
Automated IP Reputation Check & SOC Alerting

Free n8n workflow to automatically analyze suspicious IPs from Splunk alerts using VirusTotal & AlienVault OTX, generate threat reports, and notify your security team.

Visual diagram of the IP reputation automation workflow connecting Splunk, VirusTotal, AlienVault, and notification channels

What This Workflow Does

Security teams are inundated with alerts. This automation tackles a critical, time-consuming task: investigating suspicious IP addresses flagged by your SIEM (Splunk). Instead of manually copying IPs into multiple threat intelligence websites, this workflow automatically enriches each alert with data from VirusTotal and AlienVault OTX, synthesizes the findings into a clear report, and routes it to the right people—all within seconds.

It turns raw, noisy Splunk alerts into actionable intelligence. When an alert's matching event contains an IP address, the workflow extracts it, queries two threat intelligence platforms, merges the results, and decides the next step based on severity. High-risk IPs can trigger immediate Slack alerts and ServiceNow tickets, while lower-risk ones only produce an HTML email summary for daily review. Your SOC analysts spend their time investigating real threats instead of looking up data.

How It Works

The workflow is a logical pipeline that ingests, enriches, analyzes, and acts.

1. Trigger & Ingestion

A Splunk alert containing a suspicious IP address triggers the workflow through n8n's Webhook node. Splunk's webhook alert action POSTs a JSON body in which the `result` object carries the fields of the matching event; the workflow reads the IP from there. Because the webhook URL is reachable by anything that can reach your n8n instance, enable authentication on the Webhook node (it supports Basic and Header auth); if your alert action cannot send the credential, at minimum use an unguessable webhook path and restrict which source addresses can reach it. Otherwise anyone who learns the URL can inject fake alerts and drive Slack messages and ServiceNow tickets.

2. Dual Threat Intelligence Enrichment

The IP is looked up in VirusTotal (`GET https://www.virustotal.com/api/v3/ip_addresses/{ip}`, key in the `x-apikey` header) and AlienVault OTX (`GET https://otx.alienvault.com/api/v1/indicators/IPv4/{ip}/general`, key in the `X-OTX-API-KEY` header); the two HTTP Request nodes can run in parallel branches or one after the other. VirusTotal returns per-engine verdict counts from dozens of antivirus engines (`last_analysis_stats`), community tags, ASN and country; files seen communicating with the IP are a separate relationship lookup. AlienVault OTX returns a reputation score, the related pulses (community-submitted threat campaigns) and geographical/ISP data. Only query addresses that are worth sending to a third party: validate the field is really an IPv4 address and skip private and other non-routable ranges, which return nothing useful and would disclose internal addressing.

3. Data Processing & Merging

Responses from both services are normalized and merged into a unified data structure. A Code node (the former Function node) calculates a composite threat score and derives the alert severity from it (e.g., Critical, High, Medium, Informational).

4. Conditional Routing & Action

A Switch node evaluates the threat score. Critical threats can be set to automatically create a ServiceNow incident and post an urgent message to a dedicated Slack #security-alerts channel. All events, regardless of severity, generate a formatted HTML report for the audit trail.

5. Reporting & Notification

An HTML node builds a clean, readable report summarizing the IP, its reputation scores, associated malware, geographic info, and links to the full analysis on VirusTotal/AlienVault. This report is sent via Gmail (or your SMTP server) to a designated SOC inbox. Pulse names, tags and malware family names are third-party (partly community-submitted) data, so HTML-escape every value before it goes into the report; otherwise a crafted pulse name becomes markup in the email your analysts open.
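The ingest, validate, normalize and score steps above, written out as an added example in plain Node.js (this is not code from the GrowwStacks template; it is shaped the way the logic would sit in an n8n Code node). The three payloads are constructed for the example and only mimic the shape of the Splunk webhook body, the VirusTotal v3 `ip_addresses` object and the OTX IPv4 `general` response; the field name `result.ip`, the score weights and the severity cut-offs are assumptions you would tune to your own alert and risk model.

```javascript
// Added example (not part of the template). Sample payloads are constructed.
const SPLUNK_ALERT = {                       // constructed Splunk webhook body
  search_name: "Outbound to rare destination",
  result: { ip: "203.0.113.10", src: "10.20.30.40", count: "17" },
};

const VT_RESPONSE = {                        // constructed, VirusTotal v3 shape
  data: { id: "203.0.113.10", type: "ip_address", attributes: {
    last_analysis_stats: { harmless: 60, malicious: 9, suspicious: 1, undetected: 20, timeout: 0 },
    tags: ["ssh-bruteforce"], country: "NL", asn: 64496, as_owner: "Example Transit",
  } },
};

const OTX_RESPONSE = {                       // constructed, OTX "general" shape
  indicator: "203.0.113.10", reputation: 0, country_name: "Netherlands",
  pulse_info: { count: 4, pulses: [
    { name: "Mirai scanner list", malware_families: ["Mirai"] },
    { name: "Mozi botnet nodes", malware_families: ["Mozi"] },
    { name: "IoT brute-force sources", malware_families: ["Mirai"] },
    { name: "Weekly SSH scanners", malware_families: [] },
  ] },
};

const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Ranges that never belong in a public reputation lookup: the feeds know nothing
// about them and the query would leak internal addressing to a third party.
const NON_ROUTABLE = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["0.0.0.0", 8], ["100.64.0.0", 10],
];

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

function inCidr(ip, base, bits) {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(base) & mask);
}

// Step 1: pull the IP out of the webhook body (assumed field: result.ip),
// reject anything that is not an IPv4 literal, skip non-routable addresses.
function extractIp(payload) {
  const ip = payload && payload.result && String(payload.result.ip || "").trim();
  if (!ip || !IPV4.test(ip)) throw new Error("payload has no valid IPv4 address in result.ip");
  if (NON_ROUTABLE.some(([base, bits]) => inCidr(ip, base, bits))) return null;
  return ip;
}

// Step 2/3: reduce each vendor response to the fields the score and report use.
function normalizeVirusTotal(vt) {
  const a = vt.data.attributes;
  const s = a.last_analysis_stats || {};
  return {
    vtMalicious: s.malicious || 0,
    vtSuspicious: s.suspicious || 0,
    vtEngines: Object.values(s).reduce((x, y) => x + y, 0),
    vtTags: a.tags || [],
    country: a.country || null, asn: a.asn || null, asOwner: a.as_owner || null,
  };
}

function normalizeOtx(otx) {
  const info = otx.pulse_info || {};
  const pulses = info.pulses || [];
  return {
    otxPulses: info.count || pulses.length,
    otxPulseNames: pulses.map((p) => p.name),
    malwareFamilies: [...new Set(pulses.flatMap((p) => p.malware_families || []))],
    countryName: otx.country_name || null,
  };
}

function mergeIntel(ip, vt, otx) {
  return { ip, ...normalizeVirusTotal(vt), ...normalizeOtx(otx) };
}

// Composite 0-100 score. Weights and cut-offs are this example's assumptions;
// VT vendor hits saturate at 10 vendors, OTX at 10 pulses.
function scoreIndicator(m) {
  const vtPart = Math.min(m.vtMalicious + 0.5 * m.vtSuspicious, 10) * 10;
  const otxPart = Math.min(m.otxPulses, 10) * 10;
  const score = Math.round(0.6 * vtPart + 0.4 * otxPart);
  const severity = score >= 60 ? "Critical" : score >= 30 ? "High" : score >= 10 ? "Medium" : "Informational";
  return { score, severity };
}

function triage(payload, vt, otx) {
  const ip = extractIp(payload);
  if (ip === null) return { skipped: true, reason: "non-routable address, not sent to threat feeds" };
  const merged = mergeIntel(ip, vt, otx);
  return { skipped: false, ...merged, ...scoreIndicator(merged) };
}

console.log(JSON.stringify(triage(SPLUNK_ALERT, VT_RESPONSE, OTX_RESPONSE), null, 2));
```

In the real workflow `extractIp` runs before the HTTP Request nodes (so a skipped or malformed IP never reaches the APIs), and `mergeIntel` plus `scoreIndicator` run in the Code node after the Merge node. The saturating score means nine vendors flagging the address lands in Critical even when only a small fraction of VirusTotal's engines agree, which is the behaviour most SOCs want for a first-pass triage.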

Who This Is For

This template is designed for security professionals and IT teams responsible for monitoring and responding to threats.

  • SOC Analysts: Automate the initial triage of IP-based alerts to focus on complex investigations.
  • IT Managers at mid-sized companies who lack a 24/7 SOC but need to implement basic, automated threat intelligence.
  • MSPs (Managed Service Providers): Standardize and scale threat investigation across multiple client environments.
  • DevOps/SRE Teams managing cloud infrastructure who need to automate security response within their CI/CD or incident management pipelines.

If you're using Splunk (or any log source that can send webhooks) and want to add automated, enriched threat context to your alerts, this workflow is your starting point.

What You'll Need

  1. A running n8n instance (self-hosted or n8n.cloud).
  2. Splunk with the ability to send webhook alerts for search results containing IP addresses.
  3. API keys for VirusTotal and AlienVault OTX (free tier available). The VirusTotal public API is limited to 4 lookups per minute and 500 per day, so it is fine for testing but a premium (private) key is recommended for production volumes.
  4. Destination credentials configured in n8n for your chosen notification channels: Slack (webhook or bot token), Gmail/Office 365 (SMTP), and ServiceNow (if used).

Pro tip: Start with the AlienVault OTX free API tier to test the workflow. For high-volume environments, consider upgrading to VirusTotal's private API to avoid rate limiting and gain access to additional data points like passive DNS and historical reports.

Quick Setup Guide

You can have this automation running in under 30 minutes.

  1. Download the template JSON from this page and import it into your n8n instance.
  2. Configure credentials in n8n's "Credentials" section for VirusTotal, AlienVault OTX, Slack, and your email service. Keep the API keys in credentials rather than pasting them into HTTP Request node parameters: node parameters are written into exported workflow JSON, credentials are not.
  3. Copy the production URL from the Webhook node and configure your Splunk alert to POST to it. Splunk's webhook alert action sends the fields of the matching event under `result`, so a search that outputs a field named `ip` arrives as `result.ip`; if your field is named differently, adjust the parsing node. Enable authentication on the Webhook node (Basic or Header auth) or, if the alert action cannot send a credential, use an unguessable path and restrict the source addresses allowed to reach it.
  4. Adjust the Switch node logic to match your organization's risk thresholds. Define what score constitutes a "Critical" vs. "High" alert.
  5. Test the workflow with a Splunk-shaped JSON body (a `result` object containing the IP) sent to the test URL while the Webhook node is listening, using an IP that is currently listed in a public threat feed so both routes are exercised. Every test lookup counts against your VirusTotal and OTX quotas.
  6. Activate the workflow. Monitor the first few executions to confirm that data flows correctly, that the parsing node finds the IP in the payload, and that notifications arrive in the expected channels.

Key Benefits

Reduce alert investigation time from minutes to seconds. What used to be a manual, multi-tab process is now fully automated, freeing up your security team for higher-value analysis.

Improve threat detection accuracy with correlated intelligence. Relying on a single threat feed is risky. By combining VirusTotal's scanning results with AlienVault's community pulse data, you get a more reliable verdict on an IP's malicious intent.

Ensure consistent and auditable response procedures. Every alert is processed the same way, creating a standardized HTML report for the record. This is invaluable for compliance audits and post-incident reviews.

Enable 24/7 coverage without staffing overhead. The automation runs continuously, providing immediate threat enrichment even during nights, weekends, or periods of high alert volume.

Build a scalable foundation for your security automation. This workflow is a modular component. You can easily extend it to check domains, hashes, or add steps like querying internal blocklists or ticketing systems beyond ServiceNow.

Frequently Asked Questions

Common questions about security automation and threat intelligence integration

IP reputation analysis is the process of evaluating whether an IP address is associated with malicious activity, such as spamming, hacking, or malware distribution. For SOC (Security Operations Center) teams, it's critical because it helps quickly identify potential threats from network logs and alerts.

Manual checking of IPs across multiple threat intelligence feeds is time-consuming and error-prone. Automating this process with tools like n8n ensures immediate, consistent analysis, allowing analysts to focus on high-priority incidents rather than repetitive data lookup tasks.

Combining these tools creates a multi-layered defense. Splunk acts as the central log aggregator and alert source. VirusTotal provides crowd-sourced malware detection and scanning results from over 70 antivirus engines. AlienVault OTX (Open Threat Exchange) offers community-driven threat intelligence, including known malicious IPs, domains, and malware signatures.

By cross-referencing an IP across both services, the workflow significantly reduces false positives and provides a more comprehensive threat profile than any single source, leading to more accurate and confident security decisions.

Absolutely. While designed for SOC efficiency, this workflow is equally valuable for IT managers, system administrators, or small business owners handling their own security. The automated enrichment and reporting mean you don't need deep security expertise to get actionable intelligence.

The workflow can be configured to send alerts to any communication channel (like Slack or email) used by your team. It effectively acts as a force multiplier, giving smaller teams enterprise-grade threat intelligence capabilities without the overhead of manual investigation.

Manual IP reputation checks can take an analyst 5-15 minutes per alert, involving switching between browser tabs, copying/pasting IPs, and compiling results. This automated workflow completes the same analysis in seconds.

For a team handling 20 alerts per day, that's over 2 hours saved daily, or 10+ hours per week. More importantly, it eliminates alert fatigue and ensures every suspicious IP is checked consistently, 24/7, reducing the risk of human error or oversight during high-volume incidents or after-hours.

The workflow includes conditional logic (via Switch nodes) to route alerts based on configurable threat thresholds. The inputs are the vendor count from VirusTotal (`last_analysis_stats.malicious`) and the pulse count from OTX (`pulse_info.count`), so you can set rules like: 'If more than 5 VirusTotal vendors flag the IP OR it appears in more than 3 AlienVault pulses, create a ServiceNow ticket and send a Slack alert. If 1-5 vendors flag it, just email the report for review.'

This allows for tiered response. The generated HTML report includes all raw data (detection counts, associated malware families, country, ASN) so analysts can quickly validate automated decisions and understand the context behind a score.
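The tiered routing from the answer above and the HTML report it mentions, as an added example in plain Node.js (not code from the GrowwStacks template). The record is constructed and matches the normalized shape the enrichment step produces (vendor counts, pulse count, malware families, country, ASN); the rule names and action identifiers are assumptions. One OTX pulse name deliberately carries markup to show why every third-party value is escaped before it lands in the email.

```javascript
// Added example (not part of the template). SAMPLE_RECORD is constructed.
const SAMPLE_RECORD = {
  ip: "203.0.113.10",
  vtMalicious: 9, vtSuspicious: 1, vtEngines: 90,
  vtTags: ["ssh-bruteforce"],
  otxPulses: 4,
  otxPulseNames: ["Mirai scanner list", 'Mozi nodes <img src=x onerror="alert(1)">'],
  malwareFamilies: ["Mirai", "Mozi"],
  country: "NL", asn: 64496, asOwner: "Example Transit",
};

// Evaluated top to bottom, first match wins. Thresholds are the FAQ's example:
// more than 5 vendors or more than 3 pulses escalates; any hit is emailed for
// review; everything else is still emailed so the audit trail stays complete.
const ROUTING_RULES = [
  { tier: "Critical", when: (r) => r.vtMalicious > 5 || r.otxPulses > 3,
    actions: ["servicenow_incident", "slack_alert", "email_report"] },
  { tier: "Review", when: (r) => r.vtMalicious >= 1 || r.otxPulses >= 1,
    actions: ["email_report"] },
  { tier: "Informational", when: () => true, actions: ["email_report"] },
];

function route(record) {
  const rule = ROUTING_RULES.find((x) => x.when(record));
  return { tier: rule.tier, actions: [...rule.actions] };
}

// Pulse names, tags and family names are not ours; neutralise them for HTML.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function buildReport(record, verdict) {
  const ipPath = encodeURIComponent(record.ip);   // already validated upstream
  const list = (items) =>
    items.length ? items.map((x) => `<li>${escapeHtml(x)}</li>`).join("") : "<li>none</li>";
  return [
    `<h2>IP reputation: ${escapeHtml(record.ip)} (${escapeHtml(verdict.tier)})</h2>`,
    "<table>",
    `<tr><th>VirusTotal</th><td>${escapeHtml(record.vtMalicious)} malicious, ` +
      `${escapeHtml(record.vtSuspicious)} suspicious of ${escapeHtml(record.vtEngines)} engines</td></tr>`,
    `<tr><th>OTX pulses</th><td>${escapeHtml(record.otxPulses)}</td></tr>`,
    `<tr><th>Country / ASN</th><td>${escapeHtml(record.country)} / AS${escapeHtml(record.asn)} ` +
      `(${escapeHtml(record.asOwner)})</td></tr>`,
    "</table>",
    `<h3>Malware families</h3><ul>${list(record.malwareFamilies)}</ul>`,
    `<h3>VirusTotal tags</h3><ul>${list(record.vtTags)}</ul>`,
    `<h3>OTX pulses</h3><ul>${list(record.otxPulseNames)}</ul>`,
    `<p><a href="https://www.virustotal.com/gui/ip-address/${ipPath}">Full VirusTotal analysis</a> | ` +
      `<a href="https://otx.alienvault.com/indicator/ip/${ipPath}">Full OTX analysis</a></p>`,
    `<p>Automated actions: ${escapeHtml(verdict.actions.join(", "))}</p>`,
  ].join("\n");
}

function processRecord(record) {
  const verdict = route(record);
  return { ...verdict, html: buildReport(record, verdict) };
}

console.log(processRecord(SAMPLE_RECORD).html);
```

In the workflow, `route` is what the Switch node expresses visually and `buildReport` is the HTML node; the ordered rule table is easier to review against a runbook than nested conditions, and because the first rule that matches wins, the escalation rule must stay on top.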

You need three main components: 1) A Splunk instance (cloud or on-prem) that can send webhook alerts for suspicious IPs. 2) API keys for VirusTotal (public or private) and AlienVault OTX (free tier available). 3) An n8n instance (self-hosted or cloud) with credentials configured for your notification channels (Slack, Gmail/Office 365, ServiceNow).

Basic familiarity with n8n's interface is helpful, but the imported template provides the complete structure. The workflow handles the complex data parsing and merging logic for you.

Yes, that's a key advantage of using n8n. The modular design makes it easy to add additional enrichment steps. You could integrate sources like AbuseIPDB for community abuse reports, GreyNoise for internet background noise context, or Shodan for open port/service detection.

Add another HTTP Request node after the existing enrichment steps, store the new service's API key as an n8n credential, parse the response, and merge the data into the unified record so the score and the report pick it up. Each extra feed adds its own rate limit and its own third-party disclosure of the IPs you investigate, so apply the same non-routable-address filter before it. This keeps the automation adaptable as new threat feeds emerge or your organization's requirements evolve.

Yes, GrowwStacks specializes in building tailored security and IT automation solutions. While this template provides a solid foundation for IP reputation checks, every organization has unique tools, risk thresholds, and escalation procedures.

We can build custom workflows that integrate with your specific SIEM (like Sentinel, QRadar), ticketing system (Jira, Zendesk), internal databases, or compliance reporting tools. Our team works with you to map your incident response playbooks into automated, reliable n8n workflows that reduce mean time to detection (MTTD) and response (MTTR).

  • Integration with your existing security stack and data sources.
  • Custom alerting logic and escalation paths matching your SOC runbooks.
  • Compliance reporting and audit trail generation.

Need a Custom Security Automation?

This free template is a starting point. Our team builds fully tailored automation systems for your specific business needs.