AI-IR: AI-Driven Incident Response Analysis Toolset for Extracting Security Knowledge from Slack Logs

AI-IR is an AI-driven toolset specifically designed to analyze Slack conversation records from security incident responses. It aims to solve the documentation challenges in incident response by automatically generating incident summaries, activity reports, role inferences, and reusable investigative tactical knowledge. It supports multilingual translation and local Web UI viewing, helping to transform valuable knowledge scattered in chat records into structured, inheritable organizational assets.

In cybersecurity incident response, teams often coordinate via Slack, but conversation records face issues such as information loss (buried in historical messages), knowledge silos (no systematic knowledge accumulation mechanism), difficulty in post-incident review (time-consuming and error-prone manual browsing), and lack of structure (hard to convert into training or audit documents). The AI-IR project is designed to address these problems.

Event Summary Generation

Auto-generates reports including timeline reconstruction, root cause analysis, and executive summaries

Activity Analysis Report

Records participants' methods/tools, discovery summaries, time distribution, supporting team evaluation

Role Inference

Automatically identifies roles such as incident commander, subject matter expert, analyst, communication liaison, and their collaboration relationships

Knowledge Extraction and Precipitation

Extracts tactical knowledge (in YAML format) like investigation methods, tool usage, decision rules, and IoC patterns from conversations; can be exported as Markdown for RAG knowledge bases

Process Quality Evaluation

Analyzes response phase time consumption, communication quality, role clarity, and provides improvement suggestions

Multilingual Support

Built-in multilingual translation for Japanese/Chinese/Korean, retaining original English technical terms

Local Web UI

Launch a local read-only server to view reports via uv run aiir serve

Data Preparation

Use stail/scat tools to export Slack channel data (example command: stail export -c "#incident-response" --output incident.json)

Preprocessing

Execute uv run aiir ingest for IoC desensitization, prompt injection detection, and XML tag wrapping

Analysis Execution

Supports direct processing, pipeline mode, or multiple analyses after preprocessing (e.g., generating summary/activity/role reports)

Report Generation

Generates complete JSON/Markdown reports; can extract tactical knowledge (using --knowledge-only parameter)

Translation and Localization

Convert reports to multilingual versions via uv run aiir translate

Process Evaluation

Generate response process quality evaluation reports

Knowledge Base Export

Convert tactical YAML to Markdown for RAG systems

• No External Transmission: Only transmits data to configured LLM endpoints; parsing and preprocessing are executed locally
• IoC Desensitization: Desensitizes sensitive information like IPs/URLs/hashes to reduce leakage risks
• Prompt Injection Protection: Wraps messages with XML tags and scans for injection patterns
• Local Processing Priority: Reduces LLM dependency, improves efficiency, and minimizes data exposure surface

• SOC Teams: Automates report generation, freeing analysts to focus on threat hunting
• Enterprise Security Teams: Establishes incident knowledge bases to avoid knowledge loss
• Security Consulting Services: Quickly organizes client data to generate professional reports
• Security Training and Drills: Uses real incident knowledge for red-blue exercises and new employee training

AI-IR solves the long-standing documentation and knowledge accumulation challenges faced by security teams. Through automated analysis, it transforms chat records into manageable, searchable, and inheritable organizational assets. Its open-source nature allows users to customize and extend it, making it a practical tool for organizations that value security operation maturity and knowledge management.