{"id":"https://openalex.org/W7140448654","doi":"https://doi.org/10.48550/arxiv.2603.23966","title":"Policy-Guided Threat Hunting: An LLM enabled Framework with Splunk SOC Triage","display_name":"Policy-Guided Threat Hunting: An LLM enabled Framework with Splunk SOC Triage","publication_year":2026,"publication_date":"2026-03-25","ids":{"openalex":"https://openalex.org/W7140448654","doi":"https://doi.org/10.48550/arxiv.2603.23966"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.23966","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.23966","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.23966","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5130682781","display_name":"Rishikesh Sahay","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Sahay, Rishikesh","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5119998464","display_name":"Bell Eapen","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Eapen, Bell","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130690614","display_name":"Weizhi Meng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Meng, Weizhi","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5029405967","display_name":"Md Rasel Al Mamun","orcid":"https://orcid.org/0000-0002-2710-6599"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Mamun, Md Rasel Al","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130687776","display_name":"Nikhil Kumar Dora","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Dora, Nikhil Kumar","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5119998463","display_name":"Manjusha Sumasadan","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sumasadan, Manjusha","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5013858251","display_name":"Sumit Kumar Tetarave","orcid":"https://orcid.org/0000-0002-6937-3564"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tetarave, Sumit Kumar","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":null,"display_name":"De La Cruz, Elyson","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"De La Cruz, Elyson","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":8,"corresponding_author_ids":["https://openalex.org/A5130682781"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.45809999108314514,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.45809999108314514,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.3255999982357025,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10714","display_name":"Software-Defined Networks and 5G","score":0.05979999899864197,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/botnet","display_name":"Botnet","score":0.5888000130653381},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.5127000212669373},{"id":"https://openalex.org/keywords/triage","display_name":"Triage","score":0.4052000045776367},{"id":"https://openalex.org/keywords/prioritization","display_name":"Prioritization","score":0.4032000005245209},{"id":"https://openalex.org/keywords/cyber-threats","display_name":"Cyber threats","score":0.3912000060081482},{"id":"https://openalex.org/keywords/benchmark","display_name":"Benchmark (surveying)","score":0.38190001249313354},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.3610000014305115},{"id":"https://openalex.org/keywords/network-security","display_name":"Network security","score":0.36000001430511475},{"id":"https://openalex.org/keywords/reinforcement-learning","display_name":"Reinforcement learning","score":0.34529998898506165}],"concepts":[{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6545000076293945},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6226999759674072},{"id":"https://openalex.org/C22735295","wikidata":"https://www.wikidata.org/wiki/Q317671","display_name":"Botnet","level":3,"score":0.5888000130653381},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.5127000212669373},{"id":"https://openalex.org/C2777120189","wikidata":"https://www.wikidata.org/wiki/Q780067","display_name":"Triage","level":2,"score":0.4052000045776367},{"id":"https://openalex.org/C2777615720","wikidata":"https://www.wikidata.org/wiki/Q11888847","display_name":"Prioritization","level":2,"score":0.4032000005245209},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.39480000734329224},{"id":"https://openalex.org/C3018725008","wikidata":"https://www.wikidata.org/wiki/Q4071928","display_name":"Cyber threats","level":2,"score":0.3912000060081482},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.38190001249313354},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.3610000014305115},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.36000001430511475},{"id":"https://openalex.org/C97541855","wikidata":"https://www.wikidata.org/wiki/Q830687","display_name":"Reinforcement