This article provides a complete, practical walkthrough of the Wait Webhook Send Webhook n8n agent. It connects HTTP Request, Webhook across approximately 1 node(s). Expect a Intermediate setup in 15-45 minutes. One‑time purchase: €29.

What This Agent Does

This agent orchestrates a reliable automation between HTTP Request, Webhook, handling triggers, data enrichment, and delivery with guardrails for errors and rate limits.

It streamlines multi‑step processes that would otherwise require manual exports, spreadsheet cleanup, and repeated API requests. By centralizing logic in n8n, it reduces context switching, lowers error rates, and ensures consistent results across teams.

Typical outcomes include faster lead handoffs, automated notifications, accurate data synchronization, and better visibility via execution logs and optional Slack/Email alerts.

How It Works

The workflow uses standard n8n building blocks like Webhook or Schedule triggers, HTTP Request for API calls, and control nodes (IF, Merge, Set) to validate inputs, branch on conditions, and format outputs. Retries and timeouts improve resilience, while credentials keep secrets safe.

Third‑Party Integrations

• HTTP Request
• Webhook

Import and Use in n8n

1. Open n8n and create a new workflow or collection.
2. Choose Import from File or Paste JSON.
3. Paste the JSON below, then click Import.
4. Show n8n JSON

   Title:
   Automating Threat Intelligence: URL & IP Reputation Scanning with VirusTotal and Greynoise in n8n
   
   Meta Description:
   Learn how to automate URL and IP reputation scanning using n8n, VirusTotal, and Greynoise APIs. This workflow collects threat intelligence, performs DNS lookups, and delivers security reports via Slack and email.
   
   Keywords:
   n8n workflow, VirusTotal API, Greynoise API, threat intelligence automation, IP reputation, URL scanning, DNS lookup, cybersecurity automation, email security reports, Slack notifications
   
   Third-Party APIs Used:
   
   1. VirusTotal API — https://www.virustotal.com/
      - Used for submitting and retrieving URL scan results, including detection stats and matches from threat providers like OpenPhish and BlockList.
   
   2. Greynoise API (Enterprise) — https://www.greynoise.io/
      - Used for enriching IP data, providing classification, trust level, tags, and real-world internet exposure context via RIOT and Noise lookups.
   
   3. Google DNS over HTTPS API — https://dns.google/
      - Utilized for resolving domain names to IP addresses to ensure consistent threat assessment, even when the input is a domain.
   
   Article:
   
   In an era where cyber threats evolve faster than most organizations can respond, automating threat intelligence collection and response is quickly becoming a must rather than a luxury. Using n8n, an open-source workflow automation tool, cybersecurity teams can now implement a powerful phishing, malware, and suspicious activity detection workflow that scans URLs and IP addresses through VirusTotal and Greynoise APIs. The following overview explains how this advanced yet user-friendly workflow allows teams to assess and act upon potential threats with zero manual analysis.
   
   🧩 Workflow Overview
   
   The n8n workflow is designed to accept either manual form inputs or programmatic API submissions containing a list of URLs or IP addresses. Each item goes through a multi-step processing pipeline that:
   
   - Detects the type of input (IP or URL)
   - Resolves domain names to IPs using Google's DNS service
   - Submits URLs to VirusTotal for malware/phishing reputation analysis
   - Queries Greynoise for behavioral insights on IPs
   - Aggregates results and delivers reports to Slack and via email
   
   This ensures that non-security teams can seamlessly interface with sophisticated threat intel tools just by submitting URLs via a simple form or HTTP request.
   
   🧬 Standardizing Input & DNS Resolution
   
   The first critical component of the pipeline is input standardization. Whether the data comes from a form (via the “Form Trigger” node) or a webhook/API submission, the input is always broken down into independent URLs/IPs. These inputs are then checked with a regular expression to determine whether they are IP addresses.
   
   If the input is a domain (e.g., facebook.com), the workflow leverages Google DNS over HTTPS to resolve it into an IP address. This guarantees that subsequent enrichment steps using IP-based APIs like Greynoise function correctly.
   
   🎯 VirusTotal API Integration
   
   For each URL, n8n submits a scan request to the VirusTotal API. Because scans are asynchronous, the workflow includes a control loop that checks if the scan is complete every 5 seconds. Once ready, the scan results are retrieved and parsed to extract key indicators from vendors like OpenPhish and BlockList, and categorize the threat based on scan statistics—malicious, suspicious, harmless, and undetected.
   
