Introducing Splunk Add-On for Splunk Attack Analyzer & Splunk App for Splunk Attack Analyzer

Following our announcement of Splunk Attack Analyzer in July 2023, we are excited to announce the launch of:

These offerings help us bolster our unified security operations experience by bringing threat analysis results from Splunk Attack Analyzer into the Splunk platform.

The challenges with hiring top talent to staff a modern Security Operations Center (SOC) are ubiquitous. Every SOC team has to contend with a few top-tier analysts being barraged with escalations from tier 1 analysts tasked with triaging an ever-growing volume of alerts hitting the SOC.

Splunk Attack Analyzer multiplies force of SOC teams

Splunk Attack Analyzer can serve as a force multiplier for SOC teams with its capabilities of:

Attack chain following for URLs and files originating from the initial payload
Capturing rich forensics at each stage of the attack chain, including screenshots
Proprietary phishing detections with phished brand and phish kit attribution
Malware detections with malware family attribution
Interactive web browser and interactive sandbox to detonate malicious payloads safely

With Splunk Attack Analyzer, every analyst can triage each alert with a high level of proficiency. Moreover, integrations with Splunk SOAR can help automate a large number of alerts altogether based on verdicts from the analysis of a threat from Splunk Attack Analyzer — thereby eliminating workload from the SOC.

However, the gains with Splunk Attack Analyzer don’t stop at triaging individual alerts. Aggregating data across submissions can help SOC teams gain a broader perspective on how adversaries are targeting the organization past their defenses.

The Splunk Add-on and App for Splunk Attack Analyzer combine to help make it easy to visualize and socialize these insights with leadership and across the larger team.

Splunk Add-on for Splunk Attack Analyzer

The Splunk Add-on for Splunk Attack Analyzer ingests results of submissions made to Splunk Attack Analyzer into the Splunk platform. It makes the data searchable and allows teams to build custom queries, reports and dashboards. It can fetch:

High-level results such as scores and verdicts
Detailed raw and normalized forensics from static and dynamic analysis by Splunk Attack Analyzer engines

Splunk App for Splunk Attack Analyzer

The Splunk App for Splunk Attack Analyzer takes the data ingested by the Add-on and provides a set of out-of-the-box dashboards that:

Empowers SOC leadership to understand patterns in alert volumes.
Helps blue teams to gain insight on how adversaries are getting past their defenses.

Usage Insights Dashboard

This dashboard provides insight into where Attack Analyzer is being leveraged by the SOC team today and how usage varies across the team. It provides the following visualizations:

Breakdown by mode of submission: Which use cases are generating the most alerts needing analysis?
Trends in submission volumes over time: When does the SOC have the most alerts needing investigation?
Submission volume by analyst: Which analysts may need additional training to leverage Splunk Attack Analyzer more effectively?

Credential Phishing and Malware Insights

Phishing Insights: Impersonated Brands

Provides insights on brands being impersonated to target employees in phishing attacks that are getting past current security controls.

Top phished brands: Which brands are most commonly impersonated to target your employees over a given time period?
Trends in phished brands: Notable changes in impersonated brands
Phishing examples by brand: View examples showing the impersonation of a particular brand of interest

Phishing Insights: Phish kits

Top phish kits: Which phish kits are most commonly used to target your employees over a given time period?
Trends in phish kits: Notable changes in phish kit usage
Phishing examples by phish kit: View examples showing a particular phish kit being used in an attack

Malware Insights: Malware Families

Top malware families: Which malware families are most commonly used to target your employees over a given time period?
Trends in malware families: Notable changes in malware families
Malware examples by family: View examples showing a particular malware family that was used in an attack

How this helps your analysts

Blue teams can leverage the insights from the Splunk App for Splunk Attack Analyzer to better understand tactics being leveraged by adversaries and then implement measures that enhance the security posture of the organization. For example security teams can:

Proactively submit artifacts matching certain signatures to advanced analysis tools like Splunk Attack Analyzer
Train user behaviors to spot and report common malicious impersonation attempts
Improve configurations in perimeter defense tools to enhance block rates

To benefit from these new offerings, existing Splunk Attack Analyzer customers can download and install the app on their Splunk platform instance from Splunkbase using the links below: