Splunk® Add-on for Splunk Attack Analyzer

User Guide

Search Splunk Attack Analyzer data in the Splunk platform

After you have installed and configured the Splunk Add-on for Splunk Attack Analyzer, you can search Splunk Attack Analyzer data using Splunk search capabilities in the Splunk platform. Use these searches to learn more about Splunk Attack Analyzer data. From the Splunk Add-on for Splunk Attack Analyzer, select Search to access Splunk search capabilities.

All searches on this page assume that the data has been indexed into an index named saa_data. Change the index to match the configuration of your environment.

Search for an individual job

To search for an individual job based on the job ID, use the following search.

index=saa_data sourcetype="splunk:aa:job" SAA_JOB_ID=<job-id>

Search for resources and tasks analyzed in an individual job

To search for the resources and tasks analyzed in an individual job based on the job ID, use the following search.

index=saa_data sourcetype="splunk:aa:job:task" SAA_JOB_ID=<job-id> | join type=left left=Task right=Resource where Task.ResourceID = Resource.ID [search index=saa_data sourcetype="splunk:aa:job:resource" SAA_JOB_ID=<job-id> | eval r_id = ID] | sort _time | table _time, Task.ID, Task.Engine, Resource.ID, Resource.Name, Task.Results.Score

Search for a detection run in an individual job

To search for a detection run in an individual job based on the job ID, use the following search.

index=saa_data sourcetype="splunk:aa:forensic:detections" SAA_JOB_ID=<job-id> | table Engines{}, Name, Description, Severity, Verdict

This search requires forensics data from Splunk Attack Analyzer to be ingested along with the job data; if forensics are not ingested, the splunk:aa:forensic:detections sourcetype returns no events.

Use the Submit URL in Attack Analyzer workflow action

From the Splunk Platform, you can open any event that has a URL field in Search & Reporting and use the Submit URL in Attack Analyzer workflow action to open Attack Analyzer and submit that URL, so you can pivot quickly between the two products.

  1. From the Splunk Platform, run a search and select the event that contains the URL you want to submit.
  2. From the url field action menu, select Submit URL in Attack Analyzer.
    Splunk Attack Analyzer opens in a new tab with the URL populated.
  3. Select Submit.

The workflow action only appears on fields named url or URL. If the URL you want to submit is returned in a different field, for example, request_url, use the rename or eval command to move the value into a field named url as part of the search. See rename or eval in the Splunk Enterprise Search Reference manual for more information.
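As an added example that is not part of the Splunk documentation, the following search copies a URL held under a different field name into a field named url so that the workflow action becomes available on the results. The index proxy_logs and the field names request_url and dest_url are assumed placeholders; substitute the index and field names used in your environment.

```spl
index=proxy_logs sourcetype="proxy:web"
| eval url=coalesce(url, request_url, dest_url)
| where isnotnull(url)
| dedup url
| table _time, src, url
```

The coalesce function takes the first non-null candidate, so events that already carry a url field keep it, and dedup keeps one row per URL so each is submitted only once.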

Last modified on 18 January, 2024

This documentation applies to the following versions of Splunk® Add-on for Splunk Attack Analyzer: 1.1.0, 1.1.1
