Search Splunk Attack Analyzer data in the Splunk platform
After you have installed and configured the Splunk Add-on for Splunk Attack Analyzer, you can search Splunk Attack Analyzer data using Splunk search capabilities in the Splunk platform. Use these searches to learn more about Splunk Attack Analyzer data. From the Splunk Add-on for Splunk Attack Analyzer, select Search to access Splunk search capabilities.
All searches on this page assume that the data has been indexed into an index named saa_data. Change the index to match the configuration of your environment.
Search for an individual job
To search for an individual job based on the job ID, use the following search.
index=saa_data sourcetype="splunk:aa:job" SAA_JOB_ID=<job-id>
Search for resources and tasks analyzed in an individual job
To search for the resources and tasks analyzed in an individual job based on the job ID, use the following search.
index=saa_data sourcetype="splunk:aa:job:task" SAA_JOB_ID=<job-id> | join type=left left=Task right=Resource where Task.ResourceID = Resource.ID [search index=saa_data sourcetype="splunk:aa:job:resource" SAA_JOB_ID=<job-id>] | sort _time | table _time, Task.ID, Task.Engine, Resource.ID, Resource.Name, Task.Results.Score
Search for a detection run in an individual job
To search for a detection run in an individual job based on the job ID, use the following search.
index=saa_data sourcetype="splunk:aa:forensic:detections" SAA_JOB_ID=<job-id> | table Engines{}, Name, Description, Severity, Verdict
This search requires that forensics from Splunk Attack Analyzer are ingested along with the jobs.
Use the Submit URL in Attack Analyzer workflow action
From the Splunk Platform, you can open any event that has a URL field in Search & Reporting and use the Submit URL in Attack Analyzer workflow action to open Attack Analyzer and submit the URL, so you can quickly pivot between the two products.
- From the Splunk Platform, after running a search, select the event whose URL you want to submit.
- From the url field action menu, select Submit URL in Attack Analyzer. Splunk Attack Analyzer opens in a new tab with the URL populated.
- Select Submit.
The workflow action only appears on fields named url or URL. If the URL you want to submit is returned in a different field, for example request_url, you can use the rename or eval command to move the value into a field named url as part of the search. See rename or eval in the Splunk Enterprise Search Reference manual for more information.
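As an added example that is not part of the Splunk documentation, the following search consolidates a URL that may arrive in one of several differently named fields into a single url field, so that the workflow action is available on every result. The index name proxy, the sourcetype proxy:access and the field names request_url and dest_url are assumptions about the source data, not values from this page.

```spl
index=proxy sourcetype="proxy:access" (url=* OR request_url=* OR dest_url=*)
| eval url=coalesce(url, request_url, dest_url)
| where isnotnull(url)
| dedup url
| table _time, src, url
```

The coalesce function keeps an existing url value when one is present and falls back to the other fields only when it is not, so events that already carry url are left unchanged.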
This documentation applies to the following versions of Splunk® Add-on for Splunk Attack Analyzer: 1.1.0, 1.1.1, 1.2.0