Inspiration

SOC analysts face massive alert fatigue. Every time a flagged IP pops up, someone spends 45 minutes manually querying SPL and cross-referencing logs. Real threats slip through the cracks. I built Incident Narrator to do the heavy lifting. It condenses an hour of manual Splunk hunting into a 90-second autonomous loop, giving analysts their time back to make decisions instead of gathering data.

What it does

You feed it an initial security alert, and the agent automatically writes and executes its own SPL queries against Splunk via the Splunk MCP Server. It cross-references HTTP, DNS, and IP streams, evaluates the evidence, and generates a structured, MITRE-aligned incident report with confidence scores and actionable remediation steps.

How we built it

The backend is Python and Flask. Google Gemini 2.5 Flash acts as the reasoning engine. It connects directly to Splunk using the new Splunk MCP Server. Running against the BOTS v3 dataset, the agent reads an alert, creates targeted SPL queries, pulls logs, and makes autonomous decisions about when to pivot from web logs to DNS data. Finally, it outputs the report directly to a custom Splunk dashboard.

Challenges we ran into

Making the agent resilient was difficult. LLMs struggle to output rigid, multi-step JSON formats. Early on, the AI would write a perfect SPL query but include an unescaped double quote, causing the Python JSON parser to crash instantly. I engineered a custom, fault-tolerant parsing architecture to fix this. Now, if the agent encounters a syntax error or a zero-result query, it catches the anomaly, corrects itself, and keeps hunting.
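A sketch of that repair step, added here as an example and not the project's own code. It assumes the agent returns one JSON object per loop step with "reasoning" and "spl" keys (an assumed schema), re-escapes stray double quotes inside the SPL string when the first parse fails, and turns a Splunk error or an empty result into a correction hint for the next iteration.

```python
import json
import re
from typing import Optional

# Assumed agent output schema: one JSON object per loop step with these keys.
REQUIRED_KEYS = ("reasoning", "spl")

# Capture the spl value lazily, stopping only at a closing quote that is
# followed by the next key or the end of the object, so unescaped inner
# quotes (uri="/login") stay inside the captured value.
_SPL_FIELD = re.compile(
    r'"spl"\s*:\s*"(?P<spl>.*?)"\s*(?=,\s*"[A-Za-z_]+"\s*:|\s*})',
    re.DOTALL,
)

# Constructed sample of the failure described above: valid SPL, invalid JSON.
SAMPLE_AGENT_OUTPUT = (
    '{"reasoning": "Check web logins from the flagged IP", '
    '"spl": "search index=botsv3 sourcetype=stream:http uri="/login" '
    '| stats count by src_ip", "pivot": "http"}'
)


def parse_agent_action(raw: str) -> dict:
    """Parse one agent step; repair unescaped quotes in the SPL string."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        m = _SPL_FIELD.search(raw)
        if not m:
            raise ValueError("no recoverable spl field in agent output")
        # Escape every quote that is not already escaped, then re-parse.
        fixed = re.sub(r'(?<!\\)"', r'\\"', m.group("spl"))
        obj = json.loads(raw[: m.start("spl")] + fixed + raw[m.end("spl"):])
    missing = [k for k in REQUIRED_KEYS if k not in obj]
    if missing:
        raise ValueError(f"agent output missing keys: {missing}")
    return obj


def feedback_for(result: dict) -> Optional[str]:
    """Turn a Splunk error or empty result into a hint for the next loop step."""
    if result.get("error"):
        return f"SPL error: {result['error']}. Correct the syntax and retry."
    if not result.get("rows"):
        return "Zero events returned. Pivot to another source, e.g. stream:dns."
    return None  # evidence found; let the agent evaluate it
```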

Accomplishments that we're proud of

Bridging the gap between theoretical AI concepts and a live enterprise security environment was a huge win. Watching the agent hit a dead-end query, write a reasoning statement about why it failed, and autonomously pivot to a new Splunk log source without human intervention proved that the fault-tolerant architecture works in practice.

What we learned

Building an AI agent for enterprise operations requires a massive focus on error handling. To make an AI genuinely useful in a strict SIEM environment, you have to build robust guardrails so it can gracefully recover from broken API calls, malformed strings, or zero-result queries.

What's next for Incident Narrator

The next step is moving from investigation to active remediation. I want to expand the tool integrations so that once the agent confirms a high-confidence threat, it can execute automated response actions directly from the dashboard, like blocking malicious IPs at the firewall or isolating compromised endpoints.
