Anvilogic Core Detect

Anvilogic serves as our main SIEM and detection engineering platform. We use Anvilogic to create alerts based on our data, and the AI capability to detect alerts based on whatever data we are feeding into it is a feature that our team at Kroll particularly values.

We have SentinelOne data, which is our EDR, and we have EDR data directly set up through Anvilogic input without using any third-party tool to get that data. Anvilogic has integrations directly in place, and we are using the SentinelOne input through Anvilogic. Since we uploaded or ingested that data, Anvilogic has started to give us suggestions about what alerts could be fired through that data. Anvilogic has flagged the threat identifiers through which we can build some use cases or modify them for our use. Anvilogic has also helped us understand what is a false positive and what could be a promising use case for our company in particular, providing valuable support.

Regarding how Anvilogic supports our detection engineering, the uniqueness is about AI, which we did not have in Splunk earlier. This helps us not only to close the false positives but also features AI to write our queries. This capability lifts a lot of burden from the SOC team as they do not have to focus on how to write a query but can concentrate on investigating an alert or a use case, which has really caught my eye, and I am glad we have onboarded that feature.

Anvilogic has positively impacted our organization with a significant decrease in false positives and providing the independence of multiple data repositories, allowing us the choice of having different repositories. This flexibility enhances our operational efficiency, and the AI also assists with writing queries, making it scalable and cost-effective as we can adjust according to our needs.

The best features that Anvilogic offers include its independence from a particular solution, allowing us to have Snowflake as a data repository now and the flexibility to move to other platforms such as Databricks or Splunk while keeping our detections intact. Another valuable feature is the AI capability, which not only assists in detection but also helps us to write queries, completing multiple tasks efficiently. Additionally, Anvilogic is a no-code platform, so the base search is already ready for us, and we just have to tweak it according to our use cases. Anvilogic's new features enable us to improve SOC efficiency and filter out a lot of false positive alerts. Additionally, it has an attached MITRE framework, automatically detecting it so we do not have to manually add the MITRE framework IDs as we did in Splunk.

Among those features, the one that has made the biggest difference for our team is the AI capability; we have seen a significant shift in our SOC operations. Many false positives are handled by the AI, allowing the team more time to discuss and investigate the actual use cases. Each use case also includes a description of what it is trying to detect, which helps engineers understand the use case's purpose without needing to reach out to seniors for clarification.

Currently, there is a limitation of 100 inputs in Anvilogic integrations, which is less than our needs, making it a challenge to fit all our inputs. Additionally, I believe the documentation should be publicly accessible. We work with different teams to get the data, but since the documentation is not available to everyone, we often have to explain how to make integrations. Also, there are features that do not work as expected; for example, we recently tried to ingest an AWS CloudTrail input to which Anvilogic could not accept any more data past a certain point, forcing us to look for alternatives. We have found that data mapping is sometimes not adequate, as it can only parse JSON data, contrary to the documentation suggesting that CSV or XML formats are acceptable, which has caused issues.

I have been working in my current field for three years, and it has been one year that we have moved to Anvilogic. Prior to that, we were using Splunk as our data ingestion platform and as well as SIEM.

Anvilogic is somewhat stable. Regarding data inputs, we have had issues, but in terms of downtime, we have not experienced any.

Anvilogic is quite scalable, allowing us to significantly lower storage and processing costs compared to legacy SIEM-only approaches. Thanks to having a different data repository, we do not crowd Anvilogic with data and accordingly adjust it to our specific needs.

Customer support is generally good, though we sometimes have to wait longer for answers, which can be a bit frustrating, but overall the support is satisfactory.

Positive

We were previously using Splunk and decided to switch due to its lack of AI capabilities related to the SIEM product. We also evaluated other options before settling on Anvilogic.

The AI capabilities mentioned on Anvilogic's website are indeed good and promising; however, there are areas that require work, particularly concerning data ingestion. Users may encounter roadblocks while integrating inputs, as we faced significant delays due to data input inconsistencies.

Initially, the triage piece was not integrated into Anvilogic's UI, but since its integration, it has helped the team to easily check the triage dashboard and assess current use cases, encouraging us to continue seeking new ways to use it more efficiently.

