About the connector
Anomali Enterprise is a threat and breach analytics platform that applies correlation rules and advanced security analysis to cross-correlate data from SIEMs (ArcSight ESM and Splunk) and other event sources deployed in your network to threat intelligence available from Anomali ThreatStream.
This document provides information about the Anomali Enterprise connector, which facilitates automated interactions, with an Anomali Enterprise system using FortiSOAR™ playbooks. Add the Anomali Enterprise connector as a step in FortiSOAR™ playbooks and perform automated operations, such as automatically running a search on all the data in the Anomali Enterprise system or retrieving the status of a specific forensic job from the Anomali Enterprise system.
Version information
Connector Version: 1.0.0
FortiSOAR™ Version Tested on: 5.0.1-098
Authored By: Fortinet
Certified: Yes
Installing the connector
From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-anomali-enterprise
Prerequisites to configuring the connector
- You must have the IP address of Anomali Enterprise system to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
- You must have the port number on which your Anomali Enterprise system listens for web connections.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Anomali Enterprise connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter |
Description |
| Server URL |
IP address of your Anomali Enterprise system to which you will connect and perform automated operations. |
| Server Port |
Port on which your Anomali Enterprise system listens for web connections. |
| Username |
Username to access the Anomali Enterprise system to which you will connect and perform automated operations. |
| Password |
Password to access the Anomali Enterprise system to which you will connect and perform automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:
| Function |
Description |
Annotation and Category |
| Search in Anomali Enterprise Data |
Runs a search on all the data in the Anomali Enterprise system, based on the type of search, search query, and other input parameters you have specified. Based on the Index name (type of search) you have specified, you can search for matches to IOC, DGA, Threat Bulletin, Actor, TTP, etc. |
run_search
Investigation |
| Run a Retrospective/Forensic Search |
Runs a forensic search on your event data, in the Anomali Enterprise system, to analyze indicator matches, based on the time range and indicators to search you have specified.
This operation returns a job ID that you can use to check the status of the search request. |
run_retrospective_search
Investigation |
| Get Retrospective Search Status |
Retrieves the status of a specific forensic job from the Anomali Enterprise system, based on the job ID you have specified.
Note: You can get the job ID using the Run a Retrospective/Forensic Search operation. |
Investigation |
| Download the Search Results |
Downloads the results of a search in the .gz file format from the Anomali Enterprise system adds the same in the FortiSOAR™ "Attachments" module. |
download_search_results
Investigation |
| Upload Asset Information |
Uploads asset information to the Anomali Enterprise system, based on the Attachment IRI, File IRI, or File Path you have specified. |
upload_assets
Investigation |
| Identify DGA Domains |
Retrieves the DGA probability and malware family from the Anomali Enterprise system, for sets of domains processed by the Anomali DGA detection algorithm, based on the domains you have specified. |
identify_dga_domain
Investigation |
operation: Search in Anomali Enterprise Data
Note: The Anomali Enterprise API returns only the first 400 results. This is a limitation of Anomali Enterprise.
Input parameters
| Parameter |
Description |
| Type of Search |
Name of the index based on which you want to perform a search in the Anomali Enterprise system.
You can choose from the following options: IOC Match, DGA Match, Threat Bulletin, Actor, Campaign, TTP, Vulnerability, Incident, Alert, or All Intelligence. |
| Limit Fields to Return |
(Optional) Choose the fields that you want this operation to return. |
| Search Query |
Search query based on which you want to perform the search in the Anomali Enterprise system. |
| Time Range |
Time range for which you want to perform the search on the Anomali Enterprise system.
Note: By default, the search is performed on the event data of the last 7 days.
You can choose Relative time, such as Previous Month or choose Custom to specify a custom time range.
If you choose Custom, then from the Choose Time Range option choose Absolute or Relative.
- If you choose Absolute, then specify the From Date and To Date values using the Calendar tool.
