{ "id": "xfusgVqUUXHnAXQx", "meta": { "instanceId": "e5b9fbfcbc747c24cfec1b0d31a7610c1fd70e6ecc554dfc55a7cfd7b215cd58", "templateCredsSetupCompleted": true }, "name": "✅Splunk Alert - IP Reputation Check", "tags": [], "nodes": [ { "id": "4cca587e-f7f6-42d0-9df1-938f1fbad8d3", "name": "VirusTotal IP reputation check", "type": "n8n-nodes-base.httpRequest", "position": [ -540, 460 ], "parameters": { "": "", "url": "=https://www.virustotal.com/api/v3/ip_addresses/{{ $json.ip_address }}\n", "method": "GET", "options": {}, "sendBody": false, "sendQuery": false, "curlImport": "", "infoMessage": "", "sendHeaders": false, "authentication": "predefinedCredentialType", "httpVariantWarning": "", "nodeCredentialType": "virusTotalApi", "provideSslCertificates": false }, "credentials": { "virusTotalApi": { "id": "credential-id", "name": "virusTotalApi Credential" } }, "typeVersion": 4.2, "extendsCredential": "virusTotalApi" }, { "id": "9da62a29-8a41-4ab8-b04e-4bafdaac47fe", "name": "IP summary display", "type": "n8n-nodes-base.html", "position": [ 400, 320 ], "parameters": { "html": "\n\n\n \n Threat Intelligence Summary\n \n\n\n

IP Threat Summary

IP: {{ $json.summary.VirusTotal.IP }}

\n \n

Description: {{ $json.summary.VirusTotal.Description }}

\n \n

\n {{ $json.summary.Status }}\n

\n\n

\n \n

VirusTotal

Reputation: {{ $json.summary.VirusTotal.Reputation }}

WHOIS: {{ $json.summary.VirusTotal.Whois }}

Tags: {{ $json.summary.VirusTotal.Tags_HTML }}

Analysis Stats

Harmless: {{ $json.summary.VirusTotal.Harmless }}
Malicious: {{ $json.summary.VirusTotal.Malicious }}
Suspicious: {{ $json.summary.VirusTotal.Suspicious }}
Undetected: {{ $json.summary.VirusTotal.Undetected }}

\n\n \n

AlienVault

Reputation: {{ $json.summary.AlienVault.Reputation }}

WHOIS: \n View WHOIS\n

Pulse Count: {{ $json.summary.AlienVault.Pulse_Count }}

Pulse Names

\n {{ $json.summary.AlienVault.Pulse_Names.split(',').map(name => `${name.trim()}`).join('') }}\n

