Splunk and AI, Part 1- Automating Threat Hunting With Artificial Intelligence

With the rapid rise of artificial intelligence tools within our daily lives and careers, it’s no surprise that cybersecurity tools are utilizing AI to better secure computing environments. These days, you can’t find a modern cybersecurity defense tool that doesn’t utilize AI in some form. EDR solutions, cloud security solutions, and SIEMs are some of the most popular cybersecurity tools that utilize some kind of AI in their offerings.


I do believe that the use of AI in cybersecurity is not going anywhere. In fact, its use will only continue to grow as the volume of security data to analyze increases and cybersecurity teams continue to be understaffed. Simply put, most cybersecurity teams do not have the manpower to investigate every possible security anomaly. AI, when implemented properly, can bring those hidden threats to the surface and spare analysts the needle-in-a-haystack searches that would normally require a larger, more established team with the resources and manpower to spend on activities like these.


However, the biggest challenge for companies using AI is the monetary investment required. Whether you train your analysts to use AI or buy an outside tool to do it for you, you will have to spend some money. As someone who has used Splunk quite a bit in his cybersecurity career, I wanted to find a free Splunk solution that can be used to implement AI to help cybersecurity teams automate the threat hunting process and produce high-fidelity results that analysts can use in their own threat hunting activities.


Fortunately, I came across the Splunk Data Science and Deep Learning (DSDL) app. The DSDL app allows you to create your own AI models, train the models with your own Splunk data, and deploy the models in production where you can run new data through your trained model for whatever purpose you are trying to accomplish. I obviously chose to use the app for threat hunting purposes. The only investment required to use the app is Splunk itself and having some training in creating AI models. I personally recommend the SANS SEC595 course. While pricey, it’s definitely worth the investment.


The Splunk DSDL app works by creating a development environment on a container platform of your choosing (either Docker or Kubernetes). The idea is to create your AI model within the development environment using typical AI tools like TensorFlow, PyTorch, pandas, etc. Once created, you can train it using typical Splunk Machine Learning Toolkit syntax. I personally did not have great results from training the model within Splunk because the training took far too long due to the amount of data the model was trained on. Instead, I trained it outside of DSDL and imported the trained model into the development environment. You can then deploy a dedicated container holding your trained model and run your Splunk data against it to gain insights into the data.

Splunk Data Science and Deep Learning App

I managed to create an AI model that determines whether a command executed on the domain controller within my lab is normal or anomalous. Interestingly enough, it accurately detects commands that are not commonly executed on the domain controller. In a Part 2 follow-up post, I'll show the approach I used to create this model.
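To make the "normal versus anomalous command" idea concrete before Part 2, here is an added example (not the author's model, which is built with DSDL and deep learning tooling): a plain-Python baseline that scores a process command line by how rare its tokens are relative to a set of routine domain controller commands. The baseline and the new events are constructed placeholder data, and the token-rarity scoring is a stand-in for the trained model, chosen because it runs offline with no ML libraries.

```python
import math
import re
from collections import Counter

# Constructed baseline of routine process command lines from a lab domain
# controller (placeholder data, not the author's dataset), repeated x5.
BASELINE = [
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"C:\Windows\System32\svchost.exe -k NetworkService -p",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\System32\dns.exe",
    r"C:\Windows\System32\conhost.exe 0xffffffff -ForceV1",
    r"C:\Windows\System32\repadmin.exe /replsummary",
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
] * 5

# Constructed batch of new events; the last two never appear in the baseline.
NEW_EVENTS = [
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"C:\Windows\System32\lsass.exe",
    r"C:\Windows\System32\cmd.exe /c whoami",
    r"C:\Users\Public\update.exe --silent",
]

def tokenize(cmdline):
    """Lower-case, split into path/flag tokens and collapse digit runs so
    PIDs, handles and version numbers don't each look like a rare token."""
    tokens = re.findall(r"[a-z0-9_./:\\\-]+", cmdline.lower())
    return [re.sub(r"\d+", "#", t) for t in tokens]

class TokenRarityModel:
    """Mean per-token surprisal (-log p) under the Laplace-smoothed baseline
    token distribution; a higher score means a more unusual command line."""
    def __init__(self, baseline):
        self.counts = Counter(t for c in baseline for t in tokenize(c))
        self.total = sum(self.counts.values())
        self.vocab = len(self.counts) + 1  # +1 reserves mass for unseen tokens
    def score(self, cmdline):
        toks = tokenize(cmdline) or ["<empty>"]
        return sum(-math.log((self.counts[t] + 1) / (self.total + self.vocab))
                   for t in toks) / len(toks)

def fit_threshold(model, baseline, margin=0.25):
    """Threshold just above the most unusual command the baseline contains."""
    return max(model.score(c) for c in baseline) + margin

def hunt(model, events, threshold):
    """(command, score) pairs above the threshold, i.e. what to look at first."""
    return [(c, round(model.score(c), 2)) for c in events
            if model.score(c) > threshold]
```

Because the score is a mean, one rare argument on an otherwise routine binary gets diluted and may slip under the threshold; that is the kind of case where a learned model (or a max-over-tokens variant) earns its keep.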

Splunk DSDL showing the available containers

Previous post: Splunk and AI, Part 2 – Threat Hunting on Domain Controllers Using Deep Learning