Search Splunk Attack Analyzer data in the Splunk platform

After you have installed and configured the Splunk Add-on for Splunk Attack Analyzer, you can search Splunk Attack Analyzer data using Splunk search capabilities in the Splunk platform. Use these searches to learn more about Splunk Attack Analyzer data. From the Splunk Add-on for Splunk Attack Analyzer, select Search to access Splunk search capabilities.

Note: All searches on this page assume that the data has been indexed into an index named saa_data. Change the index to match the configuration of your environment.

Search for an individual job

To search for an individual job based on the job ID, use the following search.

index=saa_data sourcetype="splunk:aa:job" SAA_JOB_ID=<job-id>

Search for resources and tasks analyzed in an individual job

To search for the resources and tasks analyzed in an individual job based on the job ID, use the following search.

index=saa_data sourcetype="splunk:aa:job:task" SAA_JOB_ID=<job-id> | join type=left left=Task right=Resource where Task.ResourceID = Resource.ID [search index=saa_data sourcetype="splunk:aa:job:resource" SAA_JOB_ID=<job-id>] | sort _time | table _time, Task.ID, Task.Engine, Resource.ID, Resource.Name, Task.Results.Score

Search for a detection run in an individual job

To search for a detection run in an individual job based on the job ID, use the following search.

index=saa_data sourcetype="splunk:aa:forensic:detections" SAA_JOB_ID=<job-id> | table Engines{}, Name, Description, Severity, Verdict

Note: This search requires that forensics data from Splunk Attack Analyzer be ingested along with jobs.
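The searches above each look at one job. As an added example that is not part of the Splunk Add-on documentation, the following search goes one step further and summarizes detections across all ingested jobs, using only the fields shown on this page (SAA_JOB_ID, Name, Severity, Verdict). It assumes, as the searches above do, that the data lives in the saa_data index and that forensics data is ingested with jobs; the time window and the threshold on the number of affected jobs are placeholders to adjust for your environment.

```spl
index=saa_data sourcetype="splunk:aa:forensic:detections" earliest=-7d
| stats count AS hits dc(SAA_JOB_ID) AS affected_jobs values(SAA_JOB_ID) AS job_ids BY Name, Severity, Verdict
| where affected_jobs >= 2
| sort -affected_jobs, -hits
| table Name, Severity, Verdict, affected_jobs, hits, job_ids
```

Reading the result top-down gives the detections that recur across the most submissions in the last seven days, together with the job IDs to pivot back into with the per-job searches above. The `where` clause is a constructed threshold; lowering it to 1 lists every detection seen in the window.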