This document applies to Classic/Legacy Integrations. You may continue to use these integration configurations. While no active development is happening for these integrations, we continue to provide Classic/Legacy Integrations in the product. You do not have to move to MSI Integrations. If your support engineer or TSC recommends or you choose to move to MSI Integrations, you can take advantage of the latest features and functionality. For more information, see the MSI Integration documentation in the Integrations Overview.
API Calls
The Validation Platform uses the Mandiant API v4 for its Mandiant Threat Intelligence integration. The integration provides APT and FIN threat actor details. It also includes different threat actor families and improved details for all threat actors.
The following API calls are used by the Validation Platform.
| Purpose | Call |
|---|---|
| Retrieves the Threat Actor Overview Report generalized data | /v4/actor/ |
| Retrieves the Threat Actor Description | /v4/actor/:id |
| Retrieves the MITRE ATT&CK tags associated with that threat actor | /v4/actor/:id/attack-patterns |
Prerequisites
Information to gather before you start:
- Identify the port and protocol.
- Use an active account with API access.
- Obtain the Mandiant Advantage Threat Intelligence (MATI) API Public Key and Private Key. For more information see Threat Intelligence Account Management.
Configuration
To add the Mandiant Threat Intelligence Integration
Go to Settings > Integrations.
- In the Threat Intelligence Platform Integrations table, click Add Integration > Mandiant Threat Intelligence.
- The API version auto-populates to V4.
Select the Mode.
The only time you'd change this from API to FILE is if you are in an air-gapped environment. If you do choose FILE, you will select the JSON file and then skip to step 10.
- The Host field auto-populates to api.intelligence.mandiant.com.
- Enter the Port.
- Select the Protocol.
- Enter the Public Key.
- Enter the Private Key.
- Enter the Sync Interval in hours (default: 24 hours).
(Optional) Assign a Name.
- Click Submit. The integration automatically starts to sync after it is added.
Set up Proxy Assignment
If all outbound connections go through a proxy, you may want to set up a proxy definition and assignment for your integration. For information on setting up your proxy rules, see Proxy Rules.