Backslash Vibe Coding Security for Splunk

Splunk integration for Backslash Security vibe coding findings. Ingests workstation inventory, MCP server risk analysis, AI rules, and security events (data leakage, prompt injection) and presents them through SOC-focused dashboards.

Packages

TA-backslash (Technology Add-on)

Backend component that handles API ingestion and field extraction. Not visible in the Splunk UI.

• Modular input (backslash://) polls the Backslash API on a configurable interval
• 4 sourcetypes: backslash:workstations, backslash:mcp_servers, backslash:ai_rules, backslash:events
• Zero external dependencies — uses only Python stdlib (urllib.request)
• Stable backslash_event_id (SHA-256 hash) injected into every event for deduplication

backslash_app_for_splunk (Splunk App)

Dashboards, saved searches, alerts, and sample data.

Dashboards:

Dashboard	Description
Executive Summary	KPI panels, event timeline, IDE distribution, top MCP risks
SOC Triage Queue	Filterable by severity/attack vector/time, unapproved users
MCP Server Risk	Risk distribution, attack vectors, remote vs local, tool inventory
Workstation Coverage	Host/user counts, approval status, AI models, security rules
Health Monitoring	Last poll age, ingestion volume, API errors

Alerts:

• High Risk MCP Server Detected (securityRank >= 70)
• Unapproved User Activity
• Data Leakage Events
• Ingestion Health Check (no events in 30 min)

Quick Start

Requirements

• Splunk Enterprise 9.x+ (free tier works — 500 MB/day)
• Python 3 (ships with Splunk)
• Backslash API token for live ingestion (not currently functional)

1. Install

Copy both packages into your Splunk apps directory:

cp -r TA-backslash $SPLUNK_HOME/etc/apps/
cp -r backslash_app_for_splunk $SPLUNK_HOME/etc/apps/
splunk restart

2. Load Sample Data

splunk add oneshot $SPLUNK_HOME/etc/apps/backslash_app_for_splunk/samples/backslash_workstations.sample \
  -sourcetype backslash:workstations -index main

splunk add oneshot $SPLUNK_HOME/etc/apps/backslash_app_for_splunk/samples/backslash_mcp_servers.sample \
  -sourcetype backslash:mcp_servers -index main

splunk add oneshot $SPLUNK_HOME/etc/apps/backslash_app_for_splunk/samples/backslash_events.sample \
  -sourcetype backslash:events -index main

Open the Backslash Vibe Coding Security app in Splunk Web and set the time picker to All time.

3. Configure Live API Input

splunk edit input backslash://production \
  -api_url https://api.app.backslash.security/api \
  -api_token YOUR_TOKEN \
  -interval 300 \
  -disabled false

API Endpoints

Endpoint	Method	Sourcetype
/v1/query (category: AI_AGENTS)	POST	backslash:workstations
/v1/query (category: MCP)	POST	backslash:mcp_servers
/v1/query (category: AI_RULES)	POST	backslash:ai_rules
/v1/vibe-coding/events/widgets	GET	backslash:events

Project Structure

TA-backslash/
├── bin/
│   ├── backslash_input.py            # Modular input
│   └── lib/backslash_api_client.py   # API client (stdlib only)
├── default/
│   ├── app.conf
│   ├── inputs.conf
│   └── props.conf                    # Sourcetype definitions
├── README/
│   └── inputs.conf.spec
└── metadata/
    └── default.meta

backslash_app_for_splunk/
├── default/
│   ├── app.conf
│   ├── macros.conf
│   ├── savedsearches.conf
│   └── data/ui/
│       ├── nav/default.xml
│       └── views/                    # 5 dashboards
├── samples/                          # Demo data (1 JSON per line)
└── metadata/
    └── default.meta