maltiverse

n8n community node for Maltiverse Threat Intelligence API — Decisive Defense

Package Information

Downloads: 0 weekly / 0 monthly
Latest Version: 1.0.0
Author: Maltiverse

Documentation

@byronlainez/n8n-nodes-maltiverse

License: MIT

Maltiverse — Threat Intelligence for Decisive Defense

n8n community node that integrates the full Maltiverse API into your security automation workflows. Enrich IPs, hostnames, URLs, and file hashes with aggregated threat intelligence from 100+ sources.


Features

| Resource | Operations |
|---|---|
| IP Address | Get Intelligence · Create/Update · Delete |
| Hostname / Domain | Get Intelligence · Create/Update · Delete |
| URL | Get Intelligence · Create/Update · Delete |
| Sample (File Hash) | Get by SHA-256 · Get by MD5 · Create/Update · Delete |
| IoC (Generic) | Bulk Upload · Delete |

  • 🔐 Supports both API Key and Email/Password authentication
  • Simplify Output option for fast SOC triage (classification, score, top blacklist entries)
  • 🔗 Include Original Input option to merge source data into output
  • 🛡️ Graceful error handling for 404 (not found), 401, and 429 (rate limit)
  • 🔑 URL SHA-256 checksum computed automatically

Installation

In n8n Cloud / Self-hosted (Community Nodes)

  1. Open Settings → Community Nodes
  2. Search for @byronlainez/n8n-nodes-maltiverse
  3. Click Install

Manual (npm)

cd ~/.n8n
npm install @byronlainez/n8n-nodes-maltiverse

Authentication

API Key (Recommended)

  1. Log in to maltiverse.com
  2. Go to your Profile → Generate API Key
  3. Copy the JWT token
  4. In n8n, create a Maltiverse API credential → paste your API Key

Email & Password

Use your Maltiverse account credentials. The node fetches a JWT token automatically before each workflow run.

Rate limits: Unauthenticated = 20 calls/day · Free account = 100 calls/day.
See maltiverse.com/plans for higher tiers.


Usage Examples

1 — Enrich an IP from a SIEM alert

[Webhook] → [Set: ip = $json.src_ip] → [Maltiverse: IP → Get] → [IF: classification == "malicious"] → [Slack Alert]

2 — Bulk upload custom IOCs from a CSV

[Read CSV] → [Maltiverse: IoC → Bulk Upload]

3 — Check a file hash from an EDR alert

[CrowdStrike Trigger] → [Maltiverse: Sample → Get by SHA-256] → [Simplify Output: ON] → [Create Ticket]

Output Fields (GET operations)

| Field | Description |
|---|---|
| classification | malicious, suspicious, neutral, whitelisted |
| score | Numeric maliciousness score (0–10) |
| tag | Array of threat behavior tags (e.g. c2, ransomware, phishing) |
| blacklist | Array of source reports with count, description, first/last seen |
| as_name | Autonomous System name |
| country_code | ISO country code |
| creation_time | First seen timestamp |
| modification_time | Last updated timestamp |
| av_ratio | (Samples) AV detection ratio |
| process_list | (Samples) Runtime process list |
| resolved_ip | (Hostnames) Historical resolved IPs |
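
The IF step from usage example 1, combined with a reduction to classification, score and top blacklist entries, sketched as JavaScript for an n8n Code node or plain Node.js. This is an added example, not the node's own code: the thresholds, the action names and the blacklist entry keys (source, description, count, last_seen) are assumptions, and the sample items are constructed.

```javascript
// Added example, not the node's own code. Top-level field names come from the
// Output Fields table; the blacklist entry keys used here are assumptions.
const KNOWN = ['malicious', 'suspicious', 'neutral', 'whitelisted'];

function triage(item, { minScore = 7, topN = 3 } = {}) { // thresholds are hypothetical
  const cls = typeof item.classification === 'string'
    ? item.classification.toLowerCase() : '';
  // Not found (404) or malformed output: no intelligence is not a clean verdict.
  if (!KNOWN.includes(cls)) {
    return { classification: 'unknown', score: null, tags: [], topBlacklist: [], action: 'review' };
  }
  const n = Number(item.score);
  const score = item.score != null && Number.isFinite(n) ? n : null;
  const tags = Array.isArray(item.tag) ? item.tag.map(String) : [];
  const topBlacklist = (Array.isArray(item.blacklist) ? item.blacklist : [])
    .slice() // do not reorder the caller's array
    .sort((a, b) => (b.count || 0) - (a.count || 0)
      || String(b.last_seen || '').localeCompare(String(a.last_seen || '')))
    .slice(0, topN)
    .map(({ source, description, count }) => ({ source, description, count: count || 0 }));

  let action = 'log'; // neutral: keep the record, raise nothing
  if (cls === 'malicious') action = 'alert';
  else if (cls === 'suspicious') action = score !== null && score >= minScore ? 'alert' : 'review';
  else if (cls === 'whitelisted') action = 'ignore';
  return { classification: cls, score, tags, topBlacklist, action };
}

// Constructed sample items (documentation-range IPs, invented source reports).
const samples = [
  { ip: '203.0.113.10', classification: 'malicious', score: 9, tag: ['c2'],
    blacklist: [
      { source: 'Feed A', description: 'Botnet C2', count: 2, last_seen: '2024-05-01 10:00:00' },
      { source: 'Feed B', description: 'Scanner', count: 7, last_seen: '2024-04-20 08:00:00' },
    ] },
  { ip: '198.51.100.7', classification: 'suspicious', score: 4, tag: [], blacklist: [] },
  { ip: '192.0.2.55' }, // shape assumed for a lookup that came back not found
];

function runSamples() {
  return samples.map((s) => ({ ip: s.ip, ...triage(s) }));
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Routing the not-found case to review instead of ignore keeps an indicator with no Maltiverse record from being treated as clean.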

MITRE ATT&CK Context

Maltiverse enrichment data includes tags aligned to MITRE ATT&CK techniques. Use the tag field to map IoCs to TTPs in your SIEM or SOAR playbooks.


API Reference

Full Swagger spec: https://app.swaggerhub.com/apis-docs/maltiverse/api/1.0.0-oas3


License

MIT © Maltiverse
