Explore the Armory

Last updated 1 year ago

Problem: Detection engineering using current processes requires specialized sets of skills including security domain expertise as well as data platform query skills across potentially multiple data platforms and languages. It is difficult to create good-quality content quickly enough to keep up with emerging threats.

Anvilogic Solution: Our expert team of security researchers acts like a purple-team-as-a-service, providing our customers with a constant flow of high-quality, correlated detection content. It is developed in labs using real-world attack tools modeled on real-world attack patterns. This content is delivered in a very timely manner (particularly for severe and urgent threats), and spans different data platforms, log sources, and security tools in the environment.

There are many ways to explore and deploy the detections Anvilogic’s Forge team provides to our customers. We have deployed content in the previous section, but now let’s take some time to delve more deeply into the content in the Armory. Let’s start at the main Armory page.

From the main navigation on the left, hover over and click on “Armory”.

As you can see, there is a large amount of content available in the armory, and there are many ways to find what you want. Anvilogic’s purple-team-as-a-service is constantly creating new content, both to deepen coverage of existing known threats, and to address new and emerging threats, campaigns, and vulnerabilities. We are able to roll out detections to the armory for instant deployment very quickly for critical vulnerabilities, ensuring our customers can protect their organizations in minutes when these events occur.

The actual detection content falls into 3 major categories:

  • Threat Identifiers - These are specific detections looking for patterns or strings in log events that indicate something suspicious has occurred. Alerts from your vendor security products (e.g. an EDR) can also be fed into Anvilogic directly, generating their own threat identifiers. Note that most threat identifiers don’t generate alerts to your triage team on their own - rather they generate warning signals (“events of interest”) that are then used as parts of higher fidelity detections based on risk or real-world threat scenarios. You can, however, generate alerts for higher-fidelity threat identifiers as well.

  • Threat Scenarios - These are correlated detections based on the warning signals created by Threat Identifiers and security vendor alerts. These correlations are based on real-world attack patterns and known adversary behaviors, which yields much better results than merely looking for indicators of compromise or simple pattern-based detections. This is how Anvilogic helps detection engineers deliver much better, actionable results to the SOC without a lot of noisy false positives.

  • Macros - These are the building blocks of data collection, normalization, and enrichment used within threat identifiers. They let detections gather, normalize, and enrich data and tune rules inline with your detection searches, producing more useful warning signals and alerts without additional backend enrichment through a SOAR.
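The three content types above form a pipeline: macros normalize, threat identifiers emit events of interest, and threat scenarios correlate them before anything becomes an alert. The following is an added illustration of that flow in plain Python, not Anvilogic's own code; the log sources, field names, signal names and ten-minute window are all assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events from two hypothetical log sources (EDR, web proxy).
RAW_EVENTS = [
    {"src": "edr", "ts": "2024-01-01T10:00:00", "hostname": "WS01",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe"},
    {"src": "proxy", "ts": "2024-01-01T10:03:00", "host": "ws01", "dest_port": 8443},
    {"src": "edr", "ts": "2024-01-01T11:00:00", "hostname": "WS02",
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"src": "proxy", "ts": "2024-01-01T11:05:00", "host": "ws02", "dest_port": 443},
    {"src": "edr", "ts": "2024-01-01T12:00:00", "hostname": "WS03",
     "image": "C:\\Users\\eve\\AppData\\Local\\Temp\\tool.exe"},
]

def normalize(event):
    """Macro role: map each source's field names onto one common schema."""
    return {
        "host": (event.get("host") or event.get("hostname")).lower(),
        "time": datetime.fromisoformat(event["ts"]),
        "image": event.get("image", "").lower(),
        "dest_port": event.get("dest_port"),
    }

def threat_identifiers(event):
    """Threat identifier role: emit events of interest (EOIs), not alerts."""
    eois = []
    if "\\appdata\\local\\temp\\" in event["image"]:
        eois.append(("exec_from_temp", event["host"], event["time"]))
    if event["dest_port"] not in (None, 80, 443):
        eois.append(("outbound_uncommon_port", event["host"], event["time"]))
    return eois

def threat_scenario(eois, window=timedelta(minutes=10)):
    """Threat scenario role: alert only when a temp-directory execution is
    followed by an uncommon-port egress from the same host within the window."""
    execs = [(h, t) for n, h, t in eois if n == "exec_from_temp"]
    egress = [(h, t) for n, h, t in eois if n == "outbound_uncommon_port"]
    return sorted({h for h, t0 in execs for h2, t1 in egress
                   if h2 == h and t0 <= t1 <= t0 + window})

def run(raw_events=RAW_EVENTS):
    """Return (events of interest, hosts that produced a scenario alert)."""
    eois = [e for ev in raw_events for e in threat_identifiers(normalize(ev))]
    return eois, threat_scenario(eois)
```

Running it yields three events of interest but a single alert (ws01): ws03's lone temp-directory execution stays a warning signal, which is the behaviour the identifier/scenario split is meant to give you.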

You can click on any of the numbers at the top to see the detection content under that label: the full armory, each type of content described above, or content broken down by MITRE ATT&CK tactic, platform coverage, or domain coverage. You can further narrow any of these views using the filters on the left for a very granular way to find content.

In addition, you can use the search bar at the top of any Anvilogic window to instantly search for detection content using any search criteria.

Going back to the main Armory page (back button on the browser, or main navigation - Armory), as you scroll down the page you will see a few key groupings of detections in addition to the counts and breakdowns near the top. These include:

  • Trending Topics - These are collections of detection content that are routinely put out by the Forge team to address emerging trends, new vulnerabilities, campaigns, techniques, etc. This content is available on a timely and ongoing basis for Anvilogic customers directly in the platform, and anyone can receive our rollup email on emerging threats by subscribing to our email threat report. Click on one of these, or click on See All to see a larger, filterable list of available trending topics.

Here you can see if you are covered for this trending topic, read the threat intelligence summary, mass deploy the content, or drill into and deploy individual detection content.

  • Recommended Detections - Anvilogic will automatically recommend specific detection content based on your custom priorities, coverage gaps, and available good quality data. Each recommended detection is marked with a star and a recommendation score on a scale of 1 to 100. If you hover over the score, you will see why the particular detection is recommended and what contributed to that score.

  • Recommended Detection Packs - Detection packs are collections of detections mapped to a specific data platform (e.g. Splunk, Snowflake, Azure, or Devo), specific data category (e.g. Windows Events), and specific MITRE ATT&CK tactic (e.g. Initial Access) that you can deploy en masse. These are a great way to generate a lot of relevant warning signals when getting started with the platform, without overwhelming the SOC with alerts.