Add Socket-based Actions

For advanced users, Actions can be created at the socket level to ingest specific TTPs. This Action type sends data over a basic TCP or UDP connection, which is helpful when a PCAP is not available.

  1. From the Director, go to Library > Actions.
  2. Click Add Action and then select Socket. The Add Socket Action form displays.
  3. Select Comm Type (TCP or UDP) and enter the Server port.
  4. Add Step information:
    1. Click on the Step 1 label to expand the step.
    2. Enter the Request.
    3. Optional: Enter the Response.
    4. To add more steps, click Add Another Step and then repeat substeps 2 and 3.

      Figure: Adding steps to socket-based Actions

  5. After all steps are entered, click Next.
  6. Populate the Action Name, Description, and Dimensions.
    1. Name
    2. Description
    3. Attack Vector
    4. Attacker Location
    5. Behavior Type
    6. Covert
    7. OS/Platform
    8. Stage of Attacks
    9. Optional: User Tags
  7. Click Save Action. The Action Library displays. A confirmation message shows that your Action was created successfully, and the Action is selected and displayed in the Action preview.
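
What a stepped exchange of this shape looks like at the socket level, shown over loopback TCP. This is an added example, not the product's code or its replay logic. It assumes each step is one client send followed by the optional server reply; the payloads and the names `STEPS` and `replay_tcp` are constructed for illustration.

```python
import socket
import threading

# Constructed, benign sample steps: (Request, optional Response) pairs.
STEPS = [
    (b"HELLO validation-test\r\n", b"200 READY\r\n"),
    (b"PING\r\n", None),  # step with no Response defined
    (b"QUIT\r\n", b"221 BYE\r\n"),
]

def _recv_exact(conn, n):
    # TCP is a byte stream: read until exactly n bytes of this step have arrived.
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-step")
        buf += chunk
    return buf

def _serve(listener, steps, seen):
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        for request, response in steps:
            seen.append(_recv_exact(conn, len(request)))
            if response is not None:
                conn.sendall(response)

def replay_tcp(steps, host="127.0.0.1"):
    """Replay steps over loopback; return (requests the server saw, replies the client saw)."""
    seen, replies = [], []
    with socket.create_server((host, 0)) as listener:  # port 0: OS picks a free server port
        listener.settimeout(5)
        t = threading.Thread(target=_serve, args=(listener, steps, seen), daemon=True)
        t.start()
        with socket.create_connection(listener.getsockname(), timeout=5) as client:
            for request, response in steps:
                client.sendall(request)
                replies.append(None if response is None else _recv_exact(client, len(response)))
        t.join(timeout=5)
    return seen, replies

if __name__ == "__main__":
    for i, (req, rep) in enumerate(zip(*replay_tcp(STEPS)), 1):
        print(f"Step {i}: request={req!r} response={rep!r}")
```

Because TCP is a byte stream, a step with no Response can reach the receiver in the same segment as the next Request, so step boundaries are not guaranteed to match packet boundaries when you review what a sensor captured.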
  • June 5, 2022
  • August 13, 2025