Anomali’s product team continues to deliver on an aggressive schedule of intelligence-driven cybersecurity solutions, continuing to work in tight unison with our customers and security professionals throughout the product development lifecycle.
We’re excited to announce our quarterly product release update for May 2021. Key highlights for this quarter include:
- New Match 4.4 release enhancing Anomali’s extended detection and response capabilities
- Custom dashboards aligning global threat intelligence with local SOC threat prioritization activities
- Industry news monitoring that leverages Machine Learning to determine global trends
- Enhanced STIX 2.1 support with Custom Objects & Relationship Objects
- Support for MITRE ATT&CK Framework v9.0 via Attack Patterns
- Simplified Integrator upgrade process
- Anomali Lens – Outlook for Office 365
Match 4.4 New Features and Improvements
Anomali Match is the first threat detection and response solution that automatically and continuously correlates all your environment logs against all relevant active threat intelligence to expose previously unknown threats that may have already penetrated your enterprise, resulting in faster Mean-Time-To-Detection (MTTD), reduced cost of security incidents, and more efficient security operations.
In this release, we’ve added several new and significant features to improve the value offered by Match to clients, enhancing the fidelity of intelligence we use to identify matches in your environments, and simplifying the normalization of data coming from a variety of different formatted log sources. Furthermore, new alerting capabilities provide enhanced process automation and now support threat model-based alerts.
We’ve also released Universal Link v4.4 and made updates to these dedicated links that enable log event integration with Anomali Match: QRadar, Splunk, and RSA.
Building Custom Dashboard Widgets Based on Threat Model Data
Dashboards in ThreatStream provide a quick, digestible, and timely source of key metrics on threat intelligence indicators. Custom dashboards can be tailored for a given organization’s or user’s requirements. Users can now develop their own dashboard with widgets based on Threat Model saved searches also, in addition to an Observable saved search. Users can also choose to incorporate out-of-the-box widgets or develop their own, based on an advanced saved search (of Observables or Threat Models). This new feature builds upon features we’ve been adding to ThreatStream over recent releases, i.e. the addition of custom widgets and also the enablement of Threat Model advanced saved searches.
Industry News Trend Widgets in ThreatStream Dashboard
ThreatStream Dashboards provide key decision-making data in an easy-to-digest visual format for all users of ThreatStream – whether research analyst, team manager or CISO. With this release, industry trending news on Actors, Malware and Common Vulnerabilities and Exposures (CVEs) are available as graph widgets within the ThreatStream dashboard. Our trending engine is based on data sourced from a huge array of public and private security news feeds, blogs, and other reputable sources. The graphs provide current lists of trending entities, with pertinent information and graphs showing activity over various timelines. Currently, this feature is exclusive to Anomali Lens+ customers.
MITRE ATT&CK Support for Sub-techniques
The MITRE ATT&CK Security Framework is one of the most widely used tools to help organizations understand their security posture, offering a wide array of threat techniques and tactics. ThreatStream has a key integration with MITRE ATT&CK that allows customers to profile their environment, and use this profiling when conducting investigations and making informed decisions. Analyst users can quickly identify key areas of concern in their environment, and prioritize their response appropriately.
In this release, we’ve extended support to MITRE ATT&CK version 9 for new techniques and sub-techniques. In line with MITRE’s approach, these are implemented as customized STIX Attack Patterns in ThreatStream and enable analysts to associate a given Attack Pattern to any intelligence – observable or threat model.
We’ll be adding support for v9 in the MITRE Security Coverage and Investigations feature in future releases along with providing intermediate versions of the MITRE framework.
Support for STIX 2.1 Custom Objects and Relationship Objects (SROs)
Structured Threat Information Expression (STIX™) from Oasis Open is fast becoming the de facto standard for the exchange of cyber threat intelligence (CTI), based on a large open source community and many key industry contributors. The ThreatStream platform already has support for the majority of the STIX 2.1 standard and this quarter we’ve introduced support for STIX 2.1 Custom Objects and STIX Relationship Objects (SROs).
With STIX 2.1 Custom Objects, customers with specialized intelligence needs not met by the standard can host and maintain their tailored intelligence models, and share them with other STIX 2.1 compliant systems.
With STIX Relationship Objects (SROs), ThreatStream users can now import, edit, and export STIX compliant relationships from ThreatStream for use in 3rd party systems. The platform now also allows users to create STIX compliant associations or relationships on existing threat intelligence in the platform, allowing them to create net-new STIX compliant intelligence for use elsewhere.
Visual Advanced Search Editor
ThreatStream offers great flexibility around searching and filtering large collections of data with our Advanced Search for Observables and Threat Models so that your teams can find relevant intelligence. We’ve added an intuitive feature to assist with complex searches, which can rely on many conditions linked by operators, to help with the building and validation of such queries. Users are provided with immediate visual feedback that makes the search query easier to read, update and troubleshoot, with hints, color coding, and warnings.
Integrator 7.2 – Making Upgrades Easier
Integrator is pivotal in operationalizing your intelligence from ThreatStream to your security stack. We’ve added a new process for upgrading your instance of Integrator to make it easier to plan, execute and manage your upgrade. With this release, Integrator can now automatically download and notify you of new releases and provides a maintenance mode to coordinate the upgrade process.
In addition, we’ve updated some of our integrations to ensure additional support for McAfee ESM, QRadar, FireEye, and Splunk.
Anomali Lens – Outlook for Office 365
With the Anomali Lens Add-In for Microsoft Outlook, Anomali Lens+ customers will be able to scan email content within Outlook web client. Available initially as a Beta release, the add-in has a unique scanning capability that can quickly summarize key threat information found in the body of an email. Users can choose to create Threat Bulletins with the email content or import any unknown observables found in the mail – seamlessly into ThreatStream. In addition, users can send content which warrants further analysis directly to a ThreatStream investigation.
Anomali continues to drive new features and capabilities based upon our customer’s needs and wants to continue to drive intelligent detection at scale. Please reach out to your customer support manager if there’s something you’d like to see.