This article provides a complete, practical walkthrough of the Manual Cortex Import Triggered n8n agent. It connects HTTP Request, Webhook across approximately 1 node(s). Expect a Intermediate setup in 15-45 minutes. One‑time purchase: €29.

What This Agent Does

This agent orchestrates a reliable automation between HTTP Request, Webhook, handling triggers, data enrichment, and delivery with guardrails for errors and rate limits.

It streamlines multi‑step processes that would otherwise require manual exports, spreadsheet cleanup, and repeated API requests. By centralizing logic in n8n, it reduces context switching, lowers error rates, and ensures consistent results across teams.

Typical outcomes include faster lead handoffs, automated notifications, accurate data synchronization, and better visibility via execution logs and optional Slack/Email alerts.

How It Works

The workflow uses standard n8n building blocks like Webhook or Schedule triggers, HTTP Request for API calls, and control nodes (IF, Merge, Set) to validate inputs, branch on conditions, and format outputs. Retries and timeouts improve resilience, while credentials keep secrets safe.

Third‑Party Integrations

• HTTP Request
• Webhook

Import and Use in n8n

1. Open n8n and create a new workflow or collection.
2. Choose Import from File or Paste JSON.
3. Paste the JSON below, then click Import.
4. Show n8n JSON

   Title:
   Automating Threat Intelligence: Analyzing URLs with Cortex and n8n
   
   Meta Description:
   Learn how to build an automated workflow in n8n using Cortex to analyze a URL for potential abuse and extract job details efficiently. A step-by-step breakdown of a cybersecurity automation setup.
   
   Keywords:
   n8n, automation, Cortex, cybersecurity, threat intelligence, Abuse Finder, URL analysis, n8n workflow, Cortex API, job status, cyber threat detection
   
   Third-Party APIs Used:
   
   - Cortex API by TheHive Project (https://www.strangebee.com/cortex): A powerful and extensible analysis engine used for observable enrichment and threat detection.
   
   Article:
   
   In the world of cybersecurity automation, integrating tools like Cortex with visual workflow platforms such as n8n can significantly reduce manual effort and speed up threat detection. This article breaks down an n8n workflow designed to automate the process of analyzing a URL using Cortex’s “Abuse Finder 3.0” analyzer and collecting the results for further use or review.
   
   What is n8n?
   
   n8n (pronounced “n-eight-n”) is an open-source workflow automation tool that enables users to visually build integrations between different services, APIs, and logic nodes without writing complex code. It’s especially useful for connecting cybersecurity tools, performing repetitive operations, and consolidating threat intelligence data.
   
   What is Cortex?
   
   Cortex by TheHive Project is an open-source, scalable analysis engine designed to automatically analyze data collected during threat investigations. Security teams can submit observables like IPs, domains, URLs, hashes, and more to Cortex, which then uses its suite of analyzers to return contextual information that helps with decision-making, investigations, and alerts.
   
   Overview of the Workflow: Analyzing a URL and Retrieving Details
   
   This specific n8n workflow is built with the goal of submitting a URL to Cortex for abuse analysis and then retrieving the job results based on the job ID returned by Cortex.
   
   It consists of three main nodes:
   
   1. Manual Trigger Node — “On clicking ‘execute’”
   2. Cortex Analyzer Node — “Cortex”
   3. Cortex Job Status Node — “Cortex1”
   
   Let’s go through each component step by step.
   
   Step 1: Manual Trigger to Initiate Workflow
   
   The workflow begins with a Manual Trigger node labeled “On clicking ‘execute’.” This node allows the user to trigger the automation manually from within the n8n UI. While this can be changed to an HTTP trigger or scheduled trigger for more automated use cases, the manual approach is ideal for testing and controlled execution.
   
   Step 2: Submitting URL to Cortex for Analysis
   
   The second node, labeled simply as “Cortex,” initiates the core functionality of the workflow. This node employs the Cortex API and is set up to analyze a specific URL using an analyzer named Abuse_Finder_3_0. This analyzer helps identify potentially malicious or abusive characteristics of the provided observable — in this case, the URL https://n8n.io.
   
