Anvilogic Core Detect

We use Anvilogic  as an SOC detection engineering platform. In addition to that, we use it for hunting and investigation purposes.

We are a fairly small team with three people in total in the SOC. Their prebuilt configurations and all the detections and scenarios are the reason why we have good coverage today. We use them as a template to start off with. Of course, it needs a bit of customization for the organization it is being deployed for, but it works in our case. We use that, build it, and then fine-tune it for our scenario. We are then good to deploy it. Usually, what used to take us about a week's worth of detection development can be done in about an hour and a half or two at best by using these templates.

Anvilogic provides security analytics across multiple data platforms. It can integrate with different data platforms and provide the same kind of analytics.

We have been able to reduce the cost of having some of these analytics and capabilities deployed across different platforms because we route most of our alerts into Anvilogic. The analytics work on those, whether they are from endpoints, SaaS applications, Identity, or SIEM. We have been able to save costs by not having to deploy these across different platforms. There is also efficiency in terms of getting some of these done quickly and faster rather than jumping between different things.

Anvilogic enables us to break free from vendor lock-in. That was one of the key reasons why we chose Anvilogic. We have changed SIEM once since we moved to Anvilogic. In between, when we were looking at some other integrations, Anvilogic was ready to integrate easily with them. Vendor lock-in is a much lesser concern now.

Anvilogic's AI assistant has helped improve our detection logic. Prior to Anvilogic, somebody would do the investigation, come up with the results, go ahead with a review process, and implement the findings. Since we have had Anvilogic, it automatically does the assessment and gives us a daily report. The analyst just has to do the implementation after the review, so the investigation process from my analyst is no longer required. We feel that the outcome from Anvilogic is also reliable. We do not have to go back and get into the weeds to see specifically whether it is the right analysis.

It simplifies detection engineering and threat hunting across multiple search languages, although we do not fully leverage all the benefits. Most of our platforms are pulled in from the SIEM, and some of them are from the likes of CrowdStrike and other places. We leverage a standard taxonomy. If this were to be between two different SIEMs, the search capability would be very helpful. However, the AI capability for writing out a quick query by using things like regex or regular expressions and building out regular expressions helps. When an analyst is investigating something or building something, they quickly want to understand what a certain component means, so having that within the same pane helps. So, we use it in some capability, but those capabilities are very helpful so far.

Anvilogic has significantly reduced our end-to-end detection engineering time. Earlier, it used to take about a week and a half for someone to go in and check. With their templates and prebuilt scenarios and cases, it now takes just about a day or two where we have to look at it and then customize it for us.

Anvilogic has helped our organization reduce false positives. The tuning insights feature of Anvilogic comes up with proactive ways to reduce false positives. It gives the analyst a view of what is causing the false positives. Is it genuine or not? Is it malicious or not? They can then action items on those. They also maintain an ongoing allow list and deny list, which helps to suppress false positives temporarily, or in the longer run, makes the whole process both accountable with audit logs and quicker.

We were able to realize its benefits immediately. We did a proof of concept in 2021, and our coverage at that point was in the lower twenties. We got to about the upper eighties in two quarters, and it was very steep, quick growth.

Before Anvilogic, we had no visibility into our detection coverage. The ability to break it down by industry verticals, such as attackers and adversaries, is valuable.

Detection insights help us easily identify the most noisy ones, the effective ones, and what needs to be fixed to move the noisy ones to effective ones.

The hunting capabilities are very good. The AI components and hunting packages give us quick insights into what needs to be looked at.

The partnership has been very good. Their professional services and customer relationship have been very good. Our features and bugs have been fixed on time without a lot of follow-up, and their support has been excellent.

Finally, there is a feature within Anvilogic  that provides the threat landscape or our effectiveness towards the threat landscape on an ongoing basis. That is another feature that we liked.

The hunting insight needs integrable capability with different platforms to gather all of that insight and show it on a single canvas on Anvilogic. That is the only feature that could improve the way we do operations.

The pricing is slightly edging towards being a bit much for smaller organizations.

We have used the solution for close to three years.

For the most part, Anvilogic has been performing well, but because they use a Splunk backend, there is sometimes a bit of slowness and Splunk-related issues. It is generally stable, however.

Anvilogic has worked well for us. We started with about 55 detections and scaled up to about 980 odd detections so far. It has scaled very well for us. We have been able to get to a good scale. We do not have a multi-SIEM environment, so I do not know how it is for customers with that kind of environment.

One of the best things about Anvilogic is the partnership, their knowledge, the depth of technical understanding, and the speed at which they respond. I would rate them the topmost, a ten out of ten.

Positive

We used SOC Prime long ago, but it was in a limited capability. We were just looking at certain detections and logic to use from there. Anvilogic definitely is far better for us.

