ANOMALI

About

Anomali delivers intelligence-driven cybersecurity solutions, including ThreatStream®, Match™, and Lens™. Companies use Anomali to enhance threat visibility, automate threat processing and detection, and accelerate threat investigation, response, and remediation.

Product Details

Vendor URL: ANOMALI

Product Type: Threat Intelligence Feed

Integration Method: API

Parser Details

Log Format: JSON

Expected Normalization Rate: 95%

Data Label: ANOMALI_IOC

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field          UDM Field
cn1                     metadata.threat.confidence_details
cn2                     metadata.threat.rule_id
cs2                     metadata.threat.threat_name
cs5                     metadata.threat.description
cs6                     metadata.threat.category_details
device_product          metadata.product_name
device_vendor           metadata.vendor_name
device_version          metadata.product_version
msg                     metadata.threat.summary
object.country          entity.location.country_or_region
object.created_ts       metadata.interval.start_time
object.expiration_ts    metadata.interval.end_time
object.id               metadata.product_entity_id
object.ip               entity.ip
object.itype            metadata.threat.category_details
object.latitude         entity.location.region_longitude
object.meta.detail2     metadata.threat.description
object.meta.severity    metadata.threat.severity
object.org              entity.administrative_domain
object.resource_uri     entity.url
object.source           metadata.threat.threat_name
object.value            entity.ip
sec_result_status       metadata.threat.threat_status
shost                   entity.hostname
shost                   entity.url
src                     entity.ip

Note: the table lists object.latitude as populating entity.location.region_longitude; a latitude value would normally belong in entity.location.region_latitude, so verify this mapping against the parser before relying on location fields. Several UDM fields (entity.ip, metadata.threat.description, metadata.threat.threat_name, metadata.threat.category_details) are fed from more than one log field; which value wins depends on the parser's precedence and on which fields are present in a given record.

Product Event Types

type, subtype                           severity    UDM Event Classification    alerting enabled
"9", "10", "VERY-HIGH", "very-high"     CRITICAL    URL                         yes
"ip", "ipv6"                                        IP_ADDRESS
"domain"                                            DOMAIN_NAME
"email"                                             USER