Explore the Armory

Problem: Detection engineering using current processes requires specialized sets of skills including security domain expertise as well as data platform query skills across potentially multiple data platforms and languages. It is difficult to create good-quality content quickly enough to keep up with emerging threats.

Anvilogic Solution: Our expert team of security researchers acts like a purple-team-as-a-service, providing our customers with a constant flow of high-quality, correlated detection content. It is developed in labs using real-world attack tools modeled on real-world attack patterns. This content is delivered in a very timely manner (particularly for severe and urgent threats), and spans different data platforms, log sources, and security tools in the environment.

There are many ways to explore and deploy the detections Anvilogic’s Forge team provides to our customers. We have deployed content in the previous section, but now let’s take some time to delve more deeply into the content in the Armory. Let’s start at the main Armory page.

From the main navigation on the left, hover over and click on “Armory”

As you can see, there is a large amount of content available in the armory, and there are many ways to find what you want. Anvilogic’s purple-team-as-a-service is constantly creating new content, both to deepen coverage of existing known threats, and to address new and emerging threats, campaigns, and vulnerabilities. We are able to roll out detections to the armory for instant deployment very quickly for critical vulnerabilities, ensuring our customers can protect their organizations in minutes when these events occur.

The actual detection content falls into 3 major categories:

• Threat Identifiers - These are specific detections looking for patterns or strings in log events that indicate something suspicious has occurred. Alerts from your vendor security products (e.g. an EDR) can also be fed into Anvilogic directly, generating their own threat identifiers. Note that most threat identifiers don’t generate alerts to your triage team on their own - rather they generate warning signals (“events of interest”) that are then used as parts of higher fidelity detections based on risk or real-world threat scenarios. You can, however, generate alerts for higher-fidelity threat identifiers as well.

• Threat Scenarios - These are correlated detections based on the warning signals created by Threat Identifiers and security vendor alerts. These correlations are based on real-world attack patterns and known adversary behaviors, which yields much better results than merely looking for indicators of compromise or simple pattern-based detections. This is how Anvilogic helps detection engineers deliver much better, actionable results to the SOC without a lot of noisy false positives.

• Macros - These are the building blocks of data collection, normalization, and enrichment used within threat identifiers. They allow our detections to gather, normalize, enrich, and tune detection rules easily and inline with your detection searches, creating more useful warning signals and alerts without the need for additional backend enrichment through a SOAR.

You can click on any of the numbers at the top to see the detection content under the labels including the full armory, type of content described above, or broken down by MITRE ATT&CK tactic, platform coverage, or domain coverage. You can further filter any of these views using the filters on the left for a very granular way to find content.

In addition, you can use the search bar at the top of any Anvilogic window to instantly search for detection content using any search criteria.

Going back to the main Armory page (back button on the browser, or main navigation - armory), as you scroll down the page you will see a few key groupings of detections in addition to the counts and breakdowns near the top. These include:

• Trending Topics - These are collections of detection content that are routinely put out by the Forge team to address emerging trends, new vulnerabilities, campaigns, techniques, etc. This content is available on a timely and ongoing basis for Anvilogic customers directly in the platform, and anyone can subscribe to our rollup email on emerging threats by subscribing to our email threat report. Click on one of these, or click on See All to see a larger, filterable list of available trending topics.

Here you can see if you are covered for this trending topic, read the threat intelligence summary, mass deploy the content, or drill into and deploy individual detection content.

• Recommended Detections - Anvilogic will automatically recommend specific detection content based on your custom priorities, coverage gaps, and available good quality data. Each recommended detection is marked with a star and a recommendation score on a scale of 1 to 100. If you hover over the score, you will see why the particular detection is recommended and what contributed to that score.

• Recommended Detection Packs - Detection packs are collections of detections mapped to a specific data platform (e.g. Splunk, Snowflake, Azure, or Devo), specific data category (e.g. Windows Events), and specific MITRE ATT&CK tactic (e.g. Initial Access) that you can deploy en masse. These are a great way to generate a lot of relevant warning signals when getting started with the platform, without overwhelming the SOC with alerts.