Saved in:
Bibliographic Details
Main Authors: Sahay, Rishikesh, Eapen, Bell, Meng, Weizhi, Mamun, Md Rasel Al, Dora, Nikhil Kumar, Sumasadan, Manjusha, Tetarave, Sumit Kumar, De La Cruz, Elyson
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.23966
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915931100282880
author Sahay, Rishikesh
Eapen, Bell
Meng, Weizhi
Mamun, Md Rasel Al
Dora, Nikhil Kumar
Sumasadan, Manjusha
Tetarave, Sumit Kumar
De La Cruz, Elyson
author_facet Sahay, Rishikesh
Eapen, Bell
Meng, Weizhi
Mamun, Md Rasel Al
Dora, Nikhil Kumar
Sumasadan, Manjusha
Tetarave, Sumit Kumar
De La Cruz, Elyson
contents With frequently evolving Advanced Persistent Threats (APTs) in cyberspace, traditional security solutions approaches have become inadequate for threat hunting for organizations. Moreover, SOC (Security Operation Centers) analysts are often overwhelmed and struggle to analyze the huge volume of logs received from diverse devices in organizations. To address these challenges, we propose an automated and dynamic threat hunting framework for monitoring evolving threats, adapting to changing network conditions, and performing risk-based prioritization for the mitigation of suspicious and malicious traffic. By integrating Agentic AI with Splunk, an established SIEM platform, we developed a unique threat hunting framework. The framework systematically and seamlessly integrates different threat hunting modules together, ranging from traffic ingestion to anomaly assessment using a reconstruction-based autoencoder, deep reinforcement learning (DRL) with two layers for initial triage, and a large language model (LLM) for contextual analysis. We evaluated the framework against a publicly available benchmark dataset, as well as against a simulated dataset. The experimental results show that the framework can effectively adapt to different SOC objectives autonomously and identify suspicious and malicious traffic. The framework enhances operational effectiveness by supporting SOC analysts in their decision-making to block, allow, or monitor network traffic. This study thus enhances cybersecurity and threat hunting literature by presenting the novel threat hunting framework for security decision-making, as well as promoting cumulative research efforts to develop more effective frameworks to battle continuously evolving cyber threats.
format Preprint
id arxiv_https___arxiv_org_abs_2603_23966
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Policy-Guided Threat Hunting: An LLM enabled Framework with Splunk SOC Triage
Sahay, Rishikesh
Eapen, Bell
Meng, Weizhi
Mamun, Md Rasel Al
Dora, Nikhil Kumar
Sumasadan, Manjusha
Tetarave, Sumit Kumar
De La Cruz, Elyson
Cryptography and Security
Artificial Intelligence
With frequently evolving Advanced Persistent Threats (APTs) in cyberspace, traditional security solutions approaches have become inadequate for threat hunting for organizations. Moreover, SOC (Security Operation Centers) analysts are often overwhelmed and struggle to analyze the huge volume of logs received from diverse devices in organizations. To address these challenges, we propose an automated and dynamic threat hunting framework for monitoring evolving threats, adapting to changing network conditions, and performing risk-based prioritization for the mitigation of suspicious and malicious traffic. By integrating Agentic AI with Splunk, an established SIEM platform, we developed a unique threat hunting framework. The framework systematically and seamlessly integrates different threat hunting modules together, ranging from traffic ingestion to anomaly assessment using a reconstruction-based autoencoder, deep reinforcement learning (DRL) with two layers for initial triage, and a large language model (LLM) for contextual analysis. We evaluated the framework against a publicly available benchmark dataset, as well as against a simulated dataset. The experimental results show that the framework can effectively adapt to different SOC objectives autonomously and identify suspicious and malicious traffic. The framework enhances operational effectiveness by supporting SOC analysts in their decision-making to block, allow, or monitor network traffic. This study thus enhances cybersecurity and threat hunting literature by presenting the novel threat hunting framework for security decision-making, as well as promoting cumulative research efforts to develop more effective frameworks to battle continuously evolving cyber threats.
title Policy-Guided Threat Hunting: An LLM enabled Framework with Splunk SOC Triage
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2603.23966