1 of 42

Public Docs

Welcome to Anvilogic

What is Anvilogic?

Anvilogic is an AI SOC solution and multi-data platform that enables detection engineers and threat hunters to detect, hunt, and investigate seamlessly across disparate data lakes and SIEMs without the need to centralize data, learn new languages or deploy new sensors.

Anvilogic empowers enterprise SOCs to rapidly mature their detection programs with a dual approach: instantly deployable, curated detections and a powerful low-code builder for crafting correlated custom alerts. With thousands of expert-built detections ready to deploy in a single click, teams can accelerate threat coverage from day one. Anvilogic’s platform also features automated workflows and AI-driven insights for tuning, triage, maintenance, and critical alert escalation—helping SOCs hunt threats with greater speed and precision. Real-time SOC maturity scoring gives teams continuous visibility into their detection posture, mapped against their most critical threats.

Get Started

Onboarding guide

Congratulations and welcome to Anvilogic!

This guide will help you log in, complete the guided onboarding to set threat priorities and integrate a data repository, get data in, and deploy detections.

Onboarding workflow

The following flowchart summarizes the tasks you will complete to get started.

Get started

The Anvilogic platform is supported on the highest versions of Google Chrome and Mozilla Firefox.

If you're ready, to get started with your Anvilogic onboarding.

Need help?

If you run into any issues, see for information about how you can contact us.

Log in and set your password

Your welcome packet email from Anvilogic contains a link to log in to the Anvilogic platform for the first time. You must change your password the first time you log in to the Anvilogic platform.

Make sure you are a user with administrator privileges on the Anvilogic platform.
Click Set Password in the welcome package email. You are directed to set password page.
Enter the email address with which you have registered. This email address must match the email address that the welcome email was sent to.

Define your company's threat profile

After you log in, use the guided onboarding experience to define your company's threat profile.

Use the guided onboarding to define your company's threat profile and make the Anvilogic platform work according to your needs and priorities.

Benefits of setting threat priorities

Anvilogic provides prioritized content recommendations based on the following factors:

Your threat priorities

Select your data repository and get data in

Select the data repository where you store your logs.

After defining your company profile in the guided onboarding, select a data repository:

Next step

Follow the instructions for your data repository.

Integrate Splunk as your data repository

Integrate Splunk as your data repository

Integrate the Anvilogic platform with your Splunk Enterprise or Splunk Cloud Platform instance.

After defining your company profile in the guided onboarding, select Splunk as the data logging platform.

You must have admin privileges in Splunk in order to complete the integration.

Download and install the Anvilogic App for Splunk

Integrate Splunk with the Anvilogic platform using the Anvilogic App for Splunk.

The Anvilogic App for Splunk provides triage, allow list and suppressions management, and analytics used by the data feed and productivity scores on the maturity score pages.

You can also enable automated threat detection in the Anvilogic App for Splunk, which is required to generate tuning insights and some hunting insights.

Snowflake-only customers can get tuning insights without the Anvilogic App for Splunk.

I am a Splunk user

If you are already using Splunk Enterprise or Splunk Cloud Platform, follow the instructions in the documentation to download and install the Anvilogic App for Splunk.

Next step

Select one of the following to continue:

I don't have Splunk

If you don't have Splunk, and you want the capabilities provided by the Anvilogic App for Splunk, Anvilogic will provision a Splunk instance for you and manage the installation and upgrade of the Anvilogic App for Splunk.

Next step

After the Anvilogic platform is connected to a hosted Splunk instance, .

Splunk Cloud Platform

High-level steps for downloading and install the Anvilogic App for Splunk on Splunk Cloud Platform.

Perform the following tasks to download and install the Anvilogic App for Splunk on Splunk Cloud Platform:

Verify requirements
Install the Anvilogic App for Splunk

Next step

Verify requirements

Verify the requirements on this page before you download and install the Anvilogic App for Splunk.

Supported versions

You can integrate the Anvilogic platform with Splunk Cloud Platform versions 8.0.x and higher. Splunk Enterprise Security (ES) versions: 5.0 - 7.0.x are supported.

