What's new in Splunk Attack Analyzer
Splunk Attack Analyzer releases continuously. This list periodically updates with the latest functionality and changes to Splunk Attack Analyzer.
November 27, 2024
New feature
|
Description
|
Additional time for Interactive Web sessions |
The default session length for Interactive Web increased to 5 minutes. You can also now select the Add 5 minutes button to add an additional 5 minutes to your session. See Interactive Web for more information.
|
ISO 27001 certification |
Splunk Attack Analyzer is now ISO 27001 certified. ISO 27001 is an internationally recognized standard that shows our commitment to data security and privacy.
|
November 21, 2024
New feature
|
Description
|
Third-party integration with ReversingLabs A1000 |
The ReversingLabs A1000 engine provides static analysis for files that are submitted to Splunk Attack Analyzer. The result of the analysis contributes to the overall Job score. For information on integration requirements, see Optional third-party integrations.
|
Third-party integration with Cisco Secure Malware Analytics |
The Cisco Secure Malware Analytics engine helps analyze suspicious files and behavior in a secure sandbox environment. For information on integration requirements, see Optional third-party integrations.
|
Internet region country expansion |
Portugal and Switzerland are now available internet regions on the Advanced and Interactive Web tabs.
|
QR code parsing improvements |
Splunk Attack Analyzer is now able to scan and follow non-standard QR codes, such as microdot and random ASCII character QR codes.
|
Static AV engine |
The new static AV engine helps to improve malware detection.
|
October 9, 2024
New feature
|
Description
|
System tags |
System tags are added to jobs in Splunk Attack Analyzer that fit into any of the following categories: Password Not Cracked, Phishing Simulation, File too large, and Terminal Login. In the future, more tags might be added. You can search for jobs with these tags to help guide your analysis. For more information on system tags, see Understanding tags in Splunk Attack Analyzer. For more information on searching system tags, see Search in Splunk Attack Analyzer.
|
Verdict |
Once job analysis is completed in Splunk Attack Analyzer, if a job receives a verdict of malware or phish it is listed by the job score.
|
September 9, 2024
New feature
|
Description
|
Reanalyze resources from the job page |
You can now resubmit individual resources from the job page using the Resubmit button in the Resource Summary tab for any of the resources. Resubmit allows you to reanalyze the resource using a different internet region or user agent. Additionally, when resubmitting at the job level, you can now customize parameters for the reanalysis such as internet region and user agent. See Analyze completed jobs with Splunk Attack Analyzer for more information.
|
Launch an interactive session for a resource from the job page |
You can now use the Interactive button on the job page to launch an interactive session at the job level, or in the Resource Summary tab on the job page to launch an interactive session for any of the resources. This allows you to easily pivot to interactive sessions from the job page, where previously these could only be launched from the Interactive Web or Interactive Sandbox tabs on the Splunk Attack Analyzer home page. See Analyze completed jobs with Splunk Attack Analyzer for more information.
|
August 28, 2024
New feature
|
Description
|
Search criteria for email fields |
When submitting emails to Splunk Attack Analyzer for analysis, you can now use common email headers such as "To:", "CC:", "From:", and so on as part of the search criteria. Only submissions made post the release of this feature in August 2024 will be searchable using this criteria.
|
July 19, 2024
New feature
|
Description
|
URL Reputation engine is now integrated with Cisco Talos |
Splunk Attack Analyzer now enriches all URLs submitted to the URL reputation engine with intelligence from Cisco Talos in addition to other URL reputation sources. This provides better coverage within Attack Analyzer to detect threats that may have been taken down at the time of analysis but were previously active.
|
June 6, 2024
New feature
|
Description
|
Resource-centric view feature |
Attack Analyzer now supports a default resource-centric view rather than a task-centric or engine-centric view. Selecting a resource either on the resource-tree or on the resource header in the side navigation gives you a consolidated view of all the relevant details about a resource across the various engines. This reduces the need to select individual engine tasks as all the relevant details are already available at a resource level. This improves the user experience by reducing the need to be task or engine aware when consuming Attack Analyzer insights. Task-level views can still be accessed by clicking on specific engine tasks as available previously.
|
Web Analyzer internet regions |
The list of locations that the Web Analyzer engine can analyze an item from has been expanded. You can now choose from 50 countries and analyze the item based on that selected country through a specialized IP to designate location and help improve the success rates of rendering geofenced threats. See API documentation for more details.
|
April 30, 2024
New feature
|
Description
|
Interactive Sandbox default browser |
You can now select a default browser for all links launched by the Interactive Sandbox, rather than just the initial browser the URL for the interactive sandbox is launched with.
