Splunk-Guard is a hybrid, ML-driven threat detection system for monitoring USB activity and VPN login anomalies. Built using Splunk's free version, the Machine Learning Toolkit (MLTK), and an interactive Streamlit Web Dashboard, it provides affordable threat detection for smaller teams, prototypes, and educational use.
🌐 Try the Live App: Splunk-Guard Web Dashboard
- Detects abnormal USB write patterns to flag potential data exfiltration
- Identifies suspicious VPN logins from unusual or distant locations
- Streamlit Web App for interactive anomaly detection, even without Splunk
- Splunk dashboards and alerts included for real-time enterprise monitoring
- Leverages free Splunk tools — No paid plugins required
- USB Anomaly Detection: Detects unusual spikes in per-device write volumes
- VPN Login Anomalies: Flags geo-distance outliers for potential credential misuse
- Modes:
- Live Mode — Connects to your Splunk backend via REST API
- CSV Upload — Analyze your own USB or VPN logs
- Demo Mode — Uses built-in synthetic data for offline testing
- Interactive charts, anomaly reports, and CSV exports
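What the USB write-volume outlier check can look like in plain Python, as an added example that is not the project's `app.py` or its MLTK models: writes are rolled up per user, device and hour, each hour is scored with a median/MAD modified z-score for that device, and hours scoring above 3.5 are flagged. The log columns and values below are a constructed sample, not the project's `sample_data/`.

```python
import csv
import io
import statistics
from collections import defaultdict
from typing import Dict, List

# Constructed sample USB log (not the project's sample_data/): one row per write burst.
# alice's device writes ~130 KB/hour all morning, then 9.8 GB in the 14:00 hour.
SAMPLE_USB_LOG = """timestamp,user,device_id,bytes_written
2024-03-01T09:00:00,alice,USB-A1,120000
2024-03-01T10:00:00,alice,USB-A1,150000
2024-03-01T11:00:00,alice,USB-A1,130000
2024-03-01T12:00:00,alice,USB-A1,140000
2024-03-01T13:00:00,alice,USB-A1,125000
2024-03-01T14:00:00,alice,USB-A1,4800000000
2024-03-01T14:20:00,alice,USB-A1,5000000000
2024-03-01T09:00:00,bob,USB-B7,500000
2024-03-01T10:00:00,bob,USB-B7,520000
2024-03-01T11:00:00,bob,USB-B7,480000
2024-03-01T12:00:00,bob,USB-B7,510000
"""


def hourly_write_volume(csv_text: str) -> Dict[str, Dict[str, int]]:
    """Sum bytes_written per user/device per hour bucket, the same roll-up an SPL
    `bin _time span=1h | stats sum(bytes_written) by user, device_id` would give."""
    buckets: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = f"{row['user']}/{row['device_id']}"
        hour = row["timestamp"][:13]          # 'YYYY-MM-DDTHH'
        buckets[key][hour] += int(row["bytes_written"])
    return buckets


def robust_z(values: List[int]) -> List[float]:
    """Modified z-score (Iglewicz & Hoaglin): median and MAD instead of mean and
    stdev, so one enormous spike cannot inflate the baseline it is judged against."""
    med = statistics.median(values)
    abs_dev = [abs(v - med) for v in values]
    mad = statistics.median(abs_dev)
    # MAD/0.6745 is the consistent scale; fall back to mean absolute deviation/0.7979
    # when more than half the history is identical and MAD collapses to zero.
    scale = mad / 0.6745 if mad else statistics.mean(abs_dev) / 0.7979
    if scale == 0:                            # completely flat history: nothing is abnormal
        return [0.0] * len(values)
    return [(v - med) / scale for v in values]


def flag_write_spikes(csv_text: str, threshold: float = 3.5,
                      min_buckets: int = 4) -> List[dict]:
    """Return the hour buckets whose write volume is an outlier for that device."""
    anomalies = []
    for key, hours in hourly_write_volume(csv_text).items():
        if len(hours) < min_buckets:          # too little history to call anything abnormal
            continue
        ordered = sorted(hours.items())
        scores = robust_z([total for _, total in ordered])
        for (hour, total), z in zip(ordered, scores):
            if z > threshold:                 # one-sided: only write spikes matter for exfil
                user, device = key.split("/", 1)
                anomalies.append({"user": user, "device_id": device, "hour": hour,
                                  "bytes_written": total, "score": round(z, 1)})
    return anomalies


if __name__ == "__main__":
    for anomaly in flag_write_spikes(SAMPLE_USB_LOG):
        print(anomaly)
```

The `min_buckets` guard matters in practice: a device seen for one or two hours has no baseline, and scoring it would flag every first-time USB stick as an exfiltration event.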
```
├── .devcontainer/        # VSCode Devcontainer settings
├── .streamlit/           # Streamlit config files (secrets.toml)
├── Splunk_Guard/         # Core Splunk content (dashboards, models)
│   ├── dashboards/       # Splunk Studio dashboard JSON exports
│   ├── mltk_configs/     # Model guides for Splunk MLTK
│   ├── spl_queries/      # SPL scripts for field extraction & models
│   ├── screenshots/      # Backend preview images for judges/users
│   └── sample_data/      # Example USB and VPN log files
├── app.py                # Final Streamlit web application for local system use
├── demos_app.py          # Alternate Streamlit demo version for public usage
├── requirements.txt      # Python dependencies
├── README.md             # Project overview (this file)
└── LICENSE               # MIT License
```
- Install dependencies:
  ```bash
  pip install -r requirements.txt
  ```
- Update `.streamlit/secrets.toml` with your Splunk credentials (needed for Live mode only; keep this file out of version control)
- Run the app:
  ```bash
  streamlit run app.py
  ```
- Or use the public link: Splunk-Guard Web Dashboard
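What the Live Mode connection to a Splunk backend can look like, as an added example that is not the project's `app.py`: an SPL search is POSTed to Splunk's REST export endpoint with HTTP basic auth over verified TLS, and the streamed JSON lines are parsed with preview rows dropped. The host, service account, sourcetype name and SPL are assumptions; only the `splunk_guard` index name comes from this README.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Iterable, Iterator, List, Optional

# Splunk's management (REST) port; the project's app.py reads its own connection
# details from .streamlit/secrets.toml, which this example does not touch.
SPLUNK_MGMT_PORT = 8089


def parse_export_lines(lines: Iterable[str]) -> List[dict]:
    """Parse the newline-delimited JSON that /services/search/jobs/export streams.

    Each line is an object carrying a "result" dict. Lines with "preview": true are
    partial snapshots emitted while the search is still running; keeping them would
    count the same event twice, so only final rows are returned."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        rows.append(obj["result"])
    return rows


def export_search(host: str, username: str, password: str, spl: str,
                  earliest: str = "-24h", ca_file: Optional[str] = None) -> Iterator[dict]:
    """POST an SPL search to the export endpoint and yield its final result rows.

    TLS verification stays on: hand the CA that signed the management-port
    certificate in via ca_file instead of disabling checks because port 8089
    ships with a self-signed cert. Plain basic auth over an unverified channel
    hands the Splunk password to anyone on the path."""
    if not spl.lstrip().startswith(("search", "|")):
        spl = "search " + spl                 # a bare 'index=... | ...' needs the search command
    url = f"https://{host}:{SPLUNK_MGMT_PORT}/services/search/jobs/export"
    body = urllib.parse.urlencode({"search": spl, "earliest_time": earliest,
                                   "output_mode": "json"}).encode()
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        yield from parse_export_lines(raw.decode("utf-8") for raw in resp)


# Assumed per-device roll-up query (sourcetype name is an assumption).
USB_VOLUME_SPL = ("index=splunk_guard sourcetype=usb_logs "
                  "| stats sum(bytes_written) as total_bytes by device_id")

# Constructed sample of what the export endpoint streams back for that query:
# a preview snapshot first, a blank keep-alive line, then the final rows.
SAMPLE_EXPORT_STREAM = [
    '{"preview":true,"offset":0,"result":{"device_id":"USB-A1","total_bytes":"120000"}}',
    '{"preview":false,"offset":0,"result":{"device_id":"USB-A1","total_bytes":"9800000000"}}',
    '',
    '{"preview":false,"offset":1,"lastrow":true,"result":{"device_id":"USB-B7","total_bytes":"2010000"}}',
]

if __name__ == "__main__":
    print(parse_export_lines(SAMPLE_EXPORT_STREAM))
    # Against a real instance (not run here):
    # for row in export_search("splunk.example.internal", "svc_guard", "<password>", USB_VOLUME_SPL):
    #     print(row)
```

Result values arrive as strings (`"total_bytes": "9800000000"`), so cast them before scoring; and prefer a dedicated read-only Splunk role for the service account rather than an admin login in `secrets.toml`.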
- Install Splunk Enterprise (free trial) and the Machine Learning Toolkit (MLTK) app
- Ingest `usb_logs.csv` and `vpn_logs.csv` into indexes (e.g., `splunk_guard`, `vpn`)
- Use the provided SPL scripts for field extraction and anomaly model training
- Import the dashboards from `Splunk_Guard/dashboards/`
- Configure alerts using the queries in `spl_queries/`
- 🔌 USB Write Volume Trends and Outlier Detection
- 🌍 VPN Login Geo Distribution and Distance-Based Anomalies
- 📈 User and Device-Level Activity Charts
Screenshots are available in the `screenshots/` folder.
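The distance-based check behind the VPN geo dashboard above, as an added example that is not the project's code: for each user the median of their login coordinates stands in for their usual location (a median is not dragged by a single rogue login), logins more than 1,000 km from it are flagged, and consecutive logins are separately checked for "impossible travel" speed. The log is a constructed sample and assumes `lat`/`lon` were already resolved from `src_ip` by a geo-IP lookup.

```python
import csv
import io
import math
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed VPN log (not the project's sample_data/). alice logs in from New York,
# then 35 minutes after a New York login appears in Moscow; bob moves London -> Bristol.
SAMPLE_VPN_LOG = """timestamp,user,src_ip,lat,lon
2024-03-01T08:00:00,alice,203.0.113.10,40.7128,-74.0060
2024-03-01T09:30:00,alice,203.0.113.10,40.7306,-73.9352
2024-03-02T08:05:00,alice,203.0.113.11,40.7580,-73.9855
2024-03-02T08:40:00,alice,198.51.100.77,55.7558,37.6173
2024-03-01T08:10:00,bob,192.0.2.20,51.5074,-0.1278
2024-03-01T12:45:00,bob,192.0.2.20,51.5155,-0.0922
2024-03-02T09:00:00,bob,192.0.2.99,51.4545,-2.5879
"""

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def logins_by_user(csv_text: str) -> Dict[str, List[dict]]:
    """Group parsed logins per user, sorted by time, so hops can be compared in order."""
    users: Dict[str, List[dict]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        users[row["user"]].append({"timestamp": datetime.fromisoformat(row["timestamp"]),
                                   "src_ip": row["src_ip"],
                                   "lat": float(row["lat"]), "lon": float(row["lon"])})
    for rows in users.values():
        rows.sort(key=lambda r: r["timestamp"])
    return users


def flag_vpn_anomalies(csv_text: str, max_home_km: float = 1000.0,
                       max_speed_kmh: float = 900.0, min_logins: int = 3) -> List[dict]:
    """Flag logins far from the user's usual location or reached at an impossible speed."""
    flagged = []
    for user, rows in logins_by_user(csv_text).items():
        if len(rows) < min_logins:            # no baseline yet; nothing is 'unusual'
            continue
        home_lat = statistics.median([r["lat"] for r in rows])
        home_lon = statistics.median([r["lon"] for r in rows])
        for i, r in enumerate(rows):
            reasons = []
            from_home = haversine_km(home_lat, home_lon, r["lat"], r["lon"])
            if from_home > max_home_km:
                reasons.append("far_from_usual_location")
            if i > 0:                         # airliner-speed bound between consecutive logins
                prev = rows[i - 1]
                hop = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
                hours = (r["timestamp"] - prev["timestamp"]).total_seconds() / 3600
                if hop > 50 and (hours <= 0 or hop / hours > max_speed_kmh):
                    reasons.append("impossible_travel")
            if reasons:
                flagged.append({"user": user, "timestamp": r["timestamp"].isoformat(),
                                "src_ip": r["src_ip"],
                                "distance_from_home_km": round(from_home),
                                "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_vpn_anomalies(SAMPLE_VPN_LOG):
        print(hit)
```

The 50 km floor on the hop check stops geo-IP jitter between neighbouring ISP POPs from being reported as travel; tune it, the 1,000 km radius and the speed bound to your user population (a road-warrior sales team needs looser values than an office-bound one).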
- Insider Threat Detection — Unusual USB activity suggests data exfiltration
- Credential Misuse Alerts — VPN logins from suspicious geo-locations
- Security Demos — Showcase Splunk's ML capabilities with real-world examples
Splunk-Guard is intended for research, educational, and prototype purposes. It is not production-hardened. Perform extensive security validation before enterprise deployment.
Released under the MIT License. See LICENSE for full terms.