{
  "id": "LS3DQMrTIzPpWEnp",
  "meta": {
    "templateCredsSetupCompleted": true
  },
  "name": "\u2705Wazuh Alert- Malicious File detection",
  "tags": [],
  "nodes": [
    {
      "id": "850ecc07-1698-4f8f-8bfd-d11690a5bcb3",
      "name": "file summary display",
      "type": "n8n-nodes-base.html",
      "position": [
        -220,
        560
      ],
      "parameters": {
        "html": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"UTF-8\">\n  <title>File Threat Summary</title>\n  <style>\n    body {\n      font-family: \"Segoe UI\", sans-serif;\n      background-color: #121212;\n      color: #f0f0f0;\n      padding: 20px;\n    }\n    .card {\n      background-color: #1e1e1e;\n      border-radius: 12px;\n      box-shadow: 0 4px 12px rgba(0, 0, 0, 0.6);\n      padding: 20px;\n      max-width: 600px;\n      margin: auto;\n      border: 1px solid #333;\n    }\n    .long-text {\n      word-break: break-all;\n      overflow-wrap: break-word;\n      white-space: pre-wrap;\n      font-size: 0.9rem;\n      color: #e0e0e0;\n    }\n    h1 {\n      color: #00bfff;\n    }\n    .label {\n      font-weight: bold;\n      color: #c5e1a5;\n    }\n    .tag {\n      background-color: #333;\n      color: #c5cae9;\n      border-radius: 5px;\n      padding: 2px 6px;\n      margin: 3px 4px 3px 0;\n      display: inline-block;\n      font-size: 0.85rem;\n    }\n    .status-safe {\n      color: #00e676;\n    }\n    .status-suspicious {\n      color: #ff5252;\n    }\n    .timestamp {\n      margin-top: 20px;\n      font-size: 0.9rem;\n      color: #999;\n    }\n  </style>\n</head>\n<body>\n  <div class=\"card\">\n    <h1>\ud83e\uddea File Threat Summary</h1>\n    <p><span class=\"label\">File:</span> {{ $json.summary.Name }}</p>\n    <p><span class=\"label\">SHA256:</span> <span class=\"long-text\">{{ $json.summary.SHA256 }}</span></p>\n    <p><span class=\"label\">Reputation:</span> {{ $json.summary.Reputation }}</p>\n    <p><span class=\"label\">Threat Label:</span> {{ $json.summary.Description }}</p>\n    <p><span class=\"label\">Magic Signature:</span> {{ $json.summary.Magic }}</p>\n\n    <p><span class=\"label\">Status:</span> \n      <span class=\"{{ $json.summary.Status === 'Safe' ? 'status-safe' : 'status-suspicious' }}\">\n        {{ $json.summary.Status }}\n      </span>\n    </p>\n\n    <p class=\"label\">Analysis Stats:</p>\n    <ul>\n      <li>Malicious: {{ $json.summary.Malicious }}</li>\n      <li>Suspicious: {{ $json.summary.Suspicious }}</li>\n      <li>Harmless: {{ $json.summary.Harmless }}</li>\n      <li>Undetected: {{ $json.summary.Undetected }}</li>\n    </ul>\n\n    <p class=\"label\">Tags:</p>\n    <div>{{ $json.summary.Tags_HTML }}</div>\n\n  </div>\n  <div class=\"timestamp\">Generated at: {{ $json.summary.Generated_At }}</div>\n</body>\n</html>\n"
      },
      "typeVersion": 1.2
    },
    {
      "id": "082b96b1-acc1-40f6-8abe-15c516a8af10",
      "name": "Gmail1",
      "type": "n8n-nodes-base.gmail",
      "position": [
        20,
        560
      ],
      "parameters": {
        "sendTo": "user@example.com",
        "message": "={{ $json.html }}",
        "options": {},
        "subject": "Alert"
      },
      "credentials": {
        "gmailOAuth2": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.1
    },
    {
      "id": "d8efcbad-fd0e-4e75-86a9-7572e357de4f",
      "name": "Wazuh Alert",
      "type": "n8n-nodes-base.webhook",
      "position": [
        -1080,
        820
      ],
      "parameters": {
        "path": "file_validation",
        "options": {},
        "httpMethod": "POST"
      },
      "typeVersion": 2
    },
    {
