Solution Guide
Streamline Your Detection Engineering
Unlock the full potential of your current SIEM
Table of Content
What Are the Challenges of the Current Detection Engineering Lifecycle?
The detection lifecycle and maturity face several challenges related to how teams currently manage their SIEM and security tech stack across their people and internal processes. These include:
- Detection development pressure: Ensuring comprehensive coverage amidst a shortage of skilled personnel.
- Lifecycle maintenance: Constant updating and tuning of detections due to changing data formats and new telemetry.
- Alert triage complexity: Managing alert noise and lacking contextual information to identify root causes.
- Feedback loop deficiency: Absence of continuous feedback from analysts to refine detections.
All these challenges impact the throughput of getting detections out the door but can be transformed with the power of Anvilogic’s feature set.
60%
Improved ATT&CK Coverage
15K
Saved in Detection Engineering Hours
3X
More Efficient in Deploying Detections
30%
Reduction in Detection Deployment Time
Anvilogic Streamlines Your Detection Engineering Processes
Anvilogic is a SaaS platform that enhances detection engineering, enabling detection engineers to create more accurate detections and hunt more effectively across their data platforms. It uniquely augments existing Splunk and other SIEM deployments, simplifying complex detection engineering tasks.
Improve Detection Creation
Deliver more high-fidelity detections, faster.
Optimize Detection Management
Maintain healthier detections with version management and tuning insights.
Maximize Atomic Detections
Correlate saved searches using our robust detection engineering framework.
Streamline SecOps
Utilize our Gen AI assistant for triage, hunting, and query logic generation across the SOC.
Legacy Detection Lifecycle
Takes Days or Weeks...
Manual Research
Internet search
Social media
Threat intel feeds
Tracking & Feedback
Ticket MGMT
Bug trackers
.svg)
Develop, Test,
Deploy
Deploy
SIEM
Log Analytics
Manual Health & Performance Maintenance
WIKIS
DOCS
Metrics & Reporting
Dashboard Tools
BI
.svg)
Performed in Minutes
Threat Research
Anvilogic Purple Team
New detections released daily to combat threats
Build, Test, Deploy
One-Click Deploy
1000s of detections for multiple logging platforms with version management
Gen AI-Powered
SecOps Copilot
Automated triage, hunting and detection building assistance through natural language
Mature & Improve
AI Recommendations
Automated tuning, health monitoring, and hunting insights
Use Case One
Close Detection Gaps Faster
Use Case:
Building detections to cover the organization against threats.
Current Way:
It is a time-consuming process to research threats and build saved searches to cover detection gaps. Limited data schema skill sets make building query logic time and labor-intensive.
Now with Anvilogic, you can...
Leverage our detection content through a repository updated weekly with new saved searches and advanced attack correlation patterns. These patterns are meticulously curated by our in-house Anvilogic Forge Purple Team, who enrich them with metadata on threat actor groups and the TTPs (Tactics, Techniques, and Procedures) they defend against. All our detections can be further customized to fit your specific needs.
Our detailed tagging of each detection content helps you identify the most relevant rulesets. With our AI Recommendation Engine, easily choose the best TTPs from our extensive library based on your available data feeds. Enhance your defense against MITRE ATT&CK TTPs with quantifiable coverage scores, and identify areas for improvement to close your detection gaps.
Our detailed tagging of each detection content helps you identify the most relevant rulesets. With our AI Recommendation Engine, easily choose the best TTPs from our extensive library based on your available data feeds. Enhance your defense against MITRE ATT&CK TTPs with quantifiable coverage scores, and identify areas for improvement to close your detection gaps.
Case Study: SAP
SAP is the biggest private cloud in the world, controlling data for 95 of the Forbes 100. For their security teams, managing the lifecycle of threat detections is a time-consuming and inefficient task, especially given that they deal with over 20,000 common vulnerabilities annually, along with zero-days, ransomware, and other threats.
SAP chose Anvilogic to incorporate automation and AI into their security incident detection to streamline this process. SAP can now:
- Centralize and unify visibility across various detection tools.
- Significantly reduce the time required for essential tasks.
- Create new detections and conduct research with incredible speed.
“Now our people can actually create new detections and research them with incredible speed. What we used to do in one year, now we can do in one or two months.”
Use Case Two
Centralize Your End-to-End Detection Lifecycle
Use Case:
Managing detections throughout their lifecycle.
Current Way:
Iterative process that requires constant updating and tuning of logic as data formats change or if new telemetry is added makes it difficult to effectively scale and maintain high-quality detections.
Now with Anvilogic, you can...
Easily track, manage, and optimize your saved searches and advanced detections with a workbench that facilitates version control and tuning. Our intuitive detection-building wizard streamlines the entire detection lifecycle, offering metadata fields for tagging customization, risk score customization, and the ability to input reasoning and track change history for tracking detection logic changes. As versions evolve and multiply, you can compare change updates side-by-side to monitor and manage the progression of your detections.
We offer Tuning Insights linked to all deployed detections by continuously collecting metadata about them and automatically send you tuning recommendations on a regular basis. Each insight is tied to a use case in your SIEM, providing specific recommendations. For example, we might suggest allowlisting a particular process value to reduce alerts by a certain percentage, and explain to you why it's likely benign.
There is no mysterious black box - it's all based on computational math to ensure your detections are performing optimally, and we make the deployment of these suggestions straightforward and simple.
There is no mysterious black box - it's all based on computational math to ensure your detections are performing optimally, and we make the deployment of these suggestions straightforward and simple.
Case Study: eBay
eBay is a leading e-commerce company that connects millions of buyers and sellers worldwide. Their security team sought a new solution to lessen alert fatigue among security and incident response teams, decrease the operational costs of deploying detections, and stay ahead of the latest threats.
With Anvilogic's platform, eBay achieved significant improvements:
- 30% decrease in detection deployment time.
- 20% increase in security detection coverage.
- 48 hours to deploy detections in emergency scenarios.
“The ramp-up time to learn how to build a detection is greatly reduced with Anvilogic, especially for those not primarily in the security detection team.”
Use Case Three
Reduce Alert Fatigue with Multi-Stage Attack Correlation
Use Case:
Correlating saved searches and building advanced detections to cover the organization against threats.
Current Way:
Saved searches restricts detection to discrete/atomic events, causing high alert volumes. Advanced correlations require complex query logic, which is time-consuming and requires deep schema knowledge to build.
Now with Anvilogic, you can...
Build complex detection logic using a simple Low Code Builder that can correlate atomic events across multiple stages and upon correlated entities
Easily correlate Crowdstrike, Defender, or other EDR alerts with SIEM Saved Searches
Leverage hundreds of out-of-the-box scenarios or easily create your own
Automatically builds SPL, KQL, & SQL Logic
Automated MITRE mapping and risk-based scoring
You can maximize the value of your team's atomic saved searches in your SIEM by correlating them to model sophisticated attack narratives. Each saved search is tagged to MITRE, scored, and correlated into threat scenarios and augments the fidelity of your alerts.
Anvilogic's low-code detection builder allows you to create advanced detections across data platforms like Splunk, Snowflake, and Azure without complexity. It can automatically translate natural language query requirements into SPL, SQL, and KQL search logic, empowering practitioners by lowering entry barriers and reducing reliance on specific logging platforms.
When higher-fidelity alerts are generated, Monte Copilot is ready to assist. Trained with Tier 3 Analyst expertise and access to common data sets and tools, Monte Copilot provides real-time answers for your triage needs. Transform slow, manual tasks into smarter, automated workflows with Monte Copilot's powerful functions, empowering your team to work more efficiently and effectively.
When higher-fidelity alerts are generated, Monte Copilot is ready to assist. Trained with Tier 3 Analyst expertise and access to common data sets and tools, Monte Copilot provides real-time answers for your triage needs. Transform slow, manual tasks into smarter, automated workflows with Monte Copilot's powerful functions, empowering your team to work more efficiently and effectively.
