Anvilogic Core Detect

The main use cases for Anvilogic are around detections and detection engineering, trying to accomplish everything from identifying, prioritizing threats, baselining current capabilities, and, based on the threat prioritization, identifying the gaps and recommended use cases that we will have to deploy to bridge those gaps. These are the use cases that we have deployed.

We enjoy a good partnership with the Anvilogic product and engineering teams. We could put many features that were not available in their pipeline, and they are quick to deliver key features for us. Deploying Anvilogic required training our team to adopt it, but during the evaluation, we planned our success criteria, which included training. The Anvilogic team has been with us since the beginning of the evaluation until now, maintaining the same cadence of meetings to review progress and areas for improvement, which is very helpful as a customer because we know they are not just after the next sale.

We were one of the first customers of Anvilogic, so many of its features were still under development when we began our journey with them. During the first 90 days, our primary focus was on migrating our detection content from the previous platform to Anvilogic. We concentrated on ensuring that this migration was done correctly. As we got more familiar with the platform, we discovered that Anvilogic has a highly robust detection library, with over 3,000 detections available. Their research team plays a crucial role in building these detections. Initially, we only deployed our custom detections that we had migrated, but over time, we began utilizing the detections from the library as well.

With each new feature that was released, we found our experience improved significantly. For instance, we appreciated the option to automatically deploy recommended detections. The insights capability was particularly impactful for us, as it automatically identified recommendations for tuning our use cases and fixing issues that needed attention. It also helped us discover areas we weren't actively monitoring. These differentiating features made a significant difference in our operations. Although it took us nearly a year to fully adopt Anvilogic, we are now at a point where all key stakeholders on the security operations team love the product and the user experience. Most importantly, we value the level of support we receive from Anvilogic.

From a maturity perspective, it has been very easy to measure our detection maturity over time. By using this detection engineering platform, we can manage the entire detection engineering lifecycle. Therefore, it’s simple to show executives our progress: where we started, where we currently are, and what remains to be done. We can also demonstrate how our maturity is evolving as new threats are identified and how we respond to them. All of this information is easy to justify thanks to the maturity dashboards available within the platform.

The features of Anvilogic that I prefer the most include having a holistic approach, from identifying the concept of analyzing maturity, doing it similarly to how we were doing it, looking at data maturity, data timeliness, data availability, and then into our detection maturity, and not only looking at prioritized detections needed for our specific area or domain, which was very important for us. From that point, deploying any recommended content is very simple. 

Another important feature is the concept of a multistage threat scenario. After we started subscribing to Anvilogic, in future releases, they built out new features around automated threat detections and insights, such as health insights, hunt insights, and tuning insights, which are all neat features that allow my team to be more efficient.

I believe the future is very exciting, especially regarding the agentic approaches that have gained popularity following the rise of generative AI and large language models. We fully expect that within a year, Anvilogic will incorporate some level of agentic workflow capabilities. We might adopt these features solely within Anvilogic, or we may choose to integrate them with our own homegrown agentic workflows. This is the direction I see for Anvilogic's adoption moving forward.

Anvilogic can be improved by focusing on the agentic way of doing things, similar to what we saw with Monte Copilot, which still needs work. The team is currently doing that work as seen in the roadmap, including having an agent for search, a detection agent, and a hunt agent, making those concepts come to fruition.

We started looking at Anvilogic in late 2021, and then we started evaluating them in early 2022. By late 2022, we were already subscribed to Anvilogic.

Other than scheduled downtimes, I have not experienced any outages.

Anvilogic scales effectively with the growing needs of our organization, and we don't have issues when onboarding our primary stakeholders into the platform. They can use it and receive necessary training and coaching, while the most important part is that we can meet with the Anvilogic customer success team almost weekly to review our adoption and share feedback.

They are top-notch. They are always available. The customer service team is always available to us. The product management and the product engineering team are available to us if we need to review something with them.