      "id": "dabe00ea-820a-47df-b61b-8b5353ee7dbd",
      "name": "Extract IOCs",
      "type": "n8n-nodes-base.code",
      "position": [
        -860,
        820
      ],
      "parameters": {
        "jsCode": "const body = items[0].json.body || {};\nconst syscheck = body.syscheck || {};\nconst rule = body.rule || {};\n\nconst md5 = syscheck.md5_after || null;\nconst sha1 = syscheck.sha1_after || null;\nconst sha256 = syscheck.sha256_after || null;\nconst filePath = syscheck.path || null;\n\nconst description = rule.description || 'No description';\nconst agent = body.agent?.name || 'unknown';\nconst level = rule.level || 'unknown';\n\nreturn [{\n  json: {\n    type: 'file_alert',\n    md5,\n    sha1,\n    sha256,\n    file_path: filePath,\n    description,\n    agent,\n    level,\n    full_alert: body\n  }\n}];\n"
      },
      "typeVersion": 2
    },
    {
      "id": "4a121bd9-9a42-4b53-9bb7-7b75c6ca40ff",
      "name": "Generate File Summary",
      "type": "n8n-nodes-base.code",
      "position": [
        -420,
        820
      ],
      "parameters": {
        "jsCode": "const data = items[0].json.data?.attributes;\n\nconst summary = {\n  SHA256: items[0].json.data?.id || 'N/A',\n  Malicious: data?.last_analysis_stats?.malicious || 0,\n  Suspicious: data?.last_analysis_stats?.suspicious || 0,\n  Undetected: data?.last_analysis_stats?.undetected || 0,\n  Harmless: data?.last_analysis_stats?.harmless || 0,\n  Tags: (data?.tags || []).join(', '),\n  Tags_HTML: (data?.tags || []).map(tag =>\n    `<span class=\"tag\">${tag.trim()}</span>`\n  ).join(''),\n  Magic: data?.magic || 'N/A',\n  Name: data?.meaningful_name || 'Unknown',\n  Description: data?.popular_threat_classification?.suggested_threat_label || 'No Label',\n  Reputation: data?.reputation || 0,\n  Generated_At: new Date().toLocaleString('en-IN', {\n    timeZone: 'Asia/Kolkata',\n    dateStyle: 'short',\n    timeStyle: 'medium'\n  })\n};\n\n// Determine Status\nconst status = (summary.Malicious > 0 || summary.Suspicious > 0) ? 'Suspicious' : 'Safe';\nsummary.Status = status;\n\nreturn [\n  {\n    json: {\n      summary\n    }\n  }\n];\n"
      },
      "typeVersion": 2
    },
    {
      "id": "76b0d5b3-f12c-46ff-9488-704854673aea",
      "name": "Filter Suspicious Files",
      "type": "n8n-nodes-base.switch",
      "position": [
        -180,
        1100
      ],
      "parameters": {
        "rules": {
          "values": [
            {
              "conditions": {
                "options": {
                  "version": 2,
                  "leftValue": "",
                  "caseSensitive": true,
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "id": "c151e5cc-a506-4c2f-9c1a-7159592eb1b7",
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    },
                    "leftValue": "={{ $json.summary.Status }}",
                    "rightValue": "Suspicious"
                  }
                ]
              }
            }
          ]
        },
        "options": {}
      },
      "typeVersion": 3.2
    },
    {
      "id": "3d6a1922-e62a-4653-acee-bf1d26a7f9d3",
      "name": "Create File Incident",
      "type": "n8n-nodes-base.serviceNow",
      "position": [
        20,
        1000
      ],
      "parameters": {
        "resource": "incident",
        "operation": "create",
        "authentication": "basicAuth",
        "additionalFields": {},
        "short_description": "=Potential malicious file detected: file '{{ $json.summary.Name }}' with SHA256 '{{ $json.summary.SHA256.slice(0, 12) }}...' flagged as '{{ $json.summary.Status }}' by VirusTotal. Threat classification: '{{ $json.summary.Description }}'."
