{"id":51439755,"url":"https://github.com/usv240/argus-detection-evolution","last_synced_at":"2026-07-05T10:30:21.318Z","repository":{"id":364481871,"uuid":"1264569074","full_name":"usv240/argus-detection-evolution","owner":"usv240","description":"ARGUS: Adversarial Detection Evolution Engine: Red AI attacks, Blue AI defends, on real Splunk data. Splunk Agentic Ops Hackathon 2026 (Security track).","archived":false,"fork":false,"pushed_at":"2026-06-13T06:17:31.000Z","size":196,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-13T08:11:37.079Z","etag":null,"topics":["adversarial-ml","ai","anthropic","claude","detection-engineering","hackathon","mcp","security","splunk"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/usv240.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-10T02:06:36.000Z","updated_at":"2026-06-13T06:17:35.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/usv240/argus-detection-evolution","commit_stats":null,"previous_names":["usv240/argus-detection-evolution"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/usv240/argus-detection-evolution","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usv240%2Fargus-detection-evolution","tags_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/usv240%2Fargus-detection-evolution/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usv240%2Fargus-detection-evolution/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usv240%2Fargus-detection-evolution/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/usv240","download_url":"https://codeload.github.com/usv240/argus-detection-evolution/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/usv240%2Fargus-detection-evolution/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35151638,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-05T02:00:06.290Z","response_time":100,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adversarial-ml","ai","anthropic","claude","detection-engineering","hackathon","mcp","security","splunk"],"created_at":"2026-07-05T10:30:18.282Z","updated_at":"2026-07-05T10:30:21.309Z","avatar_url":"https://github.com/usv240.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ARGUS - Adversarial Detection Evolution Engine\n\n\u003e **Red AI vs Blue AI, live on real Splunk data.**\n\nAn attacker AI and a defender AI co-evolve inside real Splunk data - generation after generation - \nuntil your 
detections catch attacks **no human ever wrote a rule for**, and ARGUS **proves the\ncoverage gain with every number computed live.**\n\n---\n\n## What it does\n\nMost security tools tell you what they caught. **ARGUS shows you what they would miss** - by\nbreeding an attacker against your own detections and watching the defender evolve.\n\nStarting from a real Splunk ESCU-based detection:\n\n| Step | Agent | What happens |\n|---|---|---|\n| **Attack** | **Red** (Synthesizer) | Invents evasive variants of the attack, targeting the current detection's weaknesses. Materializes them as synthetic CloudTrail events sampled from **real field distributions**, injected via HEC - clearly labeled `argus_synthetic=true`. |\n| **Score** | **Evaluator** | Runs the detection **live against Splunk** and measures: recall (% of attacks caught), false-positive rate on real benign traffic, per-variant outcomes, and per-evasion shape. Every number is computed live - nothing is asserted. |\n| **Evolve** | **Blue** (Evolver) | Rewrites the SPL detection to catch the survivors, calibrated to the **real measured shape** of each miss, without firing on benign traffic. Hill-climbing: only adopted if recall improves and false positives stay zero. |\n| **Escalate** | **Orchestrator** | Next generation, Red attacks the **evolved** rule. The arms race escalates until it converges - or you see exactly why it can't. |\n\n---\n\n## What a run produces (all computed live, nothing hardcoded)\n\n- **Coverage gain** - measured: baseline **0%** → evolved **up to 100%** of attack variants caught\n- **Real-attack validation** - does the evolved rule catch the genuine attack in the BOTS dataset? 
(yes/no, computed live)\n- **MITRE ATT\u0026CK coverage map** - per technique, baseline vs final coverage, visibly self-improving\n- **Judge Proof panel** - one place with every measurable fact: coverage, false positives, variants tested, real attack caught, live Splunk searches run, synthetic index, run ID, certificate SHA-256\n- **Baseline → evolved SPL diff** - highlighted changes Blue made, with plain-English rationale\n- **Resilience Certificate** - downloadable JSON artifact, SHA-256 fingerprinted, before/after summary\n- **MCP/search receipt** - downloadable JSON of every live Splunk search (query + provider + rows)\n- **Residual frontier** - evasions the final rule still can't catch = your real, prioritized blind spots\n- **Anomaly scores** - every variant scored 0–100% against a live Splunk-trained baseline (hosted model / MLTK / SPL `anomalydetection` / local IsolationForest - first available tier), shown per-evasion\n- **Exportable Splunk app** - one click turns the evolved detection into an installable `.spl` bundle (disabled saved search + README + certificate), automatically validated with Splunk AppInspect (embedded `APPINSPECT_REPORT.json` + a pass/warning/fail badge in the UI)\n- **Approve / Edit / Reject** - human-in-the-loop review of the evolved detection before any deploy\n\n---\n\n## Why it's different\n\nThe \"AI that explains a security alert\" space is crowded. ARGUS does the opposite: it **breeds an attacker against your defenses** to discover blind spots you never knew existed, then proves it closed them. The things that make it genuinely different:\n\n- **Adversarial co-evolution, not a chatbot.** Red and Blue take turns - Red exploits your rule, Blue adapts. You watch the arms race, not a summary.\n- **No hardcoded data.** Every query runs live on Splunk, every metric is computed at runtime. 
