Anomali
- Anthony Shevlin (Deactivated)
Anomali is a Threat Intelligence Platform that enables businesses to integrate security products and leverage threat data to defend against cyber threats.
Connect Anomali with Devo SOAR
Navigate to Automations > Integrations.
Search for Anomali.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Base URL (Optional): Leave Empty For Default): Specify the base URL of the Anomali server. Leave empty for default Anomali server. Example: https://192.168.1.1:443 or https://yourhostname.example.com.
API Key: API key for connecting to Anomali.
Username: Username for connecting to Anomali.
After you've entered all the details, click Connect.
Actions for Anomali
URL Scan
Submits a URL or IP address to Anomali for lookup against their threat intelligence database. Based on the results, automate how Incident Response is handled.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Column name | Column name from the parent table containing URL. | Required |
Output
Scan results in JSON format.
Get Reputation
Submits a URL/ IP/ Domain/ md5 of a file/email address to Anomali for lookup against their threat intelligence database. Based on the results, automate how Incident Response is handled.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Observable Column name | Column name from parent table containing observable such as IP address/domain/URL and so on. | Required |
Select Observable Type | URL/ IP/ Domain/ md5 of a file/email | Required |
Output
Reputation results in JSON format.
Get Intelligence
Get intelligence from Threatstream. You can specify the criteria by which the intelligence should be retrieved.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Jinja Template For Filter Criteria | Provide jinja-template for filter Criteria. | Required |
Explode Results | Select whether to return separate rows for each result or a single row containing all results. Default is Separate Rows. | Optional |
Output
Intelligence search results in JSON format.
Submit File or URL
Submit files or URLs to the ThreatStream-hosted Sandbox.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Submission Column Name | Column name from parent table that contains file or URL. | Required |
Sandbox Submission Type | Select File / URL. | Required |
Select Platform | Platform on which the submitted URL or file will be run. Example: WINDOWS7 / WINDOWSXP. | Â |
Sandbox Submission Classification | Classification of the Sandbox submission—public or private. Default is private. | Optional |
Use Premium Sandbox | Specify whether the premium sandbox should be used for detonation. Default is False. | Optional |
Jinja Template for Detail | Jinja Template for a comma-separated list that provides additional details for the indicator. This information is displayed in the Tag column of the ThreatStream UI. Example: {{tag1}},{{tag2}} | Optional |
Output
Submission results in JSON format.
Get Submission Status
Get the status of the submitted file or URL.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Submission Id Column Name | Column name from parent table that contains submission ID. | Required |
Should Wait | Should wait till status is done. Default is False. By default, it will return the current status. | Optional |
Output
Status results in JSON format.
Get Submission Report
Get a submission report of the submitted file or URL.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
 |  |  |
|---|---|---|
Submission Id Column Name | Column name from parent table that contains submission ID. | Required |
Should Wait | Should wait till the report is generated. Default is False. | Optional |
Output
Report data in JSON format.
Create Threat Model Entity
Create threat model entities that is, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Entity Name Column Name | Column name from parent table that contains entity name. The name should be unique for an entity. | Required |
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required |
Is Public | Whether the entity is public or private. Default is False. | Required |
TLP Column Name | Column name from parent table that contains TLP. TLP is the Traffic Light Protocol designation for the entity i.e. Red, Amber, Green, White. | Optional |
Jinja Template For Description | Jinja Template for description. Example: This is sample {{desc}}. | Optional |
Jinja Template For Tags | Jinja Template for comma-separated list of tags. Example: {{tag1}},{{tag2}}. | Optional |
Jinja Template For Additional Param in Json Format | Jinja Template for additional parameters in JSON format. Example: {"intelligence": [{{intelligence_id_list}}]}. | Optional |
Output
A JSON object containing multiple rows of results.
Update Threat Model Entity
Update threat model entities that are, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Entity Id Column Name | Column name from parent table that contains entity ID. | Required |
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required |
Entity Name Column Name | Column name from parent table that contains entity name. The name should be unique for an entity. | Optional |
TLP Column Name | Column name from parent table that contains TLP. TLP is Traffic Light Protocol designation for the entity that is, red, amber, green, white. | Optional |
Jinja Template For Description | Jinja Template for description. Example: This is sample {{desc}} | Required |
Jinja Template For Tags | Jinja Template for comma-separated list of tags. Example: {{tag1}},{{tag2}} | Optional |
Jinja Template For Additional Param in Json Format) | Jinja Template for additional parameters in json format. Example: {"intelligence": [{{intelligence_id_list}}] } | Optional |
Output
A JSON object containing multiple rows of results.
Get List of Models
Get list of threat model entities that is, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required |
Jinja template for filters in JSON Format | Provide Jinja template for filters in JSON format. Example: {"tlp":"{{tlp}}"} | Optional |
Explode Results | Select whether to return separate rows for each result or a single row containing all results. Default is Separate Rows. | Optional |
Output
A JSON object containing multiple rows of results.
Get Model Description
Get details of model entities that is, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Entity Id Column Name | Column name from parent table that contains entity ID. | Required |
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required |
Output
A JSON object containing multiple rows of results.
Import With Manual Approval
Import threat data (observables) into ThreatStream and require the approval of the imported data through the ThreatStream UI.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
File Id | Column name from parent table that contains file id. | Required |
Classification | Select a classification of the observable (default is Private). | Optional |
Severity | Select severity of the observable (default is Low). | Optional |
Source Confidence Weight | The ratio between the amount of the source confidence of each observable and the ThreatStream confidence (default is 100). | Optional |
Confidence | Level of certainty that an observable is of the reported indicator type (default is 100). | Optional |
IP Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_ip). | Optional |
Domain Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_domain). | Optional |
URL Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_url). | Optional |
Email Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_email). | Optional |
MD5 Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_md5). | Optional |
Trusted Circles | Comma-separated IDs of the trusted circle to which this threat data should be imported (default is no association). | Optional |
Output
A JSON object containing multiple rows of results:
Import With Manual Approval V2
Import threat data (observables) into ThreatStream and require the approval of the imported data through the ThreatStream UI.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
File Id | Jinja-templated text for the file id. Example: {{file_id}} | Optional |
Classification | Select a classification of the observable (default is Private). | Optional |
Severity | Select severity of the observable (default is Low). | Optional |
Source Confidence Weight | Jinja-templated number containing the ratio between the amount of the source confidence of each observable and the ThreatStream confidence. | Optional |
Confidence | Jinja-templated number containing the level of certainty that an observable is of the reported indicator type (default is 100). | Optional |
IP Mapping | Jinja-templated text containing the Indicator type to assign if a specific type is not associated with an observable (default is mal_ip). | Optional |
Domain Mapping | Jinja-templated text containing the Indicator type to assign if a specific type is not associated with an observable (default is mal_domain). | Optional |
URL Mapping | Jinja-templated text containing the Indicator type to assign if a specific type is not associated with an observable (default is mal_url). | Optional |
Email Mapping | Jinja-templated text containing the Indicator type to assign if a specific type is not associated with an observable (default is mal_email). | Optional |
MD5 Mapping | Jinja-templated text containing the Indicator type to assign if a specific type is not associated with an observable (default is mal_md5). | Optional |
Threat Type | Jinja-templated text containing the Type of threat associated with the imported observables. (Default is malware_md5) | Optional |
TLP | Jinja-templated text containing the Traffic Light Protocol designation for the intelligence. | Optional |
Intelligence Source | Jinja-templated text containing the Source from which the intelligence originated. | Optional |
Expiration TS | Jinja-templated text containing the Time stamp of when intelligence will expire on ThreatStream, in UTC format. For example, 2017-01-26T00:00:00 (Default is 90 days from the current date.) | Optional |
Trusted Circles | Jinja-templated text containing the Comma-separated IDs of the trusted circle to which this threat data should be imported (default is no association). | Optional |
Output
A JSON object containing multiple rows of results.
