# Backslash Vibe Coding Security for Splunk
Splunk integration for Backslash Security vibe coding findings. Ingests workstation inventory, MCP server risk analysis, AI rules, and security events (data leakage, prompt injection) and presents them through SOC-focused dashboards.
## Packages

### TA-backslash (Technology Add-on)
Backend component that handles API ingestion and field extraction. Not visible in the Splunk UI.
- Modular input (`backslash://`) polls the Backslash API on a configurable interval
- 4 sourcetypes: `backslash:workstations`, `backslash:mcp_servers`, `backslash:ai_rules`, `backslash:events`
- Zero external dependencies — uses only Python stdlib (`urllib.request`)
- Stable `backslash_event_id` (SHA-256 hash) injected into every event for deduplication
### backslash_app_for_splunk (Splunk App)
Dashboards, saved searches, alerts, and sample data.
Dashboards:
| Dashboard | Description |
|---|---|
| Executive Summary | KPI panels, event timeline, IDE distribution, top MCP risks |
| SOC Triage Queue | Filterable by severity/attack vector/time, unapproved users |
| MCP Server Risk | Risk distribution, attack vectors, remote vs local, tool inventory |
| Workstation Coverage | Host/user counts, approval status, AI models, security rules |
| Health Monitoring | Last poll age, ingestion volume, API errors |
Alerts:
- High Risk MCP Server Detected (securityRank >= 70)
- Unapproved User Activity
- Data Leakage Events
- Ingestion Health Check (no events in 30 min)
## Quick Start

### Requirements
- Splunk Enterprise 9.x+ (free tier works — 500 MB/day)
- Python 3 (ships with Splunk)
- Backslash API token for live ingestion (not currently functional)
### 1. Install
Copy both packages into your Splunk apps directory:
```bash
cp -r TA-backslash $SPLUNK_HOME/etc/apps/
cp -r backslash_app_for_splunk $SPLUNK_HOME/etc/apps/
splunk restart
```
### 2. Load Sample Data

```bash
splunk add oneshot $SPLUNK_HOME/etc/apps/backslash_app_for_splunk/samples/backslash_workstations.sample \
  -sourcetype backslash:workstations -index main
splunk add oneshot $SPLUNK_HOME/etc/apps/backslash_app_for_splunk/samples/backslash_mcp_servers.sample \
  -sourcetype backslash:mcp_servers -index main
splunk add oneshot $SPLUNK_HOME/etc/apps/backslash_app_for_splunk/samples/backslash_events.sample \
  -sourcetype backslash:events -index main
```
Open the Backslash Vibe Coding Security app in Splunk Web and set the time picker to All time.
### 3. Configure Live API Input

```bash
splunk edit input backslash://production \
  -api_url https://api.app.backslash.security/api \
  -api_token YOUR_TOKEN \
  -interval 300 \
  -disabled false
```

## API Endpoints
| Endpoint | Method | Sourcetype |
|---|---|---|
| `/v1/query` (category: AI_AGENTS) | POST | `backslash:workstations` |
| `/v1/query` (category: MCP) | POST | `backslash:mcp_servers` |
| `/v1/query` (category: AI_RULES) | POST | `backslash:ai_rules` |
| `/v1/vibe-coding/events/widgets` | GET | `backslash:events` |
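The two design points the TA description makes (a stdlib-only `urllib.request` client for the endpoints in the table above, and a stable SHA-256 `backslash_event_id` injected into every event so repeated polls can be deduplicated) are illustrated below. This is an added example, not code from TA-backslash itself. The endpoint, method and sourcetype mapping comes from the table; the bearer-token `Authorization` header, the `{"category": ...}` request body, and the choice of hashing the whole record are assumptions, since the page does not specify the real request shape or which fields feed the hash. The two overlapping "polls" are constructed sample data.

```python
"""Added example (not the TA's own code): stdlib-only request building plus a
stable SHA-256 event id used for deduplication across polls.

Assumed (not stated on the page): bearer-token auth header, a JSON body of the
form {"category": "<CATEGORY>"} for /v1/query, and hashing the full record.
"""
import hashlib
import json
import urllib.request

# Endpoint / method / category per sourcetype, taken from the API Endpoints table.
ENDPOINTS = {
    "backslash:workstations": ("POST", "/v1/query", "AI_AGENTS"),
    "backslash:mcp_servers": ("POST", "/v1/query", "MCP"),
    "backslash:ai_rules": ("POST", "/v1/query", "AI_RULES"),
    "backslash:events": ("GET", "/v1/vibe-coding/events/widgets", None),
}


def build_request(api_url, api_token, sourcetype):
    """Build (but do not send) the urllib Request for one sourcetype."""
    method, path, category = ENDPOINTS[sourcetype]
    headers = {
        "Authorization": f"Bearer {api_token}",  # assumed auth scheme
        "Accept": "application/json",
    }
    data = None
    if category is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps({"category": category}).encode()  # assumed body shape
    return urllib.request.Request(
        api_url.rstrip("/") + path, data=data, headers=headers, method=method
    )


def stable_event_id(record):
    """SHA-256 over a canonical JSON rendering of the record.

    sort_keys and fixed separators make the digest independent of key order
    and whitespace, so the same upstream object hashes identically on every
    poll even if the API serializes it differently.
    """
    canonical = json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def normalize(records):
    """Inject backslash_event_id into each record, leaving other fields intact."""
    out = []
    for rec in records:
        event = dict(rec)
        event["backslash_event_id"] = stable_event_id(rec)
        out.append(event)
    return out


def dedupe(events, seen):
    """Return only events whose id has not been seen; update the seen set."""
    fresh = []
    for ev in events:
        eid = ev["backslash_event_id"]
        if eid not in seen:
            seen.add(eid)
            fresh.append(ev)
    return fresh


# Constructed sample: two consecutive polls of the MCP endpoint that overlap.
POLL_1 = [
    {"name": "filesystem", "securityRank": 82, "remote": False},
    {"name": "web-search", "securityRank": 35, "remote": True},
]
POLL_2 = [
    {"remote": True, "securityRank": 35, "name": "web-search"},  # same object, keys reordered
    {"name": "db-admin", "securityRank": 91, "remote": True},
]


def run_demo():
    """Feed both polls through normalize + dedupe; return the new names per poll."""
    seen = set()
    first = dedupe(normalize(POLL_1), seen)
    second = dedupe(normalize(POLL_2), seen)
    return [e["name"] for e in first], [e["name"] for e in second]


if __name__ == "__main__":
    print(run_demo())  # (['filesystem', 'web-search'], ['db-admin'])
```

Because the second poll re-serializes `web-search` with its keys in a different order, a hash over the raw response text would have produced a new id and a duplicate event; hashing the canonical JSON form is what makes the id stable. In a real modular input the `seen` set would live in the input's checkpoint directory rather than in memory.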
## Project Structure

```text
TA-backslash/
├── bin/
│   ├── backslash_input.py              # Modular input
│   └── lib/backslash_api_client.py     # API client (stdlib only)
├── default/
│   ├── app.conf
│   ├── inputs.conf
│   └── props.conf                      # Sourcetype definitions
├── README/
│   └── inputs.conf.spec
└── metadata/
    └── default.meta

backslash_app_for_splunk/
├── default/
│   ├── app.conf
│   ├── macros.conf
│   ├── savedsearches.conf
│   └── data/ui/
│       ├── nav/default.xml
│       └── views/                      # 5 dashboards
├── samples/                            # Demo data (1 JSON per line)
└── metadata/
    └── default.meta
```