If you pull the plug on Splunk, every number disappears - by design.\n- **Honest.** ARGUS labels synthetic events, shows what it couldn't fix (the frontier), and attributes all scores to their real source. No staged results.\n- **Scenario-agnostic engine.** A `Scenario` carries its attack briefing, distributions query, and event builder. Changing attack family = adding one object, no engine changes.\n\n---\n\n## Bonus prize coverage\n\nARGUS targets all three optional bonuses - each is load-bearing in the core loop, not bolted on for judging:\n\n| Bonus | How ARGUS earns it |\n|---|---|\n| **Best Use of Splunk MCP Server** | **All 5 documented tools exercised.** `SEARCH_PROVIDER=mcp` routes every agent search (75+ live searches per run) through the official Splunk MCP Server (Splunkbase app 7931): `splunk_run_query` (Red/Blue/Evaluator/scorer), `splunk_get_indexes`, `splunk_get_index_info`, `splunk_get_info` (proven by `/api/health` returning `server_info: {version: \"10.2.4\", ...}`), and `splunk_run_saved_search` (exercised on the \"Approve \u0026 Deploy\" path to verify evolved rules exist in Splunk). `GET /api/mcp_probe` runs a one-shot live query judges can curl directly. |\n| **Best Use of Splunk Hosted Models** | **4-tier scorer verified live.** `backend/models/scorer.py` cascades: hosted model → Splunk MLTK `\\| fit IsolationForest \\| apply` → **built-in `\\| anomalydetection`** (default, ships with core Splunk, zero app install) → scikit-learn fallback. **Every tier trains on live per-hour baseline** (launches/IPs/regions from `botsv3`), never fabricated. Verified: RUN-D7884823 shows `anomaly_scorer_backend: \"splunk-spl-anomalydetection\"`, with 2 of 3 frontier evasions flagged 62.5%/100% anomalous. Each variant shows `anomaly NN%` badge in the Arena; scorer backend recorded in Resilience Certificate. 
|\n| **Best Use of Splunk Developer Tools** | **SDK used in two production paths.** (1) `POST /api/export_app`: evolved rule packages as an audited Splunk app (app.conf, savedsearches.conf disabled, certificate, README), validated live with Splunk's `splunk-appinspect` CLI (report embedded as JSON, verdict shown as badge). (2) **\"Approve \u0026 Deploy\"** (`POST /api/approval`): `splunklib.client` creates a real disabled Splunk saved search from the evolved SPL, verified live via `splunk_run_saved_search` (5th MCP tool) - closing the loop from AI-proposed rule to deployed artifact with human approval gates. |\n\n---\n\n## Scenarios\n\nTwo ship. Both run on BOTS v3 CloudTrail (the cleanly field-extracted data):\n\n| Scenario | MITRE | Baseline weakness |\n|---|---|---|\n| **AWS cryptomining** (default) | T1496 Resource Hijacking · T1078 Valid Accounts · T1535 Unused Regions | Per-username hourly count - misses rate-throttling, IP rotation, multi-region spread, AssumedRole mimicry |\n| **AWS IAM persistence** | T1136 Create Account · T1098 Account Manipulation · T1078 Valid Accounts | Per-username IAM-change count - misses rotating actors, throttling, service-identity mimic |\n\nThe registry (`backend/scenarios.py`) supports more. 