Import Without Manual Approval
Import threat data (observables) into ThreatStream without the approval of the imported data through the ThreatStream UI.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
File Id | Column name from parent table that contains entity ID. | Required |
Classification | Select a classification of the observable (default is Private). | Optional |
Severity | Select severity of the observable (default is Low). | Optional |
Source Confidence Weight | The ratio between the amount of the source confidence of each observable and the ThreatStream confidence (default is 100). | Optional |
Confidence | Level of certainty that an observable is of the reported indicator type (default is 100). | Optional |
IP Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_ip). | Optional |
Domain Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_domain). | Optional |
URL Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_url). | Optional |
Email Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_email). | Optional |
MD5 Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_md5). | Optional |
Trusted Circles | Comma-separated IDs of the trusted circle to which this threat data should be imported (default is no association). | Optional |
Output
A JSON object containing multiple rows of results.
Search Threat Models
Retrieve threat model from ThreatStream.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Search String | Jinja-templated search string. Example: {{financial_column_name}}, {{services_column_name}}. | Optional |
Threat Model Type | Select the type of threat model (default is All types). | Optional |
Result Limit | Result limit (default is 1000). | Optional |
Result Offset | Result offset (default is 0). | Optional |
Output
A JSON object containing multiple rows of results.
Get Threat Model By Indicator IDs
Get threat model details by indicator ids from ThreatStream.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Indicator IDs | Column name from parent table that contains comma-separated indicator IDs. | Required |
Threat Model Type | Select the type of threat model. | Required |
Result Limit | Result limit (Default is 1000). | Optional |
Result Offset | Result offset (Default is 0). | Optional |
Output
A JSON object containing multiple rows of results.
Get Associations for Threat Model
Get association details for the threat model from ThreatStream.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Threat Model ID | Column name from parent table that contains the ID of the threat model. | Required |
Threat Model Type | Select the type of threat model. | Required |
Threat Model Association Type | Select the association type of threat model. | Required |
Result Limit | Result limit (Default is 1000). | Optional |
Result Offset | Result offset (Default is 0). | Optional |
Output
A JSON object containing multiple rows of results.
Add Attachment To Threat Model Entity
Add attachment to threat model entities i.e. actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
|---|---|---|
Entity Id | Jinja template for Entity id. | Required |
Model Entity Type | Select a model entity type | Required |
File Id | Jinja template for file id to be uploaded. e.g. {{file_id}} | Required |
File Name | Jinja template for file name to be uploaded. e.g. {{file_name}} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds (Default is 0 milliseconds) | Optional |
Output
JSON containing the following items:
JSON
{
"has_error": false,
"result": {
"created_ts": "2022-09-22T06:28:57.089",
"tip_report": 435,
"filename": "testData.csv",
"signed_url": "https://ts-optic.s3.amazonaws.com/userUploads/2022-09-22/202_userId-20772_testData.csv?Signature=M3NC33OB",
"modified_ts": "2022-09-22T06:28:57.049",
"user": {
"name": "",
"is_readonly": false,
"is_active": true,
"email": "test@threatstream.com",
"must_change_password": false,
"can_share_intelligence": true,
"organization": {
"resource_uri": "/api/v1/userorganization/24/",
"id": "284",
"name": "Test company"
},
"avatar_s3_url": null,
"nickname": null,
"id": "272",
"resource_uri": "/api/v1/user/272/"
},
"content_type": "",
"signed_thumbnail_url": null,
"s3_thumbnail_url": null,
"s3_url": "http://ts-optic.s3.amazonaws.com/userUploads/2022-09-22/202_06_userId-272_testData.csv",
"id": "1403"
},
"error": null
}Release Notes
v4.0.0- Updated architecture to support IO via filesystemv3.3.1- Added new action -Add Attachment To Threat Model Entity.v3.2.0- Updated the authentication mechanism in all actions.v3.1.2- Bug Fix - Resolved the 0 value of confidence in import with manual approval v2 action.v3.1.1- Bug Fix - Resolved the default value of confidence in import with manual approval v2 action.v3.1.0- Added new action import with manual approval v2.v3.0.2- Added few parameters to the import with approval action.