AI analysis in Splunk Enterprise Security

When the AI triage agent is turned on by your administrator, it automatically analyzes incoming findings and surfaces its results directly in your workflow.

What the triage agent does

When you select a finding in the queue, an AI Analysis section appears in the side panel. The agent has already investigated the finding by the time you open it, searching your third-party connectors and gathering relevant evidence. The AI Analysis presents:

  • A disposition recommendation: true positive, false positive, benign positive, or other

  • A summary of the finding and the reasoning behind the recommended disposition

  • The tools and evidence consulted to reach the conclusion, including any connectors used during analysis

If you want to go deeper, select View details for a step-by-step breakdown of the agent's investigation, including the full timeline of actions taken and the specific evidence that informed each conclusion.

How to use the recommendations

The AI triage agent never changes any fields on your behalf. Its role is to give you a well-reasoned starting point so you can make a faster, more confident decision. You remain in control of the final disposition.

Use the recommendation to validate your own assessment, to skip repetitive investigative steps you would otherwise perform manually, or to quickly close out findings that the agent has identified, with high confidence, as false or benign positives.

Providing feedback

Your feedback helps improve the quality of future analysis. After reviewing a recommendation, select the thumbs up or thumbs down icon, provide a brief reasoning, and select Submit.

Flagging cases where the steps followed were incorrect, or where the conclusion does not match what you would expect, directly informs how the agent handles similar findings going forward.