Splunk AI: Catalyzing Digital Resilience in Cybersecurity and Observability
For modern enterprises, AI brings both new threats and new opportunities to our industry. Sending data to third-party AI providers can raise compliance and privacy concerns. AI is expanding organizations’ attack surface through adversarial attacks, data poisoning, and model theft. Plus, there are now more threat actors than ever before, as AI continues to lower the barriers to entry for new people to conduct novel attacks. There are also the challenges that arise from relying on inaccurate models, which can lead to the wrong decisions being made. All of this is creating more headaches for those tasked with keeping organizations secure and up and running.
On the other hand, AI brings an abundance of opportunities for SecOps, ITOps, and engineering teams. AI can help detect important events by automatically mining data to better surface key events and signals. It can provide context and situational awareness with intelligent event summarization and interpretation, and it can accelerate learning curves. Productivity and efficiency can drastically increase by freeing users from basic tasks and allowing them to focus on higher-value initiatives. We believe the benefits of AI far outweigh the downsides, and we are increasing our investments in taking our trusted AI capabilities even further.
Splunk is taking a very deliberate and thoughtful approach to AI driven by three key principles:
- Domain and Splunk Specific: Our AI capabilities are personalized to be domain specific for security and observability use cases, and can be tightly integrated within your workflow.
- Human in the Loop: Splunk customers keep the world’s most important digital systems secure and performant. The stakes are very high. It is essential that AI assist human decision making.
- Open and Extensible: As we plan to directly integrate more AI into the platform, we will allow customers and partners to extend our models or bring their own models, in line with their policies and risk tolerance. These models can work with data in Splunk as well as data in other data stores, providing flexible solutions.
We have been embracing AI as a discipline since 2015, both as embedded product capabilities and as customizable ML tools. We have ML in the core search capabilities of our products as well as ML-powered detections and behavioral anomaly analysis in Splunk Enterprise Security and Splunk User Behavior Analytics. Throughout our observability solutions, we have many AI and ML capabilities, including predictive analytics, alert noise reduction, anomaly detection, adaptive thresholding, alert autodetect, and incident correlation. Our customizable ML offerings for the Splunk Platform include the Machine Learning Toolkit, with guided workflows and smart assistants for users of all levels; the Splunk App for Data Science and Deep Learning (DSDL), for advanced and custom AI use cases with data science tools; and the Python for Scientific Computing add-on, with AI-specific libraries. All of these capabilities are in service of our ultimate goal — to build a safer and more resilient digital world — AI just catalyzes it.
At .conf23, we released a wide range of new and improved AI functionality to our portfolio starting with our innovations in the Splunk Platform, all of which are available on Splunkbase today.
Splunk Platform
- Splunk AI Assistant (Preview): An improved version of the former SPL Copilot, our AI Assistant uses generative AI to provide a chat experience that helps customers author and learn SPL by interacting in plain English and providing query suggestions, explanations, and detailed breakdowns.
- Splunk App for Anomaly Detection: Enables Splunk users to detect anomalies in their time series data sets and metrics using powerful machine learning algorithms in just a few clicks, while providing an end-to-end operationalization workflow to streamline creating and running anomaly detection jobs and triggering alerts based on these jobs.
- Machine Learning Toolkit (MLTK) 5.4: Makes machine learning easier for a broad range of users through guided assistance that helps set up outlier and anomaly detection, predictive analytics, and data clustering. It now also lets users upload their externally pre-trained ONNX models through a simple UI and then use those models with their Splunk data, with no modification to their existing workflow.
- Splunk App for Data Science and Deep Learning (DSDL) 5.1: Extends MLTK with advanced custom machine learning and deep learning systems, and now includes two new natural language processing AI assistants that allow customers to leverage LLMs to build and train models with their domain specific data for text summarization and text classification use cases.
Security
To empower SecOps teams with rapid threat detection, we have added in the last year:
- 6 ML-powered detections in the Splunk Enterprise Security Content Update (ESCU) app developed by our Threat Research Team and released over the last year to help customers with time-sensitive security threats.
Observability
To accelerate detection and realize faster time-to-value in ITOps, we’ve embedded additional ML capabilities in IT Service Intelligence (ITSI) 4.17:
- Outlier Exclusion for Adaptive Thresholding detects and omits abnormal data points, or outliers (such as spikes caused by network disruptions or outages), to produce more precise dynamic thresholds and drive accurate detection within the IT environment.
- The new ML-Assisted Thresholding (Preview) uses historical data and patterns to create dynamic thresholds with just one click, for more accurate alerting on the health of an organization's technology environment.
The opportunities for using AI in SecOps, ITOps, and engineering teams are vast. Our vision for Splunk AI is to build on our solid foundations in AI and integrate AI more deeply into users’ everyday workflows across Splunk. We want to combine our insights in the security and observability domains with the ability to help you unlock insights from your own Splunk environment. We want to improve your ability to detect, investigate, and respond to incidents faster. We want the AI capabilities in our products to ultimately serve as the catalyst that helps your organization become more digitally resilient.
Follow all the conversations coming out of #splunkconf23!