Respond_Analyst

Use the Mandiant Automated Defense integration to fetch and update incidents from Mandiant Automated Defense. Mandiant Automated Defense fetches open incidents and updates them every minute. Changes made within XSOAR are reflected in Mandiant Automated Defense platform with bi-directional mirroring capabilities enabled.

Analytics & SIEM · Mandiant Automated Defense

Configuration parameters

  • mirror_direction — Incident Mirroring Direction
  • base_url — Base Url (required)
  • insecure — Trust any certificate (not secure)
  • incidentType — Incident type
  • isFetch — Fetch incidents
  • token — API Token (required)
  • max_fetch — Max Fetch
  • first_fetch — First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
  • incidentFetchInterval — Incidents Fetch Interval

Commands (5)

  • mad-assign-user

    assign a user to a Respond incident.

  • mad-close-incident

    close an incident in Respond and provide feedback on that incident. If the incident is already closed, feedback can still be updated. Additional comments and an updated closure code are viable options for updates on an incident that has already been closed (and on incidents that have not been closed yet as well).

  • mad-get-escalations

    Get escalation data associated with incident. In Respond, an 'escalation' is a specific event derived from a cybersecurity telemetry. Escalations are compiled together to form Incidents in Respond.

  • mad-get-incident

    pull data for a specific incident from MAD. This command will only return an output of the incident data. it does not create a new incident.

  • mad-remove-user

    unassign a user from a Respond incident.