\n\n

Generated at: {{ $json.summary.Generated_At }}

\n\n\n" }, "typeVersion": 1.2 }, { "id": "eb78ae05-e2fc-4027-9f35-93d60fa92513", "name": "Extract IOCs", "type": "n8n-nodes-base.code", "position": [ -840, 600 ], "parameters": { "jsCode": "const body = $input.first().json.body;\n\nconst ip = body?.result?.src_ip || 'No IP found';\nconst reason = body?.result?.reason || 'No reason found';\n\nreturn [\n {\n json: {\n ip_address: ip,\n description: reason\n }\n }\n];\n" }, "typeVersion": 2 }, { "id": "157e919e-0e53-4e44-867f-5455f443b4df", "name": "AlienVault Lookup", "type": "n8n-nodes-base.httpRequest", "onError": "continueRegularOutput", "position": [ -540, 720 ], "parameters": { "": "", "url": "=https://otx.alienvault.com/api/v1/indicators/IPv4/{{ $json.ip_address }}", "method": "GET", "options": {}, "sendBody": false, "sendQuery": false, "curlImport": "", "infoMessage": "", "sendHeaders": false, "authentication": "predefinedCredentialType", "httpVariantWarning": "", "nodeCredentialType": "alienVaultApi", "provideSslCertificates": false }, "credentials": { "alienVaultApi": { "id": "credential-id", "name": "alienVaultApi Credential" } }, "typeVersion": 4.2, "extendsCredential": "alienVaultApi" }, { "id": "8cbccd4b-fa7e-4f02-8f3b-fca1c0478592", "name": "Merge Threat Data", "type": "n8n-nodes-base.merge", "position": [ -260, 600 ], "parameters": { "numberInputs": 3 }, "typeVersion": 3.2, "alwaysOutputData": false }, { "id": "246f6880-d0d7-4315-9a88-a2334cbaa336", "name": "Process Intel Data", "type": "n8n-nodes-base.code", "position": [ -40, 600 ], "parameters": { "jsCode": "let virustotal = null;\nlet alienvault = null;\nlet metadata = null;\n\nfor (const item of items) {\n if (item.json?.data?.attributes) {\n // Likely VirusTotal result\n virustotal = item.json;\n } else if (item.json?.pulse_info) {\n // Likely AlienVault result\n alienvault = item.json;\n } else if (item.json?.description) {\n // The Wazuh description or IP metadata\n metadata = item.json;\n }\n}\n\nreturn [{\n json: {\n virustotal,\n alienvault,\n description: metadata?.description || \"No description\",\n ip_address: metadata?.ip_address || virustotal?.data?.id || \"Unknown IP\"\n }\n}];\n" }, "typeVersion": 2 }, { "id": "1398b87a-d2e8-4328-8c6a-b36c4b2809ef", "name": "Generate IP Summary", "type": "n8n-nodes-base.code", "position": [ 180, 600 ], "parameters": { "jsCode": "// Get merged input (single item array)\nconst data = items[0].json;\n\n// VirusTotal extraction\nconst vt = data.virustotal?.data?.attributes;\nconst vtTagsArray = vt?.tags || [];\n\nconst malicious = vt?.last_analysis_stats?.malicious || 0;\nconst suspicious = vt?.last_analysis_stats?.suspicious || 0;\n\nconst vtSummary = vt ? {\n IP: data.virustotal.data.id,\n Reputation: vt.reputation,\n Tags: vtTagsArray.join(', '),\n Tags_HTML: vtTagsArray.map(tag =>\n `${tag.trim()}`\n ).join(''),\n Harmless: vt.last_analysis_stats?.harmless || 0,\n Malicious: malicious,\n Suspicious: suspicious,\n Undetected: vt.last_analysis_stats?.undetected || 0,\n Whois: vt.whois?.split(\"\\n\")[0] || \"No WHOIS info\",\n Description: data.description || \"No description\"\n} : {};\n\n// AlienVault extraction with fallback\nlet avSummary = {};\nlet isAlienVaultSuspicious = false;\n\nif (data.alienvault && data.alienvault.pulse_info) {\n const av = data.alienvault;\n const pulseNamesArray = (av?.pulse_info?.pulses || []).map(p => p.name);\n const pulseCount = av?.pulse_info?.count || 0;\n\n isAlienVaultSuspicious = pulseCount > 0;\n\n avSummary = {\n IP: av.indicator,\n Reputation: av.reputation,\n Whois: av.whois,\n Pulse_Count: pulseCount,\n Pulse_Names: pulseNamesArray.join(', '),\n Pulse_Names_HTML: pulseNamesArray.map(name =>\n `${name.trim()}`\n ).join('')\n };\n} else {\n avSummary = {\n IP: 'N/A (Private IP)',\n Reputation: 'N/A',\n Whois: 'N/A',\n Pulse_Count: 0,\n Pulse_Names: 'N/A',\n Pulse_Names_HTML: ''\n };\n}\n\n// Global Status Logic\nconst isVirusTotalSuspicious = malicious > 0 || suspicious > 0;\nconst finalStatus = (isVirusTotalSuspicious || isAlienVaultSuspicious) ? 