October 28, 2024 - Matt Sayar

Introducing Copilot Asset Analyzer

Anomali is pleased to announce expanded automation capabilities in the form of Asset Analyzer, a Custom Copilot, for customers who use our Copilot and Security Analytics products. Asset Analyzer performs an analysis that typically requires a SOAR playbook, improving SOC efficiency and helping consolidate the security stack. 

Asset Analyzer conducts an “inside-out analysis,” taking the customers' ingested logs and running an analysis to generate lookup tables. Using Anomali’s Custom Copilot, analysts can ask natural language questions directly from those tables and immediately receive actionable insights. 

Why We Built Copilot Asset Analyzer

SIEMs, on average, produce thousands of alerts per day — a number that is rising sharply as adversaries increasingly leverage AI. This alarming volume leaves SOCs chronically understaffed, as analysts may have hundreds of events to process daily, requiring at least 20 minutes per event (assuming the analyst is experienced and works quickly).

The steps involved in the analysis may include:

  1. Initial alert triage: First, an analyst reviews the SIEM alert to confirm the IP match and verify its correlation with threat intelligence sources (such as Anomali ThreatStream). This step is essential for validating the alert and determining if it warrants further investigation.
  2. Antivirus scan: The analyst uses the IP address to query online services that analyze suspicious files and URLs to detect types of malware and other malicious content via antivirus engines and website scanners. This comprehensive reputation data helps analysts understand whether the IP is associated with known threats.
  3. Passive DNS lookup: A passive DNS lookup provides a view of the Internet's infrastructure configuration, which can help analysts gather historical domain and IP information for the matched IP address. This data sheds light on how the domain or IP address has been used over time, which may reveal suspicious patterns or changes.
  4. Attack surface assessment: Analysts use specialized web-based search platforms to assess attack surfaces for connected devices, and to perform a search on the IP address to identify the services, certificates, and infrastructure associated with the entity. This provides deep insights into the IP's infrastructure, which may help uncover potentially risky services or misconfigurations. 
  5. Threat intelligence enrichment: Enriching the IP address with Anomali’s threat intelligence platform, ThreatStream, helps provide context, including associated threat actors, malware families, or attack campaigns. 
  6. Risk ranking: At this step, analysts combine information from applications referenced in steps 2-4 to assess the IP's overall risk level, factoring in historical behavior, malicious reports, and infrastructure characteristics. Prioritizing alerts by risk level allows them to focus on the threats that pose immediate, critical risks to the organization.
  7. Asset enrichment: Enriching the IP with data from the asset database and/or vulnerability scanner helps analysts identify whether it is associated with any critical assets or known vulnerabilities within the organization. This critical step ties external threats to internal assets, allowing the analyst to assess their direct impact and relevance to the organization’s systems.
  8. Final risk assignment: Based on the combined intelligence and asset data, analysts assign a risk score to the alert, tagging it with the associated asset or entity within the organization. These activities enable contextualization, proper tracking, response prioritization, and automated remediation, if necessary. 
  9. Automated response or escalation: Depending on the risk score, an automated containment response is triggered, such as blocking the IP, or the alert is escalated for further human investigation. Automation or escalation ensures that the organization responds quickly to high-priority threats and reduces the workload on security teams.

Anomali Copilot is now capable of performing steps 1 through 8 without requiring a SOAR playbook. While Copilot can assist analysts with step 9, Anomali advises customers to keep humans in the loop regarding blocking decisions. Humans can also ask Copilot to write and execute a query using Anomali Query Language (AQL) to block the IP. 

With the help of Copilot, Anomali Security Analytics performs these steps with unprecedented scale and speed, processing billions of events per second while sorting through millions of individual signals and alerts. The Assets Assessment Agent, a Custom Copilot, provides an aggregated table view of network events. You can view this table through search or use it as a Custom Copilot, querying in natural language.

What the Assets Assessment Agent Provides

The Assets Assessment Agent provides an aggregated table view of network events for each asset (IP addresses belonging to the organization). Unlike the eventlog or iocmatch tables, which contain detailed information about every network event and individual threat matches, this table consolidates that information by asset. Each row in the table represents a unique asset (IP) within the organization’s network and provides high-level insights derived from the iocmatch table. It also provides asset scores to highlight the riskiest assets, one of the biggest perks of the table. The table includes:

  • Asset-level overview: Aggregated insights for each unique IP (asset) in the organization’s network.
  • Network exposure: Lists of unique ports, open ports accessible from outside the network, and domains associated with each asset (organization_domain).
  • Threat connections: Aggregated lists of malicious indicators (e.g., IPs) with which the asset has communicated.
  • Service and software insights: Services running on open ports, associated software, and any end-of-life software identified on the asset.
  • Vulnerability analysis: CVEs associated with the software on the asset, including critical and exploitable vulnerabilities.
  • Threat models: High-level view of the threat models associated with the malicious indicators connected to the asset.
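As an added illustration (not Anomali's code and not the product's actual table schema), the following constructed Python sketch shows the kind of aggregation the list above describes and the risk ranking of steps 6 through 8: event-level indicator-match rows are collapsed into one row per internal asset, joined with asset-database data, and given a score. All column names, weights, sample rows and the CVE identifier are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample rows in the spirit of an iocmatch table: one row per
# event in which an internal asset communicated with a matched indicator.
IOCMATCH_ROWS = [
    {"asset": "10.0.1.20", "indicator": "198.51.100.7", "port": 443, "threat_model": "C2"},
    {"asset": "10.0.1.20", "indicator": "198.51.100.7", "port": 443, "threat_model": "C2"},
    {"asset": "10.0.1.20", "indicator": "203.0.113.9", "port": 8080, "threat_model": "Scanner"},
    {"asset": "10.0.2.5", "indicator": "203.0.113.9", "port": 22, "threat_model": "Scanner"},
]

# Constructed asset-database / vulnerability-scanner data (step 7, asset enrichment).
# CVE entries are (id, severity, exploitable); the id is a placeholder, not a real CVE.
ASSET_DB = {
    "10.0.1.20": {"domain": "app.corp.example", "open_ports": [443, 8080],
                  "software": {443: "nginx 1.18", 8080: "jenkins 2.1"},
                  "cves": [("CVE-PLACEHOLDER-1", "critical", True)], "eol": ["jenkins 2.1"]},
    "10.0.2.5": {"domain": "bastion.corp.example", "open_ports": [22],
                 "software": {22: "openssh 9.6"}, "cves": [], "eol": []},
}

def asset_score(row):
    """Constructed weighting: indicator count, critical/exploitable CVEs, EOL software, exposure."""
    critical = sum(1 for _, sev, _ in row["cves"] if sev == "critical")
    exploitable = sum(1 for _, _, exp in row["cves"] if exp)
    return (10 * len(row["indicators"]) + 20 * critical + 15 * exploitable
            + 10 * len(row["eol_software"]) + 2 * len(row["open_ports"]))

def aggregate_assets(rows, asset_db):
    """Collapse event-level rows into one aggregated row per asset (IP)."""
    agg = defaultdict(lambda: {"indicators": set(), "ports": set(), "threat_models": set()})
    for r in rows:  # duplicate events collapse naturally into the sets
        agg[r["asset"]]["indicators"].add(r["indicator"])
        agg[r["asset"]]["ports"].add(r["port"])
        agg[r["asset"]]["threat_models"].add(r["threat_model"])
    table = {}
    for asset, a in agg.items():
        db = asset_db.get(asset, {})
        row = {
            "organization_domain": db.get("domain"),
            "indicators": sorted(a["indicators"]),
            "ports": sorted(a["ports"]),
            "open_ports": sorted(db.get("open_ports", [])),
            "threat_models": sorted(a["threat_models"]),
            "services": {p: db.get("software", {}).get(p) for p in sorted(a["ports"])},
            "cves": db.get("cves", []),
            "eol_software": db.get("eol", []),
        }
        row["score"] = asset_score(row)
        table[asset] = row
    return table

def riskiest(table):
    """Assets ordered from highest to lowest score (step 6/8 prioritisation)."""
    return sorted(table, key=lambda a: table[a]["score"], reverse=True)
```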

What the Assets Assessment Agent Does Not Cover

  • Event-level details: The Assets Assessment Agent does not include granular event-by-event information (this can be found in the iocmatch or eventlog tables).
  • Specific connection logs: Neither individual event logs nor the specific times of each connection appear in this table.
  • Detailed indicator information: While the Assets Assessment Agent aggregates malicious indicators, it doesn’t include every detail about each indicator (this can be found in the iocmatch table).

When to use the Assets Assessment Agent

The Assets Assessment Agent provides the following:

  • Visibility: An aggregated view of the threats and risks related to specific assets. 
  • Clarity: A clear picture of the services, ports, domains, and vulnerabilities associated with each organizational asset.
  • Relevance: A quick assessment of the assets with the highest risk, based on correlated threat intelligence and vulnerabilities.

How It Compares to Attack Surface Management

The new Assets Assessment Agent has a similar goal as attack surface management but differs in its approach, providing additional perspective. See the visuals below: 

Attack Surface Management focuses on how external adversaries are able to access a company's online assets — an “outside in” view. 

Copilot Asset Analyzer identifies a company's internal assets that are interacting with external bad actors — an “inside out” view.


Key Takeaways

The new Custom Copilot strengthens the integration within your SecOps platform while providing a faster and more robust alternative to a SOAR playbook. Schedule a demo to see Copilot Asset Analyzer for yourself.
