Integrate Mandiant Attack Surface Management with Google SecOps
This document explains how to integrate Mandiant Attack Surface Management with Google Security Operations (Google SecOps).
Integration version: 8.0
In the Google SecOps platform, the integration for Mandiant Attack Surface Management is called Mandiant ASM.
Integration parameters
The Mandiant Attack Surface Management integration requires the following parameters:
| Parameters | Description |
|---|---|
API Root |
Required The API root of the Mandiant instance. The default value is To authenticate with Google Threat Intelligence credentials, enter
the following value: |
Access Key |
Optional The API access key of the Mandiant Attack Surface Management account. To generate the access key in Mandiant Attack Surface Management, go to Account settings > API keys > Generate new key. |
Secret Key |
Optional The API secret key of the Mandiant Attack Surface Management account. To generate the secret key in Mandiant Attack Surface Management, go to Account settings > API keys > Generate new key. |
Project |
Optional The project name to use in the integration. |
GTI API Key |
Optional
The API key of Google Threat Intelligence. To authenticate
using Google Threat Intelligence, set the When you authenticate using the Google Threat Intelligence API key, it takes priority over other authentication methods. |
Verify SSL |
Required If selected, the integration verifies that the SSL certificate for the connection to the Mandiant server is valid. Selected by default. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and supporting multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Get ASM Entity Details
Use the Get ASM Entity Details action to return information about a Mandiant Attack Surface Management entity.
Note:This action doesn't run on Google SecOps entities.
Action inputs
The Get ASM Entity Details action requires the following parameters:
| Parameter | Description |
|---|---|
Entity ID |
Required A comma-separated list of entity IDs to retrieve the details for. |
Action outputs
The Get ASM Entity Details action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Get ASM Entity Details action:
{
"uuid": "UUID",
"dynamic_id": "Intrigue::Entity::Uri#http://192.0.2.73:80",
"collection_name": "cpndemorange_oum28bu",
"alias_group": 8515,
"aliases": [
"http://192.0.2.73:80"
],
"allow_list": false,
"ancestors": [
{
"type": "Intrigue::Entity::NetBlock",
"name": "192.0.2.0/24"
}
],
"category": null,
"collection_naics": null,
"confidence": null,
"deleted": false,
"deny_list": false,
"details": {
"asn": null,
"ssl": false,
"uri": "http://192.0.2.73:80",
"code": "404",
"port": 80,
"forms": false,
"title": "404 Not Found",
"verbs": null,
"cookies": null,
"headers": [
"Date: Fri, 30 Sep 2022 06:51:11 GMT",
"Content-Type: text/html",
"Content-Length: 548",
"Connection: keep-alive"
],
"host_id": 8615,
"net_geo": "US",
"scripts": [],
"service": "http",
"auth.2fa": false,
"auth.any": false,
"dom_sha1": "540707399c1b58afd2463ec43da3b41444fbde32",
"net_name": "",
"protocol": "tcp",
"alt_names": null,
"auth.ntlm": false,
"generator": null,
"auth.basic": false,
"auth.forms": false,
"ip_address": "192.0.2.73",
"favicon_md5": null,
"fingerprint": [
{
"cpe": "cpe:2.3:a:example:example::",
"hide": false,
"tags": [
"Web Server"
],
"type": "fingerprint",
"tasks": null,
"issues": null,
"method": "ident",
"update": null,
"vendor": "Example",
"product": "Example",
"version": null,
"inference": false,
"description": "example (default page)",
"match_logic": "all",
"positive_matches": [
{
"match_type": "content_body",
"match_content": "(?i-mx:<hr><center>example\/?([\\d.]*)<\/center>)"
}
]
},
{
"cpe": "cpe:2.3:a:example:example::",
"hide": false,
"tags": [
"Web Server"
],
"type": "fingerprint",
"tasks": null,
"issues": null,
"method": "ident",
"update": null,
"vendor": "example",