learning","level":2,"score":0.34529998898506165},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.3416000008583069},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.33090001344680786},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.3294000029563904},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.32679998874664307},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.3149000108242035},{"id":"https://openalex.org/C2778868856","wikidata":"https://www.wikidata.org/wiki/Q18394273","display_name":"Threat assessment","level":2,"score":0.3091999888420105},{"id":"https://openalex.org/C2779606945","wikidata":"https://www.wikidata.org/wiki/Q5145847","display_name":"Collaborative network","level":2,"score":0.3001999855041504},{"id":"https://openalex.org/C136197465","wikidata":"https://www.wikidata.org/wiki/Q1729295","display_name":"Variety (cybernetics)","level":2,"score":0.29269999265670776},{"id":"https://openalex.org/C29852176","wikidata":"https://www.wikidata.org/wiki/Q373338","display_name":"Critical infrastructure","level":2,"score":0.2888000011444092},{"id":"https://openalex.org/C14224292","wikidata":"https://www.wikidata.org/wiki/Q13600188","display_name":"Conceptual framework","level":2,"score":0.2700999975204468},{"id":"https://openalex.org/C145804949","wikidata":"https://www.wikidata.org/wiki/Q478123","display_name":"Situation awareness","level":2,"score":0.2590999901294708},{"id":"https://openalex.org/C2777667771","wikidata":"https://www.wikidata.org/wiki/Q926331","display_name":"Ransomware","level":3,"score":0.2563000023365021},{"id":"https://openalex.org/C14185376","wikidata":"https://www.wikidata.org/wiki/Q30232","display_name":"Agile software development","level":2,"score":0.2554999887943268},{"id":"https://openalex.org/C206345919","wikidata":"https://www.wikidata.org/wiki/Q20380951","display_name":"Resource (disambiguation)","level":2,"score":0.2524999976158142}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.23966","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.23966","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.23966","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.23966","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"score":0.7804121971130371,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"With":[0],"frequently":[1],"evolving":[2,60,228],"Advanced":[3],"Persistent":[4],"Threats":[5],"(APTs)":[6],"in":[7,43,184],"cyberspace,":[8],"traditional":[9],"security":[10,211],"solutions":[11],"approaches":[12],"have":[13],"become":[14],"inadequate":[15],"for":[16,19,58,71,125,134,210],"threat":[17,55,93,103,200,207],"hunting":[18,56,94,104,201,208],"organizations.":[20,44],"Moreover,":[21],"SOC":[22,166,182],"(Security":[23],"Operation":[24],"Centers)":[25],"analysts":[26,183],"are":[27],"often":[28],"overwhelmed":[29],"and":[30,53,67,76,99,128,169,172,199],"struggle":[31],"to":[32,63,111,164,187,220,225],"analyze":[33],"the":[34,72,139,159,205],"huge":[35],"volume":[36],"of":[37,74],"logs":[38],"received":[39],"from":[40,108],"diverse":[41],"devices":[42],"To":[45],"address":[46],"these":[47],"challenges,":[48],"we":[49,89],"propose":[50],"an":[51,85],"automated":[52],"dynamic":[54],"framework":[57,97,140,160,176,209],"monitoring":[59],"threats,":[61],"adapting":[62],"changing":[64],"network":[65,192],"conditions,":[66],"performing":[68],"risk-based":[69],"prioritization":[70],"mitigation":[73],"suspicious":[75,171],"malicious":[77,173],"traffic.":[78,174,193],"By":[79],"integrating":[80],"Agentic":[81],"AI":[82],"with":[83,122],"Splunk,":[84],"established":[86],"SIEM":[87],"platform,":[88],"developed":[90],"a":[91,115,129,142,151],"unique":[92],"framework.":[95],"The":[96,154,175],"systematically":[98],"seamlessly":[100],"integrates":[101],"different":[102,165],"modules":[105],"together,":[106],"ranging":[107],"traffic":[109],"ingestion":[110],"anomaly":[112],"assessment":[113],"using":[114],"reconstruction-based":[116],"autoencoder,":[117],"deep":[118],"reinforcement":[119],"learning":[120],"(DRL)":[121],"two":[123],"layers":[124],"initial":[126],"triage,":[127],"large":[130],"language":[131],"model":[132],"(LLM)":[133],"contextual":[135],"analysis.":[136],"We":[137],"evaluated":[138],"against":[141,150],"publicly":[143],"available":[144],"benchmark":[145],"dataset,":[146],"as":[147,149,213,215],"well":[148,214],"simulated":[152],"dataset.":[153],"experimental":[155],"results":[156],"show":[157],"that":[158],"can":[161],"effectively":[162],"adapt":[163],"objectives":[167],"autonomously":[168],"identify":[170],"enhances":[177,197],"operational":[178],"effectiveness":[179],"by":[180,203],"supporting":[181],"their":[185],"decision-making":[186],"block,":[188],"allow,":[189],"or":[190],"monitor":[191],"This":[194],"study":[195],"thus":[196],"cybersecurity":[198],"literature":[202],"presenting":[204],"novel":[206],"decision-making,":[212],"promoting":[216],"cumulative":[217],"research":[218],"efforts":[219],"develop":[221],"more":[222],"effective":[223],"frameworks":[224],"battle":[226],"continuously":[227],"cyber":[229],"threats.":[230]},"counts_by_year":[],"updated_date":"2026-04-15T05:59:14.812645","created_date":"2026-03-27T00:00:00"}