Anomali Match

Anomali Match is a Threat Detection Engine purpose-built to automate and speed time to detection in your environment. Anomali Match correlates twelve months of metadata against active threat intelligence to expose previously unknown threats to your organization.

Integration with LogicHub

Connecting with Anomali Match

To connect to Anomali Match, the following details are required:

  • IP or Hostname: IP address or Hostname of your Anomali Match instance
  • Port: Port on which your Anomali Match instance listens for web connections
  • Username: Username for Anomali
  • Password: Password for Anomali Match

Actions with Anomali Match

Run Search

Performs a search for events or intelligence in Anomali Match.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • Index: Select the column from the parent table containing the index on which the search is to be performed. Some valid column values: iocmatch*, dga*, threat_bulletin*, actor*, campaign*, ttp*, vulnerability*, incidents*, intelligence*, alert_trigger_records*
  • Query: Jinja-templated search query string, in either keyword or field-based format.
  • Fields (Optional): Select the column from the parent table containing the comma-separated fields to return in the search results.
  • Start Time (Optional): Select the column from the parent table containing the start of the time range for the search. The time value can be given in absolute (ISO) or relative format. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000.
  • End Time (Optional): Select the column from the parent table containing the end of the time range for the search. The time value can be given in absolute (ISO) or relative format. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000.

Output of Action
Correlated results with each item in a separate row.

Retrospective/Forensic Search

Performs a retrospective/forensic search on event data in Anomali Match.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • Indicators: Select a column from the parent table containing comma-separated indicators to pass to the search.
  • Start Time (Optional): Select the column from the parent table containing the start of the time range for the search. The time value can be given in absolute (ISO) or relative format. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000.
  • End Time (Optional): Select the column from the parent table containing the end of the time range for the search. The time value can be given in absolute (ISO) or relative format. For example: 2019-05-01T13:45:30.000000-04:00, Now/w, now/M, -30d/d, -1y/M, now, now-3h, 1601545500000.
  • Search Timeout (Optional): Enter the search timeout in seconds for each search/row. Within this duration the action polls 10 times, equally spaced, for each row of input. (Default is 60 seconds.)
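
The Start Time and End Time inputs of Run Search and Retrospective/Forensic Search accept absolute (ISO), epoch-millisecond and relative values. The following is an added example, not part of this page or of LogicHub's or Anomali's own code, that resolves each accepted form to a concrete timestamp and rejects a range whose start does not precede its end, so a playbook can validate column values before a row reaches the action. It assumes the relative syntax follows Elasticsearch-style date math (case-sensitive unit letters, weeks starting on Monday, naive ISO values treated as UTC); `resolve_time` and `validate_range` are names chosen for this example.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Relative form: optional "now" anchor, optional signed offset, optional "/unit" rounding.
# Unit letters are case-sensitive (m = minute, M = month); "now" itself is not.
_RELATIVE = re.compile(r"(?P<anchor>(?i:now))?(?P<offset>[+-]\d+[smhdwMy])?(?:/(?P<round>[smhdwMy]))?")
_DELTA = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def _shift(t, n, unit):
    """Move t by n units; month/year arithmetic clamps the day (assumed date-math semantics)."""
    if unit in _DELTA:
        return t + timedelta(**{_DELTA[unit]: n})
    total = t.year * 12 + t.month - 1 + (n if unit == "M" else 12 * n)
    year, month = divmod(total, 12)
    return t.replace(year=year, month=month + 1, day=min(t.day, calendar.monthrange(year, month + 1)[1]))

def _round_down(t, unit):
    """Truncate t to the start of the unit; weeks start on Monday (assumption)."""
    if unit == "w":
        t, unit = t - timedelta(days=t.weekday()), "d"
    keep = {"s": 6, "m": 5, "h": 4, "d": 3, "M": 2, "y": 1}[unit]
    parts = [t.year, t.month, t.day, t.hour, t.minute, t.second]
    return datetime(*(parts[:keep] + [0, 1, 1, 0, 0, 0][keep:]), tzinfo=t.tzinfo)

def resolve_time(value, now=None):
    """Resolve an absolute (ISO), epoch-millisecond or relative value to an aware datetime.
    `now` can be injected to make results deterministic; naive ISO values are taken as UTC."""
    v = value.strip()
    now = now or datetime.now(timezone.utc)
    if re.fullmatch(r"\d{13}", v):                      # e.g. 1601545500000
        return datetime.fromtimestamp(int(v) / 1000, tz=timezone.utc)
    m = _RELATIVE.fullmatch(v)
    if m and (m.group("anchor") or m.group("offset")):  # e.g. now-3h, -30d/d, Now/w
        t = now
        if m.group("offset"):
            t = _shift(t, int(m.group("offset")[:-1]), m.group("offset")[-1])
        return _round_down(t, m.group("round")) if m.group("round") else t
    try:
        t = datetime.fromisoformat(v)                   # e.g. 2019-05-01T13:45:30.000000-04:00
    except ValueError:
        raise ValueError(f"unrecognised time value: {value!r}") from None
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)

def validate_range(start, end, now=None):
    """Check a Start Time / End Time pair before the row is handed to the action."""
    s, e = resolve_time(start, now), resolve_time(end, now)
    if s >= e:
        raise ValueError(f"start {start!r} does not precede end {end!r}")
    return s, e
```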

Output of Action
One row of correlated JSON per input row, including an lhub_file_id that refers to the file holding the results of running the action for that row.

{
  "status": "completed",
  "category": "forensic_api_result",
  "result_file_name": "org0_20170915_job2731505511245505_result.tar.gz",
  "complete": true,
  "processedFiles": 223,
  "totalMatches": 223,
  "jobid": "job2731505511245505",
  "lhub_file_id": "hadksdyuiekajncmxnc",
  "has_error": false,
  "error": null
}

Identify DGA Domains

Retrieve the DGA Probability and Malware Family for sets of domains processed by the Anomali Match DGA detection algorithm.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • Domain: Select column from parent table containing domains.

Output of Action
Multiple rows of correlated JSON containing the following items:

{
  "registered_domain": false,
  "malware_family": "Conficker,Dircrypt,Gameover_P2P,Hesperbot,MadMax,Necurs,Nymaim,Oderoor,Proslikefan,Pushdo,Pykspa,Pykspa2,QakBot,Ramnit,Recurs,Tempedreve,Urlzone,Vidro",
  "probability": 1,
  "has_error": false,
  "error": null
}

Whitelist DGA Domains

Adds DGA Domains to the DGA Whitelist.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • Domain: Select column from parent table containing domains.

Output of Action
Multiple rows of correlated JSON containing the following items:

{
  "status_code": 200,
  "message": "",
  "has_error": false,
  "error": true
}

Un-Whitelist DGA Domains

Removes DGA Domains from the DGA Whitelist.

Inputs to Action

  • Connection: Choose a connection that you have created.
  • Domain: Select column from parent table containing domains.

Output of Action
Multiple rows of correlated JSON containing the following items:

{
  "status_code": 200,
  "message": "",
  "has_error": false,
  "error": true
}
