dfir-platform

n8n community node for the DFIR Platform API — phishing analysis, IOC enrichment, exposure scanning, and AI triage

Package Information

Downloads: 1 weekly / 47 monthly
Latest Version: 0.1.0
Author: DFIR Lab

Documentation

n8n-nodes-dfir-platform

An n8n community node for the DFIR Platform API by DFIR Lab.

Automate security operations directly from your n8n workflows: analyze phishing emails, enrich IOCs, scan domain attack surfaces, and triage alerts with AI.

Prerequisites

  • An n8n instance (self-hosted or cloud)
  • A DFIR Platform API key -- sign up at platform.dfir-lab.ch
  • API credits (each operation consumes credits from your account)

Installation

Via n8n Community Nodes UI

  1. Go to Settings > Community Nodes
  2. Click Install a community node
  3. Enter n8n-nodes-dfir-platform
  4. Click Install

Manual Installation

cd ~/.n8n/nodes
npm install n8n-nodes-dfir-platform

Restart your n8n instance after installation.

Configuration

  1. Open any workflow in n8n
  2. Add the DFIR Platform node
  3. Create new credentials:
    • Enter your DFIR Platform API key
    • The connection is tested automatically against the API health endpoint
  4. Select a resource and operation

Operations

Phishing Analysis

Analyze phishing emails using 26+ analysis modules.

  • Input: EML file as binary data
  • Output: Comprehensive analysis including headers, URLs, attachments, sender reputation, and more
  • Endpoint: POST /v1/phishing/analyze

IOC Enrichment

Enrich indicators of compromise from 14+ intelligence sources.

  • Input: IOC value + type (IP, domain, hash, or URL)
  • Output: Aggregated threat intelligence data, risk scores, and context
  • Endpoint: POST /v1/ioc/enrich

Exposure Scan

Scan a domain's attack surface using 11 providers.

  • Input: Domain name
  • Output: Open ports, subdomains, certificates, DNS records, technologies, and vulnerabilities
  • Endpoint: POST /v1/exposure/scan

AI Triage

AI-powered security alert triage with MITRE ATT&CK mapping.

  • Input: Alert data as JSON (title, description, raw logs, etc.)
  • Output: Severity classification, MITRE ATT&CK technique mapping, recommended response actions
  • Endpoint: POST /v1/ai/triage

Usage Examples

Phishing Analysis Workflow

  1. Email Trigger (IMAP) -- receive forwarded suspicious emails
  2. DFIR Platform (Phishing Analysis) -- analyze the EML
  3. IF node -- check if verdict is malicious
  4. Slack -- notify the SOC channel with findings

IOC Enrichment Workflow

  1. Webhook -- receive IOC from SIEM/SOAR
  2. DFIR Platform (IOC Enrichment) -- enrich the indicator
  3. Google Sheets -- log results to a tracker
  4. TheHive -- create an alert if risk score is high
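
An added example (not part of the package or its documentation): the enrichment operation takes an IOC value plus a type, so a step between the Webhook and the DFIR Platform node can refang and classify what the SIEM sent and reject malformed values before a credit is spent. The function names and the type labels 'ip', 'domain', 'hash' and 'url' are assumptions; map them to the node's own type options.

```javascript
// Added example, not part of the package. The type labels ('ip', 'domain',
// 'hash', 'url') are assumptions; map them to the node's own type options.
const HASH_LENGTHS = new Set([32, 40, 64]); // MD5, SHA-1, SHA-256 in hex
const DOMAIN_RE = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$/;

// Undo common analyst defanging: hxxp(s)://, [.], (.), [dot], [:].
function refang(value) {
  return value.trim()
    .replace(/^hxxp(s?):/i, 'http$1:')
    .replace(/\[\.\]|\(\.\)|\[dot\]/gi, '.')
    .replace(/\[:\]/g, ':');
}

function isIp(value) {
  const octets = value.split('.');
  if (octets.length === 4 && octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) return true;
  if (!value.includes(':') || !/^[0-9a-f:.]+$/i.test(value)) return false;
  try { new URL(`http://[${value}]/`); return true; } catch { return false; } // IPv6 via the URL parser
}

// Returns { type, value } ready for the enrichment step, or null to reject.
function classifyIoc(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return null;
  const value = refang(raw);
  if (isIp(value)) return { type: 'ip', value };
  if (/^[0-9a-f]+$/i.test(value) && HASH_LENGTHS.has(value.length)) {
    return { type: 'hash', value: value.toLowerCase() };
  }
  if (/^https?:\/\//i.test(value)) {
    try { return { type: 'url', value: new URL(value).href }; } catch { return null; }
  }
  const host = value.toLowerCase().replace(/\.$/, '');
  return DOMAIN_RE.test(host) ? { type: 'domain', value: host } : null;
}

// Constructed sample webhook payloads (documentation address ranges and names).
const samples = ['hxxps://login.example[.]com/reset?id=1', '198.51.100[.]7',
  '2001:db8::1', 'AB'.repeat(32), 'Mail.Example.ORG.', 'deadbeef', 'not an ioc'];
for (const s of samples) console.log(s, '->', JSON.stringify(classifyIoc(s)));
```

Route items where the result is null to a review branch instead of the enrichment node, so free-text or truncated indicators from upstream tools do not consume credits or pollute the tracker.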

Automated Exposure Monitoring

  1. Schedule Trigger -- run weekly
  2. DFIR Platform (Exposure Scan) -- scan your domains
  3. Compare -- diff against previous scan
  4. Email -- send report of new findings

Credits

Each API call consumes credits from your DFIR Platform account. Credit usage varies by operation:

Operation           Credits per call
Phishing Analysis   5
IOC Enrichment      1
Exposure Scan       10
AI Triage           3

Monitor your credit balance at platform.dfir-lab.ch.

License

MIT
