Cisco Umbrella (formerly OpenDNS) is a cloud security platform that provides the first line of defense against threats on the internet wherever users go. And because it’s built into the foundation of the internet and delivered from the cloud, Umbrella is the simplest security product to deploy and delivers powerful, effective protection. The intelligence from Cisco Umbrella Investigate provides the most complete view of the relationships and evolution of internet domains, IPs, and malware, and adds the security context needed to uncover and predict threats.

Cribl is the Data Engine for IT and Security, offering enterprises choice, control, and flexibility to manage their data efficiently. Cribl Stream, the world’s leading observability pipeline, processes logs, metrics, and traces in real-time, routing data to any destination in any format. Cribl Edge is an intelligent agent, and Cribl Search is the industry’s first search-in-place solution. Founded in 2018 and headquartered in San Francisco, Cribl’s vendor-agnostic product suite helps Fortune 1000 companies optimize data usage and storage, reducing costs and enhancing security insights​.

The DNSTwist Domain Spinning enrichment helps users quickly identify potential domain squats and phishing domains, and empowers security teams to perform phishing detection as part of their investigations.

Deloitte's Codex Enrichment allows access to a truly large malware sandbox dataset that encompasses additional data to include APT names from multiple vendors associated with malware, easy to understand malware naming, typing, execution information, and more.

DNS-Based Cyber Threat Detection and Response

The DomainTools® Iris™ App for Anomali delivers a subset of DomainTools Iris data, together with pivot capability and domain risk score, directly to the analyst inside the The Anomali Security Operations Platform. This integration enables rapid in-context assessments of domain name observables and discovery of connected domains that share the same IP, hostname, or SSL certificate hash.

Farsight DNSDB (now part of DomainTools) is a Passive DNS historical database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure. This enrichment lets you look up and pivot on domain names and IP addresses using Farsight's Passive DNS (pDNS) database, DNSDB.

GreyNoise's integration with Anomali ThreatStream helps security analysts save time by revealing which events they can ignore. GreyNoise's data is a curation of IPs that saturate security tools with noise, like mass-internet scanners and harmless business services. This unique perspective helps analysts confidently ignore irrelevant or harmless activity, creating more time to uncover and investigate true threats.

Users can also enrich against GreyNoise to reduce observables created by mass-internet scanning and create more time to investigate targeted attacks. This enrichment provides context into IP behavior: intent, tags, first seen, last seen, geo-data, ports, OS and JA3. Advanced features showing timeline and similarity based information is available for users with those subscription features.

‍

IPQualityScore (IPQS) provides Anomali ThreatStream users with enterprise-grade detection for sophisticated abuse. The IPQS Fraud and Risk Scoring Enrichment provides enterprise grade fraud prevention, risk analysis, and threat detection. Analyze IP addresses, email addresses, URLs, and domains to identify sophisticated bad actors and high risk behavior. IPQS uses a unique data set, gathered by our proprietary honeypot network that captures advanced abuse such as residential botnets, phishing, hijacked domains, and any IOC that's been associated with abusive behavior across our partner reporting network, which analyzes over 10,000 abuse reports per second.

Enrich Hash information with IoCs and TTPs from Intezer Analyze.

The Pastebin Dump Collection (PSBDMP) enrichment allows users to determine which pastebin sites featured a specific e-mail address.

PolySwarm seamlessly integrates via API and allows Anomali’s users to obtain file and URL reputation services with a single click, in real-time, from a network of independent malware detection engines. PolySwarm enriches samples with diverse threat indicators and allows threat hunters and SOC analysts to search for and identify relationships between diverse malware families and threat indicators. integration allows users to obtain file and URL reputation services with a single click, in real-time, from a network of independent malware detection engines. PolySwarm summarizes crowdsourced verdicts into a single, authoritative number called PolyScore™, providing the probability a given file contains malware.

This enrichment integrates vulnerability assessment data and queries vulnerable hosts from Qualys VM, allowing for risk prioritization that is based on real-world activity.

Query.ai is a federated search solution that enables you to access and get answers from your security data. Query's patented browser-based platform delivers real-time access and centralized insights across on-premises, multi-cloud, and SaaS applications, without duplicating data from its native locations.

‍

InsightVM is a data-rich resource that can amplify the other solutions in your tech stack, from SIEMs and firewalls to ticketing systems. InsightVM brings together Rapid7’s library of vulnerability research knowledge from Nexpose, exploit knowledge from Metasploit, global attacker behavior, internet-wide scanning data, exposure analytics, and real-time reporting

SPUR's Context API provides hosted high-performance IP enrichment lookups suitable for automation platforms, scripts, and custom integrations. This enrichment provides ThreatStream users with additional context to IP address indicators. It also enriches each IP address with anonymity network information, precision geolocations, and estimated user counts.

The Anomali and ServiceNow integration leverages a bi-directional workflow that works hand-in-hand to consolidate incident intelligence and remediation processes. Anomali ThreatStream and ServiceNow Security Operations work together to accelerate investigation and remediation of security incidents.This is accomplished by associating intelligence about indicators of compromise in ServiceNow security incidents with context from AnomaliThreatStream, including threat score, confidence level, source, and severity.

This integration uses multiple transforms and enrichments to obtain malware data from the ReversingLabs Spectra Analyze platform and transforms it into valuable threat hunting info.

The ReversingLabs Spectra Intelligence enrichment is a set of pivot and context-based functions that can be used to enrich threat hunting and analysis by introducing new and unique insights into the security workflow. It returns data transformations and enrichment visualizations from ReversingLabs Spectra Intelligence, the industry's most comprehensive source of reputation data, into Anomali ThreatStream workflows.

The Anomali ThreatStream App for Splunk empowers Splunk users to leverage threat intelligence to detect, prioritize, and response to security incidents. It provides Splunk users with threat data collected and curated from industry leading threat intelligence platform ThreatStream to correlate with your log data in Splunk, detect malicious activities in incoming and outgoing traffic, alert security teams, and provide you with detailed contextual information from a variety of threat sources (open source, commercial, Anomali Labs, customer internal, etc.).

Tenable delivers unparalleled coverage and comprehensive insight to enable you to detect vulnerabilities, assess risk, and prioritize remediation for every asset, in every environment.

Anomali ThreatStream has an enrichment integration available for Tenable Security Center -Tenable's on-premise risk and vulnerability management solution. This enrichment allows users to query their Tenable Security Center instance with a vulnerability, and view affected asset details in ThreatStream for further analysis.

URLScan.io is a website scanner focused on analyzing all possible details about any established HTTP connection, site content, and relations with other sites. This enrichment helps ThreatStream users with analyzing and triaging suspicious URLs.

WOT checks every domain before you visit it to let you know its safety and security rating.

‍

The WhoisXMLAPI integration lets ThreatStream users access billions of domain and DNS records through acollection of APIs. Users can map and study all connections across domain names, current and historical resource owners, IP addresses, subdomains, NS and MX servers, and more.