Anomali Integration Guide
The following instructions are for configuring Anomali to ingest threat indicators into Secureworks® Taegis™ XDR to generate alerts via the Bring Your Own Threat Intel Detector.
Note
The Preview release is limited to 10,000 active indicators per tenant. When indicators reach the limit, the oldest indicators are deleted to remain under the limit.
Anomali Requirements
An Anomali account username and API key are required to integrate with XDR.
Data Provided from Integration
Threat Indicator Lists contain the following data types:
- IP Address
- Domain
- URL
- Filehash (SHA1, SHA256, MD5)
Add Integration in XDR
- From the XDR left-hand side navigation, select Integrations → Cloud APIs → Add API Integration.
- Choose Set up Anomali.
  (Screenshot: Create a New Anomali Integration)
- Enter the following fields:
  - Integration Name — Name that this integration will use in XDR
  - Anomali Username
  - Anomali API Key
- Select Done. The Cloud API Integrations page displays with the successfully added Anomali integration.
Once the preceding steps are completed, Anomali integration details are available on Cloud APIs. From the XDR left-hand side navigation, select Integrations → Cloud APIs.
Alert Severity
Anomali provides a severity for each indicator, and XDR sets that severity on the resulting BYOTI alerts. The following mapping is used to translate Anomali severity to XDR severity.

| Anomali Severity | XDR Severity |
|---|---|
| Very-High | Critical |
| High | High |
| Medium | Medium |
| Low | Low |
| Info | |
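As an added example that is not part of the Secureworks or Anomali documentation, the following Python models the ingestion behaviour this guide describes: classifying indicators into the four supported types (IP, domain, URL, filehash by MD5/SHA1/SHA256 digest length), mapping Anomali severity to XDR severity per the table above (Info has no XDR mapping in the table and is dropped here), and trimming to the 10,000-indicator Preview limit by evicting the oldest first. The record shape, field names and sample feed are constructed for illustration and are not Anomali's API format.

```python
import ipaddress
import re

# Severity mapping from the guide's table. "Info" has no XDR severity in the
# table, so it is absent here and normalize() drops such indicators.
SEVERITY_MAP = {"very-high": "Critical", "high": "High", "medium": "Medium", "low": "Low"}
ACTIVE_LIMIT = 10_000  # Preview cap on active indicators per tenant
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest lengths
_HEX = re.compile(r"[0-9a-fA-F]+")
_DOMAIN = re.compile(r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}", re.I)

def classify_indicator(value: str):
    """Return 'ip', 'domain', 'url' or 'filehash/<algo>', or None if unsupported."""
    v = value.strip()
    if _HEX.fullmatch(v) and len(v) in HASH_ALGOS:
        return f"filehash/{HASH_ALGOS[len(v)]}"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if "://" in v:
        return "url"
    if _DOMAIN.fullmatch(v):
        return "domain"
    return None

def normalize(record: dict):
    """Map a constructed {value, severity, created} record to a BYOTI-style entry, or None."""
    kind = classify_indicator(record["value"])
    severity = SEVERITY_MAP.get(record["severity"].strip().lower())
    if kind is None or severity is None:
        return None
    return {"type": kind, "value": record["value"].strip(),
            "severity": severity, "created": record["created"]}

def ingest(feed, limit=ACTIVE_LIMIT):
    """Normalize a feed and keep at most `limit` entries, evicting the oldest (by ISO-8601 `created`) first."""
    kept = [n for n in (normalize(r) for r in feed) if n is not None]
    kept.sort(key=lambda e: e["created"], reverse=True)  # newest first
    return kept[:limit]

# Constructed sample feed (not real Anomali output or real indicators).
SAMPLE_FEED = [
    {"value": "198.51.100.7", "severity": "Very-High", "created": "2024-03-01T10:00:00Z"},
    {"value": "malicious.example", "severity": "High", "created": "2024-03-02T10:00:00Z"},
    {"value": "http://malicious.example/drop", "severity": "Medium", "created": "2024-03-03T10:00:00Z"},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "severity": "Low", "created": "2024-02-01T10:00:00Z"},
    {"value": "203.0.113.9", "severity": "Info", "created": "2024-03-04T10:00:00Z"},
]
```

Calling `ingest(SAMPLE_FEED, limit=2)` keeps only the two newest mappable entries (the URL and the domain), showing how the oldest indicators fall off once the cap is reached.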
Example Query Language Searches
To search for Bring Your Own Threat Intel alerts from the last 24 hours:

```
from alert metadata.creator.detector.detector_id='app:detect:byoti' and EARLIEST=-24h
```
Related Topics
- Viewing API Integration Status and Health
- Delete an Integration
- Bring Your Own Threat Intel Detector