Splunk® Attack Analyzer

Detect and Analyze Threats with Splunk Attack Analyzer

Connect Splunk Attack Analyzer with Splunk SOAR and Splunk Mission Control

You can integrate Splunk Attack Analyzer with Splunk Mission Control and Splunk SOAR using the Splunk Attack Analyzer Connector for Splunk SOAR. This connector lets you move data between Splunk Attack Analyzer and Splunk SOAR or Splunk Mission Control, and act on that data using the functionality of those products.

By default, Splunk Attack Analyzer retains data for 180 days, after which it is deleted. If you want to keep data for longer, use the Splunk Add-on for Splunk Attack Analyzer or the Splunk Attack Analyzer APIs to store it in the Splunk platform or another SIEM tool before it is deleted. See the User Guide for the Splunk Add-on for Splunk Attack Analyzer and the API documentation in Splunk Attack Analyzer for more information.

Configure the Splunk Attack Analyzer Connector for Splunk SOAR

Perform the following steps to configure the Splunk Attack Analyzer Connector for Splunk SOAR.

Prerequisite

Access to a Splunk Attack Analyzer API key. See Create and manage API keys in Splunk Attack Analyzer.

Steps

  1. From Splunk SOAR, select Apps, then Unconfigured Apps, then search for Splunk Attack Analyzer and select Configure new asset.

    Alternately, you can download the Splunk Attack Analyzer Connector for Splunk SOAR from Splunkbase and upload it to Splunk SOAR.

  2. From the Asset Info tab, enter information in the following fields. The Automation Broker field is not relevant for this connector.
    1. In the Asset name field, enter a name for the asset.
    2. In the Asset description field, enter a description for the asset.
    3. (Optional) In the Tags field, enter tags to associate information from this connector with certain playbooks.
    4. Select Save.
  3. Select the Asset Settings tab, and enter information in the following fields.
    1. In the API token from the app field, enter the API token from Splunk Attack Analyzer.
    2. (Optional) Specify the time range in hours that you want the connector to use. If no time range is specified, the default time range is the past 24 hours.
    3. Select Save.
  4. Select the Ingest Settings tab and configure how often you want the connector to poll Splunk Attack Analyzer for data.
    1. Select a Label to apply to objects from this source. Labels are used to categorize information and you can run a playbook against labels.
    2. Select either Manual or Interval polling from the drop-down menu. Select Interval and enter a polling time in minutes to have the connector poll Splunk Attack Analyzer at that interval. For example, enter 30 minutes to have the connector check Splunk Attack Analyzer for new data every 30 minutes. Or, select Manual and then Poll Now to have the connector poll for data immediately.
    3. Select Save.
  5. Select the Approval Settings tab to add or edit primary and secondary approvers for sending or ingesting data from Splunk Attack Analyzer.
  6. Select the Access Control tab to configure what users or roles have access to the Splunk Attack Analyzer connector.

After you configure the fields you need for the connector, select the Asset Settings tab and then Test Connectivity to verify that the connector is working.

Use the Splunk Attack Analyzer Connector for Splunk SOAR with Splunk Mission Control

You can run actions with the Splunk Attack Analyzer Connector for Splunk SOAR in Splunk Mission Control to use the functionality of Splunk Attack Analyzer to perform actions on data associated with incidents.

  1. Navigate to your Splunk Mission Control instance.
  2. From the Incident review page, select the incident you want to run an action on.
  3. Select the Automation tab, then Run action.
  4. Select By connector, then Splunk Attack Analyzer.
  5. Select the action that you want to run from the list. For example, select detonate URL to detonate a URL associated with this incident in Splunk Attack Analyzer.
    1. In the Select connector configuration field, select the name you entered during set up for the connector.
    2. Enter the URL you want to detonate in Splunk Attack Analyzer in the URL field.
    3. Select Run action.
      After the action completes, the automation results page appears with information about the action. If the action was successful, "success" appears in the Status column.
  6. (Optional) If you want to see more information about an action that you ran in Splunk Attack Analyzer, copy the Job ID from the automation results of the action and select Run action.
    1. Select By connector, then Splunk Attack Analyzer.
    2. Select the action you want to run from the list. For example, select get job summary to see the score associated with data you previously sent to Splunk Attack Analyzer.
    3. Paste the Job ID you previously copied in the job_ID field.
    4. (Optional) Enter a number of minutes in the Timeout field. Set a timeout if you want the action to stop waiting when the job has not completed within that period.
    5. Select Run action.

After the action completes, the automation results page appears with information on the data, such as the score of the URL from Splunk Attack Analyzer. See https://github.com/splunk-soar-connectors/splunkattackanalyzer on GitHub to learn more about supported actions with the Splunk Attack Analyzer connector and the parameters required to run them. You can also build a playbook in Splunk SOAR that automates detonating a file or URL and then sends the results to Splunk Mission Control. See Automate incident response with playbooks and actions in Splunk Mission Control in the Investigate and Respond to Threats in Splunk Mission Control manual.

Use the Splunk Attack Analyzer connector with Splunk SOAR

You can run actions with the Splunk Attack Analyzer Connector for Splunk SOAR in Splunk SOAR to use the functionality of Splunk Attack Analyzer to perform actions on data associated with notables.

  1. Navigate to your Splunk SOAR instance.
  2. Select the notable that you want to run an action on.
  3. Select Action, then By App, then Splunk Attack Analyzer.
  4. Select the action that you want to run from the list. For example, select detonate URL to detonate a URL associated with this notable in Splunk Attack Analyzer.
    1. Search for and select the name you created for the connector during the setup process. For example, "SAA".
    2. Enter the URL that you want to detonate in Splunk Attack Analyzer in the URL field.
    3. Select Save.
    4. Select Launch.
      After the action completes in Splunk Attack Analyzer, a results page appears with information about the action, such as the URL and Job ID.
  5. (Optional) If you want to see more information about an action that you ran in Splunk Attack Analyzer, select the Job ID from the results page of a previous action you ran, and then select the Run Action tab.
    1. Select the action you want to run from the list. For example, select get job summary to see the score associated with data you previously sent to Splunk Attack Analyzer.
    2. Search for and select the name you created for the connector during the setup process. For example, "SAA".
    3. (Optional) Enter a number of minutes in the Timeout field. Set a timeout if you want the action to stop waiting when the job has not completed within that period.
    4. Select Launch.

After the action completes, the results page appears with information on the data, such as the score of the URL from Splunk Attack Analyzer. See https://github.com/splunk-soar-connectors/splunkattackanalyzer on GitHub to learn more about supported actions with the Splunk Attack Analyzer Connector for Splunk SOAR and the parameters required to run them. You can also build a playbook in Splunk SOAR that automates detonating a file or URL and then sends the results to Splunk SOAR. See Create a new playbook in Splunk SOAR (Cloud) in the Build Playbooks with the Playbook Editor manual.
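Both procedures above chain the connector's detonate URL and get job summary actions, with the optional Timeout bounding how long the second one waits. The following Python is added here as an illustration and is not code from Splunk, from the connector repository or from this page. It performs the same two-step flow directly against the Splunk Attack Analyzer REST API with a polling loop that stops at the deadline. The base URL, the API key header name, the endpoint paths and the JSON field names (JobID, State, Score) are assumptions, not taken from this page; confirm them against the API documentation in Splunk Attack Analyzer before use. The HTTP layer sits behind a small transport callable so the workflow can be exercised offline with a constructed stub.

```python
"""Detonate a URL in Splunk Attack Analyzer, then poll the job summary with a
deadline. Added example, not Splunk's code. Endpoint paths, header name and
JSON field names are assumptions; check them against the SAA API docs."""
import json
import time
import urllib.request
from typing import Callable, Dict, List, Optional

# Placeholders: take the real base URL and header name from the Splunk Attack
# Analyzer API documentation. Both values below are assumptions.
API_BASE = "https://ATTACK-ANALYZER-API-HOST/v1"
API_KEY_HEADER = "X-API-KEY"

# A transport takes (method, path, json_body) and returns the decoded JSON
# response. Keeping HTTP behind this callable lets the workflow logic run
# offline against a stub.
Transport = Callable[[str, str, Optional[dict]], dict]


def http_transport(api_key: str, base: str = API_BASE) -> Transport:
    """Real transport using only the standard library (urllib)."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base + path, data=data, method=method)
        req.add_header(API_KEY_HEADER, api_key)   # key created in SAA (see Prerequisite)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())
    return send


def submit_url(transport: Transport, url: str) -> str:
    """Counterpart of the connector's 'detonate URL' action: returns the Job ID.
    The path and the JobID response field are assumed."""
    resp = transport("POST", "/jobs/urls", {"url": url})
    return str(resp["JobID"])


def wait_for_summary(transport: Transport, job_id: str, timeout_minutes: float,
                     poll_seconds: float = 30, clock=time.monotonic,
                     sleep=time.sleep) -> dict:
    """Counterpart of 'get job summary' with the Timeout field set: poll until
    the job reports a finished state, or raise TimeoutError once the deadline
    passes so an automation step does not hang on a job that never finishes.
    State values 'done'/'error' are assumed."""
    deadline = clock() + timeout_minutes * 60
    while True:
        summary = transport("GET", f"/jobs/{job_id}/summary", None)
        state = str(summary.get("State", "")).lower()
        if state in ("done", "error"):
            return summary
        if clock() >= deadline:
            raise TimeoutError(f"job {job_id} still '{state}' after {timeout_minutes} min")
        sleep(poll_seconds)


def detonate_and_score(transport: Transport, url: str, timeout_minutes: float = 10,
                       **poll_kwargs) -> Dict[str, object]:
    """Submit a URL and return its score once analysis finishes: the two actions
    a playbook chains together, with the wait bounded by the timeout."""
    job_id = submit_url(transport, url)
    summary = wait_for_summary(transport, job_id, timeout_minutes, **poll_kwargs)
    return {"job_id": job_id, "state": summary.get("State"), "score": summary.get("Score")}


# --- constructed stand-ins so the flow can be run and tested offline ---------

def stub_transport(states: List[str], score: int = 85) -> Transport:
    """Fake API: the POST returns a constructed Job ID, each GET walks through
    the given job states and repeats the last one forever."""
    queue = list(states)

    def send(method: str, path: str, body: Optional[dict]) -> dict:
        if method == "POST":
            return {"JobID": "job-0001"}  # constructed sample value
        state = queue.pop(0) if len(queue) > 1 else queue[0]
        return {"JobID": "job-0001", "State": state,
                "Score": score if state == "done" else None}
    return send


class FakeClock:
    """Virtual clock so sleeps advance time instantly in the demo and test."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clk = FakeClock()
    result = detonate_and_score(stub_transport(["pending", "inprogress", "done"]),
                                "https://example.invalid/sample", timeout_minutes=1,
                                poll_seconds=10, clock=clk.now, sleep=clk.sleep)
    print(result)  # {'job_id': 'job-0001', 'state': 'done', 'score': 85}
```

In a real run, pass http_transport(api_key) instead of the stub. A SOAR playbook invokes the connector actions rather than this code, but the deadline check here is what the Timeout field gives you: without it, a job that never reaches a finished state leaves the automation step waiting indefinitely.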

Last modified on 06 November, 2023

This documentation applies to the following versions of Splunk® Attack Analyzer: Current
