Splunk® Attack Analyzer

Detect and Analyze Threats with Splunk Attack Analyzer

Analyze completed jobs with Splunk Attack Analyzer

When you submit a URL or file to Splunk Attack Analyzer for analysis, the report of the analysis is called a job. The items processed or found during analysis are called resources. The outputs from the engines are called tasks. As an analyst, you might want to review the job, its resources, and the associated tasks to decide whether to investigate a potentially malicious URL or file further.

To start your analysis of a job, follow these steps:

  1. Select the entry for the job in Recent Submissions, or select the Recent tab and select the job you want to review. You can also search for a specific job using the Search tab. To learn more about searching in Splunk Attack Analyzer, see Search in Splunk Attack Analyzer.
  2. Review the top-level job details.
    1. Top-level job details include the score, verdict, requested engines, and so on. Scores are on a 0 to 100 scale and are returned by an engine once it has completed analysis of a given resource. A score of 0 indicates no evidence of maliciousness, while a score of 100 indicates strong evidence of maliciousness. Each score range also has an associated color: 0-29 is green, 30-69 is yellow, 70-100 is red.
    2. The score listed in the top-level job details is the consolidated score, or the highest score given to the URL or file from any of the Splunk Attack Analyzer engines. The verdict might be Phish, Malware, or Spam.
  3. Review the Resources Analyzed heading and select the links to see the engines' path of analysis, including screenshots of what any attachments looked like, or the sites the URLs navigated to.
  4. Review the task-level details. These include the engines run on this data, the detections found by the engines with their associated scores, and additional information that might include screenshots of what the Web Analyzer engine saw on the web page, forms, HTML source, artifacts of the files that loaded during analysis, and so on.
  5. (Optional) Review the Normalized Forensics or Raw Forensics tabs. Raw forensics is the JSON output from all the engines that ran on the URL or file, while normalized forensics is a more organized version with tabs for detections, network, system, and so on. See Understanding normalized and raw forensics to learn more.
  6. (Optional) Review the Artifact Downloads tab visible on the Consolidated job view to gather more information about submitted URLs or files.
    1. Select Group by Resource, Group by Artifact Type, or Group by Engine to further sort the information.
    2. Select the Download as PCAP or Download original HAR buttons for the resources to download those file types.
    3. If you have submitted a file, you can use the Download Resource button to download the original file. If you choose to download the resource, it appears as a password-protected ZIP file. Use the password "infected" to access the download.
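
The scoring rules from step 2 can be applied to a batch of jobs to decide which to review first. The following is an added example, not Splunk code: the task dictionaries, their "engine" and "score" keys, the job ids, and the function names are all assumptions made for illustration and do not reflect a Splunk Attack Analyzer API or export schema.

```python
# Color bands as stated on this page: 0-29 green, 30-69 yellow, 70-100 red.
BANDS = ((0, 29, "green"), (30, 69, "yellow"), (70, 100, "red"))

def band(score: int) -> str:
    """Map an integer 0-100 score to its color band; reject anything else."""
    for low, high, color in BANDS:
        if low <= score <= high:
            return color
    raise ValueError(f"score {score!r} is outside the 0-100 scale")

def consolidate(tasks: list) -> dict:
    """Summarize one job from its task results.

    Each task is a dict with the hypothetical keys "engine" and "score".
    A score of None means that engine has not completed analysis yet.
    """
    done = [t for t in tasks if t["score"] is not None]
    pending = [t["engine"] for t in tasks if t["score"] is None]
    if not done:
        return {"score": None, "band": None, "drivers": [], "pending": pending}
    for t in done:
        band(t["score"])  # validate every returned score before trusting max()
    top = max(t["score"] for t in done)  # consolidated score = highest engine score
    return {
        "score": top,
        "band": band(top),
        # Engines whose score equals the consolidated score: review these tasks first.
        "drivers": sorted(t["engine"] for t in done if t["score"] == top),
        "pending": pending,
    }

def triage_order(jobs: dict) -> list:
    """Order job ids for review: highest consolidated score first, unscored jobs last."""
    scores = {job_id: consolidate(tasks)["score"] for job_id, tasks in jobs.items()}
    return sorted(jobs, key=lambda j: (scores[j] is None, -(scores[j] or 0), j))

# Constructed sample data; engine names and job ids are placeholders.
SAMPLE_JOBS = {
    "job-a": [{"engine": "engine-1", "score": 10}, {"engine": "engine-2", "score": 85}],
    "job-b": [{"engine": "engine-1", "score": 0}, {"engine": "engine-2", "score": None}],
    "job-c": [{"engine": "engine-1", "score": 45}, {"engine": "engine-2", "score": 45}],
    "job-d": [{"engine": "engine-1", "score": None}],
}

if __name__ == "__main__":
    for job_id in triage_order(SAMPLE_JOBS):
        print(job_id, consolidate(SAMPLE_JOBS[job_id]))
```

A job with a green consolidated score and engines still pending, such as the constructed job-b, is worth rechecking once the remaining engines return, because the consolidated score can only rise as more scores arrive.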

You can select the Send Feedback button to send any comments or suggestions to the Splunk Attack Analyzer team. You can also select the More icon to download a PDF report with relevant information from the job, and if you have been granted permissions, you can also delete the job.

Understanding normalized and raw forensics

To see a detailed view of the analysis results from the engines, use the raw and normalized forensics tabs on the results page for a job. Raw forensics is the JSON output from all the engines that ran on the URL or file, while normalized forensics is a more organized version with tabs for detections, network, system, and so on. For more details on the normalized forensics tabs and their purposes, see the following table.

| Normalized forensics tab name | Description |
| --- | --- |
| Detections | Shows the detections found by the engines that ran on the data as well as any MITRE ATT&CK data. |
| Network | Shows information about the network traffic such as hosts, IP addresses, and some domain information. This tab also shows information about network connections, HTTP requests, including information about SSL decrypted sessions, as well as URLs observed in the task. You can see if Splunk Attack Analyzer visited the URLs, or only used them as a resource. Finally, this tab shows Whois results, if available, and forms. Forms contain a breakdown of any HTML input forms and relevant inputs that were observed on a web page. |
| System | Shows artifacts from the analysis such as files, processes, registry keys and so on. |
| Strings & Configs | Shows extracted configuration and strings. |
| Images | Shows extracted images from the analysis or screenshots that were taken during the analysis. |
| All | Shows a consolidated view of all of the information from all of the tabs. |


Learn more

To learn more about analyzing completed jobs, watch this video on Reviewing Completed Jobs in Attack Analyzer.

Last modified on 07 February, 2024

This documentation applies to the following versions of Splunk® Attack Analyzer: Current

