{ "name": "Score DNS threats with VirusTotal, Abuse.ch, HashiCorp Vault and Gemini", "nodes": [ { "id": "84dca179-a0f0-49fd-8e5b-5feb60b26e82", "name": "Schedule Trigger", "type": "n8n-nodes-base.scheduleTrigger", "position": [ -3104, -496 ] }, { "id": "8bf1829c-9df2-41b2-a86e-75cc263170bb", "name": "Select rows from a table", "type": "n8n-nodes-base.mySql", "position": [ -2592, -496 ] }, { "id": "ff297aa5-0e9f-4f5e-b2e1-7a7eeaf96bf8", "name": "VirusTotal IP Scan", "type": "n8n-nodes-base.httpRequest", "position": [ -2160, -176 ] }, { "id": "301ce32c-69d1-4561-809b-792422ada724", "name": "If 'malicious' or 'suspicious'", "type": "n8n-nodes-base.if", "position": [ -1968, -176 ] }, { "id": "a56ac689-7f44-4614-bf7e-940d85ce6c40", "name": "Virus total API TOKEN", "type": "n8n-nodes-hashi-vault.hashiCorpVault", "position": [ -2352, -176 ] }, { "id": "2d61d46a-cd6d-4b12-a052-6cca8f988d34", "name": "Gemini AI Studio", "type": "n8n-nodes-hashi-vault.hashiCorpVault", "position": [ -752, -608 ] }, { "id": "a532302f-b601-47da-9197-9910b6c7b6df", "name": "AI Agent", "type": "@n8n/n8n-nodes-langchain.agent", "position": [ -592, -608 ] }, { "id": "db7320d8-0d9f-4035-83ac-60eae5e0659a", "name": "MySQL Pass", "type": "n8n-nodes-hashi-vault.hashiCorpVault", "position": [ -2944, -496 ] }, { "id": "fcc4211c-8807-4aa5-adc5-3abf05716f1d", "name": "Google Gemini Chat Model", "type": "@n8n/n8n-nodes-langchain.lmChatGoogleGemini", "position": [ -656, -384 ] }, { "id": "583369e8-7519-42a2-9174-0b1b6a811372", "name": "Parse AI Agent output", "type": "n8n-nodes-base.code", "position": [ -224, -720 ] }, { "id": "ce9c8563-971f-4531-a990-ecf3cd0024ab", "name": "Insert AI verdict", "type": "n8n-nodes-base.mySql", "position": [ 0, -720 ] }, { "id": "adabcf0d-8191-4bf2-ba73-07e78d78006f", "name": "Send an Email", "type": "n8n-nodes-base.emailSend", "position": [ 224, -448 ] }, { "id": "643dbbfa-6be9-475d-862a-8ba4f895d136", "name": "Abuse.CH_ThreatFox request", "type": "n8n-nodes-base.httpRequest", "position": [ -2160, -528 ] }, { "id": "990717f4-746b-423a-a67c-1876f3cb4222", "name": "Abuse API TOKEN", "type": "n8n-nodes-hashi-vault.hashiCorpVault", "position": [ -2352, -720 ] }, { "id": "3ca870ed-b0c3-407c-8cf3-66d54593ae62", "name": "Get Email Pass", "type": "n8n-nodes-hashi-vault.hashiCorpVault", "position": [ 0, -448 ] }, { "id": "0a02d8d8-5055-44a4-b165-848eb61e07e7", "name": "Abuse.CH_URLHaus", "type": "n8n-nodes-base.httpRequest", "position": [ -2144, -912 ] }, { "id": "392f063c-7556-40d7-91cc-045f62268f1f", "name": "Insert doc URLHaus", "type": "n8n-nodes-base.mongoDb", "position": [ -1568, -1008 ] }, { "id": "f941de13-8d24-4fd8-91cd-62921d64f886", "name": "Edit Json for Mongo - URLHaus", "type": "n8n-nodes-base.code", "position": [ -1744, -1008 ] }, { "id": "61246457-db7e-4a4a-9252-c1490d95efc5", "name": "Insert a clear scan - URLHaus", "type": "n8n-nodes-base.mySql", "position": [ -1744, -800 ] }, { "id": "3052da02-3e4f-4296-acdb-5046b1c096a0", "name": "Edit Json for Mongo - ThreatFox", "type": "n8n-nodes-base.code", "position": [ -1744, -608 ] }, { "id": "6d692e11-3337-4359-b4c2-c8240c435155", "name": "Insert a clear scan - ThreatFox", "type": "n8n-nodes-base.mySql", "position": [ -1744, -432 ] }, { "id": "fc72827d-518f-4148-827b-738fbe1149a7", "name": "Insert doc ThreatFox", "type": "n8n-nodes-base.mongoDb", "position": [ -1568, -608 ] }, { "id": "450424c2-bdcd-45a5-b36c-be2a9d646ee4", "name": "Insert a clear scan - VirusTotal", "type": "n8n-nodes-base.mySql", "position": [ -1744, -48 ] }, { "id": "d37f9a57-2001-4922-b76b-2ac3f08b851a", "name": "Edit Json for Mongo - VirusTotal", "type": "n8n-nodes-base.code", "position": [ -1744, -240 ] }, { "id": "906ced4e-8588-4a7e-8367-d7e4a3735e87", "name": "Mongo DB Pass", "type": "n8n-nodes-hashi-vault.hashiCorpVault", "position": [ -2768, -496 ] }, { "id": "dba05af7-2214-46f8-a689-9f3535e89995", "name": "Insert doc VirusTotal", "type": "n8n-nodes-base.mongoDb", "position": [ -1568, -240 ] }, { "id": "f5f11f7c-b94b-4b92-a8d9-8a49fdd3c756", "name": "Data reduction and aggregation - Urlhaus", "type": "n8n-nodes-base.code", "position": [ -1376, -848 ] }, { "id": "e08faa3a-62a3-4237-8656-a0f54c7889d3", "name": "Data reduction and aggregation - ThreatFox", "type": "n8n-nodes-base.code", "position": [ -1376, -608 ] }, { "id": "22f949e1-9fc7-41b6-bcec-3582c355a217", "name": "Data reduction and aggregation - VirusTotal", "type": "n8n-nodes-base.code", "position": [ -1376, -352 ] }, { "id": "5116e479-f768-40d5-bda2-5a11ed457aff", "name": "Merge", "type": "n8n-nodes-base.merge", "position": [ -1104, -624 ] }, { "id": "b14246cd-3917-44a5-9ebc-27e90118387c", "name": "Code for Merge", "type": "n8n-nodes-base.code", "position": [ -928, -608 ] }, { "id": "34ac24c9-e2bf-4f03-ad2a-8c8c57218632", "name": "Sticky Note", "type": "n8n-nodes-base.stickyNote", "position": [ -3136, -592 ], "parameters": { "width": 672, "height": 288, "content": "## Orchestration & Data Ingestion\n\n" } }, { "id": "c79b8cfa-45c8-4173-a58d-62a6adc8679d", "name": "Sticky Note1", "type": "n8n-nodes-base.stickyNote", "position": [ -2400, -992 ], "parameters": { "width": 576, "height": 992, "content": "## Multi-Source Threat Intelligence Enrichment\n\n" } }, { "id": "4a9b306d-a43b-49b3-8c60-1f29ccb12798", "name": "Sticky Note2", "type": "n8n-nodes-base.stickyNote", "position": [ -1808, -1088 ], "parameters": { "width": 624, "height": 1232, "content": "## Dual-Layer Persistence Strategy\n" } }, { "id": "733bed6a-a760-4f3e-9cfa-507a133d3e6e", "name": "Sticky Note3", "type": "n8n-nodes-base.stickyNote", "position": [ -1152, -752 ], "parameters": { "width": 800, "height": 512, "content": "## AI Synthesis & Cognitive Analysis\n\n" } }, { "id": "9397274e-2b43-4311-bb10-71917f04eaa2", "name": "Sticky Note4", "type": "n8n-nodes-base.stickyNote", "position": [ -320, -800 ], "parameters": { "width": 688, "height": 528, "content": "## Incident Reporting & Remediation\n\n" } }, { "id": "283c9478-9c26-457b-8523-e2fe91da72cc", "name": "If query_status = ok - UrlHause", "type": "n8n-nodes-base.if", "position": [ -1968, -912 ] }, { "id": "12f99d4d-1cee-47ab-bef6-3770dd24fea0", "name": "If query_status = ok - ThretFox", "type": "n8n-nodes-base.if", "position": [ -1968, -528 ] }, { "id": "b4748bfd-2c53-4ae2-8df1-1dcba238a284", "name": "Filter", "type": "n8n-nodes-base.filter", "position": [ -224, -448 ] }, { "id": "3ada188a-28ca-46c6-8387-a07bf03fdd63", "name": "Sticky Note5", "type": "n8n-nodes-base.stickyNote", "position": [ -3840, -784 ], "parameters": { "width": 688, "height": 608, "content": "# 🛡️ Project: Cyber Sentinel\n\n### **Purpose**\nAutonomous **Cyber Threat Intelligence (CTI)** & **Passive DNS Monitoring**. This workflow orchestrates the analysis of DNS telemetry using AI to detect m" } } ], "connections": { "Merge": { "main": [ [ { "node": "Code for Merge", "type": "main", "index": 0 } ] ] }, "Filter": { "main": [ [ { "node": "Get Email Pass", "type": "main", "index": 0 } ] ] }, "AI Agent": { "main": [ [ { "node": "Parse