      },
      "credentials": {
        "serviceNowBasicApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1
    },
    {
      "id": "8f60bfc2-382f-4ffd-b3d4-ecfd313d774b",
      "name": "Slack File Alert",
      "type": "n8n-nodes-base.slack",
      "position": [
        20,
        1200
      ],
      "parameters": {
        "text": "=\u26a0\ufe0f File Threat Detected  \n\ud83e\uddfe File: {{ $json.summary.Name || 'Unknown file' }} \n\ud83e\uddec SHA256: {{ $json.summary.SHA256.slice(0, 12) }}...\n\ud83d\udd0d Status: {{ $json.summary.Status }} \n\ud83d\udcdb Threat: {{ $json.summary.Description }} ",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "list",
          "value": "C0913JPTZBJ",
          "cachedResultName": "n8n-trigger"
        },
        "otherOptions": {},
        "authentication": "oAuth2"
      },
      "credentials": {
        "slackOAuth2Api": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.3
    },
    {
      "id": "5f7eb5d0-2c96-4a5a-b50f-78343d71c8fb",
      "name": "VirusTotal File Hash Validation",
      "type": "n8n-nodes-base.httpRequest",
      "onError": "continueRegularOutput",
      "position": [
        -640,
        820
      ],
      "parameters": {
        "": "",
        "url": "=https://www.virustotal.com/api/v3/files/{{ $json.sha256 }}",
        "method": "GET",
        "options": {},
        "sendBody": false,
        "sendQuery": false,
        "curlImport": "",
        "infoMessage": "",
        "sendHeaders": false,
        "authentication": "predefinedCredentialType",
        "httpVariantWarning": "",
        "nodeCredentialType": "virusTotalApi",
        "provideSslCertificates": false
      },
      "credentials": {
        "virusTotalApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.2,
      "extendsCredential": "virusTotalApi"
    },
    {
      "id": "fe7e02b8-d305-4b70-91db-fd4e43daf3f7",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -1100,
        600
      ],
      "parameters": {
        "color": 4,
        "width": 360,
        "height": 200,
        "content": "## Alert Ingestion & Threat Intelligence\n- Receives file integrity alerts via webhook.\n- Extracts SHA256, MD5, filename, path, and agent info.\n- Prepares clean JSON data for threat validation.\n"
      },
      "typeVersion": 1
    },
    {
      "id": "ad135139-d360-4a2e-95da-8007b13aba0a",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -220,
        740
      ],
      "parameters": {
        "width": 360,
        "height": 220,
        "content": "## Alert Escalation & Analyst Notification\n- Routes alerts based on threat level (Safe or Suspicious).\n- Sends Slack alert and creates ServiceNow ticket if suspicious.\n- Emails formatted threat summary to analyst inbox.\n\n"
      },
      "typeVersion": 1
    },
    {
      "id": "a72c8256-0cc7-493c-9605-ba7cc6fd322a",
      "name": "Sticky Note2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -700,
        600
      ],
      "parameters": {
        "width": 400,
        "height": 200,
        "content": "## VirusTotal Enrichment & Threat Summary\n- Validates file hash with VirusTotal API.\n- Gathers reputation, detection stats, threat label, and tags.\n- Generates a readable HTML summary with file context.\n"
      },
      "typeVersion": 1
    }
  ],
  "active": false,
  "settings": {
    "executionOrder": "v1"
  },
  "versionId": "0ae8f2a4-1a78-4c18-8d34-9189d04bbbf2",
  "connections": {
    "Wazuh Alert": {
      "main": [
        [
          {
            "node": "Extract IOCs",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Extract IOCs": {
      "main": [
        [
          {
            "node": "VirusTotal File Hash Validation",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "file summary display": {
      "main": [
        [
          {
            "node": "Gmail1",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Generate File Summary": {
      "main": [
        [
          {
            "node": "file summary display",
            "type": "main",
            "index": 0
          },
          {
            "node": "Filter Suspicious Files",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Filter Suspicious Files": {
      "main": [
        [
          {
            "node": "Slack File Alert",
            "type": "main",
            "index": 0
          },
          {
            "node": "Create File Incident",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "VirusTotal File Hash Validation": {
      "main": [
        [
          {
            "node": "Generate File Summary",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}