Inspiration
We were heavily inspired by the graph-viewer on a program called Obsidian (which is a markdown note-taking app). We loved the idea of having notes "link" to each other and that "link" being visualized on a graph.
What it does
We took the inspiration from the Obsidian "links" and built it into a security-focused incident constructor in Unravel. The typical flow is that events stream out of Splunk; the engine grows a typed provenance graph in memory, scores each new edge against a learned baseline, and the moment a connected cluster crosses a threshold it walks backward to recover the single most suspicious causal path.
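The pipeline described above (stream events in, grow a typed provenance graph, score each edge against a learned baseline, fire when a connected cluster crosses a threshold, then walk backward for the most suspicious causal path) can be shown end to end in a few dozen lines of Go. The block below is an added illustration written for this page; it is not Unravel's code, and everything about it is an assumption: the `Event` field names, the baseline being a count of (actor, action, target-type) signatures, the `-log2` anomaly score, the union-find used to keep a running score sum per cluster, the greedy "highest-scoring unvisited parent" backward walk, the threshold of 18, and the constructed baseline and live events (the 203.0.113.5 address is from the TEST-NET-3 documentation range).

```go
package main

import (
	"fmt"
	"math"
)

// Event is one normalized record as a SIEM might export it (field names are this example's own).
type Event struct{ Src, SrcKind, Action, Dst, DstKind string }
// Edge is a directed causal edge; Score grows the rarer the behaviour was in the baseline.
type Edge struct{ Src, Dst, Action string; Score float64 }
// Graph is the in-memory typed provenance graph plus the learned baseline; clusters are a union-find over node IDs with a running score sum per root.
type Graph struct {
	Threshold float64
	kinds     map[string]string  // node ID -> node type (process, host, file)
	in        map[string][]*Edge // incoming edges per node, for the backward walk
	parent    map[string]string  // union-find parent pointers (roots have no entry)
	csum      map[string]float64 // summed edge score per cluster root
	counts    map[string]int     // baseline signature -> occurrences
	total     int
}
// signature is the baseline key: which actor performs which action on which kind of target.
func signature(e Event) string { return e.SrcKind + ":" + e.Src + " " + e.Action + " " + e.DstKind }
// NewGraph learns the baseline from a window of events assumed to be benign.
func NewGraph(threshold float64, baseline []Event) *Graph {
	g := &Graph{Threshold: threshold, kinds: map[string]string{}, in: map[string][]*Edge{},
		parent: map[string]string{}, csum: map[string]float64{}, counts: map[string]int{}, total: len(baseline)}
	for _, e := range baseline {
		g.counts[signature(e)]++
	}
	return g
}
// score is -log2 of the Laplace-smoothed baseline probability, so never-seen behaviour scores highest.
func (g *Graph) score(e Event) float64 {
	return -math.Log2(float64(g.counts[signature(e)]+1) / float64(g.total+len(g.counts)+1))
}
func (g *Graph) find(id string) string {
	for p, ok := g.parent[id]; ok && p != id; p, ok = g.parent[id] {
		id = p
	}
	return id
}
// Ingest adds one event as a scored edge and merges its endpoints' clusters; once the merged cluster's score sum reaches the threshold it returns the recovered causal path, else nil.
func (g *Graph) Ingest(ev Event) []*Edge {
	g.kinds[ev.Src], g.kinds[ev.Dst] = ev.SrcKind, ev.DstKind
	e := &Edge{Src: ev.Src, Dst: ev.Dst, Action: ev.Action, Score: g.score(ev)}
	g.in[e.Dst] = append(g.in[e.Dst], e)
	ra, rb := g.find(e.Src), g.find(e.Dst)
	if ra != rb {
		g.parent[rb] = ra
		g.csum[ra] += g.csum[rb]
	}
	g.csum[ra] += e.Score
	if g.csum[ra] < g.Threshold {
		return nil
	}
	return g.trace(e)
}
// trace walks backward from the triggering edge, taking the highest-scoring unvisited incoming edge at each step until a node with no ancestor is reached; the path is returned oldest first.
func (g *Graph) trace(last *Edge) []*Edge {
	path, visited := []*Edge{last}, map[string]bool{last.Dst: true, last.Src: true}
	for cur := last.Src; ; {
		var best *Edge
		for _, e := range g.in[cur] {
			if !visited[e.Src] && (best == nil || e.Score > best.Score) {
				best = e
			}
		}
		if best == nil {
			return path
		}
		path, visited[best.Src], cur = append([]*Edge{best}, path...), true, best.Src
	}
}
// Constructed sample data: a benign baseline window, then a short live stream.
func baselineEvents() (evs []Event) {
	for i := 0; i < 20; i++ {
		evs = append(evs, Event{"explorer.exe", "process", "spawn", fmt.Sprintf("app%d.exe", i), "process"},
			Event{"svchost.exe", "process", "connect", fmt.Sprintf("10.0.0.%d", i), "host"},
			Event{"winword.exe", "process", "write", fmt.Sprintf("doc%d.docx", i), "file"})
	}
	return evs
}
var liveEvents = []Event{
	{"explorer.exe", "process", "spawn", "notepad.exe", "process"},    // matches baseline: low score
	{"outlook.exe", "process", "spawn", "winword.exe", "process"},     // never seen in baseline
	{"winword.exe", "process", "spawn", "powershell.exe", "process"},  // never seen
	{"explorer.exe", "process", "spawn", "powershell.exe", "process"}, // low score, but joins the two clusters
	{"powershell.exe", "process", "connect", "203.0.113.5", "host"},   // never seen: cluster crosses threshold
}
func main() {
	g := NewGraph(18, baselineEvents())
	for i, ev := range liveEvents {
		for _, e := range g.Ingest(ev) { // nil until the cluster crosses the threshold
			fmt.Printf("event %d fired: %s --%s (%.2f)--> %s\n", i, e.Src, e.Action, e.Score, e.Dst)
		}
	}
}
```

Two things the run shows that the paragraph alone does not: the low-scoring `explorer.exe -> powershell.exe` edge never fires on its own, but it still merges two clusters and its score still counts toward the cluster sum, which is why the final connect event tips the cluster over; and the backward walk then ignores that benign parent in favour of the `winword.exe` edge, so the path it recovers is `outlook.exe -> winword.exe -> powershell.exe -> 203.0.113.5`. In a real deployment the cluster would keep re-firing on every later event, so a production engine needs to mark or reset a cluster after it has been reported.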
How we built it
We built Unravel using Go, BadgerDB, and React as the frontend framework. We compiled it as a binary for our demo. We used AI Agents to reach out and gather what we call "threat intel" from CISA KEV and CVE DBs to compare against the events reconstructed in the timeline.
Challenges we ran into
We ran into the most difficult challenge of all -> time. We ran out of time to make our demo the best version it could be. Our idea was to place Unravel and a Splunk Instance in the middle of a virtual network (interconnected virtual machines). This way, we could generate real baseline traffic as well as real-time incident construction by attacking Windows clients and a domain controller with a Kali box. From there, Unravel would use Splunk MCP to find out-of-baseline events, determine whether it is a security incident, then reconstruct the incident timeline.
Accomplishments that we're proud of
Despite not being able to demo the virtual network, we are extremely proud to have been able to build Unravel in the first place. We pushed through all the technical challenges of learning Go optimization, learning how to best extract data from Splunk via its MCP, and much more.
What we learned
We learned so much, from optimizing graphs, nodes, and edges in Go, to integrating Splunk MCP into our threat intel and event indexing, and even compiling the project as a single binary.
What's next for Unravel
We plan to continue to develop Unravel past the hackathon, especially demoing it within a virtual network environment. There are a lot more features we planned to implement, including more agentic cross-checking of information, such as possibly including an additional agent to check OWASP's Top 10 against events in the connected Splunk instance.