v1d1an This workflow corresponds to n8n.io template #1602 — we link there as the canonical source.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
{
"id": 4,
"name": "Email",
"nodes": [
{
"name": "IMAP Email",
"type": "n8n-nodes-base.emailReadImap",
"position": [
-300,
200
],
"parameters": {
"format": "resolved",
"options": {}
},
"credentials": {
"imap": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"name": "TheHive",
"type": "n8n-nodes-base.theHive",
"position": [
-20,
200
],
"parameters": {
"tags": "Email",
"type": "Email",
"title": "={{$node[\"IMAP Email\"].binary.attachment_0.fileName}}",
"source": "Outlook",
"sourceRef": "={{$node[\"IMAP Email\"].json[\"messageId\"]}}",
"artifactUi": {
"artifactValues": [
{
"dataType": "file",
"binaryProperty": "attachment_0"
}
]
},
"description": "={{$node[\"IMAP Email\"].binary.attachment_0.fileName}}",
"additionalFields": {}
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"typeVersion": 1,
"alwaysOutputData": true
},
{
"name": "Create Case",
"type": "n8n-nodes-base.theHive",
"position": [
280,
200
],
"parameters": {
"id": "={{$node[\"TheHive\"].json[\"_id\"]}}",
"operation": "promote",
"additionalFields": {}
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"typeVersion": 1,
"alwaysOutputData": true
},
{
"name": "Case",
"type": "n8n-nodes-base.theHive",
"position": [
540,
200
],
"parameters": {
"id": "={{$node[\"Create Case\"].json[\"_id\"]}}",
"resource": "case",
"operation": "get"
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"typeVersion": 1,
"alwaysOutputData": true
},
{
"name": "Observable",
"type": "n8n-nodes-base.theHive",
"position": [
1060,
200
],
"parameters": {
"caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
"options": {},
"resource": "observable",
"returnAll": true
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"typeVersion": 1,
"alwaysOutputData": true
},
{
"name": "Analyzer Email",
"type": "n8n-nodes-base.theHive",
"position": [
1340,
200
],
"parameters": {
"id": "={{$node[\"Observable\"].json[\"_id\"]}}",
"dataType": "file",
"resource": "observable",
"analyzers": [
"24a64a086a410e1c7d7ace74003c4480::CORTEX"
],
"operation": "executeAnalyzer"
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"retryOnFail": true,
"typeVersion": 1,
"alwaysOutputData": true
},
{
"name": "Cortex",
"type": "n8n-nodes-base.cortex",
"position": [
1560,
200
],
"parameters": {
"jobId": "={{$node[\"Analyzer Email\"].json[\"cortexJobId\"]}}",
"resource": "job",
"operation": "report"
},
"credentials": {
"cortexApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"name": "IF",
"type": "n8n-nodes-base.if",
"position": [
-20,
600
],
"parameters": {
"conditions": {
"number": [
{
"value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"domain\"].length}}",
"operation": "larger"
},
{
"value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"email\"].length}}",
"operation": "larger"
},
{
"value1": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"ip\"].length}}",
"operation": "larger"
}
]
},
"combineOperation": "any"
},
"typeVersion": 1
},
{
"name": "Update Case Domain",
"type": "n8n-nodes-base.theHive",
"position": [
420,
480
],
"parameters": {
"ioc": true,
"data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"domain\"]}}",
"caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
"status": "Ok",
"message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
"options": {
"tags": "Domain"
},
"dataType": "domain",
"resource": "observable",
"operation": "create"
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"name": "Update Case Email",
"type": "n8n-nodes-base.theHive",
"position": [
420,
620
],
"parameters": {
"ioc": true,
"data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"email\"]}}",
"caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
"status": "Ok",
"message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
"options": {
"tags": "Domain"
},
"dataType": "mail",
"resource": "observable",
"operation": "create"
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"name": "Update Case Ip",
"type": "n8n-nodes-base.theHive",
"position": [
420,
760
],
"parameters": {
"ioc": true,
