Intermediate Pro

Splunk + n8n + Suricata: Automated Malicious URL Enrichment

Automated Malicious URL Detection and Response with Suricata, Splunk, and n8n.

Self-Paced by Aman Gupta

Overview

This project outlines an automated security workflow that detects and responds to potentially malicious domain lookups on a network. The process begins with Suricata, an open-source IDS, which monitors network traffic and logs all DNS queries. These logs are forwarded to Splunk for centralized analysis.

Within Splunk, a scheduled alert is configured with a specific Search Processing Language (SPL) query to parse these DNS logs, extract the queried domain names, and filter out noise (like queries to your own domain). When a new domain query is detected, the Splunk alert triggers a webhook, sending the domain information to an n8n workflow.

The n8n workflow receives the domain, queries the VirusTotal API to analyze its reputation, and determines if it is "Safe" or "Suspicious." Based on this status, it orchestrates a multi-faceted response: an HTML-formatted email report is sent via Gmail, a real-time alert is posted to Slack, and for any suspicious domains, an incident ticket is automatically created in ServiceNow.
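The verdict step of that n8n workflow, written out as an added Python example (not the course's own code): it takes the domain delivered by the Splunk webhook, reads the VirusTotal v3 domain report, decides Safe or Suspicious and picks the responses to fire. The internal-domain suffix, the flagging threshold and the sample report are assumptions constructed for the example; only `fetch_domain_report` touches the network.

```python
"""Added example, not course code: VirusTotal verdict and response routing.

The live lookup is isolated in fetch_domain_report so the noise filter,
the classification and the response plan run offline against a
constructed report in the VirusTotal v3 domain-object shape."""
import json
import urllib.request

VT_DOMAIN_URL = "https://www.virustotal.com/api/v3/domains/{}"
INTERNAL_SUFFIXES = (".corp.example",)  # assumption: your own domain(s), dropped as noise
MALICIOUS_THRESHOLD = 1                 # assumption: one flagging engine is enough


def is_noise(domain: str) -> bool:
    """Same idea as the SPL noise filter: skip lookups of your own domain."""
    d = domain.rstrip(".").lower()
    return any(d == s.lstrip(".") or d.endswith(s) for s in INTERNAL_SUFFIXES)


def fetch_domain_report(domain: str, api_key: str) -> dict:
    """Live VirusTotal v3 domain lookup (needs network access and an API key)."""
    req = urllib.request.Request(VT_DOMAIN_URL.format(domain), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def classify(report: dict) -> dict:
    """Reduce a VT domain report to the Safe/Suspicious status plus evidence for the report."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    status = "Suspicious" if flagged >= MALICIOUS_THRESHOLD else "Safe"
    return {
        "domain": report["data"]["id"],
        "status": status,
        "flagged_engines": flagged,
        "categories": sorted(set(attrs.get("categories", {}).values())),
    }


def plan_response(verdict: dict) -> list:
    """Email and Slack always go out; a ServiceNow incident only for Suspicious domains."""
    actions = ["gmail_report", "slack_alert"]
    if verdict["status"] == "Suspicious":
        actions.append("servicenow_incident")
    return actions


# Constructed sample report (not real data), in the VT v3 domain-object layout.
SAMPLE_REPORT = {"data": {"id": "bad-example.test", "type": "domain", "attributes": {
    "last_analysis_stats": {"harmless": 60, "malicious": 7, "suspicious": 2, "undetected": 20},
    "categories": {"VendorA": "malware", "VendorB": "phishing"}}}}

if __name__ == "__main__":
    verdict = classify(SAMPLE_REPORT)
    print(verdict, plan_response(verdict))
```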

What You'll Learn

  • IDS Log Analysis

    How to query Intrusion Detection System (IDS) logs in Splunk to identify specific network events like DNS queries.

  • Splunk to Webhook Integration

    Configure Splunk alerts to send real-time data to an external automation platform using webhooks.

  • Domain Reputation Analysis

    Use the VirusTotal API to enrich security event data by checking domain reputation and categories.

  • End-to-End SOAR Workflow

    Build a complete Security Orchestration, Automation, and Response (SOAR) workflow from detection to notification and ticketing.

Prerequisites

  • Suricata: An operational Suricata instance configured to log DNS events.

  • Splunk: A Splunk instance ingesting Suricata logs, with alert configuration capabilities.

  • n8n: A running n8n instance accessible from the Splunk instance.

  • VirusTotal API Key: For programmatic domain reputation analysis.

  • ServiceNow Credentials: For creating incident tickets.

  • Gmail and Slack Credentials: For sending automated notifications.

About Trainer

Aman Gupta

Aman Gupta is an emerging voice in automation-driven cybersecurity, combining strong engineering skills with a passion for knowledge sharing. He has worked on advanced projects spanning security monitoring, intelligent alerting, process automation, and AI-powered decision systems. With experience bridging software engineering and modern DevSecOps practices, Aman focuses on simplifying complex technologies into practical, real-world applications.

Related Projects

Apache Server Log Analysis using Splunk (Pro, Intermediate)

Detecting Brute Force, SQL Injection, XSS, and Suspicious Web Activity from Apache Access Logs with Splunk SIEM

Wazuh + n8n + Anyrun: Automated Malware Analysis (Pro, Intermediate)

Automate malware analysis by sending Wazuh-detected suspicious files into ANY.RUN, retrieving detailed reports and IOCs, and integrating results back into your SOC workflow.

Apache Web Server Log Monitoring using Wazuh (Pro, Beginner)

Real-time detection of HTTP errors, brute-force and suspicious requests from Apache logs