Device Integration: Mandiant Device

Modified on Thu, 16 Apr at 4:23 PM

Overview

This document provides steps to integrate Mandiant (Google Threat Intelligence) with ADR/aiXDR for automated threat intelligence ingestion via API.

Prerequisites

  • Access to Google Cloud Console / Mandiant GTI platform.

  • Valid GTI API Key (Google Threat Intelligence).

  • ADR CCE Host IP or 127.0.0.1 (for local setup).

  • Network access from ADR CCE to GTI API endpoints.

Step 1: Generate Google Threat Intelligence (GTI) API Key

(Adapted from GTI official documentation)

  1. To get your API Key, you just have to register. Once registered, sign in to your account and you will find your public API Key under your username.

  2. On this page you can find your Google Threat Intelligence API Key string, your API allowances and consumption.


Step 2: Configure in ADR

  1. Log in to the ADR UI as admin.

  2. Navigate to:
    Administration → Device Management → Add Device

  3. In the Add Device form:

    • Device: Mandiant

    • Name: mandiant

    • CCE Host: Enter your valid CCE IP (e.g., 192.168.x.x), or 127.0.0.1 if not applicable.

    • Access ID/User Name: Leave empty.

    • Password/Secret Key: Paste the GTI API Key obtained earlier.

    • Config: Enter {} (empty JSON).

      Example:

      {}
  4. Click Save to complete the integration.

Step 3: Validation

  • Go to Device Ingestion Inventory → Verify device status is Active/Connected.

  • Validate the ingestion count under the Logs and Flow Collection Status tab → Device Type: Mandiant (e.g., total count shown in the dashboard).

Troubleshooting

Issue            | Possible Cause                       | Resolution
Invalid JSON     | Wrong config format                  | Use {} exactly
Connection Error | Invalid or expired API key           | Regenerate GTI API key
No data received | Missing permissions in API key scope | Recheck GTI project permissions
CCE IP error     | Invalid host IP                      | Use valid CCE IP or 127.0.0.1
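
The "Invalid JSON" and "CCE IP error" rows, and a key damaged during copy and paste, can be caught before clicking Save. The following is an added example, not part of ADR or GTI: the function name `preflight` and the sample values are hypothetical, and it assumes a GTI API key never contains whitespace. The key itself is never printed, only its length.

```python
import ipaddress
import json


def preflight(cce_host, api_key, config_text, access_id=""):
    """Check the Add Device values from Step 2; return a list of problems."""
    problems = []

    # Config: the article requires the empty JSON object, typed as {} exactly.
    if config_text.strip() != "{}":
        try:
            json.loads(config_text)
            problems.append("Config is valid JSON but not the empty object; use {} exactly")
        except json.JSONDecodeError:
            problems.append("Config is not valid JSON; use {} exactly")

    # CCE Host: must be a real IP address. This also catches a placeholder
    # such as 192.168.x.x left unfilled, or stray spaces around the address.
    try:
        ipaddress.ip_address(cce_host)
    except ValueError:
        problems.append(f"CCE Host {cce_host!r} is not a valid IP; use the CCE IP or 127.0.0.1")

    # Password/Secret Key: report length only, never the secret itself.
    # Assumption: a valid key has no spaces, tabs or newlines.
    if not api_key:
        problems.append("Password/Secret Key is empty; paste the GTI API key")
    elif any(ch.isspace() for ch in api_key):
        problems.append(f"API key ({len(api_key)} chars) contains whitespace from copy/paste")

    # Access ID/User Name stays empty for this device type.
    if access_id:
        problems.append("Access ID/User Name must be left empty")

    return problems


if __name__ == "__main__":
    # Constructed sample values; the key below is a placeholder, not a real key.
    for issue in preflight("192.168.x.x", "EXAMPLE-KEY-NOT-REAL\n", "{ }"):
        print("FIX:", issue)
```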
