Splunk Developer Day

AI-assisted SOC investigations

AI Summary

Mohammed Azadur Rahman Sarker discusses the enhanced capabilities of Splunk applications, emphasizing their role in delivering operational intelligence, security analytics, and more. With the introduction of the Model Context Protocol (MCP), these applications can now expose insights directly to external platforms like Large Language Models (LLMs) and AI agents, facilitating seamless interoperability. The MCP acts as a standardized layer for securely sharing Splunk-generated data, enabling innovative use cases such as AI-assisted SOC investigations and automated threat hunting. Through tools configured in the tools.conf file, Splunk apps are transformed into AI-operational services, broadening their application beyond traditional analytics.

Applications in Splunk serve as modular delivery frameworks for operational intelligence, security analytics, automation workflows, and domain-specific use cases. These apps encapsulate knowledge objects such as dashboards, saved searches, data models, alerting logic, lookup tables, custom REST endpoints, and correlation rules, enabling organizations to package and operationalize Splunk-driven insights in a reusable and scalable manner.

With the introduction of the Model Context Protocol (MCP) integration framework, Splunk applications can now expose their operational intelligence directly to Large Language Models (LLMs), AI agents, and external orchestration platforms. MCP acts as an interoperability layer that standardizes how Splunk-generated insights, detections, and contextual data are securely shared for AI-driven analysis, automated reasoning, and response execution.

Through MCP enablement, Splunk apps can dynamically publish MCP-compatible tools generated from:

  • Custom REST API endpoints

  • Saved searches and scheduled searches

  • Correlation searches

  • SOAR-triggered workflows

  • External enrichment integrations

These tools are exposed to the Splunk MCP Server using a dedicated configuration layer introduced through the tools.conf file. The tools.conf configuration contains individual stanzas for each MCP-exposed tool, defining metadata such as:

  • Tool name

  • Functional description

  • Input parameters

  • Execution context

  • Access scope and permissions

  • Associated REST endpoint or search object
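Because the agent-facing metadata in tools.conf decides which Splunk capabilities an LLM can discover and invoke, it is worth linting each stanza before the MCP Server publishes it. The following added example (written for this page, not code from Splunk or the talk) does that over a constructed tools.conf in the usual Splunk INI style. The stanza prefix `tool:` and the key names (`description`, `input_params`, `execution_context`, `access_scope`, `permissions`, `search_object`, `rest_endpoint`) are assumptions that mirror the metadata fields listed above, not the real tools.conf specification. The checks enforce the points a defender cares about: every tool has a usable description, write-scope tools carry an explicit permission binding, agent-supplied parameters are typed scalars rather than free-form input, and each tool maps to exactly one backing search object or REST endpoint.

```python
"""Lint MCP tool stanzas in a Splunk-style tools.conf before exposing them.

Constructed example: the stanza layout and key names are assumptions,
not the real tools.conf schema.
"""
import configparser

# Execution contexts mirror the tool sources listed on the page.
ALLOWED_CONTEXTS = {"saved_search", "scheduled_search", "correlation_search",
                    "rest", "soar_workflow", "enrichment"}
ALLOWED_SCOPES = {"read", "write"}
# Agent-supplied inputs must be typed scalars, never free-form query text.
ALLOWED_PARAM_TYPES = {"string", "int", "bool"}
REQUIRED_KEYS = ("description", "input_params", "execution_context",
                 "access_scope", "permissions")

# Constructed sample: one clean stanza and two that should be rejected.
SAMPLE_TOOLS_CONF = """
[tool:host_investigation]
description = Return recent notable events for a host
input_params = host:string
execution_context = saved_search
access_scope = read
permissions = role:soc_analyst
search_object = SOC - Host Investigation

[tool:isolate_host]
description = Isolate a host via SOAR playbook
input_params = host:string, reason:string
execution_context = soar_workflow
access_scope = write
permissions =
rest_endpoint = /services/soar/isolate

[tool:adhoc_search]
description =
input_params = spl:raw
execution_context = search
access_scope = read
permissions = role:soc_analyst
search_object =
"""


def parse_tools_conf(text):
    """Return {stanza_name: {key: value}} for every [tool:*] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()
            if name.startswith("tool:")}


def parse_params(spec):
    """Parse 'name:type, name:type' into a list of (name, type) tuples."""
    params = []
    for item in filter(None, (p.strip() for p in spec.split(","))):
        name, _, ptype = item.partition(":")
        params.append((name.strip(), ptype.strip()))
    return params


def check_tool(stanza):
    """Return a list of findings for one stanza; empty means publishable."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in stanza:
            findings.append(f"missing key '{key}'")
    if not stanza.get("description", "").strip():
        findings.append("description is empty; agents rely on it to choose tools")
    ctx = stanza.get("execution_context", "")
    if ctx not in ALLOWED_CONTEXTS:
        findings.append(f"execution_context '{ctx}' not in allowed set")
    scope = stanza.get("access_scope", "")
    if scope not in ALLOWED_SCOPES:
        findings.append(f"access_scope '{scope}' not in allowed set")
    elif scope == "write" and not stanza.get("permissions", "").strip():
        findings.append("write-scope tool declares no permissions")
    for pname, ptype in parse_params(stanza.get("input_params", "")):
        if ptype not in ALLOWED_PARAM_TYPES:
            findings.append(f"parameter '{pname}' has unsupported type '{ptype}'")
    targets = [k for k in ("search_object", "rest_endpoint")
               if stanza.get(k, "").strip()]
    if len(targets) != 1:
        findings.append("must declare exactly one of search_object or rest_endpoint")
    return findings


def validate_tools_conf(text):
    """Map every tool stanza to its findings."""
    return {name: check_tool(stanza)
            for name, stanza in parse_tools_conf(text).items()}


def publishable_tools(text):
    """Deny by default: only stanzas with no findings are exposed."""
    return sorted(n for n, f in validate_tools_conf(text).items() if not f)


if __name__ == "__main__":
    for name, findings in validate_tools_conf(SAMPLE_TOOLS_CONF).items():
        print(name, "OK" if not findings else findings)
    print("publishable:", publishable_tools(SAMPLE_TOOLS_CONF))
```

Running it on the sample approves only `tool:host_investigation`; the SOAR isolation tool is held back until a permission binding is added, and the ad-hoc search stanza fails on its empty description, unlisted execution context, untyped `raw` parameter, and missing backing object. Wiring a check like this into the app's packaging or CI step keeps an agent from ever seeing a tool that was never deliberately scoped.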

The metadata defined in tools.conf is consumed by MCP-aware agents and LLM platforms, allowing them to discover, interpret, and invoke Splunk-native capabilities programmatically. This architecture transforms traditional Splunk apps into AI-consumable operational services, enabling advanced use cases such as:

  • AI-assisted SOC investigations

  • Automated threat hunting

  • Natural language querying of SIEM data

  • Autonomous incident enrichment

  • Context-aware remediation workflows

  • Cross-platform security orchestration

By leveraging MCP, Splunk extends beyond conventional analytics into an AI-integrated operational intelligence ecosystem where machine reasoning engines can securely interact with Splunk knowledge objects in real time.
