Respond_Analyst
Use the Mandiant Automated Defense integration to fetch and update incidents from Mandiant Automated Defense. Mandiant Automated Defense fetches open incidents and updates them every minute. Changes made within XSOAR are reflected in Mandiant Automated Defense platform with bi-directional mirroring capabilities enabled.
Analytics & SIEM · Mandiant Automated Defense
Configuration parameters
mirror_direction— Incident Mirroring Directionbase_url— Base Url (required)insecure— Trust any certificate (not secure)incidentType— Incident typeisFetch— Fetch incidentstoken— API Token (required)max_fetch— Max Fetchfirst_fetch— First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)incidentFetchInterval— Incidents Fetch Interval
Commands (5)
-
mad-assign-userassign a user to a Respond incident.
-
mad-close-incidentclose an incident in Respond and provide feedback on that incident. If the incident is already closed, feedback can still be updated. Additional comments and an updated closure code are viable options for updates on an incident that has already been closed (and on incidents that have not been closed yet as well).
-
mad-get-escalationsGet escalation data associated with incident. In Respond, an 'escalation' is a specific event derived from a cybersecurity telemetry. Escalations are compiled together to form Incidents in Respond.
-
mad-get-incidentpull data for a specific incident from MAD. This command will only return an output of the incident data. it does not create a new incident.
-
mad-remove-userunassign a user from a Respond incident.