{
  "name": "Monitor SSL certificates for brand-impersonating domains with crt.sh, Urlscan.io and Slack",
  "nodes": [
    {
      "id": "5a9b9b55-f3b5-4dad-9dd3-b08bf725f0dd",
      "name": "Schedule (Every Hour)",
      "type": "n8n-nodes-base.scheduleTrigger",
      "position": [
        592,
        576
      ]
    },
    {
      "id": "a6fdb539-8f90-4090-9bf2-3224081ae2e6",
      "name": "Poll crt.sh (SSL Logs)",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        816,
        576
      ]
    },
    {
      "id": "1de5d4c1-e5f5-4cb9-b032-cd8d24df5313",
      "name": "Filter & Deduplicate",
      "type": "n8n-nodes-base.code",
      "position": [
        1264,
        576
      ]
    },
    {
      "id": "5b663bf6-4fab-43be-9481-13b5d410f09e",
      "name": "Split In Batches",
      "type": "n8n-nodes-base.splitInBatches",
      "position": [
        1488,
        576
      ]
    },
    {
      "id": "179f2924-4a59-4cb9-9f29-11f611c432d1",
      "name": "Wait for Scan",
      "type": "n8n-nodes-base.wait",
      "position": [
        1920,
        512
      ]
    },
    {
      "id": "aaa47290-fbba-4a6e-8316-e550bfad4ebe",
      "name": "Alert Slack",
      "type": "n8n-nodes-base.slack",
      "position": [
        2384,
        576
      ]
    },
    {
      "id": "211e55b8-1516-48b8-aee4-e02169108bde",
      "name": "Perform a scan",
      "type": "n8n-nodes-base.urlScanIo",
      "position": [
        1712,
        512
      ]
    },
    {
      "id": "c525fb48-1552-417c-a472-cbaf104d91cb",
      "name": "Get a scan",
      "type": "n8n-nodes-base.urlScanIo",
      "position": [
        2160,
        512
      ]
    },
    {
      "id": "a9b666e6-a7b5-4b67-92e4-3a8f431cb99a",
      "name": "Split Out",
      "type": "n8n-nodes-base.splitOut",
      "position": [
        1040,
        576
      ]
    },
    {
      "id": "4b7fb101-dc9d-4b7b-af93-08a3d91512be",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        0,
        0
      ],
      "parameters": {
        "width": 544,
        "height": 992,
        "content": "## Phishing Lookout: Brand Impersonation Monitor\nThis workflow monitors SSL certificate logs to find and scan new domains that might be impersonating your brand.\n\n## Background\nIn modern cybersecurity"
      }
    },
    {
      "id": "0d84061a-e93e-4761-bda9-97201e6ea4c8",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        784,
        384
      ],
      "parameters": {
        "width": 384,
        "height": 352,
        "content": "## Poll crt.sh\n- Searches the crt.sh database for new SSL certificates using wildcard queries (e.g., %.testdomain.com).\n- Configured with Retry on Fail to handle intermittent 502/504 errors from the "
      }
    },
    {
      "id": "8fff4d5e-27e6-407c-b4ca-730bed75ac92",
      "name": "Sticky Note2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1184,
        304
      ],
      "parameters": {
        "width": 256,
        "height": 432,
        "content": "## Filter & Deduplicate\n- Only allows domains with certificates registered within the last 'x' hours.\n- Uses a myDomains list to exclude your company's legitimate domains from the scan. (Productive sc"
      }
    },
    {
      "id": "87a20b0b-144a-4900-b348-2d775e6bd356",
      "name": "Sticky Note3",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1648,
        192
      ],
      "parameters": {
        "width": 640,
        "height": 528,
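        "content": "## Perform scan, Wait, Get results in loop\nScan Trigger: Submits the suspicious URL to Urlscan.io for a safe, remote headless browser analysis.\nChoose the scan visibility (public, unlisted or private) deliberately: public Urlscan.io scans can be found by anyone.\nCaptures the uuid (Scan ID) needed to retrieve the resu"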
      }
    },
    {
      "id": "07a336f5-9efd-4c0a-ab8b-abbb0e1aa4a7",
      "name": "Sticky Note4",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        2320,
        288
      ],
      "parameters": {
        "width": 256,
        "height": 432,
        "content": "## Alert Slack\nNotification: Sends an alert to the security channel containing the suspicious site, domain, report link, and site screenshot.\n\nNote: \"Unfurl Media\" is enabled to display the screenshot "
      }
    }
  ],
  "connections": {
    "Split Out": {
      "main": [
        [
          {
            "node": "Filter & Deduplicate",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Get a scan": {
      "main": [
        [
          {
            "node": "Alert Slack",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Alert Slack": {
      "main": [
        [
          {
            "node": "Split In Batches",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Wait for Scan": {
      "main": [
        [
          {
            "node": "Get a scan",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Perform a scan": {
      "main": [
        [
          {
            "node": "Wait for Scan",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Split In Batches": {
      "main": [
        [],
        [
          {
            "node": "Perform a scan",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Filter & Deduplicate": {
      "main": [
        [
          {
            "node": "Split In Batches",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Schedule (Every Hour)": {
      "main": [
        [
          {
            "node": "Poll crt.sh (SSL Logs)",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Poll crt.sh (SSL Logs)": {
      "main": [
        [
          {
            "node": "Split Out",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}