We know customers benefit when they can capture and execute the latest content. The Mandiant Content Service and your Director work together to automate this process to continuously ensure authenticity, relevance, and freshness of Actions.
The Mandiant Content Service integrates between your Director and the Mandiant Advantage Platform, providing access to Mandiant's real-time content updates. Without the Content Service, you have to manually apply new content packs you first download from the Validation Customer portal. With the Content Service, when Mandiant publishes new content, it is automatically delivered to your Director.
Mandiant Advantage Security Validation (MA-SV) licenses issued after January 1, 2022, including licenses for on-premises deployments, require a persistent connection to the Mandiant Content Service. If a successful connection has not occurred for 15 days, the Director immediately halts execution of Jobs. Once connection to the Content Service is restored and verified by the Director, you are able to run Jobs again.
Content Service Access
The Content Service sits behind the Update Service (the service used to download software updates). Direct access to the Content Service is limited to only the Update Service. Requests from the Director to the Content Service are proxied through the Update Service using the same security measures as other non-Content Service requests made by the Director to the Update Service (for example, use of HTTPS with signed certificates, PKI checks, and so on).
Integrity Checks
The same checks that are performed during a manual content import through the GUI are performed during an automated Content Service import (for example, MD5 fingerprint checks). Most of the content downloaded from the Content Service (the files that contain potentially malicious content) is encrypted to avoid triggering any alarms while the data is in transit.
User Account Permissions
The user account on the Director, on which the Content Service functionality runs, has sufficient privileges to import and apply content. Therefore, no approval process is necessary.