If you are using the Splunk Cloud Platform Classic experience, you won't be able to accept tuning insights.

See for more information about the differences between Splunk Cloud Platform Classic Experience and Splunk Cloud Platform Victoria Experience.

Install the Anvilogic App for Splunk

The process to get the Anvilgic App for Splunk differs depending on whether you are using Splunk Cloud Platform Classic Experience or Splunk Cloud Platform Victoria Experience.

Splunk Cloud Platform Classic Experience

File a service ticket to have Splunk install the Anvilogic App for Splunk for you.

Splunk Cloud Platform Victoria Experience

Follow the instructions in in the Splunk Cloud Pkatform Admin Manual to install the Anvilogic App for Splunk.

Next step

Splunk Enterprise

High-level steps for downloading and install the Anvilogic App for Splunk on Splunk Cloud Platform.

Perform the following tasks to download and install the Anvilogic App for Splunk on Splunk Enterprise

Verify requirements

Verify the requirements on this page before you download and install the Anvilogic App for Splunk.

Supported versions

You can integrate the Anvilogic platform with Splunk Enterprise versions 9.0.x and 8.0 - 8.3.x.

Splunk Enterprise Security (ES) versions 5.0 - 7.0.x are supported.

Where to install the app

Install the Anvilgic App for Splunk on your Splunk search head. The server where you install the Anvilogic App for Splunk must meet the following requirements:

The server must be able to connect to over port 443. This is required to download Splunk code and rules metadata.
The server must be able to connect to over port 443.
The server must be able to connect to over port 443 to send events for third party vendor alert integrations.

If you have multiple Splunk Enterprise instances, install the Anvilogic App for Splunk in only one of those environments.

Splunk Enterprise deployment considerations

For performance considerations, review the following factors in your Splunk Enterprise deployment:

The number of concurrent users.
The number of concurrent searches.
The types of searches used.

See in the Splunk Enterprise Capacity Planning Manual.

When you deploy threat identifiers on the Anvilogic platform, saved searches are created in your Splunk deployment. You can use cron scheduler recommendations on the Anvilogic platform to manage the load on your Splunk deployment.

Splunk Enterprise resource and hardware considerations

Resource and hardware considerations for the Anvilogic App for Splunk match the recommendations for your Splunk Enterprise deployment. See in the Splunk Enterprise Capacity Planning Manual.

Last updated 1 month ago

Download the Anvilogic App for Splunk

This page provides instructions for downloading the Anvilogic App for Splunk.

Download instructions

Perform the following steps to download the Anvilogic App for Splunk:

Access .

Install the Anvilogic App for Splunk

Install the Anvilogic App for Splunk in your Splunk Enterprise environment.

Follow the instructions in the Splunk documentation to install the Anvilogic App for Splunk in your environment:

If you have a distributed Splunk Enterprise deployment, use the deployer to install the app on your search heads. See Install an add-on in a distributed Splunk Enterprise deployment in the Splunk Supported Add-ons manual.
If you have a single-instance Splunk Enterprise deployment, install the app on the search head. See Install an add-on in a single-instance Splunk Enterprise deployment in the Splunk Supported Add-ons manual.

You must restart Splunk to complete the installation.

Create the Anvilogic indexes

Create the required custom indexes on the Splunk platform.

The Anvilogic App for Splunk requires custom Splunk indexes used by the HTTP Event Collector (HEC) collector command for auditing, metrics and reporting:

Create an index named <your-org-name>_anvilogic for storing Anvilogic rule output and auditing the app. See in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Create a metrics index named <your-org-name>_anvilogic_metrics for storing the output of baselining rules. See in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Configure the HEC collector commands

Create a HEC token that can write to the custom indexes you just created.

The Anvilogic App for Splunk contains a custom Splunk command that uses the HTTP Event Collector (HEC) to send results from threat identifiers into the events of interest index. This command is critical to the frameworks ability to store events for advanced correlation, and manages auditing on all objects.

