Splunk® Attack Analyzer

Detect and Analyze Threats with Splunk Attack Analyzer

Use manual submission to get data into Splunk Attack Analyzer

You can get data into Splunk Attack Analyzer by manually submitting it in the Splunk Attack Analyzer app.

By default, Splunk Attack Analyzer retains data for 180 days after which it is deleted. If you want to retain data for a longer period of time, before the data is deleted you can use the Splunk Add-on for Splunk Attack Analyzer or the Splunk Attack Analyzer APIs to store data in the Splunk platform or another SIEM tool you might be using. See the User Guide for the Splunk Add-on for Splunk Attack Analyzer and the API documentation in Splunk Attack Analyzer for more information.

Basic submission

When you first log in to Splunk Attack Analyzer, the Basic tab is open by default. You might want to use the Basic tab if you don't want to change any of the default analysis options provided by Splunk Attack Analyzer. To submit data for analysis using the Basic tab, follow these steps:

  1. From the Basic tab, enter or paste a URL into the search bar. You can paste up to 25 URLs in this field.

    You must enter a protocol, such as http or https at the start of a URL.

  2. To submit a file for analysis, either drag and drop your file, or select the Choose a file button.
    1. Select a file to upload. The maximum file size accepted by Splunk Attack Analyzer is 500 MB.
    2. Select Open.
  3. Select Submit.

After you submit a file or URL for analysis, see Recent Submissions to view the scores given to the data by the Splunk Attack Analyzer engines. Scores are on a 0 to 100 scale and are returned by the engine after the engine has completed analysis for a given resource. A score of 0 indicates no indication of maliciousness, while a score of 100 indicates a high degree of maliciousness. To learn more about analyzing threat detection results, see Analyze completed jobs with Splunk Attack Analyzer.

Advanced submission

You might want to use the Advanced tab if you want to configure settings for the analysis of the URL or file. To submit data for analysis using the Advanced tab, follow these steps:

  1. Select the Advanced tab and enter or paste a URL into the search bar. You can paste up to 25 URLs in this field.

    You must enter a protocol, such as http or https at the start of a URL.

  2. To submit a file for analysis, either drag and drop your file, or select Choose a file and then select a file to upload. The maximum file size accepted by Splunk Attack Analyzer is 500 MB.
  3. (Optional) Configure the Optional Parameters for a file or URLs.
  4. (Optional) Toggle the Decode rewritten URLs off. By default URLs from services that rewrite URLs in emails are rewritten so that they are not processed by the third-party sandbox, potentially preventing analysis of the malicious URL.
  5. (Optional) Toggle Allow Internet access off so that the URLs or files can't download and run payloads.
  6. (Optional) Enter an Archive/Document password. By default when given an email or web page, Splunk Attack Analyzer looks for passwords that might be useful in future processing of downloaded items such as password-protected archives or password-protected documents. If you are submitting a password-protected archive or document directly, enter the password to the item here.
  7. (Optional) Configure the Web Analyzer Parameters for a file or URLs.
    1. Set the Internet Region to another location if you want to use a different internet region. The Default option is the U.S. residential IP space.
    2. Set the User Agent to identify the browser as a different device. Both mobile and desktop options are available, as well as custom user defined strings.
  8. (Optional) Select the engines that you want to be involved in the analysis from Engine Selection. For more information about Splunk Attack Analyzer engines, see How Splunk Attack Analyzer engines and integrations with third-party engines help detect threats.
  9. Select Submit.

After you submit a file or URL for analysis, see Recent Submissions to view the scores given to the data by the Splunk Attack Analyzer engines. Scores are on a 0 to 100 scale and are returned by the engine after the engine has completed analysis for a given resource. A score of 0 indicates no indication of maliciousness, while a score of 100 indicates a high degree of maliciousness. To learn more about analyzing threat detection results, see Analyze completed jobs with Splunk Attack Analyzer.

Interactive submission

You can use interactive submission to interact with URLs or files that you submit to Splunk Attack Analyzer.

Interactive Web

Use the Interactive Web tab to submit a URL or HTML file and interact with it within a virtual web browser hosted by Splunk Attack Analyzer. The Interactive Web tab is useful for dealing with data that you need to investigate manually, such as solving a CAPTCHA.

To use the Interactive Web tab, follow these steps:

  1. Select the Interactive Web tab and enter or paste a URL into the search bar.

    You must enter a protocol, such as http or https at the start of a URL.

  2. To submit an HTML file for analysis, either drag and drop your file, or select Choose a file and select an HTML file to upload. The maximum file size accepted by Splunk Attack Analyzer is 500 MB.
  3. (Optional) Select the Internet Region you want to use to access the URL or file. By default, US Residential is used.
  4. (Optional) Select the User Agent you want to use to access the URL or file.
  5. Select Launch Session.
    A browser opens that is separate from your host. You can interact with the website or HTML file, and the engine automatically takes screenshots at key points in time. For example, a screenshot is taken when a new page loads. A five minute countdown timer shows how much time you have remaining in the session.
    1. (Optional) Select Add 5 minutes to add 5 additional minutes to your session.
    2. (Optional) Select the Take Screenshot button to take a screenshot manually.
  6. Select End Session to end the session and to send the data to Splunk Attack Analyzer for analysis.

A job page opens that shows the score of the website, files, and documents when the analysis is complete.

Interactive Sandbox

Use the Interactive Sandbox tab to submit a URL or file and interact with it within a selected time frame in a virtual machine. The Interactive Sandbox tab is a safe location to detonate malware or other potentially malicious files. To use this tab, follow these steps:

  1. Select the Interactive Sandbox tab and enter or paste a URL into the search bar.

    You must enter a protocol, such as http or https at the start of a URL.

  2. To submit a file for analysis, either drag and drop your file, or select Choose a file and select a file to upload. The maximum file size accepted by Splunk Attack Analyzer is 500 MB.
  3. (Optional) Select the OS Version you want to use to access the URL or file.
  4. (Optional) Select the Web Browser you want to use to access the URL or file.
  5. (Optional) Select the Session Duration you want to use the sandbox for. The maximum length of time for a session is 15 minutes.
  6. Select Launch Session.
    A virtual machine opens where you can navigate to the URL or file.
  7. Either wait for the session time you chose to complete, or select End Session to end the session manually and to send the data to Splunk Attack Analyzer for analysis.

A job page opens that shows the score of the website, files, and documents when the analysis is complete.

As a best practice, use Interactive Sandbox to detonate malware or other potentially malicious files. For phishing content detection, use Interactive Web instead. Interactive Sandbox renders phishing URLs for viewing but doesn't launch the corresponding phishing detections which can lead to artificially low scores for phishing pages.

Learn more

To learn more about submitting URLs and files to Splunk Attack Analyzer, watch this video on Submitting URLs and Files to Attack Analyzer.

Last modified on 27 November, 2024
Use the Splunk Attack Analyzer API to get data into Splunk Attack Analyzer   Connect Splunk Attack Analyzer with Splunk SOAR and Splunk Mission Control

This documentation applies to the following versions of Splunk® Attack Analyzer: Current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters