Getting started

Quickstart

Run your first grounded investigation. This assumes you've finished Installation & setup: Python and uv, a model provider key, and a reachable Splunk MCP Server.

1. Clone and install

```bash
git clone https://github.com/Pavilion-devs/argus
cd argus
uv sync
```

2. Configure your environment

Copy the example env and fill in your model provider and Splunk MCP details:

```bash
cp .env.example .env
```

Every variable is documented in Configuration.

3. Run an investigation

```bash
uv run argus investigate "Investigate the AWS IAM activity from web_admin"
```

Argus recalls prior cases, writes SPL, runs it through the MCP Server, and pivots until it is confident — streaming each tool call, result, and hypothesis to your terminal. It finishes with a grounded report: verdict, severity, an attack timeline, IOCs, validated MITRE ATT&CK, and a 0–100 risk score.

Watch it stream in a UI

Prefer a dashboard? Start the streaming bridge with uv run argus serve and open the web app — the reasoning, SPL, and evidence stream live. See the CLI reference.

4. Contain and harden (optional)

Add --respond to run the gated response phase — a Splunk KV-store blocklist, a recorded case, and, on a confirmed true positive, a freshly installed detection:

```bash
uv run argus investigate "Investigate the AWS IAM activity from web_admin" --respond
```

Each action pauses for an explicit approval. Nothing is written to Splunk without your confirmation. To run unattended, add --auto.

Response writes are real

--respond performs real writes through Splunk's REST API (blocklist entries, cases, scheduled detections). Use it against a lab instance like BOTS v3 first.

5. Prove the detection fires

After a true positive, Argus deploys a scheduled detection. Run the deployed detections on demand to prove they match:

```bash
uv run argus detections --run --earliest 0
```
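As an added example that is not part of the Argus project, a small shell wrapper for steps 2 to 4 above: it checks that `.env` was actually edited rather than left as a copy of `.env.example`, and it refuses `--respond` together with `--auto` unless `ARGUS_LAB_CONFIRMED=1` is set (a guard variable assumed here, not an Argus setting), so unattended Splunk writes only happen against an instance you have explicitly marked as a lab.

```shell
#!/usr/bin/env bash
# Added quickstart guard (not Argus's own code). ARGUS_LAB_CONFIRMED is an
# assumed variable for this wrapper only; the argus flags are the page's own.
set -eu

# Succeed (return 0) when the argument list combines --respond and --auto,
# i.e. real Splunk writes with no per-action approval prompt.
is_unattended_response() {
  local has_respond=0 has_auto=0 arg
  for arg in "$@"; do
    case "$arg" in
      --respond) has_respond=1 ;;
      --auto) has_auto=1 ;;
    esac
  done
  [ "$has_respond" -eq 1 ] && [ "$has_auto" -eq 1 ]
}

# Succeed only if the env file ($1) exists and differs from the example ($2):
# an unedited copy means placeholder credentials and MCP endpoints.
env_is_configured() {
  [ -f "$1" ] && [ -f "$2" ] && ! cmp -s "$1" "$2"
}

# Print the exact argus command line; refuse unattended response writes
# unless the assumed ARGUS_LAB_CONFIRMED=1 guard is present.
build_investigate_cmd() {
  local question="$1" arg
  shift
  if is_unattended_response "$@" && [ "${ARGUS_LAB_CONFIRMED:-0}" != "1" ]; then
    echo "refusing --respond --auto without ARGUS_LAB_CONFIRMED=1 (lab only)" >&2
    return 1
  fi
  printf 'uv run argus investigate "%s"' "$question"
  for arg in "$@"; do printf ' %s' "$arg"; done
  printf '\n'
}

# Run the quickstart investigation, e.g.:  run_quickstart --respond
run_quickstart() {
  env_is_configured .env .env.example || { echo "edit .env first" >&2; return 1; }
  cmd=$(build_investigate_cmd "Investigate the AWS IAM activity from web_admin" "$@")
  echo "+ $cmd" >&2
  eval "$cmd"
}
```

Source the file and call `run_quickstart` with the flags you want; every action still pauses for approval unless `--auto` is passed, exactly as in the steps above.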

What you just saw

On BOTS v3, Argus autonomously surfaces the Frothly AWS compromise (a leaked key, a hijacked web_admin, attacker IP 139.198.18.205), contains it, and installs the detection that catches the recurrence — every step linked to the SPL that proves it.

Next: How Argus works.