Inspiration

Security Operations Centre analysts spend 40-60% of their time not on active threat hunting, but on documentation — triaging alerts, writing incident reports, mapping techniques, extracting indicators. We watched SOC workflows firsthand and realized the bottleneck wasn't detection. Splunk already surfaces the alerts. The bottleneck was everything that happens after the alert fires. We built ThreatBrief to automate that entire post-detection workflow using a multi-agent AI pipeline so analysts can focus entirely on response.

What it does

ThreatBrief ingests raw security alerts from Splunk Enterprise and runs them through a five-agent AI pipeline powered by NVIDIA NIM. The system automatically triages alert severity, maps events to MITRE ATT&CK techniques, extracts Indicators of Compromise, reconstructs a chronological attack timeline, and generates a structured incident brief with an executive summary, technical narrative, recommended response actions, and a confidence score. Analysts can then interrogate the brief directly via a natural language Q&A interface — asking questions like "what should I isolate first?" and receiving answers grounded in the specific incident data.

How we built it

The backend is built on FastAPI with a LangGraph StateGraph orchestrating five sequential agents — Ingestor, Triager, Enricher, Analyst, and Writer. Each agent calls NVIDIA NIM's Llama 3.1 70B model via an OpenAI-compatible SDK, with carefully engineered system prompts that return structured JSON output. The Splunk integration uses the Splunk Enterprise REST API on port 8089 for alert retrieval and the HTTP Event Collector on port 8088 for injecting mock scenarios. The frontend is React with Tailwind CSS in a dark SOC aesthetic, receiving real-time pipeline updates via Server-Sent Events. The entire stack runs locally to ensure no alert data leaves the environment.

Challenges we ran into

The biggest challenge was prompt reliability — getting NVIDIA NIM to consistently return valid structured JSON across all five agents without markdown fences, preamble, or hallucinated fields. We solved this by embedding strict output instructions in every system prompt and stripping markdown before parsing. The second challenge was SSE synchronization — ensuring the frontend pipeline stepper stayed in sync with actual agent execution without a database. We solved this with an in-memory job store polled every 500ms. Finally, Splunk Enterprise's REST API requires SSL with self-signed certificates locally, which required disabling SSL verification carefully without breaking production patterns.

Accomplishments that we're proud of

A fully working five-agent LangGraph pipeline that takes raw Splunk alerts to a structured incident brief end-to-end MITRE ATT&CK mapping that correctly identifies techniques from raw log data without a lookup database — purely from LLM reasoning The Ask The Brief feature — turning a static report into an interactive analyst conversation grounded in real incident data Real-time pipeline visualization that shows judges exactly what the AI is doing at each step Full Splunk Enterprise integration with both mock scenario injection and live alert retrieval

What we learned

Multi-agent pipelines require obsessive prompt discipline — each agent's output becomes the next agent's input, so one malformed JSON response breaks the entire chain NVIDIA NIM's OpenAI-compatible API makes swapping models trivial — the same codebase works across Llama, Mixtral, and Nemotron with one config change SSE is significantly simpler than WebSockets for one-way streaming use cases like pipeline status updates Splunk's REST API is powerful but underdocumented — the export endpoint for streaming search results behaves differently from the standard jobs endpoint

What's next for ThreatBrief

Splunk SOAR integration — automatically trigger response playbooks from the recommended actions in the brief Multi-incident correlation — detect when separate alerts belong to the same attacker campaign across time Custom MITRE profile — let teams define which technique mappings matter most for their environment Brief history and search — persistent storage of past incidents with semantic search across all generated briefs Slack and PagerDuty output — push the executive summary directly to on-call channels the moment analysis completes Role-based views — separate brief formats for CISO (executive), analyst (technical), and IR team (action-focused)

Built With

  • http-event-collector-(port-8088)-libraries:-openai-sdk-(nim-compatible)
  • javascript-(jsx)-frameworks:-fastapi
  • langchain
  • langgraph
  • langgraph-stategraph
  • languages:-python
  • pydantic
  • react
  • requests
  • sse-starlette
  • tailwind-css
  • uvicorn-streaming:-server-sent-events-(sse)-dev-tools:-cursor
  • vite-ai-/-llm:-nvidia-nim-api-?-meta/llama-3.1-70b-instruct-siem-platform:-splunk-enterprise-(local)-splunk-apis:-rest-api-(port-8089)
Share this project:

Updates