A collection of hardened n8n workflows for Security Operations Center (SOC) threat intelligence lookups. These workflows accept indicators of compromise (IOCs) via a central dispatcher and return formatted HTML reports aggregating data from multiple threat intelligence sources.
```text
┌──────────────┐      ┌──────────────────┐
│ Security     │─────▶│ Dispatcher       │
│ Onion Chat   │      │ (Basic Auth +    │
│ or Webhook   │      │ input validation)│
└──────────────┘      └───────┬──────────┘
                              │ regex routing
             ┌────────────────┼──────────────┬──────────────┐
             ▼                ▼              ▼              ▼
      ┌────────────┐    ┌───────────┐  ┌───────────┐  ┌───────────┐
      │ IP         │    │ Domain    │  │ Hash      │  │ CVE       │
      │ Reputation │    │ Reputation│  │ Reputation│  │ Info      │
      └────────────┘    └───────────┘  └───────────┘  └───────────┘
```
| Workflow | File | Nodes | Sources |
|---|---|---|---|
| Dispatcher | `dispatcher.json` | 12 | Routes IOCs to sub-workflows via regex matching |
| IP Reputation | `ip-reputation.json` | 18 | VirusTotal, Shodan, AbuseIPDB, MISP |
| Domain Reputation | `domain-reputation.json` | 21 | VirusTotal, Shodan, urlscan.io, MISP |
| Hash Reputation | `hash-reputation.json` | 19 | VirusTotal, HybridAnalysis, MalwareBazaar, MISP |
| CVE Info | `cve-info.json` | 7 | CIRCL Vulnerability API (CVE 5.0) |
All workflows have been hardened with the following measures:
- Zero hardcoded API keys — All credentials use n8n's Credential Manager (Header Auth, Query Auth, or native integrations)
- XSS prevention — All user-derived values are HTML-escaped before template insertion using a consistent `esc()` function
- Input validation — Dispatcher validates IOC format with strict regex before routing
- Authentication — Dispatcher webhook protected with Basic Auth via Header Auth credential
- Response optimization — HybridAnalysis responses slimmed from 6.6MB to ~200 bytes by extracting only required fields
- No pinned sensitive data — All test/pinned data sanitized; no leaked cookies, IPs, or session tokens
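As an added illustration of the two dispatcher-side controls above (strict, anchored regex validation before routing, and `esc()` before any value reaches the HTML template), here is a standalone JavaScript version in the shape an n8n Code node would use. This is example code, not the project's own `dispatcher.json` logic; the route names, the accepted hash lengths (MD5/SHA-1/SHA-256) and the domain pattern are assumptions.

```javascript
// Added example, not the project's dispatcher code. Route names are assumed
// to mirror the sub-workflow table: ip, domain, hash, cve.

// Every pattern is anchored (^...$) so the *whole* query must match; a value
// such as "8.8.8.8; DROP" or "<script>" is rejected instead of being routed.
const IOC_PATTERNS = {
  ip: /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/,
  hash: /^(?:[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64})$/i,          // MD5 / SHA-1 / SHA-256
  cve: /^CVE-\d{4}-\d{4,}$/i,
  domain: /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i,
};

// Classify a raw query. Returns { route, value } on success or
// { route: null, error } so the webhook can answer 400 without calling any API.
function classifyIoc(raw) {
  const value = String(raw ?? '').trim();
  if (value.length === 0 || value.length > 255) {
    return { route: null, error: 'empty or oversized query' };
  }
  for (const [route, re] of Object.entries(IOC_PATTERNS)) {
    if (!re.test(value)) continue;
    // Normalise case so downstream lookups and caching are stable.
    let norm = value;
    if (route === 'cve') norm = value.toUpperCase();
    if (route === 'hash' || route === 'domain') norm = value.toLowerCase();
    return { route, value: norm };
  }
  return { route: null, error: 'unrecognised IOC format' };
}

// HTML-escape a user-derived value before template insertion. Covers the five
// characters that can break out of element text or a quoted attribute.
function esc(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s ?? '').replace(/[&<>"']/g, (c) => map[c]);
}

// Inside an n8n Code node the body would reduce to:
//   const result = classifyIoc($input.first().json.query);
//   return [{ json: result }];
// and the report template would wrap every field as esc(field).
```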
- Self-hosted n8n (tested on v1.x Docker deployment)
- Credentials configured in n8n Credential Manager (see below)
| Credential Name | Type | Used By |
|---|---|---|
| VirusTotal API | Native VirusTotal | IP, Domain, Hash |
| Shodan Query Auth | Query Auth (`key` parameter) | IP, Domain |
| AbuseIPDB API | Header Auth (`Key` header) | IP |
| Hybrid Analysis API | Header Auth (`api-key` header) | Hash |
| Malware Bazaar API | Header Auth (`Auth-Key` header) | Hash |
| MISP API | Native MISP | IP, Domain, Hash |
| Dispatcher Basic Auth | Header Auth (`Authorization` header) | Dispatcher |
You'll need API keys for:
- VirusTotal (free tier works)
- Shodan (free tier works)
- AbuseIPDB (free tier works)
- Hybrid Analysis (free account required)
- MalwareBazaar (free)
- MISP (self-hosted instance)
- CIRCL CVE API (no auth required)
Import each JSON file via n8n UI:
- Open n8n → Workflows → Import from File
- Import `dispatcher.json` first
- Import the four sub-workflows
Or via CLI:

```bash
# Copy workflows to n8n container
docker cp workflows/ n8n-n8n-1:/tmp/
# Import each
docker exec n8n-n8n-1 n8n import:workflow --input=/tmp/workflows/dispatcher.json
docker exec n8n-n8n-1 n8n import:workflow --input=/tmp/workflows/ip-reputation.json
docker exec n8n-n8n-1 n8n import:workflow --input=/tmp/workflows/domain-reputation.json
docker exec n8n-n8n-1 n8n import:workflow --input=/tmp/workflows/hash-reputation.json
docker exec n8n-n8n-1 n8n import:workflow --input=/tmp/workflows/cve-info.json
```

After import, open each workflow and assign credentials to the appropriate nodes:
- Click any node with a ⚠️ warning → select the matching credential from your Credential Manager
- The Dispatcher's Execute Workflow nodes need the sub-workflow IDs updated to match your instance
The workflows point to a self-hosted MISP instance. Search for `misp.ardyzone` in the workflow JSONs and replace it with your MISP instance URL.
In `dispatcher.json`, the Execute Workflow nodes reference sub-workflows by ID. After importing, update each Execute Workflow node to point to the correct workflow in your instance.
- Activate sub-workflows first (IP, Domain, Hash, CVE)
- Activate the Dispatcher last
- Clear any pinned test data before activating
The Dispatcher is designed to receive queries from Security Onion's SOC console or any HTTP client:
```bash
# IP lookup
curl -X POST https://your-n8n.example.com/webhook/dispatcher \
  -H "Authorization: Basic <base64-encoded-credentials>" \
  -H "Content-Type: application/json" \
  -d '{"query": "8.8.8.8"}'

# Domain lookup
curl -X POST https://your-n8n.example.com/webhook/dispatcher \
  -H "Authorization: Basic <base64-encoded-credentials>" \
  -H "Content-Type: application/json" \
  -d '{"query": "example.com"}'

# Hash lookup (MD5 shown; the value is 32 hex characters)
curl -X POST https://your-n8n.example.com/webhook/dispatcher \
  -H "Authorization: Basic <base64-encoded-credentials>" \
  -H "Content-Type: application/json" \
  -d '{"query": "44d88612fea8a8f36de82e1278abb02f"}'

# CVE lookup
curl -X POST https://your-n8n.example.com/webhook/dispatcher \
  -H "Authorization: Basic <base64-encoded-credentials>" \
  -H "Content-Type: application/json" \
  -d '{"query": "CVE-2024-3400"}'
```

All sub-workflows return a styled HTML report using the Bulma CSS framework with dark mode support.
Each sub-workflow includes test data you can use:
- IP: `1.1.1.1` (benign), `185.220.101.1` (Tor exit node)
- Domain: `google.com` (benign), `malware.testcategory.com`
- Hash: `24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c` (WannaCry SHA-256)
- CVE: `CVE-2024-3400` (Palo Alto PAN-OS), `CVE-2017-0147` (EternalBlue)
```text
.
├── README.md
├── CHANGELOG.md
├── LICENSE
└── workflows/
    ├── dispatcher.json
    ├── ip-reputation.json
    ├── domain-reputation.json
    ├── hash-reputation.json
    └── cve-info.json
```
Originally based on the InTheCyber SOC workflow templates. Hardened and rebranded for ArkCybr SOC operations.
MIT License — see LICENSE for details.