Nabugu -

Splunk AI update adds specialized models for SecOps tasks

Splunk AI updates this week included specialized models for SecOps that detect and automatically respond to common issues such as DNS exfiltration and suspicious processes.

After Splunk CEO Gary Steele took the helm last year, he pledged to lead Splunk's product development with a focus on AIOps. This week at .conf23, the company rolled out updates showcasing the fruits of that endeavor, including a set of specialized Splunk AI models for SecOps teams.

Splunk has included AI and machine learning in its observability and security monitoring tools since 2015. Several of this week's updates included features meant to make it easier for enterprise IT pros to use its existing Search Processing Language (SPL), Machine Learning Toolkit (MLTK) and App for Data Science and Deep Learning through natural language processing.

Where this week's Splunk AI updates stand out the most, however, is in the security realm, said Andy Thurai, an analyst at Constellation Research. Over the last year, the company's threat research team has trained deep learning AI models on security data to create six new AI-driven automation tools that can detect and automatically address specific SecOps issues, such as DNS exfiltration attempts. These updates became available this week in the Splunk Enterprise Security Content Update.

"The six ML [updates] based on deep learning models, such as recurrent neural networks and convolution neural networks, to detect DNS data exfiltration, command exploits and suspicious processes can all be pretty powerful in detecting security issues before they happen," Thurai said.

These deep learning models also stand out from large language models (LLMs) used by a number of Splunk competitors through partnerships with OpenAI and Google, which require massive amounts of data to train -- more than most large IT vendors can access. But smaller, specialized language models accessible to vendors such as Splunk can offer specialized analytics for domain-specific use through tools such as MLTK, according to Thurai.

The six SecOps AI models can generate Notable Events workflows within the Splunk Enterprise Security security information and event management product. Splunk Enterprise Security is integrated with Splunk Mission Control, which was refreshed in March and combines security analytics from Splunk Enterprise Security, orchestration and automation from Splunk SOAR, and threat intelligence under one interface. This week, Splunk SOAR integrated new automated threat analysis features from TwinWave Security, a company Splunk acquired in November, under the name Splunk Attack Analyzer.

Splunk CEO Gary Steele at .conf
Splunk CEO Gary Steele presents at Splunk .conf23.

Splunk AI adds incremental updates for observability

Other Splunk AI updates this week joined competitors in weaving together natural language interfaces with existing tools. Such tools, built using LLMs, have been trendy among observability and DevSecOps vendors over the last year, as they looked to ride a massive wave of hype generated by OpenAI's ChatGPT.

Splunk AI Assistant, released this week in preview, replaces a previous product named SPL Copilot, which functioned similarly to GitHub's Copilot AI pair programming tool, generating SPL query code from plain English prompts. The new AI Assistant "also explains what a given SPL query is doing in plain English with a summary as well as a detailed breakdown of the query," according to Splunk documentation.

Separate updates this week to ML features in Splunk's observability product, IT Service Intelligence, brush up anomaly detection with the ability to exclude outliers from adaptive alert thresholds and a preview of ML-assisted thresholding, which will set up alert thresholds based on historical data patterns "with just one click," according to a Splunk press release.

For the most part, these updates to Splunk's AIOps tools this week were incremental additions to existing offerings that don't necessarily break new ground in the industry, Thurai said. Still, they could be welcome additions to Splunk's toolsets for existing customers.

Splunk AI Assistant … can be a good tool to help support SREs, SecOps folks and even DevOps teams to find information faster for incident management, whether it is for security or service incidents.
Andy ThuraiAnalyst, Constellation Research

"Most of their announcements are very 'catchup-y,' as many of their competitors have announced something similar or better already," he said. "[But] Splunk AI Assistant … can be a good tool to help support SREs, SecOps folks and even DevOps teams to find information faster for incident management, whether it is for security or service incidents."

One Splunk enterprise customer said he's interested in what Splunk AI Assistant can do, but the fine print on the preview version gave him pause.

"I think it will lower the entry barrier a lot for users to extract insights from Splunk without having strong SPL skills," said Steve Koelpin, lead Splunk engineer for a Fortune 1,000 company in the Midwest.

However, at least in the preview version, Splunk's documentation warns, "The app collects data that can be used to fine tune the model. Please do not enter any data that is personally identifiable, confidential or otherwise sensitive. The preview app should not be installed in any compliance environment."

If those caveats also turn out to apply to the generally available version, it would be a deal-breaker for his organization, Koelpin said.

"We would need control of that data or at a minimum it would need to be secured in Splunk's systems," he said. "The other concern I have is cost. Each query to the LLM will cost money, and multiplied across thousands of users who issue tons of queries per day, it could lead to unexpected costs. We would need guard rails before we set this loose."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.

Dig Deeper on IT systems management and monitoring

Software Quality
App Architecture
Cloud Computing
Data Center