Splunk® Attack Analyzer

Detect and Analyze Threats with Splunk Attack Analyzer

How Splunk Attack Analyzer engines and integrations with third-party engines help detect threats

When a URL or file is submitted to Splunk Attack Analyzer, many different microservices, called engines, are used by Splunk Attack Analyzer to detect if the URL or file is potentially malicious. From Splunk Attack Analyzer, you can select Recent and then select the entry for the recent file or URL you submitted to see what engines analyzed the data. To learn more about submitting URLs and files to Splunk Attack Analyzer, see Get data into Splunk Attack Analyzer.

Engines included in Splunk Attack Analyzer

The following engines are included in Splunk Attack Analyzer.

Engine Description
URL Reputation The URL Reputation engine uses a variety of reputation sources to check whether or not a domain or URL might have previously hosted malicious content. This engine gives a score for the data. If a score seems too high or too low, select Send Feedback to add your feedback. Also, if you have a VirusTotal API key with sufficient quota, you can provide it to your Splunk Attack Analyzer account team so that you can also check URLs or files against VirusTotal.

Splunk Attack Analyzer doesn't submit information directly to VirusTotal, but instead queries VirusTotal for prior analyses of a file hash or URL.

Web Analyzer The Web Analyzer engine is an automated and instrumented web browser that navigates to websites to analyze the content on the page. Web Analyzer gathers the relevant information and sends it to Splunk Attack Analyzer. Website traffic is captured in a HAR archive or PCAP file. Select the navigational menu from a task that used Web Analyzer to download either the HAR archive or PCAP file.
Static Doc Analysis The Static Doc Analysis engine analyzes documents, HTML, images, and scripts. This engine often shows detections related to screenshots, macro code, and images that are associated with malicious docs. Metadata about the document is extracted and sent to Splunk Attack Analyzer. The engine also converts images, such as QR codes, to a link and resends the information to Splunk Attack Analyzer for analysis.
Static File Analysis The Static File Analysis engine analyzes files. This engine returns information such as file size, common hashes, EXIF metadata, icons, and PE data if it's a type of Microsoft Windows file. This engine also pulls out executable metadata and does some analysis and scoring of that metadata using a ML model. CAPA analysis is also run on the executables to determine the capabilities of the file. These capabilities are then linked to MITRE ATT&CK techniques.
Email Analyzer The Email Analyzer engine analyzes emails. This engine takes a screenshot of the email and pulls out message headers, text, and any attachments or URLs. You can select the Message Headers, Message Text Parts, Attachments, and URLs tabs to see more information about each of the message parts.
Archive Extraction The Archive Extraction engine extracts the data from archives and sends it to Splunk Attack Analyzer for analysis. If the archive is password protected, Splunk Attack Analyzer tries to bypass it with a custom brute force list or possible passwords from places like the Email Analyzer engine or the advanced submission tab. The Archive Extraction engine doesn't automatically apply detections, but all extracted data is sent to other engines for processing.
Splunk Attack Analyzer Sandboxes The Splunk Attack Analyzer Sandboxes take the URL or file provided to Splunk Attack Analyzer and run it in a virtual machine. The engines take screenshots of what happens while it runs, capturing network connections, files, processes, and so on. There are two separate Splunk Attack Analyzer sandboxes, one running Windows 7 and the other running Windows 10.
ClamAV The ClamAV engine returns detected signatures and gives a score to the signature.
YARA The YARA engine scans files against a YARA ruleset created by Splunk Attack Analyzer. The engine returns the YARA rules that are matched with the data and a score.

You can provide any additional YARA rules you want to use to your Splunk Attack Analyzer account team.

Optional third-party integrations

You can optionally configure the following third-party services in Splunk Attack Analyzer. See the following table for integration requirements.

Engine Description Integration requirements
Falcon/FalconX The Falcon/FalconX engine submits files for analysis to Falcon/FalconX. To use this engine, provide your Falcon/FalconX API key to your Splunk Attack Analyzer account team.
FireEye The FireEye sandbox submits files for analysis to FireEye. To use this engine, provide your FireEye username, password, and endpoint URL to your Splunk Attack Analyzer account team.
Hatching.io Triage The Hatching.io Triage engine submits files and URLs for analysis to Hatching.io Triage. To use this engine, provide your Hatching.io Triage API key to your Splunk Attack Analyzer account team.
Hybrid Analysis The Hybrid Analysis engine submits files for analysis to Hybrid Analysis.

Hybrid Analysis submissions are public.

To use this engine, provide your Hybrid Analysis API key to your Splunk Attack Analyzer account team.
Intezer The Intezer engine submits files for analysis to Intezer. To use this engine, provide your Intezer API key to your Splunk Attack Analyzer account team.
VirusTotal The VirusTotal engine checks files or URLs against VirusTotal. In Splunk Attack Analyzer, you can see what VirusTotal engines detected that the information might be malicious. If information is found, you can select the VirusTotal link to navigate directly to VirusTotal to learn more.

Splunk Attack Analyzer doesn't submit information directly to VirusTotal, but instead queries VirusTotal for prior analyses of a file hash or URL.

To use this engine, provide your VirusTotal API key with sufficient quota to your Splunk Attack Analyzer account team.
VMRay The VMRay engine submits files and URLs for analysis to VMRay. To use this engine, provide the following to your Splunk Attack Analyzer account team:
  • VMRay API key
  • (Optional) Endpoint URL
Wildfire The Wildfire engine submits files and URLs for analysis to Wildfire. To use this engine, provide the following to your Splunk Attack Analyzer account team:
  • Wildfire API key
  • (Optional) Endpoint URL

Learn more

To learn more about Splunk Attack Analyzer engines, watch this video on Attack Analyzer Engines.

Last modified on 03 August, 2023
Connect Splunk Attack Analyzer with Splunk SOAR and Splunk Mission Control   Analyze completed jobs with Splunk Attack Analyzer

This documentation applies to the following versions of Splunk® Attack Analyzer: Current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters