Skip to content

Latest commit

 

History

History
211 lines (163 loc) · 7.36 KB

File metadata and controls

211 lines (163 loc) · 7.36 KB

Arsenal Demo Profile

Last updated: 2026-07-02

1. Purpose

This demo shows the deterministic edge SOC/NOC decision loop. It is not a full SIEM replacement, not an autonomous AI defender, and not a broad feature tour.

2. Demo story

  1. Evidence is ingested.
  2. NOC and SOC are evaluated separately.
  3. The Action Arbiter selects a bounded response.
  4. The system records explanation, rejected alternatives, and audit evidence.
  5. The operator inspects the decision and response trace.

3. Required components

Mandatory:

  • azazel-edge-web
  • azazel-edge-control-daemon
  • deterministic replay CLI (bin/azazel-edge-scenario-replay)
  • azazel-edge-core when live Suricata path is included
  • azazel-edge-opencanary when redirect behavior is shown
  • bin/azazel-edge-dummy-eve when a live dashboard demo (fabricated EVE traffic through the real pipeline) is included

Optional:

  • Mattermost
  • Ollama
  • Aggregator
  • TAXII/STIX
  • SNMP/NetFlow
  • Vector
  • Wazuh

4. Demo modes

Live dashboard demo (primary — bin/azazel-edge-injector / bin/azazel-edge-dummy-eve):

  • injects fabricated Suricata EVE alerts into eve.json; the real pipeline (Rust core -> AI agent -> control daemon) processes them and the real operational dashboard displays the result
  • the demo shows the production system reacting to injected test data, not a demo-purpose feature: no separate demo screen, which removes any "is the demo faked?" doubt
  • bin/azazel-edge-injector is the interactive scenario menu (list / emit / staged flow / stream, with live pipeline status); bin/azazel-edge-dummy-eve is the scripted CLI equivalent for frozen command sheets
  • works on the appliance and the dev Mac (profile auto-detection)
  • must preserve immediate one-step fallback to deterministic scenario replay if the live path is unstable
  • remains subordinate to the same deterministic evaluator and Action Arbiter path

Deterministic scenario replay (immediate fallback + verification, offline):

  • stable evaluator output, reproducible artifacts for verification/rehearsal/freeze tooling
  • no dependency on live packet generation — survives total booth-environment failure, so it is the final fallback
  • best surface for the audit walkthrough (fixed trace id, known expected output)
  • does not replace the normal live Tactical first-pass path
  • freeze the fallback scenario to mixed_correlation_demo unless a clear demo blocker appears

Boundary statement:

  • normal operation uses live Tactical first-pass triage when available
  • BHUSA 2026 booth operation leads with live injection through the real pipeline; deterministic replay is the immediate fallback for short-session stability and the backbone of the audit walkthrough
  • neither injected traffic nor booth replay must be described as the normal operating model (normal input is real telemetry)

5. Pre-demo checklist

systemctl status azazel-edge-web --no-pager
systemctl status azazel-edge-control-daemon --no-pager
systemctl status azazel-edge-core --no-pager
systemctl status azazel-edge-opencanary --no-pager
bin/azazel-edge-scenario-replay list
bin/azazel-edge-scenario-replay run mixed_correlation_demo

Recommended API sanity checks:

TOKEN="$(cat ~/.azazel-edge/web_token.txt)"
curl -fsS -H "X-AZAZEL-TOKEN: ${TOKEN}" http://127.0.0.1:8084/api/state >/dev/null
curl -fsS -H "X-AZAZEL-TOKEN: ${TOKEN}" http://127.0.0.1:8084/api/aggregator/nodes >/dev/null || true

6. Failure fallback

  • Suricata failure: switch to deterministic scenario replay immediately.
  • dummy-eve/live dashboard demo failure: fall back to bin/azazel-edge-scenario-replay run mixed_correlation_demo and the CLI audit review path.
  • OpenCanary failure: continue replay demo without redirect execution path.
  • Mattermost failure: continue local Web UI + audit walkthrough.
  • Ollama failure: continue deterministic core story (AI assist is optional).
  • Network instability: run local replay scenarios only.
  • Web UI failure: use CLI replay output + JSON logs for deterministic trace.

Final fallback rule:

  • the deterministic replay path must remain the final fallback.

BHUSA 2026 booth message

Presenter note:

7. What not to show first

Do not lead with optional integration tours:

  • Wazuh
  • TAXII/STIX
  • Aggregator fleet view
  • multilingual captive portal
  • vehicle deployment

Lead with deterministic path consistency and bounded action behavior.

8. Audit Review Path (read-only operator command)

bin/azazel-edge-audit-review is a read-only CLI tool for walking a decision through its v2 explanation record and the hash-chained audit log. It makes no writes, no policy changes, and no enforcement actions.

What it does

  1. Reads the decision-explanations JSONL file and selects the requested record (by --trace-id, or the most-recent record if omitted).
  2. Prints the review fields: trace_id, selected_action, rejected_actions with why_not_others reasons, release_condition, policy_profile, config_hash, evidence_ids, operator_wording.
  3. Runs validate_v2_explanation on the record and reports whether it is schema-valid (lists any problems if it is not).
  4. Runs P0AuditLogger.verify_chain on the triage-audit JSONL and reports OK (N entries) or MISMATCH: <error detail>.

Usage

Standard (formatted) output:

bin/azazel-edge-audit-review

Select a specific trace:

bin/azazel-edge-audit-review --trace-id trace-audit-review-01

Condensed output for booth screens:

bin/azazel-edge-audit-review --compact

Machine-readable JSON:

bin/azazel-edge-audit-review --json

Custom paths (useful in test or staging environments):

bin/azazel-edge-audit-review \
  --explanations-path /tmp/decision-explanations.jsonl \
  --audit-path /tmp/triage-audit.jsonl

The audit path can also be set via the environment variable AZAZEL_TRIAGE_AUDIT_PATH.

Exit codes

Code Meaning
0 Explanation record found; audit chain verified OK
2 Explanation file missing, empty, or trace-id not found
3 Audit chain verification failed (hash mismatch or parse error)

Read-only contract

The command only opens files for reading. It calls P0AuditLogger.verify_chain (a classmethod that reads the log file without instantiating a writer) and validate_v2_explanation (a pure validation function). No logger is instantiated, no file is opened for writing, and no control-plane state is modified. This property is verified by the test suite (see tests/test_audit_review_v1.py, read-only test case).

Demo talk track

After running a scenario, show the audit review path to demonstrate end-to-end traceability:

bin/azazel-edge-scenario-replay run mixed_correlation_demo
bin/azazel-edge-audit-review --compact

This confirms that the decision recorded in the explanation file matches what was written to the hash-chained audit log, and that neither has been tampered with.