Endpoint/identity scenarios work with the engine - they need the relevant Splunk TAs to field-extract the data.\n\n---\n\n## No-hardcoded-data rule (project invariant)\n\n\u003e Per-PR test: *\"If I deleted my Splunk instance, would this number still appear?\"* If yes, fix it.\n\n- No mock API responses, canned search results, fabricated metrics, pre-written verdicts\n- Every SPL query generated and run live against Splunk (via MCP or SDK)\n- The only synthetic data is Red's variants - generated at runtime from real distributions, labeled\n- All recall / FP / lead-time / coverage / certificate values computed from real Splunk search output\n\n---\n\n## Architecture\n\nARGUS is a small FastAPI backend, a React frontend, and an orchestrator that runs three agents,\nRed, Blue, and an Evaluator, in rounds against real Splunk data. Red looks for ways around the\ncurrent detection rule, the Evaluator tests the rule for real, and Blue rewrites it to close the\ngap. This repeats for a few rounds, with each round building on the last.\n\n```mermaid\nflowchart TB\n    subgraph UI[\"React UI (Vite + Tailwind + Framer Motion)\"]\n        LAND[\"Landing / Home\\n(18-term glossary · 4-step how-it-works · ⓘ on every term)\"]\n        ARENA[\"Arena view\\n(scenario selector · status header)\"]\n        PANELS[\"Arena panels:\\n• Coverage headline (0%→X%, FP, real-attack caught/missed, search count)\\n• Judge Proof panel (all measurable facts in one block)\\n• Generation cards (per-evasion MITRE · why-missed · changed fields)\\n• Baseline→Evolved SPL diff (green added lines + rationale)\\n• Approve / Edit / Reject (human-in-the-loop)\\n• MITRE coverage map (self-improving bars)\\n• Residual frontier (uncaught evasions = blind spots)\\n• Resilience Certificate (download + SHA-256 fingerprint)\\n• Search activity trace (every live Splunk search streamed)\"]\n    end\n\n    subgraph API[\"FastAPI backend (port 8810)\"]\n        HEALTH[\"GET /api/health\\n(live connectivity - no mock; 
MCP tool probe)\"]\n        SCENARIOS[\"GET /api/scenarios\\n(returns scenario registry)\"]\n        ARENA_EP[\"POST /api/arena  → SSE stream\\n(streams: search, variants_generated, generation_scored,\\n blue_evolved, converged, arena_finished, ...)\"]\n        APPROVAL[\"POST /api/approval\\n(Approve / Edit / Reject - deploy disabled by default)\"]\n        EXPORT[\"POST /api/export_app\\n(generates Splunk .spl app bundle with evolved detection\\n → auto-runs splunk-appinspect inspect, embeds report,\\n returns X-Appinspect-* verdict headers)\"]\n        ORCH[\"ArenaOrchestrator (arena_orchestrator.py)\\n(purpose-built async agentic loop:\\n plan→act→observe→reflect per generation;\\n inner hill-climbing; run_id; _CountingSearch tracer;\\n ingest polling; AnomalyScorer wiring)\"]\n    end\n\n    subgraph AGENTS[\"Agents\"]\n        RED[\"RED - Attack Synthesizer\\n(LLM proposes evasions targeting the current rule;\\n builds synthetic events from real field distributions;\\n materializes via HEC; tags argus_synthetic=true + run_id)\"]\n        EVAL[\"EVALUATOR\\n(live SPL recall · FP on real benign · per-variant shape;\\n real-attack validation against BOTS attacker)\"]\n        BLUE[\"BLUE - Detection Evolver\\n(LLM evolves SPL from real miss-shapes + invariant hints;\\n fenced-block SPL; hill-climbing acceptance;\\n corrects dotted-field eval quoting)\"]\n    end\n\n    subgraph MODELS[\"Reasoning (tiered for cost)\"]\n        LLM[\"Anthropic Claude\\nSonnet 4.6 (primary) · Haiku 4.5 (fast steps)\"]\n    end\n\n    subgraph SPLUNK[\"Splunk Enterprise 10.2.4 (Docker, named volumes) - REAL data: BOTS v3 (web_admin cryptomining incident, 576 events)\"]\n        MCP[\"Splunk MCP Server (app 7931, v1.2.0)\\ntools: splunk_run_query · splunk_get_indexes\\n splunk_get_index_info · splunk_run_saved_search\\n splunk_get_info\"]\n        SDK[\"Splunk Python SDK (fallback)\"]\n        HEC[\"HEC (SPLUNK_HEC_URL)\\ninjects synthetic variants\"]\n        
