Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Anomali Integration Guide

cloud integrations anomali threat intelligence byoti

The following instructions are for configuring Anomali to ingest threat indicators into Taegis™ XDR to generate alerts via the Bring Your Own Threat Intel Detector.


The Preview release is limited to 10,000 active indicators per tenant. When indicators reach the limit, the oldest indicators are deleted to remain under the limit.

Anomali Requirements

An Anomali account username and API key are required to integrate with Taegis™ XDR.

Data Provided from Integration

Threat Indictor Lists contain the following data types:

Add Integration in Taegis™ XDR

  1. From the XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
  2. Choose Set up Anomali.

Create a New Anomali Integration

Create a New Anomali Integration

  1. Enter the following fields:

    • Integration Name — Name that this integration will use in Taegis™ XDR
    • Anomali Username
    • Anomali API Key
  2. Select Done. The Cloud API Integrations page displays with the successfully added Anomali integration.

Once the preceding steps are completed, Anomali integration details are available on Cloud APIs. From the XDR left-hand side navigation, select Integrations → Cloud APIs.

Alert Severity

Anomali provides an indicator severity and that severity is set on XDR BYOTI alerts. The following is used to map Anomali severity to XDR severity.

Anomali Severity XDR Severity
Very-High Critical
High High
Medium Medium
Low Low

Example Query Language Searches

To search for Bring Your Own Threat Intel Alerts from the last 24 hours:

from alert metadata.creator.detector.detector_id='app:detect:byoti' and EARLIEST=-24h


On this page: