I primarily use Anvilogic as a wrapper over SIM, mainly Splunk, but it can also be applied to other SIM platforms like Kibana. I utilize it for versioning the rules and detection logic I write, which can get stale or require enhancement. For example, if I wrote a detection rule for detecting script execution that needed additional logic, I used Anvilogic to maintain those versions or to build behavioral detection patterns, which is complicated in Splunk alone.

Anvilogic allows me to extract a plethora of information, including mapping TTPs assigned for detection logic, which effectively helps in setting quarterly coverage agendas, thus illustrating its vital role in detection strategy and management presentations. The first thing that would break without Anvilogic is the complex detection logic involved in creating behavioral patterns, which yield high-fidelity alerts. Additionally, losing the control over Splunk SPL queries, due to lack of version control provided by Anvilogic, would pose a nightmare for any detection engineering team.

The deployment model for Anvilogic was private.

The best features of Anvilogic include easy usability for beginner analysts, good version control, though it could be enhanced, and the need for improved access controls and better training notifications for users. The quick responses regarding new threats and the thorough curation of detection rules were also positives. However, hiring customization based on customer environments and reducing noise from detections is critical.

I was surprised by the effective version control capabilities and how easily one can configure complex behavioral patterns. The learning curve is not steep, allowing even those with basic knowledge in writing detection rules to adapt quickly. However, after a year, I noticed limitations, especially concerning issue resolution timeframes.

My experience with Anvilogic is still in detection engineering, but writing detection logic in scripting languages, like the Splunk processing language, has limitations compared to programming languages. Anvilogic does provide some flexibility but has limitations when baseline detection rules or complex behavioral patterns are involved. I found it very efficient for version control with Splunk, although it lacked a robust CI/CD pipeline, which is crucial for comprehensive testing before changes go into production. The API documentation was also limited, affecting data analytics capabilities regarding detection logic. Nonetheless, Anvilogic's support team was responsive and provided good support when I raised issues.

One suggestion I have for Anvilogic is improving the whitelisting process, as maintaining a CSV for that can become cumbersome when it reaches 10,000 lines. Additionally, the separation for customer-specific detection rules and suppressions could be better defined so the changes can be made without needing customer support every time.

I was informed about the AI SOC solutions Anvilogic was working on; however, they were not functional at the time, and I cannot comment on their effectiveness since I lacked access to those features. The version controlling and behavioral patterns are strong suits of Anvilogic, but there needs to be stronger access control and CI/CD pipeline integration. Additionally, customer support could be more prompt, and custom detections should be tailored more effectively.

It has been almost eight months since I last worked with Anvilogic because I switched companies, so I have not worked with it since.

I generally handle scalability through Splunk admin team support, and I did not face significant downtime or reliability issues with Anvilogic. It felt stable and sufficiently reliable throughout my time using it.

In 12 months, I do not believe Anvilogic will be replaced since it is deeply integrated into the detection framework at Rakuten, and the time taken to stabilize integrations is considerable. Even with its shortcomings, the value Anvilogic brings in detection and threat investigation is hard to replicate quickly.

Anvilogic will not be replaced at Rakuten, as its integration is extensive, and the time to build stable detection solutions is significant. Even small companies face challenges transitioning expertise, which makes Anvilogic a viable long-term solution.

The rating for the technical support of Anvilogic would depend on factors like who handles the request, but on a scale of 1 to 10, I would rate it around 6.5 to 7. Requests are typically addressed within 45 to 60 days, which I consider a reasonable timeframe given the number of customers.

Anvilogic was introduced at my last company before I joined the detection engineering team, and I know it is mainly used by that team. I am unsure if they have switched back to any other MSSP or whether they have switched back from Anvilogic to any other product.

The deployment process took place before my arrival at the company.

Based on the context of the environment, I find Anvilogic is highly beneficial for smaller cybersecurity teams needing an efficient detection tool. Larger organizations may explore alternatives, but for small to intermediate teams, Anvilogic fits well in their detection processes.