More information on the HEC and how to set it up can be found in in the Splunk Enterprise Getting Data In manual.

Perform the following steps to create inputs on a single search head. Some steps may vary if you are managing a search head cluster.

In Splunk Web, select Settings > Data inputs.
Select

Connect to the Anvilogic platform

After you install the Anvilogic App for Splunk, you must configure the app to connect to the Anvilogic platform.

Connect the app to the Anvilogic platform

Perform the following steps to complete your initial configurationand connect the Anvilogic App for Splunk to the Anvilogic platform:

You must have the avl_admin role to edit the app configuration page.

Integrate Snowflake as your data repository

Integrate the Anvilogic platform with Snowflake.

Choose Snowflake

After defining your company profile in the guided onboarding, select Snowflake as the data logging platform.

You must have admin privileges in Snowflake in order to complete the integration.

Connect Snowflake to the Anvilogic platform

Perform the following steps to complete the integration with Snowflake:

Input your Snowflake account identifier to establish a connection between your Snowflake instance and the Anvilogic platform.
Click Copy Code, then click Go to Snowflake to go to your Snowflake instance and run the copied SQL commands. This set of SQL commands creates the necessary Snowflake components, the anvilogic_service Snowflake user used by the Anvilogic platform, and assigns the necessary permissions to the anvilogic_admin role for the anvilogic_service user.
Perform the following tasks in your Snowflake instance:

Next step

After you have defined your company's threat profile and connected Snowflake as a data repository, it's time to .

Get data into Snowflake

Get your data into Snowflake, where it can be used to generate detections on the Anvilogic platform.

Assumptions

This document assumes you have completed the guided onboarding:

You have defined your company threat profile.
You have integrated Snowflake as your data repository

Before you continue, make sure you are a user with administrator privileges on the Anvilogic platform.

Data onboarding summary

The following flowchart summarizes the process for getting your data into Snowflake.

Data onboarding steps

Pick one of the following next steps, depending on your infrastructure:

Self-managed pipelines

Before you begin, make sure you read . This document contains important information for optimizing your data onboarding for the best performance.

After you review the best practices, see for supported data sources and onboarding instructions for each data source.

Anvilogic-managed pipelines

See for a list of supported data sources. Click on the name of a data source and follow the instructions to get the data into Snowflake. Anvilogic manages the pipelines for these data sources once you have the data source integrated.

If you have a data source that is not listed here, use to get your data in. is the recommended way to get your data sources into Snowflake. If you don't use Cribl Stream, you can use your own pipelines to Snowflake.

Next step

Review data feeds

Review the category mappings and quality of your data feeds.

Your data feeds are automatically categorized and synchronized to the Anvilogic platform every 7 days. When you add a data feed, you can view it on the Data Feeds page within 7 days.

Review the data feed category

Verify the category of your data feeds matches what you expect, as this affects your MITRE coverage. Select Maturity Score () > Data Feeds from the navigation bar, the review the categories for each data feed:

To change or add categories to a data feed:

(Optional) Upload your existing detections

Upload your existing detections using a CSV file.

This is an optional step and if you choose not to do it now, you can come back and do this later at any point in time.

If you have existing detections, you can export them to a CSV file, then import the CSV into Anvilogic. Doing this helps you get an idea of what your MITRE coverage looks like, so you can address and strengthen the areas where you need additional coverage.

The CSV file must have the title, description, and search of the existing detection. See for instructions to import the CSV file into Anvilogic. This document also describes how to properly format the CSV file when you create it.

Review and deploy recommended content

Review and deploy a variety of detections on the Anvilogic platform.

The Anvilogic platform generates recommended content for you to deploy based on your threat priorities and good quality data feeds.

Where can I view recommended content?

You can view recommended content on the Home page and in the Armory, which shows you all available detections not yet deployed in your system.

Additional tasks

As an admin user, grant additional users access to the Anvilogic platform, or set up more secure authentication settings.

