This workflow follows the HTTP Request → Slack recipe pattern.
The workflow JSON
Copy the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, and activate it.
{
  "name": "IOC Enrichment Workflow",
  "meta": {
    "description": "Auto-enrich IOCs (IPs, domains, hashes) from VirusTotal and AbuseIPDB, then use AI to summarize findings and notify via Slack.",
    "version": "1.0.0",
    "author": "AI for the Win",
    "disclaimer": "EXAMPLE TEMPLATE - Configure credentials and test before production use"
  },
  "nodes": [
    {
      "parameters": {
        "httpMethod": "POST",
        "path": "enrich-ioc",
        "responseMode": "responseNode",
        "options": {}
      },
      "id": "webhook-trigger",
      "name": "Webhook",
      "type": "n8n-nodes-base.webhook",
      "typeVersion": 1,
      "position": [250, 300]
    },
    {
      "parameters": {
        "operation": "lookup",
        "resource": "ip",
        "ip": "={{ $json.ioc }}"
      },
      "id": "virustotal",
      "name": "VirusTotal",
      "type": "n8n-nodes-base.virusTotal",
      "typeVersion": 1,
      "position": [450, 200],
      "credentials": {
        "virusTotalApi": {
          "name": "<your credential>"
        }
      }
    },
    {
      "parameters": {
        "url": "https://api.abuseipdb.com/api/v2/check",
        "sendQuery": true,
        "queryParameters": {
          "parameters": [
            {
              "name": "ipAddress",
              "value": "={{ $json.ioc }}"
            },
            {
              "name": "maxAgeInDays",
              "value": "90"
            }
          ]
        },
        "sendHeaders": true,
        "headerParameters": {
          "parameters": [
            {
              "name": "Key",
              "value": "={{ $credentials.abuseipdb.apiKey }}"
            }
          ]
        }
      },
      "id": "abuseipdb",
      "name": "AbuseIPDB",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 3,
      "position": [450, 400]
    },
    {
      "parameters": {
        "model": "claude-sonnet-4-20250514",
        "prompt": "Analyze the following threat intelligence data for IOC {{ $json.ioc }}:\n\nVirusTotal: {{ $node.VirusTotal.json }}\nAbuseIPDB: {{ $node.AbuseIPDB.json }}\n\nProvide a concise threat assessment including:\n1. Classification (Malicious/Suspicious/Clean)\n2. Confidence level\n3. Key findings\n4. Recommended actions"
      },
      "id": "ai-analysis",
      "name": "AI Analysis",
      "type": "n8n-nodes-base.anthropic",
      "typeVersion": 1,
      "position": [650, 300],
      "credentials": {
        "anthropicApi": {
          "name": "<your credential>"
        }
      }
    },
    {
      "parameters": {
        "channel": "#security-alerts",
        "text": ":mag: *IOC Enrichment Complete*\n\n*IOC:* `{{ $node.Webhook.json.ioc }}`\n*Type:* {{ $node.Webhook.json.type }}\n\n{{ $node['AI Analysis'].json.content }}"
      },
      "id": "slack-notify",
      "name": "Slack",
      "type": "n8n-nodes-base.slack",
      "typeVersion": 1,
      "position": [850, 300],
      "credentials": {
        "slackApi": {
          "name": "<your credential>"
        }
      }
    },
    {
      "parameters": {
        "respondWith": "json",
        "responseBody": "={{ JSON.stringify({ success: true, ioc: $node.Webhook.json.ioc, analysis: $node['AI Analysis'].json.content }) }}"
      },
      "id": "response",
      "name": "Respond",
      "type": "n8n-nodes-base.respondToWebhook",
      "typeVersion": 1,
      "position": [1050, 300]
    }
  ],
  "connections": {
    "Webhook": {
      "main": [
        [
          {
            "node": "VirusTotal",
            "type": "main",
            "index": 0
          },
          {
            "node": "AbuseIPDB",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "VirusTotal": {
      "main": [
        [
          {
            "node": "AI Analysis",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "AbuseIPDB": {
      "main": [
        [
          {
            "node": "AI Analysis",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "AI Analysis": {
      "main": [
        [
          {
            "node": "Slack",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Slack": {
      "main": [
        [
          {
            "node": "Respond",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  },
  "settings": {
    "executionOrder": "v1"
  }
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
anthropicApi, slackApi, virusTotalApi
About this workflow
IOC Enrichment Workflow. Uses virusTotal, httpRequest, anthropic, slack. Webhook trigger; 6 nodes.
Source: https://github.com/depalmar/ai_for_the_win/blob/9127650cefbcf902051de7dc2df13af1961ca4f5/templates/n8n/ioc_enrichment_workflow.json — original creator credit.