Inspiration
I was inspired by two things: first, the ability of agentic coding assistants to troubleshoot quickly by reading logs, and second, the emerging landscape of AI chatbots with rich UI features like the generative UI capabilities in the current generations of Gemini and Claude chatbots.
What it does
This is an agentic threat hunter that carries out investigations end to end and is deeply integrated with the Splunk UI.
How we built it
This project uses the Splunk UI Toolkit and extensive Python code. It runs a Uvicorn (Python) server alongside the Splunk instance. Most of the code for the project is written for the Uvicorn server that handles the agentic loop, but there is some Python code written to extend the Splunk app, and plenty of TypeScript to make the UI work in a way that is aligned with Splunk's visual language.
Challenges we ran into
Proper governance is challenging when integrating agents with any traditional platform. I decided to use the "least bad" approach for this hackathon, but I learned just how difficult it is to implement governance outside of a more robust solution like a properly implemented Amazon Bedrock deployment or similar.
Accomplishments that we're proud of
The LLM is able to tell the UI how to render the results of Splunk searches (column, line, table, or pie), and the UI is able to properly handle the LLM's directives.
What we learned
I gained experience using "structured responses" from LLMs to create artifacts that pages could render. I also learned about orchestrating multiple agents around one central agent that drives the task forward by itself.
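The accomplishment and lesson above both hinge on one boundary: the LLM emits a structured directive (which search to run, how to chart it) and the UI acts on it. That boundary is also where the governance problem lands, because whatever the model puts in the directive reaches Splunk with the app's privileges. The following is an added example, not code from the Splunk Agentic Threat Hunter project, showing how the server side could validate a directive before handing it to the UI. The directive shape (`search`, `chart`, `title` keys), the side-effect command denylist, and the fence-stripping are assumptions for the example; only the four chart types come from the write-up.

```python
"""Validate an LLM "render directive" before the Splunk UI acts on it.

Added example; not the project's own code. Assumed directive shape
(hypothetical): {"search": "<SPL>", "chart": "<type>", "title": "<text>"}.
The chart allowlist (column, line, table, pie) is from the project write-up;
everything else here is an assumption made for the example.
"""
import json
import re

CHART_TYPES = {"column", "line", "table", "pie"}

# SPL commands that write, delete, or reach outside the search. A directive
# that pipes through any of these is refused so a bad model output can only
# ever read. Assumed denylist for this example; extend it for your deployment.
SIDE_EFFECT_COMMANDS = {
    "delete", "outputlookup", "outputcsv", "collect", "mcollect",
    "meventcollect", "sendemail", "script", "run", "rest",
}

# Captures the command name after each pipe: "| stats", "|outputlookup", ...
# A pipe inside a quoted string also matches, which is deliberate: fail closed.
_PIPE_CMD = re.compile(r"\|\s*([A-Za-z_]+)")


class DirectiveError(ValueError):
    """Raised when a directive must not be rendered or executed."""


def _strip_fence(text: str) -> str:
    """LLMs often wrap JSON in ```json fences; tolerate exactly that, nothing else."""
    m = re.match(r"^\s*```(?:json)?\s*(.*?)\s*```\s*$", text, re.DOTALL)
    return m.group(1) if m else text


def spl_commands(search: str) -> list[str]:
    """Return the lowercased name of every piped command in an SPL string."""
    return [c.lower() for c in _PIPE_CMD.findall(search)]


def parse_directive(raw: str) -> dict:
    """Parse and validate a raw model response; return a clean directive or raise."""
    try:
        obj = json.loads(_strip_fence(raw))
    except json.JSONDecodeError as e:
        raise DirectiveError(f"directive is not valid JSON: {e}") from None
    if not isinstance(obj, dict):
        raise DirectiveError("directive must be a JSON object")
    unknown = set(obj) - {"search", "chart", "title"}
    if unknown:
        raise DirectiveError(f"unexpected keys: {sorted(unknown)}")

    search, chart, title = obj.get("search"), obj.get("chart"), obj.get("title", "")
    if not isinstance(search, str) or not search.strip():
        raise DirectiveError("search must be a non-empty string")
    if chart not in CHART_TYPES:
        raise DirectiveError(f"chart must be one of {sorted(CHART_TYPES)}, got {chart!r}")
    if not isinstance(title, str) or len(title) > 120:
        raise DirectiveError("title must be a string of at most 120 characters")

    search = search.strip()
    # Normalize the implicit leading "search" so the string is unambiguous
    # when logged and when the UI submits it.
    if not search.startswith("|") and not search.startswith("search "):
        search = "search " + search
    bad = [c for c in spl_commands(search) if c in SIDE_EFFECT_COMMANDS]
    if bad:
        raise DirectiveError(f"search contains side-effect commands: {bad}")
    return {"search": search, "chart": chart, "title": title}


def reject_reason(raw: str) -> str:
    """Convenience wrapper: empty string if the directive is accepted, else why not."""
    try:
        parse_directive(raw)
        return ""
    except DirectiveError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed sample model outputs, not captured from a real run.
    samples = [
        '```json\n{"search": "index=auth action=failure | stats count by user",'
        ' "chart": "column", "title": "Failed logins by user"}\n```',
        '{"search": "index=auth | delete", "chart": "table", "title": "oops"}',
        '{"search": "index=auth | stats count", "chart": "scatter", "title": "x"}',
        "Sure! Here is the search you asked for: index=auth | stats count",
    ]
    for s in samples:
        reason = reject_reason(s)
        print("ACCEPT" if not reason else f"REJECT: {reason}")
```

The point of the wrapper is that the UI never receives raw model text: it gets either a normalized directive whose `chart` is one of the four types it knows how to draw and whose `search` can only read, or a rejection it can surface to the analyst. This does not replace platform-level governance (per-user Splunk roles still bound what the search can touch), but it is the minimal check that keeps a structured response from becoming an arbitrary-command channel.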
What's next for Splunk Agentic Threat Hunter
I'd like to get this tool to the point where it can be run on a purpose built platform like Bedrock, with proper authentication and governance.