Search in Splunk Attack Analyzer
You can search for information that either you or your organization have sent to Splunk Attack Analyzer. You can search for specific keywords, verdicts, scores, and so on. To search in Splunk Attack Analyzer, follow these steps:
- From Splunk Attack Analyzer, navigate to search by selecting Search from the menu.
- Use the default option, Resource, to search resources, such as files or URLs. Or, select Resource and Forensics to search both. Forensics are the data generated by completed jobs in Splunk Attack Analyzer.
- Select what type of data you want to search for from the drop-down menu. Available options are various file types, URLs, or tags.
- Select the type of search you want to perform.
- The default search type, includes keyword, tokenizes the string you're searching for, removing special characters and matching on word boundaries, so a keyword never matches inside a longer word.
- The equals search type looks for exact matches of the whole stored value, such as an exact IP address.
- The contains substring search type differs from includes keyword in that it matches your search query anywhere in the stored strings, including inside a word, whereas includes keyword matches only on word boundaries.
- The starts with and ends with search types are substring searches that match your query against the beginning or the end of the stored string.
- (Optional) Enter the keyword or string you want to search for in the Filename field.
- (Optional) Select Tag from the drop-down menu and enter a tag you want to search for. For more information on available tags, see Understanding tags in Splunk Attack Analyzer. Note: Use underscores in place of spaces when entering the tag you want to search for. For example, password_not_cracked or file_too_large.
- (Optional) Select a score range to look for results with a specific score.
- (Optional) Select a Verdict from the drop-down menu to filter the results based on whether the verdict was malware, spam, or phishing.
- (Optional) Select an API Key from the drop-down menu to filter results based on what API key was used.
- (Optional) Enter a name or email address in the Submitted by field to filter results based on the user or process that submitted the data.
- (Optional) Select a Timeframe from the drop-down menu to filter results in a specific timeframe. Select Custom to select a specific start and end date for the search. Note: These results can be impacted by the data retention policy of your organization.
- Select Search.
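The five search types above differ in subtle ways that matter when you are hunting for an IP address or a file name. The following Python script is an added example, not part of Splunk's documentation or the product, that models each search type over a constructed list of resources so you can see which records each type returns. The tokenizer (split on anything that is not a letter or digit) and the case handling (equals is case-sensitive, the others case-insensitive) are assumptions made for the example; the product's exact rules are not documented here.

```python
import re

# Constructed sample resources, not data from Splunk Attack Analyzer.
RESOURCES = [
    "invoice_2024-03.pdf",
    "Invoice-Final.docx",
    "reinvoiced_report.xlsx",
    "http://203.0.113.10/payload.bin",
    "203.0.113.10",
    "203.0.113.100",
]

# Approximation of the keyword tokenizer (an assumption for this example):
# runs of letters and digits are tokens; every special character is a word
# boundary and is dropped.
_TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def tokenize(value: str) -> list[str]:
    return [t.lower() for t in _TOKEN_RE.findall(value)]


def includes_keyword(value: str, query: str) -> bool:
    """Every token of the query must appear as a whole token of the value.
    Order is irrelevant, and a token never matches inside a longer token."""
    tokens = set(tokenize(value))
    query_tokens = tokenize(query)
    return bool(query_tokens) and all(q in tokens for q in query_tokens)


def equals(value: str, query: str) -> bool:
    """Exact, case-sensitive match of the whole stored string."""
    return value == query


def contains_substring(value: str, query: str) -> bool:
    """Query may sit anywhere in the stored string, including inside a word."""
    return query.lower() in value.lower()


def starts_with(value: str, query: str) -> bool:
    return value.lower().startswith(query.lower())


def ends_with(value: str, query: str) -> bool:
    return value.lower().endswith(query.lower())


SEARCH_TYPES = {
    "includes keyword": includes_keyword,
    "equals": equals,
    "contains substring": contains_substring,
    "starts with": starts_with,
    "ends with": ends_with,
}


def search(query: str, search_type: str, resources=RESOURCES) -> list[str]:
    """Return the resources that the given search type matches for the query."""
    matcher = SEARCH_TYPES[search_type]
    return [r for r in resources if matcher(r, query)]


if __name__ == "__main__":
    # Searching for an IP address shows the difference between the types:
    # equals returns only the bare address, includes keyword also returns the
    # URL that embeds it, and contains substring additionally returns the
    # longer address 203.0.113.100.
    for name in SEARCH_TYPES:
        print(f"{name:>18}: {search('203.0.113.10', name)}")
```

Note how a keyword search for "invoice" does not return "reinvoiced_report.xlsx" (the token is "reinvoiced"), while a substring search does; and how a keyword search for an IP address still matches a URL that contains it, so use equals when you need the exact indicator only.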
If your search returned results, you can view the results in the Search Results table.
Summarize scripts with AI Analysis
Many attacks use obfuscated or complex scripts that can be written in different languages, which makes them time-consuming to interpret. Even when Splunk Attack Analyzer flags a script as suspicious, you might not have the context you need to understand what it does or how to respond.
With the AI Analysis, you can automatically generate a structured summary of script behavior. The summary highlights execution steps, code excerpts, severity, MITRE ATT&CK mappings, and indicators of compromise (IOCs), giving you the details you need to triage and investigate without manually reviewing every line of code.
The AI Analysis provides the following:
- A suggested severity rating
- A high-level description of script behavior
- A step-by-step breakdown of what the script does
- Relevant code snippets that demonstrate malicious activity
- MITRE ATT&CK mapping for observed behaviors
- A list of IOCs with suggested next steps
To find the AI Analysis for your selected file or URL, follow these steps:
- On the job details page for the selected file or URL, select Static Doc Analysis.
- In the AI Analysis box, toggle between the following tabs: Summary, MITRE TTPs, and IOCs and Recommendations.
After you review the AI Analysis, you can use the suggested next steps to produce SPL for further investigation.
For example, you receive an alert with a script attachment. In the past, you might rely on a sandbox detonation to see if anything suspicious occurs. With the AI Analysis, Splunk Attack Analyzer automatically produces a summary that shows:
- The script attempts to download a second-stage payload.
- Obfuscated PowerShell commands used to execute the payload.
- MITRE ATT&CK mapping to "Command and Scripting Interpreter".
- IOCs including external IPs and a malicious dynamic-link library (DLL).
Instead of spending time de-obfuscating the script, you can move directly to verifying the IOCs in your environment or escalating with evidence.
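The pivot from the IOCs tab to a Splunk search is where a triage mistake is easy to make: free-text recommendations must not become search terms, hashes should be normalized, and values must be quoted so an odd character cannot alter the SPL. The following Python script is an added example, not part of Splunk's documentation or the product, that classifies a constructed IOC list and builds one SPL search per indicator type. The index and field names (index=web, index=endpoint, dest_ip, file_hash, file_name, file_path) are assumptions for the example; substitute the ones your own data uses.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed IOC list standing in for the IOCs tab of an AI Analysis.
# The addresses come from documentation ranges, the file name is made up,
# and the hash is the SHA-256 of empty input, used only as a well-formed
# placeholder. None of these identify a real sample.
SAMPLE_IOCS = [
    "203.0.113.10",
    "198.51.100.7",
    "loader.dll",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "see recommendations",  # free text that must not become a search term
]

_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
_FILENAME_RE = re.compile(r"^[\w.\-]+\.(?:dll|exe|ps1|js|vbs|bat|cmd|hta)$", re.I)


def classify_ioc(value: str) -> Optional[str]:
    """Return 'ip', 'sha256', 'md5', 'filename', or None for anything else."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if _SHA256_RE.match(value):
        return "sha256"
    if _MD5_RE.match(value):
        return "md5"
    if _FILENAME_RE.match(value):
        return "filename"
    return None


def spl_quote(value: str) -> str:
    """Quote a value as an SPL string literal, escaping backslashes and double
    quotes so an IOC can never break out of the literal and alter the search."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _in_list(values: List[str]) -> str:
    return "(" + ", ".join(spl_quote(v) for v in values) + ")"


def build_spl(iocs: List[str], earliest: str = "-7d") -> Tuple[Dict[str, str], List[str]]:
    """Group IOCs by type and emit one SPL search per type.

    Index and field names are assumptions for this example. Returns
    (searches_by_type, skipped_values) so unrecognized text is visible
    rather than silently dropped."""
    grouped: Dict[str, List[str]] = {}
    skipped: List[str] = []
    for raw in iocs:
        value = raw.strip()
        kind = classify_ioc(value)
        if kind is None:
            skipped.append(value)
            continue
        if kind in ("sha256", "md5"):
            value = value.lower()  # hash fields are commonly stored lowercase
        grouped.setdefault(kind, []).append(value)

    searches: Dict[str, str] = {}
    if "ip" in grouped:
        searches["ip"] = (
            f"index=web earliest={earliest} dest_ip IN {_in_list(grouped['ip'])} "
            "| stats count min(_time) AS first_seen BY src_ip dest_ip"
        )
    hashes = grouped.get("sha256", []) + grouped.get("md5", [])
    if hashes:
        searches["hash"] = (
            f"index=endpoint earliest={earliest} file_hash IN {_in_list(hashes)} "
            "| stats count BY host file_path file_hash"
        )
    if "filename" in grouped:
        searches["filename"] = (
            f"index=endpoint earliest={earliest} file_name IN {_in_list(grouped['filename'])} "
            "| stats count BY host file_path"
        )
    return searches, skipped


if __name__ == "__main__":
    searches, skipped = build_spl(SAMPLE_IOCS)
    for kind, spl in searches.items():
        print(f"[{kind}] {spl}")
    print("skipped:", skipped)
```

Run the generated searches separately per indicator type; a hit on the IP search tells you which hosts reached the download infrastructure, while a hit on the hash or file name search tells you where the second stage actually landed, which is the evidence you want when escalating.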
Learn more
To learn more about searching in Splunk Attack Analyzer, watch this video on Searching in Attack Analyzer.