Anomali Match | Indicator Expansion and Data Enrichment
Get COVID-19 Cyber Security Resources Learn More

Anomali Match
Identify adversaries in your network

Detect and identify adversaries early in your organization’s network by correlating tens of millions of threat indicators against your real time network activity logs and forensic log data.

Threat Visibility Challenge

Every day new threats are discovered, adding to the list of millions of known Indicators of Compromise (IOCs). This presents organizations with two challenges:

  1. Evaluating newly identified threats to identify an existing breach
  2. Checking millions of IOCs daily to identify newly launched attacks

Anomali Match integrates with SIEMs and other log sources, maintaining a year or more of historical visibility without duplicating logs. Historical data is continuously analyzed against new and existing threat intelligence to uncover evidence of breaches. Real-Time Forensics immediately discovers matches between these data sets, and provides analysts with tools to categorize and elevate indicator matches for triage and response.

Threat Visibility Challenge

Detect New Threats

As new threats are discovered, organizations need to know if attackers have already targeted their networks. This means being able to look over historical data going back 6 months or longer to identify potential breaches. Anomali Match:

  • Evaluates all incoming, new threat data
  • Analyzes every network event in past 12+ months
  • Returns all threat matches in seconds
  • Delivers matches to SIEM or other integration

Detect Existing Threats

Security teams must also continuously monitor network traffic for activity from known threats. Organizations commonly collect and track millions of IOCs, making it difficult to monitor all network activity for matches. Anomali Match:

  • Collects and manages unlimited volumes of IOCs
  • Matches IOCs against unlimited volumes of logs
  • Automatically alerts on IOC activity in logs
  • Feeds indicator matches to SIEMs and other systems

Essential Integrations

Anomali Match integrates with threat intelligence sources, log sources, SIEMs and other systems. As indicators of interest are positively identified Anomali Match can automatically feed alerts into SIEMs for ongoing monitoring or blocking.

  • Inputs threat intelligence from ThreatStream
  • Analyzes log data from Syslog, SIEMs, AWS S3, Netflow/sFlow
  • Enables in depth threat investigations within ThreatStream
  • Integrates threat matches with SIEMs, incident response systems


Domain Generation Algorithms are widely used in malware to set up command and control domains. These domains often have short lifespans, meaning they do not make it onto threat intelligence lists. Anomali Match immediately detects and alerts on traffic to DGA domains using sophisticated machine-learning algorithms. Further, it associates the detected DGA domains with specific families of malware.

Threat Intelligence: A New Approach

Learn more about Anomali’s approach to operationalizing threat intelligence