Hi @Khushboo14,
could you elaborate more on what you want to achieve exactly? (Use Case)
Mandiant is integrated as a threat intel source inside the entity context graph depending on your license.
There are several option you can "integrate" TI, for example within rules. Imagine a rule correlating target IP with the global context.
$event.target.ip = $maliciousIp
$ioc.graph.metadata.entity_type = "IP_ADDRESS"
$ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"
$ioc.graph.metadata.threat.verdict_info.malicious_count >=1
$ioc.graph.entity.ip = $maliciousIp
$ioc.graph.metadata.threat.verdict_info.malicious_count > 0 //must be falged as malicious
$ioc.graph.metadata.source_labels["misp_cisco_top20k"] = "false"
$ioc.graph.metadata.threat.risk_score > 60
$ioc.graph.metadata.source_labels["is_scanner"] = "false"
This rule excerpt matches the globel context asset data and you can view the matched entites when a detection is found (also an excerpt):
metadata.product_entity_id = "ipv4--1a4815d5-af8e-573f-bc04-c3203d7d5e36"
metadata.collected_timestamp.seconds = 1725325145
metadata.collected_timestamp.nanos = 479000000
metadata.vendor_name = "OPEN_SOURCE_INTEL_IOC"
metadata.product_name = "OPEN_SOURCE_INTEL_IOC"
metadata.threat.verdict_info.source_provider = "Mandiant Automated Intel"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
metadata.threat.verdict_info.ioc_stats.ioc_stats_type = "MANDIANT_SOURCES"
Hope this helps. If not, please elaborate on your use case.
LinkedIn
Twitter
