Skip to content

voidd0/tracelock-find-evil

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

TraceLock

TraceLock is a defensive FIND EVIL! build: a read-only incident-response agent harness that turns case events into evidence-backed findings, catches weak claims, and re-runs a focused second pass when the first analysis leaves gaps.

It is intentionally small, reproducible, and audit-heavy. Every finding has:

  • a source event id,
  • a tool name,
  • a confidence level,
  • a SHA-256 evidence hash,
  • a self-check note,
  • and a final status of confirmed, needs-corroboration, or rejected.

Public support demo: https://voiddo.com/devpost/find-evil/ Public repository: https://github.com/voidd0/tracelock-find-evil

Why this fits FIND EVIL!

FIND EVIL! asks for autonomous defensive analysis that behaves more like a senior analyst and less like a chatbot. TraceLock focuses on three qualities:

  1. Evidence integrity: the harness never writes into the case file and logs every tool result with a hash.
  2. Self-correction: if a finding lacks a corroborating event, the agent launches a targeted second pass instead of pretending the first answer is enough.
  3. Audit trail quality: the output can be traced from summary to finding to exact input event.

Run locally

python3 tracelock.py --case cases/demo_case.json --out output/latest.json

Then open index.html or serve it:

python3 -m http.server 8098

Current scope

This first package uses structured demo case data and a deterministic local agent loop. The next required FIND EVIL step is to run against SIFT/Protocol SIFT case material and attach terminal video evidence.

splunk-ops — TraceLock Ops (Splunk Agentic Ops extension)

The splunk-ops/ subdirectory extends TraceLock for Splunk teams.

TraceLock Ops takes a Splunk-style alert bundle (ESCU notable + raw events) and produces:

  • evidence-linked findings, each citing exact event IDs and SHA-256 hashes
  • contradictions and missing-proof warnings surfaced explicitly
  • next SPL/MCP search proposals as planned actions, not executed ones
  • a responder-ready handoff summary

Three-case accuracy suite (all perfect):

  • Account takeover — P=1.0, R=1.0
  • Ransomware staging — P=1.0, R=1.0
  • Insider exfiltration — P=1.0, R=1.0

Public demo: https://voiddo.com/devpost/splunk-agentic-ops/

cd splunk-ops
python3 run_suite.py   # runs all 3 cases, writes output/accuracy_report.json

MCP integration: when SPLUNK_URL and SPLUNK_TOKEN are set, splunk_mcp.py calls the official Splunk MCP Server for live searches. Without credentials, responses are marked stub_no_auth instead of silently faking success.

Built by vøiddo — a small studio shipping AI-flavoured products, free dev tools, Chrome extensions and weird browser games.

About

TraceLock: evidence-backed defensive incident-response agent harness for FIND EVIL

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors