URL/IP Threat Intelligence Scanning and Reporting Automation Workflow
This workflow implements automated threat intelligence scanning and report generation for URLs and IP addresses. By integrating VirusTotal and GreyNoise services, it intelligently identifies the input type, automatically retrieves relevant security information, and consolidates the analysis results. The scanning status is managed asynchronously, and a detailed security assessment report is quickly pushed to Slack and email, helping the enterprise security team respond swiftly to potential threats, enhance security operations efficiency, and streamline the multi-source data integration process.

Key Features and Highlights
This workflow integrates two leading threat intelligence services, VirusTotal and GreyNoise, to automate scanning and security risk assessment of input URLs or IP addresses. Its core highlights include intelligent differentiation between IP addresses and domain names, resolving domains to IPs via Google DNS, asynchronous management of VirusTotal scan status, enrichment with GreyNoise IP behavior intelligence, and automatic generation and delivery of comprehensive threat reports through Slack and email.
Core Problems Addressed
- Simplifies the submission process of threat indicators across multiple departments without relying on complex threat platforms.
- Automates the collection, fusion, and analysis of multi-source threat intelligence data, enhancing security response efficiency.
- Provides unified handling and evaluation of domains and IPs, eliminating errors and delays caused by manual differentiation.
- Resolves the complexity of asynchronous waiting and status polling for VirusTotal scans.
- Enables timely delivery of threat intelligence results to security teams, supporting rapid decision-making.
Use Cases
- Automated threat detection and response in Enterprise Security Operations Centers (SOC).
- Rapid risk assessment of suspicious URLs/IPs by IT operations and security teams.
- Centralized management and sharing of threat intelligence to facilitate cross-department collaboration.
- Automated integration of third-party threat intelligence platform data to enhance security monitoring capabilities.
Main Workflow Steps
- Trigger Input
Supports receiving bulk JSON-formatted URLs/IPs and email information via Webhook, or interactive submission through a built-in form.
- Input Identification and Normalization
Determines whether the input is an IP or a URL; if a URL, resolves the domain to its corresponding IP using Google DNS for unified subsequent processing.
- Virus Scanning Request
Submits the URL to VirusTotal for scanning, employing a looped wait and status check mechanism to retrieve scan results.
- Intelligence Data Query
Queries GreyNoise's Noise and RIOT APIs for the IP to obtain classification, trust score, tags, and geographic information.
- Data Merging and Summary
Combines results from VirusTotal and GreyNoise, extracting key statistics and security tags.
- Report Generation and Delivery
Automatically generates a detailed security assessment report and sends it via a designated Slack channel and email to the submitter for immediate notification.
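The input identification and scan-status polling steps above, sketched in plain JavaScript as an added example (this is not the workflow's own node code). The function names, option defaults, the `status` field shape and the sample values are assumptions made for illustration.

```javascript
// Added example: names, option defaults and sample values are constructed.

// Classify a submitted indicator and return the host to enrich.
function normalizeIndicator(raw) {
  const input = String(raw).trim();
  const scheme = /^([a-z][a-z0-9+.-]*):\/\//i.exec(input);
  if (scheme && !/^https?$/i.test(scheme[1])) {
    throw new Error(`unsupported scheme: ${scheme[1]}`);
  }
  // Forms to try: as given, with a scheme added, or as a bare IPv6 literal.
  const candidates = scheme ? [input] : [`http://${input}`, `http://[${input}]`];
  for (const candidate of candidates) {
    let host;
    try {
      host = new URL(candidate).hostname;
    } catch {
      continue; // not parseable in this form, try the next one
    }
    if (host.startsWith('[')) return { type: 'ip', host: host.slice(1, -1) };
    // The URL parser validates and canonicalises IPv4 hosts of http(s) URLs,
    // so a dotted quad at this point is a real address, not a lookalike.
    if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return { type: 'ip', host };
    return { type: 'domain', host }; // resolve via DNS before the IP lookups
  }
  throw new Error(`unrecognised indicator: ${input}`);
}

// Poll an injected status function until it reports completion. The attempt cap
// keeps a scan that never finishes from stalling the workflow indefinitely.
// Assumption: the result carries a `status` field that becomes 'completed'.
async function pollUntilComplete(fetchStatus, { maxAttempts = 10, delayMs = 5000 } = {}) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const result = await fetchStatus();
    if (result.status === 'completed') return { ...result, attempts: attempt };
    if (attempt < maxAttempts) await new Promise((r) => setTimeout(r, delayMs));
  }
  throw new Error(`scan not completed after ${maxAttempts} attempts`);
}
```

Rejecting unparseable input before any lookup keeps malformed indicators out of the downstream API calls and out of the report sent to Slack and email.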
Involved Systems and Services
- VirusTotal API: Provides URL maliciousness scanning and result feedback.
- GreyNoise API: Offers IP behavior noise detection and threat intelligence.
- Google DNS Resolution Service: Resolves domain names to IP addresses.
- n8n Webhook and Form Trigger: Supports external data input and interactive form submission.
- Slack: Real-time push notifications of scan reports.
- Gmail: Sends detailed threat analysis reports via email.
Target Users and Value
- Enterprise security teams and SOC analysts, aiding rapid identification and response to potential threats.
- IT operations personnel, facilitating security checks on accessed domains/IPs.
- Threat intelligence analysts, simplifying multi-source data integration.
- Any organization seeking to automate URL/IP threat assessment and reporting workflows.
By leveraging highly automated threat intelligence collection and analysis, this workflow significantly improves security operations efficiency, reduces human error risks, and helps enterprises build a robust security defense.