'Suspicious' : 'Safe';\n\n// Timestamp\nconst generatedAt = new Intl.DateTimeFormat('en-IN', {\n dateStyle: 'short',\n timeStyle: 'medium',\n timeZone: 'Asia/Kolkata'\n}).format(new Date());\n\n// Final Output\nreturn [\n {\n json: {\n summary: {\n VirusTotal: vtSummary,\n AlienVault: avSummary,\n Status: finalStatus,\n Generated_At: generatedAt\n }\n }\n }\n];\n" }, "typeVersion": 2 }, { "id": "d3c233f3-663f-452a-9757-c114bc5ed7f7", "name": "Filter Suspicious IPs", "type": "n8n-nodes-base.switch", "position": [ 420, 880 ], "parameters": { "rules": { "values": [ { "conditions": { "options": { "version": 2, "leftValue": "", "caseSensitive": true, "typeValidation": "strict" }, "combinator": "and", "conditions": [ { "id": "559feb80-bac9-4300-82ac-7fbec9c24320", "operator": { "type": "string", "operation": "equals" }, "leftValue": "={{ $json.summary.Status }}", "rightValue": "Suspicious" } ] } } ] }, "options": {} }, "typeVersion": 3.2 }, { "id": "cdf4d022-a819-4dcf-a320-2c29f1eb204e", "name": "Create IP Incident", "type": "n8n-nodes-base.serviceNow", "position": [ 640, 760 ], "parameters": { "resource": "incident", "operation": "create", "authentication": "basicAuth", "additionalFields": {}, "short_description": "=IP: {{ $json.summary.VirusTotal.IP }} \n{{ $json.summary.VirusTotal.Description }}" }, "credentials": { "serviceNowBasicApi": { "id": "credential-id", "name": "serviceNowBasicApi Credential" } }, "typeVersion": 1, "alwaysOutputData": false }, { "id": "7aa90c7f-4766-4a7b-9e70-09ad884901e4", "name": "Slack IP Alert", "type": "n8n-nodes-base.slack", "position": [ 640, 980 ], "webhookId": "c246176e-5a7c-4223-9c41-196ed03ceaa2", "parameters": { "text": "={{ $json.summary.VirusTotal.Status === 'Safe' ? '✅' : '🚨' }} IP {{ $json.summary.VirusTotal.IP }}\nStatus: *{{ $json.summary.Status }}*\nEvent: {{ $json.summary.VirusTotal.Description }}\n", "select": "channel", "channelId": { "__rl": true, "mode": "list", "value": "C0913JPTZBJ", "cachedResultName": "n8n-trigger" }, "otherOptions": {}, "authentication": "oAuth2" }, "credentials": { "slackOAuth2Api": { "id": "credential-id", "name": "slackOAuth2Api Credential" } }, "typeVersion": 2.3 }, { "id": "4d08d7c7-6fff-4688-b38d-3199c0ba733b", "name": "Gmail", "type": "n8n-nodes-base.gmail", "position": [ 640, 320 ], "webhookId": "a0b9d4ee-ac9f-46e1-a9de-b81395a03636", "parameters": { "sendTo": "user@example.com", "message": "={{ $json.html }}", "options": {}, "subject": "[New Alert] IP Reputation Check Summary" }, "credentials": { "gmailOAuth2": { "id": "credential-id", "name": "gmailOAuth2 Credential" } }, "typeVersion": 2.1 }, { "id": "fe07061e-9ea1-405c-a6e3-41a07a8caada", "name": "Splunk Alert", "type": "n8n-nodes-base.webhook", "position": [ -1080, 600 ], "webhookId": "e645d98e-f80c-47e5-b96e-762c96f3db76", "parameters": { "path": "e645d98e-f80c-47e5-b96e-762c96f3db76", "options": {}, "httpMethod": "POST" }, "typeVersion": 2 }, { "id": "e42e348c-52ae-46e9-80bc-a025ea9d4a1f", "name": "Sticky Note", "type": "n8n-nodes-base.stickyNote", "position": [ -1080, 400 ], "parameters": { "width": 340, "height": 180, "content": "## 📥 Alert Ingestion & IOC Extraction\n- Receives alert from Splunk with IP address.\n- Extracts source IP and event reason.\n- Sends it to VirusTotal, AlienVault, and Merge nodes.\n" }, "typeVersion": 1 }, { "id": "011fc6c0-27cd-472c-9423-a4d1fc1194c9", "name": "Sticky Note1", "type": "n8n-nodes-base.stickyNote", "position": [ -320, 400 ], "parameters": { "color": 3, "width": 600, "height": 140, "content": "## 🧪 Threat Enrichment & Summary Generation\n- Queries VirusTotal and AlienVault for reputation.\n- Merges data, tags, WHOIS, and pulse info.\n- Creates a readable summary of threat posture.\n" }, "typeVersion": 1 }, { "id": "65c83639-4dc3-473d-bd03-5b335db8c9c8", "name": "Sticky Note2", "type": "n8n-nodes-base.stickyNote", "position": [ 400, 500 ], "parameters": { "width": 340, "height": 200, "content": "## 🚨 Alert Routing & Analyst Notification\n- If IP is marked suspicious:\n - Sends Slack alert\n - Creates an incident ticket\n- Emails an HTML summary report to the SOC inbox.\n" }, "typeVersion": 1 } ], "active": false, "pinData": {}, "settings": { "executionOrder": "v1" }, "versionId": "3b5315c6-249b-47e2-b7bf-fddcf817eb77", "connections": { "Extract IOCs": { "main": [ [ { "node": "VirusTotal IP reputation check", "type": "main", "index": 0 }, { "node": "AlienVault Lookup", "type": "main", "index": 0 }, { "node": "Merge Threat Data", "type": "main", "index": 1 } ] ] }, "Splunk Alert": { "main": [ [ { "node": "Extract IOCs", "type": "main", "index": 0 } ] ] }, "AlienVault Lookup": { "main": [ [ { "node": "Merge Threat Data", "type": "main", "index": 2 } ] ] }, "Merge Threat Data": { "main": [ [ { "node": "Process Intel Data", "type": "main", "index": 0 } ] ] }, "IP summary display": { "main": [ [ { "node": "Gmail", "type": "main", "index": 0 } ] ] }, "Process Intel Data": { "main": [ [ { "node": "Generate IP Summary", "type": "main", "index": 0 } ] ] }, "Generate IP Summary": { "main": [ [ { "node": "IP summary display", "type": "main", "index": 0 }, { "node": "Filter Suspicious IPs", "type": "main", "index": 0 } ] ] }, "Filter Suspicious IPs": { "main": [ [ { "node": "Create IP Incident", "type": "main", "index": 0 }, { "node": "Slack IP Alert", "type": "main", "index": 0 } ] ] }, "VirusTotal IP reputation check": { "main": [ [ { "node": "Merge Threat Data", "type": "main", "index": 0 } ] ] } } }