DFIR Copilot by DFIRVault

Splunk Community

DFIR Copilot transforms how security analysts interact with Splunk data by integrating privacy-first LLM analysis into common DFIR and threat hunting tasks. Using a robust progressive summarization pipeline, the app maintains context when processing thousands of events and provides coherent narrative insights, anomaly explanation, and investigative suggestions — all performed locally using Ollama.

- 100% local, private analysis — no outbound data required.
- AI-driven insights tailored for incident response and forensic workflows.
- Progressive summarization pipeline to retain context on large result sets.
- Easy configuration and integration with Splunk search.

Key Features & Use Cases

- Conversational analysis of search results (using llmhandler).
- Automated summarization for incident triage and timeline construction.
- Threat hunting assistance, e.g., spotting C2 patterns or lateral movement.
- Flexible prompts for custom investigation objectives.

Typical use cases include:

- Incident triage and executive summaries
- Forensic reconstruction of attack narratives
- Deep pattern detection in proxy/DNS/endpoint logs
- Reducing SPL complexity with human-friendly analysis