About Splunk Attack Analyzer
Splunk Attack Analyzer, formerly TwinWave, is a cloud-based application that navigates complex attack chains to detect credential phishing and malware threats, generates actionable insights, and reduces the friction of repetitive manual tasks typically associated with investigating threats.
Use Splunk Attack Analyzer to perform the following tasks:
Splunk Attack Analyzer use cases
You can use Splunk Attack Analyzer for a variety of use cases when investigating potential security threats. Some of these use cases include the following:
- Creating consistent Security Operations Center (SOC) triage processes.
- Improving data review and analysis for security analysts.
- Helping automate the user-reported phishing process.
Use Splunk Attack Analyzer to create consistent SOC triage processes
SOC analysts often lack consistency in their triage processes. Splunk Attack Analyzer helps solve this problem because security analysts can submit potentially threatening data directly to Splunk Attack Analyzer. Data submitted directly to Splunk Attack Analyzer, or through the API, is then analyzed, has relevant information extracted, and is given a score. This creates a common, repeatable triage process.
Use Splunk Attack Analyzer to improve incident review and analysis for security analysts
Analysts who respond to security threats often use disparate tools to investigate them. Because of this variety of tools, they might reach different conclusions as to whether a security incident needs investigation. Splunk Attack Analyzer combines data generated across various systems into one product. Also, when analysts submit potential security threats to Splunk Attack Analyzer, the same processes are used every time to analyze the submission and extract relevant information, helping organize and standardize analysts' approach to incident review. Splunk Attack Analyzer lets analysts spend their time on review and analysis instead of on organizing and generating data.
Use Splunk Attack Analyzer to add automation to the user-reported phishing process
Many people have become more aware of phishing as a security threat, and more organizations have added plugins to their company email tools to make it easier for users to report suspicious emails. Because reporting is easy, the volume of reported potential phishing emails has increased, which can make it difficult for analysts using manual processes or tools to keep up with investigating these emails. Also, most user-reported phishing emails contain URLs or files that could be malicious but are difficult to investigate without downloading the file or visiting the website. Splunk Attack Analyzer has an email gateway that allows automatic forwarding of user-reported phishing emails to Splunk Attack Analyzer. When these emails are sent to Splunk Attack Analyzer, the attachments and URLs are automatically analyzed and the relevant information extracted, allowing analysts to spend more time reviewing and analyzing security incidents.
Understanding tags in Splunk Attack Analyzer
Splunk Attack Analyzer applies system tags to jobs so that you can search for jobs in certain categories and use the results to guide your analysis. A system tag is added to a job that fits any of the following categories:
| System tag | Description |
|---|---|
| Password Not Cracked | Identifies jobs where the password wasn't cracked. |
| File too large | Identifies jobs where files weren't detonated in the sandbox because they were too large. |
| Terminal Login | Identifies jobs where Splunk Attack Analyzer stopped at a login page. |
| Phishing Simulation | Identifies jobs where Splunk Attack Analyzer detected phishing simulations and didn't follow URLs. |
You can search for jobs with these tags to help guide your analysis. For more information on search, see Search in Splunk Attack Analyzer.
If a job tagged Phishing Simulation was ingested into Splunk Attack Analyzer, the tag might indicate that something in your configuration, such as your SOAR configuration, is broken.
This documentation applies to the following versions of Splunk® Attack Analyzer: Current