Create users and assign privileges

See Add a new user for instructions on how to add users who can access the Anvilogic platform. When you add a new user, you assign them roles which grant certain privileges to the user when they access the platform. See User roles and privileges (RBAC) for a full list of platform roles.

Configure additional authentication settings

You can configure additional authentication settings for access to the Anvilogic platform, such as multi-factor authentication (MFA) or single sign-on (SSO). See and for more information.

Reference Architectures

The following is Anvilogic's reference architecture to support your environment.

High Level Architecture

Anvilogic on Splunk Detailed Architecture

Anvilogic on Splunk Architecture

Anvilogic implementation with Splunk (Cloud & Splunk on-premise).

Architecture Diagram

Below is the generic architecture digram for how Anvilogic works on top of Splunk.

This supports both Splunk Cloud (Classic & Victoria) and Splunk on-premise.

Anvilogic on Azure

Anvilogic implementation with Azure (Data Explorer, Log Analytics, and Fabric).

Architecture Diagram

Below is the generic architecture digram for how Anvilogic works on top of Azure.

This supports both Azure Log Analytics, Azure Data Explorer (ADX), and Fabric workspaces.

We support querying a Log Analytics Workspace in a different tenant than the Anvilogic Azure Data Explorer Cluster.

In order to execute cross-tenant queries against a Microsoft Azure Log Analytics Workspace, the proper permissions first need to be configured.
This can be done using , a free service that assists customers in managing multiple Azure tenants.

Questions around cost? Review .

Diagram:

PDF Download:

Frequently Asked Questions (FAQs)

What gets installed in my Azure environment?

The following infrastructure will be created in the resource group you create for Anvilogic. We use an to deploy the infrastructure.

User managed identity (gives permissions to access key vault, and ADX tables)
Azure Key Vault

Does Anvilogic's integration incur any Azure costs?

Yes, there are costs associated with running the Anvilogic Resource Group in Azure, specifically on the Azure Data Explorer hosting cluster. These costs depend on the compute required to execute detections within your environment.

The average costs of running Anvilogic's required infrastructure in Azure range from $6,000-$25,000 per year annually depending on how many detections you will be running.

What costs money?

During the set up process, a VM is created that will manage the Data Explorer Cluster. The default size upon our automated installation of that VM is a Standard_E8ads_v5 (Medium 8vCPUs).

Calculate Costs:

What permissions do I need to create/use to install Anvilogic’s Azure integration?

You will be creating the following: 

Create new App registration for Anvilogic
Create a new secret in the new App that was created in Step 1

Can you query Data Explorer, Log Analytics, and Fabric?

Yes, Anvilogic supports searching and running detection against any data source inside of an Azure LA, ADX cluster, or Fabric workspace.

You will need to give the Anvilogic app service principal permissions to query any of the ADX, LA clusters, or Fabric workspaces you want Anvilogic searches and detections to use.

For Microsoft Fabric you need to create a workspace, leverage an event stream under real time intelligence, and the destination from the event stream MUST be a KQL Database.

The will then be able to query the KQL database.

Currently, we do not support querying a Log Analytics Workspace in a different tenant than the Anvilogic Azure Data Explorer Cluster.

How does the Anvilogic platform query our LA, ADX, or Fabric Clusters?

We connect into your ADX cluster and then use the Microsoft to initiate a query to any other LA, ADX cluster, or Fabric workspace that our app service principal have access to.

For Microsoft Fabric you need to create a workspace, leverage an event stream under real time intelligence, and the destination from the event stream MUST be a KQL Database.

The will then be able to query the KQL database.

Currently, we do not support querying a Log Analytics Workspace in a different tenant than the Anvilogic Azure Data Explorer Cluster.

What if Azure isn't my primary SIEM and I have a hybrid set up?

Since Anvilogic supports multiple SIEM/Data Lakes, you can configure all of the events if interest (EOIs) generated from detection queries to also write a copy back to your primary Alert Lake or EOI data store. That can be located in any of the other support platforms (ex. Splunk, Snowflake).

