With the rapid evolution of Advanced Persistent Threats (APTs) in cyberspace, traditional security approaches have become inadequate for threat hunting in organizations. Moreover, Security Operations Center (SOC) analysts are often overwhelmed and struggle to analyze the huge volume of logs received from the diverse devices in their organizations. To address these challenges, we propose an automated and dynamic threat hunting framework for monitoring evolving threats, adapting to changing network conditions, and performing risk-based prioritization for the mitigation of suspicious and malicious traffic. By integrating Agentic AI with Splunk, an established SIEM platform, we developed a unique threat hunting framework. The framework systematically and seamlessly integrates different threat hunting modules, ranging from traffic ingestion to anomaly assessment using a reconstruction-based autoencoder, two-layer deep reinforcement learning (DRL) for initial triage, and a large language model (LLM) for contextual analysis. We evaluated the framework against a publicly available benchmark dataset as well as a simulated dataset. The experimental results show that the framework can autonomously adapt to different SOC objectives and effectively identify suspicious and malicious traffic. The framework enhances operational effectiveness by supporting SOC analysts in their decisions to block, allow, or monitor network traffic. This study thus contributes to the cybersecurity and threat hunting literature by presenting a novel threat hunting framework for security decision-making, and by promoting cumulative research efforts toward more effective frameworks for battling continuously evolving cyber threats.