ContainmentCountdown
Seeded Splunk-compatible telemetry

Architecture proof

Seeded Splunk-compatible telemetry is the public evidence model: the replay lab runs entirely on it and needs no Splunk instance. When live credentials are configured, the same SPL/REST boundary can query Splunk instead, as both the evidence source and the verification source.

Seeded Splunk-compatible telemetry

Deterministic identity, DLP, finance, and IAM events drive replay.

SPL / REST query boundary

Live Splunk can replace replay after credentials are configured and smoke-tested.

Policy and action engine

Evidence returned through the query boundary moves the incident into threshold state; containment stays locked until a human approves.

Containment executor

In this build the executor changes only the demo incident's identity state inside the isolated replay environment; no real IAM or firewall system is touched.

Dossier store

The approval record, the SPL transcript, the execution result, and the verification result are bound together into one proof artifact.
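To make the five components above concrete, here is an added example, not code from the ContainmentCountdown project: a miniature replay lab in Python that runs seeded telemetry through a query boundary, a policy engine with a threshold and a human approval gate, a replay-only containment executor, and a dossier builder. Every event, SPL string, weight, threshold, state name, class name and field name in it is an assumption made for this example; the project's own fixtures and APIs are not shown on this page.

```python
# Added example for the ContainmentCountdown pipeline (not the project's own code).
# All events, SPL strings, weights, thresholds and state names are constructed assumptions.
import hashlib
import json
import re

# Constructed seeded telemetry: identity, DLP, finance and IAM events for one replay run.
SEEDED_EVENTS = [
    {"_time": "2024-05-01T09:00:00Z", "sourcetype": "identity", "user": "jdoe", "action": "login", "src": "203.0.113.7"},
    {"_time": "2024-05-01T09:04:00Z", "sourcetype": "dlp", "user": "jdoe", "action": "upload", "bytes": 52000000},
    {"_time": "2024-05-01T09:06:00Z", "sourcetype": "finance", "user": "jdoe", "action": "wire_request", "amount": 48000},
    {"_time": "2024-05-01T09:07:00Z", "sourcetype": "iam", "user": "jdoe", "action": "role_grant", "role": "FinanceAdmin"},
    {"_time": "2024-05-01T09:10:00Z", "sourcetype": "identity", "user": "asmith", "action": "login", "src": "198.51.100.9"},
]

# Points each evidence source contributes; containment needs CONTAIN_THRESHOLD (assumed values).
WEIGHTS = {"dlp": 40, "finance": 30, "iam": 30, "identity": 0}
CONTAIN_THRESHOLD = 70


class QueryBoundary:
    """Replay stand-in for the SPL/REST boundary: answers 'search k=v k=v ...' over the
    seeded events and records every query in a transcript that later goes into the dossier."""

    def __init__(self, events):
        self.events = [dict(e) for e in events]
        self.transcript = []

    def search(self, spl):
        if not spl.startswith("search "):
            raise ValueError("only 'search k=v ...' is supported in replay")
        pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', spl[len("search "):])
        filters = {k: v.strip('"') for k, v in pairs}
        hits = [e for e in self.events if all(str(e.get(k)) == v for k, v in filters.items())]
        self.transcript.append({"spl": spl, "hits": len(hits)})
        return hits

    def ingest(self, event):
        """Replay only: containment writes its own evidence back so verification can query it."""
        self.events.append(dict(event))


class PolicyEngine:
    """Scores evidence per user and moves the incident through explicit states;
    containment cannot run until the threshold is met and a human has approved."""

    def __init__(self, boundary):
        self.boundary = boundary
        self.state = "observed"
        self.score = 0
        self.approval = None

    def evaluate(self, user):
        for sourcetype, weight in WEIGHTS.items():
            hits = self.boundary.search(f"search sourcetype={sourcetype} user={user}")
            self.score += weight * min(len(hits), 1)  # each source counts at most once
        if self.score >= CONTAIN_THRESHOLD:
            self.state = "threshold_met"
        return self.state

    def approve(self, approver, ticket):
        if self.state != "threshold_met":
            raise PermissionError(f"cannot approve in state {self.state}")
        self.approval = {"approver": approver, "ticket": ticket}
        self.state = "approved"


class ReplayContainmentExecutor:
    """Changes only the demo incident state. Any mode other than 'replay' is refused,
    so the lab cannot touch real IAM or firewalls by accident."""

    def __init__(self, boundary, mode="replay"):
        self.boundary = boundary
        self.mode = mode
        self.identity_state = {}

    def disable_account(self, engine, user):
        if self.mode != "replay":
            raise RuntimeError("live containment is not implemented in this build")
        if engine.state != "approved":
            raise PermissionError(f"containment requires state 'approved', got {engine.state}")
        self.identity_state[user] = "disabled"
        self.boundary.ingest({"_time": "2024-05-01T09:12:00Z", "sourcetype": "iam",
                              "user": user, "action": "account_disabled"})
        engine.state = "contained"
        return {"target": user, "action": "disable_account", "mode": self.mode}


def run_replay(user="jdoe", approver="analyst", ticket="IR-0001"):
    """Runs the whole lab and returns the dossier: one artifact binding approval,
    SPL transcript, execution and verification, sealed with a SHA-256 digest."""
    boundary = QueryBoundary(SEEDED_EVENTS)
    engine = PolicyEngine(boundary)
    engine.evaluate(user)
    engine.approve(approver, ticket)
    executor = ReplayContainmentExecutor(boundary)
    execution = executor.disable_account(engine, user)
    # Verification goes back through the same query boundary instead of trusting the executor.
    verified = bool(boundary.search(f"search sourcetype=iam user={user} action=account_disabled"))
    if verified:
        engine.state = "verified"
    body = {"user": user, "score": engine.score, "final_state": engine.state,
            "approval": engine.approval, "spl_transcript": boundary.transcript,
            "execution": execution, "verification": verified}
    body["sha256"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return body


if __name__ == "__main__":
    print(json.dumps(run_replay(), indent=2))
```

Running the file prints the dossier for the seeded user. The ordering is the point: `evaluate` must reach the threshold before `approve` is accepted, `disable_account` refuses unless the engine state is `approved` and the executor mode is `replay`, and verification is a fresh query through the same boundary whose transcript ends up in the dossier, so the artifact records how containment was justified, who approved it, what ran, and what the evidence source saw afterwards.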

Assumption register
  • Uses seeded Splunk-compatible telemetry for deterministic demo replay.
  • Live Splunk credentials are not configured in this build.
  • Replay containment changes the demo incident state only; no real IAM or firewall change occurs.
  • Root architecture artifact: architecture_diagram.md