🤖 AI Summary
This work proposes an automated, dynamic threat-hunting framework that integrates AI agents with the Splunk SIEM platform to address the evolving challenges posed by advanced persistent threats (APTs) and the inefficiencies in processing massive volumes of heterogeneous logs within security operations centers (SOCs). The framework uniquely combines a reconstruction-based autoencoder, a two-layer deep reinforcement learning architecture, and a large language model to establish a policy-guided, context-aware autonomous hunting mechanism. This enables an end-to-end closed-loop pipeline—from traffic ingestion and anomaly detection to risk prioritization. Experimental results demonstrate that the approach adaptively aligns with diverse SOC objectives and effectively identifies suspicious and malicious network traffic on both public and simulated datasets, significantly enhancing analysts’ decision-making efficiency.
📝 Abstract
With frequently evolving Advanced Persistent Threats (APTs) in cyberspace, traditional security solutions have become inadequate for threat hunting in organizations. Moreover, Security Operations Center (SOC) analysts are often overwhelmed and struggle to analyze the huge volume of logs received from the diverse devices in their organizations. To address these challenges, we propose an automated and dynamic threat hunting framework for monitoring evolving threats, adapting to changing network conditions, and performing risk-based prioritization for the mitigation of suspicious and malicious traffic. By integrating Agentic AI with Splunk, an established SIEM platform, we developed a unique threat hunting framework. The framework systematically and seamlessly integrates different threat hunting modules, ranging from traffic ingestion to anomaly assessment using a reconstruction-based autoencoder, two-layer deep reinforcement learning (DRL) for initial triage, and a large language model (LLM) for contextual analysis. We evaluated the framework against a publicly available benchmark dataset as well as against a simulated dataset. The experimental results show that the framework can autonomously adapt to different SOC objectives and identify suspicious and malicious traffic. The framework enhances operational effectiveness by supporting SOC analysts in their decisions to block, allow, or monitor network traffic. This study thus contributes to the cybersecurity and threat hunting literature by presenting a novel threat hunting framework for security decision-making, and by promoting cumulative research efforts to develop more effective frameworks against continuously evolving cyber threats.
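As an added illustration (not code from the paper), the closed-loop pattern the abstract describes, reduced to its core: a reconstruction-based anomaly scorer fitted on baseline traffic, a triage policy whose thresholds shift with the SOC objective, and a risk-ranked list of block/monitor/allow decisions. The flow features, the baseline, the objective thresholds and the one-component PCA reconstructor standing in for the autoencoder are all assumptions.

```python
import math

# Constructed baseline of "normal" flows: (duration_s, bytes_out_kb, conn_count); bytes scale with duration.
BASELINE = [(1, 11, 1), (2, 19, 1), (3, 31, 2), (4, 40, 1), (5, 52, 2),
            (6, 58, 1), (7, 71, 2), (8, 79, 1), (9, 92, 1), (10, 99, 2)]

# Hypothetical SOC objectives: (monitor, block) thresholds as multiples of the largest baseline error.
OBJECTIVES = {"availability": (5.0, 50.0), "containment": (2.0, 10.0)}

def fit_reconstructor(flows, iters=200):
    """One-component PCA by power iteration; a linear autoencoder with a 1-d bottleneck learns the same subspace."""
    n, d = len(flows), len(flows[0])
    mean = [sum(f[j] for f in flows) / n for j in range(d)]
    cov = [[sum((f[i] - mean[i]) * (f[j] - mean[j]) for f in flows) / n
            for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iters):
        v = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(x * x for x in v))
        v = [x / norm for x in v]
    return mean, v

def reconstruction_error(model, flow):
    """Squared distance between a flow and its reconstruction through the bottleneck."""
    mean, v = model
    centered = [x - m for x, m in zip(flow, mean)]
    code = sum(c * w for c, w in zip(centered, v))      # encode to one latent value
    recon = [m + code * w for m, w in zip(mean, v)]     # decode back to feature space
    return sum((x - r) ** 2 for x, r in zip(flow, recon))

def triage(model, baseline_scale, flows, objective):
    """Score flows, map scores to block/monitor/allow under the chosen SOC objective,
    and return them ranked by risk (largest error first)."""
    monitor_k, block_k = OBJECTIVES[objective]
    ranked = []
    for fid, flow in flows.items():
        ratio = reconstruction_error(model, flow) / baseline_scale
        decision = "block" if ratio >= block_k else "monitor" if ratio >= monitor_k else "allow"
        ranked.append((fid, decision, round(ratio, 1)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

MODEL = fit_reconstructor(BASELINE)
BASELINE_SCALE = max(reconstruction_error(MODEL, f) for f in BASELINE)
# Constructed flows to triage: one normal, one moderately off-profile, one burst-like.
INCOMING = {"flow-normal": (6, 60, 1), "flow-odd": (5, 80, 1), "flow-burst": (1, 500, 1)}

if __name__ == "__main__":
    for objective in OBJECTIVES:
        print(objective, triage(MODEL, BASELINE_SCALE, INCOMING, objective))
```

The same off-profile flow is blocked under the containment objective but only monitored under the availability objective, which is the objective-dependent behaviour the abstract attributes to the framework.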