
Mandiant
Threat Intelligence- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Mandiant connector integrates with the Mandiant Threat Intelligence platform (Google Threat Intelligence). It synchronizes vulnerability intelligence records from the Mandiant Threat Intelligence API into Brinqa, enriching CVE records with Mandiant-specific intelligence such as risk ratings, exploitation state and consequence, observed-in-the-wild and zero-day indicators, EPSS scores, CISA KEV status, CVSS v2/v3 metrics, associated threat actors and malware, available mitigations, and references.
Each Mandiant vulnerability is mapped to the Brinqa CveRecord model. The connector supports incremental synchronization based on the record's last-updated timestamp.
Data retrieved from Mandiant
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Vulnerability | Yes | Cve Record |
For detailed steps on how to view the data retrieved from Mandiant in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Mandiant from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | No | — | Mandiant Threat Intelligence api URL |
| API key | No | — | Mandiant API key |
| API secret | No | — | Mandiant API secret |
| Maximum retries | No | — | The maximum number of retry attempts before giving up a request |
Authentication
The connector authenticates using OAuth2 (client credentials grant). The configured API key and API secret are combined as apiKey:apiSecret, Base64-encoded, and sent as an HTTP Basic credential to the token endpoint to obtain a short-lived Bearer access token. The returned access token is cached and reused (re-fetched automatically when it expires) and is sent as a Bearer token on every subsequent API request.
Token Endpoint
| Method | URL |
|---|---|
| POST | https://api.intelligence.mandiant.com/token |
Request Headers
| Header | Value |
|---|---|
Authorization | Basic {base64(apiKey:apiSecret)} |
Content-Type | application/x-www-form-urlencoded |
Accept | application/json |
X-App-Name | BrinqaMandiantConnector/{version} |
Request Body
Form-encoded:
grant_type=client_credentials
Sample Response
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 86399
}
Response Fields
| Field | Description |
|---|---|
access_token | The bearer token used to authorize subsequent API requests. |
token_type | The token type returned by the API (e.g. Bearer). |
expires_in | Lifetime of the token in seconds. The connector computes an expiry timestamp and refreshes the token before it lapses. |
Authorized Requests
Subsequent requests to the data API include the following headers:
| Header | Value |
|---|---|
Authorization | {token_type} {access_token} (e.g. Bearer eyJ...) |
Accept | application/json |
X-App-Name | BrinqaMandiantConnector/{version} |
Sync Behavior
The connector supports incremental (delta) syncs. It maintains a sync token between runs and applies it as an incremental timestamp filter, so each run re-processes only the records that changed after the previous sync. The initial run retrieves the complete data set; later runs are incremental. The specific timestamp field applied to each object is documented under that object's Sync Duration Parameter.
How to obtain Mandiant credentials
Generate Mandiant API credentials
For the Mandiant connector to use the Mandiant API, you must provide API credentials. To generate API credentials, follow these steps:
-
Log in to your organization's Mandiant account at https://advantage.mandiant.com.
-
Click Settings.
-
Click API Access and Keys.
-
Click Get Key ID and Secret.
Your Key ID and Key Secret display. Copy and paste the Key ID value into the "API key" field, and the Key Secret value into the "API secret" field in the integration configuration.
Note: If you do not have the permissions to create API credentials, contact your Mandiant administrator. For additional information, see Mandiant documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Vulnerability
| Source Field Name | SDM Attribute |
|---|---|
| affects_ot | AFFECTS_OT |
analysis | ANALYSIS |
associated_actors[].name | ASSOCIATED_ACTORS |
associated_malware[].name | ASSOCIATED_MALWARE |
| available_mitigation | AVAILABLE_MITIGATIONS |
cisa_known_exploited (presence) | CISA_EXPLOITED |
cisa_known_exploited.added_date | CISA_ADDED_DATE |
cisa_known_exploited.due_date | CISA_DUE_DATE |
common_vulnerability_scores (v2 vector) | CVSS_V2_VECTOR |
common_vulnerability_scores (v2) | CVSS_V2_AC |
common_vulnerability_scores (v2) | CVSS_V2_AI |
common_vulnerability_scores (v2) | CVSS_V2_AU |
common_vulnerability_scores (v2) | CVSS_V2_AV |
common_vulnerability_scores (v2) | CVSS_V2_CI |
common_vulnerability_scores (v2) | CVSS_V2_II |
common_vulnerability_scores (v2) | CVSS_V2_E |
common_vulnerability_scores (v2) | CVSS_V2_RL |
