Sumo Logic

Integrate Anomali ThreatStream

Learn how to set up CSE integration with Anomali ThreatStream.

This page has instructions for setting up the CSE integration with Anomali ThreatStream.

About CSE Integration with Anomali ThreatStream

Anomali ThreatStream delivers a comprehensive suite of Threat Intelligence solutions. It allows you to access intelligence feeds and integrate them with internal security and IT systems. 

What does the CSE ThreatStream integration do?

The ThreatStream integration brings threat indicators from Anomali into CSE, so that you can enrich incoming Records with threat intel information and use that information in CSE Rules. How does that work?

CSE compares incoming Records with information from the Anomali feed. When there is a “match”, for instance when an IP address in a Record matches an IP address that Anomali says is malicious, CSE adds relevant information to that Record. Because the threat intel information is persisted within Records, you can reference it downstream in both rules and search. The built-in rules that come with CSE will also automatically create a Signal for any Record with a match from ThreatStream. To leverage the information in a rule, you extend your rule expression. For a more detailed explanation, see Threat Intel in the About CSE Rules topic.
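As an added illustration of the matching described above (example code, not from Sumo Logic or Anomali): the filter string shown in the [threatstream] section of the configuration file further down this page is expressed as a Python predicate over constructed ThreatStream-style indicators, the survivors are indexed, and an incoming Record is enriched with a threat_intel entry for every field that matches. The indicator and Record field names are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed ThreatStream-style indicators; field names follow the keys used in the
# page's filter string and are an assumption, not the real API schema.
INDICATORS = [
    {"id": 1, "type": "ip", "value": "203.0.113.10", "status": "active", "itype": "mal_ip",
     "threat_type": "malware", "confidence": 97, "created_ts": "2024-05-01T10:00:00Z"},
    {"id": 2, "type": "ip", "value": "198.51.100.7", "status": "active", "itype": "tor_ip",
     "threat_type": "anonymizer", "confidence": 99, "created_ts": "2024-05-02T10:00:00Z"},
    {"id": 3, "type": "domain", "value": "Bad.Example.net", "status": "active", "itype": "c2_domain",
     "threat_type": "c2", "confidence": 96, "created_ts": "2024-05-03T10:00:00Z"},
    {"id": 4, "type": "md5", "value": "D41D8CD98F00B204E9800998ECF8427E", "status": "active",
     "itype": "mal_md5", "threat_type": "malware", "confidence": 80, "created_ts": "2024-05-03T10:00:00Z"},
    {"id": 5, "type": "domain", "value": "old.example.org", "status": "active", "itype": "c2_domain",
     "threat_type": "c2", "confidence": 99, "created_ts": "2024-03-01T10:00:00Z"},
]
NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)  # constructed "current time" for the -7d check

def selected(ind, now=NOW):
    """Python equivalent of the filter string in the [threatstream] config section."""
    created = datetime.strptime(ind["created_ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (ind["status"] == "active"
            and ind["type"] in {"domain", "ip", "url", "md5"}
            and ind["itype"] != "tor_ip"
            and ind["threat_type"] != "spam"
            and ind["confidence"] >= 95
            and created > now - timedelta(days=7))

def build_lookup(indicators, now=NOW):
    """Index the indicators that pass the filter by (type, lower-cased value)."""
    return {(i["type"], i["value"].lower()): i for i in indicators if selected(i, now)}

# Record field -> indicator type it is compared against (field names are an assumption).
RECORD_FIELDS = {"srcIp": "ip", "dstIp": "ip", "domain": "domain", "url": "url", "fileHash": "md5"}

def enrich(record, lookup):
    """Return a copy of the Record with a threat_intel list describing every matched field."""
    out = dict(record)
    hits = []
    for field, itype in RECORD_FIELDS.items():
        ind = lookup.get((itype, str(record.get(field, "")).lower()))
        if ind:
            hits.append({"field": field, "indicator_id": ind["id"],
                         "itype": ind["itype"], "confidence": ind["confidence"]})
    if hits:
        out["threat_intel"] = hits  # downstream rules and searches can reference this
    return out
```

The Tor exit node, the low-confidence hash and the indicator older than seven days are dropped by the filter, so a Record only picks up the high-confidence IP and domain matches.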

How does the integration work?

The integration is a binary that you run as a service on a local system. You configure it with CSE credentials and the URL of your CSE portal. The integration runs periodically to download the latest indicators (using Anomali APIs) and updates the Anomali threat intel list on CSE. By default, the integration runs every 60 seconds. You can change this period using the polling_interval property in the [threatstream] section of the config file.

Here’s what you’ll see on the Threat Intelligence page after you set up the integration.


Requirements

Prerequisites

This integration requires that you have an Anomali ThreatStream account.

System requirements

In order to successfully install and run the integration, your machine must meet the following requirements.

Category            Requirements
Operating System    CentOS or Ubuntu 16
Core (CPU)          2
Memory (RAM)        2GB
Storage (Disk)      20GB

Outbound firewall rules

You need to configure your firewall to allow connections to the Anomali APIs.

The first step is to figure out the IP address for your CSE portal, and the addresses it uses for ingestion. To do so, run the following commands in a terminal window.

dig <customername>.portal.jask.ai # 1 IP
dig <customername>-ingest.jask.ai # 4 IPs

The first command will return a single IP address, the second returns four addresses.

Now, enable the following firewall rules, substituting:

  • The first segment of your CSE portal for <customername>.
  • The IP address returned by the first dig command for <IP 1>.
  • The four IP addresses returned by the second dig command for <IP 2> through <IP 5>.

TCP/443 <customername>.portal.jask.ai
TCP/443 <customername>-ingest.jask.ai
TCP/443 <IP 1>
TCP/443 <IP 2>
TCP/443 <IP 3>
TCP/443 <IP 4>
TCP/443 <IP 5>

Install and configure the integration service

To set up the integration, you’ll download a binary and supply required information in the configuration file.

  1. In the CSE web UI, click the gear icon, then click Enrichment to download the package.
  2. On the Enrichment page, click the download link for Anomali ThreatStream Integration.
  3. Make the file executable. Open a command shell, and run:
    chmod +x anomali-integration_installer.bin
  4. Run the installer:
    ./anomali-integration_installer.bin 
    This installs the “trident-intel” service.
  5. Open the configuration file, /opt/trident/intel/conf/trident-intel.cfg, in a text editor. Supply the values that are shown in angle brackets (<>):

[trident]
cluster_name = <customer>.portal.jask.ai
api_key      = <user api key> # CSE API key, found at https://<customer>.portal.jask.ai/configuration/profile
username     = <username matching api key>
chunk_size   = 100
debug        = false
log_file     = /opt/trident/intel/logs/intel.log

[threatstream]
endpoint     = https://api.threatstream.com/api/v2/intelligence/
api_key      = <user api key> # Anomali ThreatStream API key, from your Anomali account
username     = <username matching api key>
filter       = status=active AND (type=domain OR type=ip OR type=url OR type=md5) AND itype!=tor_ip AND threat_type!=spam AND confidence>=95 AND created_ts>-7d
last_id      = 0
page_size    = 1000

  6. Restart the “trident-intel” service:
    $ systemctl restart trident_intel
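Before restarting the service it is worth checking that every angle-bracket placeholder in trident-intel.cfg was actually replaced and that the numeric settings parse. The following checker is an added example (not part of the Sumo Logic package); it runs offline against a constructed copy of the config file in which one placeholder was left unfilled, and the set of required keys it enforces is taken from the file shown above.

```python
import configparser
import re

# Constructed sample of /opt/trident/intel/conf/trident-intel.cfg: one placeholder is
# still unfilled, and the optional polling_interval from the page is set explicitly.
SAMPLE_CFG = """[trident]
cluster_name = acme.portal.jask.ai
api_key = <user api key> # found at https://acme.portal.jask.ai/configuration/profile
username = analyst@example.com
chunk_size = 100
debug = false
log_file = /opt/trident/intel/logs/intel.log
[threatstream]
endpoint = https://api.threatstream.com/api/v2/intelligence/
api_key = 0123456789abcdef
username = analyst@example.com
filter = status=active AND (type=domain OR type=ip OR type=url OR type=md5) AND confidence>=95 AND created_ts>-7d
last_id = 0
page_size = 1000
polling_interval = 60
"""
REQUIRED = {"trident": ["cluster_name", "api_key", "username", "chunk_size", "debug", "log_file"],
            "threatstream": ["endpoint", "api_key", "username", "filter", "last_id", "page_size"]}
INTEGER_KEYS = {("trident", "chunk_size"), ("threatstream", "last_id"),
                ("threatstream", "page_size"), ("threatstream", "polling_interval")}

def check_config(text):
    """Return a list of problems found in the config text; an empty list means it looks sane."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read_string(text)
    problems = []
    for section, keys in REQUIRED.items():
        if not cp.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        problems += [f"[{section}] missing {k}" for k in keys if not cp.has_option(section, k)]
    for section in cp.sections():
        for key, value in cp.items(section):
            if re.search(r"<[^>]*>", value):  # an angle-bracket placeholder was never replaced
                problems.append(f"[{section}] {key} still has a placeholder: {value}")
            if (section, key) in INTEGER_KEYS and not value.isdigit():
                problems.append(f"[{section}] {key} must be a non-negative integer, got {value!r}")
    if cp.has_option("threatstream", "endpoint") and not cp["threatstream"]["endpoint"].startswith("https://"):
        problems.append("[threatstream] endpoint must use https")
    if cp.has_option("trident", "debug") and cp["trident"]["debug"].lower() not in ("true", "false"):
        problems.append("[trident] debug must be true or false")
    return problems
```

Point it at the real file with `check_config(open("/opt/trident/intel/conf/trident-intel.cfg").read())` on the integration host.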

Useful Linux commands

This section contains useful Linux commands for configuring and managing the integration service. 

# Restart the integration service
$ systemctl restart trident_intel

# Service status
$ systemctl status trident_intel

# View Config
$ cat /opt/trident/intel/conf/trident-intel.cfg

# Edit Config
$ vi /opt/trident/intel/conf/trident-intel.cfg

# View Logs
$ tail -f /opt/trident/intel/logs/trident-intel.log