...


Overview

This integration ingests Anomali Threat Indicators as Devo lookup tables that can be used for threat detection through Devo query enrichment and alerting.

...

  1. Log in to the Anomali ThreatStream Integrator application.

  2. Go to Destinations and create a new Anomali Integrator SDK Destination.

  3. Select the SDK option and click Add.

  4. Configure the following settings:

Name

SDK identifier; the field is auto-filled with a random name. Change this to a name that describes the destination, for example “Devo Destination”.

Indicator filter

Apply filters that affect the output of the IoCs received from the source.

For example, you can select different confidence values, sort the output order, specify the number of search results, and select the desired fields to retrieve. It is possible to use a (*) character to receive all of the information from the source without any filters.

SDK executable command

Specify the path to the main.py file of the Anomali / Devo SDK integration.

This setting is only available in integrator version 6.9.x and earlier. For versions 7.x.x, this information is specified later in this procedure.

Metadata in JSON Format

Specify the directory where all the Devo SSL certificates are stored, the Devo server address where the data is going to be sent and, optionally, the port (default 443).

Sample metadata:

    {
      "endpoint": "collector-us.devo.io",
      "domain_cert": "<domain>.crt",
      "domain_key": "<domain>.key",
      "chain_cert": "chain.crt",
      "cert_path": "/home/ubuntu/AnomaliSDK/certs/",
      "port": 443,
      "endpoint_timeout": 60,
      "rejections": "not_allowed",
      "mode": "verbose"
    }

Each variable is described in the table below.

Integrator API version

Select version 2.0.

Timeout in seconds

The timeout for the SDK; the recommended and default value is 600 seconds.

Intelligence type

Select Indicators Only.

Indicator update mode

Both the Only Changed and Full Snapshot options are supported. The recommended setting for the best performance is the Only Changed option.

Metadata variables (key, allowed values, description):

endpoint (mandatory)

  Allowed values:

  • For customers on the Devo US Cloud: collector-us.devo.io

  • For customers on the Devo EU Cloud: collector-eu.devo.io

  Description: The Devo endpoint that indicators are sent to.

domain_cert (mandatory)

  Allowed values: <domain>.crt, where <domain> is the name of the Devo domain.

  Description: The name of the Devo domain X.509 certificate copied to the ThreatStream server.

domain_key (mandatory)

  Allowed values: <domain>.key, where <domain> is the name of the Devo domain.

  Description: The name of the Devo domain X.509 private key copied to the ThreatStream server.

chain_cert (mandatory)

  Allowed values: chain.crt

  Description: The name of the Devo chain X.509 certificate copied to the ThreatStream server.

cert_path (mandatory)

  Allowed values: File path

  Description: Path to the directory where the Devo X.509 certificates are located on the ThreatStream server.

port (mandatory)

  Allowed values: Number

  Description: The port to connect to Devo on, typically 443.

endpoint_timeout (mandatory)

  Allowed values: Number

  Description: The timeout in seconds applied to the connection to Devo.

rejections

  Allowed values: not_allowed (default) or allowed

  Description:

  • not_allowed: if any indicator does not match the data format required by Devo, no data at all is sent to Devo.

  • allowed: indicators that do not match the data format required by Devo are not sent, while indicators that do match the required format are sent.

mode

  Allowed values: verbose or no_verbose (default)

  Description: The level of detail that the plugin writes to the log files.

  • verbose: all details about the plugin activity and settings are written to the log files.

  • no_verbose: minimal details are written to the log files.

Save the Destination.

  • If you are using version 6.9 or earlier, continue to the next section.

  • If you are using version 7.x.x, a screen is displayed in which you specify the SDK executable command.

Choose one of the following available plugins:

  • Windows OS - Devo-Plugin-WinOS.exe

  • Ubuntu 18 - Devo-Plugin-UbuntuOS-18x

  • Ubuntu 20 - Devo-Plugin-UbuntuOS-20x

  • CentOS 7 - Devo-Plugin-CentOS-7x

  • CentOS 8 - Devo-Plugin-CentOS-8x
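Before saving the Destination it is worth checking the metadata JSON against the rules in the variable table above. The validator below is an added example (not part of the Anomali SDK or the Devo integration): it checks the mandatory keys, the two Devo collector endpoints, that port and endpoint_timeout are positive integers, and the documented rejections and mode values. The sample metadata is the page's example with a placeholder domain, and the check_files option (an assumption of this example) verifies that the certificate files exist under cert_path.

```python
import json
import os

# Rules taken from the metadata variable table above.
MANDATORY_KEYS = ("endpoint", "domain_cert", "domain_key", "chain_cert",
                  "cert_path", "port", "endpoint_timeout")
ALLOWED_ENDPOINTS = {"collector-us.devo.io", "collector-eu.devo.io"}
ALLOWED_REJECTIONS = {"not_allowed", "allowed"}
ALLOWED_MODES = {"verbose", "no_verbose"}
CERT_KEYS = ("domain_cert", "domain_key", "chain_cert")

# Constructed sample: the page's example metadata; "<domain>" is a placeholder.
SAMPLE_METADATA = json.dumps({
    "endpoint": "collector-us.devo.io", "domain_cert": "<domain>.crt",
    "domain_key": "<domain>.key", "chain_cert": "chain.crt",
    "cert_path": "/home/ubuntu/AnomaliSDK/certs/", "port": 443,
    "endpoint_timeout": 60, "rejections": "not_allowed", "mode": "verbose",
})


def validate_metadata(raw: str, check_files: bool = False) -> list:
    """Return the problems found in the SDK metadata JSON (empty list = OK)."""
    try:
        meta = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"metadata is not valid JSON: {exc}"]
    if not isinstance(meta, dict):
        return ["metadata must be a JSON object"]
    errors = [f"missing mandatory key: {k}" for k in MANDATORY_KEYS if k not in meta]
    if "endpoint" in meta and meta["endpoint"] not in ALLOWED_ENDPOINTS:
        errors.append(f"unknown endpoint: {meta['endpoint']!r}")
    for key in ("port", "endpoint_timeout"):
        value = meta.get(key)
        # type() rather than isinstance(): bool is a subclass of int.
        if key in meta and (type(value) is not int or value <= 0):
            errors.append(f"{key} must be a positive integer, got {value!r}")
    if meta.get("rejections", "not_allowed") not in ALLOWED_REJECTIONS:
        errors.append(f"rejections must be one of {sorted(ALLOWED_REJECTIONS)}")
    if meta.get("mode", "no_verbose") not in ALLOWED_MODES:
        errors.append(f"mode must be one of {sorted(ALLOWED_MODES)}")
    if check_files and "cert_path" in meta:
        # Assumed option: the cert files must be present on the ThreatStream server.
        for key in CERT_KEYS:
            path = os.path.join(str(meta["cert_path"]), str(meta.get(key, "")))
            if not os.path.isfile(path):
                errors.append(f"{key} not found at {path}")
    return errors
```

Run validate_metadata(open("metadata.json").read(), check_files=True) on the ThreatStream server; an empty list means the metadata can be pasted into the Destination.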

...

  1. Launch the Data Search menu.

  2. Open the Devo table you want to query.

  3. Compose your initial base query to isolate the data you would like to enrich.

  4. Select the add column function from the toolbar in the data search screen.

  5. Provide a Column Name.

  6. Select custom as the operation type.

  7. Select the Anomali lookup table and field you would like to use for the enrichment from the drop-down list:

  8. Add a new argument to select the field to correlate on. The data type of the selected field must match the data type of the key value in the selected Lookup Table.

  9. Click Create Column.

  10. The new column is added to the data search workspace.

...