This workflow follows the HTTP Request → Itemlists recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
{
"id": "IMVycpyABaGuD1hq",
"name": "Analyze_Crowdstrike_Detections__search_for_IOCs_in_VirusTotal__create_a_ticket_in_Jira_and_post_a_message_in_Slack",
"tags": [
{
"id": "GCHVocImoXoEVnzP",
"name": "\ud83d\udee0\ufe0f In progress",
"createdAt": "2023-10-31T02:17:21.618Z",
"updatedAt": "2023-10-31T02:17:21.618Z"
},
{
"id": "QPJKatvLSxxtrE8U",
"name": "Secops",
"createdAt": "2023-10-31T02:15:11.396Z",
"updatedAt": "2023-10-31T02:15:11.396Z"
}
],
"nodes": [
{
"id": "bd1234f2-631c-457d-8423-cec422852bbc",
"name": "Schedule Trigger",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
-880,
602
],
"parameters": {
"rule": {
"interval": [
{}
]
}
},
"typeVersion": 1.1
},
{
"id": "b9f134cd-06de-49cd-83a2-19f705fd18c6",
"name": "Split out detections",
"type": "n8n-nodes-base.itemLists",
"notes": "So we can process each one individually",
"position": [
-440,
602
],
"parameters": {
"options": {},
"fieldToSplitOut": "resources"
},
"notesInFlow": true,
"typeVersion": 3
},
{
"id": "8d1fc16d-bcbd-4ca2-ac2d-ea676cde4403",
"name": "Get recent detections from Crowdstrike",
"type": "n8n-nodes-base.httpRequest",
"disabled": true,
"position": [
-660,
602
],
"parameters": {
"url": "https://api.us-2.crowdstrike.com/detects/queries/detects/v1",
"options": {},
"sendQuery": true,
"authentication": "predefinedCredentialType",
"queryParameters": {
"parameters": [
{
"name": "filter",
"value": "status:'new'"
}
]
},
"nodeCredentialType": "crowdStrikeOAuth2Api"
},
"credentials": {
"crowdStrikeOAuth2Api": {
"name": "<your credential>"
}
},
"typeVersion": 4.1
},
{
"id": "bda81386-f301-44ac-ba91-2301ecdad6c3",
"name": "Get detection details",
"type": "n8n-nodes-base.httpRequest",
"disabled": true,
"position": [
-220,
602
],
"parameters": {
"url": "https://api.us-2.crowdstrike.com/detects/entities/summaries/GET/v1",
"method": "POST",
"options": {},
"jsonBody": "={\n \"ids\":[\"{{ $json.resources }}\"]\n}",
"sendBody": true,
"sendQuery": true,
"specifyBody": "json",
"authentication": "predefinedCredentialType",
"queryParameters": {
"parameters": [
{
"name": "ids",
"value": "={{ $json.resources }}"
}
]
},
"nodeCredentialType": "crowdStrikeOAuth2Api"
},
"credentials": {
"crowdStrikeOAuth2Api": {
"name": "<your credential>"
}
},
"typeVersion": 4.1
},
{
"id": "ed6fe708-c67e-4cd1-800f-e13ab999c1c2",
"name": "Split out behaviours",
"type": "n8n-nodes-base.itemLists",
"position": [
280,
362
],
"parameters": {
"options": {},
"fieldToSplitOut": "resources[0].behaviors"
},
"typeVersion": 3
},
{
"id": "4d6c708c-56c3-43b7-ae06-0078d917ebd5",
"name": "Look up SHA in Virustotal",
"type": "n8n-nodes-base.httpRequest",
"position": [
720,
362
],
"parameters": {
"url": "=https://www.virustotal.com/api/v3/files/{{ $json.dsha256 }}",
"options": {},
"authentication": "predefinedCredentialType",
"nodeCredentialType": "virusTotalApi"
},
"credentials": {
"virusTotalApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.1,
"continueOnFail": true
},
{
"id": "3e9f63a1-7a2a-43e3-998c-32eef23f8066",
"name": "Look up IOC in Virustotal",
"type": "n8n-nodes-base.httpRequest",
"position": [
940,
362
],
"parameters": {
"url": "=https://www.virustotal.com/api/v3/files/{{ $('Split out behaviours').item.json.ioc_value }}",
"options": {},
"authentication": "predefinedCredentialType",
"nodeCredentialType": "virusTotalApi"
},
"credentials": {
"virusTotalApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.1,
"continueOnFail": true
},
{
"id": "4249e16a-e84b-4af8-98e7-8a771a9016f0",
"name": "Split In Batches",
"type": "n8n-nodes-base.splitInBatches",
"position": [
60,
602
],
"parameters": {
"options": {},
"batchSize": 1
},
"typeVersion": 2
},
{
"id": "a6de25ad-195d-44a8-a8da-3ec14bfaec66",
"name": "Merge behaviour descriptions",
"type": "n8n-nodes-base.itemLists",
"position": [
1460,
360
],
"parameters": {
"options": {},
"operation": "summarize",
"fieldsToSummarize": {
"values": [
{
"field": "details",
"separateBy": "other",
