
    Anomali

    Sold by Anomali

    Anomali delivers the first Intelligence-Native Agentic SOC Platform, unifying a fully featured security data lake, threat intelligence, and agentic AI into a single modern experience. The platform accelerates detection, investigation, and response, delivering earlier insights, faster action, and scalable modernization across any environment.

    Ratings and reviews

    4.2 (7 ratings)
    5 star: 29%
    4 star: 71%
    3 star: 0%
    2 star: 0%
    1 star: 0%
    1 AWS review | 6 external reviews
    External reviews are from G2 and PeerSpot.

    Reviews (7)

    Aditya Yadav_

    Proactive threat intelligence has reduced alerts and improves attack surface visibility

    Reviewed on May 26, 2026
    Review from a verified AWS customer

    What is our primary use case?

    My main use case for Anomali was a proactive approach to integrate Anomali Threat Intel, the TIP platform, with different security controls. The customer had two use cases: one related to the proactive approach of ingesting the IOCs into different security controls such as their IPS, IDS, email security gateways, proxy, and endpoint systems so that any malicious activity or traffic coming into their environment would be proactively blocked on all their security controls.

    We also had another use case where we wanted to get specific vulnerabilities whenever published for the specific products used within the customer's environment. Apart from that, we created some custom policies to detect any malicious activity based on the telemetry data Anomali Analytics was providing, triggering alerts and notifying us.

    I utilized Anomali Security Analytics to understand our attack surface so we could know how much anomalous or malicious traffic was entering our environment. That helped in running threat hunting activities and identifying users and machines interacting with malicious IPs, hashes, or any IOCs exposed over the internet. It also helped us identify machines containing vulnerabilities; if a vulnerability is exposed that bad actors exploit, we focus on and prioritize those assets for patching.

    Based on threat actors' activities, we identified whether any threat actor was tightly associated with our organization type. Supporting a financial sector organization, we targeted and identified threat actors attacking financial and insurance sector organizations, which helped us proactively mitigate and secure the environment based on the IOCs or attack patterns available for those specific threat actors.

    How has it helped my organization?

    Anomali positively impacts our organization, notably improving our vulnerability management program as part of reducing our attack surface. It supports our threat hunting activities, helping us identify gaps, create logical rules, and understand the context of threat policies on our SIEM platforms. We successfully present quantitative data to our leadership, offering an executive summary of the attack surface and identifying various security gaps and mitigation strategies.

    In one time period, we had around 1,000 alerts related to malicious IPs or TOR activities in our platform. After implementing IOCs into our Palo Alto platform, we proactively blocked these malicious IPs from reaching our proxy, resulting in a significant drop in alerts. Previously, we faced around 100 alerts monthly for TOR activities, but following the integration with Anomali, that number reduced to just five or six cases in a month.

    What is most valuable?

    The best features Anomali offers include the TIP platform and Anomali Analytics, previously called Anomali Match, which provides a perspective to identify our attack surface. Correlating IOCs with the telemetry data we are ingesting from our data sources allows us to pull monthly reports identifying how many assets and users interacted with malicious content, giving insight into whether communications failed or users accessed restricted content, providing complete visibility of the IOCs traveling throughout our environment.

    Anomali Analytics, or Anomali Match, helped us identify scenarios where we were getting a lot of alerts on our SIEM solution for TOR activities. Some alerts were missed, but we identified through Anomali Analytics how many interactions were happening with malicious IOCs and TOR IPs associated with vulnerabilities. We were able to identify vulnerable systems that were not patched and were interacting with those threat IPs linked to the threat actor Skinny Hunter, targeting financial sector organizations.

    We identified the IOCs within our environment, observed attack patterns for that threat actor, mapped those patterns to identify vulnerable assets, and recommended to the vulnerability management team to patch on priority.

    Anomali's dashboarding stands out; they introduced Anomali Query Language, allowing us to create dashboards identifying specific data sources and logs we push to security controls. We had Palo Alto and Check Point firewalls where we tracked data to identify how many IOCs we pushed and how many passed through or were blocked, providing deeper insights from each integrated security control due to the correlation of the TIP platform and Anomali Security Analytics.

    What needs improvement?

    Integration is quite easy; based on APIs, we can integrate different security controls without limitations, although Anomali could improve by offering more out-of-the-box connectors. There were good connectors for Zscaler and CrowdStrike, but for firewalls such as Check Point or Palo Alto, it relies on APIs. The integration was solid, and Anomali's ability to correlate and integrate different threat intel platforms, such as Mandiant and PolySwarm, is another valuable feature, removing duplication and enabling the application of specific IOCs across various security controls.

    Anomali could improve by providing more out-of-the-box solutions for integration. Some API queries fail because certain values within the queries cannot pass through the integrator. Additionally, the email notification system could be enhanced to present data better to leadership so that those in management roles can understand the logs more easily, improving visibility.

    For how long have I used the solution?

    I have been using Anomali for around the last three years for one of my clients, managing that platform as Threat Intel to integrate with their multiple security tools such as their firewalls, IPS, and IDS.

    What do I think about the stability of the solution?

    Anomali is stable and has performed reliably.

    What do I think about the scalability of the solution?

    Anomali handles our growth and expansion well, integrating with our other security platforms.

    What was our ROI?

    I do not have specific ROI numbers, but we have saved a lot of time. Previously, we needed to sift through extensive data via SIEM solutions to achieve visibility and prepare dashboards manually, but now we can identify metrics quicker.

    What's my experience with pricing, setup cost, and licensing?

    Pricing and licensing are good, but the costs for purchasing threat feeds are somewhat complicated and a bit on the higher side. I was not part of the setup cost but know that we had to consider the costs before integrating feeds into our environment.

    Which other solutions did I evaluate?

    We evaluated Mandiant and Cybel before choosing Anomali.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
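
    The review above describes two mechanics without showing them: pushing vetted IOCs to a Palo Alto firewall so that known-bad traffic never reaches the proxy, and correlating IOCs with proxy and firewall telemetry to count which hosts and users touched malicious infrastructure and whether a control blocked them. The script below is an added example written for this page; it is not the reviewer's code and not Anomali Analytics or its query language. The IOC list and the log lines are constructed, the key=value log format is invented for the example rather than a real Palo Alto log format, and the external dynamic list (EDL) output only models the plain-text IP list that a Palo Alto firewall can poll from an HTTP server.

```python
"""Correlate vetted IOCs against proxy/firewall telemetry and render a block list.
Added example with constructed data; not Anomali's code."""
import ipaddress
import re
from collections import defaultdict

# Constructed IOC export after the team's own vetting (not real TIP data).
IOCS = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90, "tags": ["tor_exit"]},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 80, "tags": ["c2"]},
    {"type": "domain", "value": "update-check.example", "confidence": 70, "tags": ["phish"]},
    {"type": "ipv4", "value": "192.0.2.250", "confidence": 40, "tags": ["scanner"]},
]

# Constructed proxy/firewall lines in an invented "ts sensor key=value ..." layout.
LOG_LINES = """\
2026-05-01T08:12:04Z proxy01 user=jdoe src=10.1.4.21 dst=203.0.113.45 host=- action=allow
2026-05-01T08:15:31Z fw01 user=- src=10.1.4.21 dst=203.0.113.45 host=- action=deny
2026-05-01T09:02:10Z proxy01 user=asmith src=10.1.7.9 dst=198.51.100.7 host=update-check.example action=allow
2026-05-01T09:40:55Z proxy01 user=bwong src=10.1.9.3 dst=93.184.216.34 host=www.example.com action=allow
2026-05-02T11:20:00Z fw01 user=- src=10.1.7.9 dst=192.0.2.250 host=- action=deny
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Split one constructed log line into a dict; None for lines that do not fit."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    rec = {"ts": parts[0], "sensor": parts[1]}
    rec.update(_KV.findall(parts[2]))
    return rec


def select_iocs(iocs, min_confidence):
    """Index indicators at or above the confidence threshold by their value."""
    return {i["value"]: i for i in iocs if i["confidence"] >= min_confidence}


def correlate(log_text, iocs, min_confidence=75):
    """Return one hit per (log line, matching indicator): dst against IP IOCs,
    requested host against domain IOCs."""
    active = select_iocs(iocs, min_confidence)
    hits = []
    for raw in log_text.splitlines():
        rec = parse_log_line(raw)
        if not rec:
            continue
        for field, ioc_type in (("dst", "ipv4"), ("host", "domain")):
            ioc = active.get(rec.get(field, "-"))
            if ioc and ioc["type"] == ioc_type:
                hits.append({"ts": rec["ts"], "sensor": rec["sensor"],
                             "src": rec.get("src"), "user": rec.get("user", "-"),
                             "indicator": ioc["value"], "ioc_type": ioc_type,
                             "action": rec.get("action", "unknown"), "tags": ioc["tags"]})
    return hits


def summarize(hits):
    """Attack-surface roll-up: who touched what, and whether a control stopped it."""
    by_indicator = defaultdict(int)
    for h in hits:
        by_indicator[h["indicator"]] += 1
    return {
        "hosts": sorted({h["src"] for h in hits if h["src"]}),
        "users": sorted({h["user"] for h in hits if h["user"] != "-"}),
        "allowed": sum(1 for h in hits if h["action"] == "allow"),
        "blocked": sum(1 for h in hits if h["action"] in ("deny", "drop", "block")),
        "by_indicator": dict(by_indicator),
    }


def edl_text(iocs, min_confidence=75):
    """Render vetted IPv4 indicators as an external dynamic list: one address per
    line, which is the shape a Palo Alto firewall polls and can block on."""
    lines = []
    for ioc in select_iocs(iocs, min_confidence).values():
        if ioc["type"] != "ipv4":
            continue
        try:
            ipaddress.IPv4Address(ioc["value"])
        except ValueError:
            continue  # never ship a malformed entry to a blocking control
        lines.append(ioc["value"])
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    found = correlate(LOG_LINES, IOCS)
    print(summarize(found))
    print(edl_text(IOCS), end="")
```

    The summary is the monthly roll-up the reviewer describes (hosts and users per indicator, allowed versus blocked), and the allowed count after the EDL is in place is the number that should fall toward zero. Lowering min_confidence to 60 brings the domain indicator into scope and adds a hit on the proxy's host field; the threshold is the policy knob, so keep it explicit rather than hard-coded.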
    reviewer2845602

    Threat intelligence has strengthened detection and response for malicious URLs and attacks

    Reviewed on May 22, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Anomali is for threat intelligence. We have a threat stream and threat practice on that. We are checking overall and verifying malicious websites, malicious hashes, and malicious URLs that are coming to the internal organization.

    I can give a quick specific example of how I use Anomali in my workflow. I have used Anomali to check which malicious URLs and websites are attacking our internal organization. We check the threat intelligence portal like VirusTotal and other sources, and if the reputation of that URL is malicious, we block it in Anomali.

    What is most valuable?

    The best features Anomali offers are that it shows all the information on the particular dashboard, whether something is malicious or not and what the reputation status is.

    Anomali has impacted my organization positively because our SOC team, which is actively monitoring all the tools, whether SIEM, SOAR, or the threat intelligence platform, operates in multiple shifts. It has impacted our organization in a positive way by showing whether malicious activities or APTs are present. Whatever attackers are there, it shows on the dashboard and we can perform our analysis and execute remediation effectively.

    Anomali has improved our MTTR and MTTD.

    What needs improvement?

    We can enhance the dashboard and create metrics and improve the themes for incident response in particular. We could implement it through SOAR and gather more data on SOAR.

    For how long have I used the solution?

    I have been using Anomali for about three months.

    What do I think about the stability of the solution?

    Anomali is stable.

    Which solution did I use previously and why did I switch?

    I previously used a different solution.

    What's my experience with pricing, setup cost, and licensing?

    I do not know much about the pricing, setup cost, and licensing. These aspects are taken care of by seniors and associate directors.

    Which other solutions did I evaluate?

    I did not evaluate other options before choosing Anomali.

    What other advice do I have?

    I have used Anomali for the past four months in my previous organization.

    There is nothing else I would like to add about the features.

    On a scale of one to ten, I would rate Anomali an eight to nine. I would give Anomali that score because we see Anomali as a threat intelligence platform and we can work with it and improve the MTTR. I rate this product eight out of ten overall.

    reviewer2845392

    Threat intelligence workflows have become faster and provide richer indicators for investigations

    Reviewed on May 22, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Anomali in my organization is threat intelligence. We use threat intelligence with Anomali in my day-to-day work to query feeds.

    What we do is query those feeds looking for all kinds of indicators of compromise: IP, URL, and other indicators of compromise. They are evaluated according to the score given by Anomali, and we also do other processing for those indicators, validations for those indicators. After that analysis, they are integrated with the different security controls: firewalls, IPS, proxy, among others.

    We also use it for hunting topics and security bulletins.

    What is most valuable?

    I consider the best features offered by Anomali to be its versatility, good information, various integrations, and feeds that are free. There are also others that are integrated and paid, but its capacity is large. It really has a high storage of indicators of compromise and its reliability is quite accurate.

    Anomali has positively impacted my organization significantly; it has been a great help. Anomali is a very versatile platform, quite effective, and very fast when it comes to downloading and maintaining the information of the indicators of compromise. Additionally, it has a large amount of information about those indicators of compromise, such as their score and evaluation, and it also brings where they come from and tries to attach vectors to those indicators, which makes threat intelligence and security bulletins much easier. All the information that it provides makes it much easier to analyze and generate valuable information.

    What needs improvement?

    I think that Anomali could be improved by addressing a major weakness, which is the issue of its integrators. The capacity they have when publishing a large number of indicators is quite limited. This makes it almost indispensable to set up one integrator per control, which is not efficient. It should have a much larger capacity to publish the application on a single server and for that server to handle a large quantity and volume of indicators.

    Regarding the web interface, there are several problems when it comes to administration. These integrators publish a web interface that after a while generates quite a few errors and the service has to be restarted quite a lot in order to administer it, which is not efficient.

    For how long have I used the solution?

    I have been working in the field of computer security for more than 10 years. I have been using Anomali for 3 years.

    What do I think about the stability of the solution?

    I consider Anomali to be 100% stable.

    What do I think about the scalability of the solution?

    I would rate the scalability of Anomali highly; it adapts well to my organization's growth needs.

    How are customer service and support?

    My experience with Anomali's customer support has not gone so well for us. Not because they are bad at support, but because the tool being limited means the support people fall short.

    Which solution did I use previously and why did I switch?

    Before using Anomali, I used ThreatConnect. I decided to switch from ThreatConnect to Anomali really for commercial reasons. ThreatConnect is also a quite complete platform.

    Which other solutions did I evaluate?

    Before choosing Anomali, I understand that ThreatConnect was there, but I do not know about the others.

    What other advice do I have?

    I think the platform is fine as it is for now. In terms of costs, Anomali is not the cheapest, but it has helped on the operational side in reducing the efficiency burden on staff. Not the reduction of staff as such, but in the efficiency of the staff on other tasks with the reduction of the administration of this platform.

    My advice to other people who are considering implementing Anomali is that they validate their infrastructure. If they have too many controls that will need Anomali to disseminate, they have to take into account that they are going to deploy many integrators, which translates into on-premise infrastructure, which raises costs and increases the administrative burden. Other than that, Anomali is a very good platform in terms of dissemination of indicators of compromise and all the benefits it has at the threat intelligence level.

    I give this review an overall rating of 8.
    reviewer2843913

    Centralized threat intelligence has streamlined dark web monitoring and real‑time IOC detection

    Reviewed on May 21, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Anomali is that it helps me with intelligence gathering and dark web monitoring. It has good functionality of integration with other solutions like Google Mandiant and Flashpoint, which are other CTI solutions. It also integrates with other SIEM solutions such as Splunk, allowing us to push all the indicators of compromise and IOCs to the SIEM solution. We can customize based on the confidence score of this indicator; for instance, if the confidence score is over 75, we push it to Splunk for real-time sightings within the network. I think it's one of the awesome tools I've worked with to date.

    A specific example of how I've used Anomali for intelligence gathering or integration with Splunk is that Anomali captures all the latest intel from various sources, whether forums, open sources, articles published on social media, or researchers posting their findings in their blogs. It collects all the TTPs, IOCs, and captures them to publish within Anomali. We push those indicators to Splunk via an API-based integration for real-time checks within the network if there are any sightings or hits.

    Regarding my main use case with Anomali, while much of it is confidential, one unique capability is Anomali's TAXII/STIX based integration with different platforms. For instance, we recently integrated with the CISA platform run by the US government, which provides us with the latest advisories. They push all the results into Anomali, creating a single UI that helps us avoid jumping into various sources to find intel, which I think is a unique feature of Anomali.

    What is most valuable?

    The best features Anomali offers are that it acts as an application that pulls data from different solutions. As I mentioned earlier, we utilize Mandiant, Flashpoint, and other CTI solutions. Using Anomali, I push all the results into it, providing a single UI to see what Flashpoint and Google Mandiant are providing rather than jumping into different platforms, which can be time-consuming. Anomali helps us stay on a single platform and provides the required results.

    The user interface in Anomali is very good. I have worked in Anomali for five years and think they have a great UI for writing queries and finding specific results much more efficiently than in other solutions where you need to scroll down through different widgets. Anomali has a query-based language, similar to SQL, that helps us dig out specific results, whether vulnerability-related or concerning threat actors and TTPs. We can also perform string-based searches. I think it's an awesome feature. Furthermore, regarding integration, Anomali has capabilities to integrate with different downstream applications such as Palo Alto, allowing us to create playbooks to block domains, URLs, or IPs directly within the firewall.

    Anomali has positively impacted my organization by reducing the time required to find intel specific to our needs. We can create our own queries specific to our organization and pull out results related to any posts within the dark web or any activities from threat actors targeting us. This capability enables us to create saved searches that provide exact results. I estimate that Anomali has saved me about 30% of my time.

    What needs improvement?

    In terms of improvements, I think Anomali has a good UI and integration capabilities. However, one area for improvement is providing a heat map of cyberattacks around the world. It would be helpful to have a list of which countries are facing the most attacks or experiencing major data breaches, and I think those areas could be enhanced.

    One more improvement I would mention is regarding compromised credential monitoring. Anomali should increase their capability to fetch details from various dark web solutions where threat actors post compromised credentials. Expanding in that area could significantly enhance its utility.

    For how long have I used the solution?

    I have been using Anomali for around five years now.

    What do I think about the stability of the solution?

    Anomali is stable. The good thing is that they have a health check page, and if any issues arise, they notify us. We can continuously track the real-time status of Anomali platform through this webpage.

    What do I think about the scalability of the solution?

    Anomali's scalability is good; it performs well.

    How are customer service and support?

    Customer support from Anomali is reliable; they provide support regularly during incidents or any requirements and are responsive to our needs.

    Which solution did I use previously and why did I switch?

    I have not previously used a different solution; this is the only one I have used in the last five years.

    What was our ROI?

    I have seen a return on investment from using Anomali.

    What's my experience with pricing, setup cost, and licensing?

    My experience with pricing involved a yearly, two-year contract; I can't specify the setup cost, but it was aligned with our budget, so I consider it good.

    Which other solutions did I evaluate?

    I did evaluate other options before choosing Anomali, but I can't recall the names of the specific ones.

    What other advice do I have?

    My advice for others considering Anomali is to go for it, depending on your organization. Whether it is retail, finance, or service-based, decide on your PIRs and use cases to evaluate if Anomali covers those adequately.

    Any new customers looking for a solution should consider Anomali as a great option. However, it depends on the organization; whether retail, finance, product-based, or service-based, you should evaluate the use cases for yourself, conduct a POC, and see if it meets all your needs. I would rate this solution an 8 out of 10.
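
    The review above sets out a push policy (indicators whose confidence score is over 75 go to Splunk for real-time sightings) and an ingestion path (STIX/TAXII from feeds such as the CISA platform). The script below is an added example written for this page; it is not the reviewer's code and not Anomali's Splunk or TAXII integration. It parses a constructed STIX 2.1 bundle of the shape a TAXII collection returns (ids, feed names and indicators are placeholders, and optional STIX fields are trimmed), applies the confidence threshold, skips revoked, expired and unscored indicators, merges duplicates reported by more than one feed, and renders the result as a CSV in the shape of a Splunk lookup file. No TAXII or Splunk API call is made, so it runs offline; the lookup column names are the example's own choice.

```python
"""Select STIX 2.1 indicators by confidence and render a Splunk-style lookup CSV.
Added example on constructed data; not Anomali's code."""
import csv
import io
import json
import re
from datetime import datetime, timezone

# "As of" time for the constructed data, so the expiry check is reproducible.
REFERENCE_TIME = datetime(2026, 5, 22, tzinfo=timezone.utc)

# Constructed STIX 2.1 bundle: placeholder ids/feeds, optional fields omitted.
BUNDLE_JSON = r'''{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000aa", "objects": [
 {"type": "identity", "spec_version": "2.1", "id": "identity--00000000-0000-4000-8000-0000000000a1", "name": "Constructed Feed A", "identity_class": "organization"},
 {"type": "identity", "spec_version": "2.1", "id": "identity--00000000-0000-4000-8000-0000000000a2", "name": "Constructed Feed B", "identity_class": "organization"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000001", "created_by_ref": "identity--00000000-0000-4000-8000-0000000000a1",
  "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.45']", "confidence": 90, "valid_from": "2026-05-20T10:00:00.000Z"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002", "created_by_ref": "identity--00000000-0000-4000-8000-0000000000a2",
  "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.45']", "confidence": 80, "valid_from": "2026-05-21T10:00:00.000Z"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003", "created_by_ref": "identity--00000000-0000-4000-8000-0000000000a1",
  "pattern_type": "stix", "pattern": "[domain-name:value = 'update-check.example']", "confidence": 60, "valid_from": "2026-05-20T10:00:00.000Z"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000004", "created_by_ref": "identity--00000000-0000-4000-8000-0000000000a2",
  "pattern_type": "stix", "pattern": "[url:value = 'http://bad.example/login.php' OR url:value = 'http://bad.example/verify']", "confidence": 85, "valid_from": "2026-05-20T10:00:00.000Z"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000005", "created_by_ref": "identity--00000000-0000-4000-8000-0000000000a1",
  "pattern_type": "stix", "pattern": "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000005']", "confidence": 95, "valid_from": "2026-05-20T10:00:00.000Z", "revoked": true},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000006", "created_by_ref": "identity--00000000-0000-4000-8000-0000000000a1",
  "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']", "confidence": 88, "valid_from": "2024-01-01T00:00:00.000Z", "valid_until": "2025-01-01T00:00:00.000Z"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000007", "created_by_ref": "identity--00000000-0000-4000-8000-0000000000a2",
  "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.250']", "valid_from": "2026-05-20T10:00:00.000Z"}
]}'''

# One comparison inside a STIX pattern: object path, '=', single-quoted literal.
_COMPARISON = re.compile(r"([\w-]+:[\w.-]+(?:'[^']+')?)\s*=\s*'((?:[^'\\]|\\.)*)'")
PATH_TO_TYPE = {"ipv4-addr:value": "ip", "ipv6-addr:value": "ip", "domain-name:value": "domain",
                "url:value": "url", "file:hashes.'SHA-256'": "sha256", "file:hashes.'MD5'": "md5"}


def load_bundle():
    return json.loads(BUNDLE_JSON)


def parse_pattern(pattern):
    """Return (path, value) pairs from a pattern of '=' comparisons joined by AND/OR."""
    return [(path, val.replace("\\'", "'")) for path, val in _COMPARISON.findall(pattern)]


def stix_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_indicators(bundle, min_confidence=75, now=None):
    """Push policy: drop revoked, expired and unscored indicators, keep those at or
    above min_confidence, and merge duplicates across feeds (highest confidence wins)."""
    now = now or datetime.now(timezone.utc)
    names = {o["id"]: o.get("name", o["id"]) for o in bundle["objects"] if o["type"] == "identity"}
    merged, dropped = {}, []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        conf = obj.get("confidence")  # optional in STIX 2.1: absent must not mean "high"
        if obj.get("revoked"):
            reason = "revoked"
        elif obj.get("valid_until") and stix_time(obj["valid_until"]) <= now:
            reason = "expired"
        elif conf is None:
            reason = "no confidence score"
        elif conf < min_confidence:
            reason = f"confidence {conf} below {min_confidence}"
        else:
            reason = None
        if reason:
            dropped.append((obj["id"], reason))
            continue
        source = names.get(obj.get("created_by_ref"), "unknown")
        for path, value in parse_pattern(obj["pattern"]):
            ioc_type = PATH_TO_TYPE.get(path)
            if ioc_type is None:
                dropped.append((obj["id"], f"unsupported path {path}"))
                continue
            entry = merged.setdefault((ioc_type, value), {"indicator": value, "type": ioc_type,
                                                            "confidence": 0, "sources": set(), "stix_ids": []})
            entry["confidence"] = max(entry["confidence"], conf)
            entry["sources"].add(source)
            entry["stix_ids"].append(obj["id"])
    return list(merged.values()), dropped


def to_splunk_lookup(selected):
    """Render the selection as CSV, the shape of a Splunk lookup table file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["indicator", "type", "confidence", "sources", "stix_ids"],
                            lineterminator="\n")
    writer.writeheader()
    for e in sorted(selected, key=lambda e: (e["type"], e["indicator"])):
        writer.writerow({**e, "sources": ";".join(sorted(e["sources"])), "stix_ids": ";".join(e["stix_ids"])})
    return buf.getvalue()


if __name__ == "__main__":
    chosen, skipped = select_indicators(load_bundle(), 75, REFERENCE_TIME)
    print(to_splunk_lookup(chosen), end="")
    for stix_id, why in skipped:
        print(f"dropped {stix_id}: {why}")
```

    Two of the drop rules matter more than the threshold itself: a revoked or expired indicator that is still pushed produces false sightings on traffic that may be benign again, and an indicator with no confidence field must not be treated as high confidence just because the comparison against the threshold does not fail. The merge step keeps the source list so an analyst can see which feeds agreed on an indicator, which is the cross-feed question the later ChrisCollins review raises.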

    ChrisCollins

    Enables automated threat intelligence sorting and enhances proactive threat hunting capabilities

    Reviewed on May 12, 2025
    Review provided by PeerSpot

    What is our primary use case?

    We use Anomali as our threat intelligence platform for a variety of threat intelligence feeds that we subscribe to, needing a more central place to store everything so we can correlate which feeds have seen this indicator before and which haven't. This was the biggest use case for us to solve, which is why we went after it. It is definitely more than just a threat intel platform where we store all these indicators; it's almost very much a threat hunting tool that allows analysts to do investigations on those indicators and make connections, looking for other related things that we didn't necessarily see. It allows us to take a more proactive kind of approach.

    What is most valuable?

    The API is our most important feature. We are very much into automation, so being able to handle things programmatically at scale has been immensely powerful for us. We've evolved beyond just the two use cases I mentioned. One of the things we decided to do is utilize the Anomali API to push everything into that platform after sorting and normalizing everything. We now have a very robust collection of threat intelligence based on the capabilities that Anomali provides. It's very adaptable; you can do a lot with it, making it a very powerful tool.

    What needs improvement?

    There is always room for improvement, as there are always new ideas. They have been dabbling with some AI functionality built into the platform, which is still very new, so there's a lot of improvement that could happen there, especially as the technology enhances.

    For how long have I used the solution?

    I have been using Anomali for about 7 or 8 years.

    What was my experience with deployment of the solution?

    The initial setup depends on which kind of deployment you choose; they offer both an on-prem solution and a cloud deployment. If you choose the cloud deployment, there's nothing you have to do; you just log in and start using it. It's pretty seamless. If you're using an on-prem setup, they provide an appliance for enterprise customers, and after subscribing, they ship you a device that you can set up by following their setup guide, which provides all the details and instructions.

    What do I think about the stability of the solution?

    Stability has been pretty seamless so far, but we've run into some issues more recently due to changes in how some platform functions operate. It doesn't seem they're considering enough how customers use those functions as they change them, and they don't give us enough time to adapt to those changes. For example, while Microsoft allows ample time for users to adapt to deprecated features, Anomali only gave us three weeks before switching, so they need to be more cognizant of customer use cases from their engineering side.

    What do I think about the scalability of the solution?

    The scalability is massive, allowing us to store millions of indicators. Unless you have a threat intelligence platform, you can't scale to the level Anomali offers, especially compared to trying to do it in a SIEM tool such as Splunk or Sentinel. It seems almost unlimited; I'm sure there's a limit, but they do a good job of never allowing us to hit that limit.

    How are customer service and support?

    Support in the past has been top-notch, but recent trends indicate that it has taken a back seat, as we often don't get answers for days. We'll receive excuses such as "I was out of the office" or "I forgot to follow up on this, I apologize." While they apologize, it doesn't seem very professional how they're handling support anymore.

    What other advice do I have?

    You have to have at least a threat intelligence background or a SOC analyst background to use it, as that's the information you'll dig around with in there. If you don't have that kind of knowledge, it probably can be a little hard to use, but they do provide training. They offer training not only for how to use the platform but also some basic threat intelligence training to explain what these things are and what these terms mean.

    My company is a customer of Anomali.

    I would recommend it to other people.

    I would advise making sure you don't pick it without testing other products and have your use cases well thought out and documented before testing, so you know it will solve the problems you're trying to address. Keep an open mind with it and realize that whatever you can dream of, you can probably do with the platform.

    Overall, I would rate Anomali an eight out of ten.

    Sai Puneeth Gundamraju

    Effective threat modeling and intelligence prioritization streamline threat hunting

    Reviewed on Apr 28, 2025
    Review provided by PeerSpot

    What is our primary use case?

    I use Anomali for threat hunting, threat collection, operationalization of intelligence, such as indicators of compromise (IOCs), and dissemination of reports for report writing and documentation.

    What is most valuable?

    The most valuable aspect of Anomali is the threat modeling capability. It collects threat intel documents and IOCs and allows us to tailor it to our needs and to our priority intelligence requirements (PIRs). This enables us to receive prioritized threat intelligence.

    What needs improvement?

    An area for improvement is the intelligence sharing within the Anomali community. The tagging system can be inconsistent, as any company can use any tags for their reporting. Combining all aliases into a coherent solution would be beneficial, as we had to review each individual source ourselves. This would improve intelligence collection across Anomali.

    For how long have I used the solution?

    I have been using Anomali for the last six years.

    What was my experience with deployment of the solution?

    The initial deployment of Anomali was straightforward and went well.

    What do I think about the stability of the solution?

    I have not experienced any downtime with Anomali's cloud platform. It has been scaled very well.

    What do I think about the scalability of the solution?

    The scalability of Anomali is impressive, as indicated by the smooth operation of its cloud platform.

    How are customer service and support?

    The technical support at Anomali is excellent. They respond to inquiries within 24 to 48 hours.

    Which solution did I use previously and why did I switch?

    I have used Recorded Future and Mandiant Advantage, which they bought from FireEye, in the past.

    How was the initial setup?

    The initial setup of Anomali was easy and took about three months to deploy. The full operationalization took around three quarters to one year.

    What about the implementation team?

    A dedicated engineer is needed for deployment, but for integrations and other tasks, multiple teams might be involved.

    Which other solutions did I evaluate?

    I have evaluated Recorded Future and Mandiant Advantage as alternatives to Anomali.

    What other advice do I have?

    For new users, I recommend taking the training provided by Anomali as it is very well articulated. I advise reading the user manual and taking the instructor-led training sessions from the customer support success manager. This will effectively kickstart the journey. I rate the Anomali solution a solid nine out of ten.
    Information Technology and Services

    Vendor-Agnostic, Largest Threat Intel Database

    Reviewed on Oct 12, 2021
    Review provided by G2

    What do you like best about the product?

    Anomali is one of those vendors which gives complete threat intel regardless of vendor. It has 15-16 vendors' free threat intel along with the other top vendors' threat intel. Customers can even create their own intel and share it with others.

    What do you dislike about the product?

    It should be a bit more cost-friendly to support all types of customers. Also, it should support offline threat downloads.

    What problems is the product solving and how is that benefiting you?

    Nowadays, most customers have many devices/solutions in their infrastructure, and so much traffic is flowing in. But we don't know which traffic is good or which traffic is bad. So we need some solution that can give us the intel to filter on that basis.

    Recommendations to others considering the product:

    If any company is looking for a consolidated threat intel solution that provides threat intel from multiple vendors, including some free subscriptions as well, Anomali ThreatStream is the best SaaS-based solution. We can create our own threat intel as well and share it with others.