Inspiration

Security Operations Centers face an impossible challenge: 11,000+ alerts per day, yet 76% are never investigated due to analyst fatigue and staffing shortages. A single missed alert can mean the difference between a contained incident and a full breach. We asked: what if an AI agent could autonomously investigate every alert with the rigor of a senior analyst — in under 60 seconds?

What it does

SentinelFlow is an autonomous AI security operations agent that investigates security incidents end-to-end without human intervention. Given a security alert, it:

  1. Triages — Classifies severity, extracts IOCs, maps to MITRE ATT&CK
  2. Investigates — Generates and executes SPL queries across Splunk indexes, correlating auth, network, DNS, and endpoint data
  3. Detects anomalies — Identifies behavioral deviations using statistical analysis
  4. Recommends response — Suggests containment actions (block IP, disable account, isolate host)
  5. Reports — Produces a structured investigation summary with evidence chain

Result: 45 minutes of manual investigation → 60 seconds of autonomous AI analysis (98% time reduction).

How we built it

Our system is an agentic SecOps platform orchestrated by LangGraph, with Claude Sonnet 4 handling all reasoning, SPL query generation, and log analysis.

Key Components:

  • Orchestration via LangGraph: Five specialized AI agents — Triage, Investigation, Anomaly, Response, and Report — orchestrated in a directed flow. Every step streams to the user via real-time WebSocket.
  • Security Data Platform: Integrated directly with Splunk Enterprise to query authentic security data across 4 indexes (auth_logs, network_traffic, dns_logs, endpoint_logs).
  • Schema-Aware SPL Generation: Agents perform real-time schema discovery on Splunk indexes, ensuring contextually accurate SPL queries before execution.
  • Self-Correction Loop: Failed SPL queries automatically trigger a retry loop (up to 3x), with the agent using the error context to rewrite the query.
  • Advanced Threat Detection: Threats classified using Foundation-Sec-8B, anomalies identified by Cisco DTSM, with graceful fallback chains ensuring continuous detection.
  • Next.js 15 Frontend: Real-time dashboard with MITRE ATT&CK heatmap, visual attack kill chain timeline, and interactive follow-up queries — delivering full investigation transparency in under 60 seconds.
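The fallback chain behind the "Advanced Threat Detection" component (hosted model, then LLM classification, then statistical analysis) and the statistical anomaly step from the pipeline above, as an added example rather than SentinelFlow's own code. The hosted-model and LLM tiers are hypothetical stand-ins that are unavailable in this offline run; the statistical tier is a complete per-user z-score detector over constructed failed-login counts, and the chain records which tiers it skipped so the report can say detection ran in degraded mode.

```python
"""Three-tier fallback chain: hosted model -> LLM classification -> statistics.

Added example, not SentinelFlow's code. Upper tiers are hypothetical stand-ins;
the statistical tier runs for real on constructed data.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


class TierUnavailable(Exception):
    """A tier could not answer (endpoint down, timeout, quota); try the next one."""


@dataclass
class Finding:
    user: str
    failed_logins: int
    score: float
    anomalous: bool
    tier: str  # which tier produced the verdict; surfaced in the report


# Constructed data: failed logins per user in the last hour, plus a seven-window
# per-user baseline (the kind of result the Investigation agent's SPL returns).
CURRENT_HOUR = {"alice": 3, "bob": 47, "svc_backup": 6, "new_hire": 2}
BASELINE = {
    "alice": [2, 3, 1, 2, 4, 2, 3],
    "bob": [0, 1, 0, 0, 1, 0, 0],
    "svc_backup": [5, 6, 5, 5, 4, 6, 5],
}


def hosted_model_tier(current, baseline):
    """Tier 1 stand-in for a Splunk hosted model such as Cisco DTSM (hypothetical)."""
    raise TierUnavailable("hosted model endpoint unreachable")


def llm_tier(current, baseline):
    """Tier 2 stand-in for LLM classification of the same counts (hypothetical)."""
    raise TierUnavailable("LLM request timed out")


def statistical_tier(current, baseline, threshold=3.0):
    """Tier 3: flag users whose current count is >= threshold standard deviations
    above their own baseline. Needs no external service, so it is the floor."""
    findings = []
    for user, count in current.items():
        history = baseline.get(user, [])
        if len(history) < 3:
            continue  # no usable baseline: cannot score, leave for the analyst
        mu = mean(history)
        sigma = max(pstdev(history), 1.0)  # floor so a flat baseline does not flag every +1
        z = (count - mu) / sigma
        findings.append(Finding(user, count, round(z, 2), z >= threshold, "statistical"))
    return findings


def detect_with_fallback(current, baseline, tiers=None):
    """Try tiers in order; return the first result plus the tiers that were skipped,
    so a statistical verdict is never reported as if a model had produced it."""
    tiers = tiers or [
        ("hosted_model", hosted_model_tier),
        ("llm", llm_tier),
        ("statistical", statistical_tier),
    ]
    skipped = []
    for name, tier in tiers:
        try:
            return tier(current, baseline), skipped
        except TierUnavailable as exc:
            skipped.append((name, str(exc)))
    raise RuntimeError("all detection tiers unavailable: "
                       + "; ".join(f"{n}: {r}" for n, r in skipped))


if __name__ == "__main__":
    findings, skipped = detect_with_fallback(CURRENT_HOUR, BASELINE)
    for name, reason in skipped:
        print(f"degraded: {name} skipped ({reason})")
    for f in findings:
        print(f"{f.user:12} failed={f.failed_logins:3} z={f.score:6.2f} "
              f"anomalous={f.anomalous} via {f.tier}")
```

The one design choice worth copying is that `skipped` travels with the findings: a chain that silently falls back to statistics produces a verdict with very different precision from the hosted model, and the investigation summary should say so. Users with no baseline (`new_hire` here) are deliberately left unscored rather than forced through a threshold that would flag any first login.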

Challenges we faced

  • SPL Hallucination: LLMs frequently generate plausible-but-invalid SPL queries referencing non-existent fields or indexes. We solved this with mandatory schema discovery before every query — the agent receives verified index names, sourcetypes, and field names.
  • Graceful Degradation: Splunk Hosted Models (Foundation-Sec-8B, Cisco DTSM) aren't always available. We built a 3-tier fallback chain: hosted model → Claude LLM classification → statistical analysis, ensuring the system always produces results.
  • Real-time Transparency: Streaming agent reasoning, raw SPL, and results to the frontend in real-time required careful WebSocket state management and incremental UI rendering.
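What the schema-aware SPL generation, the self-correction loop (up to three attempts) and the SPL-hallucination fix look like when combined, as an added example that is not SentinelFlow's code. `SCHEMA` stands in for what schema discovery would return (the four index names are from the project; the field names are made up), `ScriptedGenerator` replays a fixed sequence of attempts in place of the LLM, and `fake_execute` replaces the Splunk search API. The validator and retry loop are real: a query is checked for an unknown index, unknown fields and side-effecting commands before it is ever sent, and every rejection is fed back as error context for the next attempt.

```python
"""Schema-aware SPL validation with a bounded self-correction loop.

Added example, not SentinelFlow's code. SCHEMA, ScriptedGenerator and
fake_execute are constructed stand-ins; validate_spl and the loop are real.
"""
import difflib
import re

# Constructed: what schema discovery would return for the project's four indexes.
SCHEMA = {
    "auth_logs": {"user", "src", "action", "app", "dest"},
    "network_traffic": {"src_ip", "dest_ip", "dest_port", "bytes_out", "action"},
    "dns_logs": {"src_ip", "query", "answer", "record_type"},
    "endpoint_logs": {"process_name", "parent_process", "user", "command_line"},
}
# Present in every index (default fields and time modifiers), so never "hallucinated".
DEFAULT_FIELDS = {"_time", "_raw", "host", "source", "sourcetype", "index",
                  "earliest", "latest", "span"}
# Commands with side effects: an investigation agent must be read-only.
FORBIDDEN_COMMANDS = {"delete", "outputlookup", "outputcsv", "collect", "sendemail", "script"}


def validate_spl(query, schema):
    """Return a list of problems; an empty list means the query may be sent to Splunk."""
    problems = []
    segments = [s.strip() for s in query.split("|")]
    for seg in segments[1:]:
        cmd = seg.split(None, 1)[0].lower() if seg else ""
        if cmd in FORBIDDEN_COMMANDS:
            problems.append(f"forbidden command '{cmd}': investigation queries must be read-only")
    indexes = re.findall(r'\bindex="?([\w*]+)"?', query)
    if not indexes:
        problems.append("no index= constraint; refusing to run an unscoped search")
        return problems
    index = indexes[0]
    if index not in schema:
        problems.append(f"unknown index '{index}'; known indexes: {sorted(schema)}")
        return problems
    known = schema[index] | DEFAULT_FIELDS
    # Fields the query creates itself (stats count, "... as alias") are legitimate downstream.
    derived = set(re.findall(r"\bas\s+([\w.]+)", query, re.I))
    if re.search(r"\|\s*(stats|chart|timechart)\b", query):
        derived.add("count")
    # Every field compared against a value, plus "by" and table/fields arguments.
    referenced = set(re.findall(r"\b([A-Za-z_][\w.]*)\s*(?:!=|>=|<=|=|<|>)", query))
    for seg in segments[1:]:
        m = re.match(r"(?:stats|chart|timechart)\b.*?\bby\s+([\w.,\s]+)$", seg, re.I)
        if m:
            referenced.update(f.strip() for f in m.group(1).split(","))
        m = re.match(r"(?:table|fields)\s+([\w.,\s]+)$", seg, re.I)
        if m:
            referenced.update(f.strip() for f in m.group(1).split(","))
    for field in sorted(referenced - known - derived):
        hint = difflib.get_close_matches(field, sorted(schema[index]), n=1)
        suffix = f" (did you mean '{hint[0]}'?)" if hint else ""
        problems.append(f"unknown field '{field}' in index '{index}'{suffix}")
    return problems


class ScriptedGenerator:
    """Stand-in for the LLM: replays fixed attempts and records the error text that
    the real agent would put back into its prompt (hypothetical)."""
    def __init__(self, attempts):
        self.attempts = list(attempts)
        self.feedback = []

    def __call__(self, schema, previous_error):
        if previous_error is not None:
            self.feedback.append(previous_error)
        return self.attempts.pop(0)


def fake_execute(query):
    """Stand-in for the Splunk search API; returns constructed rows (hypothetical)."""
    return [{"user": "bob", "count": 47}]


def run_with_self_correction(generate, execute, schema, max_attempts=3):
    """Generate -> validate -> execute, feeding each failure into the next attempt."""
    error = None
    for attempt in range(1, max_attempts + 1):
        query = generate(schema, error)
        problems = validate_spl(query, schema)
        if problems:
            error = "; ".join(problems)  # rejected locally, never reaches Splunk
            continue
        try:
            return {"query": query, "rows": execute(query), "attempts": attempt}
        except RuntimeError as exc:  # Splunk-side failure (syntax, permissions, timeout)
            error = f"splunk: {exc}"
    raise RuntimeError(f"gave up after {max_attempts} attempts; last error: {error}")


def demo():
    gen = ScriptedGenerator([
        "search index=authentication action=failure | stats count by user",            # made-up index
        "search index=auth_logs src_ip=10.0.0.5 action=failure | stats count by user",  # field from another index
        "search index=auth_logs earliest=-24h src=10.0.0.5 action=failure"
        " | stats count by user | where count > 10",
    ])
    result = run_with_self_correction(gen, fake_execute, SCHEMA)
    result["feedback"] = gen.feedback
    return result


if __name__ == "__main__":
    r = demo()
    for line in r["feedback"]:
        print("rejected:", line)
    print(f"accepted on attempt {r['attempts']}: {r['query']}")
```

Two checks here go beyond the page's schema fix and are what a practitioner would add before letting an agent touch production Splunk: the query must name a known index (an unscoped `index=*` search from an agent is a cost and data-exposure problem, not just a correctness one), and piped commands are screened against a deny-list of side-effecting commands such as `delete`, `outputlookup` and `collect`, so a hallucinated or prompt-injected query cannot modify data even if the Splunk role would allow it. Validation failures are cheap because they never leave the process; only queries that pass reach the search API and consume the bounded retry budget.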

What we learned

  • In our testing, schema-aware prompting eliminated 90%+ of SPL generation errors
  • Self-correction loops are essential — agents that can diagnose and fix their own query failures are dramatically more reliable than single-shot approaches
  • Full transparency (showing every query and reasoning step) builds trust that black-box "AI investigated this" never can

What's next

  • Integration with Splunk SOAR for automated playbook execution
  • Multi-tenant deployment with investigation history and analyst collaboration
  • Fine-tuned Foundation-Sec model for organization-specific threat patterns
