Last updated: 2026-07-02
This demo shows the deterministic edge SOC/NOC decision loop. It is not a full SIEM replacement, not an autonomous AI defender, and not a broad feature tour.
- Evidence is ingested.
- NOC and SOC are evaluated separately.
- The Action Arbiter selects a bounded response.
- The system records explanation, rejected alternatives, and audit evidence.
- The operator inspects the decision and response trace.
Mandatory:
azazel-edge-webazazel-edge-control-daemon- deterministic replay CLI (
bin/azazel-edge-scenario-replay) azazel-edge-corewhen live Suricata path is includedazazel-edge-opencanarywhen redirect behavior is shownbin/azazel-edge-dummy-evewhen a live dashboard demo (fabricated EVE traffic through the real pipeline) is included
Optional:
- Mattermost
- Ollama
- Aggregator
- TAXII/STIX
- SNMP/NetFlow
- Vector
- Wazuh
Live dashboard demo (primary — bin/azazel-edge-injector / bin/azazel-edge-dummy-eve):
- injects fabricated Suricata EVE alerts into
eve.json; the real pipeline (Rust core -> AI agent -> control daemon) processes them and the real operational dashboard displays the result - the demo shows the production system reacting to injected test data, not a demo-purpose feature: no separate demo screen, which removes any "is the demo faked?" doubt
bin/azazel-edge-injectoris the interactive scenario menu (list / emit / staged flow / stream, with live pipeline status);bin/azazel-edge-dummy-eveis the scripted CLI equivalent for frozen command sheets- works on the appliance and the dev Mac (profile auto-detection)
- must preserve immediate one-step fallback to deterministic scenario replay if the live path is unstable
- remains subordinate to the same deterministic evaluator and Action Arbiter path
Deterministic scenario replay (immediate fallback + verification, offline):
- stable evaluator output, reproducible artifacts for verification/rehearsal/freeze tooling
- no dependency on live packet generation — survives total booth-environment failure, so it is the final fallback
- best surface for the audit walkthrough (fixed trace id, known expected output)
- does not replace the normal live Tactical first-pass path
- freeze the fallback scenario to
mixed_correlation_demounless a clear demo blocker appears
Boundary statement:
- normal operation uses live Tactical first-pass triage when available
- BHUSA 2026 booth operation leads with live injection through the real pipeline; deterministic replay is the immediate fallback for short-session stability and the backbone of the audit walkthrough
- neither injected traffic nor booth replay must be described as the normal operating model (normal input is real telemetry)
systemctl status azazel-edge-web --no-pager
systemctl status azazel-edge-control-daemon --no-pager
systemctl status azazel-edge-core --no-pager
systemctl status azazel-edge-opencanary --no-pager
bin/azazel-edge-scenario-replay list
bin/azazel-edge-scenario-replay run mixed_correlation_demoRecommended API sanity checks:
TOKEN="$(cat ~/.azazel-edge/web_token.txt)"
curl -fsS -H "X-AZAZEL-TOKEN: ${TOKEN}" http://127.0.0.1:8084/api/state >/dev/null
curl -fsS -H "X-AZAZEL-TOKEN: ${TOKEN}" http://127.0.0.1:8084/api/aggregator/nodes >/dev/null || true- Suricata failure: switch to deterministic scenario replay immediately.
- dummy-eve/live dashboard demo failure: fall back to
bin/azazel-edge-scenario-replay run mixed_correlation_demoand the CLI audit review path. - OpenCanary failure: continue replay demo without redirect execution path.
- Mattermost failure: continue local Web UI + audit walkthrough.
- Ollama failure: continue deterministic core story (AI assist is optional).
- Network instability: run local replay scenarios only.
- Web UI failure: use CLI replay output + JSON logs for deterministic trace.
Final fallback rule:
- the deterministic replay path must remain the final fallback.
Presenter note:
- BHUSA 2026 Booth Message
- BHUSA 2026 Replay Runbook
- BHUSA 2026 Audit Walkthrough
- BHUSA 2026 Live Boundary
- BHUSA 2026 Booth Runbook
- BHUSA 2026 Freeze Candidate
- BHUSA 2026 Final Command Sheet
Do not lead with optional integration tours:
- Wazuh
- TAXII/STIX
- Aggregator fleet view
- multilingual captive portal
- vehicle deployment
Lead with deterministic path consistency and bounded action behavior.
bin/azazel-edge-audit-review is a read-only CLI tool for walking a decision
through its v2 explanation record and the hash-chained audit log. It makes no
writes, no policy changes, and no enforcement actions.
- Reads the decision-explanations JSONL file and selects the requested record
(by
--trace-id, or the most-recent record if omitted). - Prints the review fields:
trace_id,selected_action,rejected_actionswithwhy_not_othersreasons,release_condition,policy_profile,config_hash,evidence_ids,operator_wording. - Runs
validate_v2_explanationon the record and reports whether it is schema-valid (lists any problems if it is not). - Runs
P0AuditLogger.verify_chainon the triage-audit JSONL and reportsOK (N entries)orMISMATCH: <error detail>.
Standard (formatted) output:
bin/azazel-edge-audit-reviewSelect a specific trace:
bin/azazel-edge-audit-review --trace-id trace-audit-review-01Condensed output for booth screens:
bin/azazel-edge-audit-review --compactMachine-readable JSON:
bin/azazel-edge-audit-review --jsonCustom paths (useful in test or staging environments):
bin/azazel-edge-audit-review \
--explanations-path /tmp/decision-explanations.jsonl \
--audit-path /tmp/triage-audit.jsonlThe audit path can also be set via the environment variable
AZAZEL_TRIAGE_AUDIT_PATH.
| Code | Meaning |
|---|---|
| 0 | Explanation record found; audit chain verified OK |
| 2 | Explanation file missing, empty, or trace-id not found |
| 3 | Audit chain verification failed (hash mismatch or parse error) |
The command only opens files for reading. It calls P0AuditLogger.verify_chain
(a classmethod that reads the log file without instantiating a writer) and
validate_v2_explanation (a pure validation function). No logger is
instantiated, no file is opened for writing, and no control-plane state is
modified. This property is verified by the test suite (see
tests/test_audit_review_v1.py, read-only test case).
After running a scenario, show the audit review path to demonstrate end-to-end traceability:
bin/azazel-edge-scenario-replay run mixed_correlation_demo
bin/azazel-edge-audit-review --compactThis confirms that the decision recorded in the explanation file matches what was written to the hash-chained audit log, and that neither has been tampered with.