common_vulnerability_scores (v2) | CVSS_V2_RC |
common_vulnerability_scores (v2, derived) | CVSS_V2_SEVERITY |
common_vulnerability_scores (v2.0) | CVSS_V2_BASE_SCORE |
common_vulnerability_scores (v2.0) | CVSS_V2_TEMPORAL_SCORE |
common_vulnerability_scores (v3 vector) | CVSS_V3_VECTOR |
common_vulnerability_scores (v3) | CVSS_V3_AC |
common_vulnerability_scores (v3) | CVSS_V3_AI |
common_vulnerability_scores (v3) | CVSS_V3_AV |
common_vulnerability_scores (v3) | CVSS_V3_CI |
common_vulnerability_scores (v3) | CVSS_V3_II |
common_vulnerability_scores (v3) | CVSS_V3_PR |
common_vulnerability_scores (v3) | CVSS_V3_UI |
common_vulnerability_scores (v3) | CVSS_V3_SCOPE |
common_vulnerability_scores (v3) | CVSS_V3_E |
common_vulnerability_scores (v3) | CVSS_V3_RL |
common_vulnerability_scores (v3) | CVSS_V3_RC |
common_vulnerability_scores (v3, derived) | CVSS_V3_SEVERITY |
common_vulnerability_scores (v3.1/v3.0) | CVSS_V3_BASE_SCORE |
common_vulnerability_scores (v3.1/v3.0) | CVSS_V3_TEMPORAL_SCORE |
| cve_id | NAME |
cve_id (falls back to mve_id, then id) | UID |
cwe_details.id | WEAKNESSES |
| date_of_disclosure | DISCLOSURE_DATE |
| days_to_patch | DAYS_TO_PATCH |
description | DESCRIPTION |
epss.percentile | EPSS_PERCENTILE |
epss.score | EPSS_SCORE |
| executive_summary | EXECUTIVE_SUMMARY |
| exploitation_consequence | EXPLOITATION_CONSEQUENCE |
| exploitation_state | EXPLOITATION_STATE |
| exploitation_vectors | EXPLOITATION_VECTORS |
exploits[].exploit_url | EXPLOITS |
| first_publish_date | PUBLISHED_DATE |
| is_predicted | PREDICTED |
| mve_id | MVD_ID |
| observed_in_the_wild | OBSERVED_IN_THE_WILD |
| risk_rating | SOURCE_RISK_RATING |
risk_rating (derived) | SEVERITY_SCORE |
risk_rating (normalized) | SEVERITY |
sources[].url | REFERENCES |
title | TITLE |
| updated_date | SOURCE_LAST_MODIFIED |
vulnerable_cpes[].cpe | AFFECTED |
| was_zero_day | ZERO_DAY |
workarounds | RECOMMENDATION |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Vulnerability
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
ratingTypes | analyst,predicted,unrated | Rating types to include (sent as rating_types). | |
riskRatings | CRITICAL,HIGH,MEDIUM,LOW,UNRATED | Risk rating levels to include (sent as risk_ratings). |
Delta sync
Supported.
API
- Type: REST endpoint · Endpoint:
GET v4/vulnerability - Default filters:
rating_types=analyst,predicted,unrated,risk_ratings=CRITICAL,HIGH,MEDIUM,LOW,UNRATED; incremental syncs add astart_epoch/end_epochwindow
Changelog
The Mandiant connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.2 | New Features - Added CVSS v2 and CVSS v3 temporal scores to vulnerability records, giving a more complete picture of how a vulnerability's risk evolves over time. - Added a numeric severity score alongside the severity rating, making it easier to sort, filter, and prioritize vulnerabilities by severity. Improvements - Vulnerability severity is now expressed using standard, human-readable labels (Low, Medium, High, Critical) instead of numeric codes, providing consistency with the rest of the platform. - CVSS v2 and v3 details (attack vector, complexity, impact metrics, severity, etc.) are now derived from the standard CVSS vector string when available, improving accuracy and consistency of the parsed metrics. - Improved handling of redacted or missing CVSS vectors so that records continue to sync cleanly when full vector data is not available. | • Vulnerability: The severity rating now stores standard text labels (Low, Medium, High, Critical) instead of numeric codes (1–5), and CVSS v2/v3 severity values changed in the same way. A new numeric severity score attribute was also added. — Action: Re-sync the Mandiant connector to refresh existing Vulnerability records with the new severity values and populate the new attributes. |
| 3.0.1 | Bug Fixes - Fixed synchronization failures that could occur when using a free (non-commercial) Mandiant subscription, where certain fields such as associated threat actors, associated malware, exploits, affected products, observed-in-the-wild, and zero-day status are returned as redacted placeholders instead of their normal values. These records now sync successfully. Improvements Dependency Upgrades - Upgraded internal framework and model libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | N/A |
| 3.0.0 | Overview The Mandiant connector integrates with Mandiant Threat Intelligence (Google Threat Intelligence) to synchronize vulnerability intelligence records, enriching CVE data with Mandiant-specific intelligence such as risk ratings, exploitation state, observed-in-the-wild and zero-day indicators, EPSS scores, CISA KEV status, CVSS metrics, and associated threat actors and malware. Category: Threat Intelligence Models | N/A |