"aggregation": "concatenate",
"customSeparator": "\\n\\n"
}
]
}
},
"typeVersion": 3
},
{
"id": "fdc43a7b-579b-44ea-841b-cfebf2447ab9",
"name": "Set behaviour descriptions",
"type": "n8n-nodes-base.set",
"position": [
1240,
360
],
"parameters": {
"values": {
"string": [
{
"name": "details",
"value": "=| Link | https://falcon.us-2.crowdstrike.com/activity/detections/detail/{{ $('Split out behaviours').item.json.control_graph_id.replaceAll(':', '/').substring(4) }} |\n| Confidence | {{ $('Split out behaviours').item.json.confidence }} |\n| Filename | {{ $('Split out behaviours').item.json.filename }} |\n| Username | {{ $('Split out behaviours').item.json.user_name }} |\n| VT link | https://www.virustotal.com/gui/file/{{ $('Split out behaviours').item.json.sha256 }}/detection |\n| VT creation date | {{ $('Look up SHA in Virustotal').item.json.data.attributes.creation_date }} |\n| VT tags | {{ $('Look up SHA in Virustotal').item.json.data.attributes.tags.join(', ') }} |\n| IOC | {{ $('Split out behaviours').item.json.ioc_value }} |\n| IOC VT score | {{ $json.data.attributes.last_analysis_stats.malicious }} |\n| IOC source | {{ $('Split out behaviours').item.json.ioc_source }} |\n| IOC description | {{ $('Split out behaviours').item.json.ioc_description }} |"
}
]
},
"options": {}
},
"typeVersion": 2
},
{
"id": "d11c8794-ca93-4916-87b2-86b87751d64e",
"name": "Create Jira issue",
"type": "n8n-nodes-base.jira",
"disabled": true,
"position": [
1680,
360
],
"parameters": {
"project": {
"__rl": true,
"mode": "list",
"value": "10000",
"cachedResultName": "My Kanban Project"
},
"summary": "=CrowdStrike {{ $('Split In Batches').item.json.resources[0].max_severity_displayname.toLowerCase() }} severity alert ({{ $('Split In Batches').item.json.resources[0].device.hostname }})",
"issueType": {
"__rl": true,
"mode": "list",
"value": "10001",
"cachedResultName": "Task"
},
"additionalFields": {
"description": "=\nAlert details\n\n| Severity | {{ $('Split In Batches').item.json.resources[0].max_severity_displayname }} |\n| Host | {{ $('Split In Batches').item.json.resources[0].device.hostname }} |\n| Device ID | {{ $('Split In Batches').item.json.resources[0].device.device_id }} |\n| IP (external) | {{ $('Split In Batches').item.json.resources[0].device.external_ip }}|\n| IP (internal) | {{ $('Split In Batches').item.json.resources[0].device.local_ip }}|\n| Platform | {{ $('Split In Batches').item.json.resources[0].device.platform_name }} |\n| OS version | {{ $('Split In Batches').item.json.resources[0].device.os_version }}|\n\nBehaviours\n\n{{ $json.concatenated_details }}"
}
},
"credentials": {
"jiraSoftwareCloudApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"id": "ac44f600-31b3-418b-8f75-5c42094f2b5b",
"name": "Post notification on Slack",
"type": "n8n-nodes-base.slack",
"disabled": true,
"position": [
2080,
400
],
"parameters": {
"text": "=New CrowdStrike {{ $('Split In Batches').item.json.resources[0].max_severity_displayname.toLowerCase() }} severity alert ({{ $('Split In Batches').item.json.resources[0].device.hostname }})\n<{{ $json.self }}|Jira ticket>",
"user": {
"__rl": true,
"mode": "list",
"value": "U034NUWQ7M5",
"cachedResultName": "david"
},
"select": "user",
"otherOptions": {},
"authentication": "oAuth2"
},
"credentials": {
"slackOAuth2Api": {
"name": "<your credential>"
}
},
"typeVersion": 2.1
},
{
"id": "2c5c81bd-096c-4613-aa85-e1c01eac484e",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
-940,
200
],
"parameters": {
"width": 907.2533697472911,
"height": 622.2432296251139,
"content": "\n## Workflow Overview\nThis n8n workflow is a robust orchestration tool designed to streamline and automate the response to cybersecurity threats detected by CrowdStrike. By running daily, the script systematically gathers new detection data, enriches it with external intelligence from VirusTotal, and then creates tickets in Jira for incident tracking and resolution. Finally, it posts notifications to Slack to alert the security team promptly. \n\n## Get details of recent CrowdStrike detections\nThis section initiates the workflow, scheduled to run daily at midnight, by fetching new detection events from CrowdStrike. It leverages an HTTP Request to query the CrowdStrike API, receiving a list of recent detections. These detections are then individually parsed for further analysis, ensuring that each detection is handled separately and efficiently.\n"
