This workflow corresponds to n8n.io template #5997 — we link there as the canonical source.
The workflow JSON
Copy or download the full n8n JSON below, paste it into a new n8n workflow, add your own credentials, and then activate it. Full import guide →
{
"id": "LS3DQMrTIzPpWEnp",
"meta": {
"templateCredsSetupCompleted": true
},
"name": "\u2705Wazuh Alert- Malicious File detection",
"tags": [],
"nodes": [
{
"id": "850ecc07-1698-4f8f-8bfd-d11690a5bcb3",
"name": "file summary display",
"type": "n8n-nodes-base.html",
"position": [
-220,
560
],
"parameters": {
"html": "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <title>File Threat Summary</title>\n <style>\n body {\n font-family: \"Segoe UI\", sans-serif;\n background-color: #121212;\n color: #f0f0f0;\n padding: 20px;\n }\n .card {\n background-color: #1e1e1e;\n border-radius: 12px;\n box-shadow: 0 4px 12px rgba(0, 0, 0, 0.6);\n padding: 20px;\n max-width: 600px;\n margin: auto;\n border: 1px solid #333;\n }\n .long-text {\n word-break: break-all;\n overflow-wrap: break-word;\n white-space: pre-wrap;\n font-size: 0.9rem;\n color: #e0e0e0;\n }\n h1 {\n color: #00bfff;\n }\n .label {\n font-weight: bold;\n color: #c5e1a5;\n }\n .tag {\n background-color: #333;\n color: #c5cae9;\n border-radius: 5px;\n padding: 2px 6px;\n margin: 3px 4px 3px 0;\n display: inline-block;\n font-size: 0.85rem;\n }\n .status-safe {\n color: #00e676;\n }\n .status-suspicious {\n color: #ff5252;\n }\n .timestamp {\n margin-top: 20px;\n font-size: 0.9rem;\n color: #999;\n }\n </style>\n</head>\n<body>\n <div class=\"card\">\n <h1>\ud83e\uddea File Threat Summary</h1>\n <p><span class=\"label\">File:</span> {{ $json.summary.Name }}</p>\n <p><span class=\"label\">SHA256:</span> <span class=\"long-text\">{{ $json.summary.SHA256 }}</span></p>\n <p><span class=\"label\">Reputation:</span> {{ $json.summary.Reputation }}</p>\n <p><span class=\"label\">Threat Label:</span> {{ $json.summary.Description }}</p>\n <p><span class=\"label\">Magic Signature:</span> {{ $json.summary.Magic }}</p>\n\n <p><span class=\"label\">Status:</span> \n <span class=\"{{ $json.summary.Status === 'Safe' ? 
'status-safe' : 'status-suspicious' }}\">\n {{ $json.summary.Status }}\n </span>\n </p>\n\n <p class=\"label\">Analysis Stats:</p>\n <ul>\n <li>Malicious: {{ $json.summary.Malicious }}</li>\n <li>Suspicious: {{ $json.summary.Suspicious }}</li>\n <li>Harmless: {{ $json.summary.Harmless }}</li>\n <li>Undetected: {{ $json.summary.Undetected }}</li>\n </ul>\n\n <p class=\"label\">Tags:</p>\n <div>{{ $json.summary.Tags_HTML }}</div>\n\n </div>\n <div class=\"timestamp\">Generated at: {{ $json.summary.Generated_At }}</div>\n</body>\n</html>\n"
},
"typeVersion": 1.2
},
{
"id": "082b96b1-acc1-40f6-8abe-15c516a8af10",
"name": "Gmail1",
"type": "n8n-nodes-base.gmail",
"position": [
20,
560
],
"parameters": {
"sendTo": "user@example.com",
"message": "={{ $json.html }}",
"options": {},
"subject": "Alert"
},
"credentials": {
"gmailOAuth2": {
"name": "<your credential>"
}
},
"typeVersion": 2.1
},
{
"id": "d8efcbad-fd0e-4e75-86a9-7572e357de4f",
