Mandiant Plugin for Threat Exchange

Mandiant Plugin for Threat Exchange

This document explains how to configure the Mandiant Plugin with Threat Exchange module of the Netskope Cloud Exchange platform. This integration fetches IoCs of the type of URL (URL, FQDN, IPv4, and IPv6), and MD5 from the Google Mandiant platform. This plugin does not support sharing of indicators. You need a Google Mandiant Key ID and Key secret to configure the plugin.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Secure Web Gateway subscription for URL sharing.
  • A Threat Prevention subscription for malicious file hash sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A Mandiant instance with admin access, and a subscription to Mandiant Advantage Threat Intelligence feeds: Security Operations feed and/or Fusion feed.
  • Connectivity to the following host: https://api.intelligence.mandiant.com/.
Mandiant Plugin Support
Fetched Indicator TypesShared Indicator Types
URL, MD5, FQDN, IPV4, IPV6Not supported
Mappings
Severity Mapping (Netskope field – Mandiant fields)
Netskope CE Fields Mandiant field
UNKNOWN 0 or not available
LOW 10 <= mscore <= 39
MEDIUM 40 <= mscore <= 69
HIGH 70 <= mscore <= 89
CRITICAL 90 <= mscore <= 100
Mappings for Pull (Netskope field – Mandiant fields)
Netskope CE Fields Mandiant Field
value value
type type
firstSeen first_seen
lastSeen last_seen
severity mscore
tags Category, attributed_associations.name
Permissions
  • Any “Free Subscription” account.
API Details
List of APIs Used
API Endpoint Method Use case
https://api.intelligence.mandiant.com/token POST To generate API Token
https://api.intelligence.mandiant.com/v4/indicator GET To get an indicators list
Generate Token

Example:

API Endpoint: https://api.intelligence.mandiant.com/token

Method: POST

Parameters: grant_type: client_credentials

Headers:

Content-Type: application/x-www-form-urlencoded

Authorization: Basis <base64 encoded client id and client secret separated by colon>

API Request Endpoint: https://api.intelligence.mandiant.com/token?grant_type=client_credentials

Sample API Response:

{

“access_token”: “86347c299bd7885736652a2506d26cf65361f795b69d4583xxxxxxxxxxxxxxxx”,

“token_type”: “Bearer”,

“expires_in”: 43199

}

Pull Indicators

Example:

API Endpoint: https://api.intelligence.mandiant.com/v4/indicator

Method: GET

Parameters:

start_epoch:1698050685

limit:1000

sort_by:last_updated:asc

end_epoch:1698054285

gte_mscore:50

exclude_osint:False

API Request Endpoint:

https://api.intelligence.mandiant.com/v4/indicator

Sample API Response:

