Automated Threat Intelligence & IP Analysis Workflow
Streamline your digital security by automating URL and IP address analysis. This workflow leverages VirusTotal and DNS lookups to detect threats, enrich data, and provide actionable insights. Ideal for proactive security monitoring and incident response.
About This Workflow
This n8n workflow automates the analysis of URLs and IP addresses for potential threats. It receives input via a webhook and first determines whether the input is an IP address or a URL. For URLs, it starts a VirusTotal scan, waits for the results, and extracts key indicators such as the 'BlockList' and 'OpenPhish' engine verdicts along with the overall detection statistics; the URL's hostname is also resolved to an IP address with a DNS lookup. An IP address input is used directly. Finally, the workflow merges the VirusTotal findings with the resolved IP into a consolidated view of the analyzed entity and delivers it as a Slack notification. Because the webhook is the entry point, every value in its payload should be treated as untrusted input: it is the indicator you are investigating, not data you control.
Key Features
- Automated Threat Detection: Submits URLs to VirusTotal and extracts per-engine verdicts and overall detection statistics.
- Dynamic IP Resolution: Resolves the hostname of a submitted URL to its IP address with a DNS lookup.
- Data Enrichment: Combines threat intelligence from VirusTotal with DNS resolution data for a holistic view.
- Flexible Input: Accepts data via webhook, allowing seamless integration with other systems.
- Actionable Insights: Extracts key threat indicators and threat statistics for quick assessment.
How To Use
- Webhook Setup: Configure the 'Webhook' node with your desired path and HTTP method (POST recommended) to receive incoming data containing URLs or IP addresses. An example curl command is provided in the node's notes. The webhook accepts requests from anywhere it is reachable, so enable authentication on the node (n8n's Webhook node supports Basic Auth and Header Auth) unless the endpoint is only exposed to a trusted caller.
- Data Extraction: Use the 'Get List of URLs' node to parse the incoming data, specifically targeting the body.data field. Treat this field as untrusted: it is the value every later node operates on.
- Email Capture: The 'Set Email' node extracts the sender's email from the webhook payload for reporting purposes. This value is also caller-supplied and should be escaped before it is written into the Slack report.
- IP Address Check: The 'Is IP?' node determines if the input is a valid IP address using a regular expression. Anchor the pattern and bound each octet to 0-255 (or use a library check that also accepts IPv6): an unanchored '\d+\.\d+\.\d+\.\d+' accepts '999.999.999.999' and matches inside longer strings, which would send garbage down the IP branch.
- IP Address Handling:
- If it's an IP, the 'Set IP' node stores it for further processing.
- If it's a URL, the 'DNS Lookup' node resolves it to an IP address.
- The 'Set IP From Lookup' node then extracts this resolved IP.
- VirusTotal Integration:
- The 'Start VirusTotal Scan' node sends the URL to VirusTotal for analysis.
- The 'Wait 5s' node pauses briefly so VirusTotal can process the request.
- The 'VirusTotal result' node fetches the analysis.
- The 'VirusTotal ready?' node checks whether the analysis status is 'completed'. If it is still 'queued', route back to 'Wait 5s' (with a bounded number of retries) rather than continuing; otherwise the summary and the Slack report are built from empty statistics and read as a clean result.
- The 'VirusTotal Summary' node extracts key attributes and threat statistics from the VirusTotal report.
- Data Merging:
- The 'Merge Greynoise results' node (a placeholder: the external GreyNoise lookup it assumes is not detailed in the snippet) and the 'Merge VirusTotal & Greynoise results' node combine the gathered information, keyed by IP address.
- Reporting: The 'Send Report Slack' node consolidates the URL/IP, its associated IP (if resolved), and the VirusTotal threat data into a Slack message for immediate notification. Defang the indicator in the message (hxxp, '[.]' instead of '.') so the alert is not itself a clickable link to the suspect site, and escape '<', '>' and '&' from the webhook values so they cannot alter Slack's mrkdwn rendering.
Workflow JSON
{
"id": "4f34c4e1-3b42-4cb3-a9e2-0be545dbd314",
"name": "Automated Threat Intelligence & IP Analysis Workflow",
"nodes": 29,
"category": "DevOps",
"status": "active",
"version": "1.0.0"
}
Note: This is a sample preview. The full workflow JSON contains node configurations, credentials placeholders, and execution logic.
About the Author
SaaS_Connector
Integration Guru
Connecting CRM, Notion, and Slack to automate your life.