Regarding triage, I usually perform analysis directly through Splunk, so I do not find Anvilogic enhances my triaging process significantly. However, it does provide useful triggered rules, but Splunk remains my primary tool for queries and triage.

My overall review rating for Anvilogic is 6.5 out of 10.

Our use cases for Anvilogic primarily revolve around detection engineering. We ingest the logs to figure out our cybersecurity score and improve detection.

Anvilogic provides security analytics across multiple data platforms. We integrate it with Splunk, but it also integrates with Snowflake and other data platforms. Overall, it's been good since many people aim to move away from Splunk to save on overall costs. The fact that it integrates with various data lakes, specifically Snowflake, the most popular, makes sense.

Using Anvilogic decreases your detection engineering time while helping you build out additional detections and increasing your assurance and protection. It has decreased the engineering time by at least 20 percent.

It's been decent in terms of false positives. It doesn't necessarily reduce them, but the new detections have been pretty well-tuned so they aren't producing additional false positives. Anvilogic has increased security coverage by building out some detections, specifically in areas like Active Directory and IAM-type rules. While it hasn't reduced the overall cost, it may have helped the optimization side.

We integrate Anvilogic directly with Splunk rather than using the Amplitude platform separately. That has been helpful because we don't need to bring logs to a third-party source.

Anvilogic's AI assistant is pretty good. It helps us build out detections within your environment. It has improved our detection logic by a small amount and slightly reduced the time involved in detection writing. Generally, the detection builder is decent.

The drag-and-drop detection engine portal has been helpful because you don't need any programming experience. One area where the generative AI aspect has been helpful is when we are figuring out the specific threats about something that's triggered or similar campaigns. You can write in the latest from this type of detection that I'm looking at and get information back.

We need more around case management. I know that's something on the road map. We would like a way to create a ticket that we can export into a third-party platform like Jira. Anvilogic's prebuilt rules and threat scenarios didn't work the best for us because many of the rules were geared toward a Windows environment, whereas we're more of a Mac environment, so many of them didn't necessarily fit with what we have. I know a few other people who use them, and they've worked out well there.

I've been a full-time customer of Anvilogic for about two years now, and we did a proof of concept eight months or so before we became a customer.

We haven't had any issues with stability.

Anvilogic is as scalable as the environments you've integrated it with, whether it's Snowflake or Splunk.

We have a biweekly standing call with the Anvilogic team to talk through detections and updates, but I can't think of a case where we've had to contact them outside of that call.

The initial deployment was easy because we had it set up for our proof of concept, so it just took a little tuning, and we had it set up within a week. We had one person on our side working with somebody on their side. It's a cloud-based solution, but they push out updates on it. We haven't had any issues where it's broken on our systems, where we've had to lean in on the maintenance side.

We roughly broke even. If we had invested more or tuned our environment a little better, we might have come out on top.

Anvilogic's pricing has been highly competitive.

We did an extensive proof of concept for Anvilogic, Panther, Devo, Google Chronicle, Splunk, and a few different SIEM/detection engines. We did a breakdown based on our criteria and scoring on various features. Anvilogic outperformed the other tools that we tested.

The price was right for the organization. They also offered a multiyear deal that kept the price down looking forward. We compared it to something like the Chronicle, which required us to export our data specifically to that. It required multiple areas for ingestion, bringing up operational costs on top of the licensing cost. It wasn't providing better detection support than Anvilogic because it was able to integrate with Splunk and our case. It was able to pull off of data that was already being ingested, when we needed to have it ingest in multiple locations.

I rate Anvilogic seven out of 10. To prepare for Anvilogic, I recommend leaning into it. Take advantage of the support team and get some additional training. Use the workshops and commit to using the product. It's a tool that's only as good as the time you put into it. If you bring in the detection engine but don't put any time into creating those detections, then there's not much point.