Anvilogic on Splunk Architecture

Anvilogic implementation with Splunk (Cloud & Splunk on-premise).

Architecture Diagram

Below is the generic architecture diagram for how Anvilogic works on top of Splunk.


This supports both Splunk Cloud (Classic & Victoria) and Splunk on-premise.

Diagram: Anvilogic on Splunk (Cloud and On-Premise)

Frequently Asked Questions (FAQs)

How does Anvilogic get installed for Splunk?

The Anvilogic App for Splunk is installed on your search head (single or clustered). It is approved for Splunk on-premises and Splunk Cloud (both Victoria and Classic).

Detections run as scheduled (cron) saved searches in the Anvilogic (AVL) app, and their results are written to the Anvilogic index.

How does the Anvilogic SaaS platform communicate with Splunk?

All communication (for example, deployment of detection use cases) is done over the REST API using HTTPS on port 443 with TLS 1.2 or later.

Can you help bring raw log data into Splunk for us?

No, Anvilogic does not provide a connector service or forwarding agent to help bring security logs into Splunk. Anvilogic only supports raw data ingestion for Snowflake.

Can you help bring alert data into Splunk for us?

Yes, Anvilogic can help retrieve alerts/signals from SaaS security tools (e.g. Proofpoint, Wiz, CrowdStrike) and ingest them into the Anvilogic index for correlation.

Does Anvilogic require Splunk Enterprise Security (ES)?

No, Anvilogic does not require Splunk ES to operate. However, Anvilogic can integrate with the existing ES framework if required.

Anvilogic does have a native triage capability that can replace certain ES components if required.

What data will Anvilogic have access to?

The Anvilogic Splunk app should be installed on a search head that has access to your security data. This allows the detection team to build and deploy detections to the search heads that can query the indexed data.

All RBAC controls are still maintained by your existing Splunk admins.

What is the Anvilogic index?

The Anvilogic index stores the output of all detections running within the Anvilogic Splunk app.

This is a fully normalized set of signals, which we call “events of interest”, that can be escalated to your SOAR or used as a hunting index for building Threat Scenario correlations.

Do you collect the alerts stored in the Anvilogic index?

Not by default. Alerts are stored in the Splunk index you specify during the Splunk app setup.

The Anvilogic AI-Insights package (e.g. Hunting, Tuning, Health) requires a copy of these events to be collected and stored by Anvilogic. If it is enabled, a copy of those events is collected into Anvilogic.

Do you provide parsers for un-normalized data?

Yes. Anvilogic does not require any Splunk add-on to function; we provide hundreds of out-of-the-box parsers that can be used to normalize your security data inside Splunk.

Do you integrate with SOAR?

Yes, Anvilogic can integrate with most SOARs via REST API, using either a push or a pull method.

Does Anvilogic have a triage capability in Splunk?

Yes, the Anvilogic app for Splunk has built-in triage and allowlisting capabilities that make it easy to investigate the alerts being generated.

It also integrates easily with any downstream SOAR platform you are using.