For example - if Splunk is your primary SIEM, then you can configure all of your Azure detection results to also send a copy of the event of interest (EOI) back to the Anvilogoic index in Splunk. The Anvilogic platform handles all of this EOI routing for you.

Can you help bring alert data into Azure for us?

Yes, Anvilogic can help retrieve alerts/signals from SaaS security tools (ex. Proofpoint, Wiz, Crowdstrike, etc.) and can ingest those into the Anvilogic table in ADX for correlation.

Can you help bring raw data into Azure for us?

No, Anvilogic does not support raw data ingestion into ADX, LA, or Fabric. Data must already be present in those environments.

Anvilogic only supports raw data ingestion for Azure Snowflake.

Do you provide parsers for un-normalized data?

Yes, we provide hundreds of out-of-the-box parsers that can be used to normalize your security data inside of ADX,LA, or Fabric.

What is the Anvilogic Alert Table in ADX?

Anvilogic Alert table in ADX will store the output from all detections that are running within the App container environment.

This is a fully normalized set of signals that we call “events of interest” that can be used to escalate activity to your SOAR or can be used as a hunting index to create Threat Scenario correlations.

Do you collect the alerts stored in the Anvilogic Alert Table in ADX?

Alerts are stored inside of your Azure table in ADX you specify during the setup.

The Anvilogic AI-Insights (ex. Hunting, Tuning, Health) package requires a copy of these events to be collected and stored by Anvilogic. If enabled, a copy of those events will be collected into Anvilogic.

Do you integrate with SOAR?

Yes, Anvilogic can integrate with most SOARs via REST API through either a push or a pull method.

Log Analytics Cross-Tenant Search

Learn how to configure Azure Lighthouse to enable cross-tenant searches in Microsoft Log Analytics.

In order to execute cross-tenant queries against a Microsoft Azure Log Analytics Workspace, the proper permissions first need to be configured. This can be done using Azure Lighthouse, a free service that assists customers in managing multiple Azure tenants. In this case, it is used to assign role-based access control (RBAC) permissions to grant service principals permissions across tenants.

What follows are the instructions to set up Azure Lighthouse to enable the Anvilogic Azure integration to query across Log Analytics Workspaces in different Azure tenants.

Terminology

Provider - The tenant that is providing the service (in which the Anvilogic ADX cluster was deployed).
Customer - The tenant that the provider needs access to. This contains the Log Analytics Workspaces that will be searched.

There is only one provider, but there can be many customers.

Other Considerations

At the moment, Microsoft does not support resource-level permissions. Their guidance is to place active DENY permissions for the Anvilogic service principal on any resources in the Customer Resource Group that you don't want it to be able to access.

Alternatively, you can move the Log Analytics Workspace to it's own resource group using the . This is a non-destructive change and would not impact the workspace (i.e. it can be done while in production).

Microsoft also recommends that customers have only one Log Analytics Workspace per region. If customers are using multiple, that is an anti-pattern from Microsoft's perspective. For more information, see .

Anvilogic on Snowflake Architecture

Anvilogic implementation on Snowflake (AWS, GCP, Azure).

Architecture Diagram

Below is the generic architecture digram for how Anvilogic works on top of Snowflake.

This supports Snowflake on Azure, AWS, and GCP.

Overall Diagram:

ETL Parsing & Normalization Process

PDF Download:

Frequently Asked Questions (FAQs)

Does it matter which public cloud I own?

Snowflake will be configured in the IaaS environment that you have and is available across AWS, GCP, and Azure.

You can also have a separate Snowflake account per environment if you are a multi-IaaS organization.

Data that already originates in IaaS that can be sent to cloud storage does not require a streaming tool and can be onboarded to Snowflake directly.

How do I onboard logs from data center assets?

Datasets that come from assets hosted within a data center or not in a public IaaS environment will require a solution to route that data to Snowflake.

Data streaming tools (ex. Cribl, Fluentbit, Apache NiFi) can be used to send on-prem. logs directly to Snowflake.

It is a requirement that you have a data transport/streaming tool to send data to IaaS storage or Anvilogic pipelines for ingestion.

Forwarding agents that are installed on endpoints also need to be re-configured to send to the streaming tools for ingestion into Snowflake.

Snowflake and/or Anvilogic does not provide any data streaming or endpoint agent technology.

How do you get data that originates in public cloud into Snowflake?

Configure your security tools & appliances to log to cloud storage services like S3, Blob storage, or GCP storage - Snowpipe then picks it up and ingests into Snowflake.

How does the Anvilogic SaaS platform communicate with the Snowflake database that gets installed in your Snowflake account?

All communication (search and detection use cases deployments) are done over REST API using HTTPS/443 with TLS v1.2+.

Can Anvilogic help with getting raw data into Snowflake?

Yes, if you have a streaming tool (ex. Cribl, , Apache NiFi) you can send custom data sources directly to Anvilogic’s ingestion pipeline. Anvilogic also has some out of the box support for raw data ingestion sources in our integrations armory.

This will send data to our S3 storage service, which temporarily stores data to process it into Snowflake.

Does Anvilogic help with parsing and normalization of raw data into Snowflake?

Yes, Anvilogic helps with all of the parsing and normalization of security relevant data into the Anvilogic schema. We have onboarding templates and configs that will help ensure the data you are brining into Snowflake is properly formatted to execute detections and perform triage, hunting, and response.

Can Anvilogic help getting enrichment data into Snowflake?

Yes, if you have third party Intel or CMDB tools that are required to be used within detection enrichment, those can be called via REST API and transported into a Snowflake table.

Anvilogic detections can then leverage those enrichment tables to enrich detections before those detections are stored in the Alert lake (upstream of SOAR).

Does Anvilogic have out-of-the-box integrations for specific vendors alert sources?

Yes, Anvilogic can provide out of the box integrations for common vendor alerts and data collection for specific SaaS Security tools (ex. Crowdstrike FDR).

Tools not listed in our integration marketplace can be sent through the Custom Data Integration pipeline as a self service option.

What is the difference between raw data vs Alert data?

Raw data sources are events/telemetry that is generated from endpoints/tools/appliances (ex. Windows Event logs, EDR logs).

Alerts data is curated signals from security tools (ex. Proofpoint alerts, Anti-virus alerts, etc.) that has already been identified to be suspicious or malicious by the vendor.

Do you use Snowflake Warehouses?

Yes, Anvilogic requires 2 warehouses to run.

Ad-hoc Warehouse - Compute for queries to assist search, hunt, and IR
Detect Warehouse - Run 24/7 executing scheduled tasks (detections) on a cron

Do you integrate with SOAR?

Yes, Anvilogic can integrate with most SOARs via REST API through either a push or a pull method.

Does Anvilogic have a search user interface (UI) for Snowflake?

Yes, Anvilogic has a search user interface (UI) to make it easy to query data that is inside of a Snowflake database.

In addition, Anvilogic makes it easy to build repeatable detections that can execute on top of Snowflake using a low-code UI builder.

Does Anvilogic have a data model? Does it work with OCSF?

Yes, Anvilogic has a data model and offers parsing and normalization code for any security data set that you want to use within the platform.

Yes, we can also work with OCSF data, and each data feed can be modified/controlled to customize to your needs.

Does Anvilogic support IOC collection & searching?

Yes, Anvilogic can onboard IOCs from your third party threat intel tools (ex. Threat Connect) and use that data to create new detections, conduct ongoing exposure checks across your data feeds, or use it to enrich your alert output for triage analysts.

FluentBit

The following page will help you understand how you can use FluentBit to send data to Anvilogic to ingest into Snowflake.

What is FluentBit?

Fluentd is an open source streaming tool that can be used to send data to Snowflake to leverage with Anvilogic.

You can leverage the below configs as templates for how to stream common security data sets to Anvilogic's data onboarding pipeline.

Remember: Anvilogic helps to parse and normalize this data to our schemas automatically once the data has been sent to our pipeline.

Data Type Examples:

Linux data

This page is designed to help customers leverage the Forward Events integration within their Anvilogic account for FluentBit.

Pre-Reqs

Anvilogic account
Snowflake data repository connected to your Anvilogic account

Setting up FluentBit Config

Anvilogic will provide a S3 bucket and the corresponding access keys/ids (note these change for each integration) when you create a forward events integration in your Anvilogic deployment.
Create a credential file on the machine that fluentBit can read from. For example, /home/<username>/creds . Inside the file please paste the following config with your specific access key/id

Since our credentials are already updated in the /home/<username>/creds file, we need to configure the service config file for Fluent Bit and set the path to this credential file (see image for reference). To do that, fire up your favorite text editor and edit the fluent-bit.service file located at /usr/lib/systemd/system/fluent-bit.service.
1. Environment="AWS_SHARED_CREDENTIALS_FILE=/home/<username>/creds"

Then run the following commands in a terminal window
1. sudo systemctl daemon-reload
2. sudo systemctl start fluent-bit

Once you have pasted the above config into your fluentBit.conf file (typically located at /etc/fluent-bit/fluent-bit.conf)

NOTE: You can also edit or add any of your own customer parsers for logs by editing the parser.conf file at /etc/fluent-bit/
Once you have edited your fluent-bit.conf, please restart the fluentBit service sudo systemctl restart fluent-bit
- You can validate that your config is working by heading to /tmp/fluent-bit/s3/ and looking inside that folder.

You can now confirm that data has landed in your snowflake account.

Please update the input section of this example config to fit your exact needs.

Windows data

This page is designed to help customers leverage the Forward Events integration within their Anvilogic account for FluentBit.

Pre-Reqs

Anvilogic account
Snowflake data repository connected to your Anvilogic account

Setting up FluentBit Config

Anvilogic will provide a S3 bucket and the corresponding access keys/ids (note these change for each integration) when you create a forward events integration in your Anvilogic deployment.
Following the steps of the AWS CLI install, once you have done the installation correctly - Please run aws configure and paste in the access key and id provided. Once this is completed, validate that the credentials have been created - usually C:\Users\YourUsername.aws\credentials

Once you have pasted the above config into your fluentBit.conf file (typically located at C:\Program Files\fluent-bit\conf )

NOTE: You can also edit or add any of your own customer parsers for logs by editing the parser.conf file at /etc/fluent-bit/
Once you have edited your fluent-bit.conf, please restart the fluentBit application

You can now confirm that data has landed in your snowflake account.

Please update the input section of this example config to fit your exact needs.

Fluentd

The following page will help you understand how you can use Fluentd to send data to Anvilogic to ingest into Snowflake.

What is Fluentd?

Fluentd is an open source streaming tool that can be used to send data to Snowflake to leverage with Anvilogic.

You can leverage the below configs as templates for how to stream common security data sets to Anvilogic's data onboarding pipeline.

Remember: Anvilogic helps to parse and normalize this data to our schemas automatically once the data has been sent to our pipeline.

Anvilogic on Databricks Architecture

Anvilogic implementation on Databricks (AWS, Azure, GCP).

Architecture Diagram

Below is the generic architecture digram for how Anvilogic works on top of Databricks.

This supports Databricks on AWS, Azure, and GCP.

Hybrid - Anvilogic on Splunk & Snowflake Architecture

Anvilogic implementation with Splunk & Snowflake.

Architecture Diagram

Below is the generic architecture digram for how Anvilogic works on top of a hybrid data environment like Snowflake & Splunk

This supports Snowflake on Azure, AWS, and GCP.
This supports Splunk on Splunk Cloud, Splunk Enterprise on-premise, and Splunk Enterprise Security (ES)

Diagram:

PDF Download:

Hybrid FAQ

What is the EOI routing pipeline?

With a multi platform SIEM, you need to select a primary location to store all of your Alerts, this in the Anvilogic platform is called your “Events of Interest (EOI)”.

You will select which logging platform you want to contain your consolidated EOIs from all detection inputs and the EOI routing pipeline will ensure all alerts (regardless where they original from) get routed to land in the correct destination for correlation opportunities across your data repositories.