- If you choose Relative, then specify the number to be considered in the Number of units fields and specify the unit to be considered in the Unit field.
|
Output
When you choose “IOC Match” as the type of search, then the output contains the following populated JSON schema:
{
"timed_out"": "",
"_shards": {
"successful": "",
"total": "",
"failed": ""
}
"hits": {
"total": "",
"hits": [
{
"_type": "",
"_index": "",
"_score": "",
"fields": {
{
"age": [],
"app_type": [],
"asn": [],
"classification": [],
"confidence": [],
"count": [],
"country": [],
"customer_id": [],
"customer_name": [],
"date_first": [],
"date_last": [],
"dcid": [],
"date_last": [],
"detail": [],
"detail2": [],
"domain": [],
"email": [],
"event.action": [],
"event.dest": [],
"event.dest_port": [],
"event.filehash": [],
"event.host": [],
"event.protocol": [],
"event.receiver": [],
"event.sender": [],
"event.sourcetype": [],
"event.src": [],
"event.src_port": [],
"event.status": [],
"event.url": [],
"event.user": [],
"event.time": [],
"id": [],
"indicator": [],
"itype": [],
"lat": [],
"lon": [],
"maltype": [],
"malware_family": [],
"md5": [],
"node_name": [],
"org": [],
"org_name": [],
"originator": [],
"resource_uri": [],
"severity": [],
"source": [],
"source_feed_id": [],
"srcip": [],
"state": [],
"tags": [],
"trusted_circle_id": [],
"url": [],
"uuid": [],
},
"sort": [],
"id": ""
}
]
"max_score": ""
},
"took": ""
}
When you choose “DGA Match” as the type of search, then the output contains the following populated JSON schema:
{
"timed_out"": "",
"_shards": {
"successful": "",
"total": "",
"failed": ""
}
"hits": {
"total": "",
"hits": [
{
"_type": "",
"_index": "",
"_score": "",
"fields": {
{
"app_type": [],
"count": [],
"customer_id": [],
"customer_name": [],
"dcid": [],
"dga_prob": [],
"domain": [],
"event.action": [],
"event.dest": [],
"event.host": [],
"event.sourcetype": [],
"event.src": [],
"event.url": [],
"event.user": [],
"event.time": [],
"indicator": [],
"malware_family": [],
"node_name": [],
"org_name": [],
"originator": [],
"resource_uri": [],
"uuid": [],
},
"sort": [],
"_id": ""
}
]
"max_score": ""
},
"took": ""
}
When you choose “Threat Bulletin” as the type of search, then the output contains the following populated JSON schema:
{
"timed_out"": "",
"_shards": {
"successful": "",
"total": "",
"failed": ""
}
"hits": {
"total": "",
"hits": [
{
"_type": "",
"_index": "",
"_score": "",
"fields": {
{
"assignee_org_name": [],
"assignee_user_name": [],
"created_ts": [],
"is_public": [],
"name": [],
"modified_ts": [],
"owner_org_name": [],
"owner_user_name": [],
"source": [],
"status": [],
"tags": [],
"tlp": []
},
"sort": [],
"_id": ""
}
]
"max_score": ""
},
"took": ""
}
When you choose “Actor” as the type of search, then the output contains the following populated JSON schema:
{
"timed_out"": "",
"_shards": {
"successful": "",
"total": "",
"failed": ""
}
"hits": {
"total": "",
"hits": [
{
"_type": "",
"_index": "",
"_score": "",
"fields": {
{
"assignee_org_name": [],
"assignee_user_name": [],
"created_ts": [],
"is_public": [],
"name": [],
"modified_ts": [],
"owner_org_name": [],
"owner_user_name": [],
"source": [],
"status": [],
"tags": [],
"tlp": []
},
"sort": [],
"_id": ""
}
]
"max_score": ""
},
"took": ""
}
When you choose “Campaign” as the type of search, then the output contains the following populated JSON schema:
{
"timed_out"": "",
"_shards": {
"successful": "",
"total": "",
"failed": ""
}
"hits": {
"total": "",
"hits": [
{
"_type": "",
"_index": "",
"_score": "",
"fields": {
{
