# Anomali ThreatStream

## Overview

You can use [Anomali ThreatStream](https://www.anomali.com/products/threatstream) as an enrichment source in Panther. ThreatStream aggregates multiple threat feeds into a single high-fidelity repository by normalizing, deduplicating, removing false positives from, and enriching threat data—then associating all related threat indicators.

Learn how to [view stored enrichment data here](https://docs.panther.com/enrichment/..#viewing-and-managing-enrichments), and how to [view log events with enrichment data here](https://docs.panther.com/enrichment/..#viewing-log-events-with-enrichment-data).

{% hint style="warning" %}
Anomali ThreatStream enrichment in Panther requires an Anomali ThreatStream license.
{% endhint %}

### How the Anomali ThreatStream Enrichment Provider works in Panther

By default, Anomali ThreatStream enrichment runs against every log type in your Panther environment (it can be [disabled per log type](#enabling-disabling-or-modifying-anomali-threatstream-enrichment-for-a-log-type), if desired). Before an incoming log event reaches the detection engine, Panther attempts to match it, whatever its log type, against the Anomali enrichment data.

If Panther [identifies a match](#how-a-match-between-a-log-event-and-anomali-is-made) between an incoming event and an Anomali entry, the Anomali data is appended to the matching log event under the top-level `p_enrichment` key, where detection logic and searches can reference it.

If Anomali contains multiple entries for the same indicator and only one of them is active, Panther uses that one. If multiple entries are active, Panther uses the active entry with the highest confidence score.

For more information on detection writing using an enrichment source, see [Writing a detection using Enrichment data](https://docs.panther.com/custom#writing-a-detection-using-lookup-table-data).

#### How a match between a log event and Anomali is made

A log event is enriched with Anomali enrichment data (under `p_enrichment`) if a match is found between:

* Any of the values of the Selector field(s) configured for the event's log type.
  * For each log type, the default Selectors are its [Indicator Fields](https://docs.panther.com/search/panther-fields#indicator-fields) (represented by `p_any_*`), though [the Selectors are configurable](#enabling-disabling-or-modifying-anomali-threatstream-enrichment-for-a-log-type).
* The value of the `match` key in an Anomali table entry in Panther.
  * `match` is the primary key of the Anomali table and is preset by Panther.
  * See an example of `match` in the [example Anomali table entry below](#example-anomali-threatstream-enrichment-table-entry).
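The join and precedence rules above, reduced to runnable form. This is an added example, not Panther's or Anomali's code: it builds a constructed Anomali table (rows shaped like the example entry at the end of this page, trimmed to the fields used), picks the winning row when several share an indicator, joins the event's Selector values against `match`, and then consumes the result from a Python detection in the way the "Writing a detection using Enrichment data" section describes. The provider name `anomali_threatstream`, the `p_enrichment[<provider>][<selector>]` layout, the "no active row means no match" behaviour and the 70-point confidence threshold are assumptions, not documented Panther behaviour.

```python
"""Added example (not Panther's or Anomali's code): model of how an Anomali
row is chosen, joined to an event under p_enrichment, and used by a rule."""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed Anomali rows, same shape as this page's example entry but
# trimmed. Three rows share the indicator 55.44.33.22 with differing status.
ANOMALI_TABLE: List[Dict] = [
    {"id": "457335623", "match": ["55.44.33.22"], "status": "active",
     "confidence": 50, "itype": "mal_ip", "threat_type": "malware",
     "expiration_ts": "2023-11-09 13:35:49", "feed_id": "336"},
    {"id": "457335999", "match": ["55.44.33.22"], "status": "active",
     "confidence": 80, "itype": "c2_ip", "threat_type": "c2",
     "expiration_ts": "2023-12-01 00:00:00", "feed_id": "336"},
    {"id": "457336000", "match": ["55.44.33.22"], "status": "inactive",
     "confidence": 95, "itype": "scan_ip", "threat_type": "scan",
     "expiration_ts": "2023-01-01 00:00:00", "feed_id": "336"},
    {"id": "457336111", "match": ["198.51.100.7"], "status": "inactive",
     "confidence": 70, "itype": "mal_ip", "threat_type": "malware",
     "expiration_ts": "2023-06-01 00:00:00", "feed_id": "336"},
]

# Assumed names: the page does not state how the provider is keyed under
# p_enrichment, so this uses p_enrichment[<provider name>][<selector>].
PROVIDER = "anomali_threatstream"
# Default Selector for the log type is its p_any_* indicator field.
SELECTORS = {"Okta.SystemLog": ["p_any_ip_addresses"]}


def select_entry(entries: List[Dict]) -> Optional[Dict]:
    """Precedence the page describes: one active row wins outright; among
    several active rows the highest confidence wins. Assumption (not on the
    page): with no active row there is no match."""
    active = [e for e in entries if e.get("status") == "active"]
    if not active:
        return None
    return max(active, key=lambda e: e.get("confidence", 0))


def lookup(indicator: str, table: List[Dict] = ANOMALI_TABLE) -> Optional[Dict]:
    """`match` is the table's primary key; an indicator may appear in several rows."""
    return select_entry([e for e in table if indicator in e.get("match", [])])


def enrich(event: Dict, table: List[Dict] = ANOMALI_TABLE) -> Dict:
    """Join each Selector's values against `match`. The first hit per Selector
    is kept (assumption: the page does not say how several hits are handled)."""
    hits: Dict[str, Dict] = {}
    for selector in SELECTORS.get(event.get("p_log_type", ""), []):
        for value in event.get(selector) or []:
            entry = lookup(value, table)
            if entry:
                hits[selector] = entry
                break
    if not hits:
        return dict(event)
    return {**event, "p_enrichment": {**event.get("p_enrichment", {}), PROVIDER: hits}}


def anomali_entry(event: Dict, selector: str = "p_any_ip_addresses") -> Optional[Dict]:
    return event.get("p_enrichment", {}).get(PROVIDER, {}).get(selector)


def rule(event: Dict) -> bool:
    """Panther-style rule body: fire on an Anomali hit with confidence >= 70
    whose expiration_ts is still in the future at p_event_time. The expiry
    check matters because the provider refreshes no more than hourly, so a
    row can expire between refreshes."""
    entry = anomali_entry(event)
    if not entry:
        return False
    expires = datetime.strptime(entry["expiration_ts"], "%Y-%m-%d %H:%M:%S")
    seen = datetime.strptime(event["p_event_time"][:19], "%Y-%m-%d %H:%M:%S")
    return entry.get("confidence", 0) >= 70 and expires > seen


def severity(event: Dict) -> str:
    """Dynamic severity: treat C2 infrastructure as CRITICAL, other hits HIGH."""
    entry = anomali_entry(event) or {}
    return "CRITICAL" if entry.get("itype") == "c2_ip" else "HIGH"


def title(event: Dict) -> str:
    entry = anomali_entry(event) or {}
    return (f"Anomali {entry.get('itype')} hit on {entry.get('match', ['?'])[0]} "
            f"in {event.get('p_log_type')}")


# Constructed Okta event; the second address is the indicator in the table.
SAMPLE_EVENT = {
    "p_log_type": "Okta.SystemLog",
    "p_event_time": "2023-10-05 09:00:00.000",
    "p_any_ip_addresses": ["10.0.0.5", "55.44.33.22"],
    "eventType": "user.session.start",
}

if __name__ == "__main__":
    enriched = enrich(SAMPLE_EVENT)
    print(title(enriched), rule(enriched), severity(enriched))
```

Because `rule`, `title` and `severity` only use `.get()` on the event, the same bodies work unchanged against Panther's event object in a real detection; only the `PROVIDER` key and the threshold need adjusting to your deployment.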

## Setting up Anomali ThreatStream enrichment

### Step 1: Create an API key in Anomali

* Follow the [Anomali documentation](https://ui.threatstream.com/optic-doc/Content/Optic%20Administration/updateContactInformation.htm?Highlight=setting%20api%20key) to generate an API key with `read-only` access, for use in Panther.

### Step 2: Add your Panther IP address to an allowlist in Anomali

#### Step 2.1: Find your Panther gateway public IP address

1. In the upper-right corner of your Panther Console, click the gear icon > **General**.
2. In the footer at the bottom of the page, find **Gateway Public IP**.
   * Copy this value; you'll use it in the next step.

#### Step 2.2: Add the IP to an allowlist in Anomali

* Follow the [Anomali documentation](https://ui.threatstream.com/login) to add your Panther gateway IP address to your Anomali IP allowlist.

### Step 3: Create the Anomali ThreatStream Enrichment Provider in Panther

To enable the Anomali ThreatStream Enrichment Provider in Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Enrichments**.
2. Click the **Custom Enrichment** card.
3. In the upper-right corner, click **Create New**.
4. Click **Anomali**.\
   ![The Panther Console shows "What type of enrichment would you like to set up?" above three options: Anomali (circled), Google Workspace, and Okta.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-ef22c85c58643a0e28d98d291429c1a09fc39a6a%2FScreenshot%202023-10-04%20at%2012.00.03%20PM.png?alt=media)
5. In the **Enrichment Settings** form, provide values for the following fields:
   * **Name**: Enter a descriptive name for your integration.
   * **Anomali subdomain**: Enter your Anomali subdomain.
   * **Username**: Enter your Anomali username.
   * **API Token**: Enter the API token you generated in [Step 1](#step-1-create-an-api-key-in-anomali).
   * **ThreatStream indicator query**: Provide the indicator query that Panther will use to construct the Enrichment.
     * This field's placeholder text shows an example query: `feed_id=42 and status="active"`
     * It's recommended to test your query in the Anomali ThreatStream interface before providing it to Panther.
   * **Refresh period (min)**: Set a refresh period, which determines how often Panther will refresh the Anomali ThreatStream Enrichment Provider data. The default and minimum refresh period is 60 minutes.\
     ![The Enrichment Setting form has empty fields for: Name, Anomali subdomain, Username, API Token, ThreatStream indicator query, and Refresh period (min).](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-5c711c2ebb3d16b1db597ffac3a8f2ff90bff499%2FScreenshot%202023-10-04%20at%2012.05.54%20PM.png?alt=media)
6. Click **Setup**.
7. On the next page, click **Save.**
   * Your new Anomali ThreatStream configuration will be visible in the **Configure** > **Enrichments** page.

## Enabling, disabling, or modifying Anomali ThreatStream enrichment for a log type

Anomali ThreatStream is enabled by default for each log type in your Panther instance.

If you would like to disable (or later enable) Anomali for a certain log type, or alter its Selectors:

1. In the left-hand navigation bar in your Panther Console, click **Configure** > **Enrichments**.
2. Within the **Enrichments** list, locate the Anomali ThreatStream source you'd like to modify, and click its name.
3. On the provider's details page, to the right of the **Enriched Log Types** header, click **Edit**.\
   ![Next to an Enriched Log Types (114) header, there's a circled Edit button. Below, there is a table with columns for Log Type and Log Attribute.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-424ff156da3323dc35990a0cadc40153090f475a%2FScreenshot%202023-10-05%20at%209.00.26%20AM.png?alt=media)
   * If you'd like to enable this enrichment for a new log type, click **Add Log Type**.
     * In the new row that populates, select a **Log Type** and, in the **Selectors** field, at least one event field.\
       ![An arrow points from a Add Log Type button to a Log Type selector. To its right is a Selectors field and a trash can icon.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e696d626db122339c770e1cb1bdeebc30106914d%2FScreenshot%202023-10-05%20at%209.20.17%20AM.png?alt=media)
   * If you'd like to disable this enrichment for a log type, locate that log type's row, and click the trash icon.\
     ![A trash can icon is circled. Also in its row are a Log Type field (with Okta.SystemLog selected), and $.actor.id selected in the Selectors field.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-b2f7987a55b7e6394feeda4f368bb6d2a4bef197%2FScreenshot%202023-10-05%20at%209.22.04%20AM.png?alt=media)
   * If you'd like to alter the selectors for a log type, click into the **Selectors** field and add or remove selections for event fields.\
     ![A list of rows each with a Log Type, Selectors, and trash fields is shown. The Selectors field of the first row is open, with an arrow pointing from it to one of the option's checkboxes.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e16a5bf9fb4d35c4d258fe085a2aa8ef976cb8b2%2FScreenshot%202023-10-05%20at%209.22.59%20AM.png?alt=media)
4. In the upper-right corner of the **Enriched Log Types** tile, click **Save**.

## Example Anomali ThreatStream enrichment table entry

Below is an example of an Anomali ThreatStream entry as normalized by Panther, returned by the query `feed_id=336`:

```json
{
	"asn": "306",
	"can_add_public_tags": true,
	"confidence": 50,
	"country": "US",
	"created_ts": "2023-08-11 10:35:52.302",
	"expiration_ts": "2023-11-09 13:35:49",
	"feed_id": "336",
	"id": "457335623",
	"ip": "55.44.33.22",
	"is_anonymous": false,
	"is_editable": true,
	"is_public": false,
	"itype": "mal_ip",
	"latitude": 37.751,
	"longitude": -97.822,
	"match": [
		"55.44.33.22"
	],
	"meta": {
		"detail2": "imported by user 450",
		"severity": "medium"
	},
	"modified_ts": "2023-08-11 10:35:52.302",
	"org": "US Department of Defense Network",
	"owner_organization_id": "151",
	"p_any_ip_addresses": [
		"55.44.33.22"
	],
	"p_event_time": "2023-08-11 10:35:52.302",
	"p_log_type": "Anomali.Indicator",
	"p_parse_time": "2023-09-29 17:24:09.176",
	"p_row_id": "1a4857af055ca1eb94e79eef1a04",
	"p_schema_version": 0,
	"resource_uri": "/api/v2/intelligence/457335623/",
	"retina_confidence": -1,
	"sort": [
		1691750152302,
		457335623
	],
	"source": "Panther Dev Feed",
	"source_reported_confidence": 50,
	"status": "active",
	"tags": [
		{
			"id": "d4j",
			"name": "sdk_demo",
			"org_id": "151",
			"tlp": "white"
		}
	],
	"threat_type": "malware",
	"threatscore": 40,
	"type": "ip",
	"update_id": "1155874106",
	"uuid": "0d126865-0b34-4d60-b51b-24083ba53313",
	"value": "55.44.33.22"
}
```
