
We are extremely excited to introduce a new addition to the Splunk unified security operations experience: Splunk Attack Analyzer (formerly Twinwave), which automates threat analysis of suspected malware and credential phishing threats by identifying and extracting associated forensics to provide accurate and timely detections.
SOC analysts continue to struggle to work across many security tools to understand and address the threats targeting their organization. They often cannot see the full picture of malicious activity or the context that ties together a series of coordinated threats.
When investigating an active credential phishing or malware incident, analysts must manually synthesize data, files, or URLs to formulate insights, and then take the time to draw conclusions and take corrective action. Analysts often turn to traditional sandboxes for analysis and detection, but these tools are frequently not designed to detect the latest complex attacks that use varying delivery vectors. Even with sandboxes, analysts still have to do manual work to access the malicious content, which can lead to inefficient, incomplete, and misleading investigations.
Take the Manual Work Out of Threat Analysis
Splunk Attack Analyzer provides automated threat analysis and the associated digital forensics to save analysts’ time and help SOCs achieve the operational efficiency needed to outpace adversaries. The solution uses proprietary technology to analyze credential phishing and malware threats, helping analysts achieve unparalleled detection efficacy with confidence and ease.
Splunk Attack Analyzer automatically navigates the varying delivery vectors of an attack chain, such as accessing malicious content, downloading files, or even entering passwords for archives, to reach the final payload, which can then be analyzed.
How It Works
When a suspected sample is submitted to Splunk Attack Analyzer, analysts are presented with an immediate visualization of the step-by-step actions of the intended attack, along with associated intelligence and context. This insight gives analysts a clear and rapid view into how threat actors are operating, eliminating the need to manually synthesize data in order to draw conclusions. Analysts can therefore save time, get through the backlog of events faster, and process alerts with accuracy.
Analysts can also seamlessly generate non-attributed environments directly within Splunk Attack Analyzer to access malicious content, including URLs and files, without compromising the safety of the analyst or the enterprise. The ability to directly access potential phishing sites or files lets analysts conduct a thorough investigation while remaining confident that their identity is concealed.
Fully Automate End-To-End Threat Analysis and Response Workflow
Given the volume and sheer velocity of phishing attacks and alerts that the SOC must triage every day, analysts require a solution that fully automates end-to-end threat analysis and response workflows. Integrated with Splunk SOAR, Splunk Attack Analyzer conducts automated analysis of identified indicators without SOC analysts having to perform manual investigative tasks or write complex playbooks spanning multiple threat analytics products. Once Splunk Attack Analyzer has confirmed an active threat, Splunk SOAR executes the appropriate response playbook to protect the enterprise. The combination of Splunk SOAR and Splunk Attack Analyzer gives the SOC unique, world-class analysis capabilities, making it more effective and efficient in responding to current and future threats.
Learn More About Splunk Attack Analyzer
Ready to automate threat analysis? We’ve got you covered! Visit the Splunk Attack Analyzer webpage or speak to your account manager to learn more.
Follow all the conversations coming out of #splunkconf23!