"assignee_org_name": [],
"assignee_user_name": [],
"created_ts": [],
"is_public": [],
"name": [],
"modified_ts": [],
"owner_org_name": [],
"owner_user_name": [],
"source": [],
"status": [],
"tags": [],
"tlp": []
},
"sort": [],
"_id: ""
}
]
"max_score": ""
},
"took": ""
}
When you choose “TTP” as the type of search, then the output contains the following populated JSON schema:
{
"timed_out"": "",
"_shards": {
"successful": "",
"total": "",
"failed": ""
}
"hits": {
"total": "",
"hits": [
{
"_type": "",
"_index": "",
"_score": "",
"fields": {
{
"assignee_org_name": [],
"assignee_user_name": [],
"created_ts": [],
"is_public": [],
"name": [],
"modified_ts": [],
"owner_org_name": [],
"owner_user_name": [],
"source": [],
"status": [],
"tags": [],
"tlp": []
},
"sort": [],
"_id: ""
}
]
"max_score": ""
},
"took": ""
}
When you choose “Vulnerability” as the type of search, then the output contains the following populated JSON schema:
{
"timed_out"": "",
"_shards": {
"successful": "",
"total": "",
"failed": ""
}
"hits": {
"total": "",
"hits": [
{
"_type": "",
"_index": "",
"_score": "",
"fields": {
{
"assignee_org_name": [],
"assignee_user_name": [],
"created_ts": [],
"is_public": [],
"name": [],
"modified_ts": [],
"owner_org_name": [],
"owner_user_name": [],
"source": [],
"status": [],
"tags": [],
"tlp": []
},
"sort": [],
"_id: ""
}
]
"max_score": ""
},
"took": ""
}
When you choose “Incident” as the type of search, then the output contains the following populated JSON schema:
{
"timed_out"": "",
"_shards": {
"successful": "",
"total": "",
"failed": ""
}
"hits": {
"total": "",
"hits": [
{
"_type": "",
"_index": "",
"_score": "",
"fields": {
{
"assignee": [],
"created_ts": [],
"description": [],
"id": [],
"name": [],
"match_context": [],
"match_count": [],
"match_last_event_timestamp": [],
"modified_ts": [],
"priority": [],
"reporter": [],
"rule_link": [],
"rule_name": [],
"status": [],
"tags": [],
"title": []
},
"sort": [],
"_id: ""
}
]
"max_score": ""
},
"took": ""
}
When you choose “All Intelligence” as the type of search, then the output contains the following populated JSON schema:
{
"timed_out"": "",
"_shards": {
"successful": "",
"total": "",
"failed": ""
}
"hits": {
"total": "",
"hits": [
{
"_type": "",
"_index": "",
"_score": "",
"fields": {
{
"alert_info": [],
"alert_sent": [],
"alert_time": [],
"alert_title": [],
"confidence": [],
"dest": [],
"incident_link": [],
"indicator": [],
"itype": [],
"match_context": [],
"match_count": [],
"rule_filter": [],
"rule_link": [],
"rule_name": [],
"script_output": [],
"severity": [],
"src": [],
"tags": []
},
"sort": [],
"_id: ""
}
]
"max_score": ""
},
"took": ""
}
When you choose “Alert Trigger Records” as the type of search, then the output contains the following populated JSON schema:
{
"timed_out"": "",
"_shards": {
"successful": "",
"total": "",
"failed": ""
}
"hits": {
"total": "",
"hits": [
{
"_type": "",
"_index": "",
"_score": "",
"fields": {
{
"alert_info": [],
"alert_sent": [],
"alert_time": [],
"alert_title": [],
"confidence": [],
"dest": [],
"incident_link": [],
"indicator": [],
"itype": [],
"match_context": [],
"match_count": [],
"rule_filter": [],
"rule_link": [],
"rule_name": [],
"script_output": [],
"severity": [],
"src": [],
"tags": []
},
"sort": [],
"_id: ""
}
]
"max_score": ""
},
"took": ""
}
operation: Run a Retrospective/Forensic Search
Input parameters
| Parameter |
Description |
| Time Range |
Time range for which you want to perform the retrospective or forensic search on the Anomali Enterprise system.
