The Anomali ThreatStream sample Foundry app is a community-driven, open source project which serves as an example of an app which can be built using CrowdStrike's Foundry ecosystem. foundry-sample-anomali-threatstream is an open source project, not a CrowdStrike product. As such, it carries no formal support, expressed or implied.
This app is one of several App Templates included in Foundry that you can use to jumpstart your development. It comes complete with a set of preconfigured capabilities aligned to its business purpose. Deploy this app from the Templates page with a single click in the Foundry UI, or create an app from this template using the CLI.
Important
To view documentation and deploy this sample app, you need access to the Falcon console.
Automates threat intelligence ingestion from Anomali ThreatStream, synchronizing IOCs (IPs, domains, URLs, email addresses, file hashes) hourly as CSV lookup files for Falcon Next-Gen SIEM detection and hunting workflows.
- The Foundry CLI (instructions below).
- For Python development: Python 3.13+. See Python For Beginners for installation instructions.
- For Go development: Go 1.25+. See Go Downloads for installation instructions.
You can install the Foundry CLI with Scoop on Windows or Homebrew on Linux/macOS.
Windows:
Install Scoop. Then, add the Foundry CLI bucket and install the Foundry CLI.
scoop bucket add foundry https://github.com/crowdstrike/scoop-foundry-cli.git
scoop install foundryOr, you can download the latest Windows zip file, expand it, and add the install directory to your PATH environment variable.
Linux and macOS:
Install Homebrew. Then, add the Foundry CLI repository to the list of formulae that Homebrew uses and install the CLI:
brew tap crowdstrike/foundry-cli
brew install crowdstrike/foundry-cli/foundryRun foundry version to verify it's installed correctly.
Clone this sample to your local system, or download as a zip file and import it into Foundry.
git clone https://github.com/CrowdStrike/foundry-sample-anomali-threatstream
cd foundry-sample-anomali-threatstreamLog in to Foundry:
foundry loginSelect the following permissions:
- Create and run RTR scripts
- Create, execute and test workflow templates
- Create, run and view API integrations
- Create, edit, delete, and list queries
Deploy the app:
foundry apps deployTip
If you get an error that the name already exists, change the name to something unique to your CID in manifest.yml.
Once the deployment has finished, you can release the app:
foundry apps releaseNext, go to Foundry > App catalog, find your app, and install it. During installation, you'll be prompted to configure the Anomali ThreatStream API integration with your credentials (API key format: email:key). After installation, go to Fusion SOAR > Workflows to see the scheduled workflow from this app.
This app includes:
- Foundry Function:
anomali-ioc-ingest- A memory-efficient function that ingests IOC data from Anomali ThreatStream and creates CSV lookup files for Falcon Next-Gen SIEM using disk-based streaming (O(1) memory usage). Available in both Python and Go implementations. - API Integration: Anomali ThreatStream API configuration for authentication and data retrieval
- Collections:
ingest_jobs- Tracks each job run for ingesting IOCsupdate_id_tracker- Tracks the update_id from Anomali ThreatStream API for incremental sync
- Workflow: Scheduled workflow that automatically runs the ingest function hourly to keep threat intelligence up to date
Key features:
- Memory-Efficient Streaming: Disk-based CSV processing with O(1) memory usage, enabling 200MB file processing with ~3-5MB constant memory overhead
- 200 MB File Size Protection: Detects when files approach NGSIEM upload limit and provides actionable filtering guidance
- Fail-Fast Estimation: Optional early file size projection to prevent hours of pagination when dataset exceeds limits
- Automated IOC Ingestion: Hourly synchronization of threat intelligence with workflow-managed pagination
- Multiple IOC Types: IP addresses, domains, URLs, email addresses, file hashes (MD5/SHA1/SHA256)
- Incremental Sync: Efficient processing using update_id tracking with type-specific state management
- Missing File Recovery: Automatically recreates deleted lookup files on next run
- Early Termination: Intelligent pagination stops when no new unique IOCs are found
- Secure Integration: API-based authentication (no hardcoded credentials)
- Comprehensive Testing: Extensive unit tests with 90%+ code coverage, stress testing scripts, and workflow simulation
This app includes two function implementations: Python (original) and Go (high-performance alternative). Both implementations provide identical functionality.
To switch between implementations, edit manifest.yml and change the language field under the function definition:
functions:
- name: anomali-ioc-ingest
# ...
language: python # Use 'python' or 'go'Then redeploy: foundry apps deploy
-
Create and activate virtual environment:
cd functions/anomali-ioc-ingest python -m venv venv source venv/bin/activate # On Windows: venv\Scripts\activate
-
Install dependencies:
pip install -r requirements.txt --upgrade pip
-
Run tests (69 tests):
python -m pytest test_main.py -v
-
Test with coverage:
pip install pytest-cov python -m pytest test_main.py --cov=main --cov-report=html # View: open htmlcov/index.html -
Code quality:
python -m pylint main.py
-
Navigate to function directory:
cd functions/anomali-ioc-ingest -
Download dependencies:
go mod download
-
Run tests (76 tests):
go test -v ./... -
Test with coverage:
go test -coverprofile=coverage.out ./... go tool cover -html=coverage.out -o coverage.html # View: open coverage.html
-
Code quality:
go vet ./... go build ./...
Set TEST_MODE=true to enable local file output instead of API calls:
export TEST_MODE="true"📖 App Documentation - Complete setup instructions, usage, and threat intelligence queries
