
Building an IP Reputation Checker for any Security Environment

A practical guide to creating an IP reputation automation workflow using n8n for SOC operations.

Tags: #n8n #Automation #SOC #SOAR #Tutorial

Every SOC analyst has been there: a suspicious IP shows up in your logs, and you spend the next 5 minutes copy-pasting it into VirusTotal, AbuseIPDB, and three other tabs.

What if I told you that you could automate this entire process in under 10 minutes with zero coding experience?

In this guide, I'll show you how to build an IP Reputation Checker that:

  • ✅ Accepts any IP address via a simple API call
  • ✅ Queries AbuseIPDB for threat intelligence
  • ✅ Alerts you on Slack if the IP is high-risk
  • ✅ Logs every lookup for audit trails

This is the exact workflow running in my home lab right now. And once you build it, you'll have the foundation to automate phishing triage, IOC enrichment, and more.


🛠️ Prerequisites: Get Your Lab Ready

Before we start, you'll need n8n up and running.

Don't have n8n installed yet?

👉 Check out my first article:

This covers Docker setup, security hardening, and getting your environment production-ready.

Already have n8n running? Let's build! 🚀

What else you'll need:

  • AbuseIPDB free API key (I'll show you how to get one)
  • Slack workspace with a channel for alerts
  • 10 minutes of focused time

Why Start Here?

Before we dive into complex SOAR platforms, let's be honest:

Most "SOC automation" tutorials throw you into the deep end—SIEM integrations, API authentication nightmares, and 47-step workflows.

This article is different.

We're building ONE workflow that teaches you the core concepts:

  1. Webhook Triggers – How automation starts
  2. API Integration – Pulling threat intel data
  3. Conditional Logic – Making decisions (High risk vs. Low risk)
  4. Alerting – Notifying your team
  5. Logging – Creating audit trails

Master these 5 concepts, and you can build any SOC automation.


What We're Building

┌─────────────────┐
│  Webhook        │ ◄── You send an IP (POST request)
│  Trigger        │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  AbuseIPDB      │ ◄── Query threat intelligence
│  API Check      │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  IF: Score > 50 │ ◄── Decision point
└────────┬────────┘
         │
    ┌────┴────┐
    │         │
    ▼         ▼
┌───────┐ ┌───────┐
│ HIGH  │ │ LOW   │
│ RISK  │ │ RISK  │
└───┬───┘ └───┬───┘
    │         │
    ▼         │
┌───────┐     │
│ Slack │     │
│ Alert │     │
└───┬───┘     │
    │         │
    ▼         ▼
┌─────────────────┐
│  Log to         │ ◄── Audit trail
│  Data Table     │
└─────────────────┘
         │
         ▼
┌─────────────────┐
│  Return         │ ◄── Send results back
│  Response       │
└─────────────────┘

Time to build: ~10 minutes

GitHub Link to the workflow


Step 1: Create the Webhook Trigger (2 minutes)

The webhook is your workflow's "front door"—it listens for incoming requests.

Configuration:

  • HTTP Method: POST
  • Path: ip-check
  • Response Mode: Response Node (we'll respond at the end)

What this means:

When you send a POST request to https://your-n8n-url/webhook/ip-check with a JSON body like:

{
  "ip": "185.220.101.34"
}

...the workflow triggers.

🎯 SOC Application: In production, your SIEM or firewall could automatically send suspicious IPs to this webhook for enrichment.


Step 2: Query AbuseIPDB (3 minutes)

AbuseIPDB is a free threat intelligence database with reports from security professionals worldwide.

Get Your Free API Key:

  1. Go to abuseipdb.com
  2. Create a free account
  3. Navigate to API → Create Key
  4. Copy your key somewhere safe

HTTP Request Node Configuration:

  • Method: GET
  • URL: https://api.abuseipdb.com/api/v2/check?ipAddress={{ $json.body.ip }}&maxAgeInDays=90

Headers:

  • Key: YOUR_ABUSEIPDB_API_KEY
  • Accept: application/json

⚠️ Security Best Practice: Never hardcode API keys! In n8n, use the Credentials Manager to store your API key securely. Go to Credentials → Add Credential → Header Auth and reference it in your node. This keeps your API key out of the workflow definition, so it isn't exposed when the workflow is shared or exported.

What You Get Back:

{
  "data": {
    "ipAddress": "185.220.101.34",
    "abuseConfidenceScore": 100,
    "totalReports": 1547,
    "countryCode": "DE",
    "isp": "Tor Exit Node",
    "usageType": "Data Center/Web Hosting",
    "isWhitelisted": false,
    "lastReportedAt": "2025-01-26T14:32:00+00:00"
  }
}

The abuseConfidenceScore ranges from 0-100:

  • 0-25: Probably safe
  • 26-50: Suspicious, worth investigating
  • 51-100: High confidence malicious

Step 3: Add Decision Logic (2 minutes)

Now we need to route the IP based on its risk score.

IF Node Configuration:

  • Condition: {{ $json.data.abuseConfidenceScore }}
  • Operator: Greater than
  • Value: 50

Branches:

  • True (High Risk): Send Slack alert + Log as high risk
  • False (Low Risk): Log as low risk only

💡Why 50?: This threshold is adjustable. In enterprise SOCs, you might set it to 80 to reduce noise, or 25 if you want to catch more threats. Tune it based on your alert volume.


Step 4: Configure Slack Alerts (2 minutes)

When a high-risk IP is detected, you want to know immediately.

Slack Node Configuration:

  • Channel: #suspicious_ip_alert (create this channel first)
  • Message:
🚨 *High Risk IP Detected!*

*IP Address:* {{ $json.data.ipAddress }}
*Abuse Score:* {{ $json.data.abuseConfidenceScore }}%
*ISP:* {{ $json.data.isp }}
*Usage Type:* {{ $json.data.usageType }}
*Total Reports:* {{ $json.data.totalReports }}
*Last Reported:* {{ $json.data.lastReportedAt }}

*Action Required:* Investigate and block if necessary.

What Your Alert Looks Like:

🚨 High Risk IP Detected!

IP Address: 185.220.101.34
Abuse Score: 100%
ISP: Tor Exit Node
Usage Type: Data Center/Web Hosting
Total Reports: 1547
Last Reported: 2025-01-26T14:32:00+00:00

Action Required: Investigate and block if necessary.

🎯SOC Application: Replace Slack with Microsoft Teams, PagerDuty, or email for your organization's alerting platform.


Step 5: Log Everything (1 minute)

Every IP check should be logged for:

  • Audit compliance (who checked what, when)
  • Pattern analysis (are we seeing the same IPs repeatedly?)
  • Reporting (metrics for management)

Data Table Schema:

Create this data table in your n8n instance


Why use this instead of a Google Sheet, you ask?

  • For one, it is really fast
  • It makes sense if you are the only one doing this
  • If you use this collaboratively, make sure you use the Google nodes for that instead

You now have a searchable audit log of every IP your team investigates.


Step 6: Return the Response

Finally, send the enrichment data back to whoever called the webhook.

Respond to Webhook Node:

  • Respond With: All Incoming Items

This returns the full AbuseIPDB response to the caller—useful if you're integrating this with other tools.
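As an added example that is not code from this article or from n8n itself, here is the workflow's validation, decision, alert and logging logic in plain JavaScript (the language n8n Code nodes use), so the behaviour of Steps 1 and 3-6 can be tested outside n8n. The AbuseIPDB call itself stays in the HTTP Request node; the sample response is the one shown in Step 2, and the IPv4-only check in parseWebhookBody is an added assumption.

```javascript
// Sample copied from the article's "What You Get Back" section (no live API call here).
const SAMPLE_ABUSEIPDB_RESPONSE = {
  data: {
    ipAddress: "185.220.101.34",
    abuseConfidenceScore: 100,
    totalReports: 1547,
    countryCode: "DE",
    isp: "Tor Exit Node",
    usageType: "Data Center/Web Hosting",
    isWhitelisted: false,
    lastReportedAt: "2025-01-26T14:32:00+00:00",
  },
};
// Step 1: validate the webhook body before the value is sent to any external API.
// Assumption (not from the article): the lab only submits dotted-quad IPv4 addresses.
function parseWebhookBody(body) {
  const ip = body && typeof body.ip === "string" ? body.ip.trim() : "";
  const octets = ip.split(".");
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`invalid IPv4 address in webhook body: ${JSON.stringify(body)}`);
  return ip;
}
// Step 3: the IF node's "Greater than 50" test; the threshold is tunable (80 or 25 as discussed).
// A missing score is an error, not a "Low" result, so an API failure can't silently pass an IP.
function riskLevel(score, threshold = 50) {
  if (!Number.isInteger(score)) throw new Error("abuseConfidenceScore missing from response");
  return score > threshold ? "High" : "Low";
}
// Step 4: the Slack message body, following the article's template.
function buildSlackAlert(d) {
  return [
    "🚨 *High Risk IP Detected!*", "",
    `*IP Address:* ${d.ipAddress}`, `*Abuse Score:* ${d.abuseConfidenceScore}%`,
    `*ISP:* ${d.isp}`, `*Usage Type:* ${d.usageType}`,
    `*Total Reports:* ${d.totalReports}`, `*Last Reported:* ${d.lastReportedAt}`,
    "", "*Action Required:* Investigate and block if necessary.",
  ].join("\n");
}
// Steps 3-6: route on the score, alert only on High, build the audit row, echo the response.
function processLookup(webhookBody, abuseResponse, threshold = 50) {
  const ip = parseWebhookBody(webhookBody);
  const d = abuseResponse.data;
  const risk = riskLevel(d.abuseConfidenceScore, threshold);
  return {
    risk,
    slackAlert: risk === "High" ? buildSlackAlert(d) : null,
    logRecord: { checkedAt: new Date().toISOString(), ip, score: d.abuseConfidenceScore, risk },
    response: abuseResponse, // "All Incoming Items" back to the caller
  };
}
```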


🧪 Testing Your Workflow

Time to see it in action! Open your terminal and run these commands.

Test 1: Known Malicious IP (Tor Exit Node)

Invoke-RestMethod -Uri "Your-Webhook-URL" -Method POST -ContentType "application/json" -Body '{"ip": "185.220.101.34"}'

Expected Result:

  • ✅ AbuseIPDB returns high score (~100)
  • ✅ Takes the "High Risk" path
  • ✅ Slack alert fires in #suspicious_ip_alert
  • ✅ Logged to data table as "High" risk
  • ✅ JSON response returned in terminal

Test 2: Safe IP (Google DNS)

Invoke-RestMethod -Uri "Your-Webhook-URL" -Method POST -ContentType "application/json" -Body '{"ip": "8.8.8.8"}'

Expected Result:

  • ✅ AbuseIPDB returns score of 0
  • ✅ Takes the "Low Risk" path
  • ❌ No Slack alert (as expected!)
  • ✅ Logged to data table as "Low" risk
  • ✅ JSON response returned in terminal

Test 3: Your Own Suspicious IP

Got a weird IP from your firewall logs? Test it:

Invoke-RestMethod -Uri "Your-Webhook-URL" -Method POST -ContentType "application/json" -Body '{"ip": "YOUR_SUSPICIOUS_IP_HERE"}'

💡 Pro Tip: On a default local install, Your-Webhook-URL is http://localhost:5678/webhook/ip-check. If you're running n8n with a custom domain or port, replace localhost:5678 with your actual host.


What You've Learned

In 10 minutes, you've mastered:

  • Webhooks – Created an API endpoint (real-world application: SIEM → SOAR integration)
  • API Calls – Queried external threat intel (real-world application: IOC enrichment)
  • Conditional Logic – Routed based on risk score (real-world application: alert prioritization)
  • Alerting – Sent Slack notifications (real-world application: incident notification)
  • Logging – Stored results in a table (real-world application: audit trails & compliance)

These are the same building blocks used in enterprise SOAR platforms like Splunk SOAR, Palo Alto XSOAR, and Swimlane.


🚀 Where to Go From Here

This workflow is your foundation. Here's how to level up:

  • Level 2 – Add VirusTotal + GreyNoise (skills gained: multi-source enrichment)
  • Level 3 – Auto-block high-risk IPs via firewall API (skills gained: automated response)
  • Level 4 – Phishing email triage workflow (skills gained: full investigation automation)
  • Level 5 – SIEM integration (Splunk/Wazuh) (skills gained: enterprise-grade SOAR)

I will post about them next. Keep an eye here.

📖 Coming Next: In my next article, I'll show you how to go deeper from here. We will explore VirusTotal and other useful APIs that we as security professionals can use in our day-to-day work.


Final Thoughts

SOC automation isn't about replacing analysts—it's about eliminating the copy-paste drudgery so you can focus on real threats.

This 10-minute workflow saves ~5 minutes per IP lookup. If your team checks 50 IPs per day, that's 4+ hours saved weekly.

Start small. Build confidence. Then scale.

Questions? Let's connect!

Building in public, one workflow at a time. 🛠️

Written by Vraj Patel

Security Analyst & IT Professional