ANOMALI
About
Anomali delivers intelligence-driven cybersecurity solutions, including ThreatStream®, Match™, and Lens™. Companies use Anomali to enhance threat visibility, automate threat processing and detection, and accelerate threat investigation, response, and remediation.
Product Details
Vendor URL: ANOMALI
Product Type: Threat Intelligence Feed
Integration Method: API
Parser Details
Log Format: JSON
Expected Normalization Rate: 95%
Data Label: ANOMALI_IOC
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
cn1 | metadata.threat.confidence_details |
cn2 | metadata.threat.rule_id |
cs2 | metadata.threat.threat_name |
cs5 | metadata.threat.description |
cs6 | metadata.threat.category_details |
device_product | metadata.product_name |
device_vendor | metadata.vendor_name |
device_version | metadata.product_version |
msg | metadata.threat.summary |
object.country | entity.location.country_or_region |
object.created_ts | metadata.interval.start_time |
object.expiration_ts | metadata.interval.end_time |
object.id | metadata.product_entity_id |
object.ip | entity.ip |
object.itype | metadata.threat.category_details |
object.latitude | entity.location.region_longitude |
object.meta.detail2 | metadata.threat.description |
object.meta.severity | metadata.threat.severity |
object.org | entity.administrative_domain |
object.resource_uri | entity.url |
object.source | metadata.threat.threat_name |
object.value | entity.ip |
sec_result_status | metadata.threat.threat_status |
shost | entity.hostname |
shost | entity.url |
src | entity.ip |
Product Event Types
type,subtype | severity | UDM Event Classification | alerting enabled |
---|---|---|---|
"9","10","VERY-HIGH", "very-high" | CRITICAL | URL | yes |
"ip","ipv6" | | IP_ADDRESS | |
"domain" | | DOMAIN_NAME | |
"email" | | USER | |
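The two tables above state the mapping statically. As an added example (not Anomali's or the parser's own code), the Python below applies a subset of the Log File Field to UDM Field table and the Product Event Types classification to a constructed ANOMALI_IOC record, resolving the dotted object.* paths and merging the several source fields that all feed entity.ip. The output key udm_event_classification and the sample values are my own assumptions.

```python
import json
# Subset of the Log File Field -> UDM Field table (dotted paths on both sides).
FIELD_MAP = {
    "cn1": "metadata.threat.confidence_details", "cn2": "metadata.threat.rule_id",
    "cs2": "metadata.threat.threat_name", "object.id": "metadata.product_entity_id",
    "object.itype": "metadata.threat.category_details",
    "object.meta.severity": "metadata.threat.severity",
    "object.created_ts": "metadata.interval.start_time",
    "object.expiration_ts": "metadata.interval.end_time",
    "object.org": "entity.administrative_domain",
    "object.country": "entity.location.country_or_region",
    "object.ip": "entity.ip", "object.value": "entity.ip", "src": "entity.ip",
    "shost": "entity.hostname",
}
# Indicator type -> UDM Event Classification, from the Product Event Types table.
ENTITY_TYPE = {"ip": "IP_ADDRESS", "ipv6": "IP_ADDRESS",
               "domain": "DOMAIN_NAME", "email": "USER"}
def get_path(obj, dotted):  # resolve a dotted path such as object.meta.severity
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj
def set_path(obj, dotted, value):  # create nested dicts along a dotted UDM path
    *parents, leaf = dotted.split(".")
    for part in parents:
        obj = obj.setdefault(part, {})
    obj[leaf] = value
def normalize(record):  # map one raw record to a UDM-shaped dict
    udm = {}
    for src_field, udm_field in FIELD_MAP.items():
        value = get_path(record, src_field)
        if value in (None, ""):
            continue  # absent or empty source field: leave the UDM field unset
        if udm_field == "entity.ip":  # three source fields feed one repeated field
            ips = get_path(udm, "entity.ip") or []
            if value not in ips:
                set_path(udm, "entity.ip", ips + [value])
        else:
            set_path(udm, udm_field, value)
    # Assumed output key; classification is keyed on the indicator type.
    udm["udm_event_classification"] = ENTITY_TYPE.get(get_path(record, "object.itype"))
    return udm
# Constructed sample record, not real Anomali data.
SAMPLE = {"cn1": 85, "cn2": 12345, "cs2": "Example Feed", "src": "203.0.113.7",
          "object": {"id": 9001, "itype": "ip", "ip": "203.0.113.7", "value": "203.0.113.7",
                     "org": "Example Org", "country": "US", "meta": {"severity": "very-high"},
                     "created_ts": "2024-01-01T00:00:00Z", "expiration_ts": "2024-02-01T00:00:00Z"}}
if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE), indent=2))
```

Running it on a real feed export and diffing against what the parser emits is a quick way to spot fields the table lists but the feed never populates.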
Rules
Coming Soon