Search in Splunk Attack Analyzer

You can search for information that either you or your organization have sent to Splunk Attack Analyzer. You can search for specific keywords, verdicts, scores, and so on. To search in Splunk Attack Analyzer, follow these steps:

  1. From Splunk Attack Analyzer, navigate to search by selecting Search from the menu.
  2. Use the default option, Resource, to search resources such as files or URLs, or select the Resource or Forensics option to search both. Forensics are the data generated from completed jobs in Splunk Attack Analyzer.
  3. Select what type of data you want to search for from the drop-down menu. Available options are various file types, URLs, or tags.
  4. Select the type of search you want to perform.
    1. The default search type, includes keyword, tokenizes the items you're searching for: it removes special characters and matches on word boundaries.
    2. The equals search type looks for exact matches, such as an exact IP address.
    3. The contains substring search type differs from the includes keyword search type in that it matches your search query anywhere in the returned strings, whereas includes keyword matches only on word boundaries.
    4. The starts with and ends with search types are substring searches that match your search query against either the beginning or the end of the returned strings.
  5. (Optional) Enter the keyword or string you want to search for in the Filename field.
  6. (Optional) Select Tag from the drop-down menu and enter a tag you want to search for. For more information on available tags, see Understanding tags in Splunk Attack Analyzer.
    Note: Use underscores in place of spaces when entering the tag you want to search for. For example, password_not_cracked or file_too_large.
  7. (Optional) Select a score range to look for results with a specific score.
  8. (Optional) Select a Verdict from the drop-down menu to filter the results based on whether the verdict was malware, spam, or phishing.
  9. (Optional) Select an API Key from the drop-down menu to filter results based on which API key was used.
  10. (Optional) Enter a name or email address in the Submitted by field to filter results based on the user or process that submitted the data.
  11. (Optional) Select a Timeframe from the drop-down menu to filter results in a specific timeframe. Select Custom to select a specific start and end date for the search.
    Note: These results can be impacted by the data retention policy of your organization.
  12. Select Search.

If your search returned results, you can view the results in the Search Results table.
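The four search types in step 4 behave differently on the same query, and the difference matters most for indicators that contain punctuation, such as IP addresses and URLs. The following Python model is an added example, not code from Splunk Attack Analyzer; it assumes that a keyword token is a maximal run of letters or digits and that keyword matching is case-insensitive, which are reasonable readings of the description above but are not confirmed by the page. The resource list is constructed for the example.

```python
import re
from typing import Callable, Dict, List

# Constructed sample of resource names (filenames, URLs and IPs), standing in for the
# kind of items an organization might have submitted. Not data from Splunk Attack Analyzer.
SAMPLE_RESOURCES: List[str] = [
    "invoice_2024.pdf",
    "invoice-2024-final.docx",
    "http://update.example.test/payload.ps1",
    "payload.ps1.bak",
    "10.0.0.5",
    "10.0.0.50",
]

# Assumption: a token is a maximal run of letters or digits; every other character
# (dots, dashes, slashes, underscores) is a separator and is dropped.
_TOKEN_RE = re.compile(r"[A-Za-z0-9]+")


def tokenize(text: str) -> List[str]:
    """Split text into lowercase alphanumeric tokens, discarding special characters."""
    return [t.lower() for t in _TOKEN_RE.findall(text)]


def includes_keyword(value: str, query: str) -> bool:
    """Every token of the query must appear as a whole token of the value (word-boundary match)."""
    query_tokens = tokenize(query)
    value_tokens = set(tokenize(value))
    return bool(query_tokens) and all(q in value_tokens for q in query_tokens)


def equals(value: str, query: str) -> bool:
    """Exact match of the whole stored value, e.g. one specific IP address."""
    return value == query


def contains_substring(value: str, query: str) -> bool:
    """Match the query anywhere inside the value, ignoring word boundaries."""
    return query in value


def starts_with(value: str, query: str) -> bool:
    """Substring match anchored at the beginning of the value."""
    return value.startswith(query)


def ends_with(value: str, query: str) -> bool:
    """Substring match anchored at the end of the value."""
    return value.endswith(query)


SEARCH_TYPES: Dict[str, Callable[[str, str], bool]] = {
    "includes keyword": includes_keyword,
    "equals": equals,
    "contains substring": contains_substring,
    "starts with": starts_with,
    "ends with": ends_with,
}


def search(resources: List[str], query: str, search_type: str = "includes keyword") -> List[str]:
    """Return the resources matched by `query` under the given search type, in input order."""
    matcher = SEARCH_TYPES[search_type]
    return [r for r in resources if matcher(r, query)]


if __name__ == "__main__":
    # Show how the same two queries fan out across the search types.
    for query in ("10.0.0.5", "load"):
        print(f"query {query!r}")
        for name in SEARCH_TYPES:
            print(f"  {name:>18}: {search(SAMPLE_RESOURCES, query, name)}")
```

The run shows the practical trap: a keyword search for 10.0.0.5 matches only that host, because tokenizing the query on the dots yields the tokens 10, 0 and 5 and 10.0.0.50 has no token 5; a contains substring search for the same string also returns 10.0.0.50. Conversely, a keyword search for a fragment such as load finds nothing, while contains substring finds both payload entries.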

Use the AI-powered Malware Reversing Agent and Phishing Analysis Agent to analyze scripts

Note: The AI agent for Splunk Attack Analyzer is not available by default. An administrator must reach out to their account management team to get started.

Quickly understand and investigate potentially malicious scripts using the AI Analysis in Splunk Attack Analyzer.

Many attacks use disguised or complex scripts that can be written in different languages, which makes them time-consuming to interpret. Even when Splunk Attack Analyzer flags a script as suspicious, you might not have the context you need to understand what it does or how to respond.

With the AI Analysis, you can automatically generate a structured summary of script behavior to help reverse malware or analyze a phishing attempt. The summary highlights execution steps, code excerpts, severity, MITRE ATT&CK mappings, and indicators of compromise (IOCs), giving you the details you need to triage and investigate without manually reviewing every line of code.

The Malware Reversing Agent and Phishing Analysis Agent capabilities in Splunk Attack Analyzer provide the following in an AI Analysis:

  • A suggested severity rating

  • A high-level description of script behavior

  • A step-by-step breakdown of what the script does

  • Relevant code snippets that demonstrate malicious activity

  • MITRE ATT&CK mapping for observed behaviors

  • A list of IOCs with suggested next steps

Supported file types

The following file types can be analyzed by the AI agent to reverse malware and analyze phishing attempts:

  • Script and code files
    Supported file type or extension: .js, .vbs, .vbe, .wsh, .wsc, .ps1, .psm1, .psd1, .ps1xml, .psc1, .pssc, .bat, .cmd, .html, .htm, .shtml, .hta, .wsf, .ws, .sct, .xsl, .application, .url, .svg (containing scripts or URLs), other detected code files
    Content analyzed by the AI agent: Scripts and URLs
  • Office documents
    Supported file type or extension: .doc, .docx, .docm, .dotx, .dotm, .docb, .xls, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .ppt, .pptx, .pptm, .potx, .potm, .ppsx, .ppsm
    Content analyzed by the AI agent: Macros, commands, active content, and screenshots
  • PDF documents
    Supported file type or extension: .pdf
    Content analyzed by the AI agent: Embedded JavaScript commands and screenshots with URLs or suspicious content
  • Image files
    Supported file type or extension: .png, .jpg, .jpeg, .gif, .bmp, .tif, .tiff, .wmf, .emf, .heic, other formats
    Content analyzed by the AI agent: QR codes and suspicious content
  • Calendar files
    Supported file type or extension: .ics

To view the AI Analysis for a file, follow these steps:
  1. On the job details page for the selected artifact, select a file from either the Resources Analyzed tree or from the Summary box.
    If the file type is supported by the AI agent, you can see the AI Analysis under the Resource Summary tab, or after selecting Static Doc Analysis.
  2. In the AI Analysis box, toggle between the following tabs: Summary, MITRE TTPs, and IOCs and Recommendations.

After you review the AI Analysis, you can use the suggested next steps to produce SPL for further investigation.

You receive an alert with a script attachment. In the past, you might have relied on a sandbox detonation to see if anything suspicious occurred. With the AI Analysis and agent capabilities, Splunk Attack Analyzer automatically produces a summary that shows:

  • The script attempts to download a second-stage payload.

  • Hidden PowerShell commands used to execute the payload.

  • MITRE ATT&CK mapping to "Command and Scripting Interpreter".

  • IOCs including external IPs and a malicious dynamic-link library (DLL).

Instead of spending time decoding the script, you can move directly to verifying the IOCs in your environment or escalating the malware.
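Turning the IOC list from the scenario above into an SPL search for your own environment is the step between reviewing the AI Analysis and verifying the IOCs. The following Python helper is an added example and is not code from Splunk Attack Analyzer; the IOC list is constructed for the example and its key names (`ips`, `files`, `urls`) are an assumption, not an export format of the product. The field names in the generated SPL (`dest_ip`, `file_name`, `url`) follow Splunk CIM naming and the `index=main` default is an assumption; adapt both to the fields and indexes your data actually carries.

```python
import ipaddress
import json
from typing import Dict, List

# Constructed sample in the shape of an IOC list a reviewer might copy out of the
# IOCs and Recommendations tab. Key names are assumptions for this example, not an
# export format of Splunk Attack Analyzer. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for real external IPs.
SAMPLE_IOCS: Dict[str, List[str]] = json.loads("""
{
  "ips": ["203.0.113.45", "198.51.100.7", "10.0.0.12"],
  "files": ["stage2.dll", "loader.ps1"],
  "urls": ["http://203.0.113.45/update.bin"]
}
""")

# Assumption: "external" means outside RFC 1918, loopback and link-local space.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def external_ips(ips: List[str]) -> List[str]:
    """Keep only addresses outside internal ranges. An internal IP in a sandbox-derived
    IOC list is usually the sandbox's own network and would only produce noisy matches."""
    kept = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in _INTERNAL_NETS):
            kept.append(ip)
    return kept


def spl_quote(value: str) -> str:
    """Quote a value as a single SPL string literal, escaping backslashes and double quotes
    so that an IOC containing either cannot break out of the literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _in_clause(field: str, values: List[str]) -> str:
    """Build `field IN ("v1", "v2", ...)`, the SPL idiom for matching any of several values."""
    return f"{field} IN ({', '.join(spl_quote(v) for v in values)})"


def build_ioc_search(iocs: Dict[str, List[str]], index: str = "main", earliest: str = "-7d") -> str:
    """Build one SPL search that matches events carrying any of the IOCs and summarises
    where and when they were seen. Field names follow Splunk CIM conventions (assumption)."""
    clauses = []
    ips = external_ips(iocs.get("ips", []))
    if ips:
        clauses.append(_in_clause("dest_ip", ips))
    if iocs.get("files"):
        clauses.append(_in_clause("file_name", iocs["files"]))
    if iocs.get("urls"):
        clauses.append(_in_clause("url", iocs["urls"]))
    if not clauses:
        raise ValueError("no IOCs to search for after filtering")
    body = " OR ".join(f"({c})" for c in clauses)
    return (
        f"index={index} earliest={earliest} {body} "
        "| stats count min(_time) AS first_seen max(_time) AS last_seen BY host, sourcetype"
    )


if __name__ == "__main__":
    print(build_ioc_search(SAMPLE_IOCS))
```

The `stats ... BY host, sourcetype` tail is deliberate: a hit count per host and data source tells you immediately whether the IOCs appear in proxy logs, endpoint telemetry or DNS, and the first_seen and last_seen timestamps bound the window for the escalation.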