Inspiration
Modern Security Operations Centers face severe alert fatigue, forcing analysts to sift through hundreds of high-velocity alerts per shift. Tier 1 analysts spend critical minutes on repetitive, manual context-gathering, decoding obfuscated command scripts, and compiling incidents into reports. SplunkGuard-AI was designed to eliminate this operational friction by creating an autonomous, on-premises companion that completes initial threat triage and context enrichment before a human analyst even opens the ticket.
What it does
SplunkGuard-AI is an end-to-end, closed-loop incident response automation system. It intercepts security alerts from Splunk via webhooks, automatically queries the environment to gather contextual system performance metrics (such as host CPU spikes) to measure immediate infrastructure impact, and orchestrates a local multi-agent AI pipeline to dissect the threat. The system then automatically pushes its finalized forensic verdict back into Splunk via the HTTP Event Collector (HEC), feeding a real-time, human-readable triage dashboard.
How we built it
The architecture features a FastAPI Python server that serves as the central orchestrator and webhook listener. For threat analysis, we integrated Ollama to run Llama 3 entirely on local hardware, preserving data privacy and ensuring zero external data leakage. We structured a two-agent hierarchy: Agent 1 acts as a malware analyst mapping payloads to the MITRE ATT&CK framework, while Agent 2 acts as an incident response lead synthesizing findings into standardized JSON. The data loop is finalized by sending data back through Splunk HEC and visualizing it via Splunk Dashboard Studio using an Absolute Layout configuration.
Challenges we ran into
We encountered significant technical hurdles stabilizing local LLM orchestration and managing background service connectivity, which initially resulted in connection errors. We also faced the classic LLM challenge of conversational text leaking into what should be strict JSON payloads, requiring us to implement robust regular expression parsing on the backend to guarantee the output stays compatible with downstream systems. On the frontend, configuring Splunk Dashboard Studio to dynamically color-code text-based AI severity labels rather than default numeric ranges required careful tuning of match-based visual thresholds.
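The formatting-leak problem described above, as an added example that is not SplunkGuard-AI's own code: a constructed Llama 3 reply wrapped in chatter and a markdown fence is reduced to its JSON verdict, validated against a fixed schema, and wrapped in a Splunk HEC event envelope. The field names (severity, mitre_techniques, summary) and the sourcetype are assumptions, not the project's real schema.

```python
import json
import re

# Constructed sample reply: conversational preamble, a fenced JSON block, and a
# trailing sentence. The fence is built from FENCE so it stays a plain string.
FENCE = "`" * 3
SAMPLE_REPLY = (
    "Sure! Here is the incident summary you asked for:\n"
    + FENCE + "json\n"
    + '{"severity": "High", "mitre_techniques": ["T1059.001"], '
    + '"summary": "Encoded PowerShell launched from a document process"}\n'
    + FENCE + "\nLet me know if you need anything else."
)

ALLOWED_SEVERITIES = {"Low", "Medium", "High", "Critical"}  # assumed label set
REQUIRED_FIELDS = {"severity", "mitre_techniques", "summary"}  # assumed schema

def extract_verdict(reply: str) -> dict:
    """Pull the JSON verdict out of an LLM reply, ignoring chatter and fences."""
    # Prefer an explicit fenced block; otherwise take the outermost {...} span.
    m = re.search(r"`{3}(?:json)?\s*(\{.*?\})\s*`{3}", reply, re.DOTALL)
    if m:
        raw = m.group(1)
    else:
        start, end = reply.find("{"), reply.rfind("}")
        if start == -1 or end <= start:
            raise ValueError("no JSON object in model reply")
        raw = reply[start:end + 1]
    verdict = json.loads(raw)  # raises JSONDecodeError on malformed output
    if not isinstance(verdict, dict):
        raise ValueError("verdict must be a JSON object")
    missing = REQUIRED_FIELDS - verdict.keys()
    if missing:
        raise ValueError(f"verdict missing fields: {sorted(missing)}")
    if verdict["severity"] not in ALLOWED_SEVERITIES:
        raise ValueError(f"unexpected severity label: {verdict['severity']!r}")
    if not isinstance(verdict["mitre_techniques"], list):
        raise ValueError("mitre_techniques must be a list")
    return verdict

def to_hec_event(verdict: dict, alert_id: str, host: str) -> dict:
    """Wrap a validated verdict in the envelope HEC's /services/collector/event expects."""
    return {
        "host": host,
        "sourcetype": "splunkguard:verdict",  # assumed sourcetype name
        "event": {"alert_id": alert_id, **verdict},
    }
```

Rejecting unknown severity labels here, before the HEC push, is what keeps the dashboard's match-based color thresholds reliable.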
Accomplishments that we're proud of
We successfully constructed a fully operational, closed-loop AI pipeline that completes advanced threat triage in under 45 seconds natively on local consumer hardware. We are particularly proud of bridging the gap between raw LLM output and enterprise security tooling, ensuring that the local AI directly enriches the existing SIEM dashboard rather than existing as an isolated, manual terminal script.
What we learned
This project provided deep insights into the mechanics of multi-agent prompt engineering and the critical importance of input/output data validation when integrating LLMs with structured enterprise APIs. We also learned how to manage local inference workloads efficiently and how to leverage Splunk's native JSON ingestion capabilities to build highly responsive, low-overhead dashboards without relying on complex regex inside the SIEM itself.
What's next for SplunkGuard-AI
The next phase focuses on transitioning from automated triage to automated containment. We plan to integrate active remediation webhooks that allow analysts to execute the AI's suggested containment steps directly from the Splunk dashboard canvas, such as isolating a compromised host or blocking an attacker's IP address across network firewalls with a single click.