In this example Splunk was selected to be the primary EOI data repo, which means all Snowflake alerts get routed to the Splunk index. If Snowflake was selected, then all Splunk alerts would get routed to the Snowflake alert table.

Anvilogic will also store a copy of all alerts generated in the platform Alert Lake, which is used for AI-Insights (ex. Tuning, Health, and Hunting escalations).

Frequently Asked Questions (FAQs)

Hybrid - Anvilogic on Splunk & Azure Architecture

Anvilogic implementation with Splunk & Snowflake.

Below is the generic architecture digram for how Anvilogic works on top of a hybrid data environment like Snowflake & Splunk

This supports Azure on Data Explorer, Log Analytics, Fabric, and Sentinel.
This supports Splunk on Splunk Cloud, Splunk Enterprise on-premise, and Splunk Enterprise Security (ES)

Diagram:

PDF Download:

Hybrid FAQ

What is the EOI routing pipeline?

With a multi platform SIEM, you need to select a primary location to store all of your Alerts, this in the Anvilogic platform is called your “Events of Interest (EOI)”.

Anvilogic will also store a copy of all alerts generated in the platform Alert Lake, which is used for AI-Insights (ex. Tuning, Health, and Hunting escalations).

Frequently Asked Questions (FAQs)

Security Controls

Monte Copilot & AI privacy and controls

Frequently asked questions around privacy and security controls for Monte Copilot and AI used within the Anvilogic platform.

Is any customer data used to train the AI models in either AI Insights or Copilot?

Anvilogic agrees that it shall not use, process, or allow access to sensitive or raw Customer Data for the purpose of training, developing, or refining artificial intelligence (AI) models, or any other automated decision-making technologies.

Is any of the data in the conversations with Monte Copilot being used for model training?

No. Any data sent to Monte Copilot is not used to train the models. Customer feedback when using Monte Copilot in the form of a thumbs up/down will be used to tune the responses using prompt engineering.

Does Monte Copilot use a public or private model?

Monte Copilot uses OpenAI-hosted models.

Is PII, PHI and/or PCI data going to be used by Monte Copilot?

Though Monte Copilot may capture the PII data that was submitted by the users during a conversation, this PII data is removed and not processed via LLM Models.

Do customers have the option to opt out of Monte Copilot?

Yes, all generative AI capabilities are part of add-ons. A customer has to purchase these add-ons to use the capabilities.

Do you inventory all your AI models, and do you regularly reassess them for risk and compliance?

Weekly and Monthly output reviews are conducted on models. Models are stored in either UDFs or Sagemaker endpoints. Risks are identified during output reviews and remediated.

Do you prevent and/or identify and mitigate false positives, data loss prevention and unintended consequences of the AI's outputs?

We use regular expressions to mitigate clearly false positives, if there is a problem with the model, we generate a new model that addresses the perceived shortcomings.

Do you provide training and support to your employees who are using generative AI?

Due to the continuous evolution of AI, the team's training is a hands-on approach through weekly meetings to discuss our research and implementation of generative AI-based technologies. In these discussions, we cover the latest information about best practices and knowledge sharing regarding technology and software libraries related to generative AI.

What customer data, if any, does the solution require for training and/or maintenance?

None.

Does the Monte Copilot solution leverage protected attributes such as gender, race, age, disability, spoken language, mental health, or marital status, and proxy features of protected attributes, such as ZIP code?

No.

Are there roles to control which users can use Monte Copilot?

Not yet, but RBAC around what team members can use Monte Copilot will be implemented before our generally available (GA) release.

Where does the data from questions and answers get stored? For how long are Q&A stored? Can Q&A be deleted?

Questions and answers are stored within an Anvilogic owned database hosted on Anvilogic's AWS instance.

By default, Q&A are stored for 30 days and then rolled off, unless feedback (thumbs down or thumbs up) were provided.

This data can be deleted by an Anvilogic engineer with access if required.