
SoftServe Ingenuity Creates EventLab to Simulate Events for Secure Testing and Threat Detection on Splunk
In brief:
- SoftServe’s cybersecurity team has created EventLab, an AI-led and Splunk-native application for safer testing.
- It generates synthetic events.
- It simulates external attacks and scores batches against real data, for fast, secure testing.
- It means security teams can have access to realistic data to build, test and tune detections.
- It’s available now free to install on Splunkbase.
SoftServe’s cybersecurity team has created EventLab, an AI-led and Splunk-native application that generates synthetic events, simulates external attacks and scores batches against real data, for fast, secure testing. It means security teams can have access to realistic data to build, test and tune detections and it’s available now free to install on Splunkbase.
In every Security Operations Centre (SOC) you will find analysts, detection engineers and content developers sharing the same frustration: they need data to do their job, and they don’t have it.
Not data about threats, of which there is plenty, but data for testing: the kind of data you need when you are:
- Tuning a new detection rule before it goes to production
- Training an analyst how to triage an alert they have never seen before
- Building a demo for a customer, or a board meeting
- Validating an SPL query on a schema your customer uses but your lab does not
- Reproducing a weird false positive a colleague reported last Tuesday
Compliance constraints
Production data would be ideal, but is also radioactive due to privacy regulations, customer contracts and data residency rules. Internal compliance policies also mean security engineers cannot casually copy real events into a test index and, even when they are allowed to, moving production data into a sandbox can introduce the very risk the team exists to prevent.
Instead, teams fall back to manual fakes: hand-edited sample files, SPL makeresults incantations, and half-finished or inherited Python scripts. A senior detection engineer estimated that 15% of her week is spent creating, finding, or fixing test data. Multiply that across a fifty-person SOC and you are losing the equivalent of seven full-time analysts to data-plumbing work.
The synthetic data that comes out of these efforts has three chronic problems:
The solution: EventLab
EventLab is a Splunk-native application that solves the test-data problem end to end. It installs like any other Splunkbase app, runs entirely inside the customer’s Splunk environment, and exposes five ways to generate realistic, synthetic security events:
- A natural-language AI assistant with 22 specialised tools — ask in plain English, the AI picks the right tool
- A Models page for point-and-click generation with full parameter control
- A REST API for CI/CD pipelines and external automation
- Five SPL custom commands (eventlabgenerate, injectscenario, eventlabquality, and more) for analysts who live in Splunk Search
- Cron-based scheduled jobs that keep dev and training environments continuously populated
Out of the box, EventLab ships with:
- Five prebuilt generation models — Palo Alto firewall, Windows Security, DNS query, web access, Linux syslog
- Fifty-four MITRE ATT&CK scenarios mapped across all 14 tactics, each with tuned field overrides matching the technique’s signature
- A statistical quality engine that scores synthetic data against real samples using Kolmogorov–Smirnov, chi-squared, and temporal cosine similarity tests
- Full audit trail, RBAC with four roles and six capabilities, and multi-tenancy out of the box
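To make the quality-engine idea above concrete, here is an added, stand-alone Python example (written for this article, not EventLab's own implementation) that scores a synthetic batch against a real sample with the three named tests: Kolmogorov–Smirnov on a numeric field, chi-squared on a categorical field, and cosine similarity on hour-of-day activity. The field names, thresholds and sample events are constructed assumptions.

```python
import math
from collections import Counter

def ks_statistic(real, synth):
    """Two-sample Kolmogorov-Smirnov statistic: largest gap between the empirical CDFs (0 = identical)."""
    d = 0.0
    for x in sorted(set(real) | set(synth)):
        f_real = sum(1 for v in real if v <= x) / len(real)
        f_synth = sum(1 for v in synth if v <= x) / len(synth)
        d = max(d, abs(f_real - f_synth))
    return d

def chi_squared(real, synth):
    """Chi-squared statistic of synthetic category counts against counts expected from the real mix."""
    real_counts, synth_counts = Counter(real), Counter(synth)
    scale = len(synth) / len(real)
    stat = 0.0
    for cat in set(real_counts) | set(synth_counts):
        # 0.5 floor (an assumption) so a category never seen in real data is penalised, not a ZeroDivisionError
        expected = max(real_counts[cat] * scale, 0.5)
        stat += (synth_counts[cat] - expected) ** 2 / expected
    return stat

def temporal_cosine(real_hours, synth_hours):
    """Cosine similarity of 24-bin hour-of-day histograms (1.0 = same daily rhythm, 0.0 = no overlap)."""
    a, b = [0] * 24, [0] * 24
    for h in real_hours:
        a[h] += 1
    for h in synth_hours:
        b[h] += 1
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def score_batch(real, synth, ks_max=0.2, chi_max=10.0, cos_min=0.9):
    """Score one synthetic batch against a real sample; thresholds are assumed placeholders, not EventLab's."""
    result = {
        "ks_bytes": ks_statistic([e["bytes"] for e in real], [e["bytes"] for e in synth]),
        "chi2_action": chi_squared([e["action"] for e in real], [e["action"] for e in synth]),
        "cos_hour": temporal_cosine([e["hour"] for e in real], [e["hour"] for e in synth]),
    }
    result["passed"] = (result["ks_bytes"] <= ks_max and result["chi2_action"] <= chi_max
                        and result["cos_hour"] >= cos_min)
    return result

# Constructed firewall-style samples: a real batch, a plausible synthetic batch and a degenerate one
REAL = [{"hour": h, "action": a, "bytes": b} for h, a, b in zip(range(9, 17),
        ["allow"] * 6 + ["drop"] * 2, [500, 1200, 800, 3000, 650, 900, 2200, 400])]
GOOD = [dict(e, bytes=e["bytes"] + 50) for e in REAL]                # same mix, slightly shifted sizes
BAD = [{"hour": 3, "action": "drop", "bytes": 50000} for _ in REAL]  # one hour, one verb, one size
```

Running `score_batch(REAL, GOOD)` passes all three tests, while `score_batch(REAL, BAD)` fails every one of them, which is the signal a detection engineer would use to reject a generated batch before it reaches a test index.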
