Score DNS threats with VirusTotal, Abuse.ch, HashiCorp Vault and Gemini
Score DNS Threats with VirusTotal, Abuse.ch, HashiCorp Vault and Gemini An end-to-end Cyber Threat Intelligence pipeline that turns raw DNS traffic into actionable security verdicts — without manual triage, without le...
Template notes
Score DNS Threats with VirusTotal, Abuse.ch, HashiCorp Vault and Gemini
An end-to-end Cyber Threat Intelligence pipeline that turns raw DNS traffic into actionable security verdicts — without manual triage, without leaking credentials, and without alert fatigue.
What this workflow does
This workflow ingests passive DNS observations, enriches each indicator with multi-source threat intelligence, and uses Google Gemini as a senior security analyst to produce a single, defensible verdict per indicator. Every step that touches a secret pulls it from HashiCorp Vault at runtime, and only confirmed threats reach your inbox.
Problems it solves
Manual threat triage takes hours. A SOC analyst checking a suspicious indicator across VirusTotal, ThreatFox, and URLhaus, then writing up the verdict, typically spends 10-20 minutes per IoC. This workflow performs the same correlation in seconds and produces a structured report ready for review or downstream automation.
Hardcoded credentials are a breach waiting to happen. API keys, database passwords, and provider tokens commonly end up in workflow JSON, environment files, or git history. This workflow fetches every secret directly from HashiCorp Vault during execution, so credentials never live inside n8n configuration.
Alert fatigue trains analysts to ignore real threats. The AI agent applies a detection-first scoring model on a 1–5 scale, with email alerts firing only on confirmed malicious indicators (score ≥ 4). Clean traffic and low-signal noise are silently logged for trend analysis, not pushed to the operator.