• 

  SentinelAi Architecture Overview

Inspiration

Modern Security Operations Centers (SOCs) and observability teams face an overwhelming number of alerts every day. Analysts spend significant time manually investigating logs, correlating events, and identifying root causes. This process is often slow, repetitive, and prone to human error. We wanted to build a solution that leverages Splunk's AI capabilities to transform raw alerts into actionable intelligence, helping teams respond faster and make better decisions. SentinelAI was inspired by the need to reduce alert fatigue and empower both experienced and junior analysts with AI-driven incident investigation.

What it does

SentinelAI is an AI-powered incident commander built on top of Splunk. It continuously analyzes security events, logs, and observability data to provide the following:

• Automatic incident summaries
• Root cause analysis
• Intelligent alert prioritization
• Natural language interaction with Splunk data
• AI-generated remediation recommendations
• Executive-ready incident reports

Instead of manually reviewing thousands of log entries, users receive concise explanations of what happened, why it happened, and what actions should be taken next.

How we built it

We built SentinelAI using Splunk as the central data platform for ingesting and querying logs, events, and metrics. The application connects to Splunk through its REST APIs and retrieves relevant incident data.

The AI layer analyzes alerts, correlates related events, identifies potential root causes, and generates human-readable summaries. A conversational interface allows users to interact with Splunk using natural language queries. The system combines observability data, security events, and AI reasoning to create a unified incident response experience.

Core components include the following:

• Splunk Enterprise / Splunk Cloud
• Splunk REST APIs
• AI-powered summarization and reasoning engine
• Incident analysis workflow
• Natural language query interface
• Reporting and recommendation engine

Challenges we ran into

During development, several challenges emerged:

• Correlating multiple events across different systems into a single incident context.
• Converting raw machine-generated logs into meaningful summaries.
• Reducing false positives while maintaining sensitivity to critical events.
• Designing AI prompts that consistently generate useful incident explanations.
• Handling different log formats and data sources.
• Ensuring recommendations remain actionable and relevant.

Balancing automation with analyst trust was one of the most important challenges throughout the project.

Accomplishments that we're proud of

We are proud that SentinelAI can

• Automatically explain incidents in plain language.
• Reduce the amount of manual investigation required by analysts.
• Provide AI-generated remediation guidance.
• Prioritize alerts based on context and impact.
• Make Splunk data accessible through natural language interactions.
• Generate executive-friendly reports for stakeholders.

Most importantly, SentinelAI transforms complex operational data into actionable insights that teams can use immediately.

What we learned

Building SentinelAI taught us valuable lessons about the following:

• AI-assisted security operations
• Observability workflows
• Incident response processes
• Event correlation and root cause analysis
• Prompt engineering for operational intelligence
• Designing AI systems that analysts can trust

We also learned that the biggest value of AI is not replacing analysts but helping them focus on higher-value decisions.

What's next for SentinelAI

Future improvements include:

• Real-time anomaly detection using advanced machine learning models.
• Automated runbook execution and remediation workflows.
• Integration with ticketing platforms such as Jira and ServiceNow.
• Multi-agent AI collaboration for complex investigations.
• Predictive incident analysis to identify issues before they become critical.
• Team collaboration features for incident response workflows.
• Support for additional cloud and observability platforms.

Our long-term vision is to evolve SentinelAI into a fully autonomous AI operations companion that helps organizations monitor, understand, and respond to incidents faster than ever before.

Built With

• actions
• agents
• ai
• ai-powered
• alert
• analysis
• analytics
• api
• apis
• built
• cause
• cloud
• correlation
• css
• data
• databases
• devops
• docker
• engine
• enterprise
• event
• fastapi
• frameworks
• generative
• git
• github
• html
• incident
• indexes
• integrations
• javascript
• json-based
• key
• language
• languages
• learning
• libraries
• local
• log
• machine
• management
• natural
• natural-language-processing
• observability
• openai
• operations
• pandas
• platforms
• prioritization
• processing
• python
• react
• requests
• response
• rest
• root
• search
• secops
• security
• splunk
• sqlite
• storage
• summarization
• tailwind
• technologies
• webhooks
• with