"product": "example",
"version": null,
"inference": false,
"description": "example (default page - could be redirect)",
"match_logic": "all",
"positive_matches": [
{
"match_type": "content_body",
"match_content": "(?i-mx:<hr><center>example\/?[\\d.]*<\/center>)"
}
]
}
],
"geolocation": {
"asn": {
"asn": 16509,
"isp": "Example Inc.",
"name": "example.com, Inc.",
"organization": "Example Services",
"connection_type": "Corporate"
},
"city": "Singapore",
"country": "Singapore",
"latitude": 1.35208,
"continent": "Asia",
"longitude": 103.82,
"time_zone": "Asia/Singapore",
"country_code": "SG",
"continent_code": "AS"
},
"vuln_checks": [
"log4shell_cve_2021_44228"
],
"api_endpoint": false,
"cloud_hosted": true,
"favicon_sha1": null,
"domain_cookies": null,
"log4shell_uuid": "55be320622c4937c01738e092579edaa338fd90e2a",
"redirect_chain": [],
"redirect_count": 0,
"cloud_providers": [
"Cloud Provider Name"
],
"hidden_original": "http://192.0.2.73:80",
"net_country_code": null,
"screenshot_exists": true,
"cloud_fingerprints": [],
"response_data_hash": "1GUXIXXTXUk/sWM+I3cAAivYSfoSMWR5CxaLgxissJA=",
"extended_favicon_data": null,
"extended_path_to_seed": [
{
"id": 8620,
"_id": 8605,
"name": "http://192.0.2.73:80",
"seed": false,
"type": "Intrigue::Entity::Uri",
"_type": "Entity",
"creates": [
{
"id": 6158,
"_id": 6152,
"name": "192.0.2.0/24",
"seed": true,
"type": "Intrigue::Entity::NetBlock",
"_type": "Entity",
"creates.verb": "queried",
"creates.source_name": "search_shodan",
"creates.source_type": "internet_scan_database"
}
]
}
],
"extended_configuration": [
{
"hide": false,
"name": "Example Page Content",
"task": null,
"type": "content",
"issue": null,
"result": 566218143
},
{
"hide": false,
"name": "Example",
"task": null,
"type": "content",
"issue": null,
"result": 566218143
},
{
"cpe": "cpe:2.3:a:example:example::",
"hide": false,
"tags": [
"Web Server"
],
"type": "fingerprint",
"tasks": null,
"issues": null,
"method": "ident",
"update": null,
"vendor": "Example",
"product": "Example",
"version": null,
"inference": false,
"description": "example (default page)",
"match_logic": "all",
"positive_matches": [
{
"match_type": "content_body",
"match_content": "(?i-mx:<hr><center>example\/?([\\d.]*)<\/center>)"
}
]
},
{
"cpe": "cpe:2.3:a:example:example::",
"hide": false,
"tags": [
"Web Server"
],
"type": "fingerprint",
"tasks": null,
"issues": null,
"method": "ident",
"update": null,
"vendor": "Example",
"product": "Example",
"version": null,
"inference": false,
"description": "example (default page - could be redirect)",
"match_logic": "all",
"positive_matches": [
{
"match_type": "content_body",
"match_content": "(?i-mx:<hr><center>example\/?[\\d.]*<\/center>)"
}
]
}
],
"extended_response_body": "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>example</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n",
"exfil_lookup_identifier": "55be320622c4937c01738e092579edaa",
"extended_shodan_details": {
"ip": 50387017,
"os": null,
"asn": "ASN",
"isp": "Example.com, Inc.",
"org": "Example Services",
"data": "HTTP/1.1 404 Not Found\r\nDate: Fri, 30 Sep 2022 05:16:32 GMT\r\nContent-Type: text/html\r\nContent-Length: 548\r\nConnection: keep-alive\r\n\r\n",
"hash": -744989972,
"http": {
"host": "192.0.2.73",
"html": "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>example</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n",
"title": "404 Not Found",
"robots": null,
"server": null,
"status": 404,
"sitemap": null,
"location": "/",
"html_hash": -2090962452,
"redirects": [],
"components": {},
"robots_hash": null,
"securitytxt": null,
"headers_hash": -873436690,
"sitemap_hash": null,
"securitytxt_hash": null
},
"tags": [
"cloud"
],
"cloud": {
"region": "ap-southeast-1",
"service": "Example",
"provider": "Example"
},
"ip_str": "192.0.2.73",
"_shodan": {
"id": "ID",
"ptr": true,
"module": "http",
"region": "eu",
