How to Automate CrowdStrike Incident Ticketing?

Security teams need quick and clear triage when new threats appear. This automation collects new alerts from CrowdStrike, enriches them with VirusTotal, opens a Jira task, and pings Slack so the team can act fast. It suits IT and SecOps groups that want a reliable daily intake of incidents.

On a set schedule, the flow pulls recent detections marked as new from CrowdStrike and fetches their full details. It splits the list and handles one alert at a time using batch control, then extracts the behavior data from each detection for deeper context. For each behavior it calls VirusTotal for the file hash and for the indicator of compromise, with a one-second pause between calls to respect VirusTotal rate limits. It builds a clear summary, creates a Jira issue with severity and hostname in the title, and posts a Slack alert with a link to the ticket. The result is consistent triage with all key data in one place.

You will need accounts and credentials for CrowdStrike, VirusTotal, Jira Software Cloud, and Slack. Configure the nodes with your project, channel, and API keys, and keep the batch size at one to stay within rate limits. Expect faster response time and better tracking, which helps daily handover and small teams without round-the-clock coverage.

What are the key features?

  • Daily Schedule Trigger collects new security detections.
  • HTTP request to CrowdStrike queries new alerts and pulls full details.
  • Item Lists splits detections so each alert is processed on its own.
  • Split In Batches processes one detection at a time and loops until done.
  • Item Lists extracts behavior records from each detection for deeper review.
  • Wait node adds a one-second delay to respect VirusTotal rate limits.
  • VirusTotal lookups check both SHA256 hash and the IOC value.
  • Set and Merge nodes build clear behavior notes and a CrowdStrike link.
  • Jira issue creation fills project, issue type, and a dynamic summary.
  • Slack message posts severity and the Jira ticket link to a chosen channel.

What are the benefits?

  • Reduce manual triage from 2 hours to 10 minutes per day
  • Automate up to 90 percent of alert intake across tools
  • Improve incident context with VirusTotal data on each behavior
  • Connect CrowdStrike, Jira Software Cloud and Slack in one flow
  • Handle higher alert volume with batch processing and rate control
  • Cut missed alerts by running on a fixed daily schedule

How do you set it up?

  1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
  2. You'll need accounts with CrowdStrike, VirusTotal, Jira Software Cloud and Slack. See the Tools Required section below for the services you need accounts with.
  3. In the n8n credentials manager, create a CrowdStrike credential. If unsure, double click the CrowdStrike HTTP Request nodes, open the 'Credential to connect with' menu, click 'Create new credential', then follow the on-screen steps. Ensure your CrowdStrike app has read access to detections.
  4. Create a VirusTotal API Key in your VirusTotal account. In n8n, add a VirusTotal credential using that key. If unsure, double click the VirusTotal nodes and create the credential from the dropdown.
  5. Set up Jira Software Cloud credentials. Create an Atlassian API token, then in n8n add your email and API token to a Jira Software Cloud credential. Double click the Jira node and select this credential.
  6. Authorize Slack with Slack OAuth2 in n8n. Double click the Slack node, choose Create new credential, sign in to your workspace, and allow chat write permissions.
  7. Open the Schedule Trigger node and set the run time. Use daily at midnight or choose a time that matches your shift handover.
  8. Open 'Get recent detections from CrowdStrike'. Confirm the base URL matches your region and that the filter selects detections with status new. Click Execute Node to verify a successful response.
  9. Check Get detection details. Make sure the body uses the detection ids and returns resources with behaviors.
  10. Open Split In Batches and set batch size to 1 so VirusTotal limits are respected.
  11. Confirm the Wait node delay is 1 second. Increase it if your VirusTotal plan has stricter limits.
  12. In the Jira node, select the target project and issue type. Keep the dynamic summary with severity and hostname, and ensure the description contains the merged behavior details.
  13. In the Slack node, pick the alert channel and include the Jira issue link. Send a test message by executing the node.
  14. Run the workflow once with Execute Workflow. Verify that a new Jira ticket is created and a Slack message is posted. If no detections are returned, adjust the CrowdStrike filter or test with a known detection id.
  15. If you see rate limit or auth errors, recheck credentials, reduce batch speed, and confirm required scopes and tokens are valid.
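As an added illustration that is not part of the template or n8n's own code, the per-detection stage of the flow (steps 10 to 13 above) written out in plain Python: one VirusTotal call at a time with a pause after each, a summary carrying severity and hostname, the merged behavior notes for the Jira description, and the Slack text. The detection record, the VirusTotal verdicts and the Falcon console URL pattern are constructed assumptions; swap in your own lookups and tenant.

```python
import time

# Constructed sample shaped like a Falcon detection resource; not real data.
SAMPLE_DETECTION = {
    "detection_id": "ldt:constructed:0001",
    "max_severity_displayname": "High",
    "device": {"hostname": "WS-FINANCE-07"},
    "behaviors": [
        {"filename": "dropper.exe", "tactic": "Execution", "technique": "PowerShell",
         "sha256": "a" * 64, "ioc_type": "domain", "ioc_value": "bad.example"},
        {"filename": "stage2.dll", "tactic": "Persistence", "technique": "Run Key",
         "sha256": "b" * 64, "ioc_type": "hash_sha256", "ioc_value": "b" * 64},
    ],
}
# Constructed stand-in for VirusTotal: value -> (malicious engines, total engines).
FAKE_VT = {"a" * 64: (41, 70), "bad.example": (12, 90), "b" * 64: (0, 70)}

def enrich_behaviors(det, vt_lookup, pause=time.sleep, delay=1.0):
    """Query VirusTotal for each behavior's SHA256 and IOC, one call at a time,
    pausing `delay` seconds after every call (the Wait node). When the IOC is
    just the same hash again, the duplicate lookup is skipped."""
    notes = []
    for b in det["behaviors"]:
        verdicts = []
        for label, value in (("sha256", b["sha256"]), (b["ioc_type"], b["ioc_value"])):
            if label != "sha256" and value == b["sha256"]:
                continue
            malicious, total = vt_lookup(value)
            pause(delay)
            verdicts.append(f"{label} {malicious}/{total}")
        notes.append(f"{b['filename']} | {b['tactic']}/{b['technique']} | " + ", ".join(verdicts))
    return notes

def build_jira_fields(det, notes, project_key, issue_type="Task"):
    """Fields handed to the Jira node: summary with severity and hostname, description
    of merged behavior notes plus a console link (URL pattern assumed, adjust to your tenant)."""
    sev, host = det["max_severity_displayname"], det["device"]["hostname"]
    link = f"https://falcon.crowdstrike.com/activity/detections/detail/{det['detection_id']}"
    return {"project": {"key": project_key}, "issuetype": {"name": issue_type},
            "summary": f"[{sev}] CrowdStrike detection on {host}",
            "description": "\n".join(notes) + f"\nCrowdStrike: {link}"}

def build_slack_text(det, issue_key, jira_base="https://example.atlassian.net"):
    """The Slack alert: severity, host and the link to the ticket just created."""
    sev, host = det["max_severity_displayname"], det["device"]["hostname"]
    return f"{sev} CrowdStrike detection on {host}: {jira_base}/browse/{issue_key}"
```

Calling `enrich_behaviors(SAMPLE_DETECTION, FAKE_VT.get)` sleeps for real between lookups; pass `pause=lambda s: None` when testing the formatting alone.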

Tools Required

  • n8n: $24 / mo or $20 / mo billed annually to use n8n in the cloud. However, the local or self-hosted n8n Community Edition is free.
  • CrowdStrike: Falcon Go, $59.99/device per year
  • Jira Software Cloud: Free plan, $0 / mo (up to 10 users); REST API access via API token available on Free and paid plans
  • Slack: Free plan, $0 / mo; limited to 10 apps (third-party or custom) and usable via Slack API
  • VirusTotal: an account with an API key (see step 4)