   The system even includes safety nets: if the scan isn’t ready, a wait node and a loop ensure it doesn’t overwhelm the API with requests or timeout prematurely.
   
   🌐 Greynoise Behavioral Intelligence
   
   Parallel to VirusTotal scanning, the resolved IP addresses are enriched using Greynoise's Noise and RIOT APIs. These services classify IPs based on whether they’re seen engaging in benign internet scanning (like search engine crawlers), harmful behaviors (botnets, malware), or are safe (home routers, CDNs). The classification, trust level, location, category, and behavioral tags give security analysts additional context to assess risk.
   
   📬 Reporting & Alerts (Slack + Email)
   
   Upon completing the enrichment phases, n8n merges results from VirusTotal and Greynoise using the common IP address field. The final merged intelligence data is then used to generate full reports:
   
   - Slack: A formatted message sent to a designated channel (e.g. #notifications)
   - Email: A rich HTML report sent to the original requester’s email, making it easy to forward or escalate to incident response teams
   
   Each report clearly summarizes scan statistics, threat classifications, tags, and the final verdict—whether the item is harmless or potentially malicious.
   
   🔐 Security & Best Practices
   
   To maintain operational integrity and minimize false positives or erroneous scans:
   
   - Inputs must be well-formatted. URLs should not contain typos or malformed structures.
   - This workflow assumes sanitized input; no deep validation is performed.
   - Users must configure their respective API credentials within n8n’s credential system.
   
   Special care is taken to adhere to API rate limits—particularly VirusTotal's free tier limit of 500 requests/day and four/min. Instead of concurrent polling, the wait-loop mechanism paces requests strategically.
   
   🚀 How to Use
   
   - Use the interactive form at: https://n8n.domain.com/webhook-test/url-scan-form
   - Or make a silent POST request to: https://n8n.domain.com/webhook/url-scan-form
   - Example submission JSON:
     ```json
     {
       "email": "user@example.com",
       "data": [
         { "url": "1.1.1.1" },
         { "url": "facebook.com" }
       ]
     }
     ```
   The workflow processes each item, determines the asset type, enriches it, and delivers a complete threat report—all with no human intervention.
   
   📌 Final Thoughts
   
   Combining the analytical power of VirusTotal and Greynoise in an n8n workflow enables security and non-technical teams alike to triage and assess threats faster, smarter, and more collaboratively. Whether you wish to detect phishing links or understand suspicious IP behaviors, this automated solution gives you full visibility without sacrificing usability.
   
   For teams looking to extend this even further, the workflow can integrate with SIEMs, ticketing systems, or SOAR platforms—transforming threat intel into automated defenses.
   
   By democratizing access to actionable intelligence, n8n makes threat detection not only easier—but also beautifully automated.

5. Set credentials for each API node (keys, OAuth) in Credentials.
6. Run a test via Execute Workflow. Inspect Run Data, then adjust parameters.
7. Enable the workflow to run on schedule, webhook, or triggers as configured.

Tips: keep secrets in credentials, add retries and timeouts on HTTP nodes, implement error notifications, and paginate large API fetches.

Validation: use IF/Code nodes to sanitize inputs and guard against empty payloads.

Why Automate This with AI Agents

AI‑assisted automations offload repetitive, error‑prone tasks to a predictable workflow. Instead of manual copy‑paste and ad‑hoc scripts, your team gets a governed pipeline with versioned state, auditability, and observable runs.

n8n’s node graph makes data flow transparent while AI‑powered enrichment (classification, extraction, summarization) boosts throughput and consistency. Teams reclaim time, reduce operational costs, and standardize best practices without sacrificing flexibility.

Compared to one‑off integrations, an AI agent is easier to extend: swap APIs, add filters, or bolt on notifications without rewriting everything. You get reliability, control, and a faster path from idea to production.

Best Practices

• Credentials: restrict scopes and rotate tokens regularly.
• Resilience: configure retries, timeouts, and backoff for API nodes.
• Data Quality: validate inputs; normalize fields early to reduce downstream branching.
• Performance: batch records and paginate for large datasets.
• Observability: add failure alerts (Email/Slack) and persistent logs for auditing.
• Security: avoid sensitive data in logs; use environment variables and n8n credentials.

FAQs

Can I swap integrations later? Yes. Replace or add nodes and re‑map fields without rebuilding the whole flow.

How do I monitor failures? Use Execution logs and add notifications on the Error Trigger path.

Does it scale? Use queues, batching, and sub‑workflows to split responsibilities and control load.

Is my data safe? Keep secrets in Credentials, restrict token scopes, and review access logs.