"crawler": "f4bb88763d8ed3a0f3f91439c2c62b77fb9e06f3",
"options": {}
},
"domains": [
"example.com"
],
"location": {
"city": "Singapore",
"latitude": 1.28967,
"area_code": null,
"longitude": 103.85007,
"region_code": "01",
"country_code": "SG",
"country_name": "Singapore"
},
"hostnames": [
"ec2-192-0-2-73.ap-southeast-1.compute.example.com"
],
"timestamp": "2022-09-30T05:16:33.068993"
},
"hidden_port_open_confirmed": true,
"extended_screenshot_contents": "iVBORw0KGgoAAA"
},
"details_file": "data/v4/cpndemorange_oum28bu/2022_09_30/cpndemorange_oum28bu/entities/ID.json",
"description": null,
"first_seen": "2022-09-30T21:20:19.000Z",
"hidden": false,
"last_seen": "2022-09-30T21:20:19.000Z",
"name": "http://192.0.2.73:80",
"scoped": true,
"scoped_reason": "entity_scoping_rules: fallback value",
"seed": false,
"source": null,
"status": null,
"task_results": [],
"type": "Intrigue::Entity::Uri",
"uid": "UID",
"created_at": "2022-09-30T21:25:05.232Z",
"updated_at": "2022-09-30T21:25:05.239Z",
"collection_id": 117139,
"elasticsearch_mappings_hash": null,
"collection": "cpndemorange_oum28bu",
"collection_uuid": "UUID",
"organization_uuid": "UUID",
"collection_type": "user_collection",
"fingerprint": [
{
"cpe": "cpe:2.3:a:example:example::",
"hide": false,
"tags": [
"Web Server"
],
"type": "fingerprint",
"tasks": null,
"issues": null,
"method": "ident",
"update": null,
"vendor": "Example",
"product": "Example",
"version": null,
"inference": false,
"description": "example (default page)",
"match_logic": "all",
"positive_matches": [
{
"match_type": "content_body",
"match_content": "(?i-mx:<hr><center>example\/?([\\d.]*)<\/center>)"
}
],
"local_icon_path": "/assets/fingerprints/example.png"
},
{
"cpe": "cpe:2.3:a:example:example::",
"hide": false,
"tags": [
"Web Server"
],
"type": "fingerprint",
"tasks": null,
"issues": null,
"method": "ident",
"update": null,
"vendor": "Example",
"product": "Example",
"version": null,
"inference": false,
"description": "example (default page - could be redirect)",
"match_logic": "all",
"positive_matches": [
{
"match_type": "content_body",
"match_content": "(?i-mx:<hr><center>example\/?[\\d.]*<\/center>)"
}
],
"local_icon_path": "/assets/fingerprints/example.png"
}
],
"summary": {
"scoped": true,
"issues": {
"current_with_cve": 0,
"current_by_severity": {
"1": 1
},
"all_time_by_severity": {
"1": 1
},
"current_count": 1,
"all_time_count": 1,
"critical_or_high": true
},
"task_results": [
"search_shodan",
"port_scan",
"port_scan_lambda",
"search_shodan"
],
"screenshot_exists": true,
"geolocation": {
"city": "Singapore",
"country_code": "SG",
"country_name": null,
"latitude": 1.35208,
"longitude": 103.82,
"asn": null
},
"http": {
"code": 404,
"title": "404 Not Found",
"content": {
"favicon_hash": null,
"hash": null,
"forms": false
},
"auth": {
"any": false,
"basic": false,
"ntlm": false,
"forms": false,
"2fa": false
}
},
"ports": {
"tcp": [
80
],
"udp": [],
"count": 1
},
"network": {
"name": "example.com, Inc.",
"asn": 16509,
"route": null,
"type": null
},
"technology": {
"cloud": true,
"cloud_providers": [
"Cloud Provider Name"
],
"cpes": [],
"technologies": [],
"technology_labels": []
},
"vulns": {
"current_count": 0,
"vulns": []
}
},
"tags": [],
"id": "ID",
"scoped_at": "2022-09-30 06:51:57 +0000",
"detail_string": "Fingerprint: Example | Title: 404 Not Found",
"enrichment_tasks": [
"enrich/uri",
"sslcan"
],
"generated_at": "2022-09-30T21:21:18Z"
}
Output messages
The Get ASM Entity Details action can return the following output messages:
| Output message | Message description |
|---|---|
|
The action succeeded. |
Error executing action "Get ASM Entity Details". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Get ASM Entity Details action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Search ASM Entities
Use the Search ASM Entities action to search entities in Mandiant Attack Surface Management.