{
“indicators”: [
{
“id”: “md5–98bf8a96-3e53-55ba-8d73-ec5295035298”,
“mscore”: 50,
“type”: “md5”,
“value”: “7462407e3723d097835aaf4832813f39”,
“is_publishable”: true,
“sources”: [
{
“first_seen”: “2023-10-22T20:04:42.689+0000”,
“last_seen”: “2023-10-22T20:04:42.689+0000”,
“osint”: true,
“category”: [],
“source_name”: “dtm.blackbeard”
}
],
“misp”: {
“akamai”: false,
“alexa”: false,
“amazon-aws”: false,
“apple”: false,
“automated-malware-analysis”: false,
“bank-website”: false,
“captive-portals”: false,
“censys-scanning”: false,
“cisco_1M”: false,
“cisco_top1000”: false,
“cisco_top10k”: false,
“cisco_top20k”: false,
“cisco_top5k”: false,
“cloudflare”: false,
“common-contact-emails”: false,
“common-ioc-false-positive”: false,
“covid”: false,
“covid-19-cyber-threat-coalition-whitelist”: false,
“covid-19-krassi-whitelist”: false,
“crl-hostname”: false,
“crl-ip”: false,
“dax30”: false,
“digitalside”: false,
“disposable-email”: false,
“dynamic-dns”: false,
“eicar.com”: false,
“empty-hashes”: false,
“fastly”: false,
“findip-host”: false,
“google”: false,
“google-chrome-crux-1million”: false,
“google-gcp”: false,
“google-gmail-sending-ips”: false,
“googlebot”: false,
“ipv6-linklocal”: false,
“majestic_million”: false,
“majestic_million_1M”: false,
“microsoft”: false,
“microsoft-attack-simulator”: false,
“microsoft-azure”: false,
“microsoft-azure-appid”: false,
“microsoft-azure-china”: false,
“microsoft-azure-germany”: false,
“microsoft-azure-us-gov”: false,
“microsoft-office365”: false,
“microsoft-office365-cn”: false,
“microsoft-office365-ip”: false,
“microsoft-win10-connection-endpoints”: false,
“moz-top500”: false,
“mozilla-CA”: false,
“mozilla-IntermediateCA”: false,
“multicast”: false,
“nioc-filehash”: false,
“openai-gptbot”: false,
“ovh-cluster”: false,
“parking-domain”: false,
“parking-domain-ns”: false,
“phone_numbers”: false,
“public-dns-hostname”: false,
“public-dns-v4”: false,
“public-dns-v6”: false,
“public-ipfs-gateways”: false,
“rfc1918”: false,
“rfc3849”: false,
“rfc5735”: false,
“rfc6598”: false,
“rfc6761”: false,
“second-level-tlds”: false,
“security-provider-blogpost”: false,
“sinkholes”: false,
“smtp-receiving-ips”: false,
“smtp-sending-ips”: false,
“stackpath”: false,
“tenable-cloud-ipv4”: false,
“tenable-cloud-ipv6”: false,
“ti-falsepositives”: false,
“tlds”: false,
“tranco”: false,
“tranco10k”: false,
“umbrella-blockpage-hostname”: false,
“umbrella-blockpage-v4”: false,
“umbrella-blockpage-v6”: false,
“university_domains”: false,
“url-shortener”: false,
“vpn-ipv4”: false,
“vpn-ipv6”: false,
“whats-my-ip”: false,
“wikimedia”: false,
“zscaler”: false
},
“last_updated”: “2023-10-23T08:45:19.739Z”,
“first_seen”: “2023-10-22T20:04:42.000Z”,
“last_seen”: “2023-10-22T20:04:44.000Z”
},
],
“next”: “FGluY2x1ZGVfY29udGV4dF91dWlkDnF1ZXJ5VGhlbkZldGNoKhZSLVdHTlNkN1MyZTA0NTRWTTk5bkxRAAAAADMcHecWcnR4bm9DOUtUTk96SVQ4bHdkLXB3QRZfM3JkdWVZcVRodTRxc3F6WkhYSmxnAAAAADPp8u0WaVNUa2J0TmRRVnUtcXJuVEhqX0pBQRY4alo4RU1sMVNucUltWEdGM2NKcnF3AAAAAD0Hx2cWTDZHTzJBM2lTM09kcnd5U2cwR1Y1QRZKQWJ1NGc5UlRCV3hCSW0zTG82aDNBAAAAADKcN64WVFVzRHBNZl9TaEs5UDZyVXVZYnM2ZxZhTlNRMWswMFNkT0l5VXhDM18wVnBRAAAAAFKUD6AWTEdjMWlMTjZUV2E3aXh1Vll4MVB0dxZZX1plVFpwOFJPbXhJVW54SzVHRzBBAAAAADnHZbkWNzBzRXhnZXFTZi1qR2lGYUpnSGpEQRZlYXQxYXZZTVFGMnlISUVpRklWa29BAAAAAEW_LlMWT1NQR1NjcGtST1c5b05TRjlnWUtGQRZxMEtYNHNpTlNjR3FxRy1YX1dELUdnAAAAADCdndUWa19EQlNvNkVRZDZOeGlpc0JhX0hRdxZVRmdzeEtaUVRORzllMmV6UXRka2NRAAAAADC6SvEWTWFVRmJaaFJSOENaQUVMYjVzRGJsdxZVRmdzeEtaUVRORzllMmV6UXRka2NRAAAAADC6SvAWTWFVRmJaaFJSOENaQUVMYjVzRGJsdxZJNDNlSUg3OVR6U19iWWFRRTQtWE9nAAAAAEv49akWMGxpaG5wQXVUN20tQ1pPY0czOVRUdxZqSlhzQ0w4SlJjeVRrbWM5clNuZFZRAAAAADCiS7sWU29ZTTBRN3hUd2VRNkFfT09WeDk1dxZNeUR3M1F3SVE3R1VFNzFQdXA5b3VnAAAAADK8xRcWaWRiWC15V29SZENDS1FpUHVVMWM4dxY4RFN4T3p1OFIxLWdlc2VwaGdPR2ZBAAAAAEAyJV0WeHV0Z09DY0RSX0doWXZSek1ZQnJjdxZfdXdQYlJmZVNFbTRsanhITnFCMEtBAAAAADnayq8WT0lPU25zc3BSWm1BQlJtVTMxd1BSQRZUdS04b3NnZ1NNcUxSSTNiTHBhdVZ3AAAAAEMF6YcWZVcwMmliVWtSY09LYVp3VG96eHhkQRZNeUR3M1F3SVE3R1VFNzFQdXA5b3VnAAAAADK8xRYWaWAADMzb-===”
}

