Automate CrowdStrike Alerts with VirusTotal, Jira & Slack

This workflow automates processing of CrowdStrike detections by enriching threat data via VirusTotal, creating Jira tickets for incident tracking, and notifying teams on Slack for quick response. Save hours daily by transforming complex threat data into actionable alerts effortlessly.
Workflow Identifier: 1278
NODES in Use: Schedule Trigger, Item Lists, HTTP Request, Split In Batches, Wait, Set, Jira, Slack


Opening Problem Statement: David’s Daily Security Overload ⚙️

David is a cybersecurity analyst responsible for monitoring CrowdStrike alerts across his company’s endpoints. Every day, he faces a flood of new detection events—each one a potential threat. Manually verifying indicators of compromise (IOCs), cross-referencing hashes with VirusTotal, filing Jira tickets for incident response, and notifying the security team through Slack eats up several hours. Sometimes alerts slip through or lack vital context, delaying response and putting the enterprise at risk.

Imagine losing four hours daily just managing detections manually. Errors creep in due to the volume and complexity of threat data. David needs a smarter way to automate this workflow without compromising thorough analysis and rapid team notification.

What This Automation Does

This n8n workflow revolutionizes David’s daily routine by orchestrating the entire security alert lifecycle—from CrowdStrike detection ingestion to enriched threat intelligence, ticket creation, and instant team notifications. When triggered daily, the workflow:

  • Fetches new detection events from CrowdStrike using API calls.
  • Splits and processes each detection individually for granular analysis.
  • Extracts and analyzes behavioral indicators and hashes associated with detections.
  • Enriches threat data by querying VirusTotal for both SHA256 hashes and IOC values, respecting API rate limits with timed pauses.
  • Aggregates detailed behavior descriptions into a comprehensive format.
  • Automatically creates detailed Jira issues capturing CrowdStrike and VirusTotal threat intelligence for incident workflow tracking.
  • Posts contextual notifications to the designated Slack user, linking directly to the Jira ticket for rapid action.

By automating these steps, David saves an estimated 3-4 hours daily previously spent on manual lookups and ticketing. The security team gains higher fidelity alerts and instant engagement, reducing the risk of missed or delayed responses.

Prerequisites ⚙️

  • n8n account: To build and run the workflow.
  • CrowdStrike API client: A client ID and secret created in the Falcon console, used by the HTTP Request nodes through n8n's OAuth2 (client credentials) credential. Grant only the Detections read scope, plus write if you let the workflow update detection status.
  • VirusTotal API key: To enrich IOCs and file hashes. Check the key's quota before choosing wait times; the public tier allows 4 lookups per minute and 500 per day.
  • Jira Software Cloud account: To create and track issues. Use a service account with create-issue permission in the target project only.
  • Slack token: To post notifications. A bot token with the chat:write scope is preferable to a User OAuth Token, so alerts are posted by the automation rather than as an individual analyst.

Step-by-Step Guide to Build this Security Automation

1. Schedule Trigger to Run Daily
Navigate to Nodes → Schedule Trigger, add the node, and set it to run daily at midnight (or your preferred time). This triggers the entire workflow to start fetching new alerts daily.

2. Fetch Recent Detections from CrowdStrike
Add an HTTP Request node that uses the CrowdStrike OAuth2 credential. Set the method to GET and the URL to https://api.us-2.crowdstrike.com/detects/queries/detects/v1, with the query parameter filter set to the FQL expression status:'new' so only detections nobody has touched yet are returned. The host depends on the Falcon cloud your tenant lives in (api.crowdstrike.com for US-1, api.us-2.crowdstrike.com for US-2, api.eu-1.crowdstrike.com for EU-1); credentials issued in one cloud are not valid in another. The response is a JSON object whose resources array holds detection IDs only, and the endpoint pages with limit and offset, so a busy tenant needs a paging loop rather than a single call. CrowdStrike has announced the retirement of this legacy Detects API in favour of the Alerts API; check the API documentation for your tenant before building on these paths.

3. Split Out Detections for Individual Processing
Use the Item Lists node (Split Out Items) with resources as the field to split out, so each detection ID becomes its own item.

4. Get Detection Details
Add another HTTP Request node with the same CrowdStrike credential, method POST, URL https://api.us-2.crowdstrike.com/detects/entities/summaries/GET/v1, and a JSON body of { "ids": ["{{ $json.resources }}"] } (after the split, each item's resources field is a single ID). This returns the full detection summary: device details, severity, and the behaviors array consumed by the following steps.

5. Split In Batches
Attach a Split In Batches node with batch size 1 to handle one detection at a time, ensuring API limits are respected and detailed processing is manageable.

6. Split Out Behaviours
Add an Item Lists node to process each detection’s array of behavior objects found in resources[0].behaviors.

7. Pause to Respect VirusTotal Rate Limits
Insert a Wait node before the VirusTotal calls. The template pauses for 1 second, which only suits a premium key: the public VirusTotal API allows 4 lookups per minute and 500 per day, and steps 8 and 9 issue two lookups per behaviour, so on the public tier set the wait to 15 seconds or more and size the daily run against the quota.

8. Query VirusTotal with SHA256 Hash
Add an HTTP Request node that calls https://www.virustotal.com/api/v3/files/{{ $json.sha256 }}, taking the hash from the behaviour's sha256 field (the template's expression reads dsha256, which is not a field of the detection summary). Authenticate with a Header Auth credential that sends the API key in the x-apikey header. A 404 means VirusTotal has never seen the hash; treat that as unknown, not as clean.

9. Query VirusTotal for IOC Values
In parallel, add another HTTP Request node with the URL https://www.virustotal.com/api/v3/files/{{ $('Split out behaviours').item.json.ioc_value }} to look up the IOC attached to the behaviour. The /files/ collection only answers for hashes: when ioc_type is a domain or an IP address, point the node at /api/v3/domains/ or /api/v3/ip_addresses/ instead, and skip the lookup for IOC types VirusTotal does not index, such as registry keys and mutexes. When ioc_value is the same hash as sha256, this call duplicates step 8 and can be skipped to save quota.

10. Set Behavior Descriptions
Use a Set node to format a Markdown description including links to the CrowdStrike detection and the VirusTotal file reports, the engine detection counts, confidence level, user, and filename for clarity in ticketing and reporting. Filenames, command lines and IOC values are attacker-controlled strings: strip line breaks before interpolating them, and defang domains and URLs (evil[.]example, hxxp://) so nobody clicks a live indicator from the ticket or the Slack message.

11. Merge Behavior Descriptions
Use an Item Lists node to concatenate all behavior details into a single description for creating the Jira ticket.

12. Create Jira Issue
Add a Jira Software Cloud node configured to create an issue in your project. Map the summary, issue type, and description fields using values from the detection and enriched VirusTotal data. This automates tracking of all new alerts.

13. Post Notification on Slack
Add a Slack node to send a message to the concerned user or channel containing alert severity and a direct link to the created Jira ticket, prompting quick security team response.
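The per-behaviour logic of steps 6 to 13, as an added JavaScript example that is not part of the n8n template: it routes each IOC to the VirusTotal collection that can answer for it, turns a VirusTotal object into a verdict, defangs indicators, and assembles the Jira summary and description and the Slack text from a constructed detection summary. The CrowdStrike field names and ioc_type values, the Jira site URL and the sample data are assumptions; nothing here calls the network. The same functions fit an n8n Code node in place of the Set and Item Lists nodes.

```javascript
// Added example, not part of the n8n template: an offline model of what steps 6-13
// compute for one detection. Field names follow the CrowdStrike detection summary
// (detection_id, max_severity_displayname, device.hostname, behaviors[].sha256,
// ioc_type, ioc_value, filename, user_name, severity, confidence) and the VirusTotal
// v3 object (data.attributes.last_analysis_stats); the ioc_type strings, the Jira
// site and the sample data are assumptions. Nothing here touches the network.

const VT_API = 'https://www.virustotal.com/api/v3';

// Route an IOC to the VirusTotal collection that can answer for it. Querying /files/
// for every IOC, as the template does, only works when the IOC is a hash.
function vtLookupUrl(iocType, iocValue) {
  switch (iocType) {
    case 'hash_sha256': case 'hash_sha1': case 'hash_md5':
      return `${VT_API}/files/${iocValue}`;
    case 'domain':
      return `${VT_API}/domains/${iocValue}`;
    case 'ipv4': case 'ipv6':
      return `${VT_API}/ip_addresses/${iocValue}`;
    case 'url': // VT keys URL objects by the unpadded base64url of the URL string
      return `${VT_API}/urls/${Buffer.from(iocValue).toString('base64url')}`;
    default:
      return null; // registry keys, mutexes, command lines: nothing to look up
  }
}

// Reduce a VirusTotal object to a verdict. A 404 body has no attributes: the hash
// has never been seen, which is not the same as clean.
function vtVerdict(vtBody) {
  const stats = vtBody?.data?.attributes?.last_analysis_stats;
  if (!stats) return { known: false, malicious: 0, total: 0 };
  const total = Object.values(stats).reduce((a, b) => a + b, 0);
  return { known: true, malicious: stats.malicious ?? 0, total };
}

// Behaviour fields are attacker-controlled strings: collapse control characters so a
// crafted filename cannot inject extra lines into the ticket.
const plain = (s) => String(s ?? '').replace(/[\u0000-\u001f\u007f]+/g, ' ');

// Defang domains and URLs so nobody clicks a live indicator from Jira or Slack.
const defang = (s) => plain(s).replace(/^http/i, 'hxxp').replace(/\./g, '[.]');

function describeBehavior(b, vtBody) {
  const v = vtVerdict(vtBody);
  const vtText = v.known ? `${v.malicious}/${v.total} engines flag it` : 'not known to VirusTotal';
  const lines = [
    `* ${plain(b.tactic)} / ${plain(b.technique)} (severity ${b.severity}, confidence ${b.confidence})`,
    `  user: ${plain(b.user_name)}, file: ${plain(b.filename)}`,
    `  sha256: ${b.sha256} (${vtText}) https://www.virustotal.com/gui/file/${b.sha256}`,
  ];
  // The IOC is often the same hash again; list it only when it adds information.
  if (b.ioc_value && b.ioc_value !== b.sha256) {
    lines.push(`  ioc (${plain(b.ioc_type)}): ${defang(b.ioc_value)}`);
  }
  return lines.join('\n');
}

// Jira summary and description for one detection (step 12).
function buildTicket(detection, vtByHash) {
  const host = plain(detection.device?.hostname);
  const n = detection.behaviors.length;
  const summary = `[${detection.max_severity_displayname}] CrowdStrike detection on ${host} ` +
    `(${n} behaviour${n === 1 ? '' : 's'})`;
  const body = detection.behaviors.map((b) => describeBehavior(b, vtByHash[b.sha256])).join('\n\n');
  return { summary, description: `Detection ${detection.detection_id} on ${host}\n\n${body}` };
}

// Slack text pointing at the created issue (step 13). jiraBaseUrl is your Jira site.
function slackMessage(detection, ticketKey, jiraBaseUrl) {
  return `:rotating_light: ${detection.max_severity_displayname} CrowdStrike detection on ` +
    `${plain(detection.device?.hostname)}: ${jiraBaseUrl}/browse/${ticketKey}`;
}

// Constructed sample: one detection summary trimmed to the fields used above, and the
// VirusTotal responses for its two hashes (the second one was a 404).
const SAMPLE_DETECTION = {
  detection_id: 'ldt:0123456789abcdef0123456789abcdef:1234567890',
  max_severity_displayname: 'High',
  device: { hostname: 'WS-FINANCE-07' },
  behaviors: [
    { tactic: 'Execution', technique: 'PowerShell', severity: 70, confidence: 80,
      user_name: 'jdoe', filename: 'powershell.exe', sha256: 'a'.repeat(64),
      ioc_type: 'domain', ioc_value: 'update.example.net' },
    { tactic: 'Defense Evasion', technique: 'Process Hollowing', severity: 90, confidence: 100,
      user_name: 'jdoe', filename: 'svchost.exe\r\nInjected line', sha256: 'b'.repeat(64),
      ioc_type: 'hash_sha256', ioc_value: 'b'.repeat(64) },
  ],
};
const SAMPLE_VT = {
  ['a'.repeat(64)]: { data: { attributes: { last_analysis_stats:
    { harmless: 60, malicious: 3, suspicious: 1, undetected: 8, timeout: 0 } } } },
  ['b'.repeat(64)]: { error: { code: 'NotFoundError' } },
};

function runSample() {
  const ticket = buildTicket(SAMPLE_DETECTION, SAMPLE_VT);
  return { ticket, slack: slackMessage(SAMPLE_DETECTION, 'SEC-42', 'https://example.atlassian.net') };
}

console.log(runSample().ticket.description);
```

Two design points carry over to the n8n nodes: the verdict distinguishes "never seen" from "clean" so a 404 does not close a ticket early, and every attacker-controlled string passes through plain() or defang() before it reaches Jira or Slack.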

Customizations ✏️

  • Change Slack Recipient User: In the Slack node, update the user field to alert a different security team member or channel.
  • Adjust VirusTotal Rate Limit Timing: Modify the Wait node duration to speed up or slow down calls based on your subscription quota.
  • Expand Jira Ticket Fields: Add extra fields like priority or labels in the Jira node to match your organization’s incident response processes.
  • Enable CrowdStrike Detection Fetch: The template ships with the two CrowdStrike HTTP Request nodes deactivated so it runs on sample data; activate them to fetch live detections.
  • Add Email Notifications: Insert an Email node after Jira creation to send alert summaries to executives or compliance teams.

Troubleshooting 🔧

  • Problem: CrowdStrike API returns authentication failure.
    Cause: Wrong client ID or secret, a base URL for a different Falcon cloud than the one the API client was created in, or an API client that lacks the Detections read scope (a 403 rather than a 401 points to the scope). Bearer tokens expire after 30 minutes; the OAuth2 credential in n8n refreshes them, so an expired token only surfaces when the credential itself is broken.
    Solution: Recreate or reauthorize the credential in n8n Settings → Credentials, confirm the base URL matches your cloud, and check the API client's scopes in the Falcon console.
  • Problem: VirusTotal returns HTTP 429 (rate limited).
    Cause: More requests than the key's per-minute or daily quota allows.
    Solution: Increase the Wait node delay (15 seconds or more on the public API), honour the Retry-After header when the response carries one, skip redundant lookups, or move to a key with a higher quota. Do not let a 429 flow into the ticket as "no VirusTotal data".
  • Problem: Jira issue not created or missing fields.
    Cause: Incorrect project key or issue type, or a required field on the project's create screen that the node does not set.
    Solution: Double-check the Jira node's project key and issue type selection, and compare the fields it sends with the project's required fields.
  • Problem: Slack messages not sent.
    Cause: The token lacks the chat:write scope, the app is not a member of the target channel, or the user/channel ID is wrong.
    Solution: Verify the Slack credential's scopes, invite the app to the channel, and check the user/channel IDs.
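The pacing behind step 7 and the 429 handling from the troubleshooting list, as an added JavaScript example that is not part of the template: minIntervalMs and planRun size the Wait node against a VirusTotal quota, nextAction is the retry policy for one response (Retry-After wins over exponential backoff, a 404 is "unknown" and never retried, 401/403 fail fast), and lookupWithRetry drives that policy over a scripted list of responses standing in for the HTTP call, recording waits instead of sleeping. The quota figures are VirusTotal's published public-API limits; the scripted responses are constructed.

```javascript
// Added example, not from the template: pacing and retry policy for VirusTotal lookups,
// written as pure functions so it can be exercised offline. Public-API quota figures
// (4 lookups/minute, 500/day) are VirusTotal's published limits; the responses used in
// runScenario() are constructed.

// Spacing needed between lookups to stay inside a per-minute quota.
function minIntervalMs(requestsPerMinute) {
  return Math.ceil(60000 / requestsPerMinute);
}

// Size a run: steps 8 and 9 issue two lookups per behaviour, so the daily quota, not
// just the per-minute one, bounds how many behaviours one run can enrich.
function planRun(behaviourCount, { perMinute, perDay, lookupsPerBehaviour = 2 }) {
  const lookups = behaviourCount * lookupsPerBehaviour;
  const waitMs = minIntervalMs(perMinute);
  return {
    lookups,
    waitMs,
    runSeconds: Math.ceil((lookups * waitMs) / 1000),
    withinDailyQuota: lookups <= perDay,
  };
}

// Decide what to do with one HTTP response. Retry-After (seconds) wins over the
// exponential backoff when present; the default base delay matches the public tier.
function nextAction(status, retryAfterHeader, attempt, { maxAttempts = 4, baseDelayMs = 15000 } = {}) {
  if (status === 200) return { action: 'done' };
  if (status === 404) return { action: 'unknown' }; // object never seen: do not retry
  const transient = status === 429 || status >= 500;
  if (!transient) return { action: 'fail', reason: `HTTP ${status}` }; // bad key, scope, etc.
  if (attempt >= maxAttempts) return { action: 'fail', reason: `gave up after ${attempt} attempts` };
  const retryAfter = Number(retryAfterHeader);
  const waitMs = Number.isFinite(retryAfter) && retryAfter > 0
    ? retryAfter * 1000
    : baseDelayMs * 2 ** (attempt - 1);
  return { action: 'retry', waitMs };
}

// Drive the policy. `send` stands in for the HTTP call (the HTTP Request node, or
// fetch in a Code node) and returns { status, headers, body }; the waits are recorded
// rather than slept so the run is reproducible, and would feed a Wait node in n8n.
function lookupWithRetry(send, url, options) {
  const waits = [];
  for (let attempt = 1; ; attempt++) {
    const res = send(url);
    const next = nextAction(res.status, res.headers['retry-after'], attempt, options);
    if (next.action === 'retry') { waits.push(next.waitMs); continue; }
    return { ...next, attempts: attempt, waits, body: res.body };
  }
}

// Scripted stand-in for the HTTP call; repeats the last response once exhausted.
function makeScriptedSend(responses) {
  let i = 0;
  return () => responses[Math.min(i++, responses.length - 1)];
}

// Constructed scenario: throttled twice (once with Retry-After), then answered.
function runScenario() {
  const send = makeScriptedSend([
    { status: 429, headers: { 'retry-after': '45' }, body: null },
    { status: 429, headers: {}, body: null },
    { status: 200, headers: {}, body: { data: { id: 'a'.repeat(64) } } },
  ]);
  return lookupWithRetry(send, `https://www.virustotal.com/api/v3/files/${'a'.repeat(64)}`);
}

console.log(planRun(30, { perMinute: 4, perDay: 500 }), runScenario());
```

The split between nextAction and the driver is deliberate: the policy can be unit-tested with scripted responses, and the same function decides the Wait node's duration whether the call is made from a Code node or from the HTTP Request node's error output.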

Pre-Production Checklist ✅

  • Verify CrowdStrike OAuth2 credentials with a test call against the detection query endpoint.
  • Confirm the CrowdStrike API client carries only the Detections read scope (plus write if the workflow updates detection status), and that the Slack and Jira identities are limited to the channel and project the workflow uses.
  • Test the VirusTotal HTTP request independently with a known SHA256 hash, and once with a hash VirusTotal has never seen to confirm the 404 path is handled as "unknown".
  • Ensure Jira credentials have create issue permission in the selected project.
  • Validate the Slack token with a simple test message.
  • Confirm the batch size of 1 in Split In Batches to handle API call throttling.
  • Run a dry test triggering the workflow manually and check outputs at each node, then run it a second time to confirm detections ticketed on the first run are not ticketed again.

Deployment Guide

After verifying all credentials and configurations, activate the Schedule Trigger node to enable daily execution. Monitor executions through n8n's workflow run logs to catch API errors, and adjust the wait time or batch size if rate limits are approached. One gap to close before go-live: the query filters on status:'new' and nothing in the workflow changes that status, so the same detections come back on every run and would be ticketed again. Either update the processed detections to in_progress through the Detects API (PATCH /detects/entities/detects/v2 with the IDs and the new status) after the Jira issue is created, or keep a record of ticketed detection IDs and filter them out. Alerts will then flow automatically through CrowdStrike detections, VirusTotal enrichment, Jira ticket logging, and Slack team notifications, supplying your security team with timely, actionable intelligence.

FAQs

  • Q: Can I substitute VirusTotal with another threat intelligence service?
    A: Yes, by replacing VirusTotal HTTP Request nodes with other API calls, adjusting authentication and URL structure accordingly.
  • Q: Does this consume many API credits?
    A: VirusTotal and CrowdStrike APIs use rate limits—consider your API tier and adjust wait times to avoid overages.
  • Q: Is my incident data secure?
    A: n8n stores credentials encrypted, but the workflow itself handles hostnames, usernames, file hashes and IOCs, so run it in an environment you control, restrict who can open the workflow and its execution logs (they retain every node's output), and give each API identity the least privilege it needs. Hash and IOC lookups do not send file contents to VirusTotal, but they do reveal to a third party what you are investigating; never switch the file lookups to an upload endpoint for samples you cannot share.
  • Q: Can I scale this for thousands of detections?
    A: The detection query endpoint pages its results with limit and offset, so add a paging loop. At two VirusTotal lookups per behaviour, budget each run against your daily quota before raising the batch size or parallelising, and keep a single pacing point for VirusTotal so parallel branches do not exceed the per-minute limit together.

Conclusion

By following this guide, you’ve created a powerful automation that transforms the painful manual process of analyzing CrowdStrike alerts into a seamless daily routine. This workflow enriches detection data with VirusTotal insights, auto-generates Jira tickets for incident tracking, and instantly notifies your Slack team to accelerate response times.

David now saves hours every day, reduces human error, and improves security posture by acting on high-confidence alerts faster. Next, you might explore integrating automated remediation actions or expanding to other endpoint detection platforms to build a comprehensive security operations automation ecosystem. Keep optimizing and automating your security workflows for maximum protection and efficiency.