IDX[(\"indexes:\\nbotsv3 - real benign + real attack\\nargus_sandbox - synthetic variants (per run_id)\")]\n    end\n\n    LAND \u003c--\u003e ARENA\n    ARENA --\u003e PANELS\n    PANELS \u003c--\u003e|SSE + commands| ARENA_EP\n    PANELS -. status .-\u003e HEALTH\n    PANELS -. list .-\u003e SCENARIOS\n    PANELS -. decision .-\u003e APPROVAL\n    PANELS -. export .-\u003e EXPORT\n    ARENA_EP --\u003e ORCH\n    ORCH --\u003e RED \u0026 EVAL \u0026 BLUE\n    RED \u0026 BLUE --\u003e|reason| LLM\n    RED --\u003e|write synthetic events + run_id| HEC\n    RED --\u003e|query real distributions| MCP\n    RED --\u003e|query real distributions, fallback| SDK\n    EVAL --\u003e|run detection SPL + score| MCP\n    EVAL --\u003e|run detection SPL + score, fallback| SDK\n    HEC --\u003e IDX\n    MCP --- IDX\n    SDK --- IDX\n```\n\n- [docs/architecture.md](docs/architecture.md): a plain-English walkthrough, with a simple diagram\n  and a worked example\n- [docs/adr/](docs/adr/): short write-ups of why the system is built this way\n- [`architecture_diagram.md`](architecture_diagram.md): the co-evolution sequence diagram,\n  a components table, and the scenario registry (required at the repo root by the hackathon rules)\n- [`REFERENCES.md`](REFERENCES.md): Splunk SDK / MCP integration docs\n\n```\nargus/\n├── LICENSE                         MIT\n├── README.md                       this file\n├── SETUP.md                        step-by-step setup guide\n├── REFERENCES.md                   Splunk SDK / MCP / data reference links\n├── architecture_diagram.md         (rules-required) system + data-flow diagrams\n├── docs/\n│   ├── architecture.md             plain-English architecture walkthrough\n│   └── adr/                        decision records (why we built it this way)\n│\n├── backend/\n│   ├── api.py                      FastAPI: /api/arena (SSE) /api/health /api/mcp_probe /api/scenarios /api/export_app /api/approval\n│   ├── arena_orchestrator.py       generational 
co-evolution + hill-climbing + run_id + search tracing\n│   ├── app_export.py               packages the evolved detection as an installable Splunk .spl app\n│   ├── scenarios.py                scenario registry (AWS cryptomining, IAM persistence)\n│   ├── smoke_test.py               judge quickstart: verifies Splunk + search + HEC + LLM in ~10s\n│   ├── agents/\n│   │   ├── red_synthesizer.py      Red - invents evasions, materializes synthetic events via HEC\n│   │   ├── evaluator.py            live recall / FP / real-attack validation / variant profiling\n│   │   └── blue_evolver.py         Blue - evolves SPL calibrated to real miss-shapes + invariant hints\n│   ├── splunk/\n│   │   ├── mcp_client.py           Splunk MCP Server client (primary, with retry)\n│   │   ├── sdk_client.py           Splunk Python SDK client (fallback, with retry)\n│   │   ├── hec.py                  HEC write path for synthetic variants (with retry)\n│   │   └── search.py               SearchProvider abstraction (sdk / mcp)\n│   ├── models/\n│   │   ├── llm.py                  Claude reasoning - tiered: Sonnet (primary) / Haiku (fast steps)\n│   │   └── scorer.py               AnomalyScorer - hosted / MLTK / SPL / local, trained on a live Splunk baseline\n│   ├── requirements.txt\n│   ├── .env.example                all configuration keys, no secrets\n│   └── config.py / exceptions.py\n│\n└── frontend/\n    ├── src/\n    │   ├── App.tsx                 shell: Home / Arena tabs, status header, footer\n    │   ├── content.ts              single-source glossary + landing copy (18 terms, plain English)\n    │   ├── views/\n    │   │   ├── Landing.tsx         onboarding home page - explains ARGUS to zero-knowledge visitors\n    │   │   └── Arena.tsx           the live co-evolution UI (all panels below)\n    │   ├── components/ui.tsx       design system: Button, Card, InfoTip (ⓘ), Term, Stat\n    │   └── api/stream.ts           SSE-over-POST client for /api/arena\n    ├── package.json\n    
