Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Anomali Intelligence API | | | | ✅ | anomali_intelligence | NDJSON | API
Overview
Anomali delivers intelligence-driven cybersecurity products, including ThreatStream, Match, and Lens. ThreatStream is a threat intelligence management platform that automates the collection and processing of raw threat data, filters out the noise, and turns it into relevant, actionable threat intelligence for security teams.
Hunters uses Anomali data to widen threat visibility, automate threat processing and detection, and speed up threat investigation, response, and remediation.
Hunters also feeds it into its Threat Intel detection and investigation pipeline. That pipeline matches Anomali IOCs against the raw data collected from your other data sources and enriches existing detections that contain an IOC.
Supported data types
Intelligence API
Table name: anomali_intelligence
An API used to retrieve threat intelligence from ThreatStream. Learn more.
Send data to Hunters
Hunters collects Anomali data through the ThreatStream API.
To connect Anomali:
1. Gather the following API authentication details from Anomali:
Username - the email address associated with your ThreatStream account. Example: johnsmith@acme.com
Domain - the domain part of that email address. Example: if your user email address is johnsmith@acme.com, your domain is acme.com
Password - the ThreatStream API key associated with the account (not the account's login password). Example: 1234567890abcdef1234567890abcdef01234567
Treat the API key as a secret: it grants the same ThreatStream access as the user it belongs to, so store it only in the Hunters connector configuration and rotate it if it is ever exposed.
📘 Learn more
You can find your username and API key on the Anomali console, on the My Profile tab within ThreatStream settings.
2. Complete the process on the Hunters platform, following this guide.
Expected format
Each record is a single JSON object; when collected as NDJSON, one object is written per line. The sample record below is pretty-printed for readability.
```json
{
  "source_created": "2022-01-31T00:00:00.000Z",
  "status": "active",
  "itype": "mal_file_name",
  "expiration_ts": "2022-01-31T00:00:00.000Z",
  "ip": "1.1.1.1",
  "is_editable": false,
  "feed_id": 0,
  "update_id": 111111,
  "value": "abc.txt",
  "is_public": false,
  "threat_type": "malware",
  "workgroups": [],
  "rdns": null,
  "confidence": 100,
  "uuid": "111-222",
  "retina_confidence": -1,
  "trusted_circle_ids": [10],
  "id": 50,
  "source": "FirstEnergy",
  "owner_organization_id": 2,
  "import_session_id": 4,
  "source_modified": null,
  "type": "string",
  "sort": [2],
  "description": null,
  "tags": [
    { "id": "V", "name": "#malware" },
    { "id": "i", "name": "#virustotal" }
  ],
  "threatscore": 80,
  "latitude": null,
  "modified_ts": "2021-11-02T00:00:00.000Z",
  "org": "",
  "asn": "",
  "created_ts": "2021-05-02T12:10:33.111Z",
  "tlp": null,
  "is_anonymous": false,
  "country": null,
  "source_reported_confidence": -1,
  "can_add_public_tags": true,
  "longitude": null,
  "subtype": null,
  "meta": {
    "detail2": "imported by user 2",
    "severity": "high"
  },
  "resource_uri": "/api/v2/intelligence/555/"
}
```
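As an added example (not Hunters' or Anomali's code) of what the Threat Intel pipeline described in the Overview does with records in this format: the script below reads NDJSON intelligence records, drops the ones that are inactive, expired, or below a confidence threshold, indexes the rest by the log field their `itype` applies to, and matches them against a few log events. The sample records, the events, the `itype`-to-field mapping, the required-field list, and the confidence threshold are all constructed or chosen for this example; they are not Hunters settings or a complete list of ThreatStream indicator types.

```python
"""Filter Anomali ThreatStream intelligence records and match them against log events.

Added example, not Hunters or Anomali code. Assumes records arrive as NDJSON
(one ThreatStream intelligence object per line) with the fields shown in the
sample above; the events and records below are constructed for the example.
"""
import json
from datetime import datetime, timezone

# Fields a record must carry before it is worth indexing as an IOC (a choice
# made for this example, not a Hunters requirement).
REQUIRED = ("id", "itype", "value", "status", "confidence", "threat_type")

# Assumption: which log field each ThreatStream itype should be compared with.
# Only the itypes needed by the constructed data are listed.
ITYPE_TO_EVENT_FIELD = {
    "mal_ip": "dst_ip", "c2_ip": "dst_ip", "scan_ip": "dst_ip",
    "mal_domain": "dst_domain", "c2_domain": "dst_domain",
    "mal_md5": "file_md5",
    "mal_file_name": "file_name",
}

# Constructed NDJSON batch: two usable IOCs, one expired, one low-confidence,
# and one malformed line that must not abort the batch.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"id": 50, "itype": "mal_file_name", "value": "abc.txt", "status": "active",
                "confidence": 100, "threat_type": "malware",
                "expiration_ts": "2030-01-31T00:00:00.000Z",
                "tags": [{"id": "V", "name": "#malware"}],
                "resource_uri": "/api/v2/intelligence/50/"}),
    json.dumps({"id": 51, "itype": "mal_ip", "value": "198.51.100.23", "status": "active",
                "confidence": 85, "threat_type": "c2",
                "expiration_ts": "2030-01-31T00:00:00.000Z",
                "resource_uri": "/api/v2/intelligence/51/"}),
    json.dumps({"id": 52, "itype": "mal_domain", "value": "bad.example", "status": "active",
                "confidence": 90, "threat_type": "malware",
                "expiration_ts": "2020-01-01T00:00:00.000Z"}),
    json.dumps({"id": 53, "itype": "mal_ip", "value": "203.0.113.9", "status": "active",
                "confidence": 20, "threat_type": "scan", "expiration_ts": None}),
    '{"not": "valid json',
])

# Constructed log events; field names follow ITYPE_TO_EVENT_FIELD.
SAMPLE_EVENTS = [
    {"event_id": "e1", "file_name": "ABC.TXT", "dst_ip": "10.0.0.5"},
    {"event_id": "e2", "dst_ip": "198.51.100.23", "dst_domain": "bad.example"},
    {"event_id": "e3", "dst_ip": "203.0.113.9"},
]


def parse_ndjson(text):
    """Yield one record per non-empty line; malformed or incomplete lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not discard the rest of the batch
        if all(k in rec for k in REQUIRED):
            yield rec


def _ts(value):
    """Parse a ThreatStream ISO-8601 timestamp ending in 'Z'; None when absent."""
    if not value:
        return None
    return datetime.fromisoformat(value[:-1] + "+00:00" if value[-1] in "Zz" else value)


def actionable(records, now, min_confidence=70):
    """Keep indicators that are active, not yet expired, and confident enough to act on."""
    kept = []
    for r in records:
        exp = _ts(r.get("expiration_ts"))
        if r["status"] != "active" or r["confidence"] < min_confidence:
            continue
        if exp is not None and exp <= now:
            continue
        kept.append(r)
    return kept


def build_index(records):
    """Index IOC values by the event field they apply to; compared case-insensitively."""
    index = {}
    for r in records:
        field = ITYPE_TO_EVENT_FIELD.get(r["itype"])
        if field is not None:
            index.setdefault(field, {})[str(r["value"]).lower()] = r
    return index


def match_events(events, index):
    """Return one hit per (event, field) whose value equals an indexed IOC, with enrichment."""
    hits = []
    for ev in events:
        for field, iocs in index.items():
            v = ev.get(field)
            ioc = iocs.get(str(v).lower()) if v is not None else None
            if ioc is None:
                continue
            hits.append({
                "event_id": ev["event_id"], "field": field, "value": v,
                "ioc_id": ioc["id"], "itype": ioc["itype"],
                "confidence": ioc["confidence"], "threat_type": ioc["threat_type"],
                "tags": [t["name"] for t in ioc.get("tags", [])],
                "resource_uri": ioc.get("resource_uri"),
            })
    return hits


def run(now=None):
    """End-to-end: parse, filter as of `now` (default: 2024-06-01 UTC), index, match."""
    now = now or datetime(2024, 6, 1, tzinfo=timezone.utc)
    index = build_index(actionable(parse_ndjson(SAMPLE_NDJSON), now))
    return match_events(SAMPLE_EVENTS, index)


if __name__ == "__main__":
    for hit in run():
        print(json.dumps(hit))
```

With the constructed data, only two hits come back: event e1 on `abc.txt` (the case-insensitive comparison is deliberate, since file-name IOCs are rarely case-exact) and event e2 on `198.51.100.23`. The `bad.example` domain in e2 is ignored because its indicator expired, and the `203.0.113.9` address in e3 is ignored because its confidence is below the threshold; expiry and confidence checks are what keep a threat-intel match from turning stale or low-quality indicators into noise.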