Enhancing SIEM Events with Automated Threat Analysis of URLs

The Splunk team released the Splunk Add-on for Splunk Attack Analyzer and Splunk App for Splunk Attack Analyzer version 1.1. These apps strengthen the unified security operations experience.

In particular, this release allows users to bring automated threat analysis verdicts of URLs into Splunk Enterprise Security (ES) notable events to provide enhanced security measures for SOC teams.

This integration brings a new level of sophistication and efficiency to monitoring and analysis capabilities. By automating the scrutiny of URLs, organizations can rapidly identify and respond to potential threats hidden in web traffic, a common vector for cyber attacks. 

Splunk Attack Analzyer automates analysis on suspected threats

Splunk Attack Analyzer automates analysis of suspected malware and credential phishing threats. Unlike other analysis tools that require cumbersome manual workflows, the solution automatically follows and analyzes each step in complex attack chains to get to the final payload.

Splunk Attack Analyzer renders a verdict and extracts forensics to provide analysts with the associated intelligence and context of the active threat — giving the team a clear and rapid view into how threat actors are operating. 

Splunk Enterprise Security, our industry-defining SIEM solution, delivers high-fidelity alerts called notable events that provide a starting point for an incident you're investigating. You can easily sort notable events by severity, so you can prioritize security incidents and remediate them quickly.

Adaptive response actions are actions that can be taken either manually or automatically against any notable event generated and help accelerate response and remediation when investigating a notable event. 

Auto-submit URL objects for threat analysis

The Splunk Add-on for Splunk Attack Analyzer utilizes adaptive response actions to automatically submit a URL object within a notable event to Splunk Attack Analyzer for analysis. 

The URL verdict results are then delivered directly within the history of the notable event to provide security analysts with details such as:

• The overall verdict and score 
• The step-by-step analysis actions to process the attack chain

Analysts can also use the job link within the notable event history to view analysis results within the Splunk Attack Analyzer user interface for more detailed insights on:

• The engines that completed the analysis 
• The individual resources analyzed

This proactive approach of incorporating automated threat analysis of URLs into Splunk ES accelerates the detection of malicious activities — and it enriches ES notable events with deeper insights, allowing for more informed and timely decision-making.

In an era where speed and complexity of cyber threats are constantly increasing, the value of this integration lies in its ability to provide a more comprehensive, agile, and effective security posture, seamlessly blending Splunk Attack Analyzer URL verdicts into the robust framework of Splunk Enterprise Security. 

Upgrade to Version 1.1 Today 

• Get started by downloading the Splunk Add-on for Splunk Attack Analyzer and Splunk App for Splunk Attack Analyzer version 1.1 from Splunkbase.
• For more information, check out the release notes for the Splunk App and Add On for Splunk Attack Analyzer. 

New to Splunk Attack Analyzer? 

Learn more by watching the webinar Reduce Investigation and Response Time with Automated Threat Analysis.