Rajneesh Gupta
Founder of HAX SECURITY, 2x Author, and 13+ Years in SOC, SIEM, Security Audit and Red Teaming exercises.
Templates by Rajneesh Gupta
Malicious file detection & response: Wazuh to VirusTotal with Slack alerts
Malicious File Detection & Threat Summary Automation using Wazuh + VirusTotal + n8n

This workflow helps SOC teams automate the detection and reporting of potentially malicious files using Wazuh alerts, VirusTotal hash validation, and integrated summary/report generation. It is aimed at analysts who want instant context and communication for file-based threats with no custom integration code to write: the only logic lives in the included Function nodes.

---

What It Does

When Wazuh detects a suspicious file:

1. Ingests the Wazuh alert: a Webhook node captures incoming alerts containing file hashes (SHA256/MD5).
2. Parses IOCs: extracts the relevant indicators (file hash, filename, etc.).
3. Validates with VirusTotal: checks the file hash reputation against VirusTotal's threat intelligence API.
4. Generates a human-readable summary: outputs a structured file report.
5. Routes alerts based on threat level: always sends a formatted email with the file summary via Gmail; if the file is deemed malicious or suspicious, also creates a file-related incident ticket and sends an instant Slack alert to notify the team.

---

Tech Stack Used

- Wazuh: endpoint alerting
- VirusTotal API: real-time hash validation
- n8n: orchestration, parsing, enrichment, and communication
- Slack, Gmail, incident tool: notification and action

---

Ideal Use Case

Designed for security teams looking to automate file threat triage, IOC validation, and alert-to-ticket escalation without waiting on a human to start triage.

---

Included Nodes

- Webhook (Wazuh)
- Function (IOC extraction and summary)
- HTTP Request (VirusTotal)
- If / Switch (threat level check)
- Gmail, Slack, incident creation

---

Tips

- Store your VirusTotal API key in n8n's credential manager and reference it from the HTTP Request node rather than pasting it into the node. VirusTotal's free public API is limited to 4 lookups per minute, so a burst of FIM alerts will need throttling or batching.
- Treat a hash VirusTotal has never seen (HTTP 404) as "unknown", not "clean"; it is a candidate for sandbox submission.
- Protect the webhook endpoint (for example with header authentication on the n8n Webhook node) so only your Wazuh manager can inject alerts.
- Customize the incident creation node to fit your ticketing platform (Jira, ServiceNow, etc.).
- Add logic to enrich the file alert further using WHOIS or sandbox reports if needed.
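The steps above, as an added example that is not part of the template and not n8n's or Wazuh's own code: the IOC extraction, VirusTotal verdict, routing and summary logic of the Function nodes written as plain JavaScript that runs under Node (in an n8n Code node you would call the same functions on `$input.item.json`). It assumes a Wazuh syscheck (FIM) alert with `syscheck.md5_after` / `syscheck.sha256_after` fields and a VirusTotal v3 `GET /api/v3/files/{hash}` response body; the detection thresholds (5 engines for "malicious", any hit for "suspicious"), the sample alert and the sample response are constructed for the example. It goes one step beyond the description by treating a 404 from VirusTotal as "unknown" rather than "clean".

```javascript
// Added example (not the template's own code): the logic of the Wazuh ->
// VirusTotal Function nodes as plain JavaScript. Functions are pure so they
// run under Node for testing; inside an n8n Code node you would call them on
// $input.item.json. Field names follow Wazuh syscheck (FIM) alerts and the
// VirusTotal v3 /files/{hash} response; thresholds are this example's choice.

const HASH_RE = {
  sha256: /^[0-9a-f]{64}$/i,
  sha1: /^[0-9a-f]{40}$/i,
  md5: /^[0-9a-f]{32}$/i,
};

// Pull file indicators out of a Wazuh syscheck alert. Prefers SHA256 (the id
// VirusTotal canonicalises on) but keeps every well-formed hash for pivoting.
function extractIocs(alert) {
  const sc = alert.syscheck || {};
  const candidates = { sha256: sc.sha256_after, sha1: sc.sha1_after, md5: sc.md5_after };
  const hashes = {};
  for (const [algo, value] of Object.entries(candidates)) {
    if (typeof value === 'string' && HASH_RE[algo].test(value)) {
      hashes[algo] = value.toLowerCase();
    }
  }
  return {
    agent: (alert.agent && alert.agent.name) || 'unknown',
    path: sc.path || null,
    event: sc.event || null,
    ruleLevel: (alert.rule && alert.rule.level) || 0,
    lookupHash: hashes.sha256 || hashes.sha1 || hashes.md5 || null,
    hashes,
  };
}

// Turn the VirusTotal response into a verdict. A 404 means the hash has never
// been submitted: that is "unknown", not "clean", and is worth a sandbox run.
function vtFileVerdict(statusCode, body) {
  if (statusCode === 404) {
    return { verdict: 'unknown', malicious: 0, suspicious: 0, total: 0, label: null };
  }
  const attrs = (body.data && body.data.attributes) || {};
  const stats = attrs.last_analysis_stats || {};
  const malicious = stats.malicious || 0;
  const suspicious = stats.suspicious || 0;
  const total = Object.values(stats).reduce((a, b) => a + (b || 0), 0);
  // Assumed thresholds: 5+ engines flagging = malicious, any hit = suspicious.
  let verdict = 'clean';
  if (malicious >= 5) verdict = 'malicious';
  else if (malicious + suspicious >= 1) verdict = 'suspicious';
  const ptc = attrs.popular_threat_classification || {};
  return { verdict, malicious, suspicious, total, label: ptc.suggested_threat_label || null };
}

// Routing decision mirroring the template: email always, ticket + Slack only
// when the file is malicious or suspicious.
function routeFileAlert(verdict) {
  const escalate = verdict === 'malicious' || verdict === 'suspicious';
  return { email: true, ticket: escalate, slack: escalate };
}

// Plain-text summary for the Gmail node.
function fileSummary(ioc, vt) {
  return [
    `File alert on ${ioc.agent}: ${ioc.path || '(no path)'} (${ioc.event || 'unknown event'})`,
    `Verdict: ${vt.verdict.toUpperCase()} (${vt.malicious} malicious, ${vt.suspicious} suspicious of ${vt.total} engines)`,
    `Threat label: ${vt.label || 'n/a'}`,
    `SHA256: ${ioc.hashes.sha256 || 'n/a'}  MD5: ${ioc.hashes.md5 || 'n/a'}`,
  ].join('\n');
}

// Constructed sample alert; the hashes are placeholders, not a real file.
const SAMPLE_ALERT = {
  agent: { name: 'web-01' },
  rule: { level: 7, description: 'File added to the system.' },
  syscheck: {
    path: '/var/www/html/uploads/shell.php',
    event: 'added',
    md5_after: 'd41d8cd98f00b204e9800998ecf8427e',
    sha256_after: '0123456789ABCDEF0123456789abcdef0123456789abcdef0123456789abcdef',
  },
};

// Constructed VirusTotal v3 response body (shape only, numbers invented).
const SAMPLE_VT_RESPONSE = {
  data: {
    attributes: {
      last_analysis_stats: { harmless: 0, malicious: 42, suspicious: 2, undetected: 20, timeout: 0 },
      popular_threat_classification: { suggested_threat_label: 'trojan.php/webshell' },
    },
  },
};

const ioc = extractIocs(SAMPLE_ALERT);
const vt = vtFileVerdict(200, SAMPLE_VT_RESPONSE);
console.log(fileSummary(ioc, vt));
console.log(routeFileAlert(vt.verdict));
```

The hash regexes reject anything that is not a well-formed digest before it reaches the HTTP Request node, so a malformed or attacker-supplied field cannot be turned into an arbitrary VirusTotal URL path, and the `lookupHash` selection means one lookup per alert regardless of how many digests Wazuh included.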
IP reputation check & SOC alerts with Splunk, VirusTotal and AlienVault
IP Reputation Check & Threat Summary using Splunk + VirusTotal + AlienVault + n8n

This workflow automates IP reputation analysis from Splunk alerts, enriches the address via VirusTotal and AlienVault OTX, and generates actionable threat summaries for SOC teams, with no custom integration code to write beyond the included Function nodes.

---

What It Does

When a Splunk alert contains a suspicious IP:

1. Ingests the IP from the Splunk alert via webhook.
2. Performs dual threat enrichment using VirusTotal (IP reputation and tags) and AlienVault OTX (pulses, reputation and WHOIS).
3. Merges and processes the threat intel data.
4. Generates a rich HTML summary for analyst review.
5. Routes action based on severity: sends a Slack alert for suspicious IPs, creates an incident in ServiceNow, and emails a formatted HTML report to the SOC inbox.

---

Tech Stack Used

- Splunk: SIEM alert source
- VirusTotal API: reputation check and analysis stats
- AlienVault OTX API: community threat intel and pulse info
- n8n: orchestration, merging, summary generation
- Slack, Gmail, ServiceNow: SOC notifications and ticketing

---

Ideal Use Case

Security teams wanting to:

- Automatically validate IP reputation from SIEM logs
- Get quick context from multiple threat feeds
- Generate email-ready reports and escalate high-risk IPs

---

Included Nodes

- Webhook (Splunk)
- Function nodes for IOC extraction and intel processing
- HTTP Request (VirusTotal & AlienVault)
- Merge + Switch nodes for conditional logic
- Gmail, Slack, ServiceNow integration

---

Tips

- Add your VirusTotal and AlienVault credentials in n8n's credential manager.
- Use the Switch node to route based on your internal threat score logic.
- Check that the extracted value is a public IP address before the HTTP Request nodes run: private, loopback and link-local addresses waste API quota and disclose internal addressing to third parties.
- Escape tags, pulse names and other third-party strings before placing them in the HTML report; they are attacker- or community-controlled and must not be able to inject markup into the email.
- Easily extend this to include AbuseIPDB or GreyNoise for deeper enrichment.
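The five steps above, as an added example that is not part of the template and not n8n's, Splunk's, VirusTotal's or OTX's own code: IP extraction with a public-address check, the VirusTotal + OTX merge into one score, the severity switch, and an HTML summary that escapes third-party strings. It assumes the JSON shape Splunk's webhook alert action posts (`sid`, `search_name`, `result` with the first result row's fields), a VirusTotal v3 `/ip_addresses/{ip}` body and an OTX `/api/v1/indicators/IPv4/{ip}/general` body; the field name `src_ip`, the score weights, the severity cut-offs and all sample data are constructed for the example and are not the template's own values.

```javascript
// Added example (not the template's own code): the Splunk -> VirusTotal + OTX
// Function/Merge logic as plain JavaScript, runnable under Node. Payload shape
// follows Splunk's webhook alert action ({ sid, search_name, result: {...} });
// the src_ip field name, score weights and cut-offs are this example's assumptions.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Returns why an address must not be sent to external threat-intel APIs
// (private, loopback, link-local, multicast/reserved), or null if it is fine.
function nonRoutableReason(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m) return 'not an IPv4 address';
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return 'not an IPv4 address';
  const [a, b] = octets;
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'private (RFC 1918)';
  if (a === 127) return 'loopback';
  if (a === 169 && b === 254) return 'link-local';
  if (a === 0 || a >= 224) return 'reserved or multicast';
  return null;
}

// Step 1: pull the IP out of the Splunk webhook payload and decide whether
// the HTTP Request nodes should run at all.
function extractIp(payload, field = 'src_ip') {
  const ip = String((payload.result || {})[field] || '').trim();
  const reason = ip ? nonRoutableReason(ip) : `missing ${field} field`;
  return { ip: ip || null, searchName: payload.search_name || null, sid: payload.sid || null,
           lookup: reason === null, skipReason: reason };
}

// Steps 2 and 3: merge VirusTotal /ip_addresses/{ip} and OTX
// /indicators/IPv4/{ip}/general into one score (weights are assumptions).
function scoreIp(vtBody, otxBody) {
  const attrs = (vtBody.data && vtBody.data.attributes) || {};
  const stats = attrs.last_analysis_stats || {};
  const pulseInfo = otxBody.pulse_info || {};
  const malicious = stats.malicious || 0;
  const suspicious = stats.suspicious || 0;
  const pulses = pulseInfo.count || 0;
  const score = Math.min(100, malicious * 10 + suspicious * 3 + pulses * 5);
  const severity = score >= 60 ? 'high' : score >= 20 ? 'medium' : 'low';
  return {
    score, severity, malicious, suspicious, pulses,
    vtReputation: typeof attrs.reputation === 'number' ? attrs.reputation : null,
    tags: attrs.tags || [],
    asOwner: attrs.as_owner || null,
    country: attrs.country || otxBody.country_name || null,
    pulseNames: (pulseInfo.pulses || []).map((p) => p.name),
  };
}

// Step 5: what the Switch node fans out to. Email always; Slack from medium
// up; a ServiceNow incident only for high severity.
function routeBySeverity(severity) {
  return { email: true, slack: severity !== 'low', serviceNow: severity === 'high' };
}

// Escape before interpolating: tags and pulse names are third-party strings
// and must not be able to inject markup into the SOC mailbox.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Step 4: the HTML summary for the Gmail node.
function htmlSummary(ioc, intel) {
  const li = (label, value) => `<li><b>${escapeHtml(label)}:</b> ${escapeHtml(value)}</li>`;
  return [
    `<h3>IP reputation: ${escapeHtml(ioc.ip)} (${escapeHtml(intel.severity)}, score ${intel.score})</h3>`,
    '<ul>',
    li('Splunk search', ioc.searchName || 'n/a'),
    li('VirusTotal', `${intel.malicious} malicious / ${intel.suspicious} suspicious, reputation ${intel.vtReputation === null ? 'n/a' : intel.vtReputation}`),
    li('AS / country', `${intel.asOwner || 'n/a'} / ${intel.country || 'n/a'}`),
    li('Tags', intel.tags.join(', ') || 'none'),
    li('OTX pulses', intel.pulses ? intel.pulseNames.join('; ') : 'none'),
    '</ul>',
  ].join('\n');
}

// Constructed sample inputs (203.0.113.0/24 is a documentation range).
const SAMPLE_SPLUNK = {
  sid: 'scheduler__admin__search__RMD5abc_at_1700000000_1',
  search_name: 'Outbound connection to rare external IP',
  result: { src_ip: '203.0.113.45', dest_port: '443', count: '17' },
};
const SAMPLE_VT = { data: { attributes: {
  last_analysis_stats: { harmless: 60, malicious: 12, suspicious: 3, undetected: 15, timeout: 0 },
  reputation: -35, tags: ['tor'], as_owner: 'Example Hosting Ltd', country: 'NL',
} } };
const SAMPLE_OTX = {
  country_name: 'Netherlands',
  pulse_info: { count: 4, pulses: [{ name: 'Cobalt Strike C2 <test>' }, { name: 'Scanner list' }] },
};

const ioc = extractIp(SAMPLE_SPLUNK);
const intel = scoreIp(SAMPLE_VT, SAMPLE_OTX);
console.log(htmlSummary(ioc, intel));
console.log(routeBySeverity(intel.severity));
```

In the workflow, `extractIp(...).lookup` is the condition an If node would check before the two HTTP Request nodes, so an alert on an internal address still reaches the analyst (with `skipReason` in the summary) without burning VirusTotal or OTX quota or handing internal addressing to a third party.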