Anomali

Anomali is a Threat Intelligence Platform that enables businesses to integrate security products and leverage threat data to defend against cyber threats.

Integration with LogicHub

Connecting with Anomali

To connect to Anomali, the following details are required:

Actions with Anomali

URL Scan

Submits a URL or IP address to Anomali for lookup against its threat intelligence database. Based on the results, automate how incident response is handled.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • COLUMN NAME: Column name from the parent table containing the URL.

Output of Action
Scan results in JSON format.

Get Reputation

Submits a URL, IP address, domain, MD5 hash of a file, or email address to Anomali for lookup against its threat intelligence database. Based on the results, automate how incident response is handled.

Inputs to Action

  • Connection: Choose a connection that you have created
  • OBSERVABLE COLUMN NAME: Column name from the parent table containing the observable, such as an IP address, domain, or URL.
  • SELECT OBSERVABLE TYPE: Select the observable type: URL, IP, domain, MD5 of a file, or email.

Output of Action
Reputation results in JSON format.

Get Intelligence

Get intelligence from Threatstream. You can specify the criteria by which the intelligence should be retrieved.

Inputs to Action

  • Connection: Choose a connection that you have created
  • JINJA TEMPLATE FOR FILTER CRITERIA: Provide a Jinja template for the filter criteria, e.g. q=(confidence>={{confidencevalue}}+AND+(itype="apt_ip"+OR+itype="bot ip"+OR+itype="c2_ip"))
  • EXPLODE RESULTS (OPTIONAL): Select whether to return separate rows for each result or a single row containing all results. Default is Separate Rows.

Output of Action
Intelligence search results in JSON format.

Submit File or URL

Submit files or URLs to the ThreatStream-hosted Sandbox.

Inputs to Action

  • Connection: Choose a connection that you have created
  • SANDBOX SUBMISSION TYPE: Select File / URL
  • SUBMISSION COLUMN NAME: Column name from parent table that contains file or URL.
  • SELECT PLATFORM: Platform on which the submitted URL or file will be run. Example: WINDOWS7 / WINDOWSXP.
  • SANDBOX SUBMISSION CLASSIFICATION (OPTIONAL): Classification of the Sandbox submission—public or private. Default is private.
  • USE PREMIUM SANDBOX (OPTIONAL): Specify whether the premium sandbox should be used for detonation. Default is False.
  • JINJA TEMPLATE FOR DETAIL (OPTIONAL): Jinja template for a comma-separated list that provides additional details for the indicator. This information is displayed in the Tag column of the ThreatStream UI. Example: {{tag1}},{{tag2}}

Output of Action
Submission results in JSON format.

Get Submission Status

Get the status of the submitted file or URL.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • SUBMISSION ID COLUMN NAME: Column name from the parent table that contains the submission ID.
  • SHOULD WAIT (OPTIONAL): Whether to wait until the status is done. Default is False, in which case the current status is returned immediately.

Output of Action
Status results in JSON format.

Get Submission Report

Get a submission report of the submitted file or URL.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • SUBMISSION ID COLUMN NAME: Column name from parent table that contains submission ID.
  • SHOULD WAIT (OPTIONAL): Whether to wait until the report is generated. Default is False.

Output of Action
Report data in JSON format.

Create Threat Model Entity

Create threat model entities, that is, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.

Inputs to Action

  • Connection: Choose a connection that you have created
  • MODEL ENTITY TYPE: Select a model entity type. Example: Actor, Campaign, Incident, and so on.
  • ENTITY NAME COLUMN NAME: Column name from parent table that contains entity name. The name should be unique for an entity.
  • IS PUBLIC (OPTIONAL): Whether the entity is public or private. Default is False.
  • TLP COLUMN NAME (OPTIONAL): Column name from the parent table that contains the TLP. TLP is the Traffic Light Protocol designation for the entity, that is, red, amber, green, or white.
  • JINJA TEMPLATE FOR DESCRIPTION (OPTIONAL): Jinja template for description. Example: This is sample {{desc}}
  • JINJA TEMPLATE FOR TAGS (OPTIONAL): Jinja template for comma-separated list of tags. Example: {{tag1}},{{tag2}}
  • JINJA TEMPLATE FOR ADDITIONAL PARAM IN JSON FORMAT (OPTIONAL): Jinja template for additional parameters in JSON format. Example: {"intelligence": [{{intelligence_id_list}}] }

Output of Action
Result in JSON format.

Update Threat Model Entity

Update threat model entities, that is, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • ENTITY ID COLUMN NAME: Column name from parent table that contains entity ID.
  • MODEL ENTITY TYPE: Select a model entity type. Example: Actor, Campaign, Incident, and so on.
  • ENTITY NAME COLUMN NAME (OPTIONAL): Column name from parent table that contains entity name. The name should be unique for an entity.
  • TLP COLUMN NAME (OPTIONAL): Column name from the parent table that contains the TLP. TLP is the Traffic Light Protocol designation for the entity, that is, red, amber, green, or white.
  • JINJA TEMPLATE FOR DESCRIPTION (OPTIONAL): Jinja template for description. Example: This is sample {{desc}}
  • JINJA TEMPLATE FOR TAGS (OPTIONAL): Jinja template for comma-separated list of tags. Example: {{tag1}},{{tag2}}
  • JINJA TEMPLATE FOR ADDITIONAL PARAM IN JSON FORMAT (OPTIONAL): Jinja template for additional parameters in JSON format. Example: {"intelligence": [{{intelligence_id_list}}] }

Output of Action
Result in JSON format.

Get List of Models

Get a list of threat model entities, that is, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • MODEL ENTITY TYPE: Select a model entity type. Example: Actor, Campaign, Incident, and so on.
  • JINJA TEMPLATE FOR FILTERS IN JSON FORMAT (OPTIONAL): Provide a Jinja template for filters in JSON format. Example: {"tlp":"{{tlp}}"}
  • EXPLODE RESULTS (OPTIONAL): Select whether to return separate rows for each result or a single row containing all results. Default is Separate Rows.

Output of Action
Results in JSON format.

Get Model Description

Get details of model entities, that is, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • ENTITY ID COLUMN NAME: Column name from parent table that contains entity ID.
  • MODEL ENTITY TYPE: Select a model entity type. Example: Actor, Campaign, Incident, and so on.

Output of Action
Result in JSON format.

Import With Manual Approval

Import threat data (observables) into ThreatStream and require the approval of the imported data through the ThreatStream UI.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • FILE ID COLUMN NAME: Column name from the parent table that contains the entity ID.
  • CLASSIFICATION: Select a classification of the observable (default is Private).
  • SEVERITY: Select severity of the observable (default is Low).
  • SOURCE CONFIDENCE WEIGHT: The ratio between the amount of the source confidence of each observable and the ThreatStream confidence (default is 100).
  • CONFIDENCE: Level of certainty that an observable is of the reported indicator type (default is 100).
  • IP MAPPING: Indicator type to assign if a specific type is not associated with an observable (default is mal_ip).
  • DOMAIN MAPPING: Indicator type to assign if a specific type is not associated with an observable (default is mal_domain).
  • URL MAPPING: Indicator type to assign if a specific type is not associated with an observable (default is mal_url).
  • EMAIL MAPPING: Indicator type to assign if a specific type is not associated with an observable (default is mal_email).
  • MD5 MAPPING: Indicator type to assign if a specific type is not associated with an observable (default is mal_md5).
  • TRUSTED CIRCLES: Comma-separated IDs of the trusted circles into which this threat data should be imported (default is no association).

Output of Action
Result in JSON format.

Import Without Manual Approval

Import threat data (observables) into ThreatStream without the approval of the imported data through the ThreatStream UI.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • FILE ID COLUMN NAME: Column name from the parent table that contains the entity ID.
  • CLASSIFICATION: Select a classification of the observable (default is Private).
  • SEVERITY: Select severity of the observable (default is Low).
  • SOURCE CONFIDENCE WEIGHT: The ratio between the amount of the source confidence of each observable and the ThreatStream confidence (default is 100).
  • CONFIDENCE: Level of certainty that an observable is of the reported indicator type (default is 100).
  • IP MAPPING: Indicator type to assign if a specific type is not associated with an observable (default is mal_ip).
  • DOMAIN MAPPING: Indicator type to assign if a specific type is not associated with an observable (default is mal_domain).
  • URL MAPPING: Indicator type to assign if a specific type is not associated with an observable (default is mal_url).
  • EMAIL MAPPING: Indicator type to assign if a specific type is not associated with an observable (default is mal_email).
  • MD5 MAPPING: Indicator type to assign if a specific type is not associated with an observable (default is mal_md5).
  • TRUSTED CIRCLES: Comma-separated IDs of the trusted circles into which this threat data should be imported (default is no association).

Output of Action
Result in JSON format.
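To show how the Import actions' default indicator-type mappings apply, here is an added Python example (not part of the LogicHub integration or Anomali's API) that classifies constructed observables and assigns the documented default itype (mal_ip, mal_domain, mal_url, mal_email, mal_md5) when no specific type is supplied; the function names, row layout, and sample values are assumptions.

```python
import ipaddress
import re

# Default mappings documented for the Import actions' *_MAPPING inputs.
DEFAULT_MAPPING = {
    "ip": "mal_ip",
    "domain": "mal_domain",
    "url": "mal_url",
    "email": "mal_email",
    "md5": "mal_md5",
}

_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$")


def observable_type(value):
    """Return 'ip', 'domain', 'url', 'email', 'md5', or None for one observable."""
    value = value.strip()
    if _MD5_RE.match(value):
        return "md5"
    if "://" in value:
        return "url"
    if _EMAIL_RE.match(value):
        return "email"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if _DOMAIN_RE.match(value):
        return "domain"
    return None


def build_import_rows(observables, itype=None, mapping=DEFAULT_MAPPING,
                      classification="private", severity="low", confidence=100):
    """Build one import row per observable (hypothetical layout, not Anomali's).
    Without an explicit itype, the per-type default mapping is applied, as the
    Import actions do. Unrecognised values are returned for analyst review
    rather than being imported with a guessed type."""
    rows, rejected = [], []
    for obs in observables:
        kind = observable_type(obs)
        if kind is None:
            rejected.append(obs)
            continue
        rows.append({"value": obs.strip(), "itype": itype or mapping[kind],
                     "classification": classification, "severity": severity,
                     "confidence": confidence})
    return rows, rejected


# Constructed sample observables (not from the page).
SAMPLE = ["198.51.100.7", "example.test", "http://example.test/x",
          "a" * 32, "user@example.test", "not an ioc"]
```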

Search Threat Models

Retrieve threat models from ThreatStream.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • JINJA TEMPLATE FOR SEARCH STRING (OPTIONAL): Jinja-templated search string. Example: {{financial_column_name}}, {{services_column_name}}.
  • Threat Model Type (OPTIONAL): Select the type of threat model (default is All types).
  • Result Limit (OPTIONAL): Maximum number of results to return (default is 1000).
  • Result Offset (OPTIONAL): Offset into the result set (default is 0).

Output of Action
Results in JSON format.

Get Threat Model By Indicator IDs

Get threat model details by indicator IDs from ThreatStream.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • Indicator IDs: Column name from parent table that contains comma-separated indicator IDs.
  • Threat Model Type: Select the type of threat model.
  • Result Limit (OPTIONAL): Maximum number of results to return (default is 1000).
  • Result Offset (OPTIONAL): Offset into the result set (default is 0).

Output of Action
Results in JSON format.

Get Associations for Threat Model

Get association details for the threat model from ThreatStream.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • Threat Model ID: Column name from parent table that contains the ID of the threat model.
  • Threat Model Type: Select the type of threat model.
  • Threat Model Association Type: Select the association type of the threat model.
  • Result Limit (OPTIONAL): Maximum number of results to return (default is 1000).
  • Result Offset (OPTIONAL): Offset into the result set (default is 0).

Output of Action
Results in JSON format.