Following our announcement of Splunk Attack Analyzer in July 2023, we are excited to announce the launch of the Splunk Add-on for Splunk Attack Analyzer and Splunk App for Splunk Attack Analyzer. These offerings help us bolster our unified security operations experience by bringing threat analysis results from Splunk Attack Analyzer into the Splunk platform.
The challenges with hiring top talent to staff a modern Security Operations Center (SOC) are ubiquitous. Every SOC team has to contend with a few top-tier analysts being barraged with escalations from tier 1 analysts tasked with triaging an ever-growing volume of alerts hitting the SOC. Splunk Attack Analyzer can serve as a force multiplier for SOC teams with its capabilities of:
- Attack chain following for URLs and files originating from the initial payload
- Capturing rich forensics at each stage of the attack chain, including screenshots
- Proprietary phishing detections with phished brand and phish kit attribution
- Malware detections with malware family attribution
- Interactive web browser and interactive sandbox to detonate malicious payloads safely
With Splunk Attack Analyzer, every analyst can triage each alert with a high level of proficiency. Moreover, integrations with Splunk SOAR can help automate a large number of alerts altogether based on verdicts from the analysis of a threat from Splunk Attack Analyzer thereby eliminating workload from the SOC.
However, the gains with Splunk Attack Analyzer don’t just stop at triaging individual alerts. Aggregating data across submissions can help SOC teams gain a broader perspective on how adversaries are targeting the organization past their defenses. The Splunk Add-on and App for Splunk Attack Analyzer combine to help make it easy to visualize and socialize these insights with leadership and across the larger team.
Splunk Add-on for Splunk Attack Analyzer
The Splunk Add-on for Splunk Attack Analyzer ingests results of submissions made to Splunk Attack Analyzer into the Splunk platform. It makes the data searchable and allows teams to build custom queries, reports and dashboards. It can fetch high-level results such as scores and verdicts as well as detailed raw and normalized forensics from static as well as dynamic analysis by Splunk Attack Analyzer engines.
Splunk App for Splunk Attack Analyzer
The Splunk App for Splunk Attack Analyzer takes the data ingested by the Add-on and provides a set of out-of-the-box dashboards that empower SOC leadership to understand patterns in alert volumes and helps blue teams to gain insight on how adversaries are getting past their defenses.
Usage Insights Dashboard
This dashboard provides insight into where Attack Analyzer is being leveraged by the SOC team today and how usage varies across the team. It provides the following visualizations:
- Breakdown by mode of submission - Which use cases are generating the most alerts needing analysis?
- Trends in submission volumes over time - When does the SOC have the most alerts needing investigation?
- Submission volume by analyst - Which analysts may need additional training to leverage Splunk Attack Analyzer more effectively?
Credential Phishing and Malware Insights
Phishing Insights - Impersonated Brands
Provides insights on brands being impersonated to target employees in phishing attacks that are getting past current security controls
- Top phished brands - Which brands are most commonly impersonated to target your employees over a given time period?
- Trends in phished brands - Notable changes in impersonated brands
- Phishing examples by brand - View examples showing the impersonation of a particular brand of interest
Phishing Insights - Phish kits
- Top phish kits - Which phish kits are most commonly used to target your employees over a given time period?
- Trends in phish kits - Notable changes in phish kit usage
- Phishing examples by phish kit - View examples showing a particular phish kit being used in an attack
Malware Insights - Malware Families
- Top malware families - Which malware families are most commonly used to target your employees over a given time period?
- Trends in malware families - Notable changes in malware families
- Malware examples by family - View examples showing a particular malware family that was used in an attack
Blue teams can leverage the insights from the Splunk App for Splunk Attack Analyzer to better understand tactics being leveraged by adversaries and then implement measures that enhance the security posture of the organization. For example security teams can:
- Proactively submit artifacts matching certain signatures to advanced analysis tools like Splunk Attack Analyzer
- Train user behaviors to spot and report common malicious impersonation attempts
- Improve configurations in perimeter defense tools to enhance block rates
To benefit from these new offerings, existing Splunk Attack Analyzer customers can download and install the app on their Splunk platform instance from Splunkbase using the links below:
Learn More About Splunk Attack Analyzer
Ready to automate threat analysis? We’ve got you covered! Visit the Splunk Attack Analyzer webpage or speak to your account manager to learn more.