홈contact us사이트맵
공지사항
고객문의
자료실
고객센터
서브이미지
공지사항 > customer > 공지사항
제목 [기본] [Anomali] Product & APP Store Update 날짜 2022.05.11 14:41
글쓴이 관리자 조회 244
Anomali ThreatStream 2022 May Edition에 대한 Product & APP Store가 아래와 같이 업데이트 되었습니다.

---------------------------------------------------------------------------------------------------- 
What’s New This Month

The Anomali Platform
• More Log Sources for Correlation
• Vulnerability, Asset Management - Prioritizing Response
• Further enabling decision-makers - new Dashboards
• Pinpointing threats using Spike and Frequency alerting 

Anomali ThreatStream
• Feed Health Status Monitoring
• TAXII 2.x Client Support
• Import Intelligence Improvement
• SAML2 Single Sign-On Improvements
• Improved Attachments on all Threat Models

Integrator & Integration Updates
• Anomali Integrator v7.3.1
• Microsoft Defender Integrator Extension v1.0.2
• IBM QRadar SOAR App 2.4.0 (previously known as IBM Resilient; Certified by IBM)
New OSINT Data Sources

Anomali Product Updates

The Anomali Platform
The Anomali Platform, our Cloud XDR solution, stops breaches and attackers in real-time. It uses big data, machine learning, and the world’s largest intelligence repository, to provide security teams with the tools and insights needed to detect threats, make informed decisions, and defend against today’s sophisticated attacks.

This month we have released a number of key updates to our Cloud XDR solution:
• More telemetry sources native support
• Extended vulnerability and asset management support
• Deeper alerting and response capabilities
• Extended the key metrics in dashboards

More Log Sources for Correlation
Anomali continues to ensure a great breadth of security log source coverage through vendor support. These vendors now include Windows Defender, CrowdStrike, and Carbon Black. This enables a quicker configuration of the log source data within Cloud XDR.

Vulnerability, Asset Management - Prioritizing Response
We have extended our support for vulnerability scanners and asset information. Anomali Platform now includes support for Tenable.io - support for the Cloud Tenable vulnerability tooling. This addition now means that Tenable clients have support for the product of choice, either Tenable.sc or Tenable.io. This allows your analysts to prioritize remediation based on risk by identifying the top assets that show malicious activity at a glance and prioritizing that response based on risk score and asset criticality.

New Dashboards
Additional key dashboards in Cloud XDR have been released. The Multi-Dimensional View presents a number of visualizations showing the occurrence of IOC matches over time, whether by Source Host, Indicator, iType, Severity, Confidence and more. Furthermore, the Match Analysis View provides analytics about the threat intelligence feeds, indicator types, indicators, and DGA domains that match events in your network, such as Matches Over Time, Matches by iType, Matches by Indicator, Matches by DGA

An example of the Multi-dimensional View Dashboard

Pinpointing threats using Spike and Frequency alerting
The Anomali Platform could trigger alerts based on keyword matches, but now spike and frequency detection alerts can be triggered as well. This means that alerts triggered for user action or other types of response can track an upward or downward trend in the number of event matches within a given time frame (Spike detection) or when the number of events matches the filter condition in the specified time period (Frequency detection). These both provide the additional benefit of elevating the right intelligence and threats for actioning and remediation at the right time.

Anomali ThreatStream

Feed Health Status Monitoring
We have revamped the details of the current health state of these intelligence feeds within the APP Store modals. When opening the details of an active Feed within the APP Store, you’ll now be able to see the Health Status, Last Event time, and the Interval between intelligence syncs for that feed.
Additionally, we’ve also provided a color-coded line series for each feed or feed channel to indicate the Health History over the last thirty days. You can hover over each line to find out the status of requests and the error rate for that day. This feature is currently in BETA and available on request until the end of May, and you can reach out to support@anomali.com or your CSM if you’d like to enable it.
This feature set allows our customers to easily see if there are issues arising from a particular intelligence provider, and engage our teams to assist if necessary. Further details are available from ThreatStream Help.

