Anomali

Version: 4.0.11

Anomali is a Threat Intelligence Platform that enables businesses to integrate security products and leverage threat data to defend against cyber threats.

Connect Anomali with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Anomali.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate). Leave it enabled unless you are pointing at a lab instance with a self-signed certificate: with verification off, the API key is sent to whichever host answers for the Base URL.
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Base URL (optional; leave empty for default): Specify the base URL of the Anomali server. Leave empty for the default Anomali server. Example: https://192.168.1.1:443 or https://yourhostname.example.com.
    • API Key: API key for connecting to Anomali.
    • Username: Username for connecting to Anomali.
  4. After you've entered all the details, click Connect.

Actions for Anomali

URL Scan

Submits a URL or IP address to Anomali for lookup against its threat intelligence database. Use the result to decide how the incident is handled in the rest of the playbook.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Column name | Column name from the parent table containing the URL. | Required

Output

Scan results in JSON format.

Get Reputation

Submits a URL, IP address, domain, file MD5, or email address to Anomali for lookup against its threat intelligence database. Use the result to decide how the incident is handled in the rest of the playbook.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Observable Column name | Column name from the parent table containing the observable (IP address, domain, URL, and so on). | Required
Select Observable Type | URL / IP / Domain / MD5 of a file / email | Required

Output

Reputation results in JSON format.

Get Intelligence

Get intelligence from ThreatStream, filtered by criteria you specify.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Jinja Template For Filter Criteria | Jinja template for the filter criteria. Example: q=(confidence>={{confidencevalue}}+AND+(itype="apt_ip"+OR+itype="bot_ip"+OR+itype="c2_ip")) | Required
Explode Results | Select whether to return a separate row for each result or a single row containing all results. Default is Separate Rows. | Optional

Output

Intelligence search results in JSON format.
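The filter template above is rendered from row values before it is sent, so a row value is an injection point into the query: a crafted observable could close the quoted itype and append its own OR clause. The following is an added example, not LogicHub's or Anomali's code, that renders {{name}} placeholders with a minimal stand-in for Jinja, validates each value before substitution, and appends the result to the intelligence endpoint. The endpoint path /api/v2/intelligence/, the host api.threatstream.com and the rule that the rendered text is sent verbatim as the query string are assumptions for illustration; the page does not name them.

```python
import re

# Hypothetical endpoint path; the page does not name the API route.
INTELLIGENCE_PATH = "/api/v2/intelligence/"

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
# Characters that cannot alter the filter grammar or the query string:
# no quotes, parentheses, '+', spaces, '&', '#', '=' or '?'.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.:/\-]+$")


def validate_value(name, value):
    """Return `value` as a string if it is safe to interpolate, else raise.

    Integers pass as-is, except that a placeholder whose name mentions
    'confidence' must lie in 0..100. Strings must match _SAFE_TOKEN, so a
    crafted row value such as '")+OR+(confidence>=0' cannot rewrite the
    filter. Booleans and None are refused rather than stringified.
    """
    if isinstance(value, bool) or value is None:
        raise ValueError(f"{name}: unsupported value {value!r}")
    if isinstance(value, int):
        if "confidence" in name and not 0 <= value <= 100:
            raise ValueError(f"{name}: confidence must be 0-100, got {value}")
        return str(value)
    text = str(value)
    if not _SAFE_TOKEN.match(text):
        raise ValueError(f"{name}: {text!r} contains characters not allowed in a filter")
    return text


def render_filter(template, row):
    """Substitute every {{name}} in `template` with the validated row value.

    Minimal stand-in for the Jinja rendering LogicHub performs: only plain
    variable placeholders are supported, which is all the page's example uses.
    A placeholder with no matching row column is an error, not an empty string.
    """
    def repl(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"template variable {name!r} missing from row")
        return validate_value(name, row[name])
    return _PLACEHOLDER.sub(repl, template)


def build_intelligence_url(base_url, template, row):
    """Render the filter and append it to the (assumed) intelligence endpoint."""
    query = render_filter(template, row)
    if not query.startswith("q="):
        raise ValueError("filter template must start with 'q='")
    return base_url.rstrip("/") + INTELLIGENCE_PATH + "?" + query


if __name__ == "__main__":
    tpl = 'q=(confidence>={{confidencevalue}}+AND+(itype="apt_ip"+OR+itype="bot_ip"+OR+itype="c2_ip"))'
    print(build_intelligence_url("https://api.threatstream.com", tpl, {"confidencevalue": 70}))
```

The allow-list is deliberately narrow; if a column legitimately carries URLs with query strings, percent-encode that column before it reaches the template rather than widening the token pattern.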

Submit File or URL

Submit files or URLs to the ThreatStream-hosted Sandbox.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Submission Column Name | Column name from the parent table that contains the file or URL. | Required
Sandbox Submission Type | Select File / URL. | Required
Select Platform | Platform on which the submitted URL or file is detonated. Example: WINDOWS7 / WINDOWSXP. | 
Sandbox Submission Classification | Classification of the sandbox submission, public or private. Default is private. | Optional
Use Premium Sandbox | Whether the premium sandbox should be used for detonation. Default is False. | Optional
Jinja Template for Detail | Jinja template for a comma-separated list of additional details for the indicator. This information is displayed in the Tag column of the ThreatStream UI. Example: {{tag1}},{{tag2}} | Optional

Output

Submission results in JSON format.

Get Submission Status

Get the status of the submitted file or URL.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Submission Id Column Name | Column name from the parent table that contains the submission ID. | Required
Should Wait | Wait until the status is done. Default is False, in which case the current status is returned immediately. | Optional

Output

Status results in JSON format.

Get Submission Report

Get a submission report of the submitted file or URL.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Submission Id Column Name | Column name from the parent table that contains the submission ID. | Required
Should Wait | Wait until the report is generated. Default is False. | Optional

Output

Report data in JSON format.
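Submit File or URL, Get Submission Status and Get Submission Report form one procedure: submit, poll the status until it is done, then fetch the report. With Should Wait left at its default of False the status action returns immediately, so the playbook has to own the waiting. The block below is an added example, not LogicHub's or Anomali's code, of a bounded polling loop with exponential backoff and a hard timeout, driven through two injected callables that stand in for the status and report actions. The terminal state names, the report fields and the fake sandbox are constructed for illustration; the page only says the status becomes "done".

```python
import time


class SandboxTimeout(TimeoutError):
    """Raised when the sandbox does not reach a terminal state in time."""


# Assumed state names; the page only says Should Wait waits "till status is
# done". Adjust to the values your ThreatStream tenant actually returns.
TERMINAL_SUCCESS = {"done", "finished", "completed"}
TERMINAL_FAILURE = {"error", "failed"}


def wait_for_submission(submission_id, get_status, get_report, *,
                        timeout_s=900, initial_delay_s=5, max_delay_s=60,
                        sleep=time.sleep, clock=time.monotonic):
    """Poll get_status(submission_id) until the sandbox finishes, then fetch the report.

    get_status stands in for Get Submission Status with Should Wait = False
    (the default, which returns the current status immediately); get_report
    stands in for Get Submission Report. The delay doubles after each poll
    up to max_delay_s, and the whole wait is capped by timeout_s so a
    playbook step can never hang on a detonation that is stuck.
    """
    deadline = clock() + timeout_s
    delay = initial_delay_s
    polls = 0
    while True:
        polls += 1
        state = str(get_status(submission_id).get("status", "")).lower()
        if state in TERMINAL_SUCCESS:
            return {"submission_id": submission_id, "polls": polls,
                    "report": get_report(submission_id)}
        if state in TERMINAL_FAILURE:
            raise RuntimeError(
                f"submission {submission_id} ended in state {state!r} after {polls} polls")
        remaining = deadline - clock()
        if remaining <= 0:
            raise SandboxTimeout(
                f"submission {submission_id} still {state!r} after {timeout_s}s")
        sleep(min(delay, remaining))   # never sleep past the deadline
        delay = min(delay * 2, max_delay_s)


def make_fake_sandbox(statuses):
    """Constructed stand-in for the two actions plus a virtual clock, so the
    loop can be exercised offline. Each get_status call returns the next
    entry of `statuses`; the last entry repeats forever."""
    now = [0.0]
    calls = [0]

    def get_status(submission_id):
        idx = min(calls[0], len(statuses) - 1)
        calls[0] += 1
        return {"id": submission_id, "status": statuses[idx]}

    def get_report(submission_id):
        return {"id": submission_id, "verdict": "malicious", "score": 85}

    def sleep(seconds):
        now[0] += seconds

    def clock():
        return now[0]

    return get_status, get_report, sleep, clock


if __name__ == "__main__":
    gs, gr, sl, ck = make_fake_sandbox(["pending", "processing", "processing", "done"])
    print(wait_for_submission("sub-1", gs, gr, sleep=sl, clock=ck))
```

In a real playbook the two callables wrap the Get Submission Status and Get Submission Report actions; keep timeout_s below the step's own execution limit so the timeout surfaces as a handled error rather than a killed step.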

Create Threat Model Entity

Create threat model entities (actors, campaigns, incidents, signatures, TTPs, and vulnerabilities).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Entity Name Column Name | Column name from the parent table that contains the entity name. The name must be unique per entity. | Required
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required
Is Public | Whether the entity is public or private. Default is False. | Required
TLP Column Name | Column name from the parent table that contains the TLP, the Traffic Light Protocol designation for the entity (Red, Amber, Green, White). | Optional
Jinja Template For Description | Jinja template for the description. Example: This is sample {{desc}}. | Optional
Jinja Template For Tags | Jinja template for a comma-separated list of tags. Example: {{tag1}},{{tag2}} | Optional
Jinja Template For Additional Param in Json Format | Jinja template for additional parameters in JSON format. Example: {"intelligence": [{{intelligence_id_list}}]} | Optional

Output

A JSON object containing multiple rows of results.

Update Threat Model Entity

Update threat model entities (actors, campaigns, incidents, signatures, TTPs, and vulnerabilities).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Entity Id Column Name | Column name from the parent table that contains the entity ID. | Required
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required
Entity Name Column Name | Column name from the parent table that contains the entity name. The name must be unique per entity. | Optional
TLP Column Name | Column name from the parent table that contains the TLP, the Traffic Light Protocol designation for the entity (red, amber, green, white). | Optional
Jinja Template For Description | Jinja template for the description. Example: This is sample {{desc}} | Required
Jinja Template For Tags | Jinja template for a comma-separated list of tags. Example: {{tag1}},{{tag2}} | Optional
Jinja Template For Additional Param in Json Format | Jinja template for additional parameters in JSON format. Example: {"intelligence": [{{intelligence_id_list}}]} | Optional

Output

A JSON object containing multiple rows of results.

Get List of Models

Get a list of threat model entities (actors, campaigns, incidents, signatures, TTPs, and vulnerabilities).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required
Jinja template for filters in JSON Format | Jinja template for filters in JSON format. Example: {"tlp":"{{tlp}}"} | Optional
Explode Results | Select whether to return a separate row for each result or a single row containing all results. Default is Separate Rows. | Optional

Output

A JSON object containing multiple rows of results.

Get Model Description

Get details of a threat model entity (actor, campaign, incident, signature, TTP, or vulnerability).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Entity Id Column Name | Column name from the parent table that contains the entity ID. | Required
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required

Output

A JSON object containing multiple rows of results.

Import With Manual Approval

Import threat data (observables) into ThreatStream and require the approval of the imported data through the ThreatStream UI.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
File Id | Column name from the parent table that contains the file ID. | Required
Classification | Classification of the observable (default is Private). | Optional
Severity | Severity of the observable (default is Low). | Optional
Source Confidence Weight | Weight given to the source-supplied confidence of each observable relative to the confidence ThreatStream computes (default is 100). | Optional
Confidence | Level of certainty that an observable is of the reported indicator type (default is 100). | Optional
IP Mapping | Indicator type to assign to IP observables that have no specific type associated (default is mal_ip). | Optional
Domain Mapping | Indicator type to assign to domain observables that have no specific type associated (default is mal_domain). | Optional
URL Mapping | Indicator type to assign to URL observables that have no specific type associated (default is mal_url). | Optional
Email Mapping | Indicator type to assign to email observables that have no specific type associated (default is mal_email). | Optional
MD5 Mapping | Indicator type to assign to MD5 observables that have no specific type associated (default is mal_md5). | Optional
Trusted Circles | Comma-separated IDs of the trusted circles to which this threat data should be imported (default is no association). | Optional

Output

A JSON object containing multiple rows of results.

Import With Manual Approval V2

Import threat data (observables) into ThreatStream and require the approval of the imported data through the ThreatStream UI.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
File Id | Jinja-templated text for the file ID. Example: {{file_id}} | Optional
Classification | Classification of the observable (default is Private). | Optional
Severity | Severity of the observable (default is Low). | Optional
Source Confidence Weight | Jinja-templated number: weight given to the source-supplied confidence of each observable relative to the confidence ThreatStream computes. | Optional
Confidence | Jinja-templated number: level of certainty that an observable is of the reported indicator type (default is 100). | Optional
IP Mapping | Jinja-templated text: indicator type to assign to IP observables that have no specific type associated (default is mal_ip). | Optional
Domain Mapping | Jinja-templated text: indicator type to assign to domain observables that have no specific type associated (default is mal_domain). | Optional
URL Mapping | Jinja-templated text: indicator type to assign to URL observables that have no specific type associated (default is mal_url). | Optional
Email Mapping | Jinja-templated text: indicator type to assign to email observables that have no specific type associated (default is mal_email). | Optional
MD5 Mapping | Jinja-templated text: indicator type to assign to MD5 observables that have no specific type associated (default is mal_md5). | Optional
Threat Type | Jinja-templated text: type of threat associated with the imported observables (default is malware_md5). | Optional
TLP | Jinja-templated text: Traffic Light Protocol designation for the intelligence. | Optional
Intelligence Source | Jinja-templated text: source from which the intelligence originated. | Optional
Expiration TS | Jinja-templated text: timestamp, in UTC, at which the intelligence expires on ThreatStream. Example: 2017-01-26T00:00:00. Default is 90 days from the current date. For intelligence that never expires, leave this blank and select Set Expiration to never. | Optional
Trusted Circles | Jinja-templated text: comma-separated IDs of the trusted circles to which this threat data should be imported (default is no association). | Optional
Tags | Jinja-templated JSON: array of tag objects. Example: [{"name": "my_tag", "tlp": "red"},{"name":"my_tag2"}]. Note: adding public tags may be restricted by your org admin. | Optional
Set Expiration to never | Select if the expiration should be set to never (default is No). | Optional

Output

A JSON object containing multiple rows of results.
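Several inputs of this action interact: Confidence defaults to 100 only when it is absent (the v3.1.2 release note records a fix for a confidence of 0 being treated as unset), Expiration TS defaults to 90 days unless Set Expiration to never is selected, and Tags is a JSON array whose tlp values must be real TLP colours. The block below is an added example, not LogicHub's or Anomali's code, that assembles these inputs as a dictionary and enforces those rules before anything is sent. The key names in the returned dictionary and the 0-100 range assumed for Source Confidence Weight are illustrative, not the ThreatStream API's field names or documented limits.

```python
import json
from datetime import datetime, timedelta, timezone

TLP_VALUES = {"red", "amber", "green", "white"}
DEFAULT_EXPIRY_DAYS = 90
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"   # the page's example: 2017-01-26T00:00:00
# Fixed reference time used by the demo below (constructed, not "now").
SAMPLE_NOW = datetime(2017, 1, 26, tzinfo=timezone.utc)


def expiration_ts(now=None, days=DEFAULT_EXPIRY_DAYS):
    """Expiration TS in the page's UTC format, `days` from `now` (default 90)."""
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is not None:
        now = now.astimezone(timezone.utc)
    return (now + timedelta(days=days)).strftime(TS_FORMAT)


def normalize_tlp(value):
    """Lower-case a TLP colour and reject anything outside the protocol."""
    tlp = str(value).strip().lower()
    if tlp not in TLP_VALUES:
        raise ValueError(f"TLP must be one of {sorted(TLP_VALUES)}, got {value!r}")
    return tlp


def validate_tags(tags):
    """Accept the Tags value as a JSON string or list and return a clean list.

    Each entry needs a non-empty 'name'; 'tlp' is optional and must be a
    valid TLP colour. Unknown keys are rejected so a typo such as 'tpl'
    cannot silently produce an untagged, publicly visible tag.
    """
    if isinstance(tags, str):
        tags = json.loads(tags)
    if not isinstance(tags, list):
        raise ValueError("Tags must be a JSON array of objects")
    clean = []
    for tag in tags:
        if not isinstance(tag, dict) or not isinstance(tag.get("name"), str) or not tag["name"].strip():
            raise ValueError(f"tag entry needs a non-empty 'name': {tag!r}")
        unknown = set(tag) - {"name", "tlp"}
        if unknown:
            raise ValueError(f"unexpected tag keys {sorted(unknown)}")
        entry = {"name": tag["name"].strip()}
        if "tlp" in tag:
            entry["tlp"] = normalize_tlp(tag["tlp"])
        clean.append(entry)
    return clean


def _percent(name, value):
    """Integer 0-100; booleans are refused because True would pass as 1."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
        raise ValueError(f"{name} must be an integer 0-100, got {value!r}")
    return value


def build_import_params(file_id, *, classification="private", severity="low",
                        confidence=None, source_confidence_weight=None, tlp=None,
                        tags=None, expire_never=False, now=None):
    """Assemble the Import With Manual Approval V2 inputs as a dict.

    Keys are illustrative names for this example, not ThreatStream API fields.
    """
    if not file_id:
        raise ValueError("File Id is required; there is nothing to import without it")
    params = {"file_id": str(file_id), "classification": classification, "severity": severity}
    # Confidence 0 is a meaningful value (an observable you explicitly
    # distrust). Test against None, never truthiness, or 0 silently becomes
    # the default of 100, which is the bug the v3.1.2 release note describes.
    params["confidence"] = 100 if confidence is None else _percent("confidence", confidence)
    if source_confidence_weight is not None:
        params["source_confidence_weight"] = _percent("source_confidence_weight", source_confidence_weight)
    if tlp is not None:
        params["tlp"] = normalize_tlp(tlp)
    if tags is not None:
        params["tags"] = validate_tags(tags)
    if expire_never:
        params["expire_never"] = True        # Set Expiration to never: no timestamp is sent
    else:
        params["expiration_ts"] = expiration_ts(now)
    return params


if __name__ == "__main__":
    print(json.dumps(build_import_params(
        "file-123", confidence=0, tlp="RED",
        tags='[{"name": "my_tag", "tlp": "red"},{"name":"my_tag2"}]',
        now=SAMPLE_NOW), indent=2))
```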

Import Without Manual Approval

Import threat data (observables) into ThreatStream without the approval of the imported data through the ThreatStream UI.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
File Id | Column name from the parent table that contains the file ID. | Required
Classification | Classification of the observable (default is Private). | Optional
Severity | Severity of the observable (default is Low). | Optional
Source Confidence Weight | Weight given to the source-supplied confidence of each observable relative to the confidence ThreatStream computes (default is 100). | Optional
Confidence | Level of certainty that an observable is of the reported indicator type (default is 100). | Optional
IP Mapping | Indicator type to assign to IP observables that have no specific type associated (default is mal_ip). | Optional
Domain Mapping | Indicator type to assign to domain observables that have no specific type associated (default is mal_domain). | Optional
URL Mapping | Indicator type to assign to URL observables that have no specific type associated (default is mal_url). | Optional
Email Mapping | Indicator type to assign to email observables that have no specific type associated (default is mal_email). | Optional
MD5 Mapping | Indicator type to assign to MD5 observables that have no specific type associated (default is mal_md5). | Optional
Trusted Circles | Comma-separated IDs of the trusted circles to which this threat data should be imported (default is no association). | Optional

Output

A JSON object containing multiple rows of results.

Search Threat Models

Search threat models in ThreatStream.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Search String | Jinja-templated search string. Example: {{financial_column_name}}, {{services_column_name}}. | Optional
Threat Model Type | Select the type of threat model (default is All types). | Optional
Result Limit | Result limit (default is 1000). | Optional
Result Offset | Result offset (default is 0). | Optional

Output

A JSON object containing multiple rows of results.

Get Threat Model By Indicator IDs

Get threat model details by indicator IDs from ThreatStream.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Indicator IDs | Column name from the parent table that contains comma-separated indicator IDs. | Required
Threat Model Type | Select the type of threat model. | Required
Result Limit | Result limit (default is 1000). | Optional
Result Offset | Result offset (default is 0). | Optional

Output

A JSON object containing multiple rows of results.

Get Associations for Threat Model

Get association details for the threat model from ThreatStream.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Threat Model ID | Column name from the parent table that contains the ID of the threat model. | Required
Threat Model Type | Select the type of threat model. | Required
Threat Model Association Type | Select the association type of the threat model. | Required
Result Limit | Result limit (default is 1000). | Optional
Result Offset | Result offset (default is 0). | Optional

Output

A JSON object containing multiple rows of results.

Add Attachment To Threat Model Entity

Add an attachment to a threat model entity (actor, campaign, incident, signature, TTP, or vulnerability).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Entity Id | Jinja template for the entity ID. | Required
Model Entity Type | Select a model entity type. | Required
File Id | Jinja template for the ID of the file to upload. Example: {{file_id}} | Required
File Name | Jinja template for the name of the file to upload. Example: {{file_name}} | Required
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests, in milliseconds (default is 0). | Optional

Output

JSON containing the following items:

{
  "has_error": false,
  "result": {
    "created_ts": "2022-09-22T06:28:57.089",
    "tip_report": 435,
    "filename": "testData.csv",
    "signed_url": "https://ts-optic.s3.amazonaws.com/userUploads/2022-09-22/202_userId-20772_testData.csv?Signature=M3NC33OB",
    "modified_ts": "2022-09-22T06:28:57.049",
    "user": {
      "name": "",
      "is_readonly": false,
      "is_active": true,
      "email": "[email protected]",
      "must_change_password": false,
      "can_share_intelligence": true,
      "organization": {
        "resource_uri": "/api/v1/userorganization/24/",
        "id": "284",
        "name": "Test company"
      },
      "avatar_s3_url": null,
      "nickname": null,
      "id": "272",
      "resource_uri": "/api/v1/user/272/"
    },
    "content_type": "",
    "signed_thumbnail_url": null,
    "s3_thumbnail_url": null,
    "s3_url": "http://ts-optic.s3.amazonaws.com/userUploads/2022-09-22/202_06_userId-272_testData.csv",
    "id": "1403"
  },
  "error": null
}
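Two things in that output deserve care in a playbook. The signed_url query string is a pre-signed S3 signature, which is a bearer credential: anyone who obtains the full URL can download the attachment until it expires, so it should not be copied into case notes or step logs. The s3_url in the sample is plain http, which is worth flagging before a downstream step fetches from it. The following is an added example, not LogicHub's or Anomali's code, that validates the has_error/error envelope, extracts the fields a playbook needs, redacts the signature before logging and reports non-https URLs. The sample is a trimmed copy of the page's output with a placeholder email; the hostnames, IDs and signature in it are illustrative.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample, trimmed from the page's example output.
SAMPLE_OUTPUT = {
    "has_error": False,
    "result": {
        "created_ts": "2022-09-22T06:28:57.089",
        "tip_report": 435,
        "filename": "testData.csv",
        "signed_url": "https://ts-optic.s3.amazonaws.com/userUploads/2022-09-22/202_userId-20772_testData.csv?Signature=M3NC33OB",
        "modified_ts": "2022-09-22T06:28:57.049",
        "user": {"id": "272", "email": "user@example.com", "is_readonly": False},
        "content_type": "",
        "s3_url": "http://ts-optic.s3.amazonaws.com/userUploads/2022-09-22/202_06_userId-272_testData.csv",
        "id": "1403",
    },
    "error": None,
}


def redact_url(url):
    """Drop the query string, which carries the pre-signed S3 signature.

    The redacted form still identifies the object for an audit trail but
    cannot be used to download it.
    """
    p = urlsplit(url)
    redacted = urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    return redacted + ("?<redacted>" if p.query else "")


def summarize_attachment(output):
    """Validate the action's envelope and return the fields a playbook needs.

    Raises RuntimeError when the action reported an error and KeyError when
    a field the playbook relies on is missing, instead of letting a None
    propagate into later steps. Non-https URLs are returned as warnings.
    """
    if output.get("has_error") or output.get("error"):
        raise RuntimeError(f"Add Attachment failed: {output.get('error')!r}")
    result = output.get("result") or {}
    for key in ("id", "tip_report", "filename", "signed_url"):
        if key not in result:
            raise KeyError(f"result is missing {key!r}")
    warnings = []
    for key in ("signed_url", "s3_url"):
        url = result.get(key)
        if url:
            scheme = urlsplit(url).scheme
            if scheme != "https":
                warnings.append(f"{key} is served over {scheme}, not https")
    return {
        "attachment_id": str(result["id"]),
        "tip_report": int(result["tip_report"]),
        "filename": result["filename"],
        "uploaded_by": (result.get("user") or {}).get("id"),
        "download_url_for_log": redact_url(result["signed_url"]),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for k, v in summarize_attachment(SAMPLE_OUTPUT).items():
        print(f"{k}: {v}")
```

Keep the unredacted signed_url only in the step that actually fetches the file, and prefer the https signed_url over s3_url for that fetch.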

Release Notes

  • v4.0.11 - Added Expiration time to never as an optional parameter in import with manual approval v2 action.
  • v4.0.8 - Added Tags optional parameter in import with manual approval v2 action.
  • v4.0.0 - Updated architecture to support IO via filesystem
  • v3.3.1 - Added new action - Add Attachment To Threat Model Entity.
  • v3.2.0 - Updated the authentication mechanism in all actions.
  • v3.1.2 - Bug Fix - Resolved the 0 value of confidence in import with manual approval v2 action.
  • v3.1.1 - Bug Fix - Resolved the default value of confidence in import with manual approval v2 action.
  • v3.1.0 - Added new action import with manual approval v2.
  • v3.0.2 - Added a few parameters to the import with approval action.