Score DNS threats with VirusTotal, Abuse.ch, HashiCorp Vault and Gemini

Created by: Lukasz FD || lukaszfd

Last update 13 days ago

An end-to-end Cyber Threat Intelligence pipeline that turns raw DNS traffic into actionable security verdicts — without manual triage, without leaking credentials, and without alert fatigue.

What this workflow does

This workflow ingests passive DNS observations, enriches each indicator with multi-source threat intelligence, and uses Google Gemini as a senior security analyst to produce a single, defensible verdict per indicator. Every step that touches a secret pulls it from HashiCorp Vault at runtime, and only confirmed threats reach your inbox.

Problems it solves

Manual threat triage takes hours. A SOC analyst checking a suspicious indicator across VirusTotal, ThreatFox, and URLhaus, then writing up the verdict, typically spends 10-20 minutes per IoC. This workflow performs the same correlation in seconds and produces a structured report ready for review or downstream automation.

Hardcoded credentials are a breach waiting to happen. API keys, database passwords, and provider tokens commonly end up in workflow JSON, environment files, or git history. This workflow fetches every secret directly from HashiCorp Vault during execution, so credentials never live inside n8n configuration.

Alert fatigue trains analysts to ignore real threats. The AI agent applies a detection-first scoring model on a 1–5 scale, with email alerts firing only on confirmed malicious indicators (score ≥ 4). Clean traffic and low-signal noise are silently logged for trend analysis, not pushed to the operator.

Single-source intelligence is misleading. Indicators flagged by one provider but absent from others are often false positives — and indicators marked clean by one source may already be active C2 infrastructure tracked by another. This workflow correlates across three independent CTI sources before assigning a verdict.

Trusted infrastructure produces noise. Cloud providers, CDNs, and developer platforms (AWS, Cloudflare, GitHub, Bitbucket) frequently appear in threat feeds because attackers abuse them — the platforms themselves are not malicious. The scoring model recognizes "big player" infrastructure and caps the score unless a specific malware family is confirmed, eliminating a major source of false positives.

How it works

The workflow runs as five coordinated stages:

1. Indicator capture. Passive DNS logs are read from MySQL using credentials retrieved from Vault. Indicators that have not yet been analyzed are queued for enrichment.

2. Multi-source enrichment. Three independent CTI branches run in parallel:

  • VirusTotal — primary source for IP/domain reputation and ownership
  • ThreatFox (Abuse.ch) — primary source for active C2 infrastructure and malware family attribution
  • URLhaus (Abuse.ch) — supporting context on URLs historically hosted at the indicator

3. AI-driven verdict. Google Gemini receives the consolidated intelligence, applies a detection-first scoring policy loaded dynamically from the database, and returns a structured JSON verdict including a numeric score, malicious flag, threat label, English technical summary, and Polish operator commentary.

4. Persistence. Results are written to MySQL with full referential integrity, ready for Grafana dashboards or further automation.

5. Conditional alerting. Only indicators with score ≥ 4 trigger an email notification. Email styling adapts to severity: green for informational, amber for review, red for confirmed threats.
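The scoring and alert-gating rules described under "Problems it solves" and in steps 3 and 5 above, written out as a deterministic n8n-style Code node. This is an added example, not code from the template or its author: in the real workflow Gemini produces the verdict from a scale loaded out of MySQL, so the input shape, the VirusTotal detection thresholds and the big-player list here are assumptions.

```javascript
// Added illustration of the detection-first policy (not the template's code).
// Assumed input: { vt: { malicious, owner }, threatfox: { malware }, urlhaus: { urls } }
const BIG_PLAYERS = ["amazon", "cloudflare", "github", "bitbucket"]; // assumed list
const ALERT_THRESHOLD = 4;                   // email fires only for score >= 4
const SCALE = {                              // 1-5 scale mapped to operator action
  1: { action: "Allow",         severity: "INFO",   color: "green" },
  2: { action: "Monitor",       severity: "INFO",   color: "green" },
  3: { action: "Review",        severity: "REVIEW", color: "amber" },
  4: { action: "Block",         severity: "ALERT",  color: "red"   },
  5: { action: "Block + Alert", severity: "ALERT",  color: "red"   },
};

function scoreIndicator(intel) {
  const vt = intel.vt || {}, tf = intel.threatfox || {}, uh = intel.urlhaus || {};
  const familyConfirmed = Boolean(tf.malware);   // ThreatFox malware family attribution
  const detections = vt.malicious || 0;          // VirusTotal engines flagging the IoC

  // VirusTotal and ThreatFox drive the score.
  let score = 1;
  if (detections >= 5) score = 4;          // assumed threshold: broad engine consensus
  else if (detections >= 1) score = 3;     // a few engines: needs a human look
  if (familyConfirmed) score = Math.max(score, 4);
  if (familyConfirmed && detections >= 5) score = 5;

  // URLhaus is only a supporting modifier: it can lift a clean indicator to
  // Monitor but never pushes an indicator towards Block on its own.
  if ((uh.urls || 0) > 0 && score < 2) score = 2;

  // Big-player cap: trusted infrastructure stays at Monitor unless ThreatFox
  // attributes a specific malware family to this indicator.
  const owner = String(vt.owner || "").toLowerCase();
  const bigPlayer = BIG_PLAYERS.some((p) => owner.includes(p));
  if (bigPlayer && !familyConfirmed) score = Math.min(score, 2);

  const alert = score >= ALERT_THRESHOLD;
  return { score, malicious: alert, alert, bigPlayer, ...SCALE[score] };
}

// Conditional alerting: null means "log only, no email".
function buildAlert(indicator, verdict) {
  if (!verdict.alert) return null;
  return { subject: `[${verdict.severity}] ${indicator} -> ${verdict.action}`, color: verdict.color };
}
```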

Architecture components

Layer          | Component                      | Role
Traffic source | Passive DNS (MySQL)            | Identifies new IoCs from observed network traffic
Secret engine  | HashiCorp Vault                | Provides all credentials and API tokens at runtime
Intelligence   | VirusTotal, ThreatFox, URLhaus | Independent CTI sources for cross-validation
AI reasoning   | Google Gemini                  | Acts as a senior security analyst, correlating data and generating verdicts
Persistence    | MySQL (partitioned)            | Stores results with 6-month automated retention
Alerting       | Gmail via SMTP                 | Severity-aware notifications, only for confirmed threats

Release v1.0.2-rc1 Highlights

This is the release candidate for the first stable v1.0.2 build, available on the Cyber Sentinel GitHub repository.

  • Detection-first scoring (1–5 scale) — replaces the previous 1–10 scale with a clearer mapping to operator actions: Allow, Monitor, Review, Block, Block + Alert.
  • Dynamic threat scale — score definitions are loaded from the database at every AI invocation, enabling future self-healing workflows that can auto-tune the scoring model.
  • Source weighting — VirusTotal and ThreatFox drive the score; URLhaus contributes only as a supporting modifier, eliminating false positives on legitimate platforms.
  • Severity-aware email alerts — color and header adapt to score (green INFO / amber REVIEW / red ALERT) instead of every indicator triggering a red alarm banner.
  • Partitioned database with automated retention — DNS queries, network events, and threat indicators are partitioned monthly with automatic cleanup after 6 months.
  • Unified Vault provisioning — single Ansible playbook handles initialization, unsealing, and secret provisioning idempotently.
  • Full Infrastructure-as-Code deployment — the entire stack (Nginx, Vault, MySQL, MongoDB, n8n) deploys via Ansible with credentials managed through Ansible Vault.
  • Tested on Proxmox (Debian) and Raspberry Pi 5 — production-grade stability validated on both home-lab and resource-constrained environments.

Documentation