},
"typeVersion": 1
},
{
"id": "34f3178a-f333-44ae-bb84-775748a40871",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
456,
85.94250946457566
],
"parameters": {
"width": 684.9176314093856,
"height": 498.43309582729387,
"content": "\n## Enrich each detection using VirusTotal\n\nEach detection is enhanced with additional intelligence by querying VirusTotal. The process involves looking up SHA256 hashes and other indicators of compromise (IOCs) to gather comprehensive threat information. With rate-limiting in mind, a 1-second pause is included between requests to maintain compliance with VirusTotal's API usage policies.\n"
},
"typeVersion": 1
},
{
"id": "9b248ed5-0a9b-4737-a571-ce20340a48af",
"name": "Pause 1 second",
"type": "n8n-nodes-base.wait",
"notes": "To avoid overloading VT",
"position": [
500,
362
],
"parameters": {
"unit": "seconds"
},
"notesInFlow": true,
"typeVersion": 1
},
{
"id": "854bbab6-b725-4a01-b179-1f1c944b7ea5",
"name": "Sticky Note2",
"type": "n8n-nodes-base.stickyNote",
"position": [
1180,
89.58126014061668
],
"parameters": {
"width": 732.8033084720628,
"height": 495.2133868905577,
"content": "\n## Create a Jira Ticket:\nFor actionable response and tracking, the workflow creates a Jira ticket for each detection. The ticket includes detailed information from CrowdStrike and enrichment data from VirusTotal, such as detection links, confidence scores, and relevant tags. This step is crucial for documenting incidents and initiating the incident response protocol.\n"
},
"typeVersion": 1
},
{
"id": "da8ca7ef-714f-42b1-a642-3165c479b5df",
"name": "Sticky Note3",
"type": "n8n-nodes-base.stickyNote",
"position": [
1940,
90.04831844240124
],
"parameters": {
"width": 348.9781174689024,
"height": 490.93784005768947,
"content": "\n## Post Notification in Slack\nTo ensure prompt attention, a notification is sent to a designated Slack channel with the severity level of the alert and a link to the corresponding Jira ticket. This immediate notification allows for quick engagement from the security team to review and act upon the detection as needed.\n"
},
"typeVersion": 1
},
{
"id": "a10f5365-85bc-435d-9b56-1154987af962",
"name": "Sticky Note4",
"type": "n8n-nodes-base.stickyNote",
"position": [
0,
-96.97284326663032
],
"parameters": {
"width": 432.3140705656865,
"height": 908.8964372010092,
"content": "\n## Iterate Through Detection Events\nThe \"`Split In Batches`\" node is configured with a batch size of one, ensuring that the array of detections from CrowdStrike is divided into individual items for processing. \n\nThis approach allows for a focused analysis of each detection, ensuring no detail is overlooked. \n\nFollowing this, the \"`Split out behaviours`\" node further dissects each detection to extract and separately handle the array of behaviors associated with them. \n\nBy processing these elements one by one, we effectively manage the workflow's load, maintaining optimal performance and adherence to external APIs' rate limits, crucial for the seamless operation of our security protocols.\n\n"
},
"typeVersion": 1
}
],
"active": false,
"settings": {
"executionOrder": "v1"
},
"versionId": "5529711a-2944-4559-a798-a6b2bc43f65a",
"connections": {
"Pause 1 second": {
"main": [
[
{
"node": "Look up SHA in Virustotal",
"type": "main",
"index": 0
}
]
]
},
"Schedule Trigger": {
"main": [
[
{
"node": "Get recent detections from Crowdstrike",
"type": "main",
"index": 0
}
]
]
},
"Split In Batches": {
"main": [
[
{
"node": "Split out behaviours",
"type": "main",
"index": 0
}
]
]
},
"Create Jira issue": {
"main": [
[
{
"node": "Post notification on Slack",
"type": "main",
"index": 0
}
]
]
},
"Split out behaviours": {
"main": [
[
{
"node": "Pause 1 second",
"type": "main",
"index": 0
}
]
]
},
"Split out detections": {
"main": [
[
{
"node": "Get detection details",
"type": "main",
"index": 0
}
]
]
},
"Get detection details": {
"main": [
[
{
"node": "Split In Batches",
"type": "main",
"index": 0
}
]
]
},
"Look up IOC in Virustotal": {
"main": [
[
{
"node": "Set behaviour descriptions",
"type": "main",
"index": 0
}
]
]
},
"Look up SHA in Virustotal": {
"main": [
[
{
"node": "Look up IOC in Virustotal",
"type": "main",
"index": 0
}
]
]
},
"Post notification on Slack": {
"main": [
[
{
"node": "Split In Batches",
"type": "main",
"index": 0
}
]
]
},
"Set behaviour descriptions": {
"main": [
[
{
"node": "Merge behaviour descriptions",
"type": "main",
"index": 0
}
]
]
},
"Merge behaviour descriptions": {
"main": [
[
{
"node": "Create Jira issue",
"type": "main",
"index": 0
}
]
]
},
"Get recent detections from Crowdstrike": {
"main": [
[
{
"node": "Split out detections",
"type": "main",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
crowdStrikeOAuth2ApijiraSoftwareCloudApislackOAuth2ApivirusTotalApi
Pro
For the full experience including quality scoring and batch install features for each workflow upgrade to Pro
How this works
This workflow swiftly analyses recent CrowdStrike detections to identify potential threats by searching for indicators of compromise (IOCs) like file hashes in VirusTotal, enabling security teams to respond faster and reduce breach risks. It automates the creation of a detailed ticket in Jira for investigation and posts an alert in Slack to notify the team, ensuring collaborative and timely action without manual oversight. Ideal for cybersecurity analysts and incident response teams in organisations using CrowdStrike for endpoint protection, the key step involves querying VirusTotal to enrich detection data with reputation scores and threat intelligence.
Use this workflow for routine monitoring of CrowdStrike alerts in environments with moderate to high threat volumes, such as mid-sized enterprises, to streamline triage without overwhelming resources. Avoid it in low-threat setups where manual review suffices, or if your team lacks Jira and Slack integrations, as custom adaptations would be needed. Common variations include adding email notifications or integrating with additional threat intel sources like AlienVault OTX for deeper analysis.
About this workflow
Analyze_Crowdstrike_Detections__search_for_IOCs_in_VirusTotal__create_a_ticket_in_Jira_and_post_a_message_in_Slack. Uses scheduleTrigger, itemLists, httpRequest, splitInBatches. Scheduled trigger; 18 nodes.
Source: https://github.com/Zie619/n8n-workflows — original creator credit. Request a take-down →
Related workflows
Workflows that share integrations, category, or trigger type with this one. All free to copy and import.
This n8n workflow automates the handling of security detections from CrowdStrike, streamlining incident response and notification processes. The workflow is triggered daily at midnight by the Schedule
Item Lists, HTTP Request, Jira +1
This workflow automates the prioritization and escalation of customer support tickets. It acts as an intelligent triage system that identifies high-value customers and potential churn risks in HubSpot
HTTP Request, HubSpot, Jira +1
This template helps you create an interactive InfraNodus knowledge graph for your ZenDesk tickets using any search criteria (e.g. after a certain date, specific status, sender, keyword) that will auto
Zendesk, HTTP Request, Telegram +4
How it works This AI Customer Success Risk Prediction workflow revolutionizes customer retention by predicting churn risk 30-90 days before it happens. Here's the high-level flow: Daily Data Collectio
HTTP Request, Zendesk, Stripe +4
This workflow is built for education businesses, course creators, coaching programs, and online academies that use Close CRM for sales and need to automate everything that happens after a deal closes.
Slack, HTTP Request, Airtable