Splunk® Attack Analyzer

Detect and Analyze Threats with Splunk Attack Analyzer

Search in Splunk Attack Analyzer

You can search for information that either you or your organization have sent to Splunk Attack Analyzer. You can search for specific keywords, verdicts, scores, and so on. To search in Splunk Attack Analyzer, follow these steps:

  1. From Splunk Attack Analyzer, navigate to search by selecting Search from the menu.
  2. Use the default option, Resource, to search resources such as files or URLs, or select Resource or Forensics to search both. Forensics are the data generated from completed jobs in Splunk Attack Analyzer.
  3. Select what type of data you want to search for from the drop-down menu. Available options are various file types, URLs, or tags.
  4. Select the type of search you want to perform.
    1. The default search type, includes keyword, tokenizes the items you're searching for, removing special characters and matching on word boundaries.
    2. The equals search type looks for exact matches, such as an exact IP address.
    3. The contains substring search type differs from the includes keyword search type in that it matches your search query anywhere in the returned strings, whereas includes keyword matches only on word boundaries.
    4. The starts with and ends with search types are substring searches that match either the beginning or the end of the string you are searching for.
  5. (Optional) Enter the keyword or string you want to search for in the Filename field.
  6. (Optional) Select Tag from the drop-down menu and enter a tag you want to search for. For more information on available tags, see Understanding tags in Splunk Attack Analyzer.

    Use underscores in place of spaces when entering the tag you want to search for. For example, password_not_cracked or file_too_large.

  7. (Optional) Select a score range to look for results with a specific score.
  8. (Optional) Select a Verdict from the drop-down menu to filter the results based on whether the verdict was malware, spam, or phishing.
  9. (Optional) Select an API Key from the drop-down menu to filter results based on what API key was used.
  10. (Optional) Enter a name or email address in the Submitted by field to filter results based on the user or process that submitted the data.
  11. (Optional) Select a Timeframe from the drop-down menu to filter results in a specific timeframe. Select Custom to select a specific start and end date for the search.

    These results can be impacted by the data retention policy of your organization.

  12. Select Search.

If your search returned results, you can view the results in the Search Results table.
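The differences between the search types in step 4 are easiest to see on sample data. The following Python script is an added illustration, not Splunk code, and it approximates the documented behaviour: includes keyword is modelled as splitting both the query and the resource string on non-alphanumeric characters and requiring every query token to appear as a whole token (case handling is an assumption), while equals, contains substring, starts with and ends with are plain string comparisons. The resource strings are constructed examples, not output from Splunk Attack Analyzer.

```python
import re

# Constructed sample of resource strings (filenames, a URL, IP addresses) that
# stand in for search results. They are not data from Splunk Attack Analyzer.
SAMPLE_RESOURCES = [
    "invoice_2024.pdf",
    "invoice-2024-final.docx",
    "reinvoice.exe",
    "http://example.test/login/invoice",
    "10.0.0.1",
    "10.0.0.10",
]


def tokenize(text):
    """Split on runs of non-alphanumeric characters and lowercase the result.

    This approximates 'removing special characters and matching on word
    boundaries'; the product's exact tokenizer is not documented here.
    """
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", text) if t]


def includes_keyword(value, query):
    # Every token of the query must appear as a whole token of the value, so
    # "invoice" does not match "reinvoice.exe".
    query_tokens = tokenize(query)
    value_tokens = set(tokenize(value))
    return bool(query_tokens) and all(t in value_tokens for t in query_tokens)


def equals(value, query):
    # Exact match only, e.g. an exact IP address.
    return value == query


def contains_substring(value, query):
    # Matches anywhere in the string, ignoring word boundaries.
    return query in value


def starts_with(value, query):
    return value.startswith(query)


def ends_with(value, query):
    return value.endswith(query)


# Search type names as they appear in the documentation, mapped to matchers.
SEARCH_TYPES = {
    "includes keyword": includes_keyword,
    "equals": equals,
    "contains substring": contains_substring,
    "starts with": starts_with,
    "ends with": ends_with,
}


def search(resources, search_type, query):
    """Return the resources that match the query under the given search type."""
    matcher = SEARCH_TYPES[search_type]
    return [r for r in resources if matcher(r, query)]


if __name__ == "__main__":
    for search_type in SEARCH_TYPES:
        print(f"{search_type!r} 'invoice':", search(SAMPLE_RESOURCES, search_type, "invoice"))
    # The equals/contains distinction matters for IP addresses: "10.0.0.1" as a
    # substring also matches "10.0.0.10".
    print("equals '10.0.0.1':", search(SAMPLE_RESOURCES, "equals", "10.0.0.1"))
    print("contains substring '10.0.0.1':", search(SAMPLE_RESOURCES, "contains substring", "10.0.0.1"))
```

Running the script shows why the documentation singles out equals for IP addresses: a contains substring search for 10.0.0.1 also returns 10.0.0.10, while includes keyword and contains substring disagree on reinvoice.exe because the former only matches whole tokens.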


Learn more

To learn more about searching in Splunk Attack Analyzer, watch this video on Searching in Attack Analyzer.

Last modified on 09 October, 2024

This documentation applies to the following versions of Splunk® Attack Analyzer: Current

