Anvilogic Core Detect

My main use case for Anvilogic  is security incident event management. A quick specific example of how I use Anvilogic  for security incident event management is triaging or correlation of security events from multiple security platforms and log sources.

I currently utilize multiple of Anvilogic's AI features, both for fine-tuning and developing new content, as well as the threat intelligence feeds that it provides.

In my opinion, the best features Anvilogic offers are the AI features, which are great, and their common language rule tuning and modeling is much simpler than those other vendors that require query building skills.

The common language rule tuning and modeling have made things easier for my team because it is broken down into multiple smaller chunks rather than one large chunk of code. Multiple smaller, pre-processed data points are basically visible and editable in those smaller chunks without having to actually code at all.

Anvilogic has impacted my organization positively because it is native for cloud-type infrastructures and they have a significant proactive approach to cost licensing. Rather than having to import all data, it actually sits on top of Snowflake , which reduces overall cost for data storage itself. Since implementing Anvilogic, our overall costs have been reduced.

Anvilogic can be improved further by maturing certain intelligence aspects outside of articles. This is an aspect that lacks in most SIEM  and secure analytics tools, but personally the framework or "barebone" is in Anvilogic, it just needs further maturing

I have been using Anvilogic for six months.

Anvilogic is stable.

Anvilogic's scalability is good and it scales properly.

I have not directly worked with customer support since I am a manager, but I have not heard any complaints from my employees.

I previously used top tier SIEM 's. I switched to Anvilogic because it looked overall better and proved to be a better fit for our type of architecture.

I have seen a return on investment in the form of time saved developing new content.

My experience with pricing, setup cost, and licensing was straightforward. They provide estimates because obviously every business is different, but they provided reasonable estimates that were fairly accurate based on other customers from a similar type of background or size.

Before choosing Anvilogic, I evaluated other options. including vendors in the top quadrant

Anvilogic has changed how my team thinks about detection and data usage because it makes it easier to follow than other tool sets. Since a lot of the content is dynamic, you can follow the trail in the threat hunt perspective compared to other tools where you have to manually recreate a new query to investigate the action further.

The moment that led me to choose Anvilogic was triggered because we normally evaluate vendors every so often to make sure we have a proper solution in place.

My usage of Anvilogic has evolved since onboarding and it is a bit more mature now, which certainly does help.

When other teams ask about Anvilogic, I tell them that it is fairly good.

There has not been anything that has become easier to justify or explain to leadership since adopting Anvilogic.

My advice to others looking into using Anvilogic is to conduct a test or proof of concept based on your actual future stance so that you feel the proper controls and everything is adequate to where you want to go.

I am looking forward to seeing how the tool will evolve and grow, especially with the AI features. I would rate this product overall as a 9 out of 10.

My main use case for Anvilogic  is coordinating and tracking indicators of compromise and detection rules. I use Anvilogic  for coordinating and tracking indicators of compromise or detection rules by feeding detection rules into Splunk, our Splunk environment, and these are turned into actionable alerts for our security operations center.

Anvilogic has positively impacted my organization by being a force multiplier for our security operations center and has allowed us to coordinate and distribute work more efficiently and provide consistency among the multiple SIEM  environments.

I was able to create 90 detection scenarios in the first two weeks of using Anvilogic, which showcases how it improved efficiency and consistency for my team.

The best features Anvilogic offers are consistent recording and tracking of detection engine detection rules as they adapt over time to adversary's behaviors, and the ability to operate in multiple security SIEM  environments.

Anvilogic works for my team by providing a single point of contact to put detection engineering rules that then get distributed to all of the various event management engines, as we have multiple SIEM environments in our company, including Microsoft Defender, Splunk, Elastic, and others.

Anvilogic has changed how my team thinks about detection by allowing us to no longer apply the same configurations and correlation rules in multiple Splunk environments and can transparently search across multiple SIEMS platforms.

What surprised me the most about Anvilogic once I started using it is the ease of creating and maintaining custom threat intel and threat scenarios.

Anvilogic can be improved with more support for cross-platform and native detection languages such as Sigma  and Yara rules.

I have been using Anvilogic for about six months.

Anvilogic has been very stable and reliable.

Anvilogic's scalability has been great as it has been able to scale and perform well, better than the available resources we have to throw at it, and we have not run into any issues with our analysts not being able to access Anvilogic and perform their activities efficiently.

Anvilogic customer support has been very productive to work with.