Positive

Like many companies in this field, we utilize the MITRE ATT&CK framework to benchmark our current capabilities and build detections. Each year, at the beginning of the year, we download the latest version of the MITRE ATT&CK framework and assess our current detections. We tag and benchmark them, prioritize threats, and identify which use cases require new detection capabilities. Previously, this process took my team about two to three weeks, and we only performed it annually. However, around 2021, MITRE introduced the concept of sub-techniques. Initially, we were analyzing around 300 techniques, but now we have to analyze over 600. This effectively doubled the time that my team needed to complete the analysis. The work became repetitive and monotonous. As a result, I began searching for a solution that could streamline this process.

When Anvilogic reached out, we discussed our detection processes, and they explained the capabilities of their platform. It felt like a meeting of the minds because what we were doing manually, they could automate. We realized this solution could save us a significant amount of time and make us more agile. By automating the processes of prioritization, identifying gaps, and deploying recommended detections, we could conduct threat prioritization exercises whenever necessary. Given that the threat landscape evolves almost daily, completing these exercises only once a year would put us at a disadvantage. When we recognized Anvilogic’s capabilities, we knew we had to consider their solution.

In early to mid-2021, Anvilogic was the only one doing it this way. We were doing it manually while they were building it, and now there are many similar companies emerging, but we are happy with the success we have had with Anvilogic, choosing to partner with them and providing feedback and feature requests they can incorporate into subsequent releases.

Since Anvilogic was a new concept and product, we needed to invest a lot of time in training our team to adopt it. Fortunately, during the evaluation phase, we established clear success criteria, one of which was training on Anvilogic. The Anvilogic team has been with us from the very beginning of this process and continues to support us today. 

We have detections in multiple places. Most of our detections are on-prem, but there are some that are in the cloud. We use their integration pipelines to bring all of them together.

It was fair. All of us like to deal with vendors who have a certain level of integrity, and the people who run Anvilogic have the highest level of integrity, which makes those sorts of negotiations much easier.

During our evaluation, we encountered many products making various promises. However, when it came to Anvilogic, they were able to identify key aspects of our processes during the evaluation period, which was impressive. This demonstrated that the Anvilogic product was engineered effectively and was functioning as intended. As a result, we started to trust both the team and the platform more.

Since then, we have enjoyed a strong partnership with the Anvilogic product and engineering teams. There were times when features we needed were not initially available, but we were able to communicate our requests, and they were quick to prioritize and deliver those key features for us.

If Anvilogic were to disappear tomorrow, my heart would break. My advice to Anvilogic is to prioritize my request. 

I would rate Anvilogic a nine out of ten.

We use Anvilogic  as an SOC detection engineering platform. In addition to that, we use it for hunting and investigation purposes.

We are a fairly small team with three people in total in the SOC. Their prebuilt configurations and all the detections and scenarios are the reason why we have good coverage today. We use them as a template to start off with. Of course, it needs a bit of customization for the organization it is being deployed for, but it works in our case. We use that, build it, and then fine-tune it for our scenario. We are then good to deploy it. Usually, what used to take us about a week's worth of detection development can be done in about an hour and a half or two at best by using these templates.

Anvilogic provides security analytics across multiple data platforms. It can integrate with different data platforms and provide the same kind of analytics.

We have been able to reduce the cost of having some of these analytics and capabilities deployed across different platforms because we route most of our alerts into Anvilogic. The analytics work on those, whether they are from endpoints, SaaS applications, Identity, or SIEM. We have been able to save costs by not having to deploy these across different platforms. There is also efficiency in terms of getting some of these done quickly and faster rather than jumping between different things.

Anvilogic enables us to break free from vendor lock-in. That was one of the key reasons why we chose Anvilogic. We have changed SIEM once since we moved to Anvilogic. In between, when we were looking at some other integrations, Anvilogic was ready to integrate easily with them. Vendor lock-in is a much lesser concern now.

Anvilogic's AI assistant has helped improve our detection logic. Prior to Anvilogic, somebody would do the investigation, come up with the results, go ahead with a review process, and implement the findings. Since we have had Anvilogic, it automatically does the assessment and gives us a daily report. The analyst just has to do the implementation after the review, so the investigation process from my analyst is no longer required. We feel that the outcome from Anvilogic is also reliable. We do not have to go back and get into the weeds to see specifically whether it is the right analysis.

