Anomali Threat Indicator integration
Overview
This integration ingests Anomali Threat Indicators as Devo lookup tables that can be used for threat detection through Devo query enrichment and alerting.
Use cases
Alerting - detects and alerts on potential security threats through correlation with other data types ingested into Devo, for example firewall, proxy, or EDR logs.
Alert enrichment - adds contextual data about each matched entity and enriches security alerts.
The integration is available to all Devo customers with a valid Anomali subscription.
Benefits
Reduce dwell time - through the correlation of Anomali Threat Intelligence and machine-generated data from systems in the network, your security team can uncover threats that they would otherwise not know about and therefore reduce the dwell time of potential cyber-attacks.
Reduce mean-time-to-respond (MTTR) - enriched alerts provide your security team with additional context about detected threats. This context can help to reduce the time required to complete the triage and / or investigation of the alert, and provide a suitable response to mitigate the threat.
System requirements
In order to use this integration, you will need:
An active Anomali subscription.
The Anomali ThreatStream Integrator application deployed and configured in your environment:
Anomali recommends updating to the latest version of the integrator if possible before you set up the Devo destination. At a minimum, you must have a ThreatStream Integrator installed that supports SDK (v6.6 or later).
If the threat intelligence source for your integrator is ThreatStream OnPrem, the ThreatStream Integrator must be running v6.9.x or later.
An active Devo subscription.
A direct connection from the server hosting ThreatStream OnPrem.
Devo X.509 certificates. See this article for more information.
Configuration and setup
Download the Devo SDK destination from the Anomali Integration downloads page.
Anomali-Devo SDK configuration
Copy the Anomali-Devo SDK to a directory on your Integrator server.
Copy the following Devo certificates from your Devo domain to the Integrator server:
Chain.crt
<your_domain>.crt
<your_domain>.key
Create a ThreatStream Integrator Destination
Log in to the Anomali ThreatStream Integrator application.
Go to Destinations and create a new Anomali Integrator SDK Destination.
Select the SDK option and click Add.
Configure the following settings:
a. Name: the SDK identifier. The field is auto-filled with a random name; change it to a name that describes the destination, for example "Devo Destination".
b. Indicator Filter: apply filters that affect the output of the IoCs received from the source. For example, you can select different confidence values, sort the output order, specify the number of search results, and select the fields to retrieve. Use a (*) character to receive all of the information from the source without any filters.
c. SDK Executable Command: specify the path to the main.py file of the Anomali / Devo SDK integration. This setting is only available in integrator version 6.9.x and earlier. For versions 7.x.x, this information is specified later in this procedure.
d. Metadata in JSON Format: specify the directory where all the Devo SSL certificates are stored, the Devo server address where the data is going to be sent, and optionally the port (default 443). For example:
{"endpoint": "collector-us.devo.io", "domain_cert": "<domain>.crt", "domain_key": "<domain>.key", "chain_cert": "chain.crt", "cert_path": "/home/ubuntu/AnomaliSDK/certs/", "port": 443, "endpoint_timeout": 60, "rejections": "not_allowed", "mode": "verbose"}
Key | Mandatory | Allowed values | Description |
---|---|---|---|
endpoint | Yes | For customers on the Devo US Cloud: collector-us.devo.io. For customers on the Devo EU Cloud: collector-eu.devo.io. Customers on dedicated instances should contact Devo support for this value. | The Devo endpoint that indicators are sent to. |
domain_cert | Yes | <domain>.crt, where <domain> is the name of the Devo domain | The name of the Devo domain X.509 certificate copied to the ThreatStream server. |
domain_key | Yes | <domain>.key, where <domain> is the name of the Devo domain | The name of the Devo domain X.509 private key copied to the ThreatStream server. |
chain_cert | Yes | chain.crt | The name of the Devo X.509 chain certificate copied to the ThreatStream server. |
cert_path | Yes | File path | Path to the directory on the ThreatStream server where the Devo X.509 certificates are located. |
port | Yes | Number | The port to connect to Devo on, typically 443. |
endpoint_timeout | Yes | Number | The timeout in seconds applied to the connection to Devo. |
rejections | No | not_allowed (default) or allowed | If not_allowed: when any indicator does not match the data format required by Devo, no data is sent to Devo. If allowed: indicators that do not match the required data format are not sent, while indicators that do match are sent. |
mode | No | verbose or no_verbose (default) | The level of detail the plugin writes to the log files. If verbose: all details about plugin activity and settings are written to the log files. If no_verbose: minimal detail is written. |
e. Integrator API version: select version 2.0.
f. Timeout in seconds: The timeout for the SDK, the recommended and default value is 600 seconds.
g. Intelligence type: select Indicators Only.
h. Indicator update mode: both the Only Changed and Full Snapshot options are supported. The recommended setting for the best performance is the Only Changed option.
i. Save the Destination.
After saving the destination:
a. If you are using version 6.9 or earlier, continue to the next section.
b. If you are using version 7.x.x, a screen is displayed to specify the SDK executable command.
Choose one of the following available plugins:
Windows OS - Devo-Plugin-WinOS.exe
Ubuntu 18 - Devo-Plugin-UbuntuOS-18x
Ubuntu 20 - Devo-Plugin-UbuntuOS-20x
CentOS 7 - Devo-Plugin-CentOS-7x
CentOS 8 - Devo-Plugin-CentOS-8x
Verifying that data is being processed
The Integrator web application displays the status of each destination. You can verify that data is being processed from the Sources menu and by checking the values displayed on your newly created destination.
Viewing the data in Devo
Lookup management
When the indicators are sent to Devo, a number of lookup tables are created. You can verify that these lookups have been created from the Lookup Management tab in the Data Search menu:
The integration creates five lookup tables:
Lookup table | Description |
---|---|
Anomali_IP_Address_Threat_Intelligence | Contains IP address indicators |
Anomali_URL_Threat_Intelligence | Contains URL indicators |
Anomali_FIle_Hash_Threat_Intelligence | Contains File Hash indicators |
Anomali_Email_Threat_Intelligence | Contains Email Address indicators |
Anomali_Domain_Threat_Intelligence | Contains Domain indicators |
To interact with a Lookup Table, hover over a row and click the three dots that appear as shown in the screenshot below:
Query enrichment
The primary use of lookup table data is to enrich Devo queries that can in turn be transformed into alerts. To enrich a query:
Launch the Data Search menu.
Open the Devo table you want to query.
Compose your initial base query to isolate the data you would like to enrich.
Select the add column function from the toolbar in the data search screen.
Provide a Column Name.
Select custom as the operation type.
Select the Anomali lookup table and field you would like to use for the enrichment from the drop-down list:
Add a new argument to select the field to correlate on. The data type of the selected field must match the data type of the key value in the selected Lookup Table.
Click Create Column.
The new column is added to the data search workspace.
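The enrichment step above is a keyed join: each event's field is looked up against the key column of the Anomali lookup table, and the matching indicator columns are attached to the event, which is then what an alert fires on. The following is an added example, not Devo's or Anomali's code, that does the same join in plain Python over constructed firewall events and a constructed stand-in for the Anomali_IP_Address_Threat_Intelligence lookup. The lookup column names (ip_address, confidence, itype, source) are assumptions made for this example; take the real column names from Lookup Management. It also enforces the rule from the procedure that the event field and the lookup key must share a data type, since a mismatch silently matches nothing.

```python
import csv
import io
from typing import Any, Dict, List

# Constructed stand-in for the Anomali_IP_Address_Threat_Intelligence lookup.
# Column names are assumptions for this example, not the real lookup's schema.
IP_LOOKUP_CSV = """ip_address,confidence,itype,source
198.51.100.23,85,c2_ip,constructed-feed
203.0.113.7,40,scan_ip,constructed-feed
"""

# Constructed firewall events: the "other data type" the indicators are correlated with.
FIREWALL_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.23", "action": "allow"},
    {"ts": "2024-01-01T10:00:05Z", "src_ip": "10.0.0.9", "dst_ip": "192.0.2.10", "action": "allow"},
    {"ts": "2024-01-01T10:00:07Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "action": "deny"},
]


def load_lookup(csv_text: str, key_field: str) -> Dict[str, Dict[str, Any]]:
    """Index lookup rows by their key column, as a lookup table does."""
    table: Dict[str, Dict[str, Any]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["confidence"] = int(row["confidence"])
        table[row[key_field]] = row
    return table


def enrich(events: List[Dict[str, Any]], lookup: Dict[str, Dict[str, Any]],
           event_field: str, min_confidence: int = 0) -> List[Dict[str, Any]]:
    """Attach indicator columns to every event whose event_field is a lookup key.

    This is the 'add column' step done by hand. The event field and the lookup
    key must share a data type or nothing matches, so that is checked up front.
    """
    if not lookup:
        return []
    key_type = type(next(iter(lookup)))
    alerts = []
    for ev in events:
        value = ev[event_field]
        if not isinstance(value, key_type):
            raise TypeError(f"{event_field} is {type(value).__name__}, "
                            f"lookup key is {key_type.__name__}")
        hit = lookup.get(value)
        if hit is None or hit["confidence"] < min_confidence:
            continue
        alerts.append({**ev, "ti_confidence": hit["confidence"],
                       "ti_type": hit["itype"], "ti_source": hit["source"]})
    return alerts


def alert_summary(events: List[Dict[str, Any]], lookup: Dict[str, Dict[str, Any]],
                  event_field: str, min_confidence: int) -> List[str]:
    """One line per alert, the kind of context an enriched alert body carries."""
    return [f"{a['ts']} {a['src_ip']} -> {a['dst_ip']} ({a['action']}) matched "
            f"{a['ti_type']} confidence {a['ti_confidence']} from {a['ti_source']}"
            for a in enrich(events, lookup, event_field, min_confidence)]


if __name__ == "__main__":
    table = load_lookup(IP_LOOKUP_CSV, "ip_address")
    for line in alert_summary(FIREWALL_EVENTS, table, "dst_ip", min_confidence=70):
        print(line)
```

The min_confidence threshold is the local counterpart of the confidence filter set in the destination's Indicator Filter: the lower-confidence scan_ip indicator still enriches the event but drops out of the alert list once the threshold is raised.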
Troubleshooting
The integration writes to a log file named sdk.info.log in the /sdk/logging directory on the Integrator server for troubleshooting purposes. This file contains:
INFO messages showing the status of the SDK destination.
The number of elements sent to Devo and the name of the target Devo lookup table.
The number of IoCs categorized as not active or false positive by Anomali, as these will be removed from the Devo lookup table.
Errors encountered during the execution.
There is also an sdk.error.log file that contains more detail on any WARNING and ERROR messages logged.