Anomali Threat Platform

Reviewed By: Matthew Hreben & Michael Diehl

The Anomali Threat Platform automates the identification of serious attacks targeting organizations, prioritizes threats based on their severity and confidence, and provides context to understand and respond to the threat. Anomali offers this platform not only as an on-premises solution but also as Software as a Service (Saas), which is the model of choice for most customers.

The platform consists of two components: ThreatStream and Integrator (formerly ThreatStream Link). ThreatStream offers more than 120 open-source feeds and more than 30 premium feeds, many with free trial options before purchasing. If an organization already subscribes to one of these premium feeds (e.g., CrowdStrike, VirusTotal, FireEye), it is easy to log in and provide a license key. Anomali will then start ingesting new threat intelligence within minutes.

Security teams can install Anamoli ThreateStream Integrator as a binary or MSI load within Windows Server OS and UNIX x64 environments to share platform intelligence with existing security technologies. In fact, there are 22 integrations pre-built with major SIEM, FW, endpoint and other similar technologies. Additional integrations are being added on a monthly basis, and if one does not exist, it's possible to build a custom destination.

Once data is received and processed, threat intelligence can be distributed to several channels within an organization to share the intelligence feeds and allow the device to get more out of the most up-to-date information available. Analysts logging into the threat platform will find a fully customizable dashboard (which has undergone a facelift since last year) that gives a quick summary of the details on emerging threats. All widgets across multiple dashboards - whether IP addresses, web domains, email domains or even hashes - are interactive, offering the ability to drill down and quickly find relevant data.

In short, the dashboard provides everything needed to begin an investigation, - a built-in utility tool that allows analysts to create a case based on an indicator. The investigation can then be assigned to a workgroup or an individual or shared within a trusted circle. Notable investigations can be expanded throughout the entire Anomali community to external companies or industry-minded Information Sharing & Analysis Centers (ISACs), a growing number of which use Anomali's platform.

In our testing, we witnessed detailed descriptions about threat actors and focused on removing false positives and prioritizing key indicators. Confidence is determined by a machine learning algorithm and is scored. For instance, 100 percent means Anomali is 100 percent confident, while scores from individual researchers are displayed below that figure for comparison since every company has different data vectors. The solution conveniently offers phishing email components to work alongside existing email gateways to protect end users from spam or phishing emails. The tool works with Diamond, STIX/TAXII and kill chain formatting to export or import information into other tools.

Help is built into this threat intelligence platform, with access to training videos, a large knowledge base, and the ability to roam through Anomali University. The company also offers a customer-only support portal and a customer forum for interaction with existing customers and sharing experiences. 

Product title
Anomali Threat Platform
Product info
Name: Anomali Threat Platform
Platform is easy to navigate; a very polished solution for a great price.
Support options could be a bit more well rounded and additional third-party integrations would make this a must-have.
An amazing product for the money. This platform could be the center of any successful threat intelligence initiative making it our SC Labs Best Buy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.