How Splunk Attack Analyzer engines and integrations with third-party engines help detect threats
When a URL or file is submitted to Splunk Attack Analyzer, many different microservices, called engines, are used by Splunk Attack Analyzer to detect if the URL or file is potentially malicious. From Splunk Attack Analyzer, you can select Recent and then select the entry for the recent file or URL you submitted to see what engines analyzed the data. To learn more about submitting URLs and files to Splunk Attack Analyzer, see Get data into Splunk Attack Analyzer.
Engines included in Splunk Attack Analyzer
The following engines are included in Splunk Attack Analyzer.
Engine | Description |
---|---|
URL Reputation | The URL Reputation engine uses a variety of reputation sources to check whether or not a domain or URL might have previously hosted malicious content. This engine gives a score for the data. If a score seems too high or too low, select Send Feedback to add your feedback. Also, if you have a VirusTotal API key with sufficient quota, you can provide it to your Splunk Attack Analyzer account team so that you can also check URLs or files against VirusTotal. Splunk Attack Analyzer doesn't submit information directly to VirusTotal, but instead queries VirusTotal for prior analyses of a file hash or URL. |
Web Analyzer | The Web Analyzer engine is an automated and instrumented web browser that navigates to websites to analyze the content on the page. Web Analyzer gathers the relevant information and sends it to Splunk Attack Analyzer. Website traffic is captured in a HAR archive or PCAP file. Select the navigational menu from a task that used Web Analyzer to download either the HAR archive or PCAP file. |
Static Doc Analysis | The Static Doc Analysis engine analyzes documents, HTML, images, and scripts. This engine often shows detections related to screenshots, macro code, and images that are associated with malicious docs. Metadata about the document is extracted and sent to Splunk Attack Analyzer. The engine also converts images, such as QR codes, to a link and resends the information to Splunk Attack Analyzer for analysis. |
Static File Analysis | The Static File Analysis engine analyzes files. This engine returns information such as file size, common hashes, EXIF metadata, icons, and PE data if it's a type of Microsoft Windows file. This engine also pulls out executable metadata and does some analysis and scoring of that metadata using a ML model. CAPA analysis is also run on the executables to determine the capabilities of the file. These capabilities are then linked to MITRE ATT&CK techniques. |
Email Analyzer | The Email Analyzer engine analyzes emails. This engine takes a screenshot of the email and pulls out message headers, text, and any attachments or URLs. You can select the Message Headers, Message Text Parts, Attachments, and URLs tabs to see more information about each of the message parts. |
Archive Extraction | The Archive Extraction engine extracts the data from archives and sends it to Splunk Attack Analyzer for analysis. If the archive is password protected, Splunk Attack Analyzer tries to bypass it with a custom brute force list or possible passwords from places like the Email Analyzer engine or the advanced submission tab. The Archive Extraction engine doesn't automatically apply detections, but all extracted data is sent to other engines for processing. |
Splunk Attack Analyzer Sandboxes | The Splunk Attack Analyzer Sandboxes take the URL or file provided to Splunk Attack Analyzer and run it in a virtual machine. The engines take screenshots of what happens while it runs, capturing network connections, files, processes, and so on. There are two separate Splunk Attack Analyzer sandboxes, one running Windows 7 and the other running Windows 10. |
ClamAV | The ClamAV engine returns detected signatures and gives a score to the signature. |
YARA | The YARA engine scans files against a YARA ruleset created by Splunk Attack Analyzer. The engine returns the YARA rules that are matched with the data and a score. You can provide any additional YARA rules you want to use to your Splunk Attack Analyzer account team. |
Optional third-party integrations
You can optionally configure the following third-party services in Splunk Attack Analyzer. See the following table for integration requirements.
Engine | Description | Integration requirements |
---|---|---|
Cisco SMA | The Cisco Secure Malware Analytics engine helps analyze suspicious files and behavior in a secure sandbox environment. | To use this engine, provide a hostname and your Cisco SMA API key to your Splunk Attack Analyzer account team. |
Falcon/FalconX | The Falcon/FalconX engine submits files for analysis to Falcon/FalconX. | To use this engine, provide your Falcon/FalconX API key to your Splunk Attack Analyzer account team. |
FireEye | The FireEye sandbox submits files for analysis to FireEye. | To use this engine, provide your FireEye username, password, and endpoint URL to your Splunk Attack Analyzer account team. |
Hatching.io Triage | The Hatching.io Triage engine submits files and URLs for analysis to Hatching.io Triage. | To use this engine, provide your Hatching.io Triage API key to your Splunk Attack Analyzer account team. |
Hybrid Analysis | The Hybrid Analysis engine submits files for analysis to Hybrid Analysis. Hybrid Analysis submissions are public. |
To use this engine, provide your Hybrid Analysis API key to your Splunk Attack Analyzer account team. |
Intezer | The Intezer engine submits files for analysis to Intezer. | To use this engine, provide your Intezer API key to your Splunk Attack Analyzer account team. |
ReversingLabs A1000 | The ReversingLabs A1000 engine provides static analysis for files that are submitted to Splunk Attack Analyzer. The result of the analysis contributes to the overall Job score. | To use this engine, provide a hostname and your ReversingLabs A1000 API key to your Splunk Attack Analyzer account team. |
VirusTotal | The VirusTotal engine checks files or URLs against VirusTotal. In Splunk Attack Analyzer, you can see what VirusTotal engines detected that the information might be malicious. If information is found, you can select the VirusTotal link to navigate directly to VirusTotal to learn more. Splunk Attack Analyzer doesn't submit information directly to VirusTotal, but instead queries VirusTotal for prior analyses of a file hash or URL. |
To use this engine, provide your VirusTotal API key with sufficient quota to your Splunk Attack Analyzer account team. |
VMRay | The VMRay engine submits files and URLs for analysis to VMRay. | To use this engine, provide the following to your Splunk Attack Analyzer account team:
|
Wildfire | The Wildfire engine submits files and URLs for analysis to Wildfire. | To use this engine, provide the following to your Splunk Attack Analyzer account team:
|
Learn more
To learn more about Splunk Attack Analyzer engines, watch this video on Attack Analyzer Engines.
Connect Splunk Attack Analyzer with Splunk SOAR and Splunk Mission Control | Analyze completed jobs with Splunk Attack Analyzer |
This documentation applies to the following versions of Splunk® Attack Analyzer: Current
Feedback submitted, thanks!