Use Cases | Anomali
Anomali Match

Intelligence-driven threat detection using all your security data

Use case

Retrospective search – “Have we been impacted?”

Problem

When a new threat is discovered in the wild, searching back through historic logs to find out if you were compromised can be a long and expensive process.

Solution

Match tells you in seconds if a threat indicator was present in your historic event data months (even years) in the past.

  • Search historical event logs going back five years or more
  • Search for threat indicators, TTPs, actors, vulnerabilities, or threat bulletins
  • Return all threat matches in seconds
  • Deliver these matches to your SIEM, ticketing, or SOAR system
Use case

Hunt for threats by actor, threat bulletin, or vulnerability

Problem

Sophisticated attackers have learned how to dynamically change IOCs to avoid detection, but changing their tactics, techniques, and procedures (TTPs) is hard.

Solution

Match enables your security teams to identify threats in your environment based on TTPs, actors, campaigns, threat bulletins, and vulnerabilities. Once a threat actor is identified in your network, you can analyze the TTPs using the MITRE ATT&CK framework and heatmaps.

  • Search for intrusions in your environment by threat actor, TTPs, threat bulletins, campaign, or vulnerability
  • Analyze the tactics, techniques, and procedures (TTPs) for a selected actor in the MITRE ATT&CK framework heatmap
  • View matched event details, including dwell time, severity, and event source/destination
Use case

Prioritized response based on asset value, vulnerability, and threat severity

Problem

Once you’ve identified malicious behavior in your network, it can be a challenge to decide which threats are the most important to deal with first.

Solution

Anomali Match integrates asset and vulnerability scan data into your threat detection results, allowing your analysts to prioritize remediation based on risk.

  • Identify the top assets that show malicious activity at a glance
  • Prioritize response based on risk score and asset criticality
  • Track malicious activity back to the original point of intrusion and review a timeline of compromise
Use case

Identify bots in your network connecting to C&C servers

Problem

Many bot networks disguise communications to their “command and control” (C&C) servers using Domain Generation Algorithms (DGA) to bypass IP address blocklists.

Solution

Match uses an advanced machine learning model to predict malicious domains and identify them in your event logs.

  • Identify events in which DGA domains have been found
  • Identify which malware family likely generated the DGA domains
  • Identify which assets are communicating using the DGA domain
Use case

Find “Patient Zero”

Problem

After a malware infection occurs, many organizations begin a game of ‘whack-a-mole’ – they know they have an infection, they take steps to remove it, but it keeps popping up again.

Solution

Match automates the process of finding Patient Zero, allowing you to identify how the infection began, who is most at risk, and how long the infection has been active.

  • Track malicious activity back to the original point of intrusion
  • View the event timeline for an indicator
  • Determine the scope of the attack across all of your hosts and endpoints
  • Deliver these matches to your SIEM, ticketing, or SOAR system for remediation
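An added illustration of the retrospective search and Patient Zero workflows described in these use cases (not Anomali's code): constructed proxy-log lines are matched against constructed indicators from a later bulletin, and for each indicator the first sighting, the affected hosts and the dwell time relative to an assumed "now" are reported.

```python
"""Retrospective indicator search over historic event logs with a
Patient Zero / dwell-time summary. Added example, not Anomali's code;
the log lines, indicators and NOW timestamp are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log lines: timestamp, source host, destination.
EVENTS = """\
2021-03-02T08:14:05Z ws-017 login-update.example
2021-03-02T09:30:41Z ws-017 cdn.example-static.net
2021-03-19T17:02:11Z ws-042 login-update.example
2021-06-07T11:45:00Z ws-017 198.51.100.23
2021-09-14T22:10:37Z srv-db01 198.51.100.23
"""

# Constructed indicators, as published in a later threat bulletin.
INDICATORS = {"login-update.example": "domain", "198.51.100.23": "ip"}

# Assumed time of the search, used to compute dwell time.
NOW = datetime(2021, 10, 1)


def parse_events(text):
    """Yield (timestamp, host, destination) for each log line."""
    for line in text.splitlines():
        ts, host, dest = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dest


def retrospective_search(text, indicators, now):
    """Per indicator: first sighting (Patient Zero), hosts, dwell days."""
    hits = defaultdict(list)
    for ts, host, dest in parse_events(text):
        if dest in indicators:
            hits[dest].append((ts, host))
    report = {}
    for ioc, sightings in hits.items():
        sightings.sort()                      # earliest sighting first
        first_ts, first_host = sightings[0]
        report[ioc] = {
            "type": indicators[ioc],
            "patient_zero": first_host,
            "first_seen": first_ts.isoformat(),
            "hosts": sorted({h for _, h in sightings}),
            "dwell_days": (now - first_ts).days,
            "event_count": len(sightings),
        }
    return report


def run_example():
    """Run the search over the constructed data and return the report."""
    return retrospective_search(EVENTS, INDICATORS, NOW)


if __name__ == "__main__":
    for ioc, summary in run_example().items():
        print(ioc, summary)
```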
Use case

Hypothesis-based threat hunting

Problem

Threat hunters need to find adversaries who are already in the system, but they often lack the search tools and access needed to identify malicious activity.

Solution

Match empowers threat hunters to pivot from an initial threat indicator to explore its relationships and associations with other actors, campaigns, TTPs, threat bulletins, and vulnerabilities.

  • Start with a known adversary and find associated adversaries that were previously unknown
  • Confirm a hunch or answer a query, such as the number of file indicators associated with a vulnerability
  • Visually pivot, expand, and explore relationships and associations for any indicator
  • Enhance indicators with WhoIs, VirusTotal, PassiveDNS, and Symantec Intelligence services

Go with Anomali and improve your security posture

Organizations rely on Anomali to harness the power of threat intelligence to make effective cybersecurity decisions that reduce risk and strengthen defenses.