Splunk® Add-on for Splunk Attack Analyzer

User Guide

Source types for the Splunk Add-on for Splunk Attack Analyzer

The Splunk Add-on for Splunk Attack Analyzer provides various source types in the following formats. After you add a completed jobs input, the splunk:aa:job, splunk:aa:job:resource, and splunk:aa:job:task source types are ingested from Splunk Attack Analyzer. If you decide to configure forensic components, forensic source types are ingested as well depending on what components you selected to ingest. For more information, see Configure a completed jobs input.

Don't collect information for the splunk:aa:forensic:images,splunk:aa:forensic:savedartifacts, and the splunk:aa:forensic:screenshots source types.

Source type Description
splunk:aa:job Contains job information including the analysis for the initial resource as well as any other resources that were discovered during analysis.
splunk:aa:job:resource Contains resource information related to the items sent to and being analyzed in Splunk Attack Analyzer.
splunk:aa:job:task Contains task information related to the specific run of an engine for a particular resource.
splunk:aa:forensic:detections Contains detections that were run as part of a job and the resulting verdict.
splunk:aa:forensic:dnsrequests Contains DNS requests detected as part of analysis.
splunk:aa:forensic:files Contains file information recorded as part of analysis.
splunk:aa:forensic:hosts Contains host information identified by the analysis engine.
splunk:aa:forensic:http Contains information about network calls identified as part of the analysis.
splunk:aa:forensic:mitreattacks Contains information about detected MITRE ATT&CK techniques and tactics.
splunk:aa:forensic:network Contains information about network activity recorded as part of analysis.
splunk:aa:forensic:processes Contains information about processes that were recorded as part of analysis.
splunk:aa:forensic:registrykeys Contains information about registry key modifications recorded as part of analysis.
splunk:aa:forensic:strings Contains strings extracted from web pages as part of web analysis.
splunk:aa:forensic:tls Contains TLS information recorded as part of analysis.
splunk:aa:forensic:urls Contains information about URLs encountered as part of analysis and the context in which they were encountered.
Last modified on 31 August, 2023
About the Splunk Add-on for Splunk Attack Analyzer   Installation requirements and version dependencies

This documentation applies to the following versions of Splunk® Add-on for Splunk Attack Analyzer: 1.0.0, 1.1.0, 1.1.1, 1.2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters