Community Blog
Get the latest updates on the Splunk Community, including member experiences, product education, events, and more!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

loriexi
Splunk Employee
Splunk Employee

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the hype. Many teams are experiencing the radical transformation AI brought to the world. In security operations, the change brings new threat vectors and risks, too.

SecOps teams need to stay ahead of evolving threats, investigate efficiently, and respond quickly at scale. More importantly, they need to be able to focus on the most critical tasks. Besides managing their own investigations, analysts must also manage escalations, stakeholder updates, and shift handoffs, adding to the operational strain and slowing response efforts.

That is where Splunk’s AI Assistant in Security comes in. It is designed to help your team work more efficiently by accelerating investigation workflows and making security insights easier to understand. It helps analysts quickly interpret findings, summarize key information, and produce investigation-ready outputs.

This feature is now available to all Splunk Enterprise Security Cloud customers. On-prem availability is just around the corner, so please stay tuned for future product announcements this summer. 💪

 

Key Takeaways:

Splunk’s AI Assistant in Security can help you

 

  • Accelerating investigation workflows by providing immediate context and recommended next steps.

  • Generating SPL queries and clarifying technical mechanics (such as PowerShell misuse) from simple, natural language prompts.

  • Empowering better collaboration by auto-generating structured reports for stakeholder handoffs and case notes to reduce manual administrative overhead.

 

Operational Workflow: Triage Under Pressure

Let’s break down how the AI Assistant in Security can help when you see a 24hour risk threshold exceeded for user at 4:45PM on a Friday

Screenshot 2026-06-25 at 21.45.18.png

It is a critical threat — looks like a phishing attack with data exfiltration. ☹️

Strategy: Summarizing Findings for Rapid Context

The first thing you need to do is summarize the findings to help you understand the context more efficiently:

Screenshot 2026-06-25 at 21.37.35.png

 

With a single click, you get the overview of the findings with critical context, including that this high-risk activity was observed with PowerShell execution techniques and details of the MITRE ATT&CK tactics identified. It looks like an attack that you need to response fast. In the summary, there are also AI-recommended follow up steps based on the context of the investigation, such as isolating the user account, investigating the source IPs and more, helping you move fast from understanding the threat to taking action it.  

 

Tactical Analysis: Generating Queries and Clarifying Technical Mechanics with Natural Language

As you investigate further, use the AI Assistant in Security to help clarify questions and generate queries

 

Screenshot 2026-06-25 at 21.46.08.png

 

Going through the context the AI Assistant in Security provided, if there is anything that feels unclear to you, you can ask it with natural language. For example, you can ask “What are malicious use cases for PowerShell.exe?” The AI Assistant in Security will return the search results to you. In this case, the most misused examples are Obfuscation, Execution of Malicious Payloads, Lateral Movement and Data Exfiltration, which are involved in our risk finding.

You can also ask the AI Assistant in Security to write you an SPL query to find all activities in windows event logs for this particular user at a particular timeframe to get more context. This lowers the barrier to entry for users who may be less familiar with SPL, speeding up the investigation process. Even for experienced users, it can improve efficiency by helping them move from a question to a workable search more quickly.

After fully investigating the threat, you can quickly put together a response plan to remediate the threat.

 

Case Closure: Report Automation and Shift Handoffs

After remediating the threat, the next step is to generate a report to document and escalate the investigation to close the case:

 

Screenshot 2026-06-25 at 22.23.23.png

 

Another key benefit of the AI Assistant in Security is its ability to generate full reports that help you document or escalate a finding or investigation more efficiently.

Instead of manually summarizing details, with the AI Assistant in Security’s help, you quickly create a structured report that captures the relevant context and findings, helping save time and improve consistency in documentation. Then, you can add the investigation report to the case notes, so your team will have access to all the contexts. This is especially useful when preparing information for handoff, collaboration, or escalation.

Strategic Value: Driving Down MTTR at Machine Speed

With AI Assistant in Security’s help, you won’t be working overtime on Friday night to put together the investigation and response plan manually and write the report by yourself. You can quickly understand and remediate the threat - along with updating your key stakeholders to make sure the team always stays aligned.

The AI Assistant in Security is a great example of how Splunk Enterprise Security is scaling your operations, decreasing MTTD and MTTR, and stopping threats at machine speed. It is available at no additional cost for all Enterprise Security (cloud) users, making it easy to start exploring and using right away without changing your existing UI. To learn more about how Splunk is empowering the SOC with AI, check out the“Defending at Machine Speed: Splunk Advances the Agentic SOC” blog to gain more insights!

 

Keep the good stuff coming. Here’s how to subscribe to this blog — and stay in the loop on the topics that matter to you.  

 

 

Contributors
Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...