Rajneesh Gupta
Workflows by Rajneesh Gupta
IP reputation check & SOC alerts with Splunk, VirusTotal and AlienVault
# IP Reputation Check & Threat Summary using Splunk + VirusTotal + AlienVault + n8n

This workflow automates IP reputation analysis using **Splunk alerts**, enriches data via **VirusTotal** and **AlienVault OTX**, and generates actionable threat summaries for SOC teams — all without any coding.

---

## What It Does

When a Splunk alert contains a suspicious IP:

- **Ingests the IP** from the Splunk alert via webhook.
- **Performs dual threat enrichment** using:
  - VirusTotal IP reputation & tags.
  - AlienVault OTX pulses, reputation & WHOIS.
- **Merges & processes** threat intel data.
- **Generates a rich HTML summary** for analyst review.
- **Routes action based on severity**:
  - Sends Slack alert for suspicious IPs.
  - Creates an incident in ServiceNow.
  - Emails a formatted HTML report to the SOC inbox.

---

## Tech Stack Used

- **Splunk** – SIEM alert source
- **VirusTotal API** – Reputation check & analysis stats
- **AlienVault OTX API** – Community threat intel & pulse info
- **n8n** – For orchestration, merging, summary generation
- **Slack, Gmail, ServiceNow** – For SOC notifications and ticketing

---

## Ideal Use Case

Perfect for security teams wanting to:

- Automatically validate IP reputation from SIEM logs
- Get quick context from multiple threat feeds
- Generate email-ready reports and escalate high-risk IPs

---

## Included Nodes

- Webhook (Splunk)
- Function nodes for IOC extraction and intel processing
- HTTP Request (VirusTotal & AlienVault)
- Merge + Switch nodes for conditional logic
- Gmail, Slack, ServiceNow integration

---

## Tips

- Add your **VirusTotal** and **AlienVault** credentials in n8n's credential manager.
- Use the Switch node to route based on your internal threat score logic.
- Easily extend this to include AbuseIPDB or GreyNoise for deeper enrichment.
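The IOC extraction, intel merge, severity routing and HTML summary that the Function and Switch nodes described above perform, written out as plain JavaScript. This is an added example, not code from the template or its author; the Splunk payload shape, the scoring weights and thresholds, and the sample API replies are assumptions, while the field names follow the VirusTotal v3 `last_analysis_stats` object and the OTX `pulse_info` object.

```javascript
// Added example, not the template's own node code. Payload shape, scoring
// policy and sample responses are assumptions; field names follow VT v3 and OTX.
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
// Pull candidate IPv4 addresses out of a Splunk alert payload, skipping
// malformed dotted quads and private/loopback ranges.
function extractIps(alert) {
  const found = new Set();
  for (const ip of JSON.stringify(alert).match(IPV4_RE) || []) {
    const [a, b, c, d] = ip.split('.').map(Number);
    if ([a, b, c, d].some(o => o > 255)) continue;  // e.g. "999.1.1.1"
    const isPrivate = a === 10 || a === 127 || (a === 192 && b === 168) ||
      (a === 172 && b >= 16 && b <= 31);
    if (!isPrivate) found.add(ip);
  }
  return [...found];
}

// Merge both enrichment results into one summary carrying a single score.
function scoreThreat(vt, otx) {
  const { last_analysis_stats: s, tags = [] } = vt.data.attributes;
  const pulses = otx.pulse_info.count;
  const score = s.malicious * 10 + s.suspicious * 3 + Math.min(pulses, 10) * 2;
  return { score, malicious: s.malicious, suspicious: s.suspicious, pulses, tags };
}

// Mirror the Switch node: email for every IP, Slack from medium, ServiceNow at high.
function routeBySeverity({ score }) {
  const severity = score >= 50 ? 'high' : score >= 20 ? 'medium' : 'low';
  const actions = ['email'];
  if (severity !== 'low') actions.push('slack');
  if (severity === 'high') actions.push('servicenow');
  return { severity, actions };
}

// Escape feed-supplied strings (tags) before they are placed in the HTML report.
const escapeHtml = s => String(s).replace(/[&<>"']/g, c =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
function renderSummary(ip, sum) {
  const tags = sum.tags.map(escapeHtml).join(', ') || 'none';
  return `<h2>IP ${escapeHtml(ip)}</h2><ul><li>VT malicious: ${sum.malicious}</li>` +
    `<li>VT suspicious: ${sum.suspicious}</li><li>OTX pulses: ${sum.pulses}</li>` +
    `<li>Tags: ${tags}</li><li>Score: ${sum.score}</li></ul>`;
}

// Constructed sample data shaped like a Splunk webhook body and the two API replies.
const SAMPLE_ALERT = { result: { src_ip: '203.0.113.45', dest_ip: '10.0.0.5',
  _raw: 'blocked 203.0.113.45 -> 192.168.1.2 (999.1.1.1)' } };
const SAMPLE_VT = { data: { attributes: { tags: ['tor', '<script>'],
  last_analysis_stats: { malicious: 7, suspicious: 2, harmless: 60, undetected: 10 } } } };
const SAMPLE_OTX = { reputation: 0, pulse_info: { count: 14 } };
```

In n8n the same three steps map onto one Function node feeding the two HTTP Request nodes, a Merge node feeding `scoreThreat`, and a Switch node keyed on the returned `severity`; a feed-supplied tag is escaped before it reaches the Gmail report body.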
Malicious file detection & response: Wazuh to VirusTotal with Slack alerts
# Malicious File Detection & Threat Summary Automation using Wazuh + VirusTotal + n8n

This workflow helps SOC teams automate the detection and reporting of potentially malicious files using **Wazuh alerts**, **VirusTotal hash validation**, and integrated **summary/report generation**. It's ideal for analysts who want instant context and communication for file-based threats — without writing a single line of code.

---

## What It Does

When Wazuh detects a suspicious file:

- **Ingests Wazuh Alert**
  A webhook node captures incoming alerts containing file hashes (SHA256/MD5).
- **Parses IOCs**
  Extracts relevant indicators (file hash, filename, etc.).
- **Validates with VirusTotal**
  Automatically checks the file hash reputation using VirusTotal's threat intelligence API.
- **Generates Human-Readable Summary**
  Outputs a structured file report.
- **Routes Alerts Based on Threat Level**
  - Sends a formatted email with the file summary using Gmail.
  - If the file is deemed malicious/suspicious:
    - Creates a file-related incident ticket.
    - Sends an instant Slack alert to notify the team.

---

## Tech Stack Used

- **Wazuh** – For endpoint alerting
- **VirusTotal API** – For real-time hash validation
- **n8n** – To orchestrate, parse, enrich, and communicate
- **Slack, Gmail, Incident Tool** – To notify and take action

---

## Ideal Use Case

This template is designed for security teams looking to automate **file threat triage**, **IOC validation**, and **alert-to-ticket escalation**, with zero human delay.

---

## Included Nodes

- **Webhook** (Wazuh)
- **Function** (IOC extraction and summary)
- **HTTP Request** (VirusTotal)
- **If / Switch** (threat level check)
- **Gmail**, **Slack**, **Incident Creation**

---

## Tips

- Make sure to add your **VirusTotal API key** in the HTTP node.
- Customize the **incident creation node** to fit your ticketing platform (Jira, ServiceNow, etc.).
- Add logic to enrich the file alert further using WHOIS or sandbox reports if needed.