Automated Threat Detection

A lightweight Python project that detects suspicious domains, monitors file access activity, and sends structured alerts to Splunk via HEC. The goal is to keep everything simple, readable, and easy for anyone to run.

---

Features

Suspicious Domain Detector

• Parses DNS logs (.jsonl)
• Optional VirusTotal enrichment
• Normalized JSON alert output
• Safe --dry-run mode (no external calls)

File Access Monitor

• Real-time directory monitoring using watchdog
• Replay mode using sample data
• Outputs clean, Splunk-friendly events

Splunk Integration

• Sends alerts to Splunk HEC
• Uses secure environment variables (no secrets in repo)
• Includes a safe sample config

---

Project Structure

.
├── suspicious_domain_detector.py
├── file_access_monitor.py
├── splunk_sender.py
│
├── config/
│   └── sample_config.json
│
├── data/
│   └── sample_dns.jsonl
│
├── logs/               # ignored
├── requirements.txt
└── README.md

---

Setup

# optional virtual environment
python -m venv .venv

# activate
# Windows:
.venv\Scripts\activate
# macOS/Linux:
source .venv/bin/activate

# install dependencies
pip install -r requirements.txt

---

Environment Variables

Set these before sending anything to Splunk:

export SPLUNK_HEC_URL="https://your-splunk-hec-endpoint"
export SPLUNK_HEC_TOKEN="your-token"

Windows PowerShell:

setx SPLUNK_HEC_URL "https://your-splunk-hec-endpoint"
setx SPLUNK_HEC_TOKEN "your-token"

---

How to Run

Suspicious Domain Detector

python suspicious_domain_detector.py --input data/sample_dns.jsonl --dry-run

File Access Monitor (live)

python file_access_monitor.py --path .

Replay Mode

python file_access_monitor.py --replay data/sample_events.jsonl

Send a test Splunk event

python splunk_sender.py --test

---

Requirements

pandas
requests
watchdog
python-dotenv

---

About This Project

Built to demonstrate:

• clear Python code
• simple detection logic
• Splunk HEC integration
• a clean project structure

Focused, minimal, and easy to review.