This workflow automates the process of scanning URLs or IP addresses for potential threats using VirusTotal and Greynoise. It standardizes inputs (URLs or IPs), enriches them with DNS resolution when needed, and consolidates intelligence reports. Results are automatically shared with users via Slack or Email, enabling fast detection and response without needing to manually query threat intel platforms.
Key Features
- 📥 Multiple Input Options
  - Accepts URLs/IPs via webhook, API, or web form.
  - Supports bulk submissions with associated email addresses.
- 🌐 DNS & IP Resolution
  - Detects whether the input is a URL or IP.
  - Performs DNS lookups to extract IPs from domains.
- 🛡 VirusTotal Integration
  - Submits URLs for scanning.
  - Waits and loops until scan results are ready.
  - Collects malicious/suspicious/harmless stats, blocklist, and phishing flags.
- ⚡ Greynoise Integration
  - Checks IPs against Greynoise Noise and RIOT databases.
  - Provides trust level, classification, location, category, and tags.
- 📊 Threat Report Generation
  - Merges results from VirusTotal and Greynoise into a single report.
  - Summarizes risks (Harmless ✅ vs. Malicious 🚨).
- 📢 Automated Reporting
  - Sends reports via Slack (team notifications).
  - Emails detailed results directly to requesters.
- 🧩 Flexible Usage
  - Easy-to-use form trigger for non-technical users.
  - API/webhook mode for automated integrations.
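
The input standardization and report merge described above, sketched in Python as an added example (not the workflow's own code). The function names, the dict keys used for the VirusTotal and Greynoise results, and the verdict thresholds are assumptions; the sample values are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def classify_indicator(raw, resolve=socket.gethostbyname):
    """Standardize one submitted value into {'kind', 'url', 'ip'}."""
    value = raw.strip()
    try:
        return {"kind": "ip", "url": None, "ip": str(ipaddress.ip_address(value))}
    except ValueError:
        pass  # not a bare IP, so treat it as a URL or domain
    url = value if "://" in value else "http://" + value
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"not a URL or IP: {raw!r}")
    try:
        ip = str(ipaddress.ip_address(host))  # URL whose host is an IP literal
    except ValueError:
        try:
            ip = resolve(host)  # DNS lookup for a domain
        except OSError:
            ip = None  # unresolvable: the URL is still scanned, IP lookup skipped
    return {"kind": "url", "url": url, "ip": ip}

def build_report(indicator, vt_stats=None, gn=None):
    """Merge both sources into one verdict (thresholds are assumptions)."""
    vt_stats, gn = vt_stats or {}, gn or {}
    reasons = []
    if vt_stats.get("malicious", 0) > 0:
        reasons.append(f"VirusTotal: {vt_stats['malicious']} engine(s) flag malicious")
    if gn.get("classification") == "malicious":
        reasons.append("Greynoise: classified malicious")
    if reasons:
        verdict = "malicious"
    elif vt_stats.get("suspicious", 0) > 0:
        verdict = "suspicious"
        reasons.append(f"VirusTotal: {vt_stats['suspicious']} engine(s) flag suspicious")
    elif not vt_stats and not gn:
        verdict = "unknown"  # no data is not the same as harmless
    else:
        verdict = "harmless"
    return {**indicator, "verdict": verdict, "reasons": reasons}

if __name__ == "__main__":
    # Constructed sample data: stub resolver and made-up source results.
    fake_dns = {"example.com": "203.0.113.7"}.__getitem__
    ind = classify_indicator(" example.com/login ", resolve=fake_dns)
    print(build_report(ind, {"malicious": 3, "suspicious": 1, "harmless": 60},
                       {"classification": "benign", "riot": True}))
```

Keeping "unknown" separate from "harmless" prevents a failed or empty lookup from being reported to the requester as a clean result.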
