclude_os_indicators: false         # exclude open source indicators from the download into the local db
  request_limit: 1000
  indicator_type_url: true
  do_notice_url: true        # do_notice flags will only be enabled if 'min_confidence_score_doNotice' is met
  indicator_type_fqdn: true
  do_notice_fqdn: true
  indicator_type_ipv4: true
  do_notice_ipv4: true
  indicator_type_md5: true      # it's recommended to only enable 1 hash indicator type (MD5, SHA1 or SHA256)
  do_notice_md5: true
  indicator_type_sha1: false    # it's recommended to only enable 1 hash indicator type (MD5, SHA1 or SHA256)
  do_notice_sha1: true
  indicator_type_sha256: false  # it's recommended to only enable 1 hash indicator type (MD5, SHA1 or SHA256)
  do_notice_sha256: true

Settings

  • download_history defines how many days of indicators to initially download. Once the initial download is complete, the integration will run at the next interval and only pull changes back to the last successful download. If a download fails, or the download_history setting is changed, the next download will pull all indicators as defined by the download_history.

  • max_history defines how many days of indicators to store in the local database.

  • use_history defines how many days of indicators to use in the intel file.

  • min_confidence_score_use defines the minimum confidence score an indicator must have to be included in the intel file.

  • min_confidence_score_download defines the minimum confidence score an indicator must have to be downloaded from Mandiant. Note that Mandiant frequently updates its confidence scores for indicators, so configure this setting well below min_confidence_score_use. If an indicator’s confidence score is downgraded below this setting, the updated indicator will not be pulled from Mandiant, and the indicator record in the local database will retain the last downloaded confidence score until max_history is reached and it is aged out.

  • exclude_os_indicators controls whether open source indicators are excluded from the download (the default, false, downloads them). This setting only applies to downloading new indicators. Once an indicator is downloaded, it will remain in the local database and in use until it no longer meets the use_history setting. It will remain in the local database until max_history is reached and it is aged out.
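The following is an added example, not code from corelight-update, showing how the type-enable flags, use_history, min_confidence_score_use and the do_notice rules above interact when an intel file is built from the local database. The CONFIG dictionary takes its values from the defaults above; the indicator records, the fixed "now" timestamp and the indicator-type-to-Zeek-type mapping are constructed assumptions for illustration.

```python
"""Added example (not the corelight-update implementation): applying the
configured thresholds when rendering the local database as a Zeek intel file."""
from datetime import datetime, timedelta, timezone

# Assumed subset of the integration's configuration, using the default values above.
CONFIG = {
    "use_history": 25,
    "min_confidence_score_use": 80,
    "min_confidence_score_doNotice": 100,
    "indicator_type_url": True,    "do_notice_url": True,
    "indicator_type_fqdn": True,   "do_notice_fqdn": True,
    "indicator_type_ipv4": True,   "do_notice_ipv4": True,
    "indicator_type_md5": True,    "do_notice_md5": True,
    "indicator_type_sha1": False,  "do_notice_sha1": True,
    "indicator_type_sha256": False, "do_notice_sha256": True,
}

# Assumed mapping from the integration's type names to Zeek Intel framework types.
ZEEK_TYPES = {
    "url": "Intel::URL",
    "fqdn": "Intel::DOMAIN",
    "ipv4": "Intel::ADDR",
    "md5": "Intel::FILE_HASH",
    "sha1": "Intel::FILE_HASH",
    "sha256": "Intel::FILE_HASH",
}

# Fixed "now" so the age filter is deterministic.
NOW = datetime(2023, 1, 6, tzinfo=timezone.utc)

# Constructed sample of what the local database might hold after a download.
INDICATORS = [
    {"value": "77.247.181.165", "type": "ipv4", "confidence": 99,  "last_seen": NOW - timedelta(days=3)},
    {"value": "evil.example",   "type": "fqdn", "confidence": 100, "last_seen": NOW - timedelta(days=1)},
    {"value": "old.example",    "type": "fqdn", "confidence": 100, "last_seen": NOW - timedelta(days=40)},  # older than use_history
    {"value": "http://x.example/p", "type": "url", "confidence": 75, "last_seen": NOW - timedelta(days=2)},  # below min_confidence_score_use
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5", "confidence": 100, "last_seen": NOW},
    {"value": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "type": "sha1", "confidence": 100, "last_seen": NOW},  # sha1 type disabled
]


def do_notice(ind, cfg=CONFIG):
    """do_notice is T only when the per-type flag is on AND the score meets
    min_confidence_score_doNotice; it is computed at file-build time, not stored."""
    per_type = cfg.get(f"do_notice_{ind['type']}", False)
    return bool(per_type and ind["confidence"] >= cfg["min_confidence_score_doNotice"])


def select_for_intel_file(indicators, cfg=CONFIG, now=NOW):
    """Keep indicators whose type is enabled, whose score meets
    min_confidence_score_use, and which were seen within use_history days."""
    cutoff = now - timedelta(days=cfg["use_history"])
    return [
        ind for ind in indicators
        if cfg.get(f"indicator_type_{ind['type']}", False)
        and ind["confidence"] >= cfg["min_confidence_score_use"]
        and ind["last_seen"] >= cutoff
    ]


def build_intel_file(indicators, cfg=CONFIG, now=NOW):
    """Render the selected indicators as Zeek Intel framework TSV lines."""
    header = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice"
    lines = [header]
    for ind in select_for_intel_file(indicators, cfg, now):
        lines.append("\t".join([
            ind["value"],
            ZEEK_TYPES[ind["type"]],
            "Mandiant",
            "Mandiant Threat Intelligence",
            "https://advantage.mandiant.com/",
            "T" if do_notice(ind, cfg) else "F",
        ]))
    return lines


if __name__ == "__main__":
    print("\n".join(build_intel_file(INDICATORS)))
```

With the defaults, the IPv4 indicator with a score of 99 lands in the file with do_notice F because min_confidence_score_doNotice is 100, while the SHA1 indicator is dropped entirely because indicator_type_sha1 is false, regardless of its do_notice_sha1 flag.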

Intel log

This integration will enrich the intel.log with content like the following:

{
  "@path":"intel",
  "@sensor":"Lab-AP200",
  "@timestamp":"2023-01-06T05:13:38.841292Z",
  "ts":"2023-01-06T05:13:38.841292Z",
  "uid":"CNh51N3dSRfMZG1Pt4",
  "id.orig_h":"195.133.40.86",
  "id.orig_p":64910,
  "id.resp_h":"192.168.13.20",
  "id.resp_p":80,
  "seen.indicator":"77.247.181.165",
  "seen.indicator_type":"Intel::ADDR",
  "seen.where":"Conn::IN_ORIG",
  "matched": [
    "Intel::ADDR"
  ],
  "sources": [
    "blocklist_de",
    "cinsscore_ci_badguys",
    "blocklist_net_ua",
    "Mandiant",
    "dshield_block"
  ]
}

If the ExtendIntel Zeek package is loaded, the intel.log will be enriched with additional content like the following (not all indicators will have all fields):

{
  "confidence": [99],
  "desc": [
    "Mandiant Threat Intelligence"
  ],
  "lastseen": [
    "2023-01-03T16:10:54Z"
  ],
  "firstseen": [
    "2021-03-20T10:10:01Z"
  ],
  "url": [
    "https://advantage.mandiant.com/"
  ],
  "reports": [
    "ID:23-00000242, Type:News Analysis"
  ],
  "campaigns": [],
  "associated": [
    "ID:threat-actor--b7e371c2-724e-5ffa-9e3c-9b1410513c27, Name:FIN13; ID:threat-actor--8211bc17-9216-5e83-b54d-d1b04add12f3, Name:APT28; ID:threat-actor--7a39953e-0dae-569a-9d49-d52a4a8865b1, Name:APT29; ID:threat-actor--2f0ab36a-02a6-59f7-ac23-bcd824cc7c8e, Name:FIN4"
  ],
  "category": [
    "exploit",
    "exploit/vuln-scanning, exploit"
  ]
}
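The following is an added example, not part of corelight-update or the ExtendIntel package, showing how an analyst might triage the enriched intel.log records above: keep only hits that carry Mandiant as a source, require a minimum confidence, and pull the threat-actor names out of the "associated" strings. The JSON lines in SAMPLE_LOG are constructed to match the documented record shape; the threshold and the uid values of the second and third records are assumptions.

```python
"""Added example (not corelight-update or ExtendIntel code): triaging enriched
intel.log records by source, confidence and associated threat actors."""
import json

# Constructed JSON-lines sample resembling the enriched intel.log above.
# The "confidence" and "associated" fields are absent on records that lack enrichment.
SAMPLE_LOG = '''
{"ts":"2023-01-06T05:13:38.841292Z","uid":"CNh51N3dSRfMZG1Pt4","id.orig_h":"195.133.40.86","id.orig_p":64910,"id.resp_h":"192.168.13.20","id.resp_p":80,"seen.indicator":"77.247.181.165","seen.indicator_type":"Intel::ADDR","seen.where":"Conn::IN_ORIG","matched":["Intel::ADDR"],"sources":["blocklist_de","Mandiant"],"confidence":[99],"associated":["ID:threat-actor--b7e371c2-724e-5ffa-9e3c-9b1410513c27, Name:FIN13; ID:threat-actor--8211bc17-9216-5e83-b54d-d1b04add12f3, Name:APT28"],"category":["exploit"]}
{"ts":"2023-01-06T05:14:02.000000Z","uid":"CexampleUid2","id.orig_h":"192.168.13.55","id.orig_p":51000,"id.resp_h":"10.0.0.9","id.resp_p":443,"seen.indicator":"benign.example","seen.indicator_type":"Intel::DOMAIN","seen.where":"DNS::IN_REQUEST","matched":["Intel::DOMAIN"],"sources":["dshield_block"]}
{"ts":"2023-01-06T05:15:10.000000Z","uid":"CexampleUid3","id.orig_h":"192.168.13.60","id.orig_p":52000,"id.resp_h":"203.0.113.7","id.resp_p":80,"seen.indicator":"http://203.0.113.7/x","seen.indicator_type":"Intel::URL","seen.where":"HTTP::IN_URL","matched":["Intel::URL"],"sources":["Mandiant"],"confidence":[70],"associated":[],"category":["exploit/vuln-scanning, exploit"]}
'''


def parse_associated(entries):
    """Extract actor names from 'ID:..., Name:...; ID:..., Name:...' strings."""
    names = []
    for entry in entries:
        for part in entry.split(";"):
            for field in part.split(","):
                field = field.strip()
                if field.startswith("Name:"):
                    names.append(field[len("Name:"):].strip())
    return names


def triage(log_text, min_confidence=80, source="Mandiant"):
    """Return hits attributed to `source` whose confidence meets `min_confidence`.

    `confidence` is a list in the log (one entry per matching meta record); the
    first entry is used here. Records without enrichment are treated as score 0.
    """
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if source not in rec.get("sources", []):
            continue
        confidence = rec.get("confidence") or [0]
        if confidence[0] < min_confidence:
            continue
        hits.append({
            "uid": rec["uid"],
            "ts": rec["ts"],
            "indicator": rec["seen.indicator"],
            "where": rec["seen.where"],
            "confidence": confidence[0],
            "actors": parse_associated(rec.get("associated", [])),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['uid']} {hit['indicator']} ({hit['where']}) "
              f"confidence={hit['confidence']} actors={hit['actors']}")
```

Lowering min_confidence in the call to triage brings in the score-70 URL hit as well, which mirrors the interaction between min_confidence_score_use and the Mandiant score updates described under Settings: what reaches the log depends on the score the indicator had when the intel file was built.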