Threads & Briefings: Hours of Manual Investigation Into Minutes
Every security team knows the drill. An alert fires at 2 AM. The on-call analyst opens Splunk, runs a query, copies the results into a Slack thread, runs another query, pastes that too, and starts trying to connect the dots in a Google Doc. By morning, there's a half-finished incident summary scattered across three tools, and the CISO is asking for a status update before the analyst has had coffee.
Prism's Threads and Briefings were built to eliminate this exact friction. Together, they turn ad-hoc investigation into structured, shareable, AI-synthesized intelligence — without changing how analysts work.
Threads: Your Investigation Notebook That Thinks
A Thread is a living collection of related queries and their results. Instead of running queries in isolation and losing context, you build a Thread entry by entry — and Prism's AI connects the dots for you.
How It Works
You investigate the way you already do — ask questions, look at results, follow the trail. The difference is that every result you care about can be pinned to a Thread with a single click. Data rows, charts, AI analysis — all captured permanently, all in one place. No copy-pasting between tools. No screenshots that lose context the moment someone asks a follow-up question.
The Part That Changes Everything: Thread Synthesis
Once a Thread has multiple entries, Prism generates a Thread Synthesis — a narrative that connects all of your queries into a coherent picture. It also produces a Human Meaning alongside each entry's AI insight, translating raw data findings into language relevant to your role.
The synthesis doesn't guess or speculate. It states distributions, identifies patterns across your queries, and acknowledges when data represents a single snapshot without historical baseline.
Real-Life Example: Investigating a Credential Stuffing Campaign
Tuesday, 10:15 AM
Your SIEM flags an unusual spike in failed authentication attempts. You open Prism.
Query 1: "Show me failed login attempts by source IP in the last 12 hours"
Result: 3 IPs account for 84% of failures. You add this to a new Thread called “March Credential Stuffing Investigation.”
Query 2: "What user accounts were targeted by these top 3 source IPs?"
Result: 47 unique accounts targeted, 12 of which are service accounts. Added to Thread.
Query 3: "Were any of these accounts successfully authenticated in the same period?"
Result: 2 service accounts had successful logins from one of the flagged IPs. Added to Thread.
Query 4: "Show me all activity from the IP that had successful logins"
Result: Post-authentication activity includes access to 3 internal APIs. Added to Thread.
Thread Synthesis (auto-generated):
"Across four queries spanning the last 12 hours, three source IPs generated 84% of 1,247 failed login attempts targeting 47 accounts. Two service accounts were successfully compromised from 198.51.100.23, which subsequently accessed three internal API endpoints. The pattern is concentrated — 12 of the 47 targeted accounts are service accounts, suggesting targeted rather than opportunistic activity."
Each entry also gets a Human Meaning card:
- Entry 1: "Three IPs dominate failure volume, indicating coordinated rather than distributed activity."
- Entry 3: "Two service accounts were compromised — these typically have elevated privileges and are less likely to have MFA enforced."
What this replaced: 2-3 hours of manual Splunk queries, copying results into Confluence, writing a summary, formatting it for leadership, and re-running queries to double-check numbers. The Thread captures the investigation as it happens, and the synthesis writes itself.
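The four queries in the walkthrough above are an ordinary detection pipeline: aggregate failures by source, check how concentrated they are, pivot to the accounts and to any successes from the same sources, then look at post-authentication activity. The following Python is an added example of that pipeline over a constructed key=value log, not Prism's code or output; it assumes Splunk-style `action=login outcome=failure src=... user=...` lines and that service accounts are named with a `svc-` prefix (both assumptions, labelled in the code).

```python
"""Credential-stuffing triage: the four thread queries above, run as code."""
import json
import re
from collections import Counter

SERVICE_ACCOUNT_PREFIX = "svc-"   # assumption: service accounts are named svc-*
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log in Splunk-style key=value form; not real traffic.
# Three IPs hammer many accounts; 192.0.2.x are ordinary users mistyping passwords.
_FAILURES = {
    "198.51.100.23": ["alice", "bob", "svc-backup", "svc-deploy", "carol", "dave"],
    "203.0.113.10":  ["alice", "erin", "svc-backup", "frank", "grace"],
    "203.0.113.11":  ["bob", "svc-deploy", "heidi", "ivan", "judy"],
    "192.0.2.5":     ["alice", "bob"],
    "192.0.2.6":     ["carol"],
    "192.0.2.7":     ["dave"],
}
SAMPLE_LOG = [
    f"2024-03-12T09:{m:02d}:00Z action=login outcome=failure src={ip} user={u}"
    for m, (ip, users) in enumerate(_FAILURES.items()) for u in users
] + [
    "2024-03-12T10:12:00Z action=login outcome=success src=198.51.100.23 user=svc-backup",
    "2024-03-12T10:12:30Z action=api_call src=198.51.100.23 user=svc-backup path=/api/v1/export",
    "2024-03-12T10:13:05Z action=api_call src=198.51.100.23 user=svc-backup path=/api/v1/users",
    "2024-03-12T10:20:00Z action=login outcome=success src=192.0.2.50 user=alice",  # benign
    "2024-03-12T10:21:00Z action=api_call src=192.0.2.50 user=alice path=/api/v1/profile",
]


def parse(lines):
    """Turn 'ts k=v k=v ...' lines into dicts; the leading timestamp becomes 'ts'."""
    events = []
    for line in lines:
        ts, _, rest = line.partition(" ")
        ev = dict(FIELD_RE.findall(rest))
        ev["ts"] = ts
        events.append(ev)
    return events


def _match(e, action, outcome=None):
    return e.get("action") == action and (outcome is None or e.get("outcome") == outcome)


def failed_logins_by_source(events):
    """Query 1: failed login count per source IP."""
    return Counter(e.get("src") for e in events if _match(e, "login", "failure"))


def top_sources(by_src, n=3):
    """The n busiest sources and the share of all failures they account for."""
    total = sum(by_src.values())
    top = by_src.most_common(n)
    share = sum(c for _, c in top) / total if total else 0.0
    return [ip for ip, _ in top], share


def targeted_accounts(events, ips):
    """Query 2: accounts the flagged IPs failed against, with service accounts split out."""
    users = {e["user"] for e in events if _match(e, "login", "failure") and e.get("src") in ips}
    svc = {u for u in users if u.startswith(SERVICE_ACCOUNT_PREFIX)}
    return users, svc


def successful_from(events, ips):
    """Query 3: successful logins from the flagged IPs -> {ip: {users}}."""
    hits = {}
    for e in events:
        if _match(e, "login", "success") and e.get("src") in ips:
            hits.setdefault(e["src"], set()).add(e["user"])
    return hits


def post_auth_activity(events, ip):
    """Query 4: what the IP did after authenticating (here: API paths touched)."""
    return sorted({e["path"] for e in events if _match(e, "api_call") and e.get("src") == ip})


def investigate(lines):
    """Run the four-query thread end to end and return the findings."""
    events = parse(lines)
    by_src = failed_logins_by_source(events)
    ips, share = top_sources(by_src)
    users, svc = targeted_accounts(events, ips)
    compromised = successful_from(events, ips)
    return {
        "total_failures": sum(by_src.values()),
        "top_ips": ips,
        "top_share": round(share, 2),
        "targeted": len(users),
        "service_accounts": sorted(svc),
        "compromised": {ip: sorted(u) for ip, u in compromised.items()},
        "post_auth_apis": {ip: post_auth_activity(events, ip) for ip in compromised},
    }


if __name__ == "__main__":
    print(json.dumps(investigate(SAMPLE_LOG), indent=2))
```

On the constructed data the three attack IPs account for 80% of 20 failures against 12 accounts (two of them service accounts), one of those IPs logs in successfully as `svc-backup` and then touches two API paths, while the benign success from 192.0.2.50 is never flagged. The pivot in `successful_from` is the step that turns a noisy volume alert into a confirmed compromise, so it is the one to check by hand before anything goes into the synthesis.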
Share and Export Without Reformatting
When the CISO asks for an update, you don't scramble to build a slide deck. Share a Thread via email — one click, enter the recipient, and they get the synthesis, every chart rendered as an image, data table previews, AI insights, and per-entry context. Or export as PDF for an incident ticket or compliance filing. Either way, zero reformatting.
Tags for Organizational Memory
Threads support up to 3 tags each, drawn from a shared autocomplete registry. Your team builds a shared vocabulary over time — credential-stuffing, lateral-movement, pci-scope, production-east. When a similar incident happens next quarter, searching by tag surfaces your prior investigation instantly.
Briefings: Automated Intelligence Reports That Run While You Sleep
If Threads are your investigation notebook, Briefings are your scheduled intelligence digest. You define what questions matter, pick a schedule, and Prism runs every query, collects the results, and generates a structured executive report — automatically.
How It Works
You tell Prism what questions matter to your team, how often you want them answered, and who's reading the output. That's the setup — five minutes, once. From there, the scheduler takes over. Every run executes your queries against live data and produces a structured report: executive overview, status assessment, key metrics, per-query chapters, and cross-query pattern analysis. It shows up ready to read, not ready to assemble.
The Report: What You Actually Get
A completed Briefing run isn't just raw query results dumped in a list. It's a structured document:
| Section | What It Contains |
|---|---|
| Executive Overview | 3-5 sentence synthesis across all queries |
| Status Assessment | A single-word assessment (Nominal, Stable, Elevated, Attention, Critical) with rationale |
| Key Metrics | Top 3 numbers that matter most, pulled from actual data |
| Chapters | One per query — the data finding (factual) plus business meaning (role-appropriate) |
| Cross-Query Patterns | Themes, correlations, or contrasts the AI identified across all queries |
The status assessment uses domain-agnostic language by design. It doesn't assume your data is security, infrastructure, or financial — it reads the actual results and assesses based on what it sees.
Persona Awareness: Reports That Speak Your Language
A Briefing configured for a CISO emphasizes risk posture, compliance implications, and strategic exposure. The same queries configured for a SOC Analyst emphasize detection coverage, indicator prevalence, and actionable response steps. An Executive persona focuses on business impact and resource allocation.
This isn't cosmetic. The AI receives role-specific guidance that shapes the executive overview, every chapter's business meaning, and the cross-query pattern analysis.
Real-Life Example: The Monday Morning Security Posture Briefing
You create a Briefing called “Weekly Security Posture” with five queries:
- "Failed authentication attempts by source country this week vs last week"
- "Top 10 accounts with the most privilege escalation events"
- "Firewall deny events by destination port, last 7 days"
- "New service accounts created this week"
- "Average authentication latency by identity provider"
Schedule: Weekly, Monday 7:00 AM. Persona: CISO.
At 7:00 AM, Prism executes all 5 queries against your live Splunk data, applies governance validation, collects results, and generates the report. By 7:05 AM, the Briefing has a new completed run.
Executive Overview:
"Authentication failure volume decreased 12% week-over-week (8,420 vs 9,567), with geographic distribution narrowing from 14 to 9 source countries. Two accounts — svc-deploy-prod and svc-monitoring — appeared in both the privilege escalation and new service account lists, indicating recently provisioned accounts with elevated activity. Firewall deny events on port 445 increased 340% (1,204 events), concentrated from 6 internal IPs. Authentication latency averaged 1.2s across providers, with Okta at 0.8s and on-prem AD at 2.1s."
Status Assessment: Elevated
"The 340% increase in port 445 denials from internal sources warrants review."
Key Metrics:
- 8,420 — Failed auth attempts (down 12%)
- 1,204 — Port 445 deny events (up 340%)
- 2 — New service accounts with escalation activity
Chapter 3 — Firewall Deny Events by Destination Port
Finding: Port 445 (SMB) deny events rose from 272 to 1,204, sourced from 6 internal IPs in the 10.4.x.x range. Port 443 denials remained flat at ~320/day.
Business Meaning: Internal SMB scanning from a small IP cluster may indicate lateral movement attempts or misconfigured network segments. The concentration in a single /16 range suggests a localized issue rather than widespread compromise.
What this replaced: A senior analyst spending Monday morning running each query manually, building a PowerPoint, writing the narrative, and emailing it to leadership by noon. That's 4-5 hours of skilled analyst time, every single week, for a single report.
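Two things in Chapter 3 are worth having as explicit checks rather than trusting a percentage in a report: the week-over-week comparison must refuse to produce a number when there is no prior-week baseline (the "single snapshot" caveat from the Threads section applies here too), and a spike is only a lateral-movement lead if its sources are internal and clustered. The Python below is an added example of those checks over a constructed set of firewall deny events, not Prism's code; the RFC 1918 ranges are the internal definition, and the doubling threshold for calling something a spike is an assumption, both marked in the code.

```python
"""Week-over-week firewall deny review with an explicit no-baseline check."""
import ipaddress
from collections import Counter

# Internal means RFC 1918 here; adjust to your addressing plan.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SPIKE_THRESHOLD_PCT = 100   # assumption: a port is a "spike" once its denies at least double


def _burst(week, port, src, n):
    """n deny events from one source to one destination port in one week."""
    return [(week, port, src) for _ in range(n)]


# Constructed sample: (week, dst_port, src_ip) per firewall deny event; not real data.
DENIES = (
    _burst("prev", 445, "10.4.1.10", 136) + _burst("prev", 445, "10.4.1.11", 136)     # 272 last week
    + _burst("this", 445, "10.4.1.10", 200) + _burst("this", 445, "10.4.1.11", 200)
    + _burst("this", 445, "10.4.2.20", 201) + _burst("this", 445, "10.4.2.21", 201)
    + _burst("this", 445, "10.4.3.30", 201) + _burst("this", 445, "10.4.3.31", 201)   # 1,204 this week
    + _burst("prev", 443, "203.0.113.7", 2240) + _burst("this", 443, "203.0.113.7", 2240)  # flat
    + _burst("prev", 22, "10.9.8.7", 40) + _burst("this", 22, "10.9.8.7", 30)              # down 25%
    + _burst("this", 3389, "10.9.8.7", 12)                                                 # no baseline
)


def count_by_port(events, week):
    """Deny events per destination port for one week."""
    return Counter(port for w, port, _ in events if w == week)


def pct_change(cur, prev):
    """Week-over-week change in percent, or None when there is nothing to compare against."""
    if prev == 0:
        return None
    return round((cur - prev) / prev * 100)


def compare_weeks(events):
    """Per-port counts for both weeks plus the change; None marks a port with no baseline."""
    cur, prev = count_by_port(events, "this"), count_by_port(events, "prev")
    return {
        port: {"prev": prev[port], "cur": cur[port], "change_pct": pct_change(cur[port], prev[port])}
        for port in set(cur) | set(prev)
    }


def is_internal(ip):
    return any(ip in net for net in RFC1918)


def source_profile(events, port, week="this"):
    """How many sources hit the port, how many are internal, and which /16s they sit in."""
    srcs = {ipaddress.ip_address(s) for w, p, s in events if w == week and p == port}
    internal = {s for s in srcs if is_internal(s)}
    nets = {ipaddress.ip_network(f"{s}/16", strict=False) for s in internal}
    return {
        "sources": len(srcs),
        "internal": len(internal),
        "internal_slash16s": sorted(str(n) for n in nets),
    }


def assess(events, threshold_pct=SPIKE_THRESHOLD_PCT):
    """Return (port, kind, source_profile) for spikes and for ports that lack a baseline."""
    findings = []
    for port, c in sorted(compare_weeks(events).items()):
        if c["change_pct"] is None:
            findings.append((port, "no-baseline", source_profile(events, port)))
        elif c["change_pct"] >= threshold_pct:
            findings.append((port, "spike", source_profile(events, port)))
    return findings


if __name__ == "__main__":
    for port, kind, profile in assess(DENIES):
        print(port, kind, compare_weeks(DENIES)[port], profile)
```

On this data port 445 comes out at +343% (the page rounds to 340%) from six internal sources all inside 10.4.0.0/16, which is the lateral-movement lead; port 3389 is reported separately as having no baseline rather than as an infinite increase; port 443 is flat and port 22 is down, so neither is raised. Keeping the None path distinct matters: a report that silently drops or zero-fills a missing baseline will either hide a new port or inflate it.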
Real-Life Example: Daily SOC Shift Handoff
Briefing: “SOC Night Shift Handoff.” Schedule: Daily, 6:00 AM. Persona: SOC Analyst.
Four queries — critical alerts in the last 12 hours, top source IPs by event volume, failed VPN attempts by user, endpoints with excessive process executions. Every morning at 6:00 AM, the incoming day shift opens their Briefing and has a structured handoff — what happened overnight, which alerts fired, what's anomalous, and what deserves follow-up. No waiting for the night shift analyst to write a handoff email. No lost context when someone calls in sick.
Real-Life Example: Monthly Compliance Evidence Collection
Briefing: “PCI-DSS Monthly Evidence — Q1.” Schedule: Monthly, 1st at 9:00 AM. Persona: Executive.
Four queries covering CDE user access, failed access attempts, admin usage outside business hours, and firewall rule changes on PCI segments. On the 1st of every month, Prism runs these queries and produces a report with executive-friendly language. The compliance team exports the PDF and attaches it to their evidence package. What used to require a dedicated analyst for half a day every month now takes zero manual effort.
Threads + Briefings Together: The Full Picture
These features complement each other. Briefings answer the recurring questions: "What does our security posture look like this week?" Threads answer the ad-hoc ones: "What happened with that anomaly we saw on Thursday?"
When a Briefing surfaces something unusual — say, that 340% spike in SMB deny events — you start a Thread. You investigate, build context entry by entry, and the AI synthesizes your findings. Then you share the Thread to the team that needs to act on it.
| | Threads | Briefings |
|---|---|---|
| Trigger | Manual (ad-hoc investigation) | Scheduled (daily/weekly/monthly) or manual |
| Content | Query results added one at a time | Pre-defined query set, all run together |
| AI Output | Thread Synthesis + per-entry Human Meaning | Executive Overview + Status Assessment + Chapters + Cross-Query Patterns |
| Best For | Incident investigation, deep dives, ad-hoc analysis | Recurring reports, shift handoffs, compliance evidence, executive summaries |
| Sharing | Email with embedded charts, PDF export | Email, PDF export from run output |
| Persona | Inherited from user profile | Explicitly set per briefing |
The Time Math
Here's what teams report before and after adopting Threads and Briefings:
| Task | Before Prism | With Prism |
|---|---|---|
| Weekly security posture report | 4-5 hours analyst time | 5 min setup, then automated |
| Incident investigation documentation | 2-3 hours (queries + copy-paste + writeup) | Built during investigation, synthesis auto-generated |
| SOC shift handoff | 30-45 min per handoff | Automated daily, ready at shift start |
| Monthly compliance evidence | 4-6 hours per collection cycle | 5 min setup, then automated |
| Sharing findings with leadership | 1-2 hours reformatting for executives | One-click email or PDF export |
For a team running one weekly Briefing, one daily handoff Briefing, and averaging two Thread-based investigations per week, that's roughly 10-15 hours per week returned to actual analysis instead of report assembly.
Getting Started
Most teams start with one of two things: a Thread around whatever they're investigating this week, or a weekly Briefing that replaces their most painful recurring report. Either way, you're up and running in under five minutes: no templates to build, no formatting to fiddle with, and no setup beyond naming the Thread or choosing the Briefing's queries, schedule and persona. Both features work with whatever data sources your tenant has connected, and the time savings are immediate.
See Threads & Briefings in action
Walk through a live investigation Thread, see a Briefing run in real time, and discover how your team can reclaim 10+ hours a week.
Book a 30-minute Demo →
Ask questions, build context, let the AI do the paperwork.
Druv Prism is a multi-tenant AI analytics platform for security and IT operations teams. Natural language querying, automated schema discovery, agentic self-healing, and continuous learning — built for teams who run Splunk.