Inspiration

RavenLedger was inspired by recent global failures where business operations, security telemetry, and financial risk collided.

The 2024 CrowdStrike outage showed how one operational/security failure can disrupt airlines, banks, hospitals, and critical services worldwide. At the same time, cyber-enabled fraud continues to create massive financial losses: the FBI reported more than $16 billion in cybercrime losses in 2024, including scams where employees were tricked into transferring money to criminal accounts.

These incidents made one thing clear: enterprise risk is no longer isolated inside one department. Finance may see a risky payment, Security may see suspicious behavior, Operations may see system signals, and Audit may see control violations — but the decision needs one shared investigation.

Splunk inspired the evidence layer of RavenLedger. If Splunk can make machine data searchable and actionable, RavenLedger can use that telemetry as evidence alongside ERP-style payment risk and insider behavior.

RavenLedger was built to answer one question before money leaves the enterprise:

Should this payment be released, held, or escalated — and what evidence supports that decision?

What it does

RavenLedger investigates risky enterprise payments before they are released.

It brings together payment risk signals, supplier context, insider behavior, Splunk telemetry, policy controls, and human approval into one investigation workflow.

The user can choose an investigation mode, run the RavenLedger workflow, view the highest-risk cases, inspect the supporting evidence, check policy/control failures, and record a human-approved action.

RavenLedger does not automatically block payments or take blind action. It creates an evidence-backed case that helps Finance, SOC, Audit, and Operations make a safer decision together.

How we built it

We built RavenLedger as a layered investigation system.

The backend is built with Python and FastAPI. The core logic is separated into engines for business risk, insider behavior, Splunk evidence, correlation, policy decisions, audit reports, and human action logging.

On top of those engines, we added a multi-agent layer. A RavenLedger Supervisor Agent coordinates seven specialist agents:

  • Business Risk Agent
  • Insider Behavior Agent
  • Splunk Evidence Agent
  • Correlation Agent
  • Policy Decision Agent
  • Audit Report Agent
  • Human Action Agent

The Business Risk Agent analyzes ERP-style invoice and supplier risk signals. The Insider Behavior Agent uses user activity patterns from insider-risk data. The Splunk Evidence Agent connects to Splunk Enterprise through a REST/Python adapter and runs SPL against the BOTS v3 dataset to attach live telemetry evidence such as _time, host, sourcetype, and source.
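The adapter the Splunk Evidence Agent describes can be sketched as follows. This is an added illustration, not RavenLedger's own code: it assumes Splunk Enterprise's documented REST endpoint POST /services/search/jobs on the management port with exec_mode=oneshot and output_mode=json, a Splunk authentication token, and a constructed index name and hostnames. The HTTP call is injected so the example runs offline, and the SPL builder quotes untrusted values (a supplier or host taken from a payment record) so they cannot close the literal and append further SPL.

```python
"""Splunk evidence adapter, added as an illustration and not RavenLedger's own code.

Assumes the documented Splunk REST endpoint POST /services/search/jobs on the
management port (8089 by default) with exec_mode=oneshot, which runs the search
synchronously and, with output_mode=json, returns a body whose "results" key
holds one dict per event. The HTTP call is injected so the adapter runs offline.
"""
import json
import re
from typing import Callable, Dict, List

SEARCH_ENDPOINT = "/services/search/jobs"
EVIDENCE_FIELDS = ("_time", "host", "sourcetype", "source")
TIME_MODIFIER = re.compile(r"^(now|-?\d+(s|m|h|d|w)(@(s|m|h|d|w))?)$")
PostFn = Callable[[str, Dict[str, str], Dict[str, str]], str]


def spl_quote(value: str) -> str:
    """Quote an untrusted value (supplier name, host from a payment record) for
    use inside an SPL double-quoted literal. Backslash and double quote are
    escaped so the value cannot close the literal and append further SPL
    (for example a trailing `| delete`)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_evidence_search(index: str, host: str, earliest: str, latest: str = "now", limit: int = 50) -> str:
    """Build the SPL a case runs against BOTS v3 style data: events from the host
    that handled the payment, reduced to the fields the case attaches as evidence."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", index):
        raise ValueError(f"invalid index name {index!r}")
    for label, value in (("earliest", earliest), ("latest", latest)):
        if not TIME_MODIFIER.match(value):
            raise ValueError(f"invalid {label} modifier {value!r}")
    return (
        f"search index={index} host={spl_quote(host)} earliest={earliest} latest={latest} "
        f"| head {int(limit)} | table {' '.join(EVIDENCE_FIELDS)}"
    )


def fetch_splunk_evidence(post: PostFn, base_url: str, token: str, spl: str) -> List[Dict[str, str]]:
    """Run a oneshot search through the REST API and return only the evidence fields.
    `post(url, headers, form)` must return the response body; in production pass a
    thin wrapper around requests.post(url, headers=headers, data=form, verify=CA_BUNDLE).text."""
    headers = {"Authorization": f"Bearer {token}"}  # Splunk authentication token
    form = {"search": spl, "exec_mode": "oneshot", "output_mode": "json"}
    body = json.loads(post(base_url.rstrip("/") + SEARCH_ENDPOINT, headers, form))
    return [{k: row.get(k, "") for k in EVIDENCE_FIELDS} for row in body.get("results", [])]


def fake_splunk_post(url: str, headers: Dict[str, str], form: Dict[str, str]) -> str:
    """Constructed stand-in for Splunk Enterprise used to run the example offline:
    checks the request shape and returns two invented BOTS-v3-style events."""
    if not url.endswith(SEARCH_ENDPOINT) or form.get("exec_mode") != "oneshot":
        raise ValueError("unexpected request")
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing token")
    return json.dumps({"results": [
        {"_time": "2018-08-20T13:11:02.000+00:00", "host": "erp-app-01",
         "sourcetype": "WinEventLog:Security", "source": "WinEventLog:Security", "EventCode": "4624"},
        {"_time": "2018-08-20T13:12:40.000+00:00", "host": "erp-app-01",
         "sourcetype": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
         "source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "1"},
    ]})


if __name__ == "__main__":
    spl = build_evidence_search("botsv3", "erp-app-01", "-24h")
    for row in fetch_splunk_evidence(fake_splunk_post, "https://splunk.example:8089", "EXAMPLE-TOKEN", spl):
        print(row)
```

Validating the index name and time modifiers against an allow-list, and quoting everything else, keeps the agent's generated SPL limited to the read-only evidence query even when a payment record carries a hostile supplier or host string.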

The Correlation Agent combines payment risk, insider behavior, and Splunk evidence into one unified case. The Policy Decision Agent maps the case to named controls and escalation targets. The Audit Report Agent generates markdown investigation reports, and the Human Action Agent records analyst-approved actions such as holding a payment or escalating to SOC.
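The hand-off from the Correlation Agent to the Policy Decision, Audit Report and Human Action agents can be illustrated in one pass over a single case. This is an added example and not RavenLedger's code: the control ids, point weights, hold/escalate thresholds, the list of security-relevant sourcetypes and the sample payment are all constructed for the illustration, and the unified case is a plain dataclass rather than whatever structure the project uses.

```python
"""Correlation, policy decision, audit report and human action steps, added as an
illustration and not RavenLedger's own code. Control ids, weights, thresholds,
sourcetype list and the sample case are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Sourcetypes the SOC treats as security-relevant (constructed list).
SECURITY_SOURCETYPES = {"WinEventLog:Security", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"}

# Named controls: (control id, signal group on the case, signal name, points, escalation target).
CONTROLS = [
    ("FIN-01", "business_risk", "bank_account_changed_recently", 40, "Finance"),
    ("FIN-02", "business_risk", "invoice_above_supplier_baseline", 20, "Finance"),
    ("FIN-03", "business_risk", "duplicate_invoice_number", 25, "Audit"),
    ("INS-01", "insider_signals", "approver_created_supplier", 30, "Audit"),
    ("INS-02", "insider_signals", "approval_outside_business_hours", 15, "SOC"),
]
SPLUNK_CONTROL = ("SEC-01", 20, "SOC")  # security telemetry on the host that handled the payment
HOLD_THRESHOLD, ESCALATE_THRESHOLD = 35, 70


@dataclass
class SplunkEvent:
    time: str
    host: str
    sourcetype: str
    source: str


@dataclass
class UnifiedCase:
    case_id: str
    payment_id: str
    supplier: str
    amount: float
    business_risk: Dict[str, bool]
    insider_signals: Dict[str, bool]
    splunk_evidence: List[SplunkEvent] = field(default_factory=list)
    score: int = 0
    failed_controls: List[str] = field(default_factory=list)
    escalate_to: List[str] = field(default_factory=list)
    decision: str = "release"
    actions: List[Dict[str, str]] = field(default_factory=list)


def correlate(case: UnifiedCase) -> UnifiedCase:
    """Correlation Agent step: score the case and record each failed named control."""
    score, case.failed_controls, case.escalate_to = 0, [], []
    for control_id, group, signal, points, target in CONTROLS:
        if getattr(case, group).get(signal, False):
            score += points
            case.failed_controls.append(control_id)
            if target not in case.escalate_to:
                case.escalate_to.append(target)
    control_id, points, target = SPLUNK_CONTROL
    if any(ev.sourcetype in SECURITY_SOURCETYPES for ev in case.splunk_evidence):
        score += points
        case.failed_controls.append(control_id)
        if target not in case.escalate_to:
            case.escalate_to.append(target)
    case.score = min(score, 100)
    return case


def decide(case: UnifiedCase) -> UnifiedCase:
    """Policy Decision Agent step: map the score to release / hold / escalate."""
    if case.score >= ESCALATE_THRESHOLD:
        case.decision = "escalate"
    elif case.score >= HOLD_THRESHOLD:
        case.decision = "hold"
    else:
        case.decision, case.escalate_to = "release", []
    return case


def record_human_action(case: UnifiedCase, analyst: str, action: str, note: str) -> Dict[str, str]:
    """Human Action Agent step: append the analyst's approved action to the audit trail.
    Nothing here moves or blocks money; it only records the decision and who made it."""
    if action not in {"release", "hold", "escalate"}:
        raise ValueError(f"unknown action {action!r}")
    entry = {"at": datetime.now(timezone.utc).isoformat(), "analyst": analyst, "action": action,
             "recommended": case.decision, "note": note}
    case.actions.append(entry)
    return entry


def audit_report(case: UnifiedCase) -> str:
    """Audit Report Agent step: markdown summary showing why the case was ranked as it was."""
    lines = [f"# Case {case.case_id}: payment {case.payment_id} to {case.supplier} ({case.amount:,.2f})",
             f"- Score: {case.score}  Recommendation: **{case.decision}**",
             f"- Failed controls: {', '.join(case.failed_controls) or 'none'}",
             f"- Escalate to: {', '.join(case.escalate_to) or 'none'}",
             "## Splunk evidence"]
    lines += [f"- {ev.time} {ev.host} {ev.sourcetype} ({ev.source})" for ev in case.splunk_evidence] or ["- none"]
    lines += ["## Human actions"]
    lines += [f"- {a['at']} {a['analyst']}: {a['action']} ({a['note']})" for a in case.actions] or ["- none"]
    return "\n".join(lines)


def example_case() -> UnifiedCase:
    """Constructed sample case; every value is invented for the example."""
    return UnifiedCase(
        case_id="RL-0001", payment_id="PAY-48213", supplier="Northwind Supply Co", amount=182400.00,
        business_risk={"bank_account_changed_recently": True, "invoice_above_supplier_baseline": False},
        insider_signals={"approver_created_supplier": True},
        splunk_evidence=[SplunkEvent("2018-08-20T13:11:02Z", "erp-app-01", "WinEventLog:Security", "WinEventLog:Security")],
    )


if __name__ == "__main__":
    case = decide(correlate(example_case()))
    record_human_action(case, "analyst@example.com", "hold", "awaiting supplier bank verification")
    print(audit_report(case))
```

The report keeps the recommended decision and the analyst's actual action side by side, so a later audit can see both what the engines concluded and where a human overrode them.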

The frontend is built as a demo command center with a landing page, investigation mode selector, top risk queue, case detail view, Splunk evidence panel, controls checklist, human action panel, and audit report viewer.

Splunk is used as the live evidence layer. RavenLedger uses Splunk Enterprise with BOTS v3 to prove that the investigation is backed by searchable telemetry, not only static business data.

Challenges we ran into

One of the biggest challenges was connecting business risk with security evidence in a way that felt like one real investigation, not separate dashboards. Payment fraud signals, insider behavior, Splunk telemetry, policy controls, and audit reports all have different data shapes, so we had to design a common case structure around them.

Another challenge was working with Splunk locally. We had to set up Splunk Enterprise, load and query BOTS v3, handle authentication, connect through the Splunk REST API, and make sure the backend could pull live evidence reliably.

We also had to balance ambition with demo stability. Splunk MCP Server, MLTK, cloud deployment, and SOAR-style workflows are powerful directions, but for the hackathon we focused on building a stable end-to-end investigation workflow first.

Finally, we had to make the product understandable in the frontend. The hardest part was not just calculating a risk score, but showing why a case was ranked first, what evidence supported it, which controls failed, and what human action should happen next.

What we learned

We learned that the hardest part of enterprise risk is not only detecting a suspicious signal. The harder problem is connecting signals across teams and systems.

A risky payment may look like a finance issue at first, but the full story can include supplier risk, insider behavior, security telemetry, control failures, and operational context. Building RavenLedger helped us understand that useful AI agents need grounded evidence, clear reasoning, and human approval — not just automation.

We also learned that Splunk becomes much more powerful when telemetry is connected to business context. A host, sourcetype, source, or timestamp becomes more valuable when it is attached to a real investigation case, a policy decision, and an audit trail.

Most importantly, we learned that trust matters. For high-risk financial workflows, the system should explain why a case is risky, show the evidence, map the controls, and let a human approve the final action.

What's next for RavenLedger

Next, we want to expand RavenLedger from a hackathon workflow into a broader enterprise RiskOps layer.

The first step is deploying the backend on Google Cloud so the full demo can run remotely without relying only on a local Splunk setup.

We also want to add Splunk MCP Server integration so agents can access Splunk through a standard tool-calling interface, and add AI Assistant-style SPL generation so analyst intent can become investigation playbooks.

For risk intelligence, we plan to add Splunk AI Toolkit / MLTK-based anomaly scoring for payment risk, insider behavior, and telemetry patterns. We also want to expand ERP connectivity with SAP, Oracle, vendor master, purchase order, approval workflow, and payment data.

Finally, RavenLedger can grow into a human-approved response layer by integrating with SOAR workflows, creating cases, escalating to Finance/SOC/Audit, and monitoring operations risk such as ERP job health, payment batch delays, ingestion health, and source availability.

Built With

  • ai-agents
  • css-modules
  • fastapi
  • javascript
  • json
  • multi-agent-workflow
  • netlify
  • python
  • react
  • rest-apis
  • splunk-bots-v3
  • splunk-enterprise
  • splunk-rest-api
  • vite