Find threats faster
Anomali Match uses all available intelligence and telemetry to deliver comprehensive threat detection at machine speed. You get faster Mean Time to Detection, reduced cost of security incidents, and more efficient security operations.
Detect all the threats in your environment
Detect threats using all available data
Match uses all of your active threat intelligence and correlates it against all of your event logs to continuously identify sightings of malicious activity on your network.
Detect newly discovered threats dwelling in your network
Match continuously analyzes historical log data against new threat intelligence to uncover evidence of past breaches.
Prioritize your threat response by asset value and risk
Match scores threat sightings based on asset value, vulnerability, and threat severity, enabling risk-prioritized triage and response.
Automate threat detection using all available telemetry and intelligence
SIEM and log management solutions are limited in the volume of IOCs and event logs they can store and search, making it a challenge to identify every potential threat an organization may face.
Match is purpose-built to detect known threats at scale, using big data analytics and machine learning to continuously correlate massive volumes of event logs against all of your active threat intelligence.
- Continuously correlate tens of millions of IOCs against billions of events
- Identify threat indicator, TTP, actor, vulnerability, or threat bulletin matches in event logs
- Automatically alert your SIEM, SOAR, or ticketing systems
Answer the hard question – “Have we been impacted?”
When a new threat is discovered in the wild, searching back through historic logs to find out if you were compromised can be a long and expensive process.
Match tells you in seconds if a threat indicator was present in your historic event data months or years in the past.
- Search historical event logs going back five years or more
- Search for threat indicators, TTPs, actors, vulnerabilities, or threat bulletins
- Return all threat matches in seconds
- Deliver these matches to your SIEM, ticketing, or SOAR system
Prioritize response based on asset value, vulnerability, and threat severity
Once you’ve identified malicious behavior in your network, it can be a challenge to decide which threats are the most important to deal with first.
Anomali Match integrates asset and vulnerability scan data into your threat detection results, allowing your analysts to prioritize remediation based on risk.
- Identify the top assets that show malicious activity at a glance
- Prioritize response based on risk score and asset criticality
- Track malicious activity back to the original point of intrusion and review a timeline of compromise
Identify bots in your network connecting to C&C servers
Many bot networks disguise communications to their “command and control” (C&C) servers using Domain Generation Algorithms (DGA) to bypass IP address blocklists.
Match uses an advanced machine learning model to predict malicious domains, and identifies them in your event logs.
- Identify events in which DGA domains have been found
- Identify which malware family likely generated the DGA domains
- Identify which assets are communicating using the DGA domain
Hunt for threats by actor, threat bulletin, or vulnerability
Sophisticated attackers have learned how to dynamically change IOCs to avoid detection, but changing their tactics, techniques, and procedures (TTPs) is hard.
Match enables your security teams to identify threats in your environment based on TTPs, actors, campaigns, threat bulletins, and vulnerabilities. Once a threat actor is identified in your network, you can analyze the TTPs using the MITRE ATT&CK framework and heatmaps.
- Search for intrusions in your environment by threat actor, TTPs, threat bulletins, campaign, or vulnerability
- View matched event details, including dwell time, severity, and event source/destination
- Analyze the tactics, techniques, and procedures (TTPs) for a selected actor in the MITRE ATT&CK framework heatmap
Find “Patient Zero”
After a malware infection occurs, many organizations begin a game of ‘whack-a-mole’ – they know they have an infection, they take steps to remove it, but it keeps popping up again.
Match automates the process of finding Patient Zero, allowing you to identify how the infection began, who is most at risk, and how long the infection has been active.
- Track malicious activity back to the original point of intrusion
- View the event timeline for an indicator
- Determine the scope of the attack across all of your hosts and endpoints
- Deliver these matches to your SIEM, ticketing, or SOAR system for remediation
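To make the retrospective-matching, risk-scoring and Patient Zero ideas above concrete, here is an added example in plain Python; it is not Anomali's code, and every indicator, host, actor label and log line in it is a constructed placeholder (the scoring formula is an assumed illustration, not Match's actual model):

```python
from datetime import datetime

# Constructed threat intelligence: indicator value -> (severity 1-10, actor label)
INDICATORS = {
    "updates-cdn-example.invalid": (9, "ACTOR-PLACEHOLDER-A"),
    "198.51.100.23": (6, "ACTOR-PLACEHOLDER-B"),
}
# Constructed asset inventory: host -> (criticality 1-10, vulnerability score 0-10)
ASSETS = {"fin-db-01": (10, 8.5), "hr-laptop-17": (4, 3.0), "dev-vm-03": (2, 6.0)}
# Constructed historical proxy/DNS log lines: "<timestamp> <host> <destination>"
LOG_LINES = """\
2022-03-14T08:02:11 dev-vm-03 updates-cdn-example.invalid
2022-03-20T17:45:09 hr-laptop-17 updates-cdn-example.invalid
2022-04-02T03:12:50 fin-db-01 198.51.100.23
2022-04-02T03:13:04 fin-db-01 updates-cdn-example.invalid
2022-05-01T12:00:00 hr-laptop-17 example.org
""".splitlines()

def retro_match(lines, indicators):
    """Retrospective correlation: every historical event whose destination is a known indicator."""
    sightings = []
    for line in lines:
        ts, host, dest = line.split()
        if dest in indicators:  # exact-match lookup on the destination field
            sightings.append({"ts": datetime.fromisoformat(ts), "host": host,
                              "ioc": dest, "actor": indicators[dest][1]})
    return sightings

def risk_score(sighting, assets, indicators):
    """Assumed formula: asset criticality x vulnerability exposure x indicator severity, scaled to 0-10."""
    criticality, vuln = assets[sighting["host"]]
    severity = indicators[sighting["ioc"]][0]
    return round(criticality * vuln * severity / 100, 2)

def prioritize(sightings, assets, indicators):
    """Highest-risk sightings first, so the critical database is triaged before the lab VM."""
    return sorted(sightings, key=lambda s: risk_score(s, assets, indicators), reverse=True)

def patient_zero(sightings, ioc):
    """Earliest sighting of an indicator: the original point of intrusion."""
    first = min((s for s in sightings if s["ioc"] == ioc), key=lambda s: s["ts"])
    return first["host"], first["ts"]

def dwell_days(sightings, ioc, now):
    """Days between the first sighting and a reference time: how long the infection has been active."""
    return (now - patient_zero(sightings, ioc)[1]).days
```

Running retro_match over the constructed logs and then prioritize ranks both fin-db-01 sightings ahead of the laptop and dev VM, while patient_zero for the C&C domain points back to dev-vm-03 on 2022-03-14, weeks before the database was reached.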
Hypothesis-based threat hunting
Threat hunters need to find adversaries who are already in the system, but they often lack the search tools and access they need to identify malicious activity.
Match empowers threat hunters to pivot from an initial threat indicator to explore its relationships and associations with other actors, campaigns, TTPs, threat bulletins, and vulnerabilities.
- Start with a known adversary and find previously unknown adversaries associated with it
- Confirm a hunch or answer a query, such as the number of file indicators associated with a vulnerability
- Visually pivot, expand, and explore relationships and associations for any indicator
- Enhance indicators with WhoIs, VirusTotal, PassiveDNS, and Symantec Intelligence services