Mandiant Plugin for Threat Exchange
This document explains how to configure the Mandiant Plugin with the Threat Exchange module of the Netskope Cloud Exchange platform. The integration fetches IoCs of the URL type (URL, FQDN, IPv4, and IPv6) and MD5 file hashes from the Google Mandiant platform. The plugin does not support sharing indicators back to Mandiant. You need a Google Mandiant Key ID and Key Secret to configure the plugin.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Secure Web Gateway subscription for URL sharing.
- A Threat Prevention subscription for malicious file hash sharing.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- A Mandiant instance with admin access, and a subscription to Mandiant Advantage Threat Intelligence feeds: Security Operations feed and/or Fusion feed.
- Connectivity to the following host: https://api.intelligence.mandiant.com/
Mandiant Plugin Support
| Fetched Indicator Types | Shared Indicator Types |
|---|---|
| URL, MD5, FQDN, IPv4, IPv6 | Not supported |
Mappings
Severity Mapping (Netskope field – Mandiant field)
| Netskope CE Severity | Mandiant mscore |
|---|---|
| UNKNOWN | 0 or not available |
| LOW | 10 <= mscore <= 39 |
| MEDIUM | 40 <= mscore <= 69 |
| HIGH | 70 <= mscore <= 89 |
| CRITICAL | 90 <= mscore <= 100 |
Mappings for Pull (Netskope field – Mandiant field)
| Netskope CE Field | Mandiant Field |
|---|---|
| value | value |
| type | type |
| firstSeen | first_seen |
| lastSeen | last_seen |
| severity | mscore |
| tags | category, attributed_associations.name |
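The two mapping tables above, worked through as an added example (constructed here, not the plugin's own code): one Mandiant indicator object is converted into the Netskope CE record, with the mscore buckets and the tag sources applied. Assumptions: scores below 10 are treated as UNKNOWN (the table does not cover them), `attributed_associations` is a list of objects with a `name` key, and FQDN/IPv4/IPv6 collapse to the URL type as the introduction states.

```python
# Constructed example: map one Mandiant /v4/indicator object onto the CE fields above.
# Page intro: FQDN, IPv4 and IPv6 land in CE as the URL type; MD5 stays a file hash.
CE_TYPE = {"url": "url", "fqdn": "url", "ipv4": "url", "ipv6": "url", "md5": "md5"}


def severity_from_mscore(mscore):
    """Severity table: 0 / not available -> UNKNOWN, then 10-39, 40-69, 70-89, 90-100."""
    if not mscore or mscore < 10:  # None, 0, or below the LOW band (assumption: UNKNOWN)
        return "UNKNOWN"
    if mscore <= 39:
        return "LOW"
    if mscore <= 69:
        return "MEDIUM"
    if mscore <= 89:
        return "HIGH"
    return "CRITICAL"


def normalize_indicator(ind):
    """Return the CE record for a supported indicator, or None for a type the plugin skips."""
    ce_type = CE_TYPE.get(str(ind.get("type", "")).lower())
    if ce_type is None:
        return None
    tags = set()
    for src in ind.get("sources", []):  # "category" lives inside each source entry
        tags.update(src.get("category", []))
    for assoc in ind.get("attributed_associations", []):  # assumed list of {"name": ...}
        if assoc.get("name"):
            tags.add(assoc["name"])
    return {
        "value": ind["value"],
        "type": ce_type,
        "firstSeen": ind.get("first_seen"),
        "lastSeen": ind.get("last_seen"),
        "severity": severity_from_mscore(ind.get("mscore")),
        "tags": sorted(tags),
    }


# Constructed input mirroring the sample response on this page, with a category and
# an attributed association added so the tag logic has something to pick up.
SAMPLE_INDICATOR = {
    "mscore": 50,
    "type": "md5",
    "value": "7462407e3723d097835aaf4832813f39",
    "sources": [{"first_seen": "2023-10-22T20:04:42.689+0000", "osint": True,
                 "category": ["Malware"], "source_name": "dtm.blackbeard"}],
    "attributed_associations": [{"name": "EXAMPLE-ACTOR"}],
    "first_seen": "2023-10-22T20:04:42.000Z",
    "last_seen": "2023-10-22T20:04:44.000Z",
}
```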
Permissions
- Any “Free Subscription” account.
API Details
List of APIs Used
| API Endpoint | Method | Use case |
|---|---|---|
| https://api.intelligence.mandiant.com/token | POST | Generate an API token |
| https://api.intelligence.mandiant.com/v4/indicator | GET | Get a list of indicators |
Generate Token
Example:
API Endpoint: https://api.intelligence.mandiant.com/token
Method: POST
Parameters: grant_type=client_credentials
Headers:
Content-Type: application/x-www-form-urlencoded
Authorization: Basic <base64-encoded "client id:client secret">
API Request Endpoint: https://api.intelligence.mandiant.com/token?grant_type=client_credentials
Sample API Response:
```json
{
  "access_token": "86347c299bd7885736652a2506d26cf65361f795b69d4583xxxxxxxxxxxxxxxx",
  "token_type": "Bearer",
  "expires_in": 43199
}
```
Pull Indicators
Example:
API Endpoint: https://api.intelligence.mandiant.com/v4/indicator
Method: GET
Parameters:
start_epoch:1698050685
limit:1000
sort_by:last_updated:asc
end_epoch:1698054285
gte_mscore:50
exclude_osint:False
API Request Endpoint:
https://api.intelligence.mandiant.com/v4/indicator
Sample API Response:
```json
{
  "indicators": [
    {
      "id": "md5--98bf8a96-3e53-55ba-8d73-ec5295035298",
      "mscore": 50,
      "type": "md5",
      "value": "7462407e3723d097835aaf4832813f39",
      "is_publishable": true,
      "sources": [
        {
          "first_seen": "2023-10-22T20:04:42.689+0000",
          "last_seen": "2023-10-22T20:04:42.689+0000",
          "osint": true,
          "category": [],
          "source_name": "dtm.blackbeard"
        }
      ],
      "misp": {
        "akamai": false,
        "alexa": false,
        "amazon-aws": false,
        "apple": false,
        "automated-malware-analysis": false,
        "bank-website": false,
        "captive-portals": false,
        "censys-scanning": false,
        "cisco_1M": false,
        "cisco_top1000": false,
        "cisco_top10k": false,
        "cisco_top20k": false,
        "cisco_top5k": false,
        "cloudflare": false,
        "common-contact-emails": false,
        "common-ioc-false-positive": false,
        "covid": false,
        "covid-19-cyber-threat-coalition-whitelist": false,
        "covid-19-krassi-whitelist": false,
        "crl-hostname": false,
        "crl-ip": false,
        "dax30": false,
        "digitalside": false,
        "disposable-email": false,
        "dynamic-dns": false,
        "eicar.com": false,
        "empty-hashes": false,
        "fastly": false,
        "findip-host": false,
        "google": false,
        "google-chrome-crux-1million": false,
        "google-gcp": false,
        "google-gmail-sending-ips": false,
        "googlebot": false,
        "ipv6-linklocal": false,
        "majestic_million": false,
        "majestic_million_1M": false,
        "microsoft": false,
        "microsoft-attack-simulator": false,
        "microsoft-azure": false,
        "microsoft-azure-appid": false,
        "microsoft-azure-china": false,
        "microsoft-azure-germany": false,
        "microsoft-azure-us-gov": false,
        "microsoft-office365": false,
        "microsoft-office365-cn": false,
        "microsoft-office365-ip": false,
        "microsoft-win10-connection-endpoints": false,
        "moz-top500": false,
        "mozilla-CA": false,
        "mozilla-IntermediateCA": false,
        "multicast": false,
        "nioc-filehash": false,
        "openai-gptbot": false,
        "ovh-cluster": false,
        "parking-domain": false,
        "parking-domain-ns": false,
        "phone_numbers": false,
        "public-dns-hostname": false,
        "public-dns-v4": false,
        "public-dns-v6": false,
        "public-ipfs-gateways": false,
        "rfc1918": false,
        "rfc3849": false,
        "rfc5735": false,
        "rfc6598": false,
        "rfc6761": false,
        "second-level-tlds": false,
        "security-provider-blogpost": false,
        "sinkholes": false,
        "smtp-receiving-ips": false,
        "smtp-sending-ips": false,
        "stackpath": false,
        "tenable-cloud-ipv4": false,
        "tenable-cloud-ipv6": false,
        "ti-falsepositives": false,
        "tlds": false,
        "tranco": false,
        "tranco10k": false,
        "umbrella-blockpage-hostname": false,
        "umbrella-blockpage-v4": false,
        "umbrella-blockpage-v6": false,
        "university_domains": false,
        "url-shortener": false,
        "vpn-ipv4": false,
        "vpn-ipv6": false,
        "whats-my-ip": false,
        "wikimedia": false,
        "zscaler": false
      },
      "last_updated": "2023-10-23T08:45:19.739Z",
      "first_seen": "2023-10-22T20:04:42.000Z",
      "last_seen": "2023-10-22T20:04:44.000Z"
    }
  ],
  "next": "<opaque pagination cursor, omitted here>"
}
```
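The two calls above (token generation with Basic credentials, then the paged indicator pull) as an added example that is not the plugin's own code. It builds the Authorization value and the query parameters from the page, and walks the `next` cursor against an offline stub; the one assumption beyond the page is that the `next` value is re-sent as the `next` query parameter of the following request.

```python
# Constructed example (not the plugin's own code): build the /token credentials,
# the /v4/indicator query from the page, and walk "next" pages without the network.
import base64
from typing import Callable, Iterator

TOKEN_URL = "https://api.intelligence.mandiant.com/token"
INDICATOR_URL = "https://api.intelligence.mandiant.com/v4/indicator"


def basic_auth_header(key_id: str, key_secret: str) -> str:
    """Authorization value for POST TOKEN_URL: 'Basic ' + base64('<key id>:<key secret>')."""
    return "Basic " + base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()


def pull_params(start_epoch: int, end_epoch: int, min_mscore: int,
                exclude_osint: bool, limit: int = 1000) -> dict:
    """Query parameters for GET /v4/indicator exactly as listed in the example above."""
    return {"start_epoch": start_epoch, "end_epoch": end_epoch, "limit": limit,
            "sort_by": "last_updated:asc", "gte_mscore": min_mscore,
            "exclude_osint": exclude_osint}


# (url, query params, headers) -> parsed JSON body. A live fetch would wrap
# requests.get(url, params=params, headers=headers).json(); a stub is used below.
Fetch = Callable[[str, dict, dict], dict]


def iter_indicators(fetch: Fetch, access_token: str, params: dict) -> Iterator[dict]:
    """Yield every indicator across pages. Assumption: the "next" cursor from one
    response is re-sent as the "next" query parameter of the following request."""
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    seen = set()  # guard: a repeated cursor would otherwise loop forever
    while True:
        body = fetch(INDICATOR_URL, params, headers)
        yield from body.get("indicators", [])
        cursor = body.get("next")
        if not cursor or cursor in seen:
            return
        seen.add(cursor)
        params = {**params, "next": cursor}


# Constructed two-page API stub standing in for the live endpoint.
_PAGES = {None: {"indicators": [{"id": "a"}, {"id": "b"}], "next": "cursor-1"},
          "cursor-1": {"indicators": [{"id": "c"}], "next": None}}


def stub_fetch(url: str, params: dict, headers: dict) -> dict:
    assert url == INDICATOR_URL and headers["Authorization"].startswith("Bearer ")
    return _PAGES[params.get("next")]


def pull_ids_with_stub() -> list:
    params = pull_params(1698050685, 1698054285, 50, False)
    return [i["id"] for i in iter_indicators(stub_fetch, "stub-token", params)]
```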
Performance Matrix
Below is the performance reading taken while fetching 100K IoCs in each plugin lifecycle on a Large CE instance with the specifications below.
| Item | Value |
|---|---|
| Stack details | Size: Large; RAM: 32 GB; CPU: 16 cores |
| Indicators fetched from Google Mandiant | ~10K per minute |
| Indicators shared to Google Mandiant | Not supported |
User Agent
The user agent added by this plugin has the format netskope-ce-<ce_version>-<module>-<plugin_name>-v<plugin_version>. For example:
- netskope-ce-4.2.0-cte-google-mandiant-v2.0.0
Workflow
- Create a custom File Profile.
- Create a Malware Detection Profile.
- Create a Real-time Protection Policy.
- Get Mandiant credentials.
- Configure a Mandiant Plugin.
- Configure sharing between Netskope and Mandiant.
- Validate the Mandiant Plugin.
- In the Netskope UI, go to Policies, select File, and click New File Profile.
- Click File Hash in the left panel and select SHA256 from the File Hash dropdown list.
- Enter a temporary value in the text field. Netskope does not let you proceed without a value in this field, and recommends entering a string of 64 `f` characters, for example `ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff`. Such a value has a very low probability of matching the hash of a real file.
- Click Next.
- Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores instead of spaces.
- Click Save.
- To publish this profile to the tenant, click Apply Changes in the top right.
- In the Netskope UI, go to Policies, select Threat Protection , and click New Malware Detection Profile.
- Click Next.
Note
For this configuration example, we will be using the intelligence for this list as a block list. Netskope does support inclusion of both allow and block lists in the threat profiles.
- Click Next again.
- Select the File Profile you created in the previous section and click Next.
- Enter a Malware Detection Profile name and click Save Malware Detection Profile.
- To publish this profile in the tenant, click Apply Changes in the top right.
- In the Netskope UI, go to Policies > Real-time Protection.
Note
The policy configured here is just an example. Modify as appropriate for your organization.
- Click New Policy and select Threat Protection.
- For Source, leave the default (User = All Users).
- For Destination, select Category.
- The Category section expands and allows you to search and select categories. Click Select All. When finished, click outside of the Category section.
- When the Activities & Constraints section opens, click Edit.
- Select Upload and Download, and then click Save.
- For Profile & Action, click in the text field.
- Select the Malware Detection profile you created in the previous section.
- For the Severity Levels, change all of the Action settings from Action: Alert to Action: Block.
- Select a template to choose which block message is sent to the user.
- For Set Policy, enter a descriptive Policy Name.
- Click Save in the top right to save the policy.
- Choose the To the top option when it appears (or an appropriate location in your security policy).
- To publish this policy to the tenant, select Apply Changes in the top right.
- Go to https://login.mandiant.com/ and log in.
- Click on the Mandiant Advantage Threat Intelligence option under Applications.
- Click on Settings.
- Go to API Access and Keys Section.
- Click the Get Key ID and Secret button to retrieve your Key ID and Secret.
- Copy the Access ID and Secret Key, as these will not be accessible after closing the window. These are required to configure the Mandiant plugin.
- In Cloud Exchange, go to Settings and click Plugins.
- Search for and select the Mandiant plugin box to open the plugin creation pages.
- Enter and select the Basic Information on the first page:
- Configuration Name: Unique name for the configuration.
- Sync Interval: Adjust the sync interval to an appropriate value; 5 minutes or more is suggested.
- Aging Criteria: Leave Default.
- Override Reputation: Leave Default.
- Enable SSL verification: Enable if SSL verification is required for communication.
- Use System Proxy: Enable if proxy is required for communication.
- Click Next.
- Enter the Configuration Parameters on the second page:
- Key ID: Enter the APIv4 Key ID generated from Settings > API Access and Keys in your Mandiant platform.
- Key Secret: Enter the APIv4 Key Secret generated from Settings > API Access and Keys in your Mandiant platform.
- Minimum Indicator Confidence Score (IC-Score): Provide an IC-Score from 0 to 100. Only indicators with an IC-Score greater than or equal to the specified score are fetched.
- Exclude Open Source Indicators: Exclude open source indicators from Mandiant.
- Enable Tagging: Enable/Disable tagging functionality.
- Initial Range: Number of days to pull the data for the initial run.
- Click Save.
Configure a Business Rule for Mandiant
To share indicators from Google Mandiant to Netskope, you need a business rule that filters the indicators you want to share. To configure a business rule, follow the steps below:
- Go to Threat Exchange > Business Rule > Create New Rule.
- Add your required filter for the IoCs you want to share and click Save.
Configure Sharing for Mandiant
To share IoCs from the Google Mandiant plugin to Netskope, follow the below steps:
- Go to Threat Exchange > Sharing and click Add Sharing Configuration.
- Select your Source Configuration (Google Mandiant), Business Rule, Destination Configuration (Netskope), and Target, and select the existing IoC List Name, or create a new IoC list on the platform.
- Click Save.
Validate the Mandiant Plugin
Validate the Pull
- You can verify the pulling of IoCs by going to Logging and checking the pull logs from the CTE Google Mandiant plugin.
- You can check the pulled data stored in CE under Threat Exchange > Threat IoCs. Search for the IoCs pulled from the plugin. You can also filter the IoCs by tag.
- Log in to Mandiant.
- Click Threat Intelligence > Threat Intelligence, open any Incident, and check that alerts are present under Alerts & Insights.
Validate the Push
The Google Mandiant plugin does not support the pushing of IoCs. You can push the IoCs pulled from the Google Mandiant to Netskope or any Third-party plugin supported in Threat Exchange.
Follow the below steps to verify the pushed IoCs to Netskope.
- To validate the pushed indicator on Netskope CE, go to Threat IoCs and search for IoCs that are shared with Netskope.
- You can also verify the pushed IoCs from Logging in Netskope CE.
- Filter the logs available from the Netskope plugin.
To validate the IoCs shared on Netskope follow the below steps:
- Log in to the Netskope tenant. Go to Policies > Web > URL Lists. Click the URL List you selected while configuring the sharing and check the shared IoCs. Note that all URL-type IoCs (URL, FQDN, IP address) pulled from Google Mandiant are shared to the Netskope URL List.
- Log in to the Netskope tenant. Go to Policies > File > File Profile. Click the File List you selected while configuring the sharing and check the shared IoCs. Note that the MD5 hashes pulled from Google Mandiant are shared to the Netskope File List.
- For more information, go to Logging in the left nav panel.
Troubleshooting
Receiving a 401 Unauthorized error
If you receive any error about the Key ID or Key Secret while configuring the plugin, verify the Key ID and Key Secret on the Mandiant platform:
- Go to https://login.mandiant.com/ and log in.
- Click on the Mandiant Advantage Threat Intelligence option under Applications.
- Click Settings.
- Go to the API Access and Keys Section.
- Click Get Key ID and Secret to retrieve your key ID and Secret.
- Verify both are correct.
Unable to fetch IoCs from Google Mandiant
If you are not able to fetch IoCs from Mandiant into Netskope Cloud Threat Exchange:
- Log in to Mandiant.
- Click Threat Intelligence > Threat Intelligence.
- Open any Incident and check that alerts are present under Alerts & Insights.
- Make sure alerts are present and, if so, that they fall within your configured Initial Range.