Intermediate Pro

Wazuh + n8n + Suricata: Automated Malicious URL Enrichment

Automated DNS threat detection and enrichment workflow integrated with VirusTotal, Wazuh, and n8n.

Self-Paced by Aman Gupta

Overview

Objective:
Automate detection of malicious domains queried from Linux endpoints, enrich alerts with VirusTotal intelligence, and trigger response actions using n8n.

Components:

  • Suricata IDS (Network monitoring)
  • Wazuh SIEM (Log collection & rules)
  • n8n (SOAR automation engine)
  • VirusTotal, Gmail, Slack, ServiceNow integrations

Workflow:

  1. Suricata generates DNS/TLS logs.
  2. Wazuh forwards alerts to n8n via webhook.
  3. n8n queries VirusTotal for domain reputation.
  4. n8n processes data, builds a report, and applies conditional logic.
  5. Alerts are sent through Gmail, Slack, and ServiceNow.
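The following is an added example, not code from the course or from the n8n, Wazuh or VirusTotal projects. It models steps 2 to 5 of the workflow above in plain Python so the enrichment and conditional logic can be read and run offline: a Wazuh-wrapped Suricata DNS event is parsed, a VirusTotal v3 domain report is reduced to its engine vote counts, a verdict is assigned, and the verdict decides which channels receive the report. The alert shape, the rule id, the agent, the domain, the VirusTotal sample and the verdict thresholds are all constructed assumptions; only the VirusTotal endpoint and `last_analysis_stats` field used in `fetch_virustotal_report` and `analysis_stats` are real API details.

```python
import json
import urllib.request
from typing import Any, Dict, List, Optional

# Constructed sample alert: roughly the shape Wazuh produces when it ingests a
# Suricata eve.json DNS event (data.dns.rrname is the queried domain). The rule
# id, agent and domain are illustrative placeholders, not values from the course.
SAMPLE_WAZUH_ALERT: Dict[str, Any] = {
    "timestamp": "2024-01-01T12:00:00.000+0000",
    "rule": {"id": "100999", "level": 7, "description": "Suricata DNS query (placeholder rule)"},
    "agent": {"name": "linux-endpoint-01", "ip": "10.0.0.21"},
    "data": {
        "event_type": "dns",
        "src_ip": "10.0.0.21",
        "dns": {"type": "query", "rrname": "malicious-example.test", "rrtype": "A"},
    },
}

# Constructed sample VirusTotal v3 domain report, trimmed to the one field the
# workflow needs: data.attributes.last_analysis_stats.
SAMPLE_VT_REPORT: Dict[str, Any] = {
    "data": {
        "id": "malicious-example.test",
        "type": "domain",
        "attributes": {
            "last_analysis_stats": {
                "harmless": 60, "malicious": 7, "suspicious": 2, "undetected": 20, "timeout": 0,
            }
        },
    }
}

STAT_KEYS = ("harmless", "malicious", "suspicious", "undetected", "timeout")


def extract_domain(alert: Dict[str, Any]) -> Optional[str]:
    """Step 2: pull the queried domain out of a Wazuh-wrapped Suricata DNS event.
    Returns None for non-DNS events so the workflow can skip them."""
    data = alert.get("data", {})
    if data.get("event_type") != "dns":
        return None
    rrname = data.get("dns", {}).get("rrname")
    return rrname.rstrip(".").lower() if rrname else None


def fetch_virustotal_report(domain: str, api_key: str) -> Dict[str, Any]:
    """Step 3: live lookup against the VirusTotal v3 domain endpoint (network
    call; the offline demo below uses SAMPLE_VT_REPORT instead). An n8n HTTP
    Request node performs the same GET with the x-apikey header."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/domains/{domain}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def analysis_stats(vt_report: Dict[str, Any]) -> Dict[str, int]:
    """Reduce a VirusTotal domain report to its engine vote counts, defaulting
    every bucket to 0 so a partial or empty report cannot raise KeyError."""
    stats = vt_report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    return {k: int(stats.get(k, 0)) for k in STAT_KEYS}


def classify(stats: Dict[str, int], malicious_threshold: int = 3) -> str:
    """Step 4 conditional logic. The threshold is an assumption: a single
    engine flagging a domain is usually a false positive, so it only triggers
    an 'investigate' verdict, while several agreeing engines trigger 'block'."""
    if stats["malicious"] >= malicious_threshold:
        return "block"
    if stats["malicious"] > 0 or stats["suspicious"] > 0:
        return "investigate"
    return "benign"


def routing_for(verdict: str) -> List[str]:
    """Step 5 routing: which channels receive the report for each verdict.
    Channel assignment is an assumption chosen to keep ticket noise low."""
    return {
        "block": ["gmail", "slack", "servicenow"],
        "investigate": ["slack"],
        "benign": [],
    }[verdict]


def build_report(alert: Dict[str, Any], vt_report: Dict[str, Any]) -> Dict[str, Any]:
    """Assemble the enriched report that the notification nodes would send."""
    stats = analysis_stats(vt_report)
    verdict = classify(stats)
    return {
        "domain": extract_domain(alert),
        "agent": alert.get("agent", {}).get("name"),
        "src_ip": alert.get("data", {}).get("src_ip"),
        "rule_id": alert.get("rule", {}).get("id"),
        "vt_malicious": stats["malicious"],
        "vt_suspicious": stats["suspicious"],
        "vt_total_engines": sum(stats.values()),
        "verdict": verdict,
        "channels": routing_for(verdict),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_WAZUH_ALERT, SAMPLE_VT_REPORT), indent=2))
```

Running the block prints the enriched report for the constructed sample, with verdict `block` and all three channels selected. In n8n the same pieces map onto a Webhook node (step 2), an HTTP Request node (step 3), a Code or IF node holding the threshold logic (step 4), and the Gmail, Slack and ServiceNow nodes (step 5); keeping the threshold in one function makes it easy to tune without touching the notification branches.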

Outcome:
A fully automated detection and response pipeline for malicious URLs, reducing analyst intervention time and improving visibility.

What You'll Learn

  • Install and configure Suricata IDS on Linux

    Set up Suricata with the right rules and interfaces to detect suspicious network activity.

  • Forward IDS logs into Wazuh SIEM for correlation

    Integrate Suricata’s eve.json output into Wazuh to generate actionable security alerts.

  • Design an n8n automation workflow for threat enrichment

    Build a workflow that enriches Suricata/Wazuh alerts with external threat intelligence.

  • Implement multi-channel alerting (Email, Slack, ServiceNow)

    Deliver enriched alerts to your SOC team across communication and ticketing platforms.

About Trainer

Aman Gupta

Aman Gupta is an emerging voice in automation-driven cybersecurity, combining strong engineering skills with a passion for knowledge sharing. He has worked on advanced projects spanning security monitoring, intelligent alerting, process automation, and AI-powered decision systems. With experience bridging software engineering and modern DevSecOps practices, Aman focuses on simplifying complex technologies into practical, real-world applications.

Related Projects

Apache Server Log Analysis using Splunk
Pro Intermediate

Detecting Brute Force, SQL Injection, XSS, and Suspicious Web Activity from Apache Access Logs with Splunk SIEM

Practical AWS Cloud Security Posture Assessment Using Scout Suite
Free Beginner

Identify real-world AWS attack surfaces through visual security posture analysis.

Wazuh + n8n + Anyrun: Automated Malware Analysis
Pro Intermediate

Automate malware analysis by sending Wazuh-detected suspicious files into ANY.RUN, retrieving detailed reports and IOCs, and integrating results back into your SOC workflow.