Search Splunk Attack Analyzer data in the Splunk platform
After you have installed and configured the Splunk Add-on for Splunk Attack Analyzer, you can search Splunk Attack Analyzer data using Splunk search capabilities in the Splunk platform. Use these searches to learn more about Splunk Attack Analyzer data. From the Splunk Add-on for Splunk Attack Analyzer, select Search to access Splunk search capabilities.
These searches use the saa_data index. Change the index to match the configuration of your environment.
Search for an individual job
To search for an individual job based on the job ID, use the following search.
        index=saa_data sourcetype="splunk:aa:job" SAA_JOB_ID=<job-id>
      
Search for resources and tasks analyzed in an individual job
To search for the resources and tasks analyzed in an individual job based on the job ID, use the following search.
        index=saa_data sourcetype="splunk:aa:job:task" SAA_JOB_ID=<job-id> | join type=left left=Task right=Resource where Task.ResourceID = Resource.ID [search index=saa_data sourcetype="splunk:aa:job:resource" SAA_JOB_ID=<job-id>] | sort _time | table _time, Task.ID, Task.Engine, Resource.ID, Resource.Name, Task.Results.Score
      
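The join search above runs the resource search as a subsearch, so it is subject to the subsearch result and time limits and can return a partial table on large jobs without warning. The following search is an added example, not from the Splunk documentation, that builds the same per-task table without join: it pulls task and resource events for the job in one search, carries each resource's Name onto the tasks that reference it with eventstats, and then keeps only the task events. It assumes the field names shown in the join search (ID and Name on resource events; ID, Engine, ResourceID and Results.Score on task events) and the saa_data index.

```spl
index=saa_data SAA_JOB_ID=<job-id> (sourcetype="splunk:aa:job:task" OR sourcetype="splunk:aa:job:resource")
| eval resource_key=if(sourcetype=="splunk:aa:job:resource", ID, ResourceID)
| eval resource_name=if(sourcetype=="splunk:aa:job:resource", Name, null())
| eventstats values(resource_name) AS resource_name by resource_key
| where sourcetype="splunk:aa:job:task"
| sort _time
| table _time, ID, Engine, ResourceID, resource_name, Results.Score
```

Because both sourcetypes are read in a single search, the result is bounded only by the normal search limits, and a task whose resource event is missing still appears in the table with an empty resource_name rather than being dropped.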
Search for a detection run in an individual job
To search for a detection run in an individual job based on the job ID, use the following search.
index=saa_data sourcetype="splunk:aa:forensic:detections" SAA_JOB_ID=<job-id> | table Engines{}, Name, Description, Severity, Verdict
Use the Submit URL in Attack Analyzer workflow action
From the Splunk Platform, you can open any event with a URL field in Search & Reporting and use the workflow action Submit URL in Attack Analyzer to open and submit the URL in Attack Analyzer to quickly pivot between products.
- In Search & Reporting, run a search and expand the event that contains the URL you want to submit.
- From the url field action menu, select Submit URL in Attack Analyzer. Splunk Attack Analyzer opens in a new tab and the URL is populated.
- Select Submit.
The workflow action is offered only on a field named url. If the URL is stored in a field with a different name, use the rename or eval command to move the value into a field named url as part of the search. See rename or eval in the Splunk Enterprise Search Reference manual for more information.