Submit jobs for threat analysis

For findings that indicate a potential phishing threat, Splunk Enterprise Security builds a queue of threat analysis jobs. Each job corresponds to one artifact from the finding, such as the raw email, an attached file (for example, screenshot.pdf), or a linked domain (for example, malicious-site.com). Powered by Splunk Attack Analyzer, threat analysis in Splunk Enterprise Security processes each job and returns results that you can view inline, without switching applications.

You can also resubmit jobs from the list, either to change the processing order or to reprocess canceled jobs.

  1. In Splunk Enterprise Security, select Mission Control.
  2. From the queue you're working in, open the finding you want to analyze and select Start investigation.
  3. In the investigation, select the Threat analysis tab.
  4. In the Jobs panel on the left, review the list of pending, completed, and canceled threat analysis jobs.

    The badge on the Jobs heading shows the total number of threat analysis jobs queued for the investigation.

  5. Submit a job for analysis: select the job in the Jobs panel, then select Submit. Repeat for each job you want analyzed.

After submission, you can monitor each job's status in the Jobs panel and select a completed job to view its analysis results. Jobs are processed automatically by Splunk Attack Analyzer. The detailed threat verdict, file metadata, and resource analysis for each submitted job are available directly within Splunk Enterprise Security.

For advanced investigation or to manage submitted jobs, open the Splunk Attack Analyzer application. See Get data into Splunk Attack Analyzer or Analyze completed jobs with Splunk Attack Analyzer.