AI Agent output", "type": "main", "index": 0 } ] ] }, "MySQL Pass": { "main": [ [ { "node": "Mongo DB Pass", "type": "main", "index": 0 } ] ] }, "Mongo DB Pass": { "main": [ [ { "node": "Select rows from a table", "type": "main", "index": 0 } ] ] }, "Send an Email": { "main": [ [] ] }, "Code for Merge": { "main": [ [ { "node": "Gemini AI Studio", "type": "main", "index": 0 } ] ] }, "Get Email Pass": { "main": [ [ { "node": "Send an Email", "type": "main", "index": 0 } ] ] }, "Abuse API TOKEN": { "main": [ [ { "node": "Abuse.CH_ThreatFox request", "type": "main", "index": 0 }, { "node": "Abuse.CH_URLHaus", "type": "main", "index": 0 } ] ] }, "Abuse.CH_URLHaus": { "main": [ [ { "node": "If query_status = ok - UrlHause", "type": "main", "index": 0 } ] ] }, "Gemini AI Studio": { "main": [ [ { "node": "AI Agent", "type": "main", "index": 0 } ] ] }, "Schedule Trigger": { "main": [ [ { "node": "MySQL Pass", "type": "main", "index": 0 } ] ] }, "Insert AI verdict": { "main": [ [ { "node": "Filter", "type": "main", "index": 0 } ] ] }, "Insert doc URLHaus": { "main": [ [ { "node": "Data reduction and aggregation - Urlhaus", "type": "main", "index": 0 } ] ] }, "VirusTotal IP Scan": { "main": [ [ { "node": "If 'malicious' or 'suspicious'", "type": "main", "index": 0 } ] ] }, "Insert doc ThreatFox": { "main": [ [ { "node": "Data reduction and aggregation - ThreatFox", "type": "main", "index": 0 } ] ] }, "Insert doc VirusTotal": { "main": [ [ { "node": "Data reduction and aggregation - VirusTotal", "type": "main", "index": 0 } ] ] }, "Parse AI Agent output": { "main": [ [ { "node": "Insert AI verdict", "type": "main", "index": 0 } ] ] }, "Virus total API TOKEN": { "main": [ [ { "node": "VirusTotal IP Scan", "type": "main", "index": 0 } ] ] }, "Google Gemini Chat Model": { "ai_languageModel": [ [ { "node": "AI Agent", "type": "ai_languageModel", "index": 0 } ] ] }, "Select rows from a table": { "main": [ [ { "node": "Virus total API TOKEN", "type": "main", "index": 0 }, { "node": "Abuse API TOKEN", "type": "main", "index": 0 } ] ] }, "Abuse.CH_ThreatFox request": { "main": [ [ { "node": "If query_status = ok - ThretFox", "type": "main", "index": 0 } ] ] }, "Edit Json for Mongo - URLHaus": { "main": [ [ { "node": "Insert doc URLHaus", "type": "main", "index": 0 } ] ] }, "If 'malicious' or 'suspicious'": { "main": [ [ { "node": "Edit Json for Mongo - VirusTotal", "type": "main", "index": 0 } ], [ { "node": "Insert a clear scan - VirusTotal", "type": "main", "index": 0 } ] ] }, "Edit Json for Mongo - ThreatFox": { "main": [ [ { "node": "Insert doc ThreatFox", "type": "main", "index": 0 } ] ] }, "If query_status = ok - ThretFox": { "main": [ [ { "node": "Edit Json for Mongo - ThreatFox", "type": "main", "index": 0 } ], [ { "node": "Insert a clear scan - ThreatFox", "type": "main", "index": 0 } ] ] }, "If query_status = ok - UrlHause": { "main": [ [ { "node": "Edit Json for Mongo - URLHaus", "type": "main", "index": 0 } ], [ { "node": "Insert a clear scan - URLHaus", "type": "main", "index": 0 } ] ] }, "Edit Json for Mongo - VirusTotal": { "main": [ [ { "node": "Insert doc VirusTotal", "type": "main", "index": 0 } ] ] }, "Data reduction and aggregation - Urlhaus": { "main": [ [ { "node": "Merge", "type": "main", "index": 0 } ] ] }, "Data reduction and aggregation - ThreatFox": { "main": [ [ { "node": "Merge", "type": "main", "index": 1 } ] ] }, "Data reduction and aggregation - VirusTotal": { "main": [ [ { "node": "Merge", "type": "main", "index": 2 } ] ] } } }