dns-abuse-dashboard · Python · Splunk · SPL · OSINT

DNS Abuse Trend Intelligence Dashboard

Synthetic DNS log pipeline → behavioral detections → live IOC enrichment → Splunk dashboard

Python 3 · Splunk Enterprise · NIST CSF · MITRE ATT&CK · abuse.ch · AlienVault OTX

50K DNS Events
31,986 IOCs Enriched
3 Threat Classes
5 Dashboard Panels

Overview

End-to-end DNS threat detection pipeline built to demonstrate detection engineering and SIEM development in a Security Operations context. It generates high-volume synthetic DNS telemetry, runs behavioral detections across three threat categories (DGA, fast flux, phishing), enriches matches against live open-source threat intelligence, and surfaces everything in a five-panel Splunk dashboard.

Pipeline

01  generate_dns_logs.py → 50,000 DNS events, today's timestamps
02  Splunk ingest → index: dns_logs · sourcetype: dns_custom
03  detection_queries.spl → fast-flux · DGA scoring · phishing candidates
04  ioc_enrichment.py → URLhaus + ThreatFox + OTX → 31,986 indicators
05  dashboard.xml → 5-panel Splunk Classic dashboard

Dashboard

[Screenshot: DGA Detections Over Time]
[Screenshot: Fast Flux Domains]
[Screenshot: Phishing Candidates]

Detection Logic
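The pipeline names three behavioral detections that detection_queries.spl runs in Splunk: fast-flux, DGA scoring and phishing candidates. As an added illustration, and not the project's own SPL or Python, the block below applies equivalent checks in Python to constructed DNS records; the field names (client, query, answer), the scoring weights and threshold, and the phishing token list are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample records (not project output); field names are assumed, IPs are RFC 5737 ranges.
SAMPLE_EVENTS = [
    {"client": "10.0.0.5", "query": "mail.example.com", "answer": "192.0.2.10"},
    {"client": "10.0.0.5", "query": "xk3q9v7zp2rl.net", "answer": "198.51.100.10"},
    {"client": "10.0.0.7", "query": "examplebank-login-verify.com", "answer": "198.51.100.20"},
] + [  # one name answered by six different IPs inside the window: the fast-flux shape
    {"client": "10.0.0.9", "query": "cdn.fluxy-example.net", "answer": "203.0.113.%d" % i}
    for i in range(1, 7)
]
PHISH_TOKENS = ("login", "verify", "secure", "account", "update")  # assumed credential-theme tokens

def sld(domain):
    """Second-level label (naive split; production code would consult a public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def dga_score(domain):
    """Heuristic 0..1 score: high entropy, digits, few vowels and long labels look machine-generated."""
    label = sld(domain)
    entropy_part = min(shannon_entropy(label) / 4.0, 1.0)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    vowel_part = max(0.0, 1.0 - vowel_ratio / 0.35)  # roughly 35% vowels is typical English text
    length_part = min(len(label) / 16.0, 1.0)
    return 0.35 * entropy_part + 0.25 * digit_ratio + 0.25 * vowel_part + 0.15 * length_part

def dga_detections(events, threshold=0.6):
    return sorted({e["query"] for e in events if dga_score(e["query"]) >= threshold})

def fast_flux_domains(events, min_distinct_ips=5):
    answers = defaultdict(set)  # query name -> distinct resolved addresses seen
    for e in events:
        answers[e["query"]].add(e["answer"])
    return sorted(q for q, ips in answers.items() if len(ips) >= min_distinct_ips)

def phishing_candidates(events):
    """Names whose registrable label stacks two or more credential-themed tokens."""
    return sorted({e["query"] for e in events
                   if sum(t in sld(e["query"]) for t in PHISH_TOKENS) >= 2})

if __name__ == "__main__":
    print(dga_detections(SAMPLE_EVENTS), fast_flux_domains(SAMPLE_EVENTS), phishing_candidates(SAMPLE_EVENTS))
```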

Threat Intel Feeds

| Feed | Provider | IOCs | Type |
|---|---|---|---|
| URLhaus | abuse.ch | 30,338 | Malware distribution URLs |
| ThreatFox | abuse.ch | 948 | C2 indicators, malware IOCs |
| AlienVault OTX | AT&T Cybersecurity | 700 | Community threat pulses |

NIST CSF Mapping

| Panel | Function | Category |
|---|---|---|
| DGA Detections Over Time | Detect | DE.AE — Anomalies & Events |
| Fast Flux Domains | Detect | DE.CM — Continuous Monitoring |
| Phishing Candidates | Detect | DE.CM — Continuous Monitoring |
| IOC Matches | Identify | ID.RA — Risk Assessment |
| Top Suspicious Clients | Respond | RS.AN — Analysis |

Author

Harsha Vardhan U S
MEng Cybersecurity · University of Maryland, College Park
Targeting: Security Operations · Detection Engineering