Intermediate Pro

Wazuh + n8n: Automated IP Enrichment

Enrich Wazuh alerts with IP reputation (VirusTotal + AlienVault) and route suspicious IPs to ServiceNow / Slack / Email via n8n.

Self-Paced by Rajneesh Gupta

Overview

Wazuh → n8n IP Reputation Enrichment

Receive Wazuh JSON alerts in n8n, extract source IP IOCs, query VirusTotal and AlienVault OTX for reputation,
merge & normalize results, render a responsive HTML threat summary, and automatically create incidents or send alerts
for suspicious IPs (ServiceNow, Slack, Gmail).

Primary nodes used

  • Webhook (Wazuh → n8n)
  • Code (extract IOCs)
  • HTTP Request (VirusTotal)
  • HTTP Request (AlienVault OTX)
  • Merge
  • Code (normalize + scoring)
  • HTML (IP summary)
  • Switch (suspicious?) → ServiceNow / Slack / Gmail
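The two Code nodes in this pipeline, "extract IOCs" and "normalize + scoring", written out as plain JavaScript. This is an added example, not the course's own workflow code; the score weights, the threshold of 10 and the sample payloads are assumptions, while the field paths follow the Wazuh alert, VirusTotal v3 and OTX JSON shapes.

```javascript
// Added example, not the course's own code: the logic of the two n8n Code
// nodes ("extract IOCs" and "normalize + scoring") as plain functions. Inside
// n8n they would be called on each item, e.g.:
//   return $input.all().map(i => ({ json: extractIocs(i.json) }));
// Field paths follow Wazuh alert, VirusTotal v3 and OTX JSON; score weights
// and the threshold are assumptions for illustration.

// Private, loopback and link-local addresses carry no reputation and should
// never be sent to an external provider, so they are dropped here.
function isPublicIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m) return false;
  const o = m.slice(1).map(Number);
  if (o.some(n => n > 255) || o[0] === 0 || o[0] === 10 || o[0] === 127) return false;
  if (o[0] === 172 && o[1] >= 16 && o[1] <= 31) return false;
  if (o[0] === 192 && o[1] === 168) return false;
  return !(o[0] === 169 && o[1] === 254);
}

// Code node 1: pull the source IP and alert context out of a Wazuh alert.
function extractIocs(alert) {
  const ip = alert?.data?.srcip;
  return {
    ip: isPublicIPv4(ip) ? ip : null,          // null => skip enrichment
    ruleId: alert?.rule?.id ?? null,
    description: alert?.rule?.description ?? "",
    level: alert?.rule?.level ?? 0,
    agent: alert?.agent?.name ?? "",
  };
}

// Code node 2: merge the VT and OTX replies into one normalized record.
// Assumed rule: each VT "malicious" verdict weighs 10, "suspicious" 3, each
// OTX pulse 2; a total of 10 or more is routed as suspicious by the Switch.
function scoreIp(ip, vtResp, otxResp) {
  const stats = vtResp?.data?.attributes?.last_analysis_stats ?? {};
  const vtMalicious = stats.malicious ?? 0;
  const vtSuspicious = stats.suspicious ?? 0;
  const otxPulses = otxResp?.pulse_info?.count ?? 0;
  const score = vtMalicious * 10 + vtSuspicious * 3 + otxPulses * 2;
  return { ip, vtMalicious, vtSuspicious, otxPulses, score, suspicious: score >= 10 };
}

// Constructed sample inputs standing in for the webhook payload and API replies.
const SAMPLE_ALERT = { rule: { id: "5763", level: 10, description: "sshd: brute force attempt" },
  agent: { name: "web-01" }, data: { srcip: "203.0.113.45" } };
const SAMPLE_VT = { data: { attributes: { last_analysis_stats: { malicious: 4, suspicious: 1 } } } };
const SAMPLE_OTX = { pulse_info: { count: 7 } };
```

An alert whose `ip` comes back `null` should be filtered out before the HTTP Request nodes so internal addresses never leave the SOC, and missing provider fields default to zero rather than breaking the Merge step.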

What You'll Learn

  • Receive Wazuh JSON alerts in n8n

    Learn how to trigger workflows from Wazuh alerts and extract important fields like IP and description.

  • Perform IP reputation lookups with VirusTotal & AlienVault OTX

    Understand how to query external threat intel services directly from n8n.

  • Merge and normalize intelligence from multiple providers

    Combine different API results into a single, consistent structure for easier analysis.

  • Generate a visual HTML IP threat summary

    Create a clear, formatted report and use conditional logic to route suspicious results.

  • Push incidents to ServiceNow and alerts to Slack/Email

    Automate SOC notifications by sending enriched alerts into ticketing and communication tools.

Prerequisites

  • Review the recommended background before starting.

About Trainer

Rajneesh Gupta

Rajneesh Gupta is a seasoned cybersecurity professional with over 11 years of industry experience. With a remarkable career focused on incident response, penetration testing, security compliance, and risk management, Rajneesh has established himself as a leading expert in the field. He is also an accomplished author, having penned the book "Hands-on with Blockchain and Cybersecurity". As a dedicated educator, Rajneesh has made a significant impact on the cybersecurity community by training over 60,000 students globally.

Related Projects

Apache Server Log Analysis using Splunk
Pro Intermediate

Detecting Brute Force, SQL Injection, XSS, and Suspicious Web Activity from Apache Access Logs with Splunk SIEM

Practical AWS Cloud Security Posture Assessment Using Scout Suite
Free Beginner

Identify real-world AWS attack surfaces through visual security posture analysis.

Wazuh + n8n + Anyrun: Automated Malware Analysis
Pro Intermediate

Automate malware analysis by sending Wazuh-detected suspicious files into ANY.RUN, retrieving detailed reports and IOCs, and integrating results back into your SOC workflow.