
August 2022 Quarterly Product Release

The Anomali team continues to work with customers to add the features they need. The August release introduces new capabilities that keep your organization focused and one step ahead of the adversary.

The main highlights of this quarter are:

  • Create extended visibility with Anomali and MITRE Engenuity
  • Automate routine tasks to reduce analysts' average response times
  • Scheduled Retrospective Search
  • Automated response in the Anomali platform
  • Lens+ support for MITRE ATT&CK Enterprise v10 and v11
  • Easy installation of Integrator 8.1

Anomali attack pattern detection and MITRE ATT&CK®:

In 2021, Anomali joined MITRE Engenuity's Center for Threat-Informed Defense, working on the Attack Flow project to better understand adversary behavior and improve defensive capabilities. The partnership culminated in the public release of the project in March 2022.

The Attack Flow project provides context for an attacker's behavior and helps security teams build an accurate profile of an attacker. It also helps organizations prepare before an attack, detect it in real time while it is under way, and respond after it.

I am looking forward to this project and the work that follows it. Hear excerpts from a recent webinar describing the project below.

Automate your daily workflows:

Customers are always looking for solutions that make their lives easier. This release introduces the first step of the routine task automation framework within ThreatStream Cloud, which adds support for automating routine analyst tasks.

This first step allows the user to define an enrichment routine that can be triggered for a given indicator during an investigation. Users can build a library of regular workflows by creating multiple automated routines, turning a series of individual enrichment pivots or transforms into one-click actions.

Users can also share the routines they create to facilitate team collaboration and increase efficiency.

Automating routine tasks in ThreatStream helps reduce noise by filtering out unwanted enrichment data, freeing analysts to focus on and prioritize their analysis efforts.

Screenshot: Configure routine task automation – run multiple (up to 20) enrichments with one click of a button

Scheduled Retrospective Search

One of the important features of the Cloud XDR solution is the ability to retrospectively search the environment for matches. Customers can now schedule automated retrospective searches that correlate historical data with newly arriving intelligence.

This automated process enables security teams to detect threats in their environment as soon as new intelligence arrives and provides insight into emerging threat actors, bulletins, and other threat models.

Screenshot: Showing a list of already configured retrospective searches scheduled to run at specific intervals

Automated response in the Anomali platform

Alerts within the Anomali Platform identify malicious IoCs within customer environments and trigger a set of actions that enable an effective response. The key is to deploy the IoC to the customer's security tools within an appropriate time frame for mitigation and remediation.

This release enables a workflow in which matched indicators can be tagged so that the IoC content is automatically deployed to downstream security controls.

In this first step, we enabled a predefined set of response-centric tags for XDR alerts; tagged IoCs can be linked and pushed to the relevant configured destinations.
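The two features described above (scheduled retrospective search, then response-centric tagging of the matches) amount to one pipeline: match newly published indicators against archived telemetry, raise an alert per matched indicator, tag it according to the response it warrants, and group the tagged indicators by destination. The following is an added illustration written for this page, not Anomali's code and not the platform's API. The archived log lines, the "bulletin" of new IoCs (reserved documentation addresses and `.test` domains), the `resp:*` tag names and the confidence threshold are all constructed for the example; the release does not publish the real tag set.

```python
"""Added example (not Anomali's code): retrospective IoC search over archived
logs, then response-centric tagging of the matches for downstream dispatch."""
import re
from dataclasses import dataclass, field

# Constructed sample of archived proxy/DNS log lines (not real data).
ARCHIVED_LOGS = [
    "2022-07-03T10:15:02Z host=ws-17 proto=dns query=update.example-bad.test",
    "2022-07-05T08:41:55Z host=ws-04 proto=http dst=198.51.100.23 uri=/gate.php",
    "2022-07-06T22:03:11Z host=srv-02 proto=http dst=203.0.113.9 uri=/index.html",
    "2022-07-09T01:12:40Z host=ws-17 proto=dns query=cdn.legit-example.test",
    "2022-07-12T14:20:07Z host=ws-21 proto=http dst=198.51.100.23 uri=/gate.php",
]

# Constructed "new intelligence" bulletin: indicator -> (type, confidence).
# The third entry never appears in the archive and must not produce an alert.
NEW_IOCS = {
    "update.example-bad.test": ("domain", 90),
    "198.51.100.23": ("ip", 80),
    "203.0.113.77": ("ip", 60),
}

# Hypothetical response-centric tags keyed by indicator type.
RESPONSE_TAGS = {"domain": "resp:dns-sinkhole", "ip": "resp:firewall-block"}

# Only the fields that can carry an indicator are extracted from each line.
TOKEN_RE = re.compile(r"(?:query|dst)=(\S+)")


@dataclass
class Alert:
    ioc: str
    ioc_type: str
    confidence: int
    hits: list = field(default_factory=list)   # archived lines that matched
    tags: set = field(default_factory=set)     # response tags assigned later


def retrospective_search(logs, iocs):
    """Return one Alert per indicator that appears in at least one archived line."""
    alerts = {}
    for line in logs:
        for value in TOKEN_RE.findall(line):
            if value in iocs:
                ioc_type, confidence = iocs[value]
                alert = alerts.setdefault(value, Alert(value, ioc_type, confidence))
                alert.hits.append(line)
    return list(alerts.values())


def tag_for_response(alerts, min_confidence=70):
    """Attach a response tag to alerts whose indicator confidence meets the bar."""
    for alert in alerts:
        if alert.confidence >= min_confidence:
            alert.tags.add(RESPONSE_TAGS[alert.ioc_type])
    return alerts


def dispatch(alerts):
    """Group tagged indicators by tag, i.e. by the downstream control that consumes them."""
    queues = {}
    for alert in alerts:
        for tag in alert.tags:
            queues.setdefault(tag, []).append(alert.ioc)
    return queues


if __name__ == "__main__":
    found = tag_for_response(retrospective_search(ARCHIVED_LOGS, NEW_IOCS))
    for alert in found:
        print(f"{alert.ioc} ({alert.ioc_type}) hits={len(alert.hits)} tags={sorted(alert.tags)}")
    print(dispatch(found))
```

The confidence threshold is the point where an analyst's judgement enters: a low-confidence indicator still produces an alert for review, but is not pushed to a blocking control automatically.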

More information will follow in future releases.

Lens+ support for the MITRE ATT&CK Framework v10 and v11

Lens is one of the best tools Anomali has to offer. Lens is a powerful natural language processing engine that automatically scans digital content to surface threat intelligence quickly. Lens can be deployed as a browser extension or as a Microsoft Office add-in (Word, Excel, Outlook).

This release adds support for MITRE ATT&CK Enterprise v10 and v11 and awareness of the latest MITRE versions. Users can now see MITRE TTP and attack pattern information alongside the risk scores, context, and event matches they already see in their environment.

This update is currently available only to Anomali Lens+ subscribers.

Screenshot: Lens highlighting TTP

Easy installation of Integrator 8.1

Integrator is central to operationalizing intelligence across your security stack. This release streamlines the installation process to significantly improve the customer experience when configuring new or existing extensions.

With the simplified installation process, extensions can be configured once and reused as needed. All configuration options are displayed individually, so there is no need to edit JSON configuration text by hand.

Also added:

  • Saved search filtering – ThreatStream saved searches are available in both source and destination filters. Instead of requiring users to create new filters in Integrator, saved searches from ThreatStream can be queried through the Integrator UI (requires Intel API version 2).
    • Saved search filters are copied into the destination filter and are not updated dynamically.
  • Digitally signed – All Integrator download files (for both applications and extensions) are now digitally signed with a trusted certificate.
    • This prevents Windows from triggering antivirus alerts and allows safe delivery of new extension processes. (Digital signatures will be added to Integrator 8.1 later, in September/October.)
  • Priority tagging now means that intelligence discovered through match notifications is properly tagged in Integrator and is not negatively affected by target restrictions.

These updates remove much of the manual work previously required and will be fully functional once all extensions have been repackaged, by October.

For a complete list of updates, check out our monthly release webinar available at Anomali University or contact your Customer Success Manager.

Until next time.
