Smart security with AI-driven Splunk
Published: 8/15/2025
Improving CMS cybersecurity and enhancing SIEM performance with artificial intelligence
What is Splunk?
Splunk is a Security Information and Event Management (SIEM) tool used to collect data from logs, applications, servers, and devices. Splunk is a key cybersecurity platform at CMS used for incident detection and response. It watches all incoming and outgoing traffic, logins, logouts, system access, downloads, and configuration changes.
Splunk pulls in massive amounts of raw information, like logs, firewall activities, VPN events, and server alerts, turning the chaos into understandable data on dashboards, timelines, heat maps, and alerts.
How are we using Splunk at CMS?
Splunk is the security nerve center for our organization. It can be compared to a car’s dashboard, but instead of monitoring speed and fuel levels, we track login attempts, policy violations, system errors, and data movement. The tool monitors who logged in, from where and when, what files were accessed, whether they had permission, and what else they did during that session.
Splunk is also vital to audit readiness. When auditors request logs, access trails, or policy compliance reports, they can be found in Splunk rather than by digging through Excel sheets from five different departments or asking around to figure out who approved each access. Without Splunk, these moments become chaotic fire drills.
SIEM limitations
But even with all that power, traditional Splunk and other SIEMs have limits because they operate on rules, which can be viewed as a digital version of “if this, then that.” If someone logs in unsuccessfully five times, or downloads a sensitive file after hours, a rule triggers an alert.
But bad actors know the rules — and, in fact, study them. They test the rules and tiptoe right past them, like a burglar who crawls in through the basement because they know the alarm only goes off if someone breaks in through the front window.
When analysts receive 500 alerts a day and only two of them matter, the result is “alert fatigue”: we stop paying attention. In security, that’s exactly what hackers want. They blend in, mimic normal user behavior, and do just enough to seem boring and go unnoticed. That’s where AI steps in.
Why do we need AI?
Artificial intelligence doesn’t rely on fixed rules or wait for us to define every possible threat path. Instead, it learns. AI watches normal behavior over time and sees who typically logs in, where and when they do it, and how they interact with systems. Then it builds a model of what normal looks like. So, when something abnormal happens — like a user accessing files they’ve never touched before from a new device and during odd hours — AI identifies it as “weird.”
Traditional systems wait for us to write a rule that says when to alert. AI finds the anomaly for us, without needing to be told what to look for ahead of time.
How does AI enhance Splunk?
Splunk has always been good at collecting and organizing data, but with the integration of AI, it thinks critically about that data. Three big upgrades happen:
- Smarter detection: AI looks at behavior across time, systems, and context
- Better correlation: AI connects logs that look unrelated to identify what might be a slow-moving breach
- Ongoing learning: AI constantly updates its understanding of what normal means for your system and your users, adapting its ability to detect potential threats
In addition, AI offers real-time detection as a frontline defense so we no longer have to wait for incidents to be discovered after the fact. AI allows us to catch them as they unfold and watch for suspicious patterns. This kind of speed can be the difference between containing a threat and having to notify the media or Congress — or maybe the entire internet.
AI helps address alert fatigue by learning what “noise” looks like and filtering it out. Instead of giving us MORE alerts, AI gives us BETTER alerts. It refines and prioritizes what is worth our attention.
It’s a shift from high volume to high value, allowing analysts to focus on what matters most — the actual threats — and not digital background noise. AI-enhanced Splunk allows us to quickly identify logging anomalies, data exfiltration, privilege misuse, and other signs that could mean trouble.
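To make the contrast concrete, here is an added example (not code from the post or from Splunk) that runs the post's fixed rule of five failed logins next to a simple per-user behavioral baseline over a handful of constructed login and file-access events. The names, hosts, files, and the three baseline dimensions (device, file, day/night shift) are assumptions chosen for illustration; the point is that the rule fires only on the noisy burst, while the baseline scores the quiet user who stays under the threshold and then acts out of character, and drops the score-1 noise the way the post describes.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real CMS data); "ok" marks a successful login.
BASELINE = [
    {"user": "alice", "host": "wks-01", "hour": 9, "file": "budget.xlsx", "ok": True},
    {"user": "alice", "host": "wks-01", "hour": 14, "file": "notes.txt", "ok": True},
    {"user": "bob", "host": "wks-02", "hour": 10, "file": "report.docx", "ok": True},
    {"user": "bob", "host": "wks-02", "hour": 16, "file": "report.docx", "ok": True},
]
TODAY = [
    # alice: four failures (under the rule's threshold), then a success from a
    # never-seen device at 02:00 touching a file she has never opened
    *[{"user": "alice", "host": "vpn-77", "hour": 2, "file": "", "ok": False}] * 4,
    {"user": "alice", "host": "vpn-77", "hour": 2, "file": "claims_export.csv", "ok": True},
    # bob: normal day, plus one new file from his usual desk during business hours
    {"user": "bob", "host": "wks-02", "hour": 11, "file": "report.docx", "ok": True},
    {"user": "bob", "host": "wks-02", "hour": 11, "file": "memo.docx", "ok": True},
    # dave: a noisy burst of six failed logins at his usual desk and hour
    *[{"user": "dave", "host": "wks-09", "hour": 13, "file": "", "ok": False}] * 6,
]

def rule_failed_logins(events, threshold=5):
    """The post's fixed rule: alert on any user with >= threshold failed logins."""
    fails = Counter(e["user"] for e in events if not e["ok"])
    return {u for u, n in fails.items() if n >= threshold}

def features(e):
    """Behavioral dimensions compared to the baseline. Hours are bucketed so a
    09:00 vs 10:00 login is not 'new' while a 02:00 login is."""
    return {"host": e["host"], "file": e["file"],
            "shift": "day" if 8 <= e["hour"] < 18 else "night"}

def build_profile(events):
    """Per-user picture of normal: devices used, files touched, shifts worked."""
    prof = defaultdict(lambda: defaultdict(set))
    for e in events:
        for k, v in features(e).items():
            prof[e["user"]][k].add(v)
    return prof

def anomaly_score(profile, event):
    """How many dimensions (device, file, shift) the event departs from: 0..3."""
    p = profile.get(event["user"])
    if p is None:
        return 3  # user never seen in the baseline: everything is new
    return sum(v not in p[k] for k, v in features(event).items())

def rank_alerts(profile, events, min_score=2):
    """Successful accesses scoring >= min_score, most anomalous first; score-1
    events (a new file from a usual device in usual hours) are dropped as noise."""
    scored = [(anomaly_score(profile, e), e) for e in events if e["ok"]]
    return sorted((x for x in scored if x[0] >= min_score), key=lambda x: -x[0])
```

Running `rule_failed_logins(TODAY)` flags only dave, while `rank_alerts(build_profile(BASELINE), TODAY)` returns a single alert, alice's score-3 access, and never mentions bob's new file.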
When you have an active incident, you need three things fast:
- Clarity: What happened?
- Speed: Can we isolate it before it spreads?
- Confidence: Are we making the right move at the right time?
AI-enhanced Splunk gives us all three by providing a summarized story. It’s like walking into a crime scene and having CSI already on the case, helping us respond quickly, whether by isolating a device, escalating to leadership, or starting remediation efforts. In short, AI is the difference between chasing shadows and actually closing the case.
What’s next?
Splunk is evolving rapidly as we move to a conversational interface. Soon, we’ll be able to ask Splunk to show us a log of any suspicious activity for the week, and it will build a dashboard automatically. Other upcoming improvements are:
- Smart alert tuning: AI will help adjust thresholds on the fly and reduce noise
- Risk simulation: AI will allow us to model “what if” scenarios
Splunk collects, organizes, and presents data in a way that helps CMS stay secure and compliant. But without AI, it’s limited to what we already know and look for. With AI, we gain foresight, real-time analysis, behavioral tracking, and pattern recognition. It’s not about automating us out of the equation; it’s about giving us superpowers.
AI-enhanced Splunk responds faster, reduces noise, strengthens security, and builds trust across the agency and with the public. While AI won’t replace us, it will amplify us, helping security analysts become faster, sharper, and more effective.
About the author
Dr. Mary Margaret Chantre is a military veteran with a background in IT and cybersecurity. She’s a program manager at the Information Security and Privacy Group (ISPG) within the Centers for Medicare & Medicaid Services (CMS) and a professor at Arizona State University, where she teaches cybersecurity and artificial intelligence.
About the publisher
The Training and Awareness Team works to build a more resilient and knowledgeable cybersecurity workforce at CMS by connecting people to helpful information and training opportunities.