Threat Intelligence

Know your adversary…

Comprehensive platform for Threat Detection, Investigation & Response

Anomali helps organizations find and respond to cyber threats. That’s our mission. We bring to your security team the one thing that’s been missing – external context. With Anomali you can now identify suspicious or malicious traffic before it even reaches your network. We turn threat intelligence into your cyber no-fly list, and seamlessly integrate this with your internal security and IT systems.


Harness threat data, information, and intelligence to drive effective cyber security decisions…

Intelligence – Knowing your adversaries helps your organization stay one step ahead with a proactive security posture. Anomali arms security teams with the cyber threat intelligence necessary to identify and prioritize critical threats to your organization.

  • Collect intelligence from premium feeds, OSINT, STIX/TAXII, ISACs
  • Evaluate and purchase intelligence feeds via Anomali APP Store
  • Apply machine-learning-optimized threat intelligence and reduce false positives
  • Normalize disparate sources and enrich with additional threat context
  • Give your analysts decision advantage and improve situational awareness

Detection – Threat intelligence is a critical component of threat detection and prioritization. Anomali fuses threat intelligence with current and historical event data to identify threats inside your network.

  • Weighted scoring algorithm prioritizes your most viable threats
  • Evaluate historical exposure to newly identified threats
  • Counter threats through integrations with your existing security stack
  • Amplify your detection capability using the world’s best threat intelligence sources
  • Customize and iterate detection and response patterns

Automation – Automation can make the difference between two or twenty hours of work. Anomali automates the mechanical, repetitive tasks of threat intelligence to give security analysts the time, visibility, and tools needed to understand and take action against threats.

  • Eliminate the need to reconcile and normalize vast quantities of threat data
  • Enrich indicators with additional context for advanced insights
  • Improve workflows inside your existing orchestration platforms
  • Integrate with SIEM and EDR solutions to correlate information and prioritize alerts
  • Actively block high-severity threats through integrations with FW, IPS

Investigation – Analysts are critical to assessing, researching, and responding to security threats. Anomali enables analysts to conduct investigations through automated, scalable workflows and collaboration between internal and external teams.

  • Visualize known IOCs and investigate unknown threats
  • Pivot on indicators to find related intelligence (WHOIS, PassiveDNS, VirusTotal)
  • Produce relevant observables and threat bulletins
  • Associate indicators with threat actors and understand their TTPs

Collaboration – Sharing intelligence amplifies more than just your own defenses – it protects the community at large. Anomali enables organizations to share intelligence and collaborate on investigations with internal teams and established partners.

  • Instantaneous bi-directional sharing of intelligence
  • Maintain full control of privacy levels and shared information
  • Proactively respond to security events before they become breaking news
  • Align yourself with industry peers through Information Sharing and Analysis Centers (ISACs)
  • Benefit from security expertise, research, and recommended responses of other organizations


Mission control for threat intelligence… 

ThreatStream speeds detection of threats by uniting your security solutions under one platform and providing tools to operationalize threat intelligence. ThreatStream also automates many of the tasks typically assigned to security professionals, freeing analysts to quickly handle threats.

Collect – ThreatStream collects threat intelligence data from hundreds of sources. Users can also trial and purchase third-party premium feeds directly through the Anomali APP Store.

Threat intelligence sources include:

  • STIX/TAXII feeds
  • Open source threat feeds
  • Commercial threat intelligence providers
  • Structured and unstructured intelligence
  • ISAC/ISAO shared threat intelligence

Manage – ThreatStream makes it easy to operationalize threat intelligence by:

  • Normalizing feeds into a common taxonomy
  • De-duplicating data across feeds
  • Removing false positives via machine learning algorithms
  • Enriching data with Actor, Campaign, TTP
  • Adding context from WHOIS, PassiveDNS, others
  • Associating related threat indicators

Integrate – IOCs can be directly managed within the ThreatStream platform and pushed out to other systems for blocking and monitoring. These integrations include but are not limited to:

  • SIEM
  • Firewall
  • IPS
  • Endpoint
  • API

Enabling SOC teams and threat intelligence analysts – Anomali ThreatStream provides tools to help analysts and SOC teams respond to threats. The ThreatStream platform includes features such as:

  • Phishing – Extract indicators from suspected emails
  • Sandbox – Detonate malware and extract relevant indicators
  • Brand Monitoring – Detection of brand abuse
  • Threat investigation engine with analyst workflows
  • Threat bulletin creation, management, and collaboration

Trusted Circles within the ThreatStream Platform ensure that users can participate seamlessly in two-way sharing. Company-proprietary information can be kept private to guarantee confidentiality of shared information.

