Anomali ThreatStream

Overview

Anomali ThreatStream aggregates multiple threat feeds into a single high-fidelity repository by normalizing, deduplicating, removing false positives from, and enriching threat data—then associating all related threat indicators. The Anomali ThreatStream integration is an Enrichment Provider, also known as a Panther-managed Lookup Table.

Learn how to view stored Enrichment Provider data here, and how to view log events with enrichment data here.

How the Anomali ThreatStream Enrichment Provider works in Panther

By default, Anomali ThreatStream is configured to run against every log source in your Panther environment (yet is possible to disable, if desired). Panther will attempt to match each incoming log event, across all log types, against the Anomali Panther-managed Lookup Table before it passes through the detection engine.

If Panther identifies a match between an incoming event and Anomali entry, Anomali data is appended to the matching log event under a top-level p_enrichment key, and able to be referenced in detection logic and searches.

If Anomali contains multiple entries for the same indicator, if only one Anomali entry is active, Panther will use that one. If multiple Anomali entries are active, Panther will use the active entry with the highest confidence score.

For more information on detection writing using an enrichment source, see Writing a detection using Lookup Table data.

How a match between a log event and Anomali is made

A log event is enriched with Anomali Panther-managed Lookup Table data (under p_enrichment) if a match is found between:

• Any of the values of the selector field(s) configured for each associated log type.

  • For each log type, the default selectors are its Indicator Fields (represented by p_any_*), though the selectors are configurable.

• The value of the match key in an Anomali table entry in Panther.

  • match is the primary key of the Anomali table and is preset by Panther.

  • See an example of match in the Example Anomali table entry below.

Setting up Anomali ThreatStream enrichment

Step 1: Create an API key in Anomali

• Follow the Anomali documentation to generate an API key with read-only access, for use in Panther.

Step 2: Add your Panther IP address to an allowlist in Anomali

Step 2.1: Find your Panther gateway public IP address

2. In the footer at the bottom of the page, find Gateway Public IP.

   • Store this value in a secure location, as you'll use it in the next step.

Step 2.2: Add the IP to an allowlist in Anomali

• Follow the Anomali documentation to add your Panther gateway IP address to your Anomali IP allowlist.

Step 3: Create the Anomali ThreatStream Enrichment Provider in Panther

To enable the Anomali ThreatStream Enrichment Provider in Panther:

1. In the left-hand navigation bar of your Panther Console, click Configure > Enrichment Providers.

2. In the upper-right corner, click Create New.

4. In the Enrichment Settings form, provide values for the following fields:

   • Name: Enter a descriptive name for your integration.

   • Anomali subdomain: Enter your Anomali subdomain.

   • Username: Enter your Anomali username.

   • API Token: Enter the API token you generated in Step 1.

   • ThreatStream indicator query: Provide the indicator query that Panther will use to construct the Lookup Table.

     • This field's placeholder text shows an example query: feed_id=42 and status="active"

     • It's recommended to test your query in the Anomali ThreatStream interface before providing it to Panther.
5. Click Setup.

6. On the next page, click Save.

   • Your new Anomali ThreatStream configuration will be visible in the Configure > Enrichment Providers page.

Enabling, disabling, or modifying Anomali ThreatStream enrichment for a log type

Anomali ThreatStream is enabled by default for each log type in your Panther instance.

If you would like to disable (or later enable) Anomali for a certain log type, or alter its selectors:

1. In the left-hand navigation bar in your Panther Console, click Configure > Enrichment Providers.

2. Within the list of Enrichment Providers, locate the Anomali ThreatStream source you'd like to modify, and click its name.

3. • If you'd like to enable this Enrichment Provider for a new log type, click Add Log Type.
4. In the upper-right corner of the Enriched Log Types tile, click Save.

Example Anomali ThreatStream enrichment table entry

The below is an example of an Anomali ThreatStream response normalized by Panther, from the query feed_id=336:

{
	"asn": "306",
	"can_add_public_tags": true,
	"confidence": 50,
	"country": "US",
	"created_ts": "2023-08-11 10:35:52.302",
	"expiration_ts": "2023-11-09 13:35:49",
	"feed_id": "336",
	"id": "457335623",
	"ip": "55.44.33.22",
	"is_anonymous": false,
	"is_editable": true,
	"is_public": false,
	"itype": "mal_ip",
	"latitude": 37.751,
	"longitude": -97.822,
	"match": [
		"55.44.33.22"
	],
	"meta": {
		"detail2": "imported by user 450",
		"severity": "medium"
	},
	"modified_ts": "2023-08-11 10:35:52.302",
	"org": "US Department of Defense Network",
	"owner_organization_id": "151",
	"p_any_ip_addresses": [
		"55.44.33.22"
	],
	"p_event_time": "2023-08-11 10:35:52.302",
	"p_log_type": "Anomali.Indicator",
	"p_parse_time": "2023-09-29 17:24:09.176",
	"p_row_id": "1a4857af055ca1eb94e79eef1a04",
	"p_schema_version": 0,
	"resource_uri": "/api/v2/intelligence/457335623/",
	"retina_confidence": -1,
	"sort": [
		1691750152302,
		457335623
	],
	"source": "Panther Dev Feed",
	"source_reported_confidence": 50,
	"status": "active",
	"tags": [
		{
			"id": "d4j",
			"name": "sdk_demo",
			"org_id": "151",
			"tlp": "white"
		}
	],
	"threat_type": "malware",
	"threatscore": 40,
	"type": "ip",
	"update_id": "1155874106",
	"uuid": "0d126865-0b34-4d60-b51b-24083ba53313",
	"value": "55.44.33.22"
}