Use email to get data into Splunk Attack Analyzer

When your Splunk Attack Analyzer tenant is first set up, an email address is created by the Splunk Attack Analyzer team that you can use to forward suspicious email data to Splunk Attack Analyzer. As an administrator, you can view the email address that was created for you in your Splunk Attack Analyzer tenant.

  1. To view the email address created for you by the Splunk Attack Analyzer team, from Splunk Attack Analyzer select your username, then Email Submission Address.
  2. Forward suspicious emails to this email address.
    Note: You might want to configure inbox rules to automatically forward emails with a certain criteria to Splunk Attack Analyzer.
  3. Navigate to Splunk Attack Analyzer to view your data ingested through email.

Data ingested through email is marked "API-Email Gateway" in the Submitted By column.

Note: By default, Splunk Attack Analyzer retains data for 180 days after which it is deleted. If you want to retain data for a longer period of time, before the data is deleted you can use the Splunk Add-on for Splunk Attack Analyzer or the Splunk Attack Analyzer APIs to store data in the Splunk platform or another SIEM tool you might be using. See the User Guide for the Splunk Add-on for Splunk Attack Analyzer and the API documentation in Splunk Attack Analyzer for more information.