Anvilogic on Azure
Anvilogic implementation with Azure (Data Explorer, Log Analytics, and Fabric).
Last updated
Below is the generic architecture diagram for how Anvilogic works on top of Azure.
It supports Azure Log Analytics (LA), Azure Data Explorer (ADX), and Microsoft Fabric workspaces.
Diagram:
The following infrastructure will be created in the resource group you create for Anvilogic. We use an Azure ARM template to deploy the infrastructure.
User-assigned managed identity (grants the container app access to the Key Vault and the ADX tables)
Azure Key Vault
ADX cluster, database, and tables
Azure Container App, environment, jobs, and instance
Log Analytics workspace for the container app
Azure Container Registry and cache
You will be creating the following:
1. Create a new App registration for Anvilogic
2. Create a new client secret in the App registration created in Step 1
3. Create an Anvilogic resource group
4. Go through the integration set-up on the Anvilogic Platform
Yes, Anvilogic supports searching and running detections against any data source inside an Azure LA workspace, ADX cluster, or Fabric workspace.
You will need to grant the Anvilogic app's service principal permission to query each ADX cluster, LA workspace, or Fabric workspace you want Anvilogic searches and detections to use.
For Microsoft Fabric you need to create a workspace, use an Eventstream under Real-Time Intelligence, and the destination of the Eventstream MUST be a KQL Database.
The cluster command will then be able to query that KQL database.
We connect to your ADX cluster and then use the Microsoft cluster command (the KQL cluster() function) to issue a query to any other LA workspace, ADX cluster, or Fabric workspace that our app's service principal has access to.
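As an added example (not part of the Anvilogic documentation or its deployment templates), the KQL below shows the cross-cluster pattern the integration relies on: run from the Anvilogic-connected ADX cluster, it uses cluster() to reach a Log Analytics workspace through the ADX proxy endpoint and a Fabric KQL database, and unions a simple failed-sign-in detection across both. All URIs, subscription, resource group, workspace and database names are placeholders, and the presence of a SigninLogs table on the Fabric side is an assumption.

```kql
// Added example, not Anvilogic's own query. Every <...> value is a placeholder.
// Runs on the ADX cluster Anvilogic connects to; the app's service principal must
// already hold read permission on both remote sources or cluster() returns an error.
// Remote 1: a Log Analytics workspace via the ADX proxy (database name == workspace name)
cluster('https://ade.loganalytics.io/subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/microsoft.operationalinsights/workspaces/<workspace-name>')
    .database('<workspace-name>')
    .SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"            // "0" is a successful sign-in; anything else failed
| summarize Failures = count(), SourceIPs = dcount(IPAddress) by UserPrincipalName
| where Failures >= 10
| extend Source = "log-analytics"
| union (
    // Remote 2: a Fabric Eventhouse KQL database fed by an Eventstream (assumed schema)
    cluster('https://<eventhouse-query-uri>.kusto.fabric.microsoft.com')
        .database('<kql-database-name>')
        .SigninLogs
    | where TimeGenerated > ago(1h)
    | where ResultType != "0"
    | summarize Failures = count(), SourceIPs = dcount(IPAddress) by UserPrincipalName
    | where Failures >= 10
    | extend Source = "fabric"
)
| project TimeWindow = ago(1h), Source, UserPrincipalName, Failures, SourceIPs
| order by Failures desc
```

If the service principal is missing read access on either remote source the whole query fails, which is exactly the permission requirement described above.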
Yes, Anvilogic can retrieve alerts/signals from SaaS security tools (e.g. Proofpoint, Wiz, CrowdStrike) and ingest them into the Anvilogic table in ADX for correlation.
No, Anvilogic does not support raw data ingestion into ADX, LA, or Fabric. Data must already be present in those environments.
Anvilogic only supports raw data ingestion for Azure Snowflake.
Yes, we provide hundreds of out-of-the-box parsers that can be used to normalize your security data inside ADX, LA, or Fabric.
The Anvilogic Alert table in ADX stores the output of every detection running within the App container environment.
This is a fully normalized set of signals that we call "events of interest"; they can be used to escalate activity to your SOAR or as a hunting index for building Threat Scenario correlations.
Alerts are stored in the ADX table you specify during setup.
The Anvilogic AI-Insights package (e.g. Hunting, Tuning, Health) requires a copy of these events to be collected and stored by Anvilogic. If it is enabled, a copy of those events is collected into Anvilogic.