diff --git a/workflows/Analyze domain threats via Telegram with VirusTotal, AbuseCH, and Gemini AI-13656/13656-analyze-domain-threats-via-telegram-with-virustotal--abusech--and-gemini-ai.webp b/workflows/Analyze domain threats via Telegram with VirusTotal, AbuseCH, and Gemini AI-13656/13656-analyze-domain-threats-via-telegram-with-virustotal--abusech--and-gemini-ai.webp
new file mode 100644
index 000000000..cfe912225
--- /dev/null
+++ b/workflows/Analyze domain threats via Telegram with VirusTotal, AbuseCH, and Gemini AI-13656/13656-analyze-domain-threats-via-telegram-with-virustotal--abusech--and-gemini-ai.webp
@@ -0,0 +1 @@ +{"id":"F09DEq4zzu8xOuBu","meta":{"instanceId":"80c42e4e83b2eb44ebbc9d2335c764c111959eb91e3d7362a904f426977dd81f","templateCredsSetupCompleted":true},"name":"DomainThreatBot - Domain AI Analysis via Telegram, Abuse.CH and VirusTotal","tags":[],"nodes":[{"id":"008c04f8-b697-4416-8feb-600bc4e0b294","name":"VirusTotal HTTP Request","type":"n8n-nodes-base.httpRequest","onError":"continueRegularOutput","position":[-480,240],"parameters":{"":"","url":"=https://www.virustotal.com/api/v3/domains/{{ $json.message.text }}","method":"GET","options":{},"sendBody":false,"sendQuery":false,"curlImport":"","infoMessage":"","sendHeaders":false,"authentication":"predefinedCredentialType","httpVariantWarning":"","nodeCredentialType":"virusTotalApi","provideSslCertificates":false},"credentials":{"virusTotalApi":{"id":"XQaSd3azLNPakCIa","name":"VirusTotal account"}},"typeVersion":4.4,"alwaysOutputData":true,"extendsCredential":"virusTotalApi"},{"id":"5663e1e8-9028-4fcf-8b0b-ca3d0d57302c","name":"Abuse.CH_URLHaus request","type":"n8n-nodes-base.httpRequest","position":[-480,-64],"parameters":{"url":"https://urlhaus-api.abuse.ch/v1/host/","method":"POST","options":{},"sendBody":true,"contentType":"form-urlencoded","authentication":"genericCredentialType","bodyParameters":{"parameters":[{"name":"host","value":"={{ $json.message.text }}"}]},"genericAuthType":"httpHeaderAuth"},"credentials":{"httpHeaderAuth":{"id":"evINq5lY1FNrbaFs","name":"URLHaus - AuthAPI"}},"typeVersion":4.4},{"id":"353f2ad4-31f6-4556-a03d-7e503069ef61","name":"Abuse.CH_ThreatFox request","type":"n8n-nodes-base.httpRequest","position":[-480,-400],"parameters":{"url":"https://threatfox-api.abuse.ch/api/v1/","method":"POST","options":{},"sendBody":true,"authentication":"genericCredentialType","bodyParameters":{"parameters":[{"name":"query","value":"search_ioc"},{"name":"search_term","value":"={{ $json.message.text 
}}"}]},"genericAuthType":"httpHeaderAuth"},"credentials":{"httpHeaderAuth":{"id":"g908b0PtwONe0mOt","name":"ThreatFox - AuthAPI"}},"typeVersion":4.4},{"id":"0092afcb-b18b-47a8-abc7-f92d9483b209","name":"Telegram Trigger","type":"n8n-nodes-base.telegramTrigger","notes":"Restrict the Telegram Trigger to your User ID or specific Chat ID. This prevents the workflow from responding to messages from unauthorized users.","position":[-736,-64],"webhookId":"8a8294e1-582c-4f4c-be14-a4c2e5298395","parameters":{"updates":["message"],"additionalFields":{"chatIds":""}},"credentials":{"telegramApi":{"id":"4uExT57Yzhg6Y0RK","name":"Telegram account"}},"notesInFlow":true,"typeVersion":1.2},{"id":"ed0b3323-bf4b-4185-95b3-f9db923bde85","name":"Send a text message","type":"n8n-nodes-base.telegram","position":[736,-64],"webhookId":"e208152b-4826-4281-b48a-8395eac311c3","parameters":{"text":"={{ $json.candidates[0].content.parts[0].text }}","chatId":"={{ $('Telegram Trigger').item.json.message.chat.id }}","additionalFields":{"parse_mode":"HTML"}},"credentials":{"telegramApi":{"id":"4uExT57Yzhg6Y0RK","name":"Telegram account"}},"executeOnce":true,"typeVersion":1.2},{"id":"c66766ef-853c-4e3b-8749-f77eadb0ccb0","name":"Aggregate","type":"n8n-nodes-base.aggregate","position":[192,-64],"parameters":{"options":{},"aggregate":"aggregateAllItemData"},"typeVersion":1},{"id":"b24e11d8-e333-4a19-9faa-1c403c26c354","name":"Message a model","type":"@n8n/n8n-nodes-langchain.googleGemini","position":[384,-64],"parameters":{"modelId":{"__rl":true,"mode":"list","value":"models/gemini-3-flash-preview","cachedResultName":"models/gemini-3-flash-preview"},"options":{"systemMessage":"You are an experienced Cybersecurity Analyst Assistant\nYour Role:\nAnalyze and summarize domain scan results from the following sources: VirusTotal, AbuseCH URLhaus, and AbuseCH ThreatFox.\nCommunicate your findings in professional, concise, and clear language suitable for technical security reporting.\nIdentify, emphasize, and 
extract key insights from each scan result, such as threat indicators, detection consistency, malicious activity patterns, or reputation data.\nAccount for the possibility of false positives. For example, a suspicious subdomain hosted under a legitimate parent (e.g., on cloud providers or hosting platforms) might not indicate the entire domain is malicious. \nIf possible, differentiate between malicious use of a service and a compromised or abused legitimate domain\nMaintain a neutral, evidence based tone, avoid assumptions not supported by the data.\nAvoid using absolute or emotional terms such as definitely, certainly, overwhelmingly, clearly malicious, or without doubt.\nUse probabilistic and evidence-based phrasing instead, such as likely, possibly, appears to, or based on available data.\nUse terminology appropriate for SOC or threat intelligence reporting.\nDo not include raw data unless explicitly requested."},"messages":{"values":[{"content":"=Analyze the data you receive from VirusTotal, URLHaus, and ThreatFox based on these instructions:\n\nAnalysis Instructions:\n1. Identify the scanned URL: {{ $('Telegram Trigger').item.json.message.text }}\n2. Inside the array data, you will find 3 items representing scan results from VirusTotal, Abuse.CH URLHaus or Abuse.CH ThreatFox, U can understand which one is it by the sourceNode field in each data item\n3. Actual data of each item included in {{ $json.data[0]['DataSummary'] }} for {{ $json.data[0].sourceNode }}, {{ $json.data[1]['DataSummary'] }} for {{ $json.data[1].sourceNode }}, {{ $json.data[2]['DataSummary'] }} {{ $json.data[2].sourceNode }}\n4. 
Key data points to analyze :\n* VirusTotal, number of Malicious, Suspicious and Harmless verdicts under the different engines, u can use the last_analysis_stats and include the numbers for each one.\n* URLHaus blacklists, url_count and different threatTypes for urls\n* ThreatFox threat_type,Threat_type_desc and tags.\n* Domain creation date (new domains = higher risk, update dates are not so indicative)\n\nAssessment:\nCreate a short domain assessment based on the Analysis Instructions you received\n* make it clear, short and simple\n* include in the end your verdict (Malicious, Suspicious, Benign, Legit)\n\nOutput Format:\nTelegram bot output using ONLY: bold, underline, italic\nSingle \\n between lines, double \\n\\n between sections. Max 90 chars/line.\nFor all domain you present, use defanging, replace . with [.] \n\n**Required structure:**\n1. Domain: {{ $('Telegram Trigger').item.json.message.text }} \n2. Scan Time: {{ $now }}\n2. Findings: 3 bullets (one per sourceNode value, include the sourceNode value and the related findings in new line with /n, note \"no results\" if empty)\n3. Assessment: 5-7 neutral lines + verdict\n4. Recommendations: Max 3 bullets\n5. 
Close with this reminder: Better safe than sorry, check before you click and remember \"In God We Trust, All Others We Investigate...\""}]},"simplify":false,"builtInTools":{}},"credentials":{"googlePalmApi":{"id":"D7c522O1nH6qDBDY","name":"Google Gemini(PaLM) Api account"}},"executeOnce":false,"typeVersion":1.1},{"id":"1fb7cacc-698d-4eb9-91b1-7ff96520cb45","name":"Merge","type":"n8n-nodes-base.merge","position":[32,-80],"parameters":{"numberInputs":3},"typeVersion":3.2},{"id":"9bff600c-39c9-41af-83e3-26c8435daac4","name":"Edit Field - ThreatFox","type":"n8n-nodes-base.set","position":[-176,-400],"parameters":{"options":{},"assignments":{"assignments":[{"id":"f3796464-d8d2-486a-8a2a-b425ebe68cec","name":"sourceNode","type":"string","value":"ThreatFox"},{"id":"0bb2ab43-87e3-421e-93cd-ee08c0668d17","name":"DataSummary","type":"string","value":"={{JSON.stringify($json)}}"}]}},"typeVersion":3.4},{"id":"3395ff9b-966c-4e92-88f0-f0117ca1e095","name":"Edit Field - URLHaus","type":"n8n-nodes-base.set","position":[-176,-64],"parameters":{"options":{},"assignments":{"assignments":[{"id":"f3796464-d8d2-486a-8a2a-b425ebe68cec","name":"sourceNode","type":"string","value":"URLHaus"},{"id":"0bb2ab43-87e3-421e-93cd-ee08c0668d17","name":"DataSummary","type":"string","value":"={{JSON.stringify($json)}}"}]}},"typeVersion":3.4},{"id":"c74f5164-6842-48e5-b145-162906a6f8ed","name":"Edit Field - VirusTotal","type":"n8n-nodes-base.set","position":[-176,240],"parameters":{"options":{},"assignments":{"assignments":[{"id":"f3796464-d8d2-486a-8a2a-b425ebe68cec","name":"sourceNode","type":"string","value":"VirusTotal"},{"id":"0bb2ab43-87e3-421e-93cd-ee08c0668d17","name":"DataSummary","type":"string","value":"={{JSON.stringify($json)}}"}]}},"typeVersion":3.4},{"id":"f2959d41-6041-4617-8285-0dda0b5a28e7","name":"Sticky Note","type":"n8n-nodes-base.stickyNote","position":[-1376,-624],"parameters":{"width":496,"height":960,"content":"## Description:\nThis n8n workflow enables Telegram users to 
submit a domain for quick threat intelligence analysis. It queries VirusTotal, AbuseCH URLHaus, and AbuseCH ThreatFox, then uses Gemini AI to generate a formatted summary with key findings, assament/analysis, and actionable recommendations.\nNote: Currently supports domains only.\n\nEveryone knows VirusTotal, so there’s no need to elaborate. AbuseCH, on the other hand, is a well‑known community threat‑intelligence project that focuses on tracking and sharing indicators related to malware, botnets, and other malicious stuff.\n\n\n## Nodes:\n* Telegram Trigger – Waits for a user message containing a domain to analyze. Telegram Token is needed\n\n* VirusTotal HTTP Request – Sends an API request to VirusTotal to retrieve data about the domain received via Telegram.\nAPI key is needed - Community will work see Referencese section\n\n* ThreatFox & URLHaus HTTP Requests – Similar to the VirusTotal node, but querying AbuseCH ThreatFox and URLHaus for additional indicators.\nAPI key is needed - see Referencese section\n\n* Edit Fields – Adds two fields used by the AI analysis (sourceNode and dataSummary).\n\n* Merge & Aggregate – Prepares and normalizes all results into a single structured payload for the AI model.\n\n* Message an AI Model (Gemini) – Analyzes the merged results using a System Prompt + User Prompt, and generates a formatted response that includes key findings, assessment/analysis, and actionable recommendations.\n\n* Telegram Send Message – Sends the final report back to the end user in Telegram.\n\n\n## Referencese:\n[VirusTotal API Doc](https://docs.virustotal.com/reference/overview)\n[AbuseCH URLhaus API](https://urlhaus-api.abuse.ch/)\n[AbuseCH ThreatFox API](https://urlhaus-api.abuse.ch/)"},"typeVersion":1},{"id":"a661a875-bb09-43e3-9ccb-65cb73d42a18","name":"Sticky Note1","type":"n8n-nodes-base.stickyNote","position":[-832,-624],"parameters":{"color":7,"width":256,"height":1120,"content":"## Trigger Telegram Message:\n* Set your Telegram credentials 
(Token) \n* Restrict to your User ID or specific Chat ID (node settings additional fields) to prevent unauthorized access and responses to random users."},"typeVersion":1},{"id":"22253b36-1310-4e63-92fc-86020afd8ec7","name":"Sticky Note2","type":"n8n-nodes-base.stickyNote","position":[-560,-624],"parameters":{"color":7,"width":288,"height":1120,"content":"## Api requests:\n* Set your APIKey (Virustotal URLhaus and ThreatFox)\n"},"typeVersion":1},{"id":"53cddb4e-361e-443f-865d-0bf219deed29","name":"Sticky Note3","type":"n8n-nodes-base.stickyNote","position":[-256,-624],"parameters":{"color":7,"width":576,"height":1120,"content":"## Data Structuring\nPrepering the data into single structured payload for the AI model."},"typeVersion":1},{"id":"7c2a7506-b488-4c61-9c2a-efbf63e3fe7c","name":"Sticky Note4","type":"n8n-nodes-base.stickyNote","position":[336,-624],"parameters":{"color":7,"width":336,"height":1120,"content":"## Ai Model Analysis\nGemini - tested with Gemini 3 Flash\nThere are 2 different prompts included, User and System prompt.\n* Set your APIKey\n"},"typeVersion":1},{"id":"aecdad28-e560-4d25-9591-12e00ac6a448","name":"Sticky Note5","type":"n8n-nodes-base.stickyNote","position":[688,-624],"parameters":{"color":7,"width":272,"height":1120,"content":"## Telegram Report Delivery \n\n"},"typeVersion":1}],"active":false,"pinData":{},"settings":{"timezone":"Etc/UTC","binaryMode":"separate","callerPolicy":"workflowsFromSameOwner","timeSavedMode":"fixed","availableInMCP":false,"executionOrder":"v1"},"versionId":"8e0f5fab-090a-4719-8454-ed9ee66ff4af","connections":{"Merge":{"main":[[{"node":"Aggregate","type":"main","index":0}]]},"Aggregate":{"main":[[{"node":"Message a model","type":"main","index":0}]]},"Message a model":{"main":[[{"node":"Send a text message","type":"main","index":0}]]},"Telegram Trigger":{"main":[[{"node":"Abuse.CH_ThreatFox request","type":"main","index":0},{"node":"Abuse.CH_URLHaus request","type":"main","index":0},{"node":"VirusTotal HTTP 
Request","type":"main","index":0}]]},"Edit Field - URLHaus":{"main":[[{"node":"Merge","type":"main","index":1}]]},"Edit Field - ThreatFox":{"main":[[{"node":"Merge","type":"main","index":2}]]},"Edit Field - VirusTotal":{"main":[[{"node":"Merge","type":"main","index":0}]]},"VirusTotal HTTP Request":{"main":[[{"node":"Edit Field - VirusTotal","type":"main","index":0}]]},"Abuse.CH_URLHaus request":{"main":[[{"node":"Edit Field - URLHaus","type":"main","index":0}]]},"Abuse.CH_ThreatFox request":{"main":[[{"node":"Edit Field - ThreatFox","type":"main","index":0}]]}}} \ No newline at end of file
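Review bot: The raw Telegram message text is interpolated unvalidated into the VirusTotal URL path (`"url":"=https://www.virustotal.com/api/v3/domains/{{ $json.message.text }}"`), into both abuse.ch request bodies and into the Gemini user prompt, so anyone who can message the bot can point the operator's VirusTotal key at a different v3 endpoint with a message like `../users/me` (the `/`, `?` and `#` characters are not encoded) and can inject instructions into the model prompt; the sticky note's "supports domains only" claim is not enforced by any node. Add a validation step between `Telegram Trigger` and the three HTTP Request nodes that trims the text and rejects anything not matching a hostname pattern such as `^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$` (case-insensitive), and at minimum wrap the path segment as `{{ encodeURIComponent($json.message.text.trim()) }}`. Note also that the trigger is committed with `"chatIds":""`, so as shipped the bot answers any Telegram user who finds it and lets them consume the VirusTotal, abuse.ch and Gemini quotas; the node note only advises restricting it. The URLhaus/ThreatFox response fields (URLs, tags, threat descriptions) are attacker-influenced threat-intel data passed verbatim to Gemini through `JSON.stringify($json)`, so the system prompt should state that the scan payloads are data and not instructions, and the `parse_mode: "HTML"` reply will be rejected by Telegram if the model emits an unescaped `<` or `&`. The committed path ends in `.webp` while the content is an n8n workflow JSON, which looks like a misnamed file worth checking before merge.

```json
{
  "id": "validate-domain",
  "name": "Validate domain",
  "type": "n8n-nodes-base.code",
  "typeVersion": 2,
  "position": [-608, -64],
  "parameters": {
    "jsCode": "const text = String($input.first().json.message.text ?? '').trim().toLowerCase();\nconst isHostname = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$/.test(text);\nif (!isHostname) throw new Error('Send a single bare domain name, e.g. example.com');\nreturn [{ json: { ...$input.first().json, domain: text } }];"
  }
}
// … unchanged: remaining nodes; rewire Telegram Trigger -> Validate domain -> the three HTTP Request nodes and read $json.domain there …
// VirusTotal HTTP Request: "url": "=https://www.virustotal.com/api/v3/domains/{{ encodeURIComponent($json.domain) }}"
```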