Automated Threat Intelligence and IP Reconnaissance
This workflow automates the process of gathering threat intelligence on URLs and IPs. It leverages VirusTotal for comprehensive analysis and DNS lookups to resolve hostnames to IP addresses, providing a unified view of potential risks.
About This Workflow
This powerful workflow automates critical security and reconnaissance tasks, providing you with actionable threat intelligence. It begins by receiving a list of URLs or IP addresses via a webhook. For each entry, it determines whether the value is an IP address or a URL. If it is a URL, it performs a DNS lookup to resolve the hostname to its corresponding IP address. It then submits the URL to VirusTotal to analyze it and its associated IP for malicious indicators, including blocklist hits and phishing attempts. The VirusTotal results are enriched with the DNS lookup data and potentially other sources (not fully represented in this snippet). Finally, it consolidates all gathered information into a summary of the threat landscape for each input, with the option to send the summarized report to Slack.
Key Features
- Automated URL and IP Analysis: Seamlessly process lists of web addresses and IP addresses.
- Integrated VirusTotal Reporting: Gain deep insights into threat levels, malicious activity, and reputation.
- Real-time DNS Resolution: Automatically translate domain names to their associated IP addresses.
- Data Consolidation: Merge threat intelligence from multiple sources for a holistic view.
- Actionable Reporting: Prepare for automated notifications (e.g., Slack) with key findings.
How To Use
- Configure Webhook: Set up the 'Webhook' node to receive incoming POST requests whose JSON payload contains a 'data' array of objects, each with a 'url' property and an optional 'email' property.
- Process Incoming Data: Use the 'Get List of URLs' node to extract the 'data' array from the webhook payload.
- Capture Email: If provided, store the sender's email using the 'Set Email' node.
- Check for IP: The 'Is IP?' node determines if the input is an IP address or a URL using a regular expression.
- Set IP Address: If the input is an IP, the 'Set IP' node stores it for further processing.
- DNS Lookup: If the input is a URL, the 'DNS Lookup' node resolves the hostname to an IP address.
- Extract Resolved IP: The 'Set IP From Lookup' node extracts the resolved IP address from the DNS query results.
- Initiate VirusTotal Scan: For URLs, the 'Start VirusTotal Scan' node submits the URL to VirusTotal for analysis.
- Poll VirusTotal Results: The 'Wait 5s' and 'VirusTotal ready?' nodes manage polling for the scan results.
- Retrieve VirusTotal Analysis: The 'VirusTotal result' node fetches the detailed analysis report from VirusTotal.
- Merge and Consolidate: Use the 'Merge Greynoise results' and 'Merge VirusTotal & Greynoise results' nodes (Greynoise node is assumed to be present upstream and merged here) to combine IP and threat intelligence data.
- Summarize Findings: The 'VirusTotal Summary' node extracts key statistics and findings from the VirusTotal report and merges them with the IP information.
- Send Notifications: Configure the 'Send Report Slack' node to send a summarized report of the scan results to a designated Slack channel.
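The per-entry logic described in the steps above, written as plain functions you could paste into an n8n Code node. This is an added example, not code shipped with the workflow: the webhook payload follows the shape given in step 1, the sample payload and analysis object are constructed, and the VirusTotal field names ('status', 'stats') are assumed from the VirusTotal v3 analysis API rather than taken from this page.

```javascript
// 'Is IP?': dotted-quad IPv4 check by regular expression (octets 0-255).
const IPV4_RE = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;

function isIp(value) {
  return IPV4_RE.test(String(value ?? '').trim());
}

// Hostname the 'DNS Lookup' node would resolve; accepts bare hosts and full URLs.
function hostnameOf(entry) {
  try {
    return new URL(entry.includes('://') ? entry : `http://${entry}`).hostname;
  } catch {
    return null; // not a parseable URL; the workflow would skip or flag it
  }
}

// Steps 2-5: pull the 'data' array from the webhook body and route each entry.
function classify(payload) {
  return (payload.data || []).map(({ url, email }) => ({
    input: url,
    email: email || null,               // 'Set Email' (optional)
    kind: isIp(url) ? 'ip' : 'url',     // 'Is IP?' branch
    host: isIp(url) ? url : hostnameOf(url), // 'Set IP' or input to 'DNS Lookup'
  }));
}

// 'VirusTotal ready?': poll until the analysis reports status 'completed'
// (assumed VirusTotal v3 field; an unfinished analysis reports 'queued').
function isAnalysisReady(analysis) {
  return analysis?.data?.attributes?.status === 'completed';
}

// 'VirusTotal Summary': fold the per-engine stats into counts and a verdict.
function summarize(analysis, host) {
  const s = analysis.data.attributes.stats || {};
  const malicious = s.malicious || 0;
  const suspicious = s.suspicious || 0;
  const total = Object.values(s).reduce((a, b) => a + b, 0);
  const verdict = malicious > 0 ? 'malicious' : suspicious > 0 ? 'suspicious' : 'clean';
  return { host, malicious, suspicious, total, verdict };
}

// Constructed sample input: one IP entry with an email, one URL entry without.
const SAMPLE_PAYLOAD = { data: [
  { url: '192.0.2.10', email: 'analyst@example.com' },
  { url: 'https://example.com/login' },
] };
// Constructed completed analysis in the assumed v3 shape.
const SAMPLE_ANALYSIS = { data: { attributes: { status: 'completed',
  stats: { harmless: 70, malicious: 3, suspicious: 1, undetected: 20, timeout: 0 } } } };
```

In an n8n Code node the classify() output would be returned as items for the 'Is IP?' node, and summarize() would feed the 'Send Report Slack' message.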
Workflow JSON
{
  "id": "77305161-bc20-4fac-a2ec-67d8d85afcd4",
  "name": "Automated Threat Intelligence and IP Reconnaissance",
  "nodes": 15,
  "category": "DevOps",
  "status": "active",
  "version": "1.0.0"
}
Note: This is a sample preview. The full workflow JSON contains node configurations, credential placeholders, and execution logic.
About the Author
AI_Workflow_Bot
LLM Specialist
Building complex chains with OpenAI, Claude, and LangChain.