Mandiant Connector (API v4 - February 2024)

Learn all about integrating Mandiant Threat Intelligence into the Vulcan Platform


Am I reading the right user guide?

Certain connectors have more than one user guide. It depends on the environment's setup and the Connector's available releases (new vs. older revisions).

To access the relevant user guide to your environment, click on the "How to connect" button on the Connector's setup page. Doing so will direct you to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.


Overview

Why Mandiant?

The Mandiant connector is a TI (Threat Intelligence) connector that enriches your Vulcan Platform's existing threat intelligence data. Mandiant adds another layer of intelligence to the CVE severity based on extensive vulnerability research.

Vulcan Cyber acknowledges the high reliability of Mandiant TI and the dependency of many Security Engineers and CISOs on it as their primary source of Cyber Threat Intelligence. Therefore, we offer a dedicated connector that consolidates and aggregates the TI data from Mandiant.

Read all about the value you gain from this integration here.

Mandiant Connector Details

Supported products: Mandiant v4 API

Category: Threat Intelligence

Integration type: Unidirectional (data is transferred in one direction only, from the Connector into the Vulcan Platform)

Supported version and type: V4 API

What do you get as a CISO/Security Engineer?

Identify new Mandiant-tagged vulnerabilities and take action immediately

Filter to view the most recent vulnerabilities with the highest Mandiant risk rating and assign tasks by taking a remediation action on a vulnerability.

There is a dedicated Threat tag for the Mandiant risk score so you can identify if there is TI info from Mandiant and assess the related risk.

Explore the Mandiant Report and CVE analysis through the Vulcan Platform

Look into CVE analysis by accessing the Mandiant TI data, the Vulcan TI data, available fixes, and related assets. Then, take your next step of remediation action based on the consolidated data in the Vulcan Platform.

Access aggregated and correlated CVE Threat Intelligence reports collected from Mandiant:

Go to Vulnerabilities > Enter a vulnerability that has the Mandiant Risk tag > Click on the Threat Intelligence tab > Explore the Mandiant Reports:

Expand a report to get valuable details such as description, related CVE, attacking ease, and more.

  • The Reports are organized from the most recent and highest risk score to the oldest and lowest risk score.

  • The most valuable cyber-related information from Mandiant is consolidated into a concise block of data (Description, Risk rating, Exploit rating, Attacking ease, Exploitation consequence, Exploits, and related CVEs).


Connector Setup

Prerequisites and user permissions

To establish a sync between your Vulcan Platform and your Mandiant subscription, you need the following:

Getting a Mandiant Vulnerabilities Subscription

To have the user permissions for the vulnerability endpoint and access to reports, ensure you have a 'Vulnerabilities' subscription.

  1. Go to Mandiant Advantage and log in.

  2. Go to Settings and review your user permissions.

  3. Make sure the Vulnerabilities subscription is enabled. To enable a Vulnerabilities subscription, contact Mandiant support or click Request Upgrade.
    Log in to Mandiant Advantage to check your subscription type.

    For more info, review Mandiant documentation at: https://docs.mandiant.com/home/mati-threat-intelligence-api-v4

Getting Mandiant API v4 Key

To use the API, you need to get Mandiant API v4 keys:

  1. Go to Mandiant Advantage and log in.

  2. Go to Settings > API Access and Keys.

  3. Generate a set of API keys (Public and Private keys).

  4. Save the Keys somewhere safe.

Configuring the Mandiant v4 Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Mandiant icon.

  4. Set up the Connector as follows:

    • Enter the API Public and Private Keys you generated earlier.

  5. Set the number of days (1-14) of past reports to fetch.

  6. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Mandiant instance, then click Create (or Save Changes).

  7. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  8. To confirm the sync is complete, navigate to the Connectors page. Once the Mandiant icon shows Connected, the sync is complete.


Mandiant in the Vulcan Platform

Viewing and Taking Action on Vulnerabilities with Mandiant Threat Tag

To view vulnerabilities with Mandiant Threat Tag:

  1. Use the Search or Filter input box to select the Vulnerability Threat Tag > Mandiant Risk Level and/or Exploitation state.

  2. (Optional) Click on any vulnerability for more vulnerability details.

    Here is an example of how the Mandiant-ingested information looks in the Vulnerability details card in the Vulcan Platform:

  3. (Optional) To take action on one or more vulnerabilities, click Take Action.

Automating remediation actions on vulnerabilities with Mandiant Threat Tags

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. You can take advantage of the automation capabilities of Vulcan Cyber and the Mandiant Connector.

Use the Vulnerability > Threat Tags condition to create automation based on Threat Tags and Attack Vectors, such as Threat Intelligence tags by Mandiant or Recorded Future.


From Mandiant to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Mandiant through API (v4) to pull relevant vulnerability enrichment data and map it into the Vulcan Platform pages and fields.

Mandiant enrichment data is displayed in the Threat Intelligence tab for each relevant, unique vulnerability, according to the matching CVEs of the vulnerability.

The imported data is grouped by report.

Data Fields Mapping

Mandiant field                                    Vulcan field
cve_id                                            CVE ID
title                                             Vulnerability Title
cwe_details                                       CWE ID
cwe                                               CWE
exploitation_state                                Exploitation State
risk_rating                                       Risk Rating
common_vulnerability_scores(base_score)           CVSS Base Score
common_vulnerability_scores(temporal_score)       CVSS Temporal Score
common_vulnerability_scores(vector_string)        CVSS Vector
common_vulnerability_scores(attack_complexity)    Attack Complexity
description                                       Description
executive_summary                                 Executive Summary
exploitation_consequence                          Exploitation Consequence
was_zero_day                                      Was Zero Day
available_mitigation                              Available Mitigation
workarounds                                       Workarounds
link                                              Mandiant link
exploits                                          Exploits

Vulnerability Risk Level mapping

Mandiant Risk Level    Mandiant Risk Level Threat Tag in Vulcan
Critical               Mandiant risk: CRITICAL
High                   Mandiant risk: HIGH
Medium                 Mandiant risk: MEDIUM
Low                    Mandiant risk: LOW

Threat Tags Mapping

Mandiant Threat Tag (exploitation state)    Mandiant Risk Tag in Vulcan
No Known                                    Mandiant Exploitation State - No Known
Available                                   Mandiant Exploitation State - Available
Confirmed                                   Mandiant Exploitation State - Confirmed
Anticipated                                 Mandiant Exploitation State - Anticipated
Wide                                        Mandiant Exploitation State - Wide
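The three tables above (the field mapping, the risk level tags and the exploitation state tags) together describe how one Mandiant v4 vulnerability record ends up in the Vulcan Platform. The script below is an added example, not Vulcan Cyber's or Mandiant's code, that applies those tables to a constructed record. The nested layout of common_vulnerability_scores (a flat score object, or one keyed by CVSS version, with the latest version winning) and the exact spelling of Mandiant's enum values are assumptions; the sample record and its placeholder CVE and URL are constructed.

```python
"""Added example (not Vulcan Cyber's or Mandiant's code): map one Mandiant
v4 vulnerability record onto the Vulcan field names from the tables above
and derive the two Vulcan threat tags from risk_rating and exploitation_state.

Assumptions (not stated on the page): the nested layout of
common_vulnerability_scores and the exact spelling of Mandiant's enum values.
The sample record at the bottom is constructed, not a real API response.
"""
from typing import Any, Optional

# Mandiant field -> Vulcan field, straight from the Data Fields Mapping table.
FLAT_FIELDS = {
    "cve_id": "CVE ID",
    "title": "Vulnerability Title",
    "cwe_details": "CWE ID",
    "cwe": "CWE",
    "exploitation_state": "Exploitation State",
    "risk_rating": "Risk Rating",
    "description": "Description",
    "executive_summary": "Executive Summary",
    "exploitation_consequence": "Exploitation Consequence",
    "was_zero_day": "Was Zero Day",
    "available_mitigation": "Available Mitigation",
    "workarounds": "Workarounds",
    "link": "Mandiant link",
    "exploits": "Exploits",
}

# Sub-fields of common_vulnerability_scores -> Vulcan field.
CVSS_FIELDS = {
    "base_score": "CVSS Base Score",
    "temporal_score": "CVSS Temporal Score",
    "vector_string": "CVSS Vector",
    "attack_complexity": "Attack Complexity",
}

RISK_LEVELS = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
EXPLOITATION_STATES = ("No Known", "Available", "Confirmed", "Anticipated", "Wide")


def _cvss_block(scores: Any) -> dict:
    """Return the CVSS score object. Assumption: the API may return either a
    flat object {"base_score": ...} or one keyed by CVSS version
    {"v3.1": {...}}; in the keyed form the highest version label wins."""
    if not isinstance(scores, dict) or not scores:
        return {}
    if any(k in scores for k in CVSS_FIELDS):
        return scores
    latest = max(scores)  # e.g. "v3.1" > "v2.0" under string ordering
    return scores[latest] if isinstance(scores[latest], dict) else {}


def risk_level_tag(risk_rating: Any) -> Optional[str]:
    """Vulnerability Risk Level mapping: Critical -> 'Mandiant risk: CRITICAL' etc."""
    if not isinstance(risk_rating, str):
        return None
    level = risk_rating.strip().upper()
    return f"Mandiant risk: {level}" if level in RISK_LEVELS else None


def exploitation_state_tag(state: Any) -> Optional[str]:
    """Threat Tags mapping: 'Wide' -> 'Mandiant Exploitation State - Wide' etc."""
    if not isinstance(state, str):
        return None
    for known in EXPLOITATION_STATES:
        if state.strip().lower() == known.lower():
            return f"Mandiant Exploitation State - {known}"
    return None


def map_mandiant_record(record: dict) -> dict:
    """Produce {Vulcan field: value} plus a 'Threat Tags' list for one record.
    Fields absent from the record are omitted rather than defaulted."""
    out = {}
    for src, dst in FLAT_FIELDS.items():
        if src in record:
            out[dst] = record[src]
    cvss = _cvss_block(record.get("common_vulnerability_scores"))
    for src, dst in CVSS_FIELDS.items():
        if src in cvss:
            out[dst] = cvss[src]
    tags = [risk_level_tag(record.get("risk_rating")),
            exploitation_state_tag(record.get("exploitation_state"))]
    out["Threat Tags"] = [t for t in tags if t]
    return out


# Constructed sample record: CVE id and link are placeholders, not real values.
SAMPLE_RECORD = {
    "cve_id": "CVE-0000-00000",  # placeholder CVE id
    "title": "Example remote code execution",
    "cwe_details": "CWE-787",
    "cwe": "Out-of-bounds Write",
    "exploitation_state": "Wide",
    "risk_rating": "CRITICAL",
    "common_vulnerability_scores": {
        "v2.0": {"base_score": 7.5, "vector_string": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
        "v3.1": {"base_score": 9.8, "temporal_score": 9.4,
                 "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                 "attack_complexity": "LOW"},
    },
    "description": "Constructed description.",
    "was_zero_day": True,
    "link": "https://example.invalid/report",  # placeholder URL
    "exploits": [],
}

if __name__ == "__main__":
    for field, value in map_mandiant_record(SAMPLE_RECORD).items():
        print(f"{field}: {value}")
```

Unknown risk ratings or exploitation states yield no tag rather than a misspelt one, which is the behaviour you want when the upstream enum gains a value the mapping tables do not yet list.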

API Endpoints in Use

API version: v4

API

Use in Vulcan

Generate access tokens for running other APIs

Get Vulnerability data


FAQ

How is the risk score calculated when integrating with Mandiant?

Vulnerabilities that have the "Mandiant risk" threat tag will have a custom risk calculation as described in the table below:

Mandiant Threat tag         Risk calculation and score
Mandiant risk: CRITICAL     100
Mandiant risk: HIGH         85 + 0.15 (15%) × Tags score
Mandiant risk: MEDIUM       The risk score in the Vulcan Cyber platform isn't affected
Mandiant risk: LOW          10 + 0.3 (30%) × Tags score + 0.2 (20%) × Threat tags

If a vulnerability has several CVEs and some of them have different Mandiant risk scores, what determines the Mandiant risk threat tag?

The CVE that has the higher Mandiant risk score determines the Mandiant risk tag the vulnerability gets.

For example, if there is a vulnerability that has 4 CVEs, 2 of which have a Mandiant risk score of Medium and one has Critical, the vulnerability will have the threat tag of Mandiant risk: CRITICAL.
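The two FAQ answers above define a small calculation: pick the highest Mandiant risk rating across a vulnerability's CVEs, then apply the score rule for that tag. The script below is an added example, not Vulcan Cyber's code, that reproduces both rules and runs the FAQ's own four-CVE case. It assumes that "Tags score" and "Threat tags" are plain 0-100 numbers the platform has already computed, and that rounding the result to two decimals is acceptable; the input values are constructed.

```python
"""Added example (not Vulcan Cyber's code): reproduce the two FAQ rules above,
the custom risk score per Mandiant risk tag and the 'highest CVE wins' rule for
vulnerabilities that carry several CVEs.

Assumptions (not stated on the page): 'Tags score' and 'Threat tags' are
plain 0-100 numbers already computed by the platform, and the result is
rounded to two decimals; the inputs in __main__ are constructed.
"""
from typing import Iterable, Optional, Tuple

# Ordered from highest to lowest, as used by the FAQ.
RISK_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]


def highest_mandiant_risk(cve_ratings: Iterable[Optional[str]]) -> Optional[str]:
    """Pick the Mandiant risk rating that decides the vulnerability's tag.
    CVEs without a Mandiant rating (None or an unknown value) are ignored."""
    best: Optional[str] = None
    for rating in cve_ratings:
        if not isinstance(rating, str):
            continue
        level = rating.strip().upper()
        if level not in RISK_ORDER:
            continue
        if best is None or RISK_ORDER.index(level) < RISK_ORDER.index(best):
            best = level
    return best


def vulcan_risk_score(mandiant_level: Optional[str], vulcan_score: float,
                      tags_score: float = 0.0, threat_tags_score: float = 0.0) -> float:
    """Apply the FAQ table. `vulcan_score` is the platform's own score, which is
    what a MEDIUM tag (or no Mandiant tag at all) leaves untouched."""
    if mandiant_level is None:
        return vulcan_score
    level = mandiant_level.strip().upper()
    if level == "CRITICAL":
        return 100.0
    if level == "HIGH":
        return round(85 + 0.15 * tags_score, 2)
    if level == "MEDIUM":
        return vulcan_score
    if level == "LOW":
        return round(10 + 0.3 * tags_score + 0.2 * threat_tags_score, 2)
    raise ValueError(f"unknown Mandiant risk level: {mandiant_level!r}")


def score_vulnerability(cve_ratings: Iterable[Optional[str]], vulcan_score: float,
                        tags_score: float = 0.0,
                        threat_tags_score: float = 0.0) -> Tuple[Optional[str], float]:
    """Combine both rules: the tag comes from the highest-rated CVE, the score
    from the tag. Returns (threat tag or None, final score)."""
    level = highest_mandiant_risk(cve_ratings)
    tag = f"Mandiant risk: {level}" if level else None
    return tag, vulcan_risk_score(level, vulcan_score, tags_score, threat_tags_score)


if __name__ == "__main__":
    # The FAQ's own example: four CVEs, two Medium, one Critical (the fourth unrated here).
    print(score_vulnerability(["Medium", "Medium", "Critical", None], vulcan_score=55))
    # HIGH with a constructed Tags score of 40 -> 85 + 0.15 * 40
    print(score_vulnerability(["High"], vulcan_score=55, tags_score=40))
    # LOW with constructed Tags score 40 and Threat tags 50 -> 10 + 12 + 10
    print(score_vulnerability(["Low"], vulcan_score=55, tags_score=40, threat_tags_score=50))
```

Note that a LOW tag can lower a vulnerability below the platform's own score, so a filter on "Mandiant risk: LOW" is also a useful sanity check when a score drops unexpectedly after a sync.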

What happens if a vulnerability is identified as Medium by the Vulcan Platform and High/Critical by Mandiant TI?

It means that the Mandiant research team has done some further research on the vulnerability and came to the conclusion that the risk is higher than we thought (i.e., higher than what the official threat intel sources report).
