A comprehensive DNS anomaly detection system using Splunk and machine learning to identify malicious DNS activity in enterprise networks.
🏆 Splunk Build-a-thon 2025 – 1st Prize Winner, Track 4: AI/ML
Out of all global submissions, this project earned First Place in Track 4: AI/ML at the Splunk Build-a-thon 2025. The challenge: develop advanced ML-based threat detections in Splunk using MLTK, seamlessly ingest data, and build real-time pipelines to identify and stop threat actors.
The result: an award-winning solution recognized for its innovation, technical depth, and real-world impact.
DNS Guard AI is a Splunk App designed to detect various types of DNS anomalies that could indicate malicious activity such as command and control (C2) communication, data exfiltration, or reconnaissance. The system uses Splunk's powerful search capabilities combined with machine learning techniques to identify patterns that deviate from normal DNS behavior.
The architecture diagram shows how DNS Guard AI processes DNS events mapped to the Network_Resolution data model in Splunk. Model training searches extract features from historical DNS traffic and train machine learning models with the MLTK (1a). In parallel, anomaly detection searches continuously scan incoming DNS data for suspicious behaviour such as exfiltration, tunneling, or domain shadowing (1b). Detected anomalies are written to a KV Store collection and checked against a whitelist so that known-good domains are suppressed as false positives. The remaining anomalies are sent to two destinations: the app's dashboards for visual monitoring, and Splunk Enterprise Security (ES) for risk scoring and alert generation (2). This design keeps DNS threat detection scalable and real-time while staying tightly integrated with Splunk's security ecosystem.
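The three stages above (feature extraction and baselining, anomaly scoring on live queries, whitelist suppression) are implemented in the app as SPL searches and MLTK models. The following is an added, stand-alone Python example, not the app's own code, that walks the same pipeline over constructed DNS query names so the logic can be run and inspected offline. It assumes a naive registered-domain rule (last two labels; a production system would use a public-suffix list), a z-score baseline instead of an MLTK model, and hard-coded thresholds.

```python
"""Added example: DNS Guard AI pipeline stages in plain Python.

Stage 1a: build a baseline from historical (benign) query names.
Stage 1b: score live query names and flag tunneling/exfiltration shapes.
Stage 2:  suppress anomalies whose registered domain is whitelisted.

This is not the app's code (the app uses SPL + MLTK); all inputs below
are constructed for the example.
"""
import math
import statistics
from collections import defaultdict

# Constructed "historical" DNS queries used as the training baseline (1a).
BASELINE_QUERIES = [
    "www.example.com", "mail.example.com", "cdn1.example.com",
    "login.microsoftonline.com", "update.windows.com", "api.github.com",
    "www.google.com", "fonts.gstatic.com", "outlook.office365.com",
    "static.cloudflareinsights.com",
]

# Constructed live traffic (1b): normal lookups plus tunnel-like queries.
LIVE_QUERIES = [
    "www.example.com",
    "api.github.com",
    # Long, high-entropy, hex-looking labels under one base domain: a
    # classic DNS tunneling / exfiltration shape.
    "3f9a1c7e2b8d4f60a1b2c3d4e5f60718.tunnel.example.net",
    "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel.example.net",
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9.tunnel.example.net",
    "deadbeefcafef00d1234567890abcdef.tunnel.example.net",
    # Same shape, but under a domain on the whitelist (e.g. hash lookups
    # against a security vendor) -> must be suppressed, not alerted on.
    "44d88612fea8a8f36de82e1278abb02f.lookup.scanner.example",
]

# Hypothetical whitelist: registered domains allowed to look tunnel-like.
WHITELIST = {"scanner.example"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registered domain = last two labels (assumption: no PSL)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def features(qname: str) -> dict:
    """Per-query features comparable to what a training search would emit."""
    qname = qname.rstrip(".").lower()
    labels = qname.split(".")
    sub = ".".join(labels[:-2])  # everything left of the registered domain
    return {
        "qname": qname,
        "domain": registered_domain(qname),
        "length": len(qname),
        "labels": len(labels),
        "sub_entropy": shannon_entropy(sub.replace(".", "")),
        "digit_ratio": sum(ch.isdigit() for ch in sub) / max(len(sub), 1),
    }


def train_baseline(queries) -> dict:
    """Stage 1a: mean/stdev per feature (stand-in for an MLTK model)."""
    feats = [features(q) for q in queries]
    base = {}
    for key in ("length", "sub_entropy", "digit_ratio"):
        vals = [f[key] for f in feats]
        # Floor the stdev so a constant feature cannot produce infinite z.
        base[key] = (statistics.fmean(vals), max(statistics.pstdev(vals), 1e-6))
    return base


def zscore(value: float, mean: float, stdev: float) -> float:
    return (value - mean) / stdev


def detect(queries, baseline, z_threshold=3.0, unique_sub_threshold=3):
    """Stage 1b: flag queries that are outliers or that belong to a domain
    receiving many distinct subdomains (tunneling / exfil signal)."""
    feats = [features(q) for q in queries]
    uniq = defaultdict(set)
    for f in feats:
        uniq[f["domain"]].add(f["qname"])
    anomalies = []
    for f in feats:
        score = max(zscore(f[k], *baseline[k]) for k in baseline)
        reasons = []
        if score > z_threshold:
            reasons.append("feature_zscore")
        if len(uniq[f["domain"]]) >= unique_sub_threshold:
            reasons.append("many_unique_subdomains")
        if reasons:
            anomalies.append({"qname": f["qname"], "domain": f["domain"],
                              "score": round(score, 2), "reasons": reasons})
    return anomalies


def suppress_whitelisted(anomalies, whitelist):
    """Stage 2: drop anomalies whose registered domain is whitelisted."""
    return [a for a in anomalies if a["domain"] not in whitelist]


def run_example():
    """Full pipeline over the constructed data; returns what would be
    forwarded to dashboards / Enterprise Security."""
    baseline = train_baseline(BASELINE_QUERIES)
    raw = detect(LIVE_QUERIES, baseline)
    return suppress_whitelisted(raw, WHITELIST)


if __name__ == "__main__":
    for a in run_example():
        print(a)
```

With the constructed data, the four hex-labelled queries under example.net are flagged twice over (length/digit-ratio z-score and four distinct subdomains), while the equally odd-looking query under scanner.example is flagged by the scorer but removed by the whitelist, which is exactly the ordering the architecture imposes: score first, suppress second, then forward.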