Below you'll find a table of contents for the Security Content journey.
To better support the Security Validation user community and to enhance the platform's capabilities, users can create new Actions, Sequences, and Evaluations. You can create File Transfer and Email Actions from the File Library, but other Action types must be created from the Action Library. Sequences and Evaluations are often created by selecting Actions from the Action Library and adding them to the Action Queue. However, you can also clone existing security content and create Sequences & Evaluations from a file.
Actions are the building blocks of Mandiant Security Validation. They are the individual tests that are run against your security controls to ensure they are working as expected. In this section, we will walk through the process of creating an example TCP Port Scan action, which simulates typical reconnaissance activities such as full port scans and service fingerprinting.
See the Relevant Links section for more documentation regarding the prerequisites.
Review how actions work within MSV to gain an understanding of their capabilities. | Docs
In the MSV Director Console, navigate to Library > Actions.
Click Add Action and select TCP Port Scan.
Fill out the required fields as described in the linked documentation.
Save Port Scan.
Sequences are a collection of Actions that are run in a specific order. In this section, we will walk through the process of creating an example Sequence that will run a TCP Port Scan (created in the last step). If you have other Actions that you would like to include in the Sequence, you can add them as well.
See the Relevant Links section for more documentation regarding the prerequisites.
Review how sequences work within MSV to gain an understanding of their capabilities. | Docs
In the MSV Director Console, navigate to Library > Actions.
Select two or more Actions to add to the Queue. Follow the instructions in the linked documentation for more selection criteria.
Click Queue and select New Sequence from All.
Fill out the required fields as described in the linked documentation.
Similar to Sequences, Evaluations are a collection of Actions that are run in a specific order. The main difference between Sequences and Evaluations is how MSV responds when a particular action is blocked. In a Sequence, if MSV encounters a block from a security technology, or the action fails to complete, the Sequence stops at that point in the attack kill chain. In an Evaluation, if an action is prevented by a security technology, the block is noted as a result, and the remaining actions continue to run.
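The stop-on-block versus continue-on-block behaviour described above, modelled as an added example (not MSV code and not an MSV API). The `Action` class, the outcome strings, and the sample action list are constructed for illustration, and the handling of a non-block failure inside an Evaluation is an assumption, since the text above does not cover it.

```python
# Illustrative model only: this is not MSV code and calls no MSV API.
from dataclasses import dataclass

@dataclass
class Action:
    name: str
    outcome: str  # constructed values: "completed", "blocked" or "failed"

def run(actions, mode):
    """Return [(action name, status)] for mode 'sequence' or 'evaluation'."""
    if mode not in ("sequence", "evaluation"):
        raise ValueError(f"unknown mode: {mode}")
    results, stopped = [], False
    for action in actions:
        if stopped:
            # Never executed, so the control behind it was never exercised.
            results.append((action.name, "not_run"))
            continue
        results.append((action.name, action.outcome))
        # Sequence: a block, or a failure to complete, ends the run.
        # Evaluation: a block is noted and the run continues. Assumption:
        # a non-block failure in an Evaluation is also recorded and skipped past.
        if mode == "sequence" and action.outcome in ("blocked", "failed"):
            stopped = True
    return results

def untested(results):
    """Actions that produced no evidence about the controls they target."""
    return [name for name, status in results if status == "not_run"]

def blocks_observed(results):
    """Number of preventions actually recorded in this run."""
    return sum(1 for _, status in results if status == "blocked")

# Constructed sample: four queued actions and the outcome each would have.
SAMPLE = [
    Action("TCP Port Scan", "completed"),
    Action("Email Action", "blocked"),
    Action("File Transfer Action", "completed"),
    Action("Second TCP Port Scan", "blocked"),
]

if __name__ == "__main__":
    for mode in ("sequence", "evaluation"):
        res = run(SAMPLE, mode)
        print(mode, res, "untested:", untested(res), "blocks:", blocks_observed(res))
```

In this model the Sequence records one block and leaves two actions untested, while the Evaluation records both blocks, so a Sequence that stops early says nothing about the controls behind its later actions.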
In this section, we will walk through the process of creating an example Evaluation that will run a TCP Port Scan (created in the first step). If you have other Actions that you would like to include in the Evaluation, you can add them as well.
See the Relevant Links section for more documentation regarding the prerequisites.
In the MSV Director Console, navigate to Library > Actions.
Select two or more Actions to add to the Queue. Follow the instructions in the linked documentation for more selection criteria.
Click Queue and select New Evaluation from All.
Fill out the required fields as described in the linked documentation.
A Job is the result of running an Action. You can manually run Actions, Sequences, and Evaluations, or you can schedule them to run at a specific time. In this section, we will walk through the process of creating an example Job that will run an Evaluation (created in the last step).
See the Relevant Links section for more documentation regarding the prerequisites.
Review how jobs work within MSV to gain an understanding of their capabilities. | Docs
In the MSV Director Console, navigate to Library > Actions. You can use filters to find the actions you want to run.
Select the Action you want to run, then click Run.
Select a Source Actor, then select or accept the Destination Actor.
Click Run Now or Schedule to run the Job.
Next Step: Mandiant Security Validation: Step 5 - Testing
Previous Step: Mandiant Security Validation: Step 3 - Integrations