With Advanced Persistent Threats (APTs) evolving rapidly in cyberspace, traditional security approaches have become inadequate for threat hunting in organizations. Moreover, Security Operations Center (SOC) analysts are often overwhelmed and struggle to analyze the huge volume of logs received from diverse devices across the organization. To address these challenges, we propose an automated and dynamic threat hunting framework that monitors evolving threats, adapts to changing network conditions, and performs risk-based prioritization for the mitigation of suspicious and malicious traffic. By integrating agentic AI with Splunk, an established SIEM platform, we developed a threat hunting framework that systematically and seamlessly chains its modules together: traffic ingestion, anomaly assessment using a reconstruction-based autoencoder, a two-layer deep reinforcement learning (DRL) stage for initial triage, and a large language model (LLM) for contextual analysis. We evaluated the framework on a publicly available benchmark dataset and on a simulated dataset. The experimental results show that the framework can autonomously adapt to different SOC objectives and identify suspicious and malicious traffic. The framework improves operational effectiveness by supporting SOC analysts in deciding whether to block, allow, or monitor network traffic. This study thus contributes to the cybersecurity and threat hunting literature by presenting a novel threat hunting framework for security decision-making, and by promoting cumulative research efforts toward more effective frameworks for countering continuously evolving cyber threats.
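The anomaly-assessment stage described above rests on one idea: an autoencoder trained only on benign traffic reconstructs benign flows well and anomalous flows badly, so the reconstruction error is the anomaly score, and a threshold calibrated on held-out benign data turns that score into an allow/monitor/block decision. The following is an added, self-contained example of that stage written for this page; it is not code from the paper or its Splunk integration. Everything in it is an assumption for illustration: the four normalised flow features, the constructed benign flows (packets track bytes, distinct ports track duration, plus small noise), the linear autoencoder trained with plain gradient descent in place of whatever network the authors used, the mean-plus-three-standard-deviations threshold, and the fixed ratio tiers that stand in for the paper's DRL triage and LLM stages.

```python
import random
from statistics import mean, pstdev

# Assumed feature vector, each value normalised to [0, 1] (not the paper's schema)
FEATURES = ("bytes", "packets", "duration", "distinct_ports")
INPUT_DIM, HIDDEN_DIM = len(FEATURES), 2  # 2-unit bottleneck forces compression


def synthetic_benign_flows(n, rng, noise=0.02):
    """Constructed benign traffic: packets track bytes and distinct ports track
    duration, so flows lie near a 2-D subspace that the bottleneck can learn;
    a flow off that subspace (e.g. many ports in a short flow) reconstructs badly."""
    flows = []
    for _ in range(n):
        a, b = rng.random(), rng.random()
        clean = [a, 0.8 * a, b, 0.2 * b]
        flows.append([v + rng.gauss(0.0, noise) for v in clean])
    return flows


def reconstruct(w1, w2, x):
    """Linear autoencoder: encode x into HIDDEN_DIM units, decode back to INPUT_DIM."""
    hidden = [sum(w1[j][i] * x[i] for i in range(INPUT_DIM)) for j in range(HIDDEN_DIM)]
    output = [sum(w2[i][j] * hidden[j] for j in range(HIDDEN_DIM)) for i in range(INPUT_DIM)]
    return hidden, output


def reconstruction_error(w1, w2, x):
    """Anomaly score = squared reconstruction error of one flow."""
    _, output = reconstruct(w1, w2, x)
    return sum((o - v) ** 2 for o, v in zip(output, x))


def train_autoencoder(flows, epochs=1000, lr=0.1, seed=7):
    """Full-batch gradient descent on mean squared reconstruction error."""
    rng = random.Random(seed)
    w1 = [[rng.uniform(-0.5, 0.5) for _ in range(INPUT_DIM)] for _ in range(HIDDEN_DIM)]
    w2 = [[rng.uniform(-0.5, 0.5) for _ in range(HIDDEN_DIM)] for _ in range(INPUT_DIM)]
    n = len(flows)
    for _ in range(epochs):
        g1 = [[0.0] * INPUT_DIM for _ in range(HIDDEN_DIM)]
        g2 = [[0.0] * HIDDEN_DIM for _ in range(INPUT_DIM)]
        for x in flows:
            hidden, output = reconstruct(w1, w2, x)
            d_out = [2.0 * (o - v) for o, v in zip(output, x)]  # dLoss/dOutput
            for i in range(INPUT_DIM):
                for j in range(HIDDEN_DIM):
                    g2[i][j] += d_out[i] * hidden[j]           # dLoss/dW2
            d_hidden = [sum(w2[i][j] * d_out[i] for i in range(INPUT_DIM))
                        for j in range(HIDDEN_DIM)]
            for j in range(HIDDEN_DIM):
                for i in range(INPUT_DIM):
                    g1[j][i] += d_hidden[j] * x[i]             # dLoss/dW1
        for j in range(HIDDEN_DIM):
            for i in range(INPUT_DIM):
                w1[j][i] -= lr * g1[j][i] / n
        for i in range(INPUT_DIM):
            for j in range(HIDDEN_DIM):
                w2[i][j] -= lr * g2[i][j] / n
    return w1, w2


def calibrate_threshold(w1, w2, benign_flows):
    """Assumed rule: mean + 3 sigma of benign reconstruction error on held-out data."""
    errors = [reconstruction_error(w1, w2, x) for x in benign_flows]
    return mean(errors) + 3 * pstdev(errors)


def triage(score, threshold):
    """Assumed risk tiers by how far the score exceeds the benign threshold;
    this fixed rule stands in for the paper's DRL triage and LLM context stages."""
    ratio = score / threshold
    if ratio < 1:
        return "allow"
    if ratio < 50:
        return "monitor"
    return "block"


def build_detector(seed=7):
    """Train on constructed benign flows, calibrate on separate held-out benign flows."""
    rng = random.Random(seed)
    training = synthetic_benign_flows(60, rng)
    validation = synthetic_benign_flows(40, rng)
    w1, w2 = train_autoencoder(training, seed=seed)
    return w1, w2, calibrate_threshold(w1, w2, validation)


# Constructed observed flows (not captured traffic): on-subspace benign, a flow
# with more distinct ports than its duration warrants, and a scan-like burst.
OBSERVED = {
    "benign_download": [0.40, 0.32, 0.60, 0.12],
    "suspicious_ports": [0.50, 0.40, 0.50, 0.30],
    "port_sweep": [0.20, 0.90, 0.10, 0.95],
}


def assess_flows(detector, flows=OBSERVED):
    """Return {name: (anomaly score, decision)} for each observed flow."""
    w1, w2, threshold = detector
    return {name: (reconstruction_error(w1, w2, x), triage(reconstruction_error(w1, w2, x), threshold))
            for name, x in flows.items()}


if __name__ == "__main__":
    for name, (score, decision) in assess_flows(build_detector()).items():
        print(f"{name:18s} score={score:.5f} -> {decision}")
```

The important operational detail is that the threshold is calibrated on benign data the model never trained on; calibrating on the training set understates the benign error floor and inflates false positives once real traffic drifts, which is exactly the "changing network conditions" the paper's adaptive stages are meant to absorb.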