Collect risky links and IPs from a simple form or a webhook, scan them with trusted security sources, and send clear results to your team in Slack and email. It fits security and IT teams that need quick answers without giving everyone access to full threat tools.

The flow starts with two intake options: a form trigger for easy internal use and a webhook for API submissions. An item list splits batches, then a check decides if each entry is an IP or a domain. Domains are resolved to IPs using Google Public DNS so every record has a clean IP. The system submits URLs to VirusTotal, waits, and polls until results are ready. It also checks each IP with GreyNoise and RIOT. Results are merged by IP, summarized, and pushed to Gmail and Slack so the team can act fast.

Plan for a VirusTotal API key and a GreyNoise enterprise API key, plus Slack and Gmail access. Expect faster triage, fewer copy paste steps, and a repeatable intake path that anyone in your company can use. Common uses include help desk tickets with suspicious links, vendor scans during onboarding, and quick checks before allowing new domains through a firewall.

• Dual intake with Webhook and Form Trigger for API submissions and simple internal forms.
• Batch handling using Item Lists to process many URLs or IPs at once.
• IP detection with a regex If node and domain to IP conversion via Google Public DNS.
• VirusTotal submission and polling loop using Wait and status checks until results are ready.
• GreyNoise IP and RIOT lookups to classify IP behavior and context.
• Merge by IP to unify VirusTotal and GreyNoise data into a single record.
• Summary nodes that extract key stats for clear, short messages.
• Automated reporting to Slack and Gmail so teams see results where they already work.
• Filter and Combine nodes to control when to fetch results and to flatten the final payload.

• Reduce manual review from 15 minutes per indicator to under 1 minute with automated lookups and reporting
• Streamline intake to decision time by about 70% by removing copy and paste work
• Improve accuracy by resolving domains to IPs automatically and merging results by IP
• Handle 50 or more indicators in one run without extra clicks
• Connect VirusTotal, GreyNoise, Slack, and Gmail in one flow for faster responses

1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
2. You'll need accounts with Slack, Gmail, VirusTotal and GreyNoise. See the Tools Required section above for links to create accounts with these services.
3. In the n8n credentials manager, create a Slack OAuth credential: open the Slack node, choose Credential to connect with, click Create new credential, and follow the on screen steps to authorize your workspace.
4. Create a Gmail OAuth2 credential: open the Gmail node, choose Credential to connect with, click Create new credential, and finish the Google consent flow.
5. Set a VirusTotal API Key: open the VirusTotal nodes, choose Credential to connect with, click Create new credential, and paste your API key from the VirusTotal account API page.
6. Set a GreyNoise API Key: open the GreyNoise nodes, choose Credential to connect with, click Create new credential, and paste your enterprise API key from the GreyNoise account API page.
7. Open the Form Trigger node and copy the form URL for internal submissions. Share this link with users who will submit URLs or IPs.
8. Open the Webhook node and copy the test and production endpoints. Use curl or your app to POST the JSON payload with data and email to verify intake.
9. In the Slack node, pick the target channel for reports. In the Gmail node, set the To field to the Email value attached to each item or a shared mailbox as needed.
10. Review the Wait 5s and VirusTotal ready checks. If you hit rate limits, increase the wait time to reduce polling frequency.
11. Test with a small batch: send two domains and one IP. Check the Executions tab for errors like invalid URLs, missing API keys, or rate limit responses.
12. If DNS resolution fails, confirm the input uses a valid domain format. If GreyNoise returns no data, verify your enterprise access and API key status.
13. Once tests pass, share the production webhook URL and the form link with your team and monitor the first few runs in the Executions tab.