Setting up the triage agent
Security Operations Center (SOC) analysts face a relentless volume of alerts every day. The vast majority turn out to be false positives or benign true positives, but each one still has to be reviewed before it can be dismissed. The sheer scale of this work leaves analysts stretched thin, reducing the time available for genuine threats and increasing the risk that something critical slips through.
The AI triage agent in Splunk Enterprise Security is designed for findings with unpredictable investigation paths, and for teams that don't have the time or resources to build custom automation for every detection type.
Powered by a large language model, the AI triage agent autonomously investigates findings as they arrive in a queue. By the time an analyst opens a finding, the agent has already recorded a disposition, a clear rationale, and recommended next steps. Every step of the investigation is documented inline so analysts can follow the agent's reasoning, verify its conclusions, and act with confidence.
For more information on how to use the AI triage agent after setting it up, see AI analysis in Splunk Enterprise Security.