Anomali
Anomali is a Threat Intelligence Platform that enables businesses to integrate security products and leverage threat data to defend against cyber threats.
Connect Anomali with Devo SOAR
Navigate to Automations > Integrations.
Search for Anomali.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Base URL (Optional): Leave Empty For Default): Specify the base URL of the Anomali server. Leave empty for default Anomali server. Example: https://192.168.1.1:443 or https://yourhostname.example.com.
API Key: API key for connecting to Anomali.
Username: Username for connecting to Anomali.
After you've entered all the details, click Connect.
Actions for Anomali
URL Scan
Submits a URL or IP address to Anomali for lookup against their threat intelligence database. Based on the results, automate how Incident Response is handled.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Column name | Column name from the parent table containing URL. | Required |
Output
Scan results in JSON format.
Get Reputation
Submits a URL/ IP/ Domain/ md5 of a file/email address to Anomali for lookup against their threat intelligence database. Based on the results, automate how Incident Response is handled.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Observable Column name | Column name from parent table containing observable such as IP address/domain/URL and so on. | Required |
Select Observable Type | URL/ IP/ Domain/ md5 of a file/email | Required |
Output
Reputation results in JSON format.
Get Intelligence
Get intelligence from Threatstream. You can specify the criteria by which the intelligence should be retrieved.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Jinja Template For Filter Criteria | Provide jinja-template for filter Criteria. | Â |
Example: q=(confidence>={{confidence_value}}+AND+(itype="apt_ip"+OR+itype="bot_ ip"+OR+itype="c2_ip")) | Required | Â |
Explode Results | Select whether to return separate rows for each result or a single row containing all results. Default is Separate Rows. | Optional |
Output
Intelligence search results in JSON format.
Submit File or URL
Submit files or URLs to the ThreatStream-hosted Sandbox.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Submission Column Name | Column name from parent table that contains file or URL. | Required |
Sandbox Submission Type | Select File / URL. | Required |
Select Platform | Platform on which the submitted URL or file will be run. Example: WINDOWS7 / WINDOWSXP. | Â |
Sandbox Submission Classification | Classification of the Sandbox submission—public or private. Default is private. | Optional |
Use Premium Sandbox | Specify whether the premium sandbox should be used for detonation. Default is False. | Optional |
Jinja Template for Detail | Jinja Template for a comma-separated list that provides additional details for the indicator. This information is displayed in the Tag column of the ThreatStream UI. Example: {{tag1}},{{tag2}} | Optional |
Output
Submission results in JSON format.
Get Submission Status
Get the status of the submitted file or URL.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Submission Id Column Name | Column name from parent table that contains submission ID. | Required |
Should Wait | Should wait till status is done. Default is False. By default, it will return the current status. | Optional |
Output
Status results in JSON format.
Get Submission Report
Get a submission report of the submitted file or URL.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
 |  |  |
---|---|---|
Submission Id Column Name | Column name from parent table that contains submission ID. | Required |
Should Wait | Should wait till the report is generated. Default is False. | Optional |
Output
Report data in JSON format.
