Get data into Splunk Attack Analyzer
As a user of Splunk Attack Analyzer, you can ingest data into the application using email, the Splunk Attack Analyzer API, manual submission, and the Splunk Attack Analyzer connector.
- Use email to get data into Splunk Attack Analyzer
- Use the Splunk Attack Analyzer API to get data into Splunk Attack Analyzer
- Use manual submission to get data into Splunk Attack Analyzer
- Connect Splunk Attack Analyzer with Splunk SOAR and Splunk Mission Control
By default, Splunk Attack Analyzer retains data for 180 days after which it is deleted. If you want to retain data for a longer period of time, before the data is deleted you can use the Splunk Add-on for Splunk Attack Analyzer or the Splunk Attack Analyzer APIs to store data in the Splunk platform or another SIEM tool you might be using. See the User Guide for the Splunk Add-on for Splunk Attack Analyzer and the API documentation in Splunk Attack Analyzer for more information.
File types supported by Splunk Attack Analyzer
Splunk Attack Analyzer accepts all file types submitted for analysis and there are no restrictions on submissions by extension. Every file submitted is subject to anti-virus checks, static file analysis, and YARA rules. Certain file types are sent to the following engines for analysis:
| File type | Engines |
|---|---|
| Emails | Email Analyzer |
| Web files such as HTML, HTA, SVGs | Web Analyzer |
| Documents such as images and PDFs | Static Document Analyzer, Windows Sandboxes |
| Files requiring windows execution such as executables, scripts, and archives | Windows Sandboxes |
For more information on Splunk Attack Analyzer engines, see Engines included in Splunk Attack Analyzer.
| Get started with Splunk Attack Analyzer | Use email to get data into Splunk Attack Analyzer |
This documentation applies to the following versions of Splunk® Attack Analyzer: Current
Download manual
Feedback submitted, thanks!