From 866e30f87d93f8bbe89a488ab5ec78716d26d5e7 Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 6 Nov 2024 12:45:24 -0700
Subject: [PATCH] work in progress for mandiant threat intel integration, cisagov/Malcolm#358
---
shared/bin/zeek_intel_from_threat_feed.py | 2 ++
shared/bin/zeek_threat_feed_utils.py | 3 +--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/shared/bin/zeek_intel_from_threat_feed.py b/shared/bin/zeek_intel_from_threat_feed.py
index 7fbf76fa6..5319064a6 100755
--- a/shared/bin/zeek_intel_from_threat_feed.py
+++ b/shared/bin/zeek_intel_from_threat_feed.py
@@ -34,6 +34,7 @@ def main():
 'Outputs a Zeek intelligence framework file from various formats used to represent threat information:',
 ' - "Indicator" objects in STIX™ v2.0/v2.1 JSON files',
 ' - MISP attributes or core format JSON files',
+ ' - Indicators from Mantiant Threat Intelligence',
 '',
 'See:',
 ' - Malcolm documentation: https://idaholab.github.io/Malcolm/docs/zeek-intel.html#ZeekIntel',
@@ -47,6 +48,7 @@ def main():
 ' - MISP default feeds: https://www.misp-project.org/feeds/',
 ' - Managing MISP feeds: https://misp.gitbooks.io/misp-book/content/managing-feeds/',
 ' - Expand MISP usage: https://github.com/idaholab/Malcolm/issues/336',
+ ' - Mandiant Threat Intelligence Indicators API: https://docs.mandiant.com/home/mati-threat-intelligence-api-v4#tag/Indicators'
 '',
 'Note: The Zeek intelligence framework only supports simple indicators matched against a single value.',
 'The STIX™ standard can express more complex indicators that cannot be expressed with Zeek intelligence items.',
diff --git a/shared/bin/zeek_threat_feed_utils.py b/shared/bin/zeek_threat_feed_utils.py
index 4f87c9e7b..4ca41cd73 100755
--- a/shared/bin/zeek_threat_feed_utils.py
+++ b/shared/bin/zeek_threat_feed_utils.py
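Review bot: The added help line misspells the vendor name: `' - Indicators from Mantiant Threat Intelligence',` should read `' - Indicators from Mandiant Threat Intelligence',`, matching the spelling used in the second hunk of this file and in the commit subject. This is user-facing help text, so the typo ships to every operator who runs the tool with no arguments. main() starts and ends outside the hunk.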
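Review bot: The added Mandiant API line is the only entry in this list without a trailing comma, so Python's implicit string-literal concatenation fuses it with the `''` element that follows: the list loses that empty entry (presumably the blank separator line before the "Note:" paragraph in the rendered help) and the Mandiant entry silently absorbs it. The fix is the comma: `' - Mandiant Threat Intelligence Indicators API: https://docs.mandiant.com/home/mati-threat-intelligence-api-v4#tag/Indicators',`. A linter rule for implicit concatenation (ruff ISC001) would catch this class of slip in future string-list edits. main() starts and ends outside the hunk.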
@@ -845,11 +845,10 @@ def ProcessThreatInputWorker(threatInputWorkerArgs):
 api_base_url=inarg.get('api_base_url', mandiant_threatintel.API_BASE_URL),
 client_name=inarg.get('client_name', mandiant_threatintel.CLIENT_APP_NAME),
 ):
- print(since)
 for indicator in mati_client.Indicators.get_list(
 minimum_mscore=inarg.get('minimum_mscore', 60),
 exclude_osint=inarg.get('exclude_osint', False),
- start_epoch=since if since else datetime.now() - relativedelta(years=10),
+ start_epoch=since if since else datetime.now() - relativedelta(months=1),
 ):
 try:
 if zeekPrinter.ProcessMandiant(indicator):
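Review bot: The new fallback `datetime.now() - relativedelta(months=1)` shrinks the first-run lookback from ten years to one month with nothing in the hunk recording why, and unlike `minimum_mscore` and `exclude_osint` on the lines just above it is not operator-tunable through `inarg`. If `start_epoch` filters on the indicator's last-updated time (I cannot tell from here), a fresh deployment with no stored `since` will never load still-active indicators older than a month, which for threat intel is a silent coverage gap rather than a visible failure. Suggest exposing it the same way as the sibling knobs, `start_epoch=since if since else datetime.now() - relativedelta(months=inarg.get('lookback_months', 1)),`, with a comment such as `# first run only: bounded lookback so a fresh install does not page the entire feed` so the trade-off is visible to the next maintainer. `datetime.now()` is naive local time; that is fine if the client converts it with `.timestamp()`, but it is worth confirming it agrees with however a stored `since` is produced. ProcessThreatInputWorker starts and ends outside the hunk.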