|
Web Analyzer QR code and OCR support |
The Web Analyzer engine is now able to analyze QR codes and has improved OCR support.
|
March 26, 2024
New feature
|
Description
|
New regional availability |
Splunk Attack Analyzer is now available in the London, Frankfurt, and Sydney regions.
|
March 8, 2024
New feature
|
Description
|
Drag and drop files to upload |
You can now drag and drop files to upload them to Splunk Attack Analyzer.
|
February 28, 2024
New feature
|
Description
|
Interactive web countdown timer |
A three minute countdown timer now shows how much time you have remaining in the session. See Interactive submission for more information on Interactive web.
|
New key for Get Job Summary API |
A new key, "AppURL", has been added to the Get Job Summary API response. This key contains a link to the Splunk Attack Analyzer page for the job.
|
January 9, 2024
New feature
|
Description
|
Interactive Web v2 |
Use the Interactive Web v2 tab to submit a URL or HTML file and interact with it within a virtual web browser hosted by Splunk Attack Analyzer. Interactive Web v2 has similar functionality to Legacy Interactive Web but contains improved website rendering, improved user interface performance including the ability to drag and drop draggable elements, improved resilience to CAPTCHA loops, and is close to parity with detections on Web Analyzer including support for JavaScript event hooking, data URI capture and so on. Additionally, you can select the Internet Region you want to use to access a website. Legacy Interactive Web will eventually be replaced by Interactive Web v2. See Interactive Web v2 in the Detect and Analyze Threats with Splunk Attack Analyzer manual.
|
Artifact Downloads |
Use the Artifact Downloads tab visible on the Consolidated job view to gather more information about submitted URLs or files. From this tab, you can download the PCAP or original HAR files where available. See Analyze completed jobs with Splunk Attack Analyzer in the Detect and Analyze Threats with Splunk Attack Analyzer manual.
|
November 6, 2023
New feature
|
Description
|
Create and manage API keys |
As an administrator, you can create and manage API keys in Splunk Attack Analyzer to use the API to get data into Splunk Attack Analyzer. Common API integrations include connecting Splunk Attack Analyzer with Splunk SOAR and Splunk Mission Control and connecting the Splunk Add-on for Splunk Attack Analyzer to index job and forensic data from Splunk Attack Analyzer to the Splunk platform. See Create and manage API keys in Splunk Attack Analyzer in the Detect and Analyze Threats with Splunk Attack Analyzer manual.
|
User interface performance improvements |
Splunk Attack Analyzer now loads up to 25 percent faster.
|
QR code improvements |
Splunk Attack Analyzer now follows all QR codes with a mobile user agent.
|
September 27, 2023
New feature
|
Description
|
Create and assign user roles |
As an administrator, you can create users and assign users to roles to manage their access to functionality and data in Splunk Attack Analyzer. See Manage roles and permissions for users of Splunk Attack Analyzer in the Detect and Analyze Threats with Splunk Attack Analyzer manual.
|
Support for .ace files in Archive Extractor |
Archive Extractor now supports the extraction of .ace files for evaluation or inspection.
|
August 11, 2023
The following table lists the new features included in this release of Splunk Attack Analyzer:
New feature
|
Description
|
Interactive sandbox browser choice |
You can now select the browser you want Interactive Sandbox to use to access your submitted content. See Interactive Sandbox in the Detect and Analyze Threats with Splunk Attack Analyzer manual.
|
Improvements to CHM file extraction |
Splunk Attack Analyzer now extracts potentially malicious files attached to .chm files for analysis and inspection.
|
July 28, 2023
The following table lists the new features included in this release of Splunk Attack Analyzer:
New feature
|
Description
|
Sandbox naming convention update |
The name of the TwinWave Sandbox (win7) was updated to Windows 7 Sandbox and the name of the associated former JSON key twinwave_cuckoo was updated to sandbox_win7. The name of the TwinWave Sandbox (win10) was updated to Windows 10 Sandbox and the name of the associated former JSON key twinwave_cuckoo_win10 was updated to sandbox_win10.
This has no immediate impact on your integrations. However, note the following:
|
Improved URL detection from images |
Splunk Attack Analyzer has improved optical character recognition (OCR) capabilities to provide improved URL extraction from images. This can improve smishing detection when mobile device messages are submitted as screenshots to Splunk Attack Analyzer.
|
July 17, 2023
Splunk Attack Analyzer, formerly TwinWave, is a cloud-based application that navigates complex attack chains to detect credential phishing and malware threats, generates actionable insights, and reduces the friction of repetitive manual tasks typically associated with investigating threats.
Use Splunk Attack Analyzer to perform the following tasks:
Feedback submitted, thanks!