Malicious File Detection & Response: Wazuh to VirusTotal with Slack Alerts

Malicious File Detection & Threat Summary Automation using Wazuh + VirusTotal + n8n

This workflow helps SOC teams automate the detection and reporting of potentially malicious files using Wazuh alerts, VirusTotal hash validation, and integrated summary/report generation. It's ideal for analysts who want instant context and communication for file-based threats — without writing a single line of code.

What It Does

When Wazuh detects a suspicious file:

Ingests Wazuh Alert**
A webhook node captures incoming alerts containing file hashes (SHA256/MD5).

Parses IOCs**
Extracts relevant indicators (file hash, filename, etc.).

Validates with VirusTotal**
Automatically checks the file hash reputation using VirusTotal's threat intelligence API.

Generates Human-Readable Summary**
Outputs a structured file report.

Routes Alerts Based on Threat Level**
Sends a formatted email with the file summary using Gmail.
If the file is deemed malicious/suspicious: Creates a file-related incident ticket.
Sends an instant Slack alert to notify the team.

Tech Stack Used

Wazuh** – For endpoint alerting
VirusTotal API** – For real-time hash validation
n8n** – To orchestrate, parse, enrich, and communicate
Slack, Gmail, Incident Tool** – To notify and take action

Ideal Use Case

This template is designed for security teams looking to automate file threat triage, IOC validation, and alert-to-ticket escalation, with zero human delay.

Included Nodes

Webhook** (Wazuh) Function** (IOC extraction and summary) HTTP Request** (VirusTotal) If / Switch** (threat level check) Gmail, **Slack, Incident Creation

Tips

Make sure to add your VirusTotal API key in the HTTP node.
Customize the incident creation node to fit your ticketing platform (Jira, ServiceNow, etc.).
Add logic to enrich the file alert further using WHOIS or sandbox reports if needed.