"name": "Wazuh Alert",
"type": "n8n-nodes-base.webhook",
"position": [
-1080,
820
],
"parameters": {
"path": "file_validation",
"options": {},
"httpMethod": "POST"
},
"typeVersion": 2
},
{
"id": "dabe00ea-820a-47df-b61b-8b5353ee7dbd",
"name": "Extract IOCs",
"type": "n8n-nodes-base.code",
"position": [
-860,
820
],
"parameters": {
"jsCode": "const body = items[0].json.body || {};\nconst syscheck = body.syscheck || {};\nconst rule = body.rule || {};\n\nconst md5 = syscheck.md5_after || null;\nconst sha1 = syscheck.sha1_after || null;\nconst sha256 = syscheck.sha256_after || null;\nconst filePath = syscheck.path || null;\n\nconst description = rule.description || 'No description';\nconst agent = body.agent?.name || 'unknown';\nconst level = rule.level || 'unknown';\n\nreturn [{\n json: {\n type: 'file_alert',\n md5,\n sha1,\n sha256,\n file_path: filePath,\n description,\n agent,\n level,\n full_alert: body\n }\n}];\n"
},
"typeVersion": 2
},
{
"id": "4a121bd9-9a42-4b53-9bb7-7b75c6ca40ff",
"name": "Generate File Summary",
"type": "n8n-nodes-base.code",
"position": [
-420,
820
],
"parameters": {
"jsCode": "const data = items[0].json.data?.attributes;\n\nconst summary = {\n SHA256: items[0].json.data?.id || 'N/A',\n Malicious: data?.last_analysis_stats?.malicious || 0,\n Suspicious: data?.last_analysis_stats?.suspicious || 0,\n Undetected: data?.last_analysis_stats?.undetected || 0,\n Harmless: data?.last_analysis_stats?.harmless || 0,\n Tags: (data?.tags || []).join(', '),\n Tags_HTML: (data?.tags || []).map(tag =>\n `<span class=\"tag\">${tag.trim()}</span>`\n ).join(''),\n Magic: data?.magic || 'N/A',\n Name: data?.meaningful_name || 'Unknown',\n Description: data?.popular_threat_classification?.suggested_threat_label || 'No Label',\n Reputation: data?.reputation || 0,\n Generated_At: new Date().toLocaleString('en-IN', {\n timeZone: 'Asia/Kolkata',\n dateStyle: 'short',\n timeStyle: 'medium'\n })\n};\n\n// Determine Status\nconst status = (summary.Malicious > 0 || summary.Suspicious > 0) ? 'Suspicious' : 'Safe';\nsummary.Status = status;\n\nreturn [\n {\n json: {\n summary\n }\n }\n];\n"
},
"typeVersion": 2
},
{
"id": "76b0d5b3-f12c-46ff-9488-704854673aea",
"name": "Filter Suspicious Files",
"type": "n8n-nodes-base.switch",
"position": [
-180,
1100
],
"parameters": {
"rules": {
"values": [
{
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "c151e5cc-a506-4c2f-9c1a-7159592eb1b7",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.summary.Status }}",
"rightValue": "Suspicious"
}
]
}
}
]
},
"options": {}
},
"typeVersion": 3.2
},
{
"id": "3d6a1922-e62a-4653-acee-bf1d26a7f9d3",
"name": "Create File Incident",
"type": "n8n-nodes-base.serviceNow",
"position": [
20,
1000
],
"parameters": {
"resource": "incident",
"operation": "create",
"authentication": "basicAuth",
"additionalFields": {},
"short_description": "=Potential malicious file detected File '{{ $json.summary.Name }}' with SHA256 '{{ $json.summary.SHA256.slice(0, 12) }}...' flagged as '{{ $json.summary.Status }}' by VirusTotal. Threat classification: '{{ $json.summary.Description }}'."
