ANOMALI
About
Anomali delivers intelligence-driven cybersecurity solutions, including ThreatStream®, Match™, and Lens™. Companies use Anomali to enhance threat visibility, automate threat processing and detection, and accelerate threat investigation, response, and remediation.
Product Details
Vendor URL: ANOMALI
Product Type: Threat Intelligence Feed
Integration Method: API
Parser Details
Log Format: JSON
Expected Normalization Rate: 95%
Data Label: ANOMALI_IOC
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| cn1 | metadata.threat.confidence_details |
| cn2 | metadata.threat.rule_id |
| cs2 | metadata.threat.threat_name |
| cs5 | metadata.threat.description |
| cs6 | metadata.threat.category_details |
| device_product | metadata.product_name |
| device_vendor | metadata.vendor_name |
| device_version | metadata.product_version |
| msg | metadata.threat.summary |
| object.country | entity.location.country_or_region |
| object.created_ts | metadata.interval.start_time |
| object.expiration_ts | metadata.interval.end_time |
| object.id | metadata.product_entity_id |
| object.ip | entity.ip |
| object.itype | metadata.threat.category_details |
| object.latitude | entity.location.region_longitude |
| object.meta.detail2 | metadata.threat.description |
| object.meta.severity | metadata.threat.severity |
| object.org | entity.administrative_domain |
| object.resource_uri | entity.url |
| object.source | metadata.threat.threat_name |
| object.value | entity.ip |
| sec_result_status | metadata.threat.threat_status |
| shost | entity.hostname |
| shost | entity.url |
| src | entity.ip |
Product Event Types
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| "9","10","VERY-HIGH","very-high" | CRITICAL | URL | yes |
| "ip","ipv6" | | IP_ADDRESS | |
| "domain" | | DOMAIN_NAME | |
| "email" | | USER | |
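The two tables above (the field mapping and the event type classification) can be exercised end to end with the following Python, which is an added illustration and not the Chronicle parser or any Anomali code. It applies the source-to-UDM mapping to a constructed IOC record, reading and writing dotted names as nested paths. Several assumptions are labelled in the code: the IOC type is taken from an assumed `object.type` field, the first row of the event type table is read as severity values that normalize to CRITICAL, and where several source fields feed one UDM field (for example `cs2` and `object.source` both feeding `metadata.threat.threat_name`) the first value found is kept, since the page states no precedence.

```python
"""Added example: apply the ANOMALI_IOC field mapping and type classification
from the tables above to a constructed record. Illustrative only; not the
Chronicle parser itself."""

# Source field -> UDM fields it feeds (a source may populate more than one).
FIELD_MAP = {
    "cn1": ["metadata.threat.confidence_details"],
    "cn2": ["metadata.threat.rule_id"],
    "cs2": ["metadata.threat.threat_name"],
    "cs5": ["metadata.threat.description"],
    "cs6": ["metadata.threat.category_details"],
    "device_product": ["metadata.product_name"],
    "device_vendor": ["metadata.vendor_name"],
    "device_version": ["metadata.product_version"],
    "msg": ["metadata.threat.summary"],
    "object.country": ["entity.location.country_or_region"],
    "object.created_ts": ["metadata.interval.start_time"],
    "object.expiration_ts": ["metadata.interval.end_time"],
    "object.id": ["metadata.product_entity_id"],
    "object.ip": ["entity.ip"],
    "object.itype": ["metadata.threat.category_details"],
    "object.latitude": ["entity.location.region_longitude"],
    "object.meta.detail2": ["metadata.threat.description"],
    "object.meta.severity": ["metadata.threat.severity"],
    "object.org": ["entity.administrative_domain"],
    "object.resource_uri": ["entity.url"],
    "object.source": ["metadata.threat.threat_name"],
    "object.value": ["entity.ip"],
    "sec_result_status": ["metadata.threat.threat_status"],
    "shost": ["entity.hostname", "entity.url"],
    "src": ["entity.ip"],
}

# IOC type -> UDM entity classification, from the Product Event Types table.
TYPE_TO_CLASSIFICATION = {
    "ip": "IP_ADDRESS",
    "ipv6": "IP_ADDRESS",
    "domain": "DOMAIN_NAME",
    "email": "USER",
}

# Assumption: the first row of the event type table lists severity values
# that normalize to CRITICAL. Compared case-insensitively.
CRITICAL_SEVERITY_VALUES = {"9", "10", "very-high"}

# Constructed sample record (not real Anomali output).
SAMPLE_RECORD = {
    "device_vendor": "Anomali",
    "device_product": "ThreatStream",
    "device_version": "1.0",
    "msg": "Suspicious scanning source",
    "cn1": 85,
    "cs2": "feed-example",
    "object": {
        "id": 12345,
        "type": "ip",  # assumed field name for the IOC type
        "itype": "scan_ip",
        "value": "203.0.113.7",
        "country": "ZZ",
        "org": "Example Org",
        "created_ts": "2024-01-01T00:00:00Z",
        "expiration_ts": "2024-03-01T00:00:00Z",
        "meta": {"severity": "very-high", "detail2": "Seen scanning"},
    },
}


def get_path(record, dotted):
    """Read a dotted path from nested dicts; None when any segment is missing."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(target, dotted, value):
    """Write a dotted path into nested dicts, creating intermediate levels."""
    parts = dotted.split(".")
    cur = target
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def normalize(record):
    """Map one source record to a UDM-shaped dict using FIELD_MAP."""
    udm = {}
    for src, dests in FIELD_MAP.items():
        value = get_path(record, src)
        if value is None:
            continue
        for dest in dests:
            # First value found wins when several sources feed one UDM field.
            if get_path(udm, dest) is None:
                set_path(udm, dest, value)
    sev = get_path(udm, "metadata.threat.severity")
    if sev is not None and str(sev).lower() in CRITICAL_SEVERITY_VALUES:
        set_path(udm, "metadata.threat.severity", "CRITICAL")
    return udm


def classify(record):
    """Return the UDM entity classification for the record's IOC type, or None."""
    ioc_type = get_path(record, "object.type")
    return TYPE_TO_CLASSIFICATION.get(str(ioc_type).lower()) if ioc_type else None


if __name__ == "__main__":
    import json
    print(json.dumps(normalize(SAMPLE_RECORD), indent=2))
    print(classify(SAMPLE_RECORD))
```

Running it shows which UDM fields a given record actually populates, which is the quickest way to see why a field such as `entity.ip` is sourced from three different inputs and to check how records with an unlisted type (none of ip, ipv6, domain, email) fall outside the classification table.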