May 13, 2024

Anomali Copilot, the Next Level of AI-powered Security Operations

Anomali has introduced Copilot 6.0 this week and there is a lot to unpack. Details are as follows:

Anomali Copilot is a suite of generative AI solutions designed to revolutionize the way Security Operations Centers (SOCs) detect, investigate, and respond to incidents and alerts. It leverages the industry’s largest threat repository (ThreatStream), is built on a secure and private foundation of AI models, and is an integral part of the Anomali Security Operations Platform.

The Anomali Copilot browser extension and Anomali Copilot Office 365 Add-ins are part of the Anomali Copilot suite. When enabled, Anomali Copilot parses and highlights all cyber threat information on the current screen. Whether it's an article providing insights into the latest breach or a stream of raw intelligence data, Anomali Copilot employs advanced natural language processing (NLP) to dissect the content and pinpoint crucial cyber threat entities like Actors, Malware, or observables. Notably, Anomali Copilot adeptly highlights content even when the specific entity is unfamiliar to Anomali, showcasing its adaptability and effectiveness in real-time threat analysis.

When you scan a page, the Anomali Copilot client makes an API call to the ThreatStream Cloud platform. ThreatStream forwards the request to the Anomali Copilot engine, which processes the page and forwards the results back to ThreatStream. If Anomali Copilot has been configured to work with Security Analytics, formerly known as Match Cloud, the Anomali Copilot client then makes a call to Security Analytics to retrieve sightings data for detected content. The following diagram shows the flow of information for deployments when you have Security Analytics.

Anomali Copilot Browser Extensions

The Anomali Copilot browser extension is available from the Google Chrome Web Store, the Firefox Browser Add-ons and Themes Store, the Microsoft Edge Extensions Store, and the Apple App Store. You can also manually install Anomali Copilot for all supported browsers except Safari. 

Context at the Point of Use

Beyond ensuring that vital information isn’t missed by the human eye, Copilot provides context for highlighted information at the point of use. For example, if Copilot highlights the name of a cybersecurity Actor that exists in ThreatStream and it has been verified by the Anomali Labs team, you can mouse over the Actor's name to view more information on the Actor and follow a link to comprehensive details in ThreatStream.

Know What's Trending

Anomali Copilot also ensures you know which threats are trending. If you scan a page that contains a trending Actor, Malware entity, or Vulnerability, Anomali Copilot indicates that the entity is trending with a flame icon. Anomali Copilot determines that entities are trending based on the number of times they have appeared in recent security news feeds and blogs. The flame icon is displayed next to the term in the scan results list.

Know If You’ve Already Been Impacted

Copilot integrates with the Anomali Security Analytics platform. For Anomali Security Analytics users, potential threat entities detected by Copilot are automatically matched against network events and logs.

Matches with Known Entities

Anomali Copilot identifies and highlights threat entities within the browser page. Copilot makes it easy for you to learn if a threat has impacted your organization, and it provides details about the threat. Want more visibility into the threat’s impact on your organization? Simply mouse over the highlighted term and click Matches to drill into matches on Anomali Security Analytics.

Matches with Unknown Entities

The following figure illustrates matches when Anomali Copilot identifies unknown entities.

  • Within the page, the Match count is based on the Security Analytics Forensics and retrospective search index, which contains a copy of data ingested into Security Analytics before it has been correlated. It is possible that there will be matches with unknown threat entities in this data store. In the example above, this count is 455.
  • Within the Anomali Copilot browser extension, the number displayed on the Matches tab is a count of scanned threat entities that have any matches. This list includes only known, active indicators. Unknown entities are not counted. In the example above, the Anomali Copilot browser extension shows 11 entities matched.

Detect MITRE ATT&CK Information from Your Browser

When you scan a page with Anomali Copilot, the extension uses its natural language processing abilities to detect MITRE Attack Patterns referenced on the page.

You can click Details to read more about the detected Attack Patterns on ThreatStream. When you create a Threat Bulletin from the Anomali Copilot extension, detected Attack Patterns are automatically associated with the resulting Threat Bulletin. When you create an Investigation from the Anomali Copilot extension, detected Attack Patterns are added to the Investigation and visible on the onboard MITRE ATT&CK matrix.

Operationalize Threat Intelligence

With the click of a button, Anomali Copilot can import the current page to ThreatStream as a Threat Bulletin. In addition to making this human-readable content available alongside all of your threat intelligence, Anomali converts this information into machine-readable content. Thus, imported content can be pushed to downstream integrations and made available at the point of use. 

When you import web content as a Threat Bulletin, ThreatStream creates an import session for any parsed observables. After the import session is reviewed and approved, the observables scraped from the web content are made part of your threat intelligence and associated with the new Threat Bulletin. Detected and verified Threat Model entities are associated with the new Threat Bulletin. Tags for unknown or unverified Threat Model entities are applied to the Threat Bulletin. Copilot also applies MISP-compliant tags to imported content, ensuring the creation of uniform metadata.

You can also import a subset of the scanned observables by selecting the observables of interest. Only observables—domains, email addresses, IP addresses, hashes, and URLs—will be imported. 
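To make the observable types listed above concrete, and to show the two different match counts described under Matches with Unknown Entities (total matches across all scanned entities versus the number of entities that have any match), here is an added Python example. It is illustration code written for this page, not Anomali's implementation: the page text, log lines, hashes, IPs and domains are all constructed, and the token search over a list of strings stands in for the Security Analytics retrospective search.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample page text, defanged the way public threat reports usually are.
# None of these values are real indicators.
PAGE_TEXT = """
The campaign staged its loader from hxxp://update-check[.]example-bad[.]com/load.php
(SHA-256 3f786850e387550fdab836ed7e6dc881de23001b4dd1c9d0b5c2e1a7d6f8a9b0, MD5
0c9a1f3e7b2d4a6c8e0f1b3d5a7c9e2f). Beacons went to 203.0.113.45 and 198.51.100.7
over TCP/443. A second staging host, cdn-sync[.]example-bad[.]net, appeared later.
The phishing mail came from billing@invoice-portal[.]example-bad[.]com.
"""

# Constructed log lines standing in for the events a sighting search would run over.
LOG_LINES = [
    "2024-05-13T09:01:02Z proxy dst=203.0.113.45 url=http://update-check.example-bad.com/load.php",
    "2024-05-13T09:01:05Z proxy dst=203.0.113.45 url=http://update-check.example-bad.com/load.php",
    "2024-05-13T09:02:11Z dns query=update-check.example-bad.com answer=203.0.113.45",
    "2024-05-13T09:03:40Z dns query=cdn-sync.example-bad.net answer=198.51.100.77",
    "2024-05-13T09:05:00Z mail from=billing@invoice-portal.example-bad.com subject=Invoice",
    "2024-05-13T09:07:30Z edr file=load.exe sha256=3f786850e387550fdab836ed7e6dc881de23001b4dd1c9d0b5c2e1a7d6f8a9b0",
    "2024-05-13T09:09:00Z proxy dst=192.0.2.10 url=http://intranet.example.net/",
]

# Extraction order matters: URLs and e-mail addresses are consumed before bare domains
# so a URL's host is not reported a second time, and longer hashes before shorter ones.
ORDERED_PATTERNS = [
    ("url", re.compile(r"\bhttps?://[^\s\"'<>()]+")),
    ("email", re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
    ("sha256", re.compile(r"\b[a-f0-9]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[a-f0-9]{40}\b", re.I)),
    ("md5", re.compile(r"\b[a-f0-9]{32}\b", re.I)),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)),
]


def refang(text: str) -> str:
    """Undo the defanging conventions used in public reports so values match live logs."""
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)
    return re.sub(r"hxxp", "http", text, flags=re.I)


def extract_observables(text: str) -> Dict[str, Set[str]]:
    """Return observables grouped by type. Consumed spans are blanked out so later,
    broader patterns (bare domains) do not re-report parts of earlier matches."""
    text = refang(text)
    found: Dict[str, Set[str]] = {}
    for kind, pattern in ORDERED_PATTERNS:
        hits = {m.group(0) for m in pattern.finditer(text)}
        if hits:
            found[kind] = hits
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return found


def sightings(observables: Dict[str, Set[str]], log_lines: List[str]) -> Dict[str, int]:
    """Count log lines mentioning each observable as a whole token, so 198.51.100.7
    does not match 198.51.100.77. A stand-in for a retrospective search over events."""
    counts: Dict[str, int] = {}
    for values in observables.values():
        for value in values:
            token = re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.I)
            counts[value] = sum(1 for line in log_lines if token.search(line))
    return counts


def summarize(counts: Dict[str, int]) -> Tuple[int, int]:
    """The two numbers the page distinguishes: total matches summed over all scanned
    observables, and the number of observables that matched at least once."""
    total_matches = sum(counts.values())
    entities_matched = sum(1 for c in counts.values() if c > 0)
    return total_matches, entities_matched


if __name__ == "__main__":
    obs = extract_observables(PAGE_TEXT)
    hits = sightings(obs, LOG_LINES)
    for kind, values in obs.items():
        for value in sorted(values):
            print(f"{kind:7} {value:64} matches={hits[value]}")
    total, matched = summarize(hits)
    print(f"total matches: {total}; observables with matches: {matched} of {len(hits)}")
```

Two log lines contain both the IP and the URL, so the total match count (8) exceeds the number of observables that matched (5 of 7); that is the same gap the page describes between the per-page Match count and the number on the Matches tab. The regexes here are deliberately simple; a production extractor would also handle IPv6, defanged schemes such as `hxxps`, and brackets around the `@` in e-mail addresses.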

Investigate Threats with Ease

If you come across an entity of interest and you want to investigate it further or bookmark it for later follow-up, Anomali Copilot enables ThreatStream users to add information, such as an Actor or a set of observables, to an existing or new Investigation. Investigations are collaborative workspaces that allow you to centralize threat data as it becomes available and perform pivoting to understand linkages. 

Organization Specific Threat Intelligence

Anomali Copilot enables you to leverage Actor and Malware information available to your organization in ThreatStream. With Anomali Copilot, these Threat Model entities owned by your organization are detected and classified as present in ThreatStream rather than as Unknown. Without Anomali Copilot, you are limited to Threat Model entities vetted by the Anomali Threat Research Team.

Drag and Drop PDF Scanning

In addition to scanning web content, you can use the Anomali Copilot browser extension to parse PDF files for cyber threat information. You can also scan PDFs from public URLs rendered in your browser. 

Access Trending Data in ThreatStream

With Anomali Copilot, you get access to exclusive custom dashboard widgets in ThreatStream that display data from Anomali Copilot on the trending Actors, Malware, and vulnerabilities from the last 24 hours, 7 days, 30 days, 60 days, and 90 days.

Complete Common Tasks from Your Browser

With Anomali Copilot, you can select and right-click any text on the screen to launch sandbox detonations, report selected entities as false positives, or perform observable or Threat Bulletin searches in ThreatStream.

Anomali Copilot Summaries

The Anomali Copilot summarization feature includes the following capabilities:

  • Summarization of content from HTML and PDF pages.
  • Integration of summaries into Threat Bulletins and Investigations imported from Anomali Copilot into ThreatStream.
  • Copying summarized content to a clipboard for convenient sharing and reference.
  • Support of the following languages: Arabic, Chinese (Simplified), Chinese (Traditional), Danish, Dutch, English, Finnish, French, German, Greek, Hindi, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Russian, Spanish, Swedish, Turkish.

Anomali Copilot Chat

The built-in chat enables you to have seamless interaction with Anomali Copilot. You can use suggested questions or pose custom questions, and Anomali Copilot will provide prompt answers based on the content of the page you are viewing. 

Anomali Copilot Microsoft 365 Add-ins

Anomali Copilot users also get access to the Anomali Copilot Outlook, Word, and Excel Add-ins. After installing the Add-ins, you can scan emails, Word documents, and Excel spreadsheets. 

There will be much more on a regular basis as we extend our capabilities to encompass the entirety of Security Operations. Please keep an eye on this blog for further updates.
