Splunk® Attack Analyzer

Detect and Analyze Threats with Splunk Attack Analyzer

Get started with Splunk Attack Analyzer

To access Splunk Attack Analyzer, your system administrator must provide you with an account username and password. After you receive your username and password, you can log in to Splunk Attack Analyzer and change your password. To change your password, follow these steps:

  1. Log in to Splunk Attack Analyzer.
  2. Select your username, then select Change Password from the drop-down menu.
    An email is sent to your inbox with instructions for changing your password.
  3. From the password reset email, select Reset Password.
  4. Enter a new password. Passwords must be at least 8 characters in length and contain at least 3 of the following character types: lowercase letters, capitalized letters, numbers, and special characters.
  5. Select the arrow to save your changes and reset your password.

If your password has been reset successfully, a success message appears.

Splunk Attack Analyzer supports single sign-on (SSO). If you want to set up SSO, contact Splunk Support with details on your SSO provider.

Splunk Attack Analyzer components

The main components of Splunk Attack Analyzer each play a role in detecting threats and generating actionable insights. Some of these components are present in other Splunk security software.

| Component | Description |
| --- | --- |
| Resource | The item or items being analyzed. Anything submitted to Splunk Attack Analyzer for analysis qualifies as a resource. Additional resources might be discovered during the analysis process and can be added to the original resource for analysis. |
| Job | Once a resource has been submitted for analysis, a job is created. A job contains the analysis for the initial resource as well as any other resources that were discovered during analysis. A job ID is a unique identifier for a job. Once a job is complete, a set of consolidated forensics is generated. |
| Engine | An engine is a microservice that specializes in processing a specific item. A job contains one or more engines. An engine is associated with a set of analysis tasks. For example, the URL Reputation engine contains tasks that check a URL against configured URL reputation services such as Google Safe Browsing. A resource can be submitted to one or more engines for analysis. |
| Task | A specific run of an engine for a particular resource. For example, when the URL Reputation engine is run for a given resource, that analysis has a task ID associated with it. Each task has summary data, and also might include normalized forensics data. Normalized forensic data includes the information that was generated by the task. |
| Normalized forensics | When analysis is completed by an engine, the results of that analysis are normalized into a standard Splunk Attack Analyzer forensics format. Some fields generated by the engine might not be converted into this format. |
| Raw forensics | Raw forensics include all fields returned by the engine in the engine-specific format. Some of these fields are mapped to normalized forensics. The structure and location of the same field might be different for raw forensics than for normalized forensics. |
| Score | Some engines generate scores as part of their analysis. Scores are generated by adding up the values of the detections from each engine. The task with the highest score is promoted to the overall score of the job. Scores are on a 0 to 100 scale and are returned by the engine once the engine has completed analysis for a given resource. A score of 0 means no sign of maliciousness, while a score of 100 indicates a high degree of maliciousness. Scores also have a color associated with the number ranges: 0 to 49 is green, 50 to 74 is yellow, 75 to 100 is red. |

Last modified on 17 December, 2024

This documentation applies to the following versions of Splunk® Attack Analyzer: Current

