Anomali Enterprise

Use Anomali Enterprise to search indicators and enrich domains. This integration was integrated and tested with version xx of Anomali Enterprise.

Configure Anomali Enterprise on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Anomali Enterprise.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g., https://www.test.com) | True |
| credentials | Username | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

anomali-enterprise-retro-forensic-search


Initiates a forensic search of the indicators.

Base Command

anomali-enterprise-retro-forensic-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| from | The time the indicators first appeared, in the format: <number> <time unit>, e.g., 1 hour, 30 minutes. Default is 1 day ago. | Optional |
| to | The time the indicators last appeared, in the format: <number> <time unit>, e.g., 1 hour, 30 minutes. Default is now. | Optional |
| indicators | A comma-separated list of indicators to search. | Required |
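The `from` and `to` arguments take a relative expression such as `1 hour` or `30 minutes`, with `1 day ago` and `now` as defaults. The parser below is an added example written for this page, not the integration's own code; it turns those expressions into a concrete window and rejects unknown units and an inverted window. The month and year lengths (30 and 365 days) and the `SAMPLE_NOW` reference time are assumptions, since the page does not define them:

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not the integration's own code: parse the "<number> <time unit>"
# form of the `from` and `to` arguments into a concrete time window.
# Assumption: a month is 30 days and a year 365 days; the page does not define these.
_UNIT_SECONDS = {
    "second": 1,
    "minute": 60,
    "hour": 3600,
    "day": 86400,
    "week": 7 * 86400,
    "month": 30 * 86400,
    "year": 365 * 86400,
}

# "<number> <unit>" with an optional plural "s" and an optional trailing "ago".
_EXPR = re.compile(r"^(\d+)\s*([a-z]+?)s?(?:\s+ago)?$")

# Constructed reference time for the worked calls below (the page's result file
# name carries the date 20201103; the time of day is made up).
SAMPLE_NOW = datetime(2020, 11, 3, 12, 0, 0, tzinfo=timezone.utc)

# Same layout as the event_time values in the command output on this page.
_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.000%z"


def parse_relative_time(expr, default, now):
    """Return `now` minus the span described by `expr` (or `default` when empty)."""
    text = (expr or default).strip().lower()
    if text == "now":
        return now
    match = _EXPR.match(text)
    if not match:
        raise ValueError(f"invalid time expression: {expr!r}")
    amount, unit = int(match.group(1)), match.group(2)
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown time unit in {expr!r}: {unit!r}")
    return now - timedelta(seconds=amount * _UNIT_SECONDS[unit])


def search_window(from_arg=None, to_arg=None, now=None):
    """Apply the command defaults ("1 day ago" and "now") and reject an inverted window.

    Returns (start, end) as strings in the event_time format.
    """
    now = now or datetime.now(timezone.utc)
    start = parse_relative_time(from_arg, "1 day ago", now)
    end = parse_relative_time(to_arg, "now", now)
    if start > end:
        raise ValueError(f"'from' ({from_arg!r}) is later than 'to' ({to_arg!r})")
    return start.strftime(_TIME_FORMAT), end.strftime(_TIME_FORMAT)


if __name__ == "__main__":
    # Mirrors the command example on this page: indicators from the last month up to now.
    print(search_window("1 month", None, SAMPLE_NOW))
```

Validating the window before the search is started avoids burning a job on a request the backend cannot satisfy, and the fixed month length should be made explicit to analysts who expect calendar months.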

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AnomaliEnterprise.ForensicSearch.job_id | String | The job ID of the search. |
| AnomaliEnterprise.ForensicSearch.status | String | The status of the search. |

Command Example

!anomali-enterprise-retro-forensic-search indicators=1.1.1.1 from="1 month"

Context Example

{
  "AnomaliEnterprise": {
    "ForensicSearch": {
      "job_id": "job1271604409989806",
      "status": "in progress"
    }
  }
}

Human Readable Output

Forensic search started:

| job_id | status |
| --- | --- |
| job1271604409989806 | in progress |

anomali-enterprise-retro-forensic-search-results


Retrieves the forensic search results.

Base Command

anomali-enterprise-retro-forensic-search-results

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| job_id | The forensic search job ID. | Required |
| limit | Limit the stream results to return. Default is 20. | Optional |
| verbose | Whether to print the stream results to the War Room. Default is "true". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AnomaliEnterprise.ForensicSearch.job_id | String | The job ID of the search. |
| AnomaliEnterprise.ForensicSearch.status | String | The status of the search. |
| AnomaliEnterprise.ForensicSearch.scannedEvents | Number | The number of scanned events. |
| AnomaliEnterprise.ForensicSearch.processedFiles | Number | The number of processed files. |
| AnomaliEnterprise.ForensicSearch.result_file_name | String | The matched file name. |
| AnomaliEnterprise.ForensicSearch.totalMatches | Number | The number of total matches. |
| AnomaliEnterprise.ForensicSearch.complete | Bool | Whether the search was complete. |
| AnomaliEnterprise.ForensicSearch.category | String | The search category. |
| AnomaliEnterprise.ForensicSearch.streamResults | Unknown | The stream results for the search. |

Command Example

!anomali-enterprise-retro-forensic-search-results job_id=job1251604409794526

Context Example

{
  "AnomaliEnterprise": {
    "ForensicSearch": {
      "category": "forensic_api_result",
      "complete": true,
      "job_id": "job1251604409794526",
      "processedFiles": 1,
      "result_file_name": "org0_20201103_job1251604409794526_result.tar.gz",
      "scannedEvents": 361295,
      "status": "completed",
      "streamResults": [
        {
          "age": "",
          "confidence": "",
          "count": "1",
          "event.dest": "1.1.1.1",
          "event.src": "1.1.1.1",
          "event_time": "2020-10-14T09:10:00.000+0000",
          "indicator": "",
          "itype": "",
          "severity": ""
        }
      ],
      "totalFiles": 1,
      "totalMatches": 1
    }
  }
}

Human Readable Output

Forensic search metadata:

| status | job_id | category | totalFiles | scannedEvents |
| --- | --- | --- | --- | --- |
| completed | job1251604409794526 | forensic_api_result | 1 | 361295 |

Forensic search results:

| count | event.dest | event.src | event_time |
| --- | --- | --- | --- |
| 1 | 1.1.1.1 | 1.1.1.1 | 2020-10-14T09:10:00.000+0000 |
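The two forensic search commands form one workflow: the first returns a `job_id` with status `in progress`, and the results command has to be polled until `complete` is true. The following is an added example, not the integration's or Anomali's code, showing that polling loop with a timeout and a small triage summary of `streamResults`. The `FakeForensicSearchClient` class stands in for the two commands and is constructed for this page; its payloads reuse the job ID, status and match values from the context examples above, and the `limit` cap on streamed rows follows the `limit` argument's description:

```python
import time

# Added example, not the integration's own code. The fake client below stands in
# for the two commands and returns payloads shaped like the context examples on
# this page (job ID, status and result values are copied from those examples).
class FakeForensicSearchClient:
    """Reports the job as 'in progress' for the first `pending_polls` result calls."""

    def __init__(self, pending_polls=2):
        self.pending_polls = pending_polls
        self.result_calls = 0

    def start_search(self, indicators, from_arg=None, to_arg=None):
        # Constructed: the job ID comes from the page's own command example.
        return {"job_id": "job1271604409989806", "status": "in progress"}

    def get_results(self, job_id, limit=20):
        self.result_calls += 1
        if self.result_calls <= self.pending_polls:
            return {"job_id": job_id, "status": "in progress", "complete": False}
        matches = [
            {"count": "1", "event.dest": "1.1.1.1", "event.src": "1.1.1.1",
             "event_time": "2020-10-14T09:10:00.000+0000"},
        ]
        return {
            "job_id": job_id,
            "status": "completed",
            "complete": True,
            "category": "forensic_api_result",
            "scannedEvents": 361295,
            "totalMatches": len(matches),
            "streamResults": matches[:limit],  # `limit` caps the streamed rows, not totalMatches
        }


def run_forensic_search(client, indicators, limit=20, max_polls=10, poll_interval=0.0):
    """Start a search, poll its results until `complete`, and return the final payload.

    Raises TimeoutError when the job is still running after `max_polls` attempts, so a
    playbook does not spin forever on a search the backend never finishes.
    """
    job = client.start_search(indicators)
    job_id = job["job_id"]
    last_status = job.get("status", "unknown")
    for _ in range(max_polls):
        results = client.get_results(job_id, limit=limit)
        last_status = results.get("status", last_status)
        if results.get("complete") is True:
            return results
        time.sleep(poll_interval)
    raise TimeoutError(
        f"forensic search {job_id} still '{last_status}' after {max_polls} polls"
    )


def summarize_matches(results):
    """Collapse the stream rows into (source, destination, count) triples for triage."""
    return [
        (row["event.src"], row["event.dest"], int(row.get("count", "0") or 0))
        for row in results.get("streamResults", [])
    ]


if __name__ == "__main__":
    client = FakeForensicSearchClient(pending_polls=2)
    final = run_forensic_search(client, ["1.1.1.1"])
    print(final["status"], final["totalMatches"], summarize_matches(final))
```

In a playbook the same shape maps onto a loop of `anomali-enterprise-retro-forensic-search-results` calls keyed on `AnomaliEnterprise.ForensicSearch.complete`; checking `complete` rather than parsing the free-text `status` keeps the loop robust to wording changes, and the bounded poll count is what turns a stuck job into a visible error instead of a hung task.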

anomali-enterprise-dga-domain-status


Searches domains for Domain Generation Algorithm (DGA) status.

Base Command

anomali-enterprise-dga-domain-status

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domains | A comma-separated list of domains to search. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AnomaliEnterprise.DGA.domain | String | The domain that was checked. |
| AnomaliEnterprise.DGA.malware_family | String | The malware family associated with the domain. |
| AnomaliEnterprise.DGA.probability | Number | The probability of the domain being malicious. |

Command Example

!anomali-enterprise-dga-domain-status domains=amazon.com

Context Example

{
  "AnomaliEnterprise": {
    "DGA": {
      "domain": "amazon.com",
      "malware_family": "",
      "probability": 0
    }
  }
}

Human Readable Output

Domains DGA:

| domain | probability |
| --- | --- |
| amazon.com | 0 |

domain


Searches domains for Domain Generation Algorithm (DGA) status and returns DBotScore and domain information. Anomali Enterprise does not distinguish between benign and unknown domains. The domain reputation is calculated per the product documentation: if a malware family exists and the probability is greater than 0.6, the reputation is Malicious; if a malware family exists and the probability is less than 0.6, the reputation is Suspicious; otherwise, the reputation is Unknown.
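The reputation rule above, written out as code, together with the DBotScore and Domain context it produces. This is an added example for this page, not the integration's implementation. The DBotScore values (0 Unknown, 1 Good, 2 Suspicious, 3 Malicious) are Cortex XSOAR's standard scale; the handling of a probability of exactly 0.6, the `Description` text and the sample results other than google.com are assumptions constructed for the example:

```python
# Added example, not the integration's own code: the reputation rule from the
# `domain` command description, turned into the DBotScore/Domain context it returns.

# DBotScore values used by Cortex XSOAR.
UNKNOWN, GOOD, SUSPICIOUS, MALICIOUS = 0, 1, 2, 3
VENDOR = "Anomali Enterprise"
THRESHOLD = 0.6  # the probability cut-off stated in the command description


def dga_reputation(dga):
    """Map a DGA result (domain, malware_family, probability) to a DBotScore value."""
    family = dga.get("malware_family") or ""
    probability = float(dga.get("probability") or 0)
    if not family:
        # No family: the product does not separate benign from unknown, so Unknown
        # even when the probability is high.
        return UNKNOWN
    if probability > THRESHOLD:
        return MALICIOUS
    # Assumption: the documented rule covers > 0.6 and < 0.6 only; a probability of
    # exactly 0.6 is placed in Suspicious here so it still surfaces for review.
    return SUSPICIOUS


def build_domain_context(dga):
    """Build the context entry shown in the Context Example, one domain at a time."""
    score = dga_reputation(dga)
    domain_entry = {"Name": dga["domain"]}
    if score == MALICIOUS:
        domain_entry["Malicious"] = {
            "Vendor": VENDOR,
            # Constructed description text; the page only names the field.
            "Description": (
                f"DGA domain associated with malware family "
                f"{dga['malware_family']} (probability {dga['probability']})"
            ),
        }
    return {
        "AnomaliEnterprise": {"DGA": dga},
        "DBotScore": {
            "Indicator": dga["domain"],
            "Type": "domain",
            "Vendor": VENDOR,
            "Score": score,
        },
        "Domain": domain_entry,
    }


# Constructed sample results: the first row is the page's own example, the rest are
# made up to exercise each branch (the family name is a placeholder).
SAMPLE_RESULTS = [
    {"domain": "google.com", "malware_family": "", "probability": 0},
    {"domain": "qzx7k2vb.example", "malware_family": "sample-family", "probability": 0.93},
    {"domain": "p4t9wq.example", "malware_family": "sample-family", "probability": 0.41},
    {"domain": "cdn-assets.example", "malware_family": "", "probability": 0.88},
]


def score_all(results):
    """Return {domain: score} for a batch, mirroring the comma-separated `domain` argument."""
    return {r["domain"]: dga_reputation(r) for r in results}


if __name__ == "__main__":
    for dga in SAMPLE_RESULTS:
        ctx = build_domain_context(dga)
        print(ctx["DBotScore"]["Indicator"], ctx["DBotScore"]["Score"])
```

The fourth sample row is the case worth noticing when tuning playbooks: a high probability with no malware family still scores Unknown under the documented rule, so a playbook that only branches on `DBotScore.Score` will not flag it, and the raw `AnomaliEnterprise.DGA.probability` value should be kept visible to the analyst.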

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | A comma-separated list of domains to search. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AnomaliEnterprise.DGA.domain | String | The domain that was checked. |
| AnomaliEnterprise.DGA.malware_family | String | The malware family associated with the domain. |
| AnomaliEnterprise.DGA.probability | Number | The probability of the domain being malicious. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual DBot score. |
| Domain.Name | String | The domain name. For example, "google.com". |
| Domain.Malicious.Vendor | String | The vendor that reported that the domain is malicious. |
| Domain.Malicious.Description | String | A description of the malicious domain. |

Command Example

!domain domain=google.com

Context Example

{
  "AnomaliEnterprise": {
    "DGA": {
      "domain": "google.com",
      "malware_family": "",
      "probability": 0
    }
  },
  "DBotScore": {
    "Indicator": "google.com",
    "Score": 0,
    "Type": "domain",
    "Vendor": "Anomali Enterprise"
  },
  "Domain": {
    "Name": "google.com"
  }
}

Human Readable Output

Domains DGA:

| domain | probability |
| --- | --- |
| google.com | 0 |