The initial setup was quite easy for us. There was a bit of a learning curve, which involved just understanding how the platform worked, taking about a month, but integrating with our existing platforms was a piece of cake. They have APIs for most things and standard off-the-shelf solutions such as SIEMs, endpoints, firewalls, and identity providers. It was very easy to integrate. The technical integration was very easy. It took about a month of learning from my team to get comfortable with the product and how to use it. It is one of the easiest security tools to learn.

The platform does not require any maintenance on our end, but once we start building out the detections, it requires some maintenance on our side to see that everything is running properly. That is more like an operational aspect.

Anvilogic has saved us about 25% percent of what a detection engineering platform would be. It is difficult to put quantitative aspects like better operations and structure quality, but I would say efficiency increased by about 50%.

Anvilogic has not helped reduce our overall SOC or IR operations costs because we use the time we saved to do more. If we were not doing more and did not have Anvilogic, we would need one dedicated person to do this detection engineering. That cost has significantly been reduced.

We were an early adopter, so the pricing was definitely good. Because they do not completely replace a SIEM, their pricing is slowly edging towards being a little too much for a smaller organization like ours. It is almost on the border. That is a bit of a challenge on our side, but the value still speaks for it. If the price increases more than where it is now, it would be a tough place for us.

Overall, I would rate Anvilogic a nine out of ten, considering its capabilities, features, interactions, and pricing.

Our use cases for Anvilogic primarily revolve around detection engineering. We ingest the logs to figure out our cybersecurity score and improve detection.

Anvilogic provides security analytics across multiple data platforms. We integrate it with Splunk, but it also integrates with Snowflake and other data platforms. Overall, it's been good since many people aim to move away from Splunk to save on overall costs. The fact that it integrates with various data lakes, specifically Snowflake, the most popular, makes sense.

Using Anvilogic decreases your detection engineering time while helping you build out additional detections and increasing your assurance and protection. It has decreased the engineering time by at least 20 percent. 

It's been decent in terms of false positives. It doesn't necessarily reduce them, but the new detections have been pretty well-tuned so they aren't producing additional false positives. Anvilogic has increased security coverage by building out some detections, specifically in areas like Active Directory and IAM-type rules. While it hasn't reduced the overall cost, it may have helped the optimization side. 

We integrate Anvilogic directly with Splunk rather than using the Amplitude platform separately.  That has been helpful because we don't need to bring logs to a third-party source.

Anvilogic's AI assistant is pretty good. It helps us build out detections within your environment. It has improved our detection logic by a small amount and slightly reduced the time involved in detection writing. Generally, the detection builder is decent.

The drag-and-drop detection engine portal has been helpful because you don't need any programming experience. One area where the generative AI aspect has been helpful is when we are figuring out the specific threats about something that's triggered or similar campaigns. You can write in the latest from this type of detection that I'm looking at and get information back. 

We need more around case management. I know that's something on the road map. We would like a way to create a ticket that we can export into a third-party platform like Jira. Anvilogic's prebuilt rules and threat scenarios didn't work the best for us because many of the rules were geared toward a Windows environment, whereas we're more of a Mac environment, so many of them didn't necessarily fit with what we have. I know a few other people who use them, and they've worked out well there.

I've been a full-time customer of Anvilogic for about two years now, and we did a proof of concept eight months or so before we became a customer.

We haven't had any issues with stability.

Anvilogic is as scalable as the environments you've integrated it with, whether it's Snowflake or Splunk.

We have a biweekly standing call with the Anvilogic team to talk through detections and updates, but I can't think of a case where we've had to contact them outside of that call.

The initial deployment was easy because we had it set up for our proof of concept, so it just took a little tuning, and we had it set up within a week. We had one person on our side working with somebody on their side. It's a cloud-based solution, but they push out updates on it. We haven't had any issues where it's broken on our systems, where we've had to lean in on the maintenance side.

We roughly broke even. If we had invested more or tuned our environment a little better, we might have come out on top.

Anvilogic's pricing has been highly competitive. 

We did an extensive proof of concept for Anvilogic, Panther, Devo, Google Chronicle, Splunk, and a few different SIEM/detection engines. We did a breakdown based on our criteria and scoring on various features. Anvilogic outperformed the other tools that we tested.

The price was right for the organization. They also offered a multiyear deal that kept the price down looking forward. We compared it to something like the Chronicle, which required us to export our data specifically to that. It required multiple areas for ingestion, bringing up operational costs on top of the licensing cost. It wasn't providing better detection support than Anvilogic because it was able to integrate with Splunk and our case. It was able to pull off of data that was already being ingested, when we needed to have it ingest in multiple locations.

I rate Anvilogic seven out of 10. To prepare for Anvilogic, I recommend leaning into it. Take advantage of the support team and get some additional training. Use the workshops and commit to using the product. It's a tool that's only as good as the time you put into it. If you bring in the detection engine but don't put any time into creating those detections, then there's not much point.