This action doesn't run on Google SecOps entities.
Action inputs
The Search ASM Entities action requires the following parameters:
| Parameter | Description |
|---|---|
Entity Name |
Optional A comma-separated list of entity names to find entities for. |
Minimum Vulnerabilities Count |
Optional The number of vulnerabilities that are related to the returned entity. |
Minimum Issues Count |
Optional The number of issues that are related to the returned entity. |
Tags |
Optional A comma-separated list of tag names to use when searching for entities. |
Max Entities To Return |
Optional The number of entities to return. The default value is 50. The maximum value is 200. |
Critical or High Issue |
Optional If selected, the action returns only entities with
Not selected by default. |
Action outputs
The Search ASM Entities action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Search ASM Entities action:
{
"id": "ID",
"dynamic_id": "Intrigue::Entity::IpAddress#192.0.2.92",
"alias_group": "1935953",
"name": "192.0.2.92",
"type": "Intrigue::Entity::IpAddress",
"first_seen": "2022-02-02T01:44:46Z",
"last_seen": "2022-02-02T01:44:46Z",
"collection": "cpndemorange_oum28bu",
"collection_type": "Intrigue::Collections::UserCollection",
"collection_naics": [],
"collection_uuid": "COLLECTION_UUID",
"organization_uuid": "ORGANIZATION_UUID",
"tags": [],
"issues": [],
"exfil_lookup_identifier": null,
"summary": {
"scoped": true,
"issues": {
"current_by_severity": {},
"current_with_cve": 0,
"all_time_by_severity": {},
"current_count": 0,
"all_time_count": 0,
"critical_or_high": false
},
"task_results": [
"search_shodan"
],
"geolocation": {
"city": "San Jose",
"country_code": "US",
"country_name": null,
"latitude": "-121.8896",
"asn": null
},
"ports": {
"count": 0,
"tcp": null,
"udp": null
},
"resolutions": [
"ec2-192-0-2-92.us-west-1.compute.example.com"
],
"network": {
"name": "EXAMPLE-02",
"asn": "16509.0",
"route": "2001:db8::/32",
"type": null
},
"technology": {
"cloud": true,
"cloud_providers": [
"Cloud Provider Name"
]
}
}
}
Output messages
The Search ASM Entities action can return the following output messages:
| Output message | Message description |
|---|---|
|
The action succeeded. |
Error executing action "Search ASM Entities". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Search ASM Entities action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Search Issues
Use the Search Issues action to search issues in Mandiant Attack Surface Management.
This action doesn't run on Google SecOps entities.
Action inputs
The Search Issues action requires the following parameters:
| Parameter | Description |
|---|---|
Issue ID |
Optional A comma-separated list of issue IDs for which to return the details. |
Entity ID |
Optional A comma-separated list of entity IDs for which to find related issues. |
Entity Name |
Optional A comma-separated list of entity names for which to find related issues. |
Time Parameter |
Optional A filter option to set the issue time. The possible values are The default value is |
Time Frame |
Optional A period to filter issues. If you select
The possible values are as follows:
The default value is |
Start Time |
Optional The start time for the results. If you selected
|
End Time |
Optional The end time for the results. If you selected
|
Lowest Severity To Return |
Optional The lowest severity of the issues to return. The possible values are as follows:
The default value is If you select |
Status |
Optional The status filter for the search. The possible values are The default value is If you select |
Tags |
Optional A comma-separated list of tag names to use when searching for issues. |
Max Issues To Return |
Optional The number of issues to return. The default value is 50. The maximum value is 200. |
Action outputs
The Search Issues action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Available |
| Output messages | Available |
| Script result | Available |
JSON result
The following example shows the JSON result output received when using the Search Issues action:
{
"id": "ID",
"uuid": "UUID",
"dynamic_id": 20073997,
"name": "exposed_ftp_service",
"upstream": "intrigue",
"last_seen": "2022-02-02T01:44:46.000Z",
"first_seen": "2022-02-02T01:44:46.000Z",
"entity_uid": "3443a638f951bdc23d3a089bff738cd961a387958c7f5e4975a26f12e544241f",
"entity_type": "Intrigue::Entity::NetworkService",
"entity_name": "192.0.2.204:24/tcp",
"alias_group": "1937534",
"collection": "cpndemorange_oum28bu",
"collection_uuid": "COLLECTION_UUID",
"collection_type": "user_collection",
"organization_uuid": "ORGANIZATION_UUID",
"summary": {
"pretty_name": "Exposed FTP Service",
"severity": 3,
"scoped": true,
"confidence": "confirmed",
"status": "open_new",
"category": "misconfiguration",
"identifiers": null,
"status_new": "open",
"status_new_detailed": "new",
"ticket_list": null
},
"tags": []
}
Output messages
The Search Issues action can return the following output messages:
| Output message | Message description |
|---|---|
|
The action succeeded. |
Error executing action "Search Issues". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Search Issues action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Update Issue
Use the Update Issue action to update an issue in Mandiant Attack Surface Management.
