Review Insights
Last updated
Anvilogic provides automated, ML (machine learning) driven insights to customers in the areas of detection health, detection tuning, and threat hunting. These will not appear in the system immediately: the ML algorithms need a certain amount of time and a certain volume of EOI (events of interest) data from your deployed detections and security vendor alerts before they can produce results. Depending on the number and type of EOIs generated in your environment, this could take anywhere from a few days to a week or more.
The most common type of automated insights you should expect during a free trial are Tuning Insights and Hunting Insights, each covered below. You can view a summary of your insights from the Home page or see a detailed list of them from the Insights icon on the main navigation page.
Note that in some free trial environments, you may see a warning message that no SIEM is connected, and you will not be able to accept insights. This is a normal and expected limitation of the free trial; in a production implementation you will be able to accept these insights and automatically tune your detection rules.
View tuning insights from the Insights icon on the main navigation menu, then click Tuning on the top of the panel.
From here, you can click into any insight by clicking the name of the use case in the left column. This will bring up a pop up window on the right, from which you can dismiss or accept the insight.
Accepting a tuning insight (may be disabled in a free trial environment) will prompt you with several options, including the ability to require more than one field to match before the allowlist entry applies, and a time limit after which the allowlist entry expires. Both options narrow the scope of what the allowlist suppresses: an entry keyed on a single field (for example, only a user name) silences every future event of interest carrying that value, while an entry that must match several fields (user and host, for instance) only silences the specific activity the insight was generated for, and a time limit ensures the suppression is revisited rather than left in place indefinitely.
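To make the difference between a one-field and a multi-field, time-limited allowlist concrete, here is a small added illustration written for this page. It is not Anvilogic code and does not reflect how the product stores or evaluates allowlist entries; the AllowlistEntry class, the filter_events function, and the sample events of interest are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

@dataclass
class AllowlistEntry:
    """One allowlist entry (illustrative model, not Anvilogic's schema).

    fields: every key/value pair must match the event for the entry to apply.
    expires_at: entry stops suppressing events once this time is reached (None = no expiry).
    """
    fields: Dict[str, str]
    expires_at: Optional[datetime] = None

    def suppresses(self, event: Dict[str, object], now: datetime) -> bool:
        if self.expires_at is not None and now >= self.expires_at:
            return False  # expired entries no longer suppress anything
        return all(event.get(k) == v for k, v in self.fields.items())


def filter_events(events: List[dict], allowlist: List[AllowlistEntry],
                  now: datetime) -> Tuple[List[dict], List[dict]]:
    """Split events into (kept, suppressed) according to the allowlist."""
    kept, suppressed = [], []
    for event in events:
        if any(entry.suppresses(event, now) for entry in allowlist):
            suppressed.append(event)
        else:
            kept.append(event)
    return kept, suppressed


# Constructed sample events of interest (not real data). Event 1 is the
# routine activity a tuning insight would flag as noise; event 2 is the same
# service account doing something unexpected on a different host.
EVENTS = [
    {"id": 1, "user": "svc_backup", "host": "bk01", "process": "robocopy.exe"},
    {"id": 2, "user": "svc_backup", "host": "ws-finance-07", "process": "powershell.exe"},
    {"id": 3, "user": "jdoe", "host": "bk01", "process": "robocopy.exe"},
]
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# One-field entry: suppresses everything svc_backup does, including event 2.
ONE_FIELD = [AllowlistEntry({"user": "svc_backup"}, NOW + timedelta(days=30))]

# Two-field entry: suppresses only the known user+host pair, so event 2 still surfaces.
TWO_FIELD = [AllowlistEntry({"user": "svc_backup", "host": "bk01"}, NOW + timedelta(days=30))]


def demo(allowlist: List[AllowlistEntry], now: datetime = NOW) -> Tuple[List[int], List[int]]:
    """Return the ids of kept and suppressed sample events for a given allowlist."""
    kept, suppressed = filter_events(EVENTS, allowlist, now)
    return [e["id"] for e in kept], [e["id"] for e in suppressed]


if __name__ == "__main__":
    print("one field:", demo(ONE_FIELD))
    print("two fields:", demo(TWO_FIELD))
    print("two fields, after expiry:", demo(TWO_FIELD, NOW + timedelta(days=31)))
```

Running the block shows the one-field entry hiding event 2, the two-field entry keeping it visible, and the expired entry suppressing nothing at all, which is the behaviour the multi-field and time-limit options in the accept dialog are there to give you.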
Hunting insights should be reviewed to see automatic, ML-generated alerts about detections that appear highly relevant and about correlations you might not otherwise notice. Hunting insights provide the equivalent of an FTE threat hunter reviewing your events of interest for important security events.
View hunting insights from the Insights icon on the main navigation menu, then click Hunting on the top of the panel.
From here you can click on the name of the hunting insight to see additional details.
You can click the Dismiss button if the insight seems to describe benign events, or the Escalate button if you want to create an alert for the SOC or IR team (note that this won't go anywhere in a free trial, but will create a ticket or similar process in a production environment).
If you want more details and context, you can click Open In Hunt to explore the Hunt interface, which allows you to pivot on various event fields, look at potentially related events of interest, add them to your investigation, and save the result as a hunt for future review.