├── vite.config.ts\n    └── tailwind.config.js          colorblind-safe palette (blue/amber, not red/green)\n```\n\n---\n\n## Arena UI panels\n\n| Panel | What it shows |\n|---|---|\n| **Status header** | Live green/red dots: Splunk · AI · Inject - with ⓘ on each |\n| **Scenario selector** | Dropdown (populated from `/api/scenarios`), ⓘ on every term |\n| **Coverage headline** | Big `0% → X%` number, false positives, real-attack yes/no, search count + provider |\n| **Judge Proof panel** | All measurable facts in one block - coverage, FP, variants, real-attack, searches, index, run ID, cert SHA-256 |\n| **Generation cards** | Per-round: recall before/after, Red's evasions (name · MITRE · changed fields · why baseline missed · caught/evaded · live **anomaly %** badge), Blue's rationale |\n| **Baseline → Evolved SPL** | Side-by-side, with blue-highlighted lines showing what Blue added, and \"why it catches\" |\n| **Approve / Edit / Reject** | Human-in-the-loop review; deploy disabled by default |\n| **MITRE coverage map** | Per-technique animated bars - baseline (grey) → evolved (blue) - self-improving |\n| **Residual frontier** | Evasions still uncaught, each with its live anomaly % badge; labeled as prioritized blind spots |\n| **Resilience Certificate** | Run ID, before/after, SHA-256 fingerprint, anomaly-scorer backend, download + **Export Splunk App** |\n| **Search activity trace** | Every live Splunk search streamed: provider · SPL · rows. Download as JSON receipt |\n| **Agent log** | Streaming play-by-play of each agent step |\n| **Landing / Home** | Glossary of 18 terms in plain English + 4-step how-it-works - newcomers understand in \u003c 60s |\n\n---\n\n## Setup \u0026 run\n\nFull guide with verification gates: [`SETUP.md`](SETUP.md).\n\n### Quick version (Docker)\n\n**1. 
Splunk + data**\n```bash\n# Start Splunk (pinned 10.2.4 for MCP app compatibility)\ndocker run -d --name splunk \\\n  -p 8000:8000 -p 8088:8088 -p 8089:8089 \\\n  -e SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com \\\n  -e SPLUNK_START_ARGS=--accept-license \\\n  -e 'SPLUNK_PASSWORD=ChangeMe_Strong123!' \\\n  -v splunk-etc:/opt/splunk/etc -v splunk-var:/opt/splunk/var \\\n  splunk/splunk:10.2.4\n\n# Load BOTS v3 real data - REQUIRED (CC0 public download, ~320 MB, ~2.08M events).\n# Both scenarios are scoped to the web_admin cryptomining incident (576 events) - SETUP.md Step 2.\ncurl -L -o botsv3.tgz https://botsdataset.s3.amazonaws.com/botsv3/botsv3_data_set.tgz\ndocker cp botsv3.tgz splunk:/tmp/botsv3.tgz\ndocker exec -u root splunk tar -xzf /tmp/botsv3.tgz -C /opt/splunk/etc/apps\ndocker exec -u root splunk chown -R splunk:splunk /opt/splunk/etc/apps/botsv3_data_set\ndocker restart splunk\n\n# Create the sandbox index\ncurl -sk -u admin:ChangeMe_Strong123! \\\n  --data-urlencode \"name=argus_sandbox\" \\\n  \"https://127.0.0.1:8089/services/data/indexes?output_mode=json\"\n\n# Enable HEC + create a token (Settings → Data inputs → HTTP Event Collector in the UI)\n# Copy the token into SPLUNK_HEC_TOKEN in backend/.env\n```\n\n**2. Backend**\n```bash\ncd backend\npython -m venv .venv \u0026\u0026 source .venv/bin/activate    # Windows PowerShell: .venv\\Scripts\\Activate.ps1\npip install -r requirements.txt\ncp .env.example .env            # Windows: copy .env.example .env - fill in: SPLUNK_PASSWORD, SPLUNK_HEC_TOKEN, ANTHROPIC_API_KEY\npython smoke_test.py            # should print ALL PASS - verifies Splunk + search + HEC + LLM\nuvicorn api:app --port 8810\n```\n\n**3. Frontend**\n```bash\ncd frontend \u0026\u0026 npm install \u0026\u0026 npm run dev   # → http://127.0.0.1:5180\n```\n\n**4. 
