Introduction
Anomali ThreatStream is a threat intelligence platform designed to aggregate, normalize, and correlate threat data from multiple internal and external sources. The article focuses on how Anomali ThreatStream Integration enables organizations to enrich threat intelligence, improve visibility, and operationalize indicators of compromise (IOCs) across security workflows.
Key Takeaways
- Loginsoft uses the Anomali SDK to integrate threat sources, transforming data into actionable intelligence.
- Integration includes context/pivot-based enrichments with widgets like TextWidget and TableWidget.
- Supported entities cover Domain, IP, Hash, Email, URL, Phrase, ASN, and DNS records.
- Benefits include aggregation of diverse intel, access via the Anomali Preferred Partner Store, and enhanced detection with curated metadata.
Loginsoft, a leading provider of cyber engineering services for Threat Intel Platform companies, has built expertise in integrating with Anomali, a leading provider of intelligence-driven cybersecurity solutions.
A growing number of cyber product companies build products that expose multiple API endpoints as threat data sources and proprietary feeds. Feeds alone aren't enough; these companies also need a way to turn information into actionable intelligence through a technology partner. This is where Loginsoft has built the integration to ingest their sources into Anomali using the Anomali SDK.
Anomali ThreatStream aggregates and organizes sources from multiple trusted partners, providing diverse threat intelligence within their platform.
Loginsoft's MiTRA Threat Feeds are the outcome of its threat hunting research: we deploy honeypots for a specific component or an emerging threat and analyze the attack patterns, payloads, and the threat actors behind them. This curated metadata is transformed into actionable threat intelligence to either detect or prevent attacks.
Loginsoft has integrated its threat feed with the Anomali Preferred Partner Store (APP Store), a unique cyber security marketplace providing instant access to a growing catalog of threat intelligence providers, integration partners, and threat analysis tools.
INTEGRATION HIGHLIGHTS:
- Developing Context-Based Enrichments
- Developing Pivot-Based Enrichments
- Anomali Enrichments Library (SDK) provides various options to display enrichment data (for example, TextWidget, TableWidget, and ChartWidget)
- Creating Enrichment Bundles after development and testing
- Submitting ThreatStream Cloud Enrichments for Certification
Entity Types supported by Anomali Enrichments SDK: Domain, IP, Hash, Email, URL, Phrase, Autonomous System Numbers, DNS Name Server Records
Here's a look inside Anomali's ThreatStream as a context-based enrichment for the Domain entity.

Here's a look inside Anomali's ThreatStream for the Domain entity as a TableWidget for different endpoints:
WhoIs API endpoint

Passive DNS API endpoint

Malware API endpoint

Conclusion
Integrating data sources with Anomali ThreatStream strengthens an organization’s threat intelligence capabilities by consolidating and contextualizing security data. Through effective Anomali ThreatStream Integration, security teams can transform raw indicators into actionable intelligence, enabling faster detection, informed decision-making, and improved response to evolving threats. Centralized intelligence and automated enrichment help organizations maintain stronger situational awareness across their security ecosystem.
FAQ
Q1. What is Anomali ThreatStream?
Anomali ThreatStream is a robust Threat Intelligence Platform (TIP) that automates the ingestion, normalization, and analysis of vast threat data from diverse sources: OSINT, commercial feeds, and internal inputs. It converts raw indicators into prioritized, actionable intelligence and integrates with SIEMs, SOARs, and EDR tools to enrich context and enable automated responses against threats like malware, phishing, and ransomware.
Q2. Why is source integration important in Anomali ThreatStream?
Source integration is the cornerstone of Anomali ThreatStream. By aggregating, normalizing, and operationalizing intelligence from diverse feeds (OSINT, commercial, and internal), it helps turn raw data into actionable insights for effective defense.
Q3. What types of data can be integrated into Anomali ThreatStream?
Anomali ThreatStream integrates diverse threat data: IoCs (IPs, domains, hashes), TTPs, malware signatures, actor profiles, and vulnerabilities, from a wide array of sources (OSINT, commercial, ISACs, internal) and formats (STIX, CSV, JSON, Syslog, CEF).
Q4. How does Anomali ThreatStream Integration improve security operations?
Anomali ThreatStream integration elevates security operations by converting vast raw threat data into prioritized, actionable intelligence. It automatically disseminates this intel across existing tools and infrastructure.
Q5. Can Anomali ThreatStream integrate with existing security platforms?
Yes. Anomali ThreatStream is designed to integrate with SIEMs, SOC tools, and other security solutions for operational use.