Case Study: St. George's University
St. George’s University (SGU) is an international university and medical school committed to developing the intellectual capacity, creativity, and professionalism of its student body. Their SOC team faced challenges with SIEM implementation, including inadequate out-of-the-box correlation rules, difficulty adopting new detections and lack of version control for custom rules.
The SGU SOC team chose Anvilogic to enhance their proactive security measures. As a result, they can now:
- Deploy new detections 3x faster using the Detection Armory.
- Implement and adjust detections with greater speed and accuracy.
- Quickly respond to trending threats with pre-built scenarios.
“Anvilogic feels so natural with Splunk. We can customize detections really fast and get an alert out the door that works in our environment without a heavy lift. Because it’s not a black box, you can see the detection code and get ideas on how to build a better SPL search.”
Architecture and Product Features
Anvilogic Architecture
Product Features:
Detection
Detection Content (Anvilogic Armory)
- Forge Threat Research delivering over 1000s of ready-to-deploy detections (updated weekly) in SPL, KQL, SQL.
- Daily detections updated based on trending threats.
- Premium Threat Scenarios & Cloud Detection Content Packs.
- Hunting detection packs to detect anomalous behavior.
Detection Creation
- Low-Code detection builder to create behavior pattern-based detections or risk based detection scenarios.
- Import your pre-existing rules to be standardized across all alert data.
- Frameworks, machine learning recommendations and documentation to help define testing (TTPs) all in one place.
Detection Management
- Automated end-to-end detection lifecycle management.
- Easy to clone/modify/deploy detections.
- Use case documentation.
- Automated maintenance.
- Versioning & audit history of changes.
- Parsing and normalization code management.
Continuous Maturity Scoring
- End-to-end visibility of your SOC maturity based on data quality analysis, detection coverage across MITRE, and productivity metrics (ex. hunting, alert dwell time, etc.).
- Measurable technique coverage and gap analysis.
- Assessment validation testing integrated into maturity scoring framework.
AI-Insights
- Hunting, Tuning, and Health Insights that continuously monitor your unique environment, escalate activity that requires attention, and remind you of crucial maintenance actions.
- Hunting Insights delivered to help identify high-fidelity alerts and suspicious patterns across raw event logs.
- Detection recommendations based on your industry threat.
- Landscape, infrastructure, and MITRE ATT&CK coverage/gaps.
- Data prioritization & recommendations based on your unique environment.
- Automated Tuning recommendations to ensure your deployment is performing optimally.
Deployment Architecture
- Licensing: annual subscription model based on the user count.
- SaaS Deployment: Meta data, analytics, insights, audit logs, alerts, allowlisting, and enrichment stored in Anvilogic Alert Lake.
- Ability to search, query data, and deploy detections across multiple SIEMs and/or cloud data lakes.
- Able to automatically tag, normalize, and enrich detections before storage for optimal correlation.
- Highly flexible, open API platform that integrates with many existing security technologies.
Data & Integrations
- Supported Data Platforms: Splunk (On-Prem & Cloud), Azure Data Explorer, Azure Log Analytics, Snowflake (AWS, Azure, GCP).
- SOAR Integrations: Torq, Tines, XSOAR, Swimlane, more.
- Case Management Integrations: Jira, ServiceNow.
- Security Vendor Integrations: Crowdstrike, Proofpoint, Palo Alto Cortex, Tanium, VMware Carbon Black, Microsoft Defender, StackRox, DarkTrace, SentinelOne, ReversingLabs, Hunters, Abnormal Security, and more.
Triage (Splunk Only)
Triage Management
- Alert tuning, allow listing, triage observations.
- Alert triage assisted by the link analysis of the hunting graph.
- Triage across multiple hybrid cloud, cloud, and data lakes.
- Visualize alert attack pattern and timeline.
Alert Correlation
- We supply detections across multiple data repositories, allowing you to easily query different sources and centralize them for seamless correlation in one location.
Monte Copilot
- SecOps Companion trained across various SOC personas for investigation & detection building assistance.
- Access to common tools and data sets used by analysts for triage ex) VirusTotal, Shodan, IPInfo, and more.
.svg)
