Mandiant integration with chronicle

Hi

Can someone give me the integration steps for Mandiant with Chronicle SIEM?

Solved

ErikaB
Community Manager

Hi @rahul7514 

Mandiant integration with Chronicle SIEM is done through the SOAR component.

To integrate Mandiant with Chronicle SOAR:

  1. Go to Response > Playbooks in the SOAR interface.
  2. Select the CDIR PLAYBOOK.
  3. Optionally, enable Mandiant enrichment by setting the Mandiant_Enrichment variable to true.
  4. In the Cases page, attach the playbook to a test alert to ensure proper configuration.
  5. You can use a simulation mode to test the playbook run.
  6. Review the playbook results and the overview in the Cases and Alerts tabs.
  7. Update the playbook if necessary until you get the expected flow.

For detailed instructions on configuring integrations in Google Security Operations SOAR, see Configure integrations.

I hope this helps. 

@ErikaB so we won't get it in just SIEM?

I want to use the threat feeds to filter the traffic logs and trigger an alert when a suspicious IP is found.

We have not created playbooks so far. 

I think the question of integration of Mandiant Threat intel and SecOps is somewhat dependent upon the package level that the organization has. Depending on that may drive different things that could potentially be done.

@jstoner @ErikaB 

So if they upgrade their subscription, will the feed feature automatically start, or do we need to integrate anything?

Can Mandiant be received as standalone?

ErikaB
Community Manager

@rahul7514 

Mandiant Intelligence can be purchased as a standalone.  There is also Google Security Operations which offers a unified experience across SIEM, SOAR, and threat intelligence.  

@ErikaB thanks for the information. When using Mandiant threat intel in SOAR, when we want to enrich an IP it makes an API call to the Mandiant feed, right? So is there a count of how many calls can be made?

Also is this push or pull mechanism? 

This would be pull. I'd need to research the call amount.