Splunk® Attack Analyzer

Detect and Analyze Threats with Splunk Attack Analyzer


About Splunk Attack Analyzer

Splunk Attack Analyzer, formerly TwinWave, is a cloud-based application that navigates complex attack chains to detect credential phishing and malware threats, generates actionable insights, and reduces the friction of repetitive manual tasks typically associated with investigating threats.

Use Splunk Attack Analyzer to perform the following tasks:

Splunk Attack Analyzer use cases

You can use Splunk Attack Analyzer for a variety of use cases when investigating potential security threats. Some of these use cases include the following:

  • Creating consistent Security Operations Center (SOC) triage processes.
  • Improving data review and analysis for security analysts.
  • Helping automate the user-reported phishing process.

Use Splunk Attack Analyzer to create consistent SOC triage processes

SOC analysts often lack a consistent triage process. Splunk Attack Analyzer addresses this by letting analysts submit potentially malicious data (such as URLs, files, or emails) directly to the product or through its API. Each submission is analyzed, relevant information is extracted, and the submission is given a score, which creates a common, repeatable triage process.

Use Splunk Attack Analyzer to improve incident review and analysis for security analysts

Analysts who respond to security threats often use disparate tools to investigate them, and because of that variety they might reach different conclusions about whether a security incident needs investigation. Splunk Attack Analyzer combines data generated across various systems into one product. When analysts submit potential security threats to Splunk Attack Analyzer, the same processes are used every time to analyze the submission and extract relevant information, which helps organize and standardize analysts' approach to incident review. This lets analysts spend their time on review and analysis instead of on organizing and generating data.

Use Splunk Attack Analyzer to add automation to the user-reported phishing process

Many people have become more aware of phishing as a security threat, and more organizations have added plugins to their company email tools to make it easier for users to report suspicious emails. Because reporting is easy, the volume of reported potential phishing emails has increased, which can make it difficult for analysts using manual processes or tools to keep up with investigating them. Also, most user-reported phishing emails contain URLs or files that could be malicious but are difficult to investigate without downloading the file or visiting the website. Splunk Attack Analyzer has an email gateway that allows automatic forwarding of user-reported phishing emails to Splunk Attack Analyzer. When these emails are sent to Splunk Attack Analyzer, the attachments and URLs are automatically analyzed and the relevant information is extracted, allowing analysts to spend more time reviewing and analyzing security incidents.

Last modified on 28 September, 2023

This documentation applies to the following versions of Splunk® Attack Analyzer: Current
