Anomali Match

Version: 2.0.0

Anomali Match is a Threat Detection Engine purpose-built to automate and speed time to detection in your environment. Anomali Match correlates twelve months of metadata against active threat intelligence to expose previously unknown threats to your organization.

Connect Anomali Match with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Anomali Match.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select whether to verify the connecting server's SSL certificate (the default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • IP or Hostname: IP address or Hostname of your Anomali Match instance.
    • Port: Port on which your Anomali Match instance listens for web connections.
    • Username: Username for Anomali Match.
    • Password: Password for Anomali Match.
  4. After you've entered all the details, click Connect.

Actions for Anomali Match

Run Search

Performs a search for events or intelligence in Anomali Match.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Index | Select the column from the parent table containing the index on which the search is to be performed. Some valid column values: iocmatch*, dga*, threat_bulletin*, actor*, campaign*, ttp*, vulnerability*, incidents*, intelligence*, alert_trigger_records* | Required
Query | Jinja-templated search query string, in either keyword or field-based format. | Required
Fields | Select the column from the parent table containing the comma-separated fields to return in the search results. | Optional
Start Time | Select the column from the parent table containing the start time of the time range for the search. The value can be absolute (ISO) or relative. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000. | Optional
End Time | Select the column from the parent table containing the end time of the time range for the search. The value can be absolute (ISO) or relative. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000. | Optional
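The Start Time and End Time inputs accept three shapes (an ISO timestamp, epoch milliseconds, or a relative expression), and a playbook that feeds them from a parent-table column should validate them before the search runs rather than discover a bad value in a failed action. The following resolver is an added example, not LogicHub or Anomali code. The absolute and epoch forms are unambiguous; the relative forms are assumed to follow the usual date-math convention (an optional "now" anchor, optional +N<unit>/-N<unit> offsets, and an optional "/<unit>" that rounds down to the start of that unit, with weeks assumed to start on Monday). Those semantics, and the helper names, are assumptions rather than documented Anomali behaviour.

```python
"""Resolve Anomali Match Start Time / End Time values (constructed example, not LogicHub/Anomali code).

Assumed semantics for relative values: optional "now" anchor, optional +N<unit> / -N<unit>
offsets, optional "/<unit>" rounding down to the start of that unit. Units: y M w d h m s
(M = month, m = minute). Week start = Monday (assumption).
"""
import calendar
import re
from datetime import datetime, timedelta, timezone

_ISO_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T")
_OFFSET_RE = re.compile(r"([+-])(\d+)([yMwdhms])")
_EXPR_RE = re.compile(r"^(now)?((?:[+-]\d+[yMwdhms])*)(?:/([yMwdhms]))?$")
_TIMEDELTA_UNIT = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes", "s": "seconds"}


def _shift_months(dt, months):
    """Move dt by a signed number of months, clamping the day to the target month's length."""
    total = dt.year * 12 + (dt.month - 1) + months
    year, month0 = divmod(total, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)


def _round_down(dt, unit):
    """Truncate dt to the start of the given unit."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":
        return day - timedelta(days=day.weekday())  # Monday = start of week (assumption)
    if unit == "M":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "y"


def resolve_time(value, now):
    """Return an aware datetime for an ISO, epoch-millisecond or relative value.

    `now` is passed in rather than read from the clock so results are reproducible.
    """
    text = value.strip()
    if text.isdigit():                       # epoch milliseconds, e.g. 1601545500000
        return datetime.fromtimestamp(int(text) / 1000, tz=timezone.utc)
    if _ISO_RE.match(text):                  # absolute ISO timestamp
        dt = datetime.fromisoformat(text)
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    if text[:3].lower() == "now":            # accept "Now/w" as well as "now/w"
        text = "now" + text[3:]
    m = _EXPR_RE.match(text)
    if not m or not (m.group(1) or m.group(2)):
        raise ValueError(f"unrecognised time expression: {value!r}")
    _, offsets, rounding = m.groups()
    dt = now
    for sign, amount, unit in _OFFSET_RE.findall(offsets):
        n = int(amount) if sign == "+" else -int(amount)
        if unit == "y":
            dt = _shift_months(dt, 12 * n)
        elif unit == "M":
            dt = _shift_months(dt, n)
        else:
            dt += timedelta(**{_TIMEDELTA_UNIT[unit]: n})
    return _round_down(dt, rounding) if rounding else dt


def resolve_range(start, end, now):
    """Resolve whichever bounds are present (None = not supplied) and reject an inverted range."""
    start_dt = resolve_time(start, now) if start else None
    end_dt = resolve_time(end, now) if end else None
    if start_dt and end_dt and start_dt > end_dt:
        raise ValueError(f"start {start_dt.isoformat()} is after end {end_dt.isoformat()}")
    return start_dt, end_dt


if __name__ == "__main__":
    NOW = datetime.now(timezone.utc)
    for expr in ["2019-05-01T13:45:30.000000-04:00", "Now/w", "now/M", "-30d/d",
                 "-1y/M", "now", "now-3h", "1601545500000"]:
        print(f"{expr:>34} -> {resolve_time(expr, NOW).isoformat()}")
```

Passing `now` explicitly matters for two reasons: the same playbook run should resolve every row against one reference instant, and the resolver becomes testable without depending on the wall clock. Month and year offsets are applied calendar-wise (31 March minus one month is 28 February), which is why they are not expressed as a fixed timedelta.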

Output

Correlated results with each item in a separate row.

Retrospective/Forensic Search

Performs a retrospective/forensic search on event data in Anomali Match.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Indicators | Select the column from the parent table containing the comma-separated indicators to pass to the search. | Required
Start Time | Select the column from the parent table containing the start time of the time range for the search. The value can be absolute (ISO) or relative. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000. | Optional
End Time | Select the column from the parent table containing the end time of the time range for the search. The value can be absolute (ISO) or relative. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000. | Optional
Search Timeout | Search timeout in seconds for each search (one search per input row). Within this duration the action polls 10 times, equally spaced, for each row. (Default: 60 seconds.) | Optional

Output

Correlated JSON results, one per input row; the lhub_file_id field references the file holding the results of the search for that row.

{
  "status": "completed",
  "category": "forensic_api_result",
  "result_file_name": "org0_20170915_job2731505511245505_result.tar.gz",
  "complete": true,
  "processedFiles": 223,
  "totalMatches": 223,
  "jobid": "job2731505511245505",
  "lhub_file_id": "hadksdyuiekajncmxnc",
  "has_error": false,
  "error": null
}
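The Search Timeout input and the output object above together describe a polling contract: the action asks for the job's status 10 times, equally spaced within the timeout, and returns a result whose complete, status and has_error fields tell the playbook whether the lhub_file_id can be trusted. The following loop is an added example that reproduces that contract so a playbook author can see the three outcomes (completed, API-side error, timeout); it is not LogicHub's implementation. The FakeForensicJob class is a constructed stand-in for the job-status endpoint, and the injected sleep function is there only so the behaviour can be exercised without waiting.

```python
"""Poll a retrospective/forensic job the way the Search Timeout input describes
(constructed example, not LogicHub/Anomali code)."""
import time

POLL_COUNT = 10  # the action polls 10 times, equally spaced, within the timeout


def poll_forensic_job(fetch_status, timeout_seconds=60, sleep=time.sleep):
    """Poll fetch_status() up to POLL_COUNT times over timeout_seconds.

    fetch_status() returns a dict shaped like the action's output. The loop stops early
    on completion or on an API-side error; a job that never completes is returned with
    has_error=True and status="timeout" so downstream steps never read a stale lhub_file_id.
    """
    if timeout_seconds <= 0:
        raise ValueError("timeout_seconds must be positive")
    interval = timeout_seconds / POLL_COUNT
    last = None
    for attempt in range(1, POLL_COUNT + 1):
        last = fetch_status()
        if last.get("has_error"):
            return last
        if last.get("complete") and last.get("status") == "completed":
            return last
        if attempt < POLL_COUNT:          # no point sleeping after the final poll
            sleep(interval)
    return {
        **(last or {}),
        "status": "timeout",
        "complete": False,
        "has_error": True,
        "error": f"job did not complete within {timeout_seconds}s ({POLL_COUNT} polls)",
    }


class FakeForensicJob:
    """Constructed stand-in for the job-status endpoint; completes (or fails) on a chosen poll."""

    def __init__(self, completes_on, fail_on=None, jobid="job2731505511245505"):
        self.completes_on = completes_on
        self.fail_on = fail_on
        self.jobid = jobid
        self.calls = 0

    def fetch_status(self):
        self.calls += 1
        base = {"jobid": self.jobid, "has_error": False, "error": None}
        if self.fail_on is not None and self.calls >= self.fail_on:
            return {**base, "status": "failed", "complete": False,
                    "has_error": True, "error": "constructed API error"}
        if self.calls < self.completes_on:
            return {**base, "status": "running", "complete": False}
        return {**base, "status": "completed", "category": "forensic_api_result",
                "result_file_name": "org0_20170915_job2731505511245505_result.tar.gz",
                "complete": True, "processedFiles": 223, "totalMatches": 223,
                "lhub_file_id": "hadksdyuiekajncmxnc"}


if __name__ == "__main__":
    job = FakeForensicJob(completes_on=4)
    # sleep=lambda s: None keeps the demo instant; the real loop would wait timeout/10 each time
    print(poll_forensic_job(job.fetch_status, timeout_seconds=60, sleep=lambda s: None))
```

With a 60-second timeout the interval is 6 seconds, so a job that needs longer than about 54 seconds is reported as a timeout even though Anomali Match may still finish it later; a playbook that sees status "timeout" should treat the row as unresolved rather than as "no matches".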

Identify DGA Domains

Retrieve the DGA Probability and Malware Family for sets of domains processed by the Anomali Match DGA detection algorithm.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Domain | Select the column from the parent table containing domains. | Required

Output

A JSON object containing multiple rows of correlated results:

{
  "registered_domain": false,
  "malware_family": "Conficker,Dircrypt,Gameover_P2P,Hesperbot,MadMax,Necurs,Nymaim,Oderoor,Proslikefan,Pushdo,Pykspa,Pykspa2,QakBot,Ramnit,Recurs,Tempedreve,Urlzone,Vidro",
  "probability": 1,
  "has_error": false,
  "error": null
}
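The Identify DGA Domains output carries a probability, a flag for whether the domain is registered, and a comma-separated malware_family string, so the useful playbook step after this action is a triage that buckets each row and normalises the family list. The following is an added example, not LogicHub or Anomali code; it assumes each row is the action's output object joined with the queried domain under a column named domain (an assumption), treats probability as a 0..1 score, and uses constructed thresholds rather than any Anomali default. The sample rows are constructed, with the first one reusing the family list shown in the output above.

```python
"""Triage rows from the Identify DGA Domains action (constructed example, not LogicHub/Anomali code)."""


def parse_families(value):
    """Split the comma-separated malware_family string into a de-duplicated, ordered list."""
    if not value:
        return []
    seen, families = set(), []
    for name in (part.strip() for part in value.split(",")):
        if name and name not in seen:
            seen.add(name)
            families.append(name)
    return families


def triage_dga_rows(rows, flag_threshold=0.9, review_threshold=0.5):
    """Bucket rows into 'flag', 'review', 'clear' and 'error' (thresholds are constructed).

    Rows with has_error set, or with no probability at all, go to 'error' so a failed
    lookup is never silently treated as a benign domain.
    """
    buckets = {"flag": [], "review": [], "clear": [], "error": []}
    for row in rows:
        domain = row.get("domain")  # 'domain' column name is an assumption
        if row.get("has_error") or row.get("probability") is None:
            buckets["error"].append({"domain": domain,
                                     "error": row.get("error") or "no probability returned"})
            continue
        p = float(row["probability"])
        verdict = "flag" if p >= flag_threshold else "review" if p >= review_threshold else "clear"
        buckets[verdict].append({
            "domain": domain,
            "probability": p,
            "registered_domain": bool(row.get("registered_domain")),
            "malware_families": parse_families(row.get("malware_family")),
        })
    return buckets


# Constructed sample rows; the first reuses the family list from the documented output.
SAMPLE_ROWS = [
    {"domain": "example-dga-1.invalid", "registered_domain": False, "probability": 1,
     "malware_family": "Conficker,Dircrypt,Gameover_P2P,Hesperbot,MadMax,Necurs,Nymaim,Oderoor,"
                       "Proslikefan,Pushdo,Pykspa,Pykspa2,QakBot,Ramnit,Recurs,Tempedreve,Urlzone,Vidro",
     "has_error": False, "error": None},
    {"domain": "example-dga-2.invalid", "registered_domain": True, "probability": 0.62,
     "malware_family": "Necurs, Necurs", "has_error": False, "error": None},
    {"domain": "example-clean.invalid", "registered_domain": True, "probability": 0.03,
     "malware_family": "", "has_error": False, "error": None},
    {"domain": "example-broken.invalid", "registered_domain": None, "probability": None,
     "malware_family": None, "has_error": True, "error": "constructed lookup failure"},
]


if __name__ == "__main__":
    for bucket, items in triage_dga_rows(SAMPLE_ROWS).items():
        print(bucket, [item["domain"] for item in items])
```

The 'review' bucket is where a human decision belongs before the Whitelist DGA Domains action below is used: a registered domain with a middling score is a plausible whitelist candidate, but whitelisting should be an explicit step, not an automatic consequence of a low score.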

Whitelist DGA Domains

Adds DGA Domains to the DGA Whitelist.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Domain | Select the column from the parent table containing domains. | Required

Output

A JSON object containing multiple rows of correlated results:

{
  "status_code": 200,
  "message": "",
  "has_error": false,
  "error": true
}

Un-Whitelist DGA Domains

Removes DGA Domains from the DGA Whitelist.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Domain | Select the column from the parent table containing domains. | Required

Output

A JSON object containing multiple rows of correlated results:

{
  "status_code": 200,
  "message": "",
  "has_error": false,
  "error": true
}

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

© Devo Technology Inc. All Rights Reserved.