Performance Matrix

Below is the performance reading conducted for fetching 100K IOCs in each plugin lifecycle on a Large CE instance with the below specifications.

Stack details Size: Large

RAM: 32 GB

CPU: 16 Cores

Indicators fetched from Google Mandiant ~10K per minute
Indicators shared to Google Mandiant Not Supported
User Agent

The user-agent added in this plugin is in the following format netskope-ce-<ce_version>-<module>-<plugin_name>-v<plugin_version>

  • netskope-ce-4.2.0-cte-google-mandiant-v2.0.0

Workflow

  1. Create a custom File Profile.
  2. Create a Malware Detection Profile.
  3. Create a Real-time Protection Policy.
  4. Get Mandiant credentials.
  5. Configure a Mandiant Plugin.
  6. Configure sharing between Netskope and Mandiant.
  7. Validate the Mandiant Plugin.

Click play to watch a video.

 

Create a Secure Web Gateway Custom File Profile for Mandiant

  1. In the Netskope UI, go to Policies , select File , and click New File Profile.
    image3.jpeg
  2. Click File Hash in the left panel, select SHA256 from the File Hash dropdown list.
    image4.jpeg
  3. Enter a temporary value in the text field. Netskope does not support progressing without having a value in this field, and recommends entering a string of 64 characters that consists of the character f. For example, ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. This will have a very low possibility of matching a valid file format.
    image5.jpeg
  4. Click Next.
  5. Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores for spaces.
    image6.jpeg
  6. Click Save.
  7. To publish this profile into the tenant, click Apply Changes in the top right.

Create a Malware Detection Profile for Mandiant

  1. In the Netskope UI, go to Policies, select Threat Protection , and click New Malware Detection Profile.
  2. Click Next.

    Note

    For this configuration example, we will be using the intelligence for this list as a block list. Netskope does support inclusion of both allow and block lists in the threat profiles.

  3. Click Next again.
  4. Select the File Profile you created in the previous section and click Next.
  5. Enter a Malware Detection Profile name and click Save Malware Detection Profile.
  6. To publish this profile in the tenant, click Apply Changes in the top right.

Create a Real-time Threat Protection Policy for Mandiant

  1. In the Netskope UI, go to Policies > Real-time Protection.

    Note

    The policy configured here is just an example. Modify as appropriate for your organization.

  2. Click New Policy and select Threat Protection.
  3. For Source, leave the default (User = All Users)
  4. For Destination: select Category
  5. The Category section expands and allows you to search and select categories. Click Select All.

    When finished, click outside of the Category section.

  6. When the Activities & Constraints section opens, click Edit.
  7. Select Upload and Download, and then click Save.
  8. For Profile & Action, click in the text field.
  9. Select the Malware Detection profile you created in the previous section.
  10. For the Severity Levels, change all of the Actions settings from Action: Alert to Action: Block.
  11. Select a template to choose which block message is sent to the user.
  12. For Set Policy, enter a descriptive Policy Name.
  13. Click Save in the top right to save the policy.
  14. Choose the To the top option when it appear. (Or appropriate location in your security policy)
  15. To publish this policy into the tenant, select Apply Changes in the top right.

Get your Mandiant Key ID and Key Secret

  1. Go to https://login.mandiant.com/ and log in.
  2. Click on the Mandiant Advantage Threat Intelligence option under Applications.

