Integrate Mandiant Attack Surface Management with Google SecOps

This document explains how to integrate Mandiant Attack Surface Management with Google Security Operations (Google SecOps).

Integration version: 9.0

In the Google SecOps platform, the integration for Mandiant Attack Surface Management is called Mandiant ASM.

Integration parameters

The Mandiant Attack Surface Management integration requires the following parameters:

Parameters Description
API Root

Required.

The API root of the Mandiant instance.

The default value is https://asm-api.advantage.mandiant.com.

To authenticate with Google Threat Intelligence credentials, enter the following value: https://www.virustotal.com.

Access Key

Optional.

The API access key of the Mandiant Attack Surface Management account.

To generate the access key in Mandiant Attack Surface Management, go to Account settings > API keys > Generate new key.

Secret Key

Optional.

The API secret key of the Mandiant Attack Surface Management account.

To generate the secret key in Mandiant Attack Surface Management, go to Account settings > API keys > Generate new key.

Project Name

Optional.

The project name to use in the integration.

If you use the Access Key and Secret Key parameters to authenticate, this parameter is required to run the Search ASM Entities and Search Issues actions.

GTI API Key

Optional.

The API key of Google Threat Intelligence.

To authenticate using Google Threat Intelligence, set the API Root parameter value to https://www.virustotal.com.

When you authenticate using the Google Threat Intelligence API key, it takes priority over other authentication methods.

Verify SSL

Required.

If selected, the integration verifies the validity of the SSL certificate for the connection to the Mandiant server.

Selected by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Get ASM Entity Details

Use the Get ASM Entity Details action to return information about a Mandiant Attack Surface Management entity.

This action doesn't run on Google SecOps entities.

Action inputs

The Get ASM Entity Details action requires the following parameters:

Parameter Description
Entity ID

Required.

A comma-separated list of entity IDs to retrieve details for.

Action outputs

The Get ASM Entity Details action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Get ASM Entity Details action:

{
 "uuid": "UUID",
 "dynamic_id": "Intrigue::Entity::Uri#http://192.0.2.73:80",
 "collection_name": "cpndemorange_oum28bu",
 "alias_group": 8515,
 "aliases": [
   "http://192.0.2.73:80"
 ],
 "allow_list": false,
 "ancestors": [
   {
     "type": "Intrigue::Entity::NetBlock",
     "name": "192.0.2.0/24"
   }
 ],
 "category": null,
 "collection_naics": null,
 "confidence": null,
 "deleted": false,
 "deny_list": false,
 "details": {
   "asn": null,
   "ssl": false,
   "uri": "http://192.0.2.73:80",
   "code": "404",
   "port": 80,
   "forms": false,
   "title": "404 Not Found",
   "verbs": null,
   "cookies": null,
   "headers": [
     "Date: Fri, 30 Sep 2022 06:51:11 GMT",
     "Content-Type: text/html",
     "Content-Length: 548",
     "Connection: keep-alive"
   ],
   "host_id": 8615,
   "net_geo": "US",
   "scripts": [],
   "service": "http",
   "auth.2fa": false,
   "auth.any": false,
   "dom_sha1": "540707399c1b58afd2463ec43da3b41444fbde32",
   "net_name": "",
   "protocol": "tcp",
   "alt_names": null,
   "auth.ntlm": false,
   "generator": null,
   "auth.basic": false,
   "auth.forms": false,
   "ip_address": "192.0.2.73",
   "favicon_md5": null,
   "fingerprint": [
     {
       "cpe": "cpe:2.3:a:example:example::",
       "hide": false,
       "tags": [
         "Web Server"
       ],
       "type": "fingerprint",
       "tasks": null,
       "issues": null,
       "method": "ident",
       "update": null,
       "vendor": "Example",
       "product": "Example",
       "version": null,
       "inference": false,
       "description": "example (default page)",
       "match_logic": "all",
       "positive_matches": [
         {
           "match_type": "content_body",
           "match_content": "(?i-mx:<hr><center>example\/?([\\d.]*)<\/center>)"
         }
       ]
     },
     {
       "cpe": "cpe:2.3:a:example:example::",
       "hide": false,
       "tags": [
         "Web Server"
       ],
       "type": "fingerprint",
       "tasks": null,
       "issues": null,
       "method": "ident",
       "update": null,
       "vendor": "example",
       "product": "example",
       "version": null,
       "inference": false,
       "description": "example (default page - could be redirect)",
       "match_logic": "all",
       "positive_matches": [
         {
           "match_type": "content_body",
           "match_content": "(?i-mx:<hr><center>example\/?[\\d.]*<\/center>)"
         }
       ]
     }
   ],
   "geolocation": {
     "asn": {
       "asn": 16509,
       "isp": "Example Inc.",
       "name": "example.com, Inc.",
       "organization": "Example Services",
       "connection_type": "Corporate"
     },
     "city": "Singapore",
     "country": "Singapore",
     "latitude": 1.35208,
     "continent": "Asia",
     "longitude": 103.82,
     "time_zone": "Asia/Singapore",
     "country_code": "SG",
     "continent_code": "AS"
   },
   "vuln_checks": [
     "log4shell_cve_2021_44228"
   ],
   "api_endpoint": false,
   "cloud_hosted": true,
   "favicon_sha1": null,
   "domain_cookies": null,
   "log4shell_uuid": "55be320622c4937c01738e092579edaa338fd90e2a",
   "redirect_chain": [],
   "redirect_count": 0,
   "cloud_providers": [
     "Cloud Provider Name"
   ],
   "hidden_original": "http://192.0.2.73:80",
   "net_country_code": null,
   "screenshot_exists": true,
   "cloud_fingerprints": [],
   "response_data_hash": "1GUXIXXTXUk/sWM+I3cAAivYSfoSMWR5CxaLgxissJA=",
   "extended_favicon_data": null,
   "extended_path_to_seed": [
     {
       "id": 8620,
       "_id": 8605,
       "name": "http://192.0.2.73:80",
       "seed": false,
       "type": "Intrigue::Entity::Uri",
       "_type": "Entity",
       "creates": [
         {
           "id": 6158,
           "_id": 6152,
           "name": "192.0.2.0/24",
           "seed": true,
           "type": "Intrigue::Entity::NetBlock",
           "_type": "Entity",
           "creates.verb": "queried",
           "creates.source_name": "search_shodan",
           "creates.source_type": "internet_scan_database"
         }
       ]
     }
   ],
   "extended_configuration": [
     {
       "hide": false,
       "name": "Example Page Content",
       "task": null,
       "type": "content",
       "issue": null,
       "result": 566218143
     },
     {
       "hide": false,
       "name": "Example",
       "task": null,
       "type": "content",
       "issue": null,
       "result": 566218143
     },
     {
       "cpe": "cpe:2.3:a:example:example::",
       "hide": false,
       "tags": [
         "Web Server"
       ],
       "type": "fingerprint",
       "tasks": null,
       "issues": null,
       "method": "ident",
       "update": null,
       "vendor": "Example",
       "product": "Example",
       "version": null,
       "inference": false,
       "description": "example (default page)",
       "match_logic": "all",
       "positive_matches": [
         {
           "match_type": "content_body",
           "match_content": "(?i-mx:<hr><center>example\/?([\\d.]*)<\/center>)"
         }
       ]
     },
     {
       "cpe": "cpe:2.3:a:example:example::",
       "hide": false,
       "tags": [
         "Web Server"
       ],
       "type": "fingerprint",
       "tasks": null,
       "issues": null,
       "method": "ident",
       "update": null,
       "vendor": "Example",
       "product": "Example",
       "version": null,
       "inference": false,
       "description": "example (default page - could be redirect)",
       "match_logic": "all",
       "positive_matches": [
         {
           "match_type": "content_body",
           "match_content": "(?i-mx:<hr><center>example\/?[\\d.]*<\/center>)"
         }
       ]
     }
   ],
   "extended_response_body": "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>example</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n",
   "exfil_lookup_identifier": "55be320622c4937c01738e092579edaa",
   "extended_shodan_details": {
     "ip": 50387017,
     "os": null,
     "asn": "ASN",
     "isp": "Example.com, Inc.",
     "org": "Example Services",
     "data": "HTTP/1.1 404 Not Found\r\nDate: Fri, 30 Sep 2022 05:16:32 GMT\r\nContent-Type: text/html\r\nContent-Length: 548\r\nConnection: keep-alive\r\n\r\n",
     "hash": -744989972,
     "http": {
       "host": "192.0.2.73",
       "html": "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>example</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n",
       "title": "404 Not Found",
       "robots": null,
       "server": null,
       "status": 404,
       "sitemap": null,
       "location": "/",
       "html_hash": -2090962452,
       "redirects": [],
       "components": {},
       "robots_hash": null,
       "securitytxt": null,
       "headers_hash": -873436690,
       "sitemap_hash": null,
       "securitytxt_hash": null
     },
     "tags": [
       "cloud"
     ],
     "cloud": {
       "region": "ap-southeast-1",
       "service": "Example",
       "provider": "Example"
     },
     "ip_str": "192.0.2.73",
     "_shodan": {
       "id": "ID",
       "ptr": true,
       "module": "http",
       "region": "eu",
       "crawler": "f4bb88763d8ed3a0f3f91439c2c62b77fb9e06f3",
       "options": {}
     },
     "domains": [
       "example.com"
     ],
     "location": {
       "city": "Singapore",
       "latitude": 1.28967,
       "area_code": null,
       "longitude": 103.85007,
       "region_code": "01",
       "country_code": "SG",
       "country_name": "Singapore"
     },
     "hostnames": [
       "ec2-192-0-2-73.ap-southeast-1.compute.example.com"
     ],
     "timestamp": "2022-09-30T05:16:33.068993"
   },
   "hidden_port_open_confirmed": true,
   "extended_screenshot_contents": "iVBORw0KGgoAAA"
 },
 "details_file": "data/v4/cpndemorange_oum28bu/2022_09_30/cpndemorange_oum28bu/entities/ID.json",
 "description": null,
 "first_seen": "2022-09-30T21:20:19.000Z",
 "hidden": false,
 "last_seen": "2022-09-30T21:20:19.000Z",
 "name": "http://192.0.2.73:80",
 "scoped": true,
 "scoped_reason": "entity_scoping_rules: fallback value",
 "seed": false,
 "source": null,
 "status": null,
 "task_results": [],
 "type": "Intrigue::Entity::Uri",
 "uid": "UID",
 "created_at": "2022-09-30T21:25:05.232Z",
 "updated_at": "2022-09-30T21:25:05.239Z",
 "collection_id": 117139,
 "elasticsearch_mappings_hash": null,
 "collection": "cpndemorange_oum28bu",
 "collection_uuid": "UUID",
 "organization_uuid": "UUID",
 "collection_type": "user_collection",
 "fingerprint": [
   {
     "cpe": "cpe:2.3:a:example:example::",
     "hide": false,
     "tags": [
       "Web Server"
     ],
     "type": "fingerprint",
     "tasks": null,
     "issues": null,
     "method": "ident",
     "update": null,
     "vendor": "Example",
     "product": "Example",
     "version": null,
     "inference": false,
     "description": "example (default page)",
     "match_logic": "all",
     "positive_matches": [
       {
         "match_type": "content_body",
         "match_content": "(?i-mx:<hr><center>example\/?([\\d.]*)<\/center>)"
       }
     ],
     "local_icon_path": "/assets/fingerprints/example.png"
   },
   {
     "cpe": "cpe:2.3:a:example:example::",
     "hide": false,
     "tags": [
       "Web Server"
     ],
     "type": "fingerprint",
     "tasks": null,
     "issues": null,
     "method": "ident",
     "update": null,
     "vendor": "Example",
     "product": "Example",
     "version": null,
     "inference": false,
     "description": "example (default page - could be redirect)",
     "match_logic": "all",
     "positive_matches": [
       {
         "match_type": "content_body",
         "match_content": "(?i-mx:<hr><center>example\/?[\\d.]*<\/center>)"
       }
     ],
     "local_icon_path": "/assets/fingerprints/example.png"
   }
 ],
 "summary": {
   "scoped": true,
   "issues": {
     "current_with_cve": 0,
     "current_by_severity": {
       "1": 1
     },
     "all_time_by_severity": {
       "1": 1
     },
     "current_count": 1,
     "all_time_count": 1,
     "critical_or_high": true
   },
   "task_results": [
     "search_shodan",
     "port_scan",
     "port_scan_lambda",
     "search_shodan"
   ],
   "screenshot_exists": true,
   "geolocation": {
     "city": "Singapore",
     "country_code": "SG",
     "country_name": null,
     "latitude": 1.35208,
     "longitude": 103.82,
     "asn": null
   },
   "http": {
     "code": 404,
     "title": "404 Not Found",
     "content": {
       "favicon_hash": null,
       "hash": null,
       "forms": false
     },
     "auth": {
       "any": false,
       "basic": false,
       "ntlm": false,
       "forms": false,
       "2fa": false
     }
   },
   "ports": {
     "tcp": [
       80
     ],
     "udp": [],
     "count": 1
   },
   "network": {
     "name": "example.com, Inc.",
     "asn": 16509,
     "route": null,
     "type": null
   },
   "technology": {
     "cloud": true,
     "cloud_providers": [
       "Cloud Provider Name"
     ],
     "cpes": [],
     "technologies": [],
     "technology_labels": []
   },
   "vulns": {
     "current_count": 0,
     "vulns": []
   }
 },
 "tags": [],
 "id": "ID",
 "scoped_at": "2022-09-30 06:51:57 +0000",
 "detail_string": "Fingerprint: Example |  Title: 404 Not Found",
 "enrichment_tasks": [
   "enrich/uri",
   "sslcan"
 ],
 "generated_at": "2022-09-30T21:21:18Z"
}
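To show how a playbook step might consume this result, here is an added Python example (not part of the integration's code) that reduces an entity record to the fields an analyst branches on. The sample record is a constructed, trimmed copy of the JSON result above; the function names and the escalation rule are assumptions, and the helpers also accept the sparser records returned by Search ASM Entities, where ports can be null and the ASN arrives as a string.

```python
import json
from typing import Any, Optional

# Constructed sample, trimmed to the fields used below from the Get ASM Entity
# Details JSON result shown above.
SAMPLE_ENTITY = json.loads("""
{
  "name": "http://192.0.2.73:80",
  "type": "Intrigue::Entity::Uri",
  "scoped": true,
  "details": {
    "service": "http",
    "cloud_hosted": true,
    "vuln_checks": ["log4shell_cve_2021_44228"],
    "fingerprint": [
      {"vendor": "Example", "product": "Example", "version": null,
       "cpe": "cpe:2.3:a:example:example::"}
    ]
  },
  "summary": {
    "issues": {"current_count": 1, "current_with_cve": 0,
               "current_by_severity": {"1": 1}, "critical_or_high": true},
    "ports": {"tcp": [80], "udp": [], "count": 1},
    "http": {"code": 404, "title": "404 Not Found",
             "auth": {"any": false, "basic": false, "ntlm": false,
                      "forms": false, "2fa": false}},
    "network": {"name": "example.com, Inc.", "asn": 16509},
    "technology": {"cloud": true, "cloud_providers": ["Cloud Provider Name"]},
    "vulns": {"current_count": 0, "vulns": []}
  }
}
""")


def as_int(value: Any) -> Optional[int]:
    """Normalise numeric fields that arrive as int (16509) or string ("16509.0")."""
    try:
        return int(float(value))
    except (TypeError, ValueError):
        return None


def fingerprints(entity: dict[str, Any]) -> list[str]:
    """Flatten details.fingerprint into 'vendor product [version]' labels."""
    labels = []
    for fp in (entity.get("details") or {}).get("fingerprint") or []:
        parts = [fp.get("vendor"), fp.get("product"), fp.get("version")]
        labels.append(" ".join(str(p) for p in parts if p))
    return labels


def triage(entity: dict[str, Any]) -> dict[str, Any]:
    """Reduce an ASM entity record to the fields a playbook branches on."""
    details = entity.get("details") or {}
    summary = entity.get("summary") or {}
    issues = summary.get("issues") or {}
    ports = summary.get("ports") or {}
    http_auth = (summary.get("http") or {}).get("auth") or {}
    network = summary.get("network") or {}
    technology = summary.get("technology") or {}
    report = {
        "name": entity.get("name"),
        "type": entity.get("type"),
        "scoped": bool(entity.get("scoped")),
        "critical_or_high": bool(issues.get("critical_or_high")),
        "open_issues": as_int(issues.get("current_count")) or 0,
        "issues_with_cve": as_int(issues.get("current_with_cve")) or 0,
        # ports.tcp / ports.udp can be null rather than [] in entity records
        "open_ports": {"tcp": sorted(ports.get("tcp") or []),
                       "udp": sorted(ports.get("udp") or [])},
        "asn": as_int(network.get("asn")),
        "cloud_hosted": bool(details.get("cloud_hosted") or technology.get("cloud")),
        "vuln_checks": list(details.get("vuln_checks") or []),
        "fingerprints": fingerprints(entity),
        "http_requires_auth": bool(http_auth.get("any")),
    }
    # Escalation rule used here (an assumption, not the integration's own logic):
    # an in-scope entity with a critical/high issue or an issue carrying a CVE.
    report["escalate"] = report["scoped"] and (
        report["critical_or_high"] or report["issues_with_cve"] > 0)
    return report
```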
Output messages

The Get ASM Entity Details action can return the following output messages:

Output message Message description

Successfully return details for the following entities using information from Mandiant ASM: ENTITY_ID

Action wasn't able to return details for the following entities using information from Mandiant ASM: ENTITY_ID

The action succeeded.

Error executing action "Get ASM Entity Details". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get ASM Entity Details action:

Script result name Value
is_success True or False

Search ASM Entities

Use the Search ASM Entities action to search entities in Mandiant Attack Surface Management.

If you use the Access Key and Secret Key parameters to authenticate, also configure the Project Name parameter in the integration parameters.

This action doesn't run on Google SecOps entities.

Action inputs

The Search ASM Entities action requires the following parameters:

Parameter Description
Entity Name

Optional.

A comma-separated list of entity names to find entities.

To prevent action failure, avoid using the forward slash character (/) when you configure values for this parameter.

Minimum Vulnerabilities Count

Optional.

The minimum number of vulnerabilities that a returned entity must have.

Minimum Issues Count

Optional.

The minimum number of issues that a returned entity must have.

Tags

Optional.

A comma-separated list of tag names to use when searching for entities.

Max Entities To Return

Optional.

The number of entities to return.

The default value is 50. The maximum value is 200.

Critical or High Issue

Optional.

If selected, the action returns only entities with High or Critical issues.

Not selected by default.

Action outputs

The Search ASM Entities action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Search ASM Entities action:

{
 "id": "ID",
 "dynamic_id": "Intrigue::Entity::IpAddress#192.0.2.92",
 "alias_group": "1935953",
 "name": "192.0.2.92",
 "type": "Intrigue::Entity::IpAddress",
 "first_seen": "2022-02-02T01:44:46Z",
 "last_seen": "2022-02-02T01:44:46Z",
 "collection": "cpndemorange_oum28bu",
 "collection_type": "Intrigue::Collections::UserCollection",
 "collection_naics": [],
 "collection_uuid": "COLLECTION_UUID",
 "organization_uuid": "ORGANIZATION_UUID",
 "tags": [],
 "issues": [],
 "exfil_lookup_identifier": null,
 "summary": {
     "scoped": true,
     "issues": {
         "current_by_severity": {},
         "current_with_cve": 0,
         "all_time_by_severity": {},
         "current_count": 0,
         "all_time_count": 0,
         "critical_or_high": false
     },
     "task_results": [
         "search_shodan"
     ],
     "geolocation": {
         "city": "San Jose",
         "country_code": "US",
         "country_name": null,
         "latitude": "-121.8896",
         "asn": null
     },
     "ports": {
         "count": 0,
         "tcp": null,
         "udp": null
     },
     "resolutions": [
         "ec2-192-0-2-92.us-west-1.compute.example.com"
     ],
     "network": {
         "name": "EXAMPLE-02",
         "asn": "16509.0",
         "route": "2001:db8::/32",
         "type": null
     },
     "technology": {
         "cloud": true,
         "cloud_providers": [
             "Cloud Provider Name"
         ]
     }
 }
}
Output messages

The Search ASM Entities action can return the following output messages:

Output message Message description

Successfully returned entities based on the provided criteria in Mandiant ASM.

No entities were found based on the provided criteria in Mandiant ASM.

The action succeeded.

Error executing action "Search ASM Entities". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Search ASM Entities action:

Script result name Value
is_success True or False

Search Issues

Use the Search Issues action to search issues in Mandiant Attack Surface Management.

If you use the Access Key and Secret Key parameters to authenticate, also configure the Project Name parameter in the integration parameters.

This action doesn't run on Google SecOps entities.

Action inputs

The Search Issues action requires the following parameters:

Parameter Description
Issue ID

Optional.

A comma-separated list of issue IDs to return the details.

Entity ID

Optional.

A comma-separated list of entity IDs to find related issues.

Entity Name

Optional.

A comma-separated list of entity names to find related issues.

To prevent action failure, avoid using the forward slash character (/) when you configure values for this parameter.

Time Parameter

Optional.

A filter option to set the issue time.

The possible values are First Seen and Last Seen.

The default value is First Seen.

Time Frame

Optional.

A period to filter issues. If you select Custom, configure the Start Time parameter.

The possible values are as follows:

  • Last Hour
  • Last 6 Hours
  • Last 24 Hours
  • Last Week
  • Last Month
  • Custom

The default value is Last Hour.

Start Time

Optional.

The start time for the results.

If you selected Custom for the Time Frame parameter, this parameter is required. Configure the value in the ISO 8601 format.

End Time

Optional.

The end time for the results.

If you selected Custom for the Time Frame parameter and didn't set the end time, this parameter uses the current time as the end time. Configure the value in the ISO 8601 format.

Lowest Severity To Return

Optional.

The lowest severity of the issues to return.

The possible values are as follows:

  • Select One
  • Critical
  • High
  • Medium
  • Low
  • Informational

The default value is Select One.

If you select Select One, this filter doesn't apply to the search.

Status

Optional.

The status filter for the search.

The possible values are Open, Closed, and Select One.

The default value is Select One.

If you select Select One, this filter doesn't apply to the search.

Tags

Optional.

A comma-separated list of tag names to use when searching for issues.

Max Issues To Return

Optional.

The number of issues to return.

The default value is 50. The maximum value is 200.

Action outputs

The Search Issues action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Available
Output messages Available
Script result Available
JSON result

The following example shows the JSON result output received when using the Search Issues action:

{
 "id": "ID",
 "uuid": "UUID",
 "dynamic_id": 20073997,
 "name": "exposed_ftp_service",
 "upstream": "intrigue",
 "last_seen": "2022-02-02T01:44:46.000Z",
 "first_seen": "2022-02-02T01:44:46.000Z",
 "entity_uid": "3443a638f951bdc23d3a089bff738cd961a387958c7f5e4975a26f12e544241f",
 "entity_type": "Intrigue::Entity::NetworkService",
 "entity_name": "192.0.2.204:24/tcp",
 "alias_group": "1937534",
 "collection": "cpndemorange_oum28bu",
 "collection_uuid": "COLLECTION_UUID",
 "collection_type": "user_collection",
 "organization_uuid": "ORGANIZATION_UUID",
 "summary": {
     "pretty_name": "Exposed FTP Service",
     "severity": 3,
     "scoped": true,
     "confidence": "confirmed",
     "status": "open_new",
     "category": "misconfiguration",
     "identifiers": null,
     "status_new": "open",
     "status_new_detailed": "new",
     "ticket_list": null
 },
 "tags": []
}
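The Time Parameter, Time Frame, Start Time, End Time, Lowest Severity To Return, Status and Max Issues To Return inputs described above combine into one search window and filter set. The following Python example (added here, not the integration's own code) resolves those inputs the way the parameter descriptions define them and applies the resulting window and status filter to a constructed issue record trimmed from the JSON result above; the function names, the 30-day reading of Last Month and the use of summary.status_new for the status check are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Optional

# Relative options of the Time Frame parameter. "Last Month" is taken as
# 30 days here; that is an assumption, the page does not define it.
TIME_FRAMES = {
    "Last Hour": timedelta(hours=1),
    "Last 6 Hours": timedelta(hours=6),
    "Last 24 Hours": timedelta(hours=24),
    "Last Week": timedelta(weeks=1),
    "Last Month": timedelta(days=30),
}
# Severity names in the order the Lowest Severity To Return parameter lists them.
SEVERITIES = ["Critical", "High", "Medium", "Low", "Informational"]
# Time Parameter value -> key of the issue record the window applies to.
TIME_FIELDS = {"First Seen": "first_seen", "Last Seen": "last_seen"}
MAX_ISSUES = 200  # documented maximum of Max Issues To Return


def parse_iso8601(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a value without an offset is treated as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def time_window(time_frame: str = "Last Hour", start_time: Optional[str] = None,
                end_time: Optional[str] = None,
                now: Optional[datetime] = None) -> tuple[datetime, datetime]:
    """Resolve Time Frame / Start Time / End Time into a concrete [start, end] window."""
    now = now or datetime.now(timezone.utc)
    if time_frame == "Custom":
        if not start_time:
            raise ValueError("Start Time is required when Time Frame is Custom")
        start = parse_iso8601(start_time)
        end = parse_iso8601(end_time) if end_time else now  # End Time defaults to now
    elif time_frame in TIME_FRAMES:
        start, end = now - TIME_FRAMES[time_frame], now
    else:
        raise ValueError(f"unknown Time Frame: {time_frame!r}")
    if start > end:
        raise ValueError("Start Time is after End Time")
    return start, end


def build_filters(time_parameter: str = "First Seen", time_frame: str = "Last Hour",
                  start_time: Optional[str] = None, end_time: Optional[str] = None,
                  lowest_severity: str = "Select One", status: str = "Select One",
                  max_issues: int = 50, now: Optional[datetime] = None) -> dict[str, Any]:
    """Turn the Search Issues inputs into a filter description a playbook can apply."""
    if time_parameter not in TIME_FIELDS:
        raise ValueError(f"unknown Time Parameter: {time_parameter!r}")
    start, end = time_window(time_frame, start_time, end_time, now)
    if lowest_severity == "Select One":
        severities = None  # Select One means the severity filter does not apply
    elif lowest_severity in SEVERITIES:
        severities = SEVERITIES[: SEVERITIES.index(lowest_severity) + 1]
    else:
        raise ValueError(f"unknown severity: {lowest_severity!r}")
    if status not in ("Select One", "Open", "Closed"):
        raise ValueError(f"unknown status: {status!r}")
    return {
        "time_field": TIME_FIELDS[time_parameter],
        "start": start,
        "end": end,
        "severities": severities,
        "status": None if status == "Select One" else status.lower(),
        "limit": max(1, min(int(max_issues), MAX_ISSUES)),  # clamp to the documented maximum
    }


def matches(issue: dict[str, Any], filters: dict[str, Any]) -> bool:
    """Apply the window and status filters client-side to one issue record.

    Assumption: summary.status_new holds "open"/"closed" as in the sample record.
    Severity is not checked because the page does not map the numeric
    summary.severity value to the severity names."""
    seen = parse_iso8601(issue[filters["time_field"]])
    if not filters["start"] <= seen <= filters["end"]:
        return False
    status = filters["status"]
    return status is None or (issue.get("summary") or {}).get("status_new") == status


# Constructed issue record, trimmed from the Search Issues JSON result above.
SAMPLE_ISSUE = {
    "id": "ID",
    "name": "exposed_ftp_service",
    "first_seen": "2022-02-02T01:44:46.000Z",
    "last_seen": "2022-02-02T01:44:46.000Z",
    "entity_name": "192.0.2.204:24/tcp",
    "summary": {"pretty_name": "Exposed FTP Service", "severity": 3, "status_new": "open"},
}
```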
Output messages

The Search Issues action can return the following output messages:

Output message Message description

Successfully returned issues based on the provided criteria in Mandiant ASM.

No issues were found based on the provided criteria in Mandiant ASM.

The action succeeded.

Error executing action "Search Issues". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Search Issues action:

Script result name Value
is_success True or False

Update Issue

Use the Update Issue action to update an issue in Mandiant Attack Surface Management.

This action doesn't run on Google SecOps entities.

Action inputs

The Update Issue action requires the following parameters:

Parameter Description
Issue ID

Required.

The ID of the issue to update.

Status

Required.

The status to set for the issue.

The possible values are as follows:

  • Select One
  • New
  • Triaged
  • In Progress
  • Resolved
  • Duplicate
  • Out Of Scope
  • Not A Security Issue (Benign)
  • Risk Accepted
  • False Positive
  • Unable To Reproduce
  • Tracked Externally
  • Mitigated

The default value is Select One.

Action outputs

The Update Issue action provides the following outputs:

Action output type Availability
Case wall attachment Not available
Case wall link Not available
Case wall table Not available
Enrichment table Not available
JSON result Not available
Output messages Available
Script result Available
Output messages

The Update Issue action can return the following output messages:

Output message Message description
Successfully updated issue with ID "ISSUE_ID" in Mandiant ASM.

The action succeeded.

Error executing action "Update Issue". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Update Issue action:

Script result name Value
is_success True or False

Connectors

For detailed instructions on how to configure a connector in Google SecOps, see Ingest your data (connectors).

Mandiant ASM – Issues Connector

Use the Mandiant ASM – Issues Connector to pull information about issues from Mandiant Attack Surface Management.

The dynamic list filter works with the category parameter.

The Mandiant ASM – Issues Connector requires the following parameters:

Parameter Description
Product Field Name

Required.

The name of the field where the product name is stored.

The default value is Product Name.

The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value Product Name resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default.

Event Field Name

Required.

The name of the field where the event name is stored.

The default value is entity_type.

Environment Field Name

Optional.

The name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern

Optional.

A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using regular expression logic.

Use the default value .* to retrieve the raw Environment Field Name value.

If the regular expression pattern is null or empty, or the environment value is null, the final environment result is "".

Script Timeout (Seconds)

Required.

The timeout limit, in seconds, for the Python process running the current script.

The default value is 180.

API Root

Required.

The API root of the Mandiant instance.

The default value is https://asm-api.advantage.mandiant.com.

To authenticate with Google Threat Intelligence credentials, enter the following value: https://www.virustotal.com.

Access Key

Optional.

The API access key of the Mandiant Attack Surface Management account.

To generate the access key in Mandiant Attack Surface Management, go to Account settings > API keys > Generate new key.

Secret Key

Optional.

The API secret key of the Mandiant Attack Surface Management account.

To generate the secret key in Mandiant Attack Surface Management, go to Account settings > API keys > Generate new key.

Project Name

Optional.

The project name to use in the integration.

Required if you use the Access Key and Secret Key parameters to authenticate.

GTI API Key

Optional.

The API key of Google Threat Intelligence.

To authenticate using Google Threat Intelligence, set the API Root parameter value to https://www.virustotal.com.

When you authenticate using the Google Threat Intelligence API key, it takes priority over other authentication methods.

Lowest Severity To Fetch

Optional.

The lowest severity of the issues to retrieve.

The possible values are as follows:

  • Critical
  • High
  • Medium
  • Low
  • Informational

If you don't set a value, the connector ingests issues with all severity types.

Max Hours Backwards

Optional.

The number of hours before the first connector iteration from which to retrieve issues. This parameter applies to the initial connector iteration after you enable the connector for the first time, or serves as the fallback value when the connector timestamp has expired.

The default value is 1.

Max Issues To Fetch

Optional.

The number of issues to process in a single connector iteration.

The default value is 10.

Use dynamic list as a blocklist

Required.

If selected, the connector uses the dynamic list as a blocklist.

Not selected by default.

Verify SSL

Required.

If selected, verifies that the SSL certificate for the connection to the Mandiant server is valid.

Selected by default.

Proxy Server Address

Optional.

The address of the proxy server to use.

Proxy Username

Optional.

The proxy username to authenticate with.

Proxy Password

Optional.

The proxy password to authenticate with.
