Anomali Lens - Use Cases - Threat Intel Solution
Anomali Lens

Identify key threat intelligence within unstructured data in seconds

Anomali Lens is a powerful extension that quickly operationalizes threat intelligence by automatically scanning digital content to identify relevant threats and streamline researching and reporting on them.

Use case

Answer the question, “Have we been impacted?”



When a new threat is discovered in the wild, security teams and executives need to know as soon as possible if the attackers have already penetrated their network.


When Lens does a scan, it automatically checks Anomali Match to determine if any of the discovered threat intelligence has been seen on your network.

  • See the number of matches found in your environment for any scanned threat indicator or TTP
  • Understand the threat type and severity at a glance
  • Open Match at the click of a button for further investigation, pivoting, and research

Use case

Operationalize the MITRE ATT&CK framework


While a critical ‘best practice’, threat analysis using the MITRE ATT&CK framework can be an extremely manual and time-intensive process.


Lens operationalizes the MITRE ATT&CK framework for you, automatically identifying the MITRE ATT&CK techniques found in scanned pages and importing the data into your Anomali ThreatStream instance at the click of a button.

  • Automatically identify techniques in web pages, blogs, and reports or quickly import unstructured lists
  • Automatically associate scanned techniques with MITRE ATT&CK IDs
  • Import MITRE ATT&CK TTPs into a ThreatStream investigation with the click of a button
  • Pivot, investigate, and visualize the imported threat intelligence in MITRE ATT&CK heatmaps in ThreatStream
Use case

Routinely Build Protection from Unstructured Sources



A regular research routine of pulling new threat information from reports, lists, and web pages can be fruitful, but extremely time-consuming.


Use Lens in your weekly routine to identify and ingest email addresses, URLs, and hashes from lists provided by a specific source and also from specific web pages. Lens customers report that in the past it took on average 2.5 FTE to perform this work – with Lens it now takes just half the time of a single analyst, freeing resources to focus elsewhere. Typical steps include:

  • The analyst logs into the source portal and looks at a posted list of known phishing email addresses, malicious URLs, hashes, etc.
  • The analyst scans those lists with Lens and automatically imports them via investigations into ThreatStream.
  • The items are tagged, and your SOAR then automatically checks whether they match anything in your SIEM and creates tickets for the Incident Response team to investigate as necessary.

Use case

Create a Threat Bulletin for Threat Management & Executive Briefings


Researching a new threat and developing a threat bulletin and executive reports is a common requirement that is too manual and time-consuming.


Based on news reports or other sources of information about a threat or incident, you research the web, go to relevant pages, use Lens to scan them and understand what you are seeing, and start building protection around it. You can then leverage Anomali’s Finished Intelligence to build a Threat Bulletin for the management of the threat, then take a subset of the information to build a PPT presentation for executives.


Go with Anomali and improve your security posture

Organizations rely on Anomali to harness the power of threat intelligence to make effective cybersecurity decisions that reduce risk and strengthen defenses.