Optional: MCP Server (Best Use of MCP Server bonus)**\n\nInstall Splunkbase [app 7931](https://splunkbase.splunk.com/app/7931) into Splunk, create a\nSplunk auth token, and in `.env` set `SPLUNK_MCP_TOKEN=\u003ctoken\u003e` and `SEARCH_PROVIDER=mcp`. No\nother changes needed - the search layer is abstracted. The UI's search-trace panel will then\nshow `splunk-mcp` as the provider for every live query. With this configured, `GET\n/api/mcp_probe` and `/api/health`'s `mcp_tool_diversity` field go live too - see\n[Bonus prize coverage](#bonus-prize-coverage) above.\n\n---\n\n## Verify it's working\n\n```bash\npython backend/smoke_test.py\n```\nShould print: `ALL PASS - ready to run the Arena`\n\nOr manually:\n1. `GET http://127.0.0.1:8810/api/health` → `splunk.connected: true`, `llm_configured: true`, `hec_configured: true`, `scorer_backend: \"splunk_spl\"` (or your configured tier)\n2. `GET http://127.0.0.1:8810/api/mcp_probe` → `ok: true` with a live row from `index=_internal` - proves the Splunk MCP Server (app 7931) is reachable and load-bearing, independent of `SEARCH_PROVIDER`\n3. `GET http://127.0.0.1:8810/api/scenarios` → returns 2 scenarios\n4. Open http://127.0.0.1:5180 → status dots green → **Launch the Arena** → **Run the Arena**\n\n---\n\n## Troubleshooting\n\n| Symptom | Fix |\n|---|---|\n| `splunk.connected: false` | `docker start splunk`; check `SPLUNK_HOST=127.0.0.1`, `SPLUNK_PORT=8089`, `SPLUNK_PASSWORD` in `.env` |\n| `hec_configured: false` | Enable HEC in Splunk UI; create a token; set `SPLUNK_HEC_TOKEN` in `.env` |\n| Searches return 0 rows | Load BOTS v3 (see above); always use `earliest=0` (data is from 2018–2019) |\n| `error: ... 
not configured` | Set `ANTHROPIC_API_KEY` (LLM) or `SPLUNK_HEC_TOKEN` (HEC) in `.env` |\n| `argus_sandbox` not found | Create the index (curl command above); to reset, DELETE then recreate |\n| `localhost` connection refused | Use `127.0.0.1` (not `localhost`) - on Windows after sleep, `localhost` may resolve to IPv6 `::1` while Docker binds IPv4 |\n| Port conflict | Change `--port` in uvicorn and update `frontend/vite.config.ts` proxy target to match |\n| Want MCP instead of SDK | Install Splunkbase app 7931; set `SPLUNK_MCP_TOKEN` and `SEARCH_PROVIDER=mcp` in `.env`; restart backend |\n\n---\n\n## Configuration reference\n\nAll config is environment-driven (`backend/.env`). See [`.env.example`](backend/.env.example) - no secrets committed.\n\n| Variable | Default | Purpose |\n|---|---|---|\n| `SPLUNK_HOST` | `127.0.0.1` | Splunk management host |\n| `SPLUNK_PORT` | `8089` | Splunk management port |\n| `SPLUNK_PASSWORD` | - | Splunk admin password (required) |\n| `SPLUNK_HEC_URL` | `https://127.0.0.1:8088/services/collector/event` | HEC endpoint for synthetic variants |\n| `SPLUNK_HEC_TOKEN` | - | HEC token (required for Red agent) |\n| `SPLUNK_MCP_URL` | `https://127.0.0.1:8089/services/mcp` | MCP server endpoint |\n| `SPLUNK_MCP_TOKEN` | - | MCP Bearer token (required when `SEARCH_PROVIDER=mcp`) |\n| `SEARCH_PROVIDER` | `sdk` | `mcp` (primary, agentic) or `sdk` (fallback) |\n| `SCORER_BACKEND` | `splunk_spl` | Anomaly scorer tier: `hosted` \\| `splunk_mltk` \\| `splunk_spl` \\| `local`. 
Every tier trains on a live Splunk baseline; `splunk_spl` (built-in `\\| anomalydetection`) and `local` (scikit-learn IsolationForest) both need no extra apps |\n| `SCORER_HOSTED_ENDPOINT` | - | REST endpoint for the `hosted` scorer tier (Splunk-hosted model serving / MLTK Serving) |\n| `SCORER_HOSTED_MODEL` | - | Model name for the `hosted` scorer tier |\n| `ANTHROPIC_API_KEY` | - | Claude API key - enables Red/Blue reasoning (required) |\n| `ANTHROPIC_MODEL` | `claude-sonnet-4-6` | Primary agent model (Sonnet = best cost/quality) |\n| `ANTHROPIC_MODEL_FAST` | `claude-haiku-4-5-20251001` | Fast tier for narration / cheap steps |\n\n---\n\n## License\n\n[MIT](LICENSE) · Built by Ujwal Suresh Vanjare, June 2026.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fusv240%2Fargus-detection-evolution","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fusv240%2Fargus-detection-evolution","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fusv240%2Fargus-detection-evolution/lists"}