Anomali Match
Version: 2.0.0
Anomali Match is a Threat Detection Engine purpose-built to automate and speed time to detection in your environment. Anomali Match correlates twelve months of metadata against active threat intelligence to expose previously unknown threats to your organization.
Connect Anomali Match with LogicHub
- Navigate to Automations > Integrations.
- Search for Anomali Match.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- IP or Hostname: IP address or Hostname of your Anomali Match instance.
- Port: Port on which your Anomali Match instance listens for web connections.
- Username: Username for Anomali.
- Password: Password for Anomali Match.
- After you've entered all the details, click Connect.
Actions for Anomali Match
Run Search
Performs a search for events or intelligence in Anomali Match.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Index | Select column from parent table containing index on which the search is to be performed. Some valid column values: iocmatch*, dga*, threat_bulletin*, actor*, campaign*, ttp*, vulnerability*, incidents*, intelligence*, alert_trigger_records* | Required |
Query | Jinja-templated search query string in either of these formats: keyword or field-based. | Required |
Fields | Select column from parent table containing comma-separated fields to return in the search results. | Optional |
Start Time | Select column from parent table containing start-time of time-range for the search. The time values can be specified in absolute (ISO) or relative format. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000. | Optional |
End Time | Select column from parent table containing end-time of time-range for the search. The time values can be specified in absolute (ISO) or relative format. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000. | Optional |
Output
Correlated results with each item in a separate row.
Retrospective/Forensic Search
Performs a retrospective/forensic search on event data in Anomali Match.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Indicators | Select a column from the parent table containing comma-separated indicators to pass to the search. | Required |
Start Time | Select column from parent table containing start-time of time-range for the search. The time values can be specified in absolute (ISO) or relative format. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000. | Optional |
End Time | Select column from parent table containing end-time of time-range for the search. The time values can be specified in absolute (ISO) or relative format. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000. | Optional |
Search Timeout | Enter search timeout in seconds for each search/row. The action will poll for 10 times in this duration equally spaced for each row of input. (Default is 60 seconds). | Optional |
Output
Correlated JSON results containing lhub_file_id
that contains the results of running the above action per input row.
{
"status": "completed",
"category": "forensic_api_result",
"result_file_name": "org0_20170915_job2731505511245505_result.tar.gz",
"complete": true,
"processedFiles": 223,
"totalMatches": 223,
"jobid": "job2731505511245505",
"lhub_file_id": "hadksdyuiekajncmxnc",
"has_error": false,
"error": null
}
Identify DGA Domains
Retrieve the DGA Probability and Malware Family for sets of domains processed by the Anomali Match DGA detection algorithm.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Domain | Select column from parent table containing domains. | Required |
Output
A JSON object containing multiple rows of correlated results:
{
"registered_domain": false,
"malware_family": "Conficker,Dircrypt,Gameover_P2P,Hesperbot,MadMax,Necurs,Nymaim,Oderoor,Proslikefan,Pushdo,Pykspa,Pykspa2,QakBot,Ramnit,Recurs,Tempedreve,Urlzone,Vidro",
"probability": 1,
"has_error": false,
"error": null
}
Whitelist DGA Domains
Adds DGA Domains to the DGA Whitelist.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Domain | Select column from parent table containing domains. | Required |
Output
A JSON object containing multiple rows of correlated results:
{
"status_code": 200,
"message": "",
"has_error": false,
"error": true
}
Un-Whitelist DGA Domains
Removes DGA Domains from the DGA Whitelist.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Domain | Select column from parent table containing domains. | Required |
Output
A JSON object containing multiple rows of correlated results:
{
"status_code": 200,
"message": "",
"has_error": false,
"error": true
}
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem
Updated 12 months ago