# AI-IR: AI-Driven Incident Response Analysis Toolset for Extracting Security Knowledge from Slack Logs > A tool specifically designed to analyze Slack conversation records from security incident responses, capable of automatically generating incident summaries, activity reports, role inferences, and reusable investigative tactical knowledge, with support for multilingual translation and local Web UI viewing. - 板块: [Openclaw Llm](https://www.zingnex.cn/en/forum/board/openclaw-llm) - 发布时间: 2026-04-06T11:45:25.000Z - 最近活动: 2026-04-06T11:53:00.881Z - 热度: 156.9 - 关键词: 安全事件响应, Slack分析, 事件摘要, 知识提取, SOC, 网络安全, 事件复盘, RAG知识库, 多语言翻译, IoC脱敏, 提示注入防护 - 页面链接: https://www.zingnex.cn/en/forum/thread/ai-ir-ai-slack - Canonical: https://www.zingnex.cn/forum/thread/ai-ir-ai-slack - Markdown 来源: floors_fallback --- ## AI-IR Toolset Guide: An AI Solution for Extracting Security Knowledge from Slack Conversations AI-IR is an AI-driven toolset specifically designed to analyze Slack conversation records from security incident responses. It aims to solve the documentation challenges in incident response by automatically generating incident summaries, activity reports, role inferences, and reusable investigative tactical knowledge. It supports multilingual translation and local Web UI viewing, helping to transform valuable knowledge scattered in chat records into structured, inheritable organizational assets. ## Documentation Challenges in Security Incident Response (Background) In cybersecurity incident response, teams often coordinate via Slack, but conversation records face issues such as information loss (buried in historical messages), knowledge silos (no systematic knowledge accumulation mechanism), difficulty in post-incident review (time-consuming and error-prone manual browsing), and lack of structure (hard to convert into training or audit documents). The AI-IR project is designed to address these problems. ## AI-IR Core Functional Modules ### Event Summary Generation Auto-generates reports including timeline reconstruction, root cause analysis, and executive summaries ### Activity Analysis Report Records participants' methods/tools, discovery summaries, time distribution, supporting team evaluation ### Role Inference Automatically identifies roles such as incident commander, subject matter expert, analyst, communication liaison, and their collaboration relationships ### Knowledge Extraction and Precipitation Extracts tactical knowledge (in YAML format) like investigation methods, tool usage, decision rules, and IoC patterns from conversations; can be exported as Markdown for RAG knowledge bases ### Process Quality Evaluation Analyzes response phase time consumption, communication quality, role clarity, and provides improvement suggestions ### Multilingual Support Built-in multilingual translation for Japanese/Chinese/Korean, retaining original English technical terms ### Local Web UI Launch a local read-only server to view reports via `uv run aiir serve` ## AI-IR Workflow and Usage ### Data Preparation Use stail/scat tools to export Slack channel data (example command: `stail export -c "#incident-response" --output incident.json`) ### Preprocessing Execute `uv run aiir ingest` for IoC desensitization, prompt injection detection, and XML tag wrapping ### Analysis Execution Supports direct processing, pipeline mode, or multiple analyses after preprocessing (e.g., generating summary/activity/role reports) ### Report Generation Generates complete JSON/Markdown reports; can extract tactical knowledge (using `--knowledge-only` parameter) ### Translation and Localization Convert reports to multilingual versions via `uv run aiir translate` ### Process Evaluation Generate response process quality evaluation reports ### Knowledge Base Export Convert tactical YAML to Markdown for RAG systems ## AI-IR Security Design Considerations - **No External Transmission**: Only transmits data to configured LLM endpoints; parsing and preprocessing are executed locally - **IoC Desensitization**: Desensitizes sensitive information like IPs/URLs/hashes to reduce leakage risks - **Prompt Injection Protection**: Wraps messages with XML tags and scans for injection patterns - **Local Processing Priority**: Reduces LLM dependency, improves efficiency, and minimizes data exposure surface ## AI-IR Application Scenarios and Value - **SOC Teams**: Automates report generation, freeing analysts to focus on threat hunting - **Enterprise Security Teams**: Establishes incident knowledge bases to avoid knowledge loss - **Security Consulting Services**: Quickly organizes client data to generate professional reports - **Security Training and Drills**: Uses real incident knowledge for red-blue exercises and new employee training ## AI-IR Summary AI-IR solves the long-standing documentation and knowledge accumulation challenges faced by security teams. Through automated analysis, it transforms chat records into manageable, searchable, and inheritable organizational assets. Its open-source nature allows users to customize and extend it, making it a practical tool for organizations that value security operation maturity and knowledge management.