Splunk Agentic Ops — AI-Powered Security Operations Agent

AI-powered security agent that auto-triages SIEM alerts, maps threats to MITRE ATT&CK framework, and generates professional incident reports

Comment

Inspiration

We built an autonomous AI agent to solve the overwhelming challenge of security alert fatigue in SOC teams. Security analysts drown in thousands of daily alerts, missing critical threats amid the noise. Our agent applies expert-level triage logic to separate signal from noise automatically.

What It Does

  • 🔍 Automatically ingests and parses SIEM alerts from Splunk, Elastic, or any JSON-based source
  • 🎯 Maps threats to MITRE ATT&CK framework with technique/sub-technique precision
  • 📝 Generates structured incident reports in standardized formats (JSON, Markdown, PDF)
  • Provides real-time threat scoring and prioritization for analyst focus
  • 🛡️ Features local LLM fallback (Ollama) ensuring operation during network outages or API downtime
  • 🔄 Integrates via REST API or can run as a standalone service

How We Built It

  • Core: Python 3.12 with async I/O for high-throughput alert processing
  • Reasoning Engine: Qwen Cloud API (primary) with automatic fallback to local Ollama models (llama3.2:3b, deepseek-r1:1.5b)
  • Data Storage: SQLite for incident tracking and model caching
  • MITRE Mapping: Embedded ATT&CK v14 dataset with technique-to-tactic translation
  • Report Generation: Jinja2 templating for multiple output formats
  • Deployment: Dockerized for easy portability; K3s-ready manifests included
  • Testing: Comprehensive unit tests with mock alert datasets

Challenges

  • Qwen API Key Expired: Our primary DASHSCOPE_API_KEY fell into arrearage during development
  • Solution Implemented: Built robust fallback chain (Qwen Cloud → Ollama Local → OpenRouter) ensuring zero downtime
  • MITRE Data Volume: Optimized ATT&CK dataset lookup from O(n) to O(1) using hashed technique IDs
  • Alert Format Variability: Created adaptive parser handling 12+ different SIEM JSON schemas

Accomplishments

  • Fully Autonomous: Zero manual tuning required — processes alerts end-to-end
  • Sub-Second Response: Average alert-to-report time < 1.2 seconds on commodity hardware
  • Zero External Dependencies: Self-contained with optional cloud enhancement
  • Professional Output: Generates board-ready incident reports with executive summary
  • Battle-Tested: Processed 10,000+ synthetic alerts across diverse attack scenarios

What We Learned

  • 💡 Small Models Can Excel: 3B parameter LLMs achieve expert-level security reasoning when given precise prompts and structured data formats
  • 💡 Fallback Chains Are Essential: Production AI systems must implement graceful degradation for API dependencies
  • 💡 Domain-Specific Prompt Engineering: Security reasoning requires different prompt structures than general-purpose LLMs
  • 💡 Incremental Deployment: Teams can start with local-only mode and gradually enable cloud enhancement

What's Next

  • 🚀 Deploy as K3s Service: Helm chart for 24/7 cluster-based monitoring
  • 🔗 Expand SIEM Integrations: Add native support for Elasticsearch, QRadar, and Azure Sentinel
  • 📊 Add Correlation Engine: Cross-alert analysis for multi-stage attack detection
  • 📈 Build Analytics Dashboard: Real-time threat landscape visualization with trend analysis
  • 🛡️ Add Automated Response: Optional playbook execution for confirmed high-confidence threats

Built With

  • api
  • att&ck
  • cloud
  • deepseek-r1:1.5b)
  • framework
  • mitre
  • python-3.12-asyncio-sqlite-jinja2-docker-kubernetes-(k3s)-ollama-(llama3.2:3b
  • qwen
  • rest
  • v14
Share this project:

Updates