It simplifies detection engineering and threat hunting across multiple search languages, although we do not fully leverage all the benefits. Most of our platforms are pulled in from the SIEM, and some of them are from the likes of CrowdStrike and other places. We leverage a standard taxonomy. If this were to be between two different SIEMs, the search capability would be very helpful. However, the AI capability for writing out a quick query by using things like regex or regular expressions and building out regular expressions helps. When an analyst is investigating something or building something, they quickly want to understand what a certain component means, so having that within the same pane helps. So, we use it in some capability, but those capabilities are very helpful so far.

Anvilogic has significantly reduced our end-to-end detection engineering time. Earlier, it used to take about a week and a half for someone to go in and check. With their templates and prebuilt scenarios and cases, it now takes just about a day or two where we have to look at it and then customize it for us.

Anvilogic has helped our organization reduce false positives. The tuning insights feature of Anvilogic comes up with proactive ways to reduce false positives. It gives the analyst a view of what is causing the false positives. Is it genuine or not? Is it malicious or not? They can then action items on those. They also maintain an ongoing allow list and deny list, which helps to suppress false positives temporarily, or in the longer run, makes the whole process both accountable with audit logs and quicker.

We were able to realize its benefits immediately. We did a proof of concept in 2021, and our coverage at that point was in the lower twenties. We got to about the upper eighties in two quarters, and it was very steep, quick growth.

Before Anvilogic, we had no visibility into our detection coverage. The ability to break it down by industry verticals, such as attackers and adversaries, is valuable.

Detection insights help us easily identify the most noisy ones, the effective ones, and what needs to be fixed to move the noisy ones to effective ones.

The hunting capabilities are very good. The AI components and hunting packages give us quick insights into what needs to be looked at.

The partnership has been very good. Their professional services and customer relationship have been very good. Our features and bugs have been fixed on time without a lot of follow-up, and their support has been excellent.

Finally, there is a feature within Anvilogic  that provides the threat landscape or our effectiveness towards the threat landscape on an ongoing basis. That is another feature that we liked.

The hunting insight needs integrable capability with different platforms to gather all of that insight and show it on a single canvas on Anvilogic. That is the only feature that could improve the way we do operations.

The pricing is slightly edging towards being a bit much for smaller organizations.

We have used the solution for close to three years.

For the most part, Anvilogic has been performing well, but because they use a Splunk backend, there is sometimes a bit of slowness and Splunk-related issues. It is generally stable, however.

Anvilogic has worked well for us. We started with about 55 detections and scaled up to about 980 odd detections so far. It has scaled very well for us. We have been able to get to a good scale. We do not have a multi-SIEM environment, so I do not know how it is for customers with that kind of environment.

One of the best things about Anvilogic is the partnership, their knowledge, the depth of technical understanding, and the speed at which they respond. I would rate them the topmost, a ten out of ten.

Positive

We used SOC Prime long ago, but it was in a limited capability. We were just looking at certain detections and logic to use from there. Anvilogic definitely is far better for us.

The initial setup was quite easy for us. There was a bit of a learning curve, which involved just understanding how the platform worked, taking about a month, but integrating with our existing platforms was a piece of cake. They have APIs for most things and standard off-the-shelf solutions such as SIEMs, endpoints, firewalls, and identity providers. It was very easy to integrate. The technical integration was very easy. It took about a month of learning from my team to get comfortable with the product and how to use it. It is one of the easiest security tools to learn.

The platform does not require any maintenance on our end, but once we start building out the detections, it requires some maintenance on our side to see that everything is running properly. That is more like an operational aspect.

Anvilogic has saved us about 25% percent of what a detection engineering platform would be. It is difficult to put quantitative aspects like better operations and structure quality, but I would say efficiency increased by about 50%.

Anvilogic has not helped reduce our overall SOC or IR operations costs because we use the time we saved to do more. If we were not doing more and did not have Anvilogic, we would need one dedicated person to do this detection engineering. That cost has significantly been reduced.

