Review threat analysis results

Prerequisite: the finding you want to review must have been ingested through the MS Graph O365 integration or another supported email gateway integration. Findings from other sources do not receive threat analysis.

Threat analysis runs automatically when a finding is generated and is suspected of being a phishing threat. Use the side panel in Mission Control to review the results.

  1. In Splunk Enterprise Security, select Mission Control.
  2. In your working queue, locate the finding you want to review and select it to open the side panel.

    Use the search bar or filter controls at the top of the queue to narrow results by time range, risk score, or finding type.

  3. In the side panel, expand the Threat analysis section.

    If the threat analysis job has not been completed yet, you'll see a loading or pending status indicator.

  4. From the drop-down menu, select the artifact type you want to review. For example, Email analysis.
  5. Review the analysis fields described in Table 1.

    Table 1. Threat analysis fields

    Verdict
      The system's determination of whether the artifact is malicious. A color-coded confidence score appears beside the verdict label; for example, Phish 67 means a Phish verdict with a confidence score of 67.

    System tags
      Classification tags that the analysis engine applies automatically.

    Phishkit families
      Phishing kit frameworks detected in the artifact, such as Zphisher, 16Shop, or Kr3pto.

    Phished brands
      The brands or services being impersonated, such as Office365.

    Resource analyzed
      The redirect chain showing how URLs or QR codes in the artifact resolve, including each intermediate redirect and the final destination. Warning icons mark resources that were flagged. Use this chain to confirm that the final landing page, not just an intermediate hop, is the malicious resource.

You can determine whether the finding is a true positive from the verdict, the phishing signals (tags, phishkit families, and phished brands), and the resource chain, all without leaving Splunk Enterprise Security. Treat the confidence score as one input alongside the other fields rather than as the sole deciding factor.

For advanced investigation or to manage submitted jobs, open the Splunk Attack Analyzer application. See Get data into Splunk Attack Analyzer or Analyze completed jobs with Splunk Attack Analyzer.

Based on your assessment, escalate the finding by selecting Start investigation. Then select View complete analysis to open the full Threat analysis tab.