[2603.23966] Policy-Guided Threat Hunting: An LLM enabled Framework with Splunk SOC Triage
Computer Science > Cryptography and Security
arXiv:2603.23966 (cs)
Submitted on 25 Mar 2026 (v1), last revised 30 Mar 2026 (this version, v2)

Title: Policy-Guided Threat Hunting: An LLM enabled Framework with Splunk SOC Triage

Authors: Rishikesh Sahay, Bell Eapen, Weizhi Meng, Md Rasel Al Mamun, Nikhil Kumar Dora, Manjusha Sumasadan, Sumit Kumar Tetarave, Rod Soto, Elyson De La Cruz

Abstract: With frequently evolving Advanced Persistent Threats (APTs) in cyberspace, traditional security approaches have become inadequate for threat hunting in organizations. Moreover, SOC (Security Operations Center) analysts are often overwhelmed and struggle to analyze the huge volume of logs received from diverse devices in their organizations. To address these challenges, we propose an automated and dynamic threat hunting framework for monitoring evolving threats, adapting to changing network conditions, and performing risk-based prioritization for the mitigation of suspicious and malicious traffic. By integrating Agentic AI with Splunk, an established SIEM platform, we developed a unique threat hunting framework. The framework systematically and seamlessly integrates different threat hunting modules together, ranging from traffic ingestion to anomaly assessment using a reconstruction-based autoencoder, deep ...
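The abstract names two of the framework's building blocks, reconstruction-error anomaly assessment and risk-based prioritization, without showing how they fit together. The following is an added illustration, not code from the paper or its authors: a linear, tied-weight autoencoder (whose optimal bottleneck is spanned by the top-k principal components, so it is fitted here with power iteration in pure Python rather than with a deep network) is trained on a benign baseline of per-host traffic features, the reconstruction error of new windows is compared against a threshold learned from that baseline, and flagged hosts are ordered by error scaled with an asset-criticality weight. The feature set, the sample vectors, the host names, the role weights and the mean-plus-three-sigma threshold are all constructed assumptions.

```python
"""Reconstruction-error anomaly scoring with risk-based prioritization.

Added example, not the paper's code. The paper uses a reconstruction-based
(deep) autoencoder; this stands in the linear, tied-weight special case, fitted
with power iteration. All feature names, values and weights are constructed.
"""
import math

# Constructed per-host, per-window features (assumption):
# [connections, KB sent out, distinct destination ports, failed logins]
BASELINE = [
    [48, 190, 5, 0], [52, 210, 6, 1], [50, 205, 5, 1], [47, 180, 4, 0],
    [55, 230, 6, 2], [49, 195, 5, 1], [53, 220, 7, 1], [46, 175, 4, 0],
    [51, 200, 5, 2], [54, 225, 6, 1], [50, 198, 5, 0], [45, 170, 4, 1],
]

# Constructed asset-criticality weights used for prioritization (assumption).
CRITICALITY = {"domain_controller": 3.0, "server": 2.0, "workstation": 1.0}


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


class LinearAutoencoder:
    """Bottleneck of size k; encoder and decoder share the k x d weight matrix."""

    def __init__(self, k=2, iters=200):
        self.k, self.iters = k, iters

    def fit(self, rows):
        n, d = len(rows), len(rows[0])
        # Standardize with baseline statistics so no single feature dominates.
        self.mean = [sum(r[i] for r in rows) / n for i in range(d)]
        self.std = [max(1e-9, math.sqrt(sum((r[i] - self.mean[i]) ** 2 for r in rows) / n))
                    for i in range(d)]
        z = [self._scale(r) for r in rows]
        cov = [[sum(a[i] * a[j] for a in z) / n for j in range(d)] for i in range(d)]
        self.components = []
        for _ in range(self.k):
            v = [1.0] * d                      # deterministic start vector
            for _ in range(self.iters):        # power iteration -> top eigenvector
                w = [_dot(cov[i], v) for i in range(d)]
                norm = math.sqrt(_dot(w, w)) or 1.0
                v = [x / norm for x in w]
            lam = _dot(v, [_dot(cov[i], v) for i in range(d)])
            # Deflate so the next pass finds the next principal direction.
            cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
            self.components.append(v)
        # Threshold learned from the benign baseline: mean + 3 sigma (assumption).
        errs = [self.reconstruction_error(r) for r in rows]
        mu = sum(errs) / n
        sd = math.sqrt(sum((e - mu) ** 2 for e in errs) / n)
        self.threshold = mu + 3 * sd
        return self

    def _scale(self, r):
        return [(r[i] - self.mean[i]) / self.std[i] for i in range(len(r))]

    def reconstruction_error(self, r):
        z = self._scale(r)
        code = [_dot(v, z) for v in self.components]                    # encode
        zhat = [sum(c * v[i] for c, v in zip(code, self.components))    # decode
                for i in range(len(z))]
        return sum((a - b) ** 2 for a, b in zip(z, zhat))

    def is_anomalous(self, r):
        return self.reconstruction_error(r) > self.threshold


def triage(ae, observations):
    """Return (host, risk, flagged) sorted by risk, highest first.

    risk = (reconstruction error / threshold) * asset criticality, so a mild
    deviation on a domain controller can outrank a similar one on a workstation.
    """
    ranked = []
    for host, role, feats in observations:
        err = ae.reconstruction_error(feats)
        risk = (err / ae.threshold) * CRITICALITY[role]
        ranked.append((host, round(risk, 2), err > ae.threshold))
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed current-window observations (assumption): a port scan plus brute
# force on a workstation, a large outbound transfer from a server, and a normal DC.
OBSERVATIONS = [
    ("wst-07", "workstation", [60, 240, 180, 35]),
    ("srv-db-02", "server", [300, 9000, 6, 1]),
    ("dc-01", "domain_controller", [50, 200, 5, 1]),
]


def run():
    ae = LinearAutoencoder(k=2).fit(BASELINE)
    return triage(ae, OBSERVATIONS)


if __name__ == "__main__":
    for host, risk, flagged in run():
        print(f"{host:10s} risk={risk:10.2f} {'ANOMALY' if flagged else 'ok'}")
```

The threshold is derived from the same baseline the bottleneck was fitted on, which is the usual failure mode of this approach: if the "benign" training window already contains attacker activity, the reconstruction learns it as normal and the alert disappears. In practice the baseline should be curated, re-fitted as the network changes, and the threshold reviewed against a held-out set rather than trusted from a single fit.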