Anomali ThreatStream
User Guide
August 27, 2021
Copyright Notice
Copyright © 2021 Anomali, Inc. All rights reserved.
Anomali is a registered trademark, ThreatStream is a registered servicemark, and
Optic, Integrator, STAXX, Anomali Enterprise, Anomali Match, and Anomali Lens
are trademarks of Anomali, Inc.
All other brands, products, and company names used herein may be trademarks of
their respective owners.
Support
Support Portal https://support.anomali.com
Email support@anomali.com
Phone +1 844-4-THREATS (847328)
Twitter @anomali
Documentation Updates
Date Description
8/27/2021 Includes ThreatStream updates as of 8/27/2021.
7/27/2021 Includes ThreatStream updates as of 7/27/2021.
7/23/2021 Includes ThreatStream updates as of 7/23/2021.
6/30/2021 Includes ThreatStream updates as of 6/30/2021.
6/25/2021 Includes ThreatStream updates as of 6/25/2021.
6/8/2021 Includes ThreatStream updates as of 6/8/2021.
6/4/2021 Includes ThreatStream updates as of 6/4/2021.
6/2/2021 Includes ThreatStream updates as of 6/2/2021.
Anomali ThreatStream Page 2 of 750
CONTENTS
Chapter 1: Accessing ThreatStream 12
Chapter 2: Navigating ThreatStream 14
A Tour of the ThreatStream Overview Dashboard 17
Visualizing Threats With MyEvents Map 25
Viewing Weekly Summaries for Your Organization 27
Generating User Activity Reports 29
Available User Activity Widgets 32
Exporting User Reports 34
Viewing the Intelligence Initiatives Dashboard 35
Creating Custom Dashboards 36
Sunburst Backdoor Rapid Response Dashboard 48
Anomali Downloads 55
Chapter 3: First Steps in ThreatStream 57
First Steps for All Users 57
First Steps for Administrators 59
Chapter 4: Profile Settings 61
Profile Settings Operations 61
Managing Your Profile Settings 61
Receiving Notifications from ThreatStream 62
Receiving In App Notifications from ThreatStream 66
Managing Your ThreatStream Password 69
Chapter 5: Organization Administration 70
Organization Administration Operations 70
Viewing and Editing Organization Settings 71
Authentication in ThreatStream 81
Mailboxes For Receiving Observables 81
Managing Mailboxes 83
Adding Additional Email Import Addresses 93
Multi-Factor Authentication 93
Managing Organization Users 97
Customizing New User Emails 101
Enabling SSO with Active Directory and Active Directory Federated Services 102
Configuring Integration with AD and ADFS 103
Updating Your Exclude List 113
Integrating With Third-Party Services 117
Activating the ServiceNow Integration 133
Activating the Qualys Vulnerability Management Enrichment 155
Using the Qualys Vulnerability Management Enrichment 161
Using the Qualys Vulnerability Management Enrichment with Qualys Patch Report 162
Exporting Qualys Data in CSV Format 162
Audit User Activity 192
Restricting Access to Intelligence with Workgroups 196
Adding Preferred Tags to Intelligence 200
Managing Organization Never Scan Lists for the Anomali Lens Plugin 202
ThreatStream User Roles 203
Chapter 6: Sharing Intelligence via TAXII on ThreatStream 208
Getting Started with TAXII on ThreatStream 210
Connecting To Your ThreatStream TAXII Server from a TAXII Client 211
Using ThreatStream as a TAXII Client 213
Managing TAXII Sites 215
Managing TAXII Site Collections 217
Managing TAXII Feeds 218
Chapter 7: Searching Intelligence in ThreatStream 222
Chapter 8: Observables 224
Observable Confidence in ThreatStream 235
Editing Observable Details 237
Associating an Observable with Other Observables 242
Adding Private Tags to Observables 243
Bulk Tag Management 244
Restricting Observable Visibility to Workgroups 246
Reporting False Positives 248
My Attacks Report 250
Viewing Attacks with Sightings 253
Deleting Observables 256
Chapter 9: Searching Observables in ThreatStream 258
Performing Basic Observable Searches 258
Performing Advanced Observable Searches 260
Searching for Defanged Observable Values 270
Filtering Search Results 271
Saving Observable Search Filters 275
Exporting Search Results 277
Case Sensitivity in ThreatStream Search 279
Chapter 10: Importing Observables with Import Assistant 280
Importing Observables 286
Importing Observables From an Email 293
Ingesting Phishing Emails 296
Importing STIX Data into the Anomali Threat Model 299
Viewing Import Jobs Associated With Your Organization 306
Approving Import Jobs 308
Rejecting Import Jobs 313
Restricting Observables Visibility to Workgroups During Import 314
Managing Import Sessions Without Approve Import Privileges 315
Managing Excluded Observables 318
Re-importing Observable Values 321
Editing Observable Values Before Approval 322
Deleting Import Jobs 323
Chapter 11: Investigating Threats in ThreatStream 325
Investigations List View 326
Creating Investigations 327
Understanding the Investigations User Interface 330
Collaborating on Investigations 338
Using the MITRE ATT&CK Framework in Investigations 341
Managing Investigation Entities 346
Exporting Investigations as Threat Model Entities 356
Exporting Investigations in CSV Format 358
Chapter 12: Using the Anomali Threat Model 361
How to Use the Threat Model 364
Threat Model Dashboard 365
Threat Model List View 366
Performing Basic Threat Model Searches 369
Performing Advanced Threat Model Searches 371
Saving Threat Model Search Filters 381
Adding a Threat Model Entity 383
Viewing Actor Details 395
Editing Actors 398
Viewing Attack Pattern Details 405
Editing Attack Patterns 408
Viewing Campaign Details 413
Editing Campaigns 416
Viewing Course of Action Details 422
Edit Courses of Action 425
Adding STIX 2.1 Custom Objects to the Anomali Threat Model 430
Summary 432
Actions 432
Attributes 433
Description 433
Associations 433
Attachments 433
History 433
Comments 434
Intelligence Actions 434
Export 434
Viewing Identity Details 440
Editing Identities 443
Viewing Incident Details 449
Editing Incidents 451
Viewing Infrastructure Details 458
Viewing Malware Details 466
Editing Malware 469
Viewing Signature Details 475
Editing Signatures 477
Viewing Threat Bulletin Details 483
Editing Threat Bulletins 485
Viewing Tool Details 492
Editing Tools 495
Viewing TTP Details 500
Editing TTPs 503
Viewing Vulnerability Details 508
Editing Vulnerabilities 510
Using the MITRE ATT&CK Framework in ThreatStream 516
Cloning Threat Model Entities 519
Managing STIX Relationship Objects (SROs) 520
Adding Labels to Associations 523
Viewing Threat Model Entity History 526
Sharing Threat Model Entities Through Email 527
Exporting Threat Model Entities in STIX Format 530
Exporting Threat Model Entities in PDF Format 531
About Threat Model Templates 540
Creating a Template 540
Editing a Template 541
Removing a Template 542
Reviewing Threat Model Entities for Publication 542
Restricting Threat Model Entities to Workgroups 544
Deleting a Threat Model Entity 544
Chapter 13: Subscribing to Premium Threat Intelligence Streams 547
Activating Premium Streams 548
Browsing Open Source Streams 551
Managing Open Source Intelligence (OSINT) Feeds 551
Chapter 14: Managing Your Organization MITRE ATT&CK Security Coverage Framework 556
Configuring a Representation of your Security Coverage from a JSON File 558
Manually Configuring a Representation of your Security Coverage 560
Chapter 15: Attributing Organizational Goals with Intelligence Initiatives 562
Information in an Intelligence Initiative 564
Creating Intelligence Initiatives 567
Completing Intelligence Initiatives 568
Exporting Intelligence Initiatives 569
Deleting Intelligence Initiatives 570
Chapter 16: Comparing Intelligence Sources with Source Optimizer 571
Chapter 17: Configuring Rules 574
Configuring Rules 578
Viewing Rule Details 587
Editing Configured Rules 588
Exporting Rules 590
Removing Configured Rules 591
Receiving Rules Email Notifications 592
Chapter 18: Managing Intelligence Streams 594
Anomali Threat Research Streams 596
Importing Streams Using Basic Submission 597
Importing Streams Using Advanced Submission 600
Viewing Stream Details 603
Editing Stream Sources 604
Disabling Stream Sources 605
Exporting Stream Details 605
Chapter 19: Analyzing Malware with the ThreatStream Sandbox 607
Available Sandbox Services in ThreatStream 608
Information in a Sandbox Report 610
Submitting Malware for Detonation 611
Viewing Sandbox Reports 615
Importing Observables from the Sandbox Report 617
Exporting a Sandbox Report 617
Deleting a Sandbox Report 619
Editing Sandbox Report Visibility 620
Activating Joe Sandbox 621
Activating VMRay 623
Troubleshooting Joe Sandbox Submissions 629
Chapter 20: Analyzing Adversary Infrastructure with Explore 630
Exploring Known Attack Infrastructure 630
Exploring Previously Unknown Attack Infrastructure 631
Understanding the Explore Interface 633
Adding Nodes to Explore 636
Importing Observables from your Explore Chart 636
Exporting Your Explore Chart 637
Saving Your Explore Chart 637
Chapter 21: Collaborating with ThreatStream Chat 638
Accessing Chat 638
Chatting With Your Organization 640
Chatting With Trusted Circles 642
Enabling Chat for Your Organization 644
Chapter 22: Collaborating with Trusted Circles 647
Public and Non-Public Trusted Circles 648
Privacy of Data in a Trusted Circle 649
Understanding the Role of a Trusted Circle Administrator 649
Creating a Trusted Circle 650
Editing a Trusted Circle 652
Joining a Trusted Circle 653
Approving Membership Requests to Public Trusted Circles 654
Inviting Members to Join a Non-Public Trusted Circle 654
Leaving a Trusted Circle 655
Sharing Data with Trusted Circles 656
Viewing Members of a Trusted Circle 657
Viewing Trusted Circles 658
Deleting a Trusted Circle 658
Chapter 23: Using Anomali Lens in ThreatStream 659
Scanning Pages with Anomali Lens 662
Creating Content with Anomali Lens in ThreatStream 665
Chapter 24: Participating in the Anomali Community 672
Managing Your Profile 673
Earning Badges 675
Watching, Starring, Liking, and Sharing Intelligence 675
Tracking Intelligence with My Threats 677
Viewing the Community Threats Dashboard 677
Chapter 25: ThreatStream Integrator 679
Supported Integrations 679
Downloading ThreatStream Integrator 680
Chapter 26: ThreatStream API 681
Appendix A: Intelligence Fields in ThreatStream 682
Appendix B: Limits in ThreatStream 687
Appendix C: Supported Attributes for STIX Entities 688
Appendix D: Indicator Types in ThreatStream 702
Appendix E: Threat Types in ThreatStream 733
Appendix F: Bolstering Your Security Controls Against the Sunburst Supply Chain Attacks 739
Threat Model Entities 740
Observables 740
Themed Custom Dashboard 741
My Events Map (customized to Sunburst attacks) 741
Appendix G: Bolstering Your Security Controls Against COVID-19 743
Threat Bulletin and Campaign 743
Trusted Circles 744
My Events Map (customized to COVID-19 matches) 745
My Alerts - Rules 746
Chat - COVID-19 747
Send Documentation Feedback 749
Chapter 1: Accessing ThreatStream
Through a Web Browser
To connect to the ThreatStream Cloud platform: https://ui.threatstream.com
To connect to an on-premise ThreatStream OnPrem: https://<appliance_host_name_OR_IP_address>
You will be prompted to enter your Email Address and Password.
Browser Requirements
The latest versions of the following browsers are supported for accessing the
ThreatStream user interface:
• Chrome
• Internet Explorer
• Firefox
• Safari
ThreatStream API
ThreatStream is accessible through REST APIs, which are available to all Premium
customers. The APIs allow you to pull threat intelligence from the ThreatStream
platform for use with other third-party tools, import observables into ThreatStream
from any source, and manage Threat Bulletins.
To learn more about the ThreatStream API, download the ThreatStream
API Reference Guide from the Downloads page on ThreatStream.
Chapter 2: Navigating ThreatStream
Dashboards
• Overview: Get a real-time overview of observables relevant to your organization and view alerts that require your immediate action. See "A Tour of the ThreatStream Overview Dashboard" on page 17 for more information.
• Weekly Summary: Visualize the quality of data coming through the various feeds supplying your organization with intelligence. See "Viewing Weekly Summaries for Your Organization" on page 27 for more information.
• MyEvents Map: Visualize the geographic location of threats around the world. See "Visualizing Threats With MyEvents Map" on page 25 for more information.
• Community Threats: View the most Watched, Starred, Liked, and Commented observables and Threat Model entities in your community over the previous 30 days. See "Viewing the Community Threats Dashboard" on page 677 for more information.
• Reporting: Generate reports on user activity within your organization. See "Generating User Activity Reports" on page 29 for more information.
Manage
• Import: Import threat intelligence via raw text, CSV, Excel, PDF, or STIX. See "Importing Observables" on page 286 for more information.
• Trusted Circles: Enable the sharing of information between your organization and other organizations on ThreatStream. See "Collaborating with Trusted Circles" on page 647 for more information.
• Streams: Add any additional threat intelligence feeds in your possession not provided by Anomali. See "Managing Intelligence Streams" on page 594 for more information.
• Rules: Configure rules that take automated actions when specific keywords appear in newly created Threat Bulletins, Sandbox Reports, Signatures, Vulnerabilities, or recently received observables. See "Configuring Rules" on page 574 for more information.
• Source Optimizer: Compare observable overlap between open-source intelligence sources that feed your threat intelligence. See "Comparing Intelligence Sources with Source Optimizer" on page 571 for more information.
Analyze
• Overview: View the five most recent Actors, Campaigns, Malware, Incidents, Signatures, Threat Bulletins, TTPs, and Vulnerabilities that were updated on ThreatStream. See "Threat Model Dashboard" on page 365 for more information.
• Observables: Search for and drill down on observables relevant to your organization. See "Searching Observables in ThreatStream" on page 258 for more information.
• Threat Model: Your hub for threat model management on ThreatStream. Search the threat model entities you have access to on ThreatStream via keywords and easy-to-use filtering. You can also create new threat model entities from this page. See "Using the Anomali Threat Model" on page 361 for more information.
Research
• Investigations: Centrally manage threat investigations of interest to your organization. See "Investigating Threats in ThreatStream" on page 325 for more information.
• Explore: Explore relationships between observables and other entities using a graphical tool. See "Analyzing Adversary Infrastructure with Explore" on page 630 for more information.
• Sandbox: Perform automated observable extraction through uploading files or adding URLs. See "Analyzing Malware with the ThreatStream Sandbox" on page 607 for more information.
• Collaborate: Leverage instant messaging within ThreatStream to chat with Organization and Trusted Circle members. See "Collaborating with ThreatStream Chat" on page 638 for more information.
APP Store
• APP Store: Purchase and load-in additional streams to increase the quality of your data.
Search
• Search: Perform basic keyword searches for observables, Actors, Campaigns, Malware, Incidents, Signatures, Threat Bulletins, TTPs, and Vulnerabilities. For more, see "Searching Intelligence in ThreatStream" on page 222.
What's New in ThreatStream
View the five most recent features or enhancements added to the ThreatStream
platform. For a full list of ThreatStream releases, see What's New in ThreatStream.
Notification Center
ThreatStream displays in-app notifications when certain events occur.
For a detailed list of notifications and how to subscribe to them, see "Receiving In App Notifications from ThreatStream" on page 66.
Help
• Help: Access comprehensive context sensitive online help for the area of ThreatStream you are currently viewing.
• Downloads: Find the latest available software from Anomali.
• Support: Contact Anomali support.
Settings
Manage user and organization level settings. See "Profile Settings" on page 61 and
"Organization Administration" on page 70 for more information.
Anomali User Profile
• My Threats: View recent observables and Threat Model entities that you have Watched, Starred, Liked, and Commented on.
• Profile: View and edit your profile.
• Anomali Community: Browse public ThreatStream user profiles.
• Logout: Terminate your current ThreatStream session.
A Tour of the ThreatStream Overview
Dashboard
The Overview Dashboard is your hub for proactive threat detection on
ThreatStream. It displays summaries of the latest threat intelligence available to you
on ThreatStream, recent activity within your organization, alerts that require your
attention, and notifications for open tasks assigned to you.
Each user is free to customize the appearance of their dashboard. In addition to
selecting the widgets displayed on your dashboard, you can drag and drop widgets
to change the order in which they are arranged.
The information in this section focuses on the Overview Dashboard. For:
• My Events dashboard, see "Visualizing Threats With MyEvents Map" on page 25
• Weekly Summary dashboard, see "Viewing Weekly Summaries for Your Organization" on page 27
• Community Threats dashboard, see "Viewing the Community Threats Dashboard" on page 677
• Reporting dashboard, see "Generating User Activity Reports" on page 29
• Custom dashboards, see "Creating Custom Dashboards" on page 36
Click Add Dashboard Widget to select additional widgets to display on your
dashboard.
Remove the widget from your dashboard.
Change the location of the widget on your dashboard. Click and drag the widget
to the desired location.
Select a date range for the data displayed on the dashboard. By default, data
from the last seven days is displayed.
Reset your dashboard to the default configuration.
Available Dashboard Widgets
Note: The following table contains an alphabetical list of all available widgets.
Once you add a widget, it is no longer available in the Add New Dashboard
Widget dropdown list. Therefore, your dropdown list will only contain widgets
that are not yet added to your dashboard.
Widget Description
Contributions: View a summary of recent intelligence contributed to ThreatStream. Note that this is the horizontal box at the top, which spans the entire dashboard.
• Total # of Observables: Number of observables added during the time range selected for the dashboard.
• Your Total Contribution: Number of observables added by your organization during the selected time range. Sources include imports, streams configured by your organization, or TAXII feeds.
• Sightings: Number of observables from the selected time range that triggered alerts in your integrated destinations. You can view expanded Sightings data on the My Recent Attacks widget.
• Total Community Contribution: Number of observables to which you have access that were contributed by other organizations.
• # of False Positives Filtered: Number of observables to which you have access that were reported as false positive.
• Last Indicator Received: Time elapsed since the most recent observable to which you have access was added to ThreatStream.
Indicators by Type: View observables added to ThreatStream by indicator type on a bar chart. Click bar chart segments to view observables on the Observables search page.
Use the top right menu to toggle between a view of All Types, Top 5 Indicator Types, and Top 10 Indicator Types.
Indicator types represented on the chart are listed in the chart key. You can click indicator types on the chart key to add or remove them from the chart. Click Deselect All to remove all indicator types from the chart, or Select All to add all indicator types from the chart key to the chart.
Intelligence Sources: View statistics on observables added to ThreatStream via your organization, private feeds, and open source feeds. You can click the columns to view the top 10 sources in each category, as displayed below.
• Overall: Total number of observables provided by the source.
• This Period: Number of observables provided by the source during the selected time range.
• % Change: Ratio of observables provided by the source during the selected time range over the overall total.
• # of False Positives: Observables from the source that have been identified as false positive.
Investigations: View investigations assigned to you or a workgroup to which you belong by status. You can filter investigations by assignee by using the Assigned to filter.
To drill into investigations of a status, click the status count. Investigations are listed on the Investigations list view screen. See "Investigations List View" on page 326 for more information.
Investigation Task List: View open and completed investigation tasks which have been assigned to you. The To Do tab lists tasks which you have yet to complete. Completed tasks are listed on the Completed tab.
You can mark an open task as complete by checking its box on the To Do tab. When you mark a task complete, it is moved to the Completed tab.
Similarly, you can uncheck tasks on the Completed tab to reopen and move them back to the To Do tab.
You can click tasks to visit the relevant investigation.
Latest Activity: View the 10 most recent notifications on ThreatStream activity. Notifications are displayed when:
• Import sessions created by your organization or trusted circles of which you are a member are approved. Click the activity to view the import session.
• Import sessions created by your organization are ready for review and you have the Approve Import user privilege. Click the activity to view the import session.
• Threat model entities to which your organization has access are created, published, or updated. Click the activity to view the threat model entity.
• Investigations owned by your organization or accessible via trusted circles are updated. Click the activity to view the investigation.
• Submissions are made to an organization Import or Phishing mailbox. Links to associated import sessions, Threat Bulletins, or investigations are included in the activity. Unsuccessful submissions are also displayed.
Latest Rule Matches: View matches for keywords in recent intelligence configured by your organization in Rules. Click the Details link to drill down on the matched intelligence. For more on Rules, see "Configuring Rules" on page 574.
My Alerts: View statistics on recently triggered rules and corresponding automated actions taken by ThreatStream.
• No Actions Taken: Number of matches during the selected time period for which no actions were configured.
• Tagged With Terms: Number of matches that resulted in intelligence being tagged with configured terms.
• Added to Investigation: Number of matches resulting in intelligence being added to investigations.
• Added to Threat Model: Number of matches resulting in intelligence being added to threat model entities.
You can click any of the rule categories to view a list of triggered rules in a pop up window.
My Recent Attacks: View observables that triggered alerts in integrated destinations such as ArcSight ESM and Splunk. Count shows the number of times observables have been seen in ThreatStream. Click the Observable to drill down for deeper analysis on the observable details page.
Data must be provided to ThreatStream in a My Attacks Report in order to populate the My Recent Attacks widget. See "My Attacks Report" on page 250 for more information.
You can view My Recent Attacks data in the Sightings widget on observable details pages. For more on Sightings, see "Viewing Attacks with Sightings" on page 253.
Organization Recent Sandbox Submissions: View recent submissions to your Sandbox. Org Admins can click the Status to review and approve submissions.
Pending Tasks: View open tasks which have been specifically assigned to you or available for you to complete based on your user privileges. Tasks include reviewing import sessions, reviewing threat model entities, triaging investigations that are in pending state, and approving requests to join your trusted circles.
Click the task type to drill down on open tasks.
Streams by Confidence and Severity: View streams feeding your threat intelligence in ThreatStream by the Confidence and Severity scores of the observables they provide.
The quantity of intelligence is represented by the size of each circle. You can hover over a stream for the name of the stream, average Confidence score, average Severity score, iTypes provided by the stream, and the number of observables provided by the stream.
Threat Model Entities: View the most recently published threat model entities to which you have access on ThreatStream. Click See more threat models to view expanded results on the Threat Model List View.
Top ASNs: View the most widely seen ASNs associated with recent observables in ThreatStream.
Top Impacts: View the most widely seen indicator types associated with recent observables in ThreatStream.
Top Threats by Country: View the most widely seen geographical source of recent observables in ThreatStream.
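As an added example that is not part of this guide or of ThreatStream's own code, the following Python reproduces the four columns of the Intelligence Sources widget described in the table above (Overall, This Period, % Change, # of False Positives) from a constructed set of observable records, so that the widget's figures can be cross-checked against an export of the same observables. The record field names (source, created, status) and the status labels "active" and "falsepos" are assumptions made for this illustration, not the platform's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample observables (not ThreatStream export data). Field names
# and the status labels "active"/"falsepos" are assumptions for this example.
NOW = datetime(2021, 8, 27, tzinfo=timezone.utc)
SAMPLE_OBSERVABLES = [
    {"source": "org-import",   "created": NOW - timedelta(days=1),  "status": "active"},
    {"source": "org-import",   "created": NOW - timedelta(days=3),  "status": "falsepos"},
    {"source": "org-import",   "created": NOW - timedelta(days=20), "status": "active"},
    {"source": "private-feed", "created": NOW - timedelta(days=2),  "status": "active"},
    {"source": "private-feed", "created": NOW - timedelta(days=40), "status": "active"},
    {"source": "osint-feed",   "created": NOW - timedelta(days=60), "status": "falsepos"},
    {"source": "osint-feed",   "created": NOW - timedelta(days=90), "status": "active"},
]


def source_stats(observables, period_days, now=NOW):
    """Count observables per source the way the widget's columns describe.

    overall         : every observable the source has ever supplied
    this_period     : observables created within the last `period_days`
    pct_change      : this_period as a percentage of overall (0.0 if overall is 0)
    false_positives : observables from the source marked false positive
    """
    cutoff = now - timedelta(days=period_days)
    stats = defaultdict(lambda: {"overall": 0, "this_period": 0, "false_positives": 0})
    for obs in observables:
        row = stats[obs["source"]]
        row["overall"] += 1
        if obs["created"] >= cutoff:
            row["this_period"] += 1
        if obs["status"] == "falsepos":
            row["false_positives"] += 1
    for row in stats.values():
        # Guard against a source with no observables at all (division by zero).
        row["pct_change"] = (
            round(100.0 * row["this_period"] / row["overall"], 1) if row["overall"] else 0.0
        )
    return dict(stats)


def top_sources(stats, column, limit=10):
    """Rank sources by one column, as the widget does when that column is clicked."""
    return sorted(stats.items(), key=lambda kv: kv[1][column], reverse=True)[:limit]


if __name__ == "__main__":
    # Seven-day window, matching the dashboard's default date range.
    for name, row in top_sources(source_stats(SAMPLE_OBSERVABLES, 7), "this_period"):
        print(f"{name:13} overall={row['overall']:2} this_period={row['this_period']:2} "
              f"pct_change={row['pct_change']:5.1f} false_positives={row['false_positives']}")
```

The `period_days` argument is the dashboard's selected date range (seven days by default); a source whose `this_period` count is zero over several ranges while its `false_positives` count keeps growing is the kind of feed the widget is meant to surface for review.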
Visualizing Threats With MyEvents Map
MyEvents Map is an interactive tool that enables you to visualize the geographic
location of threats around the world. Though not a live view, MyEvents Map replays
the most recent intelligence available to you on ThreatStream. When opened, the
map queries the most recent 1000 observables based on the display mode you
selected.
There are three display modes:
• Recent observables: Replays the most recent observables added to ThreatStream.
• Saved Searches: Replays the most recent observables from search queries you have saved.
• Recent MyAttacks Events: Replays observables that triggered alerts on integrated destinations such as ArcSight ESM or Splunk.
Toggle the Display Mode. In addition to viewing Recent Intelligence, you can
view data on MyEvents Map based on saved searches created by your
organization. Saved searches appear in the order they were saved.
Hover over the globe to stop rotation. You can zoom in on the globe by hovering
over and scrolling. Country names are displayed when you zoom in.
Types of threats displayed on the map. You can disable a Threat Type and
remove all related observables from the map by clicking it.
List of countries ordered by the number of observables on the map relating to
each.
Playback controls. Rewinding the map removes observables and Fast
Forwarding adds them back. Pausing the map prevents new observables from
being added.
Feed of observables as they are added to the map. The length of each bar
represents the Confidence score of the observable. You can hover over
observables to view Confidence scores.
Toggle Full Screen view.
Viewing Weekly Summaries for Your
Organization
The Weekly Summary page contains reports regarding organization data and
ThreatStream Integrator status. You can use these reports to gauge data quality,
the importing activity of your organization users, the effectiveness of your
intelligence feeds, and more.
If data is not available for a particular chart, the chart is not shown. Reports are read
only and cannot be exported. Data is refreshed every Sunday at midnight.
Organization Intelligence Summaries
• Data Quality: View the total number of observables from the last seven days by status. The ratio of False Positive to Active threats is a primary gauge of data quality.
• Threats by Severity: View the severity of data collected over the last seven days.
• Top Importing Users: View the users in your organization who have imported the most threat intelligence data over the last seven days.
• Threat Volume: View which type of data provided the largest number of threats—data shared with Anomali Community, data from your trusted circles, or data restricted to your organization. Streams purchased in the Anomali APP Store are classified as private streams.
• Top Threat Streams: View which feeds have provided the most intelligence for your organization over the last seven days.
ThreatStream Integrator Summaries
• ThreatStream Integrator Status: View recent connections from your ThreatStream Integrator integrations.
Column Definition
ID: Unique ID assigned to the integration within ThreatStream.
Update Time: Time of the most recent data pull for the integration.
Status:
  • Up: Integration is pulling data on a scheduled interval.
  • Down: Integration has missed pulling data for two scheduled intervals.
  • Manual: Integration is not pulling on a schedule.
User: Credentials of the user that set up the ThreatStream Integrator connection.
Version: Integration version.
• Stream Quality: View the number of observables provided by each stream your organization subscribes to.
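An added example, not from this guide or from ThreatStream Integrator, that derives the Status column's Up, Down, or Manual value for each integration from its last update time and configured pull interval, and lists the Down ones, since a Down integration means indicators have stopped reaching that destination. The record fields (scheduled, interval, update_time) are assumptions for the illustration, and "missed pulling data for two scheduled intervals" is read here as two or more whole intervals having elapsed since the last pull.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample integration records (not real Integrator status output).
# Field names are assumptions: "scheduled" is False for manual pulls, and
# "interval" is the configured pull interval for scheduled ones.
NOW = datetime(2021, 8, 27, 12, 0, tzinfo=timezone.utc)
SAMPLE_INTEGRATIONS = [
    {"id": 101, "user": "siem-svc", "scheduled": True, "interval": timedelta(hours=1),
     "update_time": NOW - timedelta(minutes=30)},            # pulled within the interval
    {"id": 102, "user": "siem-svc", "scheduled": True, "interval": timedelta(hours=1),
     "update_time": NOW - timedelta(hours=1, minutes=30)},   # one interval missed
    {"id": 103, "user": "soar-svc", "scheduled": True, "interval": timedelta(hours=1),
     "update_time": NOW - timedelta(hours=2)},               # two intervals missed
    {"id": 104, "user": "analyst1", "scheduled": False, "interval": None,
     "update_time": NOW - timedelta(days=3)},                # manual pulls only
]


def missed_intervals(record, now=NOW):
    """Whole scheduled intervals elapsed since the last successful pull."""
    return (now - record["update_time"]) // record["interval"]


def integration_status(record, now=NOW):
    """Map a record to the Status column: Manual, Up, or Down.

    Assumption: "missed pulling data for two scheduled intervals" is read as
    two or more whole intervals having elapsed since the last pull.
    """
    if not record["scheduled"]:
        return "Manual"
    return "Down" if missed_intervals(record, now) >= 2 else "Up"


def down_integrations(records, now=NOW):
    """Integrations whose destination is no longer receiving indicators."""
    return [r for r in records if integration_status(r, now) == "Down"]


if __name__ == "__main__":
    for r in SAMPLE_INTEGRATIONS:
        print(f"ID={r['id']} user={r['user']:9} status={integration_status(r)}")
    print("needs attention:", [r["id"] for r in down_integrations(SAMPLE_INTEGRATIONS)])
```

The Down list is the one worth wiring to an alert: the weekly summary refreshes only on Sundays, so an integration that went Down on a Monday would otherwise sit unnoticed for most of a week.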
Generating User Activity Reports
The User Activity dashboard enables you to generate ad-hoc reports on up to one
year of user activity. While any user in ThreatStream can generate user activity
reports, only Org Admins can generate reports on the activity of all users in their
organizations. Non-admin users can only generate reports on their own activity.
User reports include statistics on investigations, threat model entities, sandbox
detonations, imports, and false positives.
Add Dashboard Widget: By default, all widgets are displayed on the User
Activity dashboard. However, if you remove widgets from the dashboard you can
click Add Dashboard Widget to re-add them.
Widget Settings: View and edit parameters that set how the widget displays
data.
Delete Widget: Remove the widget from your dashboard.
Move Widget: Change the location of the widget on your dashboard. Click and
drag the widget to the desired location.
Data Bucket Size: Depending on the time range you select for your report, daily,
weekly, or monthly data is displayed. If the selected date range is less than or equal
to 14 days, daily data is displayed; if the selected date range is between 15 and 150
days, weekly data is displayed; if the selected date range is between 151 and 365
days, monthly data is displayed.
Report Date Range: Date range for the generated report.
Report Timestamp: Date and time when the report was generated. UTC time is
always displayed.
Date Range: Select a date range for the report.
User: Select the user or workgroup for whose activity the report will be
generated. Org Admins can select a single user, workgroup, or choose to generate
a report on All users in their organizations. Non-admin users can only generate
reports on their own activity.
Actions:
- Generate Data: Click Generate Data to generate a report based on the selected parameters.
- Export to PDF: Export the current report in PDF format.
- Reset Layout: Restore the dashboard layout to its default setting. Any widgets you have removed are added back to the dashboard.
To generate a user report:
1. In the top navigation menu, click Dashboard and then User Activity.
2. Select a date range from the dropdown.
3. Select the user whose activity you want to view.
4. In the Actions menu, click Generate Data.
Data will populate the User Activity dashboard. The data is available to view until
you generate a new report.
Note: Only data buckets that contain data are displayed in the report.
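The bucket rules above (daily up to 14 days, weekly from 15 to 150 days, monthly from 151 to 365 days), UTC reporting, and the omission of empty buckets, worked through as an added Python example. This is not ThreatStream product code: the event records, the activity type names and the function names are constructed here for illustration.

```python
"""Bucket user-activity events the way the User Activity report describes.

Added example, not ThreatStream product code. It models the documented rules
(ranges up to 14 days are bucketed daily, 15 to 150 days weekly, 151 to 365
days monthly), normalises timestamps to UTC, and omits buckets with no data.
Event records, constants and function names are constructed for illustration.
"""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

MAX_RANGE_DAYS = 365  # reports cover at most one year of activity


def bucket_size_for_span(days: int) -> str:
    """Map an inclusive span in days to the bucket granularity."""
    if days < 1 or days > MAX_RANGE_DAYS:
        raise ValueError("report range must be between 1 and 365 days")
    if days <= 14:
        return "day"
    if days <= 150:
        return "week"
    return "month"


def bucket_size(start: date, end: date) -> str:
    """Granularity for an inclusive start..end date range."""
    return bucket_size_for_span((end - start).days + 1)


def bucket_key(ts: datetime, size: str) -> str:
    """Label of the bucket containing ts (converted to UTC first)."""
    utc = ts.astimezone(timezone.utc)
    if size == "day":
        return utc.strftime("%Y-%m-%d")
    if size == "week":
        iso_year, iso_week, _ = utc.isocalendar()
        return f"{iso_year}-W{iso_week:02d}"
    return utc.strftime("%Y-%m")


def build_report(events, start: date, end: date) -> dict:
    """Count events per (activity type, bucket); empty buckets never appear."""
    size = bucket_size(start, end)
    lo = datetime.combine(start, datetime.min.time(), tzinfo=timezone.utc)
    hi = datetime.combine(end + timedelta(days=1), datetime.min.time(), tzinfo=timezone.utc)
    counts = Counter()
    for kind, ts in events:
        ts_utc = ts.astimezone(timezone.utc)
        if lo <= ts_utc < hi:  # half-open bound keeps the whole of `end`
            counts[(kind, bucket_key(ts_utc, size))] += 1
    report = {}
    for (kind, key), n in sorted(counts.items()):
        report.setdefault(kind, {})[key] = n
    return {"bucket": size, "data": report}


REPORT_START, REPORT_END = date(2021, 8, 1), date(2021, 8, 31)

# Constructed sample: (activity type, timestamp). The last two fall outside the
# range once converted to UTC, so they must not be counted.
SAMPLE_EVENTS = [
    ("import", datetime(2021, 8, 2, 9, 0, tzinfo=timezone.utc)),
    ("import", datetime(2021, 8, 2, 17, 30, tzinfo=timezone.utc)),
    ("false_positive", datetime(2021, 8, 10, 23, 59, tzinfo=timezone.utc)),
    ("sandbox", datetime(2021, 8, 25, 3, 15, tzinfo=timezone.utc)),
    ("sandbox", datetime(2021, 8, 31, 22, 0, tzinfo=timezone(timedelta(hours=-5)))),  # 1 Sep 03:00 UTC
    ("import", datetime(2021, 9, 30, 12, 0, tzinfo=timezone.utc)),
]


def sample_report() -> dict:
    """A 31-day range, so the report is bucketed by ISO week."""
    return build_report(SAMPLE_EVENTS, REPORT_START, REPORT_END)


if __name__ == "__main__":
    print(sample_report())
```

The local-time event on 31 August is the case worth noticing: because the report works in UTC it lands on 1 September and is dropped, which is why a report generated near a day boundary can look one event short compared with a local-time view.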
Generating User Activity Reports By Workgroup
Org Admins can generate workgroup based user activity reports from the User
Activity dashboard.
To generate user activity reports by workgroup:
1. In the top navigation menu, click Dashboard and then User Activity.
2. Select a date range from the dropdown.
3. Under User, select the workgroup for which you want to generate the report.
4. In the Actions menu, click Generate Data.
Data will populate the User Activity dashboard. The data is available to view until
you generate a new report.
Note: Only data buckets that contain data are displayed in the report.
Available User Activity Widgets
The following table contains an alphabetical list of all available widgets. Once you
add a widget, it is no longer available in the Add New Dashboard Widget dropdown
list. Therefore, your dropdown list will only contain widgets that are not yet added to
your dashboard. All widgets are displayed on the dashboard by default.
False Positives: Displays the number of false positives reported by the user. Observables are displayed based on the time they were reported as false positive.
Investigations: Displays investigation workflow status updates made by the user by status (Unassigned, In Progress, Pending, Completed, and Created). You can click the settings wheel to configure how information is displayed on the widget. You can configure the following widget parameters:
- Included Categories: The investigation statuses displayed on the widget. Available statuses are Unassigned, In Progress, Pending, and Completed. You can also select Created to include the number of investigations created by the user or workgroup.
- Presentation: Specify how you want the widget to display data. You can select Table, Bar Chart, Stacked Line Chart, or Donut Chart.
- Display Legend: Toggle whether the chart key is displayed on the widget.
New Import Jobs: Displays the number of import jobs that were approved, rejected, or submitted by the user. Import jobs with errors are also displayed.
Note: Counts do not include re-imported instances of existing observables.
New Observables: Displays the number of observables imported by the user. Observables can be filtered by indicator type.
New Threat Models: Displays the number of threat model entities created and published by the user. Entities can be filtered by entity type and publication status.
Sandbox Reports: Displays the number of malware samples detonated by the user. Submissions can be filtered by detonation finding: Benign or Malicious.
Exporting User Reports
User reports can be exported in PDF format. When you export a report, all widget
parameters configured in Widget Settings are honored. However, exports do not
honor data filtering selections you make using widget keys.
To export a user report:
1. Generate the user report that you want to export.
2. In the Actions menu, click Export to PDF. Your download will begin
automatically.
Note: PDF exports always include the report that is displayed on the
dashboard, regardless of any unexecuted date range or user selections.
Viewing the Intelligence Initiatives Dashboard
The Intelligence Initiatives dashboard gives you a high level view of open
intelligence initiatives created by your organization.
Note: Read Only users cannot view the Intelligence Initiatives dashboard.
Widgets: The following widgets are available:
Sources: Threat Intelligence feeds currently associated with open intelligence initiatives. Feeds are color coded and grouped by initiative type. You can click an initiative to expand the view of associated feeds.
Collections: Pie chart displaying threat intelligence feeds (Collections) associated with open intelligence initiatives by percentage.
Investigations: Pie chart displaying investigations associated with open intelligence initiatives by percentage.
Threat Models: Pie chart displaying Threat Model entities associated with open intelligence initiatives by percentage.
Investigation Contributors: Bar chart displaying a count of investigation assignees associated with open intelligence initiatives.
Refresh: Manually refresh the dashboard. The dashboard automatically
refreshes every 30 minutes.
Export PDF: Click Export PDF to download a point in time snapshot of the
dashboard widgets. Your download begins immediately. If you use a popup blocker,
you will see the following message:
Downloading the exported PDF was blocked by your pop-up blocker. Please click
HERE to download the PDF instead.
Click Here to download your PDF.
Creating Custom Dashboards
ThreatStream enables you to surface Threat Intelligence data of interest and
customize your landing page experience through the creation of custom
dashboards. Each dashboard can contain up to 10 customizable widgets. Widgets
display Threat Intelligence data on chart types of your choosing based on saved
observable or Threat Model search filters. You can drill into data sets on the
observables or Threat Model search screen by clicking any of the data
visualizations, such as a section of a pie chart, a line on a sparkline chart, a number
chart, and so on.
Individual ThreatStream users can add up to 10 custom dashboards to their home
screen on ThreatStream. There is no limit on the total number of dashboards across
all users in an organization.
When you create a custom dashboard, you choose whether the dashboard is visible
only to you or made available to all users in your organization.
Read Only users cannot create or clone custom dashboards. However, Read Only
users can add shared custom dashboards created by fellow organization users and
themed dashboards created by the Anomali Threat Research team to their home
screens on ThreatStream. See "Adding Organization Shared Custom Dashboards"
on page 46 or "Sunburst Backdoor Rapid Response Dashboard" on page 48 for
more information.
Note: If you want to refresh a custom dashboard, use the Refresh link next to
the Actions menu. Using the refresh function on your browser can lead to
unexpected results.
To create a custom dashboard:
1. Click Dashboard in the top navigation menu.
2. Click + Add Dashboard.
3. On the New tab of the Create A New Dashboard window, enter a Dashboard
Name.
Note: Dashboard Names can be no more than 255 characters.
4. Specify a Visibility setting for the dashboard. Dashboards can be visible only to
you (Private) or shared with other users in your organization (My Organization).
Dashboards cannot be shared with the Anomali Community, Trusted Circles, or
specific workgroups in your organization.
5. (Optional) Select Set as Default Dashboard if you want the new dashboard to
launch automatically each time you navigate to the Dashboard screen. Default
dashboards refresh automatically every 30 minutes.
6. Click Save. You are directed to the new dashboard. New dashboards are blank.
You can start displaying desired Threat Intelligence data on your new
dashboard through creating new widgets or selecting from a set of default
widgets.
To add widgets to your custom dashboard:
1. On your custom dashboard, click + Add a widget.
Note: You can only add widgets to custom dashboards which you created.
Each dashboard can contain up to 10 widgets.
2. If you want to add any of the default widgets to your dashboard, select the
widgets of interest on the Standard tab.
Note: Anomali Lens+ users have access to additional custom dashboard
widgets that surface information from Anomali Lens on trending threat
intelligence. See "Adding Anomali Lens Trending Widgets to Custom
Dashboards" on page 51 for more information.
If you want to create a new widget, navigate to the Custom tab and specify the
following parameters:
Widget Name: Name of the new widget. Names can be no more than 255 characters.
Select Data Set: If you want the new widget to display observable data, navigate to the Observable tab. If you want the new widget to display Threat Model data, navigate to the Threat Model tab.
Note: Once you create the widget, the widget cannot be edited to switch between Observable or Threat Model data.
You can use the search function to search for saved search filters by name. Click Show Filter to filter the search results by last modified date.
When you select a saved search, the filter is displayed below the search results for reference. Anomali recommends using filters that do not include time-based conditions such as created_ts or modified_ts. Instead, use the Select Date Range and Select Date Field options to set time-based conditions for your widget.
For information on creating saved observable searches, see "Saving Observable Search Filters" on page 275. For information on creating saved Threat Model searches, see "Saving Threat Model Search Filters" on page 381.
Tip: For best results, ensure your saved search filter adheres to these "Best Practices for Saved Search Filters" on page 276.
Select Date Range: Select from the following date ranges: Last 24 hours, Last 7 days, Last 30 days, Last 60 days, or Last 90 days. The selected date range is applied to the data set after the search filter. For example, if the selected search filter returns observables created in the last year and you select Last 7 days, only results from the last 7 days are displayed on the widget.
Note: Since all widgets contain two date constraints, the date range specified by the saved search and the date range selected for the widget, unexpected results can occur when the constraints are not aligned. For example, if a widget uses a saved search which queries data from January 2020 to June 2020 and you select a widget date range outside these constraints (such as Last 24 Hours), the widget will not display any data because the constraints are out of alignment.
Select Date Field: Specify whether the selected date range is based on the Created or Modified date of the data displayed on the widget.
Display Type: Select one of the following display types for the widget:
- Pie Chart: Displays results as percentages based on a specified parameter. For observables, you can select one of the following Chart Fields for the Pie Chart: iType, Type, Status, Confidence, TLP, Severity, Country, or Stream. For Threat Model entities, you can select one of the following: Stream/Source, Type, Publication Status, or TLP.
- Bar Chart: Displays results as counts based on a specified parameter. For observables, you can select one of the following Chart Fields for the Bar Chart: iType, Type, Status, Confidence, TLP, Severity, Country, or Stream. For Threat Model entities, you can select one of the following: Stream/Source, Type, Publication Status, or TLP.
- Table: Displays results returned for the search filter and specified date range in a table. For observables, you can select any of the following Table Columns: Date First, Last Modified, Source Created, Source Modified, Expiration Date, iType, Type, Indicator, Status, Confidence, TLP, Import Source, Created By, Severity, Country, Stream, and Tags. For Threat Model entities, you can select one of the following: Type, Name, Publication Status, TLP, Stream/Source, Visibility, Assignee, Owner, Modified, Created, Date Published, Source Created, Source Modified, CVSS 2.0, or CVSS 3.0. Tables include See more Observables or See more Threat Models links, through which you can drill into the entire data set on the search screen.
- Sparkline Chart: Displays variation of a selected parameter over time. For observables, you can select one of the following Chart Fields for the Sparkline Chart: iType, Type, Status, Confidence, TLP, Severity, Country, or Stream. For Threat Model entities, you can select one of the following: Stream/Source, Type, Publication Status, or TLP.
- Trend Chart: Displays the trend of a selected parameter over time in a stacked line chart. For observables, you can select one of the following Chart Fields for the Trend Chart: iType, Type, Status, Confidence, TLP, Severity, Country, or Stream. For Threat Model entities, you can select one of the following: Stream/Source, Type, Publication Status, or TLP.
- Number Chart: Displays a count of results in the dataset.
Use the Background Color menu to select a color for the widget.
3. Click Save. The widget is added to the dashboard.
The following is an example of a widget on a custom dashboard. The controls on each widget let you:
- Edit the parameters of the widget. You can edit the widget name, saved search, date range, display type, and chart field. Click Change under Current Saved Search to select a different saved search.
Note: Once you create the widget, the widget cannot be edited to switch between Observable or Threat Model data.
- Remove the widget from your dashboard.
- Change the location of the widget on your dashboard. Click and drag the widget to the desired location.
- Resize the widget.
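The two-stage filtering behind a custom widget, and the misalignment case from the Select Date Range note, as an added Python example. This is not ThreatStream code: the observable records, the dictionary form of a saved search filter, the fixed "now" and the function names are constructed for illustration.

```python
"""How a custom dashboard widget narrows its data set: the saved search filter
is applied first, then the widget's own date range on the selected date field.

Added example, not ThreatStream code. The observable records, the saved search
representation, the fixed NOW and all function names are constructed to show
why a saved search that pins created_ts to a past window leaves a widget empty.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 8, 27, 12, 0, tzinfo=timezone.utc)  # fixed for a repeatable run

# Widget date ranges offered by the UI, expressed in hours
WIDGET_RANGES = {
    "Last 24 hours": 24,
    "Last 7 days": 7 * 24,
    "Last 30 days": 30 * 24,
    "Last 60 days": 60 * 24,
    "Last 90 days": 90 * 24,
}

# Constructed observables; created_ts and modified_ts are UTC
OBSERVABLES = [
    {"value": "198.51.100.7", "itype": "mal_ip", "confidence": 90,
     "created_ts": NOW - timedelta(days=2), "modified_ts": NOW - timedelta(hours=3)},
    {"value": "evil.example", "itype": "mal_domain", "confidence": 80,
     "created_ts": datetime(2020, 3, 15, tzinfo=timezone.utc),
     "modified_ts": NOW - timedelta(days=1)},
    {"value": "203.0.113.9", "itype": "mal_ip", "confidence": 40,
     "created_ts": datetime(2020, 5, 1, tzinfo=timezone.utc),
     "modified_ts": datetime(2020, 6, 2, tzinfo=timezone.utc)},
]


def apply_saved_search(records, saved_search):
    """Saved search filter: field == value terms plus an optional created_ts window."""
    out = []
    for r in records:
        if any(r.get(k) != v for k, v in saved_search.get("terms", {}).items()):
            continue
        window = saved_search.get("created_ts")
        if window and not (window[0] <= r["created_ts"] <= window[1]):
            continue
        out.append(r)
    return out


def apply_widget_range(records, range_name, date_field="created_ts", now=NOW):
    """Widget constraint, applied after the saved search, on Created or Modified."""
    cutoff = now - timedelta(hours=WIDGET_RANGES[range_name])
    return [r for r in records if cutoff <= r[date_field] <= now]


def widget_rows(records, saved_search, range_name, date_field="created_ts", now=NOW):
    """What the widget ends up plotting: intersection of both constraints."""
    return apply_widget_range(apply_saved_search(records, saved_search),
                              range_name, date_field, now)


# Misaligned: the saved search pins created_ts to H1 2020, the widget asks for recent data
PINNED_2020 = {"terms": {"itype": "mal_ip"},
               "created_ts": (datetime(2020, 1, 1, tzinfo=timezone.utc),
                              datetime(2020, 6, 30, tzinfo=timezone.utc))}
# Recommended: no time-based condition in the saved search; let the widget set it
UNPINNED = {"terms": {"itype": "mal_ip"}}

if __name__ == "__main__":
    print(len(widget_rows(OBSERVABLES, PINNED_2020, "Last 24 hours")))
    print(len(widget_rows(OBSERVABLES, UNPINNED, "Last 7 days")))
    print(len(widget_rows(OBSERVABLES, UNPINNED, "Last 90 days", "modified_ts")))
```

PINNED_2020 matches one observable on its own, but every widget range is measured back from now, so the intersection is empty whichever range you pick; UNPINNED leaves the time constraint entirely to the widget, which is what the guide recommends.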
Adding Organization Shared Custom Dashboards
In addition to creating your own custom dashboards, you can add shared
dashboards created by other members of your organization to your home screen.
For non-creators, shared dashboards are read only.
Tip: You can clone shared dashboards to create an editable version. See
"Cloning Shared Dashboards" on the next page for more information.
To add a shared custom dashboard to your home screen:
1. Click Dashboard in the top navigation menu.
2. Click + Add Dashboard.
3. On the Add Existing tab of the Create A New Dashboard window, select the
shared dashboard you want to add to your home screen.
4. (Optional) Select Set as Default Dashboard if you want the new dashboard to
launch automatically each time you navigate to the Dashboard screen. Default
dashboards refresh automatically every 30 minutes.
5. Click Add. The shared dashboard is added to your home screen.
Cloning Shared Dashboards
You can clone shared dashboards for the purposes of creating customizable
versions.
Note: Read Only users cannot clone dashboards.
To clone a shared dashboard:
1. Click Dashboard in the top navigation menu.
2. Navigate to the shared dashboard you want to clone.
3. Click Clone Dashboard in the Actions menu.
4. Enter a Dashboard Name.
5. Specify a Visibility setting for the cloned dashboard. Dashboards can be visible
only to you (Private) or shared with other users in your organization (My
Organization).
6. (Optional) Select Set as Default Dashboard if you want the new dashboard to
launch automatically each time you navigate to the Dashboard screen. Default
dashboards refresh automatically every 30 minutes.
7. Click Save. You are directed to the cloned dashboard.
Utilizing Themed Custom Dashboards from the Anomali Threat
Research Team
The Anomali Threat Research (ATR) team creates and maintains custom
dashboards to alert you to new and relevant threat intelligence. You can add these
dashboards to your home screen. Current dashboards made by the ATR team
include:
l Vulnerabilities & Exploits
l Global Activity
l Covid-19 Indicators
l Sunburst Backdoor
More custom dashboards from ATR are forthcoming. Stay tuned!
Sunburst Backdoor Rapid Response Dashboard
The Anomali Threat Research team has developed a rapid response dashboard to
surface the latest observables related to the Sunburst Backdoor supply chain
attacks.
Use the instructions below to add this dashboard to your home screen on
ThreatStream. Look for the Sunburst Backdoor dashboard on the Add Existing
tab.
Adding Themed Custom Dashboards to Your Home Screen
The process of adding ATR dashboards to your home screen is identical to that of
custom dashboards made by members of your organization.
You can add up to five custom dashboards to your home screen. ATR dashboards
count toward this limit.
To add ATR dashboards to your home screen:
1. Click Dashboard in the top navigation menu.
2. Click + Add Dashboard.
3. On the Add Existing tab of the Create A New Dashboard window, select the
dashboard you want to add to your home screen. ATR dashboards display
Anomali Threat Research and an Anomali logo in the Created By column.
4. (Optional) Select Set as Default Dashboard if you want the dashboard to
launch automatically each time you navigate to the Dashboard screen. Default
dashboards refresh automatically every 30 minutes.
5. Click Add.
The shared dashboard is added to your home screen.
Cloning Themed Custom Dashboards
You can clone themed custom dashboards from the ATR team for the purposes of
creating customizable versions.
Note: Read Only and Sharing Organization users cannot clone dashboards.
To clone a shared dashboard:
1. Click Dashboard in the top navigation menu.
2. Navigate to the themed custom dashboard you want to clone.
Note: To clone a themed custom dashboard, it must first be added to your
home screen. Additionally, the Clone Dashboard action is unavailable when
you have the maximum five custom dashboards added to your home
screen.
3. Click Clone Dashboard in the Actions menu.
4. Enter a Dashboard Name.
5. Specify a Visibility setting for the cloned dashboard. Dashboards can be visible
only to you (Private) or shared with other users in your organization (My
Organization).
6. (Optional) Select Set as Default Dashboard if you want the new dashboard to
launch automatically each time you navigate to the Dashboard screen. Default
dashboards refresh automatically every 30 minutes.
7. Click Save.
You are directed to the cloned dashboard. Edit Dashboard and Add Widget are
now available actions in the Actions menu.
Note: Saved search filters used by the ATR team on themed custom dashboard
widgets are not cloned when you clone the dashboard. When you edit widgets
on a cloned copy of a themed custom dashboard, you can click Save Query as
Search Filter to create an editable version of the saved search.
After saving the search filter, you can edit it using the instructions in "Managing
Saved Search Filters" on page 276.
Adding Anomali Lens Trending Widgets to Custom Dashboards
Anomali Lens+ users have access to custom dashboard widgets that surface
information from Anomali Lens on trending threat intelligence. The widgets display
trend data for actors, malware, and vulnerabilities. Lens determines that entities are
trending based on the number of times they have appeared in recent security news
feeds and blogs. Widgets are available that display data from the last 30, 60, and 90
days.
Each widget displays the top 10 trending entities based on its parameters. Widgets
include entity names, the number of mentions for the specified time period, and a
sparkline chart of the mentions over time. You can hover over the sparkline chart to
view mentions per day. The following is an example of an Anomali Lens Trending
widget:
Note: Anomali Lens Trending widgets are available to Anomali Lens+ users
only. Interested in purchasing Lens+? Contact sales@anomali.com for more
information.
To add an Anomali Lens Trending widget to your custom dashboard:
1. On your custom dashboard, click + Add a widget.
Note: You can only add widgets to custom dashboards which you created.
Each dashboard can contain up to 10 widgets.
2. Navigate to Standard > Trends on the Add a Dashboard Widget window.
3. Select the widgets of interest.
4. Click Save.
The Anomali Lens Trending widgets have been added to your custom dashboard.
Editing Custom Dashboards
You can edit dashboard parameters, including the dashboard name, visibility
setting, and whether the dashboard is your default dashboard. Dashboards can only
be edited by their creators.
To edit your custom dashboard:
1. Click Dashboard in the top navigation menu.
2. Navigate to the dashboard you want to edit.
3. Click Edit Dashboard in the Actions menu.
4. Make desired changes.
5. Click Save.
Exporting Custom Dashboards
Custom dashboards can be exported in PDF format. Exported PDFs display
dashboard names and snapshots of the widgets included in the dashboard from the
time of export. You can export any custom dashboard to which you have access,
including dashboards you have created, shared custom dashboards created by
organization members, and themed custom dashboards created by the Anomali
Threat Research team.
Additionally, you can export individual dashboard widgets in PNG format.
Note: PNG export is not supported on Internet Explorer.
To export custom dashboards in PDF format:
1. Click Dashboard in the top navigation menu.
2. Navigate to the dashboard you want to export.
3. Click Export to PDF.
Your download begins automatically.
If your browser is configured to use a pop-up blocker, you will see the following
message:
Click Here to download the PDF.
Note: Widgets may be resized for optimal PDF viewing. Table widgets that
contain more than four columns are given a dedicated row in the PDF.
To export custom dashboard widgets in PNG format:
1. Click Dashboard in the top navigation menu.
2. Navigate to the dashboard containing the widget of interest.
3. Locate the widget and click the Export icon.
Your download begins automatically.
Deleting Custom Dashboards
Dashboards can be deleted by their creators. When you delete shared dashboards
which you created, dashboards are removed from ThreatStream and the home
screens of all organization users who added them.
You can also use the delete function as a non-creator to remove shared dashboards
from your home screen. When you delete a shared dashboard as a non-creator, the
dashboard is not deleted from ThreatStream.
To delete a custom dashboard:
1. Click Dashboard in the top navigation menu.
2. Navigate to the dashboard you want to delete.
3. Click Delete Dashboard in the Actions menu.
4. Click Yes to confirm.
The dashboard is deleted.
Anomali Downloads
The Downloads page contains downloadable software and help documentation
regarding ThreatStream Integrator, Integrations, Anomali Match (Lens+ Edition),
ThreatStream OnPrem, the Anomali Lens browser extension, and API information.
ThreatStream users with free accounts may not have access to all downloads.
To access the Downloads page, visit https://ui.threatstream.com/downloads
Anomali Match Lens+ Edition
Anomali Match Lens+ Edition is a free Anomali Match deployment, available to
Anomali Lens+ users at no extra cost. With Anomali Match Lens+ Edition, users
who do not own Match but have purchased Anomali Lens+ can see event matches
on the Anomali Match Lens+ Edition console as well as the Anomali Lens+ plugin.
Refer to the User Guide hosted next to the product download link on the Downloads
page for more information.
Chapter 3: First Steps in ThreatStream
This chapter covers the following topics:
First Steps for All Users 57
First Steps for Administrators 59
Use the topics below as a sample map for acquainting yourself with some of the
central tasks in ThreatStream and performing vital administrative tasks.
First Steps for All Users
The following tasks are recommended for all users new to ThreatStream.
Familiarize yourself with search
Conduct a basic observable search
ThreatStream provides your organization with a multitude of threat intelligence data.
Familiarizing yourself with the basic and advanced search functions on
ThreatStream is an important first step in making all of that data work for you.
Basic search on ThreatStream is a full text search. Basic search is recommended
when searching for a keyword in any of the available fields. You can perform a basic
search from the search bar in the top navigation bar or the Observables page.
Start out by performing a basic search for your domain or organization name.
To read more about conducting basic searches, see "Performing Basic Observable
Searches" on page 258.
Conduct an advanced observable search
Advanced search enables you to add additional metadata to your query and restrict
the search to specific fields. Use Advanced search when searching for a specific
value in a specific field.
A great way to familiarize yourself with performing advanced searches in
ThreatStream is to conduct a structured search. This involves selecting filters from
basic search and then switching to advanced search. The filters you selected will
automatically populate the search bar as an advanced search query.
To read more about conducting advanced searches, see "Performing Advanced
Observable Searches" on page 260.
Save an advanced search
You can save frequently used advanced search queries as filters. Saving filters
enables you to perform common queries with the click of a button. Saved filters can
be accessed from the Search filter menu on the advanced search bar.
To read more about saving advanced search queries, see "Saving Observable
Search Filters" on page 275.
To read more about how search works in ThreatStream, see "Searching Intelligence
in ThreatStream " on page 222.
Acquaint yourself with the ThreatStream Dashboards and Weekly Summary
reports
The Overview Dashboard gives you an overview of the observables relevant to
your organization in real time, displays any alerts that require your immediate action,
and enables you to drill down on summaries for deeper analysis. To learn more
about the ThreatStream Dashboard, read "A Tour of the ThreatStream Overview
Dashboard " on page 17.
The Weekly Summary page contains weekly summaries regarding organization
data and ThreatStream Integrator status. Reports are a great way to gauge data
fidelity, the importing activities of organization users, the effectiveness of various
data feeds, and more. To read more about the information provided by the Weekly
Summary page, read "Viewing Weekly Summaries for Your Organization" on
page 27.
Experiment with Explore
Explore enables you to visualize relationships between observables that would be
difficult to comprehend otherwise. You can pivot on observables without having to
manually cross reference dozens of observable details pages.
To learn more about how to use Explore, read "Analyzing Adversary Infrastructure
with Explore" on page 630.
Try out Sandbox
Sandboxes provide a secluded environment to run Malware and review the results
without compromising your primary systems. On ThreatStream, you can upload
potentially compromised files or link to suspicious URLs.
To learn more about sandbox, read "Analyzing Malware with the ThreatStream
Sandbox" on page 607.
Read Threat Bulletins
Threat Bulletins are analyst-written articles that provide information about
an event. They consist of threat event summaries, tags associated with events (an
alias by which the event may also be known), details of the event, any observables
associated with the event, and more. As part of the Anomali Threat Model, there are
many Threat Bulletins available for you to read from across the threat intelligence
landscape. For more on accessing Threat Bulletins, see "Threat Model List View" on
page 366.
Subscribe to email notifications
Email subscriptions control which notifications you receive from ThreatStream and
keep you up to date on the latest threat intelligence impacting your organization,
including configured rules (formerly known as keyword alerts). For more on
managing your email subscriptions, read Managing Your Email Subscriptions.
Explore the ThreatStream Downloads page
The Downloads page on ThreatStream is full of helpful resources including the
ThreatStream Integrator installation guide, release notes, clients, integration
information, browser extensions, the API reference guide, and more. To access the
Downloads page, click Downloads within the help menu in the ThreatStream top
navigation bar.
Read ThreatStream online help
Anomali provides comprehensive technical documentation for ThreatStream. The
ThreatStream online help center is context sensitive, so whenever you click Help in
the top navigation bar you are shown the help article relevant to the current page
you are on in ThreatStream.
Participate in the Anomali Community
ThreatStream enables you to create your own unique user profile. After doing so,
you can interact with the wider Anomali community including users outside of your
organization. You can also Watch, Star, Like, and Share Threat Model entities and
Sandbox Reports for the purposes of tracking, rating, and sharing intelligence with
other users.
For more information, read "Participating in the Anomali Community" on page 672.
First Steps for Administrators
The following tasks are recommended for Org Admins setting up their organizations
on ThreatStream.
Add additional analysts and administrators
Do you need to add additional administrators? Will anyone else on your team of
analysts (non-admin users) use ThreatStream?
To learn more about adding users to your organization on ThreatStream, see
"Managing Organization Users" on page 97.
There are three user types: Org Admins, Non-admins, and Read Only users. To
read more about the privileges of each user type, see "ThreatStream User Roles" on
page 203.
Configure multi-factor authentication
ThreatStream enables the use of multi-factor authentication (MFA) with Google
Authenticator to provide your organization and data with an extra layer of security.
While not required, Anomali highly recommends the use of MFA on ThreatStream.
To read more about multi-factor authentication and how to set it up, read "Multi-
Factor Authentication" on page 93.
Set up organization exclude list
Setting up an exclude list for your organization can save you valuable time in the
future by preventing users within your organization from accidentally importing
your organization's own known-safe CIDRs, IP addresses, domain names, URLs, or
email addresses as observables.
To learn more about setting up an exclude list and to view recommended entries to
include, read "Updating Your Exclude List" on page 113.
Configure Rules
Rules are valuable tools in combating attacks and enable your organization to take
immediate action when specific keywords appear in observables, Sandbox reports,
or Threat Bulletins.
To learn more about configuring rules, see "Configuring Rules" on page 574.
Join Trusted Circles
Trusted circles are communities within ThreatStream in which you can participate,
share threat intelligence in real time, and get access to information others have
shared. To learn more about joining Trusted Circles on ThreatStream, read
"Collaborating with Trusted Circles" on page 647.
Chapter 4: Profile Settings
This chapter covers the following topics:
Profile Settings Operations 61
Managing Your Profile Settings 61
Receiving Notifications from ThreatStream 62
Receiving In App Notifications from ThreatStream 66
Managing Your ThreatStream Password 69
All ThreatStream users are responsible for managing their personal profile
information, including contact information, ThreatStream email subscriptions, and
passwords.
Profile Settings Operations
Manage Profile Settings
View and update your personal profile settings, including your email, name, and
phone number.
Manage Email Subscriptions
Control which notifications you receive from ThreatStream.
Manage Your ThreatStream Password
Change or reset your password used for ThreatStream login.
Managing Your Profile Settings
You can view and update your profile settings, including Email, Name, and Phone
number on the My Profile tab. Additionally, you can manage the email notifications
that you receive from ThreatStream.
You can also reference important information, including your Account Type and the
fields detailed below.
Shared Secret for MFA
    Static code used for setting up multi-factor authentication in the Google
    Authenticator application the first time you log in to ThreatStream using
    MFA. To view the scannable QR code that serves the same purpose, click
    Show QRCode. This field is only displayed if MFA is enabled for your
    organization.

API Key
    Key used for authentication when you access ThreatStream from outside the
    user interface, such as through API calls or ThreatStream Integrator.
    Click Reveal to show your API key.
    Note: API keys may be hidden depending on how your Org Admin has
    configured your ThreatStream account.

Last API Check-in Date
    Time of your most recent ThreatStream login.

Both the shared secret and the API key are credentials in their own right: anyone
who obtains the shared secret can generate valid MFA codes for your account, and
anyone who obtains the API key can act as you through the API. Handle them like
passwords and do not paste them into tickets, chat, or scripts checked into source
control.
To update your contact information:
1. In the top navigation bar, click the Settings icon and then My Profile.
2. Make the required changes to the Email, Name, or Phone fields.
3. Click Save Changes.
Receiving Notifications from ThreatStream
From the My Profile tab in ThreatStream Settings, ThreatStream enables you to
customize the email and in app notifications you receive. These notifications keep
you up-to-date on the latest threat intelligence impacting your organization.
Refer to the table below for specifics on available notifications.
Threat Models

Threat Model Creation
    Sends immediate email or in app notifications every time a Threat Model
    entity is created.
    Available to: all users.

Threat Model Update
    Sends immediate email or in app notifications every time a Threat Model
    entity is updated.
    Available to: all users.

Threat Model Daily Digest
    Sends daily email summaries of Threat Model entities created during the day.
    Available to: all users.

Trusted Circles

Trusted Circles
    Sends immediate email notifications when organizations join or leave your
    trusted circles.
    Available to: all users.

Rules

Rule Matches
    Sends immediate email notifications when keywords that your organization has
    configured in rules match new intelligence. See "Configuring Rules" on page
    574 for more information.
    Available to: all users.

Rule Matches Hourly Digest
    Sends an hourly email summary of all keywords configured in rules that have
    matched new intelligence in the last hour. See "Configuring Rules" on page
    574 for more information.
    Available to: all users.

Imports

Import Session Creation
    Sends immediate email notifications when intelligence is imported.
    Available to: users with Approve Intel privileges only.

Import Session Hourly Digest
    Sends hourly email summaries of all imported intelligence from the past hour.
    Available to: users with Approve Intel privileges only.

Investigations

When any investigation is created
    Sends immediate email or in app notifications when a new investigation is
    created in your organization.
    Available to: all users.

When any task is created
    Sends immediate email or in app notifications when investigation tasks are
    created.
    Available to: all users.

When an investigation is assigned to me or my workgroup
    Sends immediate email or in app notifications when an investigation is
    assigned to you or to a workgroup to which you belong.
    Available to: all users.

When a task is assigned to me or my workgroup
    Sends immediate email or in app notifications when an investigation task is
    assigned to you or to a workgroup to which you belong.
    Available to: all users.

When an investigation is updated by another user
    Sends immediate email or in app notifications when a user in your
    organization updates an investigation.
    Available to: all users.

When a task is updated by another user
    Sends immediate email or in app notifications when investigation tasks are
    updated by users in your organization.
    Available to: all users.
To manage your email notifications:
1. In the top navigation bar, click the Settings icon and then My Profile.
2. Scroll down to the Notifications section.
3. Locate the email notification to which you want to subscribe or unsubscribe.
4. To subscribe, select the notification interval corresponding to the notification
from the drop down menu.
To unsubscribe, select Unsubscribe from the drop down menu.
Updates are saved automatically.
To manage in app notifications:
1. In the top navigation bar, click the Settings icon and then My Profile.
2. Scroll down to the Notifications section.
3. Locate the in app notification to which you want to subscribe or unsubscribe.
4. To subscribe, move the slider to the right position. The slider turns green upon
subscription.
To unsubscribe, move the slider to the left position. The slider turns gray upon
unsubscribing.
Note: If a slider is not displayed in the In App column, in app notifications are
not available for the event.
Updates are saved automatically.
Note: The in app notifications listed on the My Profile screen represent only the
notifications you can customize. See "Receiving In App Notifications from
ThreatStream" on the next page for a complete list of in app notifications and
information on managing your subscriptions.
Receiving In App Notifications from ThreatStream
ThreatStream displays notifications in the Notification Center when certain events
occur.
Viewing Notifications on the Notifications List View
You can view a complete list of the notifications sent to you by ThreatStream on the
Notifications List View.
To access the Notifications List View, click the notification icon in the Notification
Center to view notifications from the last week, or click View All Notifications to
view all received notifications.
The list view shows, for each notification:
- The notification itself. Click the blue link to drill down on the entity
  referenced in the notification.
- The time the notification was received.
- The status of the notification: whether you have already read it or it is still
  pending review.
On the list view you can also filter notifications by Status, Types, and Date Range,
and toggle the number of notifications displayed per page.
Notification Types
The table below describes the types of in-app notifications on ThreatStream and
whether you are automatically subscribed or must opt-in to receive them.
Badges
    Displays notifications when you earn new badges commemorating your threat
    intelligence achievements. For more information on badges, see "Earning
    Badges" on page 675.
    Subscription: automatic.

Watched Intelligence
    Displays notifications when intelligence you have watched is updated. For
    more information on watching intelligence, see "Watching Intelligence" on
    page 676.
    Subscription: automatic.

Shared Intelligence
    Displays notifications when a user in your organization shares intelligence
    with you. For more information on sharing intelligence, see "Sharing
    Intelligence" on page 676.
    Subscription: automatic.

Threat Models
    ThreatStream enables you to receive in app notifications for the following
    scenarios:
    - Threat Model entity creation
    - Threat Model entity updates
    You can opt in to receive these in app notifications from the My Profile tab
    within ThreatStream settings. See "Receiving Notifications from
    ThreatStream" on page 62 for more information.
    Subscription: opt-in.

Investigations
    ThreatStream enables you to receive in app notifications for the following
    scenarios:
    - Investigation creation
    - Task creation
    - Investigation assigned to you or a workgroup to which you belong
    - Task assigned to you or a workgroup to which you belong
    - Investigation updated by another user
    - Task updated by another user
    You can opt in to receive these in app notifications from the My Profile tab
    within ThreatStream settings. See "Receiving Notifications from
    ThreatStream" on page 62 for more information.
    Subscription: opt-in.
Note: ThreatStream also sends notifications via email. See "Receiving
Notifications from ThreatStream" on page 62 for a complete list of available
notifications and information on managing your subscriptions.
Managing Your ThreatStream Password
You can change your ThreatStream account password on the My Profile tab within
ThreatStream settings.
To change your password:
1. In the top navigation bar, click the Settings icon and then My Profile.
2. Enter your Current Password.
3. Enter a New Password.
4. Retype your new password in the Retype New Password field.
5. Click Save Changes.
If you ever forget your password, you can reset it from the ThreatStream login page.
To reset your password:
1. On the login page, click Forgot Password?
2. Enter the email address associated with your ThreatStream account.
3. Check your inbox for an email titled "[ThreatStream] Password reset request."
4. Follow the link in the email.
5. Enter and re-enter your new password on the subsequent page.
6. Click Save Changes.
When your password change is saved, you are immediately logged out of
ThreatStream and can login using your new password.
Chapter 5: Organization Administration
This chapter covers the following topics:
Organization Administration Operations 70
Viewing and Editing Organization Settings 71
Authentication in ThreatStream 81
Mailboxes For Receiving Observables 81
Multi-Factor Authentication 93
Managing Organization Users 97
Customizing New User Emails 101
Enabling SSO with Active Directory and Active Directory Federated Services 102
Configuring Integration with AD and ADFS 103
Updating Your Exclude List 113
Integrating With Third-Party Services 117
Audit User Activity 192
Restricting Access to Intelligence with Workgroups 196
Adding Preferred Tags to Intelligence 200
Managing Organization Never Scan Lists for the Anomali Lens Plugin 202
ThreatStream User Roles 203
Users with Org Admin privileges in ThreatStream can configure vital organization
settings. If you have Org Admin status, you can add and edit organization users,
configure multi-factor authentication, update your organization exclude list, and set
alerts for your organization, among other tasks.
Organization Administration Operations
View and Edit Organization Settings
Update your organization name, configure PDF download settings, configure
organization-wide session timeout, set import defaults, and enable multi-factor
authentication.
Multi-Factor Authentication
Add an additional layer of security to protect your organization and its data on
ThreatStream.
Update Organization Exclude List
Prevents organization users from importing organization CIDRs, IP Addresses,
Domain Names, URLs, or Email Addresses by accident.
Viewing and Editing Organization Settings
As an administrator, you can view and edit basic settings for your organization in the
Organization tab.
The following fields can be edited:

Organization Name
    Name of your organization.

Upload a Custom Logo for Threat Model
    Add a custom logo for your organization. This image will be displayed on the
    banners of all threat model entities created by your organization.

Message of the Day
    Add a message that is displayed in a banner across the top of the screen to
    all organization users. ThreatStream provides an intuitive text editor to
    compose messages. Select Enable Message of the Day to display the message to
    organization users. Messages may include compliance information on issues
    such as customer data, as shown in the following example. After users dismiss
    the message, it will no longer be displayed unless updated by an org admin.
Maximum Number of Search Results for PDFs
    Maximum number of observables included in Snort, OpenIOC, and PDF exports
    from the Search page.
    Note: The maximum number of observables included in CSV exports is
    configurable per export job. For more on CSV exports, see "Exporting Search
    Results" on page 277.

Maximum Associations Per Entity Type in PDF Exports
    Places a limit on the number of associations per association type included in
    Threat Model entity PDF exports. If threat model entities contain import
    session associations, it also limits the number of observables included from
    each session.

Resync Integrators when joining a new Trusted Circle or Feed
    For ThreatStream Integrator users: When enabled, ThreatStream Integrator
    performs a full intelligence resynchronization at the time of your next
    scheduled synchronization each time you join a Trusted Circle or subscribe to
    a new threat intelligence feed. Doing so enables ThreatStream Integrator to
    provide historical data from the Trusted Circle or feed to your configured
    downstream integrations. This setting is enabled by default.
    When disabled, ThreatStream Integrator only receives threat intelligence from
    the point of subscription onward until you force a full resynchronization from
    ThreatStream Integrator.
    You can force a full resynchronization (known as a Full Refresh) from
    ThreatStream Integrator at any time, regardless of your configuration of this
    setting on ThreatStream. See the Anomali ThreatStream Integrator Installation
    & Administration Guide for information on executing a Full Refresh from the
    ThreatStream Integrator user interface.
Email Report Distribution
    Restrict the email domains to which users in your organization can send
    Threat Model entities.
    Note: For more information on sharing Threat Models through email, see
    "Sharing Threat Model Entities Through Email" on page 527.
    By default, users in your organization can share Threat Model entities with
    any email address. To implement domain restrictions, disable Users can send
    reports to any email domain. After doing so, the email domains registered
    with your account on ThreatStream automatically populate the text box. You
    can add additional domains to the list. Domains can be separated by commas
    or line breaks. After manually modifying the domain list, click Save to
    implement the domain restrictions.

Anomali Match Integration URL
    For Anomali Match users only: Enter the URLs which you use to connect to your
    Anomali Enterprise system. Doing so validates which Anomali Match systems can
    make connections to your organization on ThreatStream.

SSO Logout URL
    If your organization leverages a third party single sign-on (SSO) service for
    ThreatStream, enter the URL for the portal of your SSO provider. You will be
    directed to this URL when logging out of ThreatStream. If left blank, the
    default ThreatStream login URL is used.
Maximum Session Lifetime
    Enable a maximum limit for active sessions in ThreatStream. When this setting
    is enabled, ThreatStream terminates sessions for users in your organization
    which have been active for the specified length of time, whether or not the
    user is still working in them. Users must reauthenticate in order to continue
    using ThreatStream after the limit has been reached. To enable this setting,
    specify a length of time and click Save.

Sessions Inactivity Timeout
    Enable ThreatStream session timeout for users in your organization and decide
    when timeouts occur after periods of inactivity. By default, sessions time
    out after 30 days of inactivity. To enable timeout after a specific period of
    inactivity, select a length of time and click Save.
    To end the session each time users close their browser, click Terminate
    session on browser close. Note that timeouts will not occur when users simply
    close browser tabs on which they are running ThreatStream; the whole browser
    must be closed.
    If you need to disable Session Timeout, contact Anomali support.

Analysis Time
    Amount of time that the sandbox records runtime activity of detonated files
    after execution.
    Tip: In some cases, malicious software may delay the execution of malicious
    activity in order to evade sandboxes. Increasing the analysis time can help
    ensure activity is recorded in these cases.
Allow Observable Imports from Sandbox
    When switched on, users have an additional Import Observables option when
    submitting Sandbox detonations. This option enables users to automatically
    import observables discovered during detonation. Select Import Observables
    option is selected by default if you want the option to be pre-selected on
    the Sandbox detonation window. Organization users can still disable the
    option on an ad-hoc basis.
    When switched off, the Import Observables option is grayed out and users are
    unable to select it, as displayed in the image below.

Password Lockout
    Configure a policy for locking accounts after consecutive failed login
    attempts. You can set the following parameters:
    - Attempts Before Lockout: Number of consecutive failed login attempts
      allowed before an account is locked. The count is reset after users
      successfully log in.
    - Lockout Duration: Amount of time in minutes accounts will remain locked.
      Specifying a duration of zero minutes makes the lockout indefinite. Org
      Admins can unlock locked accounts from the User Admin tab within
      ThreatStream settings. See "Managing Organization Users" on page 97 for
      information on unlocking accounts.

Password Age
    Specify the maximum number of days that organization users can use a
    password. Passwords will expire after the time period you select and users
    are forced to set new ones. You can select 30, 60, or 90 days.
Notify users before password expiration
    Specify the number of days before password expiration when users receive
    notification from ThreatStream to change their passwords. Users receive
    notifications through email and the ThreatStream user interface.

MITRE ATT&CK®
    View the current version. You can click Change Version to set a later
    version. However, you cannot revert to an earlier version. See "Using the
    MITRE ATT&CK Framework in ThreatStream" on page 516 for details about version
    support.

Timezone
    Click Change Timezone to set a default timezone for your organization. All
    timestamps displayed on the ThreatStream user interface reflect the timezone
    you select. Organization users will be notified of the change the next time
    they log in to ThreatStream.
    Note: This setting only impacts timestamps displayed on the ThreatStream user
    interface. Timestamps retrieved through the ThreatStream API or provided to
    downstream integrations through ThreatStream Integrator are in UTC,
    regardless of the timezone you configure for the ThreatStream user interface.

Use Source Reported Confidence on Intelligence detail page
    When switched on, confidence scores reported by intelligence feeds or
    importers are displayed on observable details pages instead of ThreatStream
    confidence scores.
Use My Organization as default Visibility
    When switched on, imported intelligence is shared only with your organization
    by default. Enabling this setting does not prevent users from selecting the
    "Anomali Community" sharing setting; it simply sets "Organization" as the
    default selected setting.

Use My Organization as default tag TLP
    When switched on, comments left on intelligence are assigned the TLP color
    red by default and are only visible to users within your organization.
    Commenters can select the TLP color white to make comments visible to users
    outside of your organization.

Use SSO for login exclusively
    When switched on, users must use the portal of your SSO provider for
    ThreatStream login and cannot use the ThreatStream login page. If users
    attempt to log in via the ThreatStream login page, a message will instruct
    them to use the SSO portal instead.
    When Use SSO for login exclusively is enabled, users no longer receive
    password expiration warning emails from ThreatStream.

Use Multi-Factor Authentication (MFA)
    When switched on, users must also provide the one-time MFA token generated by
    their authenticator app in order to log in.
Use Password Requirements
    When switched on, users must adhere to the password requirements you
    configure. Requirements you can configure include:
    - Minimum Length: Minimum number of total characters passwords must include.
    - Password History Retention: Number of previous passwords ThreatStream
      retains and blocks users from using as new passwords. For example, if you
      enter 3, users in your organization are unable to reuse any of their three
      most recent ThreatStream passwords when resetting their passwords.
      Note: ThreatStream can retain a maximum of 12 previously used passwords.
    - Lowercase Characters: Minimum number of lowercase characters passwords
      must include.
    - Uppercase Characters: Minimum number of uppercase characters passwords
      must include.
    - Numeric Characters: Minimum number of numeric characters passwords must
      include.
    - Special Characters: Minimum number of special characters passwords must
      include.
    Additionally, when switched on, you can force individuals to change their
    passwords by checking the Change Password box on the User Admin page. See
    "Managing Organization Users" on page 97 for more information.
Allow Anomali staff to add users
    When switched on, Anomali can add users to your organization that attempt to
    register on ThreatStream with an email address from your domain. This is the
    default setting.
    When switched off, you are responsible for adding new users to your
    organization. New users can be added manually from the User Admin page. When
    new users attempt to register via the registration form with email addresses
    from your domain, Org Admins receive email notifications and can then add
    the new users manually.
    Note: When this setting is disabled, all new users must be added manually to
    your organization through the User Admin page. For more information on
    adding new users, see "Managing Organization Users" on page 97.

Restrict ThreatStream Cloud Access
    When switched on, non-admin users are restricted from accessing the
    ThreatStream Cloud user interface and must use your ThreatStream OnPrem user
    interface exclusively. Org Admins can still access ThreatStream Cloud.
    In order to enable this setting, you must first enable "Use local server for
    email delivery" on the Organization tab within ThreatStream Settings on your
    ThreatStream OnPrem.
    Note: "Restrict ThreatStream Cloud Access" is only displayed for
    organizations that use ThreatStream OnPrem.
Allow public tags on data owned by my organization
    When enabled, users outside of your organization are allowed to add Anomali
    Community tags to data owned by your organization. When disabled, users
    outside of your organization are prevented from adding Anomali Community
    tags to data owned by your organization.
    However, users from other organizations can always add My Organization tags,
    those that are visible to only their organization, to any data they have the
    privileges to access.

Help Improve ThreatStream
    When enabled, Anomali collects usage data on the actions you take in
    ThreatStream to improve the platform and customize your user experience.
    Usage data is also collected on the Anomali Lens browser extension for users
    on v4.2.0 and above. See the Anomali Cookie Policy for more information on
    usage data collection.

Enable ThreatStream Chat
    Enable instant messaging for your organization on ThreatStream. See
    "Collaborating with ThreatStream Chat" on page 638 for more information.
    Once Chat is enabled for your organization, an additional column is available
    on the User Admin screen within ThreatStream settings, which allows Org
    Admins to grant or deny organization users permission to use Chat. All users
    are excluded from Chat by default and must be granted permission by an Org
    Admin to use Chat.
Permitted CIDRs
    Grant access to your organization on ThreatStream Cloud exclusively to IP
    addresses that fall within specified CIDRs. After entering a valid CIDR, all
    organization members must access ThreatStream from an IP address within one
    of the CIDRs in order to log in. You can enter up to 1000 CIDRs.
    The restriction applies to Org Admins as well, so include your own egress
    address range before saving and confirm an Org Admin can still log in from
    it; a list that omits the address you are connecting from locks you out
    along with everyone else.
    Note: If you configure Permitted CIDRs, ThreatStream automatically ensures
    connection with multiple internal I﻿P addresses which enable communication
    between ThreatStream and the Anomali Lens browser plugin.

Custom SSO Authentication Error Message
    If your organization uses SSO for authenticating to ThreatStream, you can
    enter a custom error message that ThreatStream will display when users
    attempt to authenticate using an account that does not exist in
    ThreatStream.

To view or edit your organization settings:
1. In the top navigation bar, click the Settings icon and then Organization.
2. Make the required changes.
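The Password Lockout, Password Age and Use Password Requirements settings above
describe a policy. The following added example, which is not code from this guide
or from Anomali, implements that policy in Python so the pieces can be seen
interacting: the per-class character minimums, history retention capped at 12, a
lockout after the configured number of consecutive failures with a zero duration
meaning indefinite, and the failure count resetting on a successful login. The
PBKDF2 storage, the iteration count, the default values and the epoch-second
clock are assumptions made for the example; how ThreatStream itself stores
passwords is not documented in this guide.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_HISTORY = 12         # the guide: at most 12 previous passwords are retained
PBKDF2_ROUNDS = 100_000  # illustrative storage scheme, not ThreatStream's


@dataclass
class PasswordRequirements:
    """The knobs under 'Use Password Requirements', expressed as minimum counts."""
    min_length: int = 12
    history_retention: int = 3
    lowercase: int = 1
    uppercase: int = 1
    numeric: int = 1
    special: int = 1

    def __post_init__(self):
        if not 1 <= self.history_retention <= MAX_HISTORY:
            raise ValueError(f"history retention must be 1..{MAX_HISTORY}")

    def violations(self, candidate: str) -> List[str]:
        """Every rule the candidate breaks; an empty list means it passes."""
        have_need = {
            "lowercase": (sum(c.islower() for c in candidate), self.lowercase),
            "uppercase": (sum(c.isupper() for c in candidate), self.uppercase),
            "numeric": (sum(c.isdigit() for c in candidate), self.numeric),
            "special": (sum(c in string.punctuation for c in candidate), self.special),
        }
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        for name, (have, need) in have_need.items():
            if have < need:
                problems.append(f"needs at least {need} {name} character(s)")
        return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Password history plus the 'Password Lockout' state for one user.
    Times are Unix epoch seconds (an assumption made for the example)."""
    requirements: PasswordRequirements
    attempts_before_lockout: int = 5
    lockout_minutes: int = 0          # 0 = locked until an Org Admin unlocks
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # newest last
    failed_attempts: int = 0
    locked_until: Optional[float] = None

    def set_password(self, new: str) -> List[str]:
        """Apply the requirements. The current password and the N-1 before it
        are blocked, so retention 3 blocks the three most recent passwords."""
        problems = self.requirements.violations(new)
        if any(hmac.compare_digest(_hash(new, s), h) for s, h in self.history):
            problems.append("matches one of the last "
                            f"{self.requirements.history_retention} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _hash(new, salt)))
        del self.history[:-self.requirements.history_retention]
        return []

    def check_login(self, password: str, now: int) -> bool:
        if self.locked_until is not None:
            if now < self.locked_until:
                return False              # still locked; the attempt is not counted
            self.admin_unlock()           # lockout duration has elapsed
        salt, digest = self.history[-1]
        if hmac.compare_digest(_hash(password, salt), digest):
            self.failed_attempts = 0      # the guide: the count resets on success
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.attempts_before_lockout:
            self.locked_until = (float("inf") if self.lockout_minutes == 0
                                 else now + 60 * self.lockout_minutes)
        return False

    def admin_unlock(self) -> None:
        """What an Org Admin does from the User Admin tab."""
        self.locked_until = None
        self.failed_attempts = 0
```

Two details worth noticing: attempts made while an account is locked are not
counted, so a locked account cannot be kept locked forever by an attacker who
keeps guessing, and history comparison uses hmac.compare_digest on the stored
hashes rather than comparing cleartext, so old passwords never need to be kept in
a recoverable form.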
Authentication in ThreatStream
User authentication ensures the security of your organization on ThreatStream by
confirming that the people logging into accounts associated with your organization
are who they say they are. By default, all users must enter a password to login to
ThreatStream, but, as an administrator, you can also enable multi-factor
authentication to add another layer of security for your organization on
ThreatStream. For more on multi-factor authentication, see "Multi-Factor
Authentication" on page 93.
Mailboxes For Receiving Observables
Mailboxes enable you to ingest data to ThreatStream via email, without connecting
to the user interface. These emails must be sent to designated mailboxes on
ThreatStream, which are associated with unique email addresses.
There are two types of mailboxes on ThreatStream.
l Phishing mailboxes enable you to forward phishing scams you receive to
ThreatStream for analysis. These mailboxes can be configured to create an
import session for observables parsed from the email or an investigation from
which you can centrally manage the analysis process. The investigation will
contain all discovered observables from the email, for which you can initiate an
import session from the investigation. You can additionally configure phishing
mailboxes to create Threat Bulletins from the email content and detonate URLs
or attachments in the sandbox.
l Import mailboxes enable you to initiate import sessions for structured or
unstructured data without connecting to the ThreatStream user interface. You
can additionally configure import mailboxes to add imported observables to new
investigations and create Threat Bulletins for each import.
Any ThreatStream user can create multiple mailboxes to meet their needs. For
example, you can set up one mailbox to submit the phishing attachments to
Sandbox and another one to create a Threat Bulletin when phishing emails are
received.
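The mailbox Actions settings later in this section note that global and organization
exclude lists are not applied to candidate observables until they are imported, so
an investigation-only phishing mailbox can surface your own infrastructure as Not
Imported Observables. The following added example, which is not code from this
guide or from Anomali, parses observables out of a phishing email the way a mailbox
would and checks them against an organization exclude list before anything is
imported. It serves both the "Set up organization exclude list" step in Chapter 3 and
the phishing mailbox described here. The exclude list entries and the sample message
are constructed for the example; the rule that a listed domain also covers its
subdomains, URLs hosted on it and addresses at it is a choice made in this example,
not a statement about how ThreatStream evaluates the list.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Constructed exclude list covering the entry types the guide names. Not Anomali data.
EXCLUDE_LIST = ["10.0.0.0/8", "203.0.113.7", "example.com",
                "https://intranet.example.com/login", "helpdesk@example.com"]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _is_ip(value: str) -> bool:
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False


class ExcludeList:
    """Organization exclude list. Assumption made here, not stated in the guide:
    a listed domain also covers its subdomains, URLs on it and mailboxes at it."""

    def __init__(self, entries):
        self.networks, self.ips, self.domains, self.urls, self.emails = [], set(), set(), set(), set()
        for raw in entries:
            entry = raw.strip().lower()
            if entry.startswith(("http://", "https://")):
                self.urls.add(entry.rstrip("/"))
            elif "@" in entry:
                self.emails.add(entry)
            elif "/" in entry:
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            elif _is_ip(entry):
                self.ips.add(ipaddress.ip_address(entry))
            else:
                self.domains.add(entry)

    def matches(self, kind: str, value: str) -> bool:
        value = value.lower()
        if kind == "ip":
            ip = ipaddress.ip_address(value)
            return ip in self.ips or any(ip in net for net in self.networks)
        if kind == "domain":
            return any(value == d or value.endswith("." + d) for d in self.domains)
        if kind == "email":
            return value in self.emails or self.matches("domain", value.rsplit("@", 1)[1])
        if kind == "url":
            host = urlsplit(value).hostname or ""
            host_kind = "ip" if _is_ip(host) else "domain"
            return value.rstrip("/") in self.urls or self.matches(host_kind, host)
        return False


def extract_observables(raw_eml: bytes) -> set:
    """Parse an .eml into (kind, value) candidates. Domains come only from URL
    hosts and address domains, so file names such as report.pdf stay out."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    chunks = [str(msg.get(h, "")) for h in ("From", "Reply-To")]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_content())
    text = "\n".join(chunks)
    found = set()
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")
        host = urlsplit(url).hostname or ""
        found.add(("url", url))
        if host:
            found.add(("ip" if _is_ip(host) else "domain", host))
    for addr in EMAIL_RE.findall(text):
        found.add(("email", addr.lower()))
        found.add(("domain", addr.rsplit("@", 1)[1].lower()))
    for ip in IPV4_RE.findall(text):
        if _is_ip(ip):  # drops 999.1.1.1-style regex matches
            found.add(("ip", ip))
    return found


def triage(raw_eml: bytes, exclude: ExcludeList) -> dict:
    """Split parsed observables into import candidates and the entries the
    exclude list would drop, so both are visible before anything is imported."""
    result = {"candidates": [], "excluded": []}
    for kind, value in sorted(extract_observables(raw_eml)):
        bucket = "excluded" if exclude.matches(kind, value) else "candidates"
        result[bucket].append((kind, value))
    return result


# Constructed phishing message for the demonstration; not a real sample.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: it-support@mail-example-verify.net
Content-Type: text/plain; charset=utf-8

Verify your password at http://mail-example-verify.net/login?u=alice today.
The internal portal https://intranet.example.com/login will be unavailable.
Our VPN is 10.20.30.40; suspicious logins came from 198.51.100.23.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EML, ExcludeList(EXCLUDE_LIST)))
```

Run against the sample, the spoofed sender domain, its URL and the external IP
land in candidates, while the helpdesk address, the intranet URL and the RFC 1918
VPN address are reported as excluded instead of silently disappearing; that is the
view an analyst wants before an import session is created from a mailbox.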
Actions:
- Add: create a new mailbox.
- Edit: edit the selected mailbox.
- Delete: delete the selected mailbox.
For each mailbox, the Mailboxes page also lets you:
- View observables imported via the mailbox on the Observables search page.
- Copy the email address associated with the mailbox.
- View the status of import jobs submitted via the mailbox and access any
  associated import sessions, investigations, or Threat Bulletins.
- See whether or not an import session is automatically created when the mailbox
  receives submissions.
- See the type of mailbox (Import or Phishing).
- See the actions associated with the mailbox.
You can also enable up to 10 email addresses not registered with your organization
to import intelligence via email. See "Adding Additional Email Import Addresses" on
page 93 for more information.
Managing Mailboxes
Note: You do not need to be an Org Admin to add a mailbox to ThreatStream.
To add phishing mailboxes:
1. In the top navigation bar, click the Settings icon and then Mailboxes.
2. Click Add in the Actions menu.
3. Select Parse Phishing Email and click Next.
4. Configure the following mailbox settings:
Name
    A meaningful name for the mailbox.

Proxy User
    When submissions are received from email addresses that are not registered
    with your organization, this user is listed as the creator of any resulting
    import sessions, investigations, or Threat Bulletins.
Actions
    Automatic actions that ThreatStream will take when an email is received by
    the mailbox.
    - Create Import Session: An import session is created for observables parsed
      from the phishing email.
    - Create an Investigation: An investigation is created. Email contents are
      added to the investigation. The user you select under Assignee below is
      made reporter for the investigation.
      Notes:
      - You must select Create Import Session, Create an Investigation, or both.
      - If you select Create an Investigation only, an import session is not
        initiated when the mailbox receives submissions. Parsed observables
        which have already been imported to ThreatStream are added to the
        investigation as Already Imported Observables. Parsed observables which
        do not exist in ThreatStream are added to the investigation as Not
        Imported Observables. In these cases, global and organization exclude
        lists are not applied to candidate observables until they are imported.
        Hence, observables present on your organization Import Exclude List can
        be added to the investigation as Not Imported Observables.
    - Create Threat Bulletin: Create a Threat Bulletin with the contents of
      attached phishing emails. The user you select under Select
      Reporter/Assignee is assigned the Threat Bulletin. Typically, for Threat
      Bulletins created via phishing email mailboxes, default assignees triage
      newly created Threat Bulletins and route them to other users for review.
      See "Phishing Email Threat Bulletins" on page 298 for more information.
      Select Attach Original Email if you want to make the original email
      available in the Attachments section of the Threat Bulletin.
Anomali ThreatStream Page 85 of 750
User Guide
Chapter 5: Organization Administration
Setting Description
Note: Upon creation, Threat Bulletins are assigned the
New status and only visible to your organization. See
"Reviewing Threat Model Entities for Publication" on
page 542 for more information on the Threat Model
publication workflow.
n Detonate URLs in Sandbox: Submit parsed URLs to the
sandbox for detonation. When you select this option, you can
also specify a Sandbox Service and Platform on which to
detonate the URLs.
Notes:
- Sandbox imposes a restriction of a maximum of 1024
characters on URLs. Therefore, make sure the URLs
adhere to this limit.
- Only the first five parsed URLs are submitted to the
sandbox.
n Detonate Attachment in Sandbox: Submit email
attachments to the sandbox. When you select this option, you
can also specify a Sandbox Service and Platform on which to
detonate the attachment.
Note: Password protected attachments are not supported
for detonation through phishing mailboxes.
n Parse Headers: When this option is selected, ThreatStream
parses the headers of emails received by the mailbox.
Observables parsed from the email headers are included in the
import session associated with the ingestion. Additionally,
email headers are included alongside email bodies in Threat
Bulletins or investigations that result from the ingestion. Email
headers will be ignored by ThreatStream if this option is not
selected.
5. Click Next and configure the following Additional Settings:
Tags
  (Optional) Add any Tags that you want to associate with the imported intelligence. Tags can contain spaces. You can also select pre-defined tags from the Add Kill Chain Phase drop down. If you are specifying multiple tags, comma-separate the tags.
  As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags.
Assignee
  Organization user to whom investigations and Threat Bulletins will be assigned.
Visibility
  Select a Visibility setting for import sessions created through the mailbox—Anomali Community, My Organization, or Trusted Circles.
  If you select Trusted Circles, check the Trusted Circles from the provided list.
  If you select My Organization, you can further restrict the visibility to specific workgroups in your organization. To do so, select the workgroups to which you want to give exclusive access to the observables imported through the mailbox. For more information on workgroups, see "Restricting Access to Intelligence with Workgroups" on page 196.
  Sandbox Reports, Threat Bulletins, and Investigations created through phishing mailboxes are always assigned the My Organization visibility setting.
  Note: For mailboxes configured to share import sessions or investigations with workgroups, submissions made from email addresses outside of your organization fail if the configured Proxy User is not a member of the workgroup.
6. Click Done.
The mailbox is added to the list on the Mailboxes screen. If you want to copy the
email address of this mailbox, click the icon in the Email column. The address is
copied to the clipboard. You can paste this email address in a mail client of
your choice to send an email to ThreatStream.
To add import mailboxes:
1. In the top navigation bar, click Settings and then Mailboxes.
2. Click Add in the Actions menu.
3. Select Parse Email for Intelligence and click Next.
4. Configure the following mailbox settings:
Name
  A meaningful name for the mailbox.
Proxy User
  When submissions are received from email addresses that are not registered with your organization, this user is listed as the creator of any resulting import sessions, investigations, or Threat Bulletins.
Actions
  Automatic actions that ThreatStream will take when an email is received by the mailbox.
  Note: All Import mailboxes create import sessions for observables parsed from the bodies of submitted emails. You can select any of the following actions in addition to this primary action.
  • Create an Investigation: An investigation is created. Email contents are added to the Investigation.
  • Create Threat Bulletin: Create a Threat Bulletin with the contents of the emails. Select Attach Original Email if you want to make the original email available in the Attachments section of the Threat Bulletin.
5. Click Next and configure the following Additional Settings:
Tags
  (Optional) Add any Tags that you want to associate with the imported intelligence. Tags can contain spaces. You can also select pre-defined tags from the Add Kill Chain Phase drop down. If you are specifying multiple tags, comma-separate the tags.
  As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags.
Assignee
  Organization user to whom investigations and Threat Bulletins will be assigned.
Confidence
  Select the Confidence value you want to assign to the imported observables.
  The Confidence value is re-assessed when ThreatStream analyzes the imported data. To enforce the Confidence value you selected, check Override System Confidence.
Visibility
  Select a Visibility setting for import sessions created through the mailbox—Anomali Community, My Organization, or Trusted Circles.
  If you select Trusted Circles, check the Trusted Circles from the provided list.
  If you select My Organization, you can further restrict the visibility to specific workgroups in your organization. To do so, select the workgroups to which you want to give exclusive access to the observables imported through the mailbox. For more information on workgroups, see "Restricting Access to Intelligence with Workgroups" on page 196.
  Investigations and Threat Bulletins created through import mailboxes are always assigned the My Organization visibility setting.
Threat Type
  Threat Type for the imported observables. ThreatStream will assign extracted observables an indicator type based on the threat type you specify.
  Malware is the default threat type. Imported observables will be assigned a Malware related indicator type if you do not select a different threat type.
  See "Threat Types in ThreatStream" on page 733 for more information.
Associate Threat Models
  Associate observables with threat model entities. Select the threat model entity type—Actor, Campaign, Incident, Threat Bulletin, TTP—and its name.
6. Click Done.
The mailbox is added to the list on the Mailboxes screen. If you want to copy the
email address of this mailbox, click the icon in the Email column. The address is
copied to the clipboard. You can paste this email address in a mail client of
your choice to send an email to ThreatStream.
To edit a mailbox on ThreatStream:
1. In the top navigation bar, click Settings and then Mailboxes.
2. Click the mailbox you want to edit OR select the mailbox and click Edit under
Actions.
3. Make required changes.
4. Click Save.
To delete a mailbox on ThreatStream:
1. In the top navigation bar, click Settings and then Mailboxes.
2. Select the mailbox you want to delete.
Tip: You can select multiple mailboxes.
3. Select Delete from the Actions drop down at the top right of the screen.
Adding Additional Email Import Addresses
By default, only email addresses registered with your organization on ThreatStream
can import intelligence via organization mailboxes. However, you can enable up to
10 email addresses not registered with your organization to submit intelligence to
your mailboxes. Only Org Admins can add additional email import addresses.
To add additional email import addresses:
1. In the top navigation bar, click Settings and then Mailboxes.
2. Under Email Import Addresses, add up to 10 email addresses not registered
with your organization. Enter one email address per line.
3. Click Save.
Note: Ensure that a Proxy User is specified for mailboxes to which these non-
organization email addresses will submit intelligence.
Multi-Factor Authentication
Multi-factor authentication (MFA) uses at least two factors to authenticate users.
Typically, the first factor is the user name and password of a user and the second
factor is an authentication code generated by an MFA app or MFA device.
Enabling multi-factor authentication adds an additional layer of security to protect
your organization and its data.
ThreatStream supports multi-factor authentication. When you configure
ThreatStream for MFA, users are required to provide an authentication code in
addition to their email and password for authenticating. The code must be generated
through the Google Authenticator App, which is available in the App stores for Apple
and Android devices.
The process of setting up MFA for ThreatStream includes these steps:
1. Configure ThreatStream for MFA.
2. Require your organization's users to download the Google Authenticator App
and configure it for generating authentication codes for ThreatStream.
Configure MFA for Your Organization on ThreatStream
Note: By default, the MFA setting is applied at the organization level. Once
enabled, all users in your organization are automatically configured to
authenticate using MFA. However, you can selectively exclude users from this
setting after you have enabled MFA at the organization level. See "Excluding
Specific Users From MFA" on page 97 for details.
To set up your organization on ThreatStream for MFA:
1. Log in to ThreatStream as an administrator of your organization.
2. In the top navigation bar, click Settings and then Organization.
3. Click the switch to the right of Use Multi-Factor Authentication (MFA) to
enable it.
The switch should turn green when enabled. Once ThreatStream is configured
for MFA, the Log in screen will change as follows.
Log in the First Time Using MFA
Follow these steps to log in to ThreatStream for the first time after it has been
configured for MFA.
To log in for the first time using MFA:
1. Download the Google Authenticator App on your Apple or Android device.
2. Connect to ThreatStream at https://ui.threatstream.com.
3. Enter your email and password, and click Login.
A Shared Secret code is displayed, as shown below. You are prompted to enter
this code in the Google Authenticator App.
4. Set up the Google Authenticator App on your Apple or Android device as
follows:
a. Scan the QR Code displayed on the Log in screen on your device to
automatically configure the App.
OR
b. Launch the App and manually enter these values:
Account: Your ThreatStream email
Key: Shared Secret code from the above screen
The Google Authenticator App generates a six-digit numeric authentication
code.
5. Enter the authentication code in the MFA Token field on the Log in screen.
6. Click Login.
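The six-digit code entered in the MFA Token field is a time-based one-time password (RFC 6238): the authenticator app and the server both derive it from the shared secret shown at first login and the current 30-second time step. The following is an added example of that derivation and of a server-side check with a drift window and replay guard, not ThreatStream's implementation; the key is the RFC 4226 test key in the base32 form authenticator apps accept, and the 30-second step is the authenticator-app default.

```python
"""TOTP (RFC 6238) generation and verification, as authenticator apps do it.

Illustrative code only; not part of ThreatStream. The key below is the
RFC 4226 test key "12345678901234567890", base32-encoded the way an
authenticator app expects a manually entered shared secret.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time step used by Google Authenticator
DIGITS = 6          # length of the code typed into the MFA Token field

# RFC 4226 test key, base32-encoded (constructed here for the example).
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32):
    """Decode a shared secret as shown to the user: base32, case-insensitive,
    spaces tolerated, padding optional."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_at(secret_b32, unix_time):
    """Code the authenticator app displays at the given Unix time."""
    return hotp(decode_secret(secret_b32), unix_time // STEP_SECONDS)


def verify_totp(secret_b32, submitted, unix_time=None, window=1, last_counter=-1):
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps either side (clock drift),
    compares in constant time, and refuses any step at or before
    `last_counter` so a code that was already accepted cannot be replayed.
    Returns the matching counter, or None when the code is rejected.
    """
    if unix_time is None:
        unix_time = int(time.time())
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    key = decode_secret(secret_b32)
    now = unix_time // STEP_SECONDS
    matched = None
    for counter in range(max(0, now - window), now + window + 1):
        # compare_digest keeps each comparison constant-time; every candidate
        # step is evaluated rather than returning on the first hit.
        if hmac.compare_digest(hotp(key, counter), submitted) and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    print("current code:", totp_at(DEMO_SECRET_B32, int(time.time())))
```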
Log in Using MFA After the First Time
To log in to ThreatStream after setting up the Google Authenticator App:
1. Connect to ThreatStream at https://ui.threatstream.com.
2. Enter your email address and password.
3. Check I have a Multi-Factor Authentication (MFA) token.
4. Obtain the six-digit numeric code from your Google Authenticator App and enter
it in the MFA Token field, as shown in the following screen.
5. Click Login.
Reset Your MFA Token
If users are unable to log in to ThreatStream with their current MFA configuration,
organization administrators can reset MFA tokens for individual users. Users are
then prompted to set up MFA with a new shared secret.
To reset configured MFA tokens for individual users:
1. Log in to ThreatStream as an administrator of your organization.
2. Click Settings and then User Admin.
3. Locate the required user in the table and click Reset MFA.
Recover Your MFA Shared Secret
If you are the sole Org Admin for your organization and cannot log in to
ThreatStream with your current MFA configuration, you must contact Anomali
Support to reset your MFA shared secret.
To prevent this situation from occurring, users who are the only Org Admin for their
organization can disable MFA for their accounts or add another Org Admin user.
Excluding Specific Users From MFA
To exclude specific users from using MFA after it has been enabled for your
organization:
1. Log in to ThreatStream as an administrator of your organization.
2. Click Settings.
3. Select User Admin.
4. Deselect the box corresponding to the Use MFA icon, as shown in the example
below.
Managing Organization Users
Org Admins can add new users and edit the privileges of existing users. From the
User Admin tab within ThreatStream settings, you can add users, remove users,
edit permissions of existing users, and export user information in CSV format.
Read Only Account: Gives users read only access to ThreatStream. Read only
users can view and export intelligence on ThreatStream but cannot create
intelligence of any kind. For more information see "Read Only User Privileges" on
page 206.
Org Admin: Makes users Org Admins. For more on user roles in ThreatStream,
see "ThreatStream User Roles" on page 203.
Approve Intel: Enables users to approve imported intelligence.
Create Anomali Community Intel: Allows users to create intelligence shared
with the Anomali Community. This includes importing observables, creating
Sandbox Reports, as well as modifying tags and commenting on observables and
Sandbox Reports shared with the Anomali Community.
Import to TAXII Feeds: Allows organization users to push data from
TAXII clients to your ThreatStream TAXII server.
Show API Key For Users: When selected, users can access their dedicated
ThreatStream API key on the My Profile tab within ThreatStream settings. This
permission also determines whether users can view software downloads on the
ThreatStream Downloads page.
Note: A new user-specific API key is generated each time you enable
API access for a user.
Change Password: When selected, users are asked to change their passwords
the next time they log in.
Note: The Change Password option is only available if the Use Password
Requirement setting is enabled on the Organization tab. See "Viewing and
Editing Organization Settings" on page 71 for more information.
Submit Sandbox: Enables users to submit malware to a sandbox for
detonation. This privilege also applies to sandbox submissions made through the
phishing mailboxes. See "Analyzing Malware with the ThreatStream Sandbox" on
page 607 for more information.
Note: The Submit Sandbox permission is currently available only for users
managed through the local ThreatStream authentication source. Support for
users managed through SSO integrations is coming soon.
Use MFA: Includes users in multi-factor authentication.
Note: The Use MFA permission is only available if the Use Multi-Factor
Authentication (MFA) setting is enabled on the Organization tab. See "Viewing
and Editing Organization Settings" on page 71 for more information.
Reset MFA: Reset MFA configuration for the user. The user will need to
reconfigure their MFA settings on their Google Authenticator app the next time they
log in. See "Log in the First Time Using MFA" on page 94 for more information on
reconfiguring MFA.
Deactivate: Remove the user from your organization user list. After taking this
action, the user is disabled. The user is no longer displayed on the Users tab and
cannot log in to ThreatStream.
If your use case involves multiple organizations: ThreatStream does not support
moving users between organizations. After removing a user, the user cannot be
created on a different organization with the same email address. If you need to
move users between organizations, please contact Anomali Support.
Unlock Account: If a user account is locked due to consecutive failed login
attempts, an Unlock Account button is displayed. If you click Unlock Account, the
user can log in with their existing password. See "Password Lockout" on page 75 for
information on configuring a password lockout policy.
Note: Accounts added to your organization by Anomali for administrative or
support purposes appear in the user list as displayed below.
To add a new user:
1. In the top navigation bar, click Settings and then User Admin.
2. Click Add User.
3. Enter the email address for the new user. The domain must match the domain of
your organization.
4. Select the permissions you want to give the new user.
Note: The Use MFA permission is only available if the Use Multi-Factor
Authentication (MFA) setting is enabled on the Organization tab. See
"Viewing and Editing Organization Settings" on page 71 for more
information.
5. Click Add.
6. Instruct the new user to check their email for further instructions.
To edit the permissions of existing users:
1. In the top navigation bar, click Settings and then User Admin.
2. Locate the email address of the required user in the Member column.
3. Make required changes. Changes are saved automatically.
To remove users from your organization:
1. In the top navigation bar, click Settings and then User Admin.
2. Locate the email address of the user you'd like to remove in the Member
column.
3. Click Remove.
4. Click OK to confirm.
Note: Removed users cannot be reactivated. Please contact Anomali support if
you need to reactivate a user.
Exporting User Information
You can export user information in CSV format. Exports include all information
visible from the User Admin tab—such as usernames, email addresses, dates users
were added, and permissions—and timestamps of most recent logins.
Exports are limited to 10,000 users.
To export user information:
1. In the top navigation bar, click Settings and then User Admin.
2. Click Export to CSV in the Actions menu.
Your download starts automatically.
Customizing New User Emails
Org Admins can customize the default email sent to new users when they are added
to your organization on ThreatStream. If your organization requires additional steps
from users the first time they log in to ThreatStream, you can notify new users
automatically via new user emails.
Custom text is added to new user emails and does not replace the default text, as
illustrated below.
Hello <new_user>,
You've been added to an organization on the Threat Stream platform by <org_
admin>, an administrator of your ThreatStream organization.
<custom_text>
You may use your email address and the password <default_password> to log
in at https://ui.threatstream.com.
To customize new user emails:
1. In the top navigation bar, click Settings and then User Admin.
2. On the New User Email tab, enter your custom email text. Custom text can be a
maximum of 10,000 characters.
3. Click Save.
Enabling SSO with Active Directory and Active Directory Federated Services
ThreatStream provides the capability to integrate with Microsoft Active Directory
Federation Services (ADFS), thus enabling single sign-on (SSO) and ThreatStream
user administration from Microsoft Active Directory (AD) or Azure AD.
Additionally, you can configure the integration to force all ThreatStream users in
your organization to connect to ThreatStream through AD using SSO.
Organizations that configure the ADFS integration are given one "break glass" user
which maintains access to the ThreatStream user interface through the login page in
the event that access through AD is unavailable. Break glass users cannot log in to
ThreatStream using SSO.
Note: This integration is available for ThreatStream Cloud and ThreatStream
OnPrem users on version 5.1 and beyond. Integrating with ThreatStream
OnPrem version 5.0 and earlier and ThreatStream AirGap are not supported at
this time. If you are on ThreatStream OnPrem 5.0 or earlier, ensure Manage
users with: is set to ThreatStream.
Managing Organization Users From AD
After configuring the integration, administrators perform all user administration
tasks, including the creation of new users and assigning of privileges, from AD and
without connecting to the ThreatStream user interface. During configuration, AD
administrators define security groups in AD and map them to each of the user
permissions in ThreatStream. When administrators grant or revoke permissions for
a user from AD, these updates are synchronized to ThreatStream through ADFS the
next time the user logs in to ThreatStream.
Administrators should note the following when managing organization users from
AD:
• Permissions are restricted for Read Only users. When you assign users the Read Only permission, all other permissions—besides the "Can Use Chat" permission—are unavailable. Thus, if you assign a user the Read Only permission and a restricted permission such as the "Approve Intel" permission, the restricted permission you assigned to the user is ignored.
• Org Admins are not granted API Access by default. When you assign the Org Admin permission from the ThreatStream user interface, users are automatically granted the "User Can View API Key" permission. This mechanism does not exist in AD. Thus, when assigning the Org Admin permission from AD, you must also assign the "User Can View API Key" permission in order to grant API access.
• There is no mechanism to delete users through ADFS. Thus, you must delete users from both AD and ThreatStream to fully remove them. For information on removing users from ThreatStream, see "Managing Organization Users" on page 97. While you cannot delete users through ADFS, users can be prevented from accessing ThreatStream by disabling them in AD.
Requirements
• The integration supports the following platforms:
  - Windows Server 2019 with an AD on Server 2019
  - Windows Server 2016 with an AD on Server 2016
    Note: Windows Server platforms must have an active ADFS service configured. Windows Server 2012 is not supported.
  - Azure AD with an Azure AD Directory Services environment
• You must have an active SAML2 configuration on ThreatStream. Contact Anomali Support for assistance.
Configuring Integration with AD and ADFS
Configuring the integration is a multi-step process. It involves:
1. Configuring the integration on Microsoft AD or Azure AD. This document
contains instructions for both Microsoft AD and Azure AD.
For Microsoft AD instructions: "Configure the Integration on Microsoft AD" below
For Azure AD instructions: "Configuring the Integration on Azure AD" on
page 108
2. (Microsoft AD users only) Creating a Transform Claim Rule in ADFS. See
"Create the Transform Claim Rules in ADFS" on page 106
3. Enabling the integration on ThreatStream. See "Enable the integration on
ThreatStream" on page 111.
Configure the Integration on Microsoft AD
Note: These instructions pertain to Microsoft AD only. If you use Azure AD, see
"Configuring the Integration on Azure AD" on page 108.
Configuring the integration on Microsoft AD involves creating groups corresponding
to each permission in ThreatStream and one additional group which grants users
access to ThreatStream. The table below lists all required permissions and the
default group names recognized by ThreatStream. Groups can be given any name
and mapped to their corresponding ThreatStream permission in a later step.
However, if you use the default values, mapping is automatic.
Default AD Group Name                ThreatStream Permission
SecGrp_TSAdminUser                   Org Admin
SecGrp_TSChatUser                    Can Use Chat
SecGrp_TSCreateCommunityIntelUser    Create Anomali Community Intel
SecGrp_TSIntelApprover               Approve Intel
SecGrp_TSReadOnlyUser                Read Only Account
SecGrp_TSSubmitSandbox               Submit Sandbox*
SecGrp_TSTaxiiUser                   Import to TAXII Feeds
SecGrp_TSUser                        ThreatStream User
SecGrp_TSViewAPIKeyUser              Show API Key for Users
*Submit Sandbox permission is coming soon for users managed through
Microsoft AD and Azure AD. Contact your Anomali Customer Support
representative for more information.
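The default group table and the three administrator notes earlier in this section (the ThreatStream User group grants access, Read Only suppresses every other permission except Can Use Chat, and Org Admin assigned from AD does not imply the API-key permission), worked through as an added Python example of resolving an identity provider's group claims to an effective permission set; this is illustrative code, not ThreatStream's. The SAML group claim type and the Azure AD Object IDs are constructed placeholders, and the Object-ID map reflects the Azure AD steps later in this section, where groups are emitted by Group ID rather than by name.

```python
"""Resolve IdP group claims to ThreatStream permissions (illustrative).

Added example, not ThreatStream code. It applies the rules described in
this section: the ThreatStream User group grants access, Read Only
suppresses every other permission except Can Use Chat, and Org Admin
assigned from AD does not imply Show API Key for Users.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

ACCESS = "ThreatStream User"
READ_ONLY = "Read Only Account"
CHAT = "Can Use Chat"
ORG_ADMIN = "Org Admin"
API_KEY = "Show API Key for Users"

# Default AD group names from the table above (ADFS sends the group name).
DEFAULT_GROUP_PERMISSIONS = {
    "SecGrp_TSAdminUser": ORG_ADMIN,
    "SecGrp_TSChatUser": CHAT,
    "SecGrp_TSCreateCommunityIntelUser": "Create Anomali Community Intel",
    "SecGrp_TSIntelApprover": "Approve Intel",
    "SecGrp_TSReadOnlyUser": READ_ONLY,
    "SecGrp_TSSubmitSandbox": "Submit Sandbox",
    "SecGrp_TSTaxiiUser": "Import to TAXII Feeds",
    "SecGrp_TSUser": ACCESS,
    "SecGrp_TSViewAPIKeyUser": API_KEY,
}

# Azure AD emits the group Object ID rather than the name, so its map is
# keyed by ID. These IDs are placeholders constructed for this example.
AZURE_GROUP_PERMISSIONS = {
    "11111111-1111-1111-1111-111111111111": ACCESS,
    "22222222-2222-2222-2222-222222222222": ORG_ADMIN,
    "33333333-3333-3333-3333-333333333333": API_KEY,
}

# Claim type carrying group membership. Assumed for the example; the page
# does not state the outgoing claim type chosen in the ADFS rule.
GROUP_CLAIM_NAME = "http://schemas.xmlsoap.org/claims/Group"

# Constructed AttributeStatement, standing in for one taken from an
# assertion whose signature the SAML library has already verified.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <saml:AttributeValue>SecGrp_TSUser</saml:AttributeValue>
    <saml:AttributeValue>SecGrp_TSReadOnlyUser</saml:AttributeValue>
    <saml:AttributeValue>SecGrp_TSIntelApprover</saml:AttributeValue>
    <saml:AttributeValue>SecGrp_TSChatUser</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute
      Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>analyst@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def claim_values(attribute_statement_xml, claim_name):
    """Return every AttributeValue of the named claim, in document order."""
    root = ET.fromstring(attribute_statement_xml)
    values = []
    for attribute in root.iter("{%s}Attribute" % SAML_NS):
        if attribute.get("Name") == claim_name:
            for value in attribute.findall("{%s}AttributeValue" % SAML_NS):
                if value.text:
                    values.append(value.text.strip())
    return values


def effective_permissions(groups, group_map=DEFAULT_GROUP_PERMISSIONS):
    """Permissions a user ends up with, given the groups in their claim."""
    perms = {group_map[g] for g in groups if g in group_map}
    if ACCESS not in perms:
        return frozenset()            # no access group: nothing is granted
    if READ_ONLY in perms:
        # Read Only wins; only Can Use Chat survives alongside it.
        perms = {ACCESS, READ_ONLY} | (perms & {CHAT})
    return frozenset(perms)


def unmapped_groups(groups, group_map=DEFAULT_GROUP_PERMISSIONS):
    """Groups in the claim that map to no permission (worth logging)."""
    return [g for g in groups if g not in group_map]


def admin_without_api_key(perms):
    """True when Org Admin was granted without the API-key group, the
    configuration pitfall noted in this section."""
    return ORG_ADMIN in perms and API_KEY not in perms
```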
To create groups in Microsoft AD:
1. Right-click in the AD window and select New > Group.
2. Enter a Group name for the new group. Refer to the table above for the default
group name values recognized by ThreatStream or enter a non-default value.
3. Under Group Scope, select Global.
4. Under Group Type, select Security.
5. Click OK. The group is created.
Repeat this process for each permission listed in the table above. After creating
each group, you can add desired permissions to each ThreatStream user in AD.
These permissions will be synchronized to ThreatStream when you finish
configuring the integration.
When configuration on Microsoft AD is complete, proceed to "Create the
Transform Claim Rules in ADFS" below to continue configuring the integration.
Create the Transform Claim Rules in ADFS
To export groups from Microsoft AD to ThreatStream, you must configure a
Transform Claim Rule for each ThreatStream related group you created in
Microsoft AD.
Note: This section pertains to Microsoft AD users only. No configuration in
ADFS is required for Azure AD users.
To create transform claim rules in ADFS:
a. From ADFS, open the Relying Party Trusts directory.
b. Right-click the Relying Party Trust associated with ThreatStream and select
Edit Claim Issuance Policy.
c. Click Add Rule. This opens the Add Transform Claim Rule Wizard.
d. Under Claim rule template, select Send Group Membership as a Claim.
e. Enter a Claim rule name for the rule. Anomali recommends using the name
of the AD group for which you are creating the rule.
f. Under User's group, click Browse and select the group for which you are
creating the rule.
g. Under Outgoing claim value, enter the exact value of the AD group name
for which you are creating the rule.
h. Click Finish.
Repeat this process for each ThreatStream permission you created in AD. After
adding rules for each group, proceed to "Enable the integration on
ThreatStream" on page 111 to complete configuration within ThreatStream.
Configuring the Integration on Azure AD
If you use Azure AD, you can use the instructions in this section to complete the
Azure AD configuration steps. Before you continue, ensure you have obtained a
Reply URL from Anomali Support for your SAML configuration.
Note: These instructions pertain to Azure AD only. If you use Microsoft AD, see
"Configure the Integration on Microsoft AD" on page 104.
To configure the integration on Azure AD:
1. Create a Non-Gallery Enterprise Application for ThreatStream.
a. Within Azure AD, click Enterprise applications under Manage in the left
menu.
b. Click New Application.
c. Under Add your own app, click Non-gallery application.
d. Enter a Name for the application.
Recommended value: ThreatStream
e. Click Add. The application is created. You are directed to the Overview
screen of the application.
2. Enable SAML for the application.
a. From the Overview screen of the ThreatStream application, click 2. Set up
single sign on.
b. Under Select a single sign on method, click SAML.
c. In the Basic SAML Configuration box, click Edit.
d. Under Identifier (Entity ID), enter an ID for the SAML configuration.
Anomali recommends using the ThreatStream API URL:
api.threatstream.com
e. Under Reply URL, enter the URL provided by Anomali Support for your
SAML configuration.
f. Click Save.
3. Add a Claim for the SAML configuration.
a. In the User Attributes & Claims box, click Edit.
b. Click Add new claim.
c. Enter a Name for the claim.
Required value: emailaddress
d. Enter the following Namespace value:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims
e. For Source, select Attribute.
f. For Attribute, select user.mail.
g. Click Save.
4. Add a Group Claim for the SAML configuration.
a. On the User Attributes & Claims screen, click Add a group claim.
b. Under Which groups associated with the user should be returned in the
claim?, select Security Group.
c. For Source attribute, select Group ID.
d. Select Customize the name of the group claim.
e. Select Emit groups as role claims.
f. Click Save.
5. Provide Anomali Support your SAML Signing Certificate, Login URL, and Azure
AD identifier. To locate this information:
a. From the SAML-based Sign-on screen for the application, locate the SAML
Signing Certificate box. Next to Certificate (base 64), click Download.
b. Locate the Set up <application name> box. Note the Login URL (also known
as SAML Single Sign-On Service URL) and Azure AD Identifier (also
known as SAML Entity ID) values.
c. Provide the Certificate and the Login URL and Azure AD Identifier values to
Anomali Support.
6. Create a group for each permission in ThreatStream. You must create a group
corresponding to each of the following permissions:
  - Grant Access to ThreatStream
  - Read Only Account
  - Org Admin
  - Approve Intel
  - Import to TAXII Feeds
  - User Can View API Key
  - Create Anomali Community Intel
  - Can Use Chat
To add groups in Azure AD:
a. From the Azure Active Directory Overview screen, click Groups under
Manage in the left menu.
b. Click New Group.
c. Under Group type, select Security.
d. Under Group name, enter the name of the permission.
e. Click Create. The group is created.
Repeat this process for each permission listed above. After creating each
group, add the ThreatStream users who should hold each permission to the
corresponding group in Azure AD. Group memberships are synchronized to
ThreatStream permissions when you finish configuring the integration.
Note the Object ID of each group you created. You will use these IDs to
finish configuring the integration within ThreatStream in a later step.
When configuration on Azure AD is complete, proceed to "Enable the
integration on ThreatStream" below to complete configuration within
ThreatStream.
Enable the integration on ThreatStream
To finish configuring the integration, you must configure a Break Glass account and
map the groups created in Active Directory (for ADFS) or Azure AD onto their
corresponding permissions in ThreatStream.
Note: You must use a ThreatStream account with the Org Admin permission in
order to complete the steps in this section.
To enable the integration on ThreatStream:
1. In the top navigation bar, click and then User Admin.
2. Select a user who will serve as the Break Glass Account and click Update. Only
Org Admin users are available in the dropdown.
3. (Optional) Enable Use SSO for login exclusively if you want to prevent users
from logging in with local credentials through the ThreatStream login page.
4. Under Available Identity Providers, specify your Identity Provider—ADFS or
Azure AD—and click Update.
5. If you selected ADFS, you must specify the Group Name corresponding to each
permission. If you used the Default AD Group Name values, the Group Names
are automatically mapped to the correct permission. If you used non-default
names, click the first permission in the list. Specify the correct Group name in
the Edit SSO Permission Mapping window and click Save.
Repeat this process for each permission.
If you selected Azure AD, you must specify the Group ID corresponding to
each permission. These are the Object IDs you noted in the final step of the
Azure AD configuration process. Click the first permission in the list, specify
the correct Group ID in the Edit SSO Permission Mapping window, and click Save.
Repeat this process for each permission.
Configuration is complete and your integration is now active.
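The following script is an added example and not Anomali code. It checks that a SAML assertion captured during testing carries the two things the Azure AD steps above configure: the emailaddress claim under the http://schemas.xmlsoap.org/ws/2005/05/identity/claims namespace, and group Object IDs that map onto the ThreatStream permissions entered in Edit SSO Permission Mapping. Assumptions: with Emit groups as role claims selected, Azure AD places the group IDs in the standard role claim (ROLE_CLAIM); membership of the Grant Access to ThreatStream group is what admits a user; the GUIDs and the assertion are constructed. Run it only on an assertion whose XML signature has already been verified; it performs no signature validation of its own.

```python
"""Check that a SAML assertion carries the claims the ThreatStream SSO mapping expects.

Added example, not Anomali code. Assumptions: with "Emit groups as role claims"
selected, Azure AD places group Object IDs in the standard role claim (ROLE_CLAIM);
membership of the "Grant Access to ThreatStream" group is what admits a user; the
Object IDs and the assertion below are constructed. Run this only on an assertion
whose XML signature has already been verified; it performs no signature checks.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"  # assumption

# Azure AD group Object ID -> ThreatStream permission, mirroring the values entered
# in Edit SSO Permission Mapping. The GUIDs are constructed placeholders.
GROUP_TO_PERMISSION = {
    "11111111-1111-1111-1111-111111111111": "Grant Access to ThreatStream",
    "22222222-2222-2222-2222-222222222222": "Org Admin",
    "33333333-3333-3333-3333-333333333333": "Approve Intel",
}


def extract_claims(assertion_xml):
    """Return {claim_name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def resolve_permissions(claims, mapping=GROUP_TO_PERMISSION):
    """Translate emitted group IDs into ThreatStream permissions and flag unmapped groups."""
    email = claims.get(EMAIL_CLAIM, [])
    if len(email) != 1:
        raise ValueError("assertion must carry exactly one emailaddress claim")
    groups = claims.get(ROLE_CLAIM, [])
    granted = sorted(mapping[g] for g in groups if g in mapping)
    unmapped = sorted(g for g in groups if g not in mapping)
    if "Grant Access to ThreatStream" not in granted:
        raise PermissionError(f"{email[0]} is not a member of the Grant Access group")
    return {"email": email[0], "permissions": granted, "unmapped_groups": unmapped}


# Constructed assertion: one email claim and three group IDs emitted as role claims,
# one of which is not in the mapping (a group that was never mapped in ThreatStream).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>analyst@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
      <saml:AttributeValue>99999999-9999-9999-9999-999999999999</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(resolve_permissions(extract_claims(SAMPLE_ASSERTION)))
```

An unmapped group ID in the output usually means a group was created in Azure AD but its Object ID was never entered in Edit SSO Permission Mapping, or a typo crept in when it was; a missing emailaddress claim means the claim in step 3 was given the wrong Name or Namespace.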
Updating Your Exclude List
The Exclude List enables you to configure CIDRs, Domains, Email Addresses, IP
Addresses, Hashes, URLs, or User Agents that you want to prevent users within your
organization from importing. Adding an entry to your Exclude List does not prevent
other organizations from importing it.
The Exclude List screen provides the following:
l The entries currently configured on your Exclude List.
l A filter to display configured entries by Type.
l A toggle to show or hide entries added to your Exclude List because they were
reported as false positives. See "Reporting False Positives" on page 248 for more
information.
l A keyword search across configured Exclude List entries.
l An Add To Exclude List form. See "Adding Entries to Your Exclude List"
below for more information.
Actions:
l Import CSV—Add Exclude List entries from a CSV file. See "Adding Exclude List
Entries from a CSV File" on the next page.
l Export CSV—Download a list of your Exclude List entries in CSV format. See
"Exporting Exclude List Entries" on page 117.
l Remove—Remove selected entries from your Exclude List. See "Removing
Entries from Your Exclude List" on page 116.
l Edit Note—Edit the contextual note associated with the selected entry. See
"Editing Exclude List Entries" on page 116.
Adding Entries to Your Exclude List
Follow these guidelines when adding entries to your Exclude List:
l In addition to the domain itself, Domain entries cover all email addresses and
URLs associated with the domain.
l To add all subdomains associated with a domain to your Exclude List, add a
separate Domain entry to the Exclude List that adheres to the following
expression:
*.<domain_name>
Entries adhering to this expression cover subdomains only and not the domain
with which they are associated. You must add a separate entry without the
expression to cover the domain itself and its associated email addresses and
URLs.
For example, to add the domain example.com to your Exclude List—and its
associated email addresses and URLs—add example.com as a Domain
Name entry to your Exclude List. To cover all subdomains associated with
example.com in your Exclude List, such as my.example.com, add
*.example.com as a separate Domain Name entry to your Exclude List.
l Alphanumeric characters are normalized to lower-case when entries are added.
l You can add multiple entries of the same type at once. When adding multiple
entries, enter one per line to separate them.
l IPv6 addresses cannot be added to the Exclude List.
To add entries to your Exclude List:
1. In the top navigation bar, click and then Exclude List.
2. Under Add To Exclude List, select a Type.
3. Type or paste the entries into the text box. Each entry must be on its own line.
4. (Optional) Add contextual information on the entries in the Additional Notes box.
Notes are applied to all new Exclude List entries and can be edited at any time.
5. Click Add.
Adding Exclude List Entries from a CSV File
In addition to manually entering exclude list entries on the Exclude List tab, you can
also upload a CSV file that contains the entries you want to add to your Exclude List.
The CSV file must adhere to the following requirements:
l The entries must be contained in a valid CSV file with the following header line:
value_type,value,notes.
l value_type must be specified for each entry. Possible types include domain,
email, ip, md5, url, user-agent, and cidr.
l value must be specified for each entry. Values must be valid entries based on
the specified type. For example, if you specify ip for type, the corresponding
value must be a valid IP address.
l notes is optional for each entry.
l All text in the CSV file must be lower-cased.
The following is an example of a valid CSV file:
value_type,value,notes
domain,*wildcard-example.com,this is a valid domain
email,account@example.com,
ip,1.2.3.4,
md5,fe01ce2a7fbac8fafaed7c982a04e229,
url,http://example.com,
user-agent,myagent1,
cidr,192.0.2.0/24,
To add exclude list entries from a CSV file:
1. In the top navigation bar, click and then Exclude List.
2. In the Actions menu, click Import CSV.
3. Click Select File and browse for the CSV file.
4. Click Import.
The entries from the CSV file are then added to your Exclude List. If the import
failed, ensure your CSV file adheres to the above requirements and try again.
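The following script is an added example and not Anomali code. It checks a CSV file against the requirements listed above before you import it (exact header, known value_type, a value that is valid for its type, lower-cased text, IPv4 only), and it models the Domain-entry rules from "Adding Entries to Your Exclude List": a plain Domain entry covers the domain plus email addresses and URLs on it, while a *.domain entry covers subdomains only. The sample CSV is constructed, and two of its rows are deliberately invalid. One assumption: the guide does not say whether a *.domain entry also covers email addresses and URLs on subdomains, and this code treats it as if it does.

```python
"""Validate an Exclude List CSV and model the Exclude List matching rules.

Added example, not Anomali code: it encodes the CSV requirements and the entry
guidelines stated in this section. SAMPLE_CSV is constructed. Assumption: a
"*.domain" entry also covers e-mail addresses and URLs on subdomains.
"""
import csv
import io
import ipaddress
import re
from urllib.parse import urlparse

HEADER = ["value_type", "value", "notes"]
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:\*\.)?(?:{LABEL}\.)+{LABEL}$")  # optional *. wildcard prefix
EMAIL_RE = re.compile(rf"^[a-z0-9._%+-]+@(?:{LABEL}\.)+{LABEL}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def _valid_ipv4(value):
    try:
        ipaddress.IPv4Address(value)  # IPv6 is rejected: not supported on the Exclude List
        return True
    except ValueError:
        return False


def _valid_cidr(value):
    try:
        return "/" in value and ipaddress.IPv4Network(value, strict=True) is not None
    except ValueError:
        return False


def _valid_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


VALIDATORS = {
    "domain": lambda v: DOMAIN_RE.match(v) is not None,
    "email": lambda v: EMAIL_RE.match(v) is not None,
    "ip": _valid_ipv4,
    "md5": lambda v: MD5_RE.match(v) is not None,
    "url": _valid_url,
    "user-agent": lambda v: bool(v.strip()),
    "cidr": _valid_cidr,
}


def validate_exclude_csv(text):
    """Return (entries, errors): entries are (value_type, value, notes) tuples that
    meet every requirement; errors name the offending line and the rule it breaks."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != HEADER:
        return [], ["line 1: header must be exactly 'value_type,value,notes'"]
    entries, errors = [], []
    for n, row in enumerate(rows[1:], start=2):
        if not row:
            continue  # blank line
        if len(row) > 3:
            errors.append(f"line {n}: too many columns (quote notes that contain commas)")
            continue
        vtype, value, notes = (row + ["", ""])[:3]
        if vtype not in VALIDATORS:
            errors.append(f"line {n}: unknown value_type {vtype!r}")
        elif not value:
            errors.append(f"line {n}: value is required")
        elif value != value.lower() or notes != notes.lower():
            errors.append(f"line {n}: all text must be lower-cased")
        elif not VALIDATORS[vtype](value):
            errors.append(f"line {n}: {value!r} is not a valid {vtype}")
        else:
            entries.append((vtype, value, notes))
    return entries, errors


def _host_of(vtype, value):
    """Host part of a host-based observable (domain, email, url); None otherwise."""
    if vtype == "domain":
        return value
    if vtype == "email":
        return value.rsplit("@", 1)[-1]
    if vtype == "url":
        return urlparse(value).hostname or ""
    return None


def is_excluded(entries, vtype, value):
    """A plain Domain entry covers the domain plus e-mail addresses and URLs on it;
    a '*.domain' entry covers subdomains only, never the domain itself."""
    value = value.lower()  # entries are normalized to lower-case when added
    host = _host_of(vtype, value)
    for etype, evalue, _notes in entries:
        if etype == vtype and evalue == value:
            return True
        if etype == "domain" and host is not None:
            if evalue.startswith("*.") and host.endswith(evalue[1:]):
                return True
            if not evalue.startswith("*.") and host == evalue:
                return True
    return False


# Constructed sample: the IPv6 row and the /33 CIDR row are deliberately invalid.
SAMPLE_CSV = """value_type,value,notes
domain,example.com,corporate domain
domain,*.example.com,all corporate subdomains
email,account@example.org,
ip,1.2.3.4,
ip,2001:db8::1,ipv6 is not accepted
md5,fe01ce2a7fbac8fafaed7c982a04e229,
url,http://example.com,
user-agent,myagent1,
cidr,192.0.2.0/24,
cidr,192.0.2.0/33,bad prefix length
"""
```

Running validate_exclude_csv on a file before importing it gives you line-numbered reasons for a rejection instead of a bare failed import, and is_excluded lets you confirm that an entry covers what you expect (for instance that example.com alone does not cover my.example.com) before relying on it.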
Editing Exclude List Entries
You can edit the contextual notes associated with existing exclude list entries. Only
one entry can be edited at a time.
To edit Exclude List entries:
1. In the top navigation bar, click and then Exclude List.
2. Select the entry you want to edit.
3. In the Actions menu, click Edit note.
4. Make desired edits to the note.
5. Click Save Change.
Changes are reflected in the Notes column of the Exclude List table.
Removing Entries from Your Exclude List
You can remove multiple entries from your Exclude List at once.
To remove entries from your Exclude List:
1. In the top navigation bar, click and then Exclude List.
2. Select the entries you want to remove.
3. In the Actions menu, click Remove.
Exporting Exclude List Entries
You can export a complete list of your Exclude List entries in CSV format.
To export Exclude List entries:
1. In the top navigation bar, click and then Exclude List.
2. In the Actions menu, click Export CSV.
Your download starts immediately.
Integrating With Third-Party Services
ThreatStream provides integrations with third-party services for Sandbox, DNS,
ticket management and more. Most third party services require that you obtain
credentials from the vendor before you can activate integrations on ThreatStream.
Once you configure the user credentials for these services on ThreatStream, they
are available for use by your organization.
Unless otherwise noted, integrations listed on this screen support both paid and free
subscriptions. As such, there is no distinction between paid and free integrations. In
cases where services support paid and free subscriptions, both paid and free
credentials can be used to activate the same service.
Note: Only org admins can activate third party services on ThreatStream.
The Integrations screen includes a filter to help you browse available third-party
integrations.
You can filter on the following integration types:
l Integration—integrations with third party services such as ticket management
tools, sandboxes, DNS services, and more. See "Activating Integrations and
Feeds" on the next page for more information.
l Enrichment—data enrichment services that enable you to leverage third party
data on observable details pages or the explore pivoting tool. See "Activating
Enrichments" on page 135 for more information.
l Free—integrations which can be activated at no cost. In most cases, free
registration with the service is required before activation.
l Feed—premium threat intelligence feeds. See "Activating Integrations and
Feeds" on the next page for more information.
Integrations and Feeds
The following integrations and feeds are available. See the corresponding section
below for information on activating and using each one:
l Cofense
l CrowdStrike
l DomainTools
l IBM Resilient
l JIRA
l Joe Sandbox
l OpenDNS Umbrella
l ServiceNow
l Splunk Cloud
l VMRay
l Zscaler
Enrichments
The following third-party data enrichments are available. See the corresponding
section below for information on activating and using each one:
l AbuseIPDB
l AlienVault ThreatCrowd
l Anomali GeoIP
l Anomali Open Ports
l Anomali Whois History
l CipherTrace Sentry
l Cisco Umbrella Investigate
l DNSTwister
l DomainTools Iris
l Farsight DNSDB
l GreyNoise
l Have I Been Pwned?
l HYAS Insight
l Hybrid Analysis
l Pastebin Dump Collection
l PolySwarm
l Qualys
l Recorded Future
l ReversingLabs
l RiskIQ
l Shodan
l Silobreaker
l Splunk Sightings
l Spur IP Context
l URLScan.io
l VirusTotal v2
l VirusTotal v3
l Web Of Trust
Activating Integrations and Feeds
To activate Integrations and Feeds listed on the integrations screen, click Activate
in the box corresponding to the service of interest and enter the required credentials.
You are responsible for registering with the service and obtaining the required
credentials.
Integrating with Cofense Intelligence
If your organization subscribes to the Cofense Intelligence service, enter your API
Username and API Password to receive intelligence from Cofense.
Note: The Cofense Intelligence activation widget is not displayed on the
Integrations tab unless you have subscribed to the Cofense Intelligence service
in the ThreatStream APP Store. See "Subscribing to Premium Threat
Intelligence Streams" on page 547 for more information on the APP Store.
To activate purchased Cofense intelligence streams:
1. In the top navigation bar, click and then Integrations.
2. Click Activate in the Cofense box.
3. Enter the API Username and API Password you received upon purchasing the
stream.
4. Click Save.
Integrating with CrowdStrike
If your organization subscribes to the CrowdStrike service, you can activate the
Crowdstrike Falcon X feed from the APP Store. See "Credentialed Activation" on
page 549 for more information.
Integrating with DomainTools
The DomainTools integration enables you to view Whois data provided by
DomainTools from observable details pages.
If Whois data is available for an observable, you can toggle between viewing Whois
data provided by Anomali and Whois data provided by DomainTools. An additional
dropdown menu is available on the Whois tab of observable details pages.
To integrate with DomainTools:
1. In the top navigation bar, click and then Integrations.
2. Click Activate in the DomainTools box.
3. Enter the Username you use to log in to DomainTools.
4. Enter the API Key provided to you by DomainTools.
5. Click Save.
The status button for the service changes to Deactivate. The service is
activated.
Integrating with IBM Resilient
The ThreatStream integration with IBM Resilient enables you to export investigation
information to IBM Resilient in the form of Incidents.
After activating the integration, a Create/Update IBM Resilient Incident option is
available from the Actions menu within investigations on ThreatStream.
The table below lists the ThreatStream investigation fields included in exports and
the IBM Resilient fields to which they are mapped in resulting Incidents.
ThreatStream Investigation Field    IBM Resilient Incident Field
Description                         Description
Observables                         Artifacts
Priority                            Priority
Title                               Title
In addition to creating new IBM Resilient Incidents through the integration, you can
run the integration on previously exported ThreatStream investigations to update
corresponding Incidents within IBM Resilient.
In order to send investigation information to IBM Resilient, you must activate the
integration. To activate the integration, you must have a subscription to
IBM Resilient.
To activate IBM Resilient integrations:
1. In the top navigation bar, click and then Integrations.
2. Click Activate in the IBM Resilient box.
3. Enter your IBM Resilient Instance URL.
4. Enter your IBM Resilient Organization Name.
5. Enter your IBM Resilient Email.
6. Enter your IBM Resilient Password.
7. Click Save.
Integrating with JIRA
The JIRA integration enables you to create and update JIRA tickets from the
Investigations user interface within ThreatStream. The following is an example of a
JIRA ticket created through the integration:
JIRA tickets are bidirectionally linked to the investigations from which they are
created. The JIRA integration enables you to update JIRA tickets from
ThreatStream without connecting to the JIRA user interface. Likewise, ticket status
updates made within JIRA are reflected on investigations from which tickets were
created.
Linked JIRA tickets are listed under JIRA Issues in the investigation.
You can click the ticket number to view full ticket details in JIRA.
Additionally, JIRA integration activity is logged in the History section of the
investigation.
For more information on using investigations in ThreatStream, see "Investigating
Threats in ThreatStream" on page 325.
Creating JIRA Tickets from ThreatStream
JIRA tickets created through the JIRA integration reflect information from the
investigation where ticket creation was executed. The table below lists the
investigation fields from which content is pulled and the fields in JIRA to which they
are mapped.
Investigation Field    JIRA Field
Name                   Summary
Tags                   Labels
Description            Description
Note: In addition to the content contained in the investigation description,
JIRA descriptions contain a link to the investigation in ThreatStream and the
email address of the user that created the ticket.
Additionally, the JIRA user whose account was used to activate the integration is
made Reporter of resulting JIRA tickets.
To create a JIRA ticket from ThreatStream:
1. Navigate to the investigation for which you want to create a JIRA ticket.
2. In the Actions menu, click Create a JIRA ticket.
3. On the resulting window, the default JIRA Project and Issue Type settings are
displayed. If desired, modify the settings.
4. Click Create. The following message indicates that a JIRA ticket was created
successfully:
Click the ticket number in the message to view the ticket in JIRA.
Updating JIRA Tickets from ThreatStream
From the investigation, you can update the JIRA Summary, Description, Labels, and
Status. Updates to mapped fields within investigations are not automatically
synchronized to linked JIRA tickets and must be manually pushed.
Note: Updates to JIRA summaries are not reflected on the Investigations user
interface in ThreatStream when made on JIRA.
To update a linked JIRA ticket from an investigation:
1. Navigate to the investigation of interest.
2. After making desired updates to the investigation Description, Name, or Tags,
click the status of the JIRA ticket you want to update under JIRA Issues.
3. On the resulting window, select the JIRA fields you want to update. You can also
select a new Status for the JIRA ticket.
4. Click Update.
Updates are immediately pushed to JIRA.
Removing JIRA Tickets from Investigations
The JIRA integration also allows you to unlink JIRA tickets and the investigations
from which they were created. When you remove JIRA tickets from investigations,
tickets are not deleted in JIRA. Rather, tickets are no longer displayed on
investigations and updates can no longer be synchronized.
Only Org Admins, and non-admin users for the tickets they created themselves,
can remove tickets from investigations.
Note: Removing JIRA tickets from investigations is final and cannot be undone.
To remove a JIRA ticket from an investigation:
1. Navigate to the investigation of interest.
2. Under JIRA Issues, click the JIRA ticket you want to remove.
3. On the resulting window, click Remove from investigation.
The JIRA ticket is immediately removed from the investigation.
Activating the JIRA Integration
Activating the JIRA integration involves specifying your JIRA credentials and
configuring default settings for tickets created through the integration.
To activate the JIRA integration:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the JIRA box. Information on the integration is displayed.
You can click the Source link to visit the JIRA website. Under License, Anomali
license indicates that the integration was developed by Anomali and is therefore
subject to its terms of service.
3. To proceed with activation, enter the following information:
Field           Description
Instance URL    URL of the JIRA instance used by your organization.
                Example: https://mycompany.atlassian.net
Email           Email address associated with the JIRA account you want to use
                for activation.
                Note: The user associated with this email address is listed as
                the Reporter for all JIRA tickets created through the
                integration.
API Key         API key associated with the account whose email you specified.
                For information on obtaining your API key, see
                https://support.atlassian.com/statuspage/docs/create-and-manage-api-keys/
4. Click Activate.
Note: A 403 error means JIRA rejected the request. Verify that the API key
is correct and that the account it belongs to has access to the instance, then
try again.
5. After activation, select a Default project and Default issue type for tickets
created through the integration.
6. Click OK.
The integration is active and ready for use.
Integrating with Joe Sandbox
If desired, you can use an individual Joe Sandbox subscription instead of the
ThreatStream provided Joe Sandbox service or the default ThreatStream Sandbox
service. Malware you submit is sent to Joe Sandbox for detonation. Results of
detonation are obtained and displayed on ThreatStream. See "Activating Joe
Sandbox" on page 621 for more information.
Integrating with OpenDNS Umbrella
If your organization uses OpenDNS for DNS services, you can integrate a domain
feed from ThreatStream to OpenDNS. The domain feed updates every four hours
to ensure your OpenDNS uses the latest threat intelligence.
When integrated, the top 10,000 domains from ThreatStream populate a Custom
Integration List set up on OpenDNS based on a search filter that you specify in
ThreatStream.
There are two steps to setting up the integration:
1. Generate an OpenDNS Customer Key.
2. Activate the integration within ThreatStream.
To generate an OpenDNS Umbrella Customer Key:
1. Login to OpenDNS.
2. Click Policies and navigate to Policy Components > Integrations.
3. Click Add.
4. Enter a name for the integration. Example: ThreatStream Domains.
5. Check Enable.
6. Copy the Customer Key from the URL. Customer Keys are located after
customerKey= in the URL.
Note: Make sure you only copy the Customer Key and not the entire URL.
7. Click Save.
To integrate ThreatStream with OpenDNS:
1. Login to the ThreatStream portal.
2. In the top navigation bar, click and then Integrations.
3. Click Activate in the OpenDNS Umbrella box.
4. Paste or enter your OpenDNS Customer Key.
Note: Make sure you enter only the Customer Key and not the entire
URL that contains the key.
5. Enter a Filter Query. For more on constructing a search query, see
"Constructing Advanced Search Filters" on page 262.
For example:
(status="active") AND (type=domain) AND (confidence>=85) AND (modified_ts>=90d) AND (severity!=low) AND (severity!=medium)
Notes:
- As a best practice, test your filter on the Advanced Search screen. Note
that only the top 10,000 domains returned for the filter will be sent to
OpenDNS.
- Regardless of the filter you enter, only domain observables with active
status will be sent to OpenDNS. The filter you specify can be used to restrict
the observables sent to OpenDNS to a more specific subset.
6. Click Save.
The status button for the service changes to Deactivate. The service is
activated.
To verify that your OpenDNS integration is active:
1. Login to OpenDNS.
2. Click Configuration and navigate to System Settings > Integrations.
3. Expand the ThreatStream integration.
4. Click See Domains.
5. Verify that the list of domains is populated.
Integrating with ServiceNow
ThreatStream provides a bidirectional integration with ServiceNow, which enables
you to:
l Create or update ServiceNow security incidents with details and observables
from ThreatStream investigations. To achieve this, you must enable the
ServiceNow integration on ThreatStream using the steps in "Activating the
ServiceNow Integration" on the next page.
l Create or update ThreatStream investigations from ServiceNow security
incidents. To achieve this, you must install the Anomali ServiceNow Integration
on your ServiceNow system using the steps in the Anomali ThreatStream
ServiceNow Integration Installation and Configuration Guide. To locate this guide
and the Anomali ServiceNow App, search for "Anomali ThreatStream Integration"
on the ServiceNow Store. Look for Installation Guide under Supporting Links and
Docs.
After activating the integration, you can create a security incident in ServiceNow by
clicking Create/Update a Security Incident in ServiceNow in the Investigation
menu from an investigation in ThreatStream.
When you take this action, two tags are added to the investigation. These tags link
the investigation to the created security incident, and are used to update the security
incident after initial creation. To update a security incident with the latest
investigation information, click Create/Update a Security Incident in
ServiceNow. If the tags on the investigation match a security incident in
ServiceNow, the existing security incident is updated.
Note: You must take action to update the security incident. Information is not
automatically synchronized.
Activating the ServiceNow Integration
To activate the ServiceNow integration:
1. In the top navigation bar, click and then Integrations.
2. Click Activate in the ServiceNow box.
3. Under Instance ID, enter your ServiceNow instance name.
4. Enter your ServiceNow Username.
5. Enter your ServiceNow Password.
6. Click Save.
The ServiceNow integration is now active.
Integrating with Splunk Cloud
If your organization subscribes to the Splunk Cloud service, you can use this
integration to send intelligence from ThreatStream to the Splunk Cloud.
ThreatStream generates intelligence snapshots based on a filter you specify. Before
generating intelligence snapshots, ThreatStream removes observables that match
entries on your organization Exclude List from the snapshot.
To integrate ThreatStream with Splunk Cloud:
1. In the top navigation bar, click and then Integrations.
2. Click Activate in the Splunk Cloud box.
3. Enter a Search Filter. This determines which observables are included in
snapshot downloads. For a list of valid fields and operators, see Search
Operators.
4. Click Save.
Integrating with VMRay
ThreatStream enables integration with VMRay for sandbox detonation from the
ThreatStream user interface. For more information on activating the subscription-
based or freemium VMRay integration, see "Activating VMRay" on page 623.
Integrating with Zscaler
When activated, ThreatStream forwards IP addresses, domains, and URLs to
Zscaler on a daily basis for blocking. ThreatStream will forward a maximum of
25,000 observables based on a search query that you define.
Your organization must have a Service Account on Zscaler with API access to
activate this integration. Observables are stored on Zscaler in a User Defined
URL Category named anomali.
To integrate with Zscaler:
1. In the top navigation bar, click and then Integrations.
2. Click Activate in the Zscaler box.
3. Enter your Zscaler API Base URI.
Tip: See Getting Started in the Zscaler API documentation for information
on retrieving the base URI.
4. Enter your Username associated with the Zscaler API.
5. Enter your Zscaler Password.
6. Enter your Zscaler API Key.
Tips:
- See Getting Started in the Zscaler API documentation for information on
retrieving your API key.
- See About API Key Management for information on regenerating your
API key.
7. Enter a Search Query that defines the subset of data you want to send to
Zscaler. See "Constructing Advanced Search Filters" on page 262 for more
information.
8. Click Save.
Note: Data is synchronized between ThreatStream and Zscaler on a daily basis.
Therefore, it may take up to 24 hours for "anomali" to propagate in Zscaler as a
URL Category. You must wait for this category to propagate before configuring a
URL filtering policy in Zscaler.
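The following script is an added example and not Anomali code. Both the OpenDNS Umbrella and the Zscaler integrations above push whatever a search filter selects, subject to limits the guide states but the filter itself does not show: OpenDNS only ever receives active domain observables and at most 10,000 of them, and Zscaler receives IP addresses, domains and URLs, at most 25,000. The script evaluates a filter written in the syntax shown in the OpenDNS example (parenthesised field/operator/value clauses joined by AND, with relative times such as 90d) over a constructed set of observables and applies those limits, so you can see what would actually be forwarded before saving the integration. Assumptions: the grammar is restricted to that syntax, and the "top" results are taken in descending confidence order, which the guide does not specify.

```python
"""Preview which observables a ThreatStream search filter would forward to OpenDNS
or Zscaler.

Added example, not Anomali code. It implements only the filter syntax shown in the
OpenDNS example (parenthesised field/operator/value clauses joined by AND) plus
the limits the guide states. Ordering by descending confidence is an assumption.
The observables below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

CLAUSE_RE = re.compile(r'\(\s*(\w+)\s*(>=|<=|!=|=|>|<)\s*"?([^"()]+?)"?\s*\)')
RELATIVE_RE = re.compile(r"^(\d+)d$")  # e.g. 90d = modified within the last 90 days
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def parse_filter(query):
    """Split a filter into (field, op, value) clauses; refuse syntax this grammar lacks."""
    clauses = CLAUSE_RE.findall(query)
    leftover = CLAUSE_RE.sub("", query).replace("AND", "").strip()
    if not clauses or leftover:
        raise ValueError(f"unsupported filter syntax near {leftover!r}")
    return clauses


def matches(observable, clauses, now):
    """True when every clause holds for the observable (AND semantics)."""
    for field, op, value in clauses:
        actual = observable.get(field)
        if actual is None:
            return False
        relative = RELATIVE_RE.match(value)
        if relative and isinstance(actual, datetime):
            wanted = now - timedelta(days=int(relative.group(1)))
        elif isinstance(actual, (int, float)):
            wanted = float(value)
        else:
            wanted = value
        if not OPS[op](actual, wanted):
            return False
    return True


def select_for_forwarding(observables, query, now, allowed_types, limit, active_only=False):
    """Apply the filter, then the integration's type/status rules, then the cap."""
    clauses = parse_filter(query)
    chosen = [o for o in observables
              if o["type"] in allowed_types
              and (not active_only or o["status"] == "active")
              and matches(o, clauses, now)]
    chosen.sort(key=lambda o: o["confidence"], reverse=True)  # assumption: "top" = highest confidence
    return [o["value"] for o in chosen[:limit]]


def select_for_opendns(observables, query, now):
    # Guide: only active domain observables are sent, and only the top 10,000.
    return select_for_forwarding(observables, query, now, {"domain"}, 10000, active_only=True)


def select_for_zscaler(observables, query, now):
    # Guide: IP addresses, domains and URLs, at most 25,000 per daily sync.
    return select_for_forwarding(observables, query, now, {"ip", "domain", "url"}, 25000)


NOW = datetime(2021, 8, 27, tzinfo=timezone.utc)
def _obs(value, type_, status, confidence, severity, age_days):
    return {"value": value, "type": type_, "status": status, "confidence": confidence,
            "severity": severity, "modified_ts": NOW - timedelta(days=age_days)}

# Constructed observables covering each way an entry can fall out of the OpenDNS push.
SAMPLE = [
    _obs("bad-domain.example", "domain", "active", 92, "high", 5),
    _obs("stale.example", "domain", "active", 95, "high", 120),       # too old for 90d
    _obs("lowconf.example", "domain", "active", 40, "very-high", 1),  # below confidence
    _obs("inactive.example", "domain", "inactive", 99, "very-high", 2),
    _obs("198.51.100.7", "ip", "active", 99, "very-high", 2),         # not a domain
    _obs("medium.example", "domain", "active", 90, "medium", 3),      # excluded severity
    _obs("worst.example", "domain", "active", 97, "very-high", 10),
]
EXAMPLE_QUERY = ('(status="active") AND (type=domain) AND (confidence>=85) AND '
                 '(modified_ts>=90d) AND (severity!=low) AND (severity!=medium)')

if __name__ == "__main__":
    print("OpenDNS would receive:", select_for_opendns(SAMPLE, EXAMPLE_QUERY, NOW))
    print("Zscaler would receive:", select_for_zscaler(SAMPLE, '(status="active")', NOW))
```

The Zscaler selector deliberately does not force status=active, because the guide does not say Zscaler filters on status; if you want only active observables blocked, put (status="active") in the Search Query yourself, as the OpenDNS example does.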
Activating Enrichments
To activate Enrichments listed on the integrations screen, click Set Up in the box
corresponding to the service of interest and use the resulting set up wizard to
complete activation.
For free enrichments, you can click Register with vendor to visit the registration
page of the vendor. Once you have registered, click I Have Already Registered on
the wizard to enter the credentials you obtained during registration.
For enrichments that require a paid subscription, you are responsible for registering
with the vendor. Click the Source link to visit the website of the vendor.
Enriching Data with AbuseIPDB
AbuseIPDB provides a central list for web administrators, system administrators,
and other stakeholders to report and reference IP addresses associated with
malicious activity.
When activated, the AbuseIPDB enrichment enables you to leverage AbuseIPDB
data enrichments on IP observables from observable details pages in
ThreatStream.
ThreatStream consumes and displays the following information from AbuseIPDB:
l Summary Information (Abuse Confidence Score, Is in Exclude List, Total Reports
in Last 365 Days, Last Reported)
l Individual Reports
l Geo Information
You must have an API Key from AbuseIPDB in order to activate this enrichment.
To activate the AbuseIPDB enrichment:
1. If you do not have an AbuseIPDB account, use these steps to register and obtain
your API key:
a. Visit the AbuseIPDB registration page, enter the required information, and
click Register. After completing this step, AbuseIPDB sends you an
activation email.
b. Locate the AbuseIPDB activation email in your inbox and click confirm your
email. You are redirected to the AbuseIPDB profile settings screen.
c. On the APIv2 tab, click Create Key.
d. Enter a Name for the key and click Create. You will use the resulting API key
to activate the enrichment on the ThreatStream user interface.
2. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
3. Click Set Up in the AbuseIPDB box.
4. Click I have already registered.
5. Enter your AbuseIPDB API Key.
6. Click Activate.
The AbuseIPDB enrichment is now active.
Notes:
- To learn more about the AbuseIPDB public API, visit
https://docs.abuseipdb.com/#introduction
- The AbuseIPDB public API imposes the following daily quotas: 1,000 IP checks
and reports, 100 IP block checks, and 100 exclude list checks.
Enriching Data with AlienVault ThreatCrowd
AlienVault ThreatCrowd enables you to identify infrastructure and Malware related
to objects such as domains, IP addresses, email addresses, file hashes, and
antivirus detections. When activated, you can leverage AlienVault ThreatCrowd
data from observable details pages and the Explore pivoting tool for domain, email,
IP, and hash observables.
On Explore, ThreatCrowd enables the following data transformations:
l Enrich Email
l Enrich Domain
l Enrich Hash
l Enrich IP
Enrichment data is also available on the ThreatCrowd tab in the Enrichments
section on observable details pages. The following is an example of ThreatCrowd
data returned on an IP address.
The ThreatCrowd enrichment returns the following information for each observable
type on the ThreatCrowd tab:
Observable Type    Enrichment Data
Domain             Files that talk to the domain, DNS Resolutions, Subdomains
Email              Reverse E-mail
IP                 Malicious status, Reverse DNS, Malware
Hash               Related hashes, domains, IPs, and Antivirus references
To read more about ThreatCrowd, see https://otx.alienvault.com.
To activate the ThreatCrowd enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the AlienVault ThreatCrowd box.
3. Click Activate.
The ThreatCrowd enrichment is now active.
Enriching Data with Anomali GeoIP
The Anomali GeoIP enrichment provides geographical information on
IP observables and their associated ISPs. You can leverage Anomali GeoIP from
the Explore pivoting tool after activation.
Anomali GeoIP enables the following data transformations:
- IP to All
- IP to ASN
- IP to City Name
- IP to Connection Type
- IP to Continent Name
- IP to Country Name
- IP to ISP
- IP to ISP Country Name
- IP to Longitude
- IP to Org Name
- IP to Postal Code
- IP to Region Name
- IP to Time Zone
Executing the IP to All transformation runs all GeoIP transformations and returns all
available data.
To activate the Anomali GeoIP enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Anomali GeoIP box.
3. Click I have already registered.
4. Enter your Anomali GeoIP API Key.
5. Click Activate.
The Anomali GeoIP enrichment is now active.
Enriching Data with Anomali Open Ports
The Anomali Open Ports enrichment provides a history of open ports and services
for IP addresses (v4 only) on an interactive timeline.
When activated, Anomali Open Ports displays enrichment data on the Open Ports
tab in the Enrichments section of observable details pages.
To activate the Open Ports enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Anomali Open Ports box.
3. Click Activate.
The Anomali Open Ports enrichment is now active.
Enriching Data with Anomali Whois History
The Anomali Whois History enrichment leverages data from various providers and
internal databases to provide details on target hosts.
When activated, Anomali Whois History displays Whois data for domains on the
Whois History tab in the Enrichments section of observable details pages. The
enrichment calls attention to updated information by displaying it in red text.
To activate the Whois History enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Whois History box.
3. Click Activate.
The Whois History enrichment is now active.
Enriching Data with Cisco Umbrella Investigate
When activated, Cisco Umbrella Investigate (formerly OpenDNS Investigate)
enables you to pivot on domains, IP addresses (v4 only), email addresses, and
hashes. Enrichment data is also displayed on details pages for domains, email
addresses, IP addresses (v4 only), hashes, and URLs.
You can leverage Cisco Umbrella Investigate data in the Cisco Umbrella menu item
on Explore after activation.
Cisco Umbrella Investigate enables the following data transformations:
- Domain to Risk Score: provides the likelihood that a domain is related to
malicious activity.
- Hash to Connections: returns IP addresses and domains related to the hash.
- Domain to Related Domains: returns domains looked up within 60 seconds of
accessing the selected domain.
- IP to Domains: returns domains that resolve to the IP address.
- Domain to Registrants: returns email addresses parsed from Whois data for the
domain.
- Domain to IPs: returns IP addresses that resolve to the domain.
- Domain to Co-Occurrences: returns domains that are queried along with the
domain.
- Registrant to Domains: returns domains registered with the email address.
- Domain to NS IPs: returns name server IP addresses for the domain.
- Domain to Samples: returns samples that have beaconed to the domain.
- Domain to ASNs: returns ASNs to which the domain has resolved.
Enrichment data is also available on observable details pages. The following is an
example of enrichment data returned on a domain.
The above DNS queries chart is fully interactive. Click and drag to zoom in on
selected data.
The Cisco Umbrella Investigate enrichment returns the following information for
each observable type:
Observable Type Enrichment Data
Domain: DNS Queries, Requester Distribution (by country), Associated Samples,
IP Addresses, Security Features, DGA Detection, Subdomains, Name Servers,
Co-occurrences, Related Domains
URL: Subdomains, Associated Samples
IP: AS, Malicious Domains, Associated Samples, Known Domains
Email: Associated Domains
Hash: Behavioral Indicators, Network Connections, Associated Samples
To read more about Cisco Umbrella Investigate, see
https://docs.umbrella.com/investigate-ui/docs.
To activate the Cisco Umbrella Investigate enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Cisco Umbrella Investigate box.
3. Click I have already registered.
4. Enter your Cisco Umbrella Investigate API Key.
5. Click Activate.
The Cisco Umbrella Investigate enrichment is now active.
Enriching Data with Deloitte Codex
The Deloitte Codex enrichment gives you context on malware, including the APT
names used by multiple vendors, easy-to-understand malware naming and typing,
execution information, and more. Enrichment information is displayed in the
Enrichments section of observable details pages for domain, IP, email, hash, and
URL observables.
View documentation on the Deloitte Codex enrichment for Anomali
If you have an active Deloitte Codex account, you can activate the enrichment with
your Deloitte Codex username and password from the Integrations tab within
ThreatStream settings.
To activate the Deloitte Codex enrichment:
1. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
2. Click Set Up in the Deloitte Codex box.
3. Click I have already registered.
4. Enter your Deloitte Codex Username and Password.
5. Specify a Query Limit to limit the number of records returned when querying
Deloitte. The default is 25. Specifying a query limit of 0 implies no limit.
6. Click Activate.
The Deloitte Codex enrichment is now active.
Enriching Data with DNSTwister
DNSTwister generates a list of variations of any domain name and populates
Explore charts with the subset of the variations that have been registered. You can
leverage DNSTwister from the Explore pivoting tool after activation.
DNSTwister enables the following data transformations:
- Addition—Returns variations in which a character is inserted at the end of the
preliminary domain.
- Bitsquatting—Returns variations in which a single character is altered from the
preliminary domain.
- Hyphenation—Returns variations in which hyphens are added to the preliminary
domain.
- Homoglyph—Returns variations that include lookalike Unicode characters.
- Insertion—Returns variations in which a single character is added throughout
the preliminary domain.
- Omission—Returns variations in which a single character is removed from the
preliminary domain.
- Repetition—Returns variations that include an additional repeating character.
- Replacement—Returns variations in which a single character replaces any
original character from the preliminary domain.
- Subdomain—Returns subdomains created as a result of adding a period to the
domain.
- Transposition—Returns variations in which two characters exchange places in
the preliminary domain.
- Vowel Swap—Returns variations in which vowels from the preliminary domain
are replaced with others.
- Various—Returns any variations provided by DNSTwister which do not fit into
any of the above categories.
Additionally, a Run All transformation enables you to return all variations of the
domain at once.
Note: To ensure all observables are returned, set the Node Search Limit to at
least 100.
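The following is an added example, not DNSTwister's own code, that generates candidate lookalike domains in the transformation categories listed above (all but Various) so a defender can check which of them have actually been registered; the homoglyph table is a small constructed subset of real lookalike characters.

```python
"""Domain permutation generator in the DNSTwister transformation categories
listed above. Added example, not DNSTwister's code: the homoglyph table is a
constructed ASCII-only subset, and the output is meant to be fed to a
registration or passive DNS lookup to watch for lookalikes of your own domain."""
import re
import string

ALNUM = string.ascii_lowercase + string.digits
VOWELS = "aeiou"
# Constructed subset; DNSTwister's real table is far larger and includes
# many non-ASCII lookalikes.
HOMOGLYPHS = {"o": "0", "l": "1i", "i": "1l", "e": "3", "a": "4", "s": "5", "b": "8"}
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def addition(label):
    """Append one character at the end of the label."""
    return {label + c for c in ALNUM}

def omission(label):
    """Drop one character."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def repetition(label):
    """Double one character."""
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}

def transposition(label):
    """Swap two adjacent (different) characters."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1) if label[i] != label[i + 1]}

def replacement(label):
    """Replace one character with any other alphanumeric."""
    return {label[:i] + c + label[i + 1:]
            for i in range(len(label)) for c in ALNUM if c != label[i]}

def insertion(label):
    """Insert one character between existing ones (addition covers the end)."""
    return {label[:i] + c + label[i:] for i in range(1, len(label)) for c in ALNUM}

def hyphenation(label):
    """Insert a hyphen between existing characters."""
    return {label[:i] + "-" + label[i:] for i in range(1, len(label))}

def vowel_swap(label):
    """Replace a vowel with a different vowel."""
    return {label[:i] + v + label[i + 1:]
            for i, ch in enumerate(label) if ch in VOWELS for v in VOWELS if v != ch}

def homoglyph(label):
    """Replace a character with a lookalike from the constructed table."""
    return {label[:i] + g + label[i + 1:]
            for i, ch in enumerate(label) for g in HOMOGLYPHS.get(ch, "")}

def subdomain(label):
    """Insert a period, turning the front of the label into a subdomain."""
    return {label[:i] + "." + label[i:] for i in range(1, len(label))}

def bitsquatting(label):
    """Flip one bit of one character (models bit errors in resolvers/clients)."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in ALNUM + "-" and flipped != ch:
                out.add(label[:i] + flipped + label[i + 1:])
    return out


TRANSFORMS = {
    "addition": addition, "bitsquatting": bitsquatting, "hyphenation": hyphenation,
    "homoglyph": homoglyph, "insertion": insertion, "omission": omission,
    "repetition": repetition, "replacement": replacement, "subdomain": subdomain,
    "transposition": transposition, "vowel_swap": vowel_swap,
}


def valid_hostname(name):
    """Every dot-separated label must be a legal DNS label (no edge hyphens)."""
    return all(LABEL_RE.match(part) for part in name.split("."))


def permutations(domain, kinds=None):
    """Return {candidate_fqdn: {categories}} for the first label of domain,
    applying every category (like DNSTwister's Run All) or only those in kinds."""
    domain = domain.lower()
    label, sep, tld = domain.partition(".")
    found = {}
    for kind, fn in TRANSFORMS.items():
        if kinds is not None and kind not in kinds:
            continue
        for variant in fn(label):
            fqdn = variant + sep + tld
            if fqdn != domain and valid_hostname(fqdn):
                found.setdefault(fqdn, set()).add(kind)
    return found
```

Feeding the keys of `permutations("yourdomain.example")` to a registration or passive DNS lookup yields the registered subset, which is what the Explore chart shows.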
To activate the DNSTwister enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the DNSTwister box.
3. Click I have already registered.
4. Enter your DNSTwister API Key.
5. Click Activate.
The DNSTwister enrichment is now active.
Enriching Data with DomainTools Iris
The DomainTools Iris enrichment enables you to leverage DomainTools data from
the Explore pivoting tool and observable details pages.
If you have a paid DomainTools Iris subscription, you can activate the enrichment
with your paid credentials.
The enrichment is also available on a freemium basis. You can request freemium
access by registering with DomainTools, as described below.
To request freemium access to the DomainTools enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the DomainTools Iris box.
3. Click Register with vendor.
4. Fill out the registration form on the DomainTools website.
DomainTools will provide credentials which you can use to activate the enrichment.
View documentation on the DomainTools enrichment for Anomali
To activate the DomainTools Iris enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the DomainTools Iris box.
3. Click I have already registered.
4. Enter your DomainTools API key and API username.
5. Click Activate.
The DomainTools Iris enrichment is now active.
Enriching Data with Farsight DNSDB
Farsight DNSDB is a freemium enrichment that enables you to leverage Farsight
DNSDB data on the Farsight tab in the Enrichments section on observable details
pages.
Additionally, Farsight provides Passive DNS lookup. If results are available, Passive
DNS data from Farsight is available on the Passive DNS tab.
View documentation on the Farsight DNSDB enrichment for Anomali
To activate the Farsight DNSDB enrichment:
1. If you do not have a Farsight DNSDB Community Edition account, use these
steps to register and obtain your API key:
a. Visit the Farsight DNSDB registration page, enter the required information,
and click Submit. After completing this step, Farsight sends you an
activation email.
b. Locate the Farsight DNSDB activation email in your inbox and complete the
enclosed steps required to activate your account.
c. After activating your account, Farsight sends you an email which contains
your username and API key. You will use this API key to activate the
enrichment on the ThreatStream user interface.
2. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
3. Click Set Up in the Farsight DNSDB box.
4. Click I have already registered.
5. Enter your Farsight DNSDB API Key.
6. Click Activate.
The Farsight DNSDB enrichment is now active.
Notes:
- To learn more about the Farsight DNSDB public API, visit
https://api.dnsdb.info/
- The Farsight DNSDB public API limits requests from individual users to 25 per
hour and 500 per month. Each query is limited to 256 results from the last 90
days.
Enriching Data with Have I Been Pwned?
The Have I Been Pwned enrichment enables you to assess whether an email
address was put at risk due to a data breach.
Have I Been Pwned data can be leveraged on email observables from the Explore
pivoting tool after activation. The enrichment returns domains that are related to
breaches which impacted the email address.
Enrichment data is also available on observable details pages, as displayed in the
following example.
On details pages, Have I Been Pwned? provides Breach and Paste information on
email addresses impacted by breaches.
To activate the Have I Been Pwned? enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Have I Been Pwned? box.
3. Click Activate.
The Have I Been Pwned? enrichment is now active.
To read more about the data provided by Have I Been Pwned?, see
https://haveibeenpwned.com/API/v2
Enriching Data with HYAS Insight
The HYAS Insight enrichment enables you to gain instant context regarding artifacts
associated with an incident on domain and IP address observable details pages in
ThreatStream. Enrichment data is also accessible through the Explore pivoting tool.
View documentation on the HYAS Insight enrichment for Anomali
If you have an active HYAS Insight account, you can activate the enrichment with
your HYAS Insight API key from the Integrations tab within ThreatStream settings.
To activate the HYAS Insight enrichment:
1. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
2. Click Set Up in the HYAS Insight box.
3. Click I have already registered.
4. Enter your HYAS Insight API Key.
5. Click Activate.
The HYAS Insight enrichment is now active.
Enriching Data with Hybrid Analysis
Hybrid Analysis performs in-depth static and dynamic analysis of files. When
activated, the Hybrid Analysis enrichment provides data enrichments for the
following observable types: domains and hashes.
You can leverage Hybrid Analysis data on Explore after activation.
Hybrid Analysis enables the following data transformations:
- Hash to MD5
- Hash to SHA-256
- Hash to Threat Score
- C2 IP to Hash
- Hash to C2 IP
- Hash to All
- Hash to File Name
- Hash to File Type
- Hash to Label
- Hash to Tag
- C2 Host to Hash
- Hash to C2 Host
- Hash to Similar
Enrichment data is available on the Hybrid Analysis tab in the Enrichments section
on hash observable details pages.
The enrichment returns the following information from Hybrid Analysis: Verdict,
Submission Name, Environment Description, AV Detection, Analysis Start Time,
MITRE ATT&CK, DNS Requests, Compromised Hosts, Contacted Hosts, Certificates,
Extracted Files, and Spawned Processes.
To read more about Hybrid Analysis, see https://www.hybrid-analysis.com
To activate the Hybrid Analysis enrichment:
1. If you do not have a Hybrid Analysis account, use these steps to register and
obtain your API key:
a. Visit the Hybrid Analysis registration page, enter the required information,
and click Sign up. After completing this step, Hybrid Analysis sends you an
activation email.
b. Locate the Hybrid Analysis activation email in your inbox and complete the
enclosed steps required to activate your account.
c. Log in to your Hybrid Analysis account.
d. Click Profile in the Hybrid Analysis menu at the top right of the screen.
e. On the API Key tab of the My Account screen, click Create API Key. You will
use the resulting API key and Secret to activate the enrichment on the
ThreatStream user interface.
Note: API Keys and Secrets are only displayed upon creation. Store
your API Key and Secret in a secure location. If you lose your API Key
and Secret, you must regenerate them and reset impacted endpoints.
f. Hybrid Analysis allows vetted researchers to download malicious files or
Malware samples from their service via the user interface or API. To request
this permission, click Upgrade API Key and complete the resulting form.
2. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
3. Click Set Up in the Hybrid Analysis box.
4. Click I have already registered.
5. Enter your Hybrid Analysis API Key.
6. Enter your Hybrid Analysis Secret key.
7. Click Activate.
The Hybrid Analysis enrichment is now active.
Notes:
- To learn more about the Hybrid Analysis public API, visit
https://www.hybrid-analysis.com/apikeys/info
- The Hybrid Analysis public API limits sandbox submissions to 30 per day.
Database requests—such as retrieving sandbox reports, keyword searches, or
downloading samples—are limited to 200 per minute and 2,000 per hour.
Enriching Data with Pastebin Dump Collection
When activated, the Pastebin Dump Collection returns URLs of Pastebin pastes
which contain email addresses of interest.
You can leverage Pastebin Dump Collection data on Explore after activation.
Pastebin Dump Collection enables an Email to URL data transformation.
To activate the Pastebin Dump Collection enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Pastebin Dump Collection box.
3. Click Activate.
The Pastebin Dump Collection enrichment is now active.
Enriching Data with PolySwarm
The PolySwarm enrichment enables you to view reputation service information from
PolySwarm on hash and domain observable details pages in ThreatStream.
View documentation on the PolySwarm enrichment for Anomali
If you have an active PolySwarm account, you can activate the enrichment with your
PolySwarm API key from the Integrations tab within ThreatStream settings.
To activate the PolySwarm enrichment:
1. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
2. Click Set Up in the PolySwarm box.
3. Click I have already registered.
4. Enter your PolySwarm API Key.
Note: You can retrieve your PolySwarm API Key
here: https://polyswarm.network/account/api-keys
5. Click Activate.
The PolySwarm enrichment is now active.
Qualys Vulnerability Management Enrichment
The Qualys Vulnerability Management enrichment renders vulnerable assets in
your network from Qualys on details pages of CVE-compliant vulnerabilities in
ThreatStream. The availability of this network-specific information alongside
vulnerability details in ThreatStream enables you to quickly determine the number of
assets in your network affected by a particular vulnerability.
Each time you open the Qualys tab in the Enrichments section of vulnerability
details pages, the enrichment queries vulnerable assets in Qualys associated with
the CVE identifier in the Title or Tags field of the vulnerability in ThreatStream. If
results are returned, vulnerable assets are displayed on the Qualys tab. Results are
returned for multiple CVEs in cases where the Title or Tags fields contain more than
one CVE identifier.
Note: The enrichment can only retrieve results for vulnerabilities in
ThreatStream which have a CVE identifier, such as CVE-2019-0124, in the Title
or Tags field.
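The lookup described above depends on finding a CVE identifier in the Title or Tags fields. The following is an added example, not Anomali's or Qualys's code, that extracts those identifiers the way a pre-check would, handling multiple CVEs per record and records that carry none; the record layout and sample records are constructed.

```python
"""Find the CVE identifiers in a ThreatStream vulnerability's Title and Tags
fields, which is what the Qualys enrichment described above keys its asset
lookups on. Added example, not Anomali's or Qualys's code; the record layout
and the sample records below are constructed for illustration."""
import re

# 'CVE-', a four-digit year, then at least four digits (identifiers assigned
# since 2014 may carry five or more).
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cves(title, tags=()):
    """Distinct CVE identifiers in title and tags, upper-cased, first-seen order.
    An empty result means the enrichment has nothing to query Qualys with."""
    found = []
    for field in [title, *tags]:
        for m in CVE_PATTERN.finditer(field or ""):
            cve = f"CVE-{m.group(1)}-{m.group(2)}"
            if cve not in found:
                found.append(cve)
    return found


def partition_enrichable(records):
    """Split records into those the Qualys tab can populate (id -> CVE list,
    one lookup per CVE) and those it cannot (no identifier in Title or Tags)."""
    enrichable, skipped = {}, []
    for rec in records:
        cves = extract_cves(rec.get("title", ""), rec.get("tags", []))
        if cves:
            enrichable[rec["id"]] = cves
        else:
            skipped.append(rec["id"])
    return enrichable, skipped


# Constructed sample records; CVE numbers other than CVE-2019-0124 (from the
# guide's own note) are placeholders, not real advisories.
SAMPLE_RECORDS = [
    {"id": "vuln-1", "title": "Privilege escalation flaw (CVE-2019-0124)",
     "tags": ["patch-now", "cve-2019-0124"]},
    {"id": "vuln-2", "title": "Vendor advisory covering two issues",
     "tags": ["CVE-2021-12345", "CVE-2021-0002"]},
    {"id": "vuln-3", "title": "Internal finding, no CVE assigned", "tags": ["CVE-2021"]},
]

if __name__ == "__main__":
    ok, skipped = partition_enrichable(SAMPLE_RECORDS)
    for rec_id, cves in ok.items():
        print(rec_id, "queries Qualys for", ", ".join(cves))
    for rec_id in skipped:
        print(rec_id, "has no CVE identifier; the Qualys tab stays empty")
```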
Activating the Qualys Vulnerability Management Enrichment
Activation involves specifying your Qualys username, password, and API URL.
Depending on the search option you specify, additional configuration is required.
Note: Qualys Community Edition accounts are not supported.
To activate Qualys Vulnerability Management:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Qualys VM box. The following window is displayed:
Information on the enrichment is displayed. Click the Source link to visit the
Qualys website. Under License, Anomali license indicates that the enrichment
was developed by Anomali and is therefore subject to its terms of service.
3. On the Credentials tab, enter the following information:
Field Description
User Name: User name associated with your Qualys account.
The Qualys user whose credentials you will use for activation must have API
access. Additionally, the user must be a manager OR a non-admin user with the
"Allow user full permissions and scope" permission.
To verify API access in Qualys:
a. In Qualys, navigate to User Profile in the account menu.
b. On the User Role tab, ensure Allow access to: API is selected.
c. Click Save.
Password: Password used to log in to your Qualys account.
Note: If your Qualys password contains a colon (:), ThreatStream is unable to
activate the enrichment. You must change your Qualys password to a value that
does not contain colons in order to activate the enrichment.
Qualys API URL: URL to access the API associated with your Qualys account. The
protocol must be included.
Note: To determine the correct API URL for your Qualys platform, see
https://www.qualys.com/platform-identification/
4. On the Settings tab, enter the following information:
Field Description
Search Options: The Qualys Vulnerability Management enrichment enables two
search options. The look and feel of the enrichment differs slightly depending on
the search option you select. Available search options include:
- Query Assets API: Returns the most data from Qualys but can result in timeouts
for large datasets. Fields displayed for returned assets include: Asset Tags, CVE,
Host IP, Host Name, Last Scanned timestamps, OS, and Unpatched Days. Asset
distributions are also depicted on pie charts.
- Create a Qualys Patch Report: For best performance, Anomali recommends this
option for organizations with large datasets. Fields displayed for returned assets
include: Host IP, Host Name, CVE, OS, Last Scanned, Unpatched Days, and Asset
Tags. Patch reports do not include pie charts. Further, patch reports do not include
vulnerabilities for which no patches are available. See "Using the Qualys
Vulnerability Management Enrichment with Qualys Patch Report" on page 162 for
additional features that are available when you use the Qualys Patch Report search
option.
Patch reports are generated based on the date range you select and include
assets from the Asset Group, IP ranges, or tags you specify. You can use multiple
parameters to specify the assets of interest. By default, patch reports are
generated with no date limit and include all assets.
Important: The Qualys user whose credentials you use to activate the enrichment
must have all permissions in Qualys required to generate reports. For more
information on these permissions, see the Launch Report API article in the Qualys
API User Guide: https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf
Note: Patch Reports generated by launching the integration in ThreatStream are
automatically deleted in Qualys after seven days.
Date Range (Patch reports only): Specify the date range for the vulnerability
information you want the patch report to include.
Asset groups (Patch reports only): Specify the asset groups you want the patch
report to include. Asset groups are case-sensitive. Enter the exact name of the
asset group of interest. If entering multiple asset groups, specify one group per
line.
Asset IP(s)/range(s) (Patch reports only): Specify the IP ranges of the assets you
want the patch report to include. If entering multiple IP ranges, specify one IP
range per line.
Asset tags (Patch reports only): Specify the asset tags you want the patch report
to include. All assets associated with the specified tags in Qualys are included.
Asset tags are case-sensitive. Enter the exact name of the asset tag of interest. If
entering multiple tags, specify one tag per line.
Note: Anomali recommends testing the specified asset filter options before
activating the enrichment on ThreatStream. You can test your filter on the
Qualys user interface by navigating to Reports > Templates > New > New
patch template and opening the Findings tab.
5. Click Save Changes.
The Qualys Vulnerability Management enrichment is now active.
Using the Qualys Vulnerability Management Enrichment
After activating the enrichment, vulnerability information from Qualys is retrieved
each time you open the Enrichments tab on a vulnerability details page. You can
click the Host IP of an asset to drill down on asset details within Qualys.
Note: If you are not authenticated to Qualys, clicking the Host IP takes you to the
Qualys login screen. You are not redirected to the asset details page after
logging in. To view the details of the asset in Qualys, click the Host IP within
ThreatStream after authenticating to Qualys.
Using the Qualys Vulnerability Management Enrichment with Qualys Patch
Report
If you configured the enrichment to use the Create a Qualys Patch Report search
option, two additional features are available to you.
First, ThreatStream notifies you when patch reports have been successfully
generated. When you open the Enrichments tab on a vulnerability details page, the
enrichment initiates the patch report generation process. When patch report
generation is complete, you receive a notification on the top navigation bar. If you
navigated away from the details page, you can click the notification to drill down on
the vulnerability and view the patch report.
Note: Notifications are sent on a five minute cadence. Therefore, notifications
are not always displayed immediately when patch reports are complete.
Second, a Refresh button is available. Click Refresh to generate a new patch report
and get the latest information from Qualys.
You cannot click Refresh while patch report generation is in progress.
Exporting Qualys Data in CSV Format
Returned data displayed in the table can be exported in CSV format.
To export Qualys information in CSV format:
1. Navigate to the details page of the vulnerability of interest.
To search for a vulnerability:
a. Navigate to Analyze > Threat Model.
b. Select Vulnerabilities in the filter on the right side of the screen.
Vulnerabilities are not included in search results unless this filter is selected.
c. Enter your search query.
d. Click the name of the vulnerability of interest in the search results to visit its
details page.
See "Threat Model List View" on page 366 for more information on searching for
Threat Model entities.
2. On the vulnerability details page, open the Enrichments tab and click Qualys
VM. If available, details on vulnerable assets in your network are displayed.
3. To export these results in CSV format, click CSV.
Your download starts automatically.
Enriching Data with Recorded Future
The Recorded Future enrichment provides enrichment data on domain, hash, IP
address, and URL observables on observable details pages. It enables you to
leverage Recorded Future data from ThreatStream, without leaving the platform.
Enrichment data is displayed on the Recorded Future tab in the Enrichments section
on hash observable details pages.
In addition to links to Intelligence Cards on the Recorded Future platform, the
enrichment provides the following data from Recorded Future:
- Context (Domain, IP Address, and Hash observables only)
- First References (Domain, IP Address, and Hash observables only)
- Insikt Group Research
- Triggered Risk Rules
- In Threat List (Domain, IP Address, and Hash observables only)
- Reference Count (Domain, IP Address, and Hash observables only)
- Recent References (Domain, IP Address, and Hash observables only)
- Risk Scores
You must obtain the API Key from your Recorded Future account to activate the
Recorded Future enrichment.
To read more about Recorded Future, see https://www.recordedfuture.com/
To activate the Recorded Future enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Recorded Future box.
3. Click I Have Already Registered.
4. Enter your API Key.
5. Click Activate.
Enriching Data with ReversingLabs
The ReversingLabs enrichment enables you to leverage ReversingLabs data from
the Explore pivoting tool.
View documentation on using the ReversingLabs enrichment
If you have a paid ReversingLabs Titanium subscription, you can activate the
enrichment with your paid credentials.
The enrichment is also available on a freemium basis. You can request freemium
access from the APP Store.
To request freemium access to the ReversingLabs enrichment:
1. Navigate to APP Store > APP Store.
2. Locate the ReversingLabs File Intelligence Evaluation Bundle box which
displays a Free tag.
3. Click Request Activation.
4. Read the evaluation agreement, select Accept Terms, and click Send
Activation Request.
ReversingLabs evaluates your request and will provide credentials for activation
via email if it is accepted.
To activate the ReversingLabs enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the ReversingLabs box.
3. Click I have already registered.
4. Enter your TitaniumCloud username, TitaniumCloud password, and
TitaniumCloud address.
5. (Optional) Enter your A1000 address.
6. Click Activate.
The ReversingLabs enrichment is now active.
Enriching Data with Risk IQ
The Risk IQ enrichment enables you to leverage Risk IQ data from observable
details pages and the Explore pivoting tool.
View documentation on the Risk IQ enrichment for Anomali
Additionally, data from Risk IQ is displayed on the Passive DNS and Passive SSL
tabs in the Enrichments section.
You must obtain your API Key from the settings page within Risk IQ to configure the
Risk IQ service.
To activate the Risk IQ enrichment:
1. If you do not have a Risk IQ Community Edition account, use these steps to
register and obtain your API key:
a. Visit the Risk IQ registration page, enter the required information, and click
Register. After completing this step, Risk IQ sends you an activation email.
b. Locate the Risk IQ activation email in your inbox and complete the enclosed
steps required to activate your account.
c. Log in to your Risk IQ account.
d. Click Account Settings in the Risk IQ menu at the top right of the screen.
e. Click Sources and scroll down to the API Access section.
f. Click Show to expose your User API key.
You will use your API key to activate the enrichment on the ThreatStream
user interface.
2. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
3. Click Set up in the Risk IQ box.
4. Click I have already registered.
5. Enter the API Username associated with your Risk IQ account.
6. Enter your API Key.
7. Click Activate.
Notes:
- To learn more about the Risk IQ public API, visit
http://api.passivetotal.org/api/docs/
- The Risk IQ public API limits requests from individual users to 15 per day.
Enriching Data with Shodan
Shodan provides information on devices with internet connectivity—such as device
manufacturer and type—and evaluates services based on its comprehensive
search engine.
When activated, the Shodan enrichment enables you to leverage Shodan data
enrichments on IP address observables from observable details pages in
ThreatStream.
ThreatStream consumes and displays the following information from Shodan:
- HoneyScore—score between zero and one quantifying the likelihood that the
observable is a honeypot.
- Ports—ports used by the IP address.
- Vulnerabilities—vulnerabilities (if any) associated with the IP address.
- Services—information on services hosted by the IP address such as ports,
protocols, modules, products, and service content.
- Geo Information—information about the IP address such as country,
organization, ISP, last update, hostnames, and ASNs.
A View on Shodan link is also available, enabling you to view raw enrichment data
from the Shodan user interface.
You must have an API Key from Shodan in order to activate this enrichment.
To activate the Shodan enrichment:
1. If you do not have a Shodan account, use these steps to register and obtain
your API key:
a. Visit the Shodan registration page, enter the required information, and click
Register. After completing this step, Shodan sends you an activation email.
b. Locate the Shodan activation email in your inbox and click the enclosed
link to activate your account. You are redirected to the Shodan login screen.
c. After logging in to Shodan, the Account Overview screen is displayed. Your
API key is listed at the top of the screen.
You will use the resulting API key to activate the enrichment on the
ThreatStream user interface.
2. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
3. Click Set Up in the Shodan box.
4. Click I have already registered.
5. Enter your Shodan API Key.
6. Click Activate.
The Shodan enrichment is now active.
Notes:
- To learn more about the Shodan public API, visit
https://developer.shodan.io/api
- The Shodan public API limits requests from individual users to 100 query
credits per month.
Splunk Sightings Enrichment
The Splunk Sightings enrichment renders matched raw events from your Splunk
Cloud instance on observable details pages, accessible by drilling down on an
observable in ThreatStream. The enrichment communicates directly with your
Splunk Cloud instance on a per observable basis. Each time you open the Splunk
Sightings tab in the Enrichments section of an observable details page, the
enrichment initiates a full text search for the observable value in your Splunk events.
If results are returned, raw events are displayed on the Splunk tab.
Note: The enrichment times out if searches do not complete within 30 seconds.
Configuration involves pointing the enrichment to your Splunk Cloud instance and
specifying the event set you want to search for matches.
Understanding Differences Between Splunk Sightings and My Attacks Report
This section outlines the differences between My Attacks Report and the Splunk
Sightings Enrichment.
My Attacks Report:
- Fetches select data fields from matched events on the Anomali ThreatStream Splunk App, such as attacker address and attack type.
- Available for the Anomali ThreatStream Splunk App.
- Does not fetch raw data.
- Is generated on the Anomali ThreatStream Splunk App and routed to ThreatStream directly or through ThreatStream Integrator.
- Populates the Sightings chart on observable details pages and the My Recent Attacks widget on the ThreatStream Overview Dashboard.
See "My Attacks Report" on page 250 for more information.
Splunk Sightings Enrichment:
- Fetches matched events from Splunk Cloud instances.
- Executes full text searches of Splunk events for observable values only when the Splunk tab is opened on an observable details page.
- Fetches raw events rather than select fields.
- Pulls data directly to ThreatStream from Splunk Cloud and populates the Splunk tab in the Enrichments section of observable details pages.
- Available for any Splunk instance running in Splunk Cloud.
To activate Splunk Sightings:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Splunk Sightings box. The following window is displayed:
Information on the enrichment is displayed. Click the Source link to visit the
Splunk website. Under License, Anomali license indicates that the enrichment
was developed by Anomali and is therefore subject to its terms of service.
3. To proceed with activation, click I have already registered.
4. Click Activate.
5. Enter the following information:
Field: Description
- Host: Domain name or IP address of your Splunk instance. Do not include protocols. Note: The Splunk Sightings enrichment only supports the HTTPS protocol.
- Port: Port used by your Splunk instance. Example: 8089
- User Name: User name associated with your Splunk account.
- Password: Password used to log in to your Splunk account.
- Index: Splunk index from which you want to retrieve sightings. The default value is used if not specified. Default: index=main. Example: index=index1 OR index=index2
- Sourcetype: Sourcetype for which you want to retrieve sightings. The default value is used if not specified. Default: sourcetype=*. Example: sourcetype=fortinet OR sourcetype=websense
- Limit: Number of results returned per observable. The default value is used if not specified. Default: 10
- Days back: Amount of historical data in days you want to retrieve. The default value is used if not specified. Default: 1. Example: 7
6. Click Activate.
The Splunk Sightings enrichment is now active.
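The following is an added example, not Anomali's code: it models the settings fields described above (Host without a protocol, Port, Index, Sourcetype, Limit, Days back), applies the documented defaults to blank fields, and composes the per-observable full-text search those settings imply. The exact search string ThreatStream submits to Splunk is not documented, so the SPL shape here is an assumption.

```python
"""Validate Splunk Sightings settings and compose the search they imply.

Added example, not Anomali's code. The SPL produced by build_search() is an
assumption about how Index, Sourcetype, Days back and Limit combine.
"""
from dataclasses import dataclass

# Defaults quoted from the settings table; Host and Port have no default.
DEFAULTS = {"index": "index=main", "sourcetype": "sourcetype=*",
            "limit": 10, "days_back": 1}


@dataclass
class SplunkSightingsConfig:
    host: str          # bare domain name or IP address, no scheme or path
    port: int          # e.g. 8089
    index: str = DEFAULTS["index"]
    sourcetype: str = DEFAULTS["sourcetype"]
    limit: int = DEFAULTS["limit"]
    days_back: int = DEFAULTS["days_back"]


def from_form(fields):
    """Build a config from raw form strings, applying defaults to blank fields."""
    def pick(name, conv):
        raw = (fields.get(name) or "").strip()
        return conv(raw) if raw else DEFAULTS[name]
    return SplunkSightingsConfig(
        host=(fields.get("host") or "").strip(),
        port=int(fields.get("port") or 0),
        index=pick("index", str),
        sourcetype=pick("sourcetype", str),
        limit=pick("limit", int),
        days_back=pick("days_back", int),
    )


def validate(cfg):
    """Return a list of problems; an empty list means the settings are acceptable."""
    errors = []
    # Host must be a bare name or address: the enrichment always speaks HTTPS.
    if not cfg.host:
        errors.append("host is required")
    elif "://" in cfg.host or "/" in cfg.host:
        errors.append("host must not include a protocol or path")
    if not 1 <= cfg.port <= 65535:
        errors.append("port must be between 1 and 65535")
    if not cfg.index.startswith("index="):
        errors.append("index must be written as index=<name>")
    if not cfg.sourcetype.startswith("sourcetype="):
        errors.append("sourcetype must be written as sourcetype=<name>")
    if cfg.limit < 1:
        errors.append("limit must be at least 1")
    if cfg.days_back < 1:
        errors.append("days back must be at least 1")
    return errors


def management_url(cfg):
    """HTTPS base URL of the Splunk instance the enrichment would query."""
    return f"https://{cfg.host}:{cfg.port}"


def quote_spl(value):
    """Quote the observable value so Splunk matches it as one literal token."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_search(cfg, observable):
    """Full-text search for one observable, bounded by time window and limit."""
    return (f"search ({cfg.index}) ({cfg.sourcetype}) {quote_spl(observable)} "
            f"earliest=-{cfg.days_back}d | head {cfg.limit}")


if __name__ == "__main__":
    # Constructed sample settings; the host name is a placeholder.
    cfg = from_form({"host": "splunk.example.com", "port": "8089",
                     "sourcetype": "sourcetype=fortinet OR sourcetype=websense",
                     "days_back": "7"})
    print(validate(cfg) or "settings ok")
    print(build_search(cfg, "198.51.100.7"))
```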
Enriching Data with Spur IP Context
Spur IP Context enrichment can provide high-fidelity contextual information on IP
addresses. This data includes precision geolocation, SSIDs, anonymity network
details, device count, device behaviors, and related IP addresses.
View documentation on the Spur IP Context enrichment for Anomali
To activate the Spur IP Context enrichment:
1. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
2. Click Set Up in the Spur IP Context box.
3. Click I have already registered.
4. Enter your Spur IP Context API Key.
5. Click Activate.
The Spur IP Context enrichment is now active.
Enriching Data with URLScan.io
When activated, the URLScan.io enrichment provides data enrichments for domain
and email observables.
You can leverage URLScan.io data on Explore after activation.
URLScan.io enables the following data transformations:
- Email to URL
- Domain to IP
- Domain to URL
You can mouse over returned URLs and IP addresses to view additional fields.
Additional fields for IP addresses include ASN, ASN Name, and Country. Additional
fields for URLs include Source and Time.
To activate the URLScan.io enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the URLScan.io box.
3. Click I have already registered.
4. Enter your URLScan.io API Key.
5. Click Activate.
The URLScan.io enrichment is now active.
Enriching Data with Silobreaker
When activated, the Silobreaker enrichment provides data enrichments, including
observables and non-observables, for the following observable types: domains,
email addresses, hashes, and IP addresses (v4 only).
View documentation on the Silobreaker enrichment for Anomali
To activate the Silobreaker Enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Silobreaker box.
3. Click I have already registered.
4. Enter your Silobreaker API Key.
5. Enter your Silobreaker Shared Key.
6. Click Activate.
The Silobreaker enrichment is now active.
Enriching Data with VirusTotal v2
VirusTotal analyzes files and URLs for viruses, worms, trojans, and other malicious
content. When activated, the VirusTotal enrichment enables you to pivot on
domains, IP addresses (v4 only), and hashes. Enrichment data is also displayed on
observable details pages.
You can leverage VirusTotal data on Explore after activation.
VirusTotal enables the following data transformations:
- Hash to ITW
- Section to Hash
- C2 IP to Hash
- Hash to User Agent
- Hash to Timestamp
- Behavior to Hash
- Mutex to Hash
- Hash to SHA-256
- Domain to Subdomain
- Hash to File Name
- URL to Detect Ratio
- Hash to Detect Ratio
- Hash to First Seen
- Hash to C2 IP
- Hash to Import Hash
- Hash to C2 URL
- Hash to AV Detection
- Host to Downloaded Hash
- Hash to Mutex
- Import Hash to Hash
- Hash to MD5
- Domain to IP
- IP to Domain
- Hash to Similar
- Hash to Authentihash
- Import to Hash
- PE Resource to Hash
- Hash to Section
- Hash to Rescan
- IP to Downloaded Hash
- Hash to File Size
- Hash to File Type
- IP to Detected URL
- Hash to Import
- C2 Host to Hash
- Hash to PE Resource
- Hash to C2 Host
- User Agent to Hash
- Hash to Behavior
- Domain to Detected URL
- Hash to PDB
- Hash to Tag
To read more about VirusTotal transformations, see
https://github.com/tampererer/VirusTotal-Private-API-Maltego
Enrichment data can also be accessed from observable details pages under
Enrichments.
Where data is available, the VirusTotal enrichment returns the following information
for each observable type:
Observable Type: Enrichment Data
- Domain: Categories, Communicating Files, Downloaded Files, Observed Subdomains, Passive DNS Replication, URLs
- Hash: Basic Properties, Community Score (displayed as Safe/Unsafe), Detections, Detection Ratio, History, Last Analysis, Related Hashes
- IP: Autonomous System, Communicating Files, Country, Domain Replication, Downloaded Files, Passive DNS Replication, URLs
- URL: Detections, Detection Ratio, Last Analysis
Activating the VirusTotal Enrichment
The VirusTotal enrichment can be activated using a free public API key or a
subscription-based premium API key.
If you activate the VirusTotal enrichment using a public API key, you can execute a
subset of the transforms listed above. If you attempt to execute a transform that is
not available through the public API, you will see the following error message:
If you activate the VirusTotal enrichment using a premium API key, you can execute
all of the transforms listed above.
To obtain a public VirusTotal API key:
1. Visit the VirusTotal registration page, enter the required information, and click
Join Us. After completing this step, VirusTotal sends you an activation email.
2. Locate the VirusTotal activation email in your inbox and complete the enclosed
steps required to activate your account.
3. Log in to your VirusTotal account.
4. Click API key in the VirusTotal menu at the top right of the screen.
5. Copy your API key, available under the API Key heading.
You will use your API key to activate the enrichment on the ThreatStream user
interface.
Notes:
- To learn more about the VirusTotal public API, visit
https://developers.virustotal.com/reference#getting-started
- The VirusTotal public API limits requests from individual users. To view the
latest API request quota, visit the API Key screen on the VirusTotal user
interface.
To request a premium VirusTotal API key:
1. On the VirusTotal user interface, click API key in the menu at the top right of the
screen.
2. Click Request premium API Key.
3. Fill out the request form and click Send. VirusTotal will contact you with further
information on obtaining a premium API key.
Note: To read more about the premium VirusTotal API, see
https://www.virustotal.com/en/documentation/private-api/
To activate the VirusTotal enrichment:
1. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
2. Click Set Up in the VirusTotal v2 box.
3. Click I have already registered.
4. Enter your VirusTotal API Key. You can enter a public or premium API key.
5. Click Activate.
The VirusTotal enrichment is now active.
Enriching Data with VirusTotal v3
VirusTotal analyzes files and URLs for viruses, worms, trojans, and other malicious
content. When activated, the VirusTotal enrichment enables you to pivot on
domains, IP addresses (v4 only), and hashes. Enrichment data is also displayed in
the Enrichments section on observable details pages.
Note: The information in this article pertains to activating and using the
ThreatStream integration with VirusTotal that leverages the VirusTotal v3 API.
For information on the legacy VirusTotal v2 API integration, see "Enriching Data
with VirusTotal v2" on page 176.
You can leverage VirusTotal data on Explore after activation.
VirusTotal enables the following data transformations:
- C2Host to Hash
- C2IP to Hash
- Domain to Detectedurl*
- Domain to IP
- Domain to Subdomain
- Enrich Domain
- Enrich Hash
- Enrich IP
- Enrich URL
- Hash to AV Detection
- Hash to Behavior
- Hash to C2Host
- Hash to C2IP
- Hash to C2URL
- Hash to Carbonblack Parent*
- Hash to Compressed Parent
- Hash to Emailparent*
- Hash to Execution Parent
- Hash to Filename
- Hash to Filesize
- Hash to Filetype
- Hash to Import
- Hash to ITW*
- Hash to MD5
- Hash to Mutex
- Hash to PE Debug
- Hash to Peresource
- Hash to Rescan
- Hash to Section
- Hash to SHA1
- Hash to SHA256
- Hash to Submission*
- Hash to Submitter ID*
- Hash to Tag
- Hash to Timestamp
- Hash to Total Votes
- Hash to Useragent
- Hash to VHash
- Host to Downloaded Hash
- Imphash to Hash
- IP to Detected URL*
- IP to Domain
- IP to Downloaded Hash*
- URL to Submitter ID*
- URL to Total Votes
* denotes pivots that are only available to users with premium VirusTotal API keys.
Enrichment data can also be accessed from observable details pages under
Enrichments.
Where data is available, the VirusTotal enrichment returns the following information
for each observable type:
Observable Type: Enrichment Data
- Domain: Categories, Communicating Files, Downloaded Files, Observed Subdomains, Passive DNS Replication, URLs. Note: Downloaded Files information is available only to users with premium VirusTotal API keys.
- Hash: Basic Properties, Community Score (displayed as Safe/Unsafe), Detections, Detection Ratio, History, Last Analysis, Other Hashes
- IP: Autonomous System, Communicating Files, Country, Domain Replication, Downloaded Files, Passive DNS Replication, URLs. Note: Downloaded Files information is available only to users with premium VirusTotal API keys.
- URL: Last Analysis Time, Last Analysis Stats, Last Analysis Results
Activating the VirusTotal Enrichment
The VirusTotal enrichment can be activated using a free public API key or a
subscription-based premium API key.
If you activate the VirusTotal enrichment using a public API key, you can execute a
subset of the transforms listed above. If you attempt to execute a transform that is
not available through the public API, you will see the following error message:
If you activate the VirusTotal enrichment using a premium API key, you can execute
all of the transforms listed above.
To obtain a public VirusTotal API key:
1. Visit the VirusTotal registration page, enter the required information, and click
Join Us. After completing this step, VirusTotal sends you an activation email.
2. Locate the VirusTotal activation email in your inbox and complete the enclosed
steps required to activate your account.
3. Log in to your VirusTotal account.
4. Click API key in the VirusTotal menu at the top right of the screen.
5. Copy your API key, available under the API Key heading.
You will use your API key to activate the enrichment on the ThreatStream user
interface.
Notes:
- To learn more about the VirusTotal public API, visit
https://developers.virustotal.com/v3.0/reference#public-vs-premium-api
- The VirusTotal public API limits requests from individual users. To view the
latest API request quota, visit the API Key screen on the VirusTotal user
interface.
To request a premium VirusTotal API key:
1. On the VirusTotal user interface, click API key in the menu at the top right of the
screen.
2. Click Request premium API Key.
3. Fill out the request form and click Send. VirusTotal will contact you with further
information on obtaining a premium API key.
Note: To read more about the premium VirusTotal API, see
https://developers.virustotal.com/v3.0/reference#public-vs-premium-api
To activate the VirusTotal enrichment:
1. On the ThreatStream user interface, click in the top navigation bar and then
Integrations.
2. Click Set Up in the VirusTotal v3 box.
3. Click I have already registered.
4. Enter your VirusTotal API Key. You can enter a public or premium API key.
5. Click Activate.
The VirusTotal enrichment is now active.
Enriching Data with Web Of Trust
Web Of Trust evaluates domains to assign safety and security ratings. When
activated, Web Of Trust provides trustworthiness, child safety, and third-party
exclude list information for domain observables on observable details pages.
Information is delivered in the form of ratings and confidence scores on the Web Of
Trust tab in the Enrichments section of observable details pages.
To activate the Web Of Trust enrichment:
1. In the top navigation bar, click and then Integrations.
2. Click Set Up in the Web Of Trust box.
3. Click I have already registered.
4. Enter your API Key.
5. Click Activate.
Activating Freemium Services
Through relationships with top intelligence vendors, Anomali ThreatStream offers
access to certain premium third-party threat intelligence services at no additional
charge. These services, including data enrichments and feeds, generally contain a
subset of vendor premium feeds or enrichment data. Freemium services are not
trials. Therefore, access is perpetual and does not expire. Freemium users can
migrate to premium versions of the vendor services by contacting Anomali Support.
Note: All vendor terms of use are specific to their offerings.
Activating Freemium Enrichments
The following third-party freemium enrichments are available on ThreatStream:
- DomainTools Iris
- Farsight DNSDB
- Reversing Labs
These enrichments can be activated from the Integrations tab within ThreatStream
settings.
For information on using and activating the DomainTools Iris enrichment, see
"Enriching Data with DomainTools Iris" on page 146.
For information on using and activating the Farsight DNSDB enrichment, see
"Enriching Data with Farsight DNSDB" on page 147.
For information on using and activating the ReversingLabs enrichment, see
"Enriching Data with ReversingLabs" on page 165.
Activating Freemium Feeds
The following third-party freemium feeds are available on ThreatStream:
- Flashpoint Technical Intelligence
- Intel 471 Freemium Cybercrime Intelligence
- Polyswarm Freemium Hot Malware
- Sixgill Darkfeed™ Freemium
To activate the Flashpoint Technical Intelligence feed:
1. Navigate to APP Store > APP Store.
2. Locate the Flashpoint Technical Intelligence box which displays a Free tag.
3. Click Request Activation.
4. Read the evaluation agreement, select Accept Terms, and click Send
Activation Request.
You will receive notifications regarding the status of your request via email.
To activate the Intel 471 Freemium Cybercrime Intelligence feed:
1. Navigate to APP Store > APP Store.
2. Locate the Intel 471 Freemium Cybercrime Intelligence box.
3. Click Request Activation.
4. Read the evaluation agreement, select Accept Terms, and click Send
Activation Request.
You will receive notifications regarding the status of your request via email.
To activate Polyswarm Freemium Hot Malware:
1. Navigate to APP Store > APP Store.
2. Locate the Polyswarm Freemium Hot Malware box.
3. Click Request Access.
Polyswarm Freemium Hot Malware activations are automatic. The feed is now
active.
To activate Sixgill Darkfeed™ Freemium:
1. Navigate to APP Store > APP Store.
2. Locate the Sixgill Darkfeed™ Freemium box.
3. Click Request Activation.
4. Read the evaluation agreement, select Agree, and click Request Activation.
You will receive notifications regarding the status of your request via email.
Audit User Activity
The Audit page enables Org Admins to view user audit logs for both ThreatStream
user interface activity and API activity.
[Audit page screenshot callouts: Toggle ThreatStream Interface or API; Time Period; User list; Activity list; Export audit log]
Audit Log Activities
Audit logs are maintained for the following ThreatStream UI activities.
Activity: Description
- Login: Logged in by specifying user name and password.
- Login Via SSO: Logged in using SSO.
- Active Logout: Logged out by clicking the Logout link.
- Maximum Lifetime Logout: Logged out by the system when the Maximum Lifetime Logout time limit was reached.
- Created: Created the specified object.
- Updated: Updated the specified object.
- Commented: Added a comment to the specified object configuration.
- Deleted: Deleted the specified object.
- Report PDF: Report creation activity. Click Exported in the Activity column to display a pop-up information box with details. In the information box, under Export Type:
  - Download indicates that the user created and downloaded the report from a Threat Model entity details page.
  - Email indicates that the user created the report through the Share via Email feature. When Email is listed, the emails to which reports were sent are listed under Recipients.
- Uploaded Avatar: Uploaded an avatar to the user's own Profile page.
- Added Description: Added or modified the Summary text on the user's own Profile page.
- Sent Feedback: Sent feedback. The feedback link is a question mark (?) icon that is visible when the gamification permission is enabled.
- Added Permission: Granted a user permission on the Settings > User Admin page.
- Removed Permission: Removed a user permission on the Settings > User Admin page.
- Mitre Score: Updated the MITRE ATT&CK Security Control Framework for your organization. Click Mitre Score Update in the Activity column to display a pop-up information box with details. Information includes the Name of the TTP modified, timestamp of the action, New Score (security coverage score assigned to the TTP by the user), and Old Score (previous security coverage score).
Audit logs are maintained for all API requests. The following table describes
API audit log columns.
Column: Description
- Date: Timestamp the API request was received.
- Method: HTTP method.
- Endpoint: Endpoint URI requested.
- User Agent: User-agent request header for the API request.
- User: User that sent the request.
Creating a ThreatStream Interface Audit Log Report
By default, the Audit page shows logs for all activities of the logged-in user for the
last 24 hours.
To create a ThreatStream Interface user audit log report based on filters you
specify:
1. In the top navigation bar, click and then Audit.
2. Select the ThreatStream Interface audit log option.
3. Select a time period:
  - Last 24 Hours
  - Last 30 Days
  - Last 90 Days
  - Custom Date Range
    If you select this option, use the date selector to complete the time period filter. You can specify a range within the last 90 days.
4. Select one or more users in the User list. You can find users by scrolling the list
or by searching.
5. Select one or more activities from the Activity list.
The audit table displayed on the page is updated instantly whenever you change a
filter option.
To export a report:
1. Create a filtered audit log report.
2. Click Actions and select Export.
Note: The export file is a CSV file that includes the columns and data displayed
on the Audit page. It does not include linked information.
Creating an API Audit Log Report
You cannot select activities for the API audit log report. This report displays all
API calls for up to 10 users.
To create an API audit log report:
1. In the top navigation bar, click and then Audit.
2. Select a time period:
  - Last 24 Hours
  - Last 30 Days
  - Last 90 Days
  - Custom Date Range
    If you select this option, use the date selector to complete the time period filter. You can specify a range within the last 90 days.
3. Select at least 1 and no more than 10 users from the User list. You can find
users by scrolling the list or searching.
4. Select the API audit log option.
To export a report:
1. Create an API audit log report.
2. Click Actions and select Export to CSV.
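An added example, not Anomali's code, of reviewing an exported API audit log: it assumes the CSV carries the five columns named in the API audit log table above (Date, Method, Endpoint, User Agent, User) and that Date is an ISO 8601 timestamp; the sample rows and endpoint paths are constructed placeholders. The review flags deletions, accounts seen with more than one user agent (a possible shared API key), and request bursts that point at automation worth confirming.

```python
"""Review an exported ThreatStream API audit log for activity worth a closer look.

Added example, not Anomali's code. Column names follow the API audit log
table; the Date format and the sample rows below are constructed assumptions.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export: two analysts and one service account.
SAMPLE_EXPORT = """Date,Method,Endpoint,User Agent,User
2021-08-27T09:00:01Z,GET,/api/v2/intelligence/,python-requests/2.25.1,analyst1
2021-08-27T09:00:12Z,GET,/api/v2/intelligence/,python-requests/2.25.1,analyst1
2021-08-27T09:05:40Z,POST,/api/v2/intelligence/,python-requests/2.25.1,analyst1
2021-08-27T10:15:03Z,DELETE,/api/v2/intelligence/12345/,Mozilla/5.0,analyst2
2021-08-27T11:30:00Z,GET,/api/v2/intelligence/,python-requests/2.25.1,svc-integrator
2021-08-27T11:30:05Z,GET,/api/v2/intelligence/,python-requests/2.25.1,svc-integrator
2021-08-27T11:30:10Z,GET,/api/v2/intelligence/,python-requests/2.25.1,svc-integrator
2021-08-27T11:30:15Z,GET,/api/v2/intelligence/,python-requests/2.25.1,svc-integrator
2021-08-27T11:30:20Z,GET,/api/v2/intelligence/,python-requests/2.25.1,svc-integrator
2021-08-27T11:30:25Z,GET,/api/v2/intelligence/,Mozilla/5.0,svc-integrator
"""


def parse_export(text):
    """Parse the CSV export into dicts keyed by column name; Date becomes a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Date"] = datetime.strptime(row["Date"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def requests_per_user(rows):
    """Total API requests per user, the first thing to compare against expectations."""
    return Counter(r["User"] for r in rows)


def review(rows, max_per_minute=5):
    """Return (kind, user, detail) findings for a reviewer to follow up."""
    findings = []
    agents = defaultdict(set)
    per_minute = Counter()
    for r in rows:
        user = r["User"]
        agents[user].add(r["User Agent"])
        per_minute[(user, r["Date"].strftime("%Y-%m-%dT%H:%M"))] += 1
        # Deletions through the API are rare enough to list one by one.
        if r["Method"].upper() == "DELETE":
            findings.append(("delete", user,
                             f"{r['Date'].isoformat()} {r['Endpoint']}"))
    # One account driving both a browser and a script may mean a shared key.
    for user, ua in agents.items():
        if len(ua) > 1:
            findings.append(("multiple_user_agents", user, ", ".join(sorted(ua))))
    # Bursts above the threshold are automation that should be accounted for.
    for (user, minute), n in sorted(per_minute.items()):
        if n > max_per_minute:
            findings.append(("burst", user, f"{n} requests during {minute}"))
    return findings


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(dict(requests_per_user(rows)))
    for finding in review(rows):
        print(*finding)
```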
Restricting Access to Intelligence with Workgroups
Workgroups provide granular control over the visibility of threat intelligence content
you create on ThreatStream to groups of users in your organization. Workgroups
enable you to restrict the observables, Threat Model entities, and investigations you
create on ThreatStream to groups of users within your organization.
Important: Workgroups restrict access to the intelligence you create on the
platform. Workgroups cannot be used to control access to intelligence sourced
from feeds, or to limit platform functionality to groups of users. See "Workgroup
Limitations" on the next page for further limitations.
Org Admins can create and manage workgroups from the Workgroups tab within
ThreatStream settings.
Actions Enabled by Workgroups
Workgroups can be leveraged to restrict access to the following entities created on
ThreatStream:
- Observables imported by your organization. See "Restricting Observable Visibility to Workgroups" on page 246 and "Restricting Observables Visibility to Workgroups During Import" on page 314.
  Mailboxes can be configured to share imported observables with workgroups as well. See "Mailboxes For Receiving Observables" on page 81 for more information.
- Threat Model entities created by your organization from the ThreatStream user interface. See "Restricting Threat Model Entities to Workgroups" on page 544.
- Investigations created by your organization. See "Understanding the Investigations User Interface" on page 330.
Additionally, workgroups enable the following actions:
- Generating user activity reports based on workgroups. See "Generating User Activity Reports By Workgroup" on page 31.
- Searching observables visible only to specific workgroups. See "Searching Workgroup Restricted Observables" on page 275.
- Restricting rules email notifications to specific workgroups. See "Notify" on page 586.
- Assigning an investigation to a workgroup. See "Assignee" on page 335.
Workgroup Limitations
- Workgroups cannot be used to restrict the visibility of Sandbox Reports.
- Rules do not match for keywords within intelligence whose visibility is restricted to workgroups.
- Streams cannot be configured to restrict observables to workgroups.
- TAXII sites cannot be configured to restrict observables to workgroups.
- Intelligence snapshots do not include intelligence whose visibility is restricted to workgroups.
Example Use Cases for Workgroups
The examples in this section illustrate ways in which workgroups can support
organization workflows and intentional distribution of information.
1. Distinct Teams Within Your Organization
In cases where multiple teams within an organization use ThreatStream,
workgroups enable teams to create intelligence which other teams can be excluded
from accessing on a permanent or temporary basis.
For example, both the Threat Intelligence (TI) and Security Operations Center
(SOC) teams in an organization have access to ThreatStream. The TI team, as it
works on a new Threat Bulletin, wants to restrict access to the entity until it has been
fully developed and is ready for wider distribution. Two workgroups can be created
to address this need—one for the TI team and the other for the SOC team. The TI
team can work and collaborate within their workgroup on the intelligence and
publish it to the SOC team workgroup or organization as a whole when ready.
2. Levels of Classification Within Teams
Workgroups also enable the sharing of intelligence with different levels of sensitivity
within a team.
For example, a Threat Intelligence team has three levels of internally understood
classification for information: top secret, secret, and unclassified. To enable
classification-based sharing of intelligence, a workgroup is created for each of the
three levels of classification. When an investigation is created that contains top
secret information, its visibility is restricted to the top secret workgroup.
Managing Workgroups
Org Admins can manage workgroups from the Settings page.
To create a new workgroup:
1. In the top navigation bar, click , Workgroups, and then New Workgroup.
OR
On an investigation page, expand the Assignee drop down and click New
Workgroup.
2. Enter a Name for the new workgroup.
3. (Optional): Upload an Avatar for the workgroup.
4. Click New Workgroup.
5. To add users to the workgroup, select a Member from the drop down menu.
6. Specify a Role for the selected user. Only users with the Owner role have the
ability to remove users from workgroups. The Approver, Contributor, and
Reviewer roles serve as labels for users in the context of investigations and do
not grant additional privileges.
7. Click +.
8. (Optional): Add additional users as required.
Note: Only Org Admins can create workgroups.
To edit a workgroup:
1. In the top navigation bar, click and then Workgroups.
2. Click the Edit icon.
3. Make necessary changes. Changes are saved automatically.
Note: Only Org Admins and workgroup owners can edit workgroups. Only
workgroup owners and creators can remove workgroup users.
To delete a workgroup:
1. In the top navigation bar, click and then Workgroups.
2. Click the Edit icon.
3. Click Delete.
Note: Only Org Admins and workgroup owners can delete workgroups.
Adding Preferred Tags to Intelligence
Preferred tags are a list of frequently used tags that can be quickly selected from
any Tags field in ThreatStream. Preferred tags are suggested to users alongside
recently used tags as they associate tags with intelligence, thus eliminating the need
to repeatedly type out frequently used tags. As displayed below, users can enter * in
the tags field to display a complete list of preferred tags.
Note: Tags must be 2,000 characters or less.
Managing Preferred Tags
Org Admins can add and delete preferred tags from the Preferred Tags tab within
ThreatStream settings. You can add a maximum of 500 preferred tags.
The Preferred Tags tab lists the configured preferred tags and the organization
user that created each one, provides a search box for configured tags, and an
Actions menu for adding or deleting tags.
To configure preferred tags:
1. In the top navigation bar, click the Settings icon and then Preferred Tags.
2. In the Actions menu, click Add.
3. Enter the tags you would like to add as preferred tags. If configuring multiple
preferred tags, enter one tag per line.
Note: While the maximum number of preferred tags you can configure is
500, you can only configure up to 100 in a single batch.
4. Click Add.
To delete preferred tags:
1. In the top navigation bar, click the Settings icon and then Preferred Tags.
2. Select the preferred tags you want to delete.
3. In the Actions menu, click Delete.
Note: Preferred tags that you delete may still appear as suggested tags for up to
seven days.
Managing Organization Never Scan Lists for
the Anomali Lens Plugin
ThreatStream Org Admins can create and manage an organization level Never
Scan list for users in their organization that use the Anomali Lens plugin. The Never
Scan list prevents users from scanning the domains, IP addresses, or URLs you
configure. Entries on the organization-level list cannot be edited or deleted from the
Anomali Lens plugin.
Note: The Never Scan list pertains to the Anomali Lens browser extension. For
more information, see https://www.anomali.com/products/lens.
To add entries to your organization level Never Scan list:
1. On the ThreatStream user interface, click the Settings icon in the top navigation menu.
2. Navigate to the Lens tab.
3. Click Add in the Actions menu.
4. Add the domains, IP addresses, or URLs you want to prevent users in your
organization from scanning. If entering multiple entries, separate each entry
with a new line or comma.
5. Click Add.
The entries have been added. The organization Never Scan list synchronizes with
Anomali Lens every 10 minutes.
To delete entries from your organization Never Scan list:
1. On the ThreatStream user interface, click the Settings icon in the top navigation menu.
2. Navigate to the Lens tab.
3. Select the entries you want to delete.
4. Click Delete in the Actions menu.
The entries have been deleted.
ThreatStream User Roles
For each organization using the ThreatStream platform, there are three types of
users: Org Admins, Non-admins, and Read Only users. Org Admins can
perform administrative tasks that impact their entire organization on ThreatStream,
whereas Non-admins can only manage settings that impact their personal profiles.
Read Only users can view and export intelligence on ThreatStream but cannot
create intelligence of any kind.
Org Admin Privileges
The tasks below are reserved for ThreatStream users with Org Admin privileges.
Update organization name: Update the organization name in ThreatStream.
Update PDF export settings: Change the number of search results and intelligence
items included in Search Result and Threat Bulletin PDF downloads, respectively.
Configure organization-wide session timeout settings: Enable ThreatStream session
timeout for users in your organization and decide how long a period of
inactivity must last before a timeout occurs.
Configure multi-factor authentication (MFA): Decide whether or not the
organization requires multi-factor authentication for ThreatStream login.
Add/edit/delete organization users: Add and remove users from the organization
and update privileges for existing users.
Enable organization users to approve imports: Configure privileges for non-admin
users that enable them to evaluate imported observables.
Bypass MFA for organization users: When MFA is enabled, Org Admins can configure
individual users to skip multi-factor authentication and log in with their email
address and password only.
Configure organization Exclude List: Prevents users within the organization from
accidentally importing an organization CIDR, IP address, domain name, URL, or
email address.
Activate third-party integrations with ThreatStream: Configure ThreatStream to
use third-party services such as Farsight and OpenDNS.
Manage premium intelligence streams: Purchase and evaluate premium threat
intelligence streams partnered with Anomali.
Create/leave/join Trusted Circles: Enable the sharing of information between your
organization and other organizations on ThreatStream.
Delete Threat Model entities: Permanently delete Threat Bulletins, Actors,
Campaigns, TTPs, Incidents, and Signatures that belong to your organization.
Audit user activity: View user activity from the past 7 days.
Unlock locked accounts: When user accounts in your organization are locked after
consecutive failed login attempts, Org Admins can unlock accounts from the User
Admin page within settings. See "Managing Organization Users" on page 97 for
more information.
The email lists below are reserved for ThreatStream users with Org Admin
privileges.
Keyword Matches: Sends a notification for each keyword match.
Keyword Matches Hourly Digest: Sends summaries of all keyword matches from the
last hour.
Non-admin Privileges
The tasks below can be performed by Non-admins and Org Admins.
Edit personal contact information: Edit personal email address, name, and phone
number.
Change password used for ThreatStream login: Change the personal password used
for ThreatStream login.
Update ThreatStream email subscriptions: Users can configure which ThreatStream
email lists their personal email address is included in.
The email lists below can be subscribed to by Non-admins and Org Admins.
Threat Bulletin Creation: Sends a notification every time a Threat Bulletin is
created.
Threat Bulletin Daily Digest: Sends summaries of Threat Bulletins created each
day.
Trusted Circles: Sends notifications when organizations join or leave your
trusted circles.
Read Only User Privileges
Read Only users are restricted to viewing intelligence on ThreatStream and cannot
create intelligence or related content such as tags, comments, or other metadata.
Notes:
- Read Only users do not count toward the number of users allocated to your
organization in your ThreatStream license.
- Read Only users can access ThreatStream OnPrem deployments that are on
v4.1.1 and above. Read Only users cannot access ThreatStream OnPrem if it is
on an earlier version.
- Read Only users cannot use their ThreatStream accounts for single sign-on
(SSO) on Anomali Match or ThreatStream Integrator.
The table below lists the features to which Read Only users have access.
Dashboard:
- View the Overview dashboard. Available widgets include Contributions,
Indicators by Type, Intelligence Sources, My Recent Attacks, Organization Recent
Sandbox Submissions, Threat Model Entities, Top ASNs, Top Impacts, and Top
Threats by Country.
- View the MyEvents dashboard.
- View the Community Threats dashboard.
- Add shared custom dashboards created by fellow organization users and themed
dashboards created by the Anomali Threat Research team to their homepages on
ThreatStream.
Analyze > Overview:
- View and drill down on recent threat model entities.
Analyze > Observables:
- Perform basic observable searches.
- Perform advanced observable searches.
- View observable details pages.
- Export observables from the observables search page and details pages.
Analyze > Threat Model:
- Perform basic Threat Model entity searches.
- Perform advanced Threat Model entity searches.
- View Threat Model entity details pages.
- Export Threat Model entities from threat model entity details pages.
Research > Sandbox:
- View sandbox report details.
- Export sandbox reports.
Research > Collaborate:
- Chat with organization and trusted circles members.
Note: This menu item is only visible if the user is assigned the Can Use Chat
privilege. See "Managing Organization Users" on page 97 for more information.
APP Store > APP Store:
- Browse available APP Store services.
Settings > My Profile:
- Update user Email, Name, and Phone.
- Change account password.
- Subscribe to the Threat Model Daily Digest email.
Chapter 6: Sharing Intelligence via TAXII
on ThreatStream
This chapter covers the following topics:
Getting Started with TAXII on ThreatStream 210
Connecting To Your ThreatStream TAXII Server from a TAXII Client 211
Using ThreatStream as a TAXII Client 213
Managing TAXII Sites 215
Managing TAXII Site Collections 217
Managing TAXII Feeds 218
ThreatStream provides you comprehensive TAXII functionality to fulfill all of your
requirements for exchanging and aggregating TAXII data from trusted sources.
ThreatStream serves a dual purpose with regard to TAXII. You can leverage
bidirectional exchange between ThreatStream and your TAXII clients, enabling you
to both download intelligence from ThreatStream and push intelligence to
ThreatStream. You can also use ThreatStream to aggregate threat intelligence from
trusted TAXII sources, such as hailataxii.com.
With its dual functionality, ThreatStream serves simultaneously as a TAXII server
and client.
Using ThreatStream as a TAXII Server
When you use ThreatStream as a TAXII server, your TAXII clients connect to
ThreatStream and poll data from it.
ThreatStream gives you two TAXII Discovery URLs, one for TAXII v1.x and one for
TAXII v2.0, that you can use to connect to ThreatStream from your TAXII clients.
When you connect to either URL in a TAXII client, your ThreatStream TAXII Feeds
(dedicated channels for exchanging TAXII data) appear as collections available
to poll into your TAXII client. You can also push data from TAXII clients to
your TAXII Feeds on ThreatStream, enabling bidirectional exchange of TAXII data.
See "Connecting To Your ThreatStream TAXII Server from a TAXII Client" on
page 211 for more information.
To learn more about creating TAXII Feeds, see "Managing TAXII Feeds " on
page 218.
Using ThreatStream as a TAXII Client
Using ThreatStream as a TAXII client enables you to aggregate TAXII data in one
location and add it to the intelligence you are already receiving on ThreatStream.
After configuring the TAXII source as a Site, ThreatStream connects to the site and
discovers the collections available to be polled. You can subscribe to available
collections and configure ThreatStream to poll data from them on a regular interval.
The data becomes part of your threat intelligence through one of your TAXII Feeds
on ThreatStream.
See "Using ThreatStream as a TAXII Client" on page 213 for more information.
Getting Started with TAXII on ThreatStream
1. Create TAXII Feeds. Whether you plan to use ThreatStream to serve threat
intelligence to TAXII clients or aggregate data from TAXII trusted sources, TAXII
Feeds serve as gateways in and out of ThreatStream for TAXII data. See
"Managing TAXII Feeds" on page 218 for more information.
2. To use ThreatStream as a TAXII client and aggregate threat intelligence from
trusted TAXII sources, configure sources as Sites. Once Sites are configured,
ThreatStream discovers available TAXII collections. You can schedule polls and
pushes for collections of interest. See "Using ThreatStream as a TAXII Client"
on page 213 for more information.
3. To use a TAXII client to receive threat intelligence from your ThreatStream
TAXII server, take note of your TAXII Discovery URL on the TAXII Settings
page and see "Connecting To Your ThreatStream TAXII Server from a TAXII
Client" on the next page for more information.
Connecting To Your ThreatStream TAXII
Server from a TAXII Client
You can connect to your ThreatStream TAXII server using the TAXII Discovery
URLs listed on the TAXII page within ThreatStream settings. This enables you to
poll data from your TAXII feeds on ThreatStream into TAXII clients and push data
from your TAXII client to ThreatStream.
The ThreatStream TAXII server provides both TAXII 1.x and TAXII 2 services,
enabling you to poll data in the appropriate format depending on TAXII client
requirements. Both URLs can serve the same intelligence to clients—choosing one
over the other simply impacts the format the intelligence is served in.
When you connect to a ThreatStream TAXII Discovery URL, your TAXII feeds,
trusted circles, and saved searches appear as poll collections. Poll collections
adhere to the following naming conventions:
- TAXII feed collections: <TAXII Feed Name>_F_<TAXII_feed_ID>
Example: TAXII_Feed_1_F23
- Trusted circle collections: <Trusted Circle Name>_C_<Trusted Circle ID>
Example: Government_C548
- Saved search collections: <Saved Search Name>_S_<Saved Search ID>
Example: Covid_S345
Basic Authentication is enabled by default, and you can use your ThreatStream
login credentials to access your ThreatStream TAXII server via Basic
Authentication. Because Basic Authentication sends those credentials with every
request, connect over HTTPS only and keep the credentials in your TAXII client's
secret store rather than in plain configuration files.
You must have the Import to TAXII Feeds permission to push data to TAXII feeds on
ThreatStream. See "Managing Organization Users" on page 97 for more
information.
Notes:
- To receive TAXII requests from ThreatStream on your network, ensure that
35.173.107.231 (the address ThreatStream uses for outbound TAXII connections)
can connect to your TAXII client.
- LogRhythm does not support the TAXII discovery service. To connect to your
ThreatStream TAXII server from LogRhythm, use the following TAXII collection
management URL:
https://optic.threatstream.com/api/v1/taxii/collection_management/
- IPv6 observables cannot be pushed or polled.
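A minimal client-side helper for the connection described above, added here as an example; it is not Anomali's code and not a ThreatStream API. It builds a TAXII 2.0 request carrying the Basic Authentication header, classifies collection titles using the `_F_`, `_C_` and `_S_` convention listed above (also accepting the guide's own examples, which omit the second underscore), and keeps only the collections a client may push to, since pushes go to your own TAXII feeds only. The Discovery URL, the credentials, the use of the TAXII 2.0 `can_write` flag as the writability signal, and the sample collections document are assumptions made for illustration.

```python
"""Added example (not Anomali's code): helpers for talking to a ThreatStream
TAXII 2.0 server from a custom client. The Discovery URL, the credentials and
the sample collections document are placeholders; your own URL appears on the
TAXII settings page. The _F_/_C_/_S_ naming convention is taken from the guide."""
import base64
import json
import re
import urllib.request

# TAXII 2.0 media type registered by OASIS. Servers may refuse a request that
# does not ask for it, so set it explicitly rather than relying on defaults.
TAXII2_MEDIA_TYPE = "application/vnd.oasis.taxii+json; version=2.0"

# Collection titles are '<Name>_F_<id>' (TAXII feed), '<Name>_C_<id>' (trusted
# circle) or '<Name>_S_<id>' (saved search). The guide's examples, such as
# "TAXII_Feed_1_F23", drop the underscore before the id, so accept both forms.
_COLLECTION_RE = re.compile(r"^(?P<name>.+?)_(?P<kind>[FCS])_?(?P<id>\d+)$")
_KINDS = {"F": "taxii_feed", "C": "trusted_circle", "S": "saved_search"}


def parse_collection_title(title):
    """Return (kind, name, numeric id) for a ThreatStream collection title,
    or None if the title does not follow the convention."""
    m = _COLLECTION_RE.match(title)
    if not m:
        return None
    return _KINDS[m.group("kind")], m.group("name"), int(m.group("id"))


def basic_auth_header(username, password):
    """RFC 7617 Basic credentials: base64 of 'user:password'. Note that this is
    encoding, not encryption, which is why the guide's Basic auth needs HTTPS."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def build_request(url, username, password):
    """A urllib Request carrying the TAXII 2.0 Accept and Basic auth headers."""
    req = urllib.request.Request(url)
    req.add_header("Accept", TAXII2_MEDIA_TYPE)
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


def fetch_json(url, username, password):
    """Perform the GET and decode the JSON body. This is the only function that
    touches the network; it is not exercised by the offline sample below."""
    with urllib.request.urlopen(build_request(url, username, password)) as resp:
        return json.load(resp)


def pushable_collections(collections_doc):
    """From a TAXII 2.0 'collections' document, keep the entries a client may
    push to. Trusted circles and saved searches are poll-only, so require both a
    feed-style title and the server's can_write flag (assumed to be honoured)."""
    out = []
    for c in collections_doc.get("collections", []):
        parsed = parse_collection_title(c.get("title", ""))
        if parsed and parsed[0] == "taxii_feed" and c.get("can_write"):
            out.append((c["id"], parsed[1], parsed[2]))
    return out


# Constructed sample of a TAXII 2.0 collections document (not a real capture).
SAMPLE_COLLECTIONS = {
    "collections": [
        {"id": "1", "title": "TAXII_Feed_1_F23", "can_read": True, "can_write": True},
        {"id": "2", "title": "Government_C548", "can_read": True, "can_write": False},
        {"id": "3", "title": "Covid_S345", "can_read": True, "can_write": False},
        {"id": "4", "title": "misc", "can_read": True, "can_write": True},
    ]
}

if __name__ == "__main__":
    for c in SAMPLE_COLLECTIONS["collections"]:
        print(c["title"], "->", parse_collection_title(c["title"]))
    print("pushable:", pushable_collections(SAMPLE_COLLECTIONS))
```

Run as a script it classifies the constructed sample offline; to use it against your own server, call `fetch_json` with the Discovery URL from the TAXII settings page and then the collections URL it returns.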
Sharing TAXII Intelligence with Trusted Circles
When you create TAXII feeds, you can associate them with trusted circles. In
addition to accessing data from feeds on ThreatStream, trusted circle organizations
can leverage trusted circles to poll data into TAXII clients.
When you configure your ThreatStream TAXII server as a data source on a
TAXII client, trusted circles you are a member of appear as available TAXII
collections, alongside your TAXII feeds. While data can only be pushed to TAXII
feeds owned by your organization, data can be polled from trusted circles in addition
to your TAXII feeds.
The following example illustrates the relationship between TAXII feeds and
trusted circles with regard to sharing TAXII data.
- Org 1 owns TAXII Feed 1, which is shared with a trusted circle that Org 2 is also a
member of.
- Org 2 owns TAXII Feed 2, which is shared with the trusted circle, and TAXII Feed
3, which is classified as My Organization and not shared with any trusted circle.
- Org 1 can poll the trusted circle to pull data that Org 2 pushes to TAXII Feed 2.
- Org 2 can poll the trusted circle to pull data that Org 1 pushes to TAXII Feed 1.
- Org 2 has exclusive access to data it pushes to TAXII Feed 3, which is not shared
with any trusted circle.
Sharing TAXII Intelligence via Saved Searches
Saved searches you create on ThreatStream can also be polled by TAXII clients.
After authenticating using the ThreatStream TAXII Discovery URL and your
ThreatStream credentials, your saved searches appear as poll collections on the
TAXII client. Only the saved searches created by the user whose credentials you
used for authentication are available. Saved searches created by other users in your
organization are not available.
Using ThreatStream as a TAXII Client
Using ThreatStream as a TAXII client enables you to aggregate TAXII data in one
location and add it to the intelligence you are already receiving on ThreatStream.
Note: The ThreatStream TAXII client can receive data from TAXII 1.x servers
only.
Getting started with your ThreatStream TAXII Client requires the following steps:
1. Configure one or more TAXII Feeds. TAXII Feeds are dedicated channels for
receiving TAXII data on ThreatStream.
See "Managing TAXII Feeds" on page 218 for further guidance.
2. Add a TAXII source that you have access to as a Site on ThreatStream.
See "Managing TAXII Sites " on the next page for further guidance.
3. If you want to receive TAXII data from the site, configure the collections of
interest as Poll Collections.
If you want to push TAXII data to the site, configure the collections of interest as
Push Collections.
You can configure ThreatStream to poll or push on a regular interval. The data
becomes part of your threat intelligence through one of your TAXII Feeds on
ThreatStream.
See "Managing TAXII Site Collections" on page 217 for further guidance.
Managing TAXII Sites
The Sites tab enables you to configure and manage communication between
ThreatStream and external TAXII sources to which you have access. Configuring a
Site on ThreatStream involves authenticating to a Discovery URL for the site. After
you have configured a TAXII server site, you can poll data from available collections
on the server.
You can configure Poll Collections to poll data into ThreatStream on a regular
interval. You can also configure Push Collections to push data from ThreatStream
to collections on the site. Data is pushed at a regular cadence and based on a saved
search that you specify.
Notes:
- ThreatStream can receive data from TAXII 1.x servers only.
- ThreatStream TAXII clients use the following IP address as an outbound
NAT gateway: 35.173.107.231. Anomali recommends allowing inbound connections
from this IP address on your TAXII server.
- IPv6 observables cannot be pushed or polled.
- Hash observables received from TAXII servers do not expire.
To configure a site:
1. In the top navigation bar, click the Settings icon and then TAXII.
2. Under Sites, click Actions > Add Site.
3. Enter a meaningful Name for the site.
4. Enter the Discovery URL.
5. (Optional) Select the authentication methods the site requires.
To have ThreatStream verify the site's SSL certificate, select Use Site SSL
Verification. Leave this enabled unless you have a specific reason not to;
without it, a poll can be redirected to an impostor server without warning.
If the site uses basic authentication, select Basic Authentication and enter
your credentials for the site.
If the site requires an SSL two-way (client) certificate, select SSL Two-Way
Certificate and upload your certificate.
Note: ThreatStream supports SSL Two-Way Certificates in P12 and PEM
format.
6. Click Add Site. ThreatStream will now discover the collections available on
the site.
7. To view discovered collections, click the expand icon. The site details are
then displayed.
If discovery is unsuccessful, an error code is displayed. You can click the
error code for more information on why the discovery failed.
Managing TAXII Site Collections
After configuring a TAXII source as a site, ThreatStream discovers the collections
that are available for you to poll data from and push data to on the site.
Configuring Poll Collections
After authenticating to a TAXII server site, a list of collections available to poll is
displayed under Poll Collections.
Note: Only users with the Import to TAXII Feeds privileges can configure poll
collections. If you do not have this privilege, the Poll Collections tab is not
displayed.
To configure a poll collection:
1. In the top navigation bar, click the Settings icon and then TAXII.
2. Under Sites, locate the TAXII server of interest and click the expand icon to
display the site details.
3. A list of discovered collections is available under Poll Collections. To configure
a collection, click Configure.
4. Select a TAXII Feed to associate with the collection. Incoming data will be
added to ThreatStream via the TAXII Feed you select.
5. If required, enter your Subscription ID.
6. Enter an Interval to specify the cadence at which ThreatStream will poll data
from the feed.
7. Enter a Start From date. This specifies the earliest timestamp from which you
want data polled. Click Now to use the current date and time.
8. To finish configuration and poll the feed, click Save and Run Now.
After configuring the collection, you can click the Poll Status to view a complete log
of poll activity for the collection.
Configuring Push Collections
You can also push data from ThreatStream to available collections on the TAXII
server. Pushes can be configured to run on a regular interval and based on saved
search filters. To read more about creating saved search filters, see "Saving
Observable Search Filters" on page 275.
To configure a push collection:
1. In the top navigation bar, click the Settings icon and then TAXII.
2. Under Sites, locate the TAXII server of interest and click the expand icon to
display the site details.
3. Click Push Collections.
4. Click New.
5. Under Collection Name, select the collection on the TAXII server to which you
want to push.
6. Enter an Interval to specify the cadence at which ThreatStream will push data to
the collection.
7. Enter a Start From date. This specifies the earliest timestamp from which you
want data pushed. Click Now to use the current date and time.
8. Select a Saved Search to specify the data you want to push to the collection.
9. If required, enter your Subscription ID.
10. To save the configuration and push data to the collection, click Save and Run
Now.
Managing TAXII Feeds
TAXII Feeds are dedicated channels for receiving TAXII data on ThreatStream.
TAXII feeds can be private to your organization or shared with trusted circle
organizations. In addition to fostering sharing within ThreatStream, TAXII feeds can
also serve data to TAXII clients.
Creating TAXII Feeds on ThreatStream
You can create new TAXII feeds on the TAXII tab within ThreatStream settings.
To create a TAXII Feed:
1. In the top navigation bar, click the Settings icon and then TAXII.
2. Click Actions > New TAXII Feed.
3. Enter a unique Name for the feed.
4. Under Expiration Date enter the number of days you want intelligence pushed
to this feed to stay active.
5. Select a default Confidence score for the intelligence pushed to the feed.
To use the selected default Confidence score over ThreatStream Confidence
scores, select Trust My Confidence.
6. Select a Visibility for the feed.
If you choose Trusted Circles, select a trusted circle from the list.
Organizations in the trusted circle will be able to poll data you push to the feed.
See "Managing TAXII Feeds " on the previous page for more information.
Note: Once a TAXII feed has been created, its Visibility can not be edited.
7. Click Save.
Editing TAXII Feeds
You can edit configured TAXII feeds on the TAXII settings page.
To edit a TAXII feed:
1. In the top navigation bar, click the Settings icon and then TAXII.
2. Click TAXII Feeds.
3. On the TAXII Feeds tab, click Actions > Edit TAXII Feed.
4. Make required changes.
5. Click Save.
Deleting TAXII Feeds
TAXII feeds cannot be deleted from the ThreatStream UI. Please contact Anomali
support for assistance.
Chapter 7: Searching Intelligence in
ThreatStream
ThreatStream enables you to comb the multitude of intelligence available to you on
ThreatStream, including Observables, Threat Bulletins, Actors, Campaigns, TTPs,
Incidents, Signatures, Vulnerabilities, and Investigations.
The search box in the ThreatStream top navigation bar queries all available
observables and Threat Model entities in a single search. Search queries are not
case sensitive and results are returned regardless of case. For more on case
sensitivity, see "Case Sensitivity in ThreatStream Search" on page 279.
For more on searching observables only, including Basic and Advanced search
functionality, see "Searching Observables in ThreatStream" on page 258.
For more on searching individual Threat Model entities only, see "Threat Model List
View" on page 366.
For more on investigations, see "Investigating Threats in ThreatStream" on
page 325.
Fields Queried in Universal Searches
Universal search queries observable values for Observables and Aliases,
Descriptions, Names, and Tags for Threat Model entities.
Universal Search Results Page
The universal search results page gives you an overview of results for the entered
keyword in each entity.
Observable search results: only observables with the status Active are queried.
To view the complete list of results on the ThreatStream Search page, click See
more in Search.
Threat Model entity search results: to view the complete list of results for a
Threat Model entity on its respective Threat Model page, click the See more...
link under the search results list.
Investigation search results: the complete list of results is displayed.
Chapter 8: Observables
Observable Confidence in ThreatStream 235
Editing Observable Details 237
Associating an Observable with Other Observables 242
Adding Private Tags to Observables 243
Bulk Tag Management 244
Restricting Observable Visibility to Workgroups 246
Reporting False Positives 248
My Attacks Report 250
Viewing Attacks with Sightings 253
Deleting Observables 256
ThreatStream uses the terms observable and indicator of compromise (IOC)
interchangeably.
For deeper analysis, you can drill down on individual observables by viewing
observable details pages. To view observable details pages, click the link for the
observable from any page in ThreatStream that displays observables as hyperlinks.
On this page, you can:
l Drill down further on observables associated with the observable you started
with. If you find any related observables through Explorer or Passive DNS
intelligence, you can view the observable details pages for those observables.
l Export observable details.
l Edit the observable fields. See "Editing Observable Details" on page 237.
Observable Details
Note: When a details page aggregates multiple instances of the same observable
value, the details in this section correspond to the instance with the highest
ThreatStream-assigned confidence score in active state.
Field Description
Severity Gauges the potential impact of the indicator type the observable
is thought to be associated with.
By default, ThreatStream maps observables to one of four
severity values based on the indicator type with which they are
associated. For example, command and control indicator types
are mapped to the severity value High, while TOR related
observables are mapped to Low. However, cases occur in which
default values are not displayed. In some cases, severity values
assigned to observables by the source are used. Additionally,
severity values can be modified by ThreatStream users when
editing observables that belong to their organizations.
For a complete list of indicator types and corresponding default
severity values, see Indicator Types in ThreatStream.
Confidence Confidence indicates the certainty that an observable exhibits or
is connected to malicious behavior. Anomali ThreatStream's
machine learning-based threat intelligence engine calculates
confidence by taking many factors into account. Confidence is
calculated for all available instances of a single observable as
reported by various threat intelligence sources. ThreatStream's
machine learning algorithms do not calculate confidence scores
for email, hash, or string observable types and in cases where
users select "Override System Confidence" during import or
stream creation.
If the observable details page aggregates multiple instances of
the same observable, the highest ThreatStream assigned
confidence score of the available instances in active state is
displayed. In these cases high (Hi), low (Lo), and an average
(Avg) confidence values are displayed when you mouse over the
confidence value.
For more information on how confidence is calculated and used
in ThreatStream, see "Observable Confidence in ThreatStream"
on page 235.
Org Admins can configure observable details pages to display
the Source Reported Confidence instead of confidence values
assigned by ThreatStream. For more on confidence value
display settings, see "Viewing and Editing Organization
Settings" on page 71.
Anomali ThreatStream Page 226 of 750
User Guide
Chapter 8: Observables
Status Whether the observable is Active, Inactive, or False Positive.
Observables imported through feeds to which ThreatStream
assigns a confidence score less than or equal to 15 are
automatically marked false positive. Observables imported and
approved through the ThreatStream user interface are never
automatically marked false positive by ThreatStream. Since an
observable can have multiple instances, cases occur in which
observable values—imported through a feed—are automatically
marked false positive by ThreatStream due to their confidence
scores, while identical values—imported and approved through
the ThreatStream user interface—have active status.
Type Indicator type associated with the observable. See Indicator
Types in ThreatStream for more information.
If the observable details page aggregates multiple instances of
the same observable, the indicator type associated with the
most recently imported observable is displayed.
Anomali ThreatStream Page 227 of 750
User Guide
Chapter 8: Observables
Tags View tags associated with all available instances of the
observable.
Click Edit to add or remove tags. Click Done to save changes.
As you type, the 20 most used tags in your organization from the
previous seven days are displayed. Enter * to display a list of
preferred tags configured by your organization, in addition to
pre-defined kill chain phase tags. For more on configuring
Preferred Tags, see "Adding Preferred Tags to Intelligence" on
page 200.
Tags must be 2,000 characters or less. Observables can contain
up to 200 tags per organization. Tags added by other
organizations do not count toward this limit.
To add private tags that are only visible to your organization,
assign them the My Organization visibility setting. Tags
assigned the Anomali Community visibility setting are visible to
any user with access to the observable. See "Adding Private
Tags to Observables" on page 243 for more information. Since
organizations can decide whether users outside of their
organization can add public tags to their data, the Anomali
Community visibility setting is not available in all cases. In cases
where there are multiple instances of an observable, Anomali
Community tags will only be added to instances of the
observable if owner organizations allow public tags from
external users.
You can only remove tags that were added by users in your
organization.
Tip: Did you know you can add tags to observables in bulk?
On the observables search page, select the observables you
want to tag and click Modify Tags in the Actions menu. See
"Modify Tags" in "Performing Basic Observable Searches"
on page 258 for more information.
Org Admins: Did you know you can set a default tag
visibility setting? See the "Use My Organization as default
tag TLP" setting on "Viewing and Editing Organization
Settings" on page 71 for more information.
Last Modified: Timestamp of the most recent update made to the details of the
observable.
Sightings: Number of times the observable has appeared in your network
data. You can click View Sightings to manually manage
sightings data. See "Viewing Attacks with Sightings" on
page 253 for more information.
Entries: Number of instances of the observable to which you have
access on ThreatStream. Details of each instance are listed
below in the Intelligence section.
Country: Two-letter ISO country code for the IP associated with the
observable. For example, US, CN, DE, and so on.
ASN: The Autonomous System Number (ASN) for the IP associated
with the observable.
Organization: ThreatStream organization that owns the observable.
Insights: Additional context on the observable from external sources.
Analysis Links
View external resources for more information on the observable. The table below
lists the resources available for each observable type.
Type Resource
Domain: Google Safe Browsing, URLVoid, VirusTotal, Web of Trust, urlscan.io
Hash: VirusTotal
IP: Google Safe Browsing, IPVoid, Shodan, VirusTotal, urlscan.io
URL: Google Safe Browsing, URLVoid, VirusTotal, Web of Trust, urlscan.io
Note: Analysis links are not available for email observables.
Export
Click the PDF icon to export observable details in PDF format. Click CSV, Snort,
OpenIOC, STIX 1.1.1, STIX 1.2, STIX 2, or STIX 2.1 to export instances of the
observable from the Intelligence table (see Intelligence for more information) in the
format of your choosing.
See "Supported Attributes for Indicators" on page 693 for a list of supported
STIX attributes.
Note:
- Tags are included in STIX 1.x exports as Cybox:Keywords. Up to 250 tags can
be exported.
- STIX 2.0 and 2.1 exports are only supported for Domain, Email, Hash, IP
address, and URL observables.
- All timestamps are displayed in UTC when exported.
False Positive
Report the observable as false positive. See "Reporting False Positives" on
page 248 for more information.
Investigation
Add the observable to an investigation. See "Investigating Threats in ThreatStream"
on page 325 for more information.
Relationships
View and build graphical representations of relationships between the observable
and other observables or Threat Model entities. For more on using the Relationships
tool, see "Analyzing Adversary Infrastructure with Explore" on page 630.
Notes:
- On Observable details pages, Explore contains an additional export icon.
Clicking this icon exports the graph in PNG format.
- Auto-Map to MITRE, a feature available on pivoting tools within investigations,
is not available on observable details pages. See "Automatically Adding
MITRE ATT&CK Techniques to Investigations" on page 344 for more
information.
Deeper Analysis
View values for every available intelligence field—in addition to intelligence from
enrichments you have access to—in two different views.
- Click the corresponding icon to view intelligence in a graphical tree.
- Click the corresponding icon to view intelligence in a table.
Import Related Observables
If your organization subscribes to Virus Total, you can import related domains,
hashes, and URLs provided by Virus Total at the click of a button.
To import observables from Virus Total:
1. Navigate to the observable details page that contains the related Virus Total
intelligence you want to import.
2. Click Import Related Observables.
3. Select the observables you want to import.
4. Click Import Related Observables.
5. Complete the import job on the Import screen. Import jobs must be approved
before the observables are added to your threat intelligence on ThreatStream.
Note: By default, import jobs for related Virus Total observables assign Visibility,
Confidence, Expiration Date, and Threat Type values based on the parent
observable.
Intelligence
View each available instance of the observable. If encountered by multiple data
sources, more than one instance is displayed.
Field Description
Date First: Date the instance of the observable became active in
ThreatStream.
Last Modified: Date the instance of the observable was most recently edited.
Click View details to view a log of changes made to the instance.
Recorded changes include edits to observable confidence,
expiration date, indicator type, tags, severity, status, and TLP.
Source Created: Timestamp when the observable was created by its original
source.
Source Modified: Timestamp when the observable was last modified by its original
source.
iType: Indicator type associated with the observable. See "Indicator
Types in ThreatStream" on page 702 for more information.
Indicator: Value of the observable.
Country: Country associated with the observable.
Source: Feed, trusted circle, or organization user from which the instance
originates.
Visibility: Visibility setting for the instance: Anomali Community, Trusted
Circles, or My Organization. The visibility of observables imported
by your organization can be further restricted to specific
workgroups in your organization. See "Restricting Observable
Visibility to Workgroups" on page 246 for more information.
TLP: TLP (Traffic Light Protocol) color assigned to the instance.
The TLP color tells consumers of the information whether further
dissemination of the information is allowed and, if so, how freely
it may be distributed.
To learn more about TLP, search for "Traffic Light Protocol" in
your favorite search engine.
Confidence: Confidence value assigned to the observable instance by
ThreatStream. These confidence values are determined either in
part or in whole by Anomali’s machine learning algorithms.
Anomali’s algorithms take many factors into account when
calculating confidence scores. See "ThreatStream Assigned
Confidence" on page 237 for more information.
Source Reported Confidence: Confidence value assigned to an observable by its
source. As data originates from an array of sources, Source Reported
Confidence values can be assigned by premium feed providers,
open source feeds, or individual analysts manually importing data,
among others. ThreatStream ingests Source Reported
Confidence scores and displays them to users as-is, without
alteration. See "Source Reported Confidence" on page 237 for
more information.
Status: Current status of the instance—Active, Inactive, or False Positive.
Import Job: Link to the import job associated with the instance.
For instances of the observable that you have permission to clone, a Clone button is
displayed. See "Cloning Observables" on page 241 for more information.
For instances of the observable that you have permission to edit, an Edit button is
displayed. See "Editing Observable Details" on page 237 for more information.
For instances of the observable that belong to your organization, an Edit
Anonymous button is displayed. You can use it to change the user and
organization information anonymization setting for the instance. If enabled, users
outside of your organization with access to the data will see "Analyst" in all fields that
would otherwise display an organization or user name.
For instances of the observable which are assigned the My Organization visibility
setting, you can click Assign to Workgroup to restrict the visibility of the observable
to specific workgroups within your organization. See "Restricting Observable
Visibility to Workgroups" on page 246 for more information.
Sightings
View attack data on the observable in a graphical widget. Sightings is only displayed
if My Recent Attacks data is available for the observable. For more on Sightings, see
"Viewing Attacks with Sightings" on page 253.
Enrichments
View various data enrichments on the observable from external sources. Click
Suggested Enrichments... to view a list of available unactivated enrichments that
ThreatStream recommends for the observable based on its indicator type. Clicking
an unactivated enrichment takes you to the Integrations tab within Settings, where
you can activate the enrichment. For more information on available enrichments,
see "Integrating With Third-Party Services" on page 117.
Related Indicators
If available, related observables from Virus Total are displayed. You can import
these observables by clicking Import Related Observables at the top of the
screen.
Associations
View and drill down on observables, threat model entities, and investigations
associated with the observable. You can create associations with other observables
from this section. Associations with Threat Model entities and investigations can be
created from the details page of the entity or investigation you want to associate with
the observable.
Comments
View and add comments on the observable. To add private comments that are only
visible to your organization, assign them the TLP color red. Comments assigned the
TLP color white are visible to any user with access to the observable.
Observable Confidence in ThreatStream
Observable details pages often aggregate information about an observable coming
from multiple sources. Feeds, trusted circles, user imports, sandbox detonations,
and more can provide varying data on the same observable value. Confidence—the
confidence a data source has that the observable exhibits or is connected to
malicious behavior—is one such data piece. Therefore, confidence appears in
multiple places on observable details pages. This article describes what each of
these confidence scores are, where they come from, and how to use them.
Taken together with severity, which gauges the potential impact of the indicator type
the observable is thought to be associated with, confidence helps form a high-level
judgment on individual observables that can be used for prioritizing threat research.
Indicator types in ThreatStream are mapped to one of four severity values: low,
medium, high, and very-high.
Overview Confidence
The first confidence score you see on observable details pages is the score included
in the overview section at the top of the page.
This confidence score is assigned to the observable by ThreatStream. If the page
includes information from multiple sources, the overview section displays the
highest confidence score of the available instances in active state. See
ThreatStream Assigned Confidence for information on how these values are
calculated.
Confidence in the Intelligence Table
The Intelligence table on observable details pages displays all available instances of
a single observable as reported by various sources. Each instance has a
Confidence score and a Source Reported Confidence score.
ThreatStream Assigned Confidence
Values in the Confidence column are assigned to the observable instance by
ThreatStream. These confidence values are determined either in part or in whole by
Anomali ThreatStream's machine learning-based threat intelligence engine.
With regard to observables imported directly into ThreatStream or from a user-
created stream, the ThreatStream assigned confidence score is determined entirely
by Anomali’s machine learning algorithms—unless users manually specify a
confidence value and select Override System Confidence during import or stream
creation.
Note: Anomali machine learning algorithms only score observables assigned
Domain, IP, and URL indicator types. When all other observables—those
assigned email, hash, or string indicator types—are imported through the import
assistant or a feed, confidence values specified on the confidence slider are
used, even if Override System Confidence is not selected.
With regard to observables ingested from premium or open-source threat
intelligence feeds which are not configured by users, the ThreatStream assigned
confidence score is a combination of the confidence score calculated by machine
learning algorithms and the Source Reported Confidence score. Each feed or
source is assigned a weight at which the source and ThreatStream machine
learning confidence scores are mixed. This ratio is set by Anomali and varies across
sources.
Source Reported Confidence
Source Reported Confidence, as indicated by its name, is a confidence value
assigned to an observable by its source. As alluded to above, data originates from
an array of sources. Therefore, Source Reported Confidence values can be
assigned by premium feed providers, open source feeds, or individual analysts
manually importing data—among others. ThreatStream ingests Source Reported
Confidence scores and displays the values to users as-is, without alteration.
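The scoring rules in this section, together with the auto-false-positive note under "Reporting False Positives" on page 248, as an added worked model. This is not Anomali's code: the per-instance assigned confidence, the resulting status, and the overview score follow the text, while the linear blend for feeds, the placeholder feed weights (Anomali sets the real ratios), the default weight, and the sample values are assumptions.

```python
"""Model of the ThreatStream confidence and auto-false-positive rules.

Added example, not Anomali's code. Assumptions not stated by the page:
feed mixing is a linear blend  w * ml_score + (1 - w) * source_reported
with a placeholder per-feed weight w, and all scores are integers 0-100.
"""
from dataclasses import dataclass
from typing import Optional

# Only these indicator types are scored by the ML engine (stated on the page).
ML_SCORED_TYPES = {"domain", "ip", "url"}
# Feed imports assigned a confidence <= 15 are auto-marked False Positive (page).
AUTO_FP_THRESHOLD = 15
# Placeholder blend weights per feed; the real ratios are set by Anomali.
FEED_ML_WEIGHT = {"example-premium-feed": 0.7, "example-osint-feed": 0.4}
DEFAULT_ML_WEIGHT = 0.5  # placeholder for feeds not listed above


@dataclass
class Instance:
    value: str                             # observable value, e.g. a domain
    itype: str                             # domain, ip, url, email, hash or string
    origin: str                            # "ui_import", "user_stream" or "feed"
    feed: Optional[str] = None             # feed name when origin == "feed"
    ml_score: Optional[int] = None         # ML engine score, if the type is scored
    source_reported: Optional[int] = None  # Source Reported Confidence, as-is
    slider: Optional[int] = None           # value chosen on the confidence slider
    override_system: bool = False          # "Override System Confidence" selected


def assigned_confidence(inst: Instance) -> int:
    """Return the ThreatStream assigned confidence for one instance."""
    if inst.origin in ("ui_import", "user_stream"):
        # A manual override wins for every indicator type.
        if inst.override_system and inst.slider is not None:
            return inst.slider
        if inst.itype in ML_SCORED_TYPES:
            # Direct imports of domain/IP/URL are scored entirely by the ML engine.
            if inst.ml_score is None:
                raise ValueError(f"{inst.value}: ML-scored type without an ML score")
            return inst.ml_score
        # Email, hash and string types take the slider value even without override.
        if inst.slider is None:
            raise ValueError(f"{inst.value}: non-ML type needs a slider value")
        return inst.slider
    if inst.origin == "feed":
        if inst.source_reported is None:
            raise ValueError(f"{inst.value}: feed instance without a source score")
        if inst.itype in ML_SCORED_TYPES and inst.ml_score is not None:
            # Assumed linear blend; the page only says the two scores are mixed
            # at a per-source weight.
            w = FEED_ML_WEIGHT.get(inst.feed, DEFAULT_ML_WEIGHT)
            return int(round(w * inst.ml_score + (1 - w) * inst.source_reported))
        # Non-ML types from a feed: the source-supplied value is used as-is
        # (interpretation of the page's note on email/hash/string types).
        return inst.source_reported
    raise ValueError(f"{inst.value}: unknown origin {inst.origin!r}")


def status(inst: Instance) -> str:
    """Active unless a feed import sits at or below the auto-FP threshold."""
    if inst.origin == "feed" and assigned_confidence(inst) <= AUTO_FP_THRESHOLD:
        return "False Positive"
    return "Active"  # UI-approved imports are never auto-marked false positive


def overview_confidence(instances):
    """Overview score on the details page: highest confidence among Active instances."""
    active = [assigned_confidence(i) for i in instances if status(i) == "Active"]
    return max(active) if active else None


if __name__ == "__main__":
    # Constructed scenario from the page: the same value arrives from a feed
    # and from a UI import; the feed copy is auto-marked while the UI copy stays active.
    from_feed = Instance("bad.example", "domain", "feed", feed="example-premium-feed",
                         ml_score=10, source_reported=20)
    from_ui = Instance("bad.example", "domain", "ui_import", ml_score=10)
    for inst in (from_feed, from_ui):
        print(inst.origin, assigned_confidence(inst), status(inst))
    print("overview:", overview_confidence([from_feed, from_ui]))
```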
Editing Observable Details
As observable information can change over the course of investigations,
ThreatStream enables you to edit certain observable fields. The following fields can
be edited: iType, Confidence, TLP, Severity, Status, Anonymous, and
Expiration Date.
Only users with the Approve Import privilege can edit observables for their
organization.
You can edit observables individually from an observable details page, or in bulk
from the observables search page.
Reasons to Edit Observables
Editing observables can be helpful when:
- Observables that are private to your organization have expired and become
Inactive
- You want to mark observables that are private to your organization false positive
- You want to update information in any of these fields: iType, Confidence, TLP,
Severity, Status, Anonymous, and Expiration Date
Editing Restrictions
Only My Organization observables—those that are private to your organization—
can be edited.
Though only My Organization observables can be edited, you can change the status
of inactive Anomali Community and Trusted Circle observables to active by re-
importing them. See "Re-importing Observable Values" on page 321 for more
information.
To edit observables in bulk:
1. Navigate to Analyze > Observables and perform a search to locate the
observables you want to edit.
2. Select the observables you want to edit.
3. In the Actions menu, click Edit.
4. In the edit window, select the fields you want to edit and make required
changes.
Once you have made the changes, you can click Review Changes to review
them before saving them.
Before saving, you can also click Revert to restore the original value for the
changed field.
Notes:
- If you selected observables of more than one type, such as domains and IP
addresses, you cannot edit the indicator type field.
- As indicator types are mapped to severity values, editing observable
indicator types can result in changes to the severity field. See "Indicator
Types in ThreatStream" on page 702 for a complete list of indicator type to
severity mappings.
- Anonymous settings cannot be edited in bulk. You can anonymize
observables individually from observable details pages.
5. Click Apply Changes.
To edit an individual observable:
1. Navigate to the observable details page of the observable you want to edit.
2. Under Intelligence, locate the instance of the observable that you want to edit
and click Edit. If Edit is not displayed, the observable cannot be edited due to
the reasons specified in "Editing Restrictions" on page 238.
3. Make the required edits.
4. Click Update.
Cloning Observables
Cloning an observable creates a separate instance of the observable. When you
clone an observable, an import session is initiated, which must be approved to add
the cloned observable to your threat intelligence.
Cloned observables are completely independent from the observables they are
cloned from. Once a cloned observable is imported and added to your threat
intelligence, it is treated like any other observable in ThreatStream.
Reasons to Clone Observables
Cloning observables can be helpful when...
- you encounter Inactive observables imported by other organizations. Cloned
observables become Active after successfully moving through the regular Import
process.
For more on the ThreatStream Import process, see "Importing Observables with
Import Assistant" on page 280.
- you want a private copy of an observable for internal use. Cloned observables
are always My Organization.
Cloned Attributes
When you clone an observable, the following intelligence fields are copied from the
source observable: Value, Type, iType, Confidence, Tags, and Severity.
Cloned observables maintain the Threat Model entity associations held by the
source observable. As a result, threat model entities associated with a source
observable also list the cloned observable in their Intelligence associations.
Cloning Restrictions
The following observables cannot be cloned:
- Observables assigned a string indicator type. For a list of string indicator types,
see "Indicator Types in ThreatStream" on page 702.
- Observables with the status Pending
- Observables imported by your organization
To clone an observable:
1. Navigate to the observable details page of the observable you want to clone.
2. Under Intelligence, locate the instance of the observable that you want to clone
and click Clone.
If Clone is not displayed, the observable cannot be cloned due to one or more of
the above restrictions.
3. On the dialogue box, click Clone to initiate the cloning process.
4. If you are authorized to approve import sessions, you can click Approve Now to
immediately add the cloned observable to your threat intelligence, or Review
Now to review the observable details on the Import Review page. For more on
approving import sessions, see "Approving Import Jobs" on page 308.
Note: Only users with Approve Import privileges can approve observable
imports.
Associating an Observable with Other Observables
In addition to bidirectional associations between observables and threat model
entities, ThreatStream enables you to associate observables with other related
observables. Associations appear in the Associations table on observable details
pages, allowing you to quickly and easily pivot between related observables.
To associate an observable with another observable:
1. Navigate to the details page of the observable for which you want to add the
association.
2. Under Associations, click Observables.
3. Click Add.
4. Enter a search query and select the observables you want to add as
associations.
5. Click Add Observables.
To remove observable associations:
1. Navigate to the details page of the observable for which you want to remove the
association.
2. Under Associations, click Observables.
3. Select the observable you want to disassociate.
4. Click Remove.
Adding Private Tags to Observables
ThreatStream gives you the flexibility to add private tags to observables that are
classified Anomali Community or shared with trusted circles.
Private tags enable you to add private information to Anomali Community or Trusted
Circle observables without having to create private clones of the observables. For
example, if you wanted to add a tag that contains proprietary information to a public
observable, you could simply make the tag private. Though the observable is
publicly available, the tag would only be visible to users in your organization.
When you add tags to observables, you can select one of two visibility settings:
Anomali Community or My Organization. Tags assigned the Anomali Community
setting are visible to all users with access to the observable. Tags assigned the My
Organization setting are private to your organization.
Organizations can configure whether users from other organizations can add public
(Anomali Community) tags to their data. See "Allow public tags on data owned by
my organization" on page 80 for more information.
On search and observable details pages, private tags appear in red and public tags
in black.
Private tags can be added from:
- Observable Details pages
For more information, see "Observables" on page 224.
- Import sessions
For more information, see "Importing Observables with Import Assistant" on
page 280.
- Basic Search pages
For more information, see "Performing Basic Observable Searches" on
page 258.
- Advanced Search pages
For more information, see "Performing Advanced Observable Searches" on
page 260.
Observables can contain up to 200 tags per organization. Tags added by other
organizations do not count toward this limit.
Note: You can only remove tags that were added by users in your organization.
Bulk Tag Management
ThreatStream enables you to add and remove observable tags in bulk from the
Observables search page. You can add tags to any observable to which you have
access on ThreatStream, including those owned by other organizations.
For observables owned by other organizations, you can only remove tags that were
added by your organization. You can remove any public tag associated with
observables owned by your organization. Anomali Community tags can only be
added to observables if owner organizations allow public tags from external users.
Note: Observables can contain up to 200 tags per organization. Tags added by
other organizations do not count toward this limit.
To add observable tags in bulk:
1. Navigate to Analyze > Observables.
2. Select the observables to which you want to add tags.
3. In the Actions menu, click Edit Tags.
4. Under Add Tags, select a Visibility setting for the new tags. To add tags which
are visible only to your organization, select My Organization. To add tags
which are visible to all organizations with access to the observables, select
Anomali Community.
5. Enter the tags you want to add to the observables. If adding multiple tags,
comma separate the desired tag values.
Note: Tags must be 2,000 characters or less.
6. Click Apply Changes.
To remove observable tags in bulk:
1. Navigate to Analyze > Observables.
2. Select the observables containing the tags which you want to remove.
3. In the Actions menu, click Edit Tags.
4. Tags currently associated with the selected observables are displayed under
Mutual Tags—those shared by all selected observables—and Other Tags—
those that are associated with one or more of the selected observables.
5. Select the tags which you want to remove from the selected observables.
Note: You cannot remove tags on observables owned by other
organizations that your organization did not create.
6. Click Apply Changes.
Restricting Observable Visibility to Workgroups
Users with the Approve Import privilege can restrict the visibility of observables that
are private to your organization to specific workgroups within your organization or
edit the workgroups observables are already restricted to. Workgroups can be
selected from observable details pages or in bulk from the observables search
page.
You cannot restrict the visibility of observables which are shared with the Anomali
Community or Trusted Circles.
For more information on workgroups, see "Restricting Access to Intelligence with
Workgroups " on page 196.
To restrict an observable to selected workgroups from observable details pages:
1. Navigate to the details page of the My Organization observable whose visibility
you want to restrict.
2. In the Intelligence table, click Assign to Workgroups.
3. Click Restrict to Workgroups and select the workgroups to which you want to
give exclusive access to the observable. You must select at least one
workgroup to which you belong.
4. Click Save.
To restrict an observable to selected workgroups from the observables search screen:
1. Navigate to Analyze > Search.
2. Search for the observable whose visibility you want to restrict.
3. In the Actions menu, click Assign to Workgroups.
4. Click Restrict to Workgroups and select the workgroups to which you want to
give exclusive access to the observable. You must select at least one
workgroup to which you belong.
5. Click Save.
To restrict observables in bulk to selected workgroups:
1. Navigate to Analyze > Observables.
2. Select the My Organization observables whose visibility you want to restrict.
Note: You must select only observables with identical visibility settings. For
example, select only My Organization observables without workgroup
restrictions or those shared with the same workgroups.
3. In the Actions menu, click Bulk Add Workgroups.
4. Click Restrict to Workgroups and select the workgroups to which you want to
give exclusive access to the observable. You must select at least one
workgroup to which you belong.
5. Click Save.
Reporting False Positives
You can report observables you believe to be benign as false positive on
ThreatStream.
Reporting My Organization observables as false positive does not require approval
from Anomali. Reporting Anomali Community observables and those shared with
your organization via trusted circles does require approval from Anomali. Therefore,
there are distinct procedures for each scenario.
For ThreatStream OnPrem users only: For local observables, follow the
procedure under "Reporting My Organization Observables as False Positives"
below. For remote observables, follow the procedure appropriate for the Visibility of
the observable.
Note: Observables imported through feeds to which ThreatStream assigns a
confidence score less than or equal to 15 are automatically marked false
positive. Observables imported and approved through the ThreatStream user
interface are never automatically marked false positive by ThreatStream. Since
an observable can have multiple instances, cases occur in which observable
values—imported through a feed—are automatically marked false positive by
ThreatStream due to their confidence scores, while identical values—imported
and approved through the ThreatStream user interface—have active status.
Reporting My Organization Observables as False Positives
Reporting My Organization observables—those owned by your organization—as
false positive does not require approval from Anomali. To mark a My Organization
observable false positive, simply edit the observable and change its Status to False
Positive.
When you change the Status of a My Organization observable to False Positive it is
removed from your downstream integrations but not added to your Exclude List.
To report a My Organization observable as false positive:
1. Navigate to the details page of the observable you want to report as false
positive.
2. In the Intelligence table click Edit.
Note: Only users with the Approve Import privilege can edit observables.
3. Under Status, select False Positive.
4. Click Update.
Reporting Anomali Community or Trusted Circle Observables as False Positives
Reporting Anomali Community observables or those shared with your organization
via trusted circles as false positive requires approval from Anomali. You can report
these observables as false positives from observable details pages.
When reported, observables are immediately added to your Exclude List and also
sent to Anomali for approval. Reported observables are also automatically removed
from your downstream integrations via ThreatStream Integrator at your next
scheduled data synchronization. If false positives are rejected by Anomali, they
continue to be part of your Exclude List but remain active on ThreatStream.
For more on managing your Exclude List entries, see "Updating Your Exclude List"
on page 113.
Note: Once approved by Anomali, the false positive status of Anomali
Community and trusted circle observables cannot be revoked. If you need to
revoke the false positive status of an observable, contact Anomali Customer
Support.
To report an Anomali Community or trusted circle observable as false positive:
1. Navigate to the details page of the observable you want to report as false
positive.
2. Click Report as False Positive.
3. Select the reason why the observable is a false positive.
4. (Optional) Enter an additional comment to provide more details.
5. Click Report.
My Attacks Report
The My Attacks report (also known as MyAttacks) is generated on
ThreatStream's downstream SIEM integrations and on Anomali Match. It contains
information about matches that recently occurred on these integrations against the
threat intelligence received from ThreatStream. You can configure your integrations
to send this report to ThreatStream.
Note: My Attacks report does not collect or forward any information pertaining to
your internal network, users, or assets.
Information in a My Attacks report is used in the following ways on ThreatStream:
- To populate the My Recent Attacks widget in the Overview Dashboard of your
organization on ThreatStream, allowing you to quickly and centrally see all
matches in your organization from the ThreatStream dashboard.
See "My Recent Attacks" on page 24 for more information on the widget.
- To create the My Events Map on ThreatStream for your organization, allowing
you to visualize the attack and its origination.
See "Visualizing Threats With MyEvents Map" on page 25 for more information
on this dashboard.
- To provide you with Sightings information—another visual representation of attack
data to gain a clear understanding of observables impacting your infrastructure
and how they compare with other organizations in the ThreatStream community.
See "Viewing Attacks with Sightings" on the next page for more information.
Sources that can send My Attacks Report
The following sources or downstream integrations can send My Attacks report to
ThreatStream:
- Anomali Match
- Splunk App
- ArcSight ESM (via ThreatStream Integrator)
- QRadar (via ThreatStream Integrator)
- LogRhythm (via ThreatStream Integrator)
Information included in the My Attacks Report
The following information is included in a My Attacks Report:
Field Value
Attack Type:
- Type of indicator (for all sources). Examples: c2_ip, mal_ip
- "DGA" (only for Anomali Match)
Attacker Address: Indicator value. Examples: 50.63.202.42, updatesys.zapto.org
Count: Number of matches
Reported TS: Timestamp
Device Source: Source of the My Attacks report:
- Anomali Match
- splunk
- arcsight_esm
- qradar
- logrhythm
Viewing Attacks with Sightings
Sightings is a graphical widget that displays attack data from integration
destinations that you have configured on ThreatStream. You can use Sightings to
gain a clearer understanding of the observables impacting your infrastructure and
how they compare with other organizations in ThreatStream.
Sightings data is provided to ThreatStream by a My Attacks Report. See
"My Attacks Report" on page 250 for more information.
When data from integration destinations is available for observables in
ThreatStream, Sightings is displayed on observable details pages
ThreatStream (see "Observables" on page 224). You can also manually add sightings data for an
observable. The widget displays up to the previous 30 days of data on the
observable.
Observable matches displayed in Sightings are sorted into three categories:
- Other Organizations: observable matches reported by other ThreatStream
  organizations and not your organization. Data from other organizations is
  anonymous and stripped of any personally identifiable information.
- My Organization: observable matches reported by your organization and other
  ThreatStream organizations.
- Unique to my Organization: observable matches reported only by your
  organization.
For more on observable details pages, see "Observables" on page 224.
Note: The Sightings widget is only displayed for observables that appear in the
My Recent Attacks widget on the Overview Dashboard.
Sending Attack Data to ThreatStream
Sightings uses data sent to ThreatStream from your integration destinations. To
enable ThreatStream to receive this data, the following settings must be configured
on your integration destinations:
- For ArcSight ESM, LogRhythm, and QRadar, the Enable My Attacks setting must
  be configured on ThreatStream Integrator. Refer to the ThreatStream Integrator
  Installation Guide for more information.
- For Splunk users that receive data from ThreatStream through ThreatStream
  Integrator, the ThreatStream Autotune Report must be enabled on Splunk. Refer
  to the ThreatStream Splunk App User Guide for more information.
- For Splunk users that receive data directly from ThreatStream, no further
  configuration is required—the ThreatStream Autotune Report is enabled by
  default.
Managing Sightings Data
In addition to the automated population of sightings data through ThreatStream
Integrator, sightings data can be manually managed from the ThreatStream user
interface. You can add, edit, and remove sightings from observable details pages.
All updates you make to your sightings data are reflected on the Sightings widget.
To add sightings:
1. Navigate to the details page of the observable for which you want to add
sightings.
2. In the Observable Details section of the page, click View Sightings.
3. In the Actions menu, click Add Sightings.
4. Select the date and time of the appearance of the observable in your network
history.
5. Enter a Count—number of instances of the observable during the Incident.
6. Click Add Sighting to add the sighting and close the window.
OR
Click Add Sighting & Add Another to add the sighting and continue creating
additional sightings.
To edit sightings:
1. Navigate to the details page of the observable for which you want to edit
sightings.
2. In the Observable Details section of the page, click View Sightings.
3. Locate the sighting you want to edit and click its Sighting Time.
4. Make required edits and click Save Change.
To delete sightings:
1. Navigate to the details page of the observable for which you want to delete
sightings.
2. In the Observable Details section of the page, click View Sightings.
3. Select the sightings which you want to delete and click Remove in the Actions
menu.
Sightings graphs are also displayed on observable details pages of observables
shown in Sightings.
Deleting Observables
Observables that are owned by your organization and assigned the My Organization
visibility setting can be deleted. Once deleted, observables cannot be restored. All
associations between deleted observables and threat model entities are broken.
You must have the Approve Import privilege to delete observables. Observables
can be deleted from observable details pages.
To delete an observable:
1. Navigate to the details page of the observable you want to delete.
2. Under Intelligence, locate the instance of the observable that is owned by your
organization and click Delete.
Note: In the case that multiple instances of a single observable exist in
ThreatStream, only the instance imported by your organization can be
deleted.
3. Click OK to confirm.
Chapter 9: Searching Observables in ThreatStream
This chapter covers the following topics:
Performing Basic Observable Searches 258
Performing Advanced Observable Searches 260
Searching for Defanged Observable Values 270
Filtering Search Results 271
Saving Observable Search Filters 275
Exporting Search Results 277
Case Sensitivity in ThreatStream Search 279
ThreatStream enables you to search for specific observables. There are two
observable search types: Basic and Advanced.
Selecting a Search Type
Basic search is a full text keyword search. In other words, when you use Basic
search, ThreatStream searches for your query in every field. Use Basic search
when you are looking for a keyword in any of the available fields, or can form a
regular expression.
Advanced search enables you to add additional meta data to your query and
restrict the search to specific fields. Use Advanced search when searching for a
specific value in a specific field.
Performing Basic Observable Searches
The Basic observable search function is a full text keyword search. It is adequate in
cases of simple observable searches, such as specific values observed during
investigations or recent observables from a trusted source.
Left Filter: Filter displayed search results. See "Filtering Search Results" on
page 271 for more information.
Applied Filters: The search filters you apply are displayed here. By default,
ThreatStream searches active observables that were imported within the last 30
days.
Export: Export listed search results. For more information, see "Exporting
Search Results" on page 277.
Actions: When you select observables from listed search results, the actions
below are available.
- New Threat Bulletin: Create a Threat Bulletin with the observables you select
  from listed search results. See "Threat Bulletins" on page 363 for more
  information.
- Edit Tags: Add or remove tags associated with observables from the listed
  search results in bulk. For more information on editing tags in bulk, see "Bulk Tag
  Management" on page 244.
  To add private tags that are only visible to your organization, assign them the My
  Organization visibility setting. Tags assigned the Anomali Community visibility
  setting are visible to any user with access to the observable. See "Adding Private
  Tags to Observables" on page 243 for more information.
  Note: Observables can contain up to 200 tags per organization. Tags added
  by other organizations do not count toward this limit.
- Assign to Workgroups: Restrict the visibility of the selected observable to
  specific workgroups within your organization. See "Restricting Observable
  Visibility to Workgroups" on page 246 for more information.
- Bulk Add Workgroups: Restrict the visibility of the selected observables to
  specific workgroups within your organization. See "Restricting Observable
  Visibility to Workgroups" on page 246 for more information.
- Start/Continue Investigation: Create a new investigation with the observables
  you select from listed search results or add them to an existing investigation.
- Anonymize: Change the user and organization information anonymization
  setting for selected observables that belong to your organization. If enabled,
  users outside of your organization with access to the data will see "Analyst" in all
  fields that would otherwise display an organization or user name.
Settings: Select which search result columns are displayed.
Performing Basic Searches
You can access the Search page by navigating to Analyze > Observables. The
Search page contains a list of every observable available to you in ThreatStream.
Enter a keyword to perform a search.
Note: Keywords are not case sensitive. For more on case sensitivity, see "Case
Sensitivity in ThreatStream Search" on page 279.
Performing Advanced Observable Searches
ThreatStream provides advanced search functionality for cases involving
specialized searches. Advanced Search queries are formed by constructing filters.
Left Filter: Filter the displayed search results. Filters are reflected in the
advanced search query when applied.
Execute Saved Search Filter: Select and execute a previously saved search
filter. Searches are automatically executed when you select the saved search. The
left filter is updated to reflect the search query you select.
Notes:
- The left filter does not reflect saved searches in cases where the saved search
contains fields not supported by the left filter. Additionally, selecting a left filter
will result in the removal of unsupported fields from the search query.
- The left filter does not reflect saved searches that contain regex operators such
as !=. In these cases, selecting a left filter overwrites the query.
- If you switch to basic search after entering an advanced search query that
contains regex operators, nested conditions, or fields unsupported by the left
filter, the query is not translated to basic search. Thus, search results are
different between basic and advanced search in these cases.
Save Filters: Save or manage search filters. See "Saving Observable Search
Filters" on page 275 for more information.
Export: Export listed search results. For more information, see "Exporting
Search Results" on page 277.
Actions: When you select observables from listed search results, the actions
below are available.
- New Threat Bulletin: Create a Threat Bulletin with the observables you select
  from listed search results. See "Threat Bulletins" on page 363 for more
  information.
- Edit Tags: Add or remove tags associated with observables from the listed
  search results in bulk. For more information on editing tags in bulk, see "Bulk Tag
  Management" on page 244.
  To add private tags that are only visible to your organization, assign them the My
  Organization visibility setting. Tags assigned the Anomali Community visibility
  setting are visible to any user with access to the observable. See "Adding Private
  Tags to Observables" on page 243 for more information.
  Note: Observables can contain up to 200 tags per organization. Tags added
  by other organizations do not count toward this limit.
- Assign to Workgroups: Restrict the visibility of the selected observable to
  specific workgroups within your organization. See "Restricting Observable
  Visibility to Workgroups" on page 246 for more information.
- Bulk Add Workgroups: Restrict the visibility of the selected observables to
  specific workgroups within your organization. See "Restricting Observable
  Visibility to Workgroups" on page 246 for more information.
- Start/Continue Investigation: Create a new investigation with the observables
  you select from listed search results or add them to an existing investigation.
- Anonymize: Change the user and organization information anonymization
  setting for selected observables that belong to your organization. If enabled,
  users outside of your organization with access to the data will see "Analyst" in all
  fields that would otherwise display an organization or user name.
Settings: Select which search result columns are displayed.
Constructing Advanced Search Filters
Advanced Search filters are composed of expressions that adhere to the following
format:
intelligence_field operator value
Filters can contain any number of expressions joined together by the logical
operators AND, OR, and NOT.
As you type, ThreatStream suggests context specific valid operators and fields.
You can hover over fields in the suggestion window to view descriptions for the
selected field.
ThreatStream color codes your advanced search queries for ease of use.
- Fields are blue
- Operators are purple
- Values are green
- Warnings are underlined in yellow
  Tip: Warnings occur when you use the = or != operators and enter an
  unexpected value for the specified field. Click the warning to view a list of
  suggested values.
- Errors are underlined in red
  Tip: Errors occur when queries exhibit missing parentheses, misplaced
  tokens, or unknown fields, operators, or values (such as an unsupported date
  format).
Click the expand icon to see your search query in an expanded view.
Note: Advanced search queries must be 2,000 characters or less.
Supported Intelligence Fields
To view a list of fields that can be used in advanced search queries, see
"Intelligence Fields in ThreatStream" on page 682.
Note: Though the values specified in advanced search filters are case-
insensitive, field names are case-sensitive. For example, including Tags instead
of tags creates an invalid search filter that will not return any results. To create a
valid search filter, you must enter the field name exactly as it appears in the
"Intelligence Fields in ThreatStream" on page 682. For more on case sensitivity,
see "Case Sensitivity in ThreatStream Search" on page 279.
Search Operators
Advanced search on ThreatStream supports the search operators listed in the table
below.
Operator     Description
=            Searches for results that are identical to the value after the operator.
!=           Searches for results that exclude the value after the operator.
contains     Searches for results that are composed partially or wholly of the value
             after the operator.
startswith   Searches for results that begin with the value after the operator.
endswith     Searches for results that end with the value after the operator.
~            Searches for results that match the regular expression after the
             operator. Only valid for use in filter expressions that contain regular
             expressions.
             Note: Avoid using regular expression operators in search queries. As an
             alternative, use the contains, endswith, or startswith operators to
             search for specific phrase matches. If these alternative operators do not
             fulfill your use case, contact Anomali Support for assistance.
!~           Searches for results that do not match the regular expression after the
             operator. Only valid for use in filter expressions that contain regular
             expressions.
             Note: Avoid using regular expression operators in search queries. As an
             alternative, use the contains, endswith, or startswith operators to
             search for specific phrase matches. If these alternative operators do not
             fulfill your use case, contact Anomali Support for assistance.
insubnet     Searches for results that fall within the subnetwork after the operator.
             See "Subnet Queries in Advanced Search" on page 269 for more information.
!insubnet    Searches for results that do not fall within the subnetwork after the
             operator. See "Subnet Queries in Advanced Search" on page 269 for more
             information.
<            Searches for results that are less than the numerical value or date after
             the operator.
<=           Searches for results that are less than or equal to the numerical value
             or date after the operator.
>            Searches for results that are greater than the numerical value or date
             after the operator.
>=           Searches for results that are greater than or equal to the numerical
             value or date after the operator.
AND          Searches for results that are included in both the filter expression
             before and the filter expression after the operator.
OR           Searches for results that are included in either the filter expression
             before or the filter expression after the operator. Results included in
             both filter expressions are also returned.
NOT          Searches for results that are excluded from the filter expression after
             the operator.
Each data type is compatible with certain search operators. The table below
displays all of the valid operators and fields associated with each data type.
Data Type  Valid Operators                Field Names
String     =, !=, contains, startswith,   status, type, itype, classification, value,
           endswith, ~, !~, insubnet,     severity, feed_group, ip, asn, country, org,
           !insubnet                      tags, rdns, detail, maltype
                                          Notes:
                                          - feed_group is a bulk collection of feeds and
                                            only supports the = and != operators.
                                          - The operators ~ and !~ can only be used with
                                            regular expressions. However, Anomali
                                            recommends the use of the contains,
                                            startswith, and endswith operators instead
                                            of regular expressions.
Numeric    =, !=, <, <=, >, >=            confidence, stream_id, import_session_id,
                                          owner_id, trusted_circle_ids
Date       =, !=, <, <=, >, >=            created_ts, modified_ts
                                          Date can be specified as follows:
                                          - In this format: YYYY-MM-DDThh:mm:ss, where T
                                            denotes the start of the value for time. For
                                            example, 2014-10-02T20:44:35.
                                          - As a relative time unit, in this format:
                                            -<n><unit>, where n is a whole number and
                                            unit is w, d, h, m, or s (for weeks, days,
                                            hours, minutes, and seconds, respectively).
                                            For example, -2w denotes two weeks, starting
                                            now.
Boolean    =, !=                          is_public
Logical    AND, OR, NOT                   Joins together multiple expressions.
                                          Example: confidence >= 90 AND itype = "apt_ip"
Tag Queries in Advanced Search
Unlike other string type observable fields, tags can contain multi-word phrases.
Therefore, advanced search behavior differs from other string type observable fields
with regard to certain operators.
- When searching for tags that equal a specified value (tags=<value>), results
  include all tags that contain the specified value. For example, tags = "attack"
  can yield any of the following tags: attack, attack pattern, zero day
  attack, and so on.
- The startswith operator does not support multi-word queries, such as tags
  startswith "panama papers". Therefore, you can use the startswith
  operator to query tags that contain a word beginning with the specified value
  only. For example, tags startswith "pan" can yield any of the following tags:
  panda, mustang panda, panama papers, pan, and so on.
- The endswith operator does not support multi-word queries. Instead, endswith
  inserts an OR between words specified after the operator. Therefore, you can
  use the endswith operator to query tags whose ending characters or words
  match the value specified after the operator. For example, tags endswith
  "security testing" can yield any of the following results: testing,
  pentesting, enterprise security, and so on.
Example Advanced Search Filters
- confidence >= 90
- confidence >= 90 AND itype = "apt_ip"
- classification = "public"
- confidence >= 90 AND (severity = "high" OR severity = "very-high")
- confidence >= 90 AND (itype = "apt_ip" OR itype = "bot_ip" OR itype = "c2_ip")
- confidence >= 70 AND (itype startswith "apt" OR itype startswith "mal" OR itype startswith "c2")
- confidence >= 75 AND itype != bot_ip AND itype != Actor_ip AND itype != brute_ip
- itype startswith apt
- subtype=sha256
- subtype=md5
- (type="md5" or type="ip") and (subtype=md5)
- (type="hash" or type="ip") and (subtype=md5)
  Note: When type is used in a search query, you can assign the values md5
  and hash interchangeably to it for all hash observables. However, in the
  subtype field, the value md5 queries md5 type hash observables only and
  excludes hashes of all other types.
- (subtype="sha1") and (status="active") and (created_ts>=2020-03-09T23:49:39)
- value endswith net
- ((itype != "bot_ip" AND confidence >= 75) OR (itype = "bot_ip" AND confidence >= 99)) AND classification = "public"
- modified_ts >= 2015-01-01T00:00:00
- country = "US"
- type = ip AND ip insubnet 192.168.23.170/27
- type=url AND value contains ".exe"
- (is_osint=true) and (status="active")
- (is_osint=true) and (type="url")
- (is_osint=true) and (confidence >= 90)
- (is_osint=false) and (type="url")
Subnet Queries in Advanced Search
There are two methods for searching IP observables that fall in particular subnets:
- Use the insubnet operator and specify a subnet using CIDR notation.
  For example, to search in the IP subnet 192.168.23.170/27, enter the following
  query: type = ip AND ip insubnet 192.168.23.170/27
  Note: Including type = ip in the above query is optional; however,
  specifying it narrows down the results to only observables of type IP address.
- Use the type and startswith operators to search within a subnet. After
  specifying type = ip, you can use startswith to search for IP addresses
  within /8, /16, /24, or /32 subnets.
  For example, to search in a /16 subnet, such as 95.86.0.0/16, enter the following
  query: type = ip AND value startswith 95.86
  To search in a /24 subnet, such as 95.86.35.0/24, enter the following query:
  type = ip AND value startswith 95.86.35
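The grammar described under "Constructing Advanced Search Filters" and the two subnet forms above can be exercised offline with a small evaluator; the one below is an added example, not Anomali code or ThreatStream's own implementation. Its field lists come from the data-type table, while the function names, the sample observables and the fixed clock NOW are this example's own assumptions; it parses field operator value expressions joined by AND, OR, and NOT with parentheses, treats field names as case-sensitive and values as not, understands absolute and relative dates, the tag matching rule and insubnet (the regular expression operators and !insubnet are left out).

```python
# Added example, not Anomali code: an evaluator for ThreatStream-style advanced search filters.
import ipaddress
import re
from datetime import datetime, timedelta

# Field lists follow the guide's data-type table (plus is_osint and subtype from its examples).
STRING_FIELDS = {"status", "type", "itype", "classification", "value", "severity", "feed_group",
                 "ip", "asn", "country", "org", "tags", "rdns", "detail", "maltype", "subtype"}
NUMERIC_FIELDS = {"confidence", "stream_id", "import_session_id", "owner_id", "trusted_circle_ids"}
DATE_FIELDS, BOOL_FIELDS = {"created_ts", "modified_ts"}, {"is_public", "is_osint"}
FIELDS = STRING_FIELDS | NUMERIC_FIELDS | DATE_FIELDS | BOOL_FIELDS  # names are case-sensitive
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|!insubnet|!=|<=|>=|[=<>]|[^\s()=!<>"]+')
UNITS = {"w": "weeks", "d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
OPS = {"=": lambda a, w: a == w, "!=": lambda a, w: a != w, "<": lambda a, w: a < w,
       "<=": lambda a, w: a <= w, ">": lambda a, w: a > w, ">=": lambda a, w: a >= w,
       "contains": lambda a, w: w in a, "startswith": str.startswith, "endswith": str.endswith}


def parse(query):
    """Recursive-descent parse into nested tuples; OR binds loosest, then AND, then NOT."""
    toks = TOKEN_RE.findall(query)
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0) if toks else None

    def expr(level=0):  # precedence climbing: level 0 is OR, level 1 is AND, level 2 atoms
        node = unary() if level == 2 else expr(level + 1)
        while level < 2 and (peek() or "").upper() == ("OR", "AND")[level]:
            take()
            node = (("OR", "AND")[level], node, expr(level + 1))
        return node

    def unary():
        if (peek() or "").upper() == "NOT":
            take()
            return ("NOT", unary())
        if peek() == "(":
            take()
            node = expr()
            if take() != ")":
                raise ValueError("missing parenthesis")
            return node
        field, op, value = take(), take(), take()
        if field not in FIELDS or value is None or op.lower() not in (*OPS, "insubnet"):
            raise ValueError("unknown field or operator near %r" % field)  # e.g. Tags, or ~
        return ("CMP", field, op.lower(), value.strip('"'))

    tree = expr()
    if toks:
        raise ValueError("misplaced token: " + toks[0])
    return tree


def coerce(field, raw, now):  # interpret a literal according to the field's data type
    if field in NUMERIC_FIELDS:
        return float(raw)
    if field in BOOL_FIELDS:
        return raw.lower() == "true"
    if field in DATE_FIELDS:
        rel = re.match(r"^-(\d+)([wdhms])$", raw)  # relative form such as -2w
        if rel:
            return now - timedelta(**{UNITS[rel.group(2)]: int(rel.group(1))})
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S")
    return raw.lower()  # string values are case-insensitive


def compare(field, op, raw, record, now):
    actual = record.get(field)
    if actual is None:
        return False
    if op == "insubnet":  # true CIDR test, valid for any prefix length
        return ipaddress.ip_address(actual) in ipaddress.ip_network(raw, strict=False)
    want = coerce(field, raw, now)
    if field == "tags":  # guide: tags = X matches any tag that merely contains X
        pred = OPS["contains"] if op == "=" else OPS[op]
        return any(pred(str(t).lower(), want) for t in actual)
    if field in STRING_FIELDS:
        actual = str(actual).lower()
    return OPS[op](actual, want)


def search(query, records, now):  # now anchors relative dates such as -2w
    def hit(node, r):
        if node[0] == "CMP":
            return compare(node[1], node[2], node[3], r, now)
        if node[0] == "NOT":
            return not hit(node[1], r)
        left, right = hit(node[1], r), hit(node[2], r)
        return (left and right) if node[0] == "AND" else (left or right)
    tree = parse(query)
    return [r["value"] for r in records if hit(tree, r)]


NOW = datetime(2021, 8, 27, 12, 0, 0)  # fixed clock so relative dates are checkable
OBSERVABLES = [  # constructed sample records, not real intelligence
    {"value": "192.168.23.171", "ip": "192.168.23.171", "type": "ip", "itype": "c2_ip",
     "confidence": 95, "status": "active", "is_osint": True, "tags": ["attack pattern"],
     "created_ts": NOW - timedelta(days=3)},
    {"value": "192.168.23.1", "ip": "192.168.23.1", "type": "ip", "itype": "bot_ip",
     "confidence": 80, "status": "active", "is_osint": False, "tags": ["botnet"],
     "created_ts": NOW - timedelta(weeks=6)},
    {"value": "http://example.test/payload.exe", "type": "url", "itype": "mal_url",
     "confidence": 70, "status": "inactive", "is_osint": True, "tags": ["zero day attack"],
     "created_ts": NOW - timedelta(hours=5)},
]
```

Against these records, type = ip AND value startswith 192.168.23.1 returns both IP observables because 192.168.23.1 is a string prefix of 192.168.23.171, while type = ip AND ip insubnet 192.168.23.170/27 returns only 192.168.23.171, which is why the startswith form is only safe on octet boundaries.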
Searching for Defanged Observable Values
The ThreatStream observables search supports defanged domain, email address,
IP address, and URL observable queries. When you enter a defanged value,
ThreatStream queries and returns non-defanged observable values.
The following types of defanged values are supported for both basic and advanced
searches:
- [.] or [:]
  Examples:
  - analyst@security[.]com returns analyst@security.com
  - https[:]//test[.]com returns https://test.com
  - 1[.]1[.]1[.]1 returns 1.1.1.1
- {.} or {:}
  Examples:
  - 1{.}1{.}1{.}1 returns 1.1.1.1
  - https{:}//test{.}com returns https://test.com
- hxxp://
  Examples:
  - hxxp://test.com returns http://test.com
  - hxxp[:]//test[.]com returns http://test.com
- hxxps://
  Examples:
  - hxxps://test.com returns https://test.com
  - hxxps{:}//test{.}com returns https://test.com
- meow://
  Example: meow://test.com returns http://test.com
- meows://
  Example: meows://test.com returns https://test.com
The following is supported for basic search only:
- (.)
  Example: test(.)com returns test.com.
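The substitutions listed above, applied in code: this is an added example, not Anomali code, and the classify() step (ip, email, url, domain, other) is this example's own rough check rather than ThreatStream's parser; refang() applies only the notations the guide lists and honours (.) only when basic_search is true.

```python
# Added example, not Anomali code: refangs the defanged notations the guide lists and
# classifies the result as one of the observable types the search supports.
import ipaddress
import re

BRACKETS = {"[.]": ".", "{.}": ".", "[:]": ":", "{:}": ":"}
SCHEMES = [("hxxps://", "https://"), ("hxxp://", "http://"),
           ("meows://", "https://"), ("meow://", "http://")]


def refang(value, basic_search=True):
    """Return the plain value ThreatStream would query for a defanged input.

    (.) is recognised by basic search only, so it is left untouched otherwise.
    """
    for defanged, plain in BRACKETS.items():
        value = value.replace(defanged, plain)
    if basic_search:
        value = value.replace("(.)", ".")
    for defanged, plain in SCHEMES:  # after the brackets, so hxxp[:]// resolves too
        if value.lower().startswith(defanged):
            value = plain + value[len(defanged):]
            break
    return value


def classify(plain):
    """Rough observable type (ip, email, url, domain) or 'other'; this example's own check."""
    try:
        ipaddress.ip_address(plain)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[^\s@/]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", plain, re.I):
        return "email"
    if re.match(r"https?://\S+", plain, re.I):
        return "url"
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", plain, re.I):
        return "domain"
    return "other"


def normalise(value, basic_search=True):
    """Refang and classify in one step, returning (plain_value, observable_type)."""
    plain = refang(value, basic_search)
    return plain, classify(plain)
```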
Filtering Search Results
You can use any of the filters, located in filter widget to the left of the search results,
to create a search query or refine results after performing a query.
Selected filters are displayed under the search bar.
You can add any combination of search filters. Alternatively, you can perform wide
searches by adding a filter to a blank query. For example, if you select Inactive
from the Status category, a list of all observables with the status Inactive will be
returned.
When you apply filters from different categories, they are separated by an
AND operator. When you apply filters from the same category, they are separated
by an OR operator. For example, you select Albania and Canada from the Countries
category, and Actor IP and Malware Email from the iType category. Results will be
displayed based on the following search query:
(itype="Actor_ip" or itype="mal_email") and (country="AL" or
country="CA")
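The combination rule above, as an added example that is not Anomali code: build_query() ORs the values ticked within one filter category and ANDs the categories together. The category-to-field mapping covers only what this chapter states (iType to itype, Countries to country, Status to status, Type to type, hash subtype to subtype, Open Source to is_osint), and values are passed already in their query spelling, such as Actor_ip for Actor IP and AL for Albania.

```python
# Added example, not Anomali code: builds the advanced search query that the guide says the
# left filter produces, ORing values within a category and ANDing across categories.

# Left-filter categories and the intelligence fields this chapter says they map onto.
FILTER_FIELDS = {"iType": "itype", "Countries": "country", "Status": "status",
                 "Type": "type", "Hash subtype": "subtype", "Open Source": "is_osint"}


def render(field, value):
    """Booleans are written bare (is_osint=true); other values are quoted."""
    if isinstance(value, bool):
        return "%s=%s" % (field, str(value).lower())
    return '%s="%s"' % (field, value)


def build_query(selections):
    """selections maps a category to the values ticked in it, already in query spelling
    (Actor_ip for Actor IP, AL for Albania); categories with nothing ticked are skipped."""
    clauses = []
    for category, values in selections.items():
        if values:
            field = FILTER_FIELDS[category]
            clauses.append("(" + " or ".join(render(field, v) for v in values) + ")")
    return " and ".join(clauses)
```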
The following search filters are available:
- Key Filters: Show only observables that were imported by your organization
  (Imported By My Organization) or those originating from open source feeds
  (Open Source). See "Filtering Open Source Observables" on page 274 for more
  information.
- Date Added: Show only observables added to ThreatStream during the specified
  date range.
- Status: Show only observables with the status of Active, Inactive, or False
  Positive.
- Visibility: Show only observables classified as Anomali Community (formerly
  "Public") or My Organization (formerly "Private").
- TLP: Show only observables assigned the selected Traffic Light Protocol.
- Minimum Confidence: Show only observables with specified minimum
  confidence scores.
- Tags: Show only observables with specified tags.
  Note: Due to caching, tags created within the last 30 minutes may not
  populate the Tags filter.
- Streams: Show only observables from specified open source streams, premium
  feeds, or other intelligence sources.
- ASN: Show only observables with the specified ASN.
- Type: Type of observable value—domain, email address, IP address, IPv6
  address, Hash, URL, or other.
  For additional information on filtering hash type observables, see "Filtering Hash
  Observables" on the next page.
- iType: Select one or more indicator types to include.
- Trusted Circles: Show only observables from specified trusted circles.
- Org: Show only observables that belong to the selected organization.
- Workgroups: Show observables that are visible only to the selected
  workgroups.
- Import Session: Show only observables associated with the specified Import
  Session ID.
- Countries: Show only observables from specified countries.
Search results are automatically updated after selecting filters.
You can also use filters to create an advanced search query by selecting filters and
clicking Advanced. To read more about advanced searches in ThreatStream, see
"Performing Advanced Observable Searches" on page 260.
Filtering Hash Observables
When you select Hash in the Type filter section, additional filters are available which
enable you to filter by specific hash types. Available hash subtype filters include:
MD5, SHA1, SHA256, and SHA512.
When you select any of these hash types, only hashes of the selected type are
displayed in the search results.
Hash subtype filters map onto the subtype intelligence field. Thus, you can use this
field to construct advanced search filters that query hashes of the specified subtype.
Hash Subtype Advanced Search Examples
- To query hash observables of the SHA256 subtype:
  subtype=sha256
- To query hash observables of the MD5 subtype:
  subtype=md5
- To query active hash observables of the SHA1 subtype which were created after
  a specific timestamp:
  (subtype="sha1") and (status="active") and (created_ts>=2020-03-09T23:49:39)
- To query hash observables of the MD5 subtype and IP address observables:
  (type="hash" or type="ip") and (subtype=md5)
  Note: When type is used in a search query, you can assign the values md5
  and hash interchangeably to it for all hash observables. However, in the
  subtype field, the value md5 queries md5 type hash observables only and
  excludes hashes of all other types.
Filtering Open Source Observables
ThreatStream leverages a number of open source intelligence streams to feed your
threat intelligence in ThreatStream. The Observables search screen provides an
Open Source filter in the Key Filters section, thus enabling you to query observables
from open source intelligence streams.
When you select Open Source Intelligence, open source observables are displayed
exclusively. When not selected, both open source and non-open source
observables are displayed.
The Open Source Intelligence filter maps onto the is_osint intelligence field. Set
this field to true to query open source observables exclusively. Set this field to
false to exclude open source observables from your query.
Open Source Intelligence Advanced Search Examples
- To query all active open source observables:
  (is_osint=true) and (status="active")
- To query all open source URL observables:
  (is_osint=true) and (type="url")
- To query all open source observables with confidence values of 90 or higher:
  (is_osint=true) and (confidence >= 90)
- To query all non-open source URL observables:
  (is_osint=false) and (type="url")
Searching Workgroup Restricted Observables
The Observables search screen provides a Workgroups filter, thus enabling you to
query observables which are visible only to specific workgroups in your
organization.
Only workgroups of which you are a member are available in the filter.
Saving Observable Search Filters
You can save frequently used advanced observable search filters. Saving filters
enables you to perform common queries with the click of a button.
Note: Filters longer than 2,000 characters cannot be saved.
To save a search filter:
1. Navigate to Analyze > Observables.
2. Click Advanced.
3. Form an advanced search query. For a complete list of search fields, see
"Intelligence Fields in ThreatStream" on page 682.
4. Click Filter: Save as.
5. Enter a name for the new filter.
6. Click Save.
Saved filters can be accessed from the Search filter menu on the advanced search
bar.
Best Practices for Saved Search Filters
Anomali recommends adhering to the following best practices when constructing
saved search queries to improve search performance:
- Avoid using regular expression operators in search queries. As an alternative,
  use the contains, endswith, or startswith operators to search for specific
  phrase matches. If these alternative operators do not fulfill your use case, contact
  Anomali Support for assistance.
  For example, use (value endswith ".com.au") instead of (value ~ ".*\.com\.au").
- Avoid redundancies when constructing search queries. Do not include filters
  which duplicate search results.
  For example, the query (tags contains "apt28" OR tags ~ "apt28")
  contains two filters that yield the same results. In this case, (tags contains
  "apt28") is the recommended query.
Managing Saved Search Filters
Users with Org Admin privileges can edit or delete any search filter that belongs to
their organization. Non-admins can only edit or delete search filters that they
themselves created.
To edit a search filter:
1. Navigate to Analyze > Observables.
2. Click Advanced.
3. Select the search filter you want to edit. The filter will populate the advanced
search bar.
4. Make required changes to the search filter.
5. Click Save.
To delete search filters:
1. Navigate to Analyze > Observables.
2. Click Advanced.
3. Click Filter: Manage.
4. Select the search filters you want to delete.
5. Click Remove.
Exporting Search Results
You can export basic and advanced search results in the following formats:
- CSV
- Snort
- OpenIOC
- STIX 1.1.1
- STIX 1.2
- STIX 2
- STIX 2.1
- PDF
For CSV exports, you can select columns you want to export.
Org Admins can configure the maximum number of search results included in
search result exports from the Org Settings page. To read more, see "Organization
Administration" on page 70.
To export search results:
1. Perform the desired search.
2. Click the export icon.
3. Select a file format. Your download will start automatically.
4. If you selected Export To CSV, you can specify a Maximum Number of
Search Results. The limit is 10,000. You can also select specific Fields to
Export.
For ThreatStream OnPrem users only: when viewing search results in a
merged view—with both local and remote observables displayed—the
CSV export limit is 1,000. When viewing local or remote only search results,
the limit is 10,000.
If you selected Export To STIX 1.1.1, Export To STIX 1.2, or Export To STIX 2,
specify a Maximum Number of Search Results. The limit is 100.
Note: All timestamps are displayed in UTC when exported.
Case Sensitivity in ThreatStream Search
Syntax: <keyword>
Rules: Keywords are not case sensitive. Results are returned regardless of case.
Example: healthcare or Healthcare

Syntax: field = <value>
Rules: Field names are case sensitive and must be entered exactly as they appear
in "Intelligence Fields in ThreatStream" on page 682. Values for fields are not
case sensitive.
Example: status=active, Status=active

Syntax: field ~ <regex>
Rules: All letters in regular expressions must be lowercase.
Note: Though the regular expression can only contain lowercase letters, search
results are returned regardless of case.
Example: tags~".+(phishing|exploit).+", tags~".+(Phishing|Exploit).+"
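The two best practices for saved filters and the case-sensitivity rules in the table above can be checked mechanically before a filter is saved. The following Python linter is an added example, not Anomali code; it assumes the clause grammar shown on this page (field, operator, double-quoted value, clauses joined by OR inside parentheses) and handles only the simple regex shapes that have a contains, startswith or endswith equivalent.

```python
import re

# Clause grammar assumed from the examples on this page: field, operator,
# double-quoted value, with clauses joined by OR / AND inside parentheses.
_CLAUSE = re.compile(r'(\w+)\s*(~|contains|startswith|endswith)\s*"([^"]*)"')
# Two identical clauses joined by OR return the same results: a redundancy.
_DUP_OR = re.compile(r'(\w+ \w+ "[^"]*")\s+OR\s+\1')
_METACHARS = set('.*+?[](){}|^$')


def regex_literal(body):
    """Return the plain string a regex fragment matches if it consists only of
    literal characters (backslash escapes allowed); None if it uses any real
    regex construct."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):
            out.append(body[i + 1])   # escaped character is taken literally
            i += 2
            continue
        if ch in _METACHARS:
            return None
        out.append(ch)
        i += 1
    return ''.join(out)


def regex_to_operator(pattern):
    """Map the common regex shapes onto the cheaper phrase operators the guide
    recommends: ".*lit.*" -> contains, ".*lit" -> endswith, "lit.*" ->
    startswith, bare "lit" -> contains. Returns (operator, literal) or None."""
    for prefix, suffix, op in (('.*', '.*', 'contains'), ('.*', '', 'endswith'),
                               ('', '.*', 'startswith'), ('', '', 'contains')):
        if pattern.startswith(prefix) and pattern.endswith(suffix):
            core = pattern[len(prefix):len(pattern) - len(suffix)]
            literal = regex_literal(core)
            if literal:
                return op, literal
    return None


def lint_filter(query):
    """Apply the guide's best practices to one saved search filter.
    Returns (rewritten_query, findings); findings is empty when the query
    already follows the guidance."""
    findings = []

    def fix_clause(m):
        field, op, value = m.groups()
        if op == '~':
            if value != value.lower():
                findings.append(f'{field}: regex "{value}" must be all lowercase')
            conv = regex_to_operator(value)
            if conv is None:
                findings.append(f'{field}: regex "{value}" has no contains/'
                                'startswith/endswith equivalent; contact '
                                'Anomali Support if it is still needed')
            else:
                op, value = conv
                findings.append(f'{field}: use {op} "{value}" instead of the regex')
        return f'{field} {op} "{value}"'   # normalised spacing

    rewritten = _CLAUSE.sub(fix_clause, query)
    while True:
        m = _DUP_OR.search(rewritten)
        if not m:
            break
        findings.append(f'redundant clause dropped: {m.group(1)}')
        rewritten = rewritten[:m.start()] + m.group(1) + rewritten[m.end():]
    return rewritten, findings


if __name__ == '__main__':
    # Queries taken from this page's best-practice examples.
    for q in ('(value ~ ".*\\.com\\.au")',
              '(tags contains "apt28" OR tags ~ "apt28")',
              '(tags ~ ".+(Phishing|Exploit).+")'):
        new_q, notes = lint_filter(q)
        print(q, '->', new_q)
        for note in notes:
            print('   ', note)
```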
Chapter 10: Importing Observables with
Import Assistant
This chapter covers the following topics:
Importing Observables 286
Importing Observables From an Email 293
Ingesting Phishing Emails 296
Importing STIX Data into the Anomali Threat Model 299
Viewing Import Jobs Associated With Your Organization 306
Approving Import Jobs 308
Rejecting Import Jobs 313
Restricting Observables Visibility to Workgroups During Import 314
Managing Import Sessions Without Approve Import Privileges 315
Managing Excluded Observables 318
Re-importing Observable Values 321
Editing Observable Values Before Approval 322
Deleting Import Jobs 323
ThreatStream provides you an easy-to-use wizard for importing intelligence into the
platform from the following sources:
l Files (CSV, HTML, IOC, JSON, PDF, TXT, XML)
l Raw text
l Plain-text intelligence streams
l Direct links to files
l STIX 1.2 XML files
l STIX 2.0 or 2.1 JSON files
l Emails
The ThreatStream Import Assistant can parse structured and unstructured data for
IP Addresses (v4 and v6), Domains, URLs, Emails, and MD5 Hashes. IPv6
addresses are supported, but must be in either collapsed notation or in eight 16-bit
blocks when imported. URLs are truncated at 2000 characters.
You can select whether the imported data is available to everyone (Anomali
Community) or accessible to your organization only (My Organization), or shared
with Trusted Circles.
Imported data must be reviewed and approved before it becomes part of your threat
intelligence on ThreatStream. Once you approve the imported data, ThreatStream
analyzes it further and adds additional context—such as the confidence
ThreatStream has in observables being associated with a given indicator type. You
must have the "Approve Import" privilege to approve an import.
Once approved and added to your threat intelligence on ThreatStream, imported
observables are pushed to your downstream integrations via ThreatStream
Integrator at the time of your next scheduled synchronization. See "ThreatStream
Integrator" on page 679 for more information.
In addition to importing new observables, ThreatStream enables you to re-import
observables previously imported by your organization. Re-importing observables is
helpful when you want to update observable details or set the status of inactive
Anomali Community or Trusted Circle observables to active. See "Re-importing
Observable Values" on page 321 for more information.
Observables imported to ThreatStream are filtered through your organization
Exclude List, enabling you to prevent users in your organization from importing
specified CIDRs, Domains, Email Addresses, IP Addresses, Hashes, URLs, or User
Agents. Observables are also filtered through a global exclude list which prevents all
ThreatStream users from importing known benign observables, including but not
limited to the top 500 domains on the internet. However, users are not prevented
from importing URLs associated with domains on the Anomali global exclude list.
Importing Unstructured Data
When the data is in unstructured format, the ThreatStream platform parses the raw
data and extracts observables from it. All observables are associated with the same
mapping information—Threat Type, visibility, confidence, and tags. For example, if
a file has two IP addresses, each IP will be assigned the same indicator type—mal_ip
or apt_ip. You can edit mapping information when reviewing import sessions.
Note: For ThreatStream to correctly parse URLs, protocols must be included in
the data you enter. This ensures that ThreatStream maps URLs to the correct
indicator type. For example, to import the URL example.com, you must enter
https://example.com.
Importing Structured Data
You can also use Import Assistant to import data in structured format. This involves
creating a CSV file and compiling the data you want to import using the "Guidelines
for Structured Data" below. CSV files submitted to ThreatStream for import
must be UTF-8 encoded or compatible.
When the data is in structured format, you can specify a different indicator type
mapping and tags for each observable in the structured file. It also enables you to
import host-based observables.
Note: If you do not specify an indicator type when importing URLs via structured
data, the URL values must include their respective protocols.
Guidelines for Structured Data
Follow these guidelines when importing structured data:
l The structured data must be contained in a valid CSV file with the following
header line: value, itype, tags. Optional columns include private_tags,
is_anonymous, and tlp.

value                             itype     tags                   private_tags  is_anonymous  tlp
1.2.3.4                           brute_ip  exploitation,phishing                true          green
https://example.com                         phishing               sensitive                   amber
4d68462ca6071f9b6ad0fabea8bd1c9f  mal_md5                                        false         red
n The "value" header label is mandatory. This column must contain data.
n The "itype", "tags", and "private_tags" header labels can be omitted if no data
will be specified for these columns. See "Indicator Types in ThreatStream" on
page 702 for more information.
n "tags" is a comma-separated list of tags. Tags included in the "tags" column
are assigned the Anomali Community visibility setting and visible to all users
with access to the observable.
n "private_tags" is a comma-separated list of tags. Tags included in the
"private_tags" column are assigned the My Organization visibility setting and
visible only to users in your organization.
n "is_anonymous" sets whether the organization and user information for the
observable is anonymized. Possible values include true and false. If no value
is specified, observables will not be anonymized.
n "tlp" sets a TLP color for the observable. Possible values include white, green,
amber, and red.
l The data specified in the "itype" column in the CSV file overrides the mapping
and tags values specified on the Import page of the ThreatStream UI. If this
column is empty, the values from the UI page are assigned. If importing a URL
and an indicator type is not specified, URL values must include their respective
protocols.
Example 1: The structured CSV contains the following:
value=1.2.3.4
itype=phish_ip
tags=empty
private_tags=may2018
The Threat Type setting on the Import UI page is set to Bot. Regardless of the
Threat Type set on the Import UI, the observable 1.2.3.4 will be assigned the
indicator type phish_ip as information in the CSV file overrides settings specified
on the UI. The tag "may2018" will be added to the observable and visible only to
your organization.
Example 2: The structured CSV contains the following:
value=1.2.3.4
itype=empty
tags=empty
private_tags=empty
The Threat Type setting on the Import page is set to Malware. As no indicator
type was specified in the CSV file, the observable is assigned the indicator type
Malware_ip.
Importing Host-Based Observables
Host-based observables can only be imported using structured CSV files.
Host-based observables on ThreatStream include: Adware Registry Keys, APT
File Names, APT File Paths, APT Mail Transfer Agents, APT Registry Keys,
APT Service Descriptions, APT Service Display Names, APT Service
Names, Malware File Names, Malware File Paths, Malware Registry Keys,
Malware Service Descriptions, Malware Service Display Names, Malware
Service Names, and Spam Mail Transfer Agents.
Follow these guidelines when importing host-based observables:
n If importing host-based observables only, the structured data must be
contained in a valid CSV file with the following header line: value, itype, tags.
Optional columns include private_tags, is_anonymous, and tlp.

value        itype          tags                   private_tags         is_anonymous  tlp
Malware.exe  mal_file_name  exploitation,phishing                       true
badguy.docx  apt_file_name                         private_information                red
n You can use the same format when importing host-based and non–host-based
observables in the same file.

value               itype          tags                   private_tags         is_anonymous  tlp
Malware.exe         mal_file_name  exploitation,phishing                       true
badguy.docx         apt_file_name                                                            white
example.domain.com  apt_domain                            private_information  false
For a complete list of indicator types, see "Indicator Types in ThreatStream" on
page 702.
Note: The "itype" and "value" header labels are mandatory. These columns
must contain data. All other header labels are optional and can be omitted if
no data will be specified for these columns.
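Because a malformed structured file is either rejected or silently mapped to the UI defaults, it is worth validating a CSV against the guidelines above (both the general and the host-based rules) before uploading it. The following Python checker is an added example, not part of ThreatStream; it encodes the rules stated on this page (mandatory value column, true/false for is_anonymous, the four TLP colors, protocol required on URLs with no itype, UTF-8 encoding), the sample file is constructed from the tables above plus three deliberately bad rows, and the path-but-no-protocol heuristic is an assumption.

```python
import csv
import io
import re

# Columns named in the guide: "value" is mandatory; the others are optional.
KNOWN_COLUMNS = ('value', 'itype', 'tags', 'private_tags', 'is_anonymous', 'tlp')
TLP_COLORS = ('white', 'green', 'amber', 'red')
_SCHEME = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)


def _split_tags(cell):
    """Split a comma-separated tag cell into a list, dropping blanks."""
    return [t.strip() for t in (cell or '').split(',') if t.strip()]


def parse_structured_csv(data):
    """Validate and normalise a structured import CSV given as bytes.

    Returns (rows, problems): rows holds the accepted records with tag lists
    split and is_anonymous resolved to a bool; problems lists (line, message)
    for records the import would reject or misinterpret. The "path present but
    no protocol" heuristic for unmapped URLs is an assumption of this example.
    """
    try:
        text = data.decode('utf-8')
    except UnicodeDecodeError as exc:
        return [], [(0, f'file is not UTF-8 encoded: {exc}')]
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    if not reader.fieldnames or 'value' not in reader.fieldnames:
        return [], [(1, 'header line must contain the mandatory "value" column')]
    problems = [(1, f'unknown column "{c}" will be ignored')
                for c in reader.fieldnames if c not in KNOWN_COLUMNS]
    rows = []
    for line, raw in enumerate(reader, start=2):   # line 1 is the header
        errors = []
        value = (raw.get('value') or '').strip()
        itype = (raw.get('itype') or '').strip()
        if not value:
            errors.append('value column must contain data')
        elif '/' in value and not _SCHEME.match(value) and not itype:
            # Without an itype the import needs the protocol to map the URL.
            errors.append(f'"{value}" has a path but no protocol; add https:// '
                          '(or the real scheme) or set an itype')
        anon = (raw.get('is_anonymous') or '').strip().lower()
        if anon not in ('', 'true', 'false'):
            errors.append(f'is_anonymous must be true or false, got "{anon}"')
        tlp = (raw.get('tlp') or '').strip().lower()
        if tlp and tlp not in TLP_COLORS:
            errors.append(f'tlp must be one of {TLP_COLORS}, got "{tlp}"')
        if errors:
            problems.extend((line, e) for e in errors)
            continue
        rows.append({
            'value': value,
            'itype': itype or None,          # None: the UI Threat Type mapping applies
            'tags': _split_tags(raw.get('tags')),
            'private_tags': _split_tags(raw.get('private_tags')),
            'is_anonymous': anon == 'true',  # unspecified means not anonymised
            'tlp': tlp or None,
        })
    return rows, problems


# Constructed sample file: rows from this page's example tables followed by
# a URL with no protocol, a blank value, and invalid is_anonymous/tlp values.
SAMPLE_CSV = b"""value,itype,tags,private_tags,is_anonymous,tlp
1.2.3.4,brute_ip,"exploitation,phishing",,true,green
https://example.com,,phishing,sensitive,,amber
4d68462ca6071f9b6ad0fabea8bd1c9f,mal_md5,,,false,red
Malware.exe,mal_file_name,"exploitation,phishing",,true,
example.com/login,,,,,
,mal_ip,,,,
1.2.3.5,mal_ip,,,maybe,purple
"""

if __name__ == '__main__':
    accepted, issues = parse_structured_csv(SAMPLE_CSV)
    for row in accepted:
        print('OK  ', row)
    for line, msg in issues:
        print(f'line {line}: {msg}')
```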
Importing Observables From Plain Text
Intelligence Streams
Import Assistant enables you to perform one-time scrapes of plain text intelligence
streams. Simply provide the URL for the intelligence stream. ThreatStream
connects to the URL and parses the code for observable data.
Only unformatted, plain text intelligence streams are supported. An example of an
unformatted stream is displayed below.
Providing the URL for a stream that includes formatting will result in false positives.
Importing Observables From Direct Links to Files
Import Assistant also enables you to import observable data from CSV, HTML, IOC,
JSON, PDF, TXT, or XML files that are hosted online. Simply provide the URL for
the file. ThreatStream connects to the URL, downloads the file, and parses it for
observable data. Only the file types listed above are supported.
Note: URLs that require authentication are not supported.
Importing Observables From an Email
ThreatStream can also import observables from a free-form email. You do not need
to connect to ThreatStream to import observables in this case. You can simply
forward an email containing one or more observables to a designated email
address. ThreatStream parses the received email, extracts observables from it, and
creates an import job. To learn more about importing observables from an email,
see "Importing Observables From an Email" on page 293.
In addition to importing observables from free-form emails, you can also submit
emails that appear to be phishing scams. This involves sending the email as an .eml
attachment to a designated email address on ThreatStream. For more information,
see "Ingesting Phishing Emails" on page 296.
Importing Observables
To import observables:
1. From anywhere in the platform, click the Import icon on the right side of the
screen.
2. Click Observables.
3. Add observable data to the import session.
If you are importing observables from a file:
a. Click Upload a New File.
o If you are importing structured data, make sure the data is in the format
specified in "Guidelines for Structured Data" on page 282.
o The maximum size supported for the file is 10 MB.
b. Drag and drop the file onto the import wizard OR click to browse and select
the file.
If you are entering observable data manually:
a. Click Paste Intelligence.
b. Enter the observable information in the text box.
You can enter free-form text that contains observable information or specific
observables, as shown in the following example.
If you are importing observable data from a plain text intelligence stream or
direct link to a file:
a. Click Scrape from URL.
b. Enter the URL for the intelligence stream or file.
4. In the Set Definitions section, specify data for the following parameters:
Intelligence Source (Optional): Where the data originated.
Tip: You can create advanced search filters based on Intelligence Source for
observables imported by your organization using the import_source field. See
"Constructing Advanced Search Filters" on page 262 for more information.

Confidence: Confidence value you want to assign to the imported observables.
The Confidence value is re-assessed when ThreatStream analyzes the imported
data. To enforce the Confidence value you selected, check Override System
Confidence.
Note: For email, hash, and IPv6 observables, the Confidence value you select
will be enforced in all cases.

Threat Type: Threat Type for the imported observables. ThreatStream will assign
extracted observables an indicator type based on the threat type you specify.
Malware is the default threat type. Imported observables will be assigned a
Malware related indicator type if you do not select a different threat type.
For a list of threat types and their associated indicator types, see "Threat
Types in ThreatStream" on page 733.
Note: Observables assigned APT indicator types are never made inactive by
ThreatStream, regardless of the expiration date you set during the import
process. However, you can change the status of APT type observables which you
have the privilege to edit from Active to Inactive at any time. See "Editing
Observable Details" on page 237 for more information.

TLP (Optional): TLP (Traffic Light Protocol) color to assign to the imported
observables.

Tags (Optional): Tags that you want to associate with imported observables. To
add a tag, select a Visibility setting, enter the tag, and click Add. Tags can
contain spaces.
Tags assigned the My Organization visibility setting are only visible to your
organization. Tags assigned the Anomali Community visibility setting are visible
to users of all organizations that have access to the observable. See "Adding
Private Tags to Observables" on page 243 for more information.
As you type, the 20 most used tags in your organization from the previous seven
days are displayed. Enter * to display a list of preferred tags configured by
your organization, in addition to pre-defined kill chain phase tags. For more on
configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on
page 200.
Additionally, you can associate imported observables with system imported
Vulnerabilities by entering the Vulnerability title as a tag and assigning it
the Anomali Community visibility setting. Only Vulnerabilities imported by
ThreatStream—not those created by your organization or other organizations—can
be associated with observables during import via tagging. You can associate
non-system imported Vulnerabilities with observables after import, from the
details page of the observable or Vulnerability.
Notes:
- Tags must be 2,000 characters or less.
- Observables can contain up to 200 tags per organization. Tags added by other
organizations do not count toward this limit.

Visibility: Visibility setting for the imported observables. You can select
Anomali Community, Trusted Circles, or My Organization.
If you select Trusted Circles, select trusted circles from the drop down menu.
If you selected Override System Confidence in the previous steps, only trusted
circles with Allow Members to Override System Confidence enabled are displayed.
For more information, see "Creating a Trusted Circle" on page 650.
If you select My Organization, you can further restrict the visibility to
specific workgroups in your organization. To do so, click Restrict to Workgroups
and select the workgroups to which you want to give exclusive access to the
observables. You can only select workgroups you are a member of during import.
At least one user in the workgroups you select must have the Approve Import
privilege. For more information on workgroups, see "Restricting Access to
Intelligence with Workgroups" on page 196.

Anonymous: If you want to anonymize your user and organization information,
select Anonymize user and organization. Users outside of your organization with
access to the observables will see "Analyst" in all fields that would otherwise
display an organization or user name.

Expiration Date (Optional): Select an Expiration Date on which the observables
will become inactive.
By default, Expiration Date is set to 90 days from the current date, but there
is no limit on how long observables can remain active. As a best practice, if
you know an observable to be short lived (such as a tor_ip), specify a closer
expiration date.
You can edit the expiration date of individual observables when reviewing the
import session. See "Approving Import Jobs" on page 308 for more information.

Source Created (Optional): Specify the date and time when the observables were
created by their original source. Click Now to use the current time.

Source Modified (Optional): Specify the date and time when the observables were
last modified by their original source. Click Now to use the current time.

Note: Any values you set in the Set Definition section are maintained as
defaults the next time you open the Import Assistant.
5. (Optional) Under Associate With Threat Models, click Add Association to
associate extracted observables with threat model entities. You can select any
Actors, Attack Patterns, Campaigns, Courses of Action, Identities, Incidents,
Infrastructure, Intrusion Sets, Malware, Signatures, Threat Bulletins, Tools,
TTPs, or Vulnerabilities to which you have access on ThreatStream.
Search for threat model entities by keyword.
Filter threat model entities by entity type.
After selecting the entities with which you want to associate the observables,
click Add Selected Threat Models.
6. If you have Approve Import privileges, you can select Auto-Approve to
automatically approve the import job upon submission.
When ThreatStream finishes processing the import job, all observables
validated by ThreatStream will become active immediately.
After submission, you can access the approved import job from the Imports list
view screen. See "Viewing Import Jobs Associated With Your Organization" on
page 306 for more information.
Note: If you select Auto-Approve, you will not have the opportunity to review
and force-add any excluded observables.
7. Click Import.
An import job is created and assigned an ID. Unless you selected Auto-Approve,
the job is in Ready to Review status and must be approved for the
observables to become part of your threat intelligence on ThreatStream. See
"Approving Import Jobs" on page 308 for more information on approving import
jobs. If you do not have Approve Import privileges, you can still edit the
parameters of the import job you submitted. See "Managing Import Sessions
Without Approve Import Privileges" on page 315.
Importing Observables From an Email
You can import observables into ThreatStream without connecting to the
ThreatStream platform. This involves sending one or more observable values in the
body of an email to a designated email address on ThreatStream. Additionally, you
can send observables in PDF, TXT, or CSV attachments to the email.
Once emails are received, they are validated and parsed on ThreatStream. If
successfully validated and parsed, import jobs are created. ThreatStream creates a
single import job for all observables contained in the body of the email and one
additional import job for each attachment. Import jobs must be approved by a user
with the Approve Import privilege before the observables become part of your threat
intelligence on ThreatStream. The organization administrator is notified of the
newly created import job that is pending approval. The sender is also notified of
the import job that was created.
Emails received on ThreatStream for observable import are not stored on the
platform. Once observables have been extracted from them, emails are deleted.
For more information on creating and configuring import mailboxes, see "Mailboxes
For Receiving Observables" on page 81.
Guidelines for Importing Observables From an Email
The following guidelines apply to importing observables from an email:
l Just like other import methods, any ThreatStream user can submit an email to
ThreatStream for importing observables. The observables will only become part
of your threat intelligence when the import job is approved.
l Emails can be free-form; no specific format is required. However, the following
requirements must be met:
n Observables must be in the email body text. Observables in the subject line
are not parsed.
n Protocols must be included for URLs to be correctly parsed, unless the URL is
specified in a structured CSV file and mapped to a URL indicator type.
l Observable values may also be sent in attachments to the email. Attachments
must be in CSV, PDF, or TXT format.
Note: CSV files must be formatted according to the guidelines in "Guidelines
for Structured Data" on page 282.
l Attachments can be no larger than 10 MB.
l Emails must be sent from email addresses registered on ThreatStream or those
added to the Email Import Addresses list on the Mailboxes tab within
Settings. Otherwise, the email import will be ignored. See "Adding Additional
Email Import Addresses" on page 93 for more information.
l Emails must be sent to a Feed Mailbox email address on the Email/Phishing
tab of Import Assistant. To manage your mailboxes, see "Mailboxes For
Receiving Observables" on page 81.
l Only observables are parsed from an email even if the email contains other
ThreatStream meta-data such as tags or mapping. Default mappings (as
available on the Import UI page) are assigned to the imported observables.
l After parsing is complete, a notification containing the number of observables
extracted and a link to the import session is sent to the email address that the
observables were submitted from. If submitting from an email not registered on
ThreatStream that was added to the Email Import Addresses list, an Org Admin
receives the notification.
l By default, observables imported via Import Email mailboxes are assigned the
Malware threat type.
To import observables from an email:
1. From anywhere on the ThreatStream user interface, open the import assistant
and click Email/Phishing. Your mailboxes configured for receiving observables
are displayed under Feed Mailbox.
2. Click the copy icon next to the mailbox you want to use for receiving
observables.
3. Use the copied email address to send an email containing observables to
ThreatStream.
Note: Emails must be sent from email addresses either registered on
ThreatStream or non-registered email addresses added to the Email
Import Addresses list, located in Org Settings.
If observables are successfully parsed, an import job is created on
ThreatStream.
4. Follow the process described in "Approving Import Jobs" on page 308.
Ingesting Phishing Emails
ThreatStream enables you to ingest phishing emails for further analysis. This
involves sending the email as an .eml attachment to a designated email address on
ThreatStream.
Once received, ThreatStream parses the metadata of the attached phishing email
and creates an investigation for the discovered observables. You can use the
investigation to analyze the results of the ingestion and review the parsed
observables before importing them into ThreatStream.
When you submit a phishing email to one of your phishing mailboxes, actions
configured for the phishing mailbox are taken. For example, phishing mailboxes can
be configured to create investigations for discovered observables, submit email
attachments to the sandbox, or create Threat Bulletins with the contents of the
phishing email. For more information on creating and configuring phishing
mailboxes, see "Mailboxes For Receiving Observables" on page 81.
Guidelines for Ingesting Phishing Emails
l Emails must be sent from email addresses registered on ThreatStream or those
added to the Email Import Addresses list on the Mailboxes tab within settings.
Emails received from email addresses not adhering to these guidelines are
ignored. See "Adding Additional Email Import Addresses" on page 93 for more
information.
l Phishing emails must be sent to ThreatStream as .eml attachments to a Phishing
Mailbox email address. These addresses are listed on the Email/Phishing tab
of Import Assistant and on the Mailboxes tab within settings. To manage your
mailboxes, see "Mailboxes For Receiving Observables" on page 81.
l By default, observables imported via Phishing Email mailboxes are assigned the
phishing threat type.
To import observables from phishing emails:
1. From anywhere on the ThreatStream user interface, open the import assistant
and click Email/Phishing. Your mailboxes configured for ingesting phishing
emails are displayed under Phishing Mailbox.
2. Click the copy icon next to the mailbox you want to use for ingesting the phishing
email.
3. Use your email client to forward the phishing email to the copied email address
as an attachment.
OR
Save the phishing email to your local machine and manually send it to this
address as an .eml attachment.
To check the status of your submission, navigate to Settings > Mailboxes and click
the icon in the Activity column next to the mailbox to which you submitted the email.
Phishing Email Threat Bulletins
Phishing mailboxes can be configured to create Threat Bulletins when they receive
submissions. In addition to the email subject in the title of the Threat Bulletin, Threat
Bulletins created from imported phishing emails always contain the following
information.
l Complete header of the phishing email.
l Full text of the email body.
l List of files attached to the phishing email and corresponding hash values.
Hash values are added to observable Import Sessions.
l Import Session for the phishing email. Observables must be approved before
becoming part of your threat intelligence on ThreatStream.
l Files attached to the phishing email available for download.
Note: Upon creation, Threat Bulletins are assigned the New status and only
visible to your organization. See "Reviewing Threat Model Entities for
Publication" on page 542 for more information on the Threat Model publication
workflow.
Importing STIX Data into the Anomali Threat
Model
You can use Import Assistant to import STIX compatible data from a file into the
Threat Model. ThreatStream supports files that follow the STIX 1.2, 2.0, or 2.1 data
models. Files can contain any attributes; however, only the attributes listed in
"Supported Attributes for STIX Entities" on page 688 are supported. If the file
contains other attributes, they are ignored.
STIX 1.2 imports must be specified in a valid XML file. STIX 2.0 and 2.1 imports
must be specified in a valid JSON file.
When you import the file, ThreatStream extracts the Observables and Threat Model
entities and any associations from it. The associations specified in the file are
preserved upon a successful import. You can select whether the imported data is
available to everyone (Anomali Community) or accessible to your organization only
(My Organization), or shared with Trusted Circles.
If the imported file contains any observables of these types—IP address, URL,
email, hash, or domain—then the STIX import process also creates an Observable
import session for all the observables. The observable import process goes through
the same process described in "Importing Observables " on page 286. Also, see
"Understanding the Difference Between Observable Import and STIX Data Import"
on the next page.
During the import, a conflict may occur if you try to import a Threat Model entity of
the same name that already exists in your organization. If a conflict occurs, the
Threat Model entity is not imported. Any other entities defined in the XML or JSON
file and associated with the conflicting entity may still be imported; however, their
association information with the un-imported entity is not preserved.
You can check the status of an import in the STIX Import view of the Threat Model
Dashboard (see "Threat Model Dashboard" on page 365). In this view, you can also
see any observable import jobs that get created as part of the STIX import.
Understanding the Difference Between Observable Import and STIX Data Import
Two types of import processes exist on ThreatStream:
• Observable import
Allows you to import structured and unstructured data containing observables
into ThreatStream. Imported data needs to be approved before it becomes part of
threat intelligence on ThreatStream.
• STIX Data import
Allows you to import STIX Threat Model entities—Threat Actors (Actors in
ThreatStream), Attack Patterns, Campaigns, Courses of Action, Custom Objects,
Identities, Indicators (Observables in ThreatStream), Incidents, Infrastructure,
Intrusion Sets, Malware, Reports (Threat Bulletins in ThreatStream), Tools,
TTPs, and Vulnerabilities.
Apart from observables, the imported data does not need to be approved and
becomes part of the Threat Model right after it has been successfully imported. If any
observables are included in the STIX import file, a separate observable import
session is created for importing them into ThreatStream. The observable import
session must be approved before the observables become part of your threat
intelligence.
Guidelines for Importing Observables through STIX Data Import
Adhere to the following guidelines when importing Observables through the
STIX Data Import:
• Only STIX Indicators can be imported through the ThreatStream STIX Data
Import. STIX Indicators are imported as Observables in ThreatStream.
• The following STIX 1.x CybOX Objects are supported: Address (ipv4 only),
DomainName, EmailAddress, EmailMessage (sender_address or from_address),
File (hashes), Hostname, Mutex, SocketAddress (ip_address), URI,
WinRegistryKey.
• The following STIX 2.x Cyber Object Types are supported: domain-name,
email-addr, email-message, file (hashes and name), ipv4-addr, ipv6-addr,
mutex, url, windows-registry-key.
• For STIX 2.0 and 2.1 imports, only basic patterns are supported. Basic patterns
contain one Observation Expression which consists of a single Comparison
Expression. The following is an example of a valid basic pattern:
• Only attributes listed in "Supported Attributes for Indicators" on page 693 are
supported.
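A pre-flight check for the STIX 2.x guidelines above, so a bundle can be screened for indicators that would be rejected before it is uploaded. This is an added example, not Anomali code; the bundle, its ids and the treatment of pattern qualifiers are constructed assumptions.

```python
"""Pre-flight check of STIX 2.x indicators against the STIX Data Import
guidelines above: supported Cyber Observable types and "basic" patterns.
Added example, not Anomali code; the bundle below is constructed."""
import json
import re

# STIX 2.x Cyber Observable object types the guide lists as supported
SUPPORTED_2X_TYPES = {
    "domain-name", "email-addr", "email-message", "file",
    "ipv4-addr", "ipv6-addr", "mutex", "url", "windows-registry-key",
}

STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'")        # '...' with escapes
BOOLEAN_OPS = re.compile(r"\b(AND|OR|FOLLOWEDBY)\b")
OBJECT_PATH = re.compile(r"^\[\s*([a-z0-9-]+):([^\s=<>!]+)")


def parse_basic_pattern(pattern):
    """Return (object_type, property_path) when the pattern is basic, i.e. one
    observation expression holding exactly one comparison expression; else None."""
    text = pattern.strip()
    # Blank out string literals so an 'OR' or ']' inside a value is not counted
    skeleton = STRING_LITERAL.sub("''", text)
    if not (skeleton.startswith("[") and skeleton.endswith("]")):
        return None  # assumption: qualifiers (START/STOP, REPEATS) are not basic
    if skeleton.count("[") != 1 or skeleton.count("]") != 1:
        return None  # several observation expressions joined or nested
    if BOOLEAN_OPS.search(skeleton[1:-1]):
        return None  # more than one comparison expression
    match = OBJECT_PATH.match(text)
    if match is None:
        return None
    return match.group(1), match.group(2)


def check_indicator(indicator):
    """Return the reasons an indicator would not import as an observable.
    An empty list means it passes the guidelines."""
    parsed = parse_basic_pattern(indicator.get("pattern", ""))
    if parsed is None:
        return ["not a basic pattern (one observation expression with one comparison expression)"]
    object_type, property_path = parsed
    reasons = []
    if object_type not in SUPPORTED_2X_TYPES:
        reasons.append(f"unsupported object type '{object_type}'")
    # The guide supports file objects for hashes and name only
    elif object_type == "file" and not (property_path.startswith("hashes.") or property_path == "name"):
        reasons.append(f"file property '{property_path}' is neither hashes nor name")
    return reasons


def preflight(bundle):
    """Map each indicator id in the bundle to its list of rejection reasons.
    Other SDOs become Threat Model entities, not observables, so they are skipped."""
    return {
        obj["id"]: check_indicator(obj)
        for obj in bundle.get("objects", [])
        if obj.get("type") == "indicator"
    }


# Constructed sample bundle (ids, names and values are placeholders, not real IoCs)
SAMPLE_BUNDLE = json.loads("""{
  "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
  "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[domain-name:value = 'malicious.example']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '203.0.113.6']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern": "[file:hashes.'SHA-256' = 'SHA256_PLACEHOLDER']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
     "pattern": "[file:size > 1024]"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
     "pattern": "[x509-certificate:serial_number = '00']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
     "pattern": "[url:value = 'http://malicious.example/OR/path']"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000007",
     "name": "placeholder-malware"}
  ]
}""".replace("SHA256_PLACEHOLDER", "0" * 64))


if __name__ == "__main__":
    for indicator_id, reasons in preflight(SAMPLE_BUNDLE).items():
        print(indicator_id, "OK" if not reasons else "; ".join(reasons))
```

Indicators 2, 4 and 5 are the ones that would land on the Rejected STIX Entities tab; the malware object is skipped because it imports as a Threat Model entity rather than an observable.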
Supported Attributes for Threat Model Entities
See "Supported Attributes for STIX Entities" on page 688 to reference the attributes
included in STIX exports.
Importing STIX Data Through the Import Assistant
To import STIX data:
1. From anywhere in the platform, click the Import icon on the right side of the
screen.
2. Click STIX.
The STIX Import page is displayed, as shown in the following figure:
3. Either drag a file from your local system or click the dotted-line box to upload a
file from your system.
4. Select a Visibility for the imported data.
You can choose from Anomali Community, My Organization, or Trusted Circles.
If you select Trusted Circles, select trusted circles from the drop-down menu. If
you selected Override System Confidence in the previous steps, only trusted
circles with Allow Members to Override System Confidence enabled are
displayed. For more information, see "Creating a Trusted Circle" on page 650.
If you select My Organization, you can further restrict the visibility to specific
workgroups in your organization. To do so, select the workgroups to which you
want to give exclusive access to the observables. For more information on
workgroups, see "Restricting Access to Intelligence with Workgroups" on
page 196.
5. If you want to anonymize your user and organization information, select
Anonymize user and organization. Users outside of your organization with
access to the data will see "Analyst" in all fields that would otherwise display an
organization or user name.
6. Select the Confidence value you want to assign to the imported observables.
The Confidence value is re-assessed when ThreatStream analyzes the
imported data. To enforce the Confidence value you selected, check Trust my
confidence.
7. (Optional) Enter any additional notes that may be useful.
8. Click Import.
The threat model entities become part of Threat Model right after the data has
been successfully imported. If the entities had any observables associated with
them, an import job is created for those observables. The job is in Ready to
Review status and must be approved for the observables to become part of your
threat intelligence on ThreatStream. See "Approving Import Jobs" on page 308
for more information.
To view the status of STIX imports, visit the STIX Imports screen. See
"Viewing STIX Import Jobs" below for more information.
Viewing STIX Import Jobs
The STIX Imports screen provides the status of recently imported STIX data. To
access the STIX Imports screen, navigate to Manage > Imports and open the STIX
tab.
For information about importing STIX data, see "Importing STIX Data into the
Anomali Threat Model" on page 299.
Filter STIX import jobs by Status, Date, and Owner. Click Show only my
imports to view STIX imports which you submitted.
Date: Time stamp of when the STIX import occurred.
Total Imported/Total Rejected: Number of STIX entities (Threat Model entities
and observables) that were imported or rejected. To see a list of all imported and
rejected entities, click the link in the STIX Import Jobs column.
STIX Import Job: Job ID and status of the STIX import job. Click the link to view
import job details. The STIX Import Review window lists the Threat Model entities
that were successfully imported and the ones that were rejected with a reason for
rejection, as shown in the following figure.
While the Imported STIX Entities tab lists imported Threat Model entities only, the
Rejected STIX Entities tab lists rejected Threat Model entities and observables.
Note: Rows are ordered by import job ID when you sort the table using the STIX
Import Job column.
Observable Import Job: If the JSON or XML file contained any observables, an
observable import job is created for them. Click the link to view import job details.
Included observables are listed on the Included tab. Excluded observables are listed
on the Excluded tab.
Click View Full Import to open the Import Review page for the import job. See
"Approving Import Jobs" on page 308 for more information.
User: The ThreatStream user who initiated the STIX import.
Tags: Tags that were added to the import job.
File: The STIX JSON or XML file that was uploaded for import.
Refresh: Refresh the STIX import jobs listed on the page.
Import STIX: Submit a new STIX import job on the STIX tab of the import
assistant. See "Importing STIX Data Through the Import Assistant" on page 301 for
more information.
Viewing Import Jobs Associated With Your Organization
The Import page displays a list of every import job associated with your
organization.
Filter the displayed import jobs by Status, Date Imported, or Owner. You can
view import jobs that you have submitted by selecting Show only my imports.
Job #: Job number associated with the import job. For approved import jobs, you can
click the Job # to view observables on the search page.
Date: Timestamp when the import job was submitted.
Submitted By: Organization user that submitted the import job.
Visibility: Displays whether the import job is assigned the visibility setting Anomali
Community, My Organization, or available to specific Trusted Circles.
Included/Excluded: Number of accepted and rejected observables associated with
the import job.
Status: Current status of the import job. View any errors associated with the job by
clicking Errors.
Tags: Tags associated with the import job.
You can take the following actions from the Imports screen:
• New Import: Submit a new import job. See "Importing Observables" on
page 286.
• Approve: Approve the selected import jobs. See "Approving and Rejecting
Import Sessions in Bulk" on page 312.
• Reject: Reject the selected import jobs. See "Approving and Rejecting Import
Sessions in Bulk" on page 312.
• Delete: Delete the selected import jobs and all associated observables. See
"Deleting Import Jobs" on page 323.
Select the columns displayed on the dashboard. Available columns include Job
#, Date, Submitted By, Reviewed By, Visibility, Included, Excluded, Status, and
Tags.
To view all imported jobs:
1. Navigate to Manage > Imports.
The page displays all import jobs associated with your organization.
Approving Import Jobs
Observables extracted from import jobs must be approved before they can become
part of your threat intelligence. Only users with Approve Import privileges can
approve import jobs for their organization. As such, this article describes the actions
users with Approve Import privileges can take when reviewing import jobs.
Import jobs can be approved from Import Review pages or in bulk from the Import
list view.
Reviewing and Approving a Single Import Job
When you approve an import job, all observables in the Included tab are added to
your threat intelligence and made active. Observables in the Excluded tab will not be
added. See "Managing Excluded Observables" on page 318 for possible actions
that can be taken on excluded observables, such as force-adding and removing
excluded observables.
Note: If you do not have the privileges to approve an import job, you cannot
approve or reject import jobs, but you can send a request to your organization
administrator to review a specific job. Additionally, you can edit the import jobs
you submit. See "Managing Import Sessions Without Approve Import Privileges"
on page 315 for more information.
To approve import jobs:
1. Navigate to Manage > Imports.
2. Click Ready to Review for the import job that you want to approve in the Import
section.
The Import Review page is displayed.
If you have the privileges to approve an import job, the Import Review page
displays Approve and Reject buttons at the top of the import session.
3. Review the observables listed as Included and make any necessary changes.
You can take the following actions on Included observables from the Actions
menu:
- Change Mapping: Edit the indicator type assigned to selected observables.
- Change Expiration Date: Edit the expiration date of the selected
observables.
- Edit Confidence: Change the Confidence score assigned to selected
observables.
- Move to Excluded: Exclude selected observables from approval.
Additionally, you can edit the values of Included observables by clicking the edit
icon corresponding to the value you want to edit.
See "Editing Observable Values Before Approval" on page 322 for more
information.
Tip: Click the filter icon to filter included observables by Type of observable,
Indicator Type, and Confidence.
4. Review the observables listed as Excluded and make any necessary changes.
You can take the following actions on Excluded observables:
- Move to Included: Add observables excluded from the import job due to
errors to the Included list. See "Manually Adding Excluded Observables" on
page 319 for more information.
- Remove Selected: Remove excluded observables from the import job. See
"Removing Excluded Observables" on page 319 for more information.
- Force Apply Tags: In cases where duplicate observables cannot be
re-imported due to visibility settings (see "Visibility of Re-imported
Observables" on page 321), you can add tags from the import job to the
existing active instances of the duplicate observables. See "Applying Tags
from Duplicate Observables" on page 320 for more information.
Additionally, you can edit the values and indicator types of Excluded
observables by clicking the edit icon corresponding to the observable you want
to edit.
See "Editing Observable Values Before Approval" on page 322 for more
information.
Tip: Click the filter icon to filter excluded observables by Type of observable,
Indicator Type, and Confidence.
5. (Optional) Add additional observables to the import job by clicking Add
Observables.
You can add up to 10 observables at once. You must select an indicator type
(iType) for each value.
Click Add Observables. The new observables are scored by ThreatStream and
added to the import job.
6. (Optional) Add Comments to the import job. Comments will be associated with
each observable included in the import job.
7. (Optional) Add Tags to the import job. Tags will be associated with each
observable included in the import job. Tags can contain spaces.
To add private tags that are only visible to your organization, assign them the My
Organization visibility setting. Tags assigned the Anomali Community visibility
setting are visible to any user with access to the observable. See "Adding
Private Tags to Observables" on page 243 for more information.
8. (Optional) Click Change Date to edit the expiration date for all observables
included in the import session.
9. (Optional) Click Add Association to associate the imported observables with
threat model entities.
10. To approve the import job and add included observables to your threat
intelligence, click Approve.
All observables listed in the Included tab will be approved and become part of
your threat intelligence on ThreatStream.
After imports are approved, you can view the imported observables on the search
page by clicking Go to Observables on the Import Job page.
Note: Observables assigned a confidence score of 15 or below are made
private to your organization, regardless of the visibility setting you selected for
the import job.
Approving and Rejecting Import Sessions in Bulk
Users with the Approve Import privilege can approve or reject import jobs in bulk
from the Import list view screen. When you approve import jobs in bulk, observables
listed in the Included tabs of the selected import sessions are immediately made
active. Therefore, you must ensure that all import jobs have been adequately
reviewed before executing bulk approval.
To approve or reject import sessions in bulk:
1. Navigate to Manage > Imports.
2. Select the import jobs in Ready to Review state that you want to approve or
reject.
3. If you want to approve the import jobs, click Approve in the Actions menu.
If you want to reject the import jobs, click Reject in the Actions menu.
The page will refresh when ThreatStream finishes processing your request.
Depending on your request, the status for the import jobs changes to Approved or
Rejected.
Note: Only users with the Approve Import privilege can approve or reject import
sessions in bulk. Users without the privilege cannot send bulk approval
requests.
Rejecting Import Jobs
If you do not want observables included in import jobs to become part of your threat
intelligence on ThreatStream, you can reject the import job. When you reject an
import job, its status changes from Ready to Review to Rejected.
Only users with Approve Import privileges can reject import jobs for their
organization. As such, this article describes the actions users with Approve Import
privileges can take when reviewing import jobs.
Note: If you do not have the privileges to reject an import job, you cannot
approve or reject import jobs, but you can send a request to your organization
administrator to review a specific job. Additionally, you can edit the import jobs
you submit. See "Managing Import Sessions Without Approve Import Privileges"
on page 315 for more information.
To reject an import job:
1. Navigate to Manage > Imports.
2. Click Ready to Review for the import job that you want to reject in the Import
section. The Import Review page is displayed.
If you have the privileges to approve an import job, the Import Review page
displays Approve and Reject buttons at the top of the import job.
3. To reject the import job, click Reject.
You can reference your rejected import jobs from the Import screen using the
Rejected status filter.
When you drill down on a rejected import job, observables which were Included and
Excluded in the import job are listed with the status Pending.
Restricting Observables Visibility to Workgroups During Import
When you import observables and choose to share them with your organization
only, you have the opportunity to select specific workgroups with which to share the
imported observables. Only users that are members of the workgroups you select
will be able to see the observables.
To share observables with workgroups during import:
1. During the import process, select Organization to make the data private to your
organization.
2. Click Restrict to Workgroups and select the workgroups with which you want
to share the observables. The workgroups you select are displayed under
Selected Workgroups.
Note: You can only select workgroups you are a member of during import.
At least one user in the workgroups you select must have the Approve
Import privilege.
3. Complete the import process. When the import job is approved, the observables
will be visible only to the members of the workgroups you selected.
You can also configure Import Email mailboxes to restrict imported data to selected
workgroups.
Note: If an observable already exists in ThreatStream whose visibility is
restricted to workgroups within your organization, you cannot import a duplicate
observable that is also private to your organization or restricted to other
workgroups—even in cases where the existing observable is not visible to you.
Managing Import Sessions Without Approve Import Privileges
If you do not have Approve Import privileges, you cannot approve import sessions.
However, you can edit the import jobs you submit before they are approved. You
can update any of the parameters set at the time of submission and add additional
observables to the import job. Further, you can reject the import jobs you submit and
send approval requests to users in your organization with Approve Import privileges.
To edit import jobs before approval:
1. Navigate to Manage > Imports.
2. Click Ready To Review for the import job that you want to edit.
The Import Review page is displayed, which lists the observables extracted from
the import job.
3. Review the observables listed as Included and make any necessary changes.
You can take the following actions on Included observables from the Actions
menu:
- Change Mapping: Edit the indicator type assigned to selected observables.
- Change Expiration Date: Edit the expiration date of the selected
observables.
- Edit Confidence: Change the Confidence score assigned to selected
observables.
- Move to Excluded: Exclude selected observables from approval.
Additionally, you can edit the values of Included observables by clicking the edit
icon corresponding to the value you want to edit.
See "Editing Observable Values Before Approval" on page 322 for more
information.
Tip: Click the filter icon to filter included observables by Type of observable,
Indicator Type, and Confidence.
4. Review the observables listed as Excluded and make any necessary changes.
You can take the following actions on Excluded observables:
- Move to Included: Add observables excluded from the import job due to
errors to the Included list. See "Manually Adding Excluded Observables" on
page 319 for more information.
- Remove Selected: Remove excluded observables from the import job. See
"Removing Excluded Observables" on page 319 for more information.
- Force Apply Tags: In cases where duplicate observables cannot be
re-imported due to visibility settings (see "Visibility of Re-imported
Observables" on page 321), you can add tags from the import job to the
existing active instances of the duplicate observables. See "Applying Tags
from Duplicate Observables" on page 320 for more information.
Additionally, you can edit the values and indicator types of Excluded
observables by clicking the edit icon corresponding to the observable you want
to edit.
See "Editing Observable Values Before Approval" on page 322 for more
information.
Tip: Click the filter icon to filter excluded observables by Type of observable,
Indicator Type, and Confidence.
5. (Optional) Add additional observables to the import job by clicking Add
Observables.
You can add up to 10 observables at once. You must select an indicator type
(iType) for each value.
Click Add Observables. The new observables are scored by ThreatStream and
added to the import job.
To reject an import job you submitted:
1. Navigate to Manage > Imports.
2. Click Ready To Review for the import job that you want to reject.
3. Click Reject.
To send an approval request:
1. Navigate to Manage > Imports.
2. Click Ready To Review for the import job you want to remind approvers to
review.
3. Click Send Intel Approval Request.
Managing Excluded Observables
Observables that were excluded from the import job due to errors are listed under
Excluded. Errors are displayed for each observable in the Reasons for exclusion
column.
If observables were excluded due to typos, you can edit observable values and
resubmit the import job. See "Editing Observable Values Before Approval" on
page 322 for more information.
Manually Adding Excluded Observables
Observables that ThreatStream excluded from import jobs due to errors can be
manually moved to the Included tab of the import job. Observables that you move to
the Included tab become active when the import job is approved.
Note: Observables with fatal errors cannot be moved to the included tab.
To manually add observables:
1. Navigate to Manage > Imports.
2. Click Ready to Review for the import job that contains the rejected
observables.
3. Click Excluded to display excluded observables.
4. To move the selected observables to the Included tab, select the required
observables and select Move to Included from the Actions menu.
The observables are now listed on the Included tab and will be made active when
the import job is approved.
Removing Excluded Observables
Rejected observables can also be removed from import jobs.
Note: Observables with fatal errors cannot be removed.
To remove excluded observables:
1. Navigate to Manage > Imports.
2. Click Ready to Review for the import job that contains the rejected
observables.
3. Click Excluded to display excluded observables.
4. To remove selected observables without fatal errors, select Remove Selected
from the Actions menu.
Applying Tags from Duplicate Observables
If observables are excluded from import jobs because they already exist in
ThreatStream and cannot be re-imported (see "Re-importing Observable Values"
on the next page) they cannot be force-added to your threat intelligence. However,
you can apply the tags from the import job to existing versions of rejected
observables.
To apply tags from duplicate observables:
1. Navigate to Manage > Imports.
2. Click Ready to Review for the import job that contains the observables excluded
for being duplicates.
3. Click Excluded to display excluded observables.
4. Select the observables to whose existing versions you want to apply the import
job tags.
5. Select Force Apply Tags from the Actions menu.
Note: For Force Apply Tags to appear as an available action, you must select
duplicate observables only. The action will not be available if you select
observables that were rejected for other reasons.
Re-importing Observable Values
ThreatStream enables you to re-import observable values that were previously
imported by your organization via the ThreatStream UI.
Re-importing observable values can be helpful in the following cases:
• Changing the Status of inactive observables to Active
• Updating details of existing observables
Any time you approve an import job that contains observables previously imported
by your organization, ThreatStream merges certain details of newly imported
observables into the details of existing observables.
Visibility of Re-imported Observables
Following re-import merges, observables are always made active and assigned the
visibility setting that allows for the widest visibility. For example, if the existing
observable is private to your organization and the newly imported observable is
restricted to specific Trusted Circles, the observable will be shared with the selected
Trusted Circles as a result of the merge. If both instances of the observable are
shared with different Trusted Circles, both groups of Trusted Circles are given
access to the observable as a result of the merge.
However, existing observables whose visibility is set to My Organization can only be
re-imported with the same visibility or shared with Trusted Circles. Observables that
are private to your organization can not be made public to the Anomali Community
as a result of re-import merges. In these cases, the observables you attempt to
import are excluded from import jobs.
Likewise, existing observables shared with the Anomali Community cannot be
restricted to your organization or Trusted Circles as a result of re-import merges. In
these cases, a distinct instance of the observable is imported and made active with
the more restrictive Visibility setting you selected.
The figure below illustrates how observable visibility can be expanded as a result of
re-import merges.
Note: If you attempt to re-import Organization or Trusted Circle observables with
the Anomali Community visibility setting, they will be excluded from the import
job.
Results of Re-import Merges
Existing values from all other fields are overwritten by new values with the exception
of the fields listed in the following table.
Field          Effect of Merge on Existing Values
Associations   Combined with associations from the newly imported observable
Comments       Existing comments maintained
Source         Combined with the source listed for the newly imported observable
Tags           Combined with tags from the newly imported observable
Note: Merges do not occur in cases of existing observables not owned by your
organization. In these cases, a distinct instance of the observable is imported
and made active.
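The visibility rules in "Visibility of Re-imported Observables", the workgroup note above it, and the field table in "Results of Re-import Merges" can be modelled as a small decision function, which is useful for predicting what a duplicate will do before an import job is approved. This is an added illustration, not ThreatStream code; the Observable fields, the sample values, and the two points marked as assumptions in the comments are constructed.

```python
"""Model of the re-import merge rules under "Visibility of Re-imported
Observables" and "Results of Re-import Merges".  Added illustration, not
ThreatStream code; the sample observables below are constructed."""
from dataclasses import dataclass, replace

MY_ORGANIZATION = "My Organization"
TRUSTED_CIRCLES = "Trusted Circles"
ANOMALI_COMMUNITY = "Anomali Community"
WIDTH = {MY_ORGANIZATION: 0, TRUSTED_CIRCLES: 1, ANOMALI_COMMUNITY: 2}


@dataclass(frozen=True)
class Observable:
    value: str
    visibility: str
    owned_by_my_org: bool = True
    trusted_circles: frozenset = frozenset()
    workgroups: frozenset = frozenset()   # non-empty when restricted to workgroups
    status: str = "active"
    confidence: int = 50                  # stands in for "all other fields"
    associations: frozenset = frozenset()
    sources: frozenset = frozenset()
    tags: frozenset = frozenset()
    comments: tuple = ()


def reimport(existing, new):
    """Return (outcome, resulting observable) where outcome is 'merged',
    'distinct' (a separate active instance is created) or 'excluded'."""
    # Merges only happen for observables your organization owns
    if not existing.owned_by_my_org:
        return "distinct", replace(new, status="active")
    # Organization or Trusted Circle data is never widened to the Community
    if new.visibility == ANOMALI_COMMUNITY and existing.visibility != ANOMALI_COMMUNITY:
        return "excluded", existing
    # A workgroup-restricted existing observable blocks duplicates that are
    # private to the organization or restricted to other workgroups
    # (assumption: a duplicate restricted to the same workgroups merges)
    if (existing.workgroups and new.visibility == MY_ORGANIZATION
            and new.workgroups != existing.workgroups):
        return "excluded", existing
    # Community data is never restricted: the narrower copy becomes a distinct instance
    if existing.visibility == ANOMALI_COMMUNITY and new.visibility != ANOMALI_COMMUNITY:
        return "distinct", replace(new, status="active")
    # Otherwise merge: widest visibility wins, circles/associations/sources/tags
    # are combined, existing comments are kept, everything else takes the new values
    wider = max(existing.visibility, new.visibility, key=WIDTH.get)
    merged = replace(
        new,
        status="active",
        visibility=wider,
        trusted_circles=existing.trusted_circles | new.trusted_circles,
        # assumption: a workgroup restriction only survives while visibility stays My Organization
        workgroups=existing.workgroups if wider == MY_ORGANIZATION else frozenset(),
        associations=existing.associations | new.associations,
        sources=existing.sources | new.sources,
        tags=existing.tags | new.tags,
        comments=existing.comments,
    )
    return "merged", merged


# Constructed scenarios (values are placeholders, not real indicators)
EXISTING_PRIVATE = Observable("malicious.example", MY_ORGANIZATION, status="inactive",
                              confidence=40, tags=frozenset({"phishing"}),
                              sources=frozenset({"analyst-import"}),
                              comments=("seen in Q1 campaign",))
NEW_SHARED = Observable("malicious.example", TRUSTED_CIRCLES, confidence=80,
                        trusted_circles=frozenset({"circle-a"}), tags=frozenset({"c2"}),
                        sources=frozenset({"partner-feed"}), comments=("new note",))
NEW_PRIVATE = replace(NEW_SHARED, visibility=MY_ORGANIZATION, trusted_circles=frozenset())
NEW_PUBLIC = replace(NEW_SHARED, visibility=ANOMALI_COMMUNITY, trusted_circles=frozenset())


def demo():
    """Run each documented case; returns {scenario: (outcome, observable)}."""
    return {
        "private_then_circle": reimport(EXISTING_PRIVATE, NEW_SHARED),
        "private_then_community": reimport(EXISTING_PRIVATE, NEW_PUBLIC),
        "community_then_private": reimport(replace(EXISTING_PRIVATE, visibility=ANOMALI_COMMUNITY), NEW_PRIVATE),
        "workgroup_restricted": reimport(replace(EXISTING_PRIVATE, workgroups=frozenset({"soc"})), NEW_PRIVATE),
        "not_owned": reimport(replace(EXISTING_PRIVATE, owned_by_my_org=False), NEW_SHARED),
    }


if __name__ == "__main__":
    for scenario, (outcome, obs) in demo().items():
        print(f"{scenario}: {outcome}, visibility={obs.visibility}, status={obs.status}")
```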
Editing Observable Values Before Approval
ThreatStream enables you to easily edit and resubmit observables. This prevents
you from having to specify the correct values in a separate import job.
Both Included and Excluded observables can be edited. You can only edit pending
observables when import jobs are in Ready to Review status.
To edit and resubmit included observables:
1. Navigate to the import job that contains the included observables you want to
edit and resubmit.
2. On the Included tab, click the edit icon corresponding to the value you want to
edit.
3. Make the desired changes to the observable value and click Apply Changes.
ThreatStream re-scores the observables based on the changes you made. Updated
values are immediately reflected in the import job.
To edit and resubmit excluded observables:
1. Navigate to the import job that contains the excluded observables you want to
resubmit.
2. Click Excluded.
3. Click the edit icon corresponding to the observable you want to edit.
4. Make the desired changes to the observable value or indicator type and click
Apply Changes.
ThreatStream evaluates the changes you made. The observable is automatically
moved to the Included tab if your changes result in a valid observable.
Deleting Import Jobs
Import Jobs submitted by your organization can be deleted from the Imports list view
screen. You can delete import jobs that are in Approved, Rejected, or Ready to
Review state.
When you delete an import job, all Observables from the import job are also deleted
from ThreatStream. As such, deleting an import job can result in the deletion of
Observables which are currently active on ThreatStream.
Only users with Approve Import privileges can delete import jobs.
Note: Import jobs containing more than 10,000 observables cannot be deleted
from the ThreatStream user interface. Contact Anomali Support for assistance.
To delete import jobs:
1. Navigate to Manage > Imports.
2. Select up to 25 import jobs.
3. In the Actions menu, click Delete.
4. To confirm, click Delete Import Jobs.
After ThreatStream processes your request, the import jobs and all associated
Observables are deleted.
Chapter 11: Investigating Threats in ThreatStream
This chapter covers the following topics:
Investigations List View 326
Creating Investigations 327
Understanding the Investigations User Interface 330
Collaborating on Investigations 338
Using the MITRE ATT&CK Framework in Investigations 341
Managing Investigation Entities 346
Exporting Investigations as Threat Model Entities 356
Exporting Investigations in CSV Format 358
Investigations is a collaborative and flexible workspace that you can use to perform
daily tasks. After creating an investigation, you can centralize threat data as it
becomes available and perform pivoting to understand linkages. Investigation tasks
can also be tracked and assigned to organization users. After completing research,
you can create new intelligence in the form of threat model entities or newly
imported observables. Additionally, an integration with ServiceNow enables you to
push investigation information to security incident tracking systems.
Within an investigation, you can leverage the ThreatStream Explore tool to make
connections between the entities you are researching and other data, both internal
and external to ThreatStream. Using the Explore tool, you may discover external
data of interest that is not yet imported to ThreatStream. From the investigation, you
can initiate an import session for all not-yet imported observables, thus adding them
to your threat intelligence on ThreatStream.
Investigations also enables you to add contextual information to entities as Analysis.
See "Managing Entities on the Table View" on page 353 for more on adding
Analysis.
Investigations List View
The Investigations list view displays the investigations that you have access to in
ThreatStream. Access the Investigations list view by navigating to Research >
Investigations.
Search: Search investigations by keyword. Investigations search queries
investigation Name, Description, and Tags.
Filter: Filter the investigations in the list by Investigation Type, Created Date,
Modified Date, Assignee, Status, Tags, TLP, and Priority.
Note: Sharing Organization Analyst ThreatStream users have an additional
Form Submission Type filter to denote investigations created as a result of
Sharing Organization Member submissions.
Status: Current status of the investigation.
Investigation Type: Describes how the investigation was created. Possible
types are Phishing Email Ingest, Email Ingest, Rules Generated, and User Created.
Owner: User that created the investigation.
Actions:
• New: Create a new investigation. See "Creating Investigations" below for more
information.
• Delete: Delete the selected investigations.
• Export CSV: Export a list of investigations in a CSV file.
Creating Investigations
The need for starting an investigation can come from several scenarios. While
browsing the threat intelligence to which you have access on ThreatStream, you
might come across an observable, threat model entity, or sandbox report of interest
and want to create an investigation to learn more about it or research its context. In
these cases, you can start an investigation by selecting the intelligence of interest,
and then Start / Continue Investigation in the Actions menu.
Additionally, you can add all observables from an approved import session by
navigating to the approved import session and clicking Add to Investigation.
Phishing and Email Ingest Investigations
Investigations are also created as a result of ingesting a phishing email into
ThreatStream. If you forward a phishing email to ThreatStream, you can follow the
steps described in "Ingesting Phishing Emails" on page 296 and then use the
resulting investigation to build out a map of the attack infrastructure behind the
email.
Rules Generated Investigations
Investigations are also created when the conditions of a rule that has "Add to
Investigation" as a configured action are met. See "Configuring Rules" on page 574 for
more information.
Anomali Match Created Investigations
Anomali Match users can also trigger investigation creation in ThreatStream from
the Anomali Match user interface. See the Anomali Match Administration & User
Guide for more information.
Anomali Lens Created Investigations
Investigations can be created from the Anomali Lens browser plugin. See the
Anomali Lens User Guide for more information.
Creating Blank Investigations
Additionally, ThreatStream enables you to start from scratch and create blank
investigations. Blank investigations can be created from the Investigations
Dashboard.
To create a blank investigation:
1. Navigate to Research > Investigations.
2. In the Actions menu, click New.
3. Enter a Name for the investigation.
4. Select a Visibility setting for the investigation. By default, the investigation is
visible only to you. You can expand visibility to all users in your organization (My
Organization), workgroups, or a set of individual users in your organization.
5. (Optional) Select an Assignee for the investigation.
6. (Optional) Add Candidate Observables to the investigation from a PDF or TXT
file. Structured data is not supported. PDFs must be 20MB or less. TXT files
must be 10MB or less.
Up to 1000 observables will be parsed from the file and included in the new
investigation as Not Imported Observables and available on the Explore tool
and table view. If any parsed observables already exist in ThreatStream, they
are added to the investigation as Already Imported Observables.
Note: Adding candidate observables does not trigger an import session.
Global and organization exclude lists are not applied to candidate
observables until they are imported. Hence, observables present on your
organization Exclude List can be added to the investigation as Not Imported
Observables. If you want to import any of the parsed observables, click
Import Observables in the Actions menu of the investigation.
7. (Optional) Use the rich text editor to add a Description.
8. Click Create.
The new investigation will be available on the Investigations Dashboard.
Note: All investigations are assigned the My Organization visibility setting.
However, investigations can be exported as threat model entities of any type.
The resulting entities can be shared with trusted circles or the Anomali
Community. See "Exporting Investigations as Threat Model Entities" on
page 356 for more information.
Understanding the Investigations User Interface
Investigation name: Click the text to edit the name. The investigation in this
example was the product of a phishing email ingest. Therefore, the phishing icon is
displayed next to the name.
Save: Save changes to the investigation. The save button becomes active after
you make a change to the investigation.
Investigation menu:
- Export to Threat Model—Export the investigation as a threat model entity. See "Exporting Investigations as Threat Model Entities" on page 356 for more information.
- Import Observables—Initiate an import session for any observables contained in the investigation that are unknown to ThreatStream. The TLP color assigned to the investigation is automatically applied to the import session.
- Delete—Delete the investigation. Investigations can only be deleted by the users that created them.
- Create / Update IBM Resilient Incident—Send investigation information to IBM Resilient for tracking. See "Integrating with IBM Resilient" on page 121 for more information.
- Create a Jira Ticket—Send investigation information to Jira for tracking. See "Integrating with JIRA" on page 122 for more information.
- Create a Security Incident in ServiceNow—Send investigation information to ServiceNow for tracking. See "Activating the ServiceNow Integration" on page 133 for more information.
Entity Overview: View a count of the entities associated with the investigation
by entity type.
Displayed counts include:
- Already Imported Observables: Number of observables contained in the investigation that exist in ThreatStream.
- Not Imported Observables: Number of observables contained in the investigation from external sources that have yet to be imported into ThreatStream.
Note: Investigations containing more than 1000 observables display a single
Observables count.
- Pending Import Sessions: Import sessions in Ready To Review status associated with the investigation. Click the Pending Import Sessions link to view the import sessions.
From this window, you can click Approve to approve the import session or
Reject to reject the import session. When you approve a pending import session,
the observables from the import session become active and are included in the
Already Imported Observable count. When you reject an import session, the
observables included in the import session contribute to the Not Imported
Observables count and are not removed from the investigation. You can click
View Full Import to drill down on the import session.
A full list of import sessions associated with the investigation, including those
previously approved or rejected, is available in the Imports section. See below
for more information.
Note: If you delete a pending import session, observables are not removed
from the investigation.
- Sandbox Detonations: Number of sandbox reports contained in the investigation.
- Threat Model Entities: A count for each Threat Model entity type contained within the investigation. Threat Model entity types include Actors, Attack Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Threat Bulletins, Tools, and TTPs.
Note: If you update an observable value in an import session, the update is
not reflected in the investigation when you approve the import session. The
new observable becomes active on ThreatStream but is not added to the
investigation. The original value remains part of the investigation as a Not
Imported Observable.
Investigation details: Click More Details to view or edit all available
information.
Field Description
Submitted Date: Timestamp of when the investigation was created.
Last Modified: Timestamp of when the most recent changes were saved to the investigation.
Reporter: User that created the investigation.
Tags: Tags associated with the investigation. Investigations can contain up to 200 tags.
Visibility: The privacy level for the Investigation. Investigations can be visible
to all users in your organization, specific workgroups, or private
(visible only to you).
To modify the visibility setting for the investigation, open the
Visibility dropdown.
To make the investigation visible to all users in your organization,
select My Organization.
To make the investigation visible to specific workgroups, select the
workgroups of interest.
To make the investigation visible to a set of users, select the users
of interest.
To make the investigation private (visible only to you), deselect all
boxes in the list.
Note: Investigations cannot be shared with users outside of
your organization. However, investigations can be exported as
threat model entities of any type. The resulting entities can be
shared with trusted circles or the Anomali Community. See
"Exporting Investigations as Threat Model Entities" on
page 356 for more information.
Status: Status of the investigation—Completed, In Progress, Pending, or Unassigned.
Priority: Priority that organization collaborators should give the investigation—Very Low, Low, Medium, High, Very High.
Assignee: User or workgroup in your organization to which work on the
investigation has been assigned. To create a new workgroup, click
New Workgroup.
Assignees must have visibility into the investigation. You cannot
assign the investigation to individual users or workgroups whose
members are excluded by the visibility setting of the investigation.
For example, if the visibility of the investigation is restricted to a
workgroup, it can be assigned to either the workgroup as a whole
or an individual member of the workgroup.
If you want to remove the assignment for the investigation, select
Unassigned.
TLP: The maximum level of information that users outside your
organization have access to when viewing your investigation.
TLP settings are used to filter information when sharing
investigations with outside organizations. Entities or analysis within
the investigation that you give a higher TLP color than the one you
selected for the investigation will be hidden from outside users.
Models: View entities on Investigation Entities, Diamond, and Kill Chain
graphical models. Below is an example of the Investigation Entities model.
Entities are automatically assigned to the Investigation Entities model. In order to
view entities on the Diamond or Kill Chain models, you must assign them a Kill
Chain phase or Diamond feature.
ThreatStream also enables Anomali Lens+ customers to leverage the MITRE
ATT&CK Framework within Investigations. See "Using the MITRE ATT&CK
Framework in Investigations" on page 341.
To assign entities a Kill Chain phase or Diamond feature:
1. Navigate to the investigation in which you are working.
2. Click Show Models.
3. Select Diamond or Kill Chain.
4. In the Entities section, open the table view.
5. Select the entity which you want to add to the model.
6. In the Actions menu, click Assign Feature (for the Diamond model) or Assign
Phase (for the Kill Chain model).
7. Select the Feature or Phase you want to assign the entity.
8. Click OK.
Note: Candidate observables must be imported before you can assign them to
structured threat models.
Entities: Data contained in the investigation. You can toggle between the
Explore tool and a table view of the entities that populate the Explore tool.
For more information see "Managing Investigation Entities" on page 346.
Description: Long-form description of the threat and recommendations for
further action.
The intuitive rich text editor enables you to add pre-formatted content. You can copy
and paste content—including images—from .doc, .docx, and .pdf files into the Rich
Text Editor. All formatting is preserved.
Attachments: Files associated with the investigation. This can include
investigation attachments, sandbox reports, phishing emails, and so on.
Investigation attachments must be 20MB or less.
To delete attachments, click the X icon of the attachment you want to delete and
then click OK on the resulting window to confirm. Attachments are immediately
deleted. You do not need to save the investigation to complete the deletion.
Tasks: View assigned tasks or create new ones. Click Add new task to create a
task.
Pre-defined tasks include Determine Target, Add Context, Determine Scope,
Find Related Observables, Build Event Timeline, and Show Relationships.
You can also use Other to assign tasks outside of the pre-defined tasks. Leave the
assignee a Note to make clear what you want them to accomplish.
If you want to remove the assignment for the task, select Unassigned from the
assignee drop down menu.
Note: If the visibility of the investigation is restricted to specific workgroups in
your organization, the task assignee must be a member of at least one of the
workgroups with visibility into the investigation.
Click Delete this task to permanently remove the task from the investigation.
Imports: View Import Sessions associated with the investigation.
Click the Status to drill down on the import session.
History: View a log of changes to the investigation on a graphical timeline.
Not Yet Imported Observables in Investigations
Observables listed as Not Yet Imported in investigations originate from multiple
places:
- Observables added as Candidate Observables during investigation creation which did not already exist in ThreatStream (see "Creating Investigations" on page 327).
- Observables added as Candidate Observables using the Bulk Add feature on the Explore pivoting chart or the Table View of the investigation (see "Managing Investigation Entities" on page 346).
- Observables parsed from a submission to a phishing mailbox which is configured to create an investigation and not an import session (see "Mailboxes For Receiving Observables" on page 81).
Global and organization exclude lists are not applied to candidate observables until
they are imported. Hence, observables present on your organization Import Exclude
List can be added to the investigation as Not Imported Observables. If you want to
import any of these observables, click Import Observables in the Actions menu of
the investigation.
Collaborating on Investigations
The investigation workspace is designed to support contributions from multiple
users within an organization. To ensure that one user does not overwrite the
changes of another user by mistake, only one user can edit a given investigation at a
time. ThreatStream locks investigations when an edit is made. Other users with
access to the investigation are prevented from making edits until you save the
investigation or leave the page.
Tip: If the save button is active, the investigation is locked. Other users with
access to the investigation are prevented from making edits until you save the
investigation or leave the page.
The following message is displayed when you access a locked investigation—one
which another user is currently editing:
You can click Request Edit Access to view who is editing the investigation.
If the listed user is unable to save their edits, contact one of your ThreatStream
Org Admins for assistance. Org Admins can unlock investigations using the
instructions in "Managing Locked Investigations" below.
Managing Locked Investigations
Org Admin users have the ability to unlock investigations which organization users
are editing. When an Org Admin unlocks an investigation for another user, unsaved
changes made by the user are lost.
To unlock investigations:
Note: You must be an Org Admin to unlock investigations which are being
edited by other users.
1. Navigate to Manage > Investigations.
2. Click There are... locked investigations.
3. On the resulting window, select the investigation you want to unlock and click
Force Unlock in the Actions menu.
4. Click Unlock and Lose Unsaved Changes to confirm.
The investigation is unlocked. Other users can now make changes to the
investigation.
Using the MITRE ATT&CK Framework in Investigations
In addition to the Diamond, Kill Chain, and STIX models, ThreatStream
Investigations contain an on-board implementation of the MITRE ATT&CK
Framework. This implementation gives you a visual representation of MITRE
ATT&CK associations and insight into the impact of the threat under investigation
with regard to the MITRE ATT&CK Framework.
The Anomali Threat Model contains a library of MITRE ATT&CK techniques. When
techniques with the prefixes [MITRE ATT&CK] or [MITRE PRE-ATT&CK] are added
to an Investigation, they are automatically plotted on the MITRE ATT&CK
Framework matrix in the Models section of the Investigation.
When you export investigations, you have the option of including a non-editable,
point-in-time snapshot of the matrix in its current state. See "Exporting
Investigations as Threat Model Entities" on page 356 for more information.
Note: The MITRE tab is not available for Investigations that contain more than
1000 entity associations.
Matrix: MITRE techniques associated with the Investigation are plotted on the
matrix. Techniques are assigned a color within the scoring gradient based on the
number of associated Observables and Threat Model entities relative to the other
MITRE techniques contained within the Investigation. You can click techniques on
the matrix to view a description and access complete technique details.
The popup displays an Investigation Total Linked Entity Score, which scores
techniques based on number of associations with entities contained within the
Investigation. This score determines the color gradient assigned to each technique.
Techniques that contain zero associations with other entities in the Investigation are
assigned a score of 0% and the lowest gradient on the matrix.
Click the Analysis icon to add analysis to the technique.
Click the More Options icon to drill down on the technique details page or
remove the technique from the Investigation. An Open Entities Table option is
available if the technique contains associations, enabling you to view associations in
a filterable window.
Current Version: Current default version of the MITRE ATT&CK framework
used by your organization. See "Specifying a Default MITRE ATT&CK Version for
your Organization" on page 518 for more information.
Gradient: Displays the current color gradient for the matrix.
Overlay Security Controls: Overlay your Organization MITRE ATT&CK
security control representation on the framework to get a snapshot of your coverage
for a particular threat. For more information on configuring your security control
representation, see "Managing Your Organization MITRE ATT&CK Security
Coverage Framework" on page 556.
If Overlay Security Coverage is disabled, the gradient ranges from Low Frequency
to High Frequency based on the number of investigation entities associated with the
techniques.
If Overlay Security Coverage is enabled, the gradient ranges from Low Risk to High
Risk based on your configured MITRE ATT&CK security coverage.
Multiselect: Add Threat Model entities and Observables to the matrix without
adding them to the Investigation. If these entities contain MITRE ATT&CK
associations, the associated techniques are plotted on the matrix.
Multiselected entities are listed in the Multiselect menu. From this menu, you can
click Add to Investigation to add the entity to the investigation or Remove to
remove the entity from the matrix.
If the entities contain MITRE technique associations they will be plotted on the
heatmap with the corresponding letters listed on the Multiselect menu.
Show/Hide Sub-Techniques: If your organization has configured an applicable
MITRE version, the screen contains an additional Show/Hide Sub-Techniques
option. Click Show Sub-Techniques to expand the matrix to display sub-techniques
for each technique. Additionally, you can expand sub-techniques for individual
techniques by clicking the arrow next to the technique on the matrix.
Note: Sub-techniques are only visible on the matrix if your organization uses
MITRE ATT&CK v7.2, v8.2, or v9.
Filter: Filter techniques by associated investigation Entities and Platforms.
Additionally, a Hide Unused switch enables you to display only those techniques for
which you have configured a security coverage level.
Note: Filter is applicable only to MITRE ATT&CK v6.2. Filter techniques are
deprecated in MITRE ATT&CK v7.2 and later.
Settings: The following settings are available:
- Show Relative Risk: When enabled, the Relative Risk view displays your coverage of the threat under investigation as a heatmap.
Risk is represented on a gradient from low to high and calculated based on the number of entities associated with a technique and the coverage level attained by your organization.
- Frequency Gradient: Color gradient used when Overlay Security Coverage is disabled.
- Risk Gradient: Color gradient used when Overlay Security Coverage is enabled.
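The Matrix and Settings descriptions above give the rule for colouring techniques (score relative to the other techniques in the investigation, zero associations scoring 0%, and a risk view that combines entity count with your coverage level) but not the arithmetic. The following Python is an added illustration, not Anomali's code: the five-step gradient, the scaling against the most-linked technique, the coverage scale (0.0 none to 1.0 full) and the formula risk = frequency x (1 - coverage) are all assumptions, and the technique associations and coverage levels are constructed sample data.

```python
GRADIENT_STEPS = 5  # assumption: five colour buckets from lowest to highest


def linked_entity_scores(associations):
    """Investigation Total Linked Entity Score per technique, in percent.

    `associations` maps a technique ID to the set of investigation entities
    (observables and threat model entities) linked to it. The guide says the
    score is relative to the other techniques in the investigation and that a
    technique with zero associations scores 0%; scaling against the most-linked
    technique is the assumed way to realise that."""
    counts = {tech: len(entities) for tech, entities in associations.items()}
    top = max(counts.values(), default=0)
    if top == 0:
        return {tech: 0.0 for tech in counts}
    return {tech: round(100.0 * n / top, 1) for tech, n in counts.items()}


def gradient_bucket(score_pct, steps=GRADIENT_STEPS):
    """Map a 0..100 score to a bucket 0..steps-1. Zero keeps the lowest bucket
    to itself so unlinked techniques stay visually distinct (assumption)."""
    if score_pct <= 0:
        return 0
    return 1 + int((steps - 2) * min(score_pct, 100.0) / 100.0)


def frequency_view(associations):
    """Overlay Security Coverage disabled: Low Frequency .. High Frequency."""
    return {t: gradient_bucket(s) for t, s in linked_entity_scores(associations).items()}


def relative_risk_view(associations, coverage):
    """Overlay Security Coverage enabled: Low Risk .. High Risk.

    `coverage` maps technique ID to the organisation's configured coverage
    level as a fraction 0.0 (none) .. 1.0 (full); techniques absent from the
    map have no configured level and count as uncovered. The guide states risk
    depends on entity count and coverage level; risk = frequency x (1 - coverage)
    is the assumed combination. Returns (risk percentages, gradient buckets)."""
    scores = linked_entity_scores(associations)
    risk = {t: round(s * (1.0 - coverage.get(t, 0.0)), 1) for t, s in scores.items()}
    return risk, {t: gradient_bucket(r) for t, r in risk.items()}


def hide_unused(view, coverage):
    """Hide Unused switch: keep only techniques with a configured coverage level."""
    return {t: b for t, b in view.items() if t in coverage}


# Constructed sample: three techniques in an investigation and their linked entities.
SAMPLE_ASSOCIATIONS = {
    "T1566": {"obs-1", "obs-2", "obs-3", "malware-1"},  # four linked entities
    "T1059": {"obs-1", "malware-1"},                     # two linked entities
    "T1105": set(),                                      # added, but unlinked
}
SAMPLE_COVERAGE = {"T1566": 0.75, "T1059": 0.0}  # T1105 has no configured level


if __name__ == "__main__":
    print(linked_entity_scores(SAMPLE_ASSOCIATIONS))
    print(frequency_view(SAMPLE_ASSOCIATIONS))
    print(relative_risk_view(SAMPLE_ASSOCIATIONS, SAMPLE_COVERAGE))
```

With the sample data the most frequent technique (T1566) drops to a lower risk bucket than the less frequent but uncovered T1059, which is the point of the Relative Risk view.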
Automatically Adding MITRE ATT&CK Techniques to Investigations
When you pivot on investigation entities or add new entities from the on-board
Explore pivoting tool, an additional option allows you to automatically add MITRE
techniques associated with the entities added to the chart.
Simply ensure Auto-Map to MITRE is selected under the chart key. For more on
using the Explore pivoting tool in investigations, see "Using Explore In
Investigations" on page 346.
Notes:
- Auto-Map to MITRE is only supported for entities added within the
investigation.
- Auto-Map to MITRE is not supported for Not Yet Imported observables in the
investigation.
- Auto-Map to MITRE is not available on the standalone Explore pivoting tool or
the pivoting tool on observable details pages.
Managing MITRE ATT&CK Technique Associations Within Investigations
If an association does not exist between an investigation entity and a MITRE
technique, you can use the Assign technique function in the Entities table view
section to connect entities in the investigation to a specific MITRE technique. Doing
so creates a connection between the two entities within the investigation, thus
mapping the entity to a technique on the MITRE ATT&CK matrix. However, the
connection only exists within the investigation and an association is not created
between the two entities.
To add a MITRE association within an investigation:
1. Navigate to Research > Investigations.
2. Click the Name of the investigation of interest.
3. Click Show Models and open the MITRE ATT&CK tab.
4. Scroll down to the Entities section and open the table view.
5. Select the entity with which you want to link the MITRE technique.
6. In the Actions menu, click Assign Technique.
Note: The MITRE ATT&CK tab must be open in the Models section for
Assign Technique to appear in the Actions menu.
7. Search for the relevant MITRE ATT&CK or MITRE PRE-ATT&CK techniques in
the Add Technique search.
Note: There is no limit to the number of MITRE techniques you can
associate with a single investigation entity.
8. Select the techniques of interest and click OK.
The association is created within the investigation and reflected on the MITRE
ATT&CK matrix.
See "Managing Entities on the Table View" on page 353 for more information on the
investigation entity table view.
Managing Investigation Entities
You can manage entities contained within the investigation under Entities. There
are two views associated with entity management: Explore and the table view.
You can add up to 1000 entities to a single investigation using the Explore tool and
the table view. However, when investigations exceed 1000 entities, the Explore
chart is hidden on the investigation and only the table view is available.
When investigations exceed 3000 entities, only the most recently added 3000
entities are displayed.
Using Explore In Investigations
Investigations contain an on-board version of the Explore pivoting tool. When data is
added to the Explore chart, it is also added to the investigation and available on the
entity table view.
Quick Add: Add observables or threat model entities to the investigation based
on a keyword search.
You can use Quick Add to add Not Imported observables to the investigation.
Simply enter an observable value and click +.
In some cases, multiple instances of the same observable value are listed in the
search results. In these cases, different instances of the same observable are
available to you from multiple sources. Observable sources are listed in the search
results, thus enabling you to select an instance of the observable based on the
source of your choosing.
See "Not Yet Imported Observables in Investigations" on page 338 for more
information.
Browse: Add observables or threat model entities to the investigation using
comprehensive search functionality.
Add All: Add all entities displayed in the search results to the investigation.
Actions:
- Link: Create a link between the selected node or group and another node or group on the chart. To create a link, select a node or group, click Link, and select the node or group with which you want to link the initial node or group.
When you link a node or group to a group, links are created with each node contained within the group. Thus, if you ungroup nodes in a group, the original link is maintained with each ungrouped node.
Links can be removed by clicking the link and then pressing the Delete (for
Windows) or FN+Delete (for Mac) keys on your keyboard.
Note: Creating a link is a visual connection only and does not create an
association between entities.
- Rename: Rename the selected group. Only groups—and not individual nodes—can be renamed. Group names can be no more than 80 characters.
- Search Associations: Search Observables and Threat Model entities that are associated with the selected entity in ThreatStream. Related entities are added to the chart.
- Search Metadata: Add any ASNs, tags, or other metadata associated with the selected entity to the chart.
- Search Passive DNS: Search Passive DNS threat intelligence data for observables related to the selected nodes. Related observables are added to the chart.
- Search Passive SSL: Search Passive SSL data for certificate information. The following Passive SSL searches are available:
  - Search Certificate: Search certificates associated with the selected observable. The search queries certificates based on the text string of the observable value.
  - Search Related Certificates: Search for related certificates based on certificate text strings. When you run Search Related Certificates, you must select the certificate text of interest.
  - Certificate to IP: Search IP addresses associated with selected certificates.
  - Certificate to Domain: Search domains associated with selected certificates.
- Search Whois: Search Whois threat intelligence data for observables related to the selected nodes.
- Recipes: Run a sequence of searches developed by the Anomali Threat Research team for specific research scenarios.
- Import to ThreatStream: Import selected observables into ThreatStream. Clicking this action will take you to the Import page.
- Group/Ungroup: Group together selected nodes. You can also ungroup grouped nodes by selecting them and clicking Ungroup.
- View Detail: Drill down on the details page in ThreatStream for the selected node.
- Delete Selection: Delete the selected node from the chart.
- Enrichments: Pivot on the node using enrichments which you have activated on ThreatStream.
Click Search All within an enrichment pivot menu to execute all available pivots
from the enrichment on the selected nodes.
Chart Options:
- Center the chart.
- Reset the chart. This removes all nodes from the chart.
- Zoom in or out on the chart.
Tips:
- You can zoom using your mouse wheel by clicking inside the chart and
holding the control key on your keyboard.
- Zoom centers on specific nodes when you select nodes and zoom in or out.
- When you zoom in on a section of the chart and add a new node, the current
zoom setting persists after the node is added.
- Toggle the pointer between move and select modes. Move enables you to click and drag the entire chart around the workspace; select enables you to click and select individual nodes or click and drag to select multiple nodes.
- Toggle full screen view.
- Toggle between standard, hierarchical, and structural views.
- Export the chart in PNG format.
Note: As investigations themselves can be saved, the Save Chart and Open
Existing Chart options are not available on Explore charts within Investigations.
Search Nodes: Search for nodes on the chart by keyword. Nodes that match the
keyword you enter are spotlighted on the chart.
Chart Key: Select nodes on the chart by type.
Node Search Limit: When you execute a search on a chart node, this setting
limits the maximum number of nodes added to the chart from the total search
results.
Auto-Zoom: When enabled, the chart automatically adjusts when you add
nodes so that new nodes are in view.
Auto-Arrange: When enabled, nodes added to the chart are automatically
arranged based on the current view.
Auto-Map to MITRE: When enabled, MITRE TTPs associated with entities
resulting from pivots are automatically added to the investigation. These TTPs are
mapped on to the MITRE ATT&CK model. For more information on MITRE ATT&CK
TTPs in investigations, see "Using the MITRE ATT&CK Framework in
Investigations" on page 341.
Bulk Add: Add candidate observables to the investigation from a PDF or TXT
file. Structured data is not supported. PDFs must be 20MB or less. TXT files must be
10MB or less.
Up to 1000 observables will be parsed from the file and added to the investigation as
Not Imported Observables and available on the Explore tool and table view. If any
parsed observables already exist in ThreatStream, they are added to the
investigation as Already Imported Observables.
Note: Adding candidate observables does not trigger an import session. Global
and organization exclude lists are not applied to candidate observables until
they are imported. Hence, observables present on your organization Exclude
List can be added to the investigation as Not Imported Observables. If you want
to import any of the parsed observables, click Import Observables in the Actions
menu of the investigation.
Viewing Node Details
When you select a node on the chart, node details are displayed in the Selection
Details section of the chart.
Click View Details to drill down on the entity details page. You can execute any of
the actions listed above from the Node Options menu.
Entities are displayed in a list view when you select multiple nodes.
Click a node Name to open the entity in the Selection Details section.
Note: If a threat model entity name is updated after the entity is added to the
investigation, the name change is not automatically reflected in the investigation
node.
Using Enrichments on Explore
In addition to executing pivoting enrichments on nodes in the Explore chart, you can
also use the Explore pivoting tool to leverage contextual data enrichments within the
investigation. Contextual enrichments, which are also available in the Enrichments
section on observable details pages, provide qualitative information from third-party
sources on individual observables.
When you select a node on the Explore chart, available enrichments are listed in the
Enrichments section of Selection Details.
To execute an enrichment, simply click the enrichment of interest. When you
execute an enrichment, ThreatStream opens a tab underneath Explore for the call,
as displayed below.
Tabs are added for each enrichment you launch, thus enabling you to reference
enrichment data for multiple observables and enrichments in the same section. You
can launch up to 100 tabs.
Note: Enrichment tabs are not maintained on the investigation after you
navigate away from the page.
Managing Entities on the Table View
Investigations also provides a table view for entity management that displays all
entities contained in the investigation.
Type: Type of entity.
Title: Name or value of the entity. Click the Threat Model entity name or the
Observable value to drill down on the details page.
Note: Details page links are not available for observables in Not Imported
status.
Status: Possible statuses for observables include Active (imported) or Not
Imported (candidate observable). Threat model entities display their current
publication status.
You can start an import session from the investigation by selecting the Not Imported
observables of interest and clicking Import to ThreatStream in the Actions menu.
Observables remain in the Not Imported status until the import session is approved.
Confidence: Confidence score for imported observables.
Analysis: Add contextual information to entities as analysis. Click the icon in the
Analysis column corresponding to the entity of interest. You can add analysis to
Already Imported Observables, Not Yet Imported Observables, Threat Model
entities, and entities returned from pivoting on Explore such as tags, ASNs, DNS
entities, metadata, or certificates.
Note: If the analysis icon is not available for a Not Imported observable in the
table view, save the investigation and try again.
Enter the contextual information on the resulting Analysis window. Previous analysis
entries for the entity are displayed below the text box.
Analysis can also include attachments. Click Add Attachment to upload a file.
Filter: Filter the entities listed in the table. Observables can be filtered by import
status, observable type, and confidence. Threat model entities can be filtered by
publication status.
Reset Filter: Remove any filter conditions and display all entities associated
with the investigation.
Actions:
- Add Observables: Add observables that are already available in ThreatStream
to the investigation.
- Add Threat Model Entities: Add ThreatStream threat model entities to the
investigation.
- Import to ThreatStream: Import a selected unknown observable to
ThreatStream. The TLP color assigned to the investigation is automatically
applied to the import session.
- Delete: Remove the selected entity from the investigation.
- Assign Feature: Assign the selected entity to a Diamond feature. You must have
the Diamond tab open in the Models section of the investigation in order for this
action to appear in the menu.
- Assign Phase: Assign the selected entity to a Killchain phase. You must have
the Killchain tab open in the Models section of the investigation in order for this
action to appear in the menu.
- Assign Technique: Assign the selected entity to a MITRE ATT&CK TTP. You
must have the MITRE ATT&CK TTP tab open in the Models section of the
investigation in order for this action to appear in the menu. See "Managing
MITRE ATT&CK Technique Associations Within Investigations" on page 345 for
more information.
Bulk Add: Add candidate observables to the investigation from a PDF or TXT
file. Structured data is not supported. PDFs must be 20MB or less. TXT files must be
10MB or less.
Up to 1000 observables will be parsed from the file and added to the investigation as
Not Imported Observables and available on the Explore tool and table view. If any
parsed observables already exist in ThreatStream, they are added to the
investigation as Already Imported Observables.
Note: Adding candidate observables does not trigger an import session.
Observable exclude lists are not applied to candidate observables until they are
imported. Hence, observables present on your organization Exclude List can be
added to the investigation as Not Imported Observables. If you want to import
any of the parsed observables, click Import Observables in the Actions menu of
the investigation.
Exporting Investigations as Threat Model Entities
Investigations can be exported as Actors, Attack Patterns, Campaigns, Courses of
Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Threat
Bulletins, Tools, TTPs, or Vulnerabilities for wider distribution with the ThreatStream
community.
When you export an investigation, all attachments and associated entities are
included in the resulting threat model entity. Files attached to analysis are not
included. After export, the resulting entity is added to the investigation as an
association.
Additionally, an import session is initiated for any observables listed in the
investigation as Not Imported Observables. The TLP color assigned to the
investigation is automatically applied to the import session.
To export an investigation:
1. Navigate to the investigation that you want to export.
2. In the Investigation menu, select Export to Threat Model.
3. Under Choose Threat Model Type, select a threat model entity type.
4. Confirm the Title, TLP, Tags, Visibility, and Description.
5. If you want the exported Threat Model entity to include the MITRE ATT&CK
Framework matrix from the investigation, select Add Current MITRE Table
Image to Description.
A static image of the matrix in its current state will be added to the description of
the resulting Threat Model entity. The image is a non-interactive, point-in-time
snapshot.
For more on the MITRE ATT&CK Framework, see "Using the MITRE ATT&CK
Framework in Investigations" on page 341.
6. Click Save.
Note: Any unsaved work in the investigation is automatically saved upon
export.
Exporting Investigations in CSV Format
You can export a list of investigations in CSV format from the investigations list view
screen. CSV files include the following columns:
- assignee: Organization user or workgroup currently assigned the investigation.
- assignee_type: Type of assignee (user or workgroup).
- created_ts: Timestamp of when the investigation was created.
- id: Unique ID associated with the investigation.
- modified_ts: Timestamp of when the investigation was last modified.
- name: Investigation name.
- owner: User that created the investigation.
- source_type: Source of the investigation (created by a user, or generated by a
rule match or phishing mailbox).
- status: Current status of the investigation.
Exports can include up to 1000 investigations.
To export investigations in CSV format:
1. Navigate to Research > Investigations.
If you want to export specific investigations, select the investigations of interest.
If you don't select any investigations, a list of the most recently created
investigations is exported.
2. Click Export CSV in the Actions menu. If you selected specific investigations in
the previous step, your download begins immediately.
3. If you did not select any investigations, enter a Number of Records to Export on
the resulting window and click Export. Exports can include up to 100
investigations.
Your download begins immediately.
Chapter 12: Using the Anomali Threat Model
This chapter covers the following topics:
How to Use the Threat Model 364
Threat Model Dashboard 365
Threat Model List View 366
Performing Basic Threat Model Searches 369
Performing Advanced Threat Model Searches 371
Saving Threat Model Search Filters 381
Adding a Threat Model Entity 383
Viewing Actor Details 395
Editing Actors 398
Viewing Attack Pattern Details 405
Editing Attack Patterns 408
Viewing Campaign Details 413
Editing Campaigns 416
Viewing Course of Action Details 422
Edit Courses of Action 425
Adding STIX 2.1 Custom Objects to the Anomali Threat Model 430
Viewing Identity Details 440
Editing Identities 443
Viewing Incident Details 449
Editing Incidents 451
Viewing Infrastructure Details 458
Viewing Malware Details 466
Editing Malware 469
Viewing Signature Details 475
Editing Signatures 477
Viewing Threat Bulletin Details 483
Editing Threat Bulletins 485
Viewing Tool Details 492
Editing Tools 495
Viewing TTP Details 500
Editing TTPs 503
Viewing Vulnerability Details 508
Editing Vulnerabilities 510
Using the MITRE ATT&CK Framework in ThreatStream 516
Cloning Threat Model Entities 519
Managing STIX Relationship Objects (SROs) 520
Adding Labels to Associations 523
Viewing Threat Model Entity History 526
Sharing Threat Model Entities Through Email 527
Exporting Threat Model Entities in STIX Format 530
Exporting Threat Model Entities in PDF Format 531
About Threat Model Templates 540
Creating a Template 540
Editing a Template 541
Removing a Template 542
Reviewing Threat Model Entities for Publication 542
Restricting Threat Model Entities to Workgroups 544
Deleting a Threat Model Entity 544
The Anomali Threat Model is STIX (v1.2, v2.0, and v2.1) compatible and supports
adding, managing, importing, and exporting contextual, relationship, and workflow
information for these types of Threat Model entities: Actors, Attack Patterns,
Campaigns, Courses of Action, Custom Objects, Identities, Incidents, Infrastructure,
Intrusion Sets, Malware, Signatures, Threat Bulletins, Tools, TTPs, and
Vulnerabilities.
Note: For a complete list of STIX v1.2, v2.0, and v2.1 attributes supported for
each entity type in ThreatStream, see "Supported Attributes for STIX Entities" on
page 688. Only the attributes listed in this appendix are supported.
Although the Threat Model is pre-populated with a large set of information, you can
add additional Actors, Campaigns, Incidents, TTPs, and Signatures through the
ThreatStream UI or import this information. Observables can be imported using
Import Assistant. See "Importing Observables with Import Assistant" on page 280
for more information. You can also export the Threat Model information
from ThreatStream.
Maintaining relationships across Threat Model entities provides additional context
around threats and allows you to use ThreatStream for a deeper analysis of
observables rather than viewing atomic observables. The rich contextual data and
relationship information can also be useful in making better policy decisions for
SIEM and other security automation use cases for your infrastructure.
The Anomali Threat Model provides bidirectional associations between entities of all
threat model types, including entities of the same threat model type. Therefore, the
UI always displays a bidirectional relationship between two entities. For example, if
an Actor is shown to be related to a Campaign then that Campaign is also shown as
related to the Actor. Bidirectional associations can also be created between Threat
Model entities and Observables, Threat Bulletins, and Vulnerabilities. Threat Model
entities of all types can also be associated with Sandbox Reports, though these
associations are unidirectional and not displayed on the Sandbox Report details
page. Additionally, you can add labels to Threat Model and observables
associations to track contextual information. See "Adding Labels to Associations" on
page 523 for more information.
Threat Bulletins
The Threat Model also supports the Threat Bulletin feature. Threat Bulletins—news
flashes, articles on Malware or attacker infrastructure, data dumps, and so on—
provide simple write-ups on events. Although the information in a Threat Bulletin
depends on the template used when the Threat Bulletin was created, a typical
Threat Bulletin consists of a summary of the event, source of the Threat Bulletin, any
tags associated with the event (an alias by which the event may also be known),
details of the event, and any observables associated with the event.
See "Viewing Threat Bulletin Details" on page 483 for more information.
Vulnerabilities
ThreatStream imports a large number of Vulnerabilities from outside sources, such
as the National Vulnerability Database, on a daily basis. These system imported
Vulnerabilities can be distinguished from non-system imported Vulnerabilities as
they display a MITRE External Link in the Attributes section of the details page.
You can create associations between Vulnerabilities and all threat model entities,
Observables, Threat Bulletins, Sandbox Reports, and other Vulnerabilities. System
imported Vulnerabilities can be associated with observables during import by adding
Vulnerability titles as tags to the import session. See "Importing Observables" on
page 286 for more information.
How to Use the Threat Model
If you are new to the Threat Model concept and do not know how to use it, the
information in this section will come in handy.
Discover and Explore
The Threat Model is a categorization of threat information into various STIX
entities, such as Actors, Campaigns, Incidents, and so on, which may be related. For
example, an observable may be related to a specific Campaign that may also be
related to a specific Actor. Once you see this relationship in ThreatStream, you can
strengthen your security posture against not only the observable but also the Actor
and the Campaign.
Visit the Threat Model dashboard frequently. The dashboard displays the most
recently updated threat model entities on ThreatStream. The update on these
entities implies "recent activity". Therefore, these entities may be of interest. See
"Threat Model List View" on page 366 for more information.
Drill down further on various entities on the dashboard to learn more about
them. Details about an entity can unveil additional information such as aliases
associated with an Actor, last activity date, and known victims. For example, if the
known victims list shows organizations from your business vertical, you want to
ensure your organization is protected against it. Additionally, details pages show
Associations—an important element of the STIX model. Associations show how
various Threat Model entities are related.
Search for information on a specific entity. For example, you hear about an Actor
named Axiom and want to learn more about this Actor. Search for the Actor name on
the top navigation search bar, or from the Threat Model Dashboard.
Maintain a Repository
By creating your own Threat Model content, you can start maintaining your own
repository of STIX-formatted threat intelligence on ThreatStream. Your private
repository and the public information present on ThreatStream are merged and
presented to you in one integrated view, which gives you a holistic view of the
Actors, Campaigns, Incidents, etc.
Add a new Threat Bulletin, Actor, Campaign, TTP, Incident, or Signature by
using the ThreatStream UI. See "Adding a Threat Model Entity" on page 383 for
more information.
Public vs Private
The Threat Model information you add to ThreatStream follows the same privacy
paradigm that all other methods of intelligence (import, sandbox, Threat Bulletin)
follow. You can select whether the data you are adding is available to everyone
(Anomali Community), accessible to your organization only (My Organization), or
shared with Trusted Circles.
Threat Model Dashboard
The Threat Model dashboard displays the five most recent Threat Model entities of
each type that were updated on ThreatStream.
To visit the Threat Model dashboard, navigate to Analyze > Overview.
If you need to view the entire list, not just the top 5, click the "See more on..." link at
the bottom of each widget in the dashboard.
To dig deeper into a specific entity, click on it. The Details page provides you
additional information such as aliases associated with an Actor, last activity date,
and known victims.
Threat Model List View
The Threat Model List View displays the Threat Model entities—Actors, Attack
Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure,
Intrusion Sets, Malware, Signatures, Threat Bulletins, Tools, TTPs, and
Vulnerabilities—that your organization has access to on ThreatStream. It enables
you to quickly search entities via keyword searches and easy-to-use filtering.
Access the Threat Model List View by navigating to Analyze > Threat Model.
From this page, you can create new entities, delete entities, and add entities to
investigations.
Note: Due to the large number of Vulnerabilities imported by the system on a
daily basis, Vulnerabilities do not appear in the results by default. You must click
Vulnerabilities under Filter Options for Vulnerabilities to appear in search
results.
Search Threat Model entities by keyword. See "Performing Basic Threat Model
Searches" on page 369 for more information.
Perform an advanced Threat Model search. See "Performing Advanced Threat
Model Searches" on page 371 for more information.
Filter displayed search results using the following filters:
Entity Type: Filter search results by entity type. Entity types include: Actors,
Attack Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure,
Intrusion Sets, Malware, Signatures, Threat Bulletins, Tools, TTPs, and
Vulnerabilities. Vulnerabilities are not included in search results unless you
select Vulnerabilities.
Tips:
- When you select the Infrastructure filter, you can select additional Identity
Class filters.
- When you select the Threat Bulletins filter, an Exclude Email filter is available
that removes Threat Bulletins created as a result of phishing email imports from
the list.
- When you select the Tools filter, you can select additional Tool Type filters.
- When you select the Signatures filter, additional Signature type filters are
available, thus enabling you to search by Signature type.
- When you select the Malware filter, additional Malware type filters are
available, thus enabling you to search by Malware type.
- When you select the Vulnerabilities filter, additional CVSS 2.0 and 3.0 filters
are available, thus enabling you to filter by Vulnerability severity.
General: To view only entities created by your organization, select Show Only My
Organization. To view only entities which an organization member assigned to you
for review, select Show Only My Review Requested.
Open Source Threat Model Entities: To view only entities provided by open source
intelligence streams, select Show Only Open Source Threat Models.
TLP: Filter entities by TLP color.
Date Last Updated: Filter entities by those updated in the Last 30 Days, Last 90
Days, This Year, or a Custom Date Range.
Tags: Filter entities based on Tags.
Publication Status: Filter entities based on Publication Status. See "Reviewing
Threat Model Entities for Publication" on page 542 for more information.
Visibility: Filter entities by visibility: Anomali Community or My Organization.
When you select My Organization, entities shared with Trusted Circles are also
included in the results.
Streams: Filter entities based on streams from which they originated.
Source: Filter entities based on Source. Sources include Trusted Circles and APP
Store feeds.
Workgroups: Filter entities that are visible only to specific workgroups. See
"Restricting Threat Model Entities to Workgroups" on page 544 for more information.
Assignee: Filter entities based on Assignee users in your organization.
Owner: Filter entities based on Owner. An Owner is the user who created the entity.
For entities created by your organization, specific users are displayed. "Analyst"
is displayed for all entities shared through Trusted Circles. For entities shared
with the Anomali Community or anonymously through Trusted Circles, no value is
shown.
Note: The Owner column is not displayed by default. You must select it from the
settings wheel on the right of the search results. See below for more information.
The list view also provides the following controls and columns:
- View selected filters.
- Toggle the number of results displayed per page.
- Threat model entity type.
- Name of the threat model entity.
- Current publication status of the entity.
- Visibility setting for the entity.
- Current user to which the entity is assigned.
- Most recent date the entity was modified.
- Select the columns displayed on the dashboard. Available columns include Type,
Name, Publication Status, Stream/Source, Visibility, Assignee, Owner, Modified,
Created, Date Published, Source Created, Source Modified, CVSS 2.0, and CVSS 3.0.
Actions include:
- New: Create a new threat model entity. See "Adding a Threat Model Entity" on
page 383 for more information.
- Delete: Delete one or more selected threat model entities. See "Deleting a Threat
Model Entity" on page 544 for more information.
- Add to Investigation: Add selected threat model entities to a new or existing
investigation. When you add entities to an investigation you can additionally add
any observables associated with the entities to the investigation. See "Managing
Investigation Entities" on page 346 for more information.
- Share via Email: Share Threat Model entities with ThreatStream users (within or
outside your organization) or non-ThreatStream users through email. See
"Sharing Threat Model Entities Through Email" on page 527 for more information.
Performing Basic Threat Model Searches
Basic searches enable you to quickly locate threat model entities of interest by
keyword.
When you perform a search, ThreatStream queries the following fields:
Entity: Fields Searched
Actors: Aliases, Description, Name, Tags
Attack Patterns: Aliases, Description, Name, Tags
Campaigns: Aliases, Description, Name, Tags
Courses of Action: Description, Name, Tags
Incidents: Description, Name, Tags
Infrastructure: Aliases, Description, Name, Tags
Identities: Description, Name, Tags
Intrusion Sets: Aliases, Description, Name, Tags
Malware: Aliases, Description, Name, Tags
Signatures: Description, Name, Tags
Threat Bulletins: Description, Name, Tags
Tools: Aliases, Description, Name, Tags
TTPs: Aliases, Description, Name, Tags
Vulnerabilities: Aliases, Description, Name, Tags
When performing threat model searches, follow these guidelines:
- There is an implied AND operator between keywords in multi-word queries. Words
do not need to be contained in the same field for an entity to appear in the
search results.
For example, an entity containing foo in its description and bar in its name
would be returned for the query foo bar.
- To search for complete phrases, enclose your query in double quotes.
For example, to search for the phrase foo bar, enter "foo bar".
- All special characters, except periods (.) and commas (,), are treated as joins
between the words preceding and succeeding them. Therefore, simply enter a search
string with special characters, such as a name, an email address, a domain name,
or a URL.
Note that queries containing special characters may return additional search
results because the special characters in the search string are not matched
exactly but are treated as joins between the words of the search string.
For example, searching for APT-28 will return matches for APT-28, APT+28, APT 28,
APT/28, APT#28, and so on.
- Periods and commas are matched exactly when an alphanumeric character precedes
and succeeds the character. Therefore, to search for an IP address, simply enter
the IP address in dotted-decimal form.
For example, to search for the IP address 1.2.3.4, enter 1.2.3.4.
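The matching rules above, as an added Python example that is not ThreatStream's own code: a small matcher that applies the implied AND across fields, quoted-phrase matching within a single field, special characters as joins, and periods and commas kept only between alphanumerics. The entity records and the subset of the searched-field table are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Fields ThreatStream searches per entity type (a subset of the table above).
SEARCHED_FIELDS = {
    "actor": ("aliases", "description", "name", "tags"),
    "incident": ("description", "name", "tags"),
}

# Constructed sample entities for the demonstration; not ThreatStream data.
SAMPLE_ENTITIES = [
    {"model_type": "actor", "name": "APT-28", "aliases": "Fancy Bear, Sofacy",
     "description": "foo activity against several sectors", "tags": "bar"},
    {"model_type": "actor", "name": "Axiom", "aliases": "Group 72",
     "description": "foo bar appears as one phrase here", "tags": ""},
    {"model_type": "incident", "name": "Scanner 1.2.3.4",
     "description": "Port scans from 1.2.3.4 against the DMZ", "tags": "scanning"},
]

# A word is a run of alphanumerics; a period or comma stays inside a word only when
# an alphanumeric character precedes and follows it (so 1.2.3.4 is one token).
# Every other special character (-, +, /, #, @, ...) simply separates words.
WORD = re.compile(r"[0-9A-Za-z]+(?:[.,][0-9A-Za-z]+)*")


def tokenize(text: str) -> List[str]:
    """Lowercase word tokens, applying the special-character rules above."""
    return [w.lower() for w in WORD.findall(text)]


def parse_query(query: str) -> Tuple[List[List[str]], List[str]]:
    """Split a query into quoted phrases (token sequences) and bare keywords."""
    phrases, words = [], []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', query):
        if quoted:
            phrases.append(tokenize(quoted))
        else:
            words.extend(tokenize(bare))
    return phrases, words


def contains_phrase(tokens: List[str], phrase: List[str]) -> bool:
    """True when the phrase occurs as a contiguous run inside one field's tokens."""
    n = len(phrase)
    return n > 0 and any(tokens[i:i + n] == phrase for i in range(len(tokens) - n + 1))


def matches(entity: Dict[str, str], query: str) -> bool:
    phrases, words = parse_query(query)
    fields = {f: tokenize(entity.get(f, "")) for f in SEARCHED_FIELDS[entity["model_type"]]}
    # Implied AND: every keyword must appear somewhere, not necessarily in one field.
    all_tokens = {t for toks in fields.values() for t in toks}
    if not all(w in all_tokens for w in words):
        return False
    # A quoted phrase must occur contiguously within a single field.
    return all(any(contains_phrase(toks, p) for toks in fields.values()) for p in phrases)


def search(query: str, entities=SAMPLE_ENTITIES) -> List[str]:
    """Names of the entities the query would return, in list order."""
    return [e["name"] for e in entities if matches(e, query)]


if __name__ == "__main__":
    for q in ("foo bar", '"foo bar"', "APT#28", "1.2.3.4"):
        print(f"{q!r:14} -> {search(q)}")
```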
Performing Advanced Threat Model Searches
ThreatStream provides advanced Threat Model search functionality for cases
involving specialized searches. Advanced Search queries are formed by
constructing filters.
Constructing Advanced Search Filters
Advanced Search filters are composed of expressions that adhere to the following
format:
intelligence_field operator value
Filters can contain any number of expressions joined together by the logical
operators AND, OR, and NOT.
As you type, ThreatStream suggests context specific valid operators and fields.
You can hover over fields in the suggestion window to view descriptions for the
selected field.
ThreatStream color codes your advanced search queries for ease of use.
- Fields are blue.
- Operators are purple.
- Values are green.
- Warnings are underlined in yellow.
Tip: Warnings occur when you use the = or != operators and enter an
unexpected value for the specified field. Click the warning to view a list of
suggested values.
- Errors are underlined in red.
Tip: Errors occur when queries contain missing parentheses, misplaced
tokens, or unknown fields, operators, or values (such as an unsupported date
format).
Click the expand icon to see your search query in an expanded view.
Note: Advanced search queries must be 2,000 characters or less.
ThreatStream enables you to save Threat Model advanced search filters. See
"Saving Threat Model Search Filters" on page 381.
Note: Saved Threat Model advanced search filters are not supported for use
with ThreatStream Integrator, custom dashboards, or the ThreatStream TAXII
server.
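As an added Python example (not ThreatStream's own code), the following validator checks a filter string against the rules on this page before it is submitted: the 2,000-character limit, case-sensitive field names, the absolute and relative date formats, and the case-sensitive value lists documented for tlp, publication_status, and model_type. The field names and types are taken from the Supported Intelligence Fields table on this page; the comparison operators other than = and != are an assumption.

```python
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, message), mirroring the UI's warnings and errors

# Field names and types from the Supported Intelligence Fields table on this page.
FIELDS = {
    "alias": "String", "assignee_user_id": "Numeric", "body": "String",
    "created_ts": "Date", "cvss2_score": "Numeric", "cvss3_score": "Numeric",
    "feed_id": "Numeric", "is_email": "Boolean", "is_public": "Boolean",
    "model_type": "String", "modified_ts": "Date", "name": "String",
    "organization_id": "Numeric", "owner_user_id": "Numeric",
    "publication_status": "String", "source_created": "Date",
    "source_modified": "Date", "tag": "String", "tlp": "String",
    "trusted_circle_ids": "Numeric", "type": "String",
}
# Case-sensitive value lists the page documents; other values with = or != warn.
ENUMS = {
    "tlp": {"amber", "green", "red", "white"},
    "publication_status": {"new", "published", "review_requested", "reviewed"},
    "model_type": {"actor", "attackpattern", "campaign", "courseofaction", "customtm",
                   "identity", "infrastructure", "incident", "malware", "signature",
                   "intrusionset", "tipreport", "tool", "ttp", "vulnerability"},
}
# Assumption: the page names only = and !=; the comparison operators are added here.
OPERATORS = {"=", "!=", "<", "<=", ">", ">="}
MAX_LEN = 2000

ABS_DATE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")  # T must be capitalized
REL_DATE = re.compile(r"-\d+[wdhms]")                          # unit must be lowercase
TOKEN = re.compile(r'"[^"]*"|\(|\)|!=|<=|>=|[=<>]|[^\s()=<>!"]+')


def check_value(field: str, value: str) -> Optional[Finding]:
    """Check one value against the field's documented type; None means it fits."""
    raw = value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value
    ftype = FIELDS[field]
    if ftype == "Numeric" and not re.fullmatch(r"-?\d+(\.\d+)?", raw):
        return ("error", f"{field} expects a number, got {value}")
    if ftype == "Boolean" and raw not in ("true", "false"):
        return ("error", f"{field} expects true or false, got {value}")
    if ftype == "Date" and not (ABS_DATE.fullmatch(raw) or REL_DATE.fullmatch(raw)):
        return ("error", f"{field} expects YYYY-MM-DDThh:mm:ss or -<n><unit>, got {value}")
    if field in ENUMS and raw not in ENUMS[field]:
        if field == "model_type" and raw.startswith("x-"):
            return None  # custom STIX object type such as x-example
        return ("warning", f"unexpected value {value} for {field}, expected one of "
                           f"{', '.join(sorted(ENUMS[field]))}")
    return None


def validate_filter(query: str) -> List[Finding]:
    """Walk the filter as field-operator-value expressions joined by AND/OR/NOT."""
    findings: List[Finding] = []
    if len(query) > MAX_LEN:
        findings.append(("error", f"query is {len(query)} characters, limit is {MAX_LEN}"))
    depth, state, field = 0, "field", ""
    for tok in TOKEN.findall(query):
        if state == "field":            # expecting "(", NOT, or a field name
            if tok == "(":
                depth += 1
            elif tok == "NOT":
                pass
            else:
                if tok not in FIELDS:   # field names are case-sensitive (Tag vs tag)
                    hint = f", did you mean {tok.lower()}" if tok.lower() in FIELDS else ""
                    findings.append(("error", f"unknown field {tok}{hint}"))
                field, state = tok, "operator"
        elif state == "operator":
            if tok in OPERATORS:
                state = "value"
            else:
                findings.append(("error", f"expected an operator after {field}, got {tok}"))
        elif state == "value":
            if tok in ("(", ")", "AND", "OR", "NOT") or tok in OPERATORS:
                findings.append(("error", f"expected a value for {field}, got {tok}"))
            else:
                if field in FIELDS:
                    finding = check_value(field, tok)
                    if finding:
                        findings.append(finding)
                state = "join"
        else:                           # state == "join": expecting ")" or AND/OR
            if tok == ")":
                depth -= 1
                if depth < 0:
                    findings.append(("error", "unmatched closing parenthesis"))
                    depth = 0
            elif tok in ("AND", "OR"):
                state = "field"
            else:
                findings.append(("error", f"misplaced token {tok}"))
    if state != "join":
        findings.append(("error", "incomplete expression"))
    if depth > 0:
        findings.append(("error", "missing closing parenthesis"))
    return findings
```

Run `validate_filter('Tag = "apt"')` to see the case-sensitivity error the page describes, and `validate_filter('tlp = "Amber"')` to see the corresponding warning.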
Supported Intelligence Fields
Note: Values specified in advanced search filters are case-insensitive unless
otherwise noted. However, field names are case-sensitive. For example,
including Tag instead of tag creates an invalid search filter that will not return
any results. To create a valid search filter, you must enter the field name exactly
as it appears in the table below. For more on case sensitivity, see "Case
Sensitivity in ThreatStream Search" on page 279.
Field Name Type Description
alias String Other names by which the entity is know
(Actors, Attack Patterns, Campaigns,
Infrastructure, Intrusion Sets, Malware, Tools,
TTPs, Vulnerabilities only).
assignee_user_ Numeric ID of the user to whom the entity is assigned.
id
body String Body of the entity.
Anomali ThreatStream Page 373 of 750
User Guide
Chapter 12: Using the Anomali Threat Model
Field Name Type Description
created_ts Date UTC time stamp of when the entity was created
in ThreatStream.
Date can be specified as follows:
l In this format: YYYY-MM-DDThh:mm:ss,
where T denotes the start of the value for
time. For example, 2014-10-02T20:44:35. T
must be capitalized.
l As a relative time unit, in this format: -
<n><unit>, where n is a whole number and
unit is w, d, h, m, s (for week, days, hour,
minutes, and seconds, respectively). For
example, -2w denotes two weeks, starting
NOW. Units must be lowercase.
cvss2_score Numeric CVSS 2.0 Score (Vulnerability entities only).
Scores range from 0-10.
cvss3_score Numeric CVSS 3.0 Score (Vulnerability entities only).
Scores range from 0-10.
feed_id Numeric ID of the feed from which the entity originates.
is_email Boolean Whether the entity was created as a result of
ingesting a phishing email. This attribute applies
to Threat Bulletins only. Therefore, an invalid
query is created if you specify a value for is_
email and specify a value other than
tipreport for model_type.
is_public Boolean Whether the entity is public or private (including
belonging to a trusted circle). Possible values
include: false and true .
Anomali ThreatStream Page 374 of 750
User Guide
Chapter 12: Using the Anomali Threat Model
Field Name Type Description
model_type String Threat Model entity type. Possible values
include: actor, attackpattern, campaign,
courseofaction, customtm, identity,
infrastructure, incident, malware,
signature, intrusionset, tipreport, tool,
ttp, vulnarability.
You can also use model_type to search for
custom objects of a specific type.
For example, (model_type = "x-example")
Note: model_type values are case-
sensitive and must be entered as specified
above.
modified_ts Date UTC time stamp of when the entity was last
modified in ThreatStream.
Date can be specified as follows:
l In this format: YYYY-MM-DDThh:mm:ss,
where T denotes the start of the value for
time. For example, 2014-10-02T20:44:35. T
must be capitalized.
l As a relative time unit, in this format: -
<n><unit>, where n is a whole number and
unit is w, d, h, m, s (for week, days, hour,
minutes, and seconds, respectively). For
example, -2w denotes two weeks, starting
NOW. Units must be lowercase.
name String Name of the entity.
organization_ Numeric ID of the organization on ThreatStream that
id owns the Threat Model entity.
owner_user_id Numeric ID of the user that owns the entity.
Anomali ThreatStream Page 375 of 750
User Guide
Chapter 12: Using the Anomali Threat Model
Field Name Type Description
publication_ String Publication status of the Threat Model entity.
status Possible values include: new, published,
review_requested, reviewed.
Note: publication_status values are
case-sensitive and must be entered as
specified above.
source_created Date UTC time stamp of when the entity was created
by its original source.
Date can be specified as follows:
• In this format: YYYY-MM-DDThh:mm:ss, where T denotes the start of the
time value. For example, 2014-10-02T20:44:35. T must be capitalized.
• As a relative time unit, in this format: -<n><unit>, where n is a whole
number and unit is w, d, h, m, or s (for weeks, days, hours, minutes, and
seconds, respectively). For example, -2w denotes two weeks, starting NOW.
Units must be lowercase.
source_modified Date UTC time stamp of when the entity was last
modified by its original source.
Date can be specified as follows:
• In this format: YYYY-MM-DDThh:mm:ss, where T denotes the start of the
time value. For example, 2014-10-02T20:44:35. T must be capitalized.
• As a relative time unit, in this format: -<n><unit>, where n is a whole
number and unit is w, d, h, m, or s (for weeks, days, hours, minutes, and
seconds, respectively). For example, -2w denotes two weeks, starting NOW.
Units must be lowercase.
tag String Tags assigned to the entity.
tlp String TLP (Traffic Light Protocol) color. Possible
values include: amber, green, red, white.
Note: tlp values are case-sensitive and
must be entered as specified above.
trusted_circle_ids Numeric ID of the trusted circle with which the Threat
Model entity is shared.
type String Threat Model entity subtypes.
Possible values for Actor entities
include: activist, competitor, crime-
syndicate, criminal, hacker, insider-
accidental, insider-disgruntled,
sensationalist, nation-state, spy,
terrorist, unknown.
Possible values for Infrastructure entities
include: amplification, anonymization,
botnet, command-and-control,
exfiltration, hosting-target-lists,
hosting-malware, phishing,
reconnaissance, staging, undefined.
Possible values for Malware entities include:
adware, backdoor, bot, bootkit, ddos,
downloader, dropper, exploit-kit,
keylogger, ransomware, remote-access-
trojan, resource-exploitation, rootkit,
rogue-security-software, screen-capture,
spyware, trojan, unknown, virus, webshell,
wiper, worm.
Possible values for Signature entities include:
Snort, YARA, CybOX, OpenIOC, ClamAV,
Suricata, Bro, Carbon Black Query, Custom,
Splunk Query, RSA NetWitness.
Possible values for Tool entities include:
denial-of-service, exploitation,
information-gathering, network-capture,
remote-access, credential-exploitation,
vulnerability-scanning, unknown.
Note: type values are case-sensitive and
must be entered as specified above.
workgroups Numeric ID of the workgroups with which the entity is
shared.
Search Operators
Advanced search on ThreatStream supports the search operators listed in the table
below.
Operator Description
= Searches for results that are identical to the value after the
operator.
!= Searches for results that exclude the value after the operator.
contains Searches for results that are composed partially or wholly of the
value after the operator.
startswith Searches for results that begin with the value after the operator.
endswith Searches for results that end with the value after the operator.
~ Searches for results that match the regular expression after the
operator. Only valid for use in filter expressions that contain
regular expressions.
!~ Searches for results that do not match the regular expression
after the operator. Only valid for use in filter expressions that
contain regular expressions.
< Searches for results that are less than the numerical value or
date after the operator.
<= Searches for results that are less than or equal to the numerical
value or date after the operator.
> Searches for results that are greater than the numerical value or
date after the operator.
>= Searches for results that are greater than or equal to the
numerical value or date after the operator.
AND Searches for results that are included in both the filter expression
before and the filter expression after the operator.
OR Searches for results that are included in either the filter
expression before or the filter expression after the operator.
Results included in both filter expressions are also returned.
NOT Searches for results that are excluded from the filter expression
after the operator.
Each data type is compatible with certain search operators. The table below
displays all of the valid operators and fields associated with each data type.
Data Type  Valid Operators                          Field Names
String     =, !=, contains, startswith, endswith,   alias, body, model_type, name,
           ~, !~, insubnet, !insubnet               publication_status, tag, tlp, type
Numeric    =, !=, <, <=, >, >=                      assignee_user_id, feed_id, organization_id,
                                                    owner_user_id, trusted_circle_ids, workgroups
Date       =, !=, <, <=, >, >=                      created_ts, modified_ts, source_created,
                                                    source_modified
Boolean    =, !=                                    is_public
Logical    AND, OR, NOT                             Joins together multiple expressions.
                                                    Example: name startswith APT AND
                                                    created_ts > 2020-10-01T12:00:00
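The date formats and the field/operator table above can be checked on the client before a filter is saved or submitted. The Python below is an added example, not Anomali's code and not the ThreatStream API: it encodes this section's field types, valid operators, case-sensitive values and both date forms into a small validator. The expression grammar (field, operator, value; parenthesised groups; AND, OR and NOT) is inferred from the guide's example filters, and treating model_type values that begin with x- as custom object types is an assumption based on the x-example shown earlier. Fields this section does not list (such as cvss3_score, which appears in the example filters below) would need to be added to FIELD_TYPES before they pass.

```python
"""Checker for ThreatStream Threat Model advanced search filters. Added example, not Anomali
code: encodes this section's field/type/operator table and date forms; grammar inferred from examples."""
import re
from datetime import datetime, timedelta, timezone

FIELD_TYPES = {f: t for t, fs in {  # field -> data type, from the "Valid Operators" table
    "String": "alias body model_type name publication_status tag tlp type",
    "Numeric": "assignee_user_id feed_id organization_id owner_user_id trusted_circle_ids workgroups",
    "Date": "created_ts modified_ts source_created source_modified",
    "Boolean": "is_public",
}.items() for f in fs.split()}
VALID_OPERATORS = {  # data type -> operators the guide permits on it
    "String": set("= != contains startswith endswith ~ !~ insubnet !insubnet".split()),
    "Numeric": set("= != < <= > >=".split()), "Date": set("= != < <= > >=".split()), "Boolean": {"=", "!="},
}
ENUM_VALUES = {  # case-sensitive values that must be entered exactly as documented
    "model_type": set("actor attackpattern campaign courseofaction customtm identity infrastructure "
                      "incident malware signature intrusionset tipreport tool ttp vulnerability".split()),
    "publication_status": set("new published review_requested reviewed".split()),
    "tlp": set("amber green red white".split()), "is_public": {"true", "false"},
}
ABSOLUTE_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")  # capital T required
RELATIVE_TS = re.compile(r"^-(\d+)([wdhms])$")  # -<n><unit>, unit must be lowercase
UNIT_SECONDS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
# One token per match: quoted string | parenthesis | symbolic operator | bare word.
TOKEN = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|([()])|(!=|<=|>=|!~|[=<>~])|(!?[^\s()="<>~!]+))')

def parse_date_value(value, now=None):
    """Resolve either documented date form to a naive UTC datetime, else raise ValueError."""
    if ABSOLUTE_TS.match(value):
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")
    match = RELATIVE_TS.match(value)
    if match:  # relative units count back from now
        base = now if now is not None else datetime.now(timezone.utc).replace(tzinfo=None)
        return base - timedelta(seconds=int(match.group(1)) * UNIT_SECONDS[match.group(2)])
    raise ValueError(f"bad date {value!r}: use YYYY-MM-DDThh:mm:ss or -<n><w|d|h|m|s>")

def tokenize(text):
    """Split a filter into tokens; a quoted value stays one token, quotes included."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"unexpected character near {text[pos:pos + 10]!r}")
        pos = match.end()
        tokens.append(next(g for g in match.groups() if g is not None))
    return tokens

def check_comparison(field, op, value, errors):
    """Check one `field op value` against the type table, appending problems to errors."""
    if op is None or value is None:
        errors.append(f"incomplete comparison starting at {field!r}")
        return
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    ftype = FIELD_TYPES.get(field)
    if ftype is None:
        errors.append(f"unknown field {field!r}")
    elif op not in VALID_OPERATORS[ftype]:
        errors.append(f"operator {op!r} is not valid for {ftype} field {field!r}")
    # Custom object types (the guide's x-example) are assumed to begin with "x-".
    if (field in ENUM_VALUES and op in ("=", "!=") and value not in ENUM_VALUES[field]
            and not (field == "model_type" and value.startswith("x-"))):
        errors.append(f"{value!r} is not a documented (case-sensitive) value for {field}")
    if ftype == "Date":
        try:
            parse_date_value(value)
        except ValueError as exc:
            errors.append(str(exc))

def validate_filter(text):
    """Return the problems found; an empty list means the filter is well formed."""
    try:
        tokens = tokenize(text)
    except ValueError as exc:
        return [str(exc)]
    errors = []
    peek = lambda: tokens[0] if tokens else None
    take = lambda: tokens.pop(0) if tokens else None
    def expr():  # expr := term ((AND|OR) term)*
        term()
        while peek() in ("AND", "OR"):
            take()
            term()
    def term():  # term := NOT term | ( expr ) | field op value
        token = peek()
        if token == "NOT":
            take()
            term()
        elif token == "(":
            take()
            expr()
            if take() != ")":
                errors.append("missing closing parenthesis")
        else:
            check_comparison(take(), take(), take(), errors)
    expr()
    if peek() is not None:
        errors.append(f"unexpected token {peek()!r}")
    return errors
```

Each returned string names the offending field, operator or value, so a saved filter can be corrected before ThreatStream rejects it or silently returns nothing; an empty list means the filter uses only documented fields, compatible operators, exact enumerated values and well-formed dates.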
Name and Tag Queries in Advanced Search
Unlike other string type observable fields, name and tag can contain multi-word
phrases. Therefore, advanced search behavior differs from other string type
observable fields with regard to certain operators.
• When searching for names or tags that equal a specified value (tag=<value>),
results include all tags that contain the specified value. For example, tag =
"attack" can yield any of the following tags: attack, attack pattern, zero
day attack, and so on.
• The startswith operator does not support multi-word queries, such as tag
startswith "coronavirus pandemic". Therefore, you can use the startswith
operator to query tags that contain a word beginning with the specified value
only. For example, tag startswith "pan" can yield any of the following tags:
panda, mustang panda, panama papers, pan, and so on.
• The endswith operator does not support multi-word queries. Instead, endswith
inserts an OR between words specified after the operator. Therefore, you can
use the endswith operator to query tags whose ending characters or words
match the value specified after the operator. For example, tag endswith
"security testing" can yield any of the following results: testing,
pentesting, enterprise security, and so on.
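Because these three operators behave differently on tag than on other string fields, it helps to check which of your existing tags a filter will match before saving it. The following Python is an added example and not Anomali's code: it models the behaviour described above (equality acting like contains, startswith matching the beginning of any word, endswith treating a multi-word value as an OR of its words), which is an interpretation of the guide's examples, and runs it over a constructed tag inventory.

```python
"""Model of how =, startswith and endswith resolve against multi-word tag values.
Added example, not Anomali code: the matching rules follow this section's description
and its examples; the tag inventory below is constructed."""

SAMPLE_TAGS = [  # constructed inventory, seeded with the tags the guide uses as examples
    "attack", "attack pattern", "zero day attack",
    "panda", "mustang panda", "panama papers", "pan", "japan", "coronavirus pandemic",
    "testing", "pentesting", "enterprise security", "security testing", "apt28",
]


def tag_matches(tag, operator, value):
    """Return True if `tag` would be returned by the filter `tag <operator> <value>`."""
    if operator in ("=", "contains"):
        # Equality on tag behaves like contains: the value may appear anywhere in the tag.
        return value in tag
    if operator == "startswith":
        if " " in value:
            raise ValueError("startswith does not support multi-word tag values")
        # Any word of the tag may begin with the value, so "pan" also hits "mustang panda".
        return any(word.startswith(value) for word in tag.split())
    if operator == "endswith":
        # Words of a multi-word value are OR'ed; the tag must end with one of them.
        return any(tag.endswith(word) for word in value.split())
    raise ValueError(f"unsupported tag operator {operator!r}")


def query_tags(operator, value, tags=SAMPLE_TAGS):
    """Sorted tags from `tags` that satisfy `tag <operator> <value>`."""
    return sorted(tag for tag in tags if tag_matches(tag, operator, value))
```

Replacing SAMPLE_TAGS with an export of your organization's tags gives a quick preview of a tag filter's reach; note that under these rules a short startswith value such as "pan" also hits "coronavirus pandemic", which is why the guide recommends precise phrase operators over broad ones.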
Example Advanced Search Filters
• name contains apt
• model_type = actor AND (type = hacker OR type = criminal)
• model_type = signature AND tlp = white
• model_type = vulnerability AND (cvss3_score >= 2 AND cvss3_score <= 5)
• (tag = covid19 OR tag = coronavirus) AND model_type = campaign
• name contains APT AND modified_ts > 2021-01-01T00:00:00 AND is_public = true
• publication_status = review_requested AND assignee = me@company.com
Saving Threat Model Search Filters
You can save frequently used Threat Model advanced search filters. Saving filters
enables you to perform common queries with the click of a button.
Filters longer than 2,000 characters cannot be saved.
Note: Saved Threat Model advanced search filters are not supported for use
with ThreatStream Integrator, custom dashboards, or the ThreatStream TAXII
server.
To save a search filter:
1. Navigate to Analyze > Threat Model.
2. Click Advanced.
3. Form an advanced search query. For a complete list of search fields, see
"Supported Intelligence Fields" on page 373.
4. Click Filter: Save as.
5. Enter a name for the new filter.
6. Click Save.
Saved filters can be accessed from the Search filter menu on the advanced search
bar.
Best Practices for Saved Search Filters
Anomali recommends adhering to the following best practices when constructing
saved search queries to improve search performance:
• Avoid using regular expression operators in search queries. As an alternative,
use the contains, endswith, or startswith operators to search for specific
phrase matches.
For example, use (value endswith ".com.au") instead of (value ~ ".*\.com\.au").
• Avoid redundancies when constructing search queries. Do not include filters
which duplicate search results.
For example, the query (tags contains "apt28" OR tags ~ "apt28") contains two
filters that yield the same results. In this case, (tags contains "apt28") is
the recommended query.
Managing Saved Search Filters
You can manage saved searches from the Saved Searches screen.
Users with Org Admin privileges can edit or delete any search filter that belongs to
their organization. Non-admins can only edit or delete search filters that they
themselves created.
To edit a search filter:
1. Navigate to Analyze > Threat Model.
2. Click Advanced.
3. On the Threat Model Searches tab, select the search filter you want to edit.
The filter will populate the advanced search bar.
4. Make required changes to the search filter.
5. Click Save.
To delete search filters:
1. Navigate to Analyze > Threat Model.
2. Click Advanced.
3. Click Filter: Manage.
4. On the Threat Model Searches tab, select the search filters you want to delete.
5. Click Remove.
Adding a Threat Model Entity
ThreatStream enables you to create your own threat model entities.
Like all other data types in ThreatStream—such as observables, investigations, or
sandbox reports—threat model entities can be kept private to your organization,
shared with specific trusted circles of which you are a member, or made visible to
the Anomali community as a whole. You can select one of the three visibility settings
when you publish the entity. Unpublished entities are only visible to users within
your organization. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
You can create threat model entities from the Threat Model tab of the import
assistant, or from the Threat Model list view screen.
To add a new threat model entity from import assistant:
1. From anywhere in the platform, click the import icon on the right side of the
screen to open the import assistant. Click Threat Model.
2. Enter the following information:
Field Description
Add Data (Optional) For all entity types besides Signatures, you can paste in rich
text or upload an existing PDF or TXT file to use as the basis for the threat
model entity under Add Data.
When you paste in rich text, the formatting of the content is
preserved in the description of the new entity, including any
images.
Tips:
- Cutting and pasting content from third party sources may
not be completely transparent. If formatting issues occur,
Anomali recommends pasting content into a text editor to
remove formatting before pasting into ThreatStream.
- To ensure all sizing and placement and enhancement
features are available when editing the Threat Model entity
in the future, Anomali recommends saving images locally
and using the Insert Image function within the rich text
editor.
When you upload PDF files, descriptions become read only
and cannot be edited. Uploaded content is displayed in a PDF
viewer within the description. If the entity is downloaded to a
downstream integration, only the text from the PDF is included
in the push.
When you upload TXT files, you will use the rich text editor
exclusively when editing the description in the future. The
markdown editor will not be available.
ThreatStream will parse the data you add for observable
values. If observables are found, ThreatStream automatically
triggers an import session and associates it with the threat
model entity. An import session window is displayed to you
immediately when you create the threat model entity. You can
review the import session before you continue to edit the
entity. For all entity types besides Threat Bulletins,
associations between extracted observables and the threat
model entity will be deleted if you ever delete the associated
import session.
Note: The maximum file size for PDF and TXT uploads is
10 MB.
Add file as an attachment For Actors, Campaigns, Incidents, Signatures, Threat
Bulletins, TTPs, and Vulnerabilities, you can select Add file as an attachment
if you'd like to attach the uploaded file to the threat model entity.
Choose Threat Model Type Select the type of threat model entity you want to create.
Title Enter a Title for the entity.
Note: Titles must be 255 characters or less.
TLP (Optional) Select a TLP (Traffic Light Protocol) color to associate with the
entity.
The TLP color provides a mechanism to communicate to
consumers of the information whether further dissemination of
this information is allowed; if yes, how freely can this
information be distributed.
To learn more about TLP, search for "Traffic Light Protocol" in
your favorite search engine.
Tags (Optional) Enter a term that can be used to search this entity later using
search. To add private tags that are only visible to your
organization, assign them the My Organization visibility
setting. Tags assigned the Anomali Community visibility
setting are visible to any user with access to the entity.
Tagging is a quick and easy way to add metadata to threat
intelligence. For example, you can add a tag to indicate the
industry that the threat intelligence is associated with or a tag
to indicate the Kill Chain phase stage.
As you type, the 20 most used tags in your organization from
the previous seven days are displayed. Enter * to display a list
of preferred tags configured by your organization, in addition
to pre-defined kill chain phase tags. For more on configuring
Preferred Tags, see "Adding Preferred Tags to Intelligence"
on page 200.
Note: Threat Model entities can contain up to 200 tags per
organization. Tags added by other organizations do not
count toward this limit.
Visibility All threat model entities are private to your organization or
specific workgroups in your organization until published.
To restrict visibility to specific workgroups, click Restrict To
Workgroups and select the workgroups to which you want to
give exclusive access to the entity. For more information on
workgroups, see "Restricting Access to Intelligence with
Workgroups " on page 196.
You have the opportunity to share the entity with the Anomali
Community or trusted circles when you publish a threat model
entity.
See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
Source Created (Optional) Specify the date and time when the entity was created by
its original source. Click Now to use the current time.
Source Modified (Optional) Specify the date and time when the entity was last
modified by its original source. Click Now to use the current time.
Notes:
- If creating an Identity entity, you must also select an Identity Class. See
"Editing Identities" on page 443 for more information on this field.
- If creating an Infrastructure entity, you must also select relevant
Infrastructure Types. See "Editing Infrastructure" on page 461 for more
information on this field.
- If creating an Intrusion Set entity, you must also specify a First Seen date.
See Editing Intrusion Sets for more information on this field.
- If creating a Malware entity, you must also specify the following required
fields before proceeding: First Seen, Malware Family, Malware Types,
and Execution Platforms. See "Editing Malware" on page 469 for more
information on these fields.
- If creating a Tool entity, you must select all applicable Tool Types. See
"Editing Tools" on page 495 for more information on this field.
3. Click Import.
The new entity has been created. You are redirected to the entity details page in edit
view. If observable values were parsed from the content you added, an import
session window is displayed.
You can review parsed observables and approve the import session directly from
the import session window. For more information on reviewing import sessions, see
"Reviewing and Approving a Single Import Job" on page 308. After approving the
import session, you can continue building out the entity with specific details from the
edit screen.
To add a new threat model entity from the Threat Model list view screen:
1. Navigate to Analyze > Threat Model and click New in the Actions menu.
2. Enter the following information:
Field Description
Choose Threat Model Type Select the type of threat model entity you want to create.
Title Enter a Title for the entity.
Note: Titles must be 255 characters or less.
Visibility All threat model entities are private to your organization or
specific workgroups in your organization until published.
To restrict visibility to specific workgroups, click Restrict To
Workgroups and select the workgroups to which you want to
give exclusive access to the entity. For more information on
workgroups, see "Restricting Access to Intelligence with
Workgroups " on page 196.
You have the opportunity to share the entity with the Anomali
Community or trusted circles when you publish a threat
model entity.
See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
TLP (Optional) Select a TLP (Traffic Light Protocol) color to associate with
the entity.
The TLP color provides a mechanism to communicate to
consumers of the information whether further dissemination
of this information is allowed; if yes, how freely can this
information be distributed.
To learn more about TLP, search for "Traffic Light Protocol"
in your favorite search engine.
Tags (Optional) Enter a term that can be used to search this entity later using
search. To add private tags that are only visible to your
organization, assign them the My Organization visibility
setting. Tags assigned the Anomali Community visibility
setting are visible to any user with access to the entity.
Tagging is a quick and easy way to add metadata to threat
intelligence. For example, you can add a tag to indicate the
industry that the threat intelligence is associated with or a tag
to indicate the Kill Chain phase stage.
As you type, the 20 most used tags in your organization from
the previous seven days are displayed. Enter * to display a
list of preferred tags configured by your organization, in
addition to pre-defined kill chain phase tags. For more on
configuring Preferred Tags, see "Adding Preferred Tags to
Intelligence" on page 200.
Add Description (Optional) For all entity types besides Signatures, you can paste
in rich text or upload an existing PDF or TXT file to use as the basis for the
threat model entity under Add Description.
When you paste in rich text, the formatting of the content is
preserved in the description of the new entity, including any
images.
Tips:
- Cutting and pasting content from third party sources
may not be completely transparent. If formatting issues
occur, Anomali recommends pasting content into a text
editor to remove formatting before pasting into
ThreatStream.
- To ensure all sizing and placement and enhancement
features are available when editing the Threat Model
entity in the future, Anomali recommends saving images
locally and using the Insert Image function within the rich
text editor.
When you upload PDF files, descriptions become read only
and cannot be edited. Uploaded content is displayed in a
PDF viewer within the description. If the entity is downloaded
to a downstream integration, only the text from the PDF is
included in the push.
When you upload TXT files, you will use the rich text editor
exclusively when editing the description in the future. The
markdown editor will not be available.
Note: The maximum file size for PDF and TXT uploads is
10 MB.
Parse description for observables Select Parse description for observables if you
want ThreatStream to extract observable values from the description you added.
If observables are found, ThreatStream automatically triggers an import session
and associates it with the threat model entity.
An import session window is displayed to you immediately
when you create the threat model entity. You can review the
import session before you continue to edit the entity.
For all entity types besides Threat Bulletins, associations
between extracted observables and the threat model entity
will be deleted if you ever delete the associated import
session.
Add file as an attachment For Actors, Campaigns, Incidents, Signatures, Threat
Bulletins, TTPs, and Vulnerabilities, you can select Add file as an attachment
if you'd like to attach the uploaded file to the threat model entity.
Source Created (Optional) Specify the date and time when the entity was created by
its original source. Click Now to use the current time.
Source Modified (Optional) Specify the date and time when the entity was last
modified by its original source. Click Now to use the current time.
Notes:
- If creating an Identity entity, you must also select an Identity Class. See
"Editing Identities" on page 443 for more information on this field.
- If creating an Infrastructure entity, you must also select relevant
Infrastructure Types. See "Editing Infrastructure" on page 461 for more
information on this field.
- If creating an Intrusion Set entity, you must also specify a First Seen date.
See Editing Intrusion Sets for more information on this field.
- If creating a Malware entity, you must also specify the following required
fields before proceeding: First Seen, Malware Family, Malware Types,
and Execution Platforms. See "Editing Malware" on page 469 for more
information on these fields.
- If creating a Tool entity, you must select all applicable Tool Types. See
"Editing Tools" on page 495 for more information on this field.
3. Click Save.
The new entity has been created. You are redirected to the entity details page in edit
view. If the description you added was parsed for observables, an import session
window is displayed.
You can review parsed observables and approve the import session directly from
the import session window. For more information on reviewing import sessions, see
"Reviewing and Approving a Single Import Job" on page 308.
After approving the import session, you can continue building out the entity with
specific details from the edit screen.
For more information on editing specific Threat Model entity types, see one of the
following articles:
• "Editing Actors" on page 398
• "Editing Attack Patterns" on page 408
• "Editing Campaigns" on page 416
• "Edit Courses of Action" on page 425
• "Editing Identities" on page 443
• "Editing Incidents" on page 451
• "Editing Infrastructure" on page 461
• Editing Intrusion Sets
• "Editing Malware" on page 469
• "Editing Signatures" on page 477
• "Editing Threat Bulletins" on page 485
• "Editing Tools" on page 495
• "Editing TTPs" on page 503
• "Editing Vulnerabilities" on page 510
Viewing Actor Details
Summary
Summaries contain high level information, such as Actor Title, the user that created
the Actor, publication status, publication date, and TLP setting.
Actions
• Edit: Edit Actor details. For more information, see "Editing Actors" on page 398.
• Publication workflow: Move the Actor through the publication review workflow.
Possible actions include Assign User, Request Review, Complete Review, and
Publish. For more information, see "Reviewing Threat Model Entities for
Publication" on page 542.
• Add to Investigation: Add the Actor to a new or existing investigation. When
you add an Actor to an investigation you can additionally add any observables
associated with the Actor to the investigation. See "Managing Investigation
Entities" on page 346 for more information.
• Anonymize: Change the user and organization information anonymization
setting. If enabled, users outside of your organization with access to the data will
see "Analyst" in all fields that would otherwise display an organization or user
name.
• Delete: Delete the Actor. See "Deleting a Threat Model Entity" on page 544 for
more information.
• Clone: Create a private copy of the Actor. For more information, see "Cloning
Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, Visibility, Aliases, Source Created, Source Modified,
and Custom Fields.
For a complete list of fields and definitions, see "Editing Actors" on page 398.
Description
Full text description of the Actor.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox
Reports.
Attachments
External references relating to the Actor.
History
When a change is made to an Actor, a log entry of the change is created in this
section for future reference.
Comments
View and add comments to the Actor. To add private comments that are only visible
to your organization, assign them the TLP color red. Comments assigned the TLP
color white are visible to any user with access to the Actor.
Intelligence Actions
• Watch: Receive notifications when the intelligence is updated.
• Star: Bookmark the intelligence. Starred intelligence is displayed to users in the
Starred section of the My Threats page.
• Like: Tell the Anomali community what you think of the intelligence.
• Share: Send the intelligence to another ThreatStream user. Users receive in-app
notifications when intelligence is shared with them. For more on in-app
notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
• Create Report (PDF): Generate a PDF using a template for sharing Threat
Model entities outside of ThreatStream. See "Creating PDF Reports" on
page 531 for more information.
• Share via Email: Share the Actor with ThreatStream users (within or outside
your organization) or non-ThreatStream users through email. See "Sharing
Threat Model Entities Through Email" on page 527 for more information.
• Export IOCs to CSV: Export observables associated with the Actor in CSV
format. You can select specific Fields to Export. You can export up to 1000
associated observables.
• Export to STIX: Export the Actor in STIX format. See "Exporting Threat Model
Entities in STIX Format" on page 530 for more information.
Editing Actors
To edit an Actor:
1. Navigate to Analyze > Threat Models.
2. Click the Name of the Actor you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Field Description
Title A meaningful name for the Actor.
Actor titles are associated with your organization.
Therefore, you cannot create two Actors with the same title
within your organization. However, two Actors with the
same title can exist on ThreatStream as long as they
belong to different organizations.
Note: Titles must be 255 characters or less.
Avatar Drag and drop or browse for an image representing the
Actor.
Tags Enter a term that can be used to search for this entity later
using search. To add private tags that are only visible to
your organization, assign them the My Organization
visibility setting. Tags assigned the Anomali Community
visibility setting are visible to any user with access to the
entity. Since organizations can decide whether users
outside of their organization can add public tags to their
data, the Anomali Community visibility setting is not
available in all cases.
Tagging is a quick and easy way to add metadata to threat
intelligence. For example, you can add a tag to indicate the
industry that the threat intelligence is associated with or a
tag to indicate the Kill Chain phase stage.
As you type, the 20 most used tags in your organization
from the previous seven days are displayed. Enter * to
display a list of preferred tags configured by your
organization, in addition to pre-defined kill chain phase
tags. For more on configuring Preferred Tags, see "Adding
Preferred Tags to Intelligence" on page 200.
Notes:
- Actors can contain up to 200 tags per organization.
Tags added by other organizations do not count toward
this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other
organizations to your Threat Model entities.
TLP Select a TLP (Traffic Light Protocol) color to associate with
the Actor.
The TLP color provides a mechanism to communicate to
consumers of the information whether further
dissemination of this information is allowed; if yes, how
freely can this information be distributed.
To learn more about TLP, search for "Traffic Light Protocol"
in your favorite search engine.
Aliases Other names that this Actor is known by.
For example, Axiom is also known as Elderwood and Shell
Crew.
Start Date Specify the time when this Actor was defined or modified
on ThreatStream.
Victims Select industries or groups that the Actor may have
impacted. You can add multiple victims.
Goals The high-level goals of this Actor, namely, what are they
trying to do. For example, they may be motivated by
personal gain, but their goal is to steal credit card numbers.
To do this, they may execute specific Campaigns that have
detailed objectives like compromising point of sale systems
at a large retailer.
Resource Level This defines the organizational level at which this Actor
typically works, which in turn determines the resources
available to this Actor for use in an attack. This attribute is
linked to the sophistication property — a specific resource
level implies that the Actor has access to at least a specific
sophistication level.
Primary Motivation The primary reason, motivation, or purpose behind this
Actor. The motivation is why the Actor wishes to achieve the goal (what they
are trying to achieve).
Threat Actor Types This property specifies the type(s) of this Actor.
Secondary Motivations The secondary reasons, motivations, or purposes behind
this Actor.
Personal Motivations The personal reasons, motivations, or purposes of the
Actor regardless of organizational goals.
Roles A list of roles the Actor plays.
Operation Add an Operation Type from the drop-down list. This list is
Types derived from the Vocabulary Items in
ThreatActorTypeVocab-1.0 STIX Vocabularies Schema.
To add an Operation Type, click Add and select a Type
from the drop-down list. Optionally, specify a description for
the Type in the Description field.
Sophistication Specify the level of sophistication observed about the
Actor. The Sophistication levels available on ThreatStream
follow the Threat Actor Sophistication Vocabulary for STIX.
The levels are: No Type (Default), Innovator, Expert,
Practitioner, Novice, Aspirant.
Optionally, you can also enter a free-form text description
about the Sophistication level.
Motivations: Add a Motivation from the drop-down list. This list is derived from the Vocabulary Items in the MotivationVocab-1.1 STIX Vocabularies Schema. To add a Motivation, click Add and select a Type from the drop-down list. Optionally, specify a description for the Type in the Description field.
Source Created (Optional): Specify the date and time when the entity was created by its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified by its original source. Click Now to use the current time.
Description
Description: Enter a description for the Actor. Descriptions can be entered using an intuitive Rich Text Editor or a Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted content. You can copy and paste content (including images) from .doc, .docx, and .pdf files into the Rich Text Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the text from which you want to remove formatting and click the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-existing templates or define new ones. Templates can be reused to describe other Threat Model entities on ThreatStream. See "About Threat Model Templates" on page 540 for more information.
Note: Once a description has been saved, you can no longer switch between the rich text and markdown editors.
Associations
Observables, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports, Attachments: To create associations with this Actor:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
External References: Add any documents or other information that relates to the Actor. To add an External Reference:
a. Click Add.
b. In the newly created row, double-click the Title cell to add a title for the reference.
c. Double-click the URL cell and enter the URL corresponding to the reference.
Note: Visibility is set when you publish entities. If you want to change the
Visibility of a published entity, click Publish in the Actions menu and select a
new Visibility. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
5. Click Save.
Viewing Attack Pattern Details
Summary
Summaries contain high level information, such as Attack Pattern Title, the user that created the Attack Pattern entity, publication status, publication date, and TLP setting.
Actions
- Edit: Edit Attack Pattern details. For more information, see "Editing Attack Patterns" on page 408.
- Assign User: Assign the Attack Pattern to a user in your organization for further work on the entity.
- Publication workflow: Move the Attack Pattern through the publication review workflow. Possible actions include Assign User, Request Review, Complete Review, and Publish. For more information, see "Reviewing Threat Model Entities for Publication" on page 542.
- Add to Investigation: Add the Attack Pattern to a new or existing investigation. When you add an Attack Pattern to an investigation, you can additionally add any observables associated with the Attack Pattern to the investigation. See "Managing Investigation Entities" on page 346 for more information.
- Anonymize: Change the user and organization information anonymization setting. If enabled, users outside of your organization with access to the data will see "Analyst" in all fields that would otherwise display an organization or user name.
- Delete: Delete the Attack Pattern. See "Deleting a Threat Model Entity" on page 544 for more information.
- Clone: Create a private copy of the Attack Pattern. For more information, see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, TLP, Aliases, Kill Chain Phases, Source Created, and
Source Modified.
For a complete list of fields and definitions, see "Editing Attack Patterns" on
page 408.
Description
Full text description of the Attack Pattern.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox
Reports.
Attachments
External references relating to the Attack Pattern.
History
When a change is made to an Attack Pattern, a log entry of the change is created in
this section for future reference.
Comments
View and add comments to the Attack Pattern. To add private comments that are
only visible to your organization, assign them the TLP color red. Comments
assigned the TLP color white are visible to any user with access to the Attack
Pattern.
Intelligence Actions
- Watch: Receive notifications when the intelligence is updated.
- Star: Bookmark the intelligence. Starred intelligence is displayed to users in the Starred section of the My Threats page.
- Like: Tell the Anomali community what you think of the intelligence.
- Share: Send the intelligence to another ThreatStream user. Users receive in-app notifications when intelligence is shared with them. For more on in-app notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
- Create Report (PDF): Generate a PDF using a template for sharing Threat Model entities outside of ThreatStream. See "Creating PDF Reports" on page 531 for more information.
- Share via Email: Share the Attack Pattern with ThreatStream users (within or outside your organization) or non-ThreatStream users through email. See "Sharing Threat Model Entities Through Email" on page 527 for more information.
- Export IOCs to CSV: Export observables associated with the Attack Pattern in CSV format. You can select specific Fields to Export. You can export up to 1000 associated observables.
- Export to STIX: Export the Attack Pattern in STIX format. See "Exporting Threat Model Entities in STIX Format" on page 530 for more information.
Editing Attack Patterns
To edit an Attack Pattern:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the Attack Pattern you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Field Description
Title: A meaningful name for the Attack Pattern. Attack Pattern titles are associated with your organization. Therefore, you cannot create two Attack Patterns with the same title within your organization. However, two Attack Patterns with the same title can exist on ThreatStream as long as they belong to different organizations.
Note: Titles must be 255 characters or less.
Tags: Enter a term that can be used to search for this entity later. To add private tags that are only visible to your organization, assign them the My Organization visibility setting. Tags assigned the Anomali Community visibility setting are visible to any user with access to the entity.
Tagging is a quick and easy way to add metadata to threat intelligence. For example, you can add a tag to indicate the industry that the threat intelligence is associated with or a tag to indicate the Kill Chain phase.
As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags. For more on configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on page 200.
Notes:
- Attack Patterns can contain up to 200 tags per organization. Tags added by other organizations do not count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other organizations to your Threat Model entities.
TLP: Select a TLP (Traffic Light Protocol) color to associate with the Attack Pattern. The TLP color provides a mechanism to communicate to consumers of the information whether further dissemination of this information is allowed and, if so, how freely it can be distributed. To learn more about TLP, search for "Traffic Light Protocol" in your favorite search engine.
Aliases: Other names by which the Attack Pattern is known.
Kill Chain Phases: The list of Kill Chain Phases for which this Attack Pattern is used.
Source Created (Optional): Specify the date and time when the entity was created by its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified by its original source. Click Now to use the current time.
Description
Description: Enter a description for the Attack Pattern. Descriptions can be entered using an intuitive Rich Text Editor or a Markdown Template editor. Enable the Markdown Editor switch to use the Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted content. You can copy and paste content (including images) from .doc, .docx, and .pdf files into the Rich Text Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the text from which you want to remove formatting and click the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-existing templates or define new ones. Templates can be reused to describe other Threat Model entities on ThreatStream. See "About Threat Model Templates" on page 540 for more information.
Note: Once a description has been saved, you can no longer switch between the rich text and markdown editors.
Associations
Observables, Import Sessions, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports, Attachments: To create associations with this Attack Pattern:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
External References: Add any documents or other information that relates to the Attack Pattern. To add an External Reference:
a. Click Add.
b. In the newly created row, double-click the Title cell to add a title for the reference.
c. Double-click the URL cell and enter the URL corresponding to the reference.
Note: Visibility is set when you publish entities. If you want to change the
Visibility of a published entity, click Publish in the Actions menu and select a
new Visibility. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
5. Click Save.
Viewing Campaign Details
Summary
Summaries contain high level information, such as Campaign Title, the user that created the Campaign, publication status, publication date, and TLP setting.
Actions
- Edit: Edit Campaign details. For more information, see "Editing Campaigns" on page 416.
- Publication workflow: Move the Campaign through the publication review workflow. Possible actions include Assign User, Request Review, Complete Review, and Publish. For more information, see "Reviewing Threat Model Entities for Publication" on page 542.
- Add to Investigation: Add the Campaign to a new or existing investigation. When you add a Campaign to an investigation, you can additionally add any observables associated with the Campaign to the investigation. See "Managing Investigation Entities" on page 346 for more information.
- Anonymize: Change the user and organization information anonymization setting. If enabled, users outside of your organization with access to the data will see "Analyst" in all fields that would otherwise display an organization or user name.
- Delete: Delete the Campaign. See "Deleting a Threat Model Entity" on page 544 for more information.
- Clone: Create a private copy of the Campaign. For more information, see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, Visibility, Status, Aliases, Start Date, End Date,
Victims, Activity Dates, Intended Effects, Source Created, and Source Modified.
For a complete list of fields and definitions, see "Editing Campaigns" on page 416.
Description
Full text description of the Campaign.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox
Reports.
Attachments
External references relating to the Campaign.
History
When a change is made to a Campaign, a log entry of the change is created in this section for future reference.
Comments
View and add comments to the Campaign. To add private comments that are only visible to your organization, assign them the TLP color red. Comments assigned the TLP color white are visible to any user with access to the Campaign.
Intelligence Actions
- Watch: Receive notifications when the intelligence is updated.
- Star: Bookmark the intelligence. Starred intelligence is displayed to users in the Starred section of the My Threats page.
- Like: Tell the Anomali community what you think of the intelligence.
- Share: Send the intelligence to another ThreatStream user. Users receive in-app notifications when intelligence is shared with them. For more on in-app notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
- Create Report (PDF): Generate a PDF using a template for sharing Threat Model entities outside of ThreatStream. See "Creating PDF Reports" on page 531 for more information.
- Share via Email: Share the Campaign with ThreatStream users (within or outside your organization) or non-ThreatStream users through email. See "Sharing Threat Model Entities Through Email" on page 527 for more information.
- Export IOCs to CSV: Export observables associated with the Campaign in CSV format. You can select specific Fields to Export. You can export up to 1000 associated observables.
- Export to STIX: Export the Campaign in STIX format. See "Exporting Threat Model Entities in STIX Format" on page 530 for more information.
Editing Campaigns
To edit a Campaign:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the Campaign you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Field Description
Title: A meaningful name for the Campaign. Campaign titles are associated with your organization. Therefore, you cannot create two Campaigns with the same title within your organization. However, two Campaigns with the same title can exist on ThreatStream as long as they belong to different organizations.
Note: Titles must be 255 characters or less.
Tags: Enter a term that can be used to search for this entity later. To add private tags that are only visible to your organization, assign them the My Organization visibility setting. Tags assigned the Anomali Community visibility setting are visible to any user with access to the entity. Since organizations can decide whether users outside of their organization can add public tags to their data, the Anomali Community visibility setting is not available in all cases.
Tagging is a quick and easy way to add metadata to threat intelligence. For example, you can add a tag to indicate the industry that the threat intelligence is associated with or a tag to indicate the Kill Chain phase.
As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags. For more on configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete any public tag associated with the entity. For entities owned by other organizations, you can only delete tags added by your organization.
Notes:
- Campaigns can contain up to 200 tags per organization. Tags added by other organizations do not count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other organizations to your Threat Model entities.
TLP: Select a TLP (Traffic Light Protocol) color to associate with the Campaign. The TLP color provides a mechanism to communicate to consumers of the information whether further dissemination of this information is allowed and, if so, how freely it can be distributed. To learn more about TLP, search for "Traffic Light Protocol" in your favorite search engine.
Status: Select the status of this Campaign: Ongoing, Historic, or Future.
Aliases: Other names that this Campaign is known by.
Start Date: Specify the date and time when this Campaign is known to have started.
End Date: Specify the date and time when this Campaign is known to have ended. If the Campaign is still active, the end date field can be left empty.
Victims: Select industries or groups that the Campaign may have impacted. You can add multiple victims.
Objective: This property defines the Campaign's primary goal, objective, desired outcome, or intended effect, that is, what the Actor or Intrusion Set hopes to accomplish with this Campaign.
Activity Dates: Add start and end dates (if available) to record the activity of the Campaign. To add an Activity Date, click Add and enter a Start Date and End Date.
Intended Effects: Add the Intended Effects from the drop-down list. This list is derived from the Vocabulary Items in the IntendedEffectVocab-1.0 STIX Vocabularies Schema. To add an Intended Effect, click Add and select a Type from the drop-down list. Optionally, specify a description for the Type in the Description field.
Source Created (Optional): Specify the date and time when the entity was created by its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified by its original source. Click Now to use the current time.
Description
Description: Enter a description for the Campaign. Descriptions can be entered using an intuitive Rich Text Editor or a Markdown Template editor. Enable the Markdown Editor switch to use the Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted content. You can copy and paste content (including images) from .doc, .docx, and .pdf files into the Rich Text Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the text from which you want to remove formatting and click the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-existing templates or define new ones. Templates can be reused to describe other Threat Model entities on ThreatStream. See "About Threat Model Templates" on page 540 for more information.
Note: Once a description has been saved, you can no longer switch between the rich text and markdown editors.
Associations
Observables, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports, Attachments: To create associations with this Campaign:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
External References: Add any documents or other information that relates to the Campaign. To add an External Reference:
a. Click Add.
b. In the newly created row, double-click the Title cell to add a title for the reference.
c. Double-click the URL cell and enter the URL corresponding to the reference.
Note: Visibility is set when you publish entities. If you want to change the
Visibility of a published entity, click Publish in the Actions menu and select a
new Visibility. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
5. Click Save.
Viewing Course of Action Details
Summary
Summaries contain high level information, such as Course of Action Title, the user that created the Course of Action entity, publication status, publication date, and TLP setting.
Actions
- Edit: Edit Course of Action details. For more information, see "Edit Courses of Action" on page 425.
- Assign User: Assign the Course of Action to a user in your organization for further work on the entity.
- Publication workflow: Move the Course of Action through the publication review workflow. Possible actions include Assign User, Request Review, Complete Review, and Publish. For more information, see "Reviewing Threat Model Entities for Publication" on page 542.
- Add to Investigation: Add the Course of Action to a new or existing investigation. When you add a Course of Action to an investigation, you can additionally add any observables associated with the Course of Action to the investigation. See "Managing Investigation Entities" on page 346 for more information.
- Anonymize: Change the user and organization information anonymization setting. If enabled, users outside of your organization with access to the data will see "Analyst" in all fields that would otherwise display an organization or user name.
- Delete: Delete the Course of Action. See "Deleting a Threat Model Entity" on page 544 for more information.
- Clone: Create a private copy of the Course of Action. For more information, see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, TLP, Execution Platforms, Source Created, and
Source Modified.
For a complete list of fields and definitions, see "Edit Courses of Action" on
page 425.
Description
Full text description of the Course of Action.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox
Reports.
Attachments
External references relating to the Course of Action.
History
When a change is made to a Course of Action, a log entry of the change is created in
this section for future reference.
Comments
View and add comments to the Course of Action. To add private comments that are
only visible to your organization, assign them the TLP color red. Comments
assigned the TLP color white are visible to any user with access to the Course of
Action.
Intelligence Actions
- Watch: Receive notifications when the intelligence is updated.
- Star: Bookmark the intelligence. Starred intelligence is displayed to users in the Starred section of the My Threats page.
- Like: Tell the Anomali community what you think of the intelligence.
- Share: Send the intelligence to another ThreatStream user. Users receive in-app notifications when intelligence is shared with them. For more on in-app notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
- Create Report (PDF): Generate a PDF using a template for sharing Threat Model entities outside of ThreatStream. See "Creating PDF Reports" on page 531 for more information.
- Share via Email: Share the Course of Action with ThreatStream users (within or outside your organization) or non-ThreatStream users through email. See "Sharing Threat Model Entities Through Email" on page 527 for more information.
- Export IOCs to CSV: Export observables associated with the Course of Action in CSV format. You can select specific Fields to Export. You can export up to 1000 associated observables.
- Export to STIX: Export the Course of Action in STIX format. See "Exporting Threat Model Entities in STIX Format" on page 530 for more information.
Edit Courses of Action
To edit a Course of Action:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the Course of Action you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Field Description
Title: A meaningful name for the Course of Action. Course of Action titles are associated with your organization. Therefore, you cannot create two Courses of Action with the same title within your organization. However, two Courses of Action with the same title can exist on ThreatStream as long as they belong to different organizations.
Note: Titles must be 255 characters or less.
Tags: Enter a term that can be used to search for this entity later. To add private tags that are only visible to your organization, assign them the My Organization visibility setting. Tags assigned the Anomali Community visibility setting are visible to any user with access to the entity. Since organizations can decide whether users outside of their organization can add public tags to their data, the Anomali Community visibility setting is not available in all cases.
Tagging is a quick and easy way to add metadata to threat intelligence. For example, you can add a tag to indicate the industry that the threat intelligence is associated with or a tag to indicate the Kill Chain phase.
As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags. For more on configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete any public tag associated with the entity. For entities owned by other organizations, you can only delete tags added by your organization.
Notes:
- Courses of Action can contain up to 200 tags per organization. Tags added by other organizations do not count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other organizations to your Threat Model entities.
TLP: Select a TLP (Traffic Light Protocol) color to associate with the Course of Action. The TLP color provides a mechanism to communicate to consumers of the information whether further dissemination of this information is allowed and, if so, how freely it can be distributed. To learn more about TLP, search for "Traffic Light Protocol" in your favorite search engine.
Execution Platforms: A recommendation on the operating system(s) that this Course of Action can be applied to. If no Execution Platforms are defined, the operating systems for the specified action are undefined, or the specific operating system has no impact on the execution of the Course of Action (e.g., power off system).
Source Created (Optional): Specify the date and time when the entity was created by its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified by its original source. Click Now to use the current time.
Description
Description: Enter a description for the Course of Action. Descriptions can be entered using an intuitive Rich Text Editor or a Markdown Template editor. Enable the Markdown Editor switch to use the Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted content. You can copy and paste content (including images) from .doc, .docx, and .pdf files into the Rich Text Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the text from which you want to remove formatting and click the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-existing templates or define new ones. Templates can be reused to describe other Threat Model entities on ThreatStream. See "About Threat Model Templates" on page 540 for more information.
Note: Once a description has been saved, you can no longer switch between the rich text and markdown editors.
Associations
Observables, Import Sessions, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports, Attachments: To create associations with this Course of Action:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
External References: Add any documents or other information that relates to the Course of Action.
To add an External Reference:
a. Click Add.
b. In the newly created row, double click the Title cell to add a title for the reference.
c. Double click the URL cell and enter the URL corresponding to the reference.
Note: Visibility is set when you publish entities. If you want to change the
Visibility of a published entity, click Publish in the Actions menu and select a
new Visibility. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
5. Click Save.
Adding STIX 2.1 Custom Objects to the Anomali Threat Model
ThreatStream enables you to import STIX 2.1 compatible custom objects through
the STIX tab of the import assistant. Custom objects must be specified in valid
STIX 2.1 JSON format.
Note: Custom objects cannot be added to investigations or the Explore pivoting
tool. Additionally, rules cannot be configured to associate matched intelligence
with custom objects.
Importing Custom Objects
Adhere to the following requirements when importing custom objects:
- Custom objects must be specified in valid STIX 2.1 JSON format. For more information, see https://docs.oasis-open.org/cti/stix/v2.1/csd05/stix-v2.1-csd05.html#_7f3c4jgkyhl3
- Your JSON file must include id, name, and type properties for each custom object specified.
- Values specified for type must begin with 'x-'. For example: x-example
- Values specified for type must be between 3 and 250 characters. Only ASCII characters are supported.
- Values specified for name cannot match names of existing custom objects in ThreatStream.
After creating your JSON file, use the instructions in "Importing STIX Data Through the Import Assistant" on page 301 to import your custom objects.
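The requirements above, turned into a pre-upload check as an added Python example; this is not ThreatStream code and not an Anomali tool. It assumes the file is a STIX 2.1 bundle, a single object, or a JSON array, that every object in the file is a custom object, and that the caller supplies the names already present in ThreatStream (here a constructed set). The sample bundle and its ids are constructed placeholders, not real ThreatStream values.

```python
import json
from typing import Iterable, List

# Import rules for STIX 2.1 custom objects, as listed in the requirements above.
TYPE_PREFIX = "x-"
TYPE_MIN_LEN = 3
TYPE_MAX_LEN = 250
REQUIRED_KEYS = ("id", "name", "type")


def check_custom_object(obj: dict, index: int, taken_names: set) -> List[str]:
    """Return the rule violations for one custom object; an empty list means it passes."""
    errors = []
    for key in REQUIRED_KEYS:
        if key not in obj:
            errors.append(f"object {index}: missing required property '{key}'")
    if errors:
        return errors  # the remaining checks need id, name and type to be present

    obj_type = str(obj["type"])
    if not obj_type.startswith(TYPE_PREFIX):
        errors.append(f"object {index}: type {obj_type!r} must begin with '{TYPE_PREFIX}'")
    if not TYPE_MIN_LEN <= len(obj_type) <= TYPE_MAX_LEN:
        errors.append(f"object {index}: type must be {TYPE_MIN_LEN}-{TYPE_MAX_LEN} characters, got {len(obj_type)}")
    if not obj_type.isascii():
        errors.append(f"object {index}: type {obj_type!r} contains non-ASCII characters")

    name = str(obj["name"])
    if name in taken_names:
        errors.append(f"object {index}: name {name!r} already exists in ThreatStream or earlier in this file")
    # Extra check beyond the page: a later object in the same file must not reuse this name either.
    taken_names.add(name)
    return errors


def validate_custom_objects(raw_json: str, existing_names: Iterable[str] = ()) -> List[str]:
    """Validate a STIX 2.1 bundle (or single object / array) of custom objects before upload.

    existing_names holds names already present in ThreatStream; assumption: the caller
    collects them beforehand (for example from a Threat Model search for custom objects).
    """
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        # Invalid JSON is rejected outright, the same way the Custom Fields editor refuses to save it.
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]

    if isinstance(data, dict) and data.get("type") == "bundle":
        objects = data.get("objects", [])
    elif isinstance(data, dict):
        objects = [data]
    else:
        objects = data
    if not isinstance(objects, list):
        return ["top level must be a STIX bundle, a single object, or an array of objects"]

    taken = set(existing_names)
    errors: List[str] = []
    for index, obj in enumerate(objects):
        if not isinstance(obj, dict):
            errors.append(f"object {index}: not a JSON object")
            continue
        errors.extend(check_custom_object(obj, index, taken))
    return errors


# Constructed sample bundle: every id below is a placeholder, not a real ThreatStream value.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "x-example", "spec_version": "2.1",
         "id": "x-example--00000000-0000-4000-8000-000000000002",
         "name": "Example custom object"},                                   # passes every rule
        {"type": "example", "id": "example--00000000-0000-4000-8000-000000000003",
         "name": "Missing prefix"},                                          # type lacks 'x-'
        {"type": "x-", "id": "x---00000000-0000-4000-8000-000000000004",
         "name": "Too short"},                                               # type shorter than 3
        {"type": "x-unicod\u00e9", "id": "x-unicode--00000000-0000-4000-8000-000000000005",
         "name": "Non-ASCII type"},                                          # non-ASCII type
        {"type": "x-dup", "id": "x-dup--00000000-0000-4000-8000-000000000006",
         "name": "Already on ThreatStream"},                                # name collision
        {"type": "x-nokey", "id": "x-nokey--00000000-0000-4000-8000-000000000007"},  # no name
    ],
})
EXISTING_NAMES = {"Already on ThreatStream"}  # constructed: a name assumed to be imported already

if __name__ == "__main__":
    for problem in validate_custom_objects(SAMPLE_BUNDLE, EXISTING_NAMES):
        print(problem)
```

Running the module prints the five violations in the constructed bundle; the first object is the only one that would be accepted as written.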
Viewing Custom Objects
After the import is complete, custom objects are available from the ThreatStream
user interface as part of the Anomali Threat Model. A Custom filter enables you to
quickly locate custom objects using the Threat Model list view screen.
Searching for Custom Objects with Advanced Search
Use the model_type field to form advanced search queries for custom objects. You
can use model_type to filter for all custom objects (of any type) and custom objects
of a specific type.
- To return all custom objects, set model_type to customtm. For example: (model_type = "customtm")
- To return custom objects of a specific type, set model_type to the custom object type of interest. For example: (model_type = "x-example")
For more information on using the advanced Threat Model search, see "Performing
Advanced Threat Model Searches" on page 371.
Viewing Custom Object Details
Note: For information on importing custom objects, see "Adding STIX 2.1
Custom Objects to the Anomali Threat Model" on page 430.
Summary
Summaries contain high level information, such as custom object Title, the user that
created the custom object, publication status, publication date, and TLP setting.
Actions
- Edit: Edit custom object details. For more information, see "Editing Custom Objects" on page 434.
- Publication workflow: Move the custom object through the publication review workflow. Possible actions include Assign User, Request Review, Complete Review, and Publish. For more information, see "Reviewing Threat Model Entities for Publication" on page 542.
- Anonymize: Change the user and organization information anonymization setting. If enabled, users outside of your organization with access to the data will see "Analyst" in all fields that would otherwise display an organization or user name.
- Delete: Delete the custom object. See "Deleting a Threat Model Entity" on page 544 for more information.
- Clone: Create a private copy of the custom object. For more information, see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes include Tags, Visibility, Aliases, Source Created, Source Modified, and
custom fields.
For a complete list of fields and definitions, see "Editing Custom Objects" on the
next page.
Description
Full text description of the custom object.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox
Reports.
Attachments
External references relating to the custom object.
History
When a change is made to a custom object, a log entry of the change is created in
this section for future reference.
Comments
View and add comments to the custom object. To add private comments that are
only visible to your organization, assign them the TLP color red. Comments
assigned the TLP color white are visible to any user with access to the custom
object.
Intelligence Actions
- Watch: Receive notifications when the intelligence is updated.
- Star: Bookmark the intelligence. Starred intelligence is displayed to users in the Starred section of the My Threats page.
- Like: Tell the Anomali community what you think of the intelligence.
- Share: Send the intelligence to another ThreatStream user. Users receive in-app notifications when intelligence is shared with them. For more on in-app notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
- Create Report (PDF): Generate a PDF using a template for sharing Threat Model entities outside of ThreatStream. See "Creating PDF Reports" on page 531 for more information.
- Share via Email: Share the custom object with ThreatStream users (within or outside your organization) or non-ThreatStream users through email. See "Sharing Threat Model Entities Through Email" on page 527 for more information.
- Export IOCs to CSV: Export observables associated with the custom object in CSV format. You can select specific Fields to Export. You can export up to 1000 associated observables.
- Export to STIX: Export the custom object in STIX format. See "Exporting Threat Model Entities in STIX Format" on page 530 for more information.
Editing Custom Objects
To edit a custom object:
1. Navigate to Analyze > Threat Models.
2. Click the Name of the custom object you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Title: A meaningful name for the custom object. Custom object titles are associated with your organization. Therefore, you cannot create two custom objects with the same title within your organization. However, two custom objects with the same title can exist on ThreatStream as long as they belong to different organizations.
Note: Titles must be 255 characters or less.
Tags: Enter a term that can be used to search for this entity later using search. To add private tags that are only visible to your organization, assign them the My Organization visibility setting. Tags assigned the Anomali Community visibility setting are visible to any user with access to the entity. Since organizations can decide whether users outside of their organization can add public tags to their data, the Anomali Community visibility setting is not available in all cases.
Tagging is a quick and easy way to add metadata to threat intelligence. For example, you can add a tag to indicate the industry that the threat intelligence is associated with or a tag to indicate the Kill Chain phase.
As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags. For more on configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on page 200.
Notes:
- Custom objects can contain up to 200 tags per organization. Tags added by other organizations do not count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other organizations to your Threat Model entities.
TLP: Select a TLP (Traffic Light Protocol) color to associate with the custom object. The TLP color provides a mechanism to communicate to consumers of the information whether further dissemination of this information is allowed and, if so, how freely it can be distributed. To learn more about TLP, search for "Traffic Light Protocol" in your favorite search engine.
Aliases: Other names that this custom object is known by. For example, Axiom is also known as Elderwood and Shell Crew.
Source Created (Optional): Specify the date and time when the entity was created by its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified by its original source. Click Now to use the current time.
Custom Fields: Add, edit, or remove custom fields by modifying the JSON code associated with the custom object.
Note: Modifications must result in valid JSON format. You cannot save the custom object if the Custom Fields section contains invalid JSON code.
Description
Description: Enter a description for the custom object. Descriptions can be entered using an intuitive Rich Text Editor or a Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted content. You can copy and paste content (including images) from .doc, .docx, and .pdf files into the Rich Text Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the text from which you want to remove formatting and click the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-existing templates or define new ones. Templates can be reused to describe other Threat Model entities on ThreatStream. See "About Threat Model Templates" on page 540 for more information.
Note: Once a description has been saved, you can no longer switch between the rich text and markdown editors.
Associations
Entity types: Observables, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action, Custom Threat Models, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports.
To create associations with this custom object:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
Attachments
External References: Add any documents or other information that relates to the custom object.
To add an External Reference:
a. Click Add.
b. In the newly created row, double click the Title cell to add a title for the reference.
c. Double click the URL cell and enter the URL corresponding to the reference.
Note: Visibility is set when you publish entities. If you want to change the
Visibility of a published entity, click Publish in the Actions menu and select a
new Visibility. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
5. Click Save.
Viewing Identity Details
Summary
Summaries contain high level information, such as Identity Title, the user that
created the Identity entity, publication status, publication date, and TLP setting.
Actions
- Edit: Edit Identity details. For more information, see "Editing Identities" on page 443.
- Assign User: Assign the Identity to a user in your organization for further work on the entity.
- Publication workflow: Move the Identity through the publication review workflow. Possible actions include Assign User, Request Review, Complete Review, and Publish. For more information, see "Reviewing Threat Model Entities for Publication" on page 542.
Note: Identities can only be assigned the visibility setting My Organization upon publication.
- Add to Investigation: Add the Identity to a new or existing investigation. When you add an Identity to an investigation you can additionally add any observables associated with the Identity to the investigation. See "Managing Investigation Entities" on page 346 for more information.
- Anonymize: Change the user and organization information anonymization setting. If enabled, users outside of your organization with access to the data will see "Analyst" in all fields that would otherwise display an organization or user name.
- Delete: Delete the Identity. See "Deleting a Threat Model Entity" on page 544 for more information.
- Clone: Create a private copy of the Identity. For more information, see "Cloning Threat Model Entities" on page 519.
- Export IOCs to CSV: Export observables associated with the Identity in CSV format. You can select specific Fields to Export. You can export up to 1000 associated observables.
- Export to PDF: Export the Identity in PDF format. See "Exporting Threat Model Entities in PDF Format" on page 531 for more information.
- Create Report: Generate a PDF using a template for sharing Threat Model entities outside of ThreatStream. See "Creating PDF Reports" on page 531 for more information.
Attributes
Attributes may include Tags, TLP, Identity Class, Sectors, Roles, Contact
Information, Source Created, and Source Modified.
For a complete list of fields and definitions, see "Editing Identities" on the next page.
Description
Full text description of the Identity.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox
Reports.
Attachments
External references relating to the Identity.
History
When a change is made to an Identity, a log entry of the change is created in this section for future reference.
Comments
View and add comments to the Identity. To add private comments that are only visible to your organization, assign them the TLP color red. Comments assigned the TLP color white are visible to any user with access to the Identity.
Intelligence Actions
- Watch: Receive notifications when the intelligence is updated.
- Star: Bookmark the intelligence. Starred intelligence is displayed to users in the Starred section of the My Threats page.
- Like: Tell the Anomali community what you think of the intelligence.
- Share: Send the intelligence to another ThreatStream user. Users receive in-app notifications when intelligence is shared with them. For more on in-app notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
- Create Report (PDF): Generate a PDF using a template for sharing Threat Model entities outside of ThreatStream. See "Creating PDF Reports" on page 531 for more information.
- Share via Email: Share the Identity with ThreatStream users (within or outside your organization) or non-ThreatStream users through email. See "Sharing Threat Model Entities Through Email" on page 527 for more information.
- Export IOCs to CSV: Export observables associated with the Identity in CSV format. You can select specific Fields to Export. You can export up to 1000 associated observables.
- Export to STIX: Export the Identity in STIX format. See "Exporting Threat Model Entities in STIX Format" on page 530 for more information.
Editing Identities
To edit an Identity:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the Identity you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Title: A meaningful name for the Identity. Identity titles are associated with your organization. Therefore, you cannot create two Identities with the same title within your organization. However, two Identities with the same title can exist on ThreatStream as long as they belong to different organizations.
Note: Titles must be 255 characters or less.
Tags: Enter a term that can be used to search for this entity later using search. To add private tags that are only visible to your organization, assign them the My Organization visibility setting. Tags assigned the Anomali Community visibility setting are visible to any user with access to the entity. Since organizations can decide whether users outside of their organization can add public tags to their data, the Anomali Community visibility setting is not available in all cases.
Tagging is a quick and easy way to add metadata to threat intelligence. For example, you can add a tag to indicate the industry that the threat intelligence is associated with or a tag to indicate the Kill Chain phase.
As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags. For more on configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete any public tag associated with the entity. For entities owned by other organizations, you can only delete tags added by your organization.
Notes:
- Identities can contain up to 200 tags per organization. Tags added by other organizations do not count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other organizations to your Threat Model entities.
TLP: Select a TLP (Traffic Light Protocol) color to associate with the Identity. The TLP color provides a mechanism to communicate to consumers of the information whether further dissemination of this information is allowed and, if so, how freely it can be distributed. To learn more about TLP, search for "Traffic Light Protocol" in your favorite search engine.
Identity Class (Mandatory): The type of entity that this Identity describes: Class, Group, Individual, Organization, System, or Unspecified.
Sectors: The list of industry sectors that this Identity belongs to.
Roles: The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer).
Contact Information: The contact information (e-mail, phone number, etc.) for this Identity.
Source Created (Optional): Specify the date and time when the entity was created by its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified by its original source. Click Now to use the current time.
Description
Description: Enter a description for the Identity. Descriptions can be entered using an intuitive Rich Text Editor or a Markdown Template editor. Enable the Markdown Editor switch to use the Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted content. You can copy and paste content (including images) from .doc, .docx, and .pdf files into the Rich Text Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the text from which you want to remove formatting and click the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-existing templates or define new ones. Templates can be reused to describe other Threat Model entities on ThreatStream. See "About Threat Model Templates" on page 540 for more information.
Note: Once a description has been saved, you can no longer switch between the rich text and markdown editors.
Associations
Entity types: Observables, Import Sessions, Threat Bulletins, Actors, Attack Patterns, Campaigns, Course of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports.
To create associations with this Identity:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
Attachments
External References: Add any documents or other information that relates to the Identity.
To add an External Reference:
a. Click Add.
b. In the newly created row, double click the Title cell to add a title for the reference.
c. Double click the URL cell and enter the URL corresponding to the reference.
5. Click Save.
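The sharing rules stated in the Identity sections above (TLP red comments stay inside the author's organization while TLP white comments are visible to anyone with access to the entity; My Organization tags are private while Anomali Community tags are public; the owning organization may remove any public tag on its entity while other organizations may remove only tags they added), modelled as an added Python example. This is not ThreatStream code; the organization names are constructed, and the model assumes the caller has already checked that the viewer may access the entity at all.

```python
from dataclasses import dataclass
from typing import List

# Setting values as the guide names them.
TLP_RED = "red"                      # comment visible only inside the author's organization
TLP_WHITE = "white"                  # comment visible to anyone who can access the entity
VIS_ORG = "My Organization"          # tag visible only to the organization that added it
VIS_COMMUNITY = "Anomali Community"  # tag visible to anyone who can access the entity


@dataclass(frozen=True)
class Comment:
    author_org: str
    tlp: str
    text: str


@dataclass(frozen=True)
class Tag:
    added_by_org: str
    visibility: str
    value: str


def visible_comments(comments: List[Comment], viewer_org: str) -> List[Comment]:
    """Comments the viewer may see, assuming the viewer already has access to the entity."""
    return [c for c in comments if c.tlp == TLP_WHITE or c.author_org == viewer_org]


def visible_tags(tags: List[Tag], viewer_org: str) -> List[Tag]:
    """Tags the viewer may see: community tags plus their own organization's private tags."""
    return [t for t in tags if t.visibility == VIS_COMMUNITY or t.added_by_org == viewer_org]


def can_remove_tag(tag: Tag, entity_owner_org: str, actor_org: str) -> bool:
    """The owning organization may remove any tag it can see on its entity;
    any other organization may remove only tags its own users added."""
    if not visible_tags([tag], actor_org):
        return False  # a tag you cannot see is not yours to remove
    if actor_org == entity_owner_org:
        return True
    return tag.added_by_org == actor_org


# Constructed sample: an entity owned by "acme" carrying comments and tags from two organizations.
ENTITY_OWNER = "acme"
COMMENTS = [
    Comment("acme", TLP_RED, "internal triage note"),
    Comment("acme", TLP_WHITE, "public analyst summary"),
    Comment("globex", TLP_RED, "globex-only note"),
]
TAGS = [
    Tag("acme", VIS_ORG, "case-1234"),
    Tag("acme", VIS_COMMUNITY, "financial-sector"),
    Tag("globex", VIS_COMMUNITY, "delivery"),
    Tag("globex", VIS_ORG, "globex-internal"),
]

if __name__ == "__main__":
    for org in ("acme", "globex", "initech"):
        print(org, "sees comments:", [c.text for c in visible_comments(COMMENTS, org)])
        print(org, "sees tags:", [t.value for t in visible_tags(TAGS, org)])
```

The visibility checks and the removal check are deliberately separate functions: a viewer outside the owning organization never learns that a red comment or a My Organization tag exists, and the removal rule builds on that rather than re-deriving it.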
Viewing Incident Details
Summary
Summaries contain high level information, such as Incident Title, the user that
created the Incident, publication status, publication date, and TLP setting.
Actions
- Edit: Edit Incident details. For more information, see "Editing Incidents" on page 451.
- Publication workflow: Move the Incident through the publication review workflow. Possible actions include Assign User, Request Review, Complete Review, and Publish. For more information, see "Reviewing Threat Model Entities for Publication" on page 542.
- Add to Investigation: Add the Incident to a new or existing investigation. When you add an Incident to an investigation you can additionally add any observables associated with the Incident to the investigation. See "Managing Investigation Entities" on page 346 for more information.
- Anonymize: Change the user and organization information anonymization setting. If enabled, users outside of your organization with access to the data will see "Analyst" in all fields that would otherwise display an organization or user name.
- Delete: Delete the Incident. See "Deleting a Threat Model Entity" on page 544 for more information.
- Clone: Create a private copy of the Incident. For more information, see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, Visibility, Status, Aliases, Start Date, End Date,
Victims, Activity Dates, Intended Effects, Source Created, and Source Modified.
For a complete list of fields and definitions, see "Editing Incidents" on the next page.
Description
Full text description of the Incident.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox
Reports.
Attachments
External references relating to the Incident.
History
When a change is made to an Incident, a log entry of the change is created in this
section for future reference.
Comments
View and add comments to the Incident. To add private comments that are only visible to your organization, assign them the TLP color red. Comments assigned the TLP color white are visible to any user with access to the Incident.
Intelligence Actions
- Watch: Receive notifications when the intelligence is updated.
- Star: Bookmark the intelligence. Starred intelligence is displayed to users in the Starred section of the My Threats page.
- Like: Tell the Anomali community what you think of the intelligence.
- Share: Send the intelligence to another ThreatStream user. Users receive in-app notifications when intelligence is shared with them. For more on in-app notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
- Create Report (PDF): Generate a PDF using a template for sharing Threat Model entities outside of ThreatStream. See "Creating PDF Reports" on page 531 for more information.
- Share via Email: Share the Incident with ThreatStream users (within or outside your organization) or non-ThreatStream users through email. See "Sharing Threat Model Entities Through Email" on page 527 for more information.
- Export IOCs to CSV: Export observables associated with the Incident in CSV format. You can select specific Fields to Export. You can export up to 1000 associated observables.
- Export to STIX: Export the Incident in STIX format. See "Exporting Threat Model Entities in STIX Format" on page 530 for more information.
Editing Incidents
To edit an Incident:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the Incident you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Title: A meaningful name for the Incident. Incident titles are associated with your organization. Therefore, you cannot create two Incidents with the same title within your organization. However, two Incidents with the same title can exist on ThreatStream as long as they belong to different organizations.
Note: Titles must be 255 characters or less.
Tags: Enter a term that can be used to search for this entity later using search. To add private tags that are only visible to your organization, assign them the My Organization visibility setting. Tags assigned the Anomali Community visibility setting are visible to any user with access to the entity. Since organizations can decide whether users outside of their organization can add public tags to their data, the Anomali Community visibility setting is not available in all cases.
Tagging is a quick and easy way to add metadata to threat intelligence. For example, you can add a tag to indicate the industry that the threat intelligence is associated with or a tag to indicate the Kill Chain phase.
As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags. For more on configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete any public tag associated with the entity. For entities owned by other organizations, you can only delete tags added by your organization.
Notes:
- Incidents can contain up to 200 tags per organization. Tags added by other organizations do not count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other organizations to your Threat Model entities.
TLP: Select a TLP (Traffic Light Protocol) color to associate with the Incident. The TLP color provides a mechanism to communicate to consumers of the information whether further dissemination of this information is allowed and, if so, how freely it can be distributed. To learn more about TLP, search for "Traffic Light Protocol" in your favorite search engine.
Status: Select a status for the Incident and (optionally) enter a description for the Incident in free-form text.
Start Date: Specify the time when this Incident was created on ThreatStream.
End Date: Specify the date and time when this Incident ended (if it is known). If the Incident is still active, the end date field can be left empty.
Victims: Select industries or groups that the Incident may have impacted. You can add multiple victims.
Activity Dates: Add start and end dates (if available) to record the activity for the Incident. To add an Activity Date, click Add and enter a Start Date and End Date.
Intended Effects: Add the Intended Effects from the drop-down list. This list is derived from the Vocabulary Items in the IntendedEffectVocab-1.0 STIX Vocabularies Schema. To add an Intended Effect, click Add and select a Type from the drop-down list. Optionally, specify a description for the Type in the Description field.
Source Created (Optional): Specify the date and time when the entity was created by its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified by its original source. Click Now to use the current time.
Description
Description: Enter a description for the Incident. Descriptions can be entered using an intuitive Rich Text Editor or a Markdown Template editor. Enable the Markdown Editor switch to use the Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted content. You can copy and paste content (including images) from .doc, .docx, and .pdf files into the Rich Text Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the text from which you want to remove formatting and click the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-existing templates or define new ones. Templates can be reused to describe other Threat Model entities on ThreatStream. See "About Threat Model Templates" on page 540 for more information.
Note: Once a description has been saved, you can no longer switch between the rich text and markdown editors.
Associations
Entity types: Observables, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports.
To create associations with this Incident:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
Attachments
External References: Add any documents or other information that relates to the Incident.
To add an External Reference:
a. Click Add.
b. In the newly created row, double-click the Title cell to add a title for the reference.
c. Double-click the URL cell and enter the URL corresponding to the reference.
Note: Visibility is set when you publish entities. If you want to change the Visibility of a published entity, click Publish in the Actions menu and select a new Visibility. See "Reviewing Threat Model Entities for Publication" on page 542 for more information.
5. Click Save.
Viewing Infrastructure Details
Summary
Summaries contain high-level information, such as Infrastructure Title, the user that created the Infrastructure entity, publication status, publication date, and TLP setting.
Actions
- Edit: Edit Infrastructure entity details. For more information, see "Editing Infrastructure" on page 461.
- Publication workflow: Move the Infrastructure entity through the publication review workflow. Possible actions include Assign User, Request Review, Complete Review, and Publish. For more information, see "Reviewing Threat Model Entities for Publication" on page 542.
- Add to Investigation: Add the Infrastructure entity to a new or existing investigation. When you add an Infrastructure entity to an investigation, you can additionally add any observables associated with the Infrastructure entity to the investigation. See "Managing Investigation Entities" on page 346 for more information.
- Anonymize: Change the user and organization information anonymization setting. If enabled, users outside of your organization with access to the data will see "Analyst" in all fields that would otherwise display an organization or user name.
- Delete: Delete the Infrastructure entity. See "Deleting a Threat Model Entity" on page 544 for more information.
- Clone: Create a private copy of the Infrastructure entity. For more information, see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, Visibility, First Seen, Last Seen, Infrastructure Types, Kill Chain Phases, Source Created, and Source Modified.
For a complete list of fields and definitions, see "Editing Infrastructure" on page 461.
Description
Full text description of the Infrastructure entity.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox Reports.
Attachments
External references relating to the Infrastructure entity.
History
When a change is made to an Infrastructure entity, a log entry of the change is created in this section for future reference.
Comments
View and add comments to the Infrastructure entity. To add private comments that are only visible to your organization, assign them the TLP color red. Comments assigned the TLP color white are visible to any user with access to the Infrastructure entity.
Intelligence Actions
- Watch: Receive notifications when the intelligence is updated.
- Star: Bookmark the intelligence. Starred intelligence is displayed to users in the Starred section of the My Threats page.
- Like: Tell the Anomali community what you think of the intelligence.
- Share: Send the intelligence to another ThreatStream user. Users receive in-app notifications when intelligence is shared with them. For more on in-app notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on the My Threats page. For more information, see "Tracking Intelligence with My Threats" on page 677.
Export
- Create Report (PDF): Generate a PDF using a template for sharing Threat Model entities outside of ThreatStream. See "Creating PDF Reports" on page 531 for more information.
- Share via Email: Share the Infrastructure entity with ThreatStream users (within or outside your organization) or non-ThreatStream users through email. See "Sharing Threat Model Entities Through Email" on page 527 for more information.
- Export IOCs to CSV: Export observables associated with the Infrastructure entity in CSV format. You can select specific Fields to Export. You can export up to 1000 associated observables.
- Export to STIX: Export the Infrastructure entity in STIX format. See "Exporting Threat Model Entities in STIX Format" on page 530 for more information.
Editing Infrastructure
To edit an Infrastructure entity:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the Infrastructure entity you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Field Description
Title: A meaningful name for the Infrastructure entity.
Infrastructure titles are associated with your organization. Therefore, you cannot create two Infrastructure entities with the same title within your organization. However, two Infrastructure entities with the same title can exist on ThreatStream as long as they belong to different organizations.
Note: Titles must be 255 characters or less.
Tags: Enter a term that can be used to search for this entity later. To add private tags that are only visible to your organization, assign them the My Organization visibility setting. Tags assigned the Anomali Community visibility setting are visible to any user with access to the entity. Since organizations can decide whether users outside of their organization can add public tags to their data, the Anomali Community visibility setting is not available in all cases.
Tagging is a quick and easy way to add metadata to threat intelligence. For example, you can add a tag to indicate the industry that the threat intelligence is associated with or a tag to indicate the Kill Chain phase.
As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags. For more on configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete any public tag associated with the entity. For entities owned by other organizations, you can only delete tags added by your organization.
Notes:
- Infrastructure entities can contain up to 200 tags per organization. Tags added by other organizations do not count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other organizations to your Threat Model entities.
TLP: Select a TLP (Traffic Light Protocol) color to associate with the Infrastructure entity.
The TLP color provides a mechanism to communicate to consumers of the information whether further dissemination of this information is allowed and, if so, how freely this information can be distributed.
To learn more about TLP, search for "Traffic Light Protocol" in your favorite search engine.
Aliases: Alternative names used to identify this Infrastructure entity.
First Seen: The time that this Infrastructure was first seen performing malicious activities.
Last Seen: The time that this Infrastructure was last seen performing malicious activities.
Infrastructure Types (Mandatory): The type of infrastructure being described.
Kill Chain Phases: The list of Kill Chain Phases for which this Infrastructure is used.
Source Created (Optional): Specify the date and time when the entity was created by its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified by its original source. Click Now to use the current time.
Description
Description: Enter a description for the Infrastructure entity. Descriptions can be entered using an intuitive Rich Text Editor or a Markdown Template editor. Enable the Markdown Editor switch to use the Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted content. You can copy and paste content, including images, from .doc, .docx, and .pdf files into the Rich Text Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the text from which you want to remove formatting and click the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-existing templates or define new ones. Templates can be reused to describe other Threat Model entities on ThreatStream. See "About Threat Model Templates" on page 540 for more information.
Note: Once a description has been saved, you can no longer switch between the rich text and markdown editors.
Associations
Observables, Import Sessions, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports, Attachments: To create associations with this Infrastructure entity:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
External References: Add any documents or other information that relates to the Infrastructure entity.
To add an External Reference:
a. Click Add.
b. In the newly created row, double-click the Title cell to add a title for the reference.
c. Double-click the URL cell and enter the URL corresponding to the reference.
Note: Visibility is set when you publish entities. If you want to change the Visibility of a published entity, click Publish in the Actions menu and select a new Visibility. See "Reviewing Threat Model Entities for Publication" on page 542 for more information.
5. Click Save.
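The sharing rules described above for Infrastructure entities (the Anonymize action, TLP red versus white comments, My Organization versus Anomali Community tags, who may delete which tag, and the per-organization tag limit) as one small model, added here as an example; it is not the guide's or Anomali's own code and not how ThreatStream implements these rules, and the organization, user and tag names are constructed sample data:

```python
# Added example (not part of the ThreatStream guide or Anomali's code): a small
# model of the sharing rules this chapter describes for Infrastructure entities,
# i.e. the Anonymize setting, TLP red/white comments, My Organization versus
# Anomali Community tags, tag deletion rights, and the tag limits.
# Organization, user and entity names below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List

MY_ORGANIZATION = "My Organization"      # private tag visibility
ANOMALI_COMMUNITY = "Anomali Community"  # public tag visibility
MAX_TAGS_PER_ORG = 200                   # per entity, per organization
MAX_TAG_LENGTH = 2000

@dataclass
class Tag:
    text: str
    owner_org: str   # organization that added the tag
    visibility: str  # MY_ORGANIZATION or ANOMALI_COMMUNITY

@dataclass
class Comment:
    author_org: str
    tlp: str         # "red" = private to author_org, "white" = anyone with access
    body: str

@dataclass
class Entity:
    title: str
    owner_org: str
    created_by: str
    anonymize: bool = False
    tags: List[Tag] = field(default_factory=list)
    comments: List[Comment] = field(default_factory=list)

def displayed_creator(entity: Entity, viewer_org: str) -> str:
    """Anonymize: users outside the owning organization see "Analyst"."""
    if entity.anonymize and viewer_org != entity.owner_org:
        return "Analyst"
    return entity.created_by

def visible_comments(entity: Entity, viewer_org: str) -> List[Comment]:
    """TLP red comments stay inside the author's organization."""
    return [c for c in entity.comments
            if c.tlp == "white" or c.author_org == viewer_org]

def visible_tags(entity: Entity, viewer_org: str) -> List[Tag]:
    """My Organization tags are only shown to the organization that added them."""
    return [t for t in entity.tags
            if t.visibility == ANOMALI_COMMUNITY or t.owner_org == viewer_org]

def can_delete_tag(entity: Entity, tag: Tag, actor_org: str) -> bool:
    """Own tags: always. Public tags of others: only on entities your org owns."""
    if tag.owner_org == actor_org:
        return True
    return actor_org == entity.owner_org and tag.visibility == ANOMALI_COMMUNITY

def add_tag(entity: Entity, tag: Tag) -> None:
    """Enforce the 2,000-character limit and 200 tags per organization;
    tags added by other organizations do not count toward that limit."""
    if not tag.text or len(tag.text) > MAX_TAG_LENGTH:
        raise ValueError("tag must be 1 to 2,000 characters")
    own = sum(1 for t in entity.tags if t.owner_org == tag.owner_org)
    if own >= MAX_TAGS_PER_ORG:
        raise ValueError(f"{tag.owner_org} already has {MAX_TAGS_PER_ORG} tags")
    entity.tags.append(tag)

def view_for(entity: Entity, viewer_org: str) -> Dict[str, object]:
    """What a user from viewer_org sees once all of the rules above apply."""
    return {
        "title": entity.title,
        "created_by": displayed_creator(entity, viewer_org),
        "tags": [t.text for t in visible_tags(entity, viewer_org)],
        "comments": [c.body for c in visible_comments(entity, viewer_org)],
    }

def sample_entity() -> Entity:
    """Constructed sample: an anonymized Infrastructure entity owned by 'Acme'."""
    e = Entity("Constructed C2 hosting cluster", "Acme",
               "analyst1@acme.example", anonymize=True)
    add_tag(e, Tag("ransomware", "Acme", ANOMALI_COMMUNITY))
    add_tag(e, Tag("internal-case-42", "Acme", MY_ORGANIZATION))
    add_tag(e, Tag("seen-in-finance", "Partner", ANOMALI_COMMUNITY))
    e.comments += [
        Comment("Acme", "red", "Affected host list is in ticket 42"),
        Comment("Acme", "white", "Infrastructure went offline 2021-08-01"),
        Comment("Partner", "white", "Also observed by Partner"),
    ]
    return e

if __name__ == "__main__":
    for org in ("Acme", "Partner"):
        print(org, view_for(sample_entity(), org))
```

Running the block prints the same entity as seen by its owning organization and by a partner organization, which is a quick way to check what a given TLP or visibility choice actually exposes before publishing.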
Viewing Malware Details
Summary
Summaries contain high-level information, such as Malware Title, the user that created the Malware entity, publication status, publication date, and TLP setting.
Actions
- Edit: Edit Malware details. For more information, see "Editing Malware" on page 469.
- Publication workflow: Move the Malware through the publication review workflow. Possible actions include Assign User, Request Review, Complete Review, and Publish. For more information, see "Reviewing Threat Model Entities for Publication" on page 542.
- Add to Investigation: Add the Malware to a new or existing investigation. When you add a Malware to an investigation, you can additionally add any observables associated with the Malware to the investigation. See "Managing Investigation Entities" on page 346 for more information.
- Anonymize: Change the user and organization information anonymization setting. If enabled, users outside of your organization with access to the data will see "Analyst" in all fields that would otherwise display an organization or user name.
- Delete: Delete the Malware sample. See "Deleting a Threat Model Entity" on page 544 for more information.
- Clone: Create a private copy of the Malware. For more information, see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, Visibility, Aliases, First and Last Seen dates, Malware Family, Malware Types, Execution Platforms, Capabilities, Implementation Languages, C2 Protocol, C2 Port, Source Created, and Source Modified.
For a complete list of fields and definitions, see "Editing Malware" on page 469.
Description
Full text description of the Malware.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox Reports.
Attachments
External references relating to the Malware.
History
When a change is made to a Malware, a log entry of the change is created in this section for future reference.
Comments
View and add comments to the Malware. To add private comments that are only visible to your organization, assign them the TLP color red. Comments assigned the TLP color white are visible to any user with access to the Malware.
Intelligence Actions
- Watch: Receive notifications when the intelligence is updated.
- Star: Bookmark the intelligence. Starred intelligence is displayed to users in the Starred section of the My Threats page.
- Like: Tell the Anomali community what you think of the intelligence.
- Share: Send the intelligence to another ThreatStream user. Users receive in-app notifications when intelligence is shared with them. For more on in-app notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on the My Threats page. For more information, see "Tracking Intelligence with My Threats" on page 677.
Export
- Create Report (PDF): Generate a PDF using a template for sharing Threat Model entities outside of ThreatStream. See "Creating PDF Reports" on page 531 for more information.
- Share via Email: Share the Malware with ThreatStream users (within or outside your organization) or non-ThreatStream users through email. See "Sharing Threat Model Entities Through Email" on page 527 for more information.
- Export to STIX: Export the Malware in STIX format. See "Exporting Threat Model Entities in STIX Format" on page 530 for more information.
Editing Malware
To edit a Malware sample:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the Malware you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Field Description
Title: A meaningful name for the Malware.
Malware titles are associated with your organization. Therefore, you cannot create two Malware samples with the same title within your organization. However, two Malware samples with the same title can exist on ThreatStream as long as they belong to different organizations.
Note: Titles must be 255 characters or less.
Tags: Enter a term that can be used to search for this entity later. To add private tags that are only visible to your organization, assign them the My Organization visibility setting. Tags assigned the Anomali Community visibility setting are visible to any user with access to the entity. Since organizations can decide whether users outside of their organization can add public tags to their data, the Anomali Community visibility setting is not available in all cases.
Tagging is a quick and easy way to add metadata to threat intelligence. For example, you can add a tag to indicate the industry that the threat intelligence is associated with or a tag to indicate the Kill Chain phase.
As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags. For more on configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete any public tag associated with the entity. For entities owned by other organizations, you can only delete tags added by your organization.
Notes:
- Malware entities can contain up to 200 tags per organization. Tags added by other organizations do not count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other organizations to your Threat Model entities.
TLP: Select a TLP (Traffic Light Protocol) color to associate with the Malware.
The TLP color provides a mechanism to communicate to consumers of the information whether further dissemination of this information is allowed and, if so, how freely this information can be distributed.
To learn more about TLP, search for "Traffic Light Protocol" in your favorite search engine.
Aliases: Other names by which the Malware is known.
First Seen (Mandatory): Specify the date and time when this Malware is known to have become active.
Last Seen: Specify the date and time when this Malware was last known to be active.
Malware Family (Mandatory): Select whether the entity is a Malware family or an individual instance.
Malware Types (Mandatory): Select a type with which the Malware sample is known to be associated.
Execution Platforms (Mandatory): Select a platform on which the Malware sample is known to be executable.
Capabilities: Select the known capabilities of the Malware.
Implementation Languages: Select the implementation languages deployed by the Malware.
C2 Protocol: Select the C2 protocol used by the Malware.
C2 Port: Select the C2 port used by the Malware.
Source Created (Optional): Specify the date and time when the entity was created by its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified by its original source. Click Now to use the current time.
Description
Description: Enter a description for the Malware. Descriptions can be entered using an intuitive Rich Text Editor or a Markdown Template editor. Enable the Markdown Editor switch to use the Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted content. You can copy and paste content, including images, from .doc, .docx, and .pdf files into the Rich Text Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the text from which you want to remove formatting and click the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-existing templates or define new ones. Templates can be reused to describe other Threat Model entities on ThreatStream. See "About Threat Model Templates" on page 540 for more information.
Note: Once a description has been saved, you can no longer switch between the rich text and markdown editors.
Associations
Observables, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports, Attachments: To create associations with this Malware:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
External References: Add any documents or other information that relates to the Malware.
To add an External Reference:
a. Click Add.
b. In the newly created row, double-click the Title cell to add a title for the reference.
c. Double-click the URL cell and enter the URL corresponding to the reference.
Note: Visibility is set when you publish entities. If you want to change the Visibility of a published entity, click Publish in the Actions menu and select a new Visibility. See "Reviewing Threat Model Entities for Publication" on page 542 for more information.
5. Click Save.
Viewing Signature Details
Summary
Summaries contain high-level information, such as Signature Title, the user that created the Signature, publication status, publication date, and TLP setting.
Actions
- Edit: Edit Signature details. For more information, see "Editing Signatures" on the next page.
- Publication workflow: Move the Signature through the publication review workflow. Possible actions include Assign User, Request Review, Complete Review, and Publish. For more information, see "Reviewing Threat Model Entities for Publication" on page 542.
- Add to Investigation: Add the Signature to a new or existing investigation. When you add a Signature to an investigation, you can additionally add any observables associated with the Signature to the investigation. See "Managing Investigation Entities" on page 346 for more information.
- Anonymize: Change the user and organization information anonymization setting. If enabled, users outside of your organization with access to the data will see "Analyst" in all fields that would otherwise display an organization or user name.
- Delete: Delete the Signature. See "Deleting a Threat Model Entity" on page 544 for more information.
- Clone: Create a private copy of the Signature. For more information, see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, Visibility, Signature Type, Source Created, and Source Modified.
For a complete list of fields and definitions, see "Editing Signatures" on the next page.
Signature
Full text of the Signature.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox Reports.
History
When a change is made to a Signature, a log entry of the change is created in this section for future reference.
Comments
View and add comments to the Signature. To add private comments that are only visible to your organization, assign them the TLP color red. Comments assigned the TLP color white are visible to any user with access to the Signature.
Intelligence Actions
- Watch: Receive notifications when the intelligence is updated.
- Star: Bookmark the intelligence. Starred intelligence is displayed to users in the Starred section of the My Threats page.
- Like: Tell the Anomali community what you think of the intelligence.
- Share: Send the intelligence to another ThreatStream user. Users receive in-app notifications when intelligence is shared with them. For more on in-app notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on the My Threats page. For more information, see "Tracking Intelligence with My Threats" on page 677.
Export
- Create Report (PDF): Generate a PDF using a template for sharing Threat Model entities outside of ThreatStream. See "Creating PDF Reports" on page 531 for more information.
- Share via Email: Share the Signature with ThreatStream users (within or outside your organization) or non-ThreatStream users through email. See "Sharing Threat Model Entities Through Email" on page 527 for more information.
- Export IOCs to CSV: Export observables associated with the Signature in CSV format. You can select specific Fields to Export. You can export up to 1000 associated observables.
Editing Signatures
To edit a Signature:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the Signature you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Field Description
Title: Enter a meaningful name for the Signature.
Signature titles are associated with your organization. Therefore, you cannot create two Signatures with the same title within your organization. However, two Signatures with the same title can exist on ThreatStream as long as they belong to different organizations.
Note: Titles must be 255 characters or less.
Tags: Enter a term that can be used to search for this entity later. To add private tags that are only visible to your organization, assign them the My Organization visibility setting. Tags assigned the Anomali Community visibility setting are visible to any user with access to the entity. Since organizations can decide whether users outside of their organization can add public tags to their data, the Anomali Community visibility setting is not available in all cases.
Tagging is a quick and easy way to add metadata to threat intelligence. For example, you can add a tag to indicate the industry that the threat intelligence is associated with or a tag to indicate the Kill Chain phase.
As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags. For more on configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete any public tag associated with the entity. For entities owned by other organizations, you can only delete tags added by your organization.
Notes:
- Signatures can contain up to 200 tags per organization. Tags added by other organizations do not count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other organizations to your Threat Model entities.
TLP: Select a TLP (Traffic Light Protocol) color to associate with the Signature.
The TLP color provides a mechanism to communicate to consumers of the information whether further dissemination of this information is allowed and, if so, how freely this information can be distributed.
To learn more about TLP, search for "Traffic Light Protocol" in your favorite search engine.
Signature Type: Select the Signature type. Examples: Snort, YARA, OpenIOC, Suricata, and so on.
Source Created (Optional): Specify the date and time when the entity was created by its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified by its original source. Click Now to use the current time.
Signature
Signature: Enter the full text of the Signature.
Under Load Signature from file, add the Signature from a file. The maximum file size is 10 MB.
OR
Under Paste Signature, manually enter the Signature.
Note: Supported file types are YARA (.yar), Snort/Suricata (.rules), Cybox/OpenIOC (.xml), Splunk/Carbon Black Query/Custom (.txt), Bro Intel (.bro), and ClamAV (.ign .ign2 .ftm .hdu .hdb .hsu .hsb .ndb .msu .msb .mdu .mdb .ndu .wdb .sfp .pdb .ldu .ldb .idb .fp .crb .cdb).
Associations
Observables, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports: To create associations with this Signature:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
Note: Visibility is set when you publish entities. If you want to change the Visibility of a published entity, click Publish in the Actions menu and select a new Visibility. See "Reviewing Threat Model Entities for Publication" on page 542 for more information.
5. Click Save.
Viewing Threat Bulletin Details
Summary
Summaries contain high-level information, such as Threat Bulletin Title, the user that created the Threat Bulletin, publication status, publication date, and TLP setting.
Actions
- Edit: Edit Threat Bulletin details. For more information, see "Editing Threat Bulletins" on page 485.
- Publication workflow: Move the Threat Bulletin through the publication review workflow. Possible actions include Assign User, Request Review, Complete Review, and Publish. For more information, see "Reviewing Threat Model Entities for Publication" on page 542.
- Add to Investigation: Add the Threat Bulletin to a new or existing investigation. When you add a Threat Bulletin to an investigation, you can additionally add any observables associated with the Threat Bulletin to the investigation. See "Managing Investigation Entities" on page 346 for more information.
- Anonymize: Change the user and organization information anonymization setting. If enabled, users outside of your organization with access to the data will see "Analyst" in all fields that would otherwise display an organization or user name.
- Delete: Delete the Threat Bulletin. See "Deleting a Threat Model Entity" on page 544 for more information.
- Clone: Create a My Organization copy of the Threat Bulletin. For more information, see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, Visibility, Campaign, Source, TTP, Source Created, and Source Modified.
For a complete list of fields and definitions, see "Editing Threat Bulletins" on the next page.
Description
Full text of the Threat Bulletin.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox Reports.
Attachments
External references relating to the Threat Bulletin.
History
When a change is made to a Threat Bulletin, a log entry of the change is created in this section for future reference.
Comments
View and add comments to the Threat Bulletin. To add private comments that are only visible to your organization, assign them the TLP color red. Comments assigned the TLP color white are visible to any user with access to the Threat Bulletin.
Intelligence Actions
- Watch: Receive notifications when the intelligence is updated.
- Star: Bookmark the intelligence. Starred intelligence is displayed to users in the Starred section of the My Threats page.
- Like: Tell the Anomali community what you think of the intelligence.
l Share: Send the intelligence to another ThreatStream user. Users receive in-app
notifications when intelligence is shared with them. For more on in-app
notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
l Create Report (PDF): Generate a PDF using a template for sharing Threat
Model entities outside of ThreatStream. See "Creating PDF Reports" on
page 531 for more information.
l Share via Email: Share the Threat Bulletin with ThreatStream users (within or
outside your organization) or non-ThreatStream users through email. See
"Sharing Threat Model Entities Through Email" on page 527 for more information.
l Export IOCs to CSV: Export observables associated with the Threat Bulletin in
CSV format. You can select specific Fields to Export. You can export up to 1000
associated observables.
l Export to STIX: Export the Threat Bulletin in STIX format. See "Exporting Threat
Model Entities in STIX Format" on page 530 for more information.
Editing Threat Bulletins
To edit a Threat Bulletin:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the Threat Bulletin you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Field Description
Title A descriptive and informative name for the Threat Bulletin.
Note: Titles must be 255 characters or less.
Tags Enter a term that can be used to search for this entity later
using search. To add private tags that are only visible to
your organization, assign them the My Organization
visibility setting. Tags assigned the Anomali Community
visibility setting are visible to any user with access to the
entity. Since organizations can decide whether users
outside of their organization can add public tags to their
data, the Anomali Community visibility setting is not
available in all cases.
Tagging is a quick and easy way to add metadata to threat
intelligence. For example, you can add a tag to indicate the
industry that the threat intelligence is associated with or a
tag to indicate the Kill Chain phase stage.
As you type, the 20 most used tags in your organization
from the previous seven days are displayed. Enter * to
display a list of preferred tags configured by your
organization, in addition to pre-defined kill chain phase
tags. For more on configuring Preferred Tags, see "Adding
Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete
any public tag associated with the entity. For entities owned
by other organizations, you can only delete tags added by
your organization.
Notes:
- Threat Bulletins can contain up to 200 tags per
organization. Tags added by other organizations do not
count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other
organizations to your Threat Model entities.
TLP Select a TLP (Traffic Light Protocol) color to associate with
the Threat Bulletin.
The TLP color tells consumers of the information whether further
dissemination is allowed and, if so, how freely it can be distributed.
To learn more about TLP, search for "Traffic Light Protocol"
in your favorite search engine.
Source Enter the name of the source of the intelligence.
Source Created (Optional): Specify the date and time when the entity was created by
its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified
by its original source. Click Now to use the current time.
Description
Field Description
Create import session with observables found in Threat Bulletin body: When
checked, an import job for the observables specified in the Description of the
Threat Bulletin is automatically created upon clicking Save.
Once an import job has been created, it goes through the same workflow as any
other import job on ThreatStream. See "Importing Observables with Import
Assistant" on page 280 for more information. If observables are discovered, the
import session is displayed in the Import Sessions section of the Threat Bulletin.
Note: Once the Threat Bulletin is assigned the Publication Status Published, this
action is no longer available.
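As an added illustration of what the import step above has to do (example code written for this guide's reader, not ThreatStream's own import logic), the following extractor refangs a constructed bulletin body and pulls out typed observables; the sample text, the observable types covered and the patterns are assumptions.

```python
"""Observable extraction from a Threat Bulletin body (added example).

This illustrates the step described above; it is not ThreatStream's own
import logic. The bulletin text is constructed, and the observable types and
regular expressions are assumptions made for this example.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed bulletin body, defanged the way analysts usually paste indicators.
SAMPLE_BULLETIN = """
Phishing wave observed 2021-08-20. Lure hosted at
hxxps://update-portal[.]example[.]net/login and the loader beaconed to
203[.]0[.]113[.]45 on port 8443. Dropper hash (SHA-256)
3f786850e387550fdab836ed7e6dc881de23001b4b53a96d44a0e33e6ecd4a9c, MD5
9e107d9d372bb6826bd81d3542a419d6. Unrelated mention of v3.0 and 10.0 scores.
Contact: soc@example.org
"""

# Refanging undoes the substitutions used to keep indicators from being clickable.
_REFANG = [
    (re.compile(r"hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[([.:@])\]"), r"\1"),   # 203[.]0[.]113[.]45, user[@]host
    (re.compile(r"\(([.:])\)"), r"\1"),    # example(.)net
]

# Highest-priority patterns first: every match is blanked out before the next
# pattern runs, so a URL's host is not re-reported as a bare domain.
_IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
_PATTERNS = [
    ("url", re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("sha256", re.compile(r"\b[a-fA-F0-9]{64}\b")),
    ("md5", re.compile(r"\b[a-fA-F0-9]{32}\b")),
    ("ipv4", _IPV4),
    ("domain", re.compile(
        r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b",
        re.IGNORECASE)),
]


def refang(text: str) -> str:
    """Return the text with common defanging undone."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def extract_observables(body: str) -> Dict[str, List[str]]:
    """Return {type: sorted unique values} for the observables found in body."""
    text = refang(body)
    found: Dict[str, set] = {name: set() for name, _ in _PATTERNS}
    for name, pattern in _PATTERNS:
        def consume(match, bucket=found[name]):
            bucket.add(match.group(0))
            return " " * len(match.group(0))   # blank the span, keep offsets
        text = pattern.sub(consume, text)
    # A URL also yields its host as a domain observable (unless the host is an IP).
    for url in list(found["url"]):
        host = urlsplit(url).hostname
        if host and not _IPV4.fullmatch(host):
            found["domain"].add(host)
    return {name: sorted(values) for name, values in found.items() if values}


if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_BULLETIN).items():
        print(kind, values)
```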
Description Enter a description for the Threat Bulletin. Descriptions can
be entered using an intuitive Rich Text Editor or a
Markdown Template editor. Enable the Markdown
Editor switch to use the Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted
content. You can copy and paste content—including
images—from .doc, .docx, and .pdf files into the Rich Text
Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the
text from which you want to remove formatting and click
the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-
existing templates or define new ones. Templates can be
reused to describe other Threat Model entities on
ThreatStream. See "About Threat Model Templates" on
page 540 for more information.
Note: Once a description has been saved, you can no
longer switch between the rich text and markdown
editors.
Associations
Field Description
Observables, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action,
Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools,
TTPs, Vulnerabilities, Sandbox Reports
To create associations with this Threat Bulletin:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing
STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
Attachments Add any documents or other information that relates to the
Threat Bulletin.
To add an Attachment:
a. Click Select File.
b. Browse for the attachment.
c. Click Upload.
Note: Visibility is set when you publish entities. If you want to change the
Visibility of a published entity, click Publish in the Actions menu and select a
new Visibility. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
5. Click Save.
Viewing Tool Details
Summary
Summaries contain high level information, such as Tool Title, the user that created
the Tool entity, publication status, publication date, and TLP setting.
Actions
l Edit: Edit Tool details. For more information, see "Editing Tools" on page 495.
l Assign User: Assign the Tool to a user in your organization for further work on
the entity.
l Publication workflow: Move the Tool through the publication review workflow.
Possible actions include Assign User, Request Review, Complete Review, and
Publish. For more information, see "Reviewing Threat Model Entities for
Publication" on page 542.
l Add to Investigation: Add the Tool to a new or existing investigation. When you
add a Tool to an investigation you can additionally add any observables
associated with the Tool to the investigation. See "Managing Investigation
Entities" on page 346 for more information.
l Anonymize: Change the user and organization information anonymization
setting. If enabled, users outside of your organization with access to the data will
see "Analyst" in all fields that would otherwise display an organization or user
name.
l Delete: Delete the Tool. See "Deleting a Threat Model Entity" on page 544 for
more information.
l Clone: Create a private copy of the Tool. For more information, see "Cloning
Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, TLP, Aliases, Tool Version, Tool Types, Kill Chain
Phases, Source Created, and Source Modified.
For a complete list of fields and definitions, see "Editing Tools" on page 495.
Description
Full text description of the Tool.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox
Reports.
If you associate an import session with the Tool, associations are also created for all
observables contained in the import session.
Attachments
External references relating to the Tool.
History
When a change is made to a Tool, a log entry of the change is created in this
section for future reference.
Comments
View and add comments to the Tool. To add private comments that are only visible
to your organization, assign them the TLP color red. Comments assigned the TLP
color white are visible to any user with access to the Tool.
Intelligence Actions
l Watch: Receive notifications when the intelligence is updated.
l Star: Bookmark the intelligence. Starred intelligence is displayed to users in the
Starred section of the My Threats page.
l Like: Tell the Anomali community what you think of the intelligence.
l Share: Send the intelligence to another ThreatStream user. Users receive in-app
notifications when intelligence is shared with them. For more on in-app
notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
l Create Report (PDF): Generate a PDF using a template for sharing Threat
Model entities outside of ThreatStream. See "Creating PDF Reports" on
page 531 for more information.
l Share via Email: Share the Tool with ThreatStream users (within or outside your
organization) or non-ThreatStream users through email. See "Sharing Threat
Model Entities Through Email" on page 527 for more information.
l Export IOCs to CSV: Export observables associated with the Tool in CSV
format. You can select specific Fields to Export. You can export up to 1000
associated observables.
l Export to STIX: Export the Tool in STIX format. See "Exporting Threat Model
Entities in STIX Format" on page 530 for more information.
Editing Tools
To edit a Tool:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the Tool you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Field Description
Title A meaningful name for the Tool.
Tool titles are associated with your organization. Therefore,
you cannot create two Tools with the same title within your
organization. However, two Tools with the same title can exist
on ThreatStream as long as they belong to different organizations.
Note: Titles must be 255 characters or less.
Tags Enter a term that can be used to search for this entity later
using search. To add private tags that are only visible to
your organization, assign them the My Organization
visibility setting. Tags assigned the Anomali Community
visibility setting are visible to any user with access to the
entity. Since organizations can decide whether users
outside of their organization can add public tags to their
data, the Anomali Community visibility setting is not
available in all cases.
Tagging is a quick and easy way to add metadata to threat
intelligence. For example, you can add a tag to indicate the
industry that the threat intelligence is associated with or a
tag to indicate the Kill Chain phase stage.
As you type, the 20 most used tags in your organization
from the previous seven days are displayed. Enter * to
display a list of preferred tags configured by your
organization, in addition to pre-defined kill chain phase
tags. For more on configuring Preferred Tags, see "Adding
Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete
any public tag associated with the entity. For entities owned
by other organizations, you can only delete tags added by
your organization.
Notes:
- Tools can contain up to 200 tags per organization.
Tags added by other organizations do not count toward
this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other
organizations to your Threat Model entities.
TLP Select a TLP (Traffic Light Protocol) color to associate with
the Tool.
The TLP color tells consumers of the information whether further
dissemination is allowed and, if so, how freely it can be distributed.
To learn more about TLP, search for "Traffic Light Protocol"
in your favorite search engine.
Aliases Other names by which the Tool is known.
Tool Version The version identifier associated with the Tool.
Tool Types (Mandatory): The kind of tool being described.
Kill Chain Phases: The list of kill chain phases for which this Tool can be used.
Source Created (Optional): Specify the date and time when the entity was created by
its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified
by its original source. Click Now to use the current time.
Description
Field Description
Description Enter a description for the Tool. Descriptions can be
entered using an intuitive Rich Text Editor or a
Markdown Template editor. Enable the Markdown
Editor switch to use the Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted
content. You can copy and paste content—including
images—from .doc, .docx, and .pdf files into the Rich Text
Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the
text from which you want to remove formatting and click
the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-
existing templates or define new ones. Templates can be
reused to describe other Threat Model entities on
ThreatStream. See "About Threat Model Templates" on
page 540 for more information.
Note: Once a description has been saved, you can no
longer switch between the rich text and markdown
editors.
Associations
Field Description
Observables, Import Sessions, Threat Bulletins, Actors, Attack Patterns, Campaigns,
Course of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware,
Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports
To create associations with this Tool:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing
STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
Attachments
Field Description
External References: Add any documents or other information that relates to the
Tool.
To add an External Reference:
a. Click Add.
b. In the newly created row, double click the Title cell to
add a title for the reference.
c. Double click the URL cell and enter the URL
corresponding to the reference.
Note: Visibility is set when you publish entities. If you want to change the
Visibility of a published entity, click Publish in the Actions menu and select a
new Visibility. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
5. Click Save.
Viewing TTP Details
Summary
Summaries contain high level information, such as TTP Title, the user that created
the TTP, publication status, publication date, and TLP setting.
Actions
l Edit: Edit TTP details. For more information, see "Editing TTPs" on page 503.
l Publication workflow: Move the TTP through the publication review workflow.
Possible actions include Assign User, Request Review, Complete Review, and
Publish. For more information, see "Reviewing Threat Model Entities for
Publication" on page 542.
l Add to Investigation: Add the TTP to a new or existing investigation. When you
add a TTP to an investigation you can additionally add any observables
associated with the TTP to the investigation. See "Managing Investigation
Entities" on page 346 for more information.
l Anonymize: Change the user and organization information anonymization
setting. If enabled, users outside of your organization with access to the data will
see "Analyst" in all fields that would otherwise display an organization or user
name.
l Delete: Delete the TTP. See "Deleting a Threat Model Entity" on page 544 for
more information.
l Clone: Create a My Organization copy of the TTP. For more information,
see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, Visibility, Aliases, Attack Patterns, Malware, Exploits,
Source Created, and Source Modified.
For a complete list of fields and definitions, see "Editing TTPs" on page 503.
Description
Full text of the TTP.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox
Reports.
History
When a change is made to a TTP, a log entry of the change is created in this section
for future reference.
Comments
View and add comments to the TTP. To add private comments that are only visible
to your organization, assign them the TLP color red. Comments assigned the TLP
color white are visible to any user with access to the TTP.
Intelligence Actions
l Watch: Receive notifications when the intelligence is updated.
l Star: Bookmark the intelligence. Starred intelligence is displayed to users in the
Starred section of the My Threats page.
l Like: Tell the Anomali community what you think of the intelligence.
l Share: Send the intelligence to another ThreatStream user. Users receive in-app
notifications when intelligence is shared with them. For more on in-app
notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
l Create Report (PDF): Generate a PDF using a template for sharing Threat
Model entities outside of ThreatStream. See "Creating PDF Reports" on
page 531 for more information.
l Share via Email: Share the TTP with ThreatStream users (within or outside your
organization) or non-ThreatStream users through email. See "Sharing Threat
Model Entities Through Email" on page 527 for more information.
l Export IOCs to CSV: Export observables associated with the TTP in CSV
format. You can select specific Fields to Export. You can export up to 1000
associated observables.
l Export to STIX: Export the TTP in STIX format. See "Exporting Threat Model
Entities in STIX Format" on page 530 for more information.
Editing TTPs
To edit a TTP:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the TTP you want to edit.
3. Under Actions, click Edit.
4. In edit view, make changes to any of the fields listed below.
Field Description
Title A meaningful title for the TTP.
TTP titles are associated with your organization. Therefore,
you cannot create two TTPs with the same title within your
organization. However, two TTPs with the same title can
exist on ThreatStream as long as they belong to different
organizations.
Note: Titles must be 255 characters or less.
Tags Enter a term that can be used to search for this entity later
using search. To add private tags that are only visible to
your organization, assign them the My Organization
visibility setting. Tags assigned the Anomali Community
visibility setting are visible to any user with access to the
entity. Since organizations can decide whether users
outside of their organization can add public tags to their
data, the Anomali Community visibility setting is not
available in all cases.
Tagging is a quick and easy way to add metadata to threat
intelligence. For example, you can add a tag to indicate the
industry that the threat intelligence is associated with or a
tag to indicate the Kill Chain phase stage.
As you type, the 20 most used tags in your organization
from the previous seven days are displayed. Enter * to
display a list of preferred tags configured by your
organization, in addition to pre-defined kill chain phase
tags. For more on configuring Preferred Tags, see "Adding
Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete
any public tag associated with the entity. For entities owned
by other organizations, you can only delete tags added by
your organization.
Notes:
- TTPs can contain up to 200 tags per organization.
Tags added by other organizations do not count toward
this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other
organizations to your Threat Model entities.
TLP Select a TLP (Traffic Light Protocol) color to associate with
the TTP.
The TLP color tells consumers of the information whether further
dissemination is allowed and, if so, how freely it can be distributed.
To learn more about TLP, search for "Traffic Light Protocol"
in your favorite search engine.
Aliases Other names that this TTP is known by.
Attack Patterns Add any Attack Patterns observed for this TTP.
To add an Attack Pattern, click Add and enter a Name and
Notes for the Attack Pattern.
Malware Add any Malware that the attacker has leveraged for this TTP.
To add Malware, click Add and enter a Name, Type, and
Notes for the Malware.
Exploits Add any exploits that the attacker has leveraged for this TTP.
To add an Exploit, click Add and enter a Name and Notes
for the exploit.
Source Created (Optional): Specify the date and time when the entity was created by
its original source. Click Now to use the current time.
Source Modified (Optional): Specify the date and time when the entity was last modified
by its original source. Click Now to use the current time.
Description
Field Description
Description Enter a description for the TTP. Descriptions can be
entered using an intuitive Rich Text Editor or a
Markdown Template editor. Enable the Markdown
Editor switch to use the Markdown Template editor.
The Rich Text Editor enables you to add pre-formatted
content. You can copy and paste content—including
images—from .doc, .docx, and .pdf files into the Rich Text
Editor. All formatting is preserved.
Tip: To remove formatting from pasted text, select the
text from which you want to remove formatting and click
the "Clear Formatting" button.
The Markdown Template editor enables you to use pre-
existing templates or define new ones. Templates can be
reused to describe other Threat Model entities on
ThreatStream. See "About Threat Model Templates" on
page 540 for more information.
Note: Once a description has been saved, you can no
longer switch between the rich text and markdown
editors.
Associations
Field Description
Observables, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses of Action,
Identities, Incidents, Infrastructure, Intrusion Sets, Malware, Signatures, Tools,
TTPs, Vulnerabilities, Sandbox Reports
To create associations with this TTP:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See "Managing
STIX Relationship Objects (SROs)" on page 520 for more information.
d. Click Create Association.
5. Click Save.
Viewing Vulnerability Details
Summary
Summaries can contain high level information, such as Vulnerability Title, the user
that created the Vulnerability, publication status, publication date, and TLP setting.
Actions
l Edit: Edit Vulnerability details. For more information, see "Editing Vulnerabilities"
on page 510.
l Publication workflow: Move the Vulnerability through the publication review
workflow. Possible actions include Assign User, Request Review, Complete
Review, and Publish. For more information, see "Reviewing Threat Model
Entities for Publication" on page 542.
l Add to Investigation: Add the Vulnerability to a new or existing investigation.
When you add a Vulnerability to an investigation you can additionally add any
observables associated with the Vulnerability to the investigation. See "Managing
Investigation Entities" on page 346 for more information.
l Anonymize: Change the user and organization information anonymization
setting. If enabled, users outside of your organization with access to the data will
see "Analyst" in all fields that would otherwise display an organization or user
name.
l Delete: Delete the Vulnerability. See "Deleting a Threat Model Entity" on
page 544 for more information.
l Clone: Create a My Organization copy of the Vulnerability. For more information,
see "Cloning Threat Model Entities" on page 519.
Attributes
Attributes may include Tags, Visibility, Aliases, Source, CVSS 2.0 Score, CVSS 3.0
Score, Source Created, and Source Modified. For system imported Vulnerabilities, a
MITRE External Link is displayed.
For a complete list of fields and definitions, see "Editing Vulnerabilities" on the next
page.
Description
Full text description of the Vulnerability.
Associations
Associated Observables, Threat Model entities, Import Sessions, and Sandbox
Reports.
If you associate an import session with the Vulnerability, associations are also
created for all observables contained in the import session.
Attachments
External references relating to the Vulnerability.
History
When a change is made to a Vulnerability, a log entry of the change is created in
this section for future reference.
Affected Products
For system imported Vulnerabilities only, view products and versions affected by the
Vulnerability.
Comments
View and add comments to the Vulnerability. To add private comments that are only
visible to your organization, assign them the TLP color red. Comments assigned the
TLP color white are visible to any user with access to the Vulnerability.
Intelligence Actions
l Watch: Receive notifications when the intelligence is updated.
l Star: Bookmark the intelligence. Starred intelligence is displayed to users in the
Starred section of the My Threats page.
l Like: Tell the Anomali community what you think of the intelligence.
l Share: Send the intelligence to another ThreatStream user. Users receive in-app
notifications when intelligence is shared with them. For more on in-app
notifications, see "Receiving In App Notifications from ThreatStream" on page 66.
You can track intelligence you have commented on, watched, starred, or liked on
the My Threats page. For more information, see "Tracking Intelligence with My
Threats" on page 677.
Export
l Create Report (PDF): Generate a PDF using a template for sharing Threat
Model entities outside of ThreatStream. See "Creating PDF Reports" on
page 531 for more information.
l Share via Email: Share the Vulnerability with ThreatStream users (within or
outside your organization) or non-ThreatStream users through email. See
"Sharing Threat Model Entities Through Email" on page 527 for more information.
l Export IOCs to CSV: Export observables associated with the Vulnerability in
CSV format. You can select specific Fields to Export. You can export up to 1000
associated observables.
Editing Vulnerabilities
To edit a Vulnerability:
1. Navigate to Analyze > Threat Model.
2. Under Filter Options, click Vulnerabilities to display all Vulnerabilities you have
access to on ThreatStream.
3. Click the Name of the Vulnerability you want to edit.
4. Under Actions, click Edit.
5. In edit view, make changes to any of the fields listed below.
Field Description
Title A meaningful name for the Vulnerability.
Vulnerability titles are associated with your organization.
Therefore, you cannot create two Vulnerabilities with the
same title within your organization. However, two
Vulnerabilities with the same title can exist on
ThreatStream as long as they belong to different
organizations.
Note: Titles must be 255 characters or less.
Tags Enter a term that can be used to search for this entity later
using search. To add private tags that are only visible to
your organization, assign them the My Organization
visibility setting. Tags assigned the Anomali Community
visibility setting are visible to any user with access to the
entity. Since organizations can decide whether users
outside of their organization can add public tags to their
data, the Anomali Community visibility setting is not
available in all cases.
Tagging is a quick and easy way to add metadata to threat
intelligence. For example, you can add a tag to indicate the
industry that the threat intelligence is associated with or a
tag to indicate the Kill Chain phase stage.
As you type, the 20 most used tags in your organization
from the previous seven days are displayed. Enter * to
display a list of preferred tags configured by your
organization, in addition to pre-defined kill chain phase
tags. For more on configuring Preferred Tags, see "Adding
Preferred Tags to Intelligence" on page 200.
For entities owned by your organization, you can delete
any public tag associated with the entity. For entities owned
by other organizations, you can only delete tags added by
your organization.
Notes:
- Vulnerabilities can contain up to 200 tags per
organization. Tags added by other organizations do not
count toward this limit.
- Tags must be 2,000 characters or less.
- You can remove any public tag added by other
organizations to your Threat Model entities.
TLP Select a TLP (Traffic Light Protocol) color to associate with
the Vulnerability.
The TLP color tells consumers of the information whether further
dissemination is allowed and, if so, how freely it can be distributed.
To learn more about TLP, search for "Traffic Light Protocol"
in your favorite search engine.
Aliases Other names that this Vulnerability is known by.
CVSS 2.0 Enter a Common Vulnerability Scoring System (CVSS)
Score score in v2.0 format.
For more on calculating CVSS scores, see the following
National Vulnerability Database documentation:
Vulnerability Metrics.
CVSS 3.0 Enter a Common Vulnerability Scoring System (CVSS)
Score score in v3.0 format.
For more on calculating CVSS scores, see the following
National Vulnerability Database documentation:
Vulnerability Metrics.
Source Created Specify the date and time when the entity was created by
its original source.
(Optional)
Click Now to use the current time.
Source Specify the date and time when the entity was last modified
Modified by its original source.
(Optional) Click Now to use the current time.
Description
Description: Enter a description for the Vulnerability. Descriptions can be
entered using a Rich Text Editor or a Markdown Template editor.

The Rich Text Editor enables you to add pre-formatted content. You can copy
and paste content, including images, from .doc, .docx, and .pdf files into
the Rich Text Editor. All formatting is preserved.

Tip: To remove formatting from pasted text, select the text from which you
want to remove formatting and click the "Clear Formatting" button.

The Markdown Template editor enables you to use existing templates or define
new ones. Templates can be reused to describe other Threat Model entities on
ThreatStream. See "About Threat Model Templates" on page 540 for more
information.

Note: Once a description has been saved, you can no longer switch between
the rich text and markdown editors.
Associations
Observables, Threat Bulletins, Actors, Attack Patterns, Campaigns, Courses
of Action, Identities, Incidents, Infrastructure, Intrusion Sets, Malware,
Signatures, Tools, TTPs, Vulnerabilities, Sandbox Reports: To create
associations between this Vulnerability and entities of any of these types:
a. Click Add for the type of entity you want to associate.
b. Select the entities you want to add.
c. (Optional) On the Details tab, define an SRO for the association. See
"Managing STIX Relationship Objects (SROs)" on page 520 for more
information.
d. Click Create Association.
External References: Add any documents or other information that relates to
the Vulnerability. To add an External Reference:
a. Click Add.
b. In the newly created row, double-click the Title cell and enter a title
for the reference.
c. Double-click the URL cell and enter the URL of the reference.
Note: Visibility is set when you publish entities. If you want to change the
Visibility of a published entity, click Publish in the Actions menu and select a
new Visibility. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
6. Click Save.
Using the MITRE ATT&CK Framework in
ThreatStream
Anomali ingests MITRE ATT&CK techniques into the Anomali Threat Model as
updates become available.
ThreatStream enables you to configure a representation of your
MITRE ATT&CK security coverage. See "Managing Your Organization MITRE
ATT&CK Security Coverage Framework" on page 556 for more information. After
configuring your MITRE ATT&CK security coverage, you can use this
information within investigations to gauge your coverage of the threats under
investigation. See "Using the MITRE ATT&CK Framework in Investigations" on
page 341 for more information.
Note: MITRE ATT&CK entities cannot be cloned.
MITRE ATT&CK v7.2 and later Techniques
MITRE ATT&CK techniques and sub-techniques associated with v7.2 and later are
classified as attack patterns in the Anomali Threat Model. Like other entities in the
Anomali Threat Model, these attack patterns can be added to investigations and
exported in various formats.
Details pages for MITRE ATT&CK v9 attack pattern entities contain the following
additional fields: Data Sources, Defense Bypassed, MITRE ATT&CK® ID,
MITRE ATT&CK® Version, MITRE ATT&CK® Type, MITRE ATT&CK® Tactics,
Platforms, Permission Required, and System Requirements. Parent entities
include a Sub-Techniques field, which contains a list of links to related sub-
techniques. Sub-techniques contain a Sub-Technique Parent field, which contains
a list of links to related parent techniques. The following is an example of a MITRE
ATT&CK attack pattern in ThreatStream:
For more information on attack patterns in ThreatStream, see "Viewing Attack
Pattern Details" on page 405.
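The fields listed above (Data Sources, Defense Bypassed, Tactics, Platforms, Permission Required, System Requirements, and the parent/sub-technique links) correspond to properties in the STIX bundle MITRE publishes for ATT&CK. The following is an added example, not ThreatStream code: it reads a constructed excerpt in the shape of that bundle (the x_mitre_* properties, the kill_chain_phases tactic encoding and the "subtechnique-of" and "revoked-by" relationship types are ATT&CK's own; the UUIDs and the trimmed field values are made up here), indexes techniques by ATT&CK ID, and then runs the kind of coverage check the paragraph describes. Treating a covered parent as not covering its sub-techniques is an assumption stated in the code.

```python
def _ap(tail, ext_id, name, **props):
    """Build a constructed attack-pattern object (helper for this example)."""
    obj = {"type": "attack-pattern",
           "id": "attack-pattern--00000000-0000-4000-8000-%012d" % tail,
           "name": name,
           "external_references": [{"source_name": "mitre-attack", "external_id": ext_id,
                                    "url": "https://attack.mitre.org/techniques/"
                                           + ext_id.replace(".", "/")}]}
    obj.update(props)
    return obj


def _rel(tail, rel_type, src_tail, dst_tail):
    """Build a constructed relationship object between two attack patterns."""
    fmt = "attack-pattern--00000000-0000-4000-8000-%012d"
    return {"type": "relationship",
            "id": "relationship--00000000-0000-4000-8000-%012d" % tail,
            "relationship_type": rel_type,
            "source_ref": fmt % src_tail, "target_ref": fmt % dst_tail}


EXECUTION = [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]

# Constructed excerpt: same layout as MITRE's enterprise-attack bundle, made-up ids.
ATTACK_EXCERPT = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000aa",
                  "objects": [
    _ap(1059, "T1059", "Command and Scripting Interpreter", x_mitre_is_subtechnique=False,
        x_mitre_version="2.1", x_mitre_platforms=["Linux", "macOS", "Windows"],
        x_mitre_data_sources=["Command: Command Execution", "Process: Process Creation"],
        x_mitre_permissions_required=["User"], kill_chain_phases=EXECUTION),
    _ap(1059001, "T1059.001", "PowerShell", x_mitre_is_subtechnique=True,
        x_mitre_version="1.1", x_mitre_platforms=["Windows"],
        x_mitre_data_sources=["Command: Command Execution", "Script: Script Execution"],
        x_mitre_permissions_required=["User", "Administrator"], kill_chain_phases=EXECUTION),
    # Pre-v7 PowerShell technique: still present in the bundle, flagged revoked.
    _ap(1086, "T1086", "PowerShell", revoked=True, x_mitre_is_subtechnique=False),
    _rel(1, "subtechnique-of", 1059001, 1059),
    _rel(2, "revoked-by", 1086, 1059001),
]}


def attack_id(obj):
    """ATT&CK ID (e.g. T1059.001) from the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def load_techniques(bundle):
    """Index attack-pattern objects by ATT&CK ID with the fields the details
    page shows, then wire parent/sub-technique and revoked-by links."""
    by_stix_id = {}
    for obj in bundle["objects"]:
        if obj["type"] != "attack-pattern":
            continue
        by_stix_id[obj["id"]] = {
            "id": attack_id(obj), "name": obj["name"],
            "version": obj.get("x_mitre_version"),
            "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                        if p.get("kill_chain_name") == "mitre-attack"],
            "platforms": obj.get("x_mitre_platforms", []),
            "data_sources": obj.get("x_mitre_data_sources", []),
            "permissions_required": obj.get("x_mitre_permissions_required", []),
            "defense_bypassed": obj.get("x_mitre_defense_bypassed", []),
            "system_requirements": obj.get("x_mitre_system_requirements", []),
            "is_subtechnique": obj.get("x_mitre_is_subtechnique", False),
            "revoked": obj.get("revoked", False),
            "deprecated": obj.get("x_mitre_deprecated", False),
            "parent": None, "subtechniques": [], "revoked_by": None,
        }
    for obj in bundle["objects"]:
        if obj["type"] != "relationship":
            continue
        src, dst = by_stix_id.get(obj["source_ref"]), by_stix_id.get(obj["target_ref"])
        if src is None or dst is None:
            continue
        if obj["relationship_type"] == "subtechnique-of":
            src["parent"] = dst["id"]
            dst["subtechniques"].append(src["id"])
        elif obj["relationship_type"] == "revoked-by":
            src["revoked_by"] = dst["id"]
    return {t["id"]: t for t in by_stix_id.values()}


def coverage_gap(investigation_ids, covered_ids, techniques):
    """ATT&CK IDs seen in an investigation that the organization's coverage
    does not include. Revoked IDs (such as the v6-era T1086) are resolved to
    their replacement first. Assumption: a covered parent technique does not
    count as covering its sub-techniques; adjust if your coverage model differs."""
    gap = set()
    for tid in investigation_ids:
        tech = techniques.get(tid)
        while tech is not None and tech["revoked_by"]:
            tech = techniques.get(tech["revoked_by"])
        current = tech["id"] if tech else tid
        if current not in covered_ids:
            gap.add(current)
    return sorted(gap)
```

To run the same parse over real data, json.load the enterprise-attack.json file from MITRE's cti repository and pass the result to load_techniques; revoked and deprecated objects stay in that file, which is why the flags are carried through rather than dropped.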
Viewing Alternate Versions of MITRE ATT&CK Techniques
ThreatStream enables you to view alternate versions of MITRE ATT&CK techniques
and sub-techniques associated with v7.2 and later from attack pattern detail pages.
To view alternate versions of MITRE ATT&CK techniques:
1. Navigate to Research > Threat Model.
2. Locate the v7.2 or later MITRE ATT&CK technique of interest and click the
Name. The attack pattern detail page is displayed.
3. In the Actions menu, click View Alternate Version and then select the version
of interest. Information associated with the selected version is displayed.
If the version you select differs from the default version an Org Admin has
specified for your organization, a message to that effect is displayed at the
top of the screen.
Specifying a Default MITRE ATT&CK Version for your Organization
Org Admins can specify a default MITRE ATT&CK version for their organization.
The default version determines which version is displayed by default on
attack pattern details pages for MITRE ATT&CK techniques associated with v7.2
and later. It also determines which version your organization uses for
determining security coverage on the MITRE ATT&CK Security Coverage screen.
To specify a default MITRE ATT&CK version:
Note: You must be an Org Admin to specify a default MITRE ATT&CK version.
1. In the top navigation bar, click the settings icon and then Organization.
2. Under MITRE ATT&CK, your current default is displayed next to Current
Version. Click Change Version to specify a new default.
3. On the resulting window, select a new default version.
Note: You can only select a version later than your current selection; you
cannot revert to an earlier version.
4. Click Change to save your changes.
MITRE ATT&CK v6 Techniques and Earlier
MITRE ATT&CK techniques associated with v6 and earlier are classified as TTPs in
the Anomali Threat Model. Like other entities in the Anomali Threat Model, these
TTPs can be added to investigations and exported in various formats.
Cloning Threat Model Entities
Cloning a Threat Model entity creates a separate copy of the entity. Changes made
to cloned entities are not reflected in original entities.
Reasons to Clone Threat Model Entities
Cloning threat model entities can be helpful when:
- You want to edit information and make comments independently from existing
entities.
- You are creating new Threat Model entities similar to existing entities.
Cloning enables you to use existing entities as templates.
Cloned Attributes
All Threat Model entity attributes are cloned except for Publication Status and User
Assignment.
Cloned Threat Model entities also maintain observable associations held by the
original entity. Though associations are maintained, the associated observables
themselves are not cloned.
Note: Entities derived from premium intelligence feeds and MITRE ATT&CK entities
cannot be cloned.
To clone a Threat Model entity:
1. Navigate to the details page of the Threat Model entity you want to clone.
2. Under Actions, click Clone. If Clone is not displayed, the entity cannot be
cloned for one of the reasons above.
3. Enter a Name for the cloned entity.
4. Select a Visibility setting for the cloned entity and any Trusted Circles that you
want to share the entity with.
Entities that are either Anomali Community or owned by your organization can
be given any Visibility.
Entities owned by other organizations may only be cloned as My Organization
entities.
5. Click Save.
Managing STIX Relationship Objects (SROs)
ThreatStream enables you to create STIX-compliant relationship objects (SROs)
that define relationships between entities in the Anomali Threat Model. In
STIX terms, an SRO is a "relationship" object with a relationship type, a
source, and a target, so every SRO has a direction. From the ThreatStream
user interface, you define a relationship by selecting a STIX v2.1 SRO type
or entering a custom SRO value, and then specifying the direction of the
relationship. The following is an example of an SRO:
For more information on SROs, see the STIX 2.1 specification at
https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html.
Defining SROs Between Entities
To define SROs between entities:
1. Navigate to the details page of the Threat Model entity or observable of interest.
Note: Associations between Threat Model entities and observables cannot
be created from observable details pages. Therefore, if you want to create
an association between a Threat Model entity and an observable, navigate
to the details page of the Threat Model entity.
2. If creating an SRO from a Threat Model entity details page, click Edit in the
Actions menu and then open the Associations tab. If you are adding an
observable association, open the observables tab and click Add Association in
the Actions menu. If adding a Threat Model entity association, open the Threat
Models tab and click Add next to the Threat Model entity type of interest. If
adding or editing an SRO for an existing association, select the association of
interest and click Edit Association in the Actions menu.
OR
If creating an SRO from an observable details page, navigate to the observables
tab in the Associations section of the page. Then click Add Association in the
Actions menu. If adding or editing an SRO for an existing association, select the
association of interest and click Edit Association in the Actions menu.
3. On the Association tab, select the Threat Model entities or observables with
which you want to create the association.
4. On the Details tab, select the SRO of interest under Type.
Hover over More... to view a full list of available SROs.
To add a custom SRO, click Custom and enter the custom value under Custom
Type.
5. Click Switch Direction to select the desired SRO direction.
6. (Optional) Add a Label to the SRO to provide additional contextual information
for the association.
7. Click Create Association.
The SRO has been defined.
Viewing SROs
You can view SROs on the Associations section of observable or Threat Model
entity details pages. Associations that contain SRO definitions display values in the
Direction and Type columns.
Tip: Hover over the value in the Direction column to view the SRO definition.
Adding Labels to Associations
To help you track the contextual information behind the Threat Model entity and
observable associations you create, ThreatStream enables you to add labels when
you create associations. Association labels are displayed on the details pages of
both associated entities, along with a timestamp of when the association was
originally created (Associated Creation Date).
These labels are always private to your organization, even in cases where
associated entities are visible to users outside of your organization. Users outside of
your organization can never view the association labels you create.
You can add labels to the following types of associations:
- Observable <-> Observable
- Threat Model <-> Threat Model
- Threat Model <-> Observable
Labels are not supported for associations between Threat Model entities or
observables and Import Sessions, Investigations, or Sandbox Reports.
Note: When you export observables associated with a Threat Model entity,
association labels are not included. Additionally, association labels are not
carried over when you clone Threat Model entities.
To add association labels to new associations:
1. Navigate to the details page of the Threat Model entity or observable of interest.
Note: Associations between Threat Model entities and observables cannot
be created from observable details pages. Therefore, if you want to create
an association between a Threat Model entity and an observable, navigate
to the details page of the Threat Model entity.
2. If creating an association from a Threat Model entity details page, click Edit in
the Actions menu and then open the Associations tab. If you are adding an
observable association, open the observables tab and click Add Association in
the Actions menu. If adding a Threat Model entity association, open the Threat
Models tab and click Add next to the Threat Model entity type of interest.
OR
If creating an association from an observable details page, navigate to the
observables tab in the Associations section of the page. Then click Add
Association in the Actions menu.
3. Select the Threat Model entities or observables with which you want to create
the association.
4. On the Details tab, enter the desired association label under Label.
Note: Labels can be no more than 255 characters. Spaces and special
characters are supported.
5. Click Create Association to create the association.
The association has been created and labeled with the association label you
specified.
Note: If adding a label to an observable which contains multiple instances, the
label is added to all instances of the observable.
To add labels to existing associations:
1. Navigate to the details page of the Threat Model entity or observable of interest.
Note: Associations between Threat Model entities and observables cannot
be created from observable details pages. Therefore, if you want to add a
label to an association between a Threat Model entity and an observable,
navigate to the details page of the Threat Model entity.
2. If adding a label from a Threat Model entity details page, click Edit in the Actions
menu and then open the Associations tab. Select the associations of interest
from the observables or Threat Models tab and click Edit Association in the
Actions menu.
OR
If adding a label from an observable details page, navigate to the observables
tab in the Associations section of the page. Then click Edit Association in the
Actions menu.
3. Enter the desired association label on the resulting window.
4. Click Update Association.
The label has been added to the association.
To edit association labels:
1. Navigate to the details page of the Threat Model entity or observable of interest.
Note: Associations between Threat Model entities and observables cannot
be created from observable details pages. Therefore, if you want to edit
the label of an association between a Threat Model entity and an observable,
navigate to the details page of the Threat Model entity.
2. If editing a label from a Threat Model entity details page, click Edit in the Actions
menu and then open the Associations tab. Select the associations of interest
from the observables or Threat Models tab and click Edit Association in the
Actions menu.
OR
If editing a label from an observable details page, navigate to the observables
tab in the Associations section of the page. Then click Edit Association in the
Actions menu.
3. Modify the association label as desired.
4. Click Update Association.
The association label has been updated.
To delete association labels:
1. Navigate to the details page of the Threat Model entity or observable of interest.
Note: Associations between Threat Model entities and observables cannot
be created from observable details pages. Therefore, if you want to delete
the label of an association between a Threat Model entity and an observable,
navigate to the details page of the Threat Model entity.
2. If deleting a label from a Threat Model entity details page, click Edit in the
Actions menu and then open the Associations tab. Select the associations of
interest from the observables or Threat Models tab and click Edit Association
in the Actions menu.
OR
If deleting a label from an observable details page, navigate to the observables
tab in the Associations section of the page. Then click Edit Association in the
Actions menu.
3. Clear the value in the Association Label field.
4. Click Update Association.
The association label has been removed.
Viewing Threat Model Entity History
Each Threat Model entity details page contains a running list of events in the life
span of the entity. Events include entity creation and updates, such as editing
descriptions, publishing an entity, uploading attachments, and so on.
User: User who updated the entity. For entities owned by your organization,
specific users are listed. For entities from other organizations shared through
Trusted Circles, organization names are listed. For entities shared with the Anomali
Community or anonymously through Trusted Circles, no value is shown.
Action: Action taken on the entity.
For Threat Bulletins, actions include: Assigned Report, Association Added,
Association Removed, Cloned Report, Created Attachment, Created Comment,
Created Report, Deleted Attachment, Deleted Comment, Published Report,
Reviewed Report, Review Requested, Updated Import Session, Updated
Intelligence, and Updated Report.
For all other Threat Model entities, actions include: Assigned, Association Added,
Association Removed, Completed Review, Created, Created Comment, Published,
Review Requested, and Updated.
Timestamp: Timestamp from when the action was taken.
To view Threat Model entity history:
1. Navigate to Analyze > Threat Model.
2. Click the Name of the entity whose history you want to view. The entity details
page is displayed.
3. On the entity details page, open the History tab.
Sharing Threat Model Entities Through Email
You can share Threat Model entities with users in your organization through email
from Threat Model entity details pages or the Threat Model List View screen. Threat
Model entities are included in the body of the email and attached to the email in PDF
format. PDFs are generated using the template of your choosing. For information on
creating and managing your organization PDF templates, see "Creating Report
Templates" on page 534.
Additionally, the email includes hyperlinks to the Threat Model entity details pages in
ThreatStream.
Org Admins can restrict the email domains with which Threat Model entities can be
shared. See "Email Report Distribution" on page 73 for more information. Contact
your Org Admin if you are unsure of the restrictions implemented by your
organization.
If you share a Threat Model entity with a non-ThreatStream user, note that the
recipient is unable to access Threat Model entity details pages. Therefore, if a non-
ThreatStream user receives the email and clicks the hyperlink, they are shown the
ThreatStream login screen.
Note: Threat Model entity descriptions are truncated at 1000 characters in the
body of the email. Email recipients can read the full description by opening the
PDF or following the hyperlink included in the email.
To share Threat Model entities through email from the list view screen:
1. Navigate to Analyze > Threat Model.
2. Search for and select the Threat Model entities you want to share.
Note: You can share up to 10 threat model entities at once. Selected entities
are shared in a single email.
3. Click Share via Email in the Actions menu.
4. Enter the email addresses to which you want to share the entities and click +.
5. (Optional) Modify the email Subject. Email subjects are automatically populated
with the name of the first entity you selected.
6. (Optional) Enter a Message to include with the entities in the body of the email.
7. If you want to attach the Threat Model entities to the email in PDF format, select
Include reports as attachments.
Select a Report Template, which ThreatStream will use to generate the PDFs. If
you select a template which is not applicable to the current Threat Model entity
type, the Anomali Default Template will be used. For information on creating and
managing your organization PDF templates, see "Creating Report Templates"
on page 534.
8. Click Send.
The Threat Model entities have been shared with the recipient email addresses.
To share individual Threat Model entities through email from details pages:
1. Navigate to Analyze > Threat Model.
2. Search for the Threat Model entity you want to share. Click the name of the
entity in the search results to navigate to its details page.
3. Click Share via Email in the Export menu.
4. Enter the email addresses to which you want to share the entities and click +.
5. (Optional) Modify the email Subject. Email subjects are automatically populated
with the name the entity you selected.
6. (Optional) Enter a Message to include with the entities in the body of the email.
7. If you want to attach the Threat Model entities to the email in PDF format, select
Include reports as attachments.
Select a Report Template, which ThreatStream will use to generate the PDFs.
For information on creating and managing your organization PDF templates,
see "Creating Report Templates" on page 534.
8. Click Send.
The Threat Model entity has been shared with the recipient email addresses.
Exporting Threat Model Entities in
STIX Format
You can export the Anomali Threat Model data in the following STIX formats:
l STIX version 1.2 XML
l STIX version 2.0 JSON
l STIX version 2.1 JSON
Notes:
- You can only export information about one entity at a time.
- Binary data is not filtered out in STIX exports.
- Attachments are not included in STIX exports.
- Threat Bulletins must be in Published state in order to be exported in STIX 2.0
or 2.1 format.
- STIX export is supported for all Domain, Email, Hash, IP address, and URL
observables. The following additional STIX 2 Cyber-observable Object (SCO)
types are also supported by STIX 2.0 and 2.1 exports: file (file-name),
email-message, mutex, and windows-registry-key.
Exporting STIX Data from the Anomali Threat Model
Exporting Threat Model entities in STIX formats results in an XML file (for STIX 1.2)
or JSON file (for STIX 2.0 and 2.1). The exported file contains attributes and
associations for each Threat Model entity. The time stamp included in the exported
data is in UTC.
See "Supported Attributes for STIX Entities" on page 688 to reference the attributes
included in STIX exports.
Observables can be exported in STIX format from Observable details pages. See
"Observables" on page 224 for more information.
To export STIX data from the Anomali Threat Model:
1. Navigate to the details page of the Threat Model entity you want to export.
2. Under Actions, click Export to STIX 1.2, Export to STIX 2.0, or Export to
STIX 2.1.
The export begins automatically.
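Defining an SRO with a direction (page 520) and exporting an entity to STIX 2.1 JSON both come down to the STIX 2.1 "relationship" object, whose relationship_type is the SRO name and whose source_ref and target_ref fix its direction. The following is an added example, not ThreatStream's export code, and it claims nothing about the exact layout of a ThreatStream export beyond what the STIX 2.1 specification fixes: it builds a small bundle with a vulnerability, a malware object and an indicator, shows the "Switch Direction" case and a custom SRO value, and then runs the checks worth applying to any STIX 2.1 file before importing it (well-formed ids, spec_version on each object rather than on the bundle, UTC timestamps, no dangling references). The object names, the hash and the label are constructed; storing the association label in the SRO's description property is an assumption, since the page does not say how labels are carried.

```python
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

# TLP:AMBER marking-definition as published in the STIX 2.1 specification.
TLP_AMBER = "marking-definition--f88d31f6-dbdf-4e6f-b98c-1e5f1f5aae7f"
TLP_AMBER_OBJECT = {"type": "marking-definition", "spec_version": "2.1", "id": TLP_AMBER,
                    "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
                    "name": "TLP:AMBER", "definition": {"tlp": "amber"}}
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def stix_time(dt):
    """RFC 3339 UTC with millisecond precision and a 'Z' suffix, as STIX requires."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def stix_object(obj_type, created, **props):
    """Minimal STIX 2.1 object: in 2.1, spec_version lives on every object."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": "%s--%s" % (obj_type, uuid.uuid4()),
           "created": created, "modified": created}
    obj.update(props)
    return obj


def relationship(source, target, rel_type, created, label=None, reverse=False):
    """One SRO. reverse=True is the 'Switch Direction' case: the same type is
    read from target to source. The label goes into description (assumption)."""
    src, dst = (target, source) if reverse else (source, target)
    rel = stix_object("relationship", created, relationship_type=rel_type,
                      source_ref=src["id"], target_ref=dst["id"])
    if label:
        rel["description"] = label
    return rel


def build_bundle(now=None):
    """Constructed bundle: one vulnerability, one malware, one indicator, three SROs."""
    created = stix_time(now or datetime.now(timezone.utc))
    marks = {"object_marking_refs": [TLP_AMBER]}
    vuln = stix_object("vulnerability", created, name="Constructed example vulnerability", **marks)
    mal = stix_object("malware", created, name="Constructed example loader",
                      is_family=False, malware_types=["downloader"], **marks)
    sha256 = hashlib.sha256(b"constructed sample bytes").hexdigest()
    ind = stix_object("indicator", created, name="Loader hash",
                      pattern="[file:hashes.'SHA-256' = '%s']" % sha256,
                      pattern_type="stix", valid_from=created, **marks)
    rels = [
        # Started from the vulnerability page and chose "exploits". STIX reads
        # exploits from malware to vulnerability, so the direction is switched.
        relationship(vuln, mal, "exploits", created, reverse=True,
                     label="constructed sandbox run"),
        relationship(ind, mal, "indicates", created),
        # Custom SRO value: relationship_type is an open vocabulary in STIX 2.1.
        relationship(ind, vuln, "detects-exploitation-of", created),
    ]
    return {"type": "bundle", "id": "bundle--%s" % uuid.uuid4(),
            "objects": [TLP_AMBER_OBJECT, vuln, mal, ind] + rels}


def check_bundle(bundle):
    """Problems found in a STIX 2.1 bundle; an empty list means it passed."""
    problems, ids = [], set()
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        if not ID_RE.match(oid):
            problems.append("bad id %r" % oid)
        if obj.get("spec_version") != "2.1":
            problems.append("%s: spec_version is not 2.1" % oid)
        for field in ("created", "modified"):
            if field in obj and not TS_RE.match(obj[field]):
                problems.append("%s: %s is not a UTC timestamp" % (oid, field))
        ids.add(oid)
    if "spec_version" in bundle:
        problems.append("bundle has spec_version: that is STIX 2.0 layout, not 2.1")
    for obj in bundle.get("objects", []):
        refs = [obj.get("source_ref"), obj.get("target_ref")] + obj.get("object_marking_refs", [])
        for ref in refs:
            if ref is not None and ref not in ids:
                problems.append("%s: dangling reference %s" % (obj["id"], ref))
    return problems


def relationships_of(bundle, rel_type):
    """All SROs of one type, so a reviewer can confirm their direction."""
    return [o for o in bundle["objects"]
            if o["type"] == "relationship" and o["relationship_type"] == rel_type]


def to_json(bundle):
    """Serialise the way an export file is written."""
    return json.dumps(bundle, indent=2)
```

The spec_version check is the quickest way to tell a 2.0 file from a 2.1 file: STIX 2.0 puts spec_version on the bundle, STIX 2.1 puts it on every object and drops it from the bundle. The dangling-reference check matters because, as the notes above say, only one entity is exported at a time, so an SRO in an export can point at an entity that is not in the same file.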
Exporting Threat Model Entities in
PDF Format
PDF Report exports enable you to generate PDFs based on customizable templates
for sharing with a wider audience outside of ThreatStream. PDF Reports are
generated using templates, which can be customized to include specific fields,
headers, footers, and text styles.
Creating PDF Reports
To create a PDF Report:
1. Navigate to the details page of the threat model entity you want to export.
2. In the Export menu, click Create Report (PDF).
3. Select the template you want to use to create the report. In addition to templates
created by your organization, you can use the Anomali Default Template. This
template contains all fields and uses default colors and styles. It cannot be
edited, cloned, or deleted.
Note: Read Only users can create PDF reports using the Anomali Default
Template or other templates created by their organization. However, Read
Only users cannot create, edit, clone, delete, or set default templates.
To create a new template, click New in the Actions menu. See "Creating Report
Templates" on page 534 for more information.
Click Load Full Preview to view a preview of the template applied to the Threat
Model entity.
Click Template Options to view and edit the template's Included Elements on
an ad-hoc basis.
Note: When you deselect Tags, tags from both the primary entity and
associated entities are excluded from the report.
Changes made to the template are applied to the current download only and are
not permanent. If you selected the Anomali Default Template a Save settings
option is available. When this option is selected, changes to the selected
Included Elements are saved for the template. The next time you use the
Anomali Default Template, your previous changes are maintained.
Note: If the selected template is not applicable to the current Threat Model
entity type, the Download button is not available.
4. Click Download. The download begins immediately.
If your browser uses an ad blocker, a message is displayed instead of the
file. Click Download Now to start the download.
Creating Report Templates
When you create a report template, it is available to all users in your organization.
To create a report template:
1. Navigate to any Threat Model entity details page.
2. In the Export menu, click Create Report (PDF) and then New in the Actions
menu. You can also click Add New Template on the Select Report Template
window.
3. Enter a Template Title.
You can click Reset in the bottom left corner of the window at any time to undo
all customizations you have made.
Tip: Click Load Full Preview to view a live preview of the template applied
to the current Threat Model entity. After loading the preview, configurations
you make on the template window are not reflected in the live preview until
you click Refresh Preview.
4. (Optional) Select Set as Default Template if you want the new template to
serve as your default. If you select this option, the new template will appear at
the top of the template list each time you create a PDF report.
5. On the Content tab, select the Threat Model entity fields you want to include in
the Report template.
The following filters can be used to filter the fields listed on the tab:
- Content Type: display Header, Description, or Metadata fields only
- Model Specific: display fields related to specific Threat Model entity types
- Selected Only: remove unselected fields from the list
You can change the order of fields in the PDF by clicking and dragging the drag
and drop icon.
6. On the Header & Footer tab, configure the following settings:
Image: Banner image to be displayed at the top of the first page.

Use Organization logo: Check this box to use your organization logo as the
header image. Org Admins can upload an organization logo on the Org Settings
tab within ThreatStream settings under Upload a Custom Logo for Threat Model.
See "Viewing and Editing Organization Settings" on page 71 for more
information.
Note: If this option is selected, the organization logo overrides any image
uploaded for the template.

Image Placement: Whether the banner image is left, center, or right aligned.

Page Header: Text to be displayed at the top of the page. Contact Anomali
Customer Support if you require additional customization.

Display header on all pages: Whether the image and header are added to each
page of the PDF. If not selected, the image and header are applied to the
first page only.

Page Footer: Text to be displayed at the bottom of each page. Contact Anomali
Customer Support if you require additional customization.
7. On the Style & Format tab, configure the following settings:
Format: Not configurable; report templates only enable PDF exports.

Document Margin: Specify page margins for the report, in inches or
millimeters. The size you select is applied to all four sides of the page.
The maximum margin size is two inches (50.8 millimeters).

Primary color: Text color applied to report titles and headings. Click the
current color to open the color picker. You can select a new color using the
color picker or by entering a hex code.

Secondary color: Text color applied to the body of the report, such as the
description, comments, and history. Click the current color to open the
color picker. You can select a new color using the color picker or by
entering a hex code.

Override colors in the description: Whether the template applies the
selected Secondary color to the description. If this option is not selected,
the Threat Model entity description keeps its default colors.

Document & Section Titles font: Font applied to report titles and headings.

Body Text font: Font applied to the body of the report.

Override font in the Description: Whether the template applies the selected
Body Text font to the description.
8. On the Advanced tab, select the Threat Model entity types for which you want to
make the template available. This enables you to apply specific content sets to
entity types of interest.
9. Click Save Template.
The template is created and available to all users in your organization.
Managing Report Templates
While Org Admin privileges are not required to create templates, non-admin users
can only edit and delete report templates that they created. However, non-admin
users can clone templates which they do not have permission to edit, thus creating
an editable copy. Org Admins can edit and delete any template in their organization.
All users can select a default template. When you set a template as your default, the
template appears at the top of the template list.
Tip: Org Admins can monitor organization PDF report activity. See "Audit User
Activity" on page 192 for more information.
To edit existing templates:
1. Navigate to any Threat Model entity details page.
2. In the Actions menu, click Create Report.
3. Select the template you want to edit and click Edit in the Actions menu.
Note: If Edit is not an available action, you do not have privileges to edit the
template.
4. Make desired changes.
5. Click Save Changes.
The template has been updated.
To clone an existing template:
1. Navigate to any Threat Model entity details page.
2. In the Actions menu, click Create Report.
3. Select the template you want to edit and click Clone in the Actions menu.
4. Make desired changes.
5. Click Save Template.
To delete a template:
1. Navigate to any Threat Model entity details page.
2. In the Actions menu, click Create Report.
3. Select the template you want to delete and click Delete in the Actions menu.
Note: If Delete is not an available action, you do not have privileges to
delete the template.
4. Click Delete on the confirmation window.
The template has been deleted.
To set your default template:
1. Navigate to any Threat Model entity details page.
2. In the Actions menu, click Create Report.
3. Select the template you want to set as your default template in the left menu.
4. Click Set as Default in the Actions menu.
The template will now appear at the top of the list of templates. This is a user-level
setting and does not impact other users in your organization.
About Threat Model Templates
Although you can enter a description for a Threat Model entity in rich text, free-form,
or markdown-formatted text, using a template not only saves time but also enforces
consistency to descriptions entered by multiple users of your organization. You must
have Org admin privileges to create and manage templates.
All templates belonging to an organization are listed in a single list and are available
to use for any threat model entity type. If you have multiple templates, you can set
one of them as the default.
Descriptions entered using the Rich Text Editor may not be saved as templates.
Tip: Although you can create one template and use it for all threat model entity
types, Anomali recommends creating a unique template for each.
Creating a Template
You can save an existing description as a template or create one from scratch.
To save an existing description as a template:
1. Navigate to the entity whose description you want to save as a template.
2. On the entity details page, click Edit in the Actions menu.
Note: You must have the privileges to edit the entity. If Edit is an available
option in the Actions menu on the entity details page, you are authorized to
edit the entity.
3. On the Description tab, click Save as within the Markdown Template editor.
4. Enter a meaningful name in the Template field.
5. Click Save.
To create a template from scratch:
1. Create a new threat model entity. See "Adding a Threat Model Entity" on
page 383 for further instructions.
2. On the details page of the new threat model entity, click Edit in the Actions
menu.
3. On the Description tab, click Save as within the Markdown Template editor.
4. Enter a meaningful name in the Template field.
5. Click Save.
Editing a Template
To edit a template:
1. Navigate to a threat model entity that you are authorized to edit.
2. On the entity details page, click Edit in the Actions menu.
Note: You must have the privileges to edit the entity. If Edit is an available
option in the Actions menu on the entity details page, you are authorized to
edit the entity.
3. On the Description tab, select the template that you want to edit within the
Markdown Template editor.
4. Select the template that you want to edit from the Template drop-down.
The current text of the template is displayed.
5. Modify the text and click Save.
Removing a Template
To remove a template:
1. Navigate to a threat model entity that you are authorized to edit.
2. On the entity details page, click Edit in the Actions menu.
Note: You must have the privileges to edit the entity. If Edit is an available
option in the Actions menu on the entity details page, you are authorized to
edit the entity.
3. On the Description tab, click Manage within the Markdown Template editor.
4. Locate the template you want to remove, and click Remove.
Reviewing Threat Model Entities for Publication
You can use the Publication Status field to manage the review cycle of your threat
model entities, from creation to publication.
There are four publication statuses in the ThreatStream review workflow: New,
Review Requested, Review Completed, and Published.
Threat Model entities are not visible to users outside of your organization unless the
Publication Status is set to Published. However, unpublished entities are visible to
users within your organization at all times. Entities yet to be published display
DRAFT across the summary banner, as displayed below.
The chart below illustrates the full threat model publication workflow.
When you create a threat model entity, its status is set to New. From New, you
can set the status to Published or Review Requested.
When you set the status to Review Requested, you can assign the entity to a
user in your organization for review. Click Assign User in the Actions menu to
select a user in your organization to review the entity. Users receive email
notifications when threat model entities are assigned to them.
After review, the assignee can set the status to Review Completed and re-assign
the entity to the reporter. If the reviewed entity is ready for publication, you can set
the status to Published. If the reviewed entity requires further review, you can set the
status back to Review Requested and select another assignee.
When you set the status to Published, the entity is visible to other users. After an
entity is published, Publish remains an available action. Re-publishing an entity
enables you to change the Visibility of the entity. During publication, you can also
anonymize your user and organization information by selecting Anonymize user
and organization. Users outside of your organization with access to the data will
see "Analyst" in all fields that would otherwise display an organization or user name.
To move Threat Model entities through the review process:
1. Navigate to Threat Model > Threat Model.
2. Click the Name of the entity of interest.
3. Under Actions, select a publication review action.
4. When the entity is ready for publication, click Publish in the Actions menu.
5. Specify the visibility of the entity. You can select Anomali Community, Trusted
Circles, or My Organization.
If you select Trusted Circles, select trusted circles from the drop-down menu.
For more information, see "Creating a Trusted Circle" on page 650.
You can also restrict the visibility of the entity to specific workgroups within your
organization. To do so, select My Organization and then select desired
workgroups from the Restrict To Workgroups menu.
6. Click Save.
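The status transitions and visibility rules described above, together with the workgroup restriction covered in the next section, as an added example in Python. This is not ThreatStream code: the statuses, the three visibility options, the workgroup restriction and the "Analyst" substitution are the ones the guide describes, while the class, method and field names, and the rule that a workgroup restriction applies to every viewer in the organization, are assumptions made for the example.

```python
"""State model of the Threat Model publication and visibility workflow.

Added example, not ThreatStream code. Statuses, visibility choices and the
"Analyst" anonymization follow the guide; class, method and field names are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

NEW = "New"
REVIEW_REQUESTED = "Review Requested"
REVIEW_COMPLETED = "Review Completed"
PUBLISHED = "Published"

# Allowed status changes, as described in the workflow.
TRANSITIONS = {
    NEW: {REVIEW_REQUESTED, PUBLISHED},
    REVIEW_REQUESTED: {REVIEW_COMPLETED},
    REVIEW_COMPLETED: {PUBLISHED, REVIEW_REQUESTED},
    PUBLISHED: {PUBLISHED},  # Publish stays available so Visibility can be changed
}
VISIBILITIES = ("Anomali Community", "Trusted Circles", "My Organization")


def can_transition(current, target):
    """True if the workflow allows moving from current to target."""
    return target in TRANSITIONS.get(current, set())


@dataclass
class ThreatModelEntity:
    name: str
    reporter: str
    organization: str
    status: str = NEW
    assignee: Optional[str] = None
    visibility: Optional[str] = None
    trusted_circles: Set[str] = field(default_factory=set)
    workgroups: Set[str] = field(default_factory=set)
    anonymized: bool = False

    def _move(self, target):
        if not can_transition(self.status, target):
            raise ValueError(f"cannot move from {self.status} to {target}")
        self.status = target

    def request_review(self, reviewer):
        """Review Requested: a reviewer in the organization is assigned."""
        self._move(REVIEW_REQUESTED)
        self.assignee = reviewer

    def complete_review(self):
        """Review Completed: the entity is re-assigned to the reporter."""
        self._move(REVIEW_COMPLETED)
        self.assignee = self.reporter

    def publish(self, visibility, trusted_circles=(), workgroups=(), anonymize=False):
        """Publish (or re-publish) with a visibility choice."""
        if visibility not in VISIBILITIES:
            raise ValueError(f"unknown visibility {visibility!r}")
        if visibility == "Trusted Circles" and not trusted_circles:
            raise ValueError("select at least one trusted circle")
        if workgroups and visibility != "My Organization":
            raise ValueError("workgroup restriction applies only to My Organization")
        self._move(PUBLISHED)
        self.visibility = visibility
        self.trusted_circles = set(trusted_circles)
        self.workgroups = set(workgroups)
        self.anonymized = anonymize

    def visible_to(self, viewer_org, viewer_circles=(), viewer_workgroups=()):
        """Apply the visibility rules for a viewer belonging to viewer_org."""
        same_org = viewer_org == self.organization
        if self.status != PUBLISHED:
            # Unpublished (DRAFT) entities are visible only inside the organization.
            return same_org
        if self.visibility == "Anomali Community":
            return True
        if self.visibility == "Trusted Circles":
            return same_org or bool(self.trusted_circles & set(viewer_circles))
        # My Organization, optionally restricted to workgroups (assumption:
        # the restriction applies to every viewer, the reporter included).
        if not same_org:
            return False
        return not self.workgroups or bool(self.workgroups & set(viewer_workgroups))

    def displayed_owner(self, viewer_org):
        """Name shown in user/organization fields for a viewer."""
        if self.anonymized and viewer_org != self.organization:
            return "Analyst"
        return f"{self.reporter} ({self.organization})"
```

The transition table is the part worth keeping next to an access-control review: an entity that is still New or Review Completed never leaks outside the organization regardless of what visibility was chosen earlier, and re-publishing is the only way to widen visibility.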
Restricting Threat Model Entities to Workgroups
The visibility of Threat Model entities that are private to your organization can be
further restricted to user workgroups within your organization. You can restrict the
visibility of Threat Model entities to specific workgroups as part of the Threat Model
publication workflow. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
Deleting a Threat Model Entity
Org Admins can delete Threat Model entities that belong to their organization. Once
deleted, Threat Model entities cannot be restored.
Org Admins can track Threat Model entity deletion on the Audit page. For more on
auditing user activity, see "Audit User Activity" on page 192.
To delete one or more Threat Model entities:
1. Access the Threat Model List View by navigating to Analyze > Threat Model.
2. Use search and filter options to find the Threat Model entities you want to act on.
3. Click check boxes in the first column to select one or more items.
4. Under Actions, click Delete.
If Delete does not appear in the Actions menu, you are not authorized to delete
the entity.
5. Click OK to confirm.
To delete a single Threat Model entity from the Threat Model details page:
1. Navigate to the details page of the entity you want to delete.
2. Under Actions, click Delete.
If Delete does not appear in the Actions menu, you are not authorized to delete
the entity.
3. Click OK to confirm.
Chapter 13: Subscribing to Premium Threat Intelligence Streams
This chapter covers the following topics:
Activating Premium Streams 548
Browsing Open Source Streams 551
Managing Open Source Intelligence (OSINT) Feeds 551
The Alliance Preferred Partner (APP) Store is a marketplace where organizations
can evaluate and purchase premium threat intelligence streams offered by Anomali
partners. The APP Store also enables you to reference the list of open source
streams that are already feeding your threat intelligence in ThreatStream.
Only Org Admins can manage premium intelligence streams. Typically,
organizations start out by integrating premium streams into their threat intelligence
on a free trial basis to evaluate its impact.
Search for streams by name.
Filter streams based on the following parameters:
- Subscription Type—Open Source or Premium. Streams classified as Free
include freemium streams which can be activated at no additional charge. For
more information on freemium offerings in ThreatStream, see "Activating
Freemium Services" on page 187.
- Status—Filter streams by activation status. You can preview streams which will
be available soon by using the Coming Soon filter.
- Intelligence Initiative—Filter streams by their association with ThreatStream
intelligence initiative types. For more information on intelligence initiatives, see
"Attributing Organizational Goals with Intelligence Initiatives" on page 562.
- Vendor—Filter streams by vendor.
Toggle the APP Store view between the list and tile views.
The following is an example of streams displayed on the list view:
On the list view, you can click stream Names to view more information or manage
the status of the stream.
The following is an example of streams displayed on the tile view:
On the tile view, buttons are available on the stream tile based on available actions
for the stream, such as Request Access, Request a Trial, or Manage.
Activating Premium Streams
Premium streams in the APP Store enable one of two activation methods:
- Credentialed activation—gain access to the premium stream by entering
credentials from the stream vendor. If you do not already have credentials, you
can request them through the APP Store. Streams do not become active until you
enter your credentials on the APP Store. See "Credentialed Activation" below for
more information.
- Trial activation—gain access to the premium stream by requesting a free trial.
You will be contacted by email with further information on feed activation and
subscriptions. See "Trial Activation" on the next page for more information.
Credentialed Activation
Streams displaying Request Access can be activated by entering your credentials.
The following feeds are available for credentialed activation:
- Crowdstrike Falcon X
- Digital Shadows
- Dragos
- Mandiant
- Flashpoint Compromised Credentials
- Group-IB Anti-Phishing
- Group-IB Brand Abuse Add On
- Group-IB Threat Intelligence
- Kaspersky
- Proofpoint TAP
Note: See the Connected Apps menu on the Proofpoint TAP Dashboard to
create the credentials needed to activate the Proofpoint TAP feed.
- Recorded Future Premium Intelligence Feed
- Sixgill Deep Insights
- SWIFT ISAC Threat Intelligence Feed
- ZeroFOX
To activate a credentialed premium stream:
1. Navigate to APP Store > APP Store.
2. Locate the credentialed feed of interest and click Request Access.
3. If you do not have credentials, click Request Access on the resulting popup.
The vendor will contact you through email with further information. Once you
have your credentials, proceed to the next step.
4. Locate the feed of interest, click Manage, and then I have credentials.
5. Enter your credentials.
6. Click Activate.
The premium feed is now active.
Trial Activation
Streams displaying Request a Trial are currently available for activation on a trial or
paid basis. After requesting access, you will receive further subscription and
activation information through email.
If you have not already done so, your organization can subscribe to the feed on a
free trial basis. After monitoring its impact, you can decide whether or not to
purchase the stream at the end of the trial period. For more information on
monitoring stream quality, see "Viewing Weekly Summaries for Your Organization"
on page 27.
After activating a free trial, the number of days remaining in your trial is displayed on
the APP Store user interface. Anomali Support will contact you via email when trials
expire. You can then purchase feeds to continue receiving intelligence on a
permanent basis.
To request activation:
1. Navigate to APP Store > APP Store.
2. Locate the required premium stream.
3. If you are using the tile view, click Request a Trial and accept the evaluation
agreement.
If you are using the list view, click the name of the stream, accept the evaluation
agreement, and click Request a Trial.
Anomali will contact you to complete the activation process.
Browsing Open Source Streams
ThreatStream leverages a number of open source intelligence streams to feed your
threat intelligence in ThreatStream. Open source streams are listed after the
premium streams in the APP Store and display Open Source in their upper right
corner of the tile.
You can use the Source Optimizer tool to compare open source streams and the
data they provide you. See "Comparing Intelligence Sources with Source Optimizer"
on page 571 for more information.
Managing Open Source Intelligence (OSINT) Feeds
ThreatStream leverages a number of open source intelligence feeds to feed your
threat intelligence in ThreatStream. OSINT feeds are listed in the APP Store and
display an OSINT badge in the upper right corner in each tile. OSINT feeds are not
displayed by default on the APP Store. You must select the Open Source
Subscription Type filter in order to view OSINT feeds.
Note: OSINT tiles are hidden on the ThreatStream OnPrem user interface.
ThreatStream OnPrem customers must manage OSINT feeds from the
ThreatStream Cloud user interface.
From the APP Store, you can browse, activate, and deactivate the OSINT feeds
contributing to your threat intelligence on ThreatStream.
Viewing OSINT Feeds in the APP Store
To browse OSINT feeds in the APP Store:
1. Navigate to APP Store > APP Store.
2. Select the Open Source Subscription Type filter.
All OSINT feeds available in ThreatStream are now listed in the APP Store. Select
the Available Status filter to view OSINT feeds to which you are currently not
subscribed.
You can use the Source Optimizer tool to compare open source streams and the
data they provide you. See "Comparing Intelligence Sources with Source Optimizer"
on page 571 for more information.
Tip: You can use the is_osint search filter in advanced observable searches
to query OSINT observables. Simply include is_osint=true in your advanced
search query. See "Performing Advanced Observable Searches" on page 260
for more information.
Activating and Deactivating OSINT Feeds
Note: This is a beta feature. Contact your Anomali Customer Support
representative to participate in the beta release.
By default, all OSINT feeds aggregated by ThreatStream are active for your
organization. However, Org Admins can deactivate and reactivate OSINT feeds
from the APP Store at any time. This granular level of control enables you to make
strategic, intelligence-informed decisions about which sources contribute to your
threat intelligence.
To deactivate OSINT feeds:
1. Navigate to APP Store > APP Store.
2. Select the Open Source Subscription Type filter.
3. Locate the active OSINT feed you want to deactivate.
4. If you are using the tile view, flip the switch to the left position.
If you are using the list view, click the name of the feed and then click
Deactivate.
The status changes to Inactive.
Note: Feed data is not automatically removed from your downstream
integrations when you deactivate a feed. If you want to remove feed data from
downstream integrations, perform a full intelligence resynchronization (known
as a Full Refresh) on ThreatStream Integrator.
To activate OSINT feeds:
1. Navigate to APP Store > APP Store.
2. Select the Open Source Subscription Type filter.
3. Locate the OSINT feed you want to activate.
4. If you are using the tile view, flip the switch to the right position.
If you are using the list view, click the name of the feed and then click Activate.
The status changes to Active.
Note: If you do not have Resync Integrators when joining a new Trusted
Circle or Feed enabled on the Organization tab within ThreatStream settings,
downstream integrations receive intelligence from the time of activation onwards
only. If you want your downstream integrations to receive historical data from the
feed, perform a full intelligence resynchronization (known as a Full Refresh) on
ThreatStream Integrator. See "Resync Integrators when joining a new Trusted
Circle or Feed" on page 72 for more information.
Chapter 14: Managing Your Organization MITRE ATT&CK Security Coverage Framework
The ThreatStream investigations workspace includes an on-board implementation
of the MITRE ATT&CK Framework, which enables you to build visual
representations of MITRE ATT&CK associations and gain insight into the impact of
the threat under investigation with regard to the MITRE ATT&CK Framework.
ThreatStream also enables you to use the MITRE ATT&CK framework to log the
security coverage implemented by your organization. After configuring your security
coverage, you can overlay it on MITRE ATT&CK models within investigations to get
a snapshot of your coverage for a particular threat.
For more information on using the MITRE ATT&CK framework in an investigation,
see "Using the MITRE ATT&CK Framework in Investigations" on page 341.
You can configure a representation of your security coverage on the MITRE
ATT&CK Security Coverage screen. Security coverage can be configured by
uploading a JSON file generated by the MITRE ATT&CK Navigator or manually
from the matrix on the MITRE ATT&CK Security Coverage screen.
For information on configuring your security coverage from a JSON file, see
"Configuring a Representation of your Security Coverage from a JSON File" on
page 558. For manual configuration, see "Manually Configuring a Representation of
your Security Coverage" on page 560.
Note: Read Only users cannot access the MITRE ATT&CK Security Coverage
screen. All other users can access the screen and configure or modify the
security coverage representation.
Current Version: Current default version of the MITRE ATT&CK framework
used by your organization. See "Specifying a MITRE ATT&CK Security Coverage
Framework Version" on the next page for more information.
Show/Hide Sub-Techniques: If your organization has configured an applicable
MITRE version, the screen contains an additional Show/Hide Sub-Techniques
option. Click Show Sub-Techniques to expand the matrix to display sub-techniques
for each technique. Additionally, you can expand sub-techniques for individual
techniques by clicking the arrow next to the technique on the matrix.
Note: Sub-techniques are only visible on the matrix if your organization uses
MITRE ATT&CK v7.2, v8.2, or v9.
Filter: Filter techniques by Platform and Stages. Additionally, a Hide Unused
switch enables you to display only those TTPs for which you have configured a
security coverage level.
Note: Filter is applicable only to MITRE ATT&CK v6.2. Filter techniques are
deprecated in MITRE ATT&CK v7.2 and later.
Settings: The following settings are available:
- MITRE ATT&CK Navigator JSON: Configure your security coverage using a
JSON file. See "Configuring a Representation of your Security Coverage from a
JSON File" below for more information.
- Matrix Visual Settings: Select a color gradient for your security coverage
matrix.
- Clear all: Clear your current security coverage configuration. This action cannot
be reversed.
Specifying a MITRE ATT&CK Security Coverage Framework Version
Org Admins control which version of the MITRE ATT&CK framework your
organization uses to gauge security coverage. For more information, see
"Specifying a Default MITRE ATT&CK Version for your Organization" on page 518.
Your current version is displayed at the top of the screen.
Configuring a Representation of your Security Coverage from a JSON File
You can quickly configure your security coverage representation by uploading a
JSON file generated by the MITRE ATT&CK Navigator tool.
When generating your JSON file, you must adhere to the following requirements:
- The JSON file must adhere to the MITRE ATT&CK version used by your
organization. See the Current Version listed at the top of the MITRE ATT&CK
Security Coverage screen to determine the version used by your organization.
- domain must be set to enterprise-attack.
- score values must be between 0 and 100. ThreatStream maps these scores on
to security level settings as follows:
  - 0—None (no coverage)
  - 1-33—Low (low level of protection)
  - 34-67—Medium (moderate level of protection)
  - 68-100—High (high level of protection)
- Multiple layers are not supported.
Note: Uploading a JSON file overwrites any existing configurations.
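A pre-upload check for a Navigator layer file against the requirements listed above, as an added example in Python. It is not ThreatStream or Navigator code: the score bands are the ones the guide lists, while the layer field names it reads (domain, versions.attack, techniques[].techniqueID, techniques[].score) follow the Navigator layer format as assumed here, and the sample layers are constructed for the example.

```python
"""Check an ATT&CK Navigator layer before uploading it as security coverage.

Added example, not ThreatStream or Navigator code. Field names follow the
Navigator layer format as assumed here; the score-to-level bands
(0 None, 1-33 Low, 34-67 Medium, 68-100 High) are the ones the guide lists.
"""
import json


def score_to_level(score):
    """Map a 0-100 layer score to the ThreatStream coverage level name."""
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        raise ValueError(f"score {score!r} must be a number between 0 and 100")
    if not 0 <= score <= 100:
        raise ValueError(f"score {score!r} must be between 0 and 100")
    if score == 0:
        return "None"
    if score <= 33:
        return "Low"
    if score <= 67:
        return "Medium"
    return "High"


def validate_layer(text, expected_attack_version):
    """Parse one layer and return {techniqueID: level}; raise ValueError on any rule break.

    expected_attack_version is the Current Version shown on the Security
    Coverage screen, e.g. "9".
    """
    data = json.loads(text)
    if isinstance(data, list):
        raise ValueError("multiple layers are not supported; upload a single layer object")
    if not isinstance(data, dict):
        raise ValueError("layer must be a JSON object")
    if data.get("domain") != "enterprise-attack":
        raise ValueError(f"domain must be enterprise-attack, got {data.get('domain')!r}")
    # Navigator records the ATT&CK version the layer was built against (assumed field).
    attack_version = str(data.get("versions", {}).get("attack", ""))
    if attack_version != str(expected_attack_version):
        raise ValueError(
            f"layer targets ATT&CK v{attack_version or '?'}, organization uses v{expected_attack_version}"
        )
    coverage = {}
    for entry in data.get("techniques", []):
        tid = entry.get("techniqueID")
        if not tid:
            raise ValueError("technique entry without techniqueID")
        # Navigator omits score for unscored cells; treat those as 0 (None).
        coverage[tid] = score_to_level(entry.get("score", 0))
    return coverage


def layer_error(text, expected_attack_version):
    """Return the first rule violation as a message, or None if the layer is valid."""
    try:
        validate_layer(text, expected_attack_version)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample layers (technique IDs are real ATT&CK IDs, scores are made up).
SAMPLE_LAYER = json.dumps({
    "name": "constructed coverage layer",
    "domain": "enterprise-attack",
    "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},
    "techniques": [
        {"techniqueID": "T1059", "score": 80},
        {"techniqueID": "T1566", "score": 34},
        {"techniqueID": "T1078", "score": 10},
        {"techniqueID": "T1105", "score": 0},
    ],
})
MULTI_LAYER = json.dumps([json.loads(SAMPLE_LAYER), json.loads(SAMPLE_LAYER)])
WRONG_DOMAIN_LAYER = json.dumps({**json.loads(SAMPLE_LAYER), "domain": "mobile-attack"})
BAD_SCORE_LAYER = json.dumps({
    **json.loads(SAMPLE_LAYER),
    "techniques": [{"techniqueID": "T1059", "score": 101}],
})

if __name__ == "__main__":
    for label, layer in [("sample", SAMPLE_LAYER), ("multi", MULTI_LAYER),
                         ("domain", WRONG_DOMAIN_LAYER), ("score", BAD_SCORE_LAYER)]:
        print(label, layer_error(layer, "9") or validate_layer(layer, "9"))
```

Running the check locally before uploading matters because, as the note above says, an upload overwrites the existing configuration; a layer built against the wrong ATT&CK version or with a stray out-of-range score is cheaper to catch in a script than after the matrix has been replaced.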
To configure a representation of your security coverage from a JSON file:
1. Generate your JSON file using the MITRE ATT&CK Navigator tool.
2. On the ThreatStream user interface, navigate to Manage > MITRE ATT&CK.
3. Click the settings icon in the upper right corner of the screen.
4. On the resulting window, click browse and select your JSON file or drag and
drop the file from your system file explorer.
5. Click Save.
Your JSON file is uploaded. ThreatStream processes the file and updates your
security coverage on the MITRE ATT&CK framework displayed on the screen.
Manually Configuring a Representation of your Security Coverage
In addition to configuring your security controls from a JSON file, you can manually
configure or update your security coverage on the MITRE ATT&CK Security
Coverage screen.
To configure a representation of your security coverage:
1. Navigate to Manage > MITRE ATT&CK.
The MITRE ATT&CK framework is displayed. By default, all TTPs are assigned
the "None" security level setting.
2. To log coverage for a TTP, click the TTP of interest and select a security level
setting.
High (green) indicates a high level of protection. Medium (yellow) indicates a
moderate level of protection. Low (orange) indicates a low level of protection.
None (red) indicates no protection.
Note: Colors depend on the gradient selected in the matrix configuration.
3. When you have finished configuring your security control coverage, click Save.
Your security coverage has been saved. You can return to the MITRE
ATT&CK Security Coverage screen and update the representation at any time.
Chapter 15: Attributing Organizational Goals with Intelligence Initiatives
Information in an Intelligence Initiative 564
Creating Intelligence Initiatives 567
Completing Intelligence Initiatives 568
Exporting Intelligence Initiatives 569
Deleting Intelligence Initiatives 570
Intelligence initiatives enable you to attribute threat intelligence and efforts to larger
organizational goals. Intelligence initiatives focus efforts related to specific goals by
centralizing related threat intelligence feeds (known within intelligence initiatives as
Collections), investigations, and Threat Model entities.
The intelligence initiative framework in ThreatStream includes the following initiative
types:
| Initiative Type | Description |
|---|---|
| Adversary Monitoring | Threat actors or groups that pose the greatest threat to public or private enterprises. Threat assessment of adversaries is based on a combination of their sophistication and their volume of activity. |
| Brand Monitoring | Threats to a corporate brand based on observations in open and closed sources. Includes compromises of corporate intellectual property, domains, or credentials; threats to corporate personnel, facilities, or operations; attacks on corporate brands or reputations; and rogue applications. |
| Domain Monitoring | Misuse or compromise of corporate domains. Includes domain names crafted to deceive consumers through variations of legitimate domains or typosquatting, domains that host counterfeit websites that impersonate a legitimate entity, and domains created to support phishing campaigns. |
| Fraudulent Activity | Activities include financial fraud (credit cards, business email compromise, rewards fraud, etc.), bogus applications, identity theft or misuse, and unauthorized access to information systems or facilities. |
| Geopolitical | Threats assessed to be most likely to have significant impact on a global scale, including political, social, criminal, governmental, economic, or environmental events. Examples include conflict/war, cyber attacks, economic sanctions, significant changes in financial markets, and natural disasters. |
| Malware Intelligence | Known or suspected threats from malicious software. |
| Mobile | Threats to mobile communications hardware (Apple, Samsung, etc.), operating systems (iOS, Android, etc.), and applications. |
| Phishing | Attempts to fraudulently acquire access or information by means of impersonation through email or messaging. Includes tactics, techniques, procedures, and impacts of such campaigns. Includes attribution when possible. |
| Physical Infrastructure | Threats or malicious activity against cyber infrastructure, including hardware, software, supply chain components, and both public and private cloud architectures. |
| Social Media | Threats made on social media to corporate brands, personnel, facilities, or reputation. Threats may include malicious comments or explicit threats. |
| Threat and Risk Analysis | Threats to an organization mapped against known defensive tools. Threat assessment is based on the known or suspected intent and capabilities of specific threat actors, groups, or TTPs. Risk assessment is based on potential damage. |
| Vulnerability and Patch Management | Known vulnerabilities prioritized by risk. Based on intelligence assessments of potential threats against the current configuration. |
Org Admins can create one intelligence initiative of a given type at a time. After
marking an intelligence initiative as complete, the initiative is archived and available
for export in PDF by members of your organization.
Non Admin users can view and export intelligence initiatives.
You can also monitor intelligence initiatives on the Intelligence Initiatives dashboard.
See "Viewing the Intelligence Initiatives Dashboard" on page 35 for more
information.
Note: Read Only users cannot view or export intelligence initiatives.
Information in an Intelligence Initiative
The following is an example of an intelligence initiative:
Intelligence initiative types associated with open initiatives. Click an initiative
type to view the open initiative.
Anomali provided description of the selected intelligence initiative.
Intelligence initiative details. This section contains the following:
| Field | Description |
|---|---|
| Associated Entities | Counts of Collections (feeds), Investigations, and Threat Models associated with the intelligence initiative. |
| Start Date / End Date | Time period for the intelligence initiative. |
| Remaining Days | Number of days left for the initiative. |
| Created | Timestamp of when the initiative was created. |
| Last Modified | Timestamp of when the initiative was last modified by an Org Admin. |
| Investigation Contributors | Assignees of investigations associated with the intelligence initiative. |
Collections: Threat intelligence feeds associated with the initiative. Click Add
Feeds in the Actions menu to associate feeds with the initiative.
In the Collections table view, Number of Entities contains a count of observables
provided by the feed within the time period of the initiative. Click the count to drill
down on the observable search screen.
Investigations: Investigations associated with the initiative. Click the Name of
the investigation to drill down on the investigation details page.
To associate an investigation with an intelligence initiative, navigate to the
investigation of interest and select the intelligence initiative under Intelligence
Initiatives. You can select multiple intelligence initiatives.
Note: After selecting the intelligence initiative with which you want to associate
the investigation, save the investigation to ensure the association is created.
Threat Models: Threat Model entities associated with the initiative. To associate
Threat Model entities, you must add a saved Threat Model search filter to the
initiative. Threat Model entities that meet the search filter and the specified time
period for the initiative are associated.
If you have already added a saved search to the initiative, you can click Edit Saved
Search in the Actions menu to select a different saved search.
Suggested Feeds: Browse suggested premium intelligence feeds that provide
threat intelligence relevant to the initiative type. Click the feed Name to view
subscription information in the APP Store. The Status column lists whether the feed
is available on a trial basis.
Refresh: Refresh the initiative.
Actions: The following actions are available:
- New Initiative: Create a new intelligence initiative.
Note: You must mark active initiatives as complete before creating a new
initiative of the same type.
- Edit Time Period: Edit the time period of the open intelligence initiative.
- Complete Initiative: Complete the open intelligence initiative. See "Completing
Intelligence Initiatives" on the next page for more information.
- Export Previous Reports: Export previous intelligence initiatives. See
"Exporting Intelligence Initiatives" on page 569 for more information.
- Delete: Delete the open intelligence initiative. See "Deleting Intelligence
Initiatives" on page 570 for more information.
Creating Intelligence Initiatives
Org Admins can create intelligence initiatives from the Intelligence Initiatives screen.
To create an intelligence initiative:
1. Navigate to Manage > Intelligence Initiatives. The intelligence initiatives
screen is displayed.
2. On the left pane, click + Add Initiative.
3. Under Intelligence Initiative, select the type of intelligence initiative you want to
create. You can select Adversary Monitoring, Brand Monitoring, Domain Monitoring,
Fraudulent Activity, Geopolitical, Malware Intelligence, Mobile, Phishing, Physical
Infrastructure, Social Media, Threat and Risk Analysis, or Vulnerability and Patch
Management.
Note: Only types which are not associated with open initiatives are displayed.
You can only have one active initiative of a given type at a time.
4. Select a Start Date and End Date to specify a time period for the initiative. Time
periods can be no longer than 180 days.
5. Click Save Changes to create the initiative.
6. To associate Collections (feeds) with the initiative:
a. On the Collections tab of the initiative, click Add Feed in the Actions menu.
b. Select the feeds of interest and click Add.
Note: You can add a maximum of 100 feeds to an intelligence initiative.
7. To associate Investigations with the initiative:
a. Navigate to Research > Investigations.
b. Locate the investigation of interest and click the investigation Name to open
the details page of the investigation.
c. Under Intelligence Initiatives, select the intelligence initiative. You can select
multiple intelligence initiatives for the investigation. Save the investigation to
create the association.
8. To associate Threat Model entities with the initiative:
a. On the Threat Models tab of the initiative, click Add Saved Search.
Note: For more information on creating saved advanced Threat Model
searches, see "Saving Threat Model Search Filters" on page 381.
b. Select the saved Threat Model advanced search of interest and click Save
Change.
Threat Model entities that are returned by the saved search and that were modified
within the time period specified for the intelligence initiative are listed in the
Threat Model table.
Completing Intelligence Initiatives
Org Admins can mark intelligence initiatives as complete at any time. Initiatives are
not automatically completed when the time period expires.
To complete an intelligence initiative:
1. Navigate to Manage > Intelligence Initiatives.
2. On the left pane, click the type associated with the initiative you want to
complete.
3. In the Actions menu, click Complete Initiative.
Note: You cannot edit the intelligence initiative after completion.
4. If you want to automatically export the initiative upon completion, select
Download PDF.
If you want to automatically create a new initiative of the same type, select
Create a new initiative.
The intelligence initiative has been completed.
Exporting Intelligence Initiatives
Org Admin and Non Admin users can export completed intelligence initiatives.
Export gives you access to a full archive of completed intelligence initiatives created
by your organization.
To export intelligence initiatives:
1. Navigate to Manage > Intelligence Initiatives.
2. In the Actions menu, click Export Previous Reports.
3. Select the initiative type of interest.
4. Click Export.
Your download begins after ThreatStream finishes generating the PDF.
Deleting Intelligence Initiatives
Org Admins can delete open intelligence initiatives.
To delete an intelligence initiative:
1. Navigate to Manage > Intelligence Initiatives.
2. On the left pane, click the type associated with the initiative you want to delete.
3. In the Actions menu, click Delete.
4. Click OK to confirm.
The intelligence initiative has been deleted.
Chapter 16: Comparing Intelligence Sources with Source Optimizer
Source Optimizer provides valuable metrics on the relevance of open-source
intelligence sources to your organization. You can compare sources by two
parameters: Overlap and Earliest to Report. Comparing sources by Overlap
displays the number of identical observables provided by more than one source,
and Earliest to Report displays which source provided overlapping observables first.
To view Source Optimizer, navigate to Manage > Source Optimizer.
Source Selection
Use the checkboxes to select sources to compare. You can select all sources in the
list by clicking the checkbox in the top left corner.
Sources can be filtered by:
l Source: Name of the intelligence source. Use the text box to search for sources
by name.
l ITypes: Indicator types assigned to all active observables provided by the
source. Use the drop-down menu to select an indicator type. For a complete list
of observable types, see Indicator Types in ThreatStream.
l Source Score: Average confidence score of all active observables provided by
the source.
l False Positives: Number of false positives provided by the source.
l Relevance: Number of observables provided by the source that appear in your
My Attacks.
l Volume: Number of active observables in the source.
You can also sort the list in ascending or descending order by any of the above
parameters.
If you apply a filter that excludes a source you have already selected, the selected
source will appear on the matrix until you manually deselect it.
Comparison Overview
View the favorability of sources based on the following metrics: Source Score,
Volume, Relevance, and False Positives. The most favorable sources appear as
green triangles, while the least favorable sources appear as red triangles. Mouse
over triangles to view the name of the source in full.
Co-Occurrence Matrix
The Co-Occurrence Matrix is a graphical representation of observable overlaps
between the sources you selected. Mouse over individual comparisons to view
statistics.
There are two different views:
l Overlap displays the number of identical active observables found in both
sources.
l Earliest to Report displays which source was first to provide identical
observables. This view takes the total number of days by which one source was
ahead of the other across the overlapping observables and divides it by the total
number of overlapping observables, giving the average lead in days.
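The Earliest to Report arithmetic, as an added example that is not part of ThreatStream or of this guide: the Python below rebuilds both Co-Occurrence Matrix views from constructed per-source first-seen dates. Everything in it is an assumption about how to apply the description above (in particular, "days ahead" is taken as a signed sum, so a source that is earlier on some shared observables and later on others nets out); ThreatStream's own computation is not published.

```python
from datetime import date
from itertools import combinations

# Added example, not ThreatStream code: a local re-computation of the two
# Co-Occurrence Matrix views from per-source first-seen dates. The sample
# data is constructed; the signed-average reading of "Earliest to Report"
# (net days ahead divided by overlapping observables) is an assumption.

# source name -> {observable value: date the source first reported it}
SAMPLE_SOURCES = {
    "feed-a": {"198.51.100.7": date(2021, 6, 1),
               "phish-login.example": date(2021, 6, 3),
               "203.0.113.9": date(2021, 6, 10)},
    "feed-b": {"198.51.100.7": date(2021, 6, 4),
               "phish-login.example": date(2021, 6, 2),
               "192.0.2.44": date(2021, 6, 5)},
    "feed-c": {"203.0.113.9": date(2021, 6, 12),
               "192.0.2.44": date(2021, 6, 5)},
}


def overlap(a, b):
    """Observables reported by both sources (what the Overlap view counts)."""
    return set(a) & set(b)


def lead_days(a, b):
    """Average number of days a reported shared observables before b: the sum
    over shared observables of (b's date - a's date) divided by the number of
    shared observables. Positive means a was earlier on average, a same-day
    report contributes 0, and None means there is nothing to compare."""
    shared = overlap(a, b)
    if not shared:
        return None
    return sum((b[v] - a[v]).days for v in shared) / len(shared)


def earliest_reporter(sources, x, y):
    """Name of the source that tends to report shared observables first, or
    None when the two overlap nowhere or net out to the same day."""
    lead = lead_days(sources[x], sources[y])
    if not lead:  # None (no overlap) or 0.0 (tie)
        return None
    return x if lead > 0 else y


def co_occurrence_matrix(sources, view="overlap"):
    """matrix[x][y]: shared observable count for the Overlap view (symmetric),
    or x's average lead over y in days for the Earliest to Report view
    (antisymmetric; None where the pair shares nothing)."""
    names = list(sources)
    matrix = {n: {} for n in names}
    for x, y in combinations(names, 2):
        if view == "overlap":
            matrix[x][y] = matrix[y][x] = len(overlap(sources[x], sources[y]))
        else:
            lead = lead_days(sources[x], sources[y])
            matrix[x][y] = lead
            matrix[y][x] = None if lead is None else -lead
    return matrix


if __name__ == "__main__":
    for view in ("overlap", "earliest"):
        print(view, co_occurrence_matrix(SAMPLE_SOURCES, view))
```

With the constructed data, feed-a and feed-b share two observables and feed-a is ahead by one day on average (three days earlier on one, one day later on the other), while feed-b and feed-c tie on their single shared observable, so neither is the earliest reporter for that pair.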
Chapter 17: Configuring Rules
This chapter covers the following topics:
Configuring Rules 578
Viewing Rule Details 587
Editing Configured Rules 588
Exporting Rules 590
Removing Configured Rules 591
Receiving Rules Email Notifications 592
Configuring Rules on ThreatStream enables you to take automated actions when
specific keywords appear in newly created Threat Bulletins, Sandbox Reports,
Signatures, Vulnerabilities, or recently imported observables. A single rule can
contain up to 100 distinct keywords. Actions configured for the rule trigger when any
of the keywords match incoming intelligence. Actions can also trigger when
keywords match on tags added to existing observables.
Note: Rules cannot match for keywords in intelligence whose visibility is
restricted to organization workgroups.
To view or manage your rules, navigate to Manage > Rules.
Configured rules. Org Admins can view all rules which belong to their
organization. Non Admin users can only see rules visible to the entire organization
or workgroups of which they are members.
Actions include:
l New: Configure a new rule. See "Configuring Rules" on page 578 for more
information.
l Edit: Edit the selected rule. See "Editing Configured Rules" on page 588 for more
information.
l Export: Export configured rules in CSV format. See "Exporting Rules" on
page 590 for more information.
l Enable My Notifications: Toggle on the Notify Me setting for the selected rules.
See "Receiving Rules Email Notifications" on page 592 for more information on
receiving rules email notifications.
l Disable My Notifications: Toggle off the Notify Me setting for the selected rules.
See "Receiving Rules Email Notifications" on page 592 for more information on
receiving rules email notifications.
l Delete Selected: Remove the selected rule.
Total number of matches for all keywords configured on the rule.
Tags associated with each rule.
Toggle whether you receive email notifications for matches from a particular rule.
Notify Me is a user level setting which enables you to customize the rule match
notifications you receive. Disabling this setting for a rule does not prevent other
users in your organization from receiving notifications for the rule. See "Receiving
Rules Email Notifications" on page 592 for more information on receiving rules email
notifications.
For Org Admin users: Notify Me switches are not displayed for rules whose visibility
is restricted to workgroups of which you are not a member.
For Non-Admin users: Notify Me switches are available for all rules for which you
have privileges to edit.
Toggle whether the rule is enabled. If switched off, the rule is disabled and no
longer matches for keywords in new intelligence.
For Org Admin users: Enabled switches are not displayed for rules whose visibility is
restricted to workgroups of which you are not a member.
For Non-Admin users: Enabled switches are available for all rules for which you
have privileges to edit.
Filter configured rules by the following parameters:
l Matches Within: Show rules which search for keyword matches within Threat
Bulletins, Observables, Vulnerabilities, Signatures, or Sandbox Reports.
l Investigation: Show rules which add matched intelligence to investigations.
l Date Updated: Show rules which were updated in the Last Day, Last Week, Last
Month, or a Custom time range.
l Date Created: Show rules which were created in the Last Day, Last Week, Last
Month, or a Custom time range.
Search rules by rule name or configured keywords.
Keyword Syntax Requirements
Keywords added to rules must adhere to the following requirements:
l IP addresses must be expressed as regular expressions. To match an exact
IP address, the regular expression must include \b metacharacters at the
beginning and end of the value; without them the keyword also matches any
address that merely contains the value, such as 10.1.25.10 or 110.1.25.1.
Example: \b10\.1\.25\.1\b
l IP subnets must be expressed using CIDR notation and not as regular
expressions.
Example: 10.20.100.0/26
l Domains, URLs, and email addresses must also be expressed as regular
expressions. When specifying values of these entity types, escape dots (\.) to
search for exact matches; an unescaped dot matches any single character.
Example: anomali\.com
l Do not start or end keywords with .*
l Keywords must contain at least three characters.
l Keywords are not case sensitive.
Sample Keyword Types
Anomali recommends the following baseline configuration:
l Executive staff email addresses
Example: ceo@organization\.com or organizationceo@free-email-
provider\.com
l Organizational email domain names
Example: organization\.com
l Supply chain and critical business partner email domains
Example: supply\.com
l Any other domain names, trademarks, keywords, etc. used by your organization.
Example: internaldomain\.net
l Relevant CIDRs, including those of your supply chain and critical business
partners.
Example: 192.168.2.0/24
l Executive staff IP addresses (home IPs)
Example: cable-modem-1-1-1-1\.isp\.net or \b1\.1\.1\.1\b
l Common default passwords, code names, proprietary terms, etc.
Example: Any insecure default account passwords seen inside your
organization. Keep in mind that keywords are shown to every user who can see
the rule and are included when rules are exported to CSV, so restrict the Rule
Visibility of a rule that carries such terms to an appropriate workgroup.
Note: IPv6 addresses are supported.
Matched Fields
Rules look for matches between the keywords you configure and the fields listed in
the table below.
Intelligence Type: Matched Fields
Observables: Tags, Values
Sandbox Reports: Hashes, Notes, Signatures, URLs
Signatures: Name, Signature (full text of the Signature), Signature Type, Tags
Threat Bulletins: Actors, Campaigns, Description, Name, Source, Status, Tags, TTPs
Vulnerabilities: Description, Name
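The keyword syntax rules and the Matched Fields table together, as an added example that is not ThreatStream's own code: the Python below lints a keyword list against the documented rules and previews which fields of some constructed sample intelligence a rule would match. How ThreatStream's matcher works internally is not documented, so the matching logic (case-insensitive regular expressions, CIDR containment for subnets, one check per field listed in the table) is an assumption, as are the sample entities and the keyword list.

```python
import ipaddress
import re

# Added example, not ThreatStream code: a local lint of the Rules keyword
# syntax plus a preview of which fields of sample intelligence a keyword
# list would match. The matching behaviour is an assumption modelled on the
# stated rules; the sample entities and keywords are constructed.

# Matched fields per intelligence type, copied from the guide's table.
MATCHED_FIELDS = {
    "Observables": ["Tags", "Values"],
    "Sandbox Reports": ["Hashes", "Notes", "Signatures", "URLs"],
    "Signatures": ["Name", "Signature", "Signature Type", "Tags"],
    "Threat Bulletins": ["Actors", "Campaigns", "Description", "Name",
                         "Source", "Status", "Tags", "TTPs"],
    "Vulnerabilities": ["Description", "Name"],
}

IPV4_LITERAL = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# IPv4 or IPv6 literals inside free text; candidates are validated below.
IP_LITERAL = re.compile(
    r"\d{1,3}(?:\.\d{1,3}){3}|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}")
CIDR_SHAPE = re.compile(
    r"(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}|[0-9a-fA-F:]*:[0-9a-fA-F:]*/\d{1,3}")


def classify_keyword(keyword):
    """Return ("cidr" | "regex", warnings), or raise ValueError naming the
    documented rule the keyword breaks."""
    kw = keyword.strip()
    warnings = []
    if len(kw) < 3:
        raise ValueError(f"{kw!r}: keywords must contain at least three characters")
    if kw.startswith(".*") or kw.endswith(".*"):
        raise ValueError(f"{kw!r}: do not start or end keywords with .*")
    if CIDR_SHAPE.fullmatch(kw):
        try:
            ipaddress.ip_network(kw, strict=False)  # validates address and prefix
        except ValueError as exc:
            raise ValueError(f"{kw!r}: subnets must be valid CIDR notation") from exc
        return "cidr", warnings
    if IPV4_LITERAL.fullmatch(kw):
        # As a regex a bare address has no word boundaries and its dots match
        # any character, so it would also hit 10.1.25.10 and 110.1.25.1.
        raise ValueError(f"{kw!r}: write IP addresses as \\b10\\.1\\.25\\.1\\b")
    try:
        re.compile(kw, re.IGNORECASE)
    except re.error as exc:
        raise ValueError(f"{kw!r}: invalid regular expression ({exc})") from exc
    # Soft check: a domain- or email-looking keyword with an unescaped dot
    # matches more than the exact name (anomali.com also matches anomalixcom).
    if re.fullmatch(r"[\w.@\\-]+", kw) and re.search(r"(?<!\\)\.", kw):
        warnings.append(f"{kw!r}: unescaped dot; use \\. for an exact match")
    return "regex", warnings


def keyword_hits(keyword, text):
    """True if the keyword matches anywhere in text (CIDR: any IP literal in
    the text falls inside the subnet; otherwise a case-insensitive regex)."""
    kind, _ = classify_keyword(keyword)
    if kind == "cidr":
        net = ipaddress.ip_network(keyword.strip(), strict=False)
        for literal in IP_LITERAL.findall(text):
            try:
                if ipaddress.ip_address(literal) in net:
                    return True
            except ValueError:  # not an address, e.g. a time like 12:30:00
                continue
        return False
    return re.search(keyword.strip(), text, re.IGNORECASE) is not None


def preview_rule(keywords, entities):
    """Return (keyword, entity name, field) for every hit, checking only the
    fields the guide lists for the entity's intelligence type."""
    hits = []
    for entity in entities:
        for field in MATCHED_FIELDS[entity["type"]]:
            raw = entity["fields"].get(field, "")
            text = " ".join(raw) if isinstance(raw, list) else raw
            for kw in keywords:
                if keyword_hits(kw, text):
                    hits.append((kw, entity["name"], field))
    return hits


RULE_KEYWORDS = [r"\b10\.1\.25\.1\b", "10.20.100.0/26", r"anomali\.com"]

# Constructed sample intelligence, not real ThreatStream data.
SAMPLE_ENTITIES = [
    {"type": "Observables", "name": "obs-1",
     "fields": {"Values": "10.1.25.10", "Tags": ["apt", "recon"]}},
    {"type": "Observables", "name": "obs-2",
     "fields": {"Values": "10.20.100.37", "Tags": []}},
    {"type": "Threat Bulletins", "name": "tb-1",
     "fields": {"Name": "Phishing wave", "Tags": ["phish"],
                "Description": "Lures spoof mail.ANOMALI.com"}},
    {"type": "Vulnerabilities", "name": "vuln-1",
     "fields": {"Name": "Example", "Description": "mentions anomalixcom"}},
]

if __name__ == "__main__":
    for kw in RULE_KEYWORDS + ["cable-modem-1-1-1-1.isp.net", "10.1.25.1"]:
        try:
            print(kw, "->", classify_keyword(kw))
        except ValueError as err:
            print("rejected:", err)
    for hit in preview_rule(RULE_KEYWORDS, SAMPLE_ENTITIES):
        print("match:", hit)
```

Run as a script it rejects a bare 10.1.25.1, warns that cable-modem-1-1-1-1.isp.net has unescaped dots, and reports two hits: the /26 keyword on the observable 10.20.100.37 and anomali\.com on the bulletin description. The observable 10.1.25.10 stays quiet because of the \b anchors, and anomalixcom stays quiet because of the escaped dot.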
Configuring Rules
Your organization can configure up to 300 rules.
To configure a rule:
1. Navigate to Manage > Rules.
2. Under Actions, click New.
3. Configure the settings below.
Field Description
Name (Required): Enter a unique name for the rule.
Match Keywords (Required): Keywords of interest. The rule will trigger configured
actions when any of the keywords are matched. Keywords are not case sensitive.
A single rule can contain up to 100 keywords. Separate keywords with commas or
line breaks.
Keywords must adhere to the guidelines detailed in "Keyword Syntax Requirements"
on page 576.
Include: Select the entity types in which you want the rule to match for the
keywords.
n Observables
n Sandbox Reports
n Signatures
n Threat Bulletins
n Vulnerabilities
iTypes: If you selected Observables under Include, you can configure the rule to
match within specific indicator types. By default, all indicator types are selected.
You can use the search function to locate and deselect or select specific indicator
types.
Tip: Click Deselect All to deselect the indicator types and then select a specific
subset.
Exclude: When Observables in the Exclude List of My Organization is selected,
the rule excludes observables on your organization's Exclude List: it does not take
its configured actions when keywords appear in those observables.
This setting is only available when you select Observables for Match Within.
Rule Visibility: Specify the visibility for the rule. Rules can be visible to All users
in your organization or only to the organization workgroups you specify. Only the
workgroups of which you are a member are available to select.
For more information on workgroups, see "Restricting Access to Intelligence with
Workgroups" on page 196.
4. Click Next: Define Actions when complete.
5. Configure the actions that the rule should take when keywords are matched.
Rules can be configured to add matched intelligence to new or existing
investigations, associate matched intelligence with Threat Model entities, add
tags to matched intelligence, or send notifications when matches occur.
Field Description
Investigation
Action: Select one of the following:
n No Action—do not add matched intelligence to an
investigation.
n Add to new—add matched intelligence to a new
investigation. An investigation is created when you
complete rule configuration.
n Add to existing—add matched intelligence to an existing
investigation. Use the search function and select the
investigation of interest from the list.
Note: If the visibility of the rule is restricted to
workgroups in your organization, only investigations
visible to the exact same set of workgroups are
displayed. Investigations visible to a subset of the
workgroups are not displayed.
Name (New Investigation Only) (Required): Name assigned to the investigation that
will be created the first time a keyword match occurs.
Investigation visibility (New Investigation Only): Visibility setting of the new
investigation. The investigation inherits the same visibility setting configured for
the rule and cannot be edited.
Assignee (New Investigation Only): Organization user to whom you want to assign
the new investigation. If you selected My Organization for the visibility of the rule,
you can select any user in your organization. If you restricted the visibility of the
rule to specific workgroups, only users from the selected workgroups are available.
Threat Model
Action: Select one of the following:
n No Action—do not associate matched entities with
Threat Model entities.
n Add To—associate matched intelligence with existing
Threat Model entities. Use the search function and select
the entities of interest from the list. You can select up to 10
entities.
Tip: You can use the All filter to filter search results by
Threat Model entity type.
Tags & Notifications
Tags: If desired, specify tags which will be added to matched
intelligence.
To add private tags that are only visible to your organization,
assign them the My Organization visibility setting. Tags
assigned the Anomali Community visibility setting are visible
to any user with access to the entity.
Organizations and intelligence sources can prevent users of
other organizations on ThreatStream from adding public
tags (those with the Anomali Community visibility setting) to
their intelligence. To prevent your tags from being dropped in
these cases, Anomali recommends setting the visibility to My
Organization for tags added to matched intelligence.
Note: All entity types in ThreatStream are limited to 200
tags per organization. Tags added as a result of rule
matches can be dropped if matched entities reach this
limit.
Notify: Select which users in your organization will receive email
notifications when the rule is triggered.
By default, All users with visibility into the rule receive
notifications. Alternatively, you can restrict notifications to a
specific user workgroup. If the rule is visible to all users in
your organization, all workgroups in your organization are
available to select. If the rule is restricted to specific
workgroups in your organization, only those with visibility
into the rule are available to select. See "Restricting Access
to Intelligence with Workgroups " on page 196 for more
information on workgroups.
Users must subscribe to the Keyword Matches email list in
order to receive notifications when rules are triggered. See
Managing Your ThreatStream Email Subscriptions for more
information.
Note: Notifications for matches in Sandbox Reports are
sent to all users in your organization and cannot be
restricted to specific workgroups.
Notify Me: Toggle whether you receive email notifications when
keyword matches occur. Notify Me is a user level setting
which enables you to customize the rule match notifications
you receive. Disabling this setting for a rule does not prevent
other users with visibility into the rule from receiving
notifications. See "Receiving Rules Email Notifications" on
page 592 for more information on receiving rules email
notifications.
Exclude from notifications: When Observables imported by My Organization is
selected, the rule suppresses notifications for observables imported by your
organization. When this setting is enabled, keyword matches in observables
imported by your organization do not appear in Keyword Match or Hourly Digest
emails. In these cases, matches are still visible from the rule details page and
other configured actions are taken.
This setting is only available when you select Observables for Match Within.
6. When complete, click Create Rule.
Note: Rules can take up to five minutes after creation to begin matching
keywords based on the configured criteria.
Viewing Rule Details
Rule Details pages enable you to view and track all matches found for configured
keywords.
Rule name.
Configured Keywords for the rule.
Types of intelligence in which the keywords are matched.
Actions taken when keyword matches are found.
Edit the rule. See "Editing Configured Rules" below for more information.
Matched keyword.
Intelligence in which keywords matched. You can drill down on intelligence by
clicking a Matched Item.
Type of intelligence the keyword matched in.
Date on which the match occurred.
Status of the match.
Use this field to track any necessary follow-up on matches. Statuses include:
l New—default status of all matches.
l In Progress—match is currently under investigation.
l Dismissed—match has either been adequately investigated or deemed benign.
Take actions on selected matches. Actions include:
l Export—export selected matches in CSV format. See "Exporting Rules" on
page 590 for more information.
l Change Status—change the status of the match.
l Add to investigation—add selected matches to a new or existing investigation.
See "Investigating Threats in ThreatStream" on page 325 for more information.
Editing Configured Rules
ThreatStream enables you to edit previously configured rules. While Org Admin
users can view all rules in their organization, regardless of the visibility setting, they
can only edit rules which are visible to the entire organization or workgroups of
which they are members. Non Admin users can edit any rule to which they have
access.
To edit a configured rule:
1. Navigate to Manage > Rules.
2. Select the rule you want to edit.
3. Under Actions, click Edit.
4. Make required edits in the edit window.
Keywords are displayed in a comma separated list. To edit an existing keyword,
simply modify the keyword value.
When editing Rule Visibility, all workgroups to which the rule is visible are
displayed—including those of which you are not a member.
5. Click Next: Define Actions and make any desired edits on the Actions screen.
If the rule was configured to add intelligence to a new or existing investigation,
you can edit the name or assignee of the investigation, or select No Action on
the Investigation tab.
If you updated the visibility of the rule so that the previous investigation assignee
no longer has access, you must manually update the investigation assignee to a
user or workgroup with access to the rule based on the new visibility setting.
Note: In cases where rules were configured to create a new investigation for
keyword matches, visibility of the associated investigation is automatically
updated when you edit the visibility of the rule. However, when associated
investigation visibility does not match the rule visibility—such as cases
where users modify the investigation visibility outside of the rule—
investigation visibility is not automatically updated.
If you do not have access to the associated investigation because of its
visibility setting, investigation details are not displayed and you cannot make
any changes to the investigation on the Investigation tab of the Edit Rule
window.
If the rule was configured to associate matched intelligence with threat model
entities, you can use the Selected filter to reference the Threat Model entities
that have already been saved for the rule in a read-only list. If you want to
remove selected entities, you must remove the Selected filter and use the
search function to locate them.
6. Click Save Rule.
Note: Changes to existing rules can take up to five minutes to take effect on
keyword matching behavior.
Exporting Rules
You can export your configured rules in CSV format.
To export configured rules:
1. Navigate to Manage > Rules.
2. Select the rules you want to export, or leave all rules unselected to export all
configured rules.
3. Under Actions, click Export.
4. Specify a maximum Number of Records to Export.
5. Click Export. Your CSV download will start immediately.
You can also export matches for a rule in CSV format.
To export rule matches:
1. Navigate to Manage > Rules.
2. Click the rule that contains the matches you want to export.
3. Select the matches you want to export, or leave all matches unselected to export
all matches.
4. Under Actions, click Export.
5. Specify a maximum Number of Records to Export.
6. Click Export. Your CSV download will start immediately.
Removing Configured Rules
Org Admins can delete any rule created by their organization. Non Admin users can
delete only rules to which they have access.
To remove a configured rule:
1. Navigate to Manage > Rules.
2. Select the rules you want to remove.
3. Under Actions, click Remove Selected.
Receiving Rules Email Notifications
ThreatStream enables you to receive email notifications when Rules are triggered.
You can also receive an hourly digest of rule matches in your organization.
ThreatStream grants you additional granularity in controlling the email notifications
you receive with the Notify Me setting. From the Rules list view screen, you can
enable and disable email notifications for specific rules.
This setting controls email preferences at the user level. When you enable or
disable notifications for a specific rule, only your specific email preferences are
updated. Doing so does not impact whether other users in your organization receive
notifications.
To receive email notifications for your rules:
1. In the top navigation bar, click and then My Profile.
2. Locate Rules under Notifications.
3. To subscribe to Rules Matches email notifications, select Immediate in the
Email drop down.
To subscribe to the hourly Rules Matches digest email, select Hourly in the
Email drop down.
Note: To receive notifications for a specific rule, ensure that Notify Me is
enabled for the rule from the Rules list view screen. You do not receive email
notifications for rules when Notify Me is disabled.
For more on email notifications in ThreatStream, see "Receiving Notifications from
ThreatStream" on page 62.
Example Rule Match Email Notification
In the email notification sent for an observable match, Date provides the timestamp
when the matched observable was first imported and Rule Match Date provides the
timestamp of the most recent import that the rule matched.
Chapter 18: Managing Intelligence Streams
This chapter covers the following topics:
Anomali Threat Research Streams 596
Importing Streams Using Basic Submission 597
Importing Streams Using Advanced Submission 600
Viewing Stream Details 603
Editing Stream Sources 604
Disabling Stream Sources 605
Exporting Stream Details 605
The Streams page enables you to do the following:
l View streams currently feeding your threat intelligence
l Submit new streams that your organization has access to
l Edit previously submitted streams
Viewing Stream Sources
The Streams page displays a list of every stream feeding your threat intelligence,
including premium feeds purchased from the APP Store. To view the list, navigate to
Manage > Streams.
Actions:
l New Stream: Create a new stream on ThreatStream.
There are two stream submission methods:
n Basic Stream Submission: Used for plain text streams with one entry per
line. A majority of streams are compatible with this method. See "Importing
Streams Using Basic Submission" on page 597 for more information.
n Advanced Stream Submission: Used for all streams not compatible with the
basic submission method, such as those that employ HTML formatting.
Regular expressions must be provided in order to select the proper data. See
"Importing Streams Using Advanced Submission" on page 600 for more
information.
l Export CSV: Export stream details in CSV format. See "Exporting Stream
Details" on page 605 for more information.
Note: Streams that require authentication cannot be submitted. Please contact
Anomali support with any questions.
Search: Search for streams on ThreatStream by name.
Filter: Filter the streams listed on the page by Visibility and Status.
Stream Names: Name of the stream. Click the stream name to view stream
details, deactivate the stream, or edit the stream. See "Viewing Stream Details" on
page 603 for more information.
Active iTypes: Recent indicator types provided by the stream.
Visibility: Visibility of the threat intelligence data provided by the stream.
Interval: Interval at which the stream is updated on ThreatStream.
Active: Whether the stream is currently feeding your threat intelligence on
ThreatStream.
Last Seen: Timestamp of when the stream was most recently updated.
Anomali Threat Research Streams
The Anomali Threat Research Team (ATR) makes a number of curated threat
intelligence streams available on ThreatStream. These streams were renamed in
June 2021. For reference, the table below lists the previous and current name of
each ATR curated stream.
Previous Name -> Current Name
Anomali Labs Compromised Credentials -> Anomali Threat Research Compromised Credentials
Anomali Labs Domains Paid for with Bitcoins -> Anomali Threat Research Bitcoin Paid Domains
Anomali Labs Domains Registered via Disposable Email -> Anomali Threat Research Disposable Email Domains
Anomali Labs Malware Indicators -> Anomali Threat Research Malware Indicators
Anomali Labs Sinkholed Malicious Domains -> Anomali Threat Research Sinkholed Domains
Anomali Labs Suspicious Domains by Actors -> Anomali Threat Research Suspicious Domains
Anomali Labs TOR Nodes -> Anomali Threat Research TOR Nodes
Importing Streams Using Basic Submission
The Basic submission form is compatible with unformatted, plain text streams with
one entry per line. This makes up a majority of intelligence streams that
ThreatStream users submit.
Basic submissions extract data based on the indicator types you specify in the Entry
Mappings section. For more on the indicator types used in ThreatStream, see
"Indicator Types in ThreatStream" on page 702.
Stream submissions are always private to your organization.
Note:
- Streams with formatting of any kind are not compatible with the basic
submission form. See "Importing Streams Using Advanced Submission" on
page 600 for more information on subscribing to formatted intelligence streams.
- You can also use the ThreatStream import assistant to perform a one-time
scrape of plain text intelligence streams. See "Importing Observables From
Plain Text Intelligence Streams" on page 285.
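What the Basic form does with such a stream, as an added example that is not ThreatStream's own code: the Python below reads a constructed plain-text feed, classifies each line, applies an Entry Mappings table to pick an indicator type, and stamps the stream-level defaults (Confidence, Severity, Expiration, Tags) onto each observable. The feed body, the mappings, the defaults and the indicator type names (mal_ip, phish_domain, phish_email, mal_md5) are assumptions made for this example; check the names against the Indicator Types appendix before relying on them.

```python
import ipaddress
import re
from datetime import date, timedelta

# Added example, not ThreatStream code: a local model of a Basic stream
# submission applied to a plain-text feed. Feed body, entry mappings,
# defaults and indicator type names are all constructed assumptions.

SAMPLE_STREAM = """\
# constructed sample feed: one entry per line, '#' lines are comments
198.51.100.7
phish-login.example
203.0.113.0/24
bad-actor@example.net
0123456789abcdef0123456789abcdef
not an indicator
"""

# What the form's Entry Mappings would choose for each kind of entry
# (assumed itype names; entry kinds with no mapping are skipped).
ENTRY_MAPPINGS = {
    "ip": "mal_ip", "cidr": "mal_ip", "domain": "phish_domain",
    "email": "phish_email", "md5": "mal_md5",
}

# Stream-level defaults corresponding to the settings table.
STREAM_DEFAULTS = {"confidence": 60, "severity": "medium",
                   "expiration_days": 30, "tags": ["sample-stream"]}

DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}",
    re.IGNORECASE)
EMAIL_RE = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_entry(entry):
    """Return the kind of one stream line, or None if it is not recognised."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    if "/" in entry:
        try:
            ipaddress.ip_network(entry, strict=False)
            return "cidr"
        except ValueError:
            return None
    if EMAIL_RE.fullmatch(entry):
        return "email"
    if re.fullmatch(r"[0-9a-fA-F]+", entry) and len(entry) in HASH_LENGTHS:
        return HASH_LENGTHS[len(entry)]
    if DOMAIN_RE.fullmatch(entry):
        return "domain"
    return None


def parse_stream(text, mappings, defaults, today):
    """Turn a plain-text stream into observables using the entry mappings.
    Blank and comment lines are ignored; lines with no mapping are returned
    separately so they can be reviewed before the stream goes live."""
    observables, skipped = [], []
    expires = today + timedelta(days=defaults["expiration_days"])
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        itype = mappings.get(classify_entry(entry))
        if itype is None:
            skipped.append(entry)
            continue
        observables.append({
            "value": entry, "itype": itype,
            "confidence": defaults["confidence"],
            "severity": defaults["severity"],
            "expiration": expires.isoformat(),
            "tags": list(defaults["tags"]),
        })
    return observables, skipped


def demo(today=date(2021, 8, 27)):
    """Parse the constructed feed with the assumed mappings and defaults."""
    return parse_stream(SAMPLE_STREAM, ENTRY_MAPPINGS, STREAM_DEFAULTS, today)


if __name__ == "__main__":
    observables, skipped = demo()
    for obs in observables:
        print(obs)
    print("skipped:", skipped)
```

The free-text line is reported rather than silently dropped, which is the check worth doing on a new stream: a feed that mixes formats or HTML is a candidate for Advanced submission, not for Basic.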
To import a stream using basic submission:
1. Navigate to Manage > Streams.
2. In the Actions menu, click New Stream and then Basic Stream Forms.
3. Configure the following stream settings:
Setting Description
Name: Name for the stream.
URL: URL where the stream is hosted. Prefer an HTTPS URL: the stream is fetched
without authentication at the configured Interval, so a plain HTTP source can be
altered in transit before its observables reach ThreatStream.
Visibility: Visibility of the observables provided by the stream in ThreatStream.
You can select My Organization (visible to your organization only) or Anomali
Community (visible to all ThreatStream users).
Confidence: Default source reported Confidence score for the intelligence provided
by the stream.
If you selected My Organization for Visibility, you can select Override System
Confidence to use the selected default Confidence score over assigned
ThreatStream Confidence scores.
For more on observable confidence, see "Observable Confidence in ThreatStream"
on page 235.
Severity: Default severity value for observables from the stream.
Interval: Interval at which intelligence should be pulled from the stream.
Expiration: The number of days you want intelligence from this stream to stay
active.
Tags: Tags you want to associate with intelligence from this stream. As you type,
the 20 most used tags in your organization from the previous seven days are
displayed. Enter * to display a list of preferred tags configured by your
organization, in addition to pre-defined kill chain phase tags. For more on
configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on
page 200.
Tags assigned the My Organization visibility setting are only visible to your
organization. Tags assigned the Anomali Community visibility setting are visible to
users of all organizations that have access to the observable. See "Adding Private
Tags to Observables" on page 243 for more information.
Note: Observables can contain up to 200 tags per organization. Tags added by
other organizations do not count toward this limit.
4. Populate the following Entry Mappings fields:
Field: Definition
Domain Mapping: Indicator type that domains from the stream will be given.
Email Mapping: Indicator type that email addresses from the stream will be given.
Hash Mapping: Indicator type that hashes from the stream will be given.
IP Mapping: Indicator type that IP addresses from the stream will be given.
IPv6 Mapping: Indicator type that IPv6 addresses from the stream will be given.
URL Mapping: Indicator type that URLs from the stream will be given.
5. Click Submit.
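As an added illustration (not part of the guide), the following Python script previews how a plain-text, one-entry-per-line stream would be split across the six Entry Mapping buckets of the Basic form before you submit it, so you can see which lines would be dropped. The matching rules are the author's assumptions, not ThreatStream's own, and the feed content is constructed.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample of an unformatted stream: one entry per line, the only
# layout the Basic submission form accepts. A comment, a blank line and a
# non-indicator line are included to show that they yield no entry.
SAMPLE_PLAINTEXT_STREAM = """\
# constructed example feed
bad-domain.example
attacker@example.net
d41d8cd98f00b204e9800998ecf8427e
203.0.113.9
2001:db8::1
http://bad-domain.example/payload.bin

not-an-indicator
"""

# Assumed matching rules (the guide does not document the form's own).
_HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.I,
)
_URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.I)

ENTRY_MAPPINGS = ("domain", "email", "hash", "ip", "ipv6", "url")


def classify_entry(entry: str) -> Optional[str]:
    """Return the Entry Mapping bucket one line would fall into:
    'ip', 'ipv6', 'hash', 'email', 'url' or 'domain'. Returns None for an
    empty line, a comment, or a line that matches no bucket."""
    value = entry.strip()
    if not value or value.startswith("#"):
        return None
    # IP literals first: ipaddress distinguishes v4 from v6 for us.
    try:
        addr = ipaddress.ip_address(value)
        return "ipv6" if addr.version == 6 else "ip"
    except ValueError:
        pass
    # Hashes are bare hex strings of a known digest length.
    if len(value) in _HEX_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", value):
        return "hash"
    # URLs before domains, since a URL also contains a host name.
    if _URL_RE.match(value):
        return "url"
    if _EMAIL_RE.match(value):
        return "email"
    if _DOMAIN_RE.match(value):
        return "domain"
    return None


def map_stream(content: str) -> dict:
    """Group every line of a plain-text stream under its Entry Mapping
    bucket, preserving order. Lines the form would not extract are
    collected under 'unmapped' so they can be reviewed before submission."""
    buckets = {name: [] for name in ENTRY_MAPPINGS + ("unmapped",)}
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        bucket = classify_entry(stripped) or "unmapped"
        buckets[bucket].append(stripped)
    return buckets


if __name__ == "__main__":
    for bucket, entries in map_stream(SAMPLE_PLAINTEXT_STREAM).items():
        print(f"{bucket:>9}: {entries}")
```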
Importing Streams Using Advanced Submission
The Advanced stream submission method must be used with non-plain text streams
that use any kind of formatting. Advanced stream submissions use regular
expressions to distinguish the intelligence from the formatting and prevent the
collection of false positives.
Advanced stream submissions extract data based on the observable types mapped
to the Group Name you specify in your regular expression.
Stream submissions are always private to your organization.
Creating Regular Expressions for Advanced Stream Submissions
Regular expressions tell the data scraper where the intelligence is on the page. In
other words, regular expressions provide the pattern that the scraper uses to parse
the intelligence values.
The example below illustrates a successful regular expression.
Sample stream code:
<td><a href="/host/134.247.2.21/"
The IP addresses provided by this stream are located in a table. For the scraper to
collect only the IP addresses, a regular expression must pinpoint the intelligence
and assign it to a Group Name. Group Names are then mapped to an observable
type.
The sample below illustrates a regular expression that successfully selects the
needed intelligence.
Sample regular expression:
\/host\/(?P<srcip>[\d\.]+)\/
The above regular expression assigns the intelligence from the stream to the Group
Name srcip.
Though the form will not let you submit an invalid regular expression, it is possible to
submit a valid regular expression that fails to select the necessary data. To prevent
these types of errors, test your regular expression to ensure it selects the needed
information before submitting it.
After entering a valid regular expression, you can confirm that the specified Group
Name is mapped to the correct observable type.
To import a stream using advanced submission:
1. Navigate to Manage > Streams.
2. In the Actions menu, click New Stream and then Advanced Stream Source.
3. Configure the following stream settings:
Setting: Description
Name: Name for the stream.
URL: URL where the stream is hosted.
Visibility: Visibility of the observables provided by the stream in ThreatStream. You can select My Organization (visible to your organization only) or Anomali Community (visible to all ThreatStream users).
Confidence: Default source reported Confidence scores for the intelligence provided by the stream.
For more on observable confidence, see "Observable Confidence in ThreatStream" on page 235.
Severity: Default severity value for observables from the stream.
Interval: Interval at which intelligence should be pulled from the stream.
Expiration: The number of days you want intelligence from this stream to stay active.
Tags: Tags you want to associate with intelligence from this stream. As you type, the 20 most used tags in your organization from the previous seven days are displayed. Enter * to display a list of preferred tags configured by your organization, in addition to pre-defined kill chain phase tags. For more on configuring Preferred Tags, see "Adding Preferred Tags to Intelligence" on page 200.
Tags assigned the My Organization visibility setting are only visible to your organization. Tags assigned the Anomali Community visibility setting are visible to users of all organizations that have access to the observable. See "Adding Private Tags to Observables" on page 243 for more information.
Note: Observables can contain up to 200 tags per organization. Tags added by other organizations do not count toward this limit.
iType: Indicator type you want to assign to all intelligence from the stream.
4. Enter a Regex that parses the intelligence in the stream from any formatting on
the page.
5. Confirm the Group Name from your regular expression is mapped to the correct
observable type.
6. Click Submit.
Viewing Stream Details
Stream details pages display all configured stream parameters and a list of indicator
types received from the stream. You can also edit and deactivate streams which
were submitted by your organization.
Stream Name: Name of the stream whose details you are currently viewing.
Stream Details: Details of the stream configured during submission.
Observed iTypes: A list of indicator types provided by the stream within the last
90 days.
Deactivate Stream: Deactivate the stream. See "Disabling Stream Sources" on
the next page for more information.
Edit: Edit the stream. See "Editing Stream Sources" below.
Editing Stream Sources
Streams submitted by your organization can be edited.
User Privilege Requirements
Users with Org Admin privileges can edit any submitted stream. Non-admins can
only edit streams that they themselves have submitted.
To edit a stream source:
1. Navigate to Manage > Streams.
2. In the Streams table, locate and click the stream source you want to edit.
3. On the details page of the stream, click Edit.
4. Make required changes.
5. Click Save.
Note: Streams cannot be deleted from the ThreatStream UI. However, streams
can be disabled. See "Disabling Stream Sources" below for more information.
Please contact Anomali support with any questions.
Disabling Stream Sources
Streams submitted by your organization can be disabled. When you disable
streams, they no longer feed your threat intelligence on ThreatStream. Disabling a
stream does not remove it from the ThreatStream UI.
Users with Org Admin privileges can edit any submitted stream. Non-admins can
only edit streams that they themselves have submitted.
To disable a stream:
1. Navigate to Manage > Streams.
2. In the Streams table, locate and click the stream source you want to disable.
3. Click Deactivate to disable the stream.
The status will change to Inactive. You can reactivate the stream by clicking
Activate Stream.
Exporting Stream Details
You can export details of the streams feeding your Threat Intelligence on
ThreatStream in CSV format. When you trigger an export, the resulting CSV file
contains information on all of the streams displayed on the Streams screen.
Exported details include:
- Stream status (active)
- Visibility (classification)
- Stream ID (id)
- Last Seen (last_imported)
- Stream Name (name)
The following is an example of an exported stream list:
To export stream details:
1. Navigate to Manage > Streams.
2. In the Actions menu, click Export CSV.
Your export begins automatically.
Chapter 19: Analyzing Malware with the
ThreatStream Sandbox
This chapter covers the following topics:
Available Sandbox Services in ThreatStream 608
Information in a Sandbox Report 610
Submitting Malware for Detonation 611
Viewing Sandbox Reports 615
Importing Observables from the Sandbox Report 617
Exporting a Sandbox Report 617
Deleting a Sandbox Report 619
Editing Sandbox Report Visibility 620
Activating Joe Sandbox 621
Activating VMRay 623
Troubleshooting Joe Sandbox Submissions 629
Malware analysis can be a lengthy and resource intensive process when done
manually. Additionally, analyzing Malware on your primary systems (that hold your
software and data) can compromise them. Sandboxes provide a secluded
environment to run Malware and review the results without compromising your
primary systems.
ThreatStream provides a hosted Sandbox that allows you to automatically analyze
Malware (files or URLs) and generates detailed reports of the findings. You can use
these reports to determine the severity and impact of a particular Malware on your
organization. Using a Sandbox for threat analysis enables you to focus your efforts
only on Malware samples that will severely impact your organization, thus saving
you time and resources.
When you upload a Malware file or URL, you can select whether the results of
detonation should be available to everyone (Anomali Community), accessible to
your organization only (My Organization), or shared with Trusted Circles.
You can also opt to import Malware that is found to be malicious or suspicious
during detonation.
Note: Sandbox detonation results depend on many factors, including
environment settings of the system used for detonation and the sample being
used, and can vary even in cases where the same sample is used. If you have
any sandbox related questions or concerns, please contact Anomali Support for
further guidance.
Available Sandbox Services in ThreatStream
ThreatStream offers multiple sandbox configurations you can leverage for Malware
detonation.
Joe Sandbox via ThreatStream
ThreatStream offers Joe Sandbox to all premium customers at no extra cost. The
ThreatStream Joe Sandbox service is not enabled by default and must be activated
by an Org Admin. See "Activating Joe Sandbox" on page 621 for further
instructions on configuring the ThreatStream Joe Sandbox service.
When activated, your organization will use the ThreatStream Joe Sandbox service
exclusively and the default sandbox service becomes unavailable. Remaining
detonations are displayed in the "Analyze in Sandbox" section prior to submitting a
detonation.
Note: When you detonate archive files—such as .zip, .rar, or .7z files—Joe
Sandbox only processes and returns a report for the first four files in the archive.
Archive files count as a single submission toward your daily quota. However,
individual reports are returned for each detonated file. If you detonate a URL that
points to an archive file, the URL is also detonated.
The ThreatStream Joe Sandbox service provides the following platforms for
Malware detonation:
- Windows 10
- Windows 7
- Windows 7 with Office
- High Sierra 10.13.2 with Office
- Ubuntu Linux 16.04 x64 with LibreOffice 5.1.6.2
- Android 9
Note: URLs are detonated using the Chrome web browser.
Submitting Password Protected Archive Files to Joe Sandbox
Joe Sandbox accepts password-protected archive files—such as .zip, .rar, or .7z.
You can specify the password for the protected archive file during submission.
Passwords must contain letters and numbers only. Special characters are not
supported.
If you do not specify a password for uploaded files, Joe Sandbox attempts to open
protected files with the default password—"infected".
Joe Sandbox via an Individual Subscription
ThreatStream enables you to activate Joe Sandbox with your own Joe Security
subscription. This involves using your credentials for an existing Joe Security
subscription to activate the Joe Sandbox service. See "Activating Joe Sandbox" on
page 621 for further instructions on configuring Joe Sandbox with an individual
subscription.
When you activate Joe Sandbox with your own subscription, your organization can
use either Joe Sandbox or the default ThreatStream sandbox for Malware
detonation. ThreatStream does not impose submission limits when you activate Joe
Sandbox with your own Joe Security subscription.
VMRay via an Individual Subscription
ThreatStream enables users with VMRay subscriptions to leverage VMRay for
Malware detonation. If you have an active VMRay integration on ThreatStream, you
can leverage VMRay for malware detonation from the Sandbox screen on
ThreatStream. Unlike other sandbox services, VMRay dynamically selects
detonation platforms based on the submission you make and enables detonations
on multiple platforms per submission. See "Activating VMRay" on page 623 for more
information on activating VMRay on ThreatStream.
After you activate VMRay, you can continue to use the ThreatStream Joe Sandbox
service. If you have not activated the ThreatStream Joe Sandbox service, you can
continue to use the default Cuckoo service.
Default Cuckoo Sandbox
ThreatStream is also integrated with the Cuckoo Sandbox service, which supports
Windows 7 detonations. This Sandbox service is available to all customers.
However, if you activate the Anomali-provided Joe Sandbox integration, the Cuckoo
sandbox service is not available for malware detonation from the ThreatStream user
interface. If you activate Joe Sandbox through an individual subscription, the
Cuckoo remains an available sandbox service for malware detonation from the
Sandbox screen. Sandbox detonations are limited to 150 submissions per 24 hours.
In general, when you submit a file to the default Sandbox, the default runtime
behavior for that file is similar to what it would be if the file was run on a Windows
platform. Therefore, if you submit a .tar file, the Sandbox will not provide a full
(step-by-step) runtime behavior of the file.
Information in a Sandbox Report
A typical Sandbox analysis report on ThreatStream provides the following
information:
- A slideshow of the steps taken to detonate the Malware.
- Details and Signatures of the Malware.
- Network and behavior analysis of the Malware.
- Other details about the Sandbox operation, such as whether the report is Anomali Community or My Organization.
- A link to obtain the analysis report from the Sandbox site that was used to detonate the Malware (View Details link).
If you selected Import Indicators when you detonated the Malware, an import
session is automatically created for Malware that is marked "Suspicious" or
"Malicious." You can use this session to import malicious observables into
ThreatStream. For Malware classified as "Benign", an import session is not created.
See "Importing Observables from the Sandbox Report" on page 617 for more
information.
For Joe Sandbox, you can download reports in PDF and PCAP (packet capture)
formats. For the default ThreatStream sandbox, you can download reports in PDF,
PCAP (packet capture), and JSON formats. See "Exporting a Sandbox Report" on
page 617 for more information.
Submitting Malware for Detonation
To submit malware for detonation:
1. Navigate to Research > Sandbox.
2. In the Actions menu, click New Sandbox Detonation.
3. Specify the following parameters on the ANALYZE IN SANDBOX window:
Field: Definition
Add your detonation file: If you are submitting a file:
a. Click Upload a New File.
- You can upload a file in any format that is compatible with the platform you selected in step 4.
- The maximum size supported for the file is 10 MB.
b. Click Select File to browse to the location of the file and select it.
If detonating on Joe Sandbox and the file is password protected, select File is encrypted and enter the password for the file.
Passwords can contain letters and numbers only. Special characters are not supported. If you do not specify a password for uploaded files, Joe Sandbox attempts to open protected files with the default password—"infected".
Note: VMRay and Cuckoo do not support password protected files.
If you are submitting a URL:
a. Click Paste a URL.
b. Enter the URL in the text box below.
Note: Joe Sandbox does not support URL submissions on the MacOS platform.
Select Provider: Select the sandbox provider to whom you want to make the submission.
Select Platform: Select the platform on which the submitted Malware will be detonated.
Note: VMRay dynamically selects a detonation platform based on the submission you make. Therefore, this option is not available when making submissions to VMRay.
# of Detonations (Premium VMRay Subscriptions Only): Specify the number of detonations you want VMRay to perform for the submission. If you specify 2 or 3, VMRay performs the detonations on different platforms. A Sandbox Report is created on ThreatStream for each detonation that returns results.
Each detonation is treated as a submission toward your quota. Therefore, if VMRay detonates a submission on three different platforms, your number of remaining detonations is reduced by three. However, if you submit an archive file which contains multiple files, VMRay attempts to detonate each file and your number of remaining detonations is only reduced by one.
Note: The VMRay freemium service is limited to one detonation per file or URL. Thus, this field is not displayed for users of the VMRay freemium service.
Import Observables: Select Import Observables if you want ThreatStream to create an import job for any observables discovered during detonation.
Note: This option may be disabled depending on how your Org Admin has configured your organization settings. See "Allow Observable Imports from Sandbox" on page 75 for more information.
Tags: Enter any tags you want to associate with the resulting Sandbox Report.
Visibility: Select a Visibility setting—Anomali Community, My Organization, or Trusted Circles.
If you selected Trusted Circles, check the Trusted Circles with which you want to share the report from the provided list.
Note: After detonation is complete, the visibility setting can only be edited to increase the visibility of the resulting sandbox report. Visibility cannot be edited to restrict visibility of the sandbox report. As such, if you select Anomali Community during submission, you may not edit the visibility setting after detonation is complete.
Note: The number of submissions you can make in a 24 hour period varies
between sandbox vendors. You can view the number of submissions you
have left after selecting a vendor on the Analyze in Sandbox window. The
count is displayed at the bottom of the window.
4. Click Analyze. The malware is submitted to the Sandbox. An entry is created on
the Sandbox screen in Processing status.
The status changes to Done after the submission is processed. Click the blue
icon to view the Sandbox Report.
Note: If you submitted an archive file individual reports are generated for each
file detonated by the sandbox service.
Viewing Sandbox Reports
You can access sandbox reports from the Sandbox List View screen.
Search sandbox reports by keyword.
Filter sandbox reports by date, visibility, result, status, trusted circles, user, and
platform. Select Owned by My Organization to display only sandbox detonations
created by your organization. Select Shared with My Organization to display
detonations created by other organizations. By default, only detonations created by
your organization are displayed.
Toggle the number of results displayed per page.
Actions:
- New Sandbox Detonation: Create a new sandbox detonation. See "Submitting Malware for Detonation" on page 611 for more information.
- Export CSV: Export selected reports in CSV format. See "Exporting Sandbox Reports in CSV Format" on page 618.
- Start/Continue Investigation: Add the selected sandbox report to a new or existing investigation. See "Investigating Threats in ThreatStream" on page 325 for more information.
- Delete: Delete the selected sandbox reports. See "Deleting a Sandbox Report" on page 619 for more information.
View selected filters.
Date the sandbox submission was made.
Name of the submission.
Link to the sandbox report.
Platform on which the Malware was detonated.
User who made the sandbox submission. This field is blank for sandbox
detonations created by other organizations.
Visibility of the sandbox report—My Organization (private), Trusted Circles, or
Anomali Community (public).
Status of the sandbox report.
Result of the sandbox report—Malicious, Benign, or Suspicious.
To view a sandbox report:
1. Navigate to Manage > Sandbox.
2. Locate the sandbox report of interest.
3. In the Submission column, click the report icon.
Details of the report are displayed. Examine the details to determine next steps. For
more information, see "Information in a Sandbox Report" on page 610.
Importing Observables from the Sandbox Report
If you select Import Observables when submitting Malware to the sandbox, an
import session is automatically created if Malware is found to be "Malicious" or
"Suspicious." Import sessions must be approved before the observables will
become part of your threat intelligence on ThreatStream.
To import observables from a detonation report:
1. Follow the process to view the detonation report as described in "Viewing
Sandbox Reports" on page 615.
2. If an import session is available, click the link available next to Import Session.
The Import Review page is displayed.
3. If you do not have the Approve Import user privilege, select the observable and
click Send Admin Review Request.
If you do have the Approve Import user privilege, see "Approving Import Jobs"
on page 308 for further instruction on completing the import process.
Exporting a Sandbox Report
Sandbox reports can be exported in the following formats:
- PDF
- PCAP (raw packet capture)
- CSV
Exporting Sandbox Reports in PDF and PCAP Formats
PDF and PCAP exports can be initiated from the Detonation Report page.
To export a sandbox report in PDF or PCAP format:
1. Follow the process to view the detonation report as described in "Viewing
Sandbox Reports" on page 615.
2. Depending on the format you want the sandbox report in, click the appropriate
button, as shown below.
The report is downloaded to your local system. All timestamps are displayed in
UTC when exported.
Exporting Sandbox Reports in CSV Format
CSV exports can be initiated from the Sandbox List View screen. CSV exports
contain the following fields for each report: Date added, Platform, Result, Status,
Submission, User, Vendor, and Visibility.
To export sandbox reports in CSV format:
1. Navigate to Manage > Sandbox.
2. Select the Sandbox Reports you want to include in the export.
Note: The top 10,000 reports are included in the export if you do not select
any Sandbox Reports and then click Export CSV.
3. In the Actions menu, click Export CSV.
Your download starts immediately.
Deleting a Sandbox Report
Org Admins can delete sandbox reports that are owned by their organization.
When you delete a sandbox report, unapproved import sessions associated with
sandbox reports will also be deleted. Import sessions that have already been
approved will not be deleted.
To delete sandbox reports:
1. Navigate to Research > Sandbox.
2. Under Owned By Your Organization, select the sandbox reports you want to
delete.
3. In the Actions menu, click Delete.
4. Click OK.
Editing Sandbox Report Visibility
After detonation is complete, org admins can edit the visibility setting of sandbox
reports to increase their visibility. You cannot edit a sandbox report to restrict its
visibility. As such, if you selected Anomali Community during submission, you
cannot edit the visibility of the resulting report. The following table lists the visibility
changes you can make:
Detonation Visibility Setting -> Visibility After Editing
- My Organization -> Anomali Community
- My Organization -> Trusted Circles
- Trusted Circles -> Anomali Community
- Trusted Circles -> Trusted Circles (shared with additional trusted circles)
You can only edit the visibility of sandbox reports that belong to your organization.
Note: Once you have edited the visibility setting, you may not edit it again to
restrict the visibility of the report. Please contact Anomali support for assistance.
To edit the visibility of a sandbox report:
1. Navigate to Manage > Sandbox.
2. In the Submits columns of the "Owned By Your Organization" section, identify
the Malware file name or URL.
3. In the Report column, click Show report.
4. Click Edit Visibility. If this button is not displayed, the visibility of the sandbox
report cannot be edited.
5. Select a new visibility setting.
6. Click OK.
Activating Joe Sandbox
ThreatStream enables you to choose between the default sandbox and a
ThreatStream provided Joe Sandbox service, available at no extra cost.
Alternatively, if you have a Joe Security subscription of your own, you can use it for
Malware detonation in ThreatStream.
Activating the ThreatStream Joe Sandbox Service
Org Admins can activate the ThreatStream provided Joe Sandbox service for their
organization from the Sandbox page. Once activated, your organization uses the
ThreatStream Joe Sandbox service exclusively and cannot use the default Sandbox
service.
Caution: As a best practice, ensure that all Malware detonation jobs are
complete before activating or deactivating the Joe Sandbox service. Any jobs
with the status Processing at the time of Joe Sandbox activation or deactivation
will fail.
To activate the ThreatStream Joe Sandbox Service:
1. Navigate to Research > Sandbox. If you are eligible to use the ThreatStream
Joe Sandbox service, you will see the following at the top of the screen.
2. Click Use Joe Sandbox.
3. If you agree to the terms of service, check the box and click Accept.
Joe Sandbox is available from the Sandbox UI.
Note: If you have any mailboxes configured to use Windows 7 on the default
Cuckoo Sandbox for detonation, mailboxes are automatically reconfigured to
use Joe Sandbox at the time of activation. See "Managing Mailboxes" on
page 83 for more information.
Activating Joe Sandbox on ThreatStream with an Individual Subscription
If you have your own Joe Security subscription, you may use your Joe Sandbox
API key to activate Joe Sandbox on ThreatStream. Once you enter your API key for
Joe Sandbox, you can select your individual Joe Sandbox service from the Select
Client drop down during detonation.
Caution: As a best practice, ensure that all Malware detonation jobs are
complete before activating or deactivating the Joe Sandbox service. Any jobs
with the status Processing at the time of Joe Sandbox activation or deactivation
will fail.
To activate Joe Sandbox on ThreatStream with an individual subscription:
1. In the top navigation bar, click and then Integrations.
2. Locate the Joe Sandbox tile and click Activate.
3. Enter the following information:
Field: Description
API Endpoint: Specify the API Endpoint associated with your organization's Joe Sandbox account.
Example: https://jbxcloud.joesecurity.org/index.php/api/
API Key: Specify the API key. You can retrieve your API key from the API Key tab within Joe Sandbox user settings.
Note: Only one set of API Endpoint and API Key can be specified per
organization. The values you configure here are used by all users in your
organization when they access the service.
4. Click Save.
The status button for the service changes to Deactivate. The service will
become available five minutes after you click Save.
Note: After activation, you can configure mailboxes to use your individual Joe
Sandbox service for detonation. See "Managing Mailboxes" on page 83 for more
information.
Activating VMRay
The ThreatStream integration with VMRay enables users to leverage the VMRay
commercial service for malware detonation within the ThreatStream platform.
VMRay also offers activation to ThreatStream users on a freemium basis.
ThreatStream users can activate the freemium VMRay sandbox service at no
additional charge. See "Activating the VMRay Freemium Service" on page 627 for
more information.
Once activated, VMRay becomes one of the available Sandbox vendors on the
ThreatStream Sandbox user interface. Depending on the sandbox services to which
your organization subscribes, you can choose between VMRay and other services,
such as the ThreatStream Joe Sandbox service, Joe Sandbox with an individual
subscription, or the default ThreatStream sandbox (Cuckoo).
The submission quota allotted to you as a VMRay user depends on the terms of
your subscription. When making VMRay submissions, your remaining quota is
displayed next to Remaining submissions for this 24 hour period on the Sandbox
submission window.
Note: When you detonate archive files—such as .zip, .rar, or .7z files—VMRay
attempts to detonate each file contained in the archive. For VMRay premium
users, each detonated file is counted towards your quota. For VMRay freemium
users, archive files count as a single submission toward your daily quota.
Individual reports are returned for each detonated file. If you detonate a URL that
points to an archive file, the URL is also detonated.
In order to activate the integration, you must have an active subscription with
VMRay and enter your VMRay Analyzer API key on the Integrations tab within
ThreatStream settings.
To activate the VMRay integration:
1. Obtain your VMRay Analyzer API Key from the VMRay platform.
a. On the VMRay platform, click Analysis Settings in the user menu.
b. Click API Keys.
c. Locate the API Key which displays VMRay Analyzer in the Product Type
column and click Show Key. Your API Key is displayed. You will use this API
Key to activate the integration on the ThreatStream user interface.
2. Ensure Dynamic Analysis is configured for the API Key.
a. Click Edit in the Actions menu for the API Key you will use to activate the
integration.
b. Under Advanced Configurations, locate the Max Dynamic Analyses Per
Sample setting. Ensure that System default is selected.
c. Click Save.
You are now ready to activate the integration.
3. On the ThreatStream user interface, click the settings icon and then Integrations.
4. Locate the VMRay tile and click Activate.
5. Enter the following information:
URL: Specify the URL of the VMRay host where your account is based. You can confirm this URL by referencing your VMRay account activation email, as displayed in the following example:
Tip: This is the URL you use to connect to the VMRay user interface.
API Key: Your VMRay Analyzer API Key.
Select Number of Detonations: Specify the maximum number of detonations you want organization members to make per submission.
Note: VMRay can execute multiple detonations on different operating systems depending on the type of submission. Users can select an upper limit for the number of detonations that VMRay can attempt for each sandbox submission. This parameter sets the highest number users can select at the time of submission.
6. Click Save.
Your VMRay integration is active and ready for use. You can leverage VMRay for malware detonation from the Sandbox screen on ThreatStream. See "Submitting Malware for Detonation" on page 611 for more information.
Note: After activation, you can configure mailboxes to use VMRay for
detonation. See "Managing Mailboxes" on page 83 for more information.
Activating the VMRay Freemium Service
The VMRay freemium offering provides the same functionality as the premium
VMRay sandbox service. However, your organization is limited to two submissions
per day when using the VMRay freemium sandbox service. Unlike the premium
service, you can only perform one detonation per file or URL submission. You can
track your remaining quota on the Sandbox submission window next to Remaining
submissions for this 24 hour period.
After activation, you can configure mailboxes to use the VMRay freemium service for detonation. However, mailboxes configured to use the freemium service will not initiate sandbox detonations if you have reached your daily quota.
Org Admins can activate the service from the Integrations tab within ThreatStream
settings. Activation involves agreeing to the VMRay EULA. Registration is not
required and no user information is sent to VMRay upon activation.
Note: When you use the VMRay freemium sandbox service, all data is processed in the VMRay cloud hosted in the United States.
To activate the VMRay freemium service:
Note: VMRay premium and freemium services cannot be active at the same
time.
1. In the top navigation bar, click the settings icon and then Integrations.
2. Locate the VMRay (Freemium) tile and click Set Up.
3. Select Agree to End User License Agreement and click Activate.
Your VMRay freemium integration is active and ready for use. You can leverage the VMRay freemium service for malware detonation from the Sandbox screen on ThreatStream. See "Submitting Malware for Detonation" on page 611 for more information.
Troubleshooting Joe Sandbox Submissions
The table below lists common error messages passed through by Joe Sandbox to the ThreatStream user interface. If you use the Joe Sandbox service for malware detonation on ThreatStream and submissions fail, refer to this matrix for recommended actions.
Error Message: Nothing to analyse, Joe Sandbox has not found any analysis process or sample
Probable Root Cause: Sample is invalid or corrupt
Recommended Action: Verify the sample and try again
Error Message: Unable to start the sample
Probable Root Cause: Sample cannot be launched due to an unknown file extension or missing application
Recommended Action: Verify the sample and try again
Error Message: Unable to browse the URL
Probable Root Cause: Submitted domain or IP address is down, or an HTTP or TCP/IP timeout occurred
Recommended Action: Try again
Chapter 20: Analyzing Adversary Infrastructure with Explore
This chapter contains the following topics:
Exploring Known Attack Infrastructure 630
Exploring Previously Unknown Attack Infrastructure 631
Understanding the Explore Interface 633
Adding Nodes to Explore 636
Importing Observables from your Explore Chart 636
Exporting Your Explore Chart 637
Saving Your Explore Chart 637
Explore is a graphical tool that enables you to build out comprehensive maps of
adversary attack infrastructure. Starting from a single observable, you can ripple
outward to create a visual representation of relationships with data that is known to
be related, such as Actors, other observables, and so on. With Explore, you can
view relationships between observables without having to manually cross reference
dozens of details pages.
In addition to searching ThreatStream intelligence, you can search the Passive DNS
and Whois databases from within ThreatStream.
Further, with the Passive SSL integration provided by ThreatStream, you can use
Explore to perform new research on adversaries and map out previously unknown
infrastructure.
Exploring Known Attack Infrastructure
Explore enables you to map out attack infrastructure that is known to be related to the
observable by querying data that already exists in ThreatStream. Data from
ThreatStream that you can query from Explore includes associated observables,
Actors, Campaigns, Incidents, TTPs, Threat Bulletins, and Vulnerabilities. For
example, you could query Actors on the observable and Explore would add any
Actors associated with the observable in the Anomali threat model to the chart.
Additionally, for domain observables, you can run Passive DNS searches to return
associated IP addresses and Whois searches to return associated email addresses.
Exploring Previously Unknown Attack Infrastructure
With the third party integrations provided by ThreatStream, you can use Explore to
perform new research and build out previously unknown adversary attack
infrastructure. ThreatStream's Passive SSL integration enables you to perform
Certificate, Related Certificate, Certificate to IP, and Certificate to Domain
searches on observables. In doing so, you can make connections between known
indicators of compromise and related observables that were previously unknown.
For example, a domain—freesmartphone.net—was discovered when detonating
the contents of a phishing email in the sandbox. Using Explore, you could start to
search attack infrastructure unknown to ThreatStream by running Search
Certificate. Then, by running Search Related Certificates on a selected text string
from the certificate subject, you return all certificates that share the string.
You could also run a Certificate to Domain search on the certificate to return
associated domains, or a Certificate to IP search to return associated IP
addresses. These observables, potentially part of an adversary attack
infrastructure, can be imported to ThreatStream from the Explore interface. The
ThreatStream machine learning algorithms will automatically filter out any
observables found to be benign. After import, the observables are now available on
ThreatStream and can be leveraged by your security tools against the adversary.
Understanding the Explore Interface
Search: Search for observables or add text strings to the chart. See "Adding
Nodes to Explore" on page 636 for more information.
Save Chart: Save the chart as a file on your local disk. See "Saving Your
Explore Chart" on page 637 for more information.
Open Existing Chart: Load existing charts from previously saved chart files.
Export: Export the chart in CSV or PNG format. See "Exporting Your Explore
Chart" on page 637 for more information.
Key: View node-types represented on the chart. You can select all nodes of a
type by clicking the type on the key. When you select nodes on the Explore chart,
node values are displayed in the key.
Node Search Limit: Sets the maximum number of nodes that can be added to
the chart for a single search. The maximum you can enter is 999.
Auto-Arrange: When enabled, Explore automatically arranges nodes according
to the view you have selected when added to the chart. When disabled, nodes
remain static when additional nodes are added.
Note: Auto-Map to MITRE, a feature available on pivoting tools within
investigations, is not available on the standalone Explore pivoting tool. See
"Automatically Adding MITRE ATT&CK Techniques to Investigations" on
page 344 for more information.
Chart Options:
• Center the chart.
• Reset the chart. This removes all nodes from the chart.
• Zoom in or out on the chart.
Tips:
- You can zoom using your mouse wheel by clicking inside the chart and holding the control key on your keyboard.
- Zoom centers on specific nodes when you select nodes and zoom in or out.
• Toggle the pointer between move and select modes. Move enables you to click and drag the entire chart around the workspace; select enables you to click and select an individual node or click and drag to select multiple nodes.
• Toggle full screen view.
• Toggle between standard, hierarchical, and structural views.
• Show or hide the Explore key.
• Search nodes on the chart by value. Nodes matching the search query you enter are selected on the chart.
Actions:
• Link: Create a link between the selected node and another node. To create a link, select a node, click Link, and select the node with which you want to link the initial node.
Links can be removed by clicking the link and then pressing the Delete (for Windows) or FN+Delete (for Mac) keys on your keyboard.
• Search Associations: Search Observables and Threat Model entities that are associated with the selected entity in ThreatStream. Related entities are added to the chart.
• Search Metadata: Add any ASNs, tags, or other metadata associated with the selected entity to the chart.
• Search Passive DNS: Search Passive DNS threat intelligence data for observables related to the selected nodes. Related observables are added to the chart.
• Search Passive SSL: Search Passive SSL data for certificate information. The following Passive SSL searches are available:
- Search Certificate: Search certificates associated with the selected observable. The search queries certificates based on the text string of the observable value.
- Search Related Certificates: Search for related certificates based on certificate text strings. When you run Search Related Certificates, you must select the certificate text of interest.
- Certificate to IP: Search IP addresses associated with selected certificates.
- Certificate to Domain: Search domains associated with selected certificates.
• Search Whois: Search Whois threat intelligence data for observables related to the selected nodes.
• Import to ThreatStream: Import selected observables into ThreatStream. Clicking this action will take you to the Import page. See "Importing Observables from your Explore Chart" on the next page for more information.
• Group/Ungroup: Group together selected nodes. You can also ungroup grouped nodes by selecting them and clicking Ungroup.
• View Detail: Drill down on the details page in ThreatStream for the selected node.
• Delete Selection: Delete the selected node from the chart.
• Enrichments: Pivot on the node using enrichments which you have activated on ThreatStream.
Click Activate Enrichments... to view a list of unactivated enrichments. Clicking an unactivated enrichment takes you to the Integrations tab within Settings, where you can activate the enrichment. For more information on available enrichments, see "Integrating With Third-Party Services" on page 117.
Adding Nodes to Explore
Explore provides a full text keyword search for adding observables to the chart.
You can also add strings of text to the chart by entering the string and clicking +.
This can be helpful in cases where you want to run an ad-hoc intelligence search on
a string of interest or an observable that has not been imported.
Importing Observables from your Explore Chart
If you find any observables from a third party such as Passive DNS in Explore, you
can easily import the intelligence into ThreatStream.
To import observables from Explore:
1. Perform a search and select the observables you want to import.
2. Right click the selected observables.
3. Click Import to ThreatStream.
4. Complete the import process on the Import screen. See Importing Observables
for more information on the import process.
Exporting Your Explore Chart
Explore charts can be exported in one of two formats. You can export an image of
the chart in PNG format, or a list of the intelligence included in the chart in CSV
format.
To export your Explore chart:
1. Click the Export icon.
2. Select Export to PNG or Export to CSV.
Your download will start automatically.
Saving Your Explore Chart
Explore enables you to save charts for future use. Charts can be saved in
JSON format and then opened by clicking Open Existing Chart on the Explore
interface.
To save your Explore chart: click Save Chart on the Explore interface. Your
download will start automatically.
To load a saved chart: click Open Existing Chart on the Explore interface and
browse for the saved JSON file.
Chapter 21: Collaborating with ThreatStream Chat
ThreatStream Chat provides a channel of communication between collaborators on
the ThreatStream user interface. Chat is hosted within ThreatStream and not by an
external third party. Posted content is visible only to intended audiences, thus
enabling worry-free communication between teams and industry partners.
In addition to sending direct and group messages to members of your own
organization, Chat enables communication with Trusted Circle organizations.
Messages cannot be deleted once sent. Please exercise caution when
communicating with internal or external audiences.
Note: Your use of the ThreatStream Chat feature implies your acceptance of
Anomali TOS and Privacy policies.
Accessing Chat
To access ThreatStream Chat, navigate to Research > Collaborate.
Chat Rooms: Available chat rooms include your organization and any chat-
enabled Trusted Circles of which your organization is a member.
Tip: Are you a member of the Anomali News Chat Trusted Circle and looking for
the COVID-19 chat channel? Locate and open the "anomalinewschat" chat
room.
The Anomali News Chat Trusted Circle chat room contains a single channel
called COVID-19 - anomalinewschat. For more information on gaining access to
this channel, see "Chat - COVID-19 " on page 747.
Channels: When you select a chat room, a list of available channels for the chat
room is displayed. Channels are specific to each chat room and used for wider
topical communication and announcements within a chat room. Channel
configurations vary between organization and Trusted Circle chat rooms:
• Your organization contains one default channel—TS Announcements. You can also create additional channels within your organization. See "Sending Channel Messages" on page 641 for more information.
• Trusted Circle chat rooms contain two default channels—Cybersecurity News and TC Announcements. Trusted Circle channels contain all chat users within the Trusted Circle. See "Chatting With Trusted Circles" on page 642 for more information.
Direct Messages: Recent messages with groups and members within your
organization. See "Sending Direct Messages" on page 641 and "Sending Group
Messages" on page 641 for more information.
Organization Members: A list of members in your organization. Click a user name to launch a direct message with the user. See "Chatting With Your Organization" on the next page for more information.
Note: The organization members list is only displayed when your organization
chat room is selected.
Your 20 most recent conversations are also accessible from a follow-me window,
which can be launched from the bottom right corner anywhere in ThreatStream.
While you can view and respond to messages from this window, you can only create
new direct or group messages from the primary Chat user interface.
Chatting With Your Organization
Chat enables you to send direct messages to organization users, begin group
messages with up to 7 users, and post in organization-wide channels.
To chat with your organization, select your organization icon in the top left corner of the Chat screen.
All organization chat rooms contain organization wide Cybersecurity News and TS Announcements channels. You can also send direct messages to individual organization members, group messages to multiple organization members, and create new channels for wide communication.
Sending Direct Messages
Direct messages are conversations between you and individual members of your
organization on ThreatStream. These messages are private and accessible only by
you and the user with which you are chatting.
To send a direct message, click + next to Direct Messages and select the user with
whom you want to chat.
After you start a chat with an organization member, the conversation is listed under
Direct Messages.
Sending Group Messages
Group messages can be created by any Chat user and contain up to 7 organization
members.
To begin a group message:
1. Navigate to Research > Collaborate.
2. Click the + icon next to Direct Messages.
3. Select the users you want to add to the group.
4. Click Start.
Note: If you create a group message that contains the same users as a group
message you have previously created, a new group message is not created. In
these cases, the display name of the existing group is simply updated to reflect
the name of the new group message you attempted to create.
Sending Channel Messages
Unlike groups, channels do not have a limit for number of users. Channels are
means for wider topical communication and announcements within a chat room. In
addition to the default organization wide Cybersecurity News and TS
Announcements channels, you can create new channels.
To create a new channel:
1. Navigate to Research > Collaborate.
2. Click the chat room within which you want to create the channel.
3. Click the + icon next to Channels.
4. Enter a Name for the new channel.
5. Select the users you want to add to the channel.
6. Click Create Channel.
Chatting With Trusted Circles
Chat also enables you to chat with Trusted Circle organizations. Unlike chatting with
your own organization, you cannot send direct messages to Trusted Circle users
outside of your organization. Rather, each Trusted Circle which has Chat enabled
can post in one of two circle-wide channels—Cybersecurity News or TC
Announcements.
When you post in a Trusted Circle channel on Chat, your username is not visible to
users outside of your organization.
To chat with a Trusted Circle:
1. Navigate to Research > Collaborate.
2. Select the Trusted Circle chat room in which you want to chat.
3. Select the Trusted Circle channel within which you want to chat.
Messages you send will be seen by members of the Trusted Circle in the channel
you selected.
Note: Content posted in Trusted Circle channels is visible to all members of the
channel. Organization users are responsible for posted content and should
exercise caution in posting restricted, personal, or otherwise sensitive content.
Enabling Chat for Trusted Circles
Chat is not enabled for Trusted Circles by default. A Trusted Circle administrator
must enable Chat in order for the Trusted Circle to appear in the Circles list.
To enable Chat for a Trusted Circle:
Note: You must be an administrator of the Trusted Circle for which you want to
enable Chat.
1. Navigate to Manage > Trusted Circles.
2. Click the Edit corresponding to Trusted Circle for which you want to enable
Chat.
3. Click Update.
You can now chat with the Trusted Circle from the Chat screen.
Enabling Chat for Your Organization
Chat is disabled by default. Org Admins can enable Chat for their organizations from
the Organization tab within ThreatStream settings.
Once Chat is enabled for your organization, an additional column is available on the
User Admin screen within ThreatStream settings, which allows Org Admins to grant
or deny organization users permission to use Chat. All users are excluded from Chat
by default and must be granted permission by an Org Admin in order to use Chat.
Requirements Before Enabling Chat
Before enabling Chat for your organization, you must ensure that your network has
socket connectivity to the following DNS name and IP addresses:
• wss.chat.threatstream.com
• 3.20.109.10
• 3.20.109.51
• 3.20.96.2
After ensuring connectivity, you can enable Chat on ThreatStream using the steps in
the next section.
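The following script is an added example, not part of the Anomali guide or product: a pre-flight check, run from a host on the network that will use ThreatStream, that probes TCP connectivity to the four endpoints listed above and flags hostname resolution drift away from the documented IP addresses. Two things are assumptions not stated in the guide: that the wss:// endpoint is reached on TCP port 443, and that a completed TCP handshake is a sufficient test of "socket connectivity" (TLS and proxy behaviour are not exercised).

```python
"""Added example, not Anomali's code: pre-flight check for the outbound socket
connectivity that ThreatStream Chat requires.

Assumptions not stated in the guide: the websocket endpoint (wss://) is reached on
TCP port 443, and completing a TCP handshake is a sufficient test of "socket
connectivity" (TLS and proxy behaviour are not exercised here).
"""
import socket
from typing import Dict, Iterable, List, Set

# Endpoints exactly as listed in the guide.
CHAT_ENDPOINTS = (
    "wss.chat.threatstream.com",
    "3.20.109.10",
    "3.20.109.51",
    "3.20.96.2",
)
CHAT_PORT = 443  # assumption: wss:// implies TLS over 443


def check_socket(host: str, port: int = CHAT_PORT, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, connection refused, filtered (timeout), or no route
        return False


def check_endpoints(hosts: Iterable[str] = CHAT_ENDPOINTS, port: int = CHAT_PORT,
                    timeout: float = 3.0) -> Dict[str, bool]:
    """Probe every endpoint and report reachability per host."""
    return {host: check_socket(host, port, timeout) for host in hosts}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Hosts that failed the probe, for the firewall or proxy change request."""
    return sorted(host for host, ok in results.items() if not ok)


def resolved_addresses(hostname: str) -> Set[str]:
    """IPv4 addresses the hostname currently resolves to (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, CHAT_PORT, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return set()
    return {info[4][0] for info in infos}


def unlisted_addresses(resolved: Iterable[str],
                       listed: Iterable[str] = CHAT_ENDPOINTS) -> List[str]:
    """Addresses the name resolves to that are not in the documented list. If this is
    non-empty, an IP-based firewall allowlist built from the guide will break Chat."""
    return sorted(set(resolved) - set(listed))


if __name__ == "__main__":
    results = check_endpoints()
    for host, ok in results.items():
        print(f"{host:32} {'OK' if ok else 'BLOCKED'}")
    drift = unlisted_addresses(resolved_addresses(CHAT_ENDPOINTS[0]))
    if drift:
        print("name resolves to undocumented address(es):", ", ".join(drift))
    raise SystemExit(1 if unreachable(results) or drift else 0)
```

Run it from the same network segment (and through the same egress proxy, if any) as the analysts' browsers; a BLOCKED result on the hostname together with OK on the bare IPs usually points at DNS or proxy policy rather than a firewall rule.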
Enabling Chat on ThreatStream
Org Admins can enable Chat from the Organization tab within ThreatStream
settings.
To enable Chat for your Organization:
1. In the top navigation bar, click the settings icon and then Organization.
2. Click Activate next to Enable ThreatStream Chat.
3. Select My Organization accepts these terms and click I agree on the
resulting window.
Requirements After Enabling Chat
After enabling Chat for your organization, all users with active sessions at the time of
enablement must logout of ThreatStream and login again.
Additionally, organization members to be included in Chat must be given the Chat
privilege on the User Admin tab within ThreatStream settings.
Note: Only Org Admins can modify user privileges.
To edit the Chat privileges of organization members:
1. In the top navigation bar, click the settings icon and then User Admin.
2. Locate the Chat column and check or uncheck the box corresponding with the users to which you want to grant or revoke access.
Changes to user privileges are saved automatically. If users have an active session when privileges are modified, changes take effect the next time they log in to ThreatStream.
Chapter 22: Collaborating with Trusted Circles
This chapter covers the following topics:
Public and Non-Public Trusted Circles 648
Privacy of Data in a Trusted Circle 649
Understanding the Role of a Trusted Circle Administrator 649
Creating a Trusted Circle 650
Editing a Trusted Circle 652
Joining a Trusted Circle 653
Approving Membership Requests to Public Trusted Circles 654
Inviting Members to Join a Non-Public Trusted Circle 654
Leaving a Trusted Circle 655
Sharing Data with Trusted Circles 656
Viewing Members of a Trusted Circle 657
Viewing Trusted Circles 658
Deleting a Trusted Circle 658
Trusted circles are communities within ThreatStream in which you can participate,
share threat intelligence in real-time, and get access to information others have
shared. Trusted Circles are comprised of organizations with similar threat
intelligence interests (due to their affiliation to an industry, supply chain, Incident,
and so on) and enable these organizations to collaborate and discuss threat
activities they have observed around a specific Campaign , adversary, or Incident.
In addition to organizations that participate in Trusted Circles, the Anomali Threat
Research team contributes and shares intelligence to the industry-specific Trusted
Circles available on ThreatStream.
Sharing threat intelligence not only allows organizations to prepare their defenses in
a timely manner but also join forces in thwarting a widespread attack.
For example, your organization is a member of a trusted circle made up of top 5
banks in the country. One of the members of this circle shares information about an
Actor that tried infiltrating their servers last night. Chances are that this Actor will try
other similar businesses. Your systems and servers may be the next target. Since
you have received an early warning from your Trusted Circle community on
ThreatStream, you can strengthen your defenses in time—set up firewall rules,
block the Actor, and ensure your critical assets and data on them are under tight
access controls.
When you participate in a Trusted Circle, you control what information you share with other organizations in that circle. For example, if you want to share observables you are importing with 2 of the 5 Trusted Circles you participate in, you have to explicitly set the Visibility for that import to those two Trusted Circles.
Public and Non-Public Trusted Circles
ThreatStream allows two kinds of Trusted Circles:
• Public—The names of these Trusted Circles are visible to all organizations. Any organization can request an invite to these circles. The request must be approved by the Trusted Circle owner before an organization can join that circle. The Public Trusted Circles are listed in the Public Trusted Circles table, as shown in the following figure.
• Non-Public—The names of these Trusted Circles are not visible to all organizations but only to the members of the organization that created the circle and any other organizations that may have been explicitly invited to join them. If your organization participates in any such circles, they are listed in the Your Trusted Circles table.
The Your Trusted Circles table is a list of non-Public and Public Trusted Circles your organization participates in. In the following figure, the Trusted Circles in blue outline are non-public. (The names and descriptions have been redacted.)
Privacy of Data in a Trusted Circle
The threat intelligence shared with a Trusted Circle is only visible to an organization
if that organization is a member of that Trusted Circle.
Whether a Trusted Circle is listed on ThreatStream for all other organizations to see
and request membership depends on how it was created. The following table
summarizes the settings that control this aspect.
(X = setting enabled, - = setting disabled)
Public Circle X, Open Invite X: Trusted Circle is listed in the Public Trusted Circle list and is visible to all users on ThreatStream. Any organization can request membership to the Trusted Circle. The request must be approved by the Trusted Circle owner before the organization becomes a member.
Public Circle X, Open Invite -: Trusted Circle is listed in the Public Trusted Circle list and is visible to all users on ThreatStream. Only organization administrators in this Trusted Circle can invite other organizations to join the Trusted Circle.
Public Circle -, Open Invite X: Trusted Circle is not listed in the Public Trusted Circle list and is visible only to the members of the organization that created it and any other member organizations. Any member of this Trusted Circle can invite other organizations to join the Trusted Circle.
Public Circle -, Open Invite -: Trusted Circle is not listed in the Public Trusted Circle list and is visible only to the members of the organization that created it and any other member organizations. Only organization administrators in this Trusted Circle can invite other organizations to join the Trusted Circle.
Understanding the Role of a Trusted Circle
Administrator
You must be an organization administrator to create a Trusted Circle. The organization administrator who creates the circle is automatically designated as its Trusted Circle administrator. ThreatStream users from the same or a different organization can be designated as additional administrators of that Trusted Circle. Users designated as Trusted Circle administrators do not need to be organization administrators; they can be non-admin users.
The Trusted Circle administrators can edit the Trusted Circles they administer, invite
additional members to them, and leave the Trusted Circle (remove their
organization from them). However, a Trusted Circle admin cannot create additional
Trusted Circles.
Creating a Trusted Circle
Note: You must be an organization administrator to create a Trusted Circle.
To create a Trusted Circle:
1. Navigate to Manage > Trusted Circles.
2. Click Create New Circle (at the top right corner of the page).
3. Enter the following information:
Name: A meaningful name for the Trusted Circle.
Description: An informative description for the Trusted Circle.
Publicly Available: See "Privacy of Data in a Trusted Circle" on page 649 for more information.
Open Invite: See "Privacy of Data in a Trusted Circle" on page 649 for more information.
Override System Confidence: If enabled, members can select Override System Confidence when importing observables that are shared with the Trusted Circle. See "Importing Observables" on page 286 for more information.
Anonymous Sharing: If enabled, member organizations and users are made anonymous in the data they share with the trusted circle. Trusted circle members will see "Analyst" in all fields that would otherwise display an organization or user name, such as Source, Assignee, or History logs. In addition to being made anonymous on the user interface, organization information is anonymized in all email notifications that display data shared with the trusted circle.
If anonymous sharing is removed from a trusted circle, data shared with the circle does not remain anonymous. If anonymous sharing is enabled for an existing trusted circle, data shared with the circle is made anonymous.
Notes:
- Organization and user information is not made anonymous in cases where data shared with the trusted circle is shared with additional trusted circles that do not have Anonymous Sharing enabled.
- User information is not made anonymous in comments left on data shared with the trusted circle.
4. Click Create.
Editing a Trusted Circle
Note: You must be a Trusted Circle administrator for the Trusted Circle you want
to edit. For more information, see "Understanding the Role of a Trusted Circle
Administrator" on page 649.
To edit a Trusted Circle:
1. Navigate to Manage > Trusted Circles.
2. Identify the Trusted Circle you want to edit from the Your Trusted Circles list.
The Trusted Circles you are permitted to edit display an Edit button in the
Actions column.
3. Click Edit and make the changes.
For information about the fields, see "Creating a Trusted Circle" on page 650.
Note: If you disable anonymous sharing for a trusted circle, data previously
shared with the trusted circle does not remain anonymized. If anonymous
sharing is enabled for a trusted circle, existing data shared with the trusted
circle is made anonymous.
4. Click Update.
Joining a Trusted Circle
Note: You must be an organization administrator to join your organization to a
Trusted Circle.
You must initiate the request to join a Public Circle.
To join a Public Trusted Circle:
1. Navigate to Manage > Trusted Circles.
2. Click Show Public Circles (at the top right corner of the page).
3. Identify the Trusted Circle you want to join and click Request Invite link for it.
A request to the Trusted Circle administrator is sent. Once the request has been
approved, the Trusted Circle is displayed in the Your Trusted Circles list.
To join a Non-Public Circle, you must be invited by the Trusted Circle
administrator or other members of that circle. Other members can only extend an
invite to a Non-Public Trusted Circle if the Trusted Circle was created with the
Open Invite setting enabled. See "Privacy of Data in a Trusted Circle" on page 649
and "Inviting Members to Join a Non-Public Trusted Circle" below for more
information.
Approving Membership Requests to Public Trusted Circles
You will receive membership requests to Public Trusted Circles you administer
when ThreatStream users click on the Request Invite link. The request is displayed
on the Trusted Circles page when you log in to ThreatStream.
To approve the membership, click Accept.
To reject the membership, click Decline.
Inviting Members to Join a Non-Public Trusted Circle
You can invite members to join non-public trusted circles of which you are an
administrator (see "Understanding the Role of a Trusted Circle Administrator" on
page 649). You can also invite members to join trusted circles that have the Open
Invite setting enabled.
When inviting someone to join a Trusted Circle:
- You can choose to invite them as an administrator of that Trusted Circle (see
"Understanding the Role of a Trusted Circle Administrator" on page 649).
- You can extend an invitation to a person who does not have an account on
ThreatStream. The person will need to create an account on ThreatStream
before joining the Trusted Circle.
To invite other members to join a non-Public Trusted Circle:
1. Navigate to Manage > Trusted Circles.
2. Identify the Trusted Circle to which you want to invite additional members in the
Your Trusted Circles list.
3. Click Invite under the Members column.
4. Enter the email address of the person you want to invite.
To invite someone to join as the administrator of a Trusted Circle, you can click
the "Invite as an administrator of this Trusted Circle" box.
5. Click Add.
The person who was invited receives an email notifying them of the invitation.
They must click the link to accept or decline the invitation. If they do not have
an account on ThreatStream, they must first register with ThreatStream.
Leaving a Trusted Circle
Note: You must be a Trusted Circle administrator to remove your organization
from the circle. For more information, see "Understanding the Role of a Trusted
Circle Administrator" on page 649.
To leave a Trusted Circle:
1. Navigate to Manage > Trusted Circles.
2. Identify the Trusted Circle you want to leave from the Your Trusted Circles list.
3. Click Leave.
Sharing Data with Trusted Circles
ThreatStream enables you to restrict the visibility of data to specific trusted circles of
which your organization is a member. This article presents an overview of how to
share various types of data with your trusted circles.
Sharing Observables with Trusted Circles During Import
Observables can be shared with trusted circles during import by selecting the
Trusted Circle Visibility setting and then choosing the circles with which you want
to share imported observables. See "Importing Observables with Import Assistant"
on page 280 for more information.
You can also share observables with your trusted circles directly from the
Trusted Circles page. Any member of a Trusted Circle can share intelligence with
that circle.
To share observables with a specific Trusted Circle during import:
1. Navigate to Manage > Trusted Circles.
2. Identify the Trusted Circle with which you want to share the intelligence in the
Your Trusted Circles list.
3. Click Share Intelligence under the Actions column.
The Import page is displayed with the Trusted Circle you identified earlier
automatically selected.
4. Follow the Import procedure as described in "Importing Observables " on
page 286.
Sharing Existing Observables with Trusted Circles
You can re-import existing observables restricted to your organization to share them
with trusted circles of which you are a member. You can also share your existing
trusted circle observables with additional trusted circles. To read more about the re-
import process, see "Re-importing Observable Values" on page 321.
Sharing Threat Model Entities with Trusted Circles
You can use the threat model publication workflow to share new and existing threat
model entities with trusted circles at any time. On the threat model entity details
page, click Publish in the Actions menu and select the Trusted Circle Visibility
setting. You can then select the trusted circles with which you want to share the
threat model entity. See "Reviewing Threat Model Entities for Publication" on
page 542 for more information.
Sharing Sandbox Reports with Trusted Circles
The visibility of sandbox reports is set when you submit Malware for detonation and
cannot be edited. To share a sandbox report with trusted circles, select the Trusted
Circle Visibility setting. You can then select the trusted circles with which you want to
share the sandbox report. See "Submitting Malware for Detonation" on page 611 for
more information.
Viewing Members of a Trusted Circle
You can only see members of Trusted Circles to which your organization belongs.
To view members of a Trusted Circle:
1. Navigate to Manage > Trusted Circles.
2. Identify the Trusted Circle, from the Your Trusted Circles list, whose members
you want to view.
3. Click the number in the Members column to see a list of the organizations that
are the members.
Viewing Trusted Circles
To view all Public Trusted Circles:
1. Navigate to Manage > Trusted Circles.
2. Click Show Public Circles (at the top right corner of the page).
A list of all Public Trusted Circles is displayed.
To view all Trusted Circles your organization is a member of:
1. Navigate to Manage > Trusted Circles.
The Your Trusted Circles list displays all Trusted Circles to which your
organization belongs.
Deleting a Trusted Circle
Once created, a Trusted Circle cannot be deleted on ThreatStream through the user
interface. If you need to delete a Trusted Circle, contact Anomali Customer Support
for assistance.
Chapter 23: Using Anomali Lens in ThreatStream
ThreatStream provides an on board version of the Anomali Lens browser plugin—
the cybersecurity industry’s first natural language processing (NLP) based web
content parser.
This functionality enables organizations to benefit from Anomali Lens within
ThreatStream, without needing to install the plugin.
Note: Anomali Lens in ThreatStream is automatically disabled if you have the
Anomali Lens plugin installed on your browser. In these cases, use the plugin to
scan pages in ThreatStream.
To scan a page with Anomali Lens in ThreatStream:
Click the Lens icon from anywhere in the platform.
Page content is scanned immediately and results are displayed in the pop-out
window. See "Scanning Pages with Anomali Lens" on page 662 for more
information on how Lens displays scanned page content.
Note: Free Anomali Lens users are limited to 100 scans per organization per
month, including scans executed from the plugin and within ThreatStream.
Anomali Lens+ users get an unlimited number of scans. Interested in purchasing
Lens+? Contact sales@anomali.com for more information.
Context at the point of use
Anomali Lens can parse any screen in ThreatStream for cyber threat intelligence
terms and provide context at the point of use. For example, you scan a Threat
Bulletin and a number of observables are highlighted in the body of the Threat
Bulletin. You can mouse over the highlighted observables to view metadata, such as
Severity, Confidence, associated Indicator Types and Tags. If you want more
context, you can click View Details to visit the Observable details page.
Thus, Anomali Lens enables you to quickly access contextual information and
provides a direct vector of entry into comprehensive detail without needing to
manually run Observable or Threat Model entity searches.
Since Anomali Lens can scan any page in ThreatStream, that means you can enrich
conversations in ThreatStream Chat with additional context as well. If you are
chatting with a team member you can simply scan the conversation with Anomali
Lens to get immediate context on the entities referenced in the chat.
ThreatStream also ensures you know which threats are trending. If you scan a page
that contains a reference to a threat that has appeared frequently in recent
intelligence feeds and articles, a flame icon is displayed next to the term in the
scan results list. The flame icon is also displayed next to the highlighted entity
on the page.
Parse new content from the web
Anomali Lens in ThreatStream scans content within the ThreatStream user
interface. However, you can leverage Lens in ThreatStream to scan content from
the web by pasting it into a text editor, such as the description of a Threat Bulletin.
Content does not need to be saved in order for Anomali Lens to scan it. Lens cannot
scan content in the rich text or markdown editors when an entity is in edit view.
However, Lens can scan content in the markdown live preview window while in edit
view.
Scanning Pages with Anomali Lens
When you land on a page in ThreatStream you want to scan, simply launch Anomali
Lens.
If Lens detects entities on the page, you will see results similar to the following:
Filters: Filter highlighted entities on the plugin by highlight type.
- Entities—All entities highlighted by Lens.
- Active—Observables that are currently active in ThreatStream and Threat Model
entities verified by the Anomali Threat Research Team.
- Inactive—Observables that are currently inactive in ThreatStream.
- Unknown—Observables unknown to ThreatStream. Unknown Threat Model entities are
either unknown to ThreatStream or unverified by the Anomali Threat Research Team.
Highlighted Entities: Entities highlighted by Anomali Lens. Entities are grouped
into categories by entity type. You can gain context on the entity from the Lens
window by clicking the expand icon.
Additionally, you can click the entity name on the Anomali Lens window to jump to
the entity on the page. If Lens discovered multiple instances of the entity, you can
click to cycle through each instance of the entity on the page.
Create Threat Bulletin: Create a Threat Bulletin in ThreatStream. See
"Creating Threat Bulletins from Anomali Lens" on the next page.
Import: Create an import session for highlighted observables in ThreatStream.
See "Creating Import Sessions from Anomali Lens" on page 671.
Investigate: Create an investigation based on highlighted entities in
ThreatStream. See "Creating Investigations from Anomali Lens" on page 667.
Entities Highlighted by Anomali Lens in ThreatStream
Anomali Lens highlights both observables and threat model entities. The tables
below illustrate the differences between how Anomali Lens highlights observables
and threat model entities.
Observables
Observable Status: Highlight Color
Not in ThreatStream: Blue
In ThreatStream, currently inactive: Gray
In ThreatStream, currently active: Orange
Threat Model Entities
Entity Status: Highlight Color
Not in Anomali Threat Model Database: Blue. Descriptions read "identified by
Anomali ThreatStream machine learning."
In Anomali Threat Model Database, unverified by Anomali Threat Research Team:
Blue. Descriptions are displayed, but start with "Possibly:".
In Anomali Threat Model Database, verified by Anomali Threat Research Team:
Orange. Includes verified description and links to more details in ThreatStream.
Note: The Anomali Lens+ plugin detects Actor and Malware entities created by
your organization in addition to those verified by the Anomali Threat Research
Team. If you are interested in leveraging your organization specific intelligence,
contact sales@anomali.com for more information.
Creating Content with Anomali Lens in ThreatStream
You can use Anomali Lens to create Threat Bulletins, Investigations, and Import
Sessions from anywhere in the platform.
Note: Read Only users cannot create Threat Bulletins, Investigations, or Import
Sessions through Anomali Lens in ThreatStream.
Creating Threat Bulletins from Anomali Lens
To create a Threat Bulletin from Anomali Lens:
1. After scanning a page, click Create Threat Bulletin on the Lens window.
2. Select the entities you want to include in the Threat Bulletin. You can also use
the filters to select all entities of a particular highlight type.
The number of selected entities is reflected in the Create Threat Bulletin button.
Note: You can also create Threat Bulletins when no entities are detected by
Anomali Lens.
3. Click Create Threat Bulletin.
The new Threat Bulletin has been created. You are redirected to the Threat
Bulletin details page in edit view. See "Editing Threat Bulletins" on page 485 for
more information.
If new observable values were included in the Threat Bulletin you created, an
import session window is displayed.
See "Approving Import Jobs" on page 308 for more information.
The entities you selected are automatically associated with the new Threat
Bulletin.
Creating Investigations from Anomali Lens
To create an Investigation from Anomali Lens:
1. After scanning a page, click Investigate on the Lens window.
2. Select the entities you want to include in the Investigation. You can also use the
filters to select all entities of a particular highlight type.
3. Click Investigate.
4. If you want to add the entities to an existing Investigation:
a. Select Add to Investigation.
b. Use the Search function to locate the Investigation of interest. You can also
click Show Filters to filter Investigations by Last Modified date and
Reporter.
c. Select the Investigation of interest from the Results list.
d. Click Add to Investigation.
Lens displays a success message when it finishes adding the entities.
Click View Investigation to view the updated investigation in ThreatStream.
Note: ThreatStream may not complete grouping entities on the chart view of
the Investigation if you attempt to open the Investigation before Lens
displays this success message. If you close the Lens window before the
success message is displayed, Lens sends you a browser notification.
Click View Details to view the Investigation.
OR
If you add the entities to a new Investigation:
a. Select Create Investigation.
b. Confirm the Investigation Name. The name of the scanned page is
automatically populated.
c. Select an Assignee for the Investigation.
d. Click Create Investigation.
When investigation creation is complete, Lens displays a success message.
Click View Investigation to view the investigation in ThreatStream.
Note: ThreatStream may not complete grouping entities on the chart view of
the Investigation if you attempt to open the Investigation before Lens
displays this success message. If you close the Lens window before the
success message is displayed, Lens sends you a browser notification.
Click View Details to view the Investigation.
Creating Import Sessions from Anomali Lens
To create an import session from Anomali Lens:
1. After scanning a page in ThreatStream, click Import on the Lens window.
2. Select the observables you want to import.
Tip: Select the Unknown filter to select all observables highlighted by Lens
that are currently unknown to ThreatStream.
3. Click Import.
You are redirected to the import review screen. See "Approving Import Jobs" on
page 308 for more information.
Chapter 24: Participating in the Anomali Community
This chapter covers the following topics:
Managing Your Profile 673
Earning Badges 675
Watching, Starring, Liking, and Sharing Intelligence 675
Tracking Intelligence with My Threats 677
Viewing the Community Threats Dashboard 677
ThreatStream enables you to interact and stay current with the wider Anomali
community, including users outside of your organization.
After creating a unique user profile, you can:
- Watch, Star, and Like Threat Model entities and Sandbox Reports. See
"Watching, Starring, Liking, and Sharing Intelligence" on page 675 for more
information.
- Track Threat Model entities and Sandbox Reports on the My Threats page. See
"Tracking Intelligence with My Threats" on page 677 for more information.
- Share intelligence with individual ThreatStream users. See "Watching, Starring,
Liking, and Sharing Intelligence" on page 675 for more information.
- Customize your ThreatStream user profile. See "Managing Your Profile" on the
next page for more information.
- Earn badges that recognize your threat intelligence achievements and
contributions in ThreatStream. See "Earning Badges" on page 675 for more
information.
- View intelligence trending in the Anomali community on the Community Threats
page. See "Viewing the Community Threats Dashboard" on page 677 for more
information.
Managing Your Profile
Creating Your Profile
You are prompted to create a profile when you log in to ThreatStream for the first
time.
You must enter a Nickname. All other fields are optional. Nicknames can include
alphanumeric characters, hyphens (-), and underscores (_) only. Spaces and
special characters are not supported. However, words can be separated using
hyphens and underscores.
Note: Once created, nicknames cannot be edited from the ThreatStream user
interface. Contact Anomali Support if you require an update to your nickname.
If you have not been prompted to create a profile, please contact Anomali Support
for assistance.
Accessing Your Profile
You can access your profile by clicking Profile in the ThreatStream menu.
Editing Your Profile
All profile fields except for Nickname can be edited. To edit a profile field, mouse
over the field and click the edit icon.
To save changes, click the check icon.
Privacy Settings
If you do not want your profile to appear in the Anomali Community search results,
you can make your profile Private.
Alternatively, you can make individual fields on your profile private. Fields are
private and not visible to the Anomali community unless you make them public. The
eye icon toggles the visibility of each field on and off.
When the eye is closed, the field is not visible to the Anomali community. When the
eye is open, the field is visible to the Anomali community.
Achievement Badges
Badges recognizing your threat intelligence achievements and contributions to the
Anomali community are displayed on your profile in the widget below.
For more information on earning badges, see "Earning Badges" on the next page.
Earning Badges
After creating your unique user profile, you are eligible to earn badges that
recognize your threat intelligence achievements in ThreatStream and contributions
to the wider Anomali community.
There are three badge classes:
- Bronze badges encourage you to try out new features on the ThreatStream
platform and are relatively easy to earn.
- Silver badges are less common than Bronze badges and require more effort to
earn.
- Gold badges recognize important contributions from the Anomali community and
are the most difficult to earn.
The table below lists all achievement badges available on the ThreatStream
platform and the requirements that must be met in order to earn them.
Badge: Requirement (Class)
ThreatStream User: Log in to ThreatStream. (Bronze)
Profile All Star: Complete your user profile. (Bronze)
Watching, Starring, Liking, and Sharing
Intelligence
ThreatStream enables you to Watch, Star, Like, and Share Threat Model entities
and Sandbox Reports for the purposes of tracking, rating, and sharing intelligence
with the wider Anomali community.
These actions are accessible from Threat Model entity detail and Sandbox Report
pages, as displayed below.
Note: These actions are not available on the ThreatStream OnPrem user
interface.
Watching Intelligence
Watching Threat Model entities and Sandbox Reports enables you to receive
notifications when the intelligence is updated. Notifications are displayed in the
notification center.
Watched intelligence is listed under Watching on My Threats.
Starring Intelligence
Starring Threat Model entities and Sandbox Reports bookmarks the intelligence for
later reference. Starred intelligence is listed under Starred on the My Threats page.
You do not receive notifications when starred intelligence is updated.
Liking Intelligence
Liking Threat Model entities and Sandbox Reports enables you to quickly share your
opinion of the intelligence and contribute to an overall rating. You can either Like
(upvote) or Dislike (downvote) intelligence. Community likes and dislikes are
aggregated into an overall score.
Intelligence that you have previously liked is displayed under Liked on My Threats.
Sharing Intelligence
You can also Share Threat Model entities and Sandbox reports with users in your
organization. Users receive in-app notifications when you share intelligence with
them.
To share intelligence:
1. Navigate to the Threat Model entity detail page or Sandbox Report that you
want to share.
2. Click Share.
3. Enter the Nickname of the user you want to share the intelligence with and
select it from the menu.
4. Click OK.
Tracking Intelligence with My Threats
You can view intelligence that you have Watched, Starred, Liked, and
Commented on by clicking My Threats in the ThreatStream menu.
For more information on the above actions, see "Watching, Starring, Liking, and
Sharing Intelligence" on page 675.
Viewing the Community Threats Dashboard
The Community Threats dashboard displays the most Watched, Starred, Liked,
and Commented intelligence from around the ThreatStream community over the
last 30 days. The dashboard aggregates intelligence actions—watching, starring,
liking, and commenting—from users across all organizations on ThreatStream.
Therefore, you can use the Community Threats dashboard to gauge interest in
particular Threat Intelligence entities over the past month from all ThreatStream
users—including those outside your organization.
To access Community Threats, navigate to Dashboards in the top navigation menu
and then click Community Threats.
For more information on the actions tracked on the Community Threats dashboard,
see "Watching, Starring, Liking, and Sharing Intelligence" on page 675.
The dashboard widgets show:
- Intelligence that has been watched by the most ThreatStream users.
- Intelligence that has been starred by the most ThreatStream users.
- Intelligence that has received the highest number of likes.
- Intelligence that has received the highest number of comments.
You can drill down on intelligence from the Community Threats page for deeper
analysis.
Chapter 25: ThreatStream Integrator
Anomali ThreatStream Integrator (the next generation of ThreatStream Link) is the
software for integrating your existing security infrastructure to Anomali's
ThreatStream Cloud or ThreatStream OnPrem.
ThreatStream Integrator connects to the ThreatStream platform or the
ThreatStream appliance and pulls rich cyber threat intelligence feeds into existing
tools and infrastructure thus bringing real-time intelligence into your existing security
solutions to provide operational efficiency and relevancy to current security
technologies. It can output this data in many formats such as CSV, Syslog, and
Common Event Format (CEF), and can also directly integrate with security solutions
in your network, such as SIEMs, firewalls, end-point security solutions, DNS, and
Hadoop-based systems.
Supported Integrations
In addition to the ability to configure custom destinations, ThreatStream Integrator
enables integrations with the following services:
Product Class: Product
SIEM: ArcSight ESM, Splunk, QRadar, McAfee ESM (NitroSecurity), LogRhythm,
AccelOps, RSA NetWitness, Bro_intel
Firewalls: Palo Alto Networks, Blue Coat Proxy SG, Check Point, Cisco ASA
Endpoint Security: Carbon Black, Tanium, CrowdStrike, FireEye HX
Hadoop: Cloudera Impala, Hadoop Hive
DNS: Infoblox
Anomali is always adding new integrations. If your product is not represented in the
above list, contact sales@anomali.com to learn about our upcoming integrations.
Downloading ThreatStream Integrator
You can download ThreatStream Integrator from the Downloads page on
ThreatStream. Also available on the Downloads page is the ThreatStream
Integrator Installation & Administration Guide, which contains information on
installing and using ThreatStream Integrator.
Note: If you do not have access to the Downloads page from the ThreatStream
UI, contact your Anomali Sales representative.
Chapter 26: ThreatStream API
ThreatStream is accessible through REST APIs, which are available to all Premium
customers. The APIs offer bi-directional interaction with the ThreatStream
platform. The APIs allow you to pull threat intelligence from the ThreatStream
platform for use with other third-party tools, import observables into ThreatStream
from any source, and manage Threat Bulletins.
To learn more about the ThreatStream API, download the ThreatStream
API Reference Guide from the Downloads page on ThreatStream.
Appendix A: Intelligence Fields in ThreatStream
This section lists the intelligence fields available in ThreatStream that can be used
for filtering and advanced searching.
Field Name (Type): Description
asn (String): The Autonomous System Number (ASN) for the IP associated with the
observable.
classification (String): Indicates the confidentiality level of an observable.
Possible values: private, public.
Notes:
- Private also includes Trusted Circles.
- classification is displayed as Visibility on the ThreatStream user interface.
confidence (Numeric): Risk score from 0 to 100, assigned by ThreatStream's
predictive analytics technology to observables.
country (String): Two-letter ISO country code for the IP associated with the
observable. For example, US, CN, DE, and so on.
created_by (String): Email address of the user who submitted the import job
containing the observable.
created_ts (Date): UTC time stamp of when the observable was first created in
ThreatStream. Date can be specified as follows:
- In this format: YYYY-MM-DDThh:mm:ss, where T denotes the start of the value
for time. For example, 2014-10-02T20:44:35.
- As a relative time unit, in this format: -<n><unit>, where n is a whole number
and unit is w, d, h, m, s (for weeks, days, hours, minutes, and seconds,
respectively). For example, -2w denotes two weeks, starting NOW.
detail (String): Additional comments and context associated with the observable.
feed_group (String): Name of the group or industry associated with the observable.
For example, healthcare, government, financial. Possible values: behavioral,
education, financial, government, energy, healthcare, spam, hitech, retail.
file_name (String): File name associated with the observable.
file_size (String): Size of the file associated with the observable.
file_type (String): File type associated with the observable.
import_session_id (Numeric): ID of the import session that created the observable
on ThreatStream.
import_source (String): Original source of the observable. Values are only
displayed for observables manually imported through the ThreatStream user
interface by your organization. Import source for observables owned by other
organizations is not visible.
ip (String): IP associated with the observable.
is_osint (Boolean): Whether the observable is from an open source intelligence
feed.
itype (String): Indicator type. For example, c2_ip, compromised_email, apt_md5,
and so on. See "Indicator Types in ThreatStream" on page 702 for a complete list.
lat (Numeric): Latitude associated with the Geo location of the IP.
lon (Numeric): Longitude associated with the Geo location of the IP.
maltype (String): Information regarding a malware family, a CVE ID, or another
attack or threat, associated with the observable.
modified_ts (Date): UTC time stamp of when the observable was last updated in
ThreatStream. Date can be specified as follows:
- In this format: YYYY-MM-DDThh:mm:ss, where T denotes the start of the value
for time. For example, modified_ts > 2014-10-02T20:44:35.
- As a relative time unit, in this format: -<n><unit>, where n is a whole number
and unit is w, d, h, m, s (for weeks, days, hours, minutes, and seconds,
respectively). For example, -2w denotes two weeks, starting NOW. The following
example shows how you will use this field in a filter: modified_ts > -14d.
org (String): Name of the business that owns the IP address associated with the
observable. For example, Comcast, Amazon, and so on.
Anomali ThreatStream Page 684 of 750
User Guide
Appendix A: Intelligence Fields in ThreatStream
Field Name Type Description
owner_id Numeric ID of the organization (in ThreatStream) that
imported the observable.
rdns String Domain name (obtained through reverse domain
name lookup) associated with the IP address
that is associated with the observable.
registrant_email String Email address of the person who registered the
domain.
This information is obtained from WHOIS.
registrant_name String Name of the person who registered the domain.
registrant_org String Name of the organization that registered the
domain.
registrant_ String Phone number associated with the domain
phone registration.
registrant_ String Street address associated with the domain
address registration.
registration_ Date Time stamp of when the domain was registered.
created_ts
registration_ Date Time stamp of when the domain registration was
modified_ts last updated.
severity String Criticality associated with the threat feed that
supplied the observable.
Possible values: low, medium, high, very-high
source_ Numeric A risk score from 0 to 100, provided by the
reported_ source of the observable.
confidence
stream_id Numeric ID of the threat feed that created the observable
on ThreatStream.
status String Current state of the observable in ThreatStream.
Possible values: active, inactive, falsepos
Anomali ThreatStream Page 685 of 750
User Guide
Appendix A: Intelligence Fields in ThreatStream
Field Name Type Description
subtype String For hash observables—those with type=md5—
subtype provides additional metadata on the
type of hash associated with the observable.
Possible values: MD5, SHA1, SHA256, SHA512
tags String Additional comments and context associated
with the observable when it was imported from
its original threat feed.
Note: Because this field can contain multiple
values, when specifying this field in a filter, make
sure you either specify all of those values,
separated by commas, in the order they appear
in the ThreatStream UI, or use the startswith
operator to specify the beginning of a value you
are looking for. For example, to look for "phish-
target,victim-hi-tech", specify detail ="phish-
target,victim-hi-tech", or detail startswith phish,
or detail startswith victim.
threat_type String Summarized threat type of the observable. For
example, malware, compromised, apt, c2, and
so on.
tlp String Traffic Light Protocol designation for the
observable—red, amber, green, white.
trusted_circle_id String ID of the trusted circle with which the observable
is shared.
type String Data type of the observable.
Possible values: ip, domain, url, email, md5
value String Specifies the value of an observable, whose
type is specified by the "type" field.
Appendix B: Limits in ThreatStream
The table below lists the limits that ThreatStream enforces across the platform.
Custom Dashboards: Number of dashboards per home screen: 10
Custom Dashboards: Widgets per dashboard: 10
PassiveDNS: Requests per minute per user: 20
Sandbox: Detonations a day per organization:
- Cuckoo: 150
- ThreatStream Joe Sandbox: 2
- ThreatStream VMRay: 2
Saved search filters: Character limit: 2,000
Tags: Character limit per tag: 2,000
Tags: Character limit for total tags per observable in a snapshot: 120,000
Appendix C: Supported Attributes for STIX Entities
You can use this page to reference the supported attributes for each STIX Threat Model entity available in ThreatStream.

Supported Attributes for Actors (Threat Actors)
STIX 1.2:
Title
Description
Short_Description
Type
Sophistication
Motivation
Associations:
- Campaigns
- TTPs
STIX 2.0:
name (required)
description
created
modified
labels (required)
Note: If Threat Actor Types is not set in ThreatStream, STIX 2.0 exports will fail.
aliases
roles
goals
resource_level
primary_motivation
secondary_motivations
personal_motivations
external_references (only URLs are included in exports)
Relationships:
- Attack Patterns (uses)
- Identities (attributed-to or impersonates)
- Malware (uses)
- Tools (uses)
- Vulnerabilities (targets)
STIX 2.1:
name (required)
description
created
modified
threat_actor_types (required)
Note: If Threat Actor Types is not set in ThreatStream, STIX 2.1 exports will fail.
aliases
roles
goals
resource_level
primary_motivation
secondary_motivations
personal_motivations
external_references (only URLs are included in exports)
Relationships:
- Attack Patterns (uses)
- Identities (attributed-to or impersonates)
- Infrastructure (compromises, hosts, owns, or uses)
- Malware (uses)
- Tools (uses)
- Vulnerabilities (targets)

Supported Attributes for Attack Patterns
STIX 2.0:
name (required)
description
created
modified
kill_chain_phases
external_references (only URLs are included in exports)
Relationships:
- Identities (targets)
- Tools (uses)
- Vulnerabilities (targets)
STIX 2.1:
name (required)
description
created
modified
kill_chain_phases
external_references (only URLs are included in exports)
aliases
Relationships:
- Identities (targets)
- Malware (delivers or uses)
- Tools (uses)
- Vulnerabilities (targets)

Supported Attributes for Campaigns
STIX 1.2:
Title
Description
Short_Description
Status
Intended_Effect
Associations:
- Actors
- Incidents
- Observables
- TTPs
STIX 2.0:
name (required)
description
created
modified
aliases
first_seen
last_seen
objective
external_references (only URLs are included in exports)
Relationships:
- Actors (attributed-to)
- Attack Patterns (uses)
- Identities (targets)
- Intrusion Set (attributed-to)
- Malware (uses)
- Tools (uses)
- Vulnerability (targets)
STIX 2.1:
name (required)
description
created
modified
aliases
first_seen
last_seen
objective
external_references (only URLs are included in exports)
Relationships:
- Actors (attributed-to)
- Attack Patterns (uses)
- Identities (targets)
- Infrastructure (compromises or uses)
- Intrusion Set (attributed-to)
- Malware (uses)
- Tools (uses)
- Vulnerability (targets)

Supported Attributes for Courses of Action
STIX 2.0:
name (required)
description
created
modified
external_references (only URLs are included in exports)
Relationships:
- Attack Patterns (mitigates)
- Malware (remediates)
- Tool (mitigates)
- Vulnerabilities (mitigates or remediates)
STIX 2.1:
name (required)
description
created
modified
external_references (only URLs are included in exports)
os_execution_envs
Relationships:
- Attack Patterns (mitigates)
- Malware (remediates)
- Observables (investigates or mitigates)
- Tool (mitigates)
- Vulnerabilities (mitigates or remediates)

Supported Attributes for Identities
STIX 2.0:
name (required)
description
created
modified
labels
identity_class (required)
Note: If Identity Class is not set in ThreatStream, STIX 2.0 exports will fail.
sectors
contact_information
external_references (only URLs are included in exports)
STIX 2.1:
name (required)
description
created
modified
labels
identity_class (required)
Note: If Identity Class is not set in ThreatStream, STIX 2.1 exports will fail.
sectors
contact_information
external_references (only URLs are included in exports)
roles

Supported Attributes for Indicators
STIX 1.2:
Title
Description
Observable
Type
Handling (TLP)
Confidence
Producer
Cybox:Keywords
Note: Tags associated with observables in ThreatStream are exported as Cybox:Keywords. Exports can include up to 250 tags for an observable.
STIX 2.0:
created
modified
name
description
pattern (required)
valid_from (required)
labels (required)
object_marking_refs (TLP)
pattern_type (required)
STIX 2.1:
created
modified
name
description
pattern (required)
valid_from (required)
indicator_types (required)
object_marking_refs (TLP)
pattern_type (required)

Supported Attributes for Incidents
STIX 1.2:
Title
Description
Status
Intended_Effect
Relationships:
- Actors
- Observables
- TTPs

Supported Attributes for Infrastructure
STIX 2.1:
name (required)
description
created
modified
infrastructure_types (required)
aliases
kill_chain_phases
first_seen
last_seen
Relationships:
- Infrastructure (communicates-with, consists-of, controls, or uses)
- Malware (controls, delivers, or hosts)
- Tools (hosts)
- Vulnerabilities (has)

Supported Attributes for Intrusion Sets
STIX 2.0:
name (required)
description
created
modified
aliases
first_seen
last_seen
goals
resource_level
primary_motivation
secondary_motivations
external_references (only URLs are included in exports)
Relationships:
- Actors (attributed-to)
- Attack Patterns (uses)
- Identities (targets)
- Tool (uses)
- Vulnerabilities (targets)
STIX 2.1:
name (required)
description
created
modified
aliases
first_seen
last_seen
goals
resource_level
primary_motivation
secondary_motivations
external_references (only URLs are included in exports)
Relationships:
- Actors (attributed-to)
- Attack Patterns (uses)
- Identities (targets)
- Infrastructure (compromises, hosts, owns, or uses)
- Tool (uses)
- Vulnerabilities (targets)

Supported Attributes for Malware
STIX 2.0:
name (required)
description
created
modified
labels (required)
Note: If Malware Type is not set in ThreatStream, STIX 2.0 exports will fail.
kill_chain_phases
external_references (only URLs are included in exports)
Relationships:
- Identities (targets)
- Malware (variant-of)
- Tool (downloads, drops, or uses)
- Vulnerability (exploits or targets)
STIX 2.1:
name (required)
description
created
modified
malware_types (required)
Note: If Malware Type is not set in ThreatStream, STIX 2.1 exports will fail.
kill_chain_phases
external_references (only URLs are included in exports)
is_family (required)
aliases
first_seen
last_seen
implementation_languages
capabilities
Relationships:
- Actor (authored-by)
- Attack Patterns (uses)
- Identities (targets)
- Infrastructure (beacons-to, exfiltrates-to, targets, or uses)
- Intrusion Sets (authored-by)
- Malware (controls, downloads, drops, uses, or variant-of)
- Tool (downloads, drops, or uses)
- Vulnerability (exploits or targets)

Supported Attributes for Threat Bulletins (Reports)
STIX 1.2:
Title
Timestamps
TLP
Body
Tags
Intelligence Source
Associations:
- Actors
- Campaigns
- Incidents
- Observables
- TTPs
STIX 2.0:
name (required)
description
created
modified
labels
published
object_refs
external_references (only URLs are included in exports)
STIX 2.1:
name (required)
description
created
modified
labels
published
object_refs
external_references (only URLs are included in exports)

Supported Attributes for Tools
STIX 2.0:
name (required)
description
created
modified
labels (required)
Note: If Tool Types is not set in ThreatStream, STIX 2.0 exports will fail.
kill_chain_phases
tool_version
external_references
Relationships:
- Identities (targets)
- Vulnerabilities (has or targets)
STIX 2.1:
name (required)
description
created
modified
tool_types
Note: If Tool Types is not set in ThreatStream, STIX 2.1 exports will fail.
kill_chain_phases
tool_version
external_references
aliases
Relationships:
- Identities (targets)
- Infrastructure (targets or uses)
- Malware (delivers or drops)
- Vulnerabilities (has or targets)

Supported Attributes for TTPs
STIX 1.2:
Title
Description
Short_Description
Behavior > Attack_Patterns > Attack_Pattern > Title, Description
Behavior > Malware > Malware_Instance > Type, Title, Description
Behavior > Exploits > Exploit > Title, Description
Kill_Chain_Phases
If a CAPEC TTP or a Threat Model entity associated with that TTP (see "Viewing TTP Details" on page 500) is exported, the "Behavior > Attack_Patterns > Attack_Pattern > capec_id" attribute is added to the exported XML file to preserve identification of the CAPEC TTP.
When an XML file containing a TTP with the "Behavior > Attack_Patterns > Attack_Pattern > capec_id" attribute is imported, the TTP content in the XML file is not copied because it refers to an existing CAPEC on ThreatStream. Instead, the references to the TTP are updated to point to the existing CAPEC on ThreatStream.

Supported Attributes for Vulnerabilities
STIX 2.0:
name (required)
description
created
modified
external_references (only URLs are included in exports)
STIX 2.1:
name (required)
description
created
modified
external_references (only URLs are included in exports)
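Several of the Notes above say that an export fails when a required property (Threat Actor Types, Identity Class, Malware Type, Tool Types) is unset, so a check before the export job is submitted saves a failed run. The Python below is an added example, not ThreatStream code: it transcribes the properties the tables mark "(required)" (plus the ones the Notes say cause a failure) per entity and STIX version, and reports what each constructed record is missing. The entity type names follow STIX object type conventions (threat-actor, identity, malware, and so on); the record shape, the placeholder ids and the helper names are assumptions.

```python
"""Pre-export check for STIX 2.0 / 2.1 required properties.

Added example, not ThreatStream code. REQUIRED is transcribed from the
Appendix C tables: properties marked "(required)" plus the properties whose
Notes say an export fails when they are unset. Entity records are plain dicts
whose "type" is the STIX object type; the records below are constructed.
"""
from typing import Any, Dict, List, Tuple

REQUIRED: Dict[Tuple[str, str], List[str]] = {
    ("threat-actor", "2.0"): ["name", "labels"],
    ("threat-actor", "2.1"): ["name", "threat_actor_types"],
    ("attack-pattern", "2.0"): ["name"],
    ("attack-pattern", "2.1"): ["name"],
    ("campaign", "2.0"): ["name"],
    ("campaign", "2.1"): ["name"],
    ("course-of-action", "2.0"): ["name"],
    ("course-of-action", "2.1"): ["name"],
    ("identity", "2.0"): ["name", "identity_class"],
    ("identity", "2.1"): ["name", "identity_class"],
    ("indicator", "2.0"): ["pattern", "valid_from", "labels", "pattern_type"],
    ("indicator", "2.1"): ["pattern", "valid_from", "indicator_types", "pattern_type"],
    ("infrastructure", "2.1"): ["name", "infrastructure_types"],
    ("intrusion-set", "2.0"): ["name"],
    ("intrusion-set", "2.1"): ["name"],
    ("malware", "2.0"): ["name", "labels"],
    ("malware", "2.1"): ["name", "malware_types", "is_family"],
    ("report", "2.0"): ["name"],
    ("report", "2.1"): ["name"],
    ("tool", "2.0"): ["name", "labels"],
    # tool_types is not marked "(required)" for 2.1 in the table, but the
    # Note says exports fail without Tool Types, so it is checked here.
    ("tool", "2.1"): ["name", "tool_types"],
    ("vulnerability", "2.0"): ["name"],
    ("vulnerability", "2.1"): ["name"],
}


def _is_unset(value: Any) -> bool:
    """Treat missing, None, empty string and empty list as unset.

    False is a legitimate value for malware.is_family, so booleans count as set.
    """
    if isinstance(value, bool):
        return False
    return value is None or value == "" or value == []


def missing_properties(entity: Dict[str, Any], version: str) -> List[str]:
    """Required properties that are unset on `entity` for the given STIX version."""
    key = (entity["type"], version)
    if key not in REQUIRED:
        raise ValueError(f"{entity['type']} cannot be exported as STIX {version}")
    return [prop for prop in REQUIRED[key] if _is_unset(entity.get(prop))]


def export_precheck(entities: List[Dict[str, Any]], version: str) -> Dict[str, List[str]]:
    """Map each failing entity id to its missing properties; an empty dict means OK."""
    problems: Dict[str, List[str]] = {}
    for entity in entities:
        missing = missing_properties(entity, version)
        if missing:
            problems[entity["id"]] = missing
    return problems


# Constructed records with placeholder ids (not real ThreatStream data).
SAMPLE_ENTITIES = [
    {"id": "threat-actor--constructed-1", "type": "threat-actor",
     "name": "Example Actor", "aliases": ["EA"]},            # no threat_actor_types
    {"id": "identity--constructed-2", "type": "identity",
     "name": "Example Org", "identity_class": "organization"},
    {"id": "malware--constructed-3", "type": "malware",
     "name": "Example Loader", "malware_types": ["downloader"], "is_family": False},
]


if __name__ == "__main__":
    print(export_precheck(SAMPLE_ENTITIES, "2.1"))
    # {'threat-actor--constructed-1': ['threat_actor_types']}
```

Infrastructure only appears in the STIX 2.1 table, so asking for it under 2.0 raises rather than silently passing; that mirrors the tables, where an entity with no column for a version has no supported export in that version.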
Appendix D: Indicator Types in ThreatStream
The following table lists all available indicator types in ThreatStream.
The severity values listed in the table below are the default severity values that Anomali assigns to observables of a given indicator type. However, default values are not displayed in the following cases:
1. When the severity value assigned to the observable by its source is used
2. When users modify the assigned value while editing observables that belong to their organizations on ThreatStream
Notes:
- Observables assigned indicator types that show String in the Type column below are not consumed by downstream integrations such as Anomali Match or those that receive intelligence through ThreatStream Integrator. Additionally, string-type observables cannot be cloned in ThreatStream.
- MD5 observables ingested from feeds are never made inactive by ThreatStream. However, MD5 observables imported through other means, such as the import assistant, adhere to the expiration dates you set.
Each entry below is listed as: indicator type (Name; Type; Severity): Description, followed by an example filter.
actor_ip (Actor IP; IP; Low): IP address associated with a system involved in malicious activity. Example: itype="actor_ip"
actor_ipv6 (Actor IPv6; IP; Low): IPv6 address associated with a system involved in malicious activity. Example: itype="actor_ipv6"
actor_subject (Actor Subject Line; String; High): Subject from an email associated with a threat actor. Example: itype="actor_subject"
adware_domain (Adware Domain; Domain; Low): A domain name associated with adware or other Potentially Unwanted Applications (PUA). Example: itype="adware_domain"
adware_registry_key (Adware Registry Key; String; Low): A registry key associated with adware or other Potentially Unwanted Applications (PUA). Example: itype="adware_registry_key"
anon_proxy (Anonymous Proxy IP; IP; Low): IP address of the system on which anonymous proxy software is hosted. Example: itype="anon_proxy"
anon_proxy_ipv6 (Anonymous Proxy IPv6; IP; Low): IPv6 address of the system on which anonymous proxy software is hosted. Example: itype="anon_proxy_ipv6"
anon_vpn (Anonymous VPN IP; IP; Low): IP address associated with commercial or free Virtual Private Networks (VPN). Example: itype="anon_vpn"
anon_vpn_ipv6 (Anonymous; IP; Low): IPv6 address associated with commercial or free Virtual Private Networks (VPN). Example: itype="anon_vpn_ipv6"
apt_domain (APT Domain; Domain; Very-High): Domain name associated with a known Advanced Persistent Threat (APT) actor, used for command and control, launching exploits, or data exfiltration. Example: itype="apt_domain"
apt_email (APT Email; Email; High): Email address used by a known Advanced Persistent Threat (APT) actor for sending targeted, spear phishing emails. Example: itype="apt_email"
apt_email_subject (APT Email Subject Line; String; High): Subject from an email associated with an Advanced Persistent Threat (APT) actor. Example: itype="apt_email_subject"
apt_file_name (APT File Name; String; Very-High): Name of a file used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_file_name"
apt_file_path (APT File Path; String; Very-High): File path used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_file_path"
apt_ip (APT IP; IP; Very-High): IP address associated with a known Advanced Persistent Threat (APT) actor, used for command and control, data exfiltration, or targeted exploitation. Example: itype="apt_ip"
apt_ipv6 (APT IPv6; IP; Very-High): IPv6 address associated with a known Advanced Persistent Threat (APT) actor, used for command and control, data exfiltration, or targeted exploitation. Example: itype="apt_ipv6"
apt_md5 (APT File Hash; Hash; Very-High): MD5 or SHA hash of a malware sample used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_md5"
apt_mta (APT Mail Transfer Agent; String; Very-High): Mail transfer agent used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_mta"
apt_mutex (APT Mutex; String; Very-High): Mutex used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_mutex"
apt_registry_key (APT Registry Key; String; Very-High): Registry key used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_registry_key"
apt_service_description (APT Service Description; String; Very-High): Service description used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_service_description"
apt_service_displayname (APT Service Display Name; String; Very-High): Service display name used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_service_displayname"
apt_service_name (APT Service Name; String; Very-High): Service name used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_service_name"
apt_ssdeep (APT SSDeep Hash; String; Very-High): SSDeep hash used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_ssdeep"
apt_subject (APT Subject Line; String; High): Email subject line used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_subject"
apt_ua (APT User Agent; String; High): User agent string used by a known Advanced Persistent Threat (APT) actor. Example: itype="apt_ua"
apt_url (APT URL; URL; Very-High): URL used by a known Advanced Persistent Threat (APT) actor for command and control, launching web based exploits, or data exfiltration. Example: itype="apt_url"
bot_ip (Infected Bot IP; IP; Low): IP address of an infected machine acting as an autonomous bot. Example: itype="bot_ip"
bot_ipv6 (Infected Bot IPv6; IP; Low): IPv6 address of an infected machine acting as an autonomous bot. Example: itype="bot_ipv6"
brute_ip (Brute Force IP; IP; Low): IP address associated with password brute force activity. Example: itype="brute_ip"
brute_ipv6 (Brute Force IPv6; IP; Low): IPv6 address associated with password brute force activity. Example: itype="brute_ipv6"
c2_domain (Malware C&C Domain Name; Domain; High): Domain name used by malware for command and control communication. Example: itype="c2_domain"
c2_ip (Malware C&C IP Address; IP; High): IP address used by malware for command and control communication. Example: itype="c2_ip"
c2_ipv6 (Malware C&C IPv6 Address; IP; High): IPv6 address used by malware for command and control communication. Example: itype="c2_ipv6"
c2_url (Malware C&C URL; URL; High): URL used by malware for command and control communication. Example: itype="c2_url"
comm_proxy_domain (Commercial Webproxy Domain; Domain; Low): Domain of the system on which commercial proxy software is hosted. Example: itype="comm_proxy_domain"
comm_proxy_ip (Commercial Webproxy IP; IP; Low): IP address of the system on which commercial proxy software is hosted. Example: itype="comm_proxy_ip"
compromised_domain (Compromised Domain; Domain; Low): Domain name of a website or server that has been compromised. Example: itype="compromised_domain"
compromised_email (Compromised Account Email; Email; Low): Email address that has been compromised and/or taken over by a threat actor. Example: itype="compromised_email"
compromised_email_subject (Compromised Email Subject; String; Low): Email subject from a known compromised email address. Example: itype="compromised_email_subject"
compromised_ip (Compromised IP; IP; Low): IP address of a website or server that has been compromised. Example: itype="compromised_ip"
compromised_ipv6 (Compromised IPv6; IP; Low): IPv6 address of a website or server that has been compromised. Example: itype="compromised_ipv6"
compromised_service_account (Compromised Service Account; String; Low): Account information associated with a service account that has been compromised and/or taken over by a threat actor. Example: itype="compromised_service_account"
compromised_url (Compromised URL; URL; Medium): URL of the website or server that has been compromised. Example: itype="compromised_url"
crypto_hash (Cryptocurrency Mining Software; Hash; High): File hash of cryptocurrency mining software. Example: itype="crypto_hash"
crypto_ip (Cryptocurrency IP; IP; High): IP address associated with cryptocurrency mining software. Example: itype="crypto_ip"
crypto_pool (Cryptocurrency Pool Domain; Domain; High): Domain of a cryptocurrency mining pool. Example: itype="crypto_pool"
crypto_url (Cryptocurrency URL; URL; High): URL where cryptocurrency mining software is hosted. Example: itype="crypto_url"
crypto_wallet (Cryptocurrency Wallet Address; String; Very-High): Public or private cryptocurrency wallet key. Example: itype="crypto_wallet"
ddos_ip (DDOS IP; IP; Low): IP address associated with Distributed Denial of Service (DDoS) attacks. Example: itype="ddos_ip"
ddos_ipv6 (DDOS IPv6; IP; Low): IPv6 address associated with Distributed Denial of Service (DDoS) attacks. Example: itype="ddos_ipv6"
disposable_email_domain (Disposable Email Domain; Email; Low): Domain associated with disposable email activity. Example: itype="disposable_email_domain"
dyn_dns (Dynamic DNS; Domain; Low): Domain name used for hosting Dynamic DNS services. Example: itype="dyn_dns"
email_attachment_subject (Email Attachment Subject; String; Low): Email subject from a known compromised email attachment. Example: itype="email_attachment_subject"
exfil_domain (Data Exfiltration Domain; Domain; High): Domain name associated with the infrastructure used for data exfiltration. Example: itype="exfil_domain"
exfil_ip (Data Exfiltration IP; IP; High): IP address used for data exfiltration. Example: itype="exfil_ip"
exfil_ipv6 (Data Exfiltration IP; IP; High): IPv6 address used for data exfiltration. Example: itype="exfil_ipv6"
exfil_url (Data Exfiltration URL; URL; High): URL used for data exfiltration. Example: itype="exfil_url"
exploit_domain (Exploit Kit Domain; Domain; Very-High): Domain name associated with the web server hosting an exploit kit or launching web-based exploits. Example: itype="exploit_domain"
exploit_ip (Exploit Kit IP; IP; High): IP address associated with the web server hosting an exploit kit or launching web-based exploits. Example: itype="exploit_ip"
exploit_ipv6 (Exploit Kit IPv6; IP; High): IPv6 address associated with the web server hosting an exploit kit or launching web-based exploits. Example: itype="exploit_ipv6"
exploit_url (Exploit Kit URL; URL; Very-High): URL used for launching web-based exploits. Example: itype="exploit_url"
fraud_domain (Fraud Hash; Domain; High): Domain associated with fraudulent activity. Example: itype="fraud_domain"
fraud_email (Fraud Email; Email; Low): Email address associated with fraudulent activity. Example: itype="fraud_email"
fraud_email_subject (Fraud Email Subject; String; Medium): Subject from an email associated with fraudulent activity. Example: itype="fraud_email_subject"
fraud_ip (Fraud IP Address; IP; High): IP address associated with fraudulent activity. Example: itype="fraud_ip"
fraud_md5 (Fraud Hash; Hash; Very-High): Hash associated with fraudulent activity. Example: itype="fraud_md5"
fraud_url (Fraud URL; URL; Medium): URL associated with fraudulent activity. Example: itype="fraud_url"
free_email_domain (Free Email Domain; Domain; Low): Domain associated with free email service activity. Example: itype="free_email_domain"
geolocation_url (IP Geolocation URL; URL; Low): URL that can be used to provide IP geolocation services. Example: itype="geolocation_url"
hack_tool (Hacking Tool; String; High): Name of general hacking software tools used by threat actors. Example: itype="hack_tool"
hack_tool_md5 (Hack Tool File Hash; Hash; Very-High): MD5 or SHA hash of general hacking software tools used by threat actors. Example: itype="hack_tool_md5"
i2p_ip (I2P IP Address; IP; Low): IP address observed to be connecting to the I2P (Invisible Internet Project) network. Example: itype="i2p_ip"
i2p_ipv6 (I2P IPv6 Address; IP; Low): IPv6 address observed to be connecting to the I2P (Invisible Internet Project) network. Example: itype="i2p_ipv6"
ipcheck_url (IP Check URL; URL; Low): URL that can be used to provide IP checking services, such as echoing the Internet-facing IP address of the client. Example: itype="ipcheck_url"
mal_domain (Malware Domain; Domain; Very-High): Domain contacted by a malware sample; could be for command and control commands, or to check whether the client is online. Example: itype="mal_domain"
mal_email (Malware Email; Email; Low): Email address used to send malware through malicious links or attachments. Example: itype="mal_email"
mal_email_subject (Malware Email Subject; String; Medium): Subject from an email associated with malware activity. Example: itype="mal_email_subject"
mal_file_name (Malware File Name; String; Very-High): File name of a malware sample. Example: itype="mal_file_name"
mal_file_path (Malware File Path; String; Very-High): File path of a malware sample. Example: itype="mal_file_path"
mal_ip (Malware C&C IP; IP; Very-High): IP address contacted by a malware sample; could be for command and control commands, or to check whether the client is online. Example: itype="mal_ip"
mal_ipv6 (Malware C&C IPv6; IP; Very-High): IPv6 address contacted by a malware sample; could be for command and control commands, or to check whether the client is online. Example: itype="mal_ipv6"
mal_md5 (Malware File Hash; Hash; Very-High): MD5 or SHA hash of a malware sample. Example: itype="mal_md5"
mal_mutex (Malware Mutex; String; Very-High): Mutex of a malware sample. Example: itype="mal_mutex"
mal_registry_key (Malware Registry Key; String; High): Registry key of a malware sample. Example: itype="mal_registry_key"
mal_service_description (Malware Service Description; String; Very-High): Service description associated with a malware sample. Example: itype="mal_service_description"
mal_service_displayname (Malware Service Display Name; String; Very-High): Service display name associated with a malware sample. Example: itype="mal_service_displayname"
mal_service_name (Malware Service Name; String; Very-High): Service name associated with a malware sample. Example: itype="mal_service_name"
mal_ssdeep (Malware SSDeep Hash; String; Very-High): SSDeep hash associated with a malware sample. Example: itype="mal_ssdeep"
mal_sslcert_sh1 (SSL Certificate Hash; Hash; High): MD5 or SHA hash of an SSL certificate associated with malware or botnet activities. Example: itype="mal_sslcert_sh1"
mal_ua (Malware User Agent; String; Low): User agent string used by a malware sample when communicating via HTTP. Example: itype="mal_ua"
mal_url (Malware URL; URL; Very-High): URL contacted by a malware sample when run on an infected host. Example: itype="mal_url"
p2pcnc (Peer-to-Peer C&C IP Address; IP; Medium): IP address associated with a peer-to-peer command and control infrastructure. Example: itype="p2pcnc"
p2pcnc_ipv6 (Peer-to-Peer C&C IPv6 Address; IP; Medium): IPv6 address associated with a peer-to-peer command and control infrastructure. Example: itype="p2pcnc_ipv6"
parked_domain (Parked Domain; Domain; Low): A domain name of a website that is currently parked. Example: itype="parked_domain"
parked_ip (Domain Parking IP; IP; Low): An IP address used for parking newly registered or inactive domain names. Example: itype="parked_ip"
parked_ipv6 (Domain Parking IPv6; IP; Low): An IPv6 address used for parking newly registered or inactive domain names. Example: itype="parked_ipv6"
parked_url (Parked URL; URL; Low): A URL of a website that is currently parked. Example: itype="parked_url"
pastesite_url (Paste Site URL; URL; Low): A URL that can be used for sharing pastes or text content anonymously. Example: itype="pastesite_url"
phish_domain (Phishing Domain; Domain; Very-High): A domain used to perform phishing or spear phishing attacks, or contained in a phishing email. Example: itype="phish_domain"
phish_email (Phishing Email Address; Email; Very-High): An email address associated with sending phishing or spear phishing emails to victims. Example: itype="phish_email"
phish_email_subject (Phishing Email Subject; String; High): Subject from an email associated with phishing activity. Example: itype="phish_email_subject"
phish_ip (Phishing IP Address; IP; Very-High): IP address that has been used to perform phishing or spear phishing, or is contained in a phishing email. Example: itype="phish_ip"
phish_ipv6 (Phishing IPv6 Address; IP; Very-High): IPv6 address that has been used to perform phishing or spear phishing, or is contained in a phishing email. Example: itype="phish_ipv6"
phish_md5 (Phishing File Hash; Hash; Very-High): Hash related to a file used to perform phishing or spear phishing attacks, or contained in a phishing email. Example: itype="phish_md5"
phish_url Phishing URL URL Very- A URL used to
High perform phishing or
spear phishing
attacks or contained
in a phishing email.
Example:
itype="phish_url"
proxy_ip Open Proxy IP IP Low IP address hosting
open or anonymous
proxy software.
Allows user to hide
their IP address from
target.
Example:
itype="proxy_ip"
Anomali ThreatStream Page 724 of 750
User Guide
Appendix D: Indicator Types in ThreatStream
Indicator Type Name Type Severity Description
proxy_ipv6 Open Proxy IP Low IPv6 address hosting
IPv6 open or anonymous
proxy software.
Allows user to hide
their IP address from
target.
Example:
itype="proxy_ipv6"
scan_ip Scanning IP IP Medium IP address observed
to perform port
scanning and
vulnerability scanning
activities.
Example:
itype="scan_ip"
scan_ipv6 Scanning IPv6 IP Medium IPv6 address
observed to perform
port scanning and
vulnerability scanning
activities.
Example:
itype="scan_ipv6"
sinkhole_ Sinkhole Domain Low A domain name that
domain Domain researchers or
security companies
typically sinkhole.
Example:
itype="sinkhole_
domain"
Anomali ThreatStream Page 725 of 750
User Guide
Appendix D: Indicator Types in ThreatStream
Indicator Type Name Type Severity Description
sinkhole_ip Sinkhole IP IP Low An IP address that is
known to be used to
sinkhole malicious
domain names.
Example:
itype="sinkhole_ip"
sinkhole_ipv6 Sinkhole IPv6 IP Low An IPv6 address that
is known to be used to
sinkhole malicious
domain names.
Example:
itype="sinkhole_ipv6"
social_media_ Social Media URL Medium URL related to social
url URL media activity. This
indicator type is
provided by select
feeds and cannot be
imported through the
ThreatStream user
interface.
Example:
itype="social_media_
url"
spam_domain Spam Domain Domain Low A malicious domain
name contained in the
SPAM email
messages.
Example:
itype="spam_domain"
Anomali ThreatStream Page 726 of 750
User Guide
Appendix D: Indicator Types in ThreatStream
Indicator Type Name Type Severity Description
spam_email Spammer Email Email Low Email address that
Address has been observed
sending SPAM
emails.
Example:
itype="spam_email"
spam_email_ Spam Email String Low Subject from an email
subject Subject associated with spam
activity.
Example:
itype="spam_email_
subject"
spam_ip Spammer IP IP Low An IP address that is
known to send SPAM
emails.
Example:
itype="spam_ip"
spam_ipv6 Spammer IPv6 IP Low An IPv6 address that
is known to send
SPAM emails.
Example:
itype="spam_ipv6"
spam_mta Spam Mail String Low Mail transfer agent
Transfer Agent known to be
associated with
SPAM emails.
Example:
itype="spam_mta"
Anomali ThreatStream Page 727 of 750
User Guide
Appendix D: Indicator Types in ThreatStream
Indicator Type Name Type Severity Description
spam_url Spam URL URL Low A malicious URL
contained in the
SPAM email
messages.
Example:
itype="spam_url"
speedtest_url Speed Test URL Low A URL that can be
URL used to run internet
speed tests or
bandwidth
measurements of the
client's network
connection.
Example:
itype="speedtest_url"
ssh_ip SSH Brute IP Low IP addresses
Force IP associated with SSH
brute force attempts.
Example: itype="ssh_
ip"
ssh_ipv6 SSH Brute IP Low IPv6 addresses
Force IPv6 associated with SSH
brute force attempts.
Example: itype="ssh_
ipv6"
ssl_cert_ SSL Certificate String Low Serial number unique
serial_number Serial Number to the TLS certificate
issuer that identifies
the entity being
signed.
Example: itype="ssl_
cert_serial_number"
Anomali ThreatStream Page 728 of 750
User Guide
Appendix D: Indicator Types in ThreatStream
Indicator Type Name Type Severity Description
suppress Suppress n/a n/a Not a true indicator
type. Used by
Arcsight for
suppressing false
positives.
Default Severity: n/a
Example:
itype="suppress"
suspicious_ Suspicious Domain Medium A domain name that
domain Domain appears to be
registered for suspect
reasons, but may not
be associated with
known malicious
activity yet.
Example:
itype="suspicious_
domain"
suspicious_ Suspicious Email Low An email address that
email Email appears to be used
for suspect reasons,
but may not be
associated with
known malicious
activity yet.
Example:
itype="suspicious_
email"
suspicious_ Suspicious String Low Email subject from a
email_subject Email Subject suspicious email
address.
Anomali ThreatStream Page 729 of 750
User Guide
Appendix D: Indicator Types in ThreatStream
Indicator Type Name Type Severity Description
suspicious_ip Suspicious IP IP Medium An IP address that
appears to be
registered for suspect
reasons, but may not
be associated with
known malicious
activity yet.
Example:
itype="suspicious_ip"
suspicious_ Suspicious Email Low A registrant email
reg_email Registrant address that appears
Email to be used for suspect
reasons, but may not
be associated with
known malicious
activity yet.
Example:
itype="suspicious_
reg_email"
suspicious_url Suspicious URL URL Medium A URL that appears to
be registered for
suspect reasons, but
may not be
associated with
known malicious
activity yet.
Example:
itype="suspicious_
url"
Anomali ThreatStream Page 730 of 750
User Guide
Appendix D: Indicator Types in ThreatStream
Indicator Type Name Type Severity Description
tor_ip TOR Node IP IP Low An IP address
operating as part of
The Onion Router
(TOR) Network, also
know as a TOR exit
node.
Example: itype="tor_
ip"
tor_ipv6 TOR Node IPv6 IP Low An IPv6 address
operating as part of
The Onion Router
(TOR) Network, also
know as a TOR exit
node.
Example: itype="tor_
ipv6"
torrent_ Torrent Tracker URL Low A URL used for
tracker_url URL tracking bittorrent file
transfer activity.
Example:
itype="torrent_
tracker_url"
vpn_domain Anonymous Domain Low A domain name
VPN Domain associated with
commercial or free
Virtual Private
Networks (VPN).
Example: itype="vpn_
domain"
Anomali ThreatStream Page 731 of 750
User Guide
Appendix D: Indicator Types in ThreatStream
Indicator Type Name Type Severity Description
vps_ip Cloud Server IP IP Low An IP address that is
used for hosting
Virtual Private
Servers (VPS) or
other server rentals.
Example: itype="vps_
ip"
vps_ipv6 Cloud Server IP Low An IPv6 address that
IPv6 is used for hosting
Virtual Private
Servers (VPS) or
other server rentals.
Example: itype="vps_
ipv6"
whois_bulk_ Whois Bulk Email Low A registrant email
reg_email Registrant address associated
Email with privacy domain
purchased from
Whois.
Example:
itype="whois_bulk_
reg_email"
whois_privacy_ Whois Privacy Domain Low Privacy domain
domain Email Domain purchased from
Whois.
Example:
itype="whois_
privacy_domain"
whois_privacy_ Whois Privacy Email Low Email address
email Email associated with
privacy domain
purchased from
Whois.
Example:
itype="whois_
privacy_email"
Anomali ThreatStream Page 732 of 750
Appendix E: Threat Types in ThreatStream
During the import process, ThreatStream uses machine learning to assign indicator types to imported observables based on the threat type you select. The following table lists all available threat types in ThreatStream, in addition to the indicator types with which they are associated. For more on indicator types, see Indicator Types in ThreatStream.
Threat Type | Name | Example | Associated Indicator Types
adware | Adware | threat_type="adware" | adware_domain
anomalous | Anomalous | threat_type="anomalous" | geolocation_url, ipcheck_url, speedtest_url
anonymization | Anonymization | threat_type="anonymization" | anon_proxy, anon_proxy_ipv6, anon_vpn, anon_vpn_ipv6, proxy_ip, proxy_ipv6, vpn_domain
apt | APT | threat_type="apt" | apt_domain, apt_email, apt_email_subject, apt_file_name, apt_file_path, apt_ip, apt_ipv6, apt_md5, apt_mta, apt_mutex, apt_registry_key, apt_service_description, apt_service_displayname, apt_service_name, apt_ssdeep, apt_subject, apt_ua, apt_url
bot | Bot | threat_type="bot" | bot_ip, bot_ipv6
brute | Brute | threat_type="brute" | brute_ip, brute_ipv6, ssh_ip, ssh_ipv6
c2 | C2 | threat_type="c2" | c2_domain, c2_ip, c2_ipv6, c2_url
compromised | Compromised | threat_type="compromised" | compromised_domain, compromised_email, compromised_email_subject, compromised_ip, compromised_ipv6, compromised_url
crypto | Crypto | threat_type="crypto" | crypto_hash, crypto_ip, crypto_pool, crypto_url, crypto_wallet
data_leakage | Data Leakage | threat_type="data_leakage" | pastesite_url
ddos | DDOS | threat_type="ddos" | ddos_ip, ddos_ipv6
dyn_dns | Dynamic DNS | threat_type="dyn_dns" | dyn_dns
exfil | Exfil | threat_type="exfil" | exfil_domain, exfil_ip, exfil_ipv6, exfil_url
exploit | Exploit | threat_type="exploit" | exploit_domain, exploit_ip, exploit_ipv6, exploit_url
fraud | Fraud | threat_type="fraud" | fraud_domain, fraud_email, fraud_email_subject, fraud_ip, fraud_md5, fraud_url
hack_tool | Hacking Tool | threat_type="hack_tool" | hack_tool
i2p | I2P | threat_type="i2p" | i2p_ip, i2p_ipv6
informational | Informational | threat_type="informational" | comm_proxy_domain, comm_proxy_ip, disposable_email_domain, free_email_domain, passphrase, ssl_cert_serial_number, whois_bulk_reg_email, whois_privacy_domain, whois_privacy_email
malware | Malware | threat_type="malware" | mal_domain, mal_email, mal_email_subject, email_attachment_subject, mal_file_name, mal_file_path, mal_ip, mal_ipv6, mal_md5, mal_mutex, mal_registry_key, mal_service_description, mal_service_displayname, mal_service_name, mal_ssdeep, mal_sslcert_sha1, mal_ua, mal_url
p2p | P2P | threat_type="p2p" | actor_ip, actor_ipv6, actor_subject, p2pcnc, p2pcnc_ipv6, torrent_tracker_url
parked | Parked | threat_type="parked" | parked_domain, parked_ip, parked_ipv6, parked_url
phish | Phish | threat_type="phish" | phish_domain, phish_email, phish_email_subject, phish_ip, phish_ipv6, phish_url
scan | Scan | threat_type="scan" | scan_ip, scan_ipv6
sinkhole | Sinkhole | threat_type="sinkhole" | sinkhole_domain, sinkhole_ip, sinkhole_ipv6
spam | Spam | threat_type="spam" | adware_registry_key, spam_domain, spam_email, spam_email_subject, spam_ip, spam_ipv6, spam_mta, spam_url
suppress | Suppress | threat_type="suppress" | suppress
suspicious | Suspicious | threat_type="suspicious" | suspicious_domain, suspicious_email, suspicious_email_subject, suspicious_ip, suspicious_reg_email, suspicious_url
tor | TOR | threat_type="tor" | tor_ip, tor_ipv6
vps | VPS | threat_type="vps" | vps_ip, vps_ipv6
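How Appendix D and Appendix E fit together before an import, as an added example that is not Anomali's code: ThreatStream itself assigns indicator types by machine learning at import time, which is not reproduced here. Instead, this Python pre-import check classifies a raw observable (IPv4, IPv6, URL, email or domain), derives the candidate itype as <threat_type>_<kind>, accepts it only if Appendix E lists that itype for the chosen threat type, and attaches the Appendix D default severity. ASSOCIATED_ITYPES and DEFAULT_SEVERITY are subsets copied from the two tables above; the classification regexes, the record layout returned by build_import_record and the sample values are assumptions made for the example.

```python
"""Pre-import sanity check: derive an itype from the selected threat type and
the observable's form, then validate it against the Appendix E associations."""
import ipaddress
import re

# Subset of Appendix E (threat type -> associated indicator types), copied from the guide.
ASSOCIATED_ITYPES = {
    "phish": {"phish_domain", "phish_email", "phish_email_subject",
              "phish_ip", "phish_ipv6", "phish_url"},
    "scan": {"scan_ip", "scan_ipv6"},
    "sinkhole": {"sinkhole_domain", "sinkhole_ip", "sinkhole_ipv6"},
    "spam": {"adware_registry_key", "spam_domain", "spam_email", "spam_email_subject",
             "spam_ip", "spam_ipv6", "spam_mta", "spam_url"},
    "suspicious": {"suspicious_domain", "suspicious_email", "suspicious_email_subject",
                   "suspicious_ip", "suspicious_reg_email", "suspicious_url"},
    "tor": {"tor_ip", "tor_ipv6"},
}

# Subset of Appendix D (indicator type -> default severity), copied from the guide.
DEFAULT_SEVERITY = {
    "phish_domain": "Very-High", "phish_email": "Very-High", "phish_email_subject": "High",
    "phish_ip": "Very-High", "phish_ipv6": "Very-High", "phish_url": "Very-High",
    "scan_ip": "Medium", "scan_ipv6": "Medium",
    "sinkhole_domain": "Low", "sinkhole_ip": "Low", "sinkhole_ipv6": "Low",
    "spam_domain": "Low", "spam_email": "Low", "spam_email_subject": "Low",
    "spam_ip": "Low", "spam_ipv6": "Low", "spam_mta": "Low", "spam_url": "Low",
    "suspicious_domain": "Medium", "suspicious_email": "Low", "suspicious_email_subject": "Low",
    "suspicious_ip": "Medium", "suspicious_reg_email": "Low", "suspicious_url": "Medium",
    "tor_ip": "Low", "tor_ipv6": "Low",
}

# Assumed, deliberately simple classifiers; ThreatStream's own detection is not reproduced.
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def observable_kind(value):
    """Classify a raw observable as ip, ipv6, url, email or domain.
    The kind names match the suffixes ThreatStream uses in itype names."""
    v = value.strip()
    try:
        return "ipv6" if ipaddress.ip_address(v).version == 6 else "ip"
    except ValueError:
        pass
    if "://" in v:
        return "url"
    if EMAIL_RE.fullmatch(v):
        return "email"
    if DOMAIN_RE.fullmatch(v):
        return "domain"
    raise ValueError(f"cannot classify observable {value!r}")


def suggest_itype(threat_type, value):
    """Candidate itype is <threat_type>_<kind>; it is accepted only when Appendix E
    lists it for that threat type (e.g. scan has no domain indicator type)."""
    kind = observable_kind(value)
    allowed = ASSOCIATED_ITYPES.get(threat_type)
    if allowed is None:
        raise ValueError(f"unknown threat type {threat_type!r}")
    candidate = f"{threat_type}_{kind}"
    if candidate not in allowed:
        raise ValueError(f"threat type {threat_type!r} has no indicator type for a {kind} observable")
    return candidate


def build_import_record(threat_type, value):
    """Assumed record shape for staging an import; the field names are illustrative."""
    itype = suggest_itype(threat_type, value)
    return {"value": value.strip(), "itype": itype,
            "threat_type": threat_type, "severity": DEFAULT_SEVERITY[itype]}


if __name__ == "__main__":
    # Constructed sample observables (documentation address ranges, reserved names).
    for tt, val in [("phish", "2001:db8::1"), ("tor", "203.0.113.5"),
                    ("suspicious", "phishing.example"), ("scan", "phishing.example")]:
        try:
            print(build_import_record(tt, val))
        except ValueError as err:
            print("rejected:", err)
```

The rejection path is the useful part: a record whose itype is not associated with its threat type is exactly the kind of mismatch that is awkward to clean up after it has been pushed to downstream integrations.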
Appendix F: Bolstering Your Security Controls Against the Sunburst Supply Chain Attacks
In the wake of the Sunburst supply chain attacks, the Anomali Threat Research
team is working hard to provide the Anomali community with late breaking
intelligence and analysis as the situation develops.
Want more information on the Sunburst attacks?
• Visit the Anomali Sunburst Attack Resource Center: https://www.anomali.com/learn/sunburst
• Read a blog post on the attacks from the Anomali Threat Research team: https://www.anomali.com/blog/fireeye-solarwinds-hacks-show-that-detection-is-key-to-solid-defense
• Listen to an episode of the Anomali Detect Podcast on the attacks: https://www.anomali.com/resources/podcasts/the-fireeye-solarwinds-hacks-adversaries-want-access-how-to-protect-your-organization
• Watch this video on using Anomali Match and Anomali Lens to discover whether you've been impacted: https://www.anomali.com/resources/videos/have-i-been-impacted-retrospective-search-with-anomali-match-and-lens
ThreatStream has the following resources, features, and tools available for you to
understand and analyze the latest threat intelligence and automate its ingestion in
your downstream security controls and integrations.
• "Threat Model Entities" on the next page
• "Observables" on the next page
• "Themed Custom Dashboard" on page 741
• "My Events Map (customized to Sunburst attacks)" on page 741
It is strongly recommended that you leverage all of these resources and the latest threat intelligence on ThreatStream to ensure the best possible defense for your infrastructure. Additionally, review your current filters to ensure Sunburst-specific threat intelligence is properly forwarded and ingested into your downstream integrations and other security controls.
Threat Model Entities
The Anomali Threat Research team has issued a set of Threat Model entities about
cyber threats related to the Sunburst attacks, including Threat Bulletins and
Signatures.
The following Threat Bulletins are available to grant you context on the attacks and
provide a single source for associated intelligence:
• FireEye Threat Bulletin: https://ui.threatstream.com/tip/1870242
• SolarWinds Threat Bulletin: https://ui.threatstream.com/tip/1876480
The following Signature search filters are available to grant you easy access to all Signature entities associated with the attacks:
• FireEye Red Team Tool Countermeasures Signature filter: https://ui.threatstream.com/threatmodels?model_type=signature&value=%22FireEye%20Red%20Team%20Tool%20Countermeasures%22
• SolarWinds Supply Chain Compromise Signature filter: https://ui.threatstream.com/threatmodels?value=%22solarwinds%20supply%20chain%20compromise%22&model_type=signature
These Threat Model entities are associated with observables, sandbox analysis
reports, and other related threat models thus allowing you to obtain the latest threat
intelligence from one central location and ingest it into your downstream integrations
through Integrator, match against your event logs on Anomali Match, and ingest
into your Splunk instances to automatically scan events in Splunk against the
observables associated with the bulletin.
Observables
The Anomali Threat Research Team is tagging and associating observables related
to the Sunburst attacks as they are discovered. You can use the following
observable search filters to stay up to date on the observables to watch out for in
your infrastructure:
• FireEye Red Team Tool Countermeasures Observables: https://ui.threatstream.com/search?value__re=.*FireEye%20Red%20Team%20Tool%20Countermeasures.*
• SolarWinds Supply Chain Compromise Observables: https://ui.threatstream.com/search?value__re=.solarwinds%20supply%20chain%20compromise
Themed Custom Dashboard
The Anomali Threat Research team has developed a rapid response dashboard to
surface the latest observables related to the Sunburst attacks.
Use the instructions in "Adding Themed Custom Dashboards to Your Home Screen"
on page 49 to add this dashboard to your home screen on ThreatStream. Look for
the Sunburst Backdoor dashboard on the Add Existing tab.
My Events Map (customized to Sunburst attacks)
Anomali recommends enabling the My Events Map to visualize threats tagged with Sunburst-specific threat information from around the world.
To create a My Events Map for Sunburst:
1. Create a Saved Search:
a. Navigate to Analyze > Observables.
b. Click Advanced.
c. For FireEye related observables, enter this in the search text box:
(value contains "FireEye Red Team Tool Countermeasures" or
tags contains "FireEye Red Team Tool Countermeasures")
For SolarWind related observables, enter this in the search text box:
(value contains "SolarWinds Supply Chain Compromise" or tags
contains "SolarWinds Supply Chain Compromise")
d. Click Filter: Save as.
e. Enter a name for the new filter. For example, Sunburst.
f. Click Save.
2. Click Dashboard > My Events.
3. Click Recent Intelligence at the lower right corner of the map to locate the
saved search you created earlier.
4. Select the saved search (for example, Sunburst).
The My Events Map will start populating with threat intelligence related to
Sunburst.
Appendix G: Bolstering Your Security Controls Against COVID-19
Due to an increase in targeted COVID-19 related attacks on organizations and
network infrastructures, Anomali is ensuring that the threat intelligence community
members have the ability to rapidly receive intelligence from Anomali ThreatStream
and distribute it among peers in this community.
ThreatStream has the following resources, features, and tools available for you to
understand and analyze the latest threat intelligence and automate its ingestion in
your downstream security controls and integrations.
• "Threat Bulletin and Campaign" below
• "Trusted Circles" on the next page
• "My Events Map (customized to COVID-19 matches)" on page 745
• "My Alerts - Rules" on page 746
• "Chat - COVID-19" on page 747
It is strongly recommended that you leverage all of these resources and the latest
threat intelligence on ThreatStream to ensure the best possible defense for your
infrastructure. Additionally, review your current filters to ensure COVID-19 specific
threat intelligence is properly forwarded and ingested into your downstream
integrations and other security controls.
Threat Bulletin and Campaign
The Anomali Threat Research team has issued the following Threat Bulletin and
Threat Campaign about cyber threats related to COVID-19:
• Threat Bulletin: https://ui.threatstream.com/tip/686977
• Threat Campaign: https://ui.threatstream.com/campaign/60704
These threat models are associated with observables, sandbox analysis reports,
and other related threat models thus allowing you to obtain the latest threat
intelligence from one central location and ingest it into your downstream integrations
through Integrator, match against your event logs on Anomali Match, and ingest into your Splunk instances to automatically scan events in Splunk against the
observables associated with the bulletin.
The Threat Bulletin and the Threat Campaign are automatically available to you in
human-readable and machine-readable forms if you have purchased the Anomali
Labs Premium Feed from the ThreatStream APP Store.
Trusted Circles
Anomali recommends joining the following Public Trusted Circles on ThreatStream.
For information on joining a trusted circle, see "Joining a Trusted Circle" on
page 653.
Trusted Circle | Trusted Circle ID
OSINT News & Other Reports | 10983
OSINT Threat Reports | 10977
OSINT Vulnerability Reports | 10982
Twitter - APT | 11053
Twitter - Compromised Accounts | 10980
Twitter - Compromised Sites | 10981
Twitter - Malware | 10979
Twitter - Social Engineering & Phishing | 10978
Note: The Trusted Circle ID links will only work once your organization has joined them.
Once your organization joins these trusted circles, the following example queries
can be used to view the latest COVID-19 specific threat intelligence available from
these trusted circles:
Observables in the above trusted circles in the last 30 days (adjust the date in the following query accordingly):
https://ui.threatstream.com/search?status=active&created_ts__gte=2020-02-21T18:02:14.177Z&trustedcircles=10983,10977,10980,10981,10979,10978&value__re=.*coronavirus.*
Threat Models in the above trusted circles in the last 30 days (adjust the date in the following query accordingly):
https://ui.threatstream.com/threatmodels?trusted_circle_ids=10980,10981,10979,10978,10983,10977,10982&modified_ts__gte=2020-02-21T00:00:00.000Z
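Both links above embed a fixed cutoff date that has to be moved forward by hand. The following Python is an added example, not Anomali's tooling, that regenerates the two URLs for a rolling window using only the parameter names visible in the links (status, created_ts__gte, trustedcircles, value__re, trusted_circle_ids, modified_ts__gte) and the Trusted Circle IDs from the table above; the timestamp format is copied from the links. The query_params helper decodes a link back into its parameters so you can confirm what a search URL you were sent actually asks for before opening it. The value__re pattern is whatever you supply; FIXED_NOW is an assumed instant chosen so the output matches the guide's own dates.

```python
"""Regenerate the trusted-circle search links with a rolling cutoff date."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "https://ui.threatstream.com"

# Public Trusted Circle IDs from the table above.
TRUSTED_CIRCLES = {
    "OSINT News & Other Reports": 10983,
    "OSINT Threat Reports": 10977,
    "OSINT Vulnerability Reports": 10982,
    "Twitter - APT": 11053,
    "Twitter - Compromised Accounts": 10980,
    "Twitter - Compromised Sites": 10981,
    "Twitter - Malware": 10979,
    "Twitter - Social Engineering & Phishing": 10978,
}

# Assumed instant, 30 days after the cutoff in the guide's links, for a reproducible demo.
FIXED_NOW = datetime(2020, 3, 22, 18, 2, 14, 177000, tzinfo=timezone.utc)


def ts_iso(dt):
    """Millisecond UTC timestamp in the form the links use (2020-02-21T18:02:14.177Z)."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def cutoff(days, now=None):
    """Start of the rolling window; `now` is injectable so results are reproducible."""
    return (now or datetime.now(timezone.utc)) - timedelta(days=days)


def observables_url(circle_ids, value_regex, days=30, now=None):
    """Active observables created in the window, in the given circles, matching value_regex."""
    params = {
        "status": "active",
        "created_ts__gte": ts_iso(cutoff(days, now)),
        "trustedcircles": ",".join(str(i) for i in circle_ids),
        "value__re": value_regex,
    }
    # Keep ',', ':' and '*' unescaped so the result looks like the guide's links.
    return f"{BASE}/search?" + urlencode(params, safe=",:*")


def threatmodels_url(circle_ids, days=30, now=None):
    """Threat models modified since midnight UTC at the start of the window."""
    day_start = cutoff(days, now).replace(hour=0, minute=0, second=0, microsecond=0)
    params = {
        "trusted_circle_ids": ",".join(str(i) for i in circle_ids),
        "modified_ts__gte": ts_iso(day_start),
    }
    return f"{BASE}/threatmodels?" + urlencode(params, safe=",:*")


def query_params(url):
    """Decode a link back into its parameters to see exactly what it asks for."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def example_queries(now=None):
    """The guide's two links, regenerated for `now` (defaults to the current time)."""
    observable_circles = [10983, 10977, 10980, 10981, 10979, 10978]  # as in the guide's link
    return {
        "observables": observables_url(observable_circles, ".*coronavirus.*", now=now),
        "threatmodels": threatmodels_url(sorted(TRUSTED_CIRCLES.values()), now=now),
    }


if __name__ == "__main__":
    for name, url in example_queries().items():
        print(name, url)
        print("   ", query_params(url))
```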
My Events Map (customized to COVID-19 matches)
Anomali recommends enabling the My Events Map to visualize threats tagged with
COVID-19 specific threat information from around the world.
To create a My Events Map for COVID-19:
1. Create a Saved Search:
a. Navigate to Analyze > Observables.
b. Click Advanced.
c. Enter this in the search text box:
(type="ip" or type="ipv6" or type="domain") and
(status="active") and (value contains "COVID-19" or tags
contains "COVID-19")
d. Click Filter: Save as.
e. Enter a name for the new filter. For example, COVID-19 or CoronaVirus.
f. Click Save.
2. Click Dashboard > My Events.
3. Click Recent Intelligence at the lower right corner of the map to locate the
saved search you created earlier.
4. Select the saved search (for example, CoronaVirus).
The My Events Map will start populating with threat intelligence related to
COVID-19.
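The saved-search expressions in step 1c here and in the Sunburst procedure above (field="literal", field contains "literal", combined with and, or and parentheses) can be checked offline against a handful of observables before the filter is saved and wired into a map. The Python parser and evaluator below is an added example, not ThreatStream's query engine: it supports only the constructs those two expressions use, and it assumes that comparisons ignore case and that a list-valued field such as tags matches when any element does. The sample observables are constructed.

```python
"""Parse and evaluate the saved-search filter expressions used in the My Events Map steps."""
import re

TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|(=)|([A-Za-z_][A-Za-z0-9_-]*))')


def tokenize(text):
    """Split an expression into (kind, value) tokens; keywords are case-insensitive."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 12]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("LPAREN", "("))
        elif m.group(2):
            tokens.append(("RPAREN", ")"))
        elif m.group(3) is not None:
            tokens.append(("STRING", m.group(3)))
        elif m.group(4):
            tokens.append(("EQ", "="))
        elif m.group(5).lower() in ("and", "or", "contains"):
            tokens.append(("KW", m.group(5).lower()))
        else:
            tokens.append(("IDENT", m.group(5)))
    return tokens


class Parser:
    """expr := term ('or' term)* ; term := factor ('and' factor)* ;
    factor := '(' expr ')' | IDENT '=' STRING | IDENT 'contains' STRING.
    'and' binds tighter than 'or', as in the guide's parenthesised examples."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("EOF", None)
    def take(self, kind):
        k, v = self.peek()
        if k != kind:
            raise ValueError(f"expected {kind}, got {k} {v!r}")
        self.i += 1
        return v
    def parse(self):
        node = self.expr()
        if self.peek()[0] != "EOF":
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return node
    def expr(self):
        node = self.term()
        while self.peek() == ("KW", "or"):
            self.i += 1
            node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() == ("KW", "and"):
            self.i += 1
            node = ("and", node, self.factor())
        return node
    def factor(self):
        if self.peek()[0] == "LPAREN":
            self.i += 1
            node = self.expr()
            self.take("RPAREN")
            return node
        fld = self.take("IDENT")
        if self.peek()[0] == "EQ":
            self.i += 1
            return ("eq", fld, self.take("STRING"))
        if self.peek() == ("KW", "contains"):
            self.i += 1
            return ("contains", fld, self.take("STRING"))
        raise ValueError(f"expected = or contains after {fld!r}")


def evaluate(node, obs):
    """Assumption: comparisons ignore case; a list field (tags) matches if any element does."""
    op = node[0]
    if op == "and":
        return evaluate(node[1], obs) and evaluate(node[2], obs)
    if op == "or":
        return evaluate(node[1], obs) or evaluate(node[2], obs)
    _, fld, literal = node
    raw = obs.get(fld)
    values = [str(v).lower() for v in (raw if isinstance(raw, list) else [raw]) if v is not None]
    literal = literal.lower()
    return literal in values if op == "eq" else any(literal in v for v in values)


def run_saved_search(expression, observables):
    """Values of the observables the expression selects, in input order."""
    ast = Parser(expression).parse()
    return [o["value"] for o in observables if evaluate(ast, o)]


# Constructed sample observables; the tags are the strings the guide's filters look for.
SAMPLE_OBSERVABLES = [
    {"value": "203.0.113.5", "type": "ip", "status": "active", "tags": ["COVID-19"]},
    {"value": "covid-19-relief.example", "type": "domain", "status": "active", "tags": []},
    {"value": "198.51.100.7", "type": "ip", "status": "inactive", "tags": ["COVID-19"]},
    {"value": "http://update.example/sb", "type": "url", "status": "active",
     "tags": ["SolarWinds Supply Chain Compromise"]},
]

COVID_FILTER = '''(type="ip" or type="ipv6" or type="domain") and
(status="active") and (value contains "COVID-19" or tags
contains "COVID-19")'''
```

Running COVID_FILTER over SAMPLE_OBSERVABLES keeps the active IP tagged COVID-19 and the active domain whose value contains the term, and drops the inactive IP and the URL, which is the behaviour the map will show once the saved search is selected.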
My Alerts - Rules
Configuring rules enables your organization to take automated actions when
specific keywords appear in newly created Threat Bulletins, Sandbox Reports,
Signatures, Vulnerabilities, or recently imported observables.
Actions you can take are: tag the threat intelligence with additional terms, associate
the intelligence to a specific threat model, or add the intelligence to an investigation.
To create a rule specific to COVID-19, follow instructions in "Configuring Rules" on
page 578 and use the following recommendations for parameter values. It can take
up to five minutes for a newly created rule to start matching keywords.
Name: COVID-19, or another name of your choice.
Match Within: Keep all of these checked:
    • Observables
    • Sandbox Reports
    • Signatures
    • Threat Bulletins
    • Vulnerabilities
Keywords: Suggested keywords:
    covid*19
    corona*virus
    Add additional keywords to suit your needs. Keywords must adhere to the guidelines detailed in "Keyword Syntax Requirements" on page 576.
Indicator Types: Accept the default value, Match All.
Exclude: Leave unchecked.
Add Action: Select the following automated actions to take when keywords match within the selected intelligence types.
    • Tag with Terms: Add tags to intelligence in which the keywords appear. For example, coronavirus, covid-19. To add private tags that are only visible to your organization, assign them the My Organization visibility setting. Tags assigned the Anomali Community visibility setting are visible to any user with access to the entity.
    • Add to Investigation: (Optional) Create a dedicated investigation the first time the rule is triggered. All intelligence in which keywords appear is added to the investigation.
Exclude from notifications: Leave unchecked.
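What the rule configured above does when it fires, as an added example that is not ThreatStream's rule engine: the Python below models the table's settings (keywords with * wildcards, the intelligence types to match within, Tag with Terms under My Organization visibility, and an investigation created the first time the rule triggers) and runs it over a constructed batch of intelligence. The wildcard semantics (* matches any run of characters, matching ignores case) are an assumption, since the guide's keyword rules are on its "Keyword Syntax Requirements" page and not here; the Rule and Intel classes, the kind names and the sample texts are constructed for the example.

```python
"""Model of a My Alerts rule: wildcard keywords, Match Within types, and its automated actions."""
import re
from dataclasses import dataclass, field


def keyword_to_regex(keyword):
    """Assumption: '*' stands for any run of characters and matching ignores case."""
    return re.compile(".*".join(re.escape(p) for p in keyword.split("*")), re.IGNORECASE)


@dataclass
class Rule:
    name: str
    keywords: list
    match_within: set          # intelligence types the rule is allowed to match
    tag_with_terms: list       # (term, visibility) pairs
    add_to_investigation: bool = False


@dataclass
class Intel:
    kind: str                  # constructed kind names, e.g. "threat_bulletin"
    text: str
    tags: list = field(default_factory=list)


def apply_rule(rule, items):
    """Return (matches, investigation); each match is (kind, text, matched keywords)."""
    patterns = [(k, keyword_to_regex(k)) for k in rule.keywords]
    investigation, matches = None, []
    for item in items:
        if item.kind not in rule.match_within:
            continue
        hits = [k for k, p in patterns if p.search(item.text)]
        if not hits:
            continue
        for tag in rule.tag_with_terms:            # Tag with Terms action
            if tag not in item.tags:
                item.tags.append(tag)
        if rule.add_to_investigation:               # Add to Investigation action
            if investigation is None:               # created the first time the rule triggers
                investigation = {"name": rule.name, "items": []}
            investigation["items"].append(item.text)
        matches.append((item.kind, item.text, hits))
    return matches, investigation


COVID_RULE = Rule(
    name="COVID-19",
    keywords=["covid*19", "corona*virus"],
    match_within={"observable", "sandbox_report", "signature", "threat_bulletin", "vulnerability"},
    tag_with_terms=[("coronavirus", "My Organization"), ("covid-19", "My Organization")],
    add_to_investigation=True,
)


def run_covid_rule():
    """Run COVID_RULE over a constructed batch of intelligence."""
    items = [
        Intel("threat_bulletin", "COVID-19 themed phishing wave targets remote workers"),
        Intel("observable", "corona-virus-update.example"),
        Intel("sandbox_report", "Invoice_Q1.docx"),
        Intel("vulnerability", "Covid19 contact-tracing app authentication bypass"),
        Intel("actor", "coronavirus-themed lure operator"),   # kind outside Match Within
    ]
    matches, investigation = apply_rule(COVID_RULE, items)
    return {"matches": matches, "investigation": investigation, "items": items}


if __name__ == "__main__":
    result = run_covid_rule()
    for kind, text, hits in result["matches"]:
        print(f"{kind}: {text!r} matched {hits}")
    print("investigation:", result["investigation"])
```

The actor entry is there to show that Match Within is a hard gate: text that matches a keyword in a type the rule does not cover is neither tagged nor added to the investigation.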
The "My Alerts" widget (see "My Alerts" on page 24) on the ThreatStream Overview Dashboard displays the recently triggered rules and the corresponding automated actions taken by ThreatStream. On the rule details page (see "Viewing Rule Details" on page 587) you can additionally view the type of intelligence the rule matched and any enrichments, add the intelligence to an investigation, export it in multiple formats, and clone and share within the community.
Chat - COVID-19
Anomali has created a designated Chat channel for anonymous collaboration and
discussion on threat intelligence related to the COVID-19 pandemic. Additionally,
the Anomali Threat Research team uses the Chat channel to share breaking news
and threat intelligence updates. However, the channel is not a forum for asking
questions of the Threat Research team directly.
To access the COVID-19 Chat channel, you must join the invite-only Anomali News Chat Trusted Circle. Contact your Customer Support representative to gain access.
After joining the Trusted Circle, you can launch the COVID-19 chat channel by
opening the "anomalinewschat" chat room.
For more information on using ThreatStream Chat, see "Collaborating with
ThreatStream Chat" on page 638.
Send Documentation Feedback
If you have comments about this document, you can contact the documentation team in these ways:
• Click contact the documentation team to send an email. If you have an email client configured on this system, an email window will open with the following information in the subject line: Feedback on User Guide (ThreatStream )
• Send your feedback to docs@anomali.com.
Thank you for your feedback!