Anomali

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
Anomali Intelligence API | ✅ | anomali_intelligence | NDJSON | API


Overview

Anomali delivers intelligence-driven cybersecurity solutions, including ThreatStream, Match, and Lens. ThreatStream is a Threat Intelligence Management platform that automates the collection and processing of raw data, filters out the noise and transforms it into relevant, actionable threat intelligence for security teams.

Hunters uses Anomali to enhance threat visibility, automate threat processing and detection, and accelerate threat investigation, response, and remediation.

In addition, Hunters uses it for its Threat Intel detection and investigation pipeline. The Threat Intel pipeline detects IOCs in your raw data from your different data sources, and enriches existing detections containing IOCs.

Supported data types

Intelligence API

Table name: anomali_intelligence

An API used to retrieve threat intelligence from ThreatStream.

Send data to Hunters

Hunters supports the collection of Anomali logs using API.

To connect Anomali logs:

  1. Gather the following API authentication details from Anomali:

    • Username - The email address associated with your ThreatStream account. Example: johnsmith@acme.com

    • Domain - Your user email domain. Example: if your user email address is johnsmith@acme.com, then your domain will be acme.com.

    • Password - The associated API Key. Example: 1234567890abcdef1234567890abcdef01234567

      📘 Learn more

      You can find your username and API Key on your Anomali console, on the My Profile tab within ThreatStream settings.

  2. Complete the process on the Hunters platform, following this guide.

Expected format

Logs are expected in JSON format.

{
    "source_created": "2022-01-31T00:00:00.000Z",
    "status": "active",
    "itype": "mal_file_name",
    "expiration_ts": "2022-01-31T00:00:00.000z",
    "ip": "1.1.1.1",
    "is_editable": false,
    "feed_id": 0,
    "update_id": 111111,
    "value": "abc.txt",
    "is_public": false,
    "threat_type": "malware",
    "workgroups": [],
    "rdns": null,
    "confidence": 100,
    "uuid": "111-222",
    "retina_confidence": -1,
    "trusted_circle_ids": [10],
    "id": 50,
    "source": "FirstEnergy",
    "owner_organization_id": 2,
    "import_session_id": 4,
    "source_modified": null,
    "type": "string",
    "sort": [2],
    "description": null,
    "tags": [{
        "id": "V",
        "name": "#malware"
    }, {
        "id": "i",
        "name": "#virustotal"
    }],
    "threatscore": 80,
    "latitude": null,
    "modified_ts": "2021-11-02T00:00:00.000Z",
    "org": "",
    "asn": "",
    "created_ts": "2021-05-02T12:10:33.111Z",
    "tlp": null,
    "is_anonymous": false,
    "country": null,
    "source_reported_confidence": -1,
    "can_add_public_tags": true,
    "longitude": null,
    "subtype": null,
    "meta": {
        "detail2": "imported by user 2",
        "severity": "high"
    },
    "resource_uri": "/api/v2/intelligence/555/"
}
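As an added example (not code from the Hunters or Anomali documentation), a small Python pipeline that reads records in the NDJSON shape shown above, keeps only the indicators worth matching (status active, not yet expired, confidence at or above a threshold) and then enriches raw events whose field values equal an indicator value, which is the kind of IOC detection and enrichment the Threat Intel pipeline described earlier performs. The itype values other than mal_file_name, the sample events and the fixed clock are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed NDJSON sample in the shape shown above; itype values other than mal_file_name are assumed.
SAMPLE_NDJSON = """\
{"id": 50, "itype": "mal_file_name", "value": "abc.txt", "status": "active", "confidence": 100, "threatscore": 80, "expiration_ts": "2099-01-31T00:00:00.000z", "tags": [{"id": "V", "name": "#malware"}], "meta": {"severity": "high"}}
{"id": 51, "itype": "mal_ip", "value": "203.0.113.7", "status": "active", "confidence": 40, "threatscore": 20, "expiration_ts": null, "tags": [], "meta": {"severity": "low"}}
{"id": 52, "itype": "mal_domain", "value": "bad.example", "status": "active", "confidence": 90, "threatscore": 70, "expiration_ts": "2020-01-01T00:00:00.000Z", "tags": [], "meta": {}}
{"id": 53, "itype": "mal_ip", "value": "198.51.100.9", "status": "inactive", "confidence": 95, "threatscore": 90, "expiration_ts": null, "tags": [], "meta": {}}
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed fixed clock so the expiry check is deterministic

def parse_ts(ts):
    # ThreatStream timestamps end in Z (the sample above has one lowercase z); return an aware UTC datetime.
    if ts[-1] in "Zz":
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def load_indicators(ndjson_text, now, min_confidence=50):
    """Return {value: summary} for records that are active, unexpired at `now`
    and at or above `min_confidence` (0-100); everything else is dropped."""
    kept = {}
    for line in filter(str.strip, ndjson_text.splitlines()):
        rec = json.loads(line)
        exp = rec.get("expiration_ts")
        if rec.get("status") != "active" or (exp and parse_ts(exp) <= now):
            continue
        if (rec.get("confidence") or -1) < min_confidence:
            continue
        kept[rec["value"]] = {"id": rec["id"], "itype": rec["itype"], "confidence": rec["confidence"],
                              "threatscore": rec.get("threatscore"),
                              "severity": (rec.get("meta") or {}).get("severity"),
                              "tags": [t["name"] for t in rec.get("tags") or []]}
    return kept

def enrich_events(events, indicators):
    """Attach matching indicators to raw events: any string field whose value
    equals an indicator value is a hit (a dict with the event, field and ioc summary)."""
    return [{"event": ev, "field": f, "ioc": indicators[v]}
            for ev in events for f, v in ev.items()
            if isinstance(v, str) and v in indicators]

# Constructed raw events from three different data sources.
SAMPLE_EVENTS = [{"src": "edr", "host": "ws01", "file_name": "abc.txt"},
                 {"src": "proxy", "host": "ws02", "dst_ip": "203.0.113.7"},
                 {"src": "dns", "host": "ws03", "query": "bad.example"}]

def run_sample():
    """Run the whole pipeline over the constructed sample and return the hits."""
    return enrich_events(SAMPLE_EVENTS, load_indicators(SAMPLE_NDJSON, NOW))
```

With the default threshold only the abc.txt indicator survives (the others are low-confidence, expired or inactive), so run_sample() returns a single hit on the EDR event.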