This action doesn't run on Google SecOps entities.
Action inputs
The Update Issue action requires the following parameters:
| Parameter | Description |
|---|---|
Issue ID |
Required The ID of the issue to update. |
Status |
Required The status to set for the issue. The possible values are as follows:
The default value is |
Action outputs
The Update Issue action provides the following outputs:
| Action output type | Availability |
|---|---|
| Case wall attachment | Not available |
| Case wall link | Not available |
| Case wall table | Not available |
| Enrichment table | Not available |
| JSON result | Not available |
| Output messages | Available |
| Script result | Available |
Output messages
The Update Issue action can return the following output messages:
| Output message | Message description |
|---|---|
Successfully updated issue with ID
"ISSUE_ID" in Mandiant ASM.
|
The action succeeded. |
Error executing action "Update Issue". Reason:
ERROR_REASON |
The action failed. Check the connection to the server, input parameters, or credentials. |
Script result
The following table lists the value for the script result output when using the Update Issue action:
| Script result name | Value |
|---|---|
is_success |
True or False |
Connectors
For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors).
Mandiant ASM – Issues Connector
Use the Mandiant ASM – Issues Connector to pull information about issues from Mandiant Attack Surface Management.
The dynamic list filter works with the category parameter.
The Mandiant ASM – Issues Connector requires the following parameters:
| Parameter | Description |
|---|---|
Product Field Name |
Required The name of the field where the product name is stored. The default value is |
Event Field Name |
Required The name of the field where the event name is stored. The default value is |
Environment Field Name |
Optional
The name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
Environment Regex Pattern |
Optional
A regular expression pattern to run on the value found in the
Use the default value If the regular expression pattern is null or empty, or the environment
value is null, the final environment result is |
Script Timeout (Seconds) |
Required The timeout limit in seconds for the Python process running the current script. The default value is 180. |
API Root |
Required The API root of the Mandiant instance. The default value is To authenticate with Google Threat Intelligence credentials, enter
the following value: |
Access Key |
Optional The API access key of the Mandiant Attack Surface Management account. To generate the access key in Mandiant Attack Surface Management, go to Account settings > API keys > Generate new key. |
Secret Key |
Optional The API secret key of the Mandiant Attack Surface Management account. To generate the secret key in Mandiant Attack Surface Management, go to Account settings > API keys > Generate new key. |
Project |
Optional The project name to use in the integration. |
GTI API Key |
Optional
The API key of Google Threat Intelligence. To authenticate
using Google Threat Intelligence, set the Authenticating using the Google Threat Intelligence API key has a priority over other authentication methods. |
Lowest Severity To Fetch |
Optional The lowest severity of the issues to retrieve. The possible values are as follows:
If you don't set a value, the connector ingests issues with all severity types. |
Max Hours Backwards |
Optional A number of hours before the first connector iteration to retrieve incidents from. This parameter applies to the initial connector iteration after you enable the connector for the first time or the fallback value for an expired connector timestamp. The default value is 1. |
Max Issues To Fetch |
Optional The number of issues to process in a single connector iteration. The default value is 10. |
Use dynamic list as a blocklist |
Required
If selected, the integration uses the dynamic list as a blocklist. Not selected by default. |
Verify SSL |
Required
If selected, verifies that the SSL certificate for the connection to the Mandiant server is valid. Selected by default. |
Proxy Server Address |
Optional The address of the proxy server to use. |
Proxy Username |
Optional The proxy username to authenticate with. |
Proxy Password |
Optional The proxy password to authenticate with. |