Overview
This node performs "defanging" and "refanging" of Indicators of Compromise (IoCs). Defanging is the process of altering potentially malicious URLs, IPs, or other indicators to a safe format that prevents accidental execution or clicking. Refanging reverses this process, restoring the original form of the IoC.
Common scenarios include:
- Sharing threat intelligence safely by defanging URLs or IP addresses in reports or alerts.
- Processing incoming data where defanged IoCs need to be converted back to their usable form for automated analysis or blocking.
For example, a URL like http://malicious.com can be defanged to hxxp://malicious[.]com to prevent accidental visits. Later, it can be refanged back to the original URL for use in security tools.
Properties
| Name | Meaning |
|---|---|
| Operation | Choose between "Defang" (convert IoCs to safe format) or "Refang" (restore original IoCs). |
| Value | The string value containing the IoC to be defanged or refanged. |
| Property Name | The JSON property path where the output will be written. Supports dot-notation (e.g., data.person[0].name). |
Output
The node outputs an array of items with the same structure as the input but with the specified property updated to the defanged or refanged value.
- The output JSON contains all original properties plus the transformed value at the specified property path.
- Binary data from the input is preserved and passed through unchanged.
- If an error occurs during transformation and the node is set to continue on failure, the output item will contain the original JSON and an
errorfield describing the issue.
Dependencies
- Uses the external library
fangerfor defanging and refanging logic. - Uses
lodashfor setting values in nested JSON objects via dot-notation. - No external API keys or services are required.
- Runs entirely within n8n without additional environment variables.
Troubleshooting
- Common issues:
- Invalid input strings that cannot be processed by the defang/refang functions may cause errors.
- Incorrect property names (dot-notation paths) may result in output not being written where expected.
- Error messages:
- Errors thrown by the underlying defang/refang library will be surfaced.
- If "Continue On Fail" is enabled, errors will be included in the output item's
errorproperty instead of stopping execution.
- To resolve errors, verify the input string format and ensure the property name path exists or is correctly specified.
Links and References
- Fanger GitHub Repository – Library used for defanging and refanging IoCs.
- General info on defanging IoCs: https://www.sans.org/blog/defanging-iocs/