Backstop Run

The agent works live: enumerate, parse each detection's data lifeline, then one freshness sweep resolves every lifeline. Real tool tags, real measured latency.
1. Enumerate saved searches (splunk.list_saved_searches)
   GET /services/saved/searches — raw SPL, cron, window, actions for every alert.

2. Parse dependencies (vertex.gemini)
   Gemini reads each SPL and emits {index, sourcetype, source, window}. Regex is the floor; Gemini is the accelerator — it never decides health.

3. Freshness sweep (splunk.search)
   | tstats latest(_time) by index, sourcetype + | metadata type=sourcetypes — one pass, the real last-reporting time of every source.

4. Compute the blind set (arithmetic)
   now − last(dependency) > detection.window ⇒ BLIND. Proof-by-silence — never a model verdict.

5. Grade exposure (foundation-sec)
   Each blind detection is scored for technique class + severity (heuristic fallback if the Hosted Model is not installed).
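Steps 2 through 4 as an added, stand-alone example (not the agent's own code): the regex floor for the dependency parse, a lookup against a tstats-style freshness map, and the proof-by-silence comparison. The saved-search names, SPL and timestamps are constructed sample data; the parse only handles index= and sourcetype= terms and treats a source that never reported as blind.

```python
import re
from datetime import datetime, timedelta, timezone

# Regex floor for step 2: pull index= / sourcetype= terms out of raw SPL.
DEP_RE = re.compile(r'\b(index|sourcetype)\s*=\s*"?([^\s"|]+)"?', re.IGNORECASE)

def parse_dependencies(spl):
    """Return the (index, sourcetype) pairs an SPL string reads; sourcetype is None if unscoped."""
    terms = {"index": set(), "sourcetype": set()}
    for key, value in DEP_RE.findall(spl):
        terms[key.lower()].add(value)
    sourcetypes = sorted(terms["sourcetype"]) or [None]
    return [(idx, st) for idx in sorted(terms["index"]) for st in sourcetypes]

def last_seen(dep, freshness):
    """Latest _time for a dependency from the tstats sweep; None if the source never reported."""
    idx, st = dep
    times = [t for (i, s), t in freshness.items() if i == idx and (st is None or s == st)]
    return max(times) if times else None

def blind_set(saved_searches, freshness, now):
    """Step 4: a detection is BLIND when any dependency's last event is older than its window."""
    blind = {}
    for name, search in saved_searches.items():
        window = timedelta(seconds=search["window"])
        for dep in parse_dependencies(search["spl"]):
            last = last_seen(dep, freshness)
            if last is None or now - last > window:
                blind.setdefault(name, []).append((dep, last))
    return blind

# Constructed sample: three saved searches (hypothetical names and SPL) and a sweep result.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAVED_SEARCHES = {
    "Encoded PowerShell": {"spl": 'index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688',
                           "window": 3600},
    "Proxy beacon volume": {"spl": "index=proxy sourcetype=squid:access | stats count by dest", "window": 86400},
    "Console login": {"spl": "index=aws sourcetype=aws:cloudtrail eventName=ConsoleLogin", "window": 900},
}
# What `| tstats latest(_time) by index, sourcetype` would return, keyed by (index, sourcetype).
FRESHNESS = {
    ("wineventlog", "WinEventLog:Security"): NOW - timedelta(minutes=5),  # healthy
    ("proxy", "squid:access"): NOW - timedelta(days=3),                   # silent for 3 days
    # ("aws", "aws:cloudtrail") is absent: that source has never reported
}

if __name__ == "__main__":
    for name, gaps in blind_set(SAVED_SEARCHES, FRESHNESS, NOW).items():
        for (idx, st), last in gaps:
            print(f"BLIND {name}: {idx}/{st} last seen {last or 'never'}")
```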