Create Threat Model Entity
Create threat model entities that is, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Entity Name Column Name | Column name from parent table that contains entity name. The name should be unique for an entity. | Required |
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required |
Is Public | Whether the entity is public or private. Default is False. | Required |
TLP Column Name | Column name from parent table that contains TLP. TLP is the Traffic Light Protocol designation for the entity i.e. Red, Amber, Green, White. | Optional |
Jinja Template For Description | Jinja Template for description. Example: This is sample {{desc}}. | Optional |
Jinja Template For Tags | Jinja Template for comma-separated list of tags. Example: {{tag1}},{{tag2}}. | Optional |
Jinja Template For Additional Param in Json Format | Jinja Template for additional parameters in JSON format. Example: {"intelligence": [{{intelligence_id_list}}]}. | Optional |
Output
A JSON object containing multiple rows of results:
Update Threat Model Entity
Update threat model entities that are, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Entity Id Column Name | Column name from parent table that contains entity ID. | Required |
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required |
Entity Name Column Name | Column name from parent table that contains entity name. The name should be unique for an entity. | Optional |
TLP Column Name | Column name from parent table that contains TLP. TLP is Traffic Light Protocol designation for the entity that is, red, amber, green, white. | Optional |
Jinja Template For Description | Jinja Template for description. Example: This is sample {{desc}} | Required |
Jinja Template For Tags | Jinja Template for comma-separated list of tags. Example: {{tag1}},{{tag2}} | Optional |
Jinja Template For Additional Param in Json Format) | Jinja Template for additional parameters in json format. Example: {"intelligence": [{{intelligence_id_list}}] } | Optional |
Output
A JSON object containing multiple rows of results:
Get List of Models
Get list of threat model entities that is, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required |
Jinja template for filters in JSON Format | Provide Jinja template for filters in JSON format. Example: {"tlp":"{{tlp}}"} | Optional |
Explode Results | Select whether to return separate rows for each result or a single row containing all results. Default is Separate Rows. | Optional |
Output
A JSON object containing multiple rows of results:
Get Model Description
Get details of model entities that is, actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Entity Id Column Name | Column name from parent table that contains entity ID. | Required |
Model Entity Type | Select a model entity type. Example: Actor, Campaign, Incident, and so on. | Required |
Output
A JSON object containing multiple rows of results:
Import With Manual Approval
Import threat data (observables) into ThreatStream and require the approval of the imported data through the ThreatStream UI.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
File Id | Column name from parent table that contains file id. | Required |
Classification | Select a classification of the observable (default is Private). | Optional |
Severity | Select severity of the observable (default is Low). | Optional |
Source Confidence Weight | The ratio between the amount of the source confidence of each observable and the ThreatStream confidence (default is 100). | Optional |
Confidence | Level of certainty that an observable is of the reported indicator type (default is 100). | Optional |
IP Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_ip). | Optional |
Domain Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_domain). | Optional |
URL Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_url). | Optional |
Email Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_email). | Optional |
MD5 Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_md5). | Optional |
Trusted Circles | Comma-separated IDs of the trusted circle to which this threat data should be imported (default is no association). | Optional |
Output
A JSON object containing multiple rows of results:
Import With Manual Approval V2
Import threat data (observables) into ThreatStream and require the approval of the imported data through the ThreatStream UI.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
File Id | Jinja-templated text for the file id. Example: {{file_id}} | Optional |
Classification | Select a classification of the observable (default is Private). | Optional |
Severity | Select severity of the observable (default is Low). | Optional |
Source Confidence Weight | Jinja-templated number containing the ratio between the amount of the source confidence of each observable and the ThreatStream confidence. | Optional |
Confidence | Jinja-templated number containing the level of certainty that an observable is of the reported indicator type (default is 100). | Optional |
IP Mapping | Jinja-templated text containing the Indicator type to assign if a specific type is not associated with an observable (default is mal_ip). | Optional |
Domain Mapping | Jinja-templated text containing the Indicator type to assign if a specific type is not associated with an observable (default is mal_domain). | Optional |
URL Mapping | Jinja-templated text containing the Indicator type to assign if a specific type is not associated with an observable (default is mal_url). | Optional |
Email Mapping | Jinja-templated text containing the Indicator type to assign if a specific type is not associated with an observable (default is mal_email). | Optional |
MD5 Mapping | Jinja-templated text containing the Indicator type to assign if a specific type is not associated with an observable (default is mal_md5). | Optional |
Threat Type | Jinja-templated text containing the Type of threat associated with the imported observables. (Default is malware_md5) | Optional |
TLP | Jinja-templated text containing the Traffic Light Protocol designation for the intelligence. | Optional |
Intelligence Source | Jinja-templated text containing the Source from which the intelligence originated. | Optional |
Expiration TS | Jinja-templated text containing the Time stamp of when intelligence will expire on ThreatStream, in UTC format. For example, 2017-01-26T00:00:00 (Default is 90 days from the current date.) | Optional |
Trusted Circles | Jinja-templated text containing the Comma-separated IDs of the trusted circle to which this threat data should be imported (default is no association). | Optional |
Output
A JSON object containing multiple rows of results:
Import Without Manual Approval
Import threat data (observables) into ThreatStream without the approval of the imported data through the ThreatStream UI.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
File Id | Column name from parent table that contains entity ID. | Required |
Classification | Select a classification of the observable (default is Private). | Optional |
Severity | Select severity of the observable (default is Low). | Optional |
Source Confidence Weight | The ratio between the amount of the source confidence of each observable and the ThreatStream confidence (default is 100). | Optional |
Confidence | Level of certainty that an observable is of the reported indicator type (default is 100). | Optional |
IP Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_ip). | Optional |
Domain Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_domain). | Optional |
URL Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_url). | Optional |
Email Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_email). | Optional |
MD5 Mapping | Indicator type to assign if a specific type is not associated with an observable (default is mal_md5). | Optional |
Trusted Circles | Comma-separated IDs of the trusted circle to which this threat data should be imported (default is no association). | Optional |
Output
A JSON object containing multiple rows of results:
Search Threat Models
Retrieve threat model from ThreatStream.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Search String | Jinja-templated search string. Example: {{financial_column_name}}, {{services_column_name}}. | Optional |
Threat Model Type | Select the type of threat model (default is All types). | Optional |
Result Limit | Result limit (default is 1000). | Optional |
Result Offset | Result offset (default is 0). | Optional |
Output
A JSON object containing multiple rows of results:
Get Threat Model By Indicator IDs
Get threat model details by indicator ids from ThreatStream.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Indicator IDs | Column name from parent table that contains comma-separated indicator IDs. | Required |
Threat Model Type | Select the type of threat model. | Required |
Result Limit | Result limit (Default is 1000). | Optional |
Result Offset | Result offset (Default is 0). | Optional |
Output
A JSON object containing multiple rows of results:
Get Associations for Threat Model
Get association details for the threat model from ThreatStream.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Threat Model ID | Column name from parent table that contains the ID of the threat model. | Required |
Threat Model Type | Select the type of threat model. | Required |
Threat Model Association Type | Select the association type of threat model. | Required |
Result Limit | Result limit (Default is 1000). | Optional |
Result Offset | Result offset (Default is 0). | Optional |
Output
A JSON object containing multiple rows of results:
Add Attachment To Threat Model Entity
Add attachment to threat model entities i.e. actors, campaigns, incidents, signatures, TTPs, and vulnerabilities.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Entity Id | Jinja template for Entity id. | Required |
Model Entity Type | Select a model entity type | Required |
File Id | Jinja template for file id to be uploaded. e.g. {{file_id}} | Required |
File Name | Jinja template for file name to be uploaded. e.g. {{file_name}} | Required |
Time between consecutive API requests (in millis) | Time to wait between consecutive API requests in milliseconds (Default is 0 milliseconds) | Optional |
Output
JSON containing the following items:
{json}{
"has_error": false,
"result": {
"created_ts": "2022-09-22T06:28:57.089",
"tip_report": 435,
"filename": "testData.csv",
"signed_url": "https://ts-optic.s3.amazonaws.com/userUploads/2022-09-22/202_userId-20772_testData.csv?Signature=M3NC33OB",
"modified_ts": "2022-09-22T06:28:57.049",
"user": {
"name": "",
"is_readonly": false,
"is_active": true,
"email": "test@threatstream.com",
"must_change_password": false,
"can_share_intelligence": true,
"organization": {
"resource_uri": "/api/v1/userorganization/24/",
"id": "284",
"name": "Test company"
},
"avatar_s3_url": null,
"nickname": null,
"id": "272",
"resource_uri": "/api/v1/user/272/"
},
"content_type": "",
"signed_thumbnail_url": null,
"s3_thumbnail_url": null,
"s3_url": "http://ts-optic.s3.amazonaws.com/userUploads/2022-09-22/202_06_userId-272_testData.csv",
"id": "1403"
},
"error": null
}
Release Notes
v4.0.0
- Updated architecture to support IO via filesystemv3.3.1
- Added new action -Add Attachment To Threat Model Entity
.v3.2.0
- Updated the authentication mechanism in all actions.v3.1.2
- Bug Fix - Resolved the 0 value of confidence in import with manual approval v2 action.v3.1.1
- Bug Fix - Resolved the default value of confidence in import with manual approval v2 action.v3.1.0
- Added new action import with manual approval v2.v3.0.2
- Added few parameters to the import with approval action.