Inspiration

We saw a dangerous trend in cybersecurity: treating Large Language Models as the ultimate "find the bad guy" button. Feeding terabytes of raw logs into an AI leads to severe hallucinations, blown API quotas, and "evidence" that would never hold up in a court of law. We wanted to build a tool that respects the strict, mathematical nature of digital forensics while harnessing the reasoning power of modern AI. We set out to build a true "Tier 3 Analyst Copilot": one that uses deterministic logic to find the anomaly, and agentic AI to explain and neutralize it.

What it does

ForensIQ is a hybrid SIEM (Security Information and Event Management) and triage workspace that bridges the gap between threat detection and remediation. It operates on a three-stage pipeline:

Detect (The Muscle): A Python backend runs strict Splunk Processing Language (SPL) rules to mathematically identify high-value, covert threats like insider log tampering (deleted sequences), time drift, and brute-force attacks.

Investigate (The Brain): Once an anomaly is proven, the system passes only that highly-targeted JSON evidence to Google Gemini. Gemini instantly translates the raw data, maps the attack to the MITRE ATT&CK framework, and generates a plain-English briefing.

How we built it

We built the frontend dashboard using Streamlit (Python) for rapid, data-centric UI development. For our data layer, we integrated with the Splunk API, writing custom SPL scripts and Python loops to execute our deterministic detection rules.

To power the intelligence layer, we used the Google Gemini 2.5 Flash API. Instead of relying on "agentic tool calling", which burns quotas and risks hallucination, we engineered a tightly constrained "One-Shot Context Injection" pipeline: the deterministic layer produces the evidence first, and the model receives only that evidence in a single prompt.
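As an added illustration of the Detect stage and of the "One-Shot Context Injection" idea (example code written for this page, not ForensIQ's own backend or SPL), the checks below run deterministically over a constructed in-memory audit trail and emit only the proven findings as the JSON packet a model would receive. The event fields, thresholds and window size are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data): seq 5-6 are missing, seq 9's
# timestamp runs backwards, and 10.0.0.5 fails five logins inside one minute.
EVENTS = [
    {"seq": 1, "ts": "2024-01-01T10:00:00", "src": "10.0.0.5", "action": "login", "result": "fail"},
    {"seq": 2, "ts": "2024-01-01T10:00:10", "src": "10.0.0.5", "action": "login", "result": "fail"},
    {"seq": 3, "ts": "2024-01-01T10:00:20", "src": "10.0.0.5", "action": "login", "result": "fail"},
    {"seq": 4, "ts": "2024-01-01T10:00:30", "src": "10.0.0.5", "action": "login", "result": "fail"},
    {"seq": 7, "ts": "2024-01-01T10:00:40", "src": "10.0.0.5", "action": "login", "result": "fail"},
    {"seq": 8, "ts": "2024-01-01T10:01:00", "src": "10.0.0.9", "action": "login", "result": "ok"},
    {"seq": 9, "ts": "2024-01-01T09:59:00", "src": "10.0.0.9", "action": "read", "result": "ok"},
    {"seq": 10, "ts": "2024-01-01T10:02:00", "src": "10.0.0.9", "action": "logout", "result": "ok"},
]

def find_sequence_gaps(events):
    # Missing sequence numbers: absence is a fact an LLM cannot read off raw logs.
    seqs = sorted(e["seq"] for e in events)
    return [(a + 1, b - 1) for a, b in zip(seqs, seqs[1:]) if b - a > 1]

def find_time_drift(events):
    # An event whose timestamp precedes its predecessor's in sequence order.
    ordered = sorted(events, key=lambda e: e["seq"])
    return [{"seq": c["seq"], "ts": c["ts"], "prev_ts": p["ts"]}
            for p, c in zip(ordered, ordered[1:])
            if datetime.fromisoformat(c["ts"]) < datetime.fromisoformat(p["ts"])]

def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    # Sources with >= threshold failed logins inside a sliding time window.
    fails, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "login" and e["result"] == "fail":
            fails.setdefault(e["src"], []).append(datetime.fromisoformat(e["ts"]))
    for src, times in fails.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append({"src": src, "failures": end - start + 1, "by": t.isoformat()})
                break
    return hits

def build_evidence(events):
    # Only proven findings are serialised for the model, never the raw log volume.
    return {"events_scanned": len(events), "sequence_gaps": find_sequence_gaps(events),
            "time_drift": find_time_drift(events), "brute_force": find_brute_force(events)}

if __name__ == "__main__":
    print(json.dumps(build_evidence(EVENTS), indent=2))
```

The packet stays a few hundred bytes regardless of how many events were scanned, which is what keeps the model inside its context window and within quota.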

Challenges we ran into

Our biggest hurdle was the classic "Context Window Trap" and API rate limits. Initially, we tried giving the AI tools to query Splunk autonomously to look for anomalies. We blew through our API quotas almost immediately, and we quickly realized the LLM struggled to mathematically prove when something was missing (like a deleted log sequence).

Accomplishments that we're proud of

We are incredibly proud that we didn't just build another "AI Wrapper." We successfully engineered a "Deterministic RAG" pipeline where hard-coded facts strictly guardrail the AI, ensuring zero hallucinations in our evidence chain.

What we learned

We learned a massive lesson in architectural discipline: AI is a terrible detective, but an incredible investigator. We learned that the secret to building enterprise-ready GenAI applications isn't giving the AI more unrestricted power, but giving it better-constrained context. Additionally, we significantly deepened our understanding of the MITRE ATT&CK framework and how to write optimized Splunk Processing Language (SPL) to process large datasets efficiently.
