Hey everyone,
I just published a community node for DFIR Platform — an API-first toolkit for SOC analysts and incident responders. The node lets you plug DFIR capabilities directly into your n8n workflows.
What it does
4 operations available:
- Phishing Analysis — Upload an EML file and get a full analysis from 26+ modules (SPF/DKIM/DMARC validation, header analysis, URL reputation, QR code decoding, AI-powered verdicts)
- IOC Enrichment — Enrich IPs, domains, hashes, and URLs across 14+ intelligence sources in a single call
- Exposure Scan — Scan any domain’s attack surface, aggregating data from 11 providers (Shodan, Criminal IP, Netlas, SSL Labs, crt.sh, SecurityTrails, and more)
- AI Triage — Submit alert data and get MITRE ATT&CK mapping, severity scoring, and recommended response actions
Installation
Install via the n8n Community Nodes UI:
- Go to Settings > Community Nodes
- Click Install a community node
- Enter: n8n-nodes-dfir-platform
Or via npm: npm install n8n-nodes-dfir-platform
Getting started
- Sign up at platform.dfir-lab.ch (free tier: 100 credits/month, no credit card)
- Create an API key in your dashboard
- In n8n, add your DFIR Platform credentials (Settings > Credentials > New > DFIR Platform API)
- Start building workflows
Example use cases
- Phishing triage automation: Email arrives > extract EML > analyze with DFIR Platform > if malicious, create ticket in your ITSM
- IOC enrichment pipeline: SIEM alert fires > extract indicators > enrich via DFIR Platform > update case with context
- Scheduled exposure monitoring: Cron trigger > scan your domains daily > alert on new open ports or vulnerabilities
Links
- npm: n8n-nodes-dfir-platform
- GitHub: dfir-lab/n8n-nodes-dfir-platform
- Platform: platform.dfir-lab.ch
- Docs & Blog: dfir-lab.ch
Built by DFIR Lab in Switzerland. Happy to answer any questions or take feedback!