Pinpointing relevant threats – “Have we been impacted?”
When there's an active attack, organizations need to quickly determine if they have been hit - and understand what is required to respond.
Match tells you in seconds if a threat indicator is present in real-time or found in your historical event data months (even years) in the past.
- Search historical event logs going back five years or more
- Search for threat indicators, TTPs, actors, vulnerabilities, or threat bulletins
- Return all threat matches in seconds
- Deliver these matches to your SIEM, ticketing, or SOAR system
Accelerate threat hunting
Sophisticated attackers have learned how to dynamically change IOCs to avoid detection, but changing their tactics, techniques, and procedures (TTPs) is hard.
Match enables your security teams to identify threats in your environment based on TTPs, actors, campaigns, threat bulletins, and vulnerabilities. Once a threat actor is identified in your network, you can analyze the TTPs using the MITRE ATT&CK framework and heatmaps.
- Search for intrusions in your environment by threat actor, TTPs, threat bulletins, campaign, or vulnerability
- Analyze the tactics, techniques, and procedures (TTPs) for a selected actor in the MITRE ATT&CK framework heatmap
- View matched event details, including dwell time, severity, and event source/destination
Prioritized response based on asset value, vulnerability, and threat severity
Once you’ve identified malicious behavior in your network, it can be a challenge to decide which threats are the most important to deal with first.
Anomali Match integrates asset and vulnerability scan data into your threat detection results, allowing your analysts to prioritize remediation based on risk.
- Identify the top assets that show malicious activity at a glance
- Prioritize response based on risk score and asset criticality
- Track malicious activity back to the original point of intrusion and review a timeline of compromise
Identify bots in your network connecting to C&C servers
Many bot networks disguise communications to their “command and control” (C&C) servers using Domain Generation Algorithms (DGA) to bypass IP address blocklists.
Match uses an advanced machine learning model to predict malicious domains and identify them in your event logs.
- Identify events in which DGA domains have been found
- Identify which malware family likely generated the DGA domains
- Identify which assets are communicating using the DGA domain
Find “Patient Zero”
After a malware infection occurs, many organizations begin a game of ‘whack-a-mole’ – they know they have an infection, they take steps to remove it, but it keeps popping up again.
Match automates the process of finding Patient Zero, allowing you to identify how the infection began, who is most at risk, and how long the infection has been active.
- Track malicious activity back to the original point of intrusion
- View the event timeline for an indicator
- Determine the scope of the attack across all of your hosts and endpoints
- Deliver these matches to your SIEM, ticketing, or SOAR system for remediation
Hypothesis-based threat hunting
Threat hunters need to find adversaries who are already in the system, but they often lack the search tools and access needed to identify malicious activity.
Match empowers threat hunters to pivot from an initial threat indicator to explore its relationships and associations with other actors, campaigns, TTPs, threat bulletins, and vulnerabilities.
- Start with a known adversary and find associated adversaries that were previously unknown
- Confirm a hunch or answer a query, such as the number of file indicators associated with a vulnerability
- Visually pivot, expand, and explore relationships and associations for any indicator
- Enhance indicators with WhoIs, VirusTotal, PassiveDNS, and Symantec Intelligence services
Go with Anomali and improve your security posture
Organizations rely on Anomali to harness the power of threat intelligence to make effective cybersecurity decisions that reduce risk and strengthen defenses.