A few months back, Anomali released a set of SDKs that greatly expanded our ability to deliver content within the platform, and with integrated systems. One of those SDKs – focusing on enrichments – was introduced to provide a straightforward means for adding contextual information.
In the threat intel world, enrichment has traditionally meant adding context to indicators in the form of network information (DNS, whois, GeoIP, ASN, certificate info, etc.) and reputation services (e.g. “scoring” indicators for risk). These will continue to be important data points used in threat analysis, and the Enrichment SDK will provide expanded choice for providers of this information.
But the TIP (threat intelligence platform) market has long since evolved to the point where this basic enrichment is commonplace, and a standard requirement for most organizations. So, when I first got my hands on the Enrichment SDK, my mind immediately jumped to all the possibilities this would open up. Obviously, my next step was to write an app that tells you the weather based on the geolocation of a given IP!
Because, as we all know, it rains a whole lot in Chongqing, China. So if it’s sunny then the hackers won’t be working. Am I right? This is totally ridiculous and flawed on more levels than I can count, but I hope it helps prove my point: don’t be bound by the traditional notions of what an enrichment is. Here are a few (slightly more useful) examples of what I mean. Each of the referenced examples has been proven out using our SDK.
The platform and the SDK were specifically built to allow for this flexibility. By necessity, that meant the SDK is:
With our new investigations functionality, context is part of the graph/link analysis and becomes available for integration to other systems. Want to further enrich enrichment data? Simple, just continue to pivot. Want to import newly identified indicators? Add them to an import individually, using multiselect, or all at once.
Further, the SDK partner program was developed in a similar fashion to our existing APP Store. This means platform users will regularly see new enrichments become available, while enrichments with a narrower focus can remain restricted to specific organizations.
Ultimately, our SDKs provide an open and integrated ecosystem that allows customers to realize more value from Anomali and our partners. For more information on how we’ve worked with partners to deliver this functionality, see our recent blog with Silobreaker.
For more information visit our APP Store page.
As a Senior Sales Engineer at Anomali, Joe works with companies to build and operationalize threat intelligence programs. His more than 15 years of cyber security experience span security strategy through solution implementation. His current areas of focus include system interoperability and collaboration.