Technical Note: Splunk AI Activation & Fallback Behavior

ARIA is natively implemented with Splunk AI Assistant via MCP as the primary runtime generation path. That integration is fully active in our codebase (agents/gap_agent.py, core/splunk_mcp_client.py).

During the final submission window, our trial tenant consistently returned: "Error generating Splunk Cloud access token," and a UI bug on the support portal prevented us from opening a ticket. Because of this platform-side activation issue, parts of our recorded run demonstrate our system's resilient Gemini fallback behavior.

Even with this blocker, ARIA successfully executes live Splunk operations at runtime (MITRE audit, SPL validation, saved-search deployment, KV Store persistence). We invite judges to review the actual implementation code to verify our MCP-first compliance.


Inspiration

Modern security teams are drowning in telemetry but still missing detections.

Organizations invest heavily in Splunk to collect endpoint logs, authentication events, network traffic, cloud activity, and application data. But collecting data is not the same as detecting threats. In many environments, the data needed to detect adversary behavior already exists, yet the actual detection rules are missing.

According to the 2025 CardinalOps State of SIEM report:

  • The average enterprise Splunk environment is blind to 79% of known MITRE ATT&CK techniques.
  • Organizations already ingest the data needed to cover up to 90% of those threats.

The bottleneck is not data availability. The bottleneck is detection-engineering bandwidth.

ARIA was built to close that gap.

Detection engineering is one of the most important and slowest workflows in security operations. A team may identify a coverage gap today, but turning that gap into a researched, tested, validated, reviewable Splunk detection can take days or weeks. Attackers do not wait for backlogs to clear.

ARIA reimagines this as an agentic operation: coordinated agents that audit coverage, model the threat context, generate SPL, validate it, and route it to a human for approval.

The goal is not to replace analysts. The goal is to give them leverage.

What it does

ARIA is an Autonomous Red-Blue Intelligence Agent for Splunk detection coverage.

It helps security teams move from “we have a blind spot” to “we have a validated detection ready for review” in minutes.

ARIA performs a complete detection-engineering loop:

  1. Audits Splunk coverage against MITRE ATT&CK
    The Blue Agent reads Splunk detection-coverage data and maps existing rules to ATT&CK techniques. Each technique is classified as COVERED, PARTIAL, or GAP.
  2. Finds high-value blind spots
    ARIA surfaces uncovered techniques so analysts can see where their Splunk environment is exposed.
  3. Builds adversary context
    The Red Agent profiles each gap using ATT&CK context: tactics, likely log sources, keywords, severity, and detection guidance.
  4. Generates SPL detections with Splunk AI Assistant via MCP
    The Gap Agent uses Splunk AI Assistant tools through MCP to generate candidate SPL detections, then optionally optimizes and explains them. A fallback model path exists only for resiliency when MCP is unavailable.
  5. Validates SPL before human review
    Generated SPL is validated with Splunk parser checks before being staged for approval, preventing broken queries from entering the analyst workflow.
  6. Routes rules through human approval
    ARIA stages validated detections in an approval queue where analysts can inspect, approve, or reject each rule.
  7. Deploys approved rules back into Splunk
    Approved detections are created as Splunk saved searches, and lifecycle metadata is persisted in Splunk KV Store.
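The coverage audit in steps 1 and 2, as an added example rather than ARIA's own Blue Agent code: the COVERED/PARTIAL/GAP rules, the severity scale and the sample environment are assumptions, and gaps whose log source is already ingested are ranked first because only the detection is missing there.

```python
# Added example (not ARIA's code): coverage audit for steps 1-2. Classification rules,
# severity scale and the sample environment below are assumptions.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    techniques: list           # ATT&CK technique IDs the rule claims to detect
    enabled: bool = True
    log_sources: set = field(default_factory=set)   # sourcetypes the SPL reads

@dataclass
class Technique:
    id: str
    name: str
    severity: int              # assumed scale: 1 (low) .. 5 (critical)
    log_sources: set           # sourcetypes a detection for it would need

def classify(technique, rules, ingested):
    """COVERED: an enabled rule whose data is ingested. PARTIAL: rules exist but are
    disabled or starved of data. GAP: no rule maps to the technique."""
    mapped = [r for r in rules if technique.id in r.techniques]
    if not mapped:
        return "GAP"
    live = [r for r in mapped if r.enabled and (not r.log_sources or r.log_sources & ingested)]
    return "COVERED" if live else "PARTIAL"

def audit(techniques, rules, ingested):
    report = {t.id: classify(t, rules, ingested) for t in techniques}
    # Gaps as (id, severity, quick_win); quick wins (data already ingested) rank first, then by severity.
    gaps = [(t.id, t.severity, bool(t.log_sources & ingested))
            for t in techniques if report[t.id] == "GAP"]
    gaps.sort(key=lambda g: (-g[2], -g[1]))
    return report, gaps

def blind_spot_pct(report):
    return round(100 * sum(v != "COVERED" for v in report.values()) / len(report), 1) if report else 0.0

# Constructed sample environment, not real telemetry.
INGESTED = {"sysmon", "wineventlog_security"}
TECHNIQUES = [
    Technique("T1059", "Command and Scripting Interpreter", 4, {"sysmon"}),
    Technique("T1003", "OS Credential Dumping", 5, {"sysmon"}),
    Technique("T1566", "Phishing", 4, {"email_gateway"}),
    Technique("T1486", "Data Encrypted for Impact", 5, {"sysmon"}),
]
RULES = [
    Rule("Encoded PowerShell Command", ["T1059"], True, {"sysmon"}),
    Rule("LSASS Memory Access", ["T1003"], False, {"sysmon"}),   # disabled -> PARTIAL
]
```

`blind_spot_pct` is the share of techniques not fully covered, the same kind of figure the CardinalOps statistic reports.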

ARIA turns detection gap closure into a governed, agentic workflow: audit, reason, generate, validate, approve, deploy.

How we built it

ARIA is built as a multi-agent security operations system. The backend is Python + FastAPI, coordinated by an Orchestrator that manages state, agent execution, approvals, and deployment.

Agent layer:

  • Blue Agent: audits Splunk detection coverage against MITRE ATT&CK.
  • Red Agent: profiles uncovered adversary techniques.
  • Gap Agent: generates and validates SPL detections.
  • Orchestrator: coordinates execution and approval lifecycle.

Splunk integration stack:

  • Splunk Python SDK
  • Splunk saved searches
  • Splunk SPL parser validation
  • Splunk KV Store
  • Splunk MCP Server
  • Splunk AI Assistant (generation/optimization/explanation)

Frontend stack:

  • React
  • TypeScript
  • Vite
  • TanStack Router
  • TanStack Query

The UI provides live coverage metrics, pipeline status, reasoning logs, technique inspection, generated SPL, provider traces, and approvals.

Hackathon compliance note: ARIA’s primary runtime generation path is Splunk AI Assistant via Splunk MCP Server. The fallback path is resilience-only and not the default operating path.

We also built deterministic demo support for reproducibility, while live mode runs against real Splunk services for audit, validation, deployment, and lifecycle persistence.

Challenges we ran into

The biggest challenge was designing an AI workflow that security teams can trust.

Generating a rule is easy. Generating one responsibly is much harder.

ARIA needed guardrails:

  • AI-generated SPL should not auto-deploy.
  • Invalid SPL should not reach analysts as “ready.”
  • Analysts should inspect context and reasoning before approval.
  • Approved rules should remain traceable after deployment.
  • Demo mode should be reproducible while live mode preserves real Splunk integration.
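One way to enforce the first four guardrails in an approval queue, as an added example that is not ARIA's Orchestrator or Gap Agent code: `spl_syntax_ok` is a local stand-in for the Splunk parser check the page describes, and `deploy()` only returns the record a saved-search call would be built from.

```python
# Added example (not ARIA's code): spl_syntax_ok stands in for Splunk's parser check.
from dataclasses import dataclass, field

def spl_syntax_ok(spl):
    """Stand-in for Splunk's parser: non-empty, balanced quotes and brackets."""
    pairs, stack, in_str = {")": "(", "]": "[", "}": "{"}, [], False
    for ch in spl:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in "([{":
            stack.append(ch)
        elif not in_str and ch in pairs and (not stack or stack.pop() != pairs[ch]):
            return False
    return bool(spl.strip()) and not stack and not in_str

@dataclass
class Detection:
    name: str
    technique: str
    spl: str
    status: str = "GENERATED"
    history: list = field(default_factory=list)   # (event, actor, detail) audit trail

class ApprovalQueue:
    def __init__(self, validator=spl_syntax_ok):
        self.validator, self.items = validator, {}

    def stage(self, det):
        # Validate before staging: only SPL that parses is shown to analysts as READY.
        det.status = "READY" if self.validator(det.spl) else "INVALID"
        det.history.append(("validated", "gap_agent", det.status))
        self.items[det.name] = det
        return det.status

    def decide(self, name, analyst, approve):
        det = self.items[name]
        if det.status != "READY":   # INVALID or already-decided rules cannot be approved
            raise ValueError(f"{name} is {det.status}, not awaiting review")
        det.status = "APPROVED" if approve else "REJECTED"
        det.history.append((det.status.lower(), analyst, ""))
        return det.status

    def deploy(self, name):
        # No auto-deploy: refuse anything a human has not approved, then keep provenance.
        det = self.items[name]
        if det.status != "APPROVED":
            raise PermissionError(f"{name} is {det.status}; only APPROVED rules deploy")
        det.status = "DEPLOYED"
        det.history.append(("deployed", "orchestrator", f"saved_search={det.name}"))
        return {"name": det.name, "search": det.spl, "technique": det.technique}
```

The `history` list on each detection is what makes an approved rule traceable after deployment: every transition records who or which agent caused it.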

We also encountered a critical Splunk Cloud SAIA activation-token issue on our trial tenant during the final submission window. Furthermore, the official Splunk Support portal UI had a blocking bug that prevented us from opening a ticket. Instead of giving up, we built a resilient fallback model path, preserved the MCP-first implementation in our code, and submitted full bug reports to the Splunk AI team and the official Hackathon Feedback portal to help improve the developer onboarding experience!

Accomplishments that we're proud of

ARIA is not just a chatbot for Splunk.
It is a full agentic workflow for a real SOC problem.

In one flow, ARIA can:

  • Measure detection coverage
  • Identify ATT&CK blind spots
  • Generate adversary-informed SPL detections
  • Validate generated SPL
  • Explain generated rules
  • Queue rules for human approval
  • Deploy approved detections to Splunk
  • Persist lifecycle memory for generated/approved/rejected/deployed rules

We are especially proud of the human-in-the-loop model. In security, automation without control creates risk. ARIA keeps analysts in control while removing repetitive research and drafting work.

What we learned

The future of agentic operations is not just agents taking action. It is agents taking the right action inside clear boundaries.

For security operations, trust matters as much as speed.

ARIA reinforced that production-useful agent systems need:

  • clear ownership between agents
  • transparent reasoning logs
  • validation before action
  • human approval for high-impact changes
  • lifecycle memory for auditability

We also learned that Splunk is a strong foundation for agentic workflows because data, detection logic, validation, and deployment can live in one ecosystem.

What's next

ARIA can evolve into a full detection-engineering copilot for Splunk.

Next steps:

  • Add ATT&CK sub-technique coverage
  • Deepen Splunk Enterprise Security integration
  • Tune generated SPL against sample event data to reduce false positives
  • Add detection quality scoring beyond syntax validation
  • Add pre-approval simulation/replay
  • Add role-based approval controls
  • Track longitudinal coverage improvement
  • Integrate additional Splunk AI and hosted model capabilities
  • Generate pull-request-style analyst review artifacts for detection changes

Long-term vision:
Security teams should not need weeks to close known detection gaps.
ARIA makes detection coverage continuous, explainable, validated, and human-governed.

Built With

  • fastapi
  • gemini
  • google-gemini-fallback
  • mitre-att&ck-stix-data
  • python
  • react
  • splunk
  • splunk-ai-assistant
  • splunk-kv-store
  • splunk-mcp-server
  • splunk-python-sdk
  • splunk-saved-searches
  • splunk-spl-parser-validation
  • tailwind
  • tanstack-query
  • tanstack-router
  • typescript
  • vite
  • websockets