The moment we realized we needed something better was triggered by Splunk's lack of AI integration, which prompted my manager to consider Anvilogic due to its promising AI features. Since onboarding, we have evolved to remove false positives effectively, which was a challenge with Splunk, allowing for fewer alerts due to Anvilogic's capabilities. Additionally, we no longer need to be dependent on a particular data repository, benefiting from the flexibility that Anvilogic provides.

I rate Anvilogic a six out of ten. I chose a six out of ten for Anvilogic because, despite the impressive detection capabilities and intriguing features, I still see a need for improvement with the data ingestion process. If the data is not ingested properly, the detections could be compromised. While it excels at detection and offers good use cases, my personal experiences with certain problems influenced the decision to rate it just above average.

Negative

Anvilogic  serves as our security analytics tool on top of our security data lake.

In my day-to-day work, we perform detection engineering on Anvilogic , and we also use the Armory  to provide us with strong coverage from a MITRE perspective and security coverage over our logs to ensure that we can detect threats and respond to those threats efficiently and effectively.

We pursued Anvilogic as a piece of the puzzle to replace Splunk, our legacy SIEM  platform, and it was a big part of being able to decouple the detection capabilities that Anvilogic offers from the data storage capabilities of a data lake, which is a big use case as well.

Our data lake is run on top of AWS  using Snowflake .

One of the best features Anvilogic offers is the Armory , which is full of various different pre-built detections; that was a huge improvement from any kind of pre-built detections we had in Splunk and saved a lot of time to really increase our coverage capability. I also appreciate the normalization process for log sources, normalizing them to a consistent schema where those alerts automatically apply is a nice feature and gives us a very clear-cut way to handle lots of different log sources in a centralized manner, ensuring that we are doing threat detection on those log sources.

The normalization process has enhanced our log monitoring maturity; previously in Splunk, we had SIEM  mapping set up for log sources, but it did not translate necessarily to immediate security value because there were not pre-built detections that leveraged that SIEM mapping. The ability for Anvilogic to have built-in curated detection logic that automatically applies once we normalize logs creates immediate maturity and value every time we normalize a log source. It gives us a target to identify if a log source should be normalized. If it should, we know the value and output from Anvilogic; if it should not, we can identify custom use cases and build custom logic in Anvilogic or hold onto those logs in our data lake without any detections running on them if it is more for compliance or incident response.

Anvilogic plus Snowflake  has vastly improved our total cost of ownership for the SIEM platform; we went from a pretty expensive platform in Splunk that was not vertically scalable due to budget limitations to a platform now that is far more efficient per terabyte of data ingested and processed per day. The savings per terabyte of data being ingested and monitored for security threats was a pretty significant percentage, which was a huge advantage. We now have budgetary space to scale up our solution as needed as the business grows.

We have had to make difficult decisions to not ingest certain logs in the past due to budgetary restrictions, but now we can take a more liberal approach in accepting most requests and ingesting those logs into our SIEM because the cost to do so is not a problem for the company and for our internal budgets, which is huge.

There is room for growth in the product platform; our detection engineers using Anvilogic every day encounter some frustrating UX experience issues where buttons are not logically placed, and workflows are not working as expected. There is also room for growth in integrating the platform with third parties, as we have encountered limitations in what can be executed via API and what is documented. We are a heavy automation integration team, so having this well documented is important for us. The enterprise capabilities within the platform also seem somewhat limited, as we run into limitations in managing detections at scale and making changes to those detections at scale. Especially at an enterprise level, if we need to add enrichment logic to every single detection deployed, it can be quite onerous; we had to develop custom scripts to manage that. Thus, enhancing enterprise-type features for managing the platform at scale rather than clicking through the GUI is important as we continue to grow. Additionally, the AI capabilities have been somewhat unstable and unintuitive to use, which is key for increasing adoption.

One other thing is that the detection logic builder today is somewhat limited in flexibility regarding implementing detections, grouping detections together, and handling alerts when they fire. This might be partly due to our need to adjust to a different platform, but flexibility is key for any enterprise platform to meet our unique business requirements. Having the capability to build custom detection logic not tied to a specific structure would be helpful; although a lot can be done, it often requires working with our account team which is time-consuming and less intuitive.

I have been working in my current field for a little under 10 years.