   Here are the key parameters:
   
   - Analyzer: f4abc1b633b80f45af165970793fd4fd::Abuse_Finder_3_0
   - Observable Type: url
   - Observable Value: https://n8n.io
   
   The node submits a job to Cortex to perform the analysis and returns vital information, including a unique job ID.
   
   Step 3: Retrieving the Cortex Job Details
   
   Once the analysis job is submitted, we need to gather the results. The third node, “Cortex1,” takes the job ID output from the previous node and makes another Cortex API call—this time to retrieve the job’s status and results.
   
   Specifically, the node accesses:
   
   - Resource: job
   - Job ID: dynamically retrieved from the previous Cortex node using a variable expression {{ $node["Cortex"].json["_id"] }}
   
   This dynamic reference ensures that the job details are tied specifically to the analysis request sent in the prior step.
   
   Using these results, users can determine whether the URL was found to be associated with malicious activity, phishing attempts, or other forms of abuse. From here, the results can be displayed, logged, or used to trigger downstream actions, such as alerting a team member or enriching a security dashboard.
   
   Benefits of the Workflow
   
   - Efficiency: Automatically submitting URLs to Cortex eliminates repetitive manual steps.
   - Real-time Intelligence: Retrieving live job statuses ensures up-to-date intelligence without waiting.
   - Integration Ready: Results can be forwarded to Slack, emails, ticketing systems, or other platforms using additional n8n nodes.
   
   Extend the Workflow Further
   
   This is just the beginning. You can add more nodes to:
   - Submit multiple URLs or other observables (e.g., file hashes, IPs)
   - Filter job results for alert-level threats
   - Store results in a database for audit purposes
   - Trigger actions based on specific flags (e.g., alert a SecOps team via Slack)
   
   Conclusion:
   
   With just three nodes, this simple but powerful n8n workflow demonstrates how you can leverage Cortex to analyze cyber observables like URLs on-demand. Whether you’re part of a small IT team or a full-fledged SOC, integrating Cortex with n8n opens the door to scalable and adaptable threat intelligence automation.
   
   Try it yourself, and unlock the full potential of automated cybersecurity workflows!
   
   — Powered by n8n & Cortex.

5. Set credentials for each API node (keys, OAuth) in Credentials.
6. Run a test via Execute Workflow. Inspect Run Data, then adjust parameters.
7. Enable the workflow to run on schedule, webhook, or triggers as configured.

Tips: keep secrets in credentials, add retries and timeouts on HTTP nodes, implement error notifications, and paginate large API fetches.

Validation: use IF/Code nodes to sanitize inputs and guard against empty payloads.

Why Automate This with AI Agents

AI‑assisted automations offload repetitive, error‑prone tasks to a predictable workflow. Instead of manual copy‑paste and ad‑hoc scripts, your team gets a governed pipeline with versioned state, auditability, and observable runs.

n8n’s node graph makes data flow transparent while AI‑powered enrichment (classification, extraction, summarization) boosts throughput and consistency. Teams reclaim time, reduce operational costs, and standardize best practices without sacrificing flexibility.

Compared to one‑off integrations, an AI agent is easier to extend: swap APIs, add filters, or bolt on notifications without rewriting everything. You get reliability, control, and a faster path from idea to production.

Best Practices

• Credentials: restrict scopes and rotate tokens regularly.
• Resilience: configure retries, timeouts, and backoff for API nodes.
• Data Quality: validate inputs; normalize fields early to reduce downstream branching.
• Performance: batch records and paginate for large datasets.
• Observability: add failure alerts (Email/Slack) and persistent logs for auditing.
• Security: avoid sensitive data in logs; use environment variables and n8n credentials.

FAQs

Can I swap integrations later? Yes. Replace or add nodes and re‑map fields without rebuilding the whole flow.

How do I monitor failures? Use Execution logs and add notifications on the Error Trigger path.

Does it scale? Use queues, batching, and sub‑workflows to split responsibilities and control load.

Is my data safe? Keep secrets in Credentials, restrict token scopes, and review access logs.