Identify adversaries in your network…

Detect and identify adversaries early in your organization’s network by correlating tens of millions of threat indicators against your real-time network activity logs and forensic log data.

Threat Visibility Challenge

Every day new threats are discovered, adding to the list of millions of known Indicators of Compromise (IOCs). This presents organizations with two challenges:

  1. Evaluating newly identified threats to identify an existing breach
  2. Checking millions of IOCs daily to identify newly launched attacks

Anomali Match integrates with SIEMs and other log sources, maintaining a year or more of historical visibility without duplicating logs. Historical data is continuously analyzed against new and existing threat intelligence to uncover evidence of breaches. Real-Time Forensics immediately discovers matches between these data sets, and provides analysts with tools to categorize and elevate indicator matches for triage and response.

Detect New Threats – As new threats are discovered, organizations need to know if attackers have already targeted their networks. This means being able to look over historical data going back 6 months or longer to identify potential breaches. Anomali Match:

  • Evaluates all incoming, new threat data
  • Analyzes every network event in the past 12+ months
  • Returns all threat matches in seconds
  • Delivers matches to SIEM or other integration

Detect Existing Threats – Security teams must also continuously monitor network traffic for activity from known threats. Organizations commonly collect and track millions of IOCs, making it difficult to monitor all network activity for matches. Anomali Match:

  • Collects and manages unlimited volumes of IOCs
  • Matches IOCs against unlimited volumes of logs
  • Automatically alerts on IOC activity in logs
  • Feeds indicator matches to SIEMs and other systems

Essential Integrations – Anomali Match integrates with threat intelligence sources, log sources, SIEMs and other systems. As indicators of interest are positively identified, Anomali Match can automatically feed alerts into SIEMs for ongoing monitoring or blocking.

  • Inputs threat intelligence from ThreatStream
  • Analyzes log data from Syslog, SIEMs, AWS S3, Netflow/sFlow
  • Enables in-depth threat investigations within ThreatStream
  • Integrates threat matches with SIEMs, incident response systems

Domain Generation Algorithms (DGA) – DGAs are widely used in malware to set up command and control domains. These domains often have short lifespans, meaning they do not make it onto threat intelligence lists. Anomali Match immediately detects and alerts on traffic to DGA domains using sophisticated machine-learning algorithms. Further, it associates the detected DGA domains with specific families of malware.

Identify cyber threats right in your browser… 

Anomali Lens is the first natural language processing (NLP) based web content parser that highlights all cyber threat information for further investigation.

Supercharging threat research & reporting – Attackers inevitably set the agenda for cybersecurity analysts. Yet CISOs want answers and actions from those same analysts—and they want them now. Analysts are constantly racing against the clock to understand attacks and how to prevent threats from harming their networks.

Anomali Lens enables analysts to work and stay in any single web-content location for faster research and to communicate cyber risk better to the executive leadership. This is especially critical in high-pressure environments such as widespread cyber attacks and high-profile data breaches.

Instant insights into action for cybersecurity analysts – Anomali Lens scans and converts unstructured data, such as news stories, social media, research papers, blogs, paste sites, coding repositories, and internal content sources like SIEM user interfaces, into actionable intelligence. Anomali Lens leverages natural language processing (NLP) to take unstructured data and identify threat actors, malware families, and attack techniques as they relate to threat intelligence.

Elevate every security analyst to a veteran – Executives and CISOs often struggle to hire qualified security personnel to maintain a proper and consistent security posture. But even success in meeting those staffing goals isn’t enough. Data feeds must be translated into boardroom-ready presentations—an often complex and time-consuming process in itself.

Anomali Lens amplifies the productivity of all frontline Security Operations Center staff, enabling them to produce intelligence products with the quality of seasoned cyber professionals.

Easy and direct access for CISOs – CISOs often try to access analyst tools directly just to stay informed. However, most cyber tools are not designed to directly alert CISOs that their organization is at risk of being victimized by the threats appearing in online news sources on a daily basis.

Anomali Lens puts the power directly into the hands of the CISO. With a Lens-enabled web browser, CISOs can determine the relevance of online cyberattack reports by leveraging Anomali detection capabilities. Anomali searches an organization’s historic cyber security event logs to uncover evidence of compromise by comparing them against Anomali’s vast database of high-fidelity threat indicators. Lens gives CISOs a direct look at the relevant data with a single click.