  3. Click on Settings.
  4. Go to API Access and Keys Section.

  5. Click on the “Get Key ID and Secret” Button to retrieve your key ID and Secret.

  6. Copy the Access ID and Secret Key, as these will not be accessible after closing the window. These are required to configure the Mandiant plugin.
image1.png

Configure the Mandiant Plugin

  1. In Cloud Exchange, go to Settings and click Plugins.
  2. Search for and select the Mandiant plugin box to open the plugin creation pages.
  3. Enter and select the Basic Information on the first page:
    • Configuration Name: Unique name for the configuration.
    • Sync Interval: Adjust the Sync Interval to appropriate value : Suggested is 5+ minutes.
    • Aging Criteria: Leave Default.
    • Override Reputation: Leave Default.
    • Enable SSL verification: Enable if SSL verification is required for communication.
    • Use System Proxy: Enable if proxy is required for communication.
  4. Click Next.
  5. Enter the Configuration Parameters on the second page:
    • Key ID: Enter the APIv4 Key ID generated from the ‘Setting > API Access and Keys Section’ of your Mandiant platform.
    • Key Secret: Enter the APIv4 Key Secret generated from the ‘Setting > API Access and Keys Section’ of your Mandiant platform.
    • Minimum Indicator Confidential Score (IC-Score): Provide the IC-Score from 0 to 100. Only the indicators with IC-Score greater than or equal to the specified score will be fetched.
    • Exclude Open Source Indicators: Exclude open source indicators from Mandiant.
    • Enable Tagging: Enable/Disable tagging functionality.
    • Initial Range: Number of days to pull the data for the initial run.
  6. Click Save.

Configure a Business Rule for Mandiant

To share indicators from Google Mandiant to Netskope you need to have a business rule that will filter out the indicators that you need to share. To configure a business rule, follow the below steps:

  1. Go to Threat Exchange > Business Rule > Create New Rule.

  2. Add your required filter for the IoCs you want to share and click Save.

Configure Sharing for Mandiant

To share IoCs from the Google Mandiant plugin to Netskope, follow the below steps:

  1. Go to Threat Exchange > Sharing and click Add Sharing Configuration.
  2. Select your Source Configuration (Google Mandiant), Business Rule, Destination Configuration (Netskope), and Target, and select the existing IoC List Name, or create a new IoC list on the platform.

  3. Click Save.

Validate the Mandiant Plugin

Validate the Pull

      1. You can verify the pulling of IOCs from the plugin by going to Loggings and checking the pulled logs from the CTE Google Mandiant plugin.

      2. You can check the pulled data stored in CE under Threat Exchange > Threat IOCs. Search the IOCs pulled from the plugin. You can also filter the IOCs based on the tags, as shown below.

      3. Log in to Mandiant.
      4. Click Threat Intelligence > Threat Intelligence. Check the Alerts are present while clicking on any Incident -> Alerts & Insights.

Validate the Push

The Google Mandiant plugin does not support the pushing of IoCs. You can push the IoCs pulled from the Google Mandiant to Netskope or any Third-party plugin supported in Threat Exchange.

Follow the below steps to verify the pushed IoCs to Netskope.

  1. To validate the pushed indicator on Netskope CE, go to Threat IoCs and search for IoCs that are shared with Netskope.

  2. You can also verify the pushed IoCs from Logging in Netskope CE.
  3. Filter the logs available from the Netskope plugin.

To validate the IoCs shared on Netskope follow the below steps:

  1. Log in to the Netskope tenant. Go to Policies > Web > URL Lists. Click on your URL List that you selected while configuring the sharing and check the shared IOCs.
    Note that we have shared all types of URLs (URL, FQDN, IP Address) pulled from Google Mandiant to Netskope URL List.

  2. Log in to Netskope tenant. Go to Policies > File > File Profile. Click on your File List which you selected while configuring the sharing and check the shared IoCs.

    Note that we have shared both types of MD5 pulled from Google Mandiant to Netskope File List.

  3. For more information, go to Logging in the left nav panel.

Troubleshooting

Receiving error for exit code 401, Unauthorization

While configuring the plugin if you receive any kind of error in Key ID and Key Secret please check Key ID and Key Secret from the Mandiant platform.

  • Go to https://login.mandiant.com/ and log in.
  • Click on the Mandiant Advantage Threat Intelligence option under Applications.
  • Click Settings.
  • Go to the API Access and Keys Section.
  • Click Get Key ID and Secret to retrieve your key ID and Secret.
  • Verify both are correct.

When not able to fetch IOCs from Google Mandiant

If you are not able to fetch IoCs from Mandiant to Netskope Cloud Threat Exchange

  1. Log in to Mandiant.
  2. Click on Threat Intelligence-> Threat Intelligence
  3. Check the Alerts are present while clicking on any Incident -> Alerts & Insights
  4. Make sure alerts are present and if present they should be in your initial range.

    ,/p>

Share this Doc

Mandiant Plugin for Threat Exchange

Or copy link

In this topic ...