Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel):
Q1: How to best optimize threat analysis?
- Your goal should be to get to auto-containment / auto-reinforcement
- Using a trustworthy analysis signal is key for you to take containment actions via automation
- Splunk Attack Analyzer with its consistent, comprehensive and automated threat analysis can provide a strong foundation
Q2: How does Splunk differentiate from Palo Alto Networks?
- Attack Chain Following - Allows SAA to navigate complex attack chains involving obfuscation techniques such as lure pages, QR codes and captchas; sandbox analysis often ends up incomplete in such scenarios
- Phishing Detection - Traditional sandboxes provide very little coverage for phishing, which is often the highest-volume category of analysis for SOC/IR teams
Q3: Is Attack Analyzer part of a standard Splunk package or a separate application?
- Attack Analyzer is an independent solution with close integrations to Splunk SOAR, Splunk ES and Splunk Platform
- Its pricing is determined by answers to the following questions:
  - How many individuals gain value from it - # of seats
  - How many artifacts need to be analyzed - # of submissions
Other Questions (check the #office-hours Slack channel for responses):
- Is it possible to have a free version of it installed for a limited time for a small POC?
- How does Attack Analyzer integrate with Splunk Enterprise Security?
- How does Attack Analyzer compare to a sandbox tool?
- How does Attack Analyzer deal with things like QR codes or Cloudflare Captchas?
Live Questions:
- To detect this kind of phishing attack, does Splunk Attack Analyzer scan the mail server or the client? Or does it work with the firewall?
- Does Splunk Attack Analyzer work on objects exposed to the Internet, or does it act inside a company?
- Mostly, we know that there aren't usually eyes on a monitor 24/7. So what mechanism does SAA use to notify security team members that some high-percentage risk was identified or a particular SOAR playbook was triggered, or, where no SOAR playbook is associated with the finding, what is the notification mechanism to make security team members aware of the situation?
- Besides phishing and URL scanning, are there any other use cases for this product?
- Is there an option to get scans of other users/customers, like IOCs, etc.?