Anomali Integration


Anomali ThreatStream automates all the processes for collecting, managing, and integrating threat intelligence, and gives security analysts the tools and resources to respond quickly to active threats. ThreatStream can ingest intelligence from a variety of sources and formats, automatically process it, add rich context, and then integrate it

with existing tools in the environment to make it actionable.

By leveraging insights from illicit online communities and other highly curated data sources, Flashpoint provides actionable intelligence to help multiple teams across an organization bolster cybersecurity, confront fraud, detect insider threats, enhance corporate and physical security, improve executive protection, address third-party risk,

and support due diligence efforts.

Integration of Flashpoint data into ThreatStream provides the essential analysis and correlation that organizations need to translate raw, unstructured, and duplicative data from illicit online communities into true intelligence. Flashpoint’s technical data enriches ThreatStream’s data with observables about suspicious and malicious activity, as well as indicators of compromise (IOCs), allowing users to gain context about threats observed in their environment. The insights, in conjunction with Flashpoint Finished Intelligence, allows users to determine additional tactics, techniques, and procedures (TTPs), and motivations associated with their investigations. The result is a single interface, using machine learning to enable faster and more actionable threat detection.

The Flashpoint & Anomali Advantage

This solution uses insights and observables from illicit online communities to reduce the noise of false positives from outdated, irrelevant data in minutes. What’s left is true insight in the form of pre-built rules, reports, and dashboards that users can immediately apply and manage within their security operations.

Integrated Flashpoint Datasets


Technical Indicators:

Enable users access to indicators of compromise (IOCs) and technical data across Flashpoint datasets, including those found in Flashpoint Finished Intelligence reports, allowing for seamless integration into users’ workflows and automated tools.

Risk Intelligence Observables (RIOs):

Flashpoint leverages its unique access to underground communities to collect and deliver a near real-time stream of cyber observables that can identify illicit activity from inside forums and file-sharing communities focused on cybercrime, hacking, fraud, and extremism/terrorism. These high-fidelity observables include IP address, location (city/ country), hosting provider, timestamp, and user-agent string.


Compromised Credentials Monitoring - Enterprise (CCM - E):

Enables organizations to search and monitor Flashpoint’s unique collections for compromised enterprise accounts and passwords in order to flag accounts, reset employee passwords, and restrict permissions to prevent actors from accessing confidential or personally identifiable information (PII).


Finished Intelligence:

Access to analytical reports produced by our intelligence analysts. Reports cover a wide spectrum of illicit underground activity, including crimeware, fraud, emerging malware, violent extremism, and physical threats.



Matches conversations from illicit online communities with a client’s areas of concern, and automatically provides these matches directly to the user. Generated alerts are available in the Flashpoint Intelligence Platform, ensuring timely notifications that identify potential risks to the organization, as well as the ability to investigate further within the platform.

Use Cases


The integration of Flashpoint data into the ThreatStream platform allows users to pivot and enrich their investigations by correlating illicit online community activity with specific cyber threats. For example, if Flashpoint’s technical indicator data identified a threat associated with a new malware kit, the user could link within the platform to a Flashpoint Finished Intelligence report with expert analysis of the malware kit, as well as actors associated with it. This allows users to cross-correlate observables and gain context in their investigation, link insights to known threat actors or communities, or determine additional TTPs and motivations associated with their investigation.


Flashpoint Technical Data provides visibility into activities and events extending beyond traditional indicator-based datasets. Using this data in the ThreatStream platform, organizations can monitor Technical Data associated with illicit online community activity for where they might be exposed by misuse, insider threat, or policy violations. The SOC could also monitor within its client-owned space (or third-party suppliers, partners, etc.) for users interacting in illicit communities or uploading/downloading files. By correlating against internal logs, users have greater visibility into potential insider threats in their environment and have a greater understanding of those threat actors’ actions.


By using the Finished Intelligence dataset produced by Flashpoint, the integration provides a “state of the threat landscape” view to assist security personnel in developing and prioritizing intelligence on emerging threats to the organization. A law firm, for instance, could create alerts about cybercriminals targeting documents held by law firms, allowing them to mitigate the risk of exposure and enhance their security protocols. This up-to-date, strategic-level awareness could help create a “what-should-I-care-about-today” intelligence feed for organizations.

Key Features


    ThreatStream aggregates and de-duplicates threat data from 160-plus public, private, illicit communities, and proprietary sources including Anomali’s global Modern HoneyNet (MHN) project. Eliminate unnecessary, duplicative, and irrelevant indicators before they enter your infrastructure.


    ThreatStream provides seamless, automatic integration of indicators from the surface web and illicit communities’ data to deliver real-time threat intelligence to customers’ security platforms. Machine learning provides needed prioritization of indicators, allowing analysts to focus on the most important and most relevant indicators observed in their environment.


    ThreatStream’s vast collection of indicator sources allows correlation and enrichment to improve contextual awareness around observed indicators. With the Flashpoint and ThreatStream integration, customers are ready to start using threat observables from the surface web and illicit online communities in meaningful ways.


    IP, Domain, URL, and Hash (MD5, SHA1, and SHA256) rules are included

About Anomali

Anomali delivers intelligence-driven cybersecurity solutions to public and private sector organizations, including the world’s largest global enterprises and leading banks. Customers rely on Anomali to detect threats, understand adversaries, and respond effectively. Anomali arms security teams with machine learning optimized threat intelligence to identify hidden threats targeting their environments. With Anomali, organizations collaborate and share threat information among trusted communities. Anomali is the most widely adopted platform for ISACs and leading enterprises worldwide.

For more information, visit us at

Did this answer your question?