Generally, Anvilogic is stable, although we have experienced some usability issues; the biggest instability has been with the AI agent, which the team is not using fully due to inconsistent results. Aside from that, the platform itself is stable.

Anvilogic's scalability is quite good; however, we require more and more detection capabilities, and there is a ceiling based on what the Armory offers or what our team can custom develop. I would love to see an increase in out-of-the-box detections curated by the team, which would be a significant value add. As for the platform technology being based on Snowflake, it has essentially unlimited scalability, so I have no concerns there.

Customer support is great, particularly from our immediate contact, Brad, who is very engaged and responds quickly, dedicating time to answer questions and onboard us effectively. However, outside of him, the process can get vague, with requests sometimes disappearing and lacking a clear tracking system, but overall, the experience is generally positive with some expected challenges from a smaller team.

We previously used Splunk and switched to Anvilogic + Snowflake.

The moment we realized we needed something better was triggered by the lack of detection coverage and the overhead required to improve detection in Splunk, along with the non-scalable cost of operating it. We constantly dropped logs from monitoring, which is not the focus of a security organization; we wanted better coverage and monitoring, and that is what Anvilogic and Snowflake enabled us to achieve.

Since onboarding, we started with rough, quick migrations of log sources and detections from Splunk to Anvilogic, but we have since cleaned up a lot of our normalization tasks and ensured things are correctly categorized, steadily deploying more Armory detections onto our existing data sets for better coverage.

While I do not have specific metrics, we have certainly seen a return on investment, mainly in time taken to improve detection coverage and the ability to detect threats on our logs. The Armory has greatly increased our coverage while reducing the time that would have been needed to develop detections ourselves in Splunk. However, the volume of alerts generated is shifting the cost to the operations side, requiring us to ensure that detections are tuned and alerts are efficiently firing to prevent noise that could increase costs for operations personnel and risk missing incidents.

My experience with pricing, setup cost, and licensing has been overall positive; the Anvilogic team has been very engaged throughout the process, which helped us adopt the platform. Weekly calls and a hands-on approach over the significant changes in how we do SIEM have been beneficial. Licensing is reasonably affordable and should be evaluated over time concerning the platform's value. Setup costs primarily involved internal work to configure our pipelines, but mostly consisted of man-hours.

We evaluated various options before choosing Anvilogic, including Gurucul, Panther  Security, and Splunk Cloud, among others. Ultimately, we found Anvilogic to be the best fit for our needs.

Another feature we are excited about, but we have not seen the value in yet, is the AI capabilities for detection engineering; it is, in theory, going to be very powerful and really reduce our time to develop new detections. There are more agentic features coming on the roadmap that have not been released yet, and we have not been able to see the full picture of value of that aspect of the product yet, but in theory, those should be extremely beneficial and really magnifying the amount of detection engineering work our team can do.

What surprised me the most about Anvilogic was the modern solution it offered to solving a SIEM business problem, which was different from other vendors. Anvilogic being a detection engineering tool makes sense and allows us to run it on any data lake background, which is unique. This decoupling of security detection from security data storage enabled us to pursue this path.

If Anvilogic disappeared tomorrow, we would lose our detection capability, which would be significant and necessitate finding another vendor's solution.

I rate Anvilogic about a seven on a scale of 1 to 10.

I chose a seven because the platform is a huge improvement from our legacy SIEM platform in Splunk, especially from a detection perspective. However, there are certainly opportunities to improve the user experience and capabilities, as well as to mature the platform. These three aspects make a difference in execution and can improve competitive edge significantly.

I convinced our leadership to adopt Anvilogic by emphasizing the cost benefits of increased capabilities at a lower cost. The Anvilogic-Snowflake combination presented a centralized source, which is advantageous for reusing security data across other non-SIEM use cases, making it an easy sell.

My advice for others considering Anvilogic is that depending on your company's detection engineering needs and maturity with your legacy SIEM platform, Anvilogic can provide a swift, significant value add. If you have a dedicated SIEM team with many custom use cases built on a platform such as Splunk, Anvilogic may not be the correct fit. We were a small team managing a complex old system and were not getting the full value from Splunk. Anvilogic provided a more dynamic, low-overhead solution, making it a great fit for us, but for larger teams with custom detection needs, it might be less flexible.

Positive