Key capabilities and benefits in this new release include:
• New tab within APP Store Modals provides a detailed view of the health status for Feeds and Feed Channels
• Color-coded line series providing more detailed health information over the last 30 days (currently in beta)
• Enables an organization to easily identify issues with their active APP Store Feeds

TAXII 2.x Client Support
Trusted Automated Exchange of Intelligence Information (TAXII™) is an application protocol for exchanging intelligence over HTTPS. ThreatStream hosts a TAXII server instance that enables the sharing of observables with external applications, enabling out-of-the-box integration with security controls and other threat intelligence-consuming product.
In this release we update our ThreatStream TAXII client ensuring that any applications or products attempting to gather indicators using a TAXII 2.1 client will be able to receive intelligence without issue.
This release will add support for TAXII Client 2.x for ThreatStream Cloud customers.

Key capabilities and benefits in this new release include:
• Choose between TAXII 1.1, 2.0, and 2.1 when configuring a new site for IoC collection
• Configured TAXII 2.x sites will now show the API root hierarchy in the list view on the left hand side.
• Also allows the ability to specify different authentication per API root where necessary.
• Configured sites now show full details of both the overall Site and the selected API root where applicable
• Easy configuration of new TAXII 2.x sites allows out of the box integration with intelligence providers running TAXII 2.x servers
• Full Support for API roots ensures that all intelligence can be retrieved from these servers.

Import Intelligence Improvement
In this month's release, we’ve added the ability for users to manage import jobs much more effectively, improving the workflows to make selecting key intelligence simpler and clearer.
Further details are available from ThreatStream Help.
Key capabilities and benefits in this new release include:
• Users can filter import jobs based on any number of criteria to identify key intelligence for inclusion
• Users can easily exclude intelligence based on filtering within an import job, making the review process much more efficient
• This makes it much easier for users to identify and exclude / include key intelligence from their workflows
• This increases efficiency hugely during the review process of large data sets
• This new feature will help you to remove observables from an import that have a lower than preferred confidence score

SAML2 Single Sign-On Improvements
The Anomali team has extended the support for SAML2 in our platform to add features including Permissions Management and Auto User Provisioning (also known as Just-in-Time provisioning). These features have previously only been usable with our supported Microsoft identity solutions.
• User Permissions can be managed by any SAML2 compliant IDP which supports and implements groups/security groups, extending how organizations can set up their own Single Sign-On configuration in ThreatStream SaaS
• To add or remove a user or permission to an existing user, the customer's identity and access management (IDAM) team simply adds or removes the user from the appropriate group(s) on their user management application
• New users are automatically created if a user tries to log in and is found to have the necessary permissions to use ThreatStream or Match
• This applies to ThreatStream SaaS only for now; it will be available in the upcoming release of AirGap, and in a future release of OnPrem

Improved Attachments on all Threat Models
A small but significant improvement this month - ThreatStream now supports adding multiple attachments to our Threat Models during a single upload operation; limited to a maximum of 15 attachments in one operation, and a maximum total file size of 100MB. Note that an individual file size limit of 10MB applies.

Integrator & Integration Updates

Anomali Integrator v7.3.1
This patch release of Integrator is for CVE-2022-0778.
• The fix is provided by an updated version of OpenSSL library and is also included in Integrator 8.0.
• This patch is now available from the ThreatStream downloads page.

Microsoft Defender Integrator Extension v1.0.2
This is a patch release, which includes bug fixes, and the ability to configure the API endpoint for non-standard Defender accounts. This is an improvement to include a specific agent from our partner Microsoft.
Please note a recent change to the documented configuration process for this integration. The process previously used has been improved, and we ask customers to refer closely to the steps now included for manually creating an Azure application for the integration.
Further details are available from ThreatStream Help.

IBM QRadar SOAR App 2.4.0 (previously known as IBM Resilient; Certified by IBM)
This is a point release of IBM QRadar SOAR App 2.4.0 integration with a number of improvements and new features. It is now possible to include tags on artifact lookups to provide additional context on retrieved intelligence. Also, intelligence can now be imported directly from Resilient without approval, and with a specified expiration date. Synced investigations now include the Incident ID from Resilient.

This update has been certified by IBM, and is due on ThreatStream downloads page imminently.

New OSINT Data Sources
This month, the ThreatStream team are moving some of our previous public open source data to our APP store. Customers will see six new OSINT data sources in the APP store which they can easily review and opt in to consume. The sources include Emerging Threats and DShield open source data, among others. Customers should contact their CSM or the Anomali support Organization for further information if needed.


목록 쓰기