Anomali Match

Use Anomali Match to search indicators and enrich domains.

Configure Anomali Match on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Anomali Enterprise.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g., https://www.test.com) | True |
| credentials | Username | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

anomali-enterprise-retro-forensic-search#

Initiates a forensic search of the indicators.

Base Command#

anomali-enterprise-retro-forensic-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| from | The time the indicators first appeared, in the format: <number> <time unit>, e.g., 1 hour, 30 minutes. Default is 1 day ago. | Optional |
| to | The time the indicators last appeared, in the format: <number> <time unit>, e.g., 1 hour, 30 minutes. Default is now. | Optional |
| indicators | A comma-separated list of indicators to search. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AnomaliEnterprise.ForensicSearch.job_id | String | The job ID of the search. |
| AnomaliEnterprise.ForensicSearch.status | String | The status of the search. |

Command Example#

!anomali-enterprise-retro-forensic-search indicators=1.1.1.1 from="1 month"

Context Example#

{
  "AnomaliEnterprise": {
    "ForensicSearch": {
      "job_id": "job1271604409989806",
      "status": "in progress"
    }
  }
}

Human Readable Output#

Forensic search started:#

| job_id | status |
| --- | --- |
| job1271604409989806 | in progress |

anomali-enterprise-retro-forensic-search-results#

Retrieves the forensic search results.

Base Command#

anomali-enterprise-retro-forensic-search-results

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The forensic search job ID. | Required |
| limit | The maximum number of stream results to return. Default is 20. | Optional |
| verbose | Whether to print the stream results to the War Room. Default is "true". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AnomaliEnterprise.ForensicSearch.job_id | String | The job ID of the search. |
| AnomaliEnterprise.ForensicSearch.status | String | The status of the search. |
| AnomaliEnterprise.ForensicSearch.scannedEvents | Number | The number of scanned events. |
| AnomaliEnterprise.ForensicSearch.processedFiles | Number | The number of processed files. |
| AnomaliEnterprise.ForensicSearch.result_file_name | String | The matched file name. |
| AnomaliEnterprise.ForensicSearch.totalMatches | Number | The number of total matches. |
| AnomaliEnterprise.ForensicSearch.complete | Bool | Whether the search was complete. |
| AnomaliEnterprise.ForensicSearch.category | String | The search category. |
| AnomaliEnterprise.ForensicSearch.streamResults | Unknown | The stream results for the search. |

Command Example#

!anomali-enterprise-retro-forensic-search-results job_id=job1251604409794526

Context Example#

{
  "AnomaliEnterprise": {
    "ForensicSearch": {
      "category": "forensic_api_result",
      "complete": true,
      "job_id": "job1251604409794526",
      "processedFiles": 1,
      "result_file_name": "org0_20201103_job1251604409794526_result.tar.gz",
      "scannedEvents": 361295,
      "status": "completed",
      "streamResults": [
        {
          "age": "",
          "confidence": "",
          "count": "1",
          "event.dest": "1.1.1.1",
          "event.src": "1.1.1.1",
          "event_time": "2020-10-14T09:10:00.000+0000",
          "indicator": "",
          "itype": "",
          "severity": ""
        }
      ],
      "totalFiles": 1,
      "totalMatches": 1
    }
  }
}

Human Readable Output#

Forensic search metadata:#

| status | job_id | category | totalFiles | scannedEvents |
| --- | --- | --- | --- | --- |
| completed | job1251604409794526 | forensic_api_result | 1 | 361295 |

Forensic search results:#

| count | event.dest | event.src | event_time |
| --- | --- | --- | --- |
| 1 | 1.1.1.1 | 1.1.1.1 | 2020-10-14T09:10:00.000+0000 |

anomali-enterprise-dga-domain-status#

Checks the given domains for Domain Generation Algorithm (DGA) status.

Base Command#

anomali-enterprise-dga-domain-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domains | A comma-separated list of domains to search. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AnomaliEnterprise.DGA.domain | String | The domain that was checked. |
| AnomaliEnterprise.DGA.malware_family | String | The malware family associated with the domain. |
| AnomaliEnterprise.DGA.probability | Number | The probability of the domain being malicious. |

Command Example#

!anomali-enterprise-dga-domain-status domains=amazon.com

Context Example#

{
  "AnomaliEnterprise": {
    "DGA": {
      "domain": "amazon.com",
      "malware_family": "",
      "probability": 0
    }
  }
}

Human Readable Output#

Domains DGA:#

| domain | probability |
| --- | --- |
| amazon.com | 0 |

domain#

Checks the given domains for Domain Generation Algorithm (DGA) status. Includes a DBotScore and domain information. Anomali Enterprise makes no distinction between benign and unknown domains. The domain reputation is calculated according to the product documentation: if a malware family exists and the probability is greater than 0.6, the reputation is Malicious; if a malware family exists and the probability is less than 0.6, the reputation is Suspicious; otherwise, the reputation is Unknown.

Base Command#

domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | A comma-separated list of domains to search. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AnomaliEnterprise.DGA.domain | String | The domain that was checked. |
| AnomaliEnterprise.DGA.malware_family | String | The malware family associated with the domain. |
| AnomaliEnterprise.DGA.probability | Number | The probability of the domain being malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual DBot score. |
| Domain.Name | String | The domain name. For example, "google.com". |
| Domain.Malicious.Vendor | String | The vendor that reported that the domain is malicious. |
| Domain.Malicious.Description | String | A description of the malicious domain. |

Command Example#

!domain domain=google.com

Context Example#

{
  "AnomaliEnterprise": {
    "DGA": {
      "domain": "google.com",
      "malware_family": "",
      "probability": 0
    }
  },
  "DBotScore": {
    "Indicator": "google.com",
    "Score": 0,
    "Type": "domain",
    "Vendor": "Anomali Enterprise"
  },
  "Domain": {
    "Name": "google.com"
  }
}

Human Readable Output#

Domains DGA:#

| domain | probability |
| --- | --- |
| google.com | 0 |
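The reputation rules the domain command describes (malware family plus a 0.6 probability threshold), worked through as an added example that is not the integration's own code. It assumes the DGA result dict has the same keys as the context example above; the handling of a probability of exactly 0.6, which the rules leave unspecified, and the `FamilyX` malware family name are assumptions.

```python
# Added example, not the integration's own code: maps an Anomali Enterprise DGA
# result onto the reputation rules documented for the domain command and builds
# the AnomaliEnterprise.DGA, DBotScore and Domain context objects. Score values
# follow the Cortex XSOAR DBotScore convention: 0 Unknown, 2 Suspicious, 3 Bad.
VENDOR = "Anomali Enterprise"
DBOT_UNKNOWN, DBOT_SUSPICIOUS, DBOT_MALICIOUS = 0, 2, 3
THRESHOLD = 0.6


def dga_reputation(malware_family: str, probability: float) -> str:
    """Return 'Malicious', 'Suspicious' or 'Unknown' per the rules above.

    The README leaves probability == 0.6 unspecified; this example treats it
    as Suspicious (assumption), since only values above 0.6 are Malicious.
    """
    if not malware_family:
        # No malware family: benign and unknown domains are indistinguishable.
        return "Unknown"
    if probability > THRESHOLD:
        return "Malicious"
    return "Suspicious"


def build_domain_context(dga_result: dict) -> dict:
    """Build the context entries the domain command documents."""
    domain = dga_result["domain"]
    family = dga_result.get("malware_family") or ""
    # Defensive: accept the probability as a number or a numeric string.
    probability = float(dga_result.get("probability") or 0)
    reputation = dga_reputation(family, probability)
    scores = {"Malicious": DBOT_MALICIOUS, "Suspicious": DBOT_SUSPICIOUS}
    domain_obj = {"Name": domain}
    if reputation == "Malicious":
        # Domain.Malicious is only populated when the verdict is Malicious.
        domain_obj["Malicious"] = {
            "Vendor": VENDOR,
            "Description": f"DGA domain ({family}), probability {probability}",
        }
    return {
        "AnomaliEnterprise": {"DGA": {"domain": domain,
                                      "malware_family": family,
                                      "probability": probability}},
        "DBotScore": {"Indicator": domain, "Type": "domain", "Vendor": VENDOR,
                      "Score": scores.get(reputation, DBOT_UNKNOWN)},
        "Domain": domain_obj,
    }
```

Running `build_domain_context({"domain": "google.com", "malware_family": "", "probability": 0})` reproduces the context example above (score 0, no Domain.Malicious object).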