Security: Automated Threat Analysis with Splunk Attack Analyzer - Wed 4/17/24

Published on 03-07-2024 05:12 PM by Splunk Employee | Updated on 04-19-2024 11:04 AM

Register here. This thread is for the Community Office Hours session with Neal Iyer, Sr. Principal Product Manager, on automated threat analysis with Splunk Attack Analyzer on Wed, April 17, 2024 at 1pm PT / 4pm ET.
Join us for an office hours session to ask questions about how automated threat analysis can enhance your existing security workflows, including:

  • Practical applications and common use cases
  • How Splunk Attack Analyzer integrates with other Splunk security solutions 
  • Anything else you'd like to learn!
Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here).

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.
Look forward to connecting!

loriexi
Splunk Employee

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel):

Q1: How to best optimize threat analysis?

  • Your goal should be to get to auto-containment / auto-reinforcement
  • Using a trustworthy analysis signal is key for you to take containment actions via automation
  • Splunk Attack Analyzer with its consistent, comprehensive and automated threat analysis can provide a strong foundation

Q2: How does Splunk differentiate from Palo Alto Networks?

  • Attack Chain Following - Allows SAA to navigate complex attack chains involving obfuscation techniques like lure pages, QR codes, captchas. Sandbox analysis often ends up incomplete in such scenarios
  • Phishing Detection - Traditional sandboxes provide very little coverage for phishing which is often the highest volume of analysis for SOC/IR teams

Q3: Is Attack Analyzer part of a standard Splunk package or a separate application?

  • Attack Analyzer is an independent solution with close integrations to Splunk SOAR, Splunk ES and Splunk Platform
  • Its pricing is determined by answers to the following questions:
    • How many individuals gain value from it - # of seats
    • How many artifacts need to be analyzed - # of submissions

Other Questions (check the #office-hours Slack channel for responses):

  • Is it possible to have a free version of it installed for a limited time for a small POC?
  • How does Attack Analyzer integrate with Splunk Enterprise Security?
  • How does Attack Analyzer compare to a sandbox tool?
  • How does Attack Analyzer deal with things like QR codes or Cloudflare Captchas?
Live Questions:

  • To detect these kinds of phishing attacks, does Splunk Attack Analyzer scan the mail server or the client? Or does it work with the firewall?
  • Does Splunk Attack Analyzer work on the objects exposed to the Internet, or does it act inside a company?
  • Mostly, we know that there aren't usually eyes on a monitor 24/7. So what mechanism does SAA use to notify security team members that some high-percentage risk was identified or that a particular SOAR playbook was triggered? And where no SOAR playbook is associated with the finding, what is the notification mechanism to make security team members aware of the situation?
  • Besides phishing and URL scanning, are there any other use cases for this product?
  • Is there an option to get scans of other users/customers, like IOCs, etc.?