Anomali February Product Release: Moving Beyond Tactical Intelligence

We are happy to announce the Anomali Product Release for February 2021. For our product and engineering teams to deliver this latest set of features and enhancements, they worked closely with our customers with a particular eye to supporting security teams in their further move beyond a reliance on tactical, technical intelligence to a holistic, threat-model-driven approach by allowing them to work with threat models like the MITRE ATT&CK framework inside Anomali ThreatStream easily and productively. A further highlight directed at augmenting collaboration across teams and with external peers, leveraging our popular Trusted Circles capabilities, is the advent of full-featured chat within the Anomali ThreatStream threat intelligence platform, while maintaining privacy controls.

Enhancements in this latest release include:

MITRE ATT&CK Framework Integration

As a follow-up to the recent release of support for MITRE ATT&CK framework techniques, we’ve added the ability to import content from the MITRE ATT&CK Navigator tool and store your framework capabilities inside ThreatStream. Users can use the MITRE capability in ThreatStream’s Investigations feature to help prioritize investigative activity and decision-making, making security teams more efficient and responsive.

Advanced Search Functionality for Threat Models

This month we’ve extended advanced search to Threat Model content in ThreatStream – providing the same flexibility and features for finding and refining content in our platform as for observable content. Users can now create advanced search queries with conditions and operators, and some additional capabilities specific to our Threat Model content, to find relevant intelligence quickly, as well as save their complex searches for future use at a click.

Collaboration via Full-Featured ThreatStream Chat

Customers now have the benefit of real-time, protected communication within ThreatStream for their internal teams and with Trusted Circle collaborators via the use of a full-featured chat client. With this built-in chat functionality, analysts can communicate and share tactical information as well as more strategic aspects of analysis and response quickly and easily with colleagues and peers at organizations that are members of common Trusted Circles–from inside the ThreatStream platform, where it can be easily shared and investigated. Most importantly, the collaboration remains anonymized and privacy is ensured.

Clone Custom Themed Dashboards

Extending the custom themed dashboards developed by the Anomali Threat Research (ATR) team and released in December, we are now offering the ability to not only access a custom themed dashboard (for COVID, Sunburst or other specific themes), but also to clone (or create a copy) of that dashboard, which you can now further customize or tailor to your specific needs and preferences. Once a dashboard is cloned a user can change, for a given widget, the saved query upon which the widget is based, as well as add their own custom widgets.

Intelligence Enrichment Inside of Investigations

We continue to refine the display of critical information to the user at the appropriate point of their research in order to ensure analysts have the right intelligence at the right time and are able to perform their tasks quickly and easily. With this release analysts can now view enrichment details from the Investigations graph, further saving effort and shortening response times. Users will rarely have to navigate away from the page to gain more context about an Investigation entity. In addition to this, analysts are now able to view enrichment output for multiple indicators found during their investigation from the same view, allowing comparison of content and simplifying the investigation process.

These changes combine with a new enhancement to Threat Cards, a recently released feature inside the Investigations module that shows key summary information on any graph entity, to include a list of enrichments available for indicators, so that users can view that enrichment or context information from the Investigations view without having to navigate elsewhere on the platform.

Other workflow enhancements requested by customers were also included in this release, like bulk indicator upload and improvements on Analyst Notes on any observable uploaded or added to an investigation.

Finished Intelligence Report Distribution Control

At the conclusion of an investigation, key indicators, metrics or reports are often distributed to key stakeholders, such as the security operations team or executives, by emailing a ThreatStream generated report as Finished Intelligence directly from ThreatStream. In this month’s release, we’ve enabled a tighter security posture regarding the distribution of this Finished Intelligence from ThreatStream, allowing organization’s to restrict the domains to which that Finished Intelligence can be distributed by email. By default, organizations will continue to be able to send Finished Intelligence output to recipients on any web domain. To implement a restriction, Administrative users can just apply settings in the Organization Administration area.

GreyNoise Threat Intelligence Enrichment Now Available

We are excited to announce the latest threat intelligence integration into ThreatStream, with GreyNoise enrichment is now available for activation. GreyNoise provides context on IP behavior associated with mass-internet scanning, with data such as intent, tags, first seen, last seen, geo-data, ports, OS and JA3. ThreatStream customers can enrich against it to identify and reduce the number of such observables, leaving more time to investigate high-priority targeted attacks.