},
"credentials": {
"serviceNowBasicApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"id": "8f60bfc2-382f-4ffd-b3d4-ecfd313d774b",
"name": "Slack File Alert",
"type": "n8n-nodes-base.slack",
"position": [
20,
1200
],
"parameters": {
"text": "=\u26a0\ufe0f File Threat Detected \n\ud83e\uddfe File: {{ $json.summary.Name || 'Unknown file' }} \n\ud83e\uddec SHA256: {{ $json.summary.SHA256.slice(0, 12) }}...\n\ud83d\udd0d Status: {{ $json.summary.Status }} \n\ud83d\udcdb Threat: {{ $json.summary.Description }} ",
"select": "channel",
"channelId": {
"__rl": true,
"mode": "list",
"value": "C0913JPTZBJ",
"cachedResultName": "n8n-trigger"
},
"otherOptions": {},
"authentication": "oAuth2"
},
"credentials": {
"slackOAuth2Api": {
"name": "<your credential>"
}
},
"typeVersion": 2.3
},
{
"id": "5f7eb5d0-2c96-4a5a-b50f-78343d71c8fb",
"name": "VirusTotal File Hash Validation",
"type": "n8n-nodes-base.httpRequest",
"onError": "continueRegularOutput",
"position": [
-640,
820
],
"parameters": {
"": "",
"url": "=https://www.virustotal.com/api/v3/files/{{ $json.sha256 }}",
"method": "GET",
"options": {},
"sendBody": false,
"sendQuery": false,
"curlImport": "",
"infoMessage": "",
"sendHeaders": false,
"authentication": "predefinedCredentialType",
"httpVariantWarning": "",
"nodeCredentialType": "virusTotalApi",
"provideSslCertificates": false
},
"credentials": {
"virusTotalApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.2,
"extendsCredential": "virusTotalApi"
},
{
"id": "fe7e02b8-d305-4b70-91db-fd4e43daf3f7",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
-1100,
600
],
"parameters": {
"color": 4,
"width": 360,
"height": 200,
"content": "## Alert Ingestion & Threat Intelligence\n- Receives file integrity alerts via webhook.\n- Extracts SHA256, MD5, filename, path, and agent info.\n- Prepares clean JSON data for threat validation.\n"
},
"typeVersion": 1
},
{
"id": "ad135139-d360-4a2e-95da-8007b13aba0a",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
-220,
740
],
"parameters": {
"width": 360,
"height": 220,
"content": "## Alert Escalation & Analyst Notification\n- Routes alerts based on threat level (Safe or Suspicious).\n- Sends Slack alert and creates ServiceNow ticket if suspicious.\n- Emails formatted threat summary to analyst inbox.\n\n"
},
"typeVersion": 1
},
{
"id": "a72c8256-0cc7-493c-9605-ba7cc6fd322a",
"name": "Sticky Note2",
"type": "n8n-nodes-base.stickyNote",
"position": [
-700,
600
],
"parameters": {
"width": 400,
"height": 200,
"content": "## VirusTotal Enrichment & Threat Summary\n- Validates file hash with VirusTotal API.\n- Gathers reputation, detection stats, threat label, and tags.\n- Generates a readable HTML summary with file context.\n"
},
"typeVersion": 1
}
],
"active": false,
"settings": {
"executionOrder": "v1"
},
"versionId": "0ae8f2a4-1a78-4c18-8d34-9189d04bbbf2",
"connections": {
"Wazuh Alert": {
"main": [
[
{
"node": "Extract IOCs",
"type": "main",
"index": 0
}
]
]
},
"Extract IOCs": {
"main": [
[
{
"node": "VirusTotal File Hash Validation",
"type": "main",
"index": 0
}
]
]
},
"file summary display": {
"main": [
[
{
"node": "Gmail1",
"type": "main",
"index": 0
}
]
]
},
"Generate File Summary": {
"main": [
[
{
"node": "file summary display",
"type": "main",
"index": 0
},
{
"node": "Filter Suspicious Files",
"type": "main",
"index": 0
}
]
]
},
"Filter Suspicious Files": {
"main": [
[
{
"node": "Slack File Alert",
"type": "main",
"index": 0
},
{
"node": "Create File Incident",
"type": "main",
"index": 0
}
]
]
},
"VirusTotal File Hash Validation": {
"main": [
[
{
"node": "Generate File Summary",
"type": "main",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
gmailOAuth2, serviceNowBasicApi, slackOAuth2Api, virusTotalApi
About this workflow
This workflow helps SOC teams automate the detection and reporting of potentially malicious files using Wazuh alerts, VirusTotal hash validation, and integrated summary/report generation. It's ideal for analysts who want instant context and communication for file-based threats —…
Source: https://n8n.io/workflows/5997/ (original creator credit).