"data": "={{$node[\"Cortex\"].json[\"report\"][\"full\"][\"iocs\"][\"ip\"]}}",
"caseId": "={{$node[\"Case\"].json[\"_id\"]}}",
"status": "Ok",
"message": "={{$node[\"Cortex\"].json[\"analyzerName\"]}}",
"options": {
"tags": "Domain"
},
"dataType": "ip",
"resource": "observable",
"operation": "create"
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"name": "Wait",
"type": "n8n-nodes-base.wait",
"position": [
800,
200
],
"parameters": {
"unit": "seconds",
"amount": 5
},
"typeVersion": 1
},
{
"name": "Email Reputation",
"type": "n8n-nodes-base.theHive",
"position": [
640,
620
],
"parameters": {
"id": "={{$node[\"Update Case Email\"].json[\"id\"]}}",
"dataType": "mail",
"resource": "observable",
"analyzers": [
"9902b4e5c58015184b177de13f2151c7::CORTEX"
],
"operation": "executeAnalyzer"
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"name": "OTX IP",
"type": "n8n-nodes-base.theHive",
"position": [
640,
760
],
"parameters": {
"id": "={{$node[\"Update Case Ip\"].json[\"id\"]}}",
"dataType": "ip",
"resource": "observable",
"analyzers": [
"b084bf78d1aea92966b6ef6a4f6193a5::CORTEX"
],
"operation": "executeAnalyzer"
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"name": "OTX DOMAIN",
"type": "n8n-nodes-base.theHive",
"position": [
640,
480
],
"parameters": {
"id": "={{$node[\"Update Case Domain\"].json[\"id\"]}}",
"dataType": "domain",
"resource": "observable",
"analyzers": [
"b084bf78d1aea92966b6ef6a4f6193a5::CORTEX"
],
"operation": "executeAnalyzer"
},
"credentials": {
"theHiveApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
}
],
"active": true,
"settings": {},
"connections": {
"IF": {
"main": [
[
{
"node": "Update Case Domain",
"type": "main",
"index": 0
},
{
"node": "Update Case Email",
"type": "main",
"index": 0
},
{
"node": "Update Case Ip",
"type": "main",
"index": 0
}
]
]
},
"Case": {
"main": [
[
{
"node": "Wait",
"type": "main",
"index": 0
}
]
]
},
"Wait": {
"main": [
[
{
"node": "Observable",
"type": "main",
"index": 0
}
]
]
},
"Cortex": {
"main": [
[
{
"node": "IF",
"type": "main",
"index": 0
}
]
]
},
"TheHive": {
"main": [
[
{
"node": "Create Case",
"type": "main",
"index": 0
}
]
]
},
"IMAP Email": {
"main": [
[
{
"node": "TheHive",
"type": "main",
"index": 0
}
]
]
},
"Observable": {
"main": [
[
{
"node": "Analyzer Email",
"type": "main",
"index": 0
}
]
]
},
"Create Case": {
"main": [
[
{
"node": "Case",
"type": "main",
"index": 0
}
]
]
},
"Analyzer Email": {
"main": [
[
{
"node": "Cortex",
"type": "main",
"index": 0
}
]
]
},
"Update Case Ip": {
"main": [
[
{
"node": "OTX IP",
"type": "main",
"index": 0
}
]
]
},
"Update Case Email": {
"main": [
[
{
"node": "Email Reputation",
"type": "main",
"index": 0
}
]
]
},
"Update Case Domain": {
"main": [
[
{
"node": "OTX DOMAIN",
"type": "main",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
cortexApiimaptheHiveApi
Pro
For the full experience including quality scoring and batch install features for each workflow upgrade to Pro
About this workflow
With workflow, you analyze Email with TheHive/Cortex
Source: https://n8n.io/workflows/1602/ — original creator credit. Request a take-down →
Related workflows
Workflows that share integrations, category, or trigger type with this one. All free to copy and import.
Email. Uses emailReadImap, theHive, cortex. Manual trigger; 15 nodes.
Email Read Imap, The Hive, Cortex
If you are a postmaster or you manage email server, you can set up DKIM and SPF records to ensure that spoofing your email address is hard. On your domain you can also set up DMARC record to receive X
Email Read Imap, MySQL, Compression +3
This workflow automates URL reporting to Spamhaus based on incoming spam/phishing sample emails. It watches one or more IMAP folders, extracts URLs from each email body, removes duplicates and common
Email Read Imap, HTTP Request
This automated n8n workflow automates AWS S3 bucket and file operations (create, delete, upload, download, copy, list) by parsing simple email commands and sending back success or error confirmations.
Email Read Imap, AWS S3, Email Send
This workflow contains community nodes that are only compatible with the self-hosted version of n8n.
Email Read Imap, Execute Command, Email Send