We were an early adopter, so the pricing was definitely good. Because they do not completely replace a SIEM, their pricing is slowly edging towards being a little too much for a smaller organization like ours. It is almost on the border. That is a bit of a challenge on our side, but the value still speaks for it. If the price increases more than where it is now, it would be a tough place for us.

Overall, I would rate Anvilogic a nine out of ten, considering its capabilities, features, interactions, and pricing.

Our use cases for Anvilogic primarily revolve around detection engineering. We ingest the logs to figure out our cybersecurity score and improve detection.

Anvilogic provides security analytics across multiple data platforms. We integrate it with Splunk, but it also integrates with Snowflake and other data platforms. Overall, it's been good since many people aim to move away from Splunk to save on overall costs. The fact that it integrates with various data lakes, specifically Snowflake, the most popular, makes sense.

Using Anvilogic decreases your detection engineering time while helping you build out additional detections and increasing your assurance and protection. It has decreased the engineering time by at least 20 percent. 

It's been decent in terms of false positives. It doesn't necessarily reduce them, but the new detections have been pretty well-tuned so they aren't producing additional false positives. Anvilogic has increased security coverage by building out some detections, specifically in areas like Active Directory and IAM-type rules. While it hasn't reduced the overall cost, it may have helped the optimization side. 

We integrate Anvilogic directly with Splunk rather than using the Amplitude platform separately.  That has been helpful because we don't need to bring logs to a third-party source.

Anvilogic's AI assistant is pretty good. It helps us build out detections within your environment. It has improved our detection logic by a small amount and slightly reduced the time involved in detection writing. Generally, the detection builder is decent.

The drag-and-drop detection engine portal has been helpful because you don't need any programming experience. One area where the generative AI aspect has been helpful is when we are figuring out the specific threats about something that's triggered or similar campaigns. You can write in the latest from this type of detection that I'm looking at and get information back. 

We need more around case management. I know that's something on the road map. We would like a way to create a ticket that we can export into a third-party platform like Jira. Anvilogic's prebuilt rules and threat scenarios didn't work the best for us because many of the rules were geared toward a Windows environment, whereas we're more of a Mac environment, so many of them didn't necessarily fit with what we have. I know a few other people who use them, and they've worked out well there.

I've been a full-time customer of Anvilogic for about two years now, and we did a proof of concept eight months or so before we became a customer.

We haven't had any issues with stability.

Anvilogic is as scalable as the environments you've integrated it with, whether it's Snowflake or Splunk.

We have a biweekly standing call with the Anvilogic team to talk through detections and updates, but I can't think of a case where we've had to contact them outside of that call.

The initial deployment was easy because we had it set up for our proof of concept, so it just took a little tuning, and we had it set up within a week. We had one person on our side working with somebody on their side. It's a cloud-based solution, but they push out updates on it. We haven't had any issues where it's broken on our systems, where we've had to lean in on the maintenance side.

We roughly broke even. If we had invested more or tuned our environment a little better, we might have come out on top.

Anvilogic's pricing has been highly competitive. 

We did an extensive proof of concept for Anvilogic, Panther, Devo, Google Chronicle, Splunk, and a few different SIEM/detection engines. We did a breakdown based on our criteria and scoring on various features. Anvilogic outperformed the other tools that we tested.

The price was right for the organization. They also offered a multiyear deal that kept the price down looking forward. We compared it to something like the Chronicle, which required us to export our data specifically to that. It required multiple areas for ingestion, bringing up operational costs on top of the licensing cost. It wasn't providing better detection support than Anvilogic because it was able to integrate with Splunk and our case. It was able to pull off of data that was already being ingested, when we needed to have it ingest in multiple locations.

I rate Anvilogic seven out of 10. To prepare for Anvilogic, I recommend leaning into it. Take advantage of the support team and get some additional training. Use the workshops and commit to using the product. It's a tool that's only as good as the time you put into it. If you bring in the detection engine but don't put any time into creating those detections, then there's not much point.