Note: By default, the search is performed on the event data of the last 7 days.
You can choose Relative time, such as Previous Month or choose Custom to specify a custom time range.
If you choose Custom, then from the Choose Time Range option choose Absolute or Relative.
- If you choose Absolute, then specify the From Date and To Date values using the Calendar tool.
- If you choose Relative, then specify the number to be considered in the Number of units fields and specify the unit to be considered in the Unit field.
|
| Indicators to Search |
Values of the indicators that you want to search for on the Anomali Enterprise system.
Note: You can specify multiple indicators in the CSV format. |
Output
The output contains the following populated JSON schema:
{
"jobid": ""
}
operation: Get Retrospective Search Status
Input parameters
| Parameter |
Description |
| Job ID |
Identifier of the job whose status you want to retrieve from the Anomali Enterprise system. |
Output
The output contains the following populated JSON schema:
{
"category": "",
"complete": "",
"anyKeyMaxed": "",
"searchNodes": "",
"totalMatches": "",
"status": "",
"repliedNodes": "",
"result_file_name": "",
"collectNodes": [],
"processedFiles": "",
"metrics": {},
"scannedEvents": "",
"abortedReplies": "",
"streamResults": [],
"totalFiles": ""
}
operation: Download the Search Results
Input parameters
| Parameter |
Description |
| Result File Name |
Name of the file that contains the search results in the Anomali Enterprise system.
You can find the name of the search results file using the Get Retrospective Search Status operation. Once job status changes to "Complete", the response will contain the filename of the search results. |
Output
The output contains the following populated JSON schema:
{
"data": [
{
"modifyDate": "",
"createDate": "",
"name": "",
"@context": "",
"@id": "",
"id": "",
"description": "",
"modifyUser": {
"modifyDate": "",
"createDate": "",
"name": "",
"@id": "",
"@settings": "",
"modifyUser": "",
"avatar": "",
"userType": "",
"@type": "",
"userId": "",
"id": "",
"createUser": ""
},
"createUser": {
"modifyDate": "",
"createDate": "",
"name": "",
"@id": "",
"@settings": "",
"modifyUser": "",
"avatar": "",
"userType": "",
"@type": "",
"userId": "",
"id": "",
"createUser": ""
},
"@type": "",
"type": "",
"file": {
"metadata": "",
"file": {
"@type": ""
},
"size": "",
"@type": "",
"owners": [
""
],
"@context": "",
"mimeType": "",
"@id": "",
"filename": "",
"uploadDate": ""
}
}
]
}
operation: Upload Asset Information
Input parameters
| Parameter |
Description |
| Upload File Using |
Select the type of file reference that you will be uploading to the Anomali Enterprise system. You can choose from the following options: Attachment IRI, File IRI, or File Path.
- If you choose Attachment IRI, then you must specify the IRI of the attachment that is used to access the file directly from the FortiSOAR™ "Attachments" module in the Attachment IRI field.
- If you choose File IRI, then you must specify the IRI of the file that is present in FortiSOAR™ in the File IRI field.
- If you choose File Path, then you must specify the full path of the file that is present in FortiSOAR™ in the File Path field.
Note: The file that you want to upload to the Anomali Enterprise system must be in the csv format. |
Output
The output contains the following populated JSON schema:
{
"status_code": "",
"data": {
"dropped": "",
"total": ""
}
}
operation: Identify DGA Domains
Input parameters
| Parameter |
Description |
| Domains |
Comma-separated list of domains for which you want to retrieve the DGA probability and malware family from the Anomali Enterprise system. |
Output
The output contains the following populated JSON schema:
{
"result": "",
"data": {}
}
Included playbooks
The Sample - Anomali Enterprise - 1.0.0 playbook collection comes bundled with the Anomali Enterprise connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Anomali Enterprise connector.
- Download the Search Results
- Get Retrospective Search Status
- Identify DGA Domains
- Run a Retrospective_Forensic Search
- Search in Anomali Enterprise Data
- Upload Asset Information
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
