help with Query

Hi

Upon checking the IOC tab I can see Mandiant Open Source Intelligence feeds. How can I call these feeds when trying to build a YARA-L rule?
I want to create an alert where traffic towards these IOCs that is allowed needs to trigger an alert and send it to SOAR.

The error is this (screenshot attached):

Also, I can see this info in the entity summary from VirusTotal (screenshot attached). Does that mean I can use this info in building YARA-L? I am not sure if we have the Enterprise edition of VT or not.


@AymanC the second link is giving a 404 error.

Thanks for the above info, but in a normal SIEM search can you tell me how I can see these feed logs, both VirusTotal and Mandiant? If they are available in the free version, can I still see their feeds?

hi @rahul7514,

Apologies, the last character 'e' is missing from the second reference.

LogType  |  Google Security Operations  |  Google Cloud

In terms of whether this offering is part of your package, I would suggest speaking to your account team.

Kind Regards,

Ayman

@AymanC Sorry, I think I did not make my question clear. I can see threat feeds from "Mandiant Open Source Intelligence"; I want to know if I can use them in my alerts.
If yes, what should I search for?

@jstoner: Could you help me with my request?

@rahul7514 try out these feeds individually:

metadata.product_name = "OPEN_SOURCE_INTEL_IOC"
metadata.product_name = "GCTI Feed"
metadata.product_name = "MANDIANT_FUSION_IOC"
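As an added example (not code from any poster in this thread), here is how one of the feeds listed above can be joined against network events in a YARA-L 2.0 rule, which is what the original question was asking for: an allowed connection to an IP that also exists as an IOC entity in the Mandiant Fusion feed. The product_name value is the one from the reply above; the entity_type, source_type and threat_feed_name fields, the ALLOW filter, and the outcome variable names are assumptions based on the general entity-graph join pattern, and should be checked against the entities visible in your own tenant's IOC tab.

```yaral
rule mandiant_ioc_allowed_outbound_connection {
  meta:
    author = "added example, not from the original thread"
    description = "Allowed network connection to an IP present in the Mandiant Fusion IOC entity feed"
    severity = "HIGH"

  events:
    // UDM event side: an allowed network connection, keyed on the destination IP.
    // The ALLOW filter is an assumption matching the "traffic that is allowed" requirement.
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.security_result.action = "ALLOW"
    $e.target.ip = $ip

    // Entity-context side: the same IP must exist as an IOC entity in the
    // Mandiant feed. product_name comes from the reply above; the other
    // metadata values are assumed and should be verified in your tenant.
    $ioc.graph.metadata.entity_type = "IP_ADDRESS"
    $ioc.graph.metadata.source_type = "GLOBAL_CONTEXT"
    $ioc.graph.metadata.product_name = "MANDIANT_FUSION_IOC"
    $ioc.graph.entity.ip = $ip

  match:
    // One detection per matched IP per hour, so a noisy host does not flood SOAR.
    $ip over 1h

  outcome:
    $risk_score = 85
    $threat_feed = array_distinct($ioc.graph.metadata.threat.threat_feed_name)
    $source_hosts = array_distinct($e.principal.hostname)
    $event_count = count_distinct($e.metadata.id)

  condition:
    // Both the event and the matching IOC entity must be present for a detection.
    $e and $ioc
}
```

To test the other two feeds from the reply, swap the product_name value for "OPEN_SOURCE_INTEL_IOC" or "GCTI Feed" and run the rule in test mode over a recent window; if no entities match, confirm first with a UDM search on metadata.product_name that the feed is actually populated in your tenant. Forwarding the resulting detection to SOAR is configured in the alerting integration, not in the rule itself.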