I have seen a return on investment in that Anvilogic has been more of a fundamental enablement technology than a return on investment, but it has definitely allowed us to move more quickly with integrating our corporate acquisitions as well as with our corporate colleagues who use other SIEM technologies.

When other teams ask about Anvilogic, I tell them it makes detection engineering into a process rather than a one-time operation.

I convinced my leadership to adopt Anvilogic by comparing it to the manual operations and the overhead of repeated detection engineering processes.

My advice for others looking into using Anvilogic is to start with the configurations and detection rules that come prepackaged, and then reach out and create your own to expand your capabilities; once you start using this system, it becomes much easier and more efficient than manually maintaining detection rules.

I provide this review with a rating of 10.

I primarily use Anvilogic as a wrapper over SIM, mainly Splunk, but it can also be applied to other SIM platforms like Kibana. I utilize it for versioning the rules and detection logic I write, which can get stale or require enhancement. For example, if I wrote a detection rule for detecting script execution that needed additional logic, I used Anvilogic to maintain those versions or to build behavioral detection patterns, which is complicated in Splunk alone.

Anvilogic allows me to extract a plethora of information, including mapping TTPs assigned for detection logic, which effectively helps in setting quarterly coverage agendas, thus illustrating its vital role in detection strategy and management presentations. The first thing that would break without Anvilogic is the complex detection logic involved in creating behavioral patterns, which yield high-fidelity alerts. Additionally, losing the control over Splunk SPL queries, due to lack of version control provided by Anvilogic, would pose a nightmare for any detection engineering team.

The deployment model for Anvilogic was private.

The best features of Anvilogic include easy usability for beginner analysts, good version control, though it could be enhanced, and the need for improved access controls and better training notifications for users. The quick responses regarding new threats and the thorough curation of detection rules were also positives. However, hiring customization based on customer environments and reducing noise from detections is critical.

I was surprised by the effective version control capabilities and how easily one can configure complex behavioral patterns. The learning curve is not steep, allowing even those with basic knowledge in writing detection rules to adapt quickly. However, after a year, I noticed limitations, especially concerning issue resolution timeframes.

My experience with Anvilogic is still in detection engineering, but writing detection logic in scripting languages, like the Splunk processing language, has limitations compared to programming languages. Anvilogic does provide some flexibility but has limitations when baseline detection rules or complex behavioral patterns are involved. I found it very efficient for version control with Splunk, although it lacked a robust CI/CD pipeline, which is crucial for comprehensive testing before changes go into production. The API documentation was also limited, affecting data analytics capabilities regarding detection logic. Nonetheless, Anvilogic's support team was responsive and provided good support when I raised issues.

One suggestion I have for Anvilogic is improving the whitelisting process, as maintaining a CSV for that can become cumbersome when it reaches 10,000 lines. Additionally, the separation for customer-specific detection rules and suppressions could be better defined so the changes can be made without needing customer support every time.

I was informed about the AI SOC solutions Anvilogic was working on; however, they were not functional at the time, and I cannot comment on their effectiveness since I lacked access to those features. The version controlling and behavioral patterns are strong suits of Anvilogic, but there needs to be stronger access control and CI/CD pipeline integration. Additionally, customer support could be more prompt, and custom detections should be tailored more effectively.

It has been almost eight months since I last worked with Anvilogic because I switched companies, so I have not worked with it since.

I generally handle scalability through Splunk admin team support, and I did not face significant downtime or reliability issues with Anvilogic. It felt stable and sufficiently reliable throughout my time using it.

In 12 months, I do not believe Anvilogic will be replaced since it is deeply integrated into the detection framework at Rakuten, and the time taken to stabilize integrations is considerable. Even with its shortcomings, the value Anvilogic brings in detection and threat investigation is hard to replicate quickly.

Anvilogic will not be replaced at Rakuten, as its integration is extensive, and the time to build stable detection solutions is significant. Even small companies face challenges transitioning expertise, which makes Anvilogic a viable long-term solution.

The rating for the technical support of Anvilogic would depend on factors like who handles the request, but on a scale of 1 to 10, I would rate it around 6.5 to 7. Requests are typically addressed within 45 to 60 days, which I consider a reasonable timeframe given the number of customers.

Anvilogic was introduced at my last company before I joined the detection engineering team, and I know it is mainly used by that team. I am unsure if they have switched back to any other MSSP or whether they have switched back from Anvilogic to any other product.

The deployment process took place before my arrival at the company.

