Back to Templates
🧩 Template Description
File Hash Reputation Checker is a security automation workflow that validates file hashes (MD5, SHA1, SHA256) and checks their reputation using the VirusTotal API. It is designed for SOC teams, security engineers, and automation pipelines that need fast and consistent malware verdicts from a single hash input.
The workflow supports two input methods:
-
An HTTP webhook for API-based integrations
-
A Slack slash command (
/hash-check) for quick analyst-driven checks directly from Slack
Once a hash is submitted, the workflow normalizes and validates the input, queries VirusTotal for detection statistics, and determines whether the file is Malicious, Suspicious, Clean, or Unknown. Results are returned as a structured JSON response and also posted to Slack with severity-based formatting.
⚙️ How It Works
-
A file hash is submitted via HTTP POST or Slack using
/hash-check FILE_HASH. -
The hash is normalized (lowercased and trimmed).
-
The workflow validates the hash format (MD5, SHA1, or SHA256).
-
VirusTotal is queried for hash reputation data.
-
Detection statistics are analyzed to calculate a verdict:
- Malicious
- Suspicious
- Clean
- Unknown
-
A Slack message is sent for all verdicts, with alert-style formatting for malicious results.
-
A structured JSON response is returned to the requester.
🛠️ Setup Steps
-
VirusTotal API
-
Create or use an existing VirusTotal account.
-
Add your API key to n8n as VirusTotal API credentials.
-
-
Slack Configuration
- Create a Slack App.
- Enable Slash Commands and create
/hash-check. - Set the Request URL to the n8n webhook endpoint.
- Connect your Slack account in n8n credentials.
-
Activate the Workflow
-
Activate the workflow in n8n.
-
Test using:
-
HTTP POST:
{ "text": "file_hash" } -
Slack:
/hash-check FILE_HASH;
-
-
🎛️ Customization Ideas
-
Route Slack messages to different channels based on severity.
-
Add additional outputs (email, SIEM, ticketing systems).
-
Extend the workflow to support multiple hashes per request.