Mandiant is a monitoring source that syncs alerts directly to Chronicle. Mandiant's Digital Threat Monitoring (DTM) service continuously monitors its existing client instances for potential threats; when a threat is detected, DTM raises an alert, which is sent to Chronicle.
A scheduled job in Google Cloud runs every 10 minutes so that alerts from Mandiant reach Chronicle consistently and without long delays. Within Chronicle, YARA-L rules are run against the alert data to identify security threats, and the resulting detections are forwarded to Resolution Intelligence Cloud for further action.
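The scheduled sync described above has two boundary problems that a practitioner has to handle: an alert indexed late on Mandiant's side can fall just behind the last checkpoint and be missed, and re-reading a safety margin behind the checkpoint re-delivers alerts that were already forwarded. The following is an added example (not Netenrich, Mandiant or Chronicle code) of how a 10-minute poller can keep a high-water-mark checkpoint, re-query a small overlap window, and deduplicate on alert id. The alert field names (`id`, `created_at`), the two-minute overlap, and the injected `fetch_alerts`/`forward` callables are assumptions so the logic runs offline against constructed sample alerts; the Basic credential is built from the API key and secret key exactly as the integration is configured on this page.

```python
"""Added example: a 10-minute Mandiant DTM -> Chronicle sync loop with overlap and dedup.

Not the product's own code. Assumed: alerts are dicts with "id" and "created_at" (ISO-8601 UTC);
fetching and forwarding are injected so the example runs offline.
"""
from __future__ import annotations

import base64
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable

POLL_INTERVAL = timedelta(minutes=10)   # the scheduled job interval stated on the page
OVERLAP = timedelta(minutes=2)          # assumption: re-read this far behind the checkpoint each run


def basic_auth_header(api_key: str, secret_key: str) -> str:
    """HTTP Basic credential (RFC 7617) from the API key and secret key configured for the integration."""
    raw = f"{api_key}:{secret_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_ts(value: str) -> datetime:
    """ISO-8601 timestamp (assumed format of the alert's created_at field) to an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


class SyncState:
    """What must persist between runs: the high-water mark and the ids already forwarded near it."""

    def __init__(self, checkpoint: datetime) -> None:
        self.checkpoint = checkpoint
        self.seen: dict[str, datetime] = {}


def run_poll(
    state: SyncState,
    fetch_alerts: Callable[[datetime, datetime], Iterable[dict]],
    forward: Callable[[dict], None],
    now: datetime,
) -> int:
    """One scheduled run: pull alerts created in [checkpoint - OVERLAP, now], forward the ones not
    already sent, and advance the checkpoint to the newest alert seen. Returns the count forwarded."""
    since = state.checkpoint - OVERLAP
    forwarded = 0
    newest = state.checkpoint
    for alert in fetch_alerts(since, now):
        alert_id, created = alert["id"], parse_ts(alert["created_at"])
        if alert_id in state.seen:
            continue                      # re-delivered by the overlap window; never send twice
        forward(alert)
        state.seen[alert_id] = created
        forwarded += 1
        newest = max(newest, created)
    state.checkpoint = newest
    # Only ids that can still fall inside the next overlap window need to be remembered.
    cutoff = state.checkpoint - OVERLAP
    state.seen = {k: v for k, v in state.seen.items() if v >= cutoff}
    return forwarded


# Constructed sample alerts (not real Mandiant DTM output).
SAMPLE_ALERTS = [
    {"id": "dtm-001", "created_at": "2024-05-01T09:52:00Z", "severity": "high", "title": "Credential leak"},
    {"id": "dtm-002", "created_at": "2024-05-01T09:58:00Z", "severity": "medium", "title": "Lookalike domain"},
    {"id": "dtm-003", "created_at": "2024-05-01T10:05:00Z", "severity": "high", "title": "Exposed document"},
]


def fake_fetch(since: datetime, until: datetime) -> list[dict]:
    """Stands in for the DTM alerts API: sample alerts created within [since, until]."""
    return [a for a in SAMPLE_ALERTS if since <= parse_ts(a["created_at"]) <= until]


def simulate_two_runs() -> tuple[list[str], list[str]]:
    """Two consecutive 10-minute runs against the sample data; returns the ids forwarded by each."""
    sent: list[list[str]] = [[], []]
    state = SyncState(checkpoint=parse_ts("2024-05-01T09:50:00Z"))
    first_run = parse_ts("2024-05-01T10:00:00Z")
    run_poll(state, fake_fetch, lambda a: sent[0].append(a["id"]), now=first_run)
    # The scheduler fires again; dtm-002 lands inside the overlap window and must be deduplicated.
    run_poll(state, fake_fetch, lambda a: sent[1].append(a["id"]), now=first_run + POLL_INTERVAL)
    return sent[0], sent[1]


if __name__ == "__main__":
    print(basic_auth_header("example-key", "example-secret"))
    print(simulate_two_runs())
```

The first run forwards dtm-001 and dtm-002 and moves the checkpoint to 09:58; the second run re-reads from 09:56, sees dtm-002 again, drops it as already sent, and forwards only dtm-003. Checkpointing on the newest alert timestamp rather than on wall-clock time is what keeps a run that returns nothing from silently skipping past alerts that Mandiant indexes late.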
Prerequisites
- Enable Chronicle and configure a Chronicle instance
- Mandiant API key and secret key
Enabling Mandiant Integration
Use this procedure to enable the Mandiant integration and sync threat intelligence data into Resolution Intelligence Cloud.
1. Click Configurations to open the configuration options.
2. Under the Data Ingestion section, select Integrations to see all the data sources and monitoring tools that you can integrate.
3. Select Monitoring from the list to see only the monitoring sources available to integrate with the platform.
4. Search for Mandiant in the search box.
5. Click the Mandiant card to open the Mandiant Integration page.
6. Click Add and select New Integration to add a new integration to the platform. This enables the Mandiant integration.
The authentication section is now enabled.
Note: The Authentication option is visible only after you enable the Mandiant integration.
7. Under Configurations, click Authentication.
You are taken to an authentication page where you enter the following details:
- Select BASIC as the authentication type.
- Enter the API key and Secret key to establish the connection with Mandiant. Treat the Secret key as a credential: do not share it or store it outside the integration configuration.
- Click Save.