Based on the context of the environment, I find Anvilogic is highly beneficial for smaller cybersecurity teams needing an efficient detection tool. Larger organizations may explore alternatives, but for small to intermediate teams, Anvilogic fits well in their detection processes.

Regarding triage, I usually perform analysis directly through Splunk, so I do not find Anvilogic enhances my triaging process significantly. However, it does provide useful triggered rules, but Splunk remains my primary tool for queries and triage.

My overall review rating for Anvilogic is 6.5 out of 10.

My main use case for Anvilogic  is for triage in the SOC. That's the primary use case.

The 'we need something better' moment was triggered when we were trying to roll out custom alerts with Splunk Enterprise Security ; it was atrocious to do that. You would have to clone things and then reuse alerts you made. Just making new alerts, the process was not very good, and there was no versioning for all the alerts we create. So we had to trust Splunk for what they created. Rolling out new alerts was a pain since you had to load them up in a new app and things similar to that.

With Anvilogic , they made it super simple. I can describe a process where they have something they refer to as the Armory . You just go to the Armory , click all the things you want. It automatically pushes it down to your Splunk Enterprise with their app loaded up on there if you modify it as needed. It tends to just work, and you can customize it easily since it tells you the Splunk language plus the normal human language. So it makes modifying it simple with rollback versioning. They have groups based on known attackers coming for you, and you can group them together that way and deploy a whole set of alerts designed just for those specific use cases of those attackers and their IOCs.

Aside from the easy custom alerting with Anvilogic, the next feature I appreciate most is that they also standardized bringing in the logs. They set some macros that help standardize and make more sense than Splunk. They teach you and give you insights every morning or every week, saying, 'Hey, this is not working, so what do you want. You're getting one or two of these alerts per day. Do you want to squash them from error to warning?' They're always giving you tips on how to improve the efficiency of the system itself. Creating scenarios was amazing. In Anvilogic's case, you create scenarios based on MITRE ATT&CK framework. Every  rule that fits that MITRE will get used.

My usage with Anvilogic has evolved since onboarding. After about two or three years, they started offering their cloud-based SOC where instead of just using Splunk as a data set, you could run your searches against Snowflake  databases, Demisto , and others including Azure  log storage. Their generative AI work has been fantastic as it's very specific in what you need to do. The route they've gone with the different types of AI agents aligns exactly with what I was hoping the market would do. Seeing them do the Tier Zero for SOC-type stuff with their playbooks has been impressive.

Since adopting Anvilogic, our team's quick SOC response has become essential. We have been known to respond within five to seven minutes to an attacker compromising an account.

Anvilogic could be better in areas of the triage dashboard as they're beholden to Splunk's functionality. I need to click three times to get to all the information I need. Enterprise Security did that better in the old version. Anvilogic requires three clicks to get the full set of information. More customization on the triage dashboard would be beneficial, however, there have been no limitations so far.

Anvilogic has been in use for just over three years.

Regarding stability and reliability of Anvilogic, I cannot recall an outage. There might be temporary issues with updates, yet they have a Slack chat where they respond really fast. I have never experienced a serious outage.

Anvilogic grows effectively with the needs of my organization. They see where the market and technology are going, and they can institute all the things they wish they had when they were SOC operators.

I would evaluate their customer and technical support as fantastic. Their support is excellent since they answer my questions. When I try to create new solutions within the scope, they work with me effectively.

I did not extensively consider alternatives before selecting Anvilogic. Enterprise Security was still the best SIEM  available since we were a Splunk shop. Through my reseller consortium networks, I received personal introductions to people at the founder level. Within 30 minutes of talking to Anvilogic, I realized they addressed all the problems I had been experiencing.

I would describe my experience with deploying Anvilogic as simple.

I have seen a return on my investment with Anvilogic. We rolled out approximately 1,500 Armory alerts in three months, which would not have been possible with Splunk, and they were all fixed and modified as needed.

My experience with pricing, setup costs, and licensing of Anvilogic was the easiest experience I have ever had.

When other teams ask about Anvilogic, I tell them it is security only. There were no surprises about the Anvilogic solution once I started using it; they were honest from the beginning about what they do and where they are going. Their culture is fantastic, and the people care about what they are doing.

The deployment model for Anvilogic is hybrid. We use Azure  for some machines and have a small AWS  footprint.

I rate Anvilogic a 9 out of 10, as they work effectively and fix the problems that people have with other SOCs and SIEMs.