Inspiration

Security Operations Centers face constant alert fatigue. Analysts often receive high-severity alerts, but they still need to manually search logs, correlate evidence, reconstruct the attack timeline, calculate risk, approve response actions, and write incident reports. I built Splunk SentinelOps AI to turn that manual SOC triage workflow into a faster, evidence-backed investigation powered by Splunk data.

What it does

Splunk SentinelOps AI is an agentic SOC investigation assistant for the Splunk Agentic Ops Hackathon Security Track. It takes a security alert, plans Splunk SPL searches, queries Splunk Enterprise through the REST API, collects evidence, builds a chronological incident timeline, calculates a deterministic risk score, recommends human-in-the-loop remediation actions, and generates a markdown incident report.

The main demo case is alert-001: a suspicious login and command execution cascade involving repeated failed logins, a successful admin login, suspicious PowerShell execution, privileged account creation, and high outbound data movement. The system correlates authentication, endpoint, and firewall evidence and calculates a risk score of 100 (Critical).

How we built it

The frontend is built with Next.js, React, TypeScript, and Tailwind CSS. The backend is built with FastAPI and Python. Splunk Enterprise is used as the live evidence source through the Splunk REST API. The backend dispatches SPL searches against the sentinelops index and returns generated SPL queries, evidence cards, risk scoring, timeline events, recommendations, and report markdown to the frontend.

The system uses a modular agentic pipeline:

  1. Alert Parser
  2. SPL Query Planner
  3. Evidence Collector
  4. Risk Scorer
  5. Timeline Builder
  6. Recommendation Agent
  7. Report Writer

For stable local judging and zero-dependency execution, the AI gateway runs in Mock AI Mode. The investigation itself uses real Splunk REST evidence, deterministic scoring, and human-in-the-loop response control.
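To make the deterministic scoring, timeline and human-in-the-loop steps concrete, here is an added, self-contained sketch of the Timeline Builder, Risk Scorer and Recommendation Agent stages over evidence cards modelled on alert-001. It is example code, not the project's own implementation; the evidence cards, the per-finding weights, the severity thresholds and the set of high-impact actions are all constructed assumptions.

```python
from datetime import datetime

# Constructed evidence cards standing in for alert-001 (not real Splunk REST output).
EVIDENCE = [
    {"time": "2024-05-01T09:00:05Z", "source": "auth", "kind": "failed_login", "count": 12, "user": "admin"},
    {"time": "2024-05-01T09:02:10Z", "source": "auth", "kind": "admin_login_success", "user": "admin"},
    {"time": "2024-05-01T09:03:40Z", "source": "endpoint", "kind": "suspicious_powershell", "host": "WS-42"},
    {"time": "2024-05-01T09:05:00Z", "source": "endpoint", "kind": "privileged_account_created", "user": "svc_bk"},
    {"time": "2024-05-01T09:09:30Z", "source": "firewall", "kind": "high_outbound_bytes", "bytes": 2_400_000_000},
]

# Assumed weights: fixed per finding kind, so identical evidence always yields the same score.
WEIGHTS = {"failed_login": 15, "admin_login_success": 20, "suspicious_powershell": 30,
           "privileged_account_created": 30, "high_outbound_bytes": 30}
# Assumed: actions that change state on a system stay behind human approval.
HIGH_IMPACT = {"disable_account", "isolate_host", "block_egress"}

def build_timeline(cards):
    """Order evidence cards chronologically, regardless of which search returned them first."""
    return sorted(cards, key=lambda c: datetime.fromisoformat(c["time"].replace("Z", "+00:00")))

def score_risk(cards):
    """Sum per-finding weights, cap at 100, and keep each contribution for the report."""
    contributions = [(c["kind"], WEIGHTS.get(c["kind"], 0)) for c in cards]
    score = min(sum(w for _, w in contributions), 100)
    label = "Critical" if score >= 90 else "High" if score >= 70 else "Medium" if score >= 40 else "Low"
    return {"score": score, "label": label, "contributions": contributions}

def recommend(cards):
    """Map correlated findings to actions; high-impact ones are flagged for HITL approval."""
    kinds = {c["kind"] for c in cards}
    recs = []
    if {"failed_login", "admin_login_success"} <= kinds:
        recs.append(("disable_account", "Disable the admin account pending review"))
    if kinds & {"suspicious_powershell", "privileged_account_created"}:
        recs.append(("isolate_host", "Isolate the affected host"))
    if "high_outbound_bytes" in kinds:
        recs.append(("block_egress", "Block outbound traffic from the host"))
    recs.append(("open_ticket", "Open an incident ticket"))  # low impact, no approval gate
    return [{"action": a, "reason": r, "requires_approval": a in HIGH_IMPACT} for a, r in recs]

if __name__ == "__main__":
    for card in build_timeline(EVIDENCE):
        print(card["time"], card["source"], card["kind"])
    print(score_risk(EVIDENCE))
    print(recommend(EVIDENCE))
```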

Challenges we ran into

The biggest challenge was integrating Splunk’s AI/MCP ecosystem in a local environment. We explored Splunk MCP Server and hosted model paths, but live MCP execution was blocked by a local Splunk KV Store certificate-chain / SSL validation issue. Instead of overclaiming unsupported functionality, we finalized the verified live path through Splunk Enterprise REST API.

Another challenge was making the demo reliable. The frontend, backend, Splunk REST searches, risk scoring, HITL approval workflow, and report export all had to work consistently for a short hackathon demo video.

Accomplishments that we're proud of

I am proud that the final project demonstrates a complete SOC workflow, not just a static dashboard. The system connects to Splunk Enterprise, dispatches SPL searches, retrieves real evidence, calculates an explainable risk score, builds an incident timeline, keeps high-impact actions behind human approval, and exports an audit-ready incident report.

The project is also honest about its implementation: Splunk REST API is live and verified, Mock AI Mode is used for stable local execution, and MCP-ready assets are included as a future-ready blueprint.

What we learned

I learned how to design an end-to-end agentic security workflow around Splunk data, how to build a reliable FastAPI and Next.js demo under time pressure, how to structure deterministic risk scoring for explainability, and how important it is to keep security automation human-approved instead of fully automatic.

I also learned that hackathon projects need both technical depth and clear storytelling. A working integration, honest limitations, and a polished demo flow are all important.

What's next for Splunk SentinelOps AI

Next, I would like to add production-ready authentication, improve the AI gateway with verified Gemini or OpenAI provider mode, add richer threat intelligence enrichment, support more alert types, and deploy the project as a full Splunk app. Once the local KV Store blocker is resolved, the packaged